diff --git a/fuzzers/frida_libpng/src/fuzzer.rs b/fuzzers/frida_libpng/src/fuzzer.rs
index 3fb03f922a..6e32f5d417 100644
--- a/fuzzers/frida_libpng/src/fuzzer.rs
+++ b/fuzzers/frida_libpng/src/fuzzer.rs
@@ -32,7 +32,8 @@ use libafl::{
 token_mutations::Tokens,
 },
 observers::{HitcountsMapObserver, ObserversTuple, StdMapObserver, TimeObserver},
- stages::mutational::StdMutationalStage,
+ //stages::mutational::StdMutationalStage,
+ stages::{StdMutationalStage, TracingStage},
 state::{HasCorpus, HasMetadata, StdState},
 stats::MultiStats,
 Error,
@@ -302,7 +303,7 @@ unsafe fn fuzz(
 unsafe extern "C" fn(data: *const u8, size: usize) -> i32,
 > = lib.get(symbol_name.as_bytes()).unwrap();

- let mut frida_harness = move |input: &BytesInput| {
+ let mut frida_harness = |input: &BytesInput| {
 let target = input.target_bytes();
 let buf = target.as_slice();
 (target_func)(buf.as_ptr(), buf.len());
@@ -383,7 +384,6 @@ unsafe fn fuzz(

 // Setup a basic mutator with a mutational stage
 let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));
- let mut stages = tuple_list!(StdMutationalStage::new(mutator));

 // A minimization+queue policy to get testcasess from the corpus
 let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
@@ -400,7 +400,6 @@ unsafe fn fuzz(
 tuple_list!(
 edges_observer,
 time_observer,
- cmplog_observer,
 AsanErrorsObserver::new(&ASAN_ERRORS)
 ),
 &mut fuzzer,
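Review bot: The replaced import survives as a commented-out line, `//stages::mutational::StdMutationalStage,`, directly above its replacement `stages::{StdMutationalStage, TracingStage},` in the `use libafl::{ … }` block; commented-out code should be deleted rather than left beside the new line, since the history already records the old path. The same pattern appears in libafl_targets/src/cmplog.h, where the enable guard is commented out instead of removed or reworked. The `use` block starts before this hunk.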
@@ -419,6 +418,25 @@ unsafe fn fuzz(
 println!("We imported {} inputs from disk.", state.corpus().count());
 }

+ // Secondary harness due to mut ownership
+ let mut frida_harness = |input: &BytesInput| {
+ let target = input.target_bytes();
+ let buf = target.as_slice();
+ (target_func)(buf.as_ptr(), buf.len());
+ ExitKind::Ok
+ };
+
+ // Setup a tracing stage in which we log comparisons
+ let tracing = TracingStage::new(InProcessExecutor::new(
+ &mut frida_harness,
+ tuple_list!(cmplog_observer),
+ &mut fuzzer,
+ &mut state,
+ &mut mgr,
+ )?);
+
+ let mut stages = tuple_list!(tracing, StdMutationalStage::new(mutator));
+
 fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?;
 Ok(())
 };
diff --git a/fuzzers/libfuzzer_stb_image/src/main.rs b/fuzzers/libfuzzer_stb_image/src/main.rs
index 5fca306e93..4ee16c36c3 100644
--- a/fuzzers/libfuzzer_stb_image/src/main.rs
+++ b/fuzzers/libfuzzer_stb_image/src/main.rs
@@ -155,7 +155,9 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
 }

 // Secondary harness due to mut ownership
- let mut harness = |buf: &[u8]| {
+ let mut harness = |input: &BytesInput| {
+ let target = input.target_bytes();
+ let buf = target.as_slice();
 libfuzzer_test_one_input(buf);
 ExitKind::Ok
 };
diff --git a/libafl_targets/src/cmplog.h b/libafl_targets/src/cmplog.h
index b595033602..5933f59c8f 100644
--- a/libafl_targets/src/cmplog.h
+++ b/libafl_targets/src/cmplog.h
@@ -33,7 +33,7 @@ extern uint8_t libafl_cmplog_enabled;
 static void __libafl_targets_cmplog(uintptr_t k, uint8_t shape, uint64_t arg1,
 uint64_t arg2) {

- if (!libafl_cmplog_enabled) return;
+ //if (!libafl_cmplog_enabled) return;

 uint16_t hits;
 if (libafl_cmplog_map.headers[k].kind != CMPLOG_KIND_INS) {
diff --git a/libafl_targets/src/cmplog.rs b/libafl_targets/src/cmplog.rs
index 8f975c716f..a02a57a575 100644
--- a/libafl_targets/src/cmplog.rs
+++ b/libafl_targets/src/cmplog.rs
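Review bot: The tracing stage wraps a bare `InProcessExecutor::new(&mut frida_harness, tuple_list!(cmplog_observer), …)`, whereas the main `executor` (constructed before this hunk) is the one this Frida fuzzer instruments; if the comparison hooks are installed by the Frida helper around that executor's runs rather than globally, the tracing run executes the target uninstrumented and `cmplog_observer` never sees a comparison — worth confirming before relying on this stage. The second `frida_harness` closure is a byte-for-byte copy of the first one (its earlier definition is outside this hunk), so the two will drift silently; factoring the body into a small local helper that both closures call, e.g. `let run = |input: &BytesInput| { let target = input.target_bytes(); let buf = target.as_slice(); (target_func)(buf.as_ptr(), buf.len()); ExitKind::Ok };` used by reference from each, would keep one copy. The comment `// Secondary harness due to mut ownership` should also say which borrow forces it, e.g. `// A second closure: each executor needs its own &mut harness, and the first is held by executor`. The enclosing `fuzz` body continues outside the hunk.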
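Review bot: Commenting out `if (!libafl_cmplog_enabled) return;` removes the only runtime switch for comparison logging, so every instrumented comparison now writes into `libafl_cmplog_map` on every execution — including the main fuzzing executor's runs, from which this commit removes `cmplog_observer` (frida_libpng hunk at -400), so that work is pure overhead there. The flag is still declared `extern uint8_t libafl_cmplog_enabled;` on the hunk's context line and is now initialised to 1 in libafl_targets/src/cmplog.rs, which leaves an exported toggle that nothing honours. Keeping the guard and having the tracing stage set `CMPLOG_ENABLED` to 1 before its run and back to 0 afterwards would give the new stage what it needs without making the flag dead code. The rest of `__libafl_targets_cmplog` is outside the hunk.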
@@ -140,7 +140,7 @@ pub use libafl_cmplog_map as CMPLOG_MAP;

 /// Value indicating if cmplog is enabled.
 #[no_mangle]
-pub static mut libafl_cmplog_enabled: u8 = 0;
+pub static mut libafl_cmplog_enabled: u8 = 1;

 pub use libafl_cmplog_enabled as CMPLOG_ENABLED;