* fix

* Stupid lint

* increase rate

* fix
Dongjia "toka" Zhang 2024-04-22 19:27:13 +02:00 committed by GitHub
parent 98863fbff5
commit 0f3ad288e7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 11 additions and 17 deletions


@ -26,7 +26,7 @@ reqwest = { version = "0.11.4", features = ["blocking"] }
[dependencies] [dependencies]
libafl = { path = "../../libafl/", features = [ "std", "llmp_compression", "llmp_bind_public", "frida_cli" ] } #, "llmp_small_maps", "llmp_debug"]} libafl = { path = "../../libafl/", features = [ "std", "llmp_compression", "llmp_bind_public", "frida_cli", "errors_backtrace" ] } #, "llmp_small_maps", "llmp_debug"]}
libafl_bolts = { path = "../../libafl_bolts/" } libafl_bolts = { path = "../../libafl_bolts/" }
frida-gum = { version = "0.13.6", features = [ "auto-download", "event-sink", "invocation-listener"] } frida-gum = { version = "0.13.6", features = [ "auto-download", "event-sink", "invocation-listener"] }
libafl_frida = { path = "../../libafl_frida", features = ["cmplog"] } libafl_frida = { path = "../../libafl_frida", features = ["cmplog"] }


@ -111,7 +111,7 @@ script_runner = "@shell"
script=''' script='''
rm -rf libafl_unix_shmem_server || true rm -rf libafl_unix_shmem_server || true
timeout 30s ./${FUZZER_NAME} -F LLVMFuzzerTestOneInput -H ./libpng-harness.so -l ./libpng-harness.so | tee fuzz_stdout.log 2>/dev/null || true timeout 30s ./${FUZZER_NAME} -F LLVMFuzzerTestOneInput -H ./libpng-harness.so -l ./libpng-harness.so | tee fuzz_stdout.log 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then if grep -qa "corpus: 70" fuzz_stdout.log; then
echo "Fuzzer is working" echo "Fuzzer is working"
else else
echo "Fuzzer does not generate any testcases or any crashes" echo "Fuzzer does not generate any testcases or any crashes"
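Review bot: The success check `grep -qa "corpus: 70"` is a substring match on one exact count rather than a threshold, so the test only passes if a log line happens to print a count beginning with 70. Whether the monitor prints every count is not visible here; if it can skip values between prints, a healthy run would be reported as a failure. A numeric comparison would be more robust, for example `max=$(grep -ao "corpus: [0-9]*" fuzz_stdout.log | awk '{print $2}' | sort -n | tail -1)` followed by `[ "${max:-0}" -ge 70 ]`. The failure text "Fuzzer does not generate any testcases or any crashes" also no longer describes the condition and could read `echo "Fuzzer did not reach 70 corpus entries within 30s"`. The script block continues outside the hunk.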


@ -140,7 +140,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
// RNG // RNG
StdRand::with_seed(current_nanos()), StdRand::with_seed(current_nanos()),
// Corpus that will be evolved, we keep it in memory for performance // Corpus that will be evolved, we keep it in memory for performance
CachedOnDiskCorpus::no_meta(PathBuf::from("./corpus_discovered"), 64) CachedOnDiskCorpus::no_meta(PathBuf::from("./corpus_discovered"), 4)
.unwrap(), .unwrap(),
// Corpus in which we store solutions (crashes in this example), // Corpus in which we store solutions (crashes in this example),
// on disk so the user can get them after stopping the fuzzer // on disk so the user can get them after stopping the fuzzer
@ -256,7 +256,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
// RNG // RNG
StdRand::with_seed(current_nanos()), StdRand::with_seed(current_nanos()),
// Corpus that will be evolved, we keep it in memory for performance // Corpus that will be evolved, we keep it in memory for performance
CachedOnDiskCorpus::no_meta(PathBuf::from("./corpus_discovered"), 64) CachedOnDiskCorpus::no_meta(PathBuf::from("./corpus_discovered"), 4)
.unwrap(), .unwrap(),
// Corpus in which we store solutions (crashes in this example), // Corpus in which we store solutions (crashes in this example),
// on disk so the user can get them after stopping the fuzzer // on disk so the user can get them after stopping the fuzzer
@ -386,7 +386,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
// RNG // RNG
StdRand::with_seed(current_nanos()), StdRand::with_seed(current_nanos()),
// Corpus that will be evolved, we keep it in memory for performance // Corpus that will be evolved, we keep it in memory for performance
CachedOnDiskCorpus::no_meta(PathBuf::from("./corpus_discovered"), 64) CachedOnDiskCorpus::no_meta(PathBuf::from("./corpus_discovered"), 4)
.unwrap(), .unwrap(),
// Corpus in which we store solutions (crashes in this example), // Corpus in which we store solutions (crashes in this example),
// on disk so the user can get them after stopping the fuzzer // on disk so the user can get them after stopping the fuzzer
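Review bot: The cache size `4` is now a bare literal repeated in all three `CachedOnDiskCorpus::no_meta` calls (the hunks at -140, -256 and -386), directly under a comment that still says the corpus is kept in memory for performance. With only four cached inputs most testcases will be reloaded from disk, so the comment should state why the value is this small; presumably it is meant to exercise cache eviction during the short CI run, which the author should confirm. A single `const CORPUS_CACHE_SIZE: usize = 4;` carrying that explanation would keep the three call sites in sync. `fuzz` starts and ends outside these hunks.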


@ -45,20 +45,14 @@ where
&'a self, &'a self,
testcase: &'a RefCell<Testcase<I>>, testcase: &'a RefCell<Testcase<I>>,
idx: CorpusId, idx: CorpusId,
is_disabled: bool,
) -> Result<(), Error> { ) -> Result<(), Error> {
if testcase.borrow().input().is_none() { if testcase.borrow().input().is_none() {
self.load_input_into(&mut testcase.borrow_mut())?; self.load_input_into(&mut testcase.borrow_mut())?;
let mut borrowed_num = 0; let mut borrowed_num = 0;
while self.cached_indexes.borrow().len() >= self.cache_max_len { while self.cached_indexes.borrow().len() >= self.cache_max_len {
let removed = self.cached_indexes.borrow_mut().pop_front().unwrap(); let removed = self.cached_indexes.borrow_mut().pop_front().unwrap();
if let Ok(mut borrowed) = if is_disabled {
self.inner.get_from_all(removed) if let Ok(mut borrowed) = self.inner.get_from_all(removed)?.try_borrow_mut() {
} else {
self.inner.get(removed)
}?
.try_borrow_mut()
{
*borrowed.input_mut() = None; *borrowed.input_mut() = None;
} else { } else {
self.cached_indexes.borrow_mut().push_back(removed); self.cached_indexes.borrow_mut().push_back(removed);
@ -125,14 +119,14 @@ where
#[inline] #[inline]
fn get(&self, idx: CorpusId) -> Result<&RefCell<Testcase<I>>, Error> { fn get(&self, idx: CorpusId) -> Result<&RefCell<Testcase<I>>, Error> {
let testcase = { self.inner.get(idx)? }; let testcase = { self.inner.get(idx)? };
self.cache_testcase(testcase, idx, false)?; self.cache_testcase(testcase, idx)?;
Ok(testcase) Ok(testcase)
} }
/// Get by id; considers both enabled and disabled testcases /// Get by id; considers both enabled and disabled testcases
#[inline] #[inline]
fn get_from_all(&self, idx: CorpusId) -> Result<&RefCell<Testcase<Self::Input>>, Error> { fn get_from_all(&self, idx: CorpusId) -> Result<&RefCell<Testcase<Self::Input>>, Error> {
let testcase = { self.inner.get_from_all(idx)? }; let testcase = { self.inner.get_from_all(idx)? };
self.cache_testcase(testcase, idx, true)?; self.cache_testcase(testcase, idx)?;
Ok(testcase) Ok(testcase)
} }
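Review bot: In the eviction loop of `cache_testcase`, `pop_front().unwrap()` panics if `cache_max_len` is 0, because `len() >= 0` holds on an empty queue; the constructor may already reject zero, but that is not visible here. `let Some(removed) = self.cached_indexes.borrow_mut().pop_front() else { break };` would remove the panic path. Separately, `self.inner.get_from_all(removed)?` returns early after `removed` has already been popped, so a stale id (if one can exist) would leave the newly loaded input untracked by the cache. A short comment on that line, such as `// evicted ids may belong to disabled testcases, so look them up across both sets`, would record why `get_from_all` is used unconditionally. The function body continues past the end of the first hunk.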


@ -179,7 +179,7 @@ where
/// Connect to the server and return a new [`ServedShMemProvider`] /// Connect to the server and return a new [`ServedShMemProvider`]
/// Will try to spawn a [`ShMemService`]. This will only work for the first try. /// Will try to spawn a [`ShMemService`]. This will only work for the first try.
fn new() -> Result<Self, Error> { fn new() -> Result<Self, Error> {
// Needed for MacOS and Android to get sharedmaps working. // Needed for `MacOS` and Android to get sharedmaps working.
let service = ShMemService::<SP>::start(); let service = ShMemService::<SP>::start();
let mut res = Self { let mut res = Self {


@ -278,7 +278,7 @@ impl ToolWrapper for ClangWrapper {
if linking { if linking {
new_args.push("-lrt".into()); new_args.push("-lrt".into());
} }
// MacOS has odd linker behavior sometimes // `MacOS` has odd linker behavior sometimes
#[cfg(target_vendor = "apple")] #[cfg(target_vendor = "apple")]
if linking || shared { if linking || shared {
new_args.push("-undefined".into()); new_args.push("-undefined".into());