SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sender id fix (#610)

Browse Source 
* Starting to fix id issues

* add crashing testcase

* remove debug flags
This commit is contained in:
Dominik Maier 2022-04-15 19:25:51 +02:00 committed by GitHub
parent a99d0b2967
commit 1690dbb2cc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 98 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
fuzzers/libfuzzer_libpng/Cargo.toml
View File

@ -7,6 +7,8 @@ edition = "2021"
[features] [features]
default = ["std"] default = ["std"]
std = [] std = []
# Forces a crash
crash = []
[profile.release] [profile.release]
lto = true lto = true

61
fuzzers/libfuzzer_libpng/Makefile.toml
View File

@ -45,6 +45,24 @@ windows_alias = "unsupported"
command = "cargo" command = "cargo"
args = ["build" , "--release"] args = ["build" , "--release"]
[tasks.crash_cxx]
linux_alias = "crash_cxx_unix"
mac_alias = "crash_cxx_unix"
windows_alias = "unsupported"
[tasks.crash_cxx_unix]
command = "cargo"
args = ["build" , "--release", "--features=crash"]
[tasks.crash_cc]
linux_alias = "crash_cc_unix"
mac_alias = "crash_cc_unix"
windows_alias = "unsupported"
[tasks.crash_cc_unix]
command = "cargo"
args = ["build" , "--release", "--features=crash"]
# Library # Library
[tasks.lib] [tasks.lib]
linux_alias = "lib_unix" linux_alias = "lib_unix"
@ -60,6 +78,20 @@ make -C libpng-1.6.37 CC="${PROJECT_DIR}/target/release/libafl_cc" CXX="${PROJEC
''' '''
dependencies = [ "libpng", "cxx", "cc" ] dependencies = [ "libpng", "cxx", "cc" ]
# Library
[tasks.crash_lib]
linux_alias = "crash_lib_unix"
mac_alias = "crash_lib_unix"
windows_alias = "unsupported"
[tasks.crash_lib_unix]
script_runner="@shell"
script='''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
make -C libpng-1.6.37 CC="${PROJECT_DIR}/target/release/libafl_cc" CXX="${PROJECT_DIR}/target/release/libafl_cxx"
'''
dependencies = [ "libpng", "crash_cxx", "crash_cc" ]
# Harness # Harness
[tasks.fuzzer] [tasks.fuzzer]
@ -72,6 +104,17 @@ command = "target/release/libafl_cxx"
args = ["${PROJECT_DIR}/harness.cc", "${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a", "-I", "${PROJECT_DIR}/libpng-1.6.37/", "-o", "${FUZZER_NAME}", "-lm", "-lz"] args = ["${PROJECT_DIR}/harness.cc", "${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a", "-I", "${PROJECT_DIR}/libpng-1.6.37/", "-o", "${FUZZER_NAME}", "-lm", "-lz"]
dependencies = [ "lib", "cxx", "cc" ] dependencies = [ "lib", "cxx", "cc" ]
# Crashing Harness
[tasks.fuzzer_crash]
linux_alias = "fuzzer_crash_unix"
mac_alias = "fuzzer_crash_unix"
windows_alias = "unsupported"
[tasks.fuzzer_crash_unix]
command = "target/release/libafl_cxx"
args = ["${PROJECT_DIR}/harness.cc", "${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a", "-I", "${PROJECT_DIR}/libpng-1.6.37/", "-o", "${FUZZER_NAME}_crash", "-lm", "-lz"]
dependencies = [ "crash_lib", "crash_cxx", "crash_cc" ]
# Run the fuzzer # Run the fuzzer
[tasks.run] [tasks.run]
linux_alias = "run_unix" linux_alias = "run_unix"
@ -87,6 +130,24 @@ sleep 0.2
''' '''
dependencies = [ "fuzzer" ] dependencies = [ "fuzzer" ]
# Run the fuzzer with a crash
[tasks.crash]
linux_alias = "crash_unix"
mac_alias = "crash_unix"
windows_alias = "unsupported"
[tasks.crash_unix]
script_runner = "@shell"
script='''
./${FUZZER_NAME}_crash &
sleep 0.2
./${FUZZER_NAME}_crash 2>/dev/null
'''
dependencies = [ "fuzzer_crash" ]
# Test # Test
[tasks.test] [tasks.test]
linux_alias = "test_unix" linux_alias = "test_unix"

10
fuzzers/libfuzzer_libpng/src/lib.rs
View File

@ -5,6 +5,8 @@ use mimalloc::MiMalloc;
static GLOBAL: MiMalloc = MiMalloc; static GLOBAL: MiMalloc = MiMalloc;
use core::time::Duration; use core::time::Duration;
#[cfg(feature = "crash")]
use std::ptr;
use std::{env, path::PathBuf}; use std::{env, path::PathBuf};
use libafl::{ use libafl::{
@ -145,6 +147,14 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
let mut harness = |input: &BytesInput| { let mut harness = |input: &BytesInput| {
let target = input.target_bytes(); let target = input.target_bytes();
let buf = target.as_slice(); let buf = target.as_slice();
#[cfg(feature = "crash")]
if buf.len() > 4 && buf[4] == 0 {
unsafe {
eprintln!("Crashing (for testing purposes)");
let addr = ptr::null_mut();
*addr = 1;
}
}
libfuzzer_test_one_input(buf); libfuzzer_test_one_input(buf);
ExitKind::Ok ExitKind::Ok
}; };

36
libafl/src/bolts/llmp.rs
View File

@ -451,7 +451,7 @@ fn next_shmem_size(max_alloc: usize) -> usize {
/// Initialize a new `llmp_page`. The size should be relative to /// Initialize a new `llmp_page`. The size should be relative to
/// `llmp_page->messages` /// `llmp_page->messages`
unsafe fn _llmp_page_init<SHM: ShMem>(shmem: &mut SHM, sender: u32, allow_reinit: bool) { unsafe fn _llmp_page_init<SHM: ShMem>(shmem: &mut SHM, sender_id: ClientId, allow_reinit: bool) {
#[cfg(all(feature = "llmp_debug", feature = "std"))] #[cfg(all(feature = "llmp_debug", feature = "std"))]
println!("_llmp_page_init: shmem {:?}", &shmem); println!("_llmp_page_init: shmem {:?}", &shmem);
let map_size = shmem.len(); let map_size = shmem.len();
@ -469,7 +469,7 @@ unsafe fn _llmp_page_init<SHM: ShMem>(shmem: &mut SHM, sender: u32, allow_reinit
} }
(*page).magic = PAGE_INITIALIZED_MAGIC; (*page).magic = PAGE_INITIALIZED_MAGIC;
(*page).sender = sender; (*page).sender_id = sender_id;
(*page).current_msg_id.store(0, Ordering::Relaxed); (*page).current_msg_id.store(0, Ordering::Relaxed);
(*page).max_alloc_size = 0; (*page).max_alloc_size = 0;
// Don't forget to subtract our own header size // Don't forget to subtract our own header size
@ -707,7 +707,7 @@ pub struct LlmpPage {
/// to check if this page got initialized properly /// to check if this page got initialized properly
pub magic: u64, pub magic: u64,
/// The id of the sender /// The id of the sender
pub sender: u32, pub sender_id: ClientId,
/// Set to != 1 by the receiver, once it got mapped. /// Set to != 1 by the receiver, once it got mapped.
/// It's not safe for the sender to unmap this page before /// It's not safe for the sender to unmap this page before
/// (The os may have tidied up the memory when the receiver starts to map) /// (The os may have tidied up the memory when the receiver starts to map)
@ -750,7 +750,7 @@ where
SP: ShMemProvider, SP: ShMemProvider,
{ {
/// ID of this sender. /// ID of this sender.
pub id: u32, pub id: ClientId,
/// Ref to the last message this sender sent on the last page. /// Ref to the last message this sender sent on the last page.
/// If null, a new page (just) started. /// If null, a new page (just) started.
pub last_msg_sent: *const LlmpMsg, pub last_msg_sent: *const LlmpMsg,
@ -775,12 +775,16 @@ where
/// Create a new [`LlmpSender`] using a given [`ShMemProvider`], and `id`. /// Create a new [`LlmpSender`] using a given [`ShMemProvider`], and `id`.
/// If `keep_pages_forever` is `true`, `ShMem` will never be freed. /// If `keep_pages_forever` is `true`, `ShMem` will never be freed.
/// If it is `false`, the pages will be unmapped once they are full, and have been mapped by at least one `LlmpReceiver`. /// If it is `false`, the pages will be unmapped once they are full, and have been mapped by at least one `LlmpReceiver`.
pub fn new(mut shmem_provider: SP, id: u32, keep_pages_forever: bool) -> Result<Self, Error> { pub fn new(
mut shmem_provider: SP,
id: ClientId,
keep_pages_forever: bool,
) -> Result<Self, Error> {
Ok(Self { Ok(Self {
id, id,
last_msg_sent: ptr::null_mut(), last_msg_sent: ptr::null_mut(),
out_shmems: vec![LlmpSharedMap::new( out_shmems: vec![LlmpSharedMap::new(
0, id,
shmem_provider.new_shmem(LLMP_CFG_INITIAL_MAP_SIZE)?, shmem_provider.new_shmem(LLMP_CFG_INITIAL_MAP_SIZE)?,
)], )],
// drop pages to the broker if it already read them // drop pages to the broker if it already read them
@ -795,6 +799,7 @@ where
/// This is only useful if all connected llmp parties start over, for example after a crash. /// This is only useful if all connected llmp parties start over, for example after a crash.
/// # Safety /// # Safety
/// Only safe if you really really restart the page on everything connected /// Only safe if you really really restart the page on everything connected
/// No receiver should read from this page at a different location.
pub unsafe fn reset(&mut self) { pub unsafe fn reset(&mut self) {
_llmp_page_init( _llmp_page_init(
&mut self.out_shmems.last_mut().unwrap().shmem, &mut self.out_shmems.last_mut().unwrap().shmem,
@ -903,7 +908,7 @@ where
}; };
Ok(Self { Ok(Self {
id: 0, id: unsafe { (*out_shmem.page()).sender_id },
last_msg_sent, last_msg_sent,
out_shmems: vec![out_shmem], out_shmems: vec![out_shmem],
// drop pages to the broker if it already read them // drop pages to the broker if it already read them
@ -1117,7 +1122,7 @@ where
// Create a new shard page. // Create a new shard page.
let mut new_map_shmem = LlmpSharedMap::new( let mut new_map_shmem = LlmpSharedMap::new(
(*old_map).sender, (*old_map).sender_id,
self.shmem_provider self.shmem_provider
.new_shmem(next_shmem_size((*old_map).max_alloc_size))?, .new_shmem(next_shmem_size((*old_map).max_alloc_size))?,
); );
@ -1135,7 +1140,6 @@ where
println!("Setting max alloc size: {:?}", (*old_map).max_alloc_size); println!("Setting max alloc size: {:?}", (*old_map).max_alloc_size);
(*new_map).max_alloc_size = (*old_map).max_alloc_size; (*new_map).max_alloc_size = (*old_map).max_alloc_size;
(*new_map).sender = self.id;
/* On the old map, place a last message linking to the new map for the clients /* On the old map, place a last message linking to the new map for the clients
* to consume */ * to consume */
@ -2536,12 +2540,13 @@ where
pub fn new( pub fn new(
mut shmem_provider: SP, mut shmem_provider: SP,
initial_broker_shmem: LlmpSharedMap<SP::ShMem>, initial_broker_shmem: LlmpSharedMap<SP::ShMem>,
sender_id: ClientId,
) -> Result<Self, Error> { ) -> Result<Self, Error> {
Ok(Self { Ok(Self {
sender: LlmpSender { sender: LlmpSender {
id: 0, id: sender_id,
last_msg_sent: ptr::null_mut(), last_msg_sent: ptr::null_mut(),
out_shmems: vec![LlmpSharedMap::new(0, { out_shmems: vec![LlmpSharedMap::new(sender_id, {
shmem_provider.new_shmem(LLMP_CFG_INITIAL_MAP_SIZE)? shmem_provider.new_shmem(LLMP_CFG_INITIAL_MAP_SIZE)?
})], })],
// drop pages to the broker if it already read them // drop pages to the broker if it already read them
@ -2647,7 +2652,8 @@ where
/// Creates a new [`LlmpClient`], reading the map id and len from env /// Creates a new [`LlmpClient`], reading the map id and len from env
pub fn create_using_env(mut shmem_provider: SP, env_var: &str) -> Result<Self, Error> { pub fn create_using_env(mut shmem_provider: SP, env_var: &str) -> Result<Self, Error> {
let map = LlmpSharedMap::existing(shmem_provider.existing_from_env(env_var)?); let map = LlmpSharedMap::existing(shmem_provider.existing_from_env(env_var)?);
Self::new(shmem_provider, map) let client_id = unsafe { (*map.page()).sender_id };
Self::new(shmem_provider, map, client_id)
} }
#[cfg(feature = "std")] #[cfg(feature = "std")]
@ -2689,7 +2695,9 @@ where
let map = LlmpSharedMap::existing( let map = LlmpSharedMap::existing(
shmem_provider.shmem_from_description(broker_shmem_description)?, shmem_provider.shmem_from_description(broker_shmem_description)?,
); );
let mut ret = Self::new(shmem_provider, map)?;
// We'll set `sender_id` later
let mut ret = Self::new(shmem_provider, map, 0)?;
let client_hello_req = TcpRequest::LocalClientHello { let client_hello_req = TcpRequest::LocalClientHello {
shmem_description: ret.sender.out_shmems.first().unwrap().shmem.description(), shmem_description: ret.sender.out_shmems.first().unwrap().shmem.description(),
@ -2712,7 +2720,7 @@ where
ret.sender.id = client_id; ret.sender.id = client_id;
// Also set the sender on our initial llmp map correctly. // Also set the sender on our initial llmp map correctly.
unsafe { unsafe {
(*ret.sender.out_shmems.first_mut().unwrap().page_mut()).sender = client_id; (*ret.sender.out_shmems.first_mut().unwrap().page_mut()).sender_id = client_id;
} }
Ok(ret) Ok(ret)

3
libafl/src/events/llmp.rs
View File

@ -839,7 +839,7 @@ where
let mut ctr: u64 = 0; let mut ctr: u64 = 0;
// Client->parent loop // Client->parent loop
loop { loop {
dbg!("Spawning next client (id {})", ctr); println!("Spawning next client (id {})", ctr);
// On Unix, we fork // On Unix, we fork
#[cfg(all(unix, feature = "fork"))] #[cfg(all(unix, feature = "fork"))]
@ -975,6 +975,7 @@ mod tests {
let mut llmp_client = LlmpClient::new( let mut llmp_client = LlmpClient::new(
shmem_provider.clone(), shmem_provider.clone(),
LlmpSharedMap::new(0, shmem_provider.new_shmem(1024).unwrap()), LlmpSharedMap::new(0, shmem_provider.new_shmem(1024).unwrap()),
0,
) )
.unwrap(); .unwrap();

2
libafl/src/events/simple.rs
View File

@ -340,7 +340,7 @@ where
let mut ctr: u64 = 0; let mut ctr: u64 = 0;
// Client->parent loop // Client->parent loop
loop { loop {
dbg!("Spawning next client (id {})", ctr); println!("Spawning next client (id {})", ctr);
// On Unix, we fork // On Unix, we fork
#[cfg(all(unix, feature = "fork"))] #[cfg(all(unix, feature = "fork"))]

1
libafl/src/monitors/mod.rs
View File

@ -906,7 +906,6 @@ pub mod pybind {
self.get_mut_monitor().display(event_msg, sender_id); self.get_mut_monitor().display(event_msg, sender_id);
} }
} }
/// Register the classes to the python module /// Register the classes to the python module
pub fn register(_py: Python, m: &PyModule) -> PyResult<()> { pub fn register(_py: Python, m: &PyModule) -> PyResult<()> {
m.add_class::<PythonSimpleMonitor>()?; m.add_class::<PythonSimpleMonitor>()?;