first attempts

van Hauser 2020-12-17 17:25:01 +01:00
parent 468c5f6bfa
commit 16a79bfbbc
4 changed files with 78 additions and 8 deletions


@ -17,6 +17,7 @@ opt-level = 3
debug = true
[dependencies]
clap = "2.32.0"
afl = { path = "../../afl/" }
[lib]


@ -53,7 +53,7 @@ def ld_mode():
args += sys.argv[1:]
args += [
os.path.join(script_dir, "runtime", "rt.o"),
os.path.join(script_dir, "target", "release", "liblibfuzzer.a"),
os.path.join(script_dir, "target", "debug", "liblibfuzzer.a"),
]
args += ["-fsanitize-coverage=trace-pc-guard,trace-cmp"]
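Review bot: The link step now hard-codes `target/debug/liblibfuzzer.a` (that debug is the new side is inferred from the matching `cargo build` change in run_test.sh, not visible in the gutter), so a `cargo build --release` produces an archive this wrapper never links, and a missing debug build only surfaces as an opaque linker error. Consider choosing the profile from a single place shared with run_test.sh, for example an environment variable read as `profile = os.environ.get("<PROFILE_VAR>", "debug")` (constructed name), and failing early with a clear message when the archive does not exist, e.g. `if not os.path.exists(lib): sys.exit("missing " + lib + "; run cargo build first")`. `ld_mode` starts outside the hunk.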


@ -1,7 +1,12 @@
#![cfg_attr(not(feature = "std"), no_std)]
#[macro_use]
extern crate clap;
extern crate alloc;
use clap::{App, Arg};
use std::env;
use afl::corpus::InMemoryCorpus;
use afl::engines::Engine;
use afl::engines::Fuzzer;
@ -23,6 +28,9 @@ extern "C" {
/// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32;
/// int LLVMFuzzerInitialize(int argc, char **argv)
fn LLVMFuzzerInitialize(argc: u32, argv: *const *const u8) -> i32;
static __lafl_edges_map: *mut u8;
static __lafl_cmp_map: *mut u8;
static __lafl_max_edges_size: u32;
@ -39,8 +47,68 @@ const NAME_COV_MAP: &str = "cov_map";
#[no_mangle]
pub extern "C" fn afl_libfuzzer_main() {
let mut rand = StdRand::new(0);
let matches = App::new("libAFLrs fuzzer harness")
.about("libAFLrs fuzzer harness help options.")
.arg(
Arg::with_name("dictionary")
.short("x")
.value_name("DICTIONARY")
.takes_value(true)
.multiple(true)
.help("Dictionary file to use, can be specified multiple times."),
)
.arg(
Arg::with_name("statstime")
.short("T")
.value_name("STATSTIME")
.takes_value(true)
.help("How often to print statistics in seconds [default: 5, disable: 0]"),
)
.arg(Arg::with_name("workdir")
.help("Where to write the corpus, also reads the data on start. If more than one is supplied the first will be the work directory, all others will just be initially read from.")
.multiple(true)
.value_name("WORKDIR")
)
.get_matches();
let statstime = value_t!(matches, "statstime", u32).unwrap_or(5);
let workdir = if matches.is_present("workdir") {
matches.value_of("workdir").unwrap().to_string()
} else {
env::current_dir().unwrap().to_string_lossy().to_string()
};
let mut dictionary: Option<Vec<String>> = None;
if matches.is_present("dictionary") {
dictionary = Some(values_t!(matches, "dictionary", String).unwrap_or_else(|e| e.exit()));
}
let mut input: Option<Vec<String>> = None;
if matches.is_present("workdir") {
input = Some(values_t!(matches, "workdir", String).unwrap_or_else(|e| e.exit()));
}
// debug prints
println!("workdir: {}", workdir);
if dictionary != None {
for file in dictionary.unwrap() {
println!("dic: {}", file);
}
}
if input != None {
for indir in input.unwrap() {
println!("in: {}", indir);
}
}
// original code
let mut rand = StdRand::new(0);
let mut corpus = InMemoryCorpus::new();
let mut generator = RandPrintablesGenerator::new(32);
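Review bot: The `LLVMFuzzerInitialize` declaration added to the `extern "C"` block (second hunk; the block is opened outside the hunk) does not match libFuzzer's documented hook signature, `int LLVMFuzzerInitialize(int *argc, char ***argv)`: it passes `argc` by value as `u32` and `argv` as `*const *const u8`, so a target that implements the hook will treat the integer it receives as a pointer once this is called. Declare it as `fn LLVMFuzzerInitialize(argc: *mut c_int, argv: *mut *mut *mut c_char) -> i32;` with `use std::os::raw::{c_char, c_int};`, and fix the doc comment to `/// int LLVMFuzzerInitialize(int *argc, char ***argv)`. In the third hunk `rand` is bound at the top of `afl_libfuzzer_main` and again after the `// original code` comment, so the first binding is dead and shadowed, and `value_t!(matches, "statstime", u32).unwrap_or(5)` silently turns a malformed `-T` value into the default whereas the other options report via `e.exit()`. `afl_libfuzzer_main` continues past the hunk.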


@ -1,11 +1,12 @@
#!/bin/sh
cargo build --release
make -C runtime
cargo build || exit 1
make -C runtime || exit 1
./compiler -flto=thin -c test/test.c -o test_fuzz.o
./compiler -flto=thin -fuse-ld=lld test_fuzz.o -o test_fuzz.elf
rm -f test_fuzz.elf test_fuzz.o
./compiler -flto=thin -c test/test.c -o test_fuzz.o || exit 1
./compiler -flto=thin test_fuzz.o -o test_fuzz.elf || exit 1
RUST_BACKTRACE=1 ./test_fuzz.elf -x a -x b foo bar
RUST_BACKTRACE=1 ./test_fuzz.elf
#rm ./test_fuzz.elf
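Review bot: The rebuilt link line `./compiler -flto=thin test_fuzz.o -o test_fuzz.elf || exit 1` drops the `-fuse-ld=lld` that the neighbouring link line carries; with `-flto=thin` the default system linker needs an LTO-capable plugin, so this will likely only work on hosts where `ld` already is lld or plugin-enabled (inferred; the rendered page does not show which of the two link lines is the old one). The `|| exit 1` suffix repeated on five commands would be expressed once with `set -e` after the shebang, which would also cover the final `./test_fuzz.elf` run that currently has no check. That run, `./test_fuzz.elf -x a -x b foo bar`, names dictionary files `a` and `b` and directories `foo` and `bar` that the script never creates, so the smoke test exercises argument parsing only; if that is intentional, a one-line comment saying so would save the next reader a guess.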