SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Forkserver: Add file input support (#880)

Browse Source 
* make use of clap derive in forkserver_simple

* (re)introduce use_shmem_testcase flag to ForkserverExecutor

* set use_shmem_testcase flag automatically based on forkserver handshake

* remove illegal_state and just .unwrap instead as the None case is unreachable

* fix: removed pub method

* cargo fmt

* remove illegal_state #2 and just .unwrap instead as the None case is unreachable

* change shmem unwrap to unwrap_unchecked

* fix double mut

* removed @@ warning
This commit is contained in:
Lukas Seidel 2022-11-10 15:25:52 +01:00 committed by GitHub
parent 977415cad2
commit 17a0d9e8f0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 109 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/src/core_concepts/executor.md
View File

@ -40,10 +40,9 @@ Here we make a shared memory region; `shmem`, and write this to environmental va
Another feature of the `ForkserverExecutor` to mention is the shared memory testcases. In normal cases, the mutated input is passed between the forkserver and the instrumented binary via `.cur_input` file. You can improve your forkserver fuzzer's performance by passing the input with shared memory. Another feature of the `ForkserverExecutor` to mention is the shared memory testcases. In normal cases, the mutated input is passed between the forkserver and the instrumented binary via `.cur_input` file. You can improve your forkserver fuzzer's performance by passing the input with shared memory.
If the target is configured to use shared memory testcases, the `ForkserverExecutor` will notice this during the handshake and will automatically set up things accordingly.
See AFL++'s [_documentation_](https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md#5-shared-memory-fuzzing) or the fuzzer example in `forkserver_simple/src/program.c` for reference. See AFL++'s [_documentation_](https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.persistent_mode.md#5-shared-memory-fuzzing) or the fuzzer example in `forkserver_simple/src/program.c` for reference.
It is very simple, when you call `ForkserverExecutor::new()` with `use_shmem_testcase` true, the `ForkserverExecutor` sets things up and your harness can just fetch the input from `__AFL_FUZZ_TESTCASE_BUF`
## InprocessForkExecutor ## InprocessForkExecutor
Finally, we'll talk about the `InProcessForkExecutor`. Finally, we'll talk about the `InProcessForkExecutor`.

4
fuzzers/forkserver_simple/Cargo.toml
View File

@ -16,6 +16,6 @@ codegen-units = 1
opt-level = 3 opt-level = 3
[dependencies] [dependencies]
libafl = { path = "../../libafl/" } libafl = { path = "../../libafl/", features = ["std", "derive"] }
clap = { version = "3.2", features = ["default"] } clap = { version = "4.0", features = ["derive"] }
nix = "0.25" nix = "0.25"

127
fuzzers/forkserver_simple/src/main.rs
View File

@ -1,7 +1,7 @@
use core::time::Duration; use core::time::Duration;
use std::path::PathBuf; use std::path::PathBuf;
use clap::{Arg, Command}; use clap::{self, Parser};
#[cfg(not(target_vendor = "apple"))] #[cfg(not(target_vendor = "apple"))]
use libafl::bolts::shmem::StdShMemProvider; use libafl::bolts::shmem::StdShMemProvider;
#[cfg(target_vendor = "apple")] #[cfg(target_vendor = "apple")]
@ -30,53 +30,68 @@ use libafl::{
}; };
use nix::sys::signal::Signal; use nix::sys::signal::Signal;
/// The commandline args this fuzzer accepts
#[derive(Debug, Parser)]
#[command(
name = "forkserver_simple",
about = "This is a simple example fuzzer to fuzz a executable instrumented by afl-cc.",
author = "tokatoka <tokazerkje@outlook.com>"
)]
struct Opt {
#[arg(
help = "The instrumented binary we want to fuzz",
name = "EXEC",
required = true
)]
executable: String,
#[arg(
help = "The directory to read initial inputs from ('seeds')",
name = "INPUT_DIR",
required = true
)]
in_dir: PathBuf,
#[arg(
help = "Timeout for each individual execution, in milliseconds",
short = 't',
long = "timeout",
default_value = "1200"
)]
timeout: u64,
#[arg(
help = "If not set, the child's stdout and stderror will be redirected to /dev/null",
short = 'd',
long = "debug-child",
default_value = "false"
)]
debug_child: bool,
#[arg(
help = "Arguments passed to the target",
name = "arguments",
num_args(1..),
allow_hyphen_values = true,
default_value = "[].to_vec()"
)]
arguments: Vec<String>,
#[arg(
help = "Signal used to stop child",
short = 's',
long = "signal",
value_parser = str::parse::<Signal>,
default_value = "SIGKILL"
)]
signal: Signal,
}
#[allow(clippy::similar_names)] #[allow(clippy::similar_names)]
pub fn main() { pub fn main() {
let res = Command::new("forkserver_simple") let opt = Opt::parse();
.about("Example Forkserver fuzer")
.arg(
Arg::new("executable")
.help("The instrumented binary we want to fuzz")
.required(true)
.takes_value(true),
)
.arg(
Arg::new("in")
.help("The directory to read initial inputs from ('seeds')")
.required(true)
.takes_value(true),
)
.arg(
Arg::new("timeout")
.help("Timeout for each individual execution, in milliseconds")
.short('t')
.long("timeout")
.default_value("1200"),
)
.arg(
Arg::new("debug_child")
.help("If not set, the child's stdout and stderror will be redirected to /dev/null")
.short('d')
.long("debug-child"),
)
.arg(
Arg::new("arguments")
.help("Arguments passed to the target")
.multiple_values(true)
.takes_value(true),
)
.arg(
Arg::new("signal")
.help("Signal used to stop child")
.short('s')
.long("signal")
.default_value("SIGKILL"),
)
.get_matches();
let corpus_dirs = vec![PathBuf::from( let corpus_dirs: Vec<PathBuf> = [opt.in_dir].to_vec();
res.get_one::<String>("in").unwrap().to_string(),
)];
const MAP_SIZE: usize = 65536; const MAP_SIZE: usize = 65536;
@ -151,17 +166,14 @@ pub fn main() {
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective); let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
// If we should debug the child // If we should debug the child
let debug_child = res.is_present("debug_child"); let debug_child = opt.debug_child;
// Create the executor for the forkserver // Create the executor for the forkserver
let args = match res.values_of("arguments") { let args = opt.arguments;
Some(vec) => vec.map(|s| s.to_string()).collect::<Vec<String>>().to_vec(),
None => [].to_vec(),
};
let mut tokens = Tokens::new(); let mut tokens = Tokens::new();
let forkserver = ForkserverExecutor::builder() let forkserver = ForkserverExecutor::builder()
.program(res.get_one::<String>("executable").unwrap()) .program(opt.executable)
.debug_child(debug_child) .debug_child(debug_child)
.shmem_provider(&mut shmem_provider) .shmem_provider(&mut shmem_provider)
.autotokens(&mut tokens) .autotokens(&mut tokens)
@ -171,17 +183,8 @@ pub fn main() {
let mut executor = TimeoutForkserverExecutor::with_signal( let mut executor = TimeoutForkserverExecutor::with_signal(
forkserver, forkserver,
Duration::from_millis( Duration::from_millis(opt.timeout),
res.get_one::<String>("timeout") opt.signal,
.unwrap()
.to_string()
.parse()
.expect("Could not parse timeout in milliseconds"),
),
res.get_one::<String>("signal")
.unwrap()
.parse::<Signal>()
.unwrap(),
) )
.expect("Failed to create the executor."); .expect("Failed to create the executor.");

69
libafl/src/executors/forkserver.rs
View File

@ -369,6 +369,9 @@ pub trait HasForkserver {
/// The map of the fuzzer, mutable /// The map of the fuzzer, mutable
fn shmem_mut(&mut self) -> &mut Option<<<Self as HasForkserver>::SP as ShMemProvider>::ShMem>; fn shmem_mut(&mut self) -> &mut Option<<<Self as HasForkserver>::SP as ShMemProvider>::ShMem>;
/// Whether testcases are expected in shared memory
fn uses_shmem_testcase(&self) -> bool;
} }
/// The timeout forkserver executor that wraps around the standard forkserver executor and sets a timeout before each run. /// The timeout forkserver executor that wraps around the standard forkserver executor and sets a timeout before each run.
@ -417,21 +420,19 @@ where
let last_run_timed_out = self.executor.forkserver().last_run_timed_out(); let last_run_timed_out = self.executor.forkserver().last_run_timed_out();
match &mut self.executor.shmem_mut() { if self.executor.uses_shmem_testcase() {
Some(shmem) => { let shmem = unsafe { self.executor.shmem_mut().as_mut().unwrap_unchecked() };
let target_bytes = input.target_bytes(); let target_bytes = input.target_bytes();
let size = target_bytes.as_slice().len(); let size = target_bytes.as_slice().len();
let size_in_bytes = size.to_ne_bytes(); let size_in_bytes = size.to_ne_bytes();
// The first four bytes tells the size of the shmem. // The first four bytes tells the size of the shmem.
shmem.as_mut_slice()[..4].copy_from_slice(&size_in_bytes[..4]); shmem.as_mut_slice()[..4].copy_from_slice(&size_in_bytes[..4]);
shmem.as_mut_slice()[SHMEM_FUZZ_HDR_SIZE..(SHMEM_FUZZ_HDR_SIZE + size)] shmem.as_mut_slice()[SHMEM_FUZZ_HDR_SIZE..(SHMEM_FUZZ_HDR_SIZE + size)]
.copy_from_slice(target_bytes.as_slice()); .copy_from_slice(target_bytes.as_slice());
} } else {
None => { self.executor
self.executor .input_file_mut()
.input_file_mut() .write_buf(input.target_bytes().as_slice())?;
.write_buf(input.target_bytes().as_slice())?;
}
} }
let send_len = self let send_len = self
@ -503,6 +504,7 @@ where
target: OsString, target: OsString,
args: Vec<OsString>, args: Vec<OsString>,
input_file: InputFile, input_file: InputFile,
uses_shmem_testcase: bool,
forkserver: Forkserver, forkserver: Forkserver,
observers: OT, observers: OT,
map: Option<SP::ShMem>, map: Option<SP::ShMem>,
@ -521,6 +523,7 @@ where
.field("target", &self.target) .field("target", &self.target)
.field("args", &self.args) .field("args", &self.args)
.field("input_file", &self.input_file) .field("input_file", &self.input_file)
.field("use_shmem_testcase", &self.uses_shmem_testcase)
.field("forkserver", &self.forkserver) .field("forkserver", &self.forkserver)
.field("observers", &self.observers) .field("observers", &self.observers)
.field("map", &self.map) .field("map", &self.map)
@ -572,6 +575,7 @@ pub struct ForkserverExecutorBuilder<'a, SP> {
envs: Vec<(OsString, OsString)>, envs: Vec<(OsString, OsString)>,
debug_child: bool, debug_child: bool,
use_stdin: bool, use_stdin: bool,
uses_shmem_testcase: bool,
is_persistent: bool, is_persistent: bool,
is_deferred_frksrv: bool, is_deferred_frksrv: bool,
autotokens: Option<&'a mut Tokens>, autotokens: Option<&'a mut Tokens>,
@ -651,6 +655,7 @@ impl<'a, SP> ForkserverExecutorBuilder<'a, SP> {
if (status & FS_OPT_SHDMEM_FUZZ == FS_OPT_SHDMEM_FUZZ) && map.is_some() { if (status & FS_OPT_SHDMEM_FUZZ == FS_OPT_SHDMEM_FUZZ) && map.is_some() {
println!("Using SHARED MEMORY FUZZING feature."); println!("Using SHARED MEMORY FUZZING feature.");
send_status |= FS_OPT_SHDMEM_FUZZ; send_status |= FS_OPT_SHDMEM_FUZZ;
self.uses_shmem_testcase = true;
} }
if (status & FS_OPT_AUTODICT == FS_OPT_AUTODICT) && self.autotokens.is_some() { if (status & FS_OPT_AUTODICT == FS_OPT_AUTODICT) && self.autotokens.is_some() {
@ -704,6 +709,7 @@ impl<'a, SP> ForkserverExecutorBuilder<'a, SP> {
target, target,
args: self.arguments.clone(), args: self.arguments.clone(),
input_file, input_file,
uses_shmem_testcase: self.uses_shmem_testcase,
forkserver, forkserver,
observers, observers,
map, map,
@ -765,6 +771,7 @@ impl<'a> ForkserverExecutorBuilder<'a, StdShMemProvider> {
envs: vec![], envs: vec![],
debug_child: false, debug_child: false,
use_stdin: true, use_stdin: true,
uses_shmem_testcase: false,
is_persistent: false, is_persistent: false,
is_deferred_frksrv: false, is_deferred_frksrv: false,
autotokens: None, autotokens: None,
@ -882,6 +889,7 @@ impl<'a> ForkserverExecutorBuilder<'a, StdShMemProvider> {
envs: self.envs, envs: self.envs,
debug_child: self.debug_child, debug_child: self.debug_child,
use_stdin: self.use_stdin, use_stdin: self.use_stdin,
uses_shmem_testcase: self.uses_shmem_testcase,
is_persistent: self.is_persistent, is_persistent: self.is_persistent,
is_deferred_frksrv: self.is_deferred_frksrv, is_deferred_frksrv: self.is_deferred_frksrv,
autotokens: self.autotokens, autotokens: self.autotokens,
@ -917,20 +925,18 @@ where
let mut exit_kind = ExitKind::Ok; let mut exit_kind = ExitKind::Ok;
// Write to testcase // Write to testcase
match &mut self.map { if self.uses_shmem_testcase {
Some(map) => { let map = unsafe { self.map.as_mut().unwrap_unchecked() };
let target_bytes = input.target_bytes(); let target_bytes = input.target_bytes();
let size = target_bytes.as_slice().len(); let size = target_bytes.as_slice().len();
let size_in_bytes = size.to_ne_bytes(); let size_in_bytes = size.to_ne_bytes();
// The first four bytes tells the size of the shmem. // The first four bytes tells the size of the shmem.
map.as_mut_slice()[..SHMEM_FUZZ_HDR_SIZE] map.as_mut_slice()[..SHMEM_FUZZ_HDR_SIZE]
.copy_from_slice(&size_in_bytes[..SHMEM_FUZZ_HDR_SIZE]); .copy_from_slice(&size_in_bytes[..SHMEM_FUZZ_HDR_SIZE]);
map.as_mut_slice()[SHMEM_FUZZ_HDR_SIZE..(SHMEM_FUZZ_HDR_SIZE + size)] map.as_mut_slice()[SHMEM_FUZZ_HDR_SIZE..(SHMEM_FUZZ_HDR_SIZE + size)]
.copy_from_slice(target_bytes.as_slice()); .copy_from_slice(target_bytes.as_slice());
} } else {
None => { self.input_file.write_buf(input.target_bytes().as_slice())?;
self.input_file.write_buf(input.target_bytes().as_slice())?;
}
} }
let send_len = self let send_len = self
@ -1061,6 +1067,11 @@ where
fn shmem_mut(&mut self) -> &mut Option<SP::ShMem> { fn shmem_mut(&mut self) -> &mut Option<SP::ShMem> {
&mut self.map &mut self.map
} }
#[inline]
fn uses_shmem_testcase(&self) -> bool {
self.uses_shmem_testcase
}
} }
impl<E> UsesState for TimeoutForkserverExecutor<E> impl<E> UsesState for TimeoutForkserverExecutor<E>