SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Specify that InProcessForkExecutor should abort on panic (#2803)

Browse Source 
* Revert "New year new clippy (#2797)"

This reverts commit deb76555b75ca2ccac83b83a6db1a276c07080b5.

* Mention that program should panic when using InProcessForkExecutor

* Reapply "New year new clippy (#2797)"

This reverts commit 529213ef6334fc18e1898f3cfbd8bed24c312522.
This commit is contained in:
henri2h 2025-01-02 15:57:57 +01:00 committed by GitHub
parent deb76555b7
commit 187e06cb11
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
docs/src/core_concepts/executor.md
View File

@ -14,6 +14,7 @@ In Rust, we bind this concept to the [`Executor`](https://docs.rs/libafl/latest/
By default, we implement some commonly used Executors such as [`InProcessExecutor`](https://docs.rs/libafl/latest/libafl/executors/inprocess/type.InProcessExecutor.html) in which the target is a harness function providing in-process crash detection. Another Executor is the [`ForkserverExecutor`](https://docs.rs/libafl/latest/libafl/executors/forkserver/struct.ForkserverExecutor.html) that implements an AFL-like mechanism to spawn child processes to fuzz. By default, we implement some commonly used Executors such as [`InProcessExecutor`](https://docs.rs/libafl/latest/libafl/executors/inprocess/type.InProcessExecutor.html) in which the target is a harness function providing in-process crash detection. Another Executor is the [`ForkserverExecutor`](https://docs.rs/libafl/latest/libafl/executors/forkserver/struct.ForkserverExecutor.html) that implements an AFL-like mechanism to spawn child processes to fuzz.
## InProcessExecutor ## InProcessExecutor
Let's begin with the base case; `InProcessExecutor`. Let's begin with the base case; `InProcessExecutor`.
This executor executes the harness program (function) inside the fuzzer process. This executor executes the harness program (function) inside the fuzzer process.
@ -22,6 +23,7 @@ When you want to execute the harness as fast as possible, you will most probably
One thing to note here is, when your harness is likely to have heap corruption bugs, you want to use another allocator so that corrupted heap does not affect the fuzzer itself. (For example, we adopt MiMalloc in some of our fuzzers.). Alternatively you can compile your harness with address sanitizer to make sure you can catch these heap bugs. One thing to note here is, when your harness is likely to have heap corruption bugs, you want to use another allocator so that corrupted heap does not affect the fuzzer itself. (For example, we adopt MiMalloc in some of our fuzzers.). Alternatively you can compile your harness with address sanitizer to make sure you can catch these heap bugs.
## ForkserverExecutor ## ForkserverExecutor
Next, we'll take a look at the `ForkserverExecutor`. In this case, it is `afl-cc` (from AFL/AFLplusplus) that compiles the harness code, and therefore, we can't use `EDGES_MAP` anymore. Fortunately we have [_a way_](https://github.com/AFLplusplus/AFLplusplus/blob/2e15661f184c77ac1fbb6f868c894e946cbb7f17/instrumentation/afl-compiler-rt.o.c#L270) to tell the forkserver which map to record the coverage in. Next, we'll take a look at the `ForkserverExecutor`. In this case, it is `afl-cc` (from AFL/AFLplusplus) that compiles the harness code, and therefore, we can't use `EDGES_MAP` anymore. Fortunately we have [_a way_](https://github.com/AFLplusplus/AFLplusplus/blob/2e15661f184c77ac1fbb6f868c894e946cbb7f17/instrumentation/afl-compiler-rt.o.c#L270) to tell the forkserver which map to record the coverage in.
As you can see from the forkserver example, As you can see from the forkserver example,
@ -66,3 +68,16 @@ unsafe{
``` ```
Again, you can pass this shmem map to your `Observer` and `Feedback` to obtain coverage feedbacks. Again, you can pass this shmem map to your `Observer` and `Feedback` to obtain coverage feedbacks.
Additionaly to allow the fuzzer to know when the child has crashed, the program should abort instead of unwinding upon a panic.
Without it, no crashes are saved by the fuzzer.
Cargo.toml:
```toml
[profile.dev]
panic = "abort"
[profile.release]
panic = "abort"
```