diff --git a/fuzzers/libfuzzer_libpng/Cargo.toml b/fuzzers/libfuzzer_libpng/Cargo.toml
index 80b836a0cc..dc8ed1d228 100644
--- a/fuzzers/libfuzzer_libpng/Cargo.toml
+++ b/fuzzers/libfuzzer_libpng/Cargo.toml
@@ -18,7 +18,7 @@ opt-level = 3
 debug = true
 
 [build-dependencies]
-cc = "1.0"
+cc = { version = "1.0", features = ["parallel"] }
 num_cpus = "1.0"
 
 [dependencies]
diff --git a/fuzzers/libfuzzer_libpng/build.rs b/fuzzers/libfuzzer_libpng/build.rs
index cc702048da..f15c5f7bb9 100644
--- a/fuzzers/libfuzzer_libpng/build.rs
+++ b/fuzzers/libfuzzer_libpng/build.rs
@@ -16,7 +16,7 @@ fn main() {
     println!("cargo:rerun-if-changed=harness.cc");
 
     cc::Build::new()
-        .file("./runtime/rt.c")
+        .file("../libfuzzer_runtime/rt.c")
         .file("./harness.cc")
         .compile("libfuzzer-sys");
 
diff --git a/fuzzers/libfuzzer_libpng/test.sh b/fuzzers/libfuzzer_libpng/test.sh
new file mode 100644
index 0000000000..d62ee24987
--- /dev/null
+++ b/fuzzers/libfuzzer_libpng/test.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+cargo build --release || exit 1
+cp ./target/release/libfuzzer ./.libfuzzer_test.elf
+
+RUST_BACKTRACE=1 taskset -c 0 ./.libfuzzer_test.elf &
+
+test "$!" -gt 0 && {
+
+  usleep 250
+  RUST_BACKTRACE=1 taskset -c 1 ./.libfuzzer_test.elf &
+
+}
+
+sleep 20
+echo "[+] Done"
+killall .libfuzzer_test.elf
+rm -rf ./.libfuzzer_test.elf
\ No newline at end of file
diff --git a/fuzzers/libfuzzer_libpng/runtime/rt.c b/fuzzers/libfuzzer_runtime/rt.c
similarity index 100%
rename from fuzzers/libfuzzer_libpng/runtime/rt.c
rename to fuzzers/libfuzzer_runtime/rt.c
diff --git a/fuzzers/libfuzzer_test/Cargo.toml b/fuzzers/libfuzzer_test/Cargo.toml
index ba4027e0de..ac1c980c90 100644
--- a/fuzzers/libfuzzer_test/Cargo.toml
+++ b/fuzzers/libfuzzer_test/Cargo.toml
@@ -18,7 +18,7 @@ opt-level = 3
 debug = true
 
 [build-dependencies]
-cc = "1.0"
+cc = { version = "1.0", features = ["parallel"] }
 num_cpus = "1.0"
 
 [dependencies]
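Review bot: The new `.file("../libfuzzer_runtime/rt.c")` in `fuzzers/libfuzzer_libpng/build.rs` has no matching `cargo:rerun-if-changed` in this hunk, only the one for `harness.cc`; if an older `rerun-if-changed=./runtime/rt.c` directive exists above the hunk it now names a path this commit removes, and edits to the shared runtime will no longer trigger a rebuild of this crate. The sibling hunk in `fuzzers/libfuzzer_test/build.rs` does update its directive, so the two build scripts should agree; add `println!("cargo:rerun-if-changed=../libfuzzer_runtime/rt.c");` next to the `harness.cc` line. The body of `main` starts and ends outside the hunk.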
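Review bot: `killall .libfuzzer_test.elf` at the end of the new `fuzzers/libfuzzer_libpng/test.sh` terminates by process name rather than by the PIDs the script itself started, so a concurrent run of this script, or any other process that happens to carry that name, is killed as well, while `$!` is only used to check that it is non-zero. Record both PIDs and signal exactly those: `pid1=$!` after the first `&`, `pid2=$!` after the second, then `kill "$pid1" "$pid2" 2>/dev/null` in place of the `killall`. Two smaller points in the same file: `usleep 250` sleeps 250 microseconds, not milliseconds, and `usleep` is not a POSIX utility, so it may be missing under `#!/bin/sh`; and `taskset -c 0` / `taskset -c 1` hard-code two Linux CPU ids, which fails on single-core hosts and on non-Linux systems. The same `taskset` pinning and `killall` cleanup appear in the `fuzzers/libfuzzer_test/test.sh` hunk.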
diff --git a/fuzzers/libfuzzer_test/build.rs b/fuzzers/libfuzzer_test/build.rs
index 757bc7b0d5..501ea55fb5 100644
--- a/fuzzers/libfuzzer_test/build.rs
+++ b/fuzzers/libfuzzer_test/build.rs
@@ -9,14 +9,14 @@ fn main() {
     let out_dir = out_dir.to_string_lossy().to_string();
     let _out_dir_path = Path::new(&out_dir);
 
-    println!("cargo:rerun-if-changed=./runtime/rt.c",);
+    println!("cargo:rerun-if-changed=../libfuzzer_runtime/rt.c",);
     println!("cargo:rerun-if-changed=./test/test.c");
 
     // We need clang for pc-guard support
     std::env::set_var("CC", "clang");
 
     cc::Build::new()
-        .file("./runtime/rt.c")
+        .file("../libfuzzer_runtime/rt.c")
         .compile("libfuzzer-sys-rt");
 
     cc::Build::new()
diff --git a/fuzzers/libfuzzer_test/in2/b b/fuzzers/libfuzzer_test/in2/b
new file mode 100644
index 0000000000..2e65efe2a1
--- /dev/null
+++ b/fuzzers/libfuzzer_test/in2/b
@@ -0,0 +1 @@
+a
\ No newline at end of file
diff --git a/fuzzers/libfuzzer_test/runtime/rt.c b/fuzzers/libfuzzer_test/runtime/rt.c
deleted file mode 100644
index 164c3351cc..0000000000
--- a/fuzzers/libfuzzer_test/runtime/rt.c
+++ /dev/null
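Review bot: The new `rerun-if-changed` line keeps a stray trailing comma inside the macro call, `println!("cargo:rerun-if-changed=../libfuzzer_runtime/rt.c",);`; it compiles, but it is inconsistent with the `./test/test.c` line directly below it and should read `println!("cargo:rerun-if-changed=../libfuzzer_runtime/rt.c");`. Both new paths reach outside the package root with `..`, which works for an in-tree build because cargo runs the build script with the package directory as its working directory, but it means the crate is no longer self-contained; a short comment such as `// rt.c is shared with libfuzzer_libpng and lives in ../libfuzzer_runtime/` above the first `println!` would save the next reader a search. The body of `main` continues past the hunk.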
@@ -1,146 +0,0 @@
-#include
-#include
-
-#define MAP_SIZE 65536
-
-int orig_argc;
-char **orig_argv;
-char **orig_envp;
-
-uint8_t __lafl_dummy_map[MAP_SIZE];
-
-uint8_t *__lafl_edges_map = __lafl_dummy_map;
-uint8_t *__lafl_cmp_map = __lafl_dummy_map;
-
-uint32_t __lafl_max_edges_size = 0;
-
-void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
-
-  __lafl_edges_map[*guard]++;
-
-}
-
-void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
-
-  if (start == stop || *start) return;
-
-  *(start++) = (++__lafl_max_edges_size) & (MAP_SIZE -1);
-
-  while (start < stop) {
-
-    *start = (++__lafl_max_edges_size) & (MAP_SIZE -1);
-    start++;
-
-  }
-
-}
-
-#define MAX(a, b) \
-  ({ \
- \
-    __typeof__(a) _a = (a); \
-    __typeof__(b) _b = (b); \
-    _a > _b ? _a : _b; \
- \
-  })
-
-#if defined(__APPLE__)
-  #pragma weak __sanitizer_cov_trace_const_cmp1 = __sanitizer_cov_trace_cmp1
-  #pragma weak __sanitizer_cov_trace_const_cmp2 = __sanitizer_cov_trace_cmp2
-  #pragma weak __sanitizer_cov_trace_const_cmp4 = __sanitizer_cov_trace_cmp4
-  #pragma weak __sanitizer_cov_trace_const_cmp8 = __sanitizer_cov_trace_cmp8
-#else
-void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__sanitizer_cov_trace_cmp1")));
-void __sanitizer_cov_trace_const_cmp2(uint16_t arg1, uint16_t arg2)
-    __attribute__((alias("__sanitizer_cov_trace_cmp2")));
-void __sanitizer_cov_trace_const_cmp4(uint32_t arg1, uint32_t arg2)
-    __attribute__((alias("__sanitizer_cov_trace_cmp4")));
-void __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2)
-    __attribute__((alias("__sanitizer_cov_trace_cmp8")));
-#endif
-
-void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) {
-
-  uintptr_t k = (uintptr_t)__builtin_return_address(0);
-  k = (k >> 4) ^ (k << 8);
-  k &= MAP_SIZE - 1;
-  __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
-
-}
-
-void __sanitizer_cov_trace_cmp2(uint16_t arg1, uint16_t arg2) {
-
-  uintptr_t k = (uintptr_t)__builtin_return_address(0);
-  k = (k >> 4) ^ (k << 8);
-  k &= MAP_SIZE - 1;
-  __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
-
-}
-
-void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2) {
-
-  uintptr_t k = (uintptr_t)__builtin_return_address(0);
-  k = (k >> 4) ^ (k << 8);
-  k &= MAP_SIZE - 1;
-  __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
-
-}
-
-void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2) {
-
-  uintptr_t k = (uintptr_t)__builtin_return_address(0);
-  k = (k >> 4) ^ (k << 8);
-  k &= MAP_SIZE - 1;
-  __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcountll(~(arg1 ^ arg2))));
-
-}
-
-void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
-
-  uintptr_t rt = (uintptr_t)__builtin_return_address(0);
-  if (cases[1] == 64) {
-
-    for (uint64_t i = 0; i < cases[0]; i++) {
-
-      uintptr_t k = rt + i;
-      k = (k >> 4) ^ (k << 8);
-      k &= MAP_SIZE - 1;
-      __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcountll(~(val ^ cases[i + 2]))));
-
-    }
-
-  } else {
-
-    for (uint64_t i = 0; i < cases[0]; i++) {
-
-      uintptr_t k = rt + i;
-      k = (k >> 4) ^ (k << 8);
-      k &= MAP_SIZE - 1;
-      __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(val ^ cases[i + 2]))));
-
-    }
-
-  }
-
-}
-
-
- static void afl_libfuzzer_copy_args(int argc, char** argv, char** envp) {
-  orig_argc = argc;
-  orig_argv = argv;
-  orig_envp = envp;
-}
-
-__attribute__((section(".init_array"))) void (* p_afl_libfuzzer_copy_args)(int,char*[],char*[]) = &afl_libfuzzer_copy_args;
-
-__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
-void afl_libfuzzer_main();
-
-int afl_libfuzzer_init() {
-
-  if (LLVMFuzzerInitialize)
-    return LLVMFuzzerInitialize(&orig_argc, &orig_argv);
-  else
-    return 0;
-
-}
diff --git a/fuzzers/libfuzzer_test/test.sh b/fuzzers/libfuzzer_test/test.sh
index baa2ef0030..0f970622bc 100644
--- a/fuzzers/libfuzzer_test/test.sh
+++ b/fuzzers/libfuzzer_test/test.sh
@@ -3,15 +3,16 @@
 cargo build --release || exit 1
 cp ./target/release/libfuzzer ./.libfuzzer_test.elf
 
-RUST_BACKTRACE=1 ./.libfuzzer_test.elf &
+RUST_BACKTRACE=1 taskset -c 0 ./.libfuzzer_test.elf &
 
 test "$!" -gt 0 && {
 
   usleep 250
-  RUST_BACKTRACE=1 ./.libfuzzer_test.elf -x a -x b -T5 in1 in2 &
+  RUST_BACKTRACE=1 taskset -c 1 ./.libfuzzer_test.elf -x a -x b -T5 in1 in2 &
 
 }
 
 sleep 10
+echo "[+] Done"
 killall .libfuzzer_test.elf
 rm -rf ./.libfuzzer_test.elf
\ No newline at end of file