SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

tidied some more

Browse Source
This commit is contained in:
Dominik Maier 2020-12-31 17:18:37 +01:00
parent d2765c0277
commit 1a88cac145
9 changed files with 27 additions and 153 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
fuzzers/libfuzzer_libpng/Cargo.toml
View File

@ -18,7 +18,7 @@ opt-level = 3
debug = true debug = true
[build-dependencies] [build-dependencies]
cc = "1.0" cc = { version = "1.0", features = ["parallel"] }
num_cpus = "1.0" num_cpus = "1.0"
[dependencies] [dependencies]

2
fuzzers/libfuzzer_libpng/build.rs
View File

@ -16,7 +16,7 @@ fn main() {
println!("cargo:rerun-if-changed=harness.cc"); println!("cargo:rerun-if-changed=harness.cc");
cc::Build::new() cc::Build::new()
.file("./runtime/rt.c") .file("../libfuzzer_runtime/rt.c")
.file("./harness.cc") .file("./harness.cc")
.compile("libfuzzer-sys"); .compile("libfuzzer-sys");

18
fuzzers/libfuzzer_libpng/test.sh Normal file
View File

@ -0,0 +1,18 @@
#!/bin/sh
cargo build --release || exit 1
cp ./target/release/libfuzzer ./.libfuzzer_test.elf
RUST_BACKTRACE=1 taskset -c 0 ./.libfuzzer_test.elf &
test "$!" -gt 0 && {
usleep 250
RUST_BACKTRACE=1 taskset -c 1 ./.libfuzzer_test.elf &
}
sleep 20
echo "[+] Done"
killall .libfuzzer_test.elf
rm -rf ./.libfuzzer_test.elf

0
fuzzers/libfuzzer_libpng/runtime/rt.c → fuzzers/libfuzzer_runtime/rt.c
View File

2
fuzzers/libfuzzer_test/Cargo.toml
View File

@ -18,7 +18,7 @@ opt-level = 3
debug = true debug = true
[build-dependencies] [build-dependencies]
cc = "1.0" cc = { version = "1.0", features = ["parallel"] }
num_cpus = "1.0" num_cpus = "1.0"
[dependencies] [dependencies]

4
fuzzers/libfuzzer_test/build.rs
View File

@ -9,14 +9,14 @@ fn main() {
let out_dir = out_dir.to_string_lossy().to_string(); let out_dir = out_dir.to_string_lossy().to_string();
let _out_dir_path = Path::new(&out_dir); let _out_dir_path = Path::new(&out_dir);
println!("cargo:rerun-if-changed=./runtime/rt.c",); println!("cargo:rerun-if-changed=../libfuzzer_runtime/rt.c",);
println!("cargo:rerun-if-changed=./test/test.c"); println!("cargo:rerun-if-changed=./test/test.c");
// We need clang for pc-guard support // We need clang for pc-guard support
std::env::set_var("CC", "clang"); std::env::set_var("CC", "clang");
cc::Build::new() cc::Build::new()
.file("./runtime/rt.c") .file("../libfuzzer_runtime/rt.c")
.compile("libfuzzer-sys-rt"); .compile("libfuzzer-sys-rt");
cc::Build::new() cc::Build::new()

1
fuzzers/libfuzzer_test/in2/b Normal file
View File

@ -0,0 +1 @@
a

146
fuzzers/libfuzzer_test/runtime/rt.c
View File

@ -1,146 +0,0 @@
#include <stdio.h>
#include <stdint.h>
#define MAP_SIZE 65536
int orig_argc;
char **orig_argv;
char **orig_envp;
uint8_t __lafl_dummy_map[MAP_SIZE];
uint8_t *__lafl_edges_map = __lafl_dummy_map;
uint8_t *__lafl_cmp_map = __lafl_dummy_map;
uint32_t __lafl_max_edges_size = 0;
void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
__lafl_edges_map[*guard]++;
}
void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
if (start == stop || *start) return;
*(start++) = (++__lafl_max_edges_size) & (MAP_SIZE -1);
while (start < stop) {
*start = (++__lafl_max_edges_size) & (MAP_SIZE -1);
start++;
}
}
#define MAX(a, b) \
({ \
\
__typeof__(a) _a = (a); \
__typeof__(b) _b = (b); \
_a > _b ? _a : _b; \
\
})
#if defined(__APPLE__)
#pragma weak __sanitizer_cov_trace_const_cmp1 = __sanitizer_cov_trace_cmp1
#pragma weak __sanitizer_cov_trace_const_cmp2 = __sanitizer_cov_trace_cmp2
#pragma weak __sanitizer_cov_trace_const_cmp4 = __sanitizer_cov_trace_cmp4
#pragma weak __sanitizer_cov_trace_const_cmp8 = __sanitizer_cov_trace_cmp8
#else
void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__sanitizer_cov_trace_cmp1")));
void __sanitizer_cov_trace_const_cmp2(uint16_t arg1, uint16_t arg2)
__attribute__((alias("__sanitizer_cov_trace_cmp2")));
void __sanitizer_cov_trace_const_cmp4(uint32_t arg1, uint32_t arg2)
__attribute__((alias("__sanitizer_cov_trace_cmp4")));
void __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2)
__attribute__((alias("__sanitizer_cov_trace_cmp8")));
#endif
void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) {
uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8);
k &= MAP_SIZE - 1;
__lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
}
void __sanitizer_cov_trace_cmp2(uint16_t arg1, uint16_t arg2) {
uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8);
k &= MAP_SIZE - 1;
__lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
}
void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2) {
uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8);
k &= MAP_SIZE - 1;
__lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
}
void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2) {
uintptr_t k = (uintptr_t)__builtin_return_address(0);
k = (k >> 4) ^ (k << 8);
k &= MAP_SIZE - 1;
__lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcountll(~(arg1 ^ arg2))));
}
void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
uintptr_t rt = (uintptr_t)__builtin_return_address(0);
if (cases[1] == 64) {
for (uint64_t i = 0; i < cases[0]; i++) {
uintptr_t k = rt + i;
k = (k >> 4) ^ (k << 8);
k &= MAP_SIZE - 1;
__lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcountll(~(val ^ cases[i + 2]))));
}
} else {
for (uint64_t i = 0; i < cases[0]; i++) {
uintptr_t k = rt + i;
k = (k >> 4) ^ (k << 8);
k &= MAP_SIZE - 1;
__lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(val ^ cases[i + 2]))));
}
}
}
static void afl_libfuzzer_copy_args(int argc, char** argv, char** envp) {
orig_argc = argc;
orig_argv = argv;
orig_envp = envp;
}
__attribute__((section(".init_array"))) void (* p_afl_libfuzzer_copy_args)(int,char*[],char*[]) = &afl_libfuzzer_copy_args;
__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
void afl_libfuzzer_main();
int afl_libfuzzer_init() {
if (LLVMFuzzerInitialize)
return LLVMFuzzerInitialize(&orig_argc, &orig_argv);
else
return 0;
}

5
fuzzers/libfuzzer_test/test.sh
View File

@ -3,15 +3,16 @@
cargo build --release || exit 1 cargo build --release || exit 1
cp ./target/release/libfuzzer ./.libfuzzer_test.elf cp ./target/release/libfuzzer ./.libfuzzer_test.elf
RUST_BACKTRACE=1 ./.libfuzzer_test.elf & RUST_BACKTRACE=1 taskset -c 0 ./.libfuzzer_test.elf &
test "$!" -gt 0 && { test "$!" -gt 0 && {
usleep 250 usleep 250
RUST_BACKTRACE=1 ./.libfuzzer_test.elf -x a -x b -T5 in1 in2 & RUST_BACKTRACE=1 taskset -c 1 ./.libfuzzer_test.elf -x a -x b -T5 in1 in2 &
} }
sleep 10 sleep 10
echo "[+] Done"
killall .libfuzzer_test.elf killall .libfuzzer_test.elf
rm -rf ./.libfuzzer_test.elf rm -rf ./.libfuzzer_test.elf