tidied some more

2020-12-31 17:18:37 +01:00 · 2020-12-31 17:18:37 +01:00 · 1a88cac145
commit 1a88cac145
parent d2765c0277
9 changed files with 27 additions and 153 deletions
--- a/fuzzers/libfuzzer_libpng/Cargo.toml
+++ b/fuzzers/libfuzzer_libpng/Cargo.toml
@ -18,7 +18,7 @@ opt-level = 3
 debug = true

 [build-dependencies]
-cc = "1.0"
+cc = { version = "1.0", features = ["parallel"] }
 num_cpus = "1.0"

 [dependencies]
--- a/fuzzers/libfuzzer_libpng/build.rs
+++ b/fuzzers/libfuzzer_libpng/build.rs
@ -16,7 +16,7 @@ fn main() {
    println!("cargo:rerun-if-changed=harness.cc");

    cc::Build::new()
-        .file("./runtime/rt.c")
+        .file("../libfuzzer_runtime/rt.c")
        .file("./harness.cc")
        .compile("libfuzzer-sys");

--- a/fuzzers/libfuzzer_libpng/test.sh
+++ b/fuzzers/libfuzzer_libpng/test.sh
@ -0,0 +1,18 @@
+#!/bin/sh
+
+cargo build --release || exit 1
+cp ./target/release/libfuzzer ./.libfuzzer_test.elf
+
+RUST_BACKTRACE=1 taskset -c 0 ./.libfuzzer_test.elf &
+
+test "$!" -gt 0 && {
+
+  usleep 250
+  RUST_BACKTRACE=1 taskset -c 1 ./.libfuzzer_test.elf &
+
+}
+
+sleep 20
+echo "[+] Done"
+killall .libfuzzer_test.elf
+rm -rf ./.libfuzzer_test.elf
--- a/fuzzers/libfuzzer_libpng/runtime/rt.c
+++ b/fuzzers/libfuzzer_libpng/runtime/rt.c
--- a/fuzzers/libfuzzer_test/Cargo.toml
+++ b/fuzzers/libfuzzer_test/Cargo.toml
@ -18,7 +18,7 @@ opt-level = 3
 debug = true

 [build-dependencies]
-cc = "1.0"
+cc = { version = "1.0", features = ["parallel"] }
 num_cpus = "1.0"

 [dependencies]
--- a/fuzzers/libfuzzer_test/build.rs
+++ b/fuzzers/libfuzzer_test/build.rs
@ -9,14 +9,14 @@ fn main() {
    let out_dir = out_dir.to_string_lossy().to_string();
    let _out_dir_path = Path::new(&out_dir);

-    println!("cargo:rerun-if-changed=./runtime/rt.c",);
+    println!("cargo:rerun-if-changed=../libfuzzer_runtime/rt.c",);
    println!("cargo:rerun-if-changed=./test/test.c");

    // We need clang for pc-guard support
    std::env::set_var("CC", "clang");

    cc::Build::new()
-        .file("./runtime/rt.c")
+        .file("../libfuzzer_runtime/rt.c")
        .compile("libfuzzer-sys-rt");

    cc::Build::new()
--- a/fuzzers/libfuzzer_test/in2/b
+++ b/fuzzers/libfuzzer_test/in2/b
@ -0,0 +1 @@
+a
--- a/fuzzers/libfuzzer_test/runtime/rt.c
+++ b/fuzzers/libfuzzer_test/runtime/rt.c
@ -1,146 +0,0 @@
-#include <stdio.h>
-#include <stdint.h>
-
-#define MAP_SIZE 65536
-
-int orig_argc;
-char **orig_argv;
-char **orig_envp;
-
-uint8_t  __lafl_dummy_map[MAP_SIZE];
-
-uint8_t *__lafl_edges_map = __lafl_dummy_map;
-uint8_t *__lafl_cmp_map = __lafl_dummy_map;
-
-uint32_t __lafl_max_edges_size = 0;
-
-void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
-
-  __lafl_edges_map[*guard]++;
-
-}
-
-void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
-
-  if (start == stop || *start) return;
-
-  *(start++) = (++__lafl_max_edges_size) & (MAP_SIZE -1);
-
-  while (start < stop) {
-
-    *start = (++__lafl_max_edges_size) & (MAP_SIZE -1);
-    start++;
-
-  }
-
-}
-
-#define MAX(a, b)           \
-  ({                        \
-                            \
-    __typeof__(a) _a = (a); \
-    __typeof__(b) _b = (b); \
-    _a > _b ? _a : _b;      \
-                            \
-  })
-
-#if defined(__APPLE__)
-  #pragma weak __sanitizer_cov_trace_const_cmp1 = __sanitizer_cov_trace_cmp1
-  #pragma weak __sanitizer_cov_trace_const_cmp2 = __sanitizer_cov_trace_cmp2
-  #pragma weak __sanitizer_cov_trace_const_cmp4 = __sanitizer_cov_trace_cmp4
-  #pragma weak __sanitizer_cov_trace_const_cmp8 = __sanitizer_cov_trace_cmp8
-#else
-void __sanitizer_cov_trace_const_cmp1(uint8_t arg1, uint8_t arg2) __attribute__((alias("__sanitizer_cov_trace_cmp1")));
-void __sanitizer_cov_trace_const_cmp2(uint16_t arg1, uint16_t arg2)
-    __attribute__((alias("__sanitizer_cov_trace_cmp2")));
-void __sanitizer_cov_trace_const_cmp4(uint32_t arg1, uint32_t arg2)
-    __attribute__((alias("__sanitizer_cov_trace_cmp4")));
-void __sanitizer_cov_trace_const_cmp8(uint64_t arg1, uint64_t arg2)
-    __attribute__((alias("__sanitizer_cov_trace_cmp8")));
-#endif
-
-void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) {
-
-  uintptr_t k = (uintptr_t)__builtin_return_address(0);
-  k = (k >> 4) ^ (k << 8);
-  k &= MAP_SIZE - 1;
-  __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
-
-}
-
-void __sanitizer_cov_trace_cmp2(uint16_t arg1, uint16_t arg2) {
-
-  uintptr_t k = (uintptr_t)__builtin_return_address(0);
-  k = (k >> 4) ^ (k << 8);
-  k &= MAP_SIZE - 1;
-  __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
-
-}
-
-void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2) {
-
-  uintptr_t k = (uintptr_t)__builtin_return_address(0);
-  k = (k >> 4) ^ (k << 8);
-  k &= MAP_SIZE - 1;
-  __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(arg1 ^ arg2))));
-
-}
-
-void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2) {
-
-  uintptr_t k = (uintptr_t)__builtin_return_address(0);
-  k = (k >> 4) ^ (k << 8);
-  k &= MAP_SIZE - 1;
-  __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcountll(~(arg1 ^ arg2))));
-
-}
-
-void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
-
-  uintptr_t rt = (uintptr_t)__builtin_return_address(0);
-  if (cases[1] == 64) {
-
-    for (uint64_t i = 0; i < cases[0]; i++) {
-
-      uintptr_t k = rt + i;
-      k = (k >> 4) ^ (k << 8);
-      k &= MAP_SIZE - 1;
-      __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcountll(~(val ^ cases[i + 2]))));
-
-    }
-
-  } else {
-
-    for (uint64_t i = 0; i < cases[0]; i++) {
-
-      uintptr_t k = rt + i;
-      k = (k >> 4) ^ (k << 8);
-      k &= MAP_SIZE - 1;
-      __lafl_cmp_map[k] = MAX(__lafl_cmp_map[k], (__builtin_popcount(~(val ^ cases[i + 2]))));
-
-    }
-
-  }
-
-}
-
-
- static void afl_libfuzzer_copy_args(int argc, char** argv, char** envp) {
-   orig_argc = argc;
-   orig_argv = argv;
-   orig_envp = envp;
-}
-
-__attribute__((section(".init_array"))) void (* p_afl_libfuzzer_copy_args)(int,char*[],char*[]) = &afl_libfuzzer_copy_args;
-
-__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
-void afl_libfuzzer_main();
-
-int afl_libfuzzer_init() {
-
-  if (LLVMFuzzerInitialize)
-    return LLVMFuzzerInitialize(&orig_argc, &orig_argv);
-  else
-   return 0;
-
-}
--- a/fuzzers/libfuzzer_test/test.sh
+++ b/fuzzers/libfuzzer_test/test.sh
@ -3,15 +3,16 @@
 cargo build --release || exit 1
 cp ./target/release/libfuzzer ./.libfuzzer_test.elf

-RUST_BACKTRACE=1 ./.libfuzzer_test.elf &
+RUST_BACKTRACE=1 taskset -c 0 ./.libfuzzer_test.elf &

 test "$!" -gt 0 && {

  usleep 250
-  RUST_BACKTRACE=1 ./.libfuzzer_test.elf -x a -x b -T5 in1 in2 &
+  RUST_BACKTRACE=1 taskset -c 1 ./.libfuzzer_test.elf -x a -x b -T5 in1 in2 &

 }

 sleep 10
+echo "[+] Done"
 killall .libfuzzer_test.elf
 rm -rf ./.libfuzzer_test.elf