SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fixed testcases

Browse Source
This commit is contained in:
Dominik Maier 2021-02-04 21:17:08 +01:00
parent beca91e3d3
commit 2440aaedfc
9 changed files with 53 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
afl/src/events/mod.rs
View File

@ -14,13 +14,13 @@ use serde::{Deserialize, Serialize};
use crate::shmem::AflShmem;
use crate::{
corpus::Corpus,
engines::State,
feedbacks::FeedbacksTuple,
inputs::Input,
llmp::{self, LlmpClient, LlmpClientDescription, Tag},
observers::ObserversTuple,
serde_anymap::Ptr,
shmem::ShMem,
state::State,
utils::{current_time, Rand},
AflError,
};

6
afl/src/executors/inmemory.rs
View File

@ -4,12 +4,12 @@ use os_signals::set_oncrash_ptrs;
use crate::{
corpus::Corpus,
engines::State,
events::EventManager,
executors::{Executor, ExitKind, HasObservers},
feedbacks::FeedbacksTuple,
inputs::{HasTargetBytes, Input},
observers::ObserversTuple,
state::State,
tuples::Named,
utils::Rand,
AflError,
@ -205,8 +205,8 @@ pub mod unix_signals {
};
use crate::{
corpus::Corpus, engines::State, events::EventManager, feedbacks::FeedbacksTuple,
inputs::Input, observers::ObserversTuple, utils::Rand,
corpus::Corpus, events::EventManager, feedbacks::FeedbacksTuple, inputs::Input,
observers::ObserversTuple, state::State, utils::Rand,
};
/// Pointers to values only needed on crash. As the program will not continue after a crash,

2
afl/src/executors/mod.rs
View File

@ -9,11 +9,11 @@ use core::marker::PhantomData;
use crate::{
corpus::Corpus,
engines::State,
events::EventManager,
feedbacks::FeedbacksTuple,
inputs::{HasTargetBytes, Input},
observers::ObserversTuple,
state::State,
tuples::{MatchNameAndType, MatchType, Named, TupleList},
utils::Rand,
AflError,

2
afl/src/lib.rs
View File

@ -10,7 +10,6 @@ extern crate alloc;
extern crate static_assertions;
pub mod corpus;
pub mod engines;
pub mod events;
pub mod executors;
pub mod feedbacks;
@ -23,6 +22,7 @@ pub mod observers;
pub mod serde_anymap;
pub mod shmem;
pub mod stages;
pub mod state;
pub mod tuples;
pub mod utils;

33
afl/src/stages/mod.rs
View File

@ -3,12 +3,12 @@ pub use mutational::StdMutationalStage;
use crate::{
corpus::Corpus,
engines::State,
events::EventManager,
executors::{Executor, ExecutorsTuple, HasObservers},
executors::{Executor, HasObservers},
feedbacks::FeedbacksTuple,
inputs::Input,
observers::ObserversTuple,
state::State,
tuples::TupleList,
utils::Rand,
AflError,
@ -16,13 +16,12 @@ use crate::{
/// A stage is one step in the fuzzing process.
/// Multiple stages will be scheduled one by one for each input.
pub trait Stage<EM, E, OT, FT, ET, C, I, R>
pub trait Stage<EM, E, OT, FT, C, I, R>
where
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
@ -39,13 +38,12 @@ where
) -> Result<(), AflError>;
}
pub trait StagesTuple<EM, E, OT, FT, ET, C, I, R>
pub trait StagesTuple<EM, E, OT, FT, C, I, R>
where
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
@ -59,17 +57,16 @@ where
manager: &mut EM,
corpus_idx: usize,
) -> Result<(), AflError>;
fn for_each(&self, f: fn(&dyn Stage<EM, E, OT, FT, ET, C, I, R>));
fn for_each_mut(&mut self, f: fn(&mut dyn Stage<EM, E, OT, FT, ET, C, I, R>));
fn for_each(&self, f: fn(&dyn Stage<EM, E, OT, FT, C, I, R>));
fn for_each_mut(&mut self, f: fn(&mut dyn Stage<EM, E, OT, FT, C, I, R>));
}
impl<EM, E, OT, FT, ET, C, I, R> StagesTuple<EM, E, OT, FT, ET, C, I, R> for ()
impl<EM, E, OT, FT, C, I, R> StagesTuple<EM, E, OT, FT, C, I, R> for ()
where
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
@ -85,20 +82,18 @@ where
) -> Result<(), AflError> {
Ok(())
}
fn for_each(&self, _f: fn(&dyn Stage<EM, E, OT, FT, ET, C, I, R>)) {}
fn for_each_mut(&mut self, _f: fn(&mut dyn Stage<EM, E, OT, FT, ET, C, I, R>)) {}
fn for_each(&self, _f: fn(&dyn Stage<EM, E, OT, FT, C, I, R>)) {}
fn for_each_mut(&mut self, _f: fn(&mut dyn Stage<EM, E, OT, FT, C, I, R>)) {}
}
impl<Head, Tail, EM, E, OT, FT, ET, C, I, R> StagesTuple<EM, E, OT, FT, ET, C, I, R>
for (Head, Tail)
impl<Head, Tail, EM, E, OT, FT, C, I, R> StagesTuple<EM, E, OT, FT, C, I, R> for (Head, Tail)
where
Head: Stage<EM, E, OT, FT, ET, C, I, R>,
Tail: StagesTuple<EM, E, OT, FT, ET, C, I, R> + TupleList,
Head: Stage<EM, E, OT, FT, C, I, R>,
Tail: StagesTuple<EM, E, OT, FT, C, I, R> + TupleList,
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
@ -118,12 +113,12 @@ where
.perform_all(rand, executor, state, corpus, manager, corpus_idx)
}
fn for_each(&self, f: fn(&dyn Stage<EM, E, OT, FT, ET, C, I, R>)) {
fn for_each(&self, f: fn(&dyn Stage<EM, E, OT, FT, C, I, R>)) {
f(&self.0);
self.1.for_each(f)
}
fn for_each_mut(&mut self, f: fn(&mut dyn Stage<EM, E, OT, FT, ET, C, I, R>)) {
fn for_each_mut(&mut self, f: fn(&mut dyn Stage<EM, E, OT, FT, C, I, R>)) {
f(&mut self.0);
self.1.for_each_mut(f)
}

26
afl/src/stages/mutational.rs
View File

@ -1,15 +1,15 @@
use core::marker::PhantomData;
use crate::{
engines::State,
events::EventManager,
executors::{Executor, ExecutorsTuple, HasObservers},
executors::{Executor, HasObservers},
feedbacks::FeedbacksTuple,
inputs::Input,
mutators::Mutator,
observers::ObserversTuple,
stages::Corpus,
stages::Stage,
state::State,
utils::Rand,
AflError,
};
@ -19,15 +19,13 @@ use crate::{
/// A Mutational stage is the stage in a fuzzing run that mutates inputs.
/// Mutational stages will usually have a range of mutations that are
/// being applied to the input one by one, between executions.
pub trait MutationalStage<M, EM, E, OT, FT, ET, C, I, R>:
Stage<EM, E, OT, FT, ET, C, I, R>
pub trait MutationalStage<M, EM, E, OT, FT, C, I, R>: Stage<EM, E, OT, FT, C, I, R>
where
M: Mutator<C, I, R>,
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
@ -88,31 +86,29 @@ where
#[derive(Clone, Debug)]
/// The default mutational stage
pub struct StdMutationalStage<M, EM, E, OT, FT, ET, C, I, R>
pub struct StdMutationalStage<M, EM, E, OT, FT, C, I, R>
where
M: Mutator<C, I, R>,
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
{
mutator: M,
phantom: PhantomData<(EM, E, OT, FT, ET, C, I, R)>,
phantom: PhantomData<(EM, E, OT, FT, C, I, R)>,
}
impl<M, EM, E, OT, FT, ET, C, I, R> MutationalStage<M, EM, E, OT, FT, ET, C, I, R>
for StdMutationalStage<M, EM, E, OT, FT, ET, C, I, R>
impl<M, EM, E, OT, FT, C, I, R> MutationalStage<M, EM, E, OT, FT, C, I, R>
for StdMutationalStage<M, EM, E, OT, FT, C, I, R>
where
M: Mutator<C, I, R>,
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
@ -130,15 +126,14 @@ where
}
}
impl<M, EM, E, OT, FT, ET, C, I, R> Stage<EM, E, OT, FT, ET, C, I, R>
for StdMutationalStage<M, EM, E, OT, FT, ET, C, I, R>
impl<M, EM, E, OT, FT, C, I, R> Stage<EM, E, OT, FT, C, I, R>
for StdMutationalStage<M, EM, E, OT, FT, C, I, R>
where
M: Mutator<C, I, R>,
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
@ -157,14 +152,13 @@ where
}
}
impl<M, EM, E, OT, FT, ET, C, I, R> StdMutationalStage<M, EM, E, OT, FT, ET, C, I, R>
impl<M, EM, E, OT, FT, C, I, R> StdMutationalStage<M, EM, E, OT, FT, C, I, R>
where
M: Mutator<C, I, R>,
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,

37
afl/src/engines/mod.rs → afl/src/state/mod.rs
View File

@ -1,4 +1,4 @@
//! The engine is the core piece of every good fuzzer
//! The fuzzer, and state are the core pieces of every good fuzzer
use core::{fmt::Debug, marker::PhantomData};
use serde::{Deserialize, Serialize};
@ -11,7 +11,7 @@ use std::{
use crate::{
corpus::{Corpus, Testcase},
events::EventManager,
executors::{Executor, ExecutorsTuple, HasObservers},
executors::{Executor, HasObservers},
feedbacks::FeedbacksTuple,
generators::Generator,
inputs::Input,
@ -288,7 +288,7 @@ where
}
}
pub fn generate_initial_inputs<G, C, E, OT, ET, EM>(
pub fn generate_initial_inputs<G, C, E, OT, EM>(
&mut self,
rand: &mut R,
executor: &mut E,
@ -302,7 +302,6 @@ where
C: Corpus<I, R>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
ET: ExecutorsTuple<I>,
EM: EventManager<I>,
{
let mut added = 0;
@ -332,14 +331,13 @@ where
}
}
pub trait Fuzzer<ST, EM, E, OT, FT, ET, C, I, R>
pub trait Fuzzer<ST, EM, E, OT, FT, C, I, R>
where
ST: StagesTuple<EM, E, OT, FT, ET, C, I, R>,
ST: StagesTuple<EM, E, OT, FT, C, I, R>,
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
@ -386,31 +384,29 @@ where
}
#[derive(Clone, Debug)]
pub struct StdFuzzer<ST, EM, E, OT, FT, ET, C, I, R>
pub struct StdFuzzer<ST, EM, E, OT, FT, C, I, R>
where
ST: StagesTuple<EM, E, OT, FT, ET, C, I, R>,
ST: StagesTuple<EM, E, OT, FT, C, I, R>,
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
{
stages: ST,
phantom: PhantomData<(EM, E, OT, FT, ET, C, I, R)>,
phantom: PhantomData<(EM, E, OT, FT, C, I, R)>,
}
impl<ST, EM, E, OT, FT, ET, C, I, R> Fuzzer<ST, EM, E, OT, FT, ET, C, I, R>
for StdFuzzer<ST, EM, E, OT, FT, ET, C, I, R>
impl<ST, EM, E, OT, FT, C, I, R> Fuzzer<ST, EM, E, OT, FT, C, I, R>
for StdFuzzer<ST, EM, E, OT, FT, C, I, R>
where
ST: StagesTuple<EM, E, OT, FT, ET, C, I, R>,
ST: StagesTuple<EM, E, OT, FT, C, I, R>,
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
@ -424,14 +420,13 @@ where
}
}
impl<ST, EM, E, OT, FT, ET, C, I, R> StdFuzzer<ST, EM, E, OT, FT, ET, C, I, R>
impl<ST, EM, E, OT, FT, C, I, R> StdFuzzer<ST, EM, E, OT, FT, C, I, R>
where
ST: StagesTuple<EM, E, OT, FT, ET, C, I, R>,
ST: StagesTuple<EM, E, OT, FT, C, I, R>,
EM: EventManager<I>,
E: Executor<I> + HasObservers<OT>,
OT: ObserversTuple,
FT: FeedbacksTuple<I>,
ET: ExecutorsTuple<I>,
C: Corpus<I, R>,
I: Input,
R: Rand,
@ -451,11 +446,11 @@ mod tests {
use crate::{
corpus::{Corpus, InMemoryCorpus, Testcase},
engines::{Fuzzer, State, StdFuzzer},
executors::{Executor, ExitKind, InMemoryExecutor},
inputs::{BytesInput, Input},
mutators::{mutation_bitflip, ComposedByMutations, StdScheduledMutator},
stages::StdMutationalStage,
state::{Fuzzer, State, StdFuzzer},
tuples::tuple_list,
utils::StdRand,
};
@ -468,7 +463,7 @@ mod tests {
}
#[test]
fn test_engine() {
fn test_fuzzer() {
let mut rand = StdRand::new(0);
let mut corpus = InMemoryCorpus::<BytesInput, StdRand>::new();
@ -481,7 +476,7 @@ mod tests {
println!("{}", s);
}));
let executor = InMemoryExecutor::new(
let mut executor = InMemoryExecutor::new(
"main",
harness,
tuple_list!(),

2
afl/src/utils.rs
View File

@ -11,11 +11,11 @@ use std::time::{SystemTime, UNIX_EPOCH};
use crate::{
corpus::Corpus,
engines::State,
events::{LlmpEventManager, Stats},
feedbacks::FeedbacksTuple,
inputs::Input,
shmem::ShMem,
state::State,
AflError,
};

14
fuzzers/libfuzzer_libpng/src/mod.rs
View File

@ -1,12 +1,11 @@
#[macro_use]
extern crate clap;
use clap::{App, Arg};
use std::{env, path::PathBuf, process::Command};
use afl::{
corpus::{Corpus, InMemoryCorpus},
engines::{Engine, Fuzzer, State, StdFuzzer},
events::{LlmpEventManager, SimpleStats},
executors::{inmemory::InMemoryExecutor, Executor, ExitKind},
feedbacks::MaxMapFeedback,
@ -17,6 +16,7 @@ use afl::{
observers::StdMapObserver,
shmem::{AflShmem, ShMem},
stages::mutational::StdMutationalStage,
state::{Fuzzer, State, StdFuzzer},
tuples::tuple_list,
utils::{deserialize_state_corpus_mgr, StdRand},
AflError,
@ -229,7 +229,7 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), AflError> {
*/
// Create the engine
let executor = InMemoryExecutor::new(
let mut executor = InMemoryExecutor::new(
"Libfuzzer",
harness,
tuple_list!(edges_observer),
@ -238,13 +238,11 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), AflError> {
&mut mgr,
);
let mut engine = Engine::new(executor);
// in case the corpus is empty (on first run), reset
if corpus.count() < 1 {
match input {
Some(x) => state
.load_initial_inputs(&mut corpus, &mut generator, &mut engine, &mut mgr, &x)
.load_initial_inputs(&mut executor, &mut corpus, &mut generator, &mut mgr, &x)
.expect(&format!("Failed to load initial corpus at {:?}", &x)),
None => (),
}
@ -255,9 +253,9 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), AflError> {
state
.generate_initial_inputs(
&mut rand,
&mut executor,
&mut corpus,
&mut generator,
&mut engine,
&mut mgr,
4,
)
@ -271,5 +269,5 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), AflError> {
let stage = StdMutationalStage::new(mutator);
let mut fuzzer = StdFuzzer::new(tuple_list!(stage));
fuzzer.fuzz_loop(&mut rand, &mut state, &mut corpus, &mut engine, &mut mgr)
fuzzer.fuzz_loop(&mut rand, &mut executor, &mut state, &mut corpus, &mut mgr)
}