From 2440aaedfc000675e24cba5195e6437904bebe2f Mon Sep 17 00:00:00 2001 From: Dominik Maier Date: Thu, 4 Feb 2021 21:17:08 +0100 Subject: [PATCH] fixed testcases --- afl/src/events/mod.rs | 2 +- afl/src/executors/inmemory.rs | 6 ++--- afl/src/executors/mod.rs | 2 +- afl/src/lib.rs | 2 +- afl/src/stages/mod.rs | 33 +++++++++++-------------- afl/src/stages/mutational.rs | 26 ++++++++------------ afl/src/{engines => state}/mod.rs | 37 +++++++++++++---------------- afl/src/utils.rs | 2 +- fuzzers/libfuzzer_libpng/src/mod.rs | 14 +++++------ 9 files changed, 53 insertions(+), 71 deletions(-) rename afl/src/{engines => state}/mod.rs (93%) diff --git a/afl/src/events/mod.rs b/afl/src/events/mod.rs index c56242673d..bd49f69515 100644 --- a/afl/src/events/mod.rs +++ b/afl/src/events/mod.rs @@ -14,13 +14,13 @@ use serde::{Deserialize, Serialize}; use crate::shmem::AflShmem; use crate::{ corpus::Corpus, - engines::State, feedbacks::FeedbacksTuple, inputs::Input, llmp::{self, LlmpClient, LlmpClientDescription, Tag}, observers::ObserversTuple, serde_anymap::Ptr, shmem::ShMem, + state::State, utils::{current_time, Rand}, AflError, }; diff --git a/afl/src/executors/inmemory.rs b/afl/src/executors/inmemory.rs index a9d6153a9e..e4e28de457 100644 --- a/afl/src/executors/inmemory.rs +++ b/afl/src/executors/inmemory.rs @@ -4,12 +4,12 @@ use os_signals::set_oncrash_ptrs; use crate::{ corpus::Corpus, - engines::State, events::EventManager, executors::{Executor, ExitKind, HasObservers}, feedbacks::FeedbacksTuple, inputs::{HasTargetBytes, Input}, observers::ObserversTuple, + state::State, tuples::Named, utils::Rand, AflError, @@ -205,8 +205,8 @@ pub mod unix_signals { }; use crate::{ - corpus::Corpus, engines::State, events::EventManager, feedbacks::FeedbacksTuple, - inputs::Input, observers::ObserversTuple, utils::Rand, + corpus::Corpus, events::EventManager, feedbacks::FeedbacksTuple, inputs::Input, + observers::ObserversTuple, state::State, utils::Rand, }; /// Pointers to values only needed on crash. As the program will not continue after a crash, diff --git a/afl/src/executors/mod.rs b/afl/src/executors/mod.rs index cea7d92114..4d315a0ee7 100644 --- a/afl/src/executors/mod.rs +++ b/afl/src/executors/mod.rs @@ -9,11 +9,11 @@ use core::marker::PhantomData; use crate::{ corpus::Corpus, - engines::State, events::EventManager, feedbacks::FeedbacksTuple, inputs::{HasTargetBytes, Input}, observers::ObserversTuple, + state::State, tuples::{MatchNameAndType, MatchType, Named, TupleList}, utils::Rand, AflError, diff --git a/afl/src/lib.rs b/afl/src/lib.rs index 0b501a5bef..69335e9c47 100644 --- a/afl/src/lib.rs +++ b/afl/src/lib.rs @@ -10,7 +10,6 @@ extern crate alloc; extern crate static_assertions; pub mod corpus; -pub mod engines; pub mod events; pub mod executors; pub mod feedbacks; @@ -23,6 +22,7 @@ pub mod observers; pub mod serde_anymap; pub mod shmem; pub mod stages; +pub mod state; pub mod tuples; pub mod utils; diff --git a/afl/src/stages/mod.rs b/afl/src/stages/mod.rs index bc4fd8e9fd..d654eee3c5 100644 --- a/afl/src/stages/mod.rs +++ b/afl/src/stages/mod.rs @@ -3,12 +3,12 @@ pub use mutational::StdMutationalStage; use crate::{ corpus::Corpus, - engines::State, events::EventManager, - executors::{Executor, ExecutorsTuple, HasObservers}, + executors::{Executor, HasObservers}, feedbacks::FeedbacksTuple, inputs::Input, observers::ObserversTuple, + state::State, tuples::TupleList, utils::Rand, AflError, @@ -16,13 +16,12 @@ use crate::{ /// A stage is one step in the fuzzing process. /// Multiple stages will be scheduled one by one for each input. -pub trait Stage +pub trait Stage where EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, @@ -39,13 +38,12 @@ where ) -> Result<(), AflError>; } -pub trait StagesTuple +pub trait StagesTuple where EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, @@ -59,17 +57,16 @@ where manager: &mut EM, corpus_idx: usize, ) -> Result<(), AflError>; - fn for_each(&self, f: fn(&dyn Stage)); - fn for_each_mut(&mut self, f: fn(&mut dyn Stage)); + fn for_each(&self, f: fn(&dyn Stage)); + fn for_each_mut(&mut self, f: fn(&mut dyn Stage)); } -impl StagesTuple for () +impl StagesTuple for () where EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, @@ -85,20 +82,18 @@ where ) -> Result<(), AflError> { Ok(()) } - fn for_each(&self, _f: fn(&dyn Stage)) {} - fn for_each_mut(&mut self, _f: fn(&mut dyn Stage)) {} + fn for_each(&self, _f: fn(&dyn Stage)) {} + fn for_each_mut(&mut self, _f: fn(&mut dyn Stage)) {} } -impl StagesTuple - for (Head, Tail) +impl StagesTuple for (Head, Tail) where - Head: Stage, - Tail: StagesTuple + TupleList, + Head: Stage, + Tail: StagesTuple + TupleList, EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, @@ -118,12 +113,12 @@ where .perform_all(rand, executor, state, corpus, manager, corpus_idx) } - fn for_each(&self, f: fn(&dyn Stage)) { + fn for_each(&self, f: fn(&dyn Stage)) { f(&self.0); self.1.for_each(f) } - fn for_each_mut(&mut self, f: fn(&mut dyn Stage)) { + fn for_each_mut(&mut self, f: fn(&mut dyn Stage)) { f(&mut self.0); self.1.for_each_mut(f) } diff --git a/afl/src/stages/mutational.rs b/afl/src/stages/mutational.rs index d67dfd23c3..c8ffeaa078 100644 --- a/afl/src/stages/mutational.rs +++ b/afl/src/stages/mutational.rs @@ -1,15 +1,15 @@ use core::marker::PhantomData; use crate::{ - engines::State, events::EventManager, - executors::{Executor, ExecutorsTuple, HasObservers}, + executors::{Executor, HasObservers}, feedbacks::FeedbacksTuple, inputs::Input, mutators::Mutator, observers::ObserversTuple, stages::Corpus, stages::Stage, + state::State, utils::Rand, AflError, }; @@ -19,15 +19,13 @@ use crate::{ /// A Mutational stage is the stage in a fuzzing run that mutates inputs. /// Mutational stages will usually have a range of mutations that are /// being applied to the input one by one, between executions. -pub trait MutationalStage: - Stage +pub trait MutationalStage: Stage where M: Mutator, EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, @@ -88,31 +86,29 @@ where #[derive(Clone, Debug)] /// The default mutational stage -pub struct StdMutationalStage +pub struct StdMutationalStage where M: Mutator, EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, { mutator: M, - phantom: PhantomData<(EM, E, OT, FT, ET, C, I, R)>, + phantom: PhantomData<(EM, E, OT, FT, C, I, R)>, } -impl MutationalStage - for StdMutationalStage +impl MutationalStage + for StdMutationalStage where M: Mutator, EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, @@ -130,15 +126,14 @@ where } } -impl Stage - for StdMutationalStage +impl Stage + for StdMutationalStage where M: Mutator, EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, @@ -157,14 +152,13 @@ where } } -impl StdMutationalStage +impl StdMutationalStage where M: Mutator, EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, diff --git a/afl/src/engines/mod.rs b/afl/src/state/mod.rs similarity index 93% rename from afl/src/engines/mod.rs rename to afl/src/state/mod.rs index f0fc339f04..0808608cda 100644 --- a/afl/src/engines/mod.rs +++ b/afl/src/state/mod.rs @@ -1,4 +1,4 @@ -//! The engine is the core piece of every good fuzzer +//! The fuzzer, and state are the core pieces of every good fuzzer use core::{fmt::Debug, marker::PhantomData}; use serde::{Deserialize, Serialize}; @@ -11,7 +11,7 @@ use std::{ use crate::{ corpus::{Corpus, Testcase}, events::EventManager, - executors::{Executor, ExecutorsTuple, HasObservers}, + executors::{Executor, HasObservers}, feedbacks::FeedbacksTuple, generators::Generator, inputs::Input, @@ -288,7 +288,7 @@ where } } - pub fn generate_initial_inputs( + pub fn generate_initial_inputs( &mut self, rand: &mut R, executor: &mut E, @@ -302,7 +302,6 @@ where C: Corpus, E: Executor + HasObservers, OT: ObserversTuple, - ET: ExecutorsTuple, EM: EventManager, { let mut added = 0; @@ -332,14 +331,13 @@ where } } -pub trait Fuzzer +pub trait Fuzzer where - ST: StagesTuple, + ST: StagesTuple, EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, @@ -386,31 +384,29 @@ where } #[derive(Clone, Debug)] -pub struct StdFuzzer +pub struct StdFuzzer where - ST: StagesTuple, + ST: StagesTuple, EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, { stages: ST, - phantom: PhantomData<(EM, E, OT, FT, ET, C, I, R)>, + phantom: PhantomData<(EM, E, OT, FT, C, I, R)>, } -impl Fuzzer - for StdFuzzer +impl Fuzzer + for StdFuzzer where - ST: StagesTuple, + ST: StagesTuple, EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, @@ -424,14 +420,13 @@ where } } -impl StdFuzzer +impl StdFuzzer where - ST: StagesTuple, + ST: StagesTuple, EM: EventManager, E: Executor + HasObservers, OT: ObserversTuple, FT: FeedbacksTuple, - ET: ExecutorsTuple, C: Corpus, I: Input, R: Rand, @@ -451,11 +446,11 @@ mod tests { use crate::{ corpus::{Corpus, InMemoryCorpus, Testcase}, - engines::{Fuzzer, State, StdFuzzer}, executors::{Executor, ExitKind, InMemoryExecutor}, inputs::{BytesInput, Input}, mutators::{mutation_bitflip, ComposedByMutations, StdScheduledMutator}, stages::StdMutationalStage, + state::{Fuzzer, State, StdFuzzer}, tuples::tuple_list, utils::StdRand, }; @@ -468,7 +463,7 @@ mod tests { } #[test] - fn test_engine() { + fn test_fuzzer() { let mut rand = StdRand::new(0); let mut corpus = InMemoryCorpus::::new(); @@ -481,7 +476,7 @@ mod tests { println!("{}", s); })); - let executor = InMemoryExecutor::new( + let mut executor = InMemoryExecutor::new( "main", harness, tuple_list!(), diff --git a/afl/src/utils.rs b/afl/src/utils.rs index ed3bf1a02e..f30fa48711 100644 --- a/afl/src/utils.rs +++ b/afl/src/utils.rs @@ -11,11 +11,11 @@ use std::time::{SystemTime, UNIX_EPOCH}; use crate::{ corpus::Corpus, - engines::State, events::{LlmpEventManager, Stats}, feedbacks::FeedbacksTuple, inputs::Input, shmem::ShMem, + state::State, AflError, }; diff --git a/fuzzers/libfuzzer_libpng/src/mod.rs b/fuzzers/libfuzzer_libpng/src/mod.rs index 7248bf12e8..5435b78792 100644 --- a/fuzzers/libfuzzer_libpng/src/mod.rs +++ b/fuzzers/libfuzzer_libpng/src/mod.rs @@ -1,12 +1,11 @@ #[macro_use] extern crate clap; - +use clap::{App, Arg}; use std::{env, path::PathBuf, process::Command}; use afl::{ corpus::{Corpus, InMemoryCorpus}, - engines::{Engine, Fuzzer, State, StdFuzzer}, events::{LlmpEventManager, SimpleStats}, executors::{inmemory::InMemoryExecutor, Executor, ExitKind}, feedbacks::MaxMapFeedback, @@ -17,6 +16,7 @@ use afl::{ observers::StdMapObserver, shmem::{AflShmem, ShMem}, stages::mutational::StdMutationalStage, + state::{Fuzzer, State, StdFuzzer}, tuples::tuple_list, utils::{deserialize_state_corpus_mgr, StdRand}, AflError, @@ -229,7 +229,7 @@ fn fuzz(input: Option>, broker_port: u16) -> Result<(), AflError> { */ // Create the engine - let executor = InMemoryExecutor::new( + let mut executor = InMemoryExecutor::new( "Libfuzzer", harness, tuple_list!(edges_observer), @@ -238,13 +238,11 @@ fn fuzz(input: Option>, broker_port: u16) -> Result<(), AflError> { &mut mgr, ); - let mut engine = Engine::new(executor); - // in case the corpus is empty (on first run), reset if corpus.count() < 1 { match input { Some(x) => state - .load_initial_inputs(&mut corpus, &mut generator, &mut engine, &mut mgr, &x) + .load_initial_inputs(&mut executor, &mut corpus, &mut generator, &mut mgr, &x) .expect(&format!("Failed to load initial corpus at {:?}", &x)), None => (), } @@ -255,9 +253,9 @@ fn fuzz(input: Option>, broker_port: u16) -> Result<(), AflError> { state .generate_initial_inputs( &mut rand, + &mut executor, &mut corpus, &mut generator, - &mut engine, &mut mgr, 4, ) @@ -271,5 +269,5 @@ fn fuzz(input: Option>, broker_port: u16) -> Result<(), AflError> { let stage = StdMutationalStage::new(mutator); let mut fuzzer = StdFuzzer::new(tuple_list!(stage)); - fuzzer.fuzz_loop(&mut rand, &mut state, &mut corpus, &mut engine, &mut mgr) + fuzzer.fuzz_loop(&mut rand, &mut executor, &mut state, &mut corpus, &mut mgr) }