setup cmplog observer and mutator correctly

2021-06-09 12:03:57 +03:00 · 2021-06-09 12:03:57 +03:00 · 2451302575
commit 2451302575
parent e8295988f2
1 changed files with 48 additions and 19 deletions
--- a/fuzzers/frida_libpng/src/fuzzer.rs
+++ b/fuzzers/frida_libpng/src/fuzzer.rs
@ -29,6 +29,7 @@ use libafl::{
    inputs::{BytesInput, HasTargetBytes, Input},
    mutators::{
        scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
+        token_mutations::I2SRandReplace,
        token_mutations::Tokens,
    },
    observers::{HitcountsMapObserver, ObserversTuple, StdMapObserver, TimeObserver},
@ -417,6 +418,7 @@ unsafe fn fuzz(
            println!("We imported {} inputs from disk.", state.corpus().count());
        }

+        if frida_options.cmplog_enabled() {
            // Secondary harness due to mut ownership
            let mut frida_harness = |input: &BytesInput| {
                let target = input.target_bytes();
@ -425,18 +427,45 @@ unsafe fn fuzz(
                ExitKind::Ok
            };

+            // Secondary helper due to mut ownership
+            let mut frida_helper = FridaInstrumentationHelper::new(
+                &gum,
+                &frida_options,
+                module_name,
+                &modules_to_instrument,
+            );
+
            // Setup a tracing stage in which we log comparisons
-        let tracing = TracingStage::new(InProcessExecutor::new(
+            let tracing = TracingStage::new(FridaInProcessExecutor::new(
+                &gum,
+                InProcessExecutor::new(
                    &mut frida_harness,
-            tuple_list!(cmplog_observer),
+                    tuple_list!(cmplog_observer, AsanErrorsObserver::new(&ASAN_ERRORS)),
                    &mut fuzzer,
                    &mut state,
                    &mut mgr,
-        )?);
+                )?,
+                &mut frida_helper,
+                Duration::new(10, 0),
+            ));

-        let mut stages = tuple_list!(tracing, StdMutationalStage::new(mutator));
+            // Setup a randomic Input2State stage
+            let i2s = StdMutationalStage::new(StdScheduledMutator::new(tuple_list!(
+                I2SRandReplace::new()
+            )));
+
+            // Setup a basic mutator
+            let mutational = StdMutationalStage::new(mutator);
+
+            // The order of the stages matter!
+            let mut stages = tuple_list!(tracing, i2s, mutational);

            fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?;
+        } else {
+            let mut stages = tuple_list!(StdMutationalStage::new(mutator));
+
+            fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?;
+        };
        Ok(())
    };