SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add unsafe to AsanErrorsObserver, fix UBs, fix Frida Version missmatch (#1987)

Browse Source 
* Add unsafe to AsanErrorsObserver, fix UBs, fix Frida Version missmatch

* Clippy

* simpler API

* fix build

* fix
This commit is contained in:
Dominik Maier 2024-04-02 10:17:59 +02:00 committed by GitHub
parent 10f373d587
commit 26122b20a0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
13 changed files with 81 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
fuzzers/frida_executable_libpng/Cargo.toml
View File

@ -28,7 +28,7 @@ reqwest = { version = "0.11.4", features = ["blocking"] }
[dependencies]
libafl = { path = "../../libafl/", features = [ "std", "llmp_compression", "llmp_bind_public", "frida_cli" ] } #, "llmp_small_maps", "llmp_debug"]}
libafl_bolts = { path = "../../libafl_bolts/" }
frida-gum = { version = "0.13.2", features = [ "auto-download", "event-sink", "invocation-listener"] }
frida-gum = { version = "0.13.6", features = [ "auto-download", "event-sink", "invocation-listener"] }
libafl_frida = { path = "../../libafl_frida", features = ["cmplog"] }
libafl_targets = { path = "../../libafl_targets", features = ["sancov_cmplog"] }
libc = "0.2"

28
fuzzers/frida_executable_libpng/src/fuzzer.rs
View File

@ -39,7 +39,7 @@ use libafl_bolts::{
#[cfg(unix)]
use libafl_frida::asan::{
asan_rt::AsanRuntime,
errors::{AsanErrorsFeedback, AsanErrorsObserver, ASAN_ERRORS},
errors::{AsanErrorsFeedback, AsanErrorsObserver},
};
use libafl_frida::{
cmplog_rt::CmpLogRuntime,
@ -104,7 +104,7 @@ unsafe fn fuzz(
let coverage = CoverageRuntime::new();
#[cfg(unix)]
let asan = AsanRuntime::new(&options);
let asan = AsanRuntime::new(options);
#[cfg(unix)]
let mut frida_helper =
@ -183,11 +183,9 @@ unsafe fn fuzz(
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
#[cfg(unix)]
let observers = tuple_list!(
edges_observer,
time_observer,
AsanErrorsObserver::new(&ASAN_ERRORS)
);
let observers = tuple_list!(edges_observer, time_observer, unsafe {
AsanErrorsObserver::from_static_asan_errors()
});
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer);
@ -298,11 +296,9 @@ unsafe fn fuzz(
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
#[cfg(unix)]
let observers = tuple_list!(
edges_observer,
time_observer,
AsanErrorsObserver::new(&ASAN_ERRORS)
);
let observers = tuple_list!(edges_observer, time_observer, unsafe {
AsanErrorsObserver::from_static_asan_errors()
});
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer,);
@ -428,11 +424,9 @@ unsafe fn fuzz(
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
#[cfg(unix)]
let observers = tuple_list!(
edges_observer,
time_observer,
AsanErrorsObserver::new(&ASAN_ERRORS)
);
let observers = tuple_list!(edges_observer, time_observer, unsafe {
AsanErrorsObserver::from_static_asan_errors()
});
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer,);

2
fuzzers/frida_executable_libpng/src/lib.rs
View File

@ -48,7 +48,7 @@ pub unsafe extern "C" fn __libc_start_main(
ORIG_MAIN = main;
let orig_libc_start_main_addr: *mut c_void =
dlsym(RTLD_NEXT, "__libc_start_main\0".as_ptr().cast::<i8>());
dlsym(RTLD_NEXT, c"__libc_start_main".as_ptr());
let orig_libc_start_main: LibcStartMainFunc = transmute(orig_libc_start_main_addr);

2
fuzzers/frida_gdiplus/Cargo.toml
View File

@ -26,7 +26,7 @@ reqwest = { version = "0.11.4", features = ["blocking"] }
[dependencies]
libafl = { path = "../../libafl/", features = [ "std", "llmp_compression", "llmp_bind_public", "frida_cli" ] } #, "llmp_small_maps", "llmp_debug"]}
libafl_bolts = { path = "../../libafl_bolts/" }
frida-gum = { version = "0.13.2", features = [ "auto-download", "event-sink", "invocation-listener"] }
frida-gum = { version = "0.13.6", features = [ "auto-download", "event-sink", "invocation-listener"] }
libafl_frida = { path = "../../libafl_frida", features = ["cmplog"] }
libafl_targets = { path = "../../libafl_targets", features = ["sancov_cmplog"] }
libloading = "0.7"

26
fuzzers/frida_gdiplus/src/fuzzer.rs
View File

@ -45,7 +45,7 @@ use libafl_bolts::{
#[cfg(unix)]
use libafl_frida::asan::asan_rt::AsanRuntime;
#[cfg(unix)]
use libafl_frida::asan::errors::{AsanErrorsFeedback, AsanErrorsObserver, ASAN_ERRORS};
use libafl_frida::asan::errors::{AsanErrorsFeedback, AsanErrorsObserver};
use libafl_frida::{
cmplog_rt::CmpLogRuntime,
coverage_rt::{CoverageRuntime, MAP_SIZE},
@ -177,11 +177,9 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
#[cfg(unix)]
let observers = tuple_list!(
edges_observer,
time_observer,
AsanErrorsObserver::new(&ASAN_ERRORS)
);
let observers = tuple_list!(edges_observer, time_observer, unsafe {
AsanErrorsObserver::from_static_asan_errors()
});
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer);
@ -292,11 +290,9 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
#[cfg(unix)]
let observers = tuple_list!(
edges_observer,
time_observer,
AsanErrorsObserver::new(&ASAN_ERRORS)
);
let observers = tuple_list!(edges_observer, time_observer, unsafe {
AsanErrorsObserver::from_static_asan_errors()
});
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer,);
@ -423,11 +419,9 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
#[cfg(unix)]
let observers = tuple_list!(
edges_observer,
time_observer,
AsanErrorsObserver::new(&ASAN_ERRORS)
);
let observers = tuple_list!(edges_observer, time_observer, unsafe {
AsanErrorsObserver::from_static_asan_errors()
});
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer,);

2
fuzzers/frida_libpng/Cargo.toml
View File

@ -28,7 +28,7 @@ reqwest = { version = "0.11.4", features = ["blocking"] }
[dependencies]
libafl = { path = "../../libafl/", features = [ "std", "llmp_compression", "llmp_bind_public", "frida_cli" ] } #, "llmp_small_maps", "llmp_debug"]}
libafl_bolts = { path = "../../libafl_bolts/" }
frida-gum = { version = "0.13.2", features = [ "auto-download", "event-sink", "invocation-listener"] }
frida-gum = { version = "0.13.6", features = [ "auto-download", "event-sink", "invocation-listener"] }
libafl_frida = { path = "../../libafl_frida", features = ["cmplog"] }
libafl_targets = { path = "../../libafl_targets", features = ["sancov_cmplog"] }
libloading = "0.7"

22
fuzzers/frida_libpng/src/fuzzer.rs
View File

@ -39,7 +39,7 @@ use libafl_bolts::{
#[cfg(unix)]
use libafl_frida::asan::{
asan_rt::AsanRuntime,
errors::{AsanErrorsFeedback, AsanErrorsObserver, ASAN_ERRORS},
errors::{AsanErrorsFeedback, AsanErrorsObserver},
};
use libafl_frida::{
cmplog_rt::CmpLogRuntime,
@ -94,7 +94,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let coverage = CoverageRuntime::new();
#[cfg(unix)]
let asan = AsanRuntime::new(&options);
let asan = AsanRuntime::new(options);
#[cfg(unix)]
let mut frida_helper =
@ -173,11 +173,9 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
#[cfg(unix)]
let observers = tuple_list!(
edges_observer,
time_observer,
AsanErrorsObserver::new(&ASAN_ERRORS)
);
let observers = tuple_list!(edges_observer, time_observer, unsafe {
AsanErrorsObserver::from_static_asan_errors()
});
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer);
@ -289,11 +287,9 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
#[cfg(unix)]
let observers = tuple_list!(
edges_observer,
time_observer,
AsanErrorsObserver::new(&ASAN_ERRORS)
);
let observers = tuple_list!(edges_observer, time_observer, unsafe {
AsanErrorsObserver::from_static_asan_errors()
});
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer,);
@ -422,7 +418,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let observers = tuple_list!(
edges_observer,
time_observer,
AsanErrorsObserver::new(&ASAN_ERRORS)
AsanErrorsObserver::from_static_asan_errors()
);
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer,);

22
libafl_bolts/src/ownedref.rs
View File

@ -761,6 +761,17 @@ pub enum OwnedPtr<T: Sized> {
Owned(Box<T>),
}
impl<T: Sized> OwnedPtr<T> {
/// Creates a new [`OwnedPtr`] from a raw pointer
///
/// # Safety
/// The raw pointer will later be dereferenced.
/// It must outlive this `OwnedPtr` type and remain valid.
pub unsafe fn from_raw(ptr: *const T) -> Self {
Self::Ptr(ptr)
}
}
impl<T: Sized + Serialize> Serialize for OwnedPtr<T> {
fn serialize<S>(&self, se: S) -> Result<S::Ok, S::Error>
where
@ -822,6 +833,17 @@ pub enum OwnedMutPtr<T: Sized> {
Owned(Box<T>),
}
impl<T: Sized> OwnedMutPtr<T> {
/// Creates a new [`OwnedMutPtr`] from a raw pointer
///
/// # Safety
/// The raw pointer will later be dereferenced.
/// It must outlive this `OwnedPtr` type and remain valid.
pub unsafe fn from_raw_mut(ptr: *mut T) -> Self {
Self::Ptr(ptr)
}
}
impl<T: Sized + Serialize> Serialize for OwnedMutPtr<T> {
fn serialize<S>(&self, se: S) -> Result<S::Ok, S::Error>
where

4
libafl_frida/Cargo.toml
View File

@ -55,12 +55,12 @@ nix = { version = "0.27", features = ["mman"] }
libc = "0.2"
hashbrown = "0.14"
rangemap = "1.3"
frida-gum-sys = { version = "0.8.1", features = [
frida-gum-sys = { version = "0.13.6", features = [
"auto-download",
"event-sink",
"invocation-listener",
] }
frida-gum = { version = "0.13.2", features = [
frida-gum = { version = "0.13.6", features = [
"auto-download",
"event-sink",
"invocation-listener",

22
libafl_frida/src/asan/errors.rs
View File

@ -1,5 +1,5 @@
//! Errors that can be caught by the `libafl_frida` address sanitizer.
use std::{fmt::Debug, io::Write, marker::PhantomData};
use std::{fmt::Debug, io::Write, marker::PhantomData, ptr::addr_of};
use backtrace::Backtrace;
use color_backtrace::{default_output_stream, BacktracePrinter, Verbosity};
@ -576,12 +576,18 @@ impl Named for AsanErrorsObserver {
}
impl AsanErrorsObserver {
/// Creates a new `AsanErrorsObserver`, pointing to a constant `AsanErrors` field
/// Creates a new [`AsanErrorsObserver`], pointing to a constant `AsanErrors` field
#[must_use]
pub fn new(errors: *const Option<AsanErrors>) -> Self {
Self {
errors: OwnedPtr::Ptr(errors),
pub fn new(errors: OwnedPtr<Option<AsanErrors>>) -> Self {
Self { errors }
}
/// Creates a new [`AsanErrorsObserver`], pointing to the [`ASAN_ERRORS`] global static field.
///
/// # Safety
/// The field should not be accessed multiple times at the same time (i.e., from different threads)!
pub unsafe fn from_static_asan_errors() -> Self {
Self::from_ptr(addr_of!(ASAN_ERRORS))
}
/// Creates a new `AsanErrorsObserver`, owning the `AsanErrors`
@ -593,8 +599,12 @@ impl AsanErrorsObserver {
}
/// Creates a new `AsanErrorsObserver` from a raw ptr
///
/// # Safety
/// Will dereference this pointer at a later point in time.
/// The pointer *must* outlive this [`AsanErrorsObserver`]'s lifetime.
#[must_use]
pub fn from_mut_ptr(errors: *const Option<AsanErrors>) -> Self {
pub unsafe fn from_ptr(errors: *const Option<AsanErrors>) -> Self {
Self {
errors: OwnedPtr::Ptr(errors),
}

6
libafl_frida/src/lib.rs
View File

@ -346,7 +346,7 @@ impl Default for FridaOptions {
#[cfg(test)]
mod tests {
use std::{ptr::addr_of, sync::OnceLock};
use std::sync::OnceLock;
use clap::Parser;
use frida_gum::Gum;
@ -370,7 +370,7 @@ mod tests {
use crate::{
asan::{
asan_rt::AsanRuntime,
errors::{AsanErrorsFeedback, AsanErrorsObserver, ASAN_ERRORS},
errors::{AsanErrorsFeedback, AsanErrorsObserver},
},
coverage_rt::CoverageRuntime,
executor::FridaInProcessExecutor,
@ -438,7 +438,7 @@ mod tests {
let mut fuzzer = StdFuzzer::new(StdScheduler::new(), feedback, objective);
let observers = tuple_list!(
AsanErrorsObserver::new(addr_of!(ASAN_ERRORS)) //,
AsanErrorsObserver::from_static_asan_errors() //,
);
{

8
libafl_frida/src/pthread_hook.rs
View File

@ -1,11 +1,5 @@
use std::{
convert::{TryFrom, TryInto},
sync::RwLock,
};
/// Rust bindings for Apple's [`pthread_introspection`](https://opensource.apple.com/source/libpthread/libpthread-218.20.1/pthread/introspection.h.auto.html) hooks.
use libc;
use std::sync::RwLock;
const PTHREAD_INTROSPECTION_THREAD_CREATE: libc::c_uint = 1;
const PTHREAD_INTROSPECTION_THREAD_START: libc::c_uint = 2;
const PTHREAD_INTROSPECTION_THREAD_TERMINATE: libc::c_uint = 3;

4
libafl_frida/src/utils.rs
View File

@ -159,8 +159,8 @@ const X86_64_REGS: [(RegSpec, X86Register); 34] = [
];
/// The writer registers
/// frida registers: <https://docs.rs/frida-gum/0.4.0/frida_gum/instruction_writer/enum.X86Register.html>
/// capstone registers: <https://docs.rs/capstone-sys/0.14.0/capstone_sys/x86_reg/index.html>
/// frida registers: <https://docs.rs/frida-gum/latest/frida_gum/instruction_writer/enum.X86Register.html>
/// capstone registers: <https://docs.rs/capstone-sys/latest/capstone_sys/x86_reg/index.html>
#[cfg(target_arch = "x86_64")]
#[must_use]
#[inline]