From 2a8efa7d6db815208179131f8f6c0e10902ce272 Mon Sep 17 00:00:00 2001 From: epi <43392618+epi052@users.noreply.github.com> Date: Fri, 28 Jan 2022 11:09:04 -0600 Subject: [PATCH] extended inmemory; added exit to qemu (#506) --- libafl_sugar/src/inmemory.rs | 93 +++++++++++++++++++++++++++++++----- libafl_sugar/src/qemu.rs | 4 ++ 2 files changed, 85 insertions(+), 12 deletions(-) diff --git a/libafl_sugar/src/inmemory.rs b/libafl_sugar/src/inmemory.rs index dba079d872..85a0dbb1c5 100644 --- a/libafl_sugar/src/inmemory.rs +++ b/libafl_sugar/src/inmemory.rs @@ -19,7 +19,7 @@ use libafl::{ CachedOnDiskCorpus, Corpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus, QueueCorpusScheduler, }, - events::EventConfig, + events::{EventConfig, EventRestarter, LlmpRestartingEventManager}, executors::{inprocess::InProcessExecutor, ExitKind, ShadowExecutor, TimeoutExecutor}, feedback_or, feedback_or_fast, feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback, TimeoutFeedback}, @@ -50,18 +50,18 @@ where #[builder(default = None, setter(strip_option))] configuration: Option, /// Timeout of the executor - #[builder(default = None, setter(strip_option))] + #[builder(default = None)] timeout: Option, /// Input directories input_dirs: &'a [PathBuf], /// Output directory output_dir: PathBuf, /// Dictionary - #[builder(default = None, setter(strip_option))] + #[builder(default = None)] tokens_file: Option, /// Flag if use CmpLog - #[builder(default = false)] - use_cmplog: bool, + #[builder(default = None)] + use_cmplog: Option, /// The port used for communication between this fuzzer node and other fuzzer nodes #[builder(default = 1337_u16)] broker_port: u16, @@ -74,6 +74,9 @@ where /// Bytes harness #[builder(setter(strip_option))] harness: Option, + /// Fuzz `iterations` number of times, instead of indefinitely; implies use of `fuzz_loop_for` + #[builder(default = None)] + iterations: Option, } impl Debug for InMemoryBytesCoverageSugar<'_, H> 
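Review bot: Changing `use_cmplog` from `bool` to `Option<bool>` in hunk `@@ -50,18` introduces a third state that the new code collapses straight away with `.unwrap_or(false)`, and it breaks existing builder callers, who must now write `.use_cmplog(Some(true))`; the same hunk drops `strip_option` from `timeout` and `tokens_file`, so `.timeout(d)` likewise becomes `.timeout(Some(d))`. If the only motivation is letting the Python binding pass `None` through, keeping `#[builder(default = false)] use_cmplog: bool` and unwrapping at the binding, `.use_cmplog(self.use_cmplog.unwrap_or(false))`, leaves the Rust API untouched. Whichever shape is kept, the field docs should state the contract, e.g. `/// Flag if use CmpLog; None behaves like Some(false)`, and the new `iterations` doc in `@@ -74,6` could likewise say that `None` means fuzz indefinitely.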
@@ -137,7 +140,9 @@ where let monitor = MultiMonitor::new(|s| println!("{}", s)); - let mut run_client = |state: Option>, mut mgr, _core_id| { + let mut run_client = |state: Option>, + mut mgr: LlmpRestartingEventManager<_, _, _, _>, + _core_id| { // Create an observation channel using the coverage map let edges = unsafe { &mut EDGES_MAP[0..MAX_EDGES_NUM] }; let edges_observer = HitcountsMapObserver::new(StdMapObserver::new("edges", edges)); @@ -262,12 +267,36 @@ where let mutational = StdMutationalStage::new(mutator); // The order of the stages matter! - if self.use_cmplog { + if self.use_cmplog.unwrap_or(false) { let mut stages = tuple_list!(tracing, i2s, mutational); - fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?; + if let Some(iters) = self.iterations { + fuzzer.fuzz_loop_for( + &mut stages, + &mut executor, + &mut state, + &mut mgr, + iters, + )?; + mgr.on_restart(&mut state)?; + std::process::exit(0); + } else { + fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?; + } } else { let mut stages = tuple_list!(mutational); - fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?; + if let Some(iters) = self.iterations { + fuzzer.fuzz_loop_for( + &mut stages, + &mut executor, + &mut state, + &mut mgr, + iters, + )?; + mgr.on_restart(&mut state)?; + std::process::exit(0); + } else { + fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?; + } } } else { // Setup a basic mutator 
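Review bot: The `std::process::exit(0)` placed right after `mgr.on_restart(&mut state)?` in both arms of hunk `@@ -262,12` is the surprising part of this change and has no comment: going by the `EventRestarter` import added in `@@ -19,7`, `on_restart` is the state hand-off to the restarting manager, and `process::exit` then ends the client without unwinding, so no destructor for the executor, observers or event manager runs and anything those would flush or release is left to the OS. A why-comment on that line is warranted, e.g. `// Iteration budget spent: persist state for the restarting manager, then exit without running destructors`, and whether the parent treats this as a clean stop or respawns a client that resumes from the saved state is not visible here and should be confirmed against the manager's restart loop. The same 13-line `if let Some(iters) = self.iterations { … }` block is then copied into the `else` arm, twice more in `@@ -275,12`, and the identical `exit(0)` is inserted at four places in `libafl_sugar/src/qemu.rs`; a single helper that takes the stages tuple generically (the two `tuple_list!` values have different types, so the `if let` cannot simply be hoisted) would keep the exit semantics, and its comment, in one place. The `run_client` closure this code lives in opens in `@@ -137,7` and its end lies outside this hunk.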
@@ -275,12 +304,36 @@ where let mutational = StdMutationalStage::new(mutator); // The order of the stages matter! - if self.use_cmplog { + if self.use_cmplog.unwrap_or(false) { let mut stages = tuple_list!(tracing, i2s, mutational); - fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?; + if let Some(iters) = self.iterations { + fuzzer.fuzz_loop_for( + &mut stages, + &mut executor, + &mut state, + &mut mgr, + iters, + )?; + mgr.on_restart(&mut state)?; + std::process::exit(0); + } else { + fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?; + } } else { let mut stages = tuple_list!(mutational); - fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?; + if let Some(iters) = self.iterations { + fuzzer.fuzz_loop_for( + &mut stages, + &mut executor, + &mut state, + &mut mgr, + iters, + )?; + mgr.on_restart(&mut state)?; + std::process::exit(0); + } else { + fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?; + } } } @@ -322,6 +375,10 @@ pub mod pybind { output_dir: PathBuf, broker_port: u16, cores: Cores, + use_cmplog: Option, + iterations: Option, + tokens_file: Option, + timeout: Option, } #[pymethods] @@ -333,12 +390,20 @@ pub mod pybind { output_dir: PathBuf, broker_port: u16, cores: Vec, + use_cmplog: Option, + iterations: Option, + tokens_file: Option, + timeout: Option, ) -> Self { Self { input_dirs, output_dir, broker_port, cores: cores.into(), + use_cmplog, + iterations, + tokens_file, + timeout, } } @@ -358,6 +423,10 @@ pub mod pybind { }) .unwrap(); }) + .use_cmplog(self.use_cmplog) + .timeout(self.timeout) + .tokens_file(self.tokens_file.clone()) + .iterations(self.iterations) .build() .run(); } diff --git a/libafl_sugar/src/qemu.rs b/libafl_sugar/src/qemu.rs index be5412a182..466b20c9d0 100644 --- a/libafl_sugar/src/qemu.rs +++ b/libafl_sugar/src/qemu.rs 
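Review bot: The four `Option` parameters added to the `#[new]` constructor in `@@ -333,12` are undocumented, and what a Python caller may pass for each is not visible here: the inner types of `tokens_file` and `timeout` are not shown in this diff, and whether trailing `Option` arguments default to `None` on the Python side depends on the pyo3 version the crate builds against, so it should be checked rather than assumed. A docstring on `new` should list each argument, its Python type, and that `None` falls back to the Rust builder default (for `use_cmplog` that is `false`, since `@@ -262,12` applies `.unwrap_or(false)`); that is more than three lines, so it is not quoted here. The `.tokens_file(self.tokens_file.clone())` in `@@ -358,6` is the only clone among the four pass-throughs, presumably because `tokens_file` holds an owned path while the other three are `Copy`; a short comment such as `// owned path: clone, the builder takes it by value` would make that explicit.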
@@ -286,6 +286,7 @@ where
 iters,
 )?;
 mgr.on_restart(&mut state)?;
+ std::process::exit(0);
 } else {
 fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?;
 }
@@ -306,6 +307,7 @@ where
 iters,
 )?;
 mgr.on_restart(&mut state)?;
+ std::process::exit(0);
 } else {
 fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?;
 }
@@ -377,6 +379,7 @@ where
 iters,
 )?;
 mgr.on_restart(&mut state)?;
+ std::process::exit(0);
 } else {
 fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?;
 }
@@ -397,6 +400,7 @@ where
 iters,
 )?;
 mgr.on_restart(&mut state)?;
+ std::process::exit(0);
 } else {
 fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?;
 }