SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Move to Just (#2952)

Browse Source 
* move to just

* fuzzbench

* shell check

* version

* rme

* fixer

* fixing

* libpng friends

* pwd

* ps

* ps

* no fail fast.. for now

* windows

* l

* no powershell

* a

* fk

* fixer

* a

* Revert "fixer"

This reverts commit 76ae72d68686ead01ef914b658c5d8dac5aaee32.

* plzplz

* aaaa

* aa

* aa

* use absolute path, use LIBAFL_CC and LIBAFL_CXX

* why tabs????

* this job is not fun

* aa

* tmate debug

* disable cacheing

* del

* deldelg

* rename

* aaaa

* lol

* aaa

* lol

* lol

* 2nd tmate ...

* a

* lol

* lll

* shell ck

* please i'm about to cry

---------

Co-authored-by: Your Name <you@example.com>
Co-authored-by: Romain Malmain <romain.malmain@pm.me>
This commit is contained in:
Dongjia "toka" Zhang 2025-02-09 18:44:50 +01:00 committed by GitHub
parent 89e470250f
commit 2c741c8f38
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
70 changed files with 3207 additions and 3862 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/build_and_test.yml vendored
View File

@ -20,7 +20,6 @@ concurrency:
jobs: jobs:
common: common:
strategy: strategy:
fail-fast: false
matrix: matrix:
os: [ ubuntu-24.04, windows-latest, macOS-latest ] os: [ ubuntu-24.04, windows-latest, macOS-latest ]
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
@ -238,7 +237,7 @@ jobs:
needs: needs:
- fuzzers-preflight - fuzzers-preflight
strategy: strategy:
fail-fast: true fail-fast: false
matrix: matrix:
os: [ ubuntu-24.04 ] os: [ ubuntu-24.04 ]
fuzzer: fuzzer:

4
.github/workflows/fuzzer-tester-prepare/action.yml vendored
View File

@ -26,6 +26,10 @@ runs:
uses: baptiste0928/cargo-install@v3 uses: baptiste0928/cargo-install@v3
with: with:
crate: cargo-make crate: cargo-make
- name: install just
uses: extractions/setup-just@v2
with:
just-version: 1.39.0
- name: install wasm-pack - name: install wasm-pack
uses: baptiste0928/cargo-install@v3 uses: baptiste0928/cargo-install@v3
with: with:

4
.github/workflows/qemu-fuzzer-tester-prepare/action.yml vendored
View File

@ -14,6 +14,10 @@ runs:
uses: baptiste0928/cargo-install@v3 uses: baptiste0928/cargo-install@v3
with: with:
crate: cargo-make crate: cargo-make
- name: install just
uses: extractions/setup-just@v2
with:
just-version: 1.39.0
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
submodules: true submodules: true

4
.github/workflows/windows-tester-prepare/action.yml vendored
View File

@ -18,3 +18,7 @@ runs:
- name: install cargo-make - name: install cargo-make
shell: pwsh shell: pwsh
run: cargo install --force cargo-make run: cargo install --force cargo-make
- name: install just
uses: extractions/setup-just@v2
with:
just-version: 1.39.0

34
fuzzers/baby/baby_fuzzer_custom_executor/Justfile Normal file
View File

@ -0,0 +1,34 @@
FUZZER_NAME := 'fuzzer_custom_executor'
PROJECT_DIR := absolute_path(".")
PROFILE := 'release'
PROFILE_DIR := 'release'
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
alias build := fuzzer
fuzzer:
cargo build --profile={{PROFILE}}
run: fuzzer
{{FUZZER}}
[linux]
[macos]
test: fuzzer
#!/bin/bash
timeout 30s {{FUZZER}} | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
cargo clean

50
fuzzers/baby/baby_fuzzer_custom_executor/Makefile.toml
View File

@ -1,50 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'fuzzer_custom_executor'
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release" }
PROFILE_DIR = { value = "release" }
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
[tasks.build]
alias = "fuzzer"
[tasks.fuzzer]
description = "Build the fuzzer"
script = "cargo build --profile=${PROFILE}"
[tasks.run]
description = "Run the fuzzer"
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}"
dependencies = ["fuzzer"]
[tasks.test]
description = "Run a short test"
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
timeout 30s ${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME} | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
cargo clean
'''

38
fuzzers/baby/baby_fuzzer_swap_differential/Justfile Normal file
View File

@ -0,0 +1,38 @@
FUZZER_NAME := 'fuzzer_sd'
PROJECT_DIR := absolute_path(".")
PROFILE := 'release'
PROFILE_DIR := 'release'
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
alias build := fuzzer
cc:
cargo build --profile={{PROFILE}} --bin libafl_cc
fuzzer: cc
cargo build --profile={{PROFILE}}
run: fuzzer
{{FUZZER}}
[linux]
[macos]
test: fuzzer
#!/bin/bash
timeout 30s {{FUZZER}} | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
cargo clean

58
fuzzers/baby/baby_fuzzer_swap_differential/Makefile.toml
View File

@ -1,58 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'fuzzer_sd'
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release" }
PROFILE_DIR = { value = "release" }
LIBAFL_CC = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
# Compilers
[tasks.cc]
command = "cargo"
args = ["build", "--profile", "${PROFILE}", "--bin", "libafl_cc"]
# Harness
[tasks.fuzzer]
command = "cargo"
args = ["build", "--profile", "${PROFILE}", "--bin", "${FUZZER_NAME}"]
dependencies = ["cc"]
[tasks.build]
alias = "fuzzer"
# Run the fuzzer
[tasks.run]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}"
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
timeout 30s ${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME} | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
cargo clean
'''

75
fuzzers/forkserver/forkserver_libafl_cc/Justfile Normal file
View File

@ -0,0 +1,75 @@
FUZZER_NAME := 'fuzzer_libafl_cc'
FORKSERVER_NAME := 'forkserver_libafl_cc'
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx"
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
FORKSERVER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FORKSERVER_NAME
PROJECT_DIR := absolute_path(".")
alias cc := cxx
[linux]
[macos]
libpng:
#!/bin/bash
if [ ! -f v1.6.37.tar.gz ]; then
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
fi
tar -xvf v1.6.37.tar.gz
[windows]
libpng:
echo "Unsupported on this platform"
[linux]
[macos]
cxx:
cargo build --profile {{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: cxx
{{LIBAFL_CC}} {{PROJECT_DIR}}/src/program.c -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: fuzzer
#!/bin/bash
taskset -c 1 {{FORKSERVER}} ./{{FUZZER_NAME}} ./corpus/ -t 1000
[windows]
run: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
timeout 30s {{FORKSERVER}} ./{{FUZZER_NAME}} ./corpus/ -t 1000 | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
rm -rf {{FUZZER_NAME}}
make -C libpng-1.6.37 clean || true
cargo clean

141
fuzzers/forkserver/forkserver_libafl_cc/Makefile.toml
View File

@ -1,141 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'fuzzer_libafl_cc'
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
LIBAFL_CC = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc'
LIBAFL_CXX = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
PROJECT_DIR = { script = ["pwd"] }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.crash_cxx]
linux_alias = "crash_cxx_unix"
mac_alias = "crash_cxx_unix"
windows_alias = "unsupported"
[tasks.crash_cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}", "--features=crash"]
[tasks.crash_cc]
linux_alias = "crash_cc_unix"
mac_alias = "crash_cc_unix"
windows_alias = "unsupported"
[tasks.crash_cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}", "--features=crash"]
# Harness
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc"
args = ["${PROJECT_DIR}/src/program.c", "-o", "${FUZZER_NAME}", "-lm"]
dependencies = ["cxx", "cc"]
# Crashing Harness
[tasks.fuzzer_crash]
linux_alias = "fuzzer_crash_unix"
mac_alias = "fuzzer_crash_unix"
windows_alias = "unsupported"
[tasks.fuzzer_crash_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc"
args = ["${PROJECT_DIR}/src/program.c", "-o", "${FUZZER_NAME}_crash", "-lm"]
dependencies = ["crash_cxx", "crash_cc"]
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
taskset -c 1 ${CARGO_TARGET_DIR}/${PROFILE_DIR}/${CARGO_MAKE_PROJECT_NAME} ./${FUZZER_NAME} ./corpus/ -t 1000
'''
dependencies = ["fuzzer"]
# Run the fuzzer with a crash
[tasks.crash]
linux_alias = "crash_unix"
mac_alias = "crash_unix"
windows_alias = "unsupported"
[tasks.crash_unix]
script_runner = "@shell"
script = '''
taskset -c 1 ${CARGO_TARGET_DIR}/${PROFILE_DIR}/${CARGO_MAKE_PROJECT_NAME} ./${FUZZER_NAME}_crash ./corpus/ -t 1000
'''
dependencies = ["fuzzer_crash"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
timeout 30s ${CARGO_TARGET_DIR}/${PROFILE_DIR}/${CARGO_MAKE_PROJECT_NAME} ./${FUZZER_NAME} ./corpus/ -t 1000 | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
cargo clean
'''

261
fuzzers/forkserver/libafl-fuzz/Justfile Normal file
View File

@ -0,0 +1,261 @@
PROJECT_DIR := absolute_path(".")
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
FUZZER_NAME := 'libafl-fuzz'
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LLVM_CONFIG := env("LLVM_CONFIG", "llvm-config-18")
AFL_VERSION := "5777ceaf23f48ae4ceae60e4f3a79263802633c6"
AFL_DIR := PROJECT_DIR / "AFLplusplus"
AFL_CC_PATH := AFL_DIR / "afl-clang-fast"
CC := "clang"
build_afl:
#!/bin/bash
if [ ! -d {{AFL_DIR}} ]; then
git clone https://github.com/AFLplusplus/AFLplusplus.git
cd {{AFL_DIR}}
git checkout {{AFL_VERSION}}
LLVM_CONFIG={{LLVM_CONFIG}} make
fi
build_frida_mode:
#!/bin/bash
cd {{AFL_DIR}}
cd frida_mode
LLVM_CONFIG={{LLVM_CONFIG}} make
cd ../..
build_qemuafl: build_afl
#!/bin/bash
cd {{AFL_DIR}}/qemu_mode
./build_qemu_support.sh
cd ../..
build_unicorn_mode: build_afl
#!/bin/bash
cd {{AFL_DIR}}/unicorn_mode
./build_unicorn_support.sh
cd ../..
test: build_afl test_instr test_cmplog test_frida test_qemu test_unicorn_mode test_instr_fuzzbench
#!/bin/bash
echo done
build_libafl_fuzz:
#!/bin/bash
cargo build --profile {{PROFILE}}
build_libafl_fuzz_fuzzbench:
#!/bin/bash
cargo build --profile {{PROFILE}} --features fuzzbench
test_instr: build_afl build_libafl_fuzz
#!/bin/bash
AFL_PATH={{AFL_DIR}} {{AFL_CC_PATH}} ./test/test-instr.c -o ./test/out-instr
export LIBAFL_DEBUG_OUTPUT=1
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
timeout 5 {{FUZZER}} -i ./test/seeds -o ./test/output ./test/out-instr || true
test -n "$( ls ./test/output/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found"
exit 1
}
test -n "$( ls ./test/output/fuzzer_main/fuzzer_stats 2>/dev/null )" || {
echo "No fuzzer_stats file found"
exit 1
}
test -n "$( ls ./test/output/fuzzer_main/plot_data 2>/dev/null )" || {
echo "No plot_data found"
exit 1
}
test -d "./test/output/fuzzer_main/hangs" || {
echo "No hangs directory found"
exit 1
}
test -d "./test/output/fuzzer_main/crashes" || {
echo "No crashes directory found"
exit 1
}
test_instr_fuzzbench: build_afl build_libafl_fuzz_fuzzbench
#!/bin/bash
AFL_PATH={{AFL_DIR}} {{AFL_CC_PATH}} ./test/test-instr.c -o ./test/out-instr
export LIBAFL_DEBUG_OUTPUT=1
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
timeout 5 {{FUZZER}} -i ./test/seeds -o ./test/output-fuzzbench ./test/out-instr || true
test -n "$( ls ./test/output-fuzzbench/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found"
exit 1
}
test -n "$( ls ./test/output-fuzzbench/fuzzer_main/fuzzer_stats 2>/dev/null )" || {
echo "No fuzzer_stats file found"
exit 1
}
test -n "$( ls ./test/output-fuzzbench/fuzzer_main/plot_data 2>/dev/null )" || {
echo "No plot_data found"
exit 1
}
test -d "./test/output-fuzzbench/fuzzer_main/hangs" || {
echo "No hangs directory found"
exit 1
}
test -d "./test/output-fuzzbench/fuzzer_main/crashes" || {
echo "No crashes directory found"
exit 1
}
test_cmplog: build_afl build_libafl_fuzz
#!/bin/bash
# cmplog TODO: AFL_BENCH_UNTIL_CRASH=1 instead of timeout 15s
AFL_LLVM_CMPLOG=1 AFL_PATH={{AFL_DIR}} {{AFL_CC_PATH}} ./test/test-cmplog.c -o ./test/out-cmplog
LIBAFL_DEBUG_OUTPUT=1 AFL_CORES=0 timeout 15 {{FUZZER}} -Z -l 3 -m 0 -V30 -i ./test/seeds_cmplog -o ./test/output-cmplog -c 0 ./test/out-cmplog || true
test -n "$( ls {{PROJECT_DIR}}/test/output-cmplog/fuzzer_main/hangs/id:0000* {{PROJECT_DIR}}/test/output-cmplog/fuzzer_main/crashes/id:0000*)" || {
echo "No crashes found"
exit 1
}
test_frida: build_afl build_frida_mode build_libafl_fuzz
#!/bin/bash
{{CC}} -no-pie ./test/test-instr.c -o ./test/out-frida
export AFL_PATH={{AFL_DIR}}
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
timeout 15 {{FUZZER}} -m 0 -O -i ./test/seeds_frida -o ./test/output-frida -- ./test/out-frida || true
test -n "$( ls ./test/output-frida/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for FRIDA mode"
exit 1
}
{{CC}} ./test/test-cmpcov.c -o ./test/out-frida-cmpcov
AFL_FRIDA_VERBOSE=1 timeout 15 {{FUZZER}} -m 0 -O -c 0 -l 3 -i ./test/seeds_frida -o ./test/output-frida-cmpcov -- ./test/out-frida-cmpcov || true
test -n "$( ls ./test/output-frida-cmpcov/fuzzer_main/queue/id:000003* 2>/dev/null )" || {
echo "No new corpus entries found for FRIDA cmplog mode"
exit 1
}
export AFL_FRIDA_PERSISTENT_ADDR=0x`nm ./test/out-frida | grep -Ei "T _main|T main" | awk '{print $1}'`
timeout 15 {{FUZZER}} -m 0 -O -i ./test/seeds_frida -o ./test/output-frida-persistent -- ./test/out-frida || true
test -n "$( ls ./test/output-frida-persistent/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for FRIDA persistent mode"
exit 1
}
RUNTIME_PERSISTENT=`grep execs_done ./test/output-frida-persistent/fuzzer_main/fuzzer_stats | awk '{print$3}'`
RUNTIME=`grep execs_done ./test/output-frida/fuzzer_main/fuzzer_stats | awk '{print$3}'`
test -n "$RUNTIME" -a -n "$RUNTIME_PERSISTENT" && {
DIFF=`expr $RUNTIME_PERSISTENT / $RUNTIME`
test "$DIFF" -gt 1 && { # must be at least twice as fast
echo "persistent frida_mode was noticeably faster than standard frida_mode"
} || {
echo "persistent frida_mode" $RUNTIME_PERSISTENT "was not noticeably faster than standard frida_mode" $RUNTIME
exit 1
}
} || {
echo "we got no data on executions performed? weird!"
}
unset AFL_FRIDA_PERSISTENT_ADDR
test_qemu: build_afl build_qemuafl build_libafl_fuzz
#!/bin/bash
{{CC}} -pie -fPIE ./test/test-instr.c -o ./test/out-qemu
{{CC}} -o ./test/out-qemu-cmpcov ./test/test-cmpcov.c
export AFL_PATH={{AFL_DIR}}
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
timeout 15 {{FUZZER}} -m 0 -Q -i ./test/seeds_qemu -o ./test/output-qemu -- ./test/out-qemu || true
test -n "$( ls ./test/output-qemu/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for QEMU mode"
exit 1
}
export AFL_ENTRYPOINT=`printf 1 | AFL_DEBUG=1 {{AFL_DIR}}/afl-qemu-trace ./test/out-qemu 2>&1 >/dev/null | awk '/forkserver/{print $4; exit}'`
timeout 15 {{FUZZER}} -m 0 -Q -i ./test/seeds_qemu -o ./test/output-qemu-entrypoint -- ./test/out-qemu || true
test -n "$( ls ./test/output-qemu-entrypoint/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for QEMU mode with AFL_ENTRYPOINT"
exit 1
}
unset AFL_ENTRYPOINT
export AFL_PRELOAD={{AFL_DIR}}/libcompcov.so
export AFL_COMPCOV_LEVEL=2
timeout 15 {{FUZZER}} -Q -i ./test/seeds_qemu -o ./test/output-qemu-cmpcov -- ./test/out-qemu-cmpcov || true
test -n "$( ls ./test/output-qemu-cmpcov/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for QEMU mode"
exit 1
}
test_unicorn_mode: build_libafl_fuzz build_afl build_unicorn_mode
#!/bin/bash
export AFL_PATH={{AFL_DIR}}
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
# TODO: test unicorn persistent mode once it's fixed on AFL++
LIBAFL_DEBUG_OUTPUT=1 AFL_DEBUG=1 AFL_DEBUG_CHILD=1 timeout 15s {{FUZZER}} -m 0 -U -i ./test/seeds_unicorn -o ./test/output-unicorn-python -- python3 {{AFL_DIR}}/unicorn_mode/samples/python_simple/simple_test_harness.py @@ || true
test -n "$( ls ./test/output-unicorn-python/fuzzer_main/queue/id:000003* 2>/dev/null )" || {
echo "No new corpus entries found for Unicorn python3 mode"
exit 1
}
export AFL_COMPCOV_LEVEL=2
LIBAFL_DEBUG_OUTPUT=1 AFL_DEBUG=1 AFL_DEBUG_CHILD=1 timeout 15s {{FUZZER}} -m 0 -U -i ./test/seeds_unicorn_cmpcov -o ./test/output-unicorn-cmpcov -- python3 {{AFL_DIR}}/unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ || true
test -n "$( ls ./test/output-unicorn-cmpcov/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for Unicorn cmpcov mode"
exit 1
}
test_nyx_mode: build_afl build_libafl_fuzz
#!/bin/bash
export AFL_PATH={{AFL_DIR}}
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
export AFL_DEBUG=1
export LIBAFL_DEBUG_OUTPUT=1
AFL_PATH={{AFL_DIR}} {{AFL_CC_PATH}} ./test/test-instr.c -o ./test/out-instr
rm -rf ./test/nyx-test
cd ../../../libafl_nyx
rm -rf packer
git clone https://github.com/nyx-fuzz/packer.git
python3 packer/packer/nyx_packer.py \
../fuzzers/forkserver/libafl-fuzz/test/out-instr \
../fuzzers/forkserver/libafl-fuzz/test/out-nyx \
afl \
instrumentation \
--fast_reload_mode \
--purge
python3 packer/packer/nyx_config_gen.py ../fuzzers/forkserver/libafl-fuzz/test/out-nyx Kernel
cd ../fuzzers/forkserver/libafl-fuzz/
timeout 15s {{FUZZER}} -i ./test/seeds_nyx -o ./test/output-nyx -X -- ./test/out-nyx
test -n "$( ls ./test/output-nyx/fuzzer_main/queue/id:000003* 2>/dev/null )" || {
echo "No new corpus entries found for Nyx mode!"
exit 1
}
# since we cannot test nyx mode on CI, let's build it
build_nyx_mode:
#!/bin/bash
cargo build --profile {{PROFILE}} --features nyx
clean:
#!/bin/bash
rm -rf AFLplusplus
rm -rf ./test/output
rm -rf ./test/cmplog-output
rm -rf ./test/output-frida*
rm -rf ./test/output-cmplog
rm -rf ./test/output-qemu*
rm -rf ./test/output-unicorn*
rm ./test/out-*

322
fuzzers/forkserver/libafl-fuzz/Makefile.toml
View File

@ -1,322 +0,0 @@
[env]
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
FUZZER_NAME = 'libafl-fuzz'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
LLVM_CONFIG = { value = "llvm-config-18", condition = { env_not_set = [
"LLVM_CONFIG",
] } }
AFL_VERSION = "5777ceaf23f48ae4ceae60e4f3a79263802633c6"
AFL_DIR = { value = "${PROJECT_DIR}/AFLplusplus" }
AFL_CC_PATH = { value = "${AFL_DIR}/afl-clang-fast" }
CC = { value = "clang" }
[tasks.build_afl]
script_runner = "@shell"
script = '''
if [ ! -d "$AFL_DIR" ]; then
git clone https://github.com/AFLplusplus/AFLplusplus.git
cd ${AFL_DIR}
git checkout ${AFL_VERSION}
LLVM_CONFIG=${LLVM_CONFIG} make
fi
'''
[tasks.build_frida_mode]
script_runner = '@shell'
script = '''
cd ${AFL_DIR}
cd frida_mode
LLVM_CONFIG=${LLVM_CONFIG} make
cd ../..
'''
[tasks.build_qemuafl]
script_runner = "@shell"
script = '''
cd ${AFL_DIR}/qemu_mode
./build_qemu_support.sh
cd ../..
'''
dependencies = ["build_afl"]
[tasks.build_unicorn_mode]
script_runner = "@shell"
script = '''
cd ${AFL_DIR}/unicorn_mode
./build_unicorn_support.sh
cd ../..
'''
dependencies = ["build_afl"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = "echo done"
dependencies = [
"build_afl",
"test_instr",
"test_cmplog",
"test_frida",
"test_qemu",
"test_unicorn_mode",
# nyx
# since we cannot test nyx mode on CI, let's build it
# "build_nyx_mode",
# fuzzbench
"test_instr_fuzzbench",
]
[tasks.build_libafl_fuzz]
script_runner = "@shell"
script = "cargo build --profile ${PROFILE}"
[tasks.build_libafl_fuzz_fuzzbench]
script_runner = "@shell"
script = "cargo build --profile ${PROFILE} --features fuzzbench"
[tasks.test_instr]
script_runner = "@shell"
script = '''
AFL_PATH=${AFL_DIR} ${AFL_CC_PATH} ./test/test-instr.c -o ./test/out-instr
export LIBAFL_DEBUG_OUTPUT=1
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
timeout 5 ${FUZZER} -i ./test/seeds -o ./test/output ./test/out-instr || true
test -n "$( ls ./test/output/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found"
exit 1
}
test -n "$( ls ./test/output/fuzzer_main/fuzzer_stats 2>/dev/null )" || {
echo "No fuzzer_stats file found"
exit 1
}
test -n "$( ls ./test/output/fuzzer_main/plot_data 2>/dev/null )" || {
echo "No plot_data found"
exit 1
}
test -d "./test/output/fuzzer_main/hangs" || {
echo "No hangs directory found"
exit 1
}
test -d "./test/output/fuzzer_main/crashes" || {
echo "No crashes directory found"
exit 1
}
'''
dependencies = ["build_afl", "build_libafl_fuzz"]
[tasks.test_instr_fuzzbench]
script_runner = "@shell"
script = '''
AFL_PATH=${AFL_DIR} ${AFL_CC_PATH} ./test/test-instr.c -o ./test/out-instr
export LIBAFL_DEBUG_OUTPUT=1
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
timeout 5 ${FUZZER} -i ./test/seeds -o ./test/output-fuzzbench ./test/out-instr || true
test -n "$( ls ./test/output-fuzzbench/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found"
exit 1
}
test -n "$( ls ./test/output-fuzzbench/fuzzer_main/fuzzer_stats 2>/dev/null )" || {
echo "No fuzzer_stats file found"
exit 1
}
test -n "$( ls ./test/output-fuzzbench/fuzzer_main/plot_data 2>/dev/null )" || {
echo "No plot_data found"
exit 1
}
test -d "./test/output-fuzzbench/fuzzer_main/hangs" || {
echo "No hangs directory found"
exit 1
}
test -d "./test/output-fuzzbench/fuzzer_main/crashes" || {
echo "No crashes directory found"
exit 1
}
'''
dependencies = ["build_afl", "build_libafl_fuzz_fuzzbench"]
[tasks.test_cmplog]
script_runner = "@shell"
script = '''
# cmplog TODO: AFL_BENCH_UNTIL_CRASH=1 instead of timeout 15s
AFL_LLVM_CMPLOG=1 AFL_PATH=${AFL_DIR} ${AFL_CC_PATH} ./test/test-cmplog.c -o ./test/out-cmplog
LIBAFL_DEBUG_OUTPUT=1 AFL_CORES=0 timeout 15 ${FUZZER} -Z -l 3 -m 0 -V30 -i ./test/seeds_cmplog -o ./test/output-cmplog -c 0 ./test/out-cmplog || true
test -n "$( ls ${PROJECT_DIR}/test/output-cmplog/fuzzer_main/hangs/id:0000* ${PROJECT_DIR}/test/output-cmplog/fuzzer_main/crashes/id:0000*)" || {
echo "No crashes found"
exit 1
}
'''
dependencies = ["build_afl", "build_libafl_fuzz"]
[tasks.test_frida]
script_runner = "@shell"
script = '''
${CC} -no-pie ./test/test-instr.c -o ./test/out-frida
export AFL_PATH=${AFL_DIR}
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
timeout 15 ${FUZZER} -m 0 -O -i ./test/seeds_frida -o ./test/output-frida -- ./test/out-frida || true
test -n "$( ls ./test/output-frida/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for FRIDA mode"
exit 1
}
${CC} ./test/test-cmpcov.c -o ./test/out-frida-cmpcov
AFL_FRIDA_VERBOSE=1 timeout 15 ${FUZZER} -m 0 -O -c 0 -l 3 -i ./test/seeds_frida -o ./test/output-frida-cmpcov -- ./test/out-frida-cmpcov || true
test -n "$( ls ./test/output-frida-cmpcov/fuzzer_main/queue/id:000003* 2>/dev/null )" || {
echo "No new corpus entries found for FRIDA cmplog mode"
exit 1
}
export AFL_FRIDA_PERSISTENT_ADDR=0x`nm ./test/out-frida | grep -Ei "T _main|T main" | awk '{print $1}'`
timeout 15 ${FUZZER} -m 0 -O -i ./test/seeds_frida -o ./test/output-frida-persistent -- ./test/out-frida || true
test -n "$( ls ./test/output-frida-persistent/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for FRIDA persistent mode"
exit 1
}
RUNTIME_PERSISTENT=`grep execs_done ./test/output-frida-persistent/fuzzer_main/fuzzer_stats | awk '{print$3}'`
RUNTIME=`grep execs_done ./test/output-frida/fuzzer_main/fuzzer_stats | awk '{print$3}'`
test -n "$RUNTIME" -a -n "$RUNTIME_PERSISTENT" && {
DIFF=`expr $RUNTIME_PERSISTENT / $RUNTIME`
test "$DIFF" -gt 1 && { # must be at least twice as fast
echo "persistent frida_mode was noticeably faster than standard frida_mode"
} || {
echo "persistent frida_mode" $RUNTIME_PERSISTENT "was not noticeably faster than standard frida_mode" $RUNTIME
exit 1
}
} || {
echo "we got no data on executions performed? weird!"
}
unset AFL_FRIDA_PERSISTENT_ADDR
'''
dependencies = ["build_afl", "build_frida_mode", "build_libafl_fuzz"]
[tasks.test_qemu]
script_runner = "@shell"
script = '''
${CC} -pie -fPIE ./test/test-instr.c -o ./test/out-qemu
${CC} -o ./test/out-qemu-cmpcov ./test/test-cmpcov.c
export AFL_PATH=${AFL_DIR}
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
timeout 15 ${FUZZER} -m 0 -Q -i ./test/seeds_qemu -o ./test/output-qemu -- ./test/out-qemu || true
test -n "$( ls ./test/output-qemu/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for QEMU mode"
exit 1
}
export AFL_ENTRYPOINT=`printf 1 | AFL_DEBUG=1 ${AFL_DIR}/afl-qemu-trace ./test/out-qemu 2>&1 >/dev/null | awk '/forkserver/{print $4; exit}'`
timeout 15 ${FUZZER} -m 0 -Q -i ./test/seeds_qemu -o ./test/output-qemu-entrypoint -- ./test/out-qemu || true
test -n "$( ls ./test/output-qemu-entrypoint/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for QEMU mode with AFL_ENTRYPOINT"
exit 1
}
unset AFL_ENTRYPOINT
export AFL_PRELOAD=${AFL_DIR}/libcompcov.so
export AFL_COMPCOV_LEVEL=2
timeout 15 ${FUZZER} -Q -i ./test/seeds_qemu -o ./test/output-qemu-cmpcov -- ./test/out-qemu-cmpcov || true
test -n "$( ls ./test/output-qemu-cmpcov/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for QEMU mode"
exit 1
}
'''
dependencies = ["build_afl", "build_qemuafl", "build_libafl_fuzz"]
[tasks.test_unicorn_mode]
script_runner = "@shell"
script = '''
export AFL_PATH=${AFL_DIR}
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
# TODO: test unicorn persistent mode once it's fixed on AFL++
LIBAFL_DEBUG_OUTPUT=1 AFL_DEBUG=1 AFL_DEBUG_CHILD=1 timeout 15s ${FUZZER} -m 0 -U -i ./test/seeds_unicorn -o ./test/output-unicorn-python -- python3 ${AFL_DIR}/unicorn_mode/samples/python_simple/simple_test_harness.py @@ || true
test -n "$( ls ./test/output-unicorn-python/fuzzer_main/queue/id:000003* 2>/dev/null )" || {
echo "No new corpus entries found for Unicorn python3 mode"
exit 1
}
export AFL_COMPCOV_LEVEL=2
LIBAFL_DEBUG_OUTPUT=1 AFL_DEBUG=1 AFL_DEBUG_CHILD=1 timeout 15s ${FUZZER} -m 0 -U -i ./test/seeds_unicorn_cmpcov -o ./test/output-unicorn-cmpcov -- python3 ${AFL_DIR}/unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ || true
test -n "$( ls ./test/output-unicorn-cmpcov/fuzzer_main/queue/id:000002* 2>/dev/null )" || {
echo "No new corpus entries found for Unicorn cmpcov mode"
exit 1
}
'''
dependencies = ["build_libafl_fuzz", "build_afl", "build_unicorn_mode"]
[tasks.test_nyx_mode]
script_runner = "@shell"
script = '''
export AFL_PATH=${AFL_DIR}
export AFL_CORES=0
export AFL_STATS_INTERVAL=1
export AFL_DEBUG=1
export LIBAFL_DEBUG_OUTPUT=1
AFL_PATH=${AFL_DIR} ${AFL_CC_PATH} ./test/test-instr.c -o ./test/out-instr
rm -rf ./test/nyx-test
cd ../../../libafl_nyx
rm -rf packer
git clone https://github.com/nyx-fuzz/packer.git
python3 packer/packer/nyx_packer.py \
../fuzzers/forkserver/libafl-fuzz/test/out-instr \
../fuzzers/forkserver/libafl-fuzz/test/out-nyx \
afl \
instrumentation \
--fast_reload_mode \
--purge
python3 packer/packer/nyx_config_gen.py ../fuzzers/forkserver/libafl-fuzz/test/out-nyx Kernel
cd ../fuzzers/forkserver/libafl-fuzz/
timeout 15s ${FUZZER} -i ./test/seeds_nyx -o ./test/output-nyx -X -- ./test/out-nyx
test -n "$( ls ./test/output-nyx/fuzzer_main/queue/id:000003* 2>/dev/null )" || {
echo "No new corpus entries found for Nyx mode!"
exit 1
}
'''
dependencies = ["build_afl", "build_libafl_fuzz"]
# since we cannot test nyx mode on CI, let's build it
[tasks.build_nyx_mode]
script_runner = "@shell"
script = "cargo build --profile ${PROFILE} --features nyx"
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
script_runner = "@shell"
script = '''
rm -rf AFLplusplus
rm -rf ./test/output
rm -rf ./test/cmplog-output
rm -rf ./test/output-frida*
rm -rf ./test/output-cmplog
rm -rf ./test/output-qemu*
rm -rf ./test/output-unicorn*
rm ./test/out-*
'''

22
fuzzers/fuzz_anything/baby_fuzzer_wasm/Justfile Normal file
View File

@ -0,0 +1,22 @@
FUZZER_NAME := 'fuzzer_wasm'
PROJECT_DIR := absolute_path(".")
PROFILE := 'release'
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
build:
cargo build --target web
[linux]
[macos]
test:
wasm-pack test --chrome --headless
[windows]
test:
echo "Unsupported on this platform"
clean:
cargo clean

29
fuzzers/fuzz_anything/baby_fuzzer_wasm/Makefile.toml
View File

@ -1,29 +0,0 @@
[env]
FUZZER_NAME = "fuzzer"
PROJECT_DIR = { script = ["pwd"] }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# Fuzzer
[tasks.build]
command = "wasm-pack"
args = ["build", "--target", "web"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.test_unix]
command = "wasm-pack"
args = ["test", "--chrome", "--headless"]
# Clean
[tasks.clean]
command = "cargo"
args = ["clean"]

26
fuzzers/fuzz_anything/baby_no_std/Justfile Normal file
View File

@ -0,0 +1,26 @@
FUZZER_NAME := 'fuzzer_no_std'
PROJECT_DIR := absolute_path(".")
PROFILE := 'release'
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
build:
cargo build --profile={{PROFILE}} -Zbuild-std=core,alloc --target x86_64-unknown-linux-gnu
build_aarch:
cargo +nightly build -Zbuild-std=core,alloc --target aarch64-unknown-none -v --profile {{PROFILE}}
[linux]
test: build
cargo run -Zbuild-std=core,alloc --target x86_64-unknown-linux-gnu || true
[macos]
[windows]
test: build
echo "Unsupported on this platform"
clean:
cargo clean

45
fuzzers/fuzz_anything/baby_no_std/Makefile.toml
View File

@ -1,45 +0,0 @@
[env]
FUZZER_NAME = "fuzzer"
PROJECT_DIR = { script = ["pwd"] }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# Fuzzer
[tasks.build]
command = "cargo"
args = [
"build",
"--profile",
"${PROFILE}",
"-Zbuild-std=core,alloc",
"--target",
"x86_64-unknown-linux-gnu",
]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.test_unix]
script = '''
cargo run -Zbuild-std=core,alloc --target x86_64-unknown-linux-gnu || true
'''
dependencies = ["build"]
[tasks.build_aarch]
script = "cargo +nightly build -Zbuild-std=core,alloc --target aarch64-unknown-none -v --profile ${PROFILE}"
# Clean
[tasks.clean]
command = "cargo"
args = ["clean"]

27
fuzzers/fuzz_anything/cargo_fuzz/Justfile Normal file
View File

@ -0,0 +1,27 @@
install_llvm_tools:
rustup toolchain install nightly --component llvm-tools-preview
install_cargo_fuzz:
cargo install cargo-fuzz
build: install_cargo_fuzz install_llvm_tools
cargo +nightly fuzz build fuzz_target_1
[linux]
test: build
#!/bin/bash
timeout 30s cargo +nightly fuzz run fuzz_target_1 2>&1 | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[macos]
[windows]
test: build
echo "Unsupported on this platform"
clean:
rm -rf fuzz/target

44
fuzzers/fuzz_anything/cargo_fuzz/Makefile.toml
View File

@ -1,44 +0,0 @@
[env]
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
[tasks.install_llvm_tools]
command = "rustup"
args = ["toolchain", "install", "nightly", "--component", "llvm-tools-preview"]
[tasks.install_cargo_fuzz]
command = "cargo"
args = ["install", "cargo-fuzz"]
# Fuzzer
[tasks.build]
command = "cargo"
args = ["+nightly", "fuzz", "build", "fuzz_target_1"]
dependencies = ["install_cargo_fuzz", "install_llvm_tools"]
[tasks.test]
linux_alias = "test_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.test_unix]
script = '''
timeout 30s cargo +nightly fuzz run fuzz_target_1 2>&1 | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["build"]
# Clean
[tasks.clean]
command = "rm "
args = ["-rf", "fuzz/target"]

51
fuzzers/inprocess/dynamic_analysis/Cargo.toml
View File

@ -1,51 +0,0 @@
[package]
name = "dynamic_analysis"
version = "0.15.1"
authors = [
"Andrea Fioraldi <andreafioraldi@gmail.com>",
"Dominik Maier <domenukk@gmail.com>",
]
edition = "2021"
[features]
default = ["std"]
std = []
no_link_main = ["libafl_targets/libfuzzer_no_link_main"]
[profile.release]
lto = true
codegen-units = 1
opt-level = 3
debug = true
[profile.release-fuzzbench]
inherits = "release"
debug = false
strip = true
[build-dependencies]
cc = { version = "1.1.21", features = ["parallel"] }
which = "6.0.3"
[dependencies]
env_logger = "0.11.5"
once_cell = "1.19.0"
libafl = { path = "../../../libafl" }
libafl_bolts = { path = "../../../libafl_bolts" }
libafl_targets = { path = "../../../libafl_targets", features = [
"sancov_pcguard_hitcounts",
"sancov_cmplog",
"libfuzzer",
"function-logging",
] }
# TODO Include it only when building cc
libafl_cc = { path = "../../../libafl_cc" }
clap = { version = "4.5.18", features = ["default"] }
log = { version = "0.4.22", features = ["release_max_level_info"] }
nix = { version = "0.29.0", features = ["fs"] }
mimalloc = { version = "0.1.43", default-features = false }
[lib]
name = "fuzzbench"
crate-type = ["staticlib"]

129
fuzzers/inprocess/dynamic_analysis/Makefile.toml
View File

@ -1,129 +0,0 @@
[env]
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
FUZZER_NAME = "fuzzer"
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# fuzz.o File
[tasks.fuzz_o]
linux_alias = "fuzz_o_unix"
mac_alias = "fuzz_o_unix"
windows_alias = "unsupported"
[tasks.fuzz_o_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"--libafl-no-link",
"-O3",
"-I",
"./Little-CMS/include",
"-c",
"cms_transform_fuzzer.cc",
"-o",
"cms_transform_fuzzer.o",
]
dependencies = ["cc", "cxx"]
# Fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"--libafl",
"cms_transform_fuzzer.o",
"./Little-CMS/src/.libs/liblcms2.a",
"-o",
"${FUZZER_NAME}",
"-lm",
"-lz",
]
dependencies = ["cc", "cxx", "fuzz_o"]
# Run
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
./${FUZZER_NAME} -o out -i in
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
# Allow sigterm as exit code
timeout 31s ./${FUZZER_NAME} -o out -i in | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
rm -rf out || true
rm -rf in || true
'''
dependencies = ["fuzzer"]
# Clean
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
script_runner = "@shell"
script = '''
rm ./${FUZZER_NAME} || true
rm fuzz.o || true
'''

12
fuzzers/inprocess/dynamic_analysis/README.md
View File

@ -1,12 +0,0 @@
# Dynamic Analysis Fuzzer
This fuzzer is to show how you can collect runtime analysis information during fuzzing using LibAFL. We use the [Little-CMS](https://github.com/mm2/Little-CMS) project for the example.
First, this fuzzer requires `nlohmann-json3-dev` to work.
To run the fuzzer:
1. Compile the fuzzer with `cargo build --release`
2. `mkdir analysis` and run `build.sh`. This will compile Little-CMS to extract the analysis information and generate a json file for each module.
3. run `python3 concatenator.py analysis`. This will concatenate all the json into one single file. This json file maps a function id to its analysis information.
4. Compile the fuzzer with `cargo make fuzzer`. This will instrument the fuzzer at every function entry point. Therefore, whenever we reach the entry of any function, we can log its id and logs what functions we executed.
5. Run the fuzzer `RUST_LOG=info ./fuzzer --input ./corpus --output ./out`. You'll see a stream of analysis data

23
fuzzers/inprocess/dynamic_analysis/build.rs
View File

@ -1,23 +0,0 @@
use std::{env, process::Command};
fn main() {
let current_dir = env::current_dir().unwrap();
let lcms_dir = current_dir.join("Little-CMS");
if !lcms_dir.exists() {
println!("cargo:warning=Downloading Little-CMS");
// Clone the Little-CMS repository if the directory doesn't exist
let status = Command::new("git")
.args([
"clone",
"https://github.com/mm2/Little-CMS",
lcms_dir.to_str().unwrap(),
])
.status()
.expect("Failed to clone Little-CMS repository");
assert!(status.success(), "Failed to clone Little-CMS repository");
}
// Tell Cargo that if the given file changes, to rerun this build script
println!("cargo:rerun-if-changed=build.rs");
}

14
fuzzers/inprocess/dynamic_analysis/build.sh
View File

@ -1,14 +0,0 @@
export CC=$(pwd)/target/release/libafl_cc
export CXX=$(pwd)/target/release/libafl_cxx
export CXXFLAGS='--libafl'
export CFLAGS='--libafl'
export LDFLAGS='--libafl'
export ANALYSIS_OUTPUT=`pwd`/analysis
cd Little-CMS
./autogen.sh
./configure
make -j $(nproc)
$CXX $CXXFLAGS ../cms_transform_fuzzer.cc -I include/ src/.libs/liblcms2.a -o ../fuzzer

5
fuzzers/inprocess/dynamic_analysis/clean.sh
View File

@ -1,5 +0,0 @@
export ANALYSIS_OUTPUT=`pwd`/analysis
rm -rf analysis/*
pushd Little-CMS
make clean
popd

63
fuzzers/inprocess/dynamic_analysis/cms_transform_fuzzer.cc
View File

@ -1,63 +0,0 @@
// Copyright 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include <stdint.h>
#include "lcms2.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
cmsHPROFILE srcProfile = cmsOpenProfileFromMem(data, size);
if (!srcProfile) return 0;
cmsHPROFILE dstProfile = cmsCreate_sRGBProfile();
if (!dstProfile) {
cmsCloseProfile(srcProfile);
return 0;
}
cmsColorSpaceSignature srcCS = cmsGetColorSpace(srcProfile);
cmsUInt32Number nSrcComponents = cmsChannelsOf(srcCS);
cmsUInt32Number srcFormat;
if (srcCS == cmsSigLabData) {
srcFormat =
COLORSPACE_SH(PT_Lab) | CHANNELS_SH(nSrcComponents) | BYTES_SH(0);
} else {
srcFormat =
COLORSPACE_SH(PT_ANY) | CHANNELS_SH(nSrcComponents) | BYTES_SH(1);
}
cmsUInt32Number intent = 0;
cmsUInt32Number flags = 0;
cmsHTRANSFORM hTransform = cmsCreateTransform(
srcProfile, srcFormat, dstProfile, TYPE_BGR_8, intent, flags);
cmsCloseProfile(srcProfile);
cmsCloseProfile(dstProfile);
if (!hTransform) return 0;
uint8_t output[4];
if (T_BYTES(srcFormat) == 0) { // 0 means double
double input[nSrcComponents];
for (uint32_t i = 0; i < nSrcComponents; i++)
input[i] = 0.5f;
cmsDoTransform(hTransform, input, output, 1);
} else {
uint8_t input[nSrcComponents];
for (uint32_t i = 0; i < nSrcComponents; i++)
input[i] = 128;
cmsDoTransform(hTransform, input, output, 1);
}
cmsDeleteTransform(hTransform);
return 0;
}

38
fuzzers/inprocess/dynamic_analysis/concatenator.py
View File

@ -1,38 +0,0 @@
#!/usr/bin/python3
import os
import json
import sys
def concatenate_json_files(input_dir):
json_files = []
for root, dirs, files in os.walk(input_dir):
for file in files:
if file.endswith(".json"):
json_files.append(os.path.join(root, file))
data = dict()
for json_file in json_files:
with open(json_file, "r") as file:
if os.stat(json_file).st_size == 0:
# skip empty file else json.load() fails
continue
json_data = json.load(file)
print(type(json_data), file)
data = data | json_data
output_file = os.path.join(os.getcwd(), "concatenated.json")
with open(output_file, "w") as file:
json.dump([data], file)
print(f"JSON files concatenated successfully! Output file: {output_file}")
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python script.py <directory_path>")
sys.exit(1)
input_directory = sys.argv[1]
concatenate_json_files(input_directory)

BIN
fuzzers/inprocess/dynamic_analysis/corpus/seed
View File

Binary file not shown.

47
fuzzers/inprocess/dynamic_analysis/src/bin/libafl_cc.rs
View File

@ -1,47 +0,0 @@
use std::env;
use libafl_cc::{ClangWrapper, CompilerWrapper, LLVMPasses, ToolWrapper};
pub fn main() {
let mut args: Vec<String> = env::args().collect();
if args.len() > 1 {
let mut dir = env::current_exe().unwrap();
let wrapper_name = dir.file_name().unwrap().to_str().unwrap();
let is_cpp = match wrapper_name[wrapper_name.len()-2..].to_lowercase().as_str() {
"cc" => false,
"++" | "pp" | "xx" => true,
_ => panic!("Could not figure out if c or c++ wrapper was called. Expected {dir:?} to end with c or cxx"),
};
dir.pop();
// Must be always present, even without --libafl
args.push("-fsanitize-coverage=trace-pc-guard,trace-cmp".into());
let mut cc = ClangWrapper::new();
#[cfg(any(target_os = "linux", target_vendor = "apple"))]
cc.add_pass(LLVMPasses::AutoTokens);
if let Some(code) = cc
.cpp(is_cpp)
// silence the compiler wrapper output, needed for some configure scripts.
.silence(true)
// add arguments only if --libafl or --libafl-no-link are present
.need_libafl_arg(true)
.parse_args(&args)
.expect("Failed to parse the command line")
.link_staticlib(&dir, "fuzzbench")
.add_pass(LLVMPasses::CmpLogRtn)
.add_pass(LLVMPasses::FunctionLogging)
.add_pass(LLVMPasses::Profiling)
.run()
.expect("Failed to run the wrapped compiler")
{
std::process::exit(code);
}
} else {
panic!("LibAFL CC: No Arguments given");
}
}

5
fuzzers/inprocess/dynamic_analysis/src/bin/libafl_cxx.rs
View File

@ -1,5 +0,0 @@
pub mod libafl_cc;
fn main() {
libafl_cc::main();
}

417
fuzzers/inprocess/dynamic_analysis/src/lib.rs
View File

@ -1,417 +0,0 @@
//! A singlethreaded libfuzzer-like fuzzer that can auto-restart.
use mimalloc::MiMalloc;
#[global_allocator]
static GLOBAL: MiMalloc = MiMalloc;
use core::{cell::RefCell, time::Duration};
#[cfg(unix)]
use std::os::unix::io::{AsRawFd, FromRawFd};
use std::{
env,
fs::{self, File, OpenOptions},
io::{self, Read, Write},
path::PathBuf,
process,
};
use clap::{Arg, Command};
use libafl::{
corpus::{Corpus, InMemoryOnDiskCorpus, OnDiskCorpus},
events::SimpleRestartingEventManager,
executors::{inprocess::HookableInProcessExecutor, ExitKind},
feedback_or,
feedbacks::{CrashFeedback, MaxMapFeedback, TimeFeedback},
fuzzer::{Fuzzer, StdFuzzer},
inputs::{BytesInput, HasTargetBytes},
monitors::SimpleMonitor,
mutators::{
havoc_mutations, token_mutations::I2SRandReplace, tokens_mutations, StdMOptMutator,
StdScheduledMutator, Tokens,
},
observers::{CanTrack, HitcountsMapObserver, ProfilingObserver, TimeObserver},
schedulers::{
powersched::PowerSchedule, IndexesLenTimeMinimizerScheduler, StdWeightedScheduler,
},
stages::{
calibrate::CalibrationStage, power::StdPowerMutationalStage, StdMutationalStage,
TracingStage,
},
state::{HasCorpus, StdState},
Error, HasMetadata,
};
use libafl_bolts::{
current_time,
os::dup2,
ownedref::OwnedMutPtr,
rands::StdRand,
shmem::{ShMemProvider, StdShMemProvider},
tuples::{tuple_list, Merge},
AsSlice,
};
#[cfg(any(target_os = "linux", target_vendor = "apple"))]
use libafl_targets::autotokens;
use libafl_targets::{
libfuzzer_initialize, libfuzzer_test_one_input, std_edges_map_observer, CallHook,
CmpLogObserver, FUNCTION_LIST,
};
#[cfg(unix)]
use nix::unistd::dup;
use once_cell::sync::Lazy;
/// The fuzzer main (as `no_mangle` C function)
#[no_mangle]
pub extern "C" fn libafl_main() {
// Registry the metadata types used in this fuzzer
// Needed only on no_std
// unsafe { RegistryBuilder::register::<Tokens>(); }
env_logger::init();
let res = match Command::new(env!("CARGO_PKG_NAME"))
.version(env!("CARGO_PKG_VERSION"))
.author("AFLplusplus team")
.about("LibAFL-based fuzzer for Fuzzbench")
.arg(
Arg::new("out")
.short('o')
.long("output")
.help("The directory to place finds in ('corpus')"),
)
.arg(
Arg::new("in")
.short('i')
.long("input")
.help("The directory to read initial inputs from ('seeds')"),
)
.arg(
Arg::new("tokens")
.short('x')
.long("tokens")
.help("A file to read tokens from, to be used during fuzzing"),
)
.arg(
Arg::new("logfile")
.short('l')
.long("logfile")
.help("Duplicates all output to this file")
.default_value("libafl.log"),
)
.arg(
Arg::new("timeout")
.short('t')
.long("timeout")
.help("Timeout for each individual execution, in milliseconds")
.default_value("1200"),
)
.arg(Arg::new("remaining"))
.try_get_matches()
{
Ok(res) => res,
Err(err) => {
println!(
"Syntax: {}, [-x dictionary] -o corpus_dir -i seed_dir\n{:?}",
env::current_exe()
.unwrap_or_else(|_| "fuzzer".into())
.to_string_lossy(),
err,
);
return;
}
};
println!(
"Workdir: {:?}",
env::current_dir().unwrap().to_string_lossy().to_string()
);
if let Some(filenames) = res.get_many::<String>("remaining") {
let filenames: Vec<&str> = filenames.map(String::as_str).collect();
if !filenames.is_empty() {
run_testcases(&filenames);
return;
}
}
// For fuzzbench, crashes and finds are inside the same `corpus` directory, in the "queue" and "crashes" subdir.
let mut out_dir = PathBuf::from(
res.get_one::<String>("out")
.expect("The --output parameter is missing")
.to_string(),
);
if fs::create_dir(&out_dir).is_err() {
println!("Out dir at {:?} already exists.", &out_dir);
if !out_dir.is_dir() {
println!("Out dir at {:?} is not a valid directory!", &out_dir);
return;
}
}
let mut crashes = out_dir.clone();
crashes.push("crashes");
out_dir.push("queue");
let in_dir = PathBuf::from(
res.get_one::<String>("in")
.expect("The --input parameter is missing")
.to_string(),
);
if !in_dir.is_dir() {
println!("In dir at {:?} is not a valid directory!", &in_dir);
return;
}
let tokens = res.get_one::<String>("tokens").map(PathBuf::from);
let logfile = PathBuf::from(res.get_one::<String>("logfile").unwrap().to_string());
let timeout = Duration::from_millis(
res.get_one::<String>("timeout")
.unwrap()
.to_string()
.parse()
.expect("Could not parse timeout in milliseconds"),
);
fuzz(out_dir, crashes, &in_dir, tokens, &logfile, timeout)
.expect("An error occurred while fuzzing");
}
fn run_testcases(filenames: &[&str]) {
// The actual target run starts here.
// Call LLVMFUzzerInitialize() if present.
let args: Vec<String> = env::args().collect();
if unsafe { libfuzzer_initialize(&args) } == -1 {
println!("Warning: LLVMFuzzerInitialize failed with -1");
}
println!(
"You are not fuzzing, just executing {} testcases",
filenames.len()
);
for fname in filenames {
println!("Executing {fname}");
let mut file = File::open(fname).expect("No file found");
let mut buffer = vec![];
file.read_to_end(&mut buffer).expect("Buffer overflow");
unsafe {
libfuzzer_test_one_input(&buffer);
}
}
}
/// The actual fuzzer
#[expect(clippy::too_many_lines)]
fn fuzz(
corpus_dir: PathBuf,
objective_dir: PathBuf,
seed_dir: &PathBuf,
tokenfile: Option<PathBuf>,
logfile: &PathBuf,
timeout: Duration,
) -> Result<(), Error> {
let log = RefCell::new(OpenOptions::new().append(true).create(true).open(logfile)?);
#[cfg(unix)]
let mut stdout_cpy = unsafe {
let new_fd = dup(io::stdout().as_raw_fd())?;
File::from_raw_fd(new_fd)
};
#[cfg(unix)]
let file_null = File::open("/dev/null")?;
// 'While the monitor are state, they are usually used in the broker - which is likely never restarted
let monitor = SimpleMonitor::new(|s| {
#[cfg(unix)]
writeln!(&mut stdout_cpy, "{s}").unwrap();
#[cfg(windows)]
println!("{s}");
writeln!(log.borrow_mut(), "{:?} {s}", current_time()).unwrap();
});
// We need a shared map to store our state before a crash.
// This way, we are able to continue fuzzing afterwards.
let mut shmem_provider = StdShMemProvider::new()?;
let (state, mut mgr) = match SimpleRestartingEventManager::launch(monitor, &mut shmem_provider)
{
// The restarting state will spawn the same process again as child, then restarted it each time it crashes.
Ok(res) => res,
Err(err) => match err {
Error::ShuttingDown => {
return Ok(());
}
_ => {
panic!("Failed to setup the restarter: {err}");
}
},
};
// Create an observation channel using the coverage map
// We don't use the hitcounts (see the Cargo.toml, we use pcguard_edges)
let edges_observer =
HitcountsMapObserver::new(unsafe { std_edges_map_observer("edges") }).track_indices();
// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
// TODO: This will break soon, fix me! See https://github.com/AFLplusplus/LibAFL/issues/2786
#[allow(static_mut_refs)] // only a problem in nightly
let func_list = unsafe { OwnedMutPtr::from_raw_mut(Lazy::force_mut(&mut FUNCTION_LIST)) };
let profiling_observer = ProfilingObserver::new("concatenated.json", func_list)?;
let callhook = CallHook::new();
let cmplog_observer = CmpLogObserver::new("cmplog", true);
let map_feedback = MaxMapFeedback::new(&edges_observer);
let calibration = CalibrationStage::new(&map_feedback);
// Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR
let mut feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
map_feedback,
// Time feedback, this one does not need a feedback state
TimeFeedback::new(&time_observer)
);
// A feedback to choose if an input is a solution or not
let mut objective = CrashFeedback::new();
// If not restarting, create a State from scratch
let mut state = state.unwrap_or_else(|| {
StdState::new(
// RNG
StdRand::new(),
// Corpus that will be evolved, we keep it in memory for performance
InMemoryOnDiskCorpus::new(corpus_dir).unwrap(),
// Corpus in which we store solutions (crashes in this example),
// on disk so the user can get them after stopping the fuzzer
OnDiskCorpus::new(objective_dir).unwrap(),
// States of the feedbacks.
// The feedbacks can report the data that should persist in the State.
&mut feedback,
// Same for objective feedbacks
&mut objective,
)
.unwrap()
});
println!("Let's fuzz :)");
// The actual target run starts here.
// Call LLVMFUzzerInitialize() if present.
let args: Vec<String> = env::args().collect();
if unsafe { libfuzzer_initialize(&args) } == -1 {
println!("Warning: LLVMFuzzerInitialize failed with -1");
}
// Setup a randomic Input2State stage
let i2s = StdMutationalStage::new(StdScheduledMutator::new(tuple_list!(I2SRandReplace::new())));
// Setup a MOPT mutator
let mutator = StdMOptMutator::new(
&mut state,
havoc_mutations().merge(tokens_mutations()),
7,
5,
)?;
let power: StdPowerMutationalStage<_, _, BytesInput, _, _, _> =
StdPowerMutationalStage::new(mutator);
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerScheduler::new(
&edges_observer,
StdWeightedScheduler::with_schedule(
&mut state,
&edges_observer,
Some(PowerSchedule::fast()),
),
);
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
// The wrapped harness function, calling out to the LLVM-style harness
let mut harness = |input: &BytesInput| {
let target = input.target_bytes();
let buf = target.as_slice();
unsafe {
libfuzzer_test_one_input(buf);
}
ExitKind::Ok
};
let mut tracing_harness = harness;
// Create the executor for an in-process function with one observer for edge coverage and one for the execution time
let mut executor = HookableInProcessExecutor::with_timeout_generic(
tuple_list!(callhook.clone()),
&mut harness,
tuple_list!(edges_observer, time_observer, profiling_observer),
&mut fuzzer,
&mut state,
&mut mgr,
timeout,
)?;
// Setup a tracing stage in which we log comparisons
let tracing = TracingStage::new(
HookableInProcessExecutor::with_timeout_generic(
tuple_list!(callhook),
&mut tracing_harness,
tuple_list!(cmplog_observer),
&mut fuzzer,
&mut state,
&mut mgr,
timeout * 10,
)?,
// Give it more time!
);
// The order of the stages matter!
let mut stages = tuple_list!(calibration, tracing, i2s, power);
// Read tokens
if state.metadata_map().get::<Tokens>().is_none() {
let mut toks = Tokens::default();
if let Some(tokenfile) = tokenfile {
toks.add_from_file(tokenfile)?;
}
#[cfg(any(target_os = "linux", target_vendor = "apple"))]
{
toks += autotokens()?;
}
if !toks.is_empty() {
state.add_metadata(toks);
}
}
// In case the corpus is empty (on first run), reset
if state.must_load_initial_inputs() {
state
.load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &[seed_dir.clone()])
.unwrap_or_else(|_| {
println!("Failed to load initial corpus at {:?}", &seed_dir);
process::exit(0);
});
println!("We imported {} inputs from disk.", state.corpus().count());
}
// Remove target output (logs still survive)
#[cfg(unix)]
{
let null_fd = file_null.as_raw_fd();
dup2(null_fd, io::stdout().as_raw_fd())?;
if std::env::var("LIBAFL_FUZZBENCH_DEBUG").is_err() {
// dup2(null_fd, io::stderr().as_raw_fd())?;
}
}
// reopen file to make sure we're at the end
log.replace(OpenOptions::new().append(true).create(true).open(logfile)?);
fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?;
// Never reached
Ok(())
}

34
fuzzers/inprocess/dynamic_analysis/stub_rt.c
View File

@ -1,34 +0,0 @@
#include <stdint.h>
__attribute__((weak)) void __sanitizer_cov_trace_pc_guard_init(uint32_t *start,
uint32_t *stop) {
}
__attribute__((weak)) void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
}
__attribute__((weak)) void __cmplog_rtn_hook(uint8_t *ptr1, uint8_t *ptr2) {
}
__attribute__((weak)) void __cmplog_rtn_gcc_stdstring_cstring(
uint8_t *stdstring, uint8_t *cstring) {
}
__attribute__((weak)) void __cmplog_rtn_gcc_stdstring_stdstring(
uint8_t *stdstring1, uint8_t *stdstring2) {
}
__attribute__((weak)) void __cmplog_rtn_llvm_stdstring_cstring(
uint8_t *stdstring, uint8_t *cstring) {
}
__attribute__((weak)) void __cmplog_rtn_llvm_stdstring_stdstring(
uint8_t *stdstring1, uint8_t *stdstring2) {
}
extern void libafl_main(void);
int main(int argc, char **argv) {
libafl_main();
return 0;
}

77
fuzzers/inprocess/fuzzbench/Justfile Normal file
View File

@ -0,0 +1,77 @@
FUZZER_NAME := 'fuzzbench'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
alias build := fuzzer
alias cc := cxx
[linux]
[macos]
cxx:
cargo build --profile={{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
fuzz_o: cxx
{{CARGO_TARGET_DIR}}/{{PROFILE_DIR}}/libafl_cc --libafl-no-link -O3 -c fuzz.c -o fuzz.o
[windows]
fuzz_o:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: cxx fuzz_o
{{CARGO_TARGET_DIR}}/{{PROFILE_DIR}}/libafl_cxx --libafl fuzz.o -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: cxx fuzz_o
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
./{{FUZZER_NAME}} -o out -i in
[windows]
run:
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
# Allow sigterm as exit code
timeout 31s ./{{FUZZER_NAME}} -o out -i in | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
rm -rf out || true
rm -rf in || true
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
cargo clean

112
fuzzers/inprocess/fuzzbench/Makefile.toml
View File

@ -1,112 +0,0 @@
[env]
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
FUZZER_NAME = "fuzzer"
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# fuzz.o File
[tasks.fuzz_o]
linux_alias = "fuzz_o_unix"
mac_alias = "fuzz_o_unix"
windows_alias = "unsupported"
[tasks.fuzz_o_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc"
args = ["--libafl-no-link", "-O3", "-c", "fuzz.c", "-o", "fuzz.o"]
dependencies = ["cc", "cxx"]
# Fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = ["--libafl", "fuzz.o", "-o", "${FUZZER_NAME}", "-lm", "-lz"]
dependencies = ["cc", "cxx", "fuzz_o"]
# Run
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
./${FUZZER_NAME} -o out -i in
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
# Allow sigterm as exit code
timeout 31s ./${FUZZER_NAME} -o out -i in | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
rm -rf out || true
rm -rf in || true
'''
dependencies = ["fuzzer"]
# Clean
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
script_runner = "@shell"
script = '''
rm ./${FUZZER_NAME} || true
rm fuzz.o || true
'''

77
fuzzers/inprocess/fuzzbench_ctx/Justfile Normal file
View File

@ -0,0 +1,77 @@
FUZZER_NAME := 'fuzzbench_ctx'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
alias build := fuzzer
alias cc := cxx
[linux]
[macos]
cxx:
cargo build --profile={{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
fuzz_o: cxx
{{CARGO_TARGET_DIR}}/{{PROFILE_DIR}}/libafl_cc --libafl-no-link -O3 -c fuzz.c -o fuzz.o
[windows]
fuzz_o:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: cxx fuzz_o
{{CARGO_TARGET_DIR}}/{{PROFILE_DIR}}/libafl_cxx --libafl fuzz.o -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: cxx fuzz_o
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
./{{FUZZER_NAME}} -o out -i in
[windows]
run:
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
# Allow sigterm as exit code
timeout 31s ./{{FUZZER_NAME}} -o out -i in | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
rm -rf out || true
rm -rf in || true
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
cargo clean

112
fuzzers/inprocess/fuzzbench_ctx/Makefile.toml
View File

@ -1,112 +0,0 @@
[env]
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
FUZZER_NAME = "fuzzer"
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# fuzz.o File
[tasks.fuzz_o]
linux_alias = "fuzz_o_unix"
mac_alias = "fuzz_o_unix"
windows_alias = "unsupported"
[tasks.fuzz_o_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc"
args = ["--libafl-no-link", "-O3", "-c", "fuzz.c", "-o", "fuzz.o"]
dependencies = ["cc", "cxx"]
# Fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = ["--libafl", "fuzz.o", "-o", "${FUZZER_NAME}", "-lm", "-lz"]
dependencies = ["cc", "cxx", "fuzz_o"]
# Run
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
./${FUZZER_NAME} -o out -i in
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
# Allow sigterm as exit code
timeout 31s ./${FUZZER_NAME} -o out -i in | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
rm -rf out || true
rm -rf in || true
'''
dependencies = ["fuzzer"]
# Clean
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
script_runner = "@shell"
script = '''
rm ./${FUZZER_NAME} || true
rm fuzz.o || true
'''

77
fuzzers/inprocess/fuzzbench_text/Justfile Normal file
View File

@ -0,0 +1,77 @@
FUZZER_NAME := 'fuzzbench'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
alias build := fuzzer
alias cc := cxx
[linux]
[macos]
cxx:
cargo build --profile={{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
fuzz_o: cxx
{{CARGO_TARGET_DIR}}/{{PROFILE_DIR}}/libafl_cc --libafl-no-link -O3 -c fuzz.c -o fuzz.o
[windows]
fuzz_o:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: cxx fuzz_o
{{CARGO_TARGET_DIR}}/{{PROFILE_DIR}}/libafl_cxx --libafl fuzz.o -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: cxx fuzz_o
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
./{{FUZZER_NAME}} -o out -i in
[windows]
run:
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
# Allow sigterm as exit code
timeout 31s ./{{FUZZER_NAME}} -o out -i in | tee fuzz_stdout.log || true
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
rm -rf out || true
rm -rf in || true
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
cargo clean

114
fuzzers/inprocess/fuzzbench_text/Makefile.toml
View File

@ -1,114 +0,0 @@
[env]
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
FUZZER_NAME = "fuzzer"
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# fuzz.o File
[tasks.fuzz_o]
linux_alias = "fuzz_o_unix"
mac_alias = "fuzz_o_unix"
windows_alias = "unsupported"
[tasks.fuzz_o_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc"
args = ["--libafl-no-link", "-O3", "-c", "fuzz.c", "-o", "fuzz.o"]
dependencies = ["cc", "cxx"]
# Fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = ["--libafl", "fuzz.o", "-o", "${FUZZER_NAME}", "-lm", "-lz"]
dependencies = ["cc", "cxx", "fuzz_o"]
# Run
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
# Allow sigterm as exit code
./${FUZZER_NAME} -o out -i in
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
mkdir in || true
echo a > in/a
# Allow sigterm as exit code
timeout 31s ./${FUZZER_NAME} -o out -i in | tee fuzz_stdout.log || true
cat fuzz_stdout.log
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
rm -rf out || true
rm -rf in || true
'''
dependencies = ["fuzzer"]
# Clean
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
script_runner = "@shell"
script = '''
rm ./${FUZZER_NAME} || true
rm fuzz.o || true
'''

92
fuzzers/inprocess/libfuzzer_libmozjpeg/Justfile Normal file
View File

@ -0,0 +1,92 @@
FUZZER_NAME := 'fuzzer_mozjpeg'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx"
alias cc := cxx
[linux]
[macos]
mozjpg:
#!/bin/bash
if [ ! -f v4.0.3.tar.gz ]; then
wget https://github.com/mozilla/mozjpeg/archive/v4.0.3.tar.gz
fi
tar -xzvf v4.0.3.tar.gz
[windows]
mozjpg:
echo "Unsupported on this platform"
[linux]
[macos]
cxx:
cargo build --profile {{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
lib: mozjpg cxx
#!/bin/bash
cd mozjpeg-4.0.3 && cmake . -DENABLE_SHARED=false -DPNG_SUPPORTED=false -DCMAKE_C_COMPILER="{{LIBAFL_CC}}" -DCMAKE_CXX_COMPILER="{{LIBAFL_CXX}}" -G "Unix Makefiles"
cd {{PROJECT_DIR}}
make -C mozjpeg-4.0.3
[windows]
lib:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: lib cxx
pwd
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/mozjpeg-4.0.3/libjpeg.a {{PROJECT_DIR}}/mozjpeg-4.0.3/libturbojpeg.a -I {{PROJECT_DIR}}/mozjpeg-4.0.3/ -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: fuzzer
#!/bin/bash
./{{FUZZER_NAME}} &
sleep 0.2
./{{FUZZER_NAME}}
[windows]
run: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./{{FUZZER_NAME}} | tee fuzz_stdout.log 2>/dev/null || true) &
sleep 0.2
timeout 30s ./{{FUZZER_NAME}} >/dev/null 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
rm -rf {{FUZZER_NAME}}
make -C mozjpeg-4.0.3 clean || true
cargo clean

147
fuzzers/inprocess/libfuzzer_libmozjpeg/Makefile.toml
View File

@ -1,147 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'fuzzer_mozjpeg'
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
LIBAFL_CC = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc'
LIBAFL_CXX = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
PROJECT_DIR = { script = ["pwd"] }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this platform"
'''
# libpng
[tasks.mozjpeg]
linux_alias = "mozjpeg_unix"
mac_alias = "mozjpeg_unix"
windows_alias = "unsupported"
[tasks.mozjpeg_unix]
condition = { files_not_exist = ["./mozjpeg-4.0.3"] }
script_runner = "@shell"
script = '''
wget https://github.com/mozilla/mozjpeg/archive/v4.0.3.tar.gz
tar -xzvf v4.0.3.tar.gz
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# Library
[tasks.lib]
linux_alias = "lib_unix"
mac_alias = "lib_unix"
windows_alias = "unsupported"
[tasks.lib_unix]
script = '''
cd mozjpeg-4.0.3 && cmake . -DENABLE_SHARED=false -DPNG_SUPPORTED=false -DCMAKE_C_COMPILER="${LIBAFL_CC}" -DCMAKE_CXX_COMPILER="${LIBAFL_CXX}" -G "Unix Makefiles"
cd "${PROJECT_DIR}"
make -C mozjpeg-4.0.3
'''
dependencies = ["mozjpeg", "cxx", "cc"]
# Harness
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/harness.cc",
"${PROJECT_DIR}/mozjpeg-4.0.3/libjpeg.a",
"${PROJECT_DIR}/mozjpeg-4.0.3/libturbojpeg.a",
"-I",
"${PROJECT_DIR}/mozjpeg-4.0.3/",
"-o",
"${FUZZER_NAME}",
"-lm",
"-lz",
]
dependencies = ["lib", "cxx", "cc"]
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} &
sleep 0.2
./${FUZZER_NAME}
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_linux"
mac_alias = "test_mac"
windows_alias = "unsupported"
[tasks.test_linux]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./${FUZZER_NAME} | tee fuzz_stdout.log 2>/dev/null || true) &
sleep 0.2
timeout 30s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
[tasks.test_mac]
script = '''
echo "Skipping build on MacOS as libpng in Github is ancient, see LibAFL GH issue #254"
'''
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
make -C mozjpeg-4.0.3 clean
cargo clean
'''

136
fuzzers/inprocess/libfuzzer_libpng/Justfile Normal file
View File

@ -0,0 +1,136 @@
FUZZER_NAME := 'fuzzer_libpng'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx"
alias cc := cxx
[linux]
[macos]
libpng:
#!/bin/bash
if [ ! -f v1.6.37.tar.gz ]; then
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
fi
tar -xvf v1.6.37.tar.gz
[windows]
libpng:
echo "Unsupported on this platform"
[linux]
[macos]
cxx:
cargo build --profile {{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
crash_cxx:
cargo build --profile {{PROFILE}} --features=crash
[windows]
crash_cxx:
echo "Unsupported on this platform"
[linux]
[macos]
lib: libpng cxx
#!/bin/bash
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd {{PROJECT_DIR}}
make -C libpng-1.6.37 CC="{{LIBAFL_CC}}" CXX="{{LIBAFL_CXX}}"
[windows]
lib:
echo "Unsupported on this platform"
[linux]
[macos]
crash_lib: libpng crash_cxx
#!/bin/bash
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd {{PROJECT_DIR}}
make -C libpng-1.6.37 CC="{{LIBAFL_CC}}" CXX="{{LIBAFL_CXX}}"
[windows]
crash_lib:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: lib cxx
pwd
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/libpng-1.6.37/.libs/libpng16.a -I {{PROJECT_DIR}}/libpng-1.6.37/ -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
crash_fuzzer: crash_lib crash_cxx
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/libpng-1.6.37/.libs/libpng16.a -I {{PROJECT_DIR}}/libpng-1.6.37/ -o {{FUZZER_NAME}} -lm -lz
[windows]
crash_fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: fuzzer
#!/bin/bash
./{{FUZZER_NAME}} &
sleep 0.2
./{{FUZZER_NAME}} 2>/dev/null
[windows]
run: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
crash: crash_fuzzer
#!/bin/bash
./{{FUZZER_NAME}} &
sleep 0.2
./{{FUZZER_NAME}} 2>/dev/null
[windows]
crash: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./{{FUZZER_NAME}} 2>/dev/null | tee fuzz_stdout.log || true) &
sleep 0.2
timeout 30s ./{{FUZZER_NAME}} >/dev/null 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
rm -rf {{FUZZER_NAME}}
make -C libpng-1.6.37 clean || true
cargo clean

221
fuzzers/inprocess/libfuzzer_libpng/Makefile.toml
View File

@ -1,221 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'fuzzer_libpng'
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
LIBAFL_CC = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc'
LIBAFL_CXX = '${CARGO_TARGET_DIR}/${PROFILE}/libafl_cxx'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# libpng
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "libpng_unix"
windows_alias = "unsupported"
[tasks.libpng_unix]
condition = { files_not_exist = ["./libpng-1.6.37"] }
script_runner = "@shell"
script = '''
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar -xvf v1.6.37.tar.gz
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.crash_cxx]
linux_alias = "crash_cxx_unix"
mac_alias = "crash_cxx_unix"
windows_alias = "unsupported"
[tasks.crash_cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}", "--features=crash"]
[tasks.crash_cc]
linux_alias = "crash_cc_unix"
mac_alias = "crash_cc_unix"
windows_alias = "unsupported"
[tasks.crash_cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}", "--features=crash"]
# Library
[tasks.lib]
linux_alias = "lib_unix"
mac_alias = "lib_unix"
windows_alias = "unsupported"
[tasks.lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
make -C libpng-1.6.37 CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
'''
dependencies = ["libpng", "cxx", "cc"]
# Library
[tasks.crash_lib]
linux_alias = "crash_lib_unix"
mac_alias = "crash_lib_unix"
windows_alias = "unsupported"
[tasks.crash_lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
make -C libpng-1.6.37 CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
'''
dependencies = ["libpng", "crash_cxx", "crash_cc"]
# Harness
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/harness.cc",
"${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a",
"-I",
"${PROJECT_DIR}/libpng-1.6.37/",
"-o",
"${FUZZER_NAME}",
"-lm",
"-lz",
]
dependencies = ["lib", "cxx", "cc"]
# Crashing Harness
[tasks.fuzzer_crash]
linux_alias = "fuzzer_crash_unix"
mac_alias = "fuzzer_crash_unix"
windows_alias = "unsupported"
[tasks.fuzzer_crash_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/harness.cc",
"${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a",
"-I",
"${PROJECT_DIR}/libpng-1.6.37/",
"-o",
"${FUZZER_NAME}_crash",
"-lm",
"-lz",
]
dependencies = ["crash_lib", "crash_cxx", "crash_cc"]
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} &
sleep 0.2
./${FUZZER_NAME} 2>/dev/null
'''
dependencies = ["fuzzer"]
# Run the fuzzer with a crash
[tasks.crash]
linux_alias = "crash_unix"
mac_alias = "crash_unix"
windows_alias = "unsupported"
[tasks.crash_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME}_crash &
sleep 0.2
./${FUZZER_NAME}_crash 2>/dev/null
'''
dependencies = ["fuzzer_crash"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_mac"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./${FUZZER_NAME} | tee fuzz_stdout.log 2>/dev/null || true) &
sleep 0.2
timeout 30s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
[tasks.test_mac]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./${FUZZER_NAME} | tee fuzz_stdout.log 2>/dev/null || true) &
sleep 0.2
timeout 30s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
make -C libpng-1.6.37 clean
cargo clean
'''

87
fuzzers/inprocess/libfuzzer_libpng_accounting/Justfile Normal file
View File

@ -0,0 +1,87 @@
FUZZER_NAME := 'fuzzer_libpng_accounting'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx"
alias cc := cxx
[linux]
[macos]
libpng:
#!/bin/bash
if [ ! -f v1.6.37.tar.gz ]; then
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
fi
tar -xvf v1.6.37.tar.gz
[windows]
libpng:
echo "Unsupported on this platform"
[linux]
[macos]
cxx:
cargo build --profile {{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
lib: libpng cxx
#!/bin/bash
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd {{PROJECT_DIR}}
make -C libpng-1.6.37 CC="{{LIBAFL_CC}}" CXX="{{LIBAFL_CXX}}"
[windows]
lib:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: lib cxx
pwd
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/libpng-1.6.37/.libs/libpng16.a -I {{PROJECT_DIR}}/libpng-1.6.37/ -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: fuzzer
./{{FUZZER_NAME}} --cores 0 --input ./corpus
[windows]
run: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
timeout 31s ./{{FUZZER_NAME}} --cores 0 --input ./corpus 2>/dev/null | tee fuzz_stdout.log || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
rm -rf {{FUZZER_NAME}}
make -C libpng-1.6.37 clean || true
cargo clean

146
fuzzers/inprocess/libfuzzer_libpng_accounting/Makefile.toml
View File

@ -1,146 +0,0 @@
# Variables
[env]
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
FUZZER_NAME = 'fuzzer_libpng_accounting'
LIBAFL_CC = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc'
LIBAFL_CXX = '${CARGO_TARGET_DIR}/${PROFILE}/libafl_cxx'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
PROJECT_DIR = { script = ["pwd"] }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this platform"
'''
# libpng
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "libpng_unix"
windows_alias = "unsupported"
[tasks.libpng_unix]
condition = { files_not_exist = ["./libpng-1.6.37"] }
script_runner = "@shell"
script = '''
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar -xvf v1.6.37.tar.gz
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# Library
[tasks.lib]
linux_alias = "lib_unix"
mac_alias = "lib_unix"
windows_alias = "unsupported"
[tasks.lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
make -C libpng-1.6.37 CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
'''
dependencies = ["libpng", "cxx", "cc"]
# Harness
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/harness.cc",
"${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a",
"-I",
"${PROJECT_DIR}/libpng-1.6.37/",
"-o",
"${FUZZER_NAME}",
"-lm",
"-lz",
]
dependencies = ["lib", "cxx", "cc"]
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} --cores 0 --input ./corpus
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_mac"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 31s ./${FUZZER_NAME} --cores 0 --input ./corpus | tee fuzz_stdout.log 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
[tasks.test_mac]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 31s ./${FUZZER_NAME} --cores 0 --input ./corpus | tee fuzz_stdout.log 2>/dev/null || true
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
make -C libpng-1.6.37 clean
cargo clean
'''

87
fuzzers/inprocess/libfuzzer_libpng_centralized/Justfile Normal file
View File

@ -0,0 +1,87 @@
FUZZER_NAME := 'fuzzer_libpng_centralized'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx"
alias cc := cxx
[linux]
[macos]
libpng:
#!/bin/bash
if [ ! -f v1.6.37.tar.gz ]; then
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
fi
tar -xvf v1.6.37.tar.gz
[windows]
libpng:
echo "Unsupported on this platform"
[linux]
[macos]
cxx:
cargo build --profile {{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
lib: libpng cxx
#!/bin/bash
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd {{PROJECT_DIR}}
make -C libpng-1.6.37 CC="{{LIBAFL_CC}}" CXX="{{LIBAFL_CXX}}"
[windows]
lib:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: lib cxx
pwd
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/libpng-1.6.37/.libs/libpng16.a -I {{PROJECT_DIR}}/libpng-1.6.37/ -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: fuzzer
./{{FUZZER_NAME}} --cores 0-1 --input ./corpus
[windows]
run: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
timeout 31s ./{{FUZZER_NAME}} --cores 0-1 --input ./corpus 2>/dev/null | tee fuzz_stdout.log || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
rm -rf {{FUZZER_NAME}}
make -C libpng-1.6.37 clean || true
cargo clean

146
fuzzers/inprocess/libfuzzer_libpng_centralized/Makefile.toml
View File

@ -1,146 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'fuzzer_libpng_launcher'
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
LIBAFL_CC = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc'
LIBAFL_CXX = '${CARGO_TARGET_DIR}/${PROFILE}/libafl_cxx'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
PROJECT_DIR = { script = ["pwd"] }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this platform"
'''
# libpng
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "libpng_unix"
windows_alias = "unsupported"
[tasks.libpng_unix]
condition = { files_not_exist = ["./libpng-1.6.37"] }
script_runner = "@shell"
script = '''
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar -xvf v1.6.37.tar.gz
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# Library
[tasks.lib]
linux_alias = "lib_unix"
mac_alias = "lib_unix"
windows_alias = "unsupported"
[tasks.lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
make -C libpng-1.6.37 CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
'''
dependencies = ["libpng", "cxx", "cc"]
# Harness
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/harness.cc",
"${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a",
"-I",
"${PROJECT_DIR}/libpng-1.6.37/",
"-o",
"${FUZZER_NAME}",
"-lm",
"-lz",
]
dependencies = ["lib", "cxx", "cc"]
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} --cores 0-1 --input ./corpus
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_mac"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 31s ./${FUZZER_NAME} --cores 0-1 --input ./corpus 2>/dev/null | tee fuzz_stdout.log || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
[tasks.test_mac]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 31s ./${FUZZER_NAME} --cores 0 --input ./corpus 2>/dev/null | tee fuzz_stdout.log || true
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
make -C libpng-1.6.37 clean
cargo clean
'''

136
fuzzers/inprocess/libfuzzer_libpng_cmin/Justfile Normal file
View File

@ -0,0 +1,136 @@
FUZZER_NAME := 'fuzzer_libpng_cmin'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx"
alias cc := cxx
[linux]
[macos]
libpng:
#!/bin/bash
if [ ! -f v1.6.37.tar.gz ]; then
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
fi
tar -xvf v1.6.37.tar.gz
[windows]
libpng:
echo "Unsupported on this platform"
[linux]
[macos]
cxx:
cargo build --profile {{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
crash_cxx:
cargo build --profile {{PROFILE}} --features=crash
[windows]
crash_cxx:
echo "Unsupported on this platform"
[linux]
[macos]
lib: libpng cxx
#!/bin/bash
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd {{PROJECT_DIR}}
make -C libpng-1.6.37 CC="{{LIBAFL_CC}}" CXX="{{LIBAFL_CXX}}"
[windows]
lib:
echo "Unsupported on this platform"
[linux]
[macos]
crash_lib: libpng crash_cxx
#!/bin/bash
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd {{PROJECT_DIR}}
make -C libpng-1.6.37 CC="{{LIBAFL_CC}}" CXX="{{LIBAFL_CXX}}"
[windows]
crash_lib:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: lib cxx
pwd
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/libpng-1.6.37/.libs/libpng16.a -I {{PROJECT_DIR}}/libpng-1.6.37/ -o {{FUZZER_NAME}} -lm -lz -lz3
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
crash_fuzzer: crash_lib crash_cxx
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/libpng-1.6.37/.libs/libpng16.a -I {{PROJECT_DIR}}/libpng-1.6.37/ -o {{FUZZER_NAME}} -lm -lz -lz3
[windows]
crash_fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: fuzzer
#!/bin/bash
./{{FUZZER_NAME}} &
sleep 0.2
./{{FUZZER_NAME}} 2>/dev/null
[windows]
run: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
crash: crash_fuzzer
#!/bin/bash
./{{FUZZER_NAME}} &
sleep 0.2
./{{FUZZER_NAME}} 2>/dev/null
[windows]
crash: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./{{FUZZER_NAME}} 2>/dev/null | tee fuzz_stdout.log|| true) &
sleep 0.2
timeout 30s ./{{FUZZER_NAME}} >/dev/null 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
rm -rf {{FUZZER_NAME}}
make -C libpng-1.6.37 clean || true
cargo clean

223
fuzzers/inprocess/libfuzzer_libpng_cmin/Makefile.toml
View File

@ -1,223 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'fuzzer_libpng'
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
LIBAFL_CC = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc'
LIBAFL_CXX = '${CARGO_TARGET_DIR}/${PROFILE}/libafl_cxx'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# libpng
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "libpng_unix"
windows_alias = "unsupported"
[tasks.libpng_unix]
condition = { files_not_exist = ["./libpng-1.6.37"] }
script_runner = "@shell"
script = '''
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar -xvf v1.6.37.tar.gz
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.crash_cxx]
linux_alias = "crash_cxx_unix"
mac_alias = "crash_cxx_unix"
windows_alias = "unsupported"
[tasks.crash_cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}", "--features=crash"]
[tasks.crash_cc]
linux_alias = "crash_cc_unix"
mac_alias = "crash_cc_unix"
windows_alias = "unsupported"
[tasks.crash_cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}", "--features=crash"]
# Library
[tasks.lib]
linux_alias = "lib_unix"
mac_alias = "lib_unix"
windows_alias = "unsupported"
[tasks.lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
make -C libpng-1.6.37 CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
'''
dependencies = ["libpng", "cxx", "cc"]
# Library
[tasks.crash_lib]
linux_alias = "crash_lib_unix"
mac_alias = "crash_lib_unix"
windows_alias = "unsupported"
[tasks.crash_lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
make -C libpng-1.6.37 CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
'''
dependencies = ["libpng", "crash_cxx", "crash_cc"]
# Harness
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/harness.cc",
"${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a",
"-I",
"${PROJECT_DIR}/libpng-1.6.37/",
"-o",
"${FUZZER_NAME}",
"-lm",
"-lz",
"-lz3",
]
dependencies = ["lib", "cxx", "cc"]
# Crashing Harness
[tasks.fuzzer_crash]
linux_alias = "fuzzer_crash_unix"
mac_alias = "fuzzer_crash_unix"
windows_alias = "unsupported"
[tasks.fuzzer_crash_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/harness.cc",
"${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a",
"-I",
"${PROJECT_DIR}/libpng-1.6.37/",
"-o",
"${FUZZER_NAME}_crash",
"-lm",
"-lz",
"-lz3",
]
dependencies = ["crash_lib", "crash_cxx", "crash_cc"]
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} &
sleep 0.2
./${FUZZER_NAME} 2>/dev/null
'''
dependencies = ["fuzzer"]
# Run the fuzzer with a crash
[tasks.crash]
linux_alias = "crash_unix"
mac_alias = "crash_unix"
windows_alias = "unsupported"
[tasks.crash_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME}_crash &
sleep 0.2
./${FUZZER_NAME}_crash 2>/dev/null
'''
dependencies = ["fuzzer_crash"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_mac"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 31s ./${FUZZER_NAME} | tee fuzz_stdout.log &
sleep 0.2
timeout 30s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
[tasks.test_mac]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 31s ./${FUZZER_NAME} | tee fuzz_stdout.log &
sleep 0.2
timeout 30s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
make -C libpng-1.6.37 clean
cargo clean
'''

88
fuzzers/inprocess/libfuzzer_libpng_launcher/Justfile Normal file
View File

@ -0,0 +1,88 @@
FUZZER_NAME := 'fuzzer_libpng_launcher'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx"
LIBTOOL := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_libtool"
alias cc := cxx
[linux]
[macos]
libpng:
#!/bin/bash
if [ ! -f v1.6.37.tar.gz ]; then
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
fi
tar -xvf v1.6.37.tar.gz
[windows]
libpng:
echo "Unsupported on this platform"
[linux]
[macos]
cxx:
cargo build --profile {{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
lib: libpng cxx
#!/bin/bash
cd libpng-1.6.37 && CC={{LIBAFL_CC}} CXX={{LIBAFL_CXX}} ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd {{PROJECT_DIR}}
make -C libpng-1.6.37 CC="{{LIBAFL_CC}}" CXX="{{LIBAFL_CXX}}" LIBTOOL="{{LIBTOOL}}"
[windows]
lib:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: lib cxx
pwd
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/libpng-1.6.37/.libs/libpng16.a -I {{PROJECT_DIR}}/libpng-1.6.37/ -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: fuzzer
./{{FUZZER_NAME}}.coverage --broker-port 21337 --cores 0 --input ./corpus
[windows]
run: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
timeout 31s ./{{FUZZER_NAME}}.coverage --broker-port 21337 --cores 0 --input ./corpus 2>/dev/null | tee fuzz_stdout.log || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
rm -rf {{FUZZER_NAME}}
make -C libpng-1.6.37 clean || true
cargo clean

147
fuzzers/inprocess/libfuzzer_libpng_launcher/Makefile.toml
View File

@ -1,147 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'fuzzer_libpng_launcher'
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
LIBAFL_CC = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc'
LIBAFL_CXX = '${CARGO_TARGET_DIR}/${PROFILE}/libafl_cxx'
LIBAFL_LIBTOOL = '${CARGO_TARGET_DIR}/${PROFILE}/libafl_libtool'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
PROJECT_DIR = { script = ["pwd"] }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this platform"
'''
# libpng
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "libpng_unix"
windows_alias = "unsupported"
[tasks.libpng_unix]
condition = { files_not_exist = ["./libpng-1.6.37"] }
script_runner = "@shell"
script = '''
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar -xvf v1.6.37.tar.gz
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# Library
[tasks.lib]
linux_alias = "lib_unix"
mac_alias = "lib_unix"
windows_alias = "unsupported"
[tasks.lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx" ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
make -C libpng-1.6.37 CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx" LIBTOOL=${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_libtool
'''
dependencies = ["libpng", "cxx", "cc"]
# Harness
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/harness.cc",
"${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a",
"-I",
"${PROJECT_DIR}/libpng-1.6.37/",
"-o",
"${FUZZER_NAME}",
"-lm",
"-lz",
]
dependencies = ["lib", "cxx", "cc"]
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME}.coverage --broker-port 21337 --cores 0 --input ./corpus
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_mac"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 31s ./${FUZZER_NAME}.coverage --broker-port 21337 --cores 0 --input ./corpus | tee fuzz_stdout.log || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
[tasks.test_mac]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 31s ./${FUZZER_NAME} --cores 0 --input ./corpus 2>/dev/null | tee fuzz_stdout.log || true
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
make -C libpng-1.6.37 clean
cargo clean
'''

130
fuzzers/inprocess/libfuzzer_libpng_norestart/Justfile Normal file
View File

@ -0,0 +1,130 @@
FUZZER_NAME := 'fuzzer_libpng_norestart'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx"
alias cc := cxx
[linux]
[macos]
libpng:
#!/bin/bash
if [ ! -f v1.6.37.tar.gz ]; then
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
fi
tar -xvf v1.6.37.tar.gz
[windows]
libpng:
echo "Unsupported on this platform"
[linux]
[macos]
cxx:
cargo build --profile {{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
crash_cxx:
cargo build --profile {{PROFILE}} --features=crash
[windows]
crash_cxx:
echo "Unsupported on this platform"
[linux]
[macos]
lib: libpng cxx
#!/bin/bash
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd {{PROJECT_DIR}}
make -C libpng-1.6.37 CC="{{LIBAFL_CC}}" CXX="{{LIBAFL_CXX}}"
[windows]
lib:
echo "Unsupported on this platform"
[linux]
[macos]
crash_lib: libpng crash_cxx
#!/bin/bash
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd {{PROJECT_DIR}}
make -C libpng-1.6.37 CC="{{LIBAFL_CC}}" CXX="{{LIBAFL_CXX}}"
[windows]
crash_lib:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: lib cxx
pwd
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/libpng-1.6.37/.libs/libpng16.a -I {{PROJECT_DIR}}/libpng-1.6.37/ -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
crash_fuzzer: crash_lib crash_cxx
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/libpng-1.6.37/.libs/libpng16.a -I {{PROJECT_DIR}}/libpng-1.6.37/ -o {{FUZZER_NAME}} -lm -lz
[windows]
crash_fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: fuzzer
#!/bin/bash
./{{FUZZER_NAME}} --cores 0 --input ./corpus
[windows]
run: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
crash: crash_fuzzer
#!/bin/bash
./{{FUZZER_NAME}} --cores 0 --input ./corpus
[windows]
crash: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
timeout 31s ./{{FUZZER_NAME}} --cores 0 --input ./corpus 2>/dev/null | tee fuzz_stdout.log || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
rm -rf {{FUZZER_NAME}}
make -C libpng-1.6.37 clean || true
cargo clean

135
fuzzers/inprocess/libfuzzer_libpng_norestart/Makefile.toml
View File

@ -1,135 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'fuzzer_libpng_launcher'
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
LIBAFL_CC = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc'
LIBAFL_CXX = '${CARGO_TARGET_DIR}/${PROFILE}/libafl_cxx'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
PROJECT_DIR = { script = ["pwd"] }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this platform"
'''
# libpng
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "libpng_unix"
windows_alias = "unsupported"
[tasks.libpng_unix]
condition = { files_not_exist = ["./libpng-1.6.37"] }
script_runner = "@shell"
script = '''
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar -xvf v1.6.37.tar.gz
'''
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# Library
[tasks.lib]
linux_alias = "lib_unix"
mac_alias = "lib_unix"
windows_alias = "unsupported"
[tasks.lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
make -C libpng-1.6.37 CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
'''
dependencies = ["libpng", "cc"]
# Harness
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/harness.cc",
"${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a",
"-I",
"${PROJECT_DIR}/libpng-1.6.37/",
"-o",
"${FUZZER_NAME}",
"-lm",
"-lz",
]
dependencies = ["lib", "cc"]
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
rm -rf corpus/ || true
mkdir corpus/ || true
cp seeds/* corpus/ || true
./${FUZZER_NAME} --cores 0 --input ./corpus
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
rm -rf corpus/ || true
mkdir corpus/ || true
cp seeds/* corpus/ || true
timeout 31s ./${FUZZER_NAME} --cores 0 --input ./corpus 2>/dev/null | tee fuzz_stdout.log || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -rf corpus/ || true
rm -f ./${FUZZER_NAME}
make -C libpng-1.6.37 clean
cargo clean
'''

0
fuzzers/inprocess/libfuzzer_libpng_norestart/seeds/not_kitty.png → fuzzers/inprocess/libfuzzer_libpng_norestart/corpus/not_kitty.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 218 B

After

Width:  |  Height:  |  Size: 218 B

0
fuzzers/inprocess/libfuzzer_libpng_norestart/seeds/not_kitty_alpha.png → fuzzers/inprocess/libfuzzer_libpng_norestart/corpus/not_kitty_alpha.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 376 B

After

Width:  |  Height:  |  Size: 376 B

0
fuzzers/inprocess/libfuzzer_libpng_norestart/seeds/not_kitty_gamma.png → fuzzers/inprocess/libfuzzer_libpng_norestart/corpus/not_kitty_gamma.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 228 B

After

Width:  |  Height:  |  Size: 228 B

0
fuzzers/inprocess/libfuzzer_libpng_norestart/seeds/not_kitty_icc.png → fuzzers/inprocess/libfuzzer_libpng_norestart/corpus/not_kitty_icc.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 427 B

After

Width:  |  Height:  |  Size: 427 B

87
fuzzers/inprocess/libfuzzer_libpng_tcp_manager/Justfile Normal file
View File

@ -0,0 +1,87 @@
FUZZER_NAME := 'fuzzer_libpng_tcp_manager'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx"
alias cc := cxx
[linux]
[macos]
libpng:
#!/bin/bash
if [ ! -f v1.6.37.tar.gz ]; then
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
fi
tar -xvf v1.6.37.tar.gz
[windows]
libpng:
echo "Unsupported on this platform"
[linux]
[macos]
cxx:
cargo build --profile {{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
lib: libpng cxx
#!/bin/bash
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd {{PROJECT_DIR}}
make -C libpng-1.6.37 CC="{{LIBAFL_CC}}" CXX="{{LIBAFL_CXX}}"
[windows]
lib:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: lib cxx
pwd
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/libpng-1.6.37/.libs/libpng16.a -I {{PROJECT_DIR}}/libpng-1.6.37/ -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: fuzzer
./{{FUZZER_NAME}} --cores 0-1 --input ./corpus
[windows]
run: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
timeout 31s ./{{FUZZER_NAME}} --cores 0-1 --input ./corpus 2>/dev/null | tee fuzz_stdout.log || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
rm -rf {{FUZZER_NAME}}
make -C libpng-1.6.37 clean || true
cargo clean

221
fuzzers/inprocess/libfuzzer_libpng_tcp_manager/Makefile.toml
View File

@ -1,221 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'fuzzer_libpng'
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
LIBAFL_CC = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc'
LIBAFL_CXX = '${CARGO_TARGET_DIR}/${PROFILE}/libafl_cxx'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# libpng
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "libpng_unix"
windows_alias = "unsupported"
[tasks.libpng_unix]
condition = { files_not_exist = ["./libpng-1.6.37"] }
script_runner = "@shell"
script = '''
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar -xvf v1.6.37.tar.gz
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.crash_cxx]
linux_alias = "crash_cxx_unix"
mac_alias = "crash_cxx_unix"
windows_alias = "unsupported"
[tasks.crash_cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}", "--features=crash"]
[tasks.crash_cc]
linux_alias = "crash_cc_unix"
mac_alias = "crash_cc_unix"
windows_alias = "unsupported"
[tasks.crash_cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}", "--features=crash"]
# Library
[tasks.lib]
linux_alias = "lib_unix"
mac_alias = "lib_unix"
windows_alias = "unsupported"
[tasks.lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
make -C libpng-1.6.37 CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
'''
dependencies = ["libpng", "cxx", "cc"]
# Library
[tasks.crash_lib]
linux_alias = "crash_lib_unix"
mac_alias = "crash_lib_unix"
windows_alias = "unsupported"
[tasks.crash_lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
make -C libpng-1.6.37 CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
'''
dependencies = ["libpng", "crash_cxx", "crash_cc"]
# Harness
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/harness.cc",
"${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a",
"-I",
"${PROJECT_DIR}/libpng-1.6.37/",
"-o",
"${FUZZER_NAME}",
"-lm",
"-lz",
]
dependencies = ["lib", "cxx", "cc"]
# Crashing Harness
[tasks.fuzzer_crash]
linux_alias = "fuzzer_crash_unix"
mac_alias = "fuzzer_crash_unix"
windows_alias = "unsupported"
[tasks.fuzzer_crash_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/harness.cc",
"${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a",
"-I",
"${PROJECT_DIR}/libpng-1.6.37/",
"-o",
"${FUZZER_NAME}_crash",
"-lm",
"-lz",
]
dependencies = ["crash_lib", "crash_cxx", "crash_cc"]
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} &
sleep 0.2
./${FUZZER_NAME} 2>/dev/null
'''
dependencies = ["fuzzer"]
# Run the fuzzer with a crash
[tasks.crash]
linux_alias = "crash_unix"
mac_alias = "crash_unix"
windows_alias = "unsupported"
[tasks.crash_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME}_crash &
sleep 0.2
./${FUZZER_NAME}_crash 2>/dev/null
'''
dependencies = ["fuzzer_crash"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_mac"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./${FUZZER_NAME} | tee fuzz_stdout.log 2>/dev/null || true) &
sleep 0.2
timeout 30s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
[tasks.test_mac]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./${FUZZER_NAME} | tee fuzz_stdout.log 2>/dev/null || true) &
sleep 0.2
timeout 30s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
make -C libpng-1.6.37 clean
cargo clean
'''

52
fuzzers/inprocess/libfuzzer_stb_image/Justfile Normal file
View File

@ -0,0 +1,52 @@
FUZZER_NAME := 'libfuzzer_stb_image'
PROJECT_DIR := absolute_path(".")
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
EXTENSION := if os() == "windows" {".exe"} else { "" }
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc" + EXTENSION
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx" + EXTENSION
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME + EXTENSION
alias cc := cxx
cxx:
cargo build --profile {{PROFILE}}
fuzzer: cxx
#!/bin/bash
cargo build --profile {{PROFILE}}
cp {{FUZZER}} .
[linux]
[macos]
run: fuzzer
#!/bin/bash
./{{FUZZER}} &
sleep 0.2
[windows]
run: fuzzer
echo "Not integrated into cargo-make yet."
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./{{FUZZER_NAME}} | tee fuzz_stdout.log 2>/dev/null || true) &
sleep 0.2
timeout 30s ./{{FUZZER_NAME}} >/dev/null 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
clean:
#!/bin/bash
rm -f {{FUZZER_NAME}}
cargo clean

106
fuzzers/inprocess/libfuzzer_stb_image/Makefile.toml
View File

@ -1,106 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'libfuzzer_stb_image'
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release" }
PROFILE_DIR = { value = "release" }
LIBAFL_CC = { source = "${CARGO_MAKE_RUST_TARGET_OS}", default_value = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc', mapping = { "windows" = '.\\target\\${PROFILE_DIR}\\libafl_cc.exe' } }
LIBAFL_CXX = { source = "${CARGO_MAKE_RUST_TARGET_OS}", default_value = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx', mapping = { "windows" = '.\\target\\${PROFILE_DIR}\\libafl_cxx.exe' } }
FUZZER = { source = "${CARGO_MAKE_RUST_TARGET_OS}", default_value = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libfuzzer_stb_image', mapping = { "windows" = '.\\target\\${PROFILE_DIR}\\libfuzzer_stb_image.exe' } }
# Compilers
[tasks.cxx]
condition = { files_not_exist = ["${LIBAFL_CXX}"] }
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
condition = { files_not_exist = ["${LIBAFL_CC}"] }
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# Build the fuzzer
[tasks.fuzzer]
script_runner = "@shell"
script = '''
cargo build --profile ${PROFILE}
cp ${FUZZER} .
'''
dependencies = ["cc", "cxx"]
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "run_windows"
[tasks.run_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} &
sleep 0.2
./${FUZZER_NAME}
'''
dependencies = ["fuzzer"]
[tasks.run_windows]
# Do nothing
script_runner = "@shell"
script = '''
echo "Not integrated into cargo-make yet."
'''
dependencies = ["fuzzer"]
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_mac"
windows_alias = "test_windows"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./${FUZZER_NAME} | tee fuzz_stdout.log 2>/dev/null || true) &
sleep 0.2
timeout 30s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
[tasks.test_mac]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./${FUZZER_NAME} | tee fuzz_stdout.log 2>/dev/null || true) &
sleep 0.2
timeout 30s ./${FUZZER_NAME} >/dev/null 2>/dev/null || true
'''
dependencies = ["fuzzer"]
[tasks.test_windows]
# Do nothing
script_runner = "@shell"
script = '''
echo "Not integrated into cargo-make yet."
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
cargo clean
'''

52
fuzzers/inprocess/libfuzzer_stb_image_sugar/Justfile Normal file
View File

@ -0,0 +1,52 @@
FUZZER_NAME := 'libfuzzer_stb_image_sugar'
PROJECT_DIR := absolute_path(".")
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
EXTENSION := if os() == "windows" {".exe"} else { "" }
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc" + EXTENSION
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx" + EXTENSION
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME + EXTENSION
alias cc := cxx
cxx:
cargo build --profile {{PROFILE}}
fuzzer: cxx
#!/bin/bash
cargo build --profile {{PROFILE}}
cp {{FUZZER}} .
[linux]
[macos]
run: fuzzer
#!/bin/bash
./{{FUZZER}} &
sleep 0.2
[windows]
run: fuzzer
echo "Not integrated into cargo-make yet."
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
(timeout 31s ./{{FUZZER_NAME}} | tee fuzz_stdout.log 2>/dev/null || true) &
sleep 0.2
timeout 30s ./{{FUZZER_NAME}} >/dev/null 2>/dev/null || true
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
clean:
#!/bin/bash
rm -f {{FUZZER_NAME}}
cargo clean

92
fuzzers/inprocess/libfuzzer_stb_image_sugar/Makefile.toml
View File

@ -1,92 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'libfuzzer_stb_image_sugar'
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release" }
PROFILE_DIR = { value = "release" }
LIBAFL_CC = { source = "${CARGO_MAKE_RUST_TARGET_OS}", default_value = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc", mapping = { "windows" = '.\\target\\${PROFILE_DIR}\\libafl_cc.exe' } }
LIBAFL_CXX = { source = "${CARGO_MAKE_RUST_TARGET_OS}", default_value = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx", mapping = { "windows" = '.\\target\\${PROFILE_DIR}\\libafl_cxx.exe' } }
FUZZER = { source = "${CARGO_MAKE_RUST_TARGET_OS}", default_value = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libfuzzer_stb_image_sugar", mapping = { "windows" = '.\\target\\${PROFILE_DIR}\\libfuzzer_stb_image_sugar.exe' } }
# Compilers
[tasks.cxx]
condition = { files_not_exist = ["${LIBAFL_CXX}"] }
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
condition = { files_not_exist = ["${LIBAFL_CC}"] }
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# Build the fuzzer
[tasks.fuzzer]
script_runner = "@shell"
script = '''
cargo build --profile ${PROFILE}
cp ${FUZZER} .
'''
dependencies = ["cc", "cxx"]
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "run_windows"
[tasks.run_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} &
'''
dependencies = ["fuzzer"]
[tasks.run_windows]
# Do nothing
script_runner = "@shell"
script = '''
echo "Not integrated into cargo-make yet."
'''
dependencies = ["fuzzer"]
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "test_windows"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 31s ./${FUZZER_NAME} 2>/dev/null | tee fuzz_stdout.log || true
if [ -z "$(grep "corpus: 30" fuzz_stdout.log)" ]; then
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
else
echo "Fuzzer is working"
fi
'''
dependencies = ["fuzzer"]
[tasks.test_windows]
# Do nothing
script_runner = "@shell"
script = '''
echo "Not integrated into cargo-make yet."
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
cargo clean
'''

57
fuzzers/inprocess/libfuzzer_windows_asan/Justfile Normal file
View File

@ -0,0 +1,57 @@
FUZZER_NAME := 'libfuzzer_windows_asan'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
LIBAFL_CXX := CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx"
set shell := ["cmd.exe", "/c"]
alias cc := cxx
[windows]
cxx:
cargo build --profile {{PROFILE}}
[linux]
[macos]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
cxx:
cargo build --profile {{PROFILE}}
[windows]
fuzzer: cxx
.\target\{{PROFILE}}\libafl_cxx .\harness.cpp -o {{FUZZER_NAME}}.exe
[linux]
[macos]
fuzzer:
echo "Unsupported on this platform"
[windows]
test: fuzzer
start {{FUZZER_NAME}}.exe
start {{FUZZER_NAME}}.exe
ping -n 10 127.0.0.1>NUL && taskkill /im {{FUZZER_NAME}}.exe /F
dir /a-d crashes && (echo Files exist) || (exit /b 1337)
[linux]
[macos]
test:
echo "Unsupported on this platform"
[windows]
clean:
del ./{{FUZZER_NAME}}
cargo clean
[linux]
[macos]
clean:
echo "Unsupported on this platform"

109
fuzzers/inprocess/libfuzzer_windows_asan/Makefile.toml
View File

@ -1,109 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'libfuzzer_windows_asan'
CARGO_TARGET_DIR = { value = "./target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# Compilers
[tasks.cxx]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "cxx_unix"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "cc_unix"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.crash_cxx]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.crash_cc]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "unsupported"
# Library
[tasks.lib]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "lib_unix"
[tasks.lib_unix]
dependencies = ["cxx", "cc"]
# Harness
[tasks.fuzzer]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "fuzzer_windows"
[tasks.fuzzer_windows]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = ["./harness.cpp", "-o", "${FUZZER_NAME}.exe"]
dependencies = ["lib", "cxx", "cc"]
# Run the fuzzer
[tasks.run]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "run_windows" # TODO
[tasks.run_windows]
script_runner = "@shell"
script = '''
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "test_windows" # TODO
[tasks.test_windows]
script_runner = "@shell"
script = '''
start "" "${FUZZER_NAME}.exe"
start "" "${FUZZER_NAME}.exe"
#ping is for timeout
ping -n 10 127.0.0.1>NUL && taskkill /im ${FUZZER_NAME}.exe /F
>nul 2>nul dir /a-d "crashes\*" && (echo Files exist) || (exit /b 1337)
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "clean_windows"
[tasks.clean_windows]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
del ./${FUZZER_NAME}
cargo clean
'''

61
fuzzers/structure_aware/libfuzzer_stb_image_concolic/Makefile.toml
View File

@ -1,61 +0,0 @@
# Variables
[env]
PROJECT_DIR = { script = ["pwd"] }
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release" }
PROFILE_DIR = { value = "release" }
FUZZER_NAME = 'libfuzzer_stb_image_concolic'
# Compilers
[tasks.runtime]
linux_alias = "runtime_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.runtime_unix]
condition = { files_not_exist = ["${CARGO_TARGET_DIR}/libSymRuntime.so"] }
script_runner = "@shell"
script = '''
cd runtime
cargo build --profile ${PROFILE}
'''
# Build the fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
dependencies = ["runtime"]
script_runner = "@shell"
script = '''
cd fuzzer
cargo build --profile ${PROFILE}
'''
[tasks.test]
alias = "fuzzer"
[tasks.unsupported]
# Do nothing
script_runner = "@shell"
script = '''
echo "Not supported on this platform."
'''
# Clean up
[tasks.clean]
# Disable default `clean` definition
clear = true
script = '''
cd fuzzer
cargo clean
cd ..
cd ./runtime
cargo clean
cd ..
cargo clean
'''

97
fuzzers/structure_aware/nautilus_sync/Justfile Normal file
View File

@ -0,0 +1,97 @@
FUZZER_NAME := 'fuzzer_libpng_nautilus'
PROJECT_DIR := absolute_path(".")
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cc"
LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "libafl_cxx"
alias cc := cxx
[linux]
[macos]
libpng:
#!/bin/bash
if [ ! -f v1.6.37.tar.gz ]; then
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
fi
tar -xvf v1.6.37.tar.gz
[windows]
libpng:
echo "Unsupported on this platform"
[linux]
[macos]
cxx:
cargo build --profile {{PROFILE}}
[windows]
cxx:
echo "Unsupported on this platform"
[linux]
[macos]
lib: libpng cxx
#!/bin/bash
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd {{PROJECT_DIR}}
make -C libpng-1.6.37 CC="{{LIBAFL_CC}}" CXX="{{LIBAFL_CXX}}"
[windows]
lib:
echo "Unsupported on this platform"
[linux]
[macos]
fuzzer: lib cxx
pwd
{{LIBAFL_CXX}} {{PROJECT_DIR}}/harness.cc {{PROJECT_DIR}}/libpng-1.6.37/.libs/libpng16.a -I {{PROJECT_DIR}}/libpng-1.6.37/ -o {{FUZZER_NAME}} -lm -lz
[windows]
fuzzer:
echo "Unsupported on this platform"
[linux]
[macos]
run: fuzzer
./{{FUZZER_NAME}} --cores 0
[windows]
run: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
run_unix_sync: fuzzer
./{{FUZZER_NAME}} --cores 0 -b 1337
[windows]
run_unix_sync: fuzzer
echo "Unsupported on this platform"
[linux]
[macos]
test: fuzzer
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
timeout 31s ./{{FUZZER_NAME}} --cores 0 2>/dev/null | tee fuzz_stdout.log || true
if grep -qa "corpus: 8" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
test: fuzzer
echo "Unsupported on this platform"
clean:
rm -rf {{FUZZER_NAME}}
make -C libpng-1.6.37 clean || true
cargo clean

154
fuzzers/structure_aware/nautilus_sync/Makefile.toml
View File

@ -1,154 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'fuzzer_libpng_nautilus'
CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
LIBAFL_CC = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc'
LIBAFL_CXX = '${CARGO_TARGET_DIR}/${PROFILE}/libafl_cxx'
FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
PROJECT_DIR = { script = ["pwd"] }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this platform"
'''
# libpng
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "libpng_unix"
windows_alias = "unsupported"
[tasks.libpng_unix]
condition = { files_not_exist = ["./libpng-1.6.37"] }
script_runner = "@shell"
script = '''
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar -xvf v1.6.37.tar.gz
'''
# Compilers
[tasks.cxx]
linux_alias = "cxx_unix"
mac_alias = "cxx_unix"
windows_alias = "unsupported"
[tasks.cxx_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.cc]
linux_alias = "cc_unix"
mac_alias = "cc_unix"
windows_alias = "unsupported"
[tasks.cc_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# Library
[tasks.lib]
linux_alias = "lib_unix"
mac_alias = "lib_unix"
windows_alias = "unsupported"
[tasks.lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd "${PROJECT_DIR}"
cp ../../structure_aware/baby_fuzzer_nautilus/grammar.json .
make -C libpng-1.6.37 CC="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cc" CXX="${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
'''
dependencies = ["libpng", "cxx", "cc"]
# Harness
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/libafl_cxx"
args = [
"${PROJECT_DIR}/../../inprocess/libfuzzer_libpng/harness.cc",
"${PROJECT_DIR}/libpng-1.6.37/.libs/libpng16.a",
"-I",
"${PROJECT_DIR}/libpng-1.6.37/",
"-o",
"${FUZZER_NAME}",
"-lm",
"-lz",
]
dependencies = ["lib", "cxx", "cc"]
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} --cores 0
'''
dependencies = ["fuzzer"]
[tasks.run_unix_sync]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} --cores 0 -b 1337
'''
dependencies = ["fuzzer"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_mac"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 31s ./${FUZZER_NAME} --cores 0 | tee fuzz_stdout.log 2>/dev/null || true
if grep -qa "corpus: 8" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer"]
[tasks.test_mac]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 31s ./${FUZZER_NAME} --cores 0 | tee fuzz_stdout.log 2>/dev/null || true
'''
dependencies = ["fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
make -C libpng-1.6.37 clean
cargo clean
'''

1184
fuzzers/structure_aware/nautilus_sync/grammar.json Normal file
View File

File diff suppressed because it is too large Load Diff

191
fuzzers/structure_aware/nautilus_sync/harness.cc Normal file
View File

@ -0,0 +1,191 @@
// libpng_read_fuzzer.cc
// Copyright 2017-2018 Glenn Randers-Pehrson
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that may
// be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE
// Last changed in libpng 1.6.35 [July 15, 2018]
// The modifications in 2017 by Glenn Randers-Pehrson include
// 1. addition of a PNG_CLEANUP macro,
// 2. setting the option to ignore ADLER32 checksums,
// 3. adding "#include <string.h>" which is needed on some platforms
// to provide memcpy().
// 4. adding read_end_info() and creating an end_info structure.
// 5. adding calls to png_set_*() transforms commonly used by browsers.
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <vector>
#define PNG_INTERNAL
#include "png.h"
#define PNG_CLEANUP \
if (png_handler.png_ptr) { \
if (png_handler.row_ptr) { \
png_free(png_handler.png_ptr, png_handler.row_ptr); \
} \
if (png_handler.end_info_ptr) { \
png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr, \
&png_handler.end_info_ptr); \
} else if (png_handler.info_ptr) { \
png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr, \
nullptr); \
} else { \
png_destroy_read_struct(&png_handler.png_ptr, nullptr, nullptr); \
} \
png_handler.png_ptr = nullptr; \
png_handler.row_ptr = nullptr; \
png_handler.info_ptr = nullptr; \
png_handler.end_info_ptr = nullptr; \
}
struct BufState {
const uint8_t *data;
size_t bytes_left;
};
struct PngObjectHandler {
png_infop info_ptr = nullptr;
png_structp png_ptr = nullptr;
png_infop end_info_ptr = nullptr;
png_voidp row_ptr = nullptr;
BufState *buf_state = nullptr;
~PngObjectHandler() {
if (row_ptr) { png_free(png_ptr, row_ptr); }
if (end_info_ptr) {
png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr);
} else if (info_ptr) {
png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
} else {
png_destroy_read_struct(&png_ptr, nullptr, nullptr);
}
delete buf_state;
}
};
void user_read_data(png_structp png_ptr, png_bytep data, size_t length) {
BufState *buf_state = static_cast<BufState *>(png_get_io_ptr(png_ptr));
if (length > buf_state->bytes_left) { png_error(png_ptr, "read error"); }
memcpy(data, buf_state->data, length);
buf_state->bytes_left -= length;
buf_state->data += length;
}
static const int kPngHeaderSize = 8;
// Entry point for LibFuzzer.
// Roughly follows the libpng book example:
// http://www.libpng.org/pub/png/book/chapter13.html
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if (size < kPngHeaderSize) { return 0; }
std::vector<unsigned char> v(data, data + size);
if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) {
// not a PNG.
return 0;
}
PngObjectHandler png_handler;
png_handler.png_ptr = nullptr;
png_handler.row_ptr = nullptr;
png_handler.info_ptr = nullptr;
png_handler.end_info_ptr = nullptr;
png_handler.png_ptr =
png_create_read_struct(PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr);
if (!png_handler.png_ptr) { return 0; }
png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr);
if (!png_handler.info_ptr) {
PNG_CLEANUP
return 0;
}
png_handler.end_info_ptr = png_create_info_struct(png_handler.png_ptr);
if (!png_handler.end_info_ptr) {
PNG_CLEANUP
return 0;
}
png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
#ifdef PNG_IGNORE_ADLER32
png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON);
#endif
// Setting up reading from buffer.
png_handler.buf_state = new BufState();
png_handler.buf_state->data = data + kPngHeaderSize;
png_handler.buf_state->bytes_left = size - kPngHeaderSize;
png_set_read_fn(png_handler.png_ptr, png_handler.buf_state, user_read_data);
png_set_sig_bytes(png_handler.png_ptr, kPngHeaderSize);
if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
PNG_CLEANUP
return 0;
}
// Reading.
png_read_info(png_handler.png_ptr, png_handler.info_ptr);
// reset error handler to put png_deleter into scope.
if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
PNG_CLEANUP
return 0;
}
png_uint_32 width, height;
int bit_depth, color_type, interlace_type, compression_type;
int filter_type;
if (!png_get_IHDR(png_handler.png_ptr, png_handler.info_ptr, &width, &height,
&bit_depth, &color_type, &interlace_type, &compression_type,
&filter_type)) {
PNG_CLEANUP
return 0;
}
// This is going to be too slow.
if (width && height > 100000000 / width) {
PNG_CLEANUP
#ifdef HAS_DUMMY_CRASH
#ifdef __aarch64__
asm volatile(".word 0xf7f0a000\n");
#else
asm("ud2");
#endif
#endif
return 0;
}
// Set several transforms that browsers typically use:
png_set_gray_to_rgb(png_handler.png_ptr);
png_set_expand(png_handler.png_ptr);
png_set_packing(png_handler.png_ptr);
png_set_scale_16(png_handler.png_ptr);
png_set_tRNS_to_alpha(png_handler.png_ptr);
int passes = png_set_interlace_handling(png_handler.png_ptr);
png_read_update_info(png_handler.png_ptr, png_handler.info_ptr);
png_handler.row_ptr =
png_malloc(png_handler.png_ptr,
png_get_rowbytes(png_handler.png_ptr, png_handler.info_ptr));
for (int pass = 0; pass < passes; ++pass) {
for (png_uint_32 y = 0; y < height; ++y) {
png_read_row(png_handler.png_ptr,
static_cast<png_bytep>(png_handler.row_ptr), nullptr);
}
}
png_read_end(png_handler.png_ptr, png_handler.end_info_ptr);
PNG_CLEANUP
return 0;
}

70
scripts/build_all_fuzzers.sh
View File

@ -1,70 +0,0 @@
#!/bin/bash
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
cd "$SCRIPT_DIR/.." || exit 1
# TODO: This should be rewritten in rust, a Makefile, or some platform-independent language
if [[ -z "${RUN_ON_CI}" ]]; then
fuzzers=$(find ./fuzzers -mindepth 2 -maxdepth 2 -type d)
backtrace_fuzzers=$(find ./fuzzers/baby/backtrace_baby_fuzzers -mindepth 1 -maxdepth 1 -type d)
else
cargo build -p build_and_test_fuzzers
fuzzers=$(cargo run -p build_and_test_fuzzers -- "remotes/origin/main" "HEAD^")
backtrace_fuzzers=""
export PROFILE=dev
export PROFILE_DIR=debug
fi
fuzzers=$(echo "$fuzzers" | tr ' ' '\n')
backtrace_fuzzers=$(echo "$backtrace_fuzzers" | tr ' ' '\n')
libafl=$(pwd)
# build with a shared target dir for all fuzzers. this should speed up
# compilation a bit, and allows for easier artifact management (caching and
# cargo clean).
export CARGO_TARGET_DIR="$libafl/target"
mkdir -p "$CARGO_TARGET_DIR"
git submodule init && git submodule update
# override default profile settings for speed
# export RUSTFLAGS="-C prefer-dynamic"
for profile in DEV RELEASE; # loop for all profiles
do
export CARGO_PROFILE_"$profile"_OPT_LEVEL=z # optimize for size
# runs into shared target dir bug:
# [pid 351769] openat(AT_FDCWD, "LibAFL/target/release/deps/libc-dbff77a14da5d893.libc.5deb7d4a-cgu.0.rcgu.dwo", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
# error: failed to build archive: No such file or directory
# export CARGO_PROFILE_"$profile"_SPLIT_DEBUGINFO=unpacked # minimize debug info
# export CARGO_PROFILE_"$profile"_PANIC=abort
# export CARGO_PROFILE_"$profile"_INCREMENTAL=true
done
# shellcheck disable=SC2116
for fuzzer in $(echo "$fuzzers" "$backtrace_fuzzers");
do
# skip nyx test on non-linux platforms
if [[ $fuzzer == *"nyx_"* ]]; then
continue
fi
cd "$fuzzer" || exit 1
# Clippy checks
echo "[*] Checking fmt for $fuzzer"
cargo +nightly fmt --all || exit 1
if [ -e ./Makefile.toml ]; then
echo "[*] Building $fuzzer"
cargo make build || exit 1
echo "[+] Done building $fuzzer"
else
echo "[*] Building $fuzzer"
cargo build || exit 1
echo "[+] Done building $fuzzer"
fi
# no cleaning -- this is a local test, we want to cache here
cd "$libafl" || exit 1
echo ""
done

21
scripts/test_fuzzer.sh
View File

@ -15,14 +15,10 @@ else
export PROFILE_DIR=debug export PROFILE_DIR=debug
fi fi
libafl=$(pwd)
echo "Testing" "$fuzzer_to_test" echo "Testing" "$fuzzer_to_test"
# build with a shared target dir for all fuzzers. this should speed up # build with a shared target dir for all fuzzers. this should speed up
# compilation a bit, and allows for easier artifact management (caching and # compilation a bit, and allows for easier artifact management (caching and
# cargo clean). # cargo clean).
export CARGO_TARGET_DIR="$libafl/target"
mkdir -p "$CARGO_TARGET_DIR"
git submodule init && git submodule update git submodule init && git submodule update
@ -64,22 +60,13 @@ do
echo "[*] Testing $fuzzer" echo "[*] Testing $fuzzer"
cargo make test || exit 1 cargo make test || exit 1
echo "[+] Done testing $fuzzer" echo "[+] Done testing $fuzzer"
elif [ -e ./Justfile ]; then
echo "[*] Testing $fuzzer"
just test || exit 1
echo "[+] Done testing $fuzzer"
else else
echo "[*] Building $fuzzer" echo "[*] Building $fuzzer"
cargo build || exit 1 cargo build || exit 1
echo "[+] Done building $fuzzer" echo "[+] Done building $fuzzer"
fi fi
du -sh "$CARGO_TARGET_DIR"
# Save disk space
cargo clean -p "$(basename "$fuzzer")"
cargo clean --release -p "$(basename "$fuzzer")" 2> /dev/null
# Leaving these in the cache results in lots of duplicate build artifacts
# (many different feature flag combinations, ...), so let's prune them.
for clean_pkgid in libafl libafl_targets libafl_sugar; do
cargo clean -p "$clean_pkgid" 2> /dev/null
cargo clean --release -p "$clean_pkgid" 2> /dev/null
done
du -sh "$CARGO_TARGET_DIR"
cd "$libafl" || exit 1
echo ""
done done