From 40a730134478f1a6978c94673cc83823b735f811 Mon Sep 17 00:00:00 2001
From: Dominik Maier <domenukk@gmail.com>
Date: Tue, 9 Feb 2021 09:42:19 +0100
Subject: [PATCH] inmem fuzzer -> inprocess fuzzer

---
 .../executors/{inmemory.rs => inprocess.rs}   | 16 ++---
 afl/src/executors/mod.rs                      |  4 +-
 afl/src/lib.rs                                |  4 +-
 afl/src/mutators/mutations.rs                 |  2 +-
 afl/src/mutators/token_mutations.rs           | 68 +++++++++++++++++++
 fuzzers/libfuzzer_libpng/src/mod.rs           |  4 +-
 fuzzers/libfuzzer_test/src/mod.rs             |  4 +-
 fuzzers/qemufuzzer/src/lib.rs                 |  4 +-
 8 files changed, 87 insertions(+), 19 deletions(-)
 rename afl/src/executors/{inmemory.rs => inprocess.rs} (96%)
 create mode 100644 afl/src/mutators/token_mutations.rs

diff --git a/afl/src/executors/inmemory.rs b/afl/src/executors/inprocess.rs
similarity index 96%
rename from afl/src/executors/inmemory.rs
rename to afl/src/executors/inprocess.rs
index 64ddd01bd5..599cc8adae 100644
--- a/afl/src/executors/inmemory.rs
+++ b/afl/src/executors/inprocess.rs
@@ -31,7 +31,7 @@ use self::os_signals::setup_crash_handlers;
 type HarnessFunction<E> = fn(&E, &[u8]) -> ExitKind;
 
 /// The inmem executor simply calls a target function, then returns afterwards.
-pub struct InMemoryExecutor<I, OT>
+pub struct InProcessExecutor<I, OT>
 where
     I: Input + HasTargetBytes,
     OT: ObserversTuple,
@@ -45,7 +45,7 @@ where
     phantom: PhantomData<I>,
 }
 
-impl<I, OT> Executor<I> for InMemoryExecutor<I, OT>
+impl<I, OT> Executor<I> for InProcessExecutor<I, OT>
 where
     I: Input + HasTargetBytes,
     OT: ObserversTuple,
@@ -100,7 +100,7 @@ where
     }
 }
 
-impl<I, OT> Named for InMemoryExecutor<I, OT>
+impl<I, OT> Named for InProcessExecutor<I, OT>
 where
     I: Input + HasTargetBytes,
     OT: ObserversTuple,
@@ -110,7 +110,7 @@ where
     }
 }
 
-impl<I, OT> HasObservers<OT> for InMemoryExecutor<I, OT>
+impl<I, OT> HasObservers<OT> for InProcessExecutor<I, OT>
 where
     I: Input + HasTargetBytes,
     OT: ObserversTuple,
@@ -126,7 +126,7 @@ where
     }
 }
 
-impl<I, OT> InMemoryExecutor<I, OT>
+impl<I, OT> InProcessExecutor<I, OT>
 where
     I: Input + HasTargetBytes,
     OT: ObserversTuple,
@@ -376,7 +376,7 @@ mod tests {
     use core::marker::PhantomData;
 
     use crate::{
-        executors::{Executor, ExitKind, InMemoryExecutor},
+        executors::{Executor, ExitKind, InProcessExecutor},
         inputs::Input,
         tuples::tuple_list,
     };
@@ -389,7 +389,7 @@ mod tests {
     fn test_inmem_exec() {
         use crate::inputs::NopInput;
 
-        let mut in_mem_executor = InMemoryExecutor::<NopInput, ()> {
+        let mut in_process_executor = InProcessExecutor::<NopInput, ()> {
             harness_fn: test_harness_fn_nop,
             // TODO: on_crash_fn: Box::new(|_, _, _, _, _| ()),
             observers: tuple_list!(),
@@ -397,6 +397,6 @@ mod tests {
             phantom: PhantomData,
         };
         let mut input = NopInput {};
-        assert!(in_mem_executor.run_target(&mut input).is_ok());
+        assert!(in_process_executor.run_target(&mut input).is_ok());
     }
 }
diff --git a/afl/src/executors/mod.rs b/afl/src/executors/mod.rs
index d93e3e956a..ad075c8a75 100644
--- a/afl/src/executors/mod.rs
+++ b/afl/src/executors/mod.rs
@@ -1,7 +1,7 @@
 //! Executors take input, and run it in the target.
 
-pub mod inmemory;
-pub use inmemory::InMemoryExecutor;
+pub mod inprocess;
+pub use inprocess::InProcessExecutor;
 #[cfg(feature = "runtime")]
 pub mod runtime;
 
diff --git a/afl/src/lib.rs b/afl/src/lib.rs
index a41ebe7819..7652dc75bc 100644
--- a/afl/src/lib.rs
+++ b/afl/src/lib.rs
@@ -245,7 +245,7 @@ mod tests {
 
     use crate::{
         corpus::{Corpus, InMemoryCorpus, Testcase},
-        executors::{Executor, ExitKind, InMemoryExecutor},
+        executors::{Executor, ExitKind, InProcessExecutor},
         inputs::{BytesInput, Input},
         mutators::{mutation_bitflip, ComposedByMutations, StdScheduledMutator},
         stages::StdMutationalStage,
@@ -277,7 +277,7 @@ mod tests {
         });
         let mut event_manager = LoggerEventManager::new(stats);
 
-        let mut executor = InMemoryExecutor::new(
+        let mut executor = InProcessExecutor::new(
             "main",
             harness,
             tuple_list!(),
diff --git a/afl/src/mutators/mutations.rs b/afl/src/mutators/mutations.rs
index 7ca88c8ddc..9b019e0793 100644
--- a/afl/src/mutators/mutations.rs
+++ b/afl/src/mutators/mutations.rs
@@ -914,7 +914,7 @@ mod tests {
     use super::*;
     use crate::{
         corpus::{Corpus, InMemoryCorpus},
-        executors::InMemoryExecutor,
+        executors::InProcessExecutor,
         inputs::BytesInput,
         state::State,
         utils::StdRand,
diff --git a/afl/src/mutators/token_mutations.rs b/afl/src/mutators/token_mutations.rs
new file mode 100644
index 0000000000..8622947f47
--- /dev/null
+++ b/afl/src/mutators/token_mutations.rs
@@ -0,0 +1,68 @@
+
+
+struct Tokens {
+    vec: Vec<Vec<u8>>,
+}
+
+impl AsAny for Tokens {
+
+}
+
+/// Insert a dictionary token
+pub fn mutation_tokeninsert<I, M, R, S>(
+    mutator: &mut M,
+    rand: &mut R,
+    state: &mut S,
+    input: &mut I,
+) -> Result<MutationResult, AflError>
+where
+    M: HasMaxSize,
+    I: Input + HasBytesVec,
+    R: Rand,
+    S: HasMetadata,
+{
+    let tokens: &Tokens = &state.metadata().get::<Tokens>().unwrap();
+    let tokens = tokens.token_vec;
+    if mutator.tokens.size() == 0 {
+        return Ok(MutationResult::Skipped);
+    }
+    let token = &mutator.tokens[rand.below(token.size())];
+    let token_len = token.size();
+    let size = input.bytes().len();
+    let off = if size == 0 {
+        0
+    } else {
+        rand.below(core::cmp::min(
+            size,
+            (mutator.max_size() - token_len) as u64,
+        )) as usize
+    } as usize;
+
+    input.bytes_mut().resize(size + token_len, 0);
+    mem_move(input.bytes_mut(), token, 0, off, len);
+    Ok(MutationResult::Mutated)
+}
+
+/// Overwrite with a dictionary token
+pub fn mutation_tokenreplace<I, M, R, S>(
+    mutator: &mut M,
+    rand: &mut R,
+    state: &S,
+    input: &mut I,
+) -> Result<MutationResult, AflError>
+where
+    M: HasMaxSize,
+    I: Input + HasBytesVec,
+    R: Rand,
+    S: HasMetadata,
+{
+    if mutator.tokens.size() > len || !len {
+        return Ok(MutationResult::Skipped);
+    }
+    let token = &mutator.tokens[rand.below(token.size())];
+    let token_len = token.size();
+    let size = input.bytes().len();
+    let off = rand.below((mutator.max_size() - token_len) as u64) as usize;
+    mem_move(input.bytes_mut(), token, 0, off, len);
+    Ok(MutationResult::Mutated)
+}
diff --git a/fuzzers/libfuzzer_libpng/src/mod.rs b/fuzzers/libfuzzer_libpng/src/mod.rs
index e9b15a7e41..a7495c6118 100644
--- a/fuzzers/libfuzzer_libpng/src/mod.rs
+++ b/fuzzers/libfuzzer_libpng/src/mod.rs
@@ -7,7 +7,7 @@ use std::{env, path::PathBuf, process::Command};
 use afl::{
     corpus::{Corpus, InMemoryCorpus},
     events::{LlmpEventManager, SimpleStats},
-    executors::{inmemory::InMemoryExecutor, Executor, ExitKind},
+    executors::{inprocess::InProcessExecutor, Executor, ExitKind},
     feedbacks::MaxMapFeedback,
     generators::RandPrintablesGenerator,
     inputs::{BytesInput, Input},
@@ -229,7 +229,7 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), AflError> {
     */
 
     // Create the engine
-    let mut executor = InMemoryExecutor::new(
+    let mut executor = InProcessExecutor::new(
         "Libfuzzer",
         harness,
         tuple_list!(edges_observer),
diff --git a/fuzzers/libfuzzer_test/src/mod.rs b/fuzzers/libfuzzer_test/src/mod.rs
index 64c4561b35..a4d677e067 100644
--- a/fuzzers/libfuzzer_test/src/mod.rs
+++ b/fuzzers/libfuzzer_test/src/mod.rs
@@ -15,7 +15,7 @@ use afl::engines::Fuzzer;
 use afl::engines::State;
 use afl::engines::StdFuzzer;
 use afl::events::{LlmpEventManager, SimpleStats};
-use afl::executors::inmemory::InMemoryExecutor;
+use afl::executors::inmemory::InProcessExecutor;
 use afl::executors::{Executor, ExitKind};
 use afl::feedbacks::MaxMapFeedback;
 use afl::generators::RandPrintablesGenerator;
@@ -121,7 +121,7 @@ pub fn main() {
         });
     let edges_feedback = MaxMapFeedback::new_with_observer(&NAME_COV_MAP, &edges_observer);
 
-    let executor = InMemoryExecutor::new("Libfuzzer", harness, tuple_list!(edges_observer));
+    let executor = InProcessExecutor::new("Libfuzzer", harness, tuple_list!(edges_observer));
     let mut state = State::new(tuple_list!(edges_feedback));
 
     let mut engine = Engine::new(executor);
diff --git a/fuzzers/qemufuzzer/src/lib.rs b/fuzzers/qemufuzzer/src/lib.rs
index 2413611ca1..8ed917e4b0 100644
--- a/fuzzers/qemufuzzer/src/lib.rs
+++ b/fuzzers/qemufuzzer/src/lib.rs
@@ -8,7 +8,7 @@ use afl::engines::Fuzzer;
 use afl::engines::State;
 use afl::engines::StdFuzzer;
 use afl::events::{LlmpEventManager, SimpleStats};
-use afl::executors::inmemory::InMemoryExecutor;
+use afl::executors::inmemory::InProcessExecutor;
 use afl::executors::{Executor, ExitKind};
 use afl::feedbacks::MaxMapFeedback;
 use afl::generators::RandPrintablesGenerator;
@@ -72,7 +72,7 @@ pub extern "C" fn fuzz_main_loop() {
         });
     let edges_feedback = MaxMapFeedback::new_with_observer(&NAME_COV_MAP, &edges_observer);
 
-    let executor = InMemoryExecutor::new("QEMUFuzzer", harness, tuple_list!(edges_observer));
+    let executor = InProcessExecutor::new("QEMUFuzzer", harness, tuple_list!(edges_observer));
     let mut state = State::new(tuple_list!(edges_feedback));
 
     let mut engine = Engine::new(executor);