inmem fuzzer -> inprocess fuzzer

2021-02-09 09:42:19 +01:00 · 2021-02-09 09:42:19 +01:00 · 40a7301344
commit 40a7301344
parent 75972653fe
8 changed files with 87 additions and 19 deletions
--- a/afl/src/executors/inprocess.rs
+++ b/afl/src/executors/inprocess.rs
@ -31,7 +31,7 @@ use self::os_signals::setup_crash_handlers;
 type HarnessFunction<E> = fn(&E, &[u8]) -> ExitKind;

 /// The inmem executor simply calls a target function, then returns afterwards.
-pub struct InMemoryExecutor<I, OT>
+pub struct InProcessExecutor<I, OT>
 where
    I: Input + HasTargetBytes,
    OT: ObserversTuple,
@ -45,7 +45,7 @@ where
    phantom: PhantomData<I>,
 }

-impl<I, OT> Executor<I> for InMemoryExecutor<I, OT>
+impl<I, OT> Executor<I> for InProcessExecutor<I, OT>
 where
    I: Input + HasTargetBytes,
    OT: ObserversTuple,
@ -100,7 +100,7 @@ where
    }
 }

-impl<I, OT> Named for InMemoryExecutor<I, OT>
+impl<I, OT> Named for InProcessExecutor<I, OT>
 where
    I: Input + HasTargetBytes,
    OT: ObserversTuple,
@ -110,7 +110,7 @@ where
    }
 }

-impl<I, OT> HasObservers<OT> for InMemoryExecutor<I, OT>
+impl<I, OT> HasObservers<OT> for InProcessExecutor<I, OT>
 where
    I: Input + HasTargetBytes,
    OT: ObserversTuple,
@ -126,7 +126,7 @@ where
    }
 }

-impl<I, OT> InMemoryExecutor<I, OT>
+impl<I, OT> InProcessExecutor<I, OT>
 where
    I: Input + HasTargetBytes,
    OT: ObserversTuple,
@ -376,7 +376,7 @@ mod tests {
    use core::marker::PhantomData;

    use crate::{
-        executors::{Executor, ExitKind, InMemoryExecutor},
+        executors::{Executor, ExitKind, InProcessExecutor},
        inputs::Input,
        tuples::tuple_list,
    };
@ -389,7 +389,7 @@ mod tests {
    fn test_inmem_exec() {
        use crate::inputs::NopInput;

-        let mut in_mem_executor = InMemoryExecutor::<NopInput, ()> {
+        let mut in_process_executor = InProcessExecutor::<NopInput, ()> {
            harness_fn: test_harness_fn_nop,
            // TODO: on_crash_fn: Box::new(|_, _, _, _, _| ()),
            observers: tuple_list!(),
@ -397,6 +397,6 @@ mod tests {
            phantom: PhantomData,
        };
        let mut input = NopInput {};
-        assert!(in_mem_executor.run_target(&mut input).is_ok());
+        assert!(in_process_executor.run_target(&mut input).is_ok());
    }
 }
--- a/afl/src/executors/mod.rs
+++ b/afl/src/executors/mod.rs
@ -1,7 +1,7 @@
 //! Executors take input, and run it in the target.

-pub mod inmemory;
-pub use inmemory::InMemoryExecutor;
+pub mod inprocess;
+pub use inprocess::InProcessExecutor;
 #[cfg(feature = "runtime")]
 pub mod runtime;

--- a/afl/src/lib.rs
+++ b/afl/src/lib.rs
@ -245,7 +245,7 @@ mod tests {

    use crate::{
        corpus::{Corpus, InMemoryCorpus, Testcase},
-        executors::{Executor, ExitKind, InMemoryExecutor},
+        executors::{Executor, ExitKind, InProcessExecutor},
        inputs::{BytesInput, Input},
        mutators::{mutation_bitflip, ComposedByMutations, StdScheduledMutator},
        stages::StdMutationalStage,
@ -277,7 +277,7 @@ mod tests {
        });
        let mut event_manager = LoggerEventManager::new(stats);

-        let mut executor = InMemoryExecutor::new(
+        let mut executor = InProcessExecutor::new(
            "main",
            harness,
            tuple_list!(),
--- a/afl/src/mutators/mutations.rs
+++ b/afl/src/mutators/mutations.rs
@ -914,7 +914,7 @@ mod tests {
    use super::*;
    use crate::{
        corpus::{Corpus, InMemoryCorpus},
-        executors::InMemoryExecutor,
+        executors::InProcessExecutor,
        inputs::BytesInput,
        state::State,
        utils::StdRand,
--- a/afl/src/mutators/token_mutations.rs
+++ b/afl/src/mutators/token_mutations.rs
@ -0,0 +1,68 @@
+
+
+struct Tokens {
+    vec: Vec<Vec<u8>>,
+}
+
+impl AsAny for Tokens {
+
+}
+
+/// Insert a dictionary token
+pub fn mutation_tokeninsert<I, M, R, S>(
+    mutator: &mut M,
+    rand: &mut R,
+    state: &mut S,
+    input: &mut I,
+) -> Result<MutationResult, AflError>
+where
+    M: HasMaxSize,
+    I: Input + HasBytesVec,
+    R: Rand,
+    S: HasMetadata,
+{
+    let tokens: &Tokens = &state.metadata().get::<Tokens>().unwrap();
+    let tokens = tokens.token_vec;
+    if mutator.tokens.size() == 0 {
+        return Ok(MutationResult::Skipped);
+    }
+    let token = &mutator.tokens[rand.below(token.size())];
+    let token_len = token.size();
+    let size = input.bytes().len();
+    let off = if size == 0 {
+        0
+    } else {
+        rand.below(core::cmp::min(
+            size,
+            (mutator.max_size() - token_len) as u64,
+        )) as usize
+    } as usize;
+
+    input.bytes_mut().resize(size + token_len, 0);
+    mem_move(input.bytes_mut(), token, 0, off, len);
+    Ok(MutationResult::Mutated)
+}
+
+/// Overwrite with a dictionary token
+pub fn mutation_tokenreplace<I, M, R, S>(
+    mutator: &mut M,
+    rand: &mut R,
+    state: &S,
+    input: &mut I,
+) -> Result<MutationResult, AflError>
+where
+    M: HasMaxSize,
+    I: Input + HasBytesVec,
+    R: Rand,
+    S: HasMetadata,
+{
+    if mutator.tokens.size() > len || !len {
+        return Ok(MutationResult::Skipped);
+    }
+    let token = &mutator.tokens[rand.below(token.size())];
+    let token_len = token.size();
+    let size = input.bytes().len();
+    let off = rand.below((mutator.max_size() - token_len) as u64) as usize;
+    mem_move(input.bytes_mut(), token, 0, off, len);
+    Ok(MutationResult::Mutated)
+}
--- a/fuzzers/libfuzzer_libpng/src/mod.rs
+++ b/fuzzers/libfuzzer_libpng/src/mod.rs
@ -7,7 +7,7 @@ use std::{env, path::PathBuf, process::Command};
 use afl::{
    corpus::{Corpus, InMemoryCorpus},
    events::{LlmpEventManager, SimpleStats},
-    executors::{inmemory::InMemoryExecutor, Executor, ExitKind},
+    executors::{inprocess::InProcessExecutor, Executor, ExitKind},
    feedbacks::MaxMapFeedback,
    generators::RandPrintablesGenerator,
    inputs::{BytesInput, Input},
@ -229,7 +229,7 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), AflError> {
    */

    // Create the engine
-    let mut executor = InMemoryExecutor::new(
+    let mut executor = InProcessExecutor::new(
        "Libfuzzer",
        harness,
        tuple_list!(edges_observer),
--- a/fuzzers/libfuzzer_test/src/mod.rs
+++ b/fuzzers/libfuzzer_test/src/mod.rs
@ -15,7 +15,7 @@ use afl::engines::Fuzzer;
 use afl::engines::State;
 use afl::engines::StdFuzzer;
 use afl::events::{LlmpEventManager, SimpleStats};
-use afl::executors::inmemory::InMemoryExecutor;
+use afl::executors::inmemory::InProcessExecutor;
 use afl::executors::{Executor, ExitKind};
 use afl::feedbacks::MaxMapFeedback;
 use afl::generators::RandPrintablesGenerator;
@ -121,7 +121,7 @@ pub fn main() {
        });
    let edges_feedback = MaxMapFeedback::new_with_observer(&NAME_COV_MAP, &edges_observer);

-    let executor = InMemoryExecutor::new("Libfuzzer", harness, tuple_list!(edges_observer));
+    let executor = InProcessExecutor::new("Libfuzzer", harness, tuple_list!(edges_observer));
    let mut state = State::new(tuple_list!(edges_feedback));

    let mut engine = Engine::new(executor);
--- a/fuzzers/qemufuzzer/src/lib.rs
+++ b/fuzzers/qemufuzzer/src/lib.rs
@ -8,7 +8,7 @@ use afl::engines::Fuzzer;
 use afl::engines::State;
 use afl::engines::StdFuzzer;
 use afl::events::{LlmpEventManager, SimpleStats};
-use afl::executors::inmemory::InMemoryExecutor;
+use afl::executors::inmemory::InProcessExecutor;
 use afl::executors::{Executor, ExitKind};
 use afl::feedbacks::MaxMapFeedback;
 use afl::generators::RandPrintablesGenerator;
@ -72,7 +72,7 @@ pub extern "C" fn fuzz_main_loop() {
        });
    let edges_feedback = MaxMapFeedback::new_with_observer(&NAME_COV_MAP, &edges_observer);

-    let executor = InMemoryExecutor::new("QEMUFuzzer", harness, tuple_list!(edges_observer));
+    let executor = InProcessExecutor::new("QEMUFuzzer", harness, tuple_list!(edges_observer));
    let mut state = State::new(tuple_list!(edges_feedback));

    let mut engine = Engine::new(executor);