Send stability in calibration stage & FridaInstrumentationHelper retunrs Result<Self, Error> (#1056)

* fix

* fix

* clippy
Dongjia "toka" Zhang 2023-02-13 05:35:09 +09:00 committed by GitHub
parent b7a0b823c6
commit 4d78878c02
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 37 additions and 44 deletions


@ -102,10 +102,10 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
#[cfg(unix)] #[cfg(unix)]
let mut frida_helper = let mut frida_helper =
FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, asan)); FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, asan))?;
#[cfg(windows)] #[cfg(windows)]
let mut frida_helper = let mut frida_helper =
FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage)); FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage))?;
// Create an observation channel using the coverage map // Create an observation channel using the coverage map
let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr( let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
@ -221,7 +221,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let cmplog = CmpLogRuntime::new(); let cmplog = CmpLogRuntime::new();
let mut frida_helper = let mut frida_helper =
FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, cmplog)); FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, cmplog))?;
// Create an observation channel using the coverage map // Create an observation channel using the coverage map
let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr( let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
@ -351,7 +351,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let coverage = CoverageRuntime::new(); let coverage = CoverageRuntime::new();
let mut frida_helper = let mut frida_helper =
FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage)); FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage))?;
// Create an observation channel using the coverage map // Create an observation channel using the coverage map
let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr( let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(


@ -99,10 +99,10 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
#[cfg(unix)] #[cfg(unix)]
let mut frida_helper = let mut frida_helper =
FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, asan)); FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, asan))?;
#[cfg(windows)] #[cfg(windows)]
let mut frida_helper = let mut frida_helper =
FridaInstrumentationHelper::new(&gum, &options, tuple_list!(coverage)); FridaInstrumentationHelper::new(&gum, &options, tuple_list!(coverage))?;
// Create an observation channel using the coverage map // Create an observation channel using the coverage map
let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr( let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
@ -219,7 +219,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let cmplog = CmpLogRuntime::new(); let cmplog = CmpLogRuntime::new();
let mut frida_helper = let mut frida_helper =
FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, cmplog)); FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, cmplog))?;
// Create an observation channel using the coverage map // Create an observation channel using the coverage map
let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr( let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
@ -349,7 +349,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let coverage = CoverageRuntime::new(); let coverage = CoverageRuntime::new();
let mut frida_helper = let mut frida_helper =
FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage)); FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage))?;
// Create an observation channel using the coverage map // Create an observation channel using the coverage map
let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr( let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
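Review bot: The Windows branch passes `&options` where the Unix branch a few lines above passes `options`; with `options: &FuzzerOptions` from the signature that argument is a `&&FuzzerOptions` that only compiles through deref coercion, and because it sits under `#[cfg(windows)]` a Unix-only build never exercises it. Since the commit touches this line anyway, make it `FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage))?;` so it matches the other call sites in this file and the sibling fuzzer. The enclosing `fuzz` function continues outside the hunks.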


@ -3,11 +3,7 @@
pub mod simple; pub mod simple;
pub use simple::*; pub use simple::*;
pub mod llmp; pub mod llmp;
use alloc::{ use alloc::{boxed::Box, string::String, vec::Vec};
boxed::Box,
string::{String, ToString},
vec::Vec,
};
#[cfg(all(unix, feature = "std"))] #[cfg(all(unix, feature = "std"))]
use core::ffi::c_void; use core::ffi::c_void;
use core::{ use core::{
@ -33,7 +29,6 @@ use crate::{
inputs::Input, inputs::Input,
monitors::UserStats, monitors::UserStats,
observers::ObserversTuple, observers::ObserversTuple,
stages::calibrate::UnstableEntriesMetadata,
state::{HasClientPerfMonitor, HasExecutions, HasMetadata}, state::{HasClientPerfMonitor, HasExecutions, HasMetadata},
Error, Error,
}; };
@ -462,23 +457,6 @@ where
}, },
)?; )?;
// Send the stability event to the broker
if let Some(meta) = state.metadata().get::<UnstableEntriesMetadata>() {
let unstable_entries = meta.unstable_entries().len();
let map_len = meta.map_len();
self.fire(
state,
Event::UpdateUserStats {
name: "stability".to_string(),
value: UserStats::Ratio(
(map_len - unstable_entries) as u64,
map_len as u64,
),
phantom: PhantomData,
},
)?;
}
// If performance monitor are requested, fire the `UpdatePerfMonitor` event // If performance monitor are requested, fire the `UpdatePerfMonitor` event
#[cfg(feature = "introspection")] #[cfg(feature = "introspection")]
{ {


@ -186,7 +186,7 @@ where
OF: Feedback<S>, OF: Feedback<S>,
Z: HasObjective<Objective = OF, State = S>, Z: HasObjective<Objective = OF, State = S>,
{ {
let handlers = InProcessHandlers::new::<Self, EM, OF, Z, H>()?; let handlers = InProcessHandlers::new::<Self, EM, OF, Z>()?;
#[cfg(windows)] #[cfg(windows)]
// Some initialization necessary for windows. // Some initialization necessary for windows.
unsafe { unsafe {
@ -337,14 +337,13 @@ impl InProcessHandlers {
} }
/// Create new [`InProcessHandlers`]. /// Create new [`InProcessHandlers`].
pub fn new<E, EM, OF, Z, H>() -> Result<Self, Error> pub fn new<E, EM, OF, Z>() -> Result<Self, Error>
where where
E: Executor<EM, Z> + HasObservers, E: Executor<EM, Z> + HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor, E::State: HasSolutions + HasClientPerfMonitor,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>,
H: FnMut(&<E::State as UsesInput>::Input) -> ExitKind + ?Sized,
{ {
#[cfg(unix)] #[cfg(unix)]
unsafe { unsafe {


@ -13,7 +13,7 @@ use serde::{Deserialize, Serialize};
use crate::{ use crate::{
bolts::{current_time, tuples::Named, AsIter}, bolts::{current_time, tuples::Named, AsIter},
corpus::{Corpus, CorpusId, SchedulerTestcaseMetaData}, corpus::{Corpus, CorpusId, SchedulerTestcaseMetaData},
events::{EventFirer, LogSeverity}, events::{Event, EventFirer, LogSeverity},
executors::{Executor, ExitKind, HasObservers}, executors::{Executor, ExitKind, HasObservers},
feedbacks::{ feedbacks::{
map::{IsNovel, MapFeedback, MapFeedbackMetadata, Reducer}, map::{IsNovel, MapFeedback, MapFeedbackMetadata, Reducer},
@ -21,6 +21,7 @@ use crate::{
}, },
fuzzer::Evaluator, fuzzer::Evaluator,
inputs::UsesInput, inputs::UsesInput,
monitors::UserStats,
observers::{MapObserver, ObserversTuple}, observers::{MapObserver, ObserversTuple},
schedulers::powersched::SchedulerMetadata, schedulers::powersched::SchedulerMetadata,
stages::Stage, stages::Stage,
@ -285,6 +286,20 @@ where
data.set_handicap(handicap); data.set_handicap(handicap);
} }
// Send the stability event to the broker
if let Some(meta) = state.metadata().get::<UnstableEntriesMetadata>() {
let unstable_entries = meta.unstable_entries().len();
let map_len = meta.map_len();
mgr.fire(
state,
Event::UpdateUserStats {
name: "stability".to_string(),
value: UserStats::Ratio((map_len - unstable_entries) as u64, map_len as u64),
phantom: PhantomData,
},
)?;
}
Ok(()) Ok(())
} }
} }
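Review bot: The ratio handed to `UserStats::Ratio` is built from `map_len - unstable_entries`, which panics in debug builds (and wraps in release) if the metadata ever reports more unstable entries than `map_len`, and produces a 0/0 ratio when the map is empty; I'd write it as `UserStats::Ratio(map_len.saturating_sub(unstable_entries) as u64, map_len as u64)` and only fire when `map_len > 0`. Presumably `UnstableEntriesMetadata` is only ever written by this stage with a consistent `map_len`, so this is cheap insurance rather than a fix for a reproduced failure. The block also deserves a line explaining the relocation, since the event-manager side no longer emits this stat, e.g. `// Stability is reported from here only; fuzzers without a calibration stage get no "stability" stat.` The enclosing function starts before the hunk.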


@ -165,8 +165,7 @@ where
{ {
/// Constructor function to create a new [`FridaInstrumentationHelper`], given a `module_name`. /// Constructor function to create a new [`FridaInstrumentationHelper`], given a `module_name`.
#[allow(clippy::too_many_lines)] #[allow(clippy::too_many_lines)]
#[must_use] pub fn new(gum: &'a Gum, options: &'a FuzzerOptions, runtimes: RT) -> Result<Self, Error> {
pub fn new(gum: &'a Gum, options: &'a FuzzerOptions, runtimes: RT) -> Self {
// workaround frida's frida-gum-allocate-near bug: // workaround frida's frida-gum-allocate-near bug:
#[cfg(unix)] #[cfg(unix)]
unsafe { unsafe {
@ -179,7 +178,8 @@ where
-1, -1,
0, 0,
) )
.expect("Failed to map dummy regions for frida workaround"); .map_err(|_| Error::unknown("Failed to map dummy regions for frida workaround"))?;
mmap( mmap(
None, None,
std::num::NonZeroUsize::new_unchecked(4 * 1024 * 1024), std::num::NonZeroUsize::new_unchecked(4 * 1024 * 1024),
@ -188,14 +188,14 @@ where
-1, -1,
0, 0,
) )
.expect("Failed to map dummy regions for frida workaround"); .map_err(|_| Error::unknown("Failed to map dummy regions for frida workaround"))?;
} }
} }
let mut modules_to_instrument = vec![options let mut modules_to_instrument = vec![options
.harness .harness
.as_ref() .as_ref()
.unwrap() .ok_or_else(|| Error::unknown("No modueles to instrument"))?
.to_string_lossy() .to_string_lossy()
.to_string()]; .to_string()];
modules_to_instrument.append(&mut options.libs_to_instrument.clone()); modules_to_instrument.append(&mut options.libs_to_instrument.clone());
@ -209,14 +209,14 @@ where
.mode(arch::arm64::ArchMode::Arm) .mode(arch::arm64::ArchMode::Arm)
.detail(true) .detail(true)
.build() .build()
.expect("Failed to create Capstone object"), .map_err(|_| Error::unknown("Failed to create Capstone object"))?,
#[cfg(all(target_arch = "x86_64", unix))] #[cfg(all(target_arch = "x86_64", unix))]
capstone: Capstone::new() capstone: Capstone::new()
.x86() .x86()
.mode(arch::x86::ArchMode::Mode64) .mode(arch::x86::ArchMode::Mode64)
.detail(true) .detail(true)
.build() .build()
.expect("Failed to create Capstone object"), .map_err(|_| Error::unknown("Failed to create Capstone object"))?,
ranges: RangeMap::new(), ranges: RangeMap::new(),
module_map: ModuleMap::new_from_names(gum, &modules_to_instrument), module_map: ModuleMap::new_from_names(gum, &modules_to_instrument),
options, options,
@ -235,7 +235,8 @@ where
} }
if !options.dont_instrument.is_empty() { if !options.dont_instrument.is_empty() {
for (module_name, offset) in options.dont_instrument.clone() { for (module_name, offset) in options.dont_instrument.clone() {
let module_details = ModuleDetails::with_name(module_name).unwrap(); let module_details = ModuleDetails::with_name(module_name.clone())
.ok_or_else(|| Error::unknown("Module {module_name} not found"))?;
let lib_start = module_details.range().base_address().0 as usize; let lib_start = module_details.range().base_address().0 as usize;
// println!("removing address: {:#x}", lib_start + offset); // println!("removing address: {:#x}", lib_start + offset);
helper helper
@ -365,7 +366,7 @@ where
helper.transformer = Some(transformer); helper.transformer = Some(transformer);
helper Ok(helper)
} }
/// Return the runtime /// Return the runtime
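Review bot: The error built right after `ModuleDetails::with_name(module_name.clone())` is a plain string literal, so `{module_name}` is never interpolated and the user sees the literal braces; the `.clone()` added for that purpose therefore buys nothing. Assuming `Error::unknown` accepts `impl Into<String>` as the other call sites suggest, make it `.ok_or_else(|| Error::unknown(format!("Module {module_name} not found")))?`. The harness check has a typo and misnames the condition — `.ok_or_else(|| Error::unknown("No harness given (options.harness is unset), nothing to instrument"))?` tells the caller what to fix. The four `.map_err(|_| Error::unknown(...))` conversions on `mmap` and `Capstone::build` discard the underlying error that `expect` used to print; keep it, e.g. `.map_err(|e| Error::unknown(format!("Failed to map dummy regions for frida workaround: {e}")))?`. Now that `new` is fallible its doc comment should gain an `# Errors` section listing these cases (missing harness, mmap failure, Capstone construction, unknown `dont_instrument` module); the constructor's body continues outside the hunks.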