Fix LLVMFuzzerCustomMutator with different sizes (#2347)

* Fix LLVMFuzzerCustomMutator with different sizes

* removed needless extra thingy

* clippy

* more clip
This commit is contained in:
Dominik Maier 2024-06-28 16:40:41 +02:00 committed by GitHub
parent 50d75422c8
commit 602bce446f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 30 additions and 22 deletions


@ -303,9 +303,8 @@ where
} else { } else {
libs.iter() libs.iter()
.filter_map(|lib| find_function(qemu, &lib.name, name, lib.off).unwrap()) .filter_map(|lib| find_function(qemu, &lib.name, name, lib.off).unwrap())
.map(|func_pc| { .inspect(|&func_pc| {
log::info!("Injections: Function {name} found at {func_pc:#x}",); log::info!("Injections: Function {name} found at {func_pc:#x}");
func_pc
}) })
.collect() .collect()
}; };


@ -19,7 +19,7 @@ use libafl::{
state::{HasCorpus, HasMaxSize, HasRand}, state::{HasCorpus, HasMaxSize, HasRand},
Error, Error,
}; };
use libafl_bolts::{rands::Rand, AsSlice, Named}; use libafl_bolts::{rands::Rand, AsSlice, HasLen, Named};
extern "C" { extern "C" {
fn libafl_targets_has_libfuzzer_custom_mutator() -> bool; fn libafl_targets_has_libfuzzer_custom_mutator() -> bool;
@ -322,10 +322,9 @@ where
input: &mut S::Input, input: &mut S::Input,
) -> Result<MutationResult, Error> { ) -> Result<MutationResult, Error> {
let seed = state.rand_mut().next(); let seed = state.rand_mut().next();
let target = input.bytes(); let len_orig = input.bytes().len();
let mut bytes = Vec::with_capacity(state.max_size()); let len_max = state.max_size();
bytes.extend_from_slice(target.as_slice()); input.resize(len_max, 0);
bytes.resize(state.max_size(), 0);
// we assume that the fuzzer did not use this mutator, but instead utilised their own // we assume that the fuzzer did not use this mutator, but instead utilised their own
let result = Rc::new(RefCell::new(Ok(MutationResult::Mutated))); let result = Rc::new(RefCell::new(Ok(MutationResult::Mutated)));
@ -334,11 +333,11 @@ where
let mut mutator = mutator.borrow_mut(); let mut mutator = mutator.borrow_mut();
mutator.replace(Box::new(proxy.weak())) mutator.replace(Box::new(proxy.weak()))
}); });
let new_size = unsafe { let new_len = unsafe {
libafl_targets_libfuzzer_custom_mutator( libafl_targets_libfuzzer_custom_mutator(
bytes.as_mut_ptr(), input.bytes_mut().as_mut_ptr(),
target.as_slice().len(), len_orig,
bytes.len(), len_max,
seed as u32, seed as u32,
) )
}; };
@ -350,15 +349,17 @@ where
if result.deref().borrow().is_err() { if result.deref().borrow().is_err() {
return result.replace(Ok(MutationResult::Skipped)); return result.replace(Ok(MutationResult::Skipped));
} }
bytes.truncate(new_size); if new_len > len_max {
input.bytes_mut().copy_from_slice(&bytes); return Err(Error::illegal_state("LLVMFuzzerCustomMutator returned more bytes than allowed. Expected up to 10,112 but got {new_len}"));
}
input.resize(new_len, 0);
Ok(MutationResult::Mutated) Ok(MutationResult::Mutated)
} }
} }
impl<MT, SM> Named for LLVMCustomMutator<MT, SM, true> { impl<MT, SM> Named for LLVMCustomMutator<MT, SM, true> {
fn name(&self) -> &Cow<'static, str> { fn name(&self) -> &Cow<'static, str> {
static NAME: Cow<'static, str> = Cow::Borrowed("LLVMCustomCrossover"); static NAME: Cow<'static, str> = Cow::Borrowed("LLVMCustomMutator");
&NAME &NAME
} }
} }
@ -411,7 +412,11 @@ where
let seed = state.rand_mut().next(); let seed = state.rand_mut().next();
let mut out = vec![0u8; state.max_size()]; let mut out = vec![0u8; state.max_size()];
let data1 = input.bytes();
let len_max = state.max_size();
let len_orig = input.len();
input.resize(len_max, 0);
// we assume that the fuzzer did not use this mutator, but instead utilised their own // we assume that the fuzzer did not use this mutator, but instead utilised their own
let result = Rc::new(RefCell::new(Ok(MutationResult::Mutated))); let result = Rc::new(RefCell::new(Ok(MutationResult::Mutated)));
@ -420,14 +425,14 @@ where
let mut mutator = mutator.borrow_mut(); let mut mutator = mutator.borrow_mut();
mutator.replace(Box::new(proxy.weak())) mutator.replace(Box::new(proxy.weak()))
}); });
let new_size = unsafe { let new_len = unsafe {
libafl_targets_libfuzzer_custom_crossover( libafl_targets_libfuzzer_custom_crossover(
data1.as_ptr(), input.bytes_mut().as_mut_ptr(),
data1.len(), len_orig,
data2.as_ptr(), data2.as_ptr(),
data2.len(), data2.len(),
out.as_mut_ptr(), out.as_mut_ptr(),
out.len(), len_max,
seed as u32, seed as u32,
) )
}; };
@ -439,8 +444,12 @@ where
if result.deref().borrow().is_err() { if result.deref().borrow().is_err() {
return result.replace(Ok(MutationResult::Skipped)); return result.replace(Ok(MutationResult::Skipped));
} }
out.truncate(new_size);
input.bytes_mut().copy_from_slice(&out); if new_len > len_max {
return Err(Error::illegal_state("LLVMFuzzerCustomCrossOver returned more bytes than allowed. Expected up to 10,112 but got {new_len}"));
}
input.resize(new_len, 0);
Ok(MutationResult::Mutated) Ok(MutationResult::Mutated)
} }
} }
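Review bot: In the crossover hunk the callee writes its result into `out` (it is passed as `out.as_mut_ptr(), len_max`), but the new side drops the old `copy_from_slice(&out)` and only does `input.resize(new_len, 0)`, so the crossover output is presumably discarded and `input` ends up as the original bytes zero-padded or truncated to `new_len`; after the resize it needs `input.bytes_mut().copy_from_slice(&out[..new_len]);`. Both new error paths pass a plain string literal to `Error::illegal_state`, so `{new_len}` is emitted verbatim and the hard-coded `10,112` need not match `len_max`; use `Error::illegal_state(format!("LLVMFuzzerCustomCrossOver returned more bytes than allowed. Expected up to {len_max} but got {new_len}"))` here and the equivalent text in the mutator hunk. Note also that the `new_len > len_max` comparison runs after the unsafe call has already returned, so it can only report a callee that broke its contract, not prevent it from writing past the buffer it was handed. The enclosing functions begin outside these hunks.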