allow all input from env

2022-11-03 10:38:17 +01:00 · 2022-11-03 10:38:17 +01:00 · 60e49f2377
commit 60e49f2377
parent efef29f877
1 changed files with 16 additions and 8 deletions
--- a/fuzzers/qemu_fret/src/fuzzer.rs
+++ b/fuzzers/qemu_fret/src/fuzzer.rs
@ -93,10 +93,15 @@ pub fn fuzz() {

    emu.remove_breakpoint(test_one_input_ptr); // LLVMFuzzerTestOneInput
    emu.set_breakpoint(ret_addr); // LLVMFuzzerTestOneInput ret addr
-
-    let input_addr = emu
-        .map_private(0, MAX_INPUT_SIZE, MmapPerms::ReadWrite)
-        .unwrap();
+    let input_addr = match env::var("DIRECT_WRITE") { 
+        Ok(_) => elf
+            .resolve_symbol(&env::var("FUZZ_INPUT").expect("FUZZ_INPUT not set"), emu.load_addr())
+            .expect("FUZZ_INPUT symbol not found"),
+        _ => emu
+            .map_private(0, MAX_INPUT_SIZE, MmapPerms::ReadWrite)
+            .unwrap(),
+    };
+        
    println!("Placing input at {:#x}", input_addr);

    // The wrapped harness function, calling out to the LLVM-style harness
@ -112,10 +117,13 @@ pub fn fuzz() {
        unsafe {
            emu.write_mem(input_addr, buf);

-            emu.write_reg(Regs::Rdi, input_addr).unwrap();
-            emu.write_reg(Regs::Rsi, len).unwrap();
-            emu.write_reg(Regs::Rip, test_one_input_ptr).unwrap();
-            emu.write_reg(Regs::Rsp, stack_ptr).unwrap();
+            if env::var("DIRECT_WRITE").is_err() {
+                println!("Write reg");
+                emu.write_reg(Regs::Rdi, input_addr).unwrap();
+                emu.write_reg(Regs::Rsi, len).unwrap();
+            }
+                emu.write_reg(Regs::Rip, test_one_input_ptr).unwrap();
+                emu.write_reg(Regs::Rsp, stack_ptr).unwrap();

            emu.run();
        }