From 60e49f2377973e2a5754cceb5d526eec2b8916c5 Mon Sep 17 00:00:00 2001 From: Alwin Berger Date: Thu, 3 Nov 2022 10:38:17 +0100 Subject: [PATCH] allow all input from env --- fuzzers/qemu_fret/src/fuzzer.rs | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/fuzzers/qemu_fret/src/fuzzer.rs b/fuzzers/qemu_fret/src/fuzzer.rs index 6d0bc2bd17..97cfb7ae63 100644 --- a/fuzzers/qemu_fret/src/fuzzer.rs +++ b/fuzzers/qemu_fret/src/fuzzer.rs @@ -93,10 +93,15 @@ pub fn fuzz() { emu.remove_breakpoint(test_one_input_ptr); // LLVMFuzzerTestOneInput emu.set_breakpoint(ret_addr); // LLVMFuzzerTestOneInput ret addr - - let input_addr = emu - .map_private(0, MAX_INPUT_SIZE, MmapPerms::ReadWrite) - .unwrap(); + let input_addr = match env::var("DIRECT_WRITE") { + Ok(_) => elf + .resolve_symbol(&env::var("FUZZ_INPUT").expect("FUZZ_INPUT not set"), emu.load_addr()) + .expect("FUZZ_INPUT symbol not found"), + _ => emu + .map_private(0, MAX_INPUT_SIZE, MmapPerms::ReadWrite) + .unwrap(), + }; + println!("Placing input at {:#x}", input_addr); // The wrapped harness function, calling out to the LLVM-style harness @@ -112,10 +117,13 @@ pub fn fuzz() { unsafe { emu.write_mem(input_addr, buf); - emu.write_reg(Regs::Rdi, input_addr).unwrap(); - emu.write_reg(Regs::Rsi, len).unwrap(); - emu.write_reg(Regs::Rip, test_one_input_ptr).unwrap(); - emu.write_reg(Regs::Rsp, stack_ptr).unwrap(); + if env::var("DIRECT_WRITE").is_err() { + println!("Write reg"); + emu.write_reg(Regs::Rdi, input_addr).unwrap(); + emu.write_reg(Regs::Rsi, len).unwrap(); + } + emu.write_reg(Regs::Rip, test_one_input_ptr).unwrap(); + emu.write_reg(Regs::Rsp, stack_ptr).unwrap(); emu.run(); }
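Review bot: In the `Ok(_)` arm the address resolved for `FUZZ_INPUT` carries no size, yet the later `emu.write_mem(input_addr, buf)` is bounded only by whatever truncates `buf` outside this hunk (presumably `MAX_INPUT_SIZE`, which the `map_private` arm still uses); if the target's buffer at that symbol is smaller, the write overruns adjacent guest data and any resulting crash is an artefact of the harness, not a finding. The match should at least document that contract, e.g. `// DIRECT_WRITE: input is written straight to the FUZZ_INPUT symbol, which must be at least MAX_INPUT_SIZE bytes in the target`. Note also that `Ok(_)` treats any value, including an empty string or "0", as enabling the mode, and that the same variable is read again inside the harness closure in the next hunk; computing `let direct_write = env::var("DIRECT_WRITE").is_ok();` once before the match and reusing it keeps the two decisions from diverging. The enclosing `fuzz()` starts before and continues after this hunk.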
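Review bot: `println!("Write reg")` sits inside the per-execution harness, so it runs on every fuzz iteration, flooding stdout and slowing the loop; drop it or leave it only under a debug flag. When `DIRECT_WRITE` is set, `Rdi`/`Rsi` are deliberately left untouched, so `LLVMFuzzerTestOneInput` is entered with stale argument registers and `len` is never passed to the target — presumably it reads its own global buffer, but the code should say so: `// DIRECT_WRITE: target reads its input from the FUZZ_INPUT symbol; rdi/rsi intentionally not set`. The `unsafe` block this hunk edits still has no `// SAFETY:` comment explaining why the register and memory writes are sound. The enclosing harness closure and `fuzz()` start before this hunk.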