showmap debug options

This commit is contained in:
Alwin Berger 2022-02-10 14:40:42 +01:00
parent 99bd30c233
commit 64dfd6a642
2 changed files with 49 additions and 26 deletions


@ -20,3 +20,4 @@ ron = "0.7" # write serialized data - including hashmaps
hashbrown = { version = "0.11", features = ["serde", "ahash-compile-time-rng"], default-features=false } # A faster hashmap, nostd compatible hashbrown = { version = "0.11", features = ["serde", "ahash-compile-time-rng"], default-features=false } # A faster hashmap, nostd compatible
nix = "0.23.0" nix = "0.23.0"
goblin = "0.4.2" goblin = "0.4.2"
either = "1.6.1"
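Review bot: The new `either` dependency is pulled in only to tell a literal seed string apart from a seed directory in the other file's `fuzz` signature; a local two-variant enum (say `Seed { Literal(String), Dir(PathBuf) }`) would express that without widening the dependency tree and would name the variants after their meaning rather than `Left`/`Right`. The diffstat lists two changed files and no lockfile change, so if `Cargo.lock` is tracked it appears not to have been regenerated for this commit; worth confirming so the resolved version is recorded alongside the `"1.6.1"` caret requirement.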


@ -17,16 +17,19 @@ use libafl::{
rands::StdRand, rands::StdRand,
tuples::{tuple_list}, tuples::{tuple_list},
}, },
corpus::{InMemoryCorpus,QueueCorpusScheduler}, corpus::{Corpus,InMemoryCorpus,QueueCorpusScheduler},
executors::{ExitKind}, executors::{ExitKind},
fuzzer::{StdFuzzer}, fuzzer::{StdFuzzer},
inputs::{Input,BytesInput, HasTargetBytes}, inputs::{Input,BytesInput, HasTargetBytes},
observers::{VariableMapObserver}, observers::{VariableMapObserver},
state::{StdState}, state::{HasCorpus,StdState},
Error, Error,
Evaluator, Evaluator,
stats::SimpleStats, stats::SimpleStats,
events::SimpleEventManager, events::SimpleEventManager,
stages::StdMutationalStage,
mutators::BitFlipMutator,
Fuzzer,
}; };
use libafl_qemu::{ use libafl_qemu::{
edges, edges,
@ -39,6 +42,7 @@ use libafl_qemu::{
QemuExecutor, QemuExecutor,
}; };
use either::{Either,Left,Right};
/// The fuzzer main /// The fuzzer main
pub fn main() { pub fn main() {
@ -95,6 +99,11 @@ pub fn main() {
.required(true) .required(true)
.takes_value(true), .takes_value(true),
) )
.arg(
Arg::new("single")
.long("libafl-single")
.takes_value(true)
)
.try_get_matches_from(filter_qemu_args()) .try_get_matches_from(filter_qemu_args())
{ {
Ok(res) => res, Ok(res) => res,
@ -128,11 +137,17 @@ pub fn main() {
worstcases.push("worstcase"); worstcases.push("worstcase");
out_dir.push("queue"); out_dir.push("queue");
let seed = match res.value_of("single") {
Some(s) => Left(s.to_string()),
None => {
let in_dir = PathBuf::from(res.value_of("in").unwrap().to_string()); let in_dir = PathBuf::from(res.value_of("in").unwrap().to_string());
if !in_dir.is_dir() { if !in_dir.is_dir() {
println!("In dir at {:?} is not a valid directory!", &in_dir); println!("In dir at {:?} is not a valid directory!", &in_dir);
return; return;
} }
Right(in_dir)
},
};
let kernel = PathBuf::from(res.value_of("k").unwrap().to_string()); let kernel = PathBuf::from(res.value_of("k").unwrap().to_string());
let edges = match res.value_of("edges") { let edges = match res.value_of("edges") {
@ -142,7 +157,7 @@ pub fn main() {
let snapshot = PathBuf::from(res.value_of("snapshot").unwrap().to_string()); let snapshot = PathBuf::from(res.value_of("snapshot").unwrap().to_string());
fuzz(in_dir, kernel, edges, snapshot) fuzz(seed, kernel, edges, snapshot)
.expect("An error occurred while fuzzing"); .expect("An error occurred while fuzzing");
} }
@ -161,7 +176,7 @@ fn virt2phys(vaddr : u64, tab : &goblin::elf::Elf) -> u64 {
/// The actual fuzzer /// The actual fuzzer
fn fuzz( fn fuzz(
seed_dir: PathBuf, seed: Either<String,PathBuf>,
kernel: PathBuf, kernel: PathBuf,
dump_edges: Option<PathBuf>, dump_edges: Option<PathBuf>,
snapshot: PathBuf, snapshot: PathBuf,
@ -317,10 +332,30 @@ fn fuzz(
&mut state, &mut state,
&mut mgr, &mut mgr,
)?; )?;
let firstinput = match seed_dir.clone().is_dir() { match seed {
true => seed_dir.clone().read_dir().expect("Directory not a directory?").next().expect("Directory empty?").expect("File not in directory?").path(), Right(pb) => {
false => seed_dir.clone() if state.corpus().count() < 1 {
}; state
.load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &[pb.clone()])
.unwrap_or_else(|_| {
println!("Failed to load initial corpus at {:?}", &pb);
return;
});
println!("We imported {} inputs from disk.", state.corpus().count());
}
fuzzer
.fuzz_one(&mut tuple_list!(StdMutationalStage::new(BitFlipMutator::new())), &mut executor, &mut state, &mut mgr)
.expect("Error in the fuzzing loop");
},
Left(s) => {
fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, BytesInput::new(s.as_bytes().to_vec())).expect("Evaluation failed");
}
}
// let firstinput = match seed.clone().is_dir() {
// true => seed.clone().read_dir().expect("Directory not a directory?").next().expect("Directory empty?").expect("File not in directory?").path(),
// false => seed.clone()
// };
// let secondinput = match seed_dir.clone().is_dir() { // let secondinput = match seed_dir.clone().is_dir() {
// true => { // true => {
// let mut a = seed_dir.clone().read_dir().expect("Directory not a directory?"); // let mut a = seed_dir.clone().read_dir().expect("Directory not a directory?");
@ -329,20 +364,7 @@ fn fuzz(
// }, // },
// false => seed_dir.clone() // false => seed_dir.clone()
// }; // };
fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, Input::from_file(&firstinput).expect("Could not load file")).expect("Evaluation failed");
// fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, Input::from_file(&secondinput).expect("Could not load file")).expect("Evaluation failed"); // fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, Input::from_file(&secondinput).expect("Could not load file")).expect("Evaluation failed");
// println!("Nach Eval"); // println!("Nach Eval");
// if state.corpus().count() < 1 {
// state
// .load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &[seed_dir.clone()])
// .unwrap_or_else(|_| {
// println!("Failed to load initial corpus at {:?}", &seed_dir);
// return;
// });
// println!("We imported {} inputs from disk.", state.corpus().count());
// }
// fuzzer
// .fuzz_one(&mut tuple_list!(StdMutationalStage::new(BitFlipMutator::new())), &mut executor, &mut state, &mut mgr)
// .expect("Error in the fuzzing loop");
return Ok(()); return Ok(());
} }
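Review bot: In the `Right(pb)` arm of the new `match seed` block, the `return;` inside the `unwrap_or_else` closure only returns from the closure, not from `fuzz`, so a failed `load_initial_inputs` is printed, the error value is discarded via `|_|`, and execution falls through to `fuzz_one` on a corpus that is still empty. Since the enclosing function already propagates libafl errors with `?` (see the `)?;` two lines above the match), the same shape keeps the message and aborts: `state.load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &[pb.clone()]).map_err(|e| { println!("Failed to load initial corpus at {:?}: {:?}", &pb, e); e })?;` — this assumes `fuzz`'s error type is the one `load_initial_inputs` returns, which the hunk does not show. `fuzz` begins outside the hunk; its closing brace is the last line shown. The previous `firstinput` lookup is kept as a commented-out block directly below the match; it is now dead and should be removed rather than preserved as comments, as should the other commented-out experiments in the same hunk.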