From 6ad82092cdaca343eca5d6569b8de8648ece548c Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Sun, 17 Jan 2021 11:11:15 +0100 Subject: [PATCH] linpng example compiles --- afl/src/engines/mod.rs | 5 +-- afl/src/executors/inmemory.rs | 53 ++++++++++++----------------- afl/src/executors/mod.rs | 34 ++++++++++-------- afl/src/stages/mutational.rs | 3 +- fuzzers/libfuzzer_libpng/src/mod.rs | 25 +++++++++----- 5 files changed, 62 insertions(+), 58 deletions(-) diff --git a/afl/src/engines/mod.rs b/afl/src/engines/mod.rs index f554ef7244..9fca52c995 100644 --- a/afl/src/engines/mod.rs +++ b/afl/src/engines/mod.rs @@ -89,7 +89,8 @@ where println!("Loading file {:?} ...", &path); let bytes = std::fs::read(&path)?; let input = BytesInput::new(bytes); - let fitness = self.evaluate_input(&input, engine.executor_mut(), corpus, manager)?; + let fitness = + self.evaluate_input(&input, engine.executor_mut(), corpus, manager)?; if self.add_if_interesting(corpus, input, fitness)?.is_none() { println!("File {:?} was not interesting, skipped.", &path); } @@ -232,7 +233,7 @@ where executor.pre_exec(&self, corpus, event_mgr, input)?; executor.run_target(input)?; executor.post_exec(&self, corpus, event_mgr, input)?; - + self.set_executions(self.executions() + 1); executor.post_exec_observers()?; diff --git a/afl/src/executors/inmemory.rs b/afl/src/executors/inmemory.rs index b0cdb54c11..d72c4612d5 100644 --- a/afl/src/executors/inmemory.rs +++ b/afl/src/executors/inmemory.rs @@ -1,5 +1,5 @@ -use os_signals::set_oncrash_ptrs; use core::marker::PhantomData; +use os_signals::set_oncrash_ptrs; use crate::{ corpus::Corpus, @@ -45,42 +45,39 @@ where I: Input + HasTargetBytes, OT: ObserversTuple, { - fn pre_exec( &mut self, state: &State, corpus: &C, event_mgr: &mut EM, input: &I, - ) -> Result<(), AflError> where - R: Rand , + ) -> Result<(), AflError> + where + R: Rand, FT: FeedbacksTuple, C: Corpus, EM: EventManager, - { - #[cfg(unix)] + { + #[cfg(unix)] unsafe { - set_oncrash_ptrs::( - state, - corpus, - event_mgr, - input, - ); + set_oncrash_ptrs::(state, corpus, event_mgr, input); } Ok(()) } - + fn post_exec( &mut self, _state: &State, _corpus: &C, _event_mgr: &mut EM, _input: &I, - ) -> Result<(), AflError> where - R: Rand , + ) -> Result<(), AflError> + where + R: Rand, FT: FeedbacksTuple, C: Corpus, - EM: EventManager, { + EM: EventManager, + { #[cfg(unix)] unsafe { reset_oncrash_ptrs::(); @@ -89,10 +86,7 @@ where } #[inline] - fn run_target( - &mut self, - input: &I, - ) -> Result { + fn run_target(&mut self, input: &I) -> Result { let bytes = input.target_bytes(); let ret = (self.harness_fn)(self, bytes.as_slice()); Ok(ret) @@ -145,11 +139,13 @@ where _state: &State, _corpus: &C, _event_mgr: &mut EM, - ) -> Self where - R: Rand , + ) -> Self + where + R: Rand, FT: FeedbacksTuple, C: Corpus, - EM: EventManager, { + EM: EventManager, + { #[cfg(feature = "std")] unsafe { setup_crash_handlers::(); @@ -159,7 +155,7 @@ where harness_fn, observers, name, - phantom: PhantomData + phantom: PhantomData, } } } @@ -203,13 +199,8 @@ pub mod unix_signals { }; use crate::{ - corpus::Corpus, - engines::State, - events::EventManager, - feedbacks::FeedbacksTuple, - inputs::Input, - observers::ObserversTuple, - utils::Rand, + corpus::Corpus, engines::State, events::EventManager, feedbacks::FeedbacksTuple, + inputs::Input, observers::ObserversTuple, utils::Rand, }; /// Pointers to values only needed on crash. As the program will not continue after a crash, diff --git a/afl/src/executors/mod.rs b/afl/src/executors/mod.rs index a9cd1f3eea..52256e7be2 100644 --- a/afl/src/executors/mod.rs +++ b/afl/src/executors/mod.rs @@ -6,14 +6,14 @@ pub mod runtime; use core::marker::PhantomData; use crate::{ - engines::State, corpus::Corpus, - feedbacks::FeedbacksTuple, + engines::State, events::EventManager, - utils::Rand, + feedbacks::FeedbacksTuple, inputs::{HasTargetBytes, Input}, observers::ObserversTuple, tuples::{MatchNameAndType, MatchType, Named, TupleList}, + utils::Rand, AflError, }; @@ -84,30 +84,34 @@ where _corpus: &C, _event_mgr: &mut EM, _input: &I, - ) -> Result<(), AflError> where - R: Rand , + ) -> Result<(), AflError> + where + R: Rand, FT: FeedbacksTuple, C: Corpus, - EM: EventManager, { Ok(()) } - + EM: EventManager, + { + Ok(()) + } + fn post_exec( &mut self, _state: &State, _corpus: &C, _event_mgr: &mut EM, _input: &I, - ) -> Result<(), AflError> where - R: Rand , + ) -> Result<(), AflError> + where + R: Rand, FT: FeedbacksTuple, C: Corpus, - EM: EventManager, { Ok(()) } + EM: EventManager, + { + Ok(()) + } /// Instruct the target about the input and run - fn run_target( - &mut self, - input: &I - ) -> Result; - + fn run_target(&mut self, input: &I) -> Result; } pub trait ExecutorsTuple: MatchType + MatchNameAndType diff --git a/afl/src/stages/mutational.rs b/afl/src/stages/mutational.rs index 1937769fd7..c836b0dea7 100644 --- a/afl/src/stages/mutational.rs +++ b/afl/src/stages/mutational.rs @@ -61,7 +61,8 @@ where self.mutator_mut() .mutate(rand, corpus, &mut input_mut, i as i32)?; - let fitness = state.evaluate_input(&input_mut, engine.executor_mut(), corpus, manager)?; + let fitness = + state.evaluate_input(&input_mut, engine.executor_mut(), corpus, manager)?; self.mutator_mut() .post_exec(fitness, &input_mut, i as i32)?; diff --git a/fuzzers/libfuzzer_libpng/src/mod.rs b/fuzzers/libfuzzer_libpng/src/mod.rs index c7f24abf0e..de48bcb1ee 100644 --- a/fuzzers/libfuzzer_libpng/src/mod.rs +++ b/fuzzers/libfuzzer_libpng/src/mod.rs @@ -16,7 +16,7 @@ use afl::{ executors::{inmemory::InMemoryExecutor, Executor, ExitKind}, feedbacks::MaxMapFeedback, generators::RandPrintablesGenerator, - inputs::BytesInput, + inputs::{BytesInput, Input}, mutators::{scheduled::HavocBytesMutator, HasMaxSize}, observers::StdMapObserver, stages::mutational::StdMutationalStage, @@ -48,7 +48,11 @@ extern "C" { } /// The wrapped harness function, calling out to the llvm-style libfuzzer harness -fn harness(_executor: &dyn Executor, buf: &[u8]) -> ExitKind { +fn harness(_executor: &E, buf: &[u8]) -> ExitKind +where + E: Executor, + I: Input, +{ unsafe { LLVMFuzzerTestOneInput(buf.as_ptr(), buf.len()); } @@ -208,12 +212,8 @@ fn fuzz(input: Option>, broker_port: u16) -> Result<(), AflError> { // We reset the sender, the next sender and receiver (after crash) will reuse the page from the initial message. unsafe { sender.reset_last_page() }; - // Create the engine - let executor = InMemoryExecutor::<_, _, _, LlmpEventManager<_, _, _>, _, _>::new( - "Libfuzzer", - harness, - tuple_list!(edges_observer), - Box::new(move |exit_kind, input, state, corpus, mgr| { + /* + move |exit_kind, input, state, corpus, mgr| { match exit_kind { ExitKind::Timeout => mgr.timeout(input).expect(&format!( "Error sending Timeout event for input {:?}", @@ -228,7 +228,14 @@ fn fuzz(input: Option>, broker_port: u16) -> Result<(), AflError> { let state_corpus_serialized = serialize_state_corpus_mgr(state, corpus, mgr).unwrap(); println!("bar: {:?}", &state_corpus_serialized); sender.send_buf(0x1, &state_corpus_serialized).unwrap(); - }), + } + */ + + // Create the engine + let executor = InMemoryExecutor::new( + "Libfuzzer", + harness, + tuple_list!(edges_observer), &state, &corpus, &mut mgr,