resolve zero-sized allocation in swap diff fuzzer (#1139)

This commit is contained in:
Addison Crump 2023-03-12 23:24:22 +01:00 committed by GitHub
parent b72bf55555
commit 786af9f6a9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 14 additions and 13 deletions


@ -32,7 +32,7 @@ windows_alias = "unsupported"
script_runner = "@shell" script_runner = "@shell"
script=''' script='''
timeout 10s ${CARGO_TARGET_DIR}/release/${FUZZER_NAME} >fuzz_stdout.log || true timeout 10s ${CARGO_TARGET_DIR}/release/${FUZZER_NAME} >fuzz_stdout.log || true
if [ -z "$(grep "corpus: 30" fuzz_stdout.log)" ]; then if [ -z "$(grep "objectives: 1" fuzz_stdout.log)" ]; then
echo "Fuzzer does not generate any testcases or any crashes" echo "Fuzzer does not generate any testcases or any crashes"
exit 1 exit 1
else else
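Review bot: The grep on the changed `if` line matches the literal count `objectives: 1`, so a run that records two or more objectives within the 10s window would fail the check even though it found what it was looking for; if the intent is "at least one objective", a count-agnostic pattern such as `if ! grep -Eq "objectives: [1-9]" fuzz_stdout.log; then` is safer and also drops the `-z "$(...)"` indirection. The `echo` on the next line still reports that the fuzzer produced neither testcases nor crashes, but the check no longer looks at the corpus count, so the message should be narrowed to what is actually tested, e.g. `echo "Fuzzer did not report any objectives"`. The enclosing `script='''` block continues outside the hunk.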


@ -24,7 +24,7 @@ use libafl::{
stages::mutational::StdMutationalStage, stages::mutational::StdMutationalStage,
state::{HasSolutions, StdState}, state::{HasSolutions, StdState},
}; };
use libafl_targets::{DifferentialAFLMapSwapObserver, MAX_EDGES_NUM}; use libafl_targets::{edges_max_num, DifferentialAFLMapSwapObserver};
#[cfg(not(miri))] #[cfg(not(miri))]
use mimalloc::MiMalloc; use mimalloc::MiMalloc;
@ -89,13 +89,15 @@ pub fn main() {
} }
}; };
let num_edges: usize = edges_max_num();
#[cfg(feature = "multimap")] #[cfg(feature = "multimap")]
let (first_map_observer, second_map_observer, map_swapper, map_observer) = { let (first_map_observer, second_map_observer, map_swapper, map_observer) = {
// initialize the maps // initialize the maps
unsafe { unsafe {
let layout = Layout::from_size_align(MAX_EDGES_NUM, 64).unwrap(); let layout = Layout::from_size_align(num_edges, 64).unwrap();
FIRST_EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), MAX_EDGES_NUM); FIRST_EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), num_edges);
SECOND_EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), MAX_EDGES_NUM); SECOND_EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), num_edges);
COMBINED_EDGES = [&mut FIRST_EDGES, &mut SECOND_EDGES]; COMBINED_EDGES = [&mut FIRST_EDGES, &mut SECOND_EDGES];
} }
@ -128,19 +130,18 @@ pub fn main() {
let (first_map_observer, second_map_observer, map_swapper, map_observer) = { let (first_map_observer, second_map_observer, map_swapper, map_observer) = {
// initialize the map // initialize the map
unsafe { unsafe {
let layout = Layout::from_size_align(MAX_EDGES_NUM * 2, 64).unwrap(); let layout = Layout::from_size_align(num_edges * 2, 64).unwrap();
EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), MAX_EDGES_NUM * 2); EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), num_edges * 2);
} }
// create the base maps used to observe the different executors by splitting a slice // create the base maps used to observe the different executors by splitting a slice
let mut first_map_observer = unsafe { let mut first_map_observer =
StdMapObserver::from_mut_ptr("first-edges", EDGES.as_mut_ptr(), MAX_EDGES_NUM) unsafe { StdMapObserver::from_mut_ptr("first-edges", EDGES.as_mut_ptr(), num_edges) };
};
let mut second_map_observer = unsafe { let mut second_map_observer = unsafe {
StdMapObserver::from_mut_ptr( StdMapObserver::from_mut_ptr(
"second-edges", "second-edges",
EDGES.as_mut_ptr().add(MAX_EDGES_NUM), EDGES.as_mut_ptr().add(num_edges),
MAX_EDGES_NUM, num_edges,
) )
}; };
@ -155,7 +156,7 @@ pub fn main() {
HitcountsMapObserver::new(StdMapObserver::differential_from_mut_ptr( HitcountsMapObserver::new(StdMapObserver::differential_from_mut_ptr(
"combined-edges", "combined-edges",
EDGES.as_mut_ptr(), EDGES.as_mut_ptr(),
MAX_EDGES_NUM * 2, num_edges * 2,
)) ))
}; };