added pc_guard runtime in rust

afl/Cargo.toml

@@ -30,7 +30,8 @@ debug = true
 
 [features]
 default = ["std"]
-std = []
+std = [] # print, sharedmap, ... support
+runtime = [] # a runtime for clang inmem-executor
 
 [[example]]
 name = "llmp_test"

afl/src/executors/mod.rs

@@ -1,4 +1,6 @@
 pub mod inmemory;
+#[cfg(feature = "runtime")]
+pub mod runtime;
 
 use core::marker::PhantomData;
 

afl/src/executors/runtime.rs

@@ -0,0 +1,45 @@
+//#![feature(asm)]
+
+#[no_mangle]
+pub static mut __lafl_dummy_map: [u8; 65536] = [0; 65536];
+#[no_mangle]
+pub static mut __lafl_edges_map: *mut u8 = unsafe { __lafl_dummy_map.as_ptr() as *mut _ };
+#[no_mangle]
+pub static mut __lafl_cmp_map: *mut u8 = unsafe { __lafl_dummy_map.as_ptr() as *mut _ };
+#[no_mangle]
+pub static mut __lafl_max_edges_size: u32 = 0;
+
+#[no_mangle]
+#[inline]
+pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard(guard: &u32) {
+    let ref mut trace_byte = *__lafl_edges_map.offset(*guard as isize);
+    /* TODO: translate to RUST inline ASM
+    #[cfg(any(target_arch = "x86", target_arch = "x86_64"))]
+    asm! volatile(                     \
+      "addb $1, (%0, %1, 1)\n"      \
+      "adcb $0, (%0, %1, 1)\n"      \
+      : /* no out */                \
+      : "r"(afl_area_ptr), "r"(loc) \
+      : "memory", "eax")
+
+    #[cfg(not(any(target_arch = "x86", target_arch = "x86_64")))]
+    */
+    *trace_byte = (*trace_byte).wrapping_add(1);
+}
+
+#[no_mangle]
+#[inline]
+pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard_init(mut start: *mut u32, stop: *mut u32) {
+    if start == stop || *start != 0 {
+        return;
+    }
+    __lafl_max_edges_size = __lafl_max_edges_size.wrapping_add(1);
+    let fresh1 = start;
+    start = start.offset(1);
+    *fresh1 = __lafl_max_edges_size & (65536 as libc::c_int - 1 as libc::c_int) as libc::c_uint;
+    while start < stop {
+        __lafl_max_edges_size = __lafl_max_edges_size.wrapping_add(1);
+        *start = __lafl_max_edges_size & (65536 as libc::c_int - 1 as libc::c_int) as libc::c_uint;
+        start = start.offset(1)
+    }
+}

fuzzers/libfuzzer_test/Cargo.toml

@@ -23,7 +23,7 @@ num_cpus = "1.0"
 
 [dependencies]
 clap = "2.32.0"
-afl = { path = "../../afl/" }
+afl = { path = "../../afl/", features = ["std", "runtime"] }
 
 [[bin]]
 name = "libfuzzer"

fuzzers/libfuzzer_test/build.rs

@@ -15,13 +15,15 @@ fn main() {
     // We need clang for pc-guard support
     std::env::set_var("CC", "clang");
 
+    /*
     cc::Build::new()
         .file("../libfuzzer_runtime/rt.c")
         .compile("libfuzzer-sys-rt");
+        */
 
     cc::Build::new()
         .file("./test/test.c")
-        .flag("-fsanitize-coverage=trace-pc-guard,trace-cmp")
+        .flag("-fsanitize-coverage=trace-pc-guard")
         .compile("libfuzzer-sys-target");
 
     println!("cargo:rustc-link-search=native={}", &out_dir);

fuzzers/libfuzzer_test/src/mod.rs

@@ -30,9 +30,6 @@ extern "C" {
     /// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
     fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32;
 
-    // afl_libfuzzer_init calls LLVMFUzzerInitialize()
-    fn afl_libfuzzer_init() -> i32;
-
     static __lafl_edges_map: *mut u8;
     static __lafl_cmp_map: *mut u8;
     static __lafl_max_edges_size: u32;
@@ -129,13 +126,6 @@ pub fn main() {
 
     let mut engine = Engine::new(executor);
 
-    // Call LLVMFUzzerInitialize() if present.
-    unsafe {
-        if afl_libfuzzer_init() == -1 {
-            println!("Warning: LLVMFuzzerInitialize failed with -1")
-        }
-    }
-
     match input {
         Some(x) => state
             .load_initial_inputs(&mut corpus, &mut generator, &mut engine, &mut mgr, &x)

fuzzers/libfuzzer_test/test.sh

@@ -12,7 +12,7 @@ test "$!" -gt 0 && {
 
 }
 
-sleep 10
+sleep 15
 echo "[+] Done"
 killall .libfuzzer_test.elf
 rm -rf ./.libfuzzer_test.elf