SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

use hitcounts in libfuzzer rt

Browse Source
This commit is contained in:
Andrea Fioraldi 2021-03-01 10:20:08 +01:00
parent dc39a5591a
commit 7c9fc88e66
4 changed files with 7 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
fuzzers/libfuzzer_libpng/build.rs
View File

@ -95,6 +95,7 @@ fn main() {
cc::Build::new() cc::Build::new()
.include(&libpng_path) .include(&libpng_path)
.flag("-fsanitize-coverage=trace-pc-guard") .flag("-fsanitize-coverage=trace-pc-guard")
// .define("HAS_DUMMY_CRASH", "1")
.file("./harness.cc") .file("./harness.cc")
.compile("libfuzzer-harness"); .compile("libfuzzer-harness");

7
fuzzers/libfuzzer_libpng/harness.cc
View File

@ -20,8 +20,6 @@
#include <vector> #include <vector>
#define HAS_BUG 1
#define PNG_INTERNAL #define PNG_INTERNAL
#include "png.h" #include "png.h"
@ -159,8 +157,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
// This is going to be too slow. // This is going to be too slow.
if (width && height > 100000000 / width) { if (width && height > 100000000 / width) {
PNG_CLEANUP PNG_CLEANUP
if (HAS_BUG) #ifdef HAS_DUMMY_CRASH
asm("ud2"); asm("ud2");
#endif
return 0; return 0;
} }

1
fuzzers/libfuzzer_libpng/src/fuzzer.rs
View File

@ -124,7 +124,6 @@ fn fuzz(corpus_dirs: Vec<PathBuf>, objective_dir: PathBuf, broker_port: u16) ->
// A fuzzer with just one stage and a minimization+queue policy to get testcasess from the corpus // A fuzzer with just one stage and a minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new()); let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
//let scheduler = QueueCorpusScheduler::new();
let fuzzer = StdFuzzer::new(scheduler, tuple_list!(stage)); let fuzzer = StdFuzzer::new(scheduler, tuple_list!(stage));
// Create the executor for an in-process function with just one observer for edge coverage // Create the executor for an in-process function with just one observer for edge coverage

6
fuzzers/libfuzzer_runtime/rt.c
View File

@ -17,9 +17,9 @@ uint32_t __lafl_max_edges_size = 0;
void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
uint32_t pos = *guard; uint32_t pos = *guard;
//uint16_t val = __lafl_edges_map[pos] + 1; uint16_t val = __lafl_edges_map[pos] + 1;
//__lafl_edges_map[pos] = ((uint8_t) val) + (uint8_t) (val >> 8); __lafl_edges_map[pos] = ((uint8_t) val) + (uint8_t) (val >> 8);
__lafl_edges_map[pos] = 1; //__lafl_edges_map[pos] = 1;
} }