Insert into corpus if feedback is_interesting on crash/timeout (#1327)

* Insert into corpus if feedback is_interesting on crash/timeout

* Use correct import for HasExecutions

* Windows add missing import

* QemuExecutor add HasFeedback

* Windows asan fix

* Add missing call to scheduler.on_add

* Add missing HasExecutions for windows frida

* QemuExecutor missing HasScheduler

* QemuExecutor missing HasCorpus
s1341 2023-06-29 00:53:51 +03:00 committed by GitHub
parent 71aa0221a0
commit 871dfa0a01
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 169 additions and 78 deletions


@ -44,13 +44,15 @@ use crate::bolts::os::windows_exceptions::setup_exception_handler;
#[cfg(all(feature = "std", unix))] #[cfg(all(feature = "std", unix))]
use crate::bolts::shmem::ShMemProvider; use crate::bolts::shmem::ShMemProvider;
use crate::{ use crate::{
bolts::current_time,
events::{EventFirer, EventRestarter}, events::{EventFirer, EventRestarter},
executors::{Executor, ExitKind, HasObservers}, executors::{Executor, ExitKind, HasObservers},
feedbacks::Feedback, feedbacks::Feedback,
fuzzer::HasObjective, fuzzer::{HasFeedback, HasObjective, HasScheduler},
inputs::UsesInput, inputs::UsesInput,
observers::{ObserversTuple, UsesObservers}, observers::{ObserversTuple, UsesObservers},
state::{HasClientPerfMonitor, HasCorpus, HasSolutions, UsesState}, schedulers::Scheduler,
state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasSolutions, UsesState},
Error, Error,
}; };
@ -167,7 +169,7 @@ where
H: FnMut(&<S as UsesInput>::Input) -> ExitKind + ?Sized, H: FnMut(&<S as UsesInput>::Input) -> ExitKind + ?Sized,
HB: BorrowMut<H>, HB: BorrowMut<H>,
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
S: HasSolutions + HasClientPerfMonitor + HasCorpus, S: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
{ {
/// Create a new in mem executor. /// Create a new in mem executor.
/// Caution: crash and restart in one of them will lead to odd behavior if multiple are used, /// Caution: crash and restart in one of them will lead to odd behavior if multiple are used,
@ -175,7 +177,7 @@ where
/// * `harness_fn` - the harness, executing the function /// * `harness_fn` - the harness, executing the function
/// * `observers` - the observers observing the target during execution /// * `observers` - the observers observing the target during execution
/// This may return an error on unix, if signal handler setup fails /// This may return an error on unix, if signal handler setup fails
pub fn new<EM, OF, Z>( pub fn new<CF, EM, OF, Z>(
harness_fn: HB, harness_fn: HB,
observers: OT, observers: OT,
_fuzzer: &mut Z, _fuzzer: &mut Z,
@ -185,10 +187,13 @@ where
where where
Self: Executor<EM, Z, State = S>, Self: Executor<EM, Z, State = S>,
EM: EventFirer<State = S> + EventRestarter, EM: EventFirer<State = S> + EventRestarter,
CF: Feedback<S>,
OF: Feedback<S>, OF: Feedback<S>,
Z: HasObjective<Objective = OF, State = S>, Z: HasObjective<Objective = OF, State = S>
+ HasFeedback<Feedback = CF, State = S>
+ HasScheduler,
{ {
let handlers = InProcessHandlers::new::<Self, EM, OF, Z>()?; let handlers = InProcessHandlers::new::<CF, Self, EM, OF, Z>()?;
#[cfg(windows)] #[cfg(windows)]
// Some initialization necessary for windows. // Some initialization necessary for windows.
unsafe { unsafe {
@ -251,7 +256,7 @@ where
H: FnMut(&<S as UsesInput>::Input) -> ExitKind + ?Sized, H: FnMut(&<S as UsesInput>::Input) -> ExitKind + ?Sized,
HB: BorrowMut<H>, HB: BorrowMut<H>,
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
S: HasSolutions + HasClientPerfMonitor + HasCorpus, S: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
{ {
/// the timeout handler /// the timeout handler
#[inline] #[inline]
@ -341,27 +346,30 @@ impl InProcessHandlers {
/// Create new [`InProcessHandlers`]. /// Create new [`InProcessHandlers`].
#[cfg(not(all(windows, feature = "std")))] #[cfg(not(all(windows, feature = "std")))]
pub fn new<E, EM, OF, Z>() -> Result<Self, Error> pub fn new<CF, E, EM, OF, Z>() -> Result<Self, Error>
where where
E: Executor<EM, Z> + HasObservers, E: Executor<EM, Z> + HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
CF: Feedback<E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor + HasCorpus, E::State: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>
+ HasFeedback<Feedback = CF, State = E::State>
+ HasScheduler,
{ {
#[cfg(unix)] #[cfg(unix)]
#[cfg_attr(miri, allow(unused_variables))] #[cfg_attr(miri, allow(unused_variables))]
unsafe { unsafe {
let data = &mut GLOBAL_STATE; let data = &mut GLOBAL_STATE;
#[cfg(feature = "std")] #[cfg(feature = "std")]
unix_signal_handler::setup_panic_hook::<E, EM, OF, Z>(); unix_signal_handler::setup_panic_hook::<CF, E, EM, OF, Z>();
#[cfg(not(miri))] #[cfg(not(miri))]
setup_signal_handler(data)?; setup_signal_handler(data)?;
compiler_fence(Ordering::SeqCst); compiler_fence(Ordering::SeqCst);
Ok(Self { Ok(Self {
crash_handler: unix_signal_handler::inproc_crash_handler::<E, EM, OF, Z> crash_handler: unix_signal_handler::inproc_crash_handler::<CF, E, EM, OF, Z>
as *const c_void, as *const c_void,
timeout_handler: unix_signal_handler::inproc_timeout_handler::<E, EM, OF, Z> timeout_handler: unix_signal_handler::inproc_timeout_handler::<CF, E, EM, OF, Z>
as *const _, as *const _,
}) })
} }
@ -371,25 +379,28 @@ impl InProcessHandlers {
/// Create new [`InProcessHandlers`]. /// Create new [`InProcessHandlers`].
#[cfg(all(windows, feature = "std"))] #[cfg(all(windows, feature = "std"))]
pub fn new<E, EM, OF, Z>() -> Result<Self, Error> pub fn new<CF, E, EM, OF, Z>() -> Result<Self, Error>
where where
E: Executor<EM, Z> + HasObservers + HasInProcessHandlers, E: Executor<EM, Z> + HasObservers + HasInProcessHandlers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
CF: Feedback<E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor + HasCorpus, E::State: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>
+ HasFeedback<Feedback = CF, State = E::State>
+ HasScheduler,
{ {
unsafe { unsafe {
let data = &mut GLOBAL_STATE; let data = &mut GLOBAL_STATE;
#[cfg(feature = "std")] #[cfg(feature = "std")]
windows_exception_handler::setup_panic_hook::<E, EM, OF, Z>(); windows_exception_handler::setup_panic_hook::<CF, E, EM, OF, Z>();
setup_exception_handler(data)?; setup_exception_handler(data)?;
compiler_fence(Ordering::SeqCst); compiler_fence(Ordering::SeqCst);
Ok(Self { Ok(Self {
crash_handler: windows_exception_handler::inproc_crash_handler::<E, EM, OF, Z> crash_handler: windows_exception_handler::inproc_crash_handler::<CF, E, EM, OF, Z>
as *const _, as *const _,
timeout_handler: windows_exception_handler::inproc_timeout_handler::<E, EM, OF, Z> timeout_handler: windows_exception_handler::inproc_timeout_handler::<CF, E, EM, OF, Z>
as *const c_void, as *const c_void,
}) })
} }
@ -560,7 +571,7 @@ use crate::{
#[inline] #[inline]
#[allow(clippy::too_many_arguments)] #[allow(clippy::too_many_arguments)]
/// Save state if it is an objective /// Save state if it is an objective
pub fn run_observers_and_save_state<E, EM, OF, Z>( pub fn run_observers_and_save_state<CF, E, EM, OF, Z>(
executor: &mut E, executor: &mut E,
state: &mut E::State, state: &mut E::State,
input: &<E::State as UsesInput>::Input, input: &<E::State as UsesInput>::Input,
@ -570,9 +581,12 @@ pub fn run_observers_and_save_state<E, EM, OF, Z>(
) where ) where
E: HasObservers, E: HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
CF: Feedback<E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor + HasCorpus, E::State: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>
+ HasFeedback<Feedback = CF, State = E::State>
+ HasScheduler,
{ {
let observers = executor.observers_mut(); let observers = executor.observers_mut();
@ -580,6 +594,44 @@ pub fn run_observers_and_save_state<E, EM, OF, Z>(
.post_exec_all(state, input, &exitkind) .post_exec_all(state, input, &exitkind)
.expect("Observers post_exec_all failed"); .expect("Observers post_exec_all failed");
let interesting_for_corpus = fuzzer
.feedback_mut()
.is_interesting(state, event_mgr, input, observers, &exitkind)
.expect("In run_observers_and_save_state feedback failure.");
if interesting_for_corpus {
let mut new_testcase = Testcase::with_executions(input.clone(), *state.executions());
new_testcase.add_metadata(exitkind);
new_testcase.set_parent_id_optional(*state.corpus().current());
fuzzer
.feedback_mut()
.append_metadata(state, observers, &mut new_testcase)
.expect("Failed adding metadata");
let idx = state
.corpus_mut()
.add(new_testcase)
.expect("In run_observers_and_save_state corpus failure.");
fuzzer
.scheduler_mut()
.on_add(state, idx)
.expect("Could not add to scheduler in run_observers_and_save_state.");
event_mgr
.fire(
state,
Event::NewTestcase {
input: input.clone(),
observers_buf: None,
exit_kind: exitkind,
corpus_size: state.corpus().count(),
client_config: event_mgr.configuration(),
time: current_time(),
executions: *state.executions(),
forward_id: None,
},
)
.expect("Could not add the testcase in run_observers_and_save_state");
}
let interesting = fuzzer let interesting = fuzzer
.objective_mut() .objective_mut()
.is_interesting(state, event_mgr, input, observers, &exitkind) .is_interesting(state, event_mgr, input, observers, &exitkind)
@ -636,9 +688,9 @@ mod unix_signal_handler {
Executor, ExitKind, HasObservers, Executor, ExitKind, HasObservers,
}, },
feedbacks::Feedback, feedbacks::Feedback,
fuzzer::HasObjective, fuzzer::{HasFeedback, HasObjective, HasScheduler},
inputs::UsesInput, inputs::UsesInput,
state::{HasClientPerfMonitor, HasCorpus, HasSolutions}, state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasSolutions},
}; };
pub(crate) type HandlerFuncPtr = pub(crate) type HandlerFuncPtr =
@ -692,13 +744,16 @@ mod unix_signal_handler {
/// invokes the `post_exec` hook on all observer in case of panic /// invokes the `post_exec` hook on all observer in case of panic
#[cfg(feature = "std")] #[cfg(feature = "std")]
pub fn setup_panic_hook<E, EM, OF, Z>() pub fn setup_panic_hook<CF, E, EM, OF, Z>()
where where
E: HasObservers, E: HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
CF: Feedback<E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor + HasCorpus, E::State: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>
+ HasFeedback<Feedback = CF, State = E::State>
+ HasScheduler,
{ {
let old_hook = panic::take_hook(); let old_hook = panic::take_hook();
panic::set_hook(Box::new(move |panic_info| { panic::set_hook(Box::new(move |panic_info| {
@ -712,7 +767,7 @@ mod unix_signal_handler {
let fuzzer = data.fuzzer_mut::<Z>(); let fuzzer = data.fuzzer_mut::<Z>();
let event_mgr = data.event_mgr_mut::<EM>(); let event_mgr = data.event_mgr_mut::<EM>();
run_observers_and_save_state::<E, EM, OF, Z>( run_observers_and_save_state::<CF, E, EM, OF, Z>(
executor, executor,
state, state,
input, input,
@ -729,7 +784,7 @@ mod unix_signal_handler {
} }
#[cfg(unix)] #[cfg(unix)]
pub(crate) unsafe fn inproc_timeout_handler<E, EM, OF, Z>( pub(crate) unsafe fn inproc_timeout_handler<CF, E, EM, OF, Z>(
_signal: Signal, _signal: Signal,
_info: siginfo_t, _info: siginfo_t,
_context: &mut ucontext_t, _context: &mut ucontext_t,
@ -737,9 +792,12 @@ mod unix_signal_handler {
) where ) where
E: HasObservers, E: HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
CF: Feedback<E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor + HasCorpus, E::State: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>
+ HasFeedback<Feedback = CF, State = E::State>
+ HasScheduler,
{ {
if !data.timeout_executor_ptr.is_null() if !data.timeout_executor_ptr.is_null()
&& data.timeout_executor_mut::<E>().handle_timeout(data) && data.timeout_executor_mut::<E>().handle_timeout(data)
@ -760,7 +818,7 @@ mod unix_signal_handler {
log::error!("Timeout in fuzz run."); log::error!("Timeout in fuzz run.");
run_observers_and_save_state::<E, EM, OF, Z>( run_observers_and_save_state::<CF, E, EM, OF, Z>(
executor, executor,
state, state,
input, input,
@ -778,7 +836,7 @@ mod unix_signal_handler {
/// Will be used for signal handling. /// Will be used for signal handling.
/// It will store the current State to shmem, then exit. /// It will store the current State to shmem, then exit.
#[allow(clippy::too_many_lines)] #[allow(clippy::too_many_lines)]
pub(crate) unsafe fn inproc_crash_handler<E, EM, OF, Z>( pub(crate) unsafe fn inproc_crash_handler<CF, E, EM, OF, Z>(
signal: Signal, signal: Signal,
_info: siginfo_t, _info: siginfo_t,
_context: &mut ucontext_t, _context: &mut ucontext_t,
@ -786,9 +844,12 @@ mod unix_signal_handler {
) where ) where
E: Executor<EM, Z> + HasObservers, E: Executor<EM, Z> + HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
CF: Feedback<E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor + HasCorpus, E::State: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>
+ HasFeedback<Feedback = CF, State = E::State>
+ HasScheduler,
{ {
#[cfg(all(target_os = "android", target_arch = "aarch64"))] #[cfg(all(target_os = "android", target_arch = "aarch64"))]
let _context = &mut *(((_context as *mut _ as *mut libc::c_void as usize) + 128) let _context = &mut *(((_context as *mut _ as *mut libc::c_void as usize) + 128)
@ -819,7 +880,7 @@ mod unix_signal_handler {
log::error!("{}", std::str::from_utf8(&bsod).unwrap()); log::error!("{}", std::str::from_utf8(&bsod).unwrap());
} }
run_observers_and_save_state::<E, EM, OF, Z>( run_observers_and_save_state::<CF, E, EM, OF, Z>(
executor, executor,
state, state,
input, input,
@ -893,20 +954,23 @@ pub mod windows_asan_handler {
Executor, ExitKind, HasObservers, Executor, ExitKind, HasObservers,
}, },
feedbacks::Feedback, feedbacks::Feedback,
fuzzer::HasObjective, fuzzer::{HasFeedback, HasObjective, HasScheduler},
inputs::UsesInput, inputs::UsesInput,
state::{HasClientPerfMonitor, HasCorpus, HasSolutions}, state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasSolutions},
}; };
/// # Safety /// # Safety
/// ASAN deatch handler /// ASAN deatch handler
pub unsafe extern "C" fn asan_death_handler<E, EM, OF, Z>() pub unsafe extern "C" fn asan_death_handler<CF, E, EM, OF, Z>()
where where
E: Executor<EM, Z> + HasObservers, E: Executor<EM, Z> + HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
CF: Feedback<E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor + HasCorpus, E::State: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>
+ HasFeedback<Feedback = CF, State = E::State>
+ HasScheduler,
{ {
let data = &mut GLOBAL_STATE; let data = &mut GLOBAL_STATE;
// Have we set a timer_before? // Have we set a timer_before?
@ -960,7 +1024,7 @@ pub mod windows_asan_handler {
// Make sure we don't crash in the crash handler forever. // Make sure we don't crash in the crash handler forever.
let input = data.take_current_input::<<E::State as UsesInput>::Input>(); let input = data.take_current_input::<<E::State as UsesInput>::Input>();
run_observers_and_save_state::<E, EM, OF, Z>( run_observers_and_save_state::<CF, E, EM, OF, Z>(
executor, executor,
state, state,
input, input,
@ -1005,9 +1069,9 @@ mod windows_exception_handler {
Executor, ExitKind, HasObservers, Executor, ExitKind, HasObservers,
}, },
feedbacks::Feedback, feedbacks::Feedback,
fuzzer::HasObjective, fuzzer::{HasFeedback, HasObjective, HasScheduler},
inputs::UsesInput, inputs::UsesInput,
state::{HasClientPerfMonitor, HasCorpus, HasSolutions}, state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasSolutions},
}; };
pub(crate) type HandlerFuncPtr = pub(crate) type HandlerFuncPtr =
@ -1041,13 +1105,16 @@ mod windows_exception_handler {
/// invokes the `post_exec` hook on all observer in case of panic /// invokes the `post_exec` hook on all observer in case of panic
#[cfg(feature = "std")] #[cfg(feature = "std")]
pub fn setup_panic_hook<E, EM, OF, Z>() pub fn setup_panic_hook<CF, E, EM, OF, Z>()
where where
E: HasObservers, E: HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
CF: Feedback<E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor + HasCorpus, E::State: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>
+ HasFeedback<Feedback = CF, State = E::State>
+ HasScheduler,
{ {
let old_hook = panic::take_hook(); let old_hook = panic::take_hook();
panic::set_hook(Box::new(move |panic_info| { panic::set_hook(Box::new(move |panic_info| {
@ -1079,7 +1146,7 @@ mod windows_exception_handler {
let input = data.take_current_input::<<E::State as UsesInput>::Input>(); let input = data.take_current_input::<<E::State as UsesInput>::Input>();
run_observers_and_save_state::<E, EM, OF, Z>( run_observers_and_save_state::<CF, E, EM, OF, Z>(
executor, executor,
state, state,
input, input,
@ -1097,16 +1164,19 @@ mod windows_exception_handler {
} }
/// Timeout handler for windows /// Timeout handler for windows
pub unsafe extern "system" fn inproc_timeout_handler<E, EM, OF, Z>( pub unsafe extern "system" fn inproc_timeout_handler<CF, E, EM, OF, Z>(
_p0: *mut u8, _p0: *mut u8,
global_state: *mut c_void, global_state: *mut c_void,
_p1: *mut u8, _p1: *mut u8,
) where ) where
E: HasObservers + HasInProcessHandlers, E: HasObservers + HasInProcessHandlers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
CF: Feedback<E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor + HasCorpus, E::State: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>
+ HasFeedback<Feedback = CF, State = E::State>
+ HasScheduler,
{ {
let data: &mut InProcessExecutorHandlerData = let data: &mut InProcessExecutorHandlerData =
&mut *(global_state as *mut InProcessExecutorHandlerData); &mut *(global_state as *mut InProcessExecutorHandlerData);
@ -1148,7 +1218,7 @@ mod windows_exception_handler {
.unwrap(); .unwrap();
data.timeout_input_ptr = ptr::null_mut(); data.timeout_input_ptr = ptr::null_mut();
run_observers_and_save_state::<E, EM, OF, Z>( run_observers_and_save_state::<CF, E, EM, OF, Z>(
executor, executor,
state, state,
input, input,
@ -1173,15 +1243,18 @@ mod windows_exception_handler {
} }
#[allow(clippy::too_many_lines)] #[allow(clippy::too_many_lines)]
pub(crate) unsafe fn inproc_crash_handler<E, EM, OF, Z>( pub(crate) unsafe fn inproc_crash_handler<CF, E, EM, OF, Z>(
exception_pointers: *mut EXCEPTION_POINTERS, exception_pointers: *mut EXCEPTION_POINTERS,
data: &mut InProcessExecutorHandlerData, data: &mut InProcessExecutorHandlerData,
) where ) where
E: Executor<EM, Z> + HasObservers, E: Executor<EM, Z> + HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
CF: Feedback<E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor + HasCorpus, E::State: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>
+ HasFeedback<Feedback = CF, State = E::State>
+ HasScheduler,
{ {
// Have we set a timer_before? // Have we set a timer_before?
if !(data.tp_timer as *mut windows::Win32::System::Threading::TP_TIMER).is_null() { if !(data.tp_timer as *mut windows::Win32::System::Threading::TP_TIMER).is_null() {
@ -1271,7 +1344,7 @@ mod windows_exception_handler {
if is_crash { if is_crash {
let input = data.take_current_input::<<E::State as UsesInput>::Input>(); let input = data.take_current_input::<<E::State as UsesInput>::Input>();
run_observers_and_save_state::<E, EM, OF, Z>( run_observers_and_save_state::<CF, E, EM, OF, Z>(
executor, executor,
state, state,
input, input,
@ -1789,11 +1862,11 @@ impl<'a, H, OT, S, SP> InProcessForkExecutor<'a, H, OT, S, SP>
where where
H: FnMut(&S::Input) -> ExitKind + ?Sized, H: FnMut(&S::Input) -> ExitKind + ?Sized,
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
S: UsesInput, S: UsesInput + HasCorpus,
SP: ShMemProvider, SP: ShMemProvider,
{ {
/// Creates a new [`InProcessForkExecutor`] /// Creates a new [`InProcessForkExecutor`]
pub fn new<EM, OF, Z>( pub fn new<CF, EM, OF, Z>(
harness_fn: &'a mut H, harness_fn: &'a mut H,
observers: OT, observers: OT,
_fuzzer: &mut Z, _fuzzer: &mut Z,
@ -1803,9 +1876,12 @@ where
) -> Result<Self, Error> ) -> Result<Self, Error>
where where
EM: EventFirer<State = S> + EventRestarter, EM: EventFirer<State = S> + EventRestarter,
CF: Feedback<S>,
OF: Feedback<S>, OF: Feedback<S>,
S: HasSolutions + HasClientPerfMonitor, S: HasSolutions + HasClientPerfMonitor,
Z: HasObjective<Objective = OF, State = S>, Z: HasObjective<Objective = OF, State = S>
+ HasFeedback<Feedback = CF, State = S>
+ HasScheduler,
{ {
let handlers = InChildProcessHandlers::new::<Self>()?; let handlers = InChildProcessHandlers::new::<Self>()?;
Ok(Self { Ok(Self {
@ -1834,13 +1910,13 @@ where
impl<'a, H, OT, S, SP> TimeoutInProcessForkExecutor<'a, H, OT, S, SP> impl<'a, H, OT, S, SP> TimeoutInProcessForkExecutor<'a, H, OT, S, SP>
where where
H: FnMut(&S::Input) -> ExitKind + ?Sized, H: FnMut(&S::Input) -> ExitKind + ?Sized,
S: UsesInput, S: UsesInput + HasCorpus,
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
SP: ShMemProvider, SP: ShMemProvider,
{ {
/// Creates a new [`TimeoutInProcessForkExecutor`] /// Creates a new [`TimeoutInProcessForkExecutor`]
#[cfg(target_os = "linux")] #[cfg(target_os = "linux")]
pub fn new<EM, OF, Z>( pub fn new<CF, EM, OF, Z>(
harness_fn: &'a mut H, harness_fn: &'a mut H,
observers: OT, observers: OT,
_fuzzer: &mut Z, _fuzzer: &mut Z,
@ -1851,9 +1927,12 @@ where
) -> Result<Self, Error> ) -> Result<Self, Error>
where where
EM: EventFirer<State = S> + EventRestarter<State = S>, EM: EventFirer<State = S> + EventRestarter<State = S>,
CF: Feedback<S>,
OF: Feedback<S>, OF: Feedback<S>,
S: HasSolutions + HasClientPerfMonitor, S: HasSolutions + HasClientPerfMonitor,
Z: HasObjective<Objective = OF, State = S>, Z: HasObjective<Objective = OF, State = S>
+ HasFeedback<Feedback = CF, State = S>
+ HasScheduler,
{ {
let handlers = InChildProcessHandlers::with_timeout::<Self>()?; let handlers = InChildProcessHandlers::with_timeout::<Self>()?;
let milli_sec = timeout.as_millis(); let milli_sec = timeout.as_millis();
@ -1882,7 +1961,7 @@ where
/// Creates a new [`TimeoutInProcessForkExecutor`], non linux /// Creates a new [`TimeoutInProcessForkExecutor`], non linux
#[cfg(not(target_os = "linux"))] #[cfg(not(target_os = "linux"))]
pub fn new<EM, OF, Z>( pub fn new<CF, EM, OF, Z>(
harness_fn: &'a mut H, harness_fn: &'a mut H,
observers: OT, observers: OT,
_fuzzer: &mut Z, _fuzzer: &mut Z,
@ -1893,9 +1972,12 @@ where
) -> Result<Self, Error> ) -> Result<Self, Error>
where where
EM: EventFirer<State = S> + EventRestarter<State = S>, EM: EventFirer<State = S> + EventRestarter<State = S>,
CF: Feedback<S>,
OF: Feedback<S>, OF: Feedback<S>,
S: HasSolutions + HasClientPerfMonitor, S: HasSolutions + HasClientPerfMonitor,
Z: HasObjective<Objective = OF, State = S>, Z: HasObjective<Objective = OF, State = S>
+ HasFeedback<Feedback = CF, State = S>
+ HasScheduler,
{ {
let handlers = InChildProcessHandlers::with_timeout::<Self>()?; let handlers = InChildProcessHandlers::with_timeout::<Self>()?;
let milli_sec = timeout.as_millis(); let milli_sec = timeout.as_millis();
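Review bot: The corpus-insertion block added to `run_observers_and_save_state` runs before the objective check, and every fallible step in it ends in `.expect(...)`. A failure in the feedback, `corpus_mut().add`, `scheduler_mut().on_add` or `event_mgr.fire` therefore panics inside the crash/timeout handler (and inside the panic hook, which also calls this function) before the crashing input is ever evaluated as a solution. Losing the crash report is worse than losing a corpus entry, so I would either move the block after the objective handling or downgrade its errors to a log line, e.g. `if let Err(e) = fuzzer.scheduler_mut().on_add(state, idx) { log::error!("scheduler on_add failed: {e:?}"); }`. The block also never calls the feedback's `discard_metadata` when `interesting_for_corpus` is false, which the regular evaluation path presumably does; worth confirming. The function body continues outside the hunk.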


@ -8,7 +8,7 @@ use frida_gum::{
#[cfg(windows)] #[cfg(windows)]
use libafl::{ use libafl::{
executors::inprocess::{HasInProcessHandlers, InProcessHandlers}, executors::inprocess::{HasInProcessHandlers, InProcessHandlers},
state::{HasClientPerfMonitor, HasCorpus, HasSolutions}, state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasSolutions},
}; };
use libafl::{ use libafl::{
executors::{Executor, ExitKind, HasObservers, InProcessExecutor}, executors::{Executor, ExitKind, HasObservers, InProcessExecutor},
@ -200,7 +200,7 @@ impl<'a, 'b, 'c, H, OT, RT, S> HasInProcessHandlers
for FridaInProcessExecutor<'a, 'b, 'c, H, OT, RT, S> for FridaInProcessExecutor<'a, 'b, 'c, H, OT, RT, S>
where where
H: FnMut(&S::Input) -> ExitKind, H: FnMut(&S::Input) -> ExitKind,
S: UsesInput + HasClientPerfMonitor + HasSolutions + HasCorpus, S: UsesInput + HasClientPerfMonitor + HasSolutions + HasCorpus + HasExecutions,
S::Input: HasTargetBytes, S::Input: HasTargetBytes,
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
RT: FridaRuntimeTuple, RT: FridaRuntimeTuple,


@ -10,7 +10,7 @@ use libafl::{
events::{EventFirer, EventRestarter}, events::{EventFirer, EventRestarter},
executors::{Executor, ExitKind, HasObservers, InProcessExecutor}, executors::{Executor, ExitKind, HasObservers, InProcessExecutor},
feedbacks::Feedback, feedbacks::Feedback,
fuzzer::HasObjective, fuzzer::{HasFeedback, HasObjective, HasScheduler},
inputs::UsesInput, inputs::UsesInput,
observers::{ObserversTuple, UsesObservers}, observers::{ObserversTuple, UsesObservers},
state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasSolutions, State, UsesState}, state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasSolutions, State, UsesState},
@ -53,7 +53,7 @@ where
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
QT: QemuHelperTuple<S>, QT: QemuHelperTuple<S>,
{ {
pub fn new<EM, OF, Z>( pub fn new<CF, EM, OF, Z>(
hooks: &'a mut QemuHooks<'a, QT, S>, hooks: &'a mut QemuHooks<'a, QT, S>,
harness_fn: &'a mut H, harness_fn: &'a mut H,
observers: OT, observers: OT,
@ -63,9 +63,12 @@ where
) -> Result<Self, Error> ) -> Result<Self, Error>
where where
EM: EventFirer<State = S> + EventRestarter<State = S>, EM: EventFirer<State = S> + EventRestarter<State = S>,
CF: Feedback<S>,
OF: Feedback<S>, OF: Feedback<S>,
S: State + HasExecutions + HasCorpus + HasSolutions + HasClientPerfMonitor, S: State + HasExecutions + HasCorpus + HasSolutions + HasClientPerfMonitor,
Z: HasObjective<Objective = OF, State = S>, Z: HasObjective<Objective = OF, State = S>
+ HasFeedback<Feedback = CF, State = S>
+ HasScheduler,
{ {
Ok(Self { Ok(Self {
first_exec: true, first_exec: true,
@ -201,12 +204,12 @@ where
impl<'a, H, OT, QT, S, SP> QemuForkExecutor<'a, H, OT, QT, S, SP> impl<'a, H, OT, QT, S, SP> QemuForkExecutor<'a, H, OT, QT, S, SP>
where where
H: FnMut(&S::Input) -> ExitKind, H: FnMut(&S::Input) -> ExitKind,
S: UsesInput, S: UsesInput + HasCorpus,
OT: ObserversTuple<S>, OT: ObserversTuple<S>,
QT: QemuHelperTuple<S>, QT: QemuHelperTuple<S>,
SP: ShMemProvider, SP: ShMemProvider,
{ {
pub fn new<EM, OF, Z>( pub fn new<CF, EM, OF, Z>(
hooks: &'a mut QemuHooks<'a, QT, S>, hooks: &'a mut QemuHooks<'a, QT, S>,
harness_fn: &'a mut H, harness_fn: &'a mut H,
observers: OT, observers: OT,
@ -217,9 +220,12 @@ where
) -> Result<Self, Error> ) -> Result<Self, Error>
where where
EM: EventFirer<State = S> + EventRestarter, EM: EventFirer<State = S> + EventRestarter,
CF: Feedback<S>,
OF: Feedback<S>, OF: Feedback<S>,
S: HasSolutions + HasClientPerfMonitor, S: HasSolutions + HasClientPerfMonitor,
Z: HasObjective<Objective = OF, State = S>, Z: HasObjective<Objective = OF, State = S>
+ HasFeedback<Feedback = CF, State = S>
+ HasScheduler,
{ {
assert!(!QT::HOOKS_DO_SIDE_EFFECTS, "When using QemuForkExecutor, the hooks must not do any side effect as they will happen in the child process and then discarded"); assert!(!QT::HOOKS_DO_SIDE_EFFECTS, "When using QemuForkExecutor, the hooks must not do any side effect as they will happen in the child process and then discarded");
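Review bot: `QemuForkExecutor::new` now requires `CF: Feedback<S>` and `Z: HasFeedback<Feedback = CF, State = S> + HasScheduler`, but nothing visible on the fork path uses them. The corpus insertion this commit adds lives in the in-process crash/timeout handlers, while the fork constructors shown in the first file still only build `InChildProcessHandlers::new::<Self>()` or `with_timeout::<Self>()`, neither of which takes a `CF`. If nothing outside the visible lines needs these bounds, they narrow the public API (and break explicit `new::<EM, OF, Z>` turbofish callers) without effect. I would drop them from the fork constructors, or add a short doc comment on `new` saying why they are required. Both `new` bodies continue outside the hunks.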


@ -4,8 +4,8 @@ use libafl::{
events::{EventFirer, EventRestarter}, events::{EventFirer, EventRestarter},
executors::{inprocess::windows_asan_handler::asan_death_handler, Executor, HasObservers}, executors::{inprocess::windows_asan_handler::asan_death_handler, Executor, HasObservers},
feedbacks::Feedback, feedbacks::Feedback,
state::{HasClientPerfMonitor, HasCorpus, HasSolutions}, state::{HasClientPerfMonitor, HasCorpus, HasExecutions, HasSolutions},
HasObjective, HasFeedback, HasObjective, HasScheduler,
}; };
/// Asan death callback type /// Asan death callback type
@ -27,13 +27,16 @@ extern "C" {
/// ///
/// # Safety /// # Safety
/// Calls the unsafe `__sanitizer_set_death_callback` symbol, but should be safe to call otherwise. /// Calls the unsafe `__sanitizer_set_death_callback` symbol, but should be safe to call otherwise.
pub unsafe fn setup_asan_callback<E, EM, OF, Z>(_executor: &E, _event_mgr: &EM, _fuzzer: &Z) pub unsafe fn setup_asan_callback<CF, E, EM, OF, Z>(_executor: &E, _event_mgr: &EM, _fuzzer: &Z)
where where
E: Executor<EM, Z> + HasObservers, E: Executor<EM, Z> + HasObservers,
EM: EventFirer<State = E::State> + EventRestarter<State = E::State>, EM: EventFirer<State = E::State> + EventRestarter<State = E::State>,
CF: Feedback<E::State>,
OF: Feedback<E::State>, OF: Feedback<E::State>,
E::State: HasSolutions + HasClientPerfMonitor + HasCorpus, E::State: HasSolutions + HasClientPerfMonitor + HasCorpus + HasExecutions,
Z: HasObjective<Objective = OF, State = E::State>, Z: HasObjective<Objective = OF, State = E::State>
+ HasFeedback<Feedback = CF, State = E::State>
+ HasScheduler,
{ {
__sanitizer_set_death_callback(asan_death_handler::<E, EM, OF, Z>); __sanitizer_set_death_callback(asan_death_handler::<CF, E, EM, OF, Z>);
} }