diff --git a/Cargo.toml b/Cargo.toml index d2809b476e..4e03584182 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -3,4 +3,4 @@ members = [ "afl", "fuzzers/libfuzzer_libpng", -] \ No newline at end of file +] diff --git a/afl/Cargo.toml b/afl/Cargo.toml index 303573d06b..a5e92dc3e1 100644 --- a/afl/Cargo.toml +++ b/afl/Cargo.toml @@ -50,4 +50,4 @@ erased-serde = "0.3.12" postcard = { version = "0.5.1", features = ["alloc"] } # no_std compatible serde serialization fromat static_assertions = "1.1.0" serde_json = { version = "1.0", default-features = false, features = ["alloc"] } # an easy way to debug print SerdeAnyMap -#TODO: for llmp brotli = { version = "3.3.0", default-features = false } # brotli compression \ No newline at end of file +#TODO: for llmp brotli = { version = "3.3.0", default-features = false } # brotli compression diff --git a/afl/src/events/mod.rs b/afl/src/events/mod.rs index 77dc6f8c2f..70c6dc12bf 100644 --- a/afl/src/events/mod.rs +++ b/afl/src/events/mod.rs @@ -915,8 +915,10 @@ where /// A restarting state is a combination of restarter and runner, that can be used on systems without `fork`. /// The restarter will start a new process each time the child crashes or timeouts. #[cfg(feature = "std")] -pub fn setup_restarting_state( - mgr: &mut LlmpEventManager, +pub fn setup_restarting_mgr( + //mgr: &mut LlmpEventManager, + stats: ST, + broker_port: u16, ) -> Result< ( Option>, @@ -932,32 +934,44 @@ where SH: ShMem, ST: Stats, { + let mut mgr; + // We start ourself as child process to actually fuzz if std::env::var(ENV_FUZZER_SENDER).is_err() { - mgr.to_env(ENV_FUZZER_BROKER_CLIENT_INITIAL); - // First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts. - let sender = LlmpSender::new(0, false)?; - let receiver = LlmpReceiver::on_existing_map( - AflShmem::clone_ref(&sender.out_maps.last().unwrap().shmem)?, - None, - )?; - // Store the information to a map. - sender.to_env(ENV_FUZZER_SENDER)?; - receiver.to_env(ENV_FUZZER_RECEIVER)?; + mgr = LlmpEventManager::::new_on_port(stats, broker_port)?; + if mgr.is_broker() { + // Yep, broker. Just loop here. + println!("Doing broker things. Run this tool again to start fuzzing in a client."); + mgr.broker_loop()?; + } else { + + mgr.to_env(ENV_FUZZER_BROKER_CLIENT_INITIAL); - let mut ctr = 0; - // Client->parent loop - loop { - dbg!("Spawning next client"); - Command::new(env::current_exe()?) - .current_dir(env::current_dir()?) - .args(env::args()) - .status()?; - ctr += 1; - if ctr == 10 { - todo!("Fix this"); + // First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts. + let sender = LlmpSender::new(0, false)?; + let receiver = LlmpReceiver::on_existing_map( + AflShmem::clone_ref(&sender.out_maps.last().unwrap().shmem)?, + None, + )?; + // Store the information to a map. + sender.to_env(ENV_FUZZER_SENDER)?; + receiver.to_env(ENV_FUZZER_RECEIVER)?; + + let mut ctr = 0; + // Client->parent loop + loop { + dbg!("Spawning next client"); + Command::new(env::current_exe()?) + .current_dir(env::current_dir()?) + .args(env::args()) + .status()?; + ctr += 1; + if ctr == 10 { + todo!("Fix this"); + } } + } } diff --git a/afl/src/mutators/scheduled.rs b/afl/src/mutators/scheduled.rs index a2ededcad3..176fc56715 100644 --- a/afl/src/mutators/scheduled.rs +++ b/afl/src/mutators/scheduled.rs @@ -208,7 +208,7 @@ where let idx = self.scheduled.schedule(14, rand, input); let mutation = match idx { 0 => mutation_bitflip, - 1 => mutation_byteflip, + /*1 => mutation_byteflip, 2 => mutation_byteinc, 3 => mutation_bytedec, 4 => mutation_byteneg, @@ -219,7 +219,7 @@ where 8 => mutation_dwordadd, 9 => mutation_byteinteresting, 10 => mutation_wordinteresting, - 11 => mutation_dwordinteresting, + 11 => mutation_dwordinteresting,*/ _ => mutation_splice, }; mutation(self, rand, state, input)?; @@ -277,7 +277,7 @@ where pub fn new_default() -> Self { let mut scheduled = StdScheduledMutator::::new(); scheduled.add_mutation(mutation_bitflip); - scheduled.add_mutation(mutation_byteflip); + /*scheduled.add_mutation(mutation_byteflip); scheduled.add_mutation(mutation_byteinc); scheduled.add_mutation(mutation_bytedec); scheduled.add_mutation(mutation_byteneg); @@ -301,7 +301,7 @@ where scheduled.add_mutation(mutation_bytesset); scheduled.add_mutation(mutation_bytesrandset); scheduled.add_mutation(mutation_bytescopy); - scheduled.add_mutation(mutation_bytesswap); + scheduled.add_mutation(mutation_bytesswap);*/ /* TODO scheduled.add_mutation(mutation_tokeninsert); diff --git a/fuzzers/libfuzzer_libpng/harness.cc b/fuzzers/libfuzzer_libpng/harness.cc index baf1544e6d..dd16883cd9 100644 --- a/fuzzers/libfuzzer_libpng/harness.cc +++ b/fuzzers/libfuzzer_libpng/harness.cc @@ -156,14 +156,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { return 0; } -#ifdef HAS_BUG // This is going to be too slow. if (width && height > 100000000 / width) { PNG_CLEANUP +#ifdef HAS_BUG asm("ud2"); +#endif return 0; } -#endif // Set several transforms that browsers typically use: png_set_gray_to_rgb(png_handler.png_ptr); diff --git a/fuzzers/libfuzzer_libpng/src/mod.rs b/fuzzers/libfuzzer_libpng/src/mod.rs index 9721336f9e..ee7b1467b9 100644 --- a/fuzzers/libfuzzer_libpng/src/mod.rs +++ b/fuzzers/libfuzzer_libpng/src/mod.rs @@ -4,13 +4,14 @@ #[macro_use] extern crate clap; +use afl::shmem::AflShmem; use clap::{App, Arg}; use std::{env, path::PathBuf}; use afl::{ corpus::{Corpus, InMemoryCorpus}, - events::setup_restarting_state, - events::{LlmpEventManager, SimpleStats}, + events::setup_restarting_mgr, + events::{SimpleStats}, executors::{inprocess::InProcessExecutor, Executor, ExitKind}, feedbacks::MaxMapFeedback, inputs::Input, @@ -119,39 +120,36 @@ fn fuzz(input: Option>, broker_port: u16) -> Result<(), AflError> { let mut rand = StdRand::new(0); // 'While the stats are state, they are usually used in the broker - which is likely never restarted let stats = SimpleStats::new(|s| println!("{}", s)); - - let mut mgr = LlmpEventManager::new_on_port_std(stats, broker_port)?; - if mgr.is_broker() { - // Yep, broker. Just loop here. - println!("Doing broker things. Run this tool again to start fuzzing in a client."); - mgr.broker_loop()?; - } + + // The restarting state will spawn the same process again as child, then restartet it each time it crashes. + let (state_opt, mut restarting_mgr) = + setup_restarting_mgr::<_, _, _, _, AflShmem, _>(stats, broker_port).expect("Failed to setup the restarter".into()); let edges_observer = - StdMapObserver::new_from_ptr(&NAME_COV_MAP, unsafe { __lafl_edges_map }, unsafe { - __lafl_max_edges_size as usize - }); + StdMapObserver::new_from_ptr(&NAME_COV_MAP, unsafe { __lafl_edges_map }, unsafe { + __lafl_max_edges_size as usize + }); + + let mut state = match state_opt { + Some(s) => s, + None => { + State::new( + InMemoryCorpus::new(), + tuple_list!(MaxMapFeedback::new_with_observer( + &NAME_COV_MAP, + &edges_observer + )), + ) + }, + }; + + println!("We're a client, let's fuzz :)"); let mut mutator = HavocBytesMutator::new_default(); mutator.set_max_size(4096); let stage = StdMutationalStage::new(mutator); let mut fuzzer = StdFuzzer::new(tuple_list!(stage)); - // The restarting state will spawn the same process again as child, then restartet it each time it crashes. - let (state_opt, mut restarting_mgr) = - setup_restarting_state(&mut mgr).expect("Failed to setup the restarter".into()); - let mut state = match state_opt { - Some(s) => s, - None => State::new( - InMemoryCorpus::new(), - tuple_list!(MaxMapFeedback::new_with_observer( - &NAME_COV_MAP, - &edges_observer - )), - ), - }; - - println!("We're a client, let's fuzz :)"); // Create the executor let mut executor = InProcessExecutor::new(