SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix restating mgr routine

Browse Source
This commit is contained in:
Andrea Fioraldi 2021-02-11 14:46:28 +01:00
parent ce499f858f
commit 886aa605a8
6 changed files with 70 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
afl/src/events/mod.rs
View File

@ -915,8 +915,10 @@ where
/// A restarting state is a combination of restarter and runner, that can be used on systems without `fork`. /// A restarting state is a combination of restarter and runner, that can be used on systems without `fork`.
/// The restarter will start a new process each time the child crashes or timeouts. /// The restarter will start a new process each time the child crashes or timeouts.
#[cfg(feature = "std")] #[cfg(feature = "std")]
pub fn setup_restarting_state<I, C, FT, R, SH, ST>( pub fn setup_restarting_mgr<I, C, FT, R, SH, ST>(
mgr: &mut LlmpEventManager<I, SH, ST>, //mgr: &mut LlmpEventManager<I, SH, ST>,
stats: ST,
broker_port: u16,
) -> Result< ) -> Result<
( (
Option<State<C, FT, I, R>>, Option<State<C, FT, I, R>>,
@ -932,8 +934,18 @@ where
SH: ShMem, SH: ShMem,
ST: Stats, ST: Stats,
{ {
let mut mgr;
// We start ourself as child process to actually fuzz // We start ourself as child process to actually fuzz
if std::env::var(ENV_FUZZER_SENDER).is_err() { if std::env::var(ENV_FUZZER_SENDER).is_err() {
mgr = LlmpEventManager::<I, SH, ST>::new_on_port(stats, broker_port)?;
if mgr.is_broker() {
// Yep, broker. Just loop here.
println!("Doing broker things. Run this tool again to start fuzzing in a client.");
mgr.broker_loop()?;
} else {
mgr.to_env(ENV_FUZZER_BROKER_CLIENT_INITIAL); mgr.to_env(ENV_FUZZER_BROKER_CLIENT_INITIAL);
// First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts. // First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts.
@ -959,6 +971,8 @@ where
todo!("Fix this"); todo!("Fix this");
} }
} }
}
} }
println!("We're a client, let's fuzz :)"); println!("We're a client, let's fuzz :)");

8
afl/src/mutators/scheduled.rs
View File

@ -208,7 +208,7 @@ where
let idx = self.scheduled.schedule(14, rand, input); let idx = self.scheduled.schedule(14, rand, input);
let mutation = match idx { let mutation = match idx {
0 => mutation_bitflip, 0 => mutation_bitflip,
1 => mutation_byteflip, /*1 => mutation_byteflip,
2 => mutation_byteinc, 2 => mutation_byteinc,
3 => mutation_bytedec, 3 => mutation_bytedec,
4 => mutation_byteneg, 4 => mutation_byteneg,
@ -219,7 +219,7 @@ where
8 => mutation_dwordadd, 8 => mutation_dwordadd,
9 => mutation_byteinteresting, 9 => mutation_byteinteresting,
10 => mutation_wordinteresting, 10 => mutation_wordinteresting,
11 => mutation_dwordinteresting, 11 => mutation_dwordinteresting,*/
_ => mutation_splice, _ => mutation_splice,
}; };
mutation(self, rand, state, input)?; mutation(self, rand, state, input)?;
@ -277,7 +277,7 @@ where
pub fn new_default() -> Self { pub fn new_default() -> Self {
let mut scheduled = StdScheduledMutator::<C, I, R, S>::new(); let mut scheduled = StdScheduledMutator::<C, I, R, S>::new();
scheduled.add_mutation(mutation_bitflip); scheduled.add_mutation(mutation_bitflip);
scheduled.add_mutation(mutation_byteflip); /*scheduled.add_mutation(mutation_byteflip);
scheduled.add_mutation(mutation_byteinc); scheduled.add_mutation(mutation_byteinc);
scheduled.add_mutation(mutation_bytedec); scheduled.add_mutation(mutation_bytedec);
scheduled.add_mutation(mutation_byteneg); scheduled.add_mutation(mutation_byteneg);
@ -301,7 +301,7 @@ where
scheduled.add_mutation(mutation_bytesset); scheduled.add_mutation(mutation_bytesset);
scheduled.add_mutation(mutation_bytesrandset); scheduled.add_mutation(mutation_bytesrandset);
scheduled.add_mutation(mutation_bytescopy); scheduled.add_mutation(mutation_bytescopy);
scheduled.add_mutation(mutation_bytesswap); scheduled.add_mutation(mutation_bytesswap);*/
/* TODO /* TODO
scheduled.add_mutation(mutation_tokeninsert); scheduled.add_mutation(mutation_tokeninsert);

4
fuzzers/libfuzzer_libpng/harness.cc
View File

@ -156,14 +156,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
return 0; return 0;
} }
#ifdef HAS_BUG
// This is going to be too slow. // This is going to be too slow.
if (width && height > 100000000 / width) { if (width && height > 100000000 / width) {
PNG_CLEANUP PNG_CLEANUP
#ifdef HAS_BUG
asm("ud2"); asm("ud2");
#endif
return 0; return 0;
} }
#endif
// Set several transforms that browsers typically use: // Set several transforms that browsers typically use:
png_set_gray_to_rgb(png_handler.png_ptr); png_set_gray_to_rgb(png_handler.png_ptr);

34
fuzzers/libfuzzer_libpng/src/mod.rs
View File

@ -4,13 +4,14 @@
#[macro_use] #[macro_use]
extern crate clap; extern crate clap;
use afl::shmem::AflShmem;
use clap::{App, Arg}; use clap::{App, Arg};
use std::{env, path::PathBuf}; use std::{env, path::PathBuf};
use afl::{ use afl::{
corpus::{Corpus, InMemoryCorpus}, corpus::{Corpus, InMemoryCorpus},
events::setup_restarting_state, events::setup_restarting_mgr,
events::{LlmpEventManager, SimpleStats}, events::{SimpleStats},
executors::{inprocess::InProcessExecutor, Executor, ExitKind}, executors::{inprocess::InProcessExecutor, Executor, ExitKind},
feedbacks::MaxMapFeedback, feedbacks::MaxMapFeedback,
inputs::Input, inputs::Input,
@ -120,39 +121,36 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), AflError> {
// 'While the stats are state, they are usually used in the broker - which is likely never restarted // 'While the stats are state, they are usually used in the broker - which is likely never restarted
let stats = SimpleStats::new(|s| println!("{}", s)); let stats = SimpleStats::new(|s| println!("{}", s));
let mut mgr = LlmpEventManager::new_on_port_std(stats, broker_port)?; // The restarting state will spawn the same process again as child, then restartet it each time it crashes.
if mgr.is_broker() { let (state_opt, mut restarting_mgr) =
// Yep, broker. Just loop here. setup_restarting_mgr::<_, _, _, _, AflShmem, _>(stats, broker_port).expect("Failed to setup the restarter".into());
println!("Doing broker things. Run this tool again to start fuzzing in a client.");
mgr.broker_loop()?;
}
let edges_observer = let edges_observer =
StdMapObserver::new_from_ptr(&NAME_COV_MAP, unsafe { __lafl_edges_map }, unsafe { StdMapObserver::new_from_ptr(&NAME_COV_MAP, unsafe { __lafl_edges_map }, unsafe {
__lafl_max_edges_size as usize __lafl_max_edges_size as usize
}); });
let mut mutator = HavocBytesMutator::new_default();
mutator.set_max_size(4096);
let stage = StdMutationalStage::new(mutator);
let mut fuzzer = StdFuzzer::new(tuple_list!(stage));
// The restarting state will spawn the same process again as child, then restartet it each time it crashes.
let (state_opt, mut restarting_mgr) =
setup_restarting_state(&mut mgr).expect("Failed to setup the restarter".into());
let mut state = match state_opt { let mut state = match state_opt {
Some(s) => s, Some(s) => s,
None => State::new( None => {
State::new(
InMemoryCorpus::new(), InMemoryCorpus::new(),
tuple_list!(MaxMapFeedback::new_with_observer( tuple_list!(MaxMapFeedback::new_with_observer(
&NAME_COV_MAP, &NAME_COV_MAP,
&edges_observer &edges_observer
)), )),
), )
},
}; };
println!("We're a client, let's fuzz :)"); println!("We're a client, let's fuzz :)");
let mut mutator = HavocBytesMutator::new_default();
mutator.set_max_size(4096);
let stage = StdMutationalStage::new(mutator);
let mut fuzzer = StdFuzzer::new(tuple_list!(stage));
// Create the executor // Create the executor
let mut executor = InProcessExecutor::new( let mut executor = InProcessExecutor::new(
"Libfuzzer", "Libfuzzer",