SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix restating mgr routine

Browse Source
This commit is contained in:
Andrea Fioraldi 2021-02-11 14:46:28 +01:00
parent ce499f858f
commit 886aa605a8
6 changed files with 70 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Cargo.toml
View File

@ -3,4 +3,4 @@
members = [
"afl",
"fuzzers/libfuzzer_libpng",
]
]

2
afl/Cargo.toml
View File

@ -50,4 +50,4 @@ erased-serde = "0.3.12"
postcard = { version = "0.5.1", features = ["alloc"] } # no_std compatible serde serialization fromat
static_assertions = "1.1.0"
serde_json = { version = "1.0", default-features = false, features = ["alloc"] } # an easy way to debug print SerdeAnyMap
#TODO: for llmp brotli = { version = "3.3.0", default-features = false } # brotli compression
#TODO: for llmp brotli = { version = "3.3.0", default-features = false } # brotli compression

60
afl/src/events/mod.rs
View File

@ -915,8 +915,10 @@ where
/// A restarting state is a combination of restarter and runner, that can be used on systems without `fork`.
/// The restarter will start a new process each time the child crashes or timeouts.
#[cfg(feature = "std")]
pub fn setup_restarting_state<I, C, FT, R, SH, ST>(
mgr: &mut LlmpEventManager<I, SH, ST>,
pub fn setup_restarting_mgr<I, C, FT, R, SH, ST>(
//mgr: &mut LlmpEventManager<I, SH, ST>,
stats: ST,
broker_port: u16,
) -> Result<
(
Option<State<C, FT, I, R>>,
@ -932,32 +934,44 @@ where
SH: ShMem,
ST: Stats,
{
let mut mgr;
// We start ourself as child process to actually fuzz
if std::env::var(ENV_FUZZER_SENDER).is_err() {
mgr.to_env(ENV_FUZZER_BROKER_CLIENT_INITIAL);
// First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts.
let sender = LlmpSender::new(0, false)?;
let receiver = LlmpReceiver::on_existing_map(
AflShmem::clone_ref(&sender.out_maps.last().unwrap().shmem)?,
None,
)?;
// Store the information to a map.
sender.to_env(ENV_FUZZER_SENDER)?;
receiver.to_env(ENV_FUZZER_RECEIVER)?;
mgr = LlmpEventManager::<I, SH, ST>::new_on_port(stats, broker_port)?;
if mgr.is_broker() {
// Yep, broker. Just loop here.
println!("Doing broker things. Run this tool again to start fuzzing in a client.");
mgr.broker_loop()?;
} else {
mgr.to_env(ENV_FUZZER_BROKER_CLIENT_INITIAL);
let mut ctr = 0;
// Client->parent loop
loop {
dbg!("Spawning next client");
Command::new(env::current_exe()?)
.current_dir(env::current_dir()?)
.args(env::args())
.status()?;
ctr += 1;
if ctr == 10 {
todo!("Fix this");
// First, create a channel from the fuzzer (sender) to us (receiver) to report its state for restarts.
let sender = LlmpSender::new(0, false)?;
let receiver = LlmpReceiver::on_existing_map(
AflShmem::clone_ref(&sender.out_maps.last().unwrap().shmem)?,
None,
)?;
// Store the information to a map.
sender.to_env(ENV_FUZZER_SENDER)?;
receiver.to_env(ENV_FUZZER_RECEIVER)?;
let mut ctr = 0;
// Client->parent loop
loop {
dbg!("Spawning next client");
Command::new(env::current_exe()?)
.current_dir(env::current_dir()?)
.args(env::args())
.status()?;
ctr += 1;
if ctr == 10 {
todo!("Fix this");
}
}
}
}

8
afl/src/mutators/scheduled.rs
View File

@ -208,7 +208,7 @@ where
let idx = self.scheduled.schedule(14, rand, input);
let mutation = match idx {
0 => mutation_bitflip,
1 => mutation_byteflip,
/*1 => mutation_byteflip,
2 => mutation_byteinc,
3 => mutation_bytedec,
4 => mutation_byteneg,
@ -219,7 +219,7 @@ where
8 => mutation_dwordadd,
9 => mutation_byteinteresting,
10 => mutation_wordinteresting,
11 => mutation_dwordinteresting,
11 => mutation_dwordinteresting,*/
_ => mutation_splice,
};
mutation(self, rand, state, input)?;
@ -277,7 +277,7 @@ where
pub fn new_default() -> Self {
let mut scheduled = StdScheduledMutator::<C, I, R, S>::new();
scheduled.add_mutation(mutation_bitflip);
scheduled.add_mutation(mutation_byteflip);
/*scheduled.add_mutation(mutation_byteflip);
scheduled.add_mutation(mutation_byteinc);
scheduled.add_mutation(mutation_bytedec);
scheduled.add_mutation(mutation_byteneg);
@ -301,7 +301,7 @@ where
scheduled.add_mutation(mutation_bytesset);
scheduled.add_mutation(mutation_bytesrandset);
scheduled.add_mutation(mutation_bytescopy);
scheduled.add_mutation(mutation_bytesswap);
scheduled.add_mutation(mutation_bytesswap);*/
/* TODO
scheduled.add_mutation(mutation_tokeninsert);

4
fuzzers/libfuzzer_libpng/harness.cc
View File

@ -156,14 +156,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
return 0;
}
#ifdef HAS_BUG
// This is going to be too slow.
if (width && height > 100000000 / width) {
PNG_CLEANUP
#ifdef HAS_BUG
asm("ud2");
#endif
return 0;
}
#endif
// Set several transforms that browsers typically use:
png_set_gray_to_rgb(png_handler.png_ptr);

52
fuzzers/libfuzzer_libpng/src/mod.rs
View File

@ -4,13 +4,14 @@
#[macro_use]
extern crate clap;
use afl::shmem::AflShmem;
use clap::{App, Arg};
use std::{env, path::PathBuf};
use afl::{
corpus::{Corpus, InMemoryCorpus},
events::setup_restarting_state,
events::{LlmpEventManager, SimpleStats},
events::setup_restarting_mgr,
events::{SimpleStats},
executors::{inprocess::InProcessExecutor, Executor, ExitKind},
feedbacks::MaxMapFeedback,
inputs::Input,
@ -119,39 +120,36 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), AflError> {
let mut rand = StdRand::new(0);
// 'While the stats are state, they are usually used in the broker - which is likely never restarted
let stats = SimpleStats::new(|s| println!("{}", s));
let mut mgr = LlmpEventManager::new_on_port_std(stats, broker_port)?;
if mgr.is_broker() {
// Yep, broker. Just loop here.
println!("Doing broker things. Run this tool again to start fuzzing in a client.");
mgr.broker_loop()?;
}
// The restarting state will spawn the same process again as child, then restartet it each time it crashes.
let (state_opt, mut restarting_mgr) =
setup_restarting_mgr::<_, _, _, _, AflShmem, _>(stats, broker_port).expect("Failed to setup the restarter".into());
let edges_observer =
StdMapObserver::new_from_ptr(&NAME_COV_MAP, unsafe { __lafl_edges_map }, unsafe {
__lafl_max_edges_size as usize
});
StdMapObserver::new_from_ptr(&NAME_COV_MAP, unsafe { __lafl_edges_map }, unsafe {
__lafl_max_edges_size as usize
});
let mut state = match state_opt {
Some(s) => s,
None => {
State::new(
InMemoryCorpus::new(),
tuple_list!(MaxMapFeedback::new_with_observer(
&NAME_COV_MAP,
&edges_observer
)),
)
},
};
println!("We're a client, let's fuzz :)");
let mut mutator = HavocBytesMutator::new_default();
mutator.set_max_size(4096);
let stage = StdMutationalStage::new(mutator);
let mut fuzzer = StdFuzzer::new(tuple_list!(stage));
// The restarting state will spawn the same process again as child, then restartet it each time it crashes.
let (state_opt, mut restarting_mgr) =
setup_restarting_state(&mut mgr).expect("Failed to setup the restarter".into());
let mut state = match state_opt {
Some(s) => s,
None => State::new(
InMemoryCorpus::new(),
tuple_list!(MaxMapFeedback::new_with_observer(
&NAME_COV_MAP,
&edges_observer
)),
),
};
println!("We're a client, let's fuzz :)");
// Create the executor
let mut executor = InProcessExecutor::new(