SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix UB for differential map observer example (#1140)

Browse Source 
* Fix UB for differential map observer example

* clippy

* undo submodule foo
This commit is contained in:
Dominik Maier 2023-03-14 13:50:50 +01:00 committed by GitHub
parent 460787196a
commit 8dfdee6fce
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 55 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
fuzzers/baby_fuzzer_swap_differential/src/main.rs
View File

@ -46,16 +46,13 @@ use bindings::{inspect_first, inspect_second};
#[cfg(feature = "multimap")] #[cfg(feature = "multimap")]
mod multimap { mod multimap {
pub use libafl::observers::{HitcountsIterableMapObserver, MultiMapObserver}; pub use libafl::{
bolts::ownedref::OwnedMutSlice,
pub static mut FIRST_EDGES: &mut [u8] = &mut []; observers::{HitcountsIterableMapObserver, MultiMapObserver},
pub static mut SECOND_EDGES: &mut [u8] = &mut []; };
pub static mut COMBINED_EDGES: [&mut [u8]; 2] = [&mut [], &mut []];
} }
#[cfg(feature = "multimap")] #[cfg(feature = "multimap")]
use multimap::{ use multimap::{HitcountsIterableMapObserver, MultiMapObserver, OwnedMutSlice};
HitcountsIterableMapObserver, MultiMapObserver, COMBINED_EDGES, FIRST_EDGES, SECOND_EDGES,
};
#[cfg(not(feature = "multimap"))] #[cfg(not(feature = "multimap"))]
mod slicemap { mod slicemap {
@ -92,18 +89,32 @@ pub fn main() {
let num_edges: usize = edges_max_num(); let num_edges: usize = edges_max_num();
#[cfg(feature = "multimap")] #[cfg(feature = "multimap")]
let (first_map_observer, second_map_observer, map_swapper, map_observer) = { let (
first_map_observer,
second_map_observer,
map_swapper,
map_observer,
layout,
first_edges,
second_edges,
) = {
// initialize the maps // initialize the maps
unsafe { let layout = Layout::from_size_align(num_edges, 64).unwrap();
let layout = Layout::from_size_align(num_edges, 64).unwrap(); let first_edges = unsafe { (alloc_zeroed(layout), num_edges) };
FIRST_EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), num_edges); let second_edges = unsafe { (alloc_zeroed(layout), num_edges) };
SECOND_EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), num_edges);
COMBINED_EDGES = [&mut FIRST_EDGES, &mut SECOND_EDGES]; let combined_edges = unsafe {
} vec![
OwnedMutSlice::from_raw_parts_mut(first_edges.0, first_edges.1),
OwnedMutSlice::from_raw_parts_mut(second_edges.0, second_edges.1),
]
};
// create the base maps used to observe the different executors from two independent maps // create the base maps used to observe the different executors from two independent maps
let mut first_map_observer = unsafe { StdMapObserver::new("first-edges", FIRST_EDGES) }; let mut first_map_observer =
let mut second_map_observer = unsafe { StdMapObserver::new("second-edges", SECOND_EDGES) }; unsafe { StdMapObserver::from_mut_ptr("first-edges", first_edges.0, first_edges.1) };
let mut second_map_observer =
unsafe { StdMapObserver::from_mut_ptr("second-edges", second_edges.0, second_edges.1) };
// create a map swapper so that we can replace the coverage map pointer (requires feature pointer_maps!) // create a map swapper so that we can replace the coverage map pointer (requires feature pointer_maps!)
let map_swapper = let map_swapper =
@ -112,18 +123,19 @@ pub fn main() {
// create a combined map observer, e.g. for calibration // create a combined map observer, e.g. for calibration
// we use MultiMapObserver::differential to indicate that we want to use the observer in // we use MultiMapObserver::differential to indicate that we want to use the observer in
// differential mode // differential mode
let map_observer = unsafe { let map_observer = HitcountsIterableMapObserver::new(MultiMapObserver::differential(
HitcountsIterableMapObserver::new(MultiMapObserver::differential( "combined-edges",
"combined-edges", combined_edges,
&mut COMBINED_EDGES, ));
))
};
( (
first_map_observer, first_map_observer,
second_map_observer, second_map_observer,
map_swapper, map_swapper,
map_observer, map_observer,
layout,
first_edges,
second_edges,
) )
}; };
#[cfg(not(feature = "multimap"))] #[cfg(not(feature = "multimap"))]
@ -134,15 +146,13 @@ pub fn main() {
EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), num_edges * 2); EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), num_edges * 2);
} }
let edges_ptr = unsafe { EDGES.as_mut_ptr() };
// create the base maps used to observe the different executors by splitting a slice // create the base maps used to observe the different executors by splitting a slice
let mut first_map_observer = let mut first_map_observer =
unsafe { StdMapObserver::from_mut_ptr("first-edges", EDGES.as_mut_ptr(), num_edges) }; unsafe { StdMapObserver::from_mut_ptr("first-edges", edges_ptr, num_edges) };
let mut second_map_observer = unsafe { let mut second_map_observer = unsafe {
StdMapObserver::from_mut_ptr( StdMapObserver::from_mut_ptr("second-edges", edges_ptr.add(num_edges), num_edges)
"second-edges",
EDGES.as_mut_ptr().add(num_edges),
num_edges,
)
}; };
// create a map swapper so that we can replace the coverage map pointer (requires feature pointer_maps!) // create a map swapper so that we can replace the coverage map pointer (requires feature pointer_maps!)
@ -155,7 +165,7 @@ pub fn main() {
let map_observer = unsafe { let map_observer = unsafe {
HitcountsMapObserver::new(StdMapObserver::differential_from_mut_ptr( HitcountsMapObserver::new(StdMapObserver::differential_from_mut_ptr(
"combined-edges", "combined-edges",
EDGES.as_mut_ptr(), edges_ptr,
num_edges * 2, num_edges * 2,
)) ))
}; };
@ -263,4 +273,10 @@ pub fn main() {
) )
.expect("Error in the fuzzing loop"); .expect("Error in the fuzzing loop");
} }
#[cfg(feature = "multimap")]
unsafe {
std::alloc::dealloc(first_edges.0, layout);
std::alloc::dealloc(second_edges.0, layout);
}
} }

24
libafl/src/observers/map.rs
View File

@ -1828,21 +1828,15 @@ where
{ {
/// Creates a new [`MultiMapObserver`], maybe in differential mode /// Creates a new [`MultiMapObserver`], maybe in differential mode
#[must_use] #[must_use]
fn new_maybe_differential(name: &'static str, maps: &'a mut [&'a mut [T]]) -> Self { fn new_maybe_differential(name: &'static str, maps: Vec<OwnedMutSlice<'a, T>>) -> Self {
let mut idx = 0; let mut idx = 0;
let mut v = 0;
let mut builder = vec![]; let mut builder = vec![];
let maps: Vec<_> = maps for (v, x) in maps.iter().enumerate() {
.iter_mut() let l = x.as_slice().len();
.map(|x| { let r = (idx..(idx + l), v);
let l = x.len(); idx += l;
let r = (idx..(idx + l), v); builder.push(r);
idx += l; }
builder.push(r);
v += 1;
OwnedMutSlice::from(x)
})
.collect();
Self { Self {
maps, maps,
intervals: builder.into_iter().collect::<IntervalTree<usize, usize>>(), intervals: builder.into_iter().collect::<IntervalTree<usize, usize>>(),
@ -1860,7 +1854,7 @@ where
{ {
/// Creates a new [`MultiMapObserver`] in differential mode /// Creates a new [`MultiMapObserver`] in differential mode
#[must_use] #[must_use]
pub fn differential(name: &'static str, maps: &'a mut [&'a mut [T]]) -> Self { pub fn differential(name: &'static str, maps: Vec<OwnedMutSlice<'a, T>>) -> Self {
Self::new_maybe_differential(name, maps) Self::new_maybe_differential(name, maps)
} }
} }
@ -1871,7 +1865,7 @@ where
{ {
/// Creates a new [`MultiMapObserver`] /// Creates a new [`MultiMapObserver`]
#[must_use] #[must_use]
pub fn new(name: &'static str, maps: &'a mut [&'a mut [T]]) -> Self { pub fn new(name: &'static str, maps: Vec<OwnedMutSlice<'a, T>>) -> Self {
Self::new_maybe_differential(name, maps) Self::new_maybe_differential(name, maps)
} }