SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

conflicts

Browse Source
This commit is contained in:
Andrea Fioraldi 2020-12-09 10:30:28 +01:00
commit 94736f0b31
6 changed files with 1118 additions and 1717 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
afl/Cargo.toml
View File

@ -33,4 +33,4 @@ num = "*"
xxhash-rust = { version = "0.8.0", features = ["xxh3"] } # xxh3 hashing for rust xxhash-rust = { version = "0.8.0", features = ["xxh3"] } # xxh3 hashing for rust
serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib
erased-serde = "0.3.12" erased-serde = "0.3.12"
postcard = "0.5.1" # no_std compatible serde serialization fromat postcard = "0.5.1" # no_std compatible serde serialization fromat

138
afl/llmp_test/src/main.rs
View File

@ -1,60 +1,33 @@
#[macro_use]
extern crate alloc; extern crate alloc;
use core::convert::TryInto; use core::convert::TryInto;
use core::ffi::c_void; use core::time::Duration;
use core::mem::size_of;
use core::ptr;
use std::thread; use std::thread;
use std::time; use std::time;
use afl::events::llmp_translated::*; use afl::events::llmp;
const TAG_SIMPLE_U32_V1: u32 = 0x51300321; const TAG_SIMPLE_U32_V1: u32 = 0x51300321;
const TAG_MATH_RESULT_V1: u32 = 0x77474331; const TAG_MATH_RESULT_V1: u32 = 0x77474331;
unsafe fn llmp_test_clientloop(client: *mut LlmpClient, _data: *mut c_void) -> ! { fn adder_loop(port: u16) -> ! {
let mut counter: u32 = 0; let mut client = llmp::LlmpClient::create_attach_to_tcp(port).unwrap();
loop {
counter += 1;
let msg = llmp_client_alloc_next(client, size_of::<u32>());
core::ptr::copy(
counter.to_be_bytes().as_ptr(),
(*msg).buf.as_mut_ptr(),
size_of::<u32>(),
);
(*msg).tag = TAG_SIMPLE_U32_V1;
llmp_client_send(client, msg).unwrap();
thread::sleep(time::Duration::from_millis(100));
}
}
unsafe fn u32_from_msg(msg: *const LlmpMsg) -> u32 {
u32::from_be_bytes(
alloc::slice::from_raw_parts((*msg).buf.as_ptr(), size_of::<u32>())
.try_into()
.unwrap(),
)
}
unsafe fn test_adder_clientloop(client: *mut LlmpClient, _data: *mut c_void) -> ! {
let mut last_result: u32 = 0; let mut last_result: u32 = 0;
let mut current_result: u32 = 0; let mut current_result: u32 = 0;
loop { loop {
let mut msg_counter = 0; let mut msg_counter = 0;
loop { loop {
let last_msg = llmp_client_recv(client); let (tag, buf) = match client.recv_buf().unwrap() {
if last_msg == 0 as *mut LlmpMsg { None => break,
break; Some(msg) => msg,
} };
msg_counter += 1; msg_counter += 1;
match (*last_msg).tag { match tag {
TAG_SIMPLE_U32_V1 => { TAG_SIMPLE_U32_V1 => {
current_result = current_result.wrapping_add(u32_from_msg(last_msg)); current_result =
current_result.wrapping_add(u32::from_le_bytes(buf.try_into().unwrap()));
} }
_ => println!("Adder Client ignored unknown message {}", (*last_msg).tag), _ => println!("Adder Client ignored unknown message {}", tag),
}; };
} }
@ -64,14 +37,9 @@ unsafe fn test_adder_clientloop(client: *mut LlmpClient, _data: *mut c_void) ->
msg_counter, current_result msg_counter, current_result
); );
let msg = llmp_client_alloc_next(client, size_of::<u32>()); client
core::ptr::copy( .send_buf(TAG_MATH_RESULT_V1, &current_result.to_le_bytes())
current_result.to_be_bytes().as_ptr(), .unwrap();
(*msg).buf.as_mut_ptr(),
size_of::<u32>(),
);
(*msg).tag = TAG_MATH_RESULT_V1;
llmp_client_send(client, msg).unwrap();
last_result = current_result; last_result = current_result;
} }
@ -80,61 +48,69 @@ unsafe fn test_adder_clientloop(client: *mut LlmpClient, _data: *mut c_void) ->
} }
unsafe fn broker_message_hook( unsafe fn broker_message_hook(
_broker: *mut LlmpBroker, client_id: u32,
client_metadata: *mut LlmpBrokerClientMetadata, message: *mut llmp::LlmpMsg,
message: *mut LlmpMsg, ) -> llmp::LlmpMsgHookResult {
_data: *mut c_void,
) -> LlmpMsgHookResult {
match (*message).tag { match (*message).tag {
TAG_SIMPLE_U32_V1 => { TAG_SIMPLE_U32_V1 => {
println!( println!(
"Client {:?} sent message: {:?}", "Client {:?} sent message: {:?}",
(*client_metadata).pid, client_id,
u32_from_msg(message) u32::from_le_bytes((*message).as_slice().try_into().unwrap())
); );
LlmpMsgHookResult::ForwardToClients llmp::LlmpMsgHookResult::ForwardToClients
} }
TAG_MATH_RESULT_V1 => { TAG_MATH_RESULT_V1 => {
println!( println!(
"Adder Client has this current result: {:?}", "Adder Client has this current result: {:?}",
u32_from_msg(message) u32::from_le_bytes((*message).as_slice().try_into().unwrap())
); );
LlmpMsgHookResult::Handled llmp::LlmpMsgHookResult::Handled
} }
_ => { _ => {
println!("Unknwon message id received!"); println!("Unknwon message id received!");
LlmpMsgHookResult::ForwardToClients llmp::LlmpMsgHookResult::ForwardToClients
} }
} }
} }
fn main() { fn main() {
/* The main node has a broker, and a few worker threads */ /* The main node has a broker, and a few worker threads */
let threads_total = num_cpus::get();
let counter_thread_count = threads_total - 2; let mode = std::env::args()
println!( .nth(1)
"Running with 1 broker, 1 adder, and {} counter clients", .expect("no mode specified, chose 'broker', 'ctr', or 'adder'");
counter_thread_count let port: u16 = std::env::args()
); .nth(2)
.unwrap_or("1337".into())
.parse::<u16>()
.unwrap();
println!("Launching in mode {} on port {}", mode, port);
unsafe { match mode.as_str() {
let mut broker = LlmpBroker::new().expect("Failed to create llmp broker"); "broker" => {
for i in 0..counter_thread_count { let mut broker: llmp::LlmpBroker = llmp::LlmpBroker::new().unwrap();
println!("Adding client {}", i); broker.launch_tcp_listener(port).unwrap();
broker broker.add_message_hook(broker_message_hook);
.register_childprocess_clientloop(llmp_test_clientloop, ptr::null_mut()) broker.loop_forever(Some(Duration::from_millis(5)))
.expect("could not add child clientloop"); }
"ctr" => {
let mut client = llmp::LlmpClient::create_attach_to_tcp(port).unwrap();
let mut counter: u32 = 0;
loop {
counter = counter.wrapping_add(1);
client
.send_buf(TAG_SIMPLE_U32_V1, &counter.to_le_bytes())
.unwrap();
println!("CTR Client writing {}", counter);
thread::sleep(Duration::from_secs(1))
}
}
"adder" => {
adder_loop(port);
}
_ => {
println!("No valid mode supplied");
} }
broker
.register_childprocess_clientloop(test_adder_clientloop, ptr::null_mut())
.expect("Error registering childprocess");
println!("Spawning broker");
broker.add_message_hook(broker_message_hook, ptr::null_mut());
broker.run();
} }
} }

1078
afl/src/events/llmp.rs
View File

File diff suppressed because it is too large Load Diff

89
afl/src/events/llmp_manager.rs Normal file
View File

@ -0,0 +1,89 @@
use core::marker::PhantomData;
use core::ptr;
use std::{ffi::c_void, io::Read, io::Write, net::TcpListener};
use crate::{
corpus::Corpus, engines::State, executors::Executor, inputs::Input, utils::Rand, AflError,
};
use super::{
llmp_translated::{LlmpBroker, LlmpClient, LlmpClientloopFn, LlmpMsgHookFn},
Event, EventManager,
};
/// Eventmanager for multi-processed application
#[cfg(feature = "std")]
pub struct LLMPEventManager<C, E, I, R>
where
C: Corpus<I, R>,
I: Input,
E: Executor<I>,
R: Rand,
//CE: CustomEvent<C, E, I, R>,
{
// TODO...
phantom: PhantomData<(C, E, I, R)>,
is_broker: bool,
}
#[cfg(feature = "std")]
impl<C, E, I, R> EventManager<C, E, I, R> for LLMPEventManager<C, E, I, R>
where
C: Corpus<I, R>,
E: Executor<I>,
I: Input,
R: Rand,
//CE: CustomEvent<C, E, I, R>,
{
fn enabled(&self) -> bool {
true
}
fn fire(&mut self, _event: Event<C, E, I, R>) -> Result<(), AflError> {
//self.events.push(event);
// TODO: Serde serialize, llmp send
Ok(())
}
fn process(&mut self, _state: &mut State<I, R>, _corpus: &mut C) -> Result<usize, AflError> {
// TODO: iterators
/*
let mut handled = vec![];
for x in self.events.iter() {
handled.push(x.handle_in_broker(state, corpus)?);
}
handled
.iter()
.zip(self.events.iter())
.map(|(x, event)| match x {
BrokerEventResult::Forward => event.handle_in_client(state, corpus),
// Ignore broker-only events
BrokerEventResult::Handled => Ok(()),
})
.for_each(drop);
let count = self.events.len();
dbg!("Handled {} events", count);
self.events.clear();
let num = self.events.len();
for event in &self.events {}
self.events.clear();
*/
Ok(0)
}
}
#[cfg(feature = "std")]
impl<C, E, I, R> LLMPEventManager<C, E, I, R>
where
C: Corpus<I, R>,
I: Input,
E: Executor<I>,
R: Rand,
{
}

1478
afl/src/events/llmp_translated.rs
View File

File diff suppressed because it is too large Load Diff

50
afl/src/events/shmem_translated.rs
View File

@ -1,5 +1,5 @@
use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_ushort, c_void}; use libc::{c_char, c_int, c_long, c_uchar, c_uint, c_ulong, c_ushort, c_void};
use std::ffi::CStr; use std::{ffi::CStr, mem::size_of};
use crate::AflError; use crate::AflError;
@ -59,12 +59,11 @@ const AFL_RET_SUCCESS: c_uint = 0;
// too.) // too.)
#[derive(Clone)] #[derive(Clone)]
#[repr(C)]
pub struct AflShmem { pub struct AflShmem {
pub shm_str: [u8; 20], pub shm_str: [u8; 20],
pub shm_id: c_int, pub shm_id: c_int,
pub map: *mut c_uchar, pub map: *mut c_uchar,
pub map_size: c_ulong, pub map_size: usize,
} }
/// Deinit on drop /// Deinit on drop
@ -87,20 +86,28 @@ const fn afl_shmem_unitialized() -> AflShmem {
} }
impl AflShmem { impl AflShmem {
fn from_str(shm_str: &CStr, map_size: c_ulong) -> Result<Self, AflError> { pub fn from_str(shm_str: &CStr, map_size: usize) -> Result<Self, AflError> {
let mut ret = afl_shmem_unitialized(); let mut ret = afl_shmem_unitialized();
let map = unsafe { afl_shmem_init(&mut ret, map_size) }; let map = unsafe { afl_shmem_by_str(&mut ret, shm_str, map_size) };
if map != 0 as *mut u8 { if map != 0 as *mut u8 {
Ok(ret) Ok(ret)
} else { } else {
Err(AflError::Unknown(format!( Err(AflError::Unknown(format!(
"Could not allocate map with id {:?}", "Could not allocate map with id {:?} and size {}",
shm_str shm_str, map_size
))) )))
} }
} }
fn new(map_size: c_ulong) -> Result<Self, AflError> { /// Generate a shared map with a fixed byte array of 20
pub fn from_name_slice(shm_str: &[u8; 20], map_size: usize) -> Result<Self, AflError> {
unsafe {
let str_bytes = shm_str as *const [u8; 20] as *const libc::c_char;
Self::from_str(CStr::from_ptr(str_bytes), map_size)
}
}
pub fn new(map_size: usize) -> Result<Self, AflError> {
let mut ret = afl_shmem_unitialized(); let mut ret = afl_shmem_unitialized();
let map = unsafe { afl_shmem_init(&mut ret, map_size) }; let map = unsafe { afl_shmem_init(&mut ret, map_size) };
if map != 0 as *mut u8 { if map != 0 as *mut u8 {
@ -115,7 +122,7 @@ impl AflShmem {
/// Sets this shm id as env variable with the given name /// Sets this shm id as env variable with the given name
/// Also write the map size as name#_SIZE env /// Also write the map size as name#_SIZE env
fn to_env_var(&self, env_name: &CStr) -> Result<(), AflError> { pub fn to_env_var(&self, env_name: &CStr) -> Result<(), AflError> {
if unsafe { afl_shmem_to_env_var(&self, env_name) } == AFL_RET_SUCCESS { if unsafe { afl_shmem_to_env_var(&self, env_name) } == AFL_RET_SUCCESS {
Ok(()) Ok(())
} else { } else {
@ -141,12 +148,12 @@ pub unsafe fn afl_shmem_deinit(shm: *mut AflShmem) {
/// Functions to create Shared memory region, for observation channels and /// Functions to create Shared memory region, for observation channels and
/// opening inputs and stuff. /// opening inputs and stuff.
pub unsafe fn afl_shmem_init(shm: *mut AflShmem, map_size: c_ulong) -> *mut c_uchar { pub unsafe fn afl_shmem_init(shm: *mut AflShmem, map_size: usize) -> *mut c_uchar {
(*shm).map_size = map_size; (*shm).map_size = map_size;
(*shm).map = 0 as *mut c_uchar; (*shm).map = 0 as *mut c_uchar;
(*shm).shm_id = shmget( (*shm).shm_id = shmget(
0 as c_int, 0 as c_int,
map_size, map_size as c_ulong,
0o1000 as c_int | 0o2000 as c_int | 0o600 as c_int, 0o1000 as c_int | 0o2000 as c_int | 0o600 as c_int,
); );
if (*shm).shm_id < 0 as c_int { if (*shm).shm_id < 0 as c_int {
@ -155,12 +162,13 @@ pub unsafe fn afl_shmem_init(shm: *mut AflShmem, map_size: c_ulong) -> *mut c_uc
} }
snprintf( snprintf(
(*shm).shm_str.as_mut_ptr() as *mut i8, (*shm).shm_str.as_mut_ptr() as *mut i8,
::std::mem::size_of::<[c_char; 20]>() as c_ulong, size_of::<[c_char; 20]>() as c_ulong,
b"%d\x00" as *const u8 as *const c_char, b"%d\x00" as *const u8 as *const c_char,
(*shm).shm_id, (*shm).shm_id,
); );
(*shm).shm_str[(::std::mem::size_of::<[c_char; 20]>() as c_ulong) (*shm).shm_str
.wrapping_sub(1 as c_int as c_ulong) as usize] = '\u{0}' as u8; [(size_of::<[c_char; 20]>() as c_ulong).wrapping_sub(1 as c_int as c_ulong) as usize] =
'\u{0}' as u8;
(*shm).map = shmat((*shm).shm_id, 0 as *const c_void, 0 as c_int) as *mut c_uchar; (*shm).map = shmat((*shm).shm_id, 0 as *const c_void, 0 as c_int) as *mut c_uchar;
if (*shm).map == -(1 as c_int) as *mut c_void as *mut c_uchar || (*shm).map.is_null() { if (*shm).map == -(1 as c_int) as *mut c_void as *mut c_uchar || (*shm).map.is_null() {
shmctl((*shm).shm_id, 0 as c_int, 0 as *mut shmid_ds); shmctl((*shm).shm_id, 0 as c_int, 0 as *mut shmid_ds);
@ -175,7 +183,7 @@ pub unsafe fn afl_shmem_init(shm: *mut AflShmem, map_size: c_ulong) -> *mut c_uc
pub unsafe fn afl_shmem_by_str( pub unsafe fn afl_shmem_by_str(
shm: *mut AflShmem, shm: *mut AflShmem,
shm_str: &CStr, shm_str: &CStr,
map_size: c_ulong, map_size: usize,
) -> *mut c_uchar { ) -> *mut c_uchar {
if shm.is_null() || shm_str.to_bytes().len() == 0 || map_size == 0 { if shm.is_null() || shm_str.to_bytes().len() == 0 || map_size == 0 {
return 0 as *mut c_uchar; return 0 as *mut c_uchar;
@ -185,7 +193,7 @@ pub unsafe fn afl_shmem_by_str(
strncpy( strncpy(
(*shm).shm_str.as_mut_ptr() as *mut c_char, (*shm).shm_str.as_mut_ptr() as *mut c_char,
shm_str.as_ptr() as *const c_char, shm_str.as_ptr() as *const c_char,
(::std::mem::size_of::<[c_char; 20]>() as c_ulong).wrapping_sub(1 as c_int as c_ulong), (size_of::<[c_char; 20]>() as c_ulong).wrapping_sub(1 as c_int as c_ulong),
); );
(*shm).shm_id = shm_str (*shm).shm_id = shm_str
.to_str() .to_str()
@ -195,8 +203,8 @@ pub unsafe fn afl_shmem_by_str(
(*shm).map = shmat((*shm).shm_id, 0 as *const c_void, 0 as c_int) as *mut c_uchar; (*shm).map = shmat((*shm).shm_id, 0 as *const c_void, 0 as c_int) as *mut c_uchar;
if (*shm).map == -(1 as c_int) as *mut c_void as *mut c_uchar { if (*shm).map == -(1 as c_int) as *mut c_void as *mut c_uchar {
(*shm).map = 0 as *mut c_uchar; (*shm).map = 0 as *mut c_uchar;
(*shm).map_size = 0 as c_int as c_ulong; (*shm).map_size = 0;
(*shm).shm_str[0 as c_int as usize] = '\u{0}' as u8; (*shm).shm_str[0] = '\u{0}' as u8;
return 0 as *mut c_uchar; return 0 as *mut c_uchar;
} }
return (*shm).map; return (*shm).map;
@ -211,7 +219,7 @@ pub unsafe fn afl_shmem_to_env_var(shmem: &AflShmem, env_name: &CStr) -> c_uint
let mut shm_str: [c_char; 256] = [0; 256]; let mut shm_str: [c_char; 256] = [0; 256];
snprintf( snprintf(
shm_str.as_mut_ptr(), shm_str.as_mut_ptr(),
::std::mem::size_of::<[c_char; 256]>() as c_ulong, size_of::<[c_char; 256]>() as c_ulong,
b"%d\x00" as *const u8 as *const c_char, b"%d\x00" as *const u8 as *const c_char,
(*shmem).shm_id, (*shmem).shm_id,
); );
@ -227,13 +235,13 @@ pub unsafe fn afl_shmem_to_env_var(shmem: &AflShmem, env_name: &CStr) -> c_uint
let mut size_env_name: [c_char; 256] = [0; 256]; let mut size_env_name: [c_char; 256] = [0; 256];
snprintf( snprintf(
size_env_name.as_mut_ptr(), size_env_name.as_mut_ptr(),
::std::mem::size_of::<[c_char; 256]>() as c_ulong, size_of::<[c_char; 256]>() as c_ulong,
b"%s_SIZE\x00" as *const u8 as *const c_char, b"%s_SIZE\x00" as *const u8 as *const c_char,
env_name, env_name,
); );
snprintf( snprintf(
shm_str.as_mut_ptr(), shm_str.as_mut_ptr(),
::std::mem::size_of::<[c_char; 256]>() as c_ulong, size_of::<[c_char; 256]>() as c_ulong,
b"%d\x00" as *const u8 as *const c_char, b"%d\x00" as *const u8 as *const c_char,
(*shmem).shm_id, (*shmem).shm_id,
); );