From 9bc4d81b76c65a6942ba4ca3800f579d87aad13d Mon Sep 17 00:00:00 2001 From: Andrea Fioraldi Date: Fri, 12 Feb 2021 23:06:32 +0100 Subject: [PATCH] max len done right --- afl/src/events/mod.rs | 8 ++++---- afl/src/events/stats.rs | 11 ++++++++--- afl/src/mutators/mutations.rs | 16 ++++++++-------- afl/src/mutators/scheduled.rs | 2 +- afl/src/mutators/token_mutations.rs | 2 +- afl/src/observers/mod.rs | 21 +++++++++++++++------ fuzzers/libfuzzer_libpng/src/mod.rs | 17 +++++++++++------ 7 files changed, 48 insertions(+), 29 deletions(-) diff --git a/afl/src/events/mod.rs b/afl/src/events/mod.rs index 212b67869c..5cc68781fd 100644 --- a/afl/src/events/mod.rs +++ b/afl/src/events/mod.rs @@ -578,7 +578,7 @@ where corpus_size, observers_buf: _, time, - executions + executions, } => { let client = stats.client_stats_mut_for(sender_id); client.update_corpus_size(*corpus_size as u64); @@ -639,7 +639,7 @@ where corpus_size: _, observers_buf, time: _, - executions: _ + executions: _, } => { // TODO: here u should match client_config, if equal to the current one do not re-execute // we need to pass engine to process() too, TODO @@ -977,7 +977,7 @@ mod tests { corpus_size: 123, client_config: "conf".into(), time: current_time(), - executions: 0 + executions: 0, }; let serialized = postcard::to_allocvec(&e).unwrap(); @@ -990,7 +990,7 @@ mod tests { corpus_size: _, client_config: _, time: _, - executions: _ + executions: _, } => { let o = map.deserialize(&observers_buf).unwrap(); let test_observer = o.match_name_type::>("test").unwrap(); diff --git a/afl/src/events/stats.rs b/afl/src/events/stats.rs index fef11c21fb..9799c69123 100644 --- a/afl/src/events/stats.rs +++ b/afl/src/events/stats.rs 
@@ -26,7 +26,9 @@ pub struct ClientStats { impl ClientStats { /// We got a new information about executions for this client, insert them. pub fn update_executions(&mut self, executions: u64, cur_time: time::Duration) { - let diff = cur_time.checked_sub(self.last_window_time).map_or(0, |d| d.as_secs()); + let diff = cur_time + .checked_sub(self.last_window_time) + .map_or(0, |d| d.as_secs()); if diff > CLIENT_STATS_TIME_WINDOW_SECS { let _ = self.execs_per_sec(cur_time); self.last_window_time = cur_time; @@ -46,7 +48,9 @@ impl ClientStats { return 0; } - let elapsed = cur_time.checked_sub(self.last_window_time).map_or(0, |d| d.as_secs()); + let elapsed = cur_time + .checked_sub(self.last_window_time) + .map_or(0, |d| d.as_secs()); if elapsed == 0 { return self.last_execs_per_sec as u64; } @@ -62,7 +66,8 @@ impl ClientStats { self.last_execs_per_sec = cur_avg; } - self.last_execs_per_sec = self.last_execs_per_sec * (1.0 - 1.0 / 16.0) + cur_avg * (1.0 / 16.0); + self.last_execs_per_sec = + self.last_execs_per_sec * (1.0 - 1.0 / 16.0) + cur_avg * (1.0 / 16.0); self.last_execs_per_sec as u64 } } diff --git a/afl/src/mutators/mutations.rs b/afl/src/mutators/mutations.rs index 09009bd561..d9d70b49e1 100644 --- a/afl/src/mutators/mutations.rs +++ b/afl/src/mutators/mutations.rs @@ -504,7 +504,7 @@ where input.bytes_mut().resize(size + len, 0); buffer_self_copy(input.bytes_mut(), off, off + len, size - off); - + Ok(MutationResult::Mutated) } @@ -533,7 +533,7 @@ where return Ok(MutationResult::Skipped); } } - + let val = input.bytes()[rand.below(size as u64) as usize]; input.bytes_mut().resize(size + len, 0); @@ -568,7 +568,7 @@ where return Ok(MutationResult::Skipped); } } - + let val = rand.below(256) as u8; input.bytes_mut().resize(size + len, 0); @@ -618,7 +618,7 @@ where } let off = rand.below(size as u64) as usize; let len = 1 + rand.below(min(16, size - off) as u64) as usize; - + let val = rand.below(256) as u8; buffer_set(input.bytes_mut(), off, len, val); 
@@ -705,8 +705,8 @@ where
 return Ok(MutationResult::Skipped);
 }
 
- let from = rand.below(other_size as u64 -1) as usize;
- let to = rand.below(size as u64 -1) as usize;
+ let from = rand.below(other_size as u64 - 1) as usize;
+ let to = rand.below(size as u64 - 1) as usize;
 let len = rand.below((other_size - from) as u64) as usize;
 
 input.bytes_mut().resize(max(size, to + (2 * len) + 1), 0);
@@ -745,9 +745,9 @@ where
 return Ok(MutationResult::Skipped);
 }
 
- let from = rand.below(other_size as u64 -1) as usize;
+ let from = rand.below(other_size as u64 - 1) as usize;
 let len = rand.below(min(other_size - from, size) as u64) as usize;
- let to = rand.below((size - len) as u64 -1) as usize;
+ let to = rand.below((size - len) as u64 - 1) as usize;
 
 buffer_copy(input.bytes_mut(), other.bytes(), from, to, len);
 
diff --git a/afl/src/mutators/scheduled.rs b/afl/src/mutators/scheduled.rs
index f154d70899..f402a46bd9 100644
--- a/afl/src/mutators/scheduled.rs
+++ b/afl/src/mutators/scheduled.rs
@@ -307,7 +307,7 @@ where
 scheduled.add_mutation(mutation_tokeninsert);
 scheduled.add_mutation(mutation_tokenreplace);
 */
-
+
 scheduled.add_mutation(mutation_crossover_insert);
 scheduled.add_mutation(mutation_crossover_replace);
 //scheduled.add_mutation(mutation_splice);
diff --git a/afl/src/mutators/token_mutations.rs b/afl/src/mutators/token_mutations.rs
index f1fe11c17a..6a2eebe013 100644
--- a/afl/src/mutators/token_mutations.rs
+++ b/afl/src/mutators/token_mutations.rs
@@ -69,7 +69,7 @@ where
 
 input.bytes_mut().resize(size + token_len, 0);
 buffer_copy(input.bytes_mut(), token, 0, off, size);
-
+
 Ok(MutationResult::Mutated)
 }
 
diff --git a/afl/src/observers/mod.rs b/afl/src/observers/mod.rs
index 8a384ef223..355acc31c0 100644
--- a/afl/src/observers/mod.rs
+++ b/afl/src/observers/mod.rs
@@ -383,7 +383,6 @@ where
 }
 }
 
-
 /// Map observer with hitcounts postprocessing
 #[derive(Serialize, Deserialize, Clone, Debug)]
 #[serde(bound = "M: serde::de::DeserializeOwned")]
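Review bot: `rand.below(other_size as u64 - 1)` and `rand.below(size as u64 - 1)` in the first hunk never pick the last offset of either buffer, and when a size is 0 the `- 1` wraps to `u64::MAX` in release builds (and panics in debug), so the new lines rely on the `Skipped` guard above the hunk rejecting sizes 0 and 1, which the hunk does not show. If excluding the last index is deliberate, a comment such as `// last offset excluded so to + len stays inside the buffer` would say so; otherwise `let from = rand.below(other_size as u64) as usize;` and `let to = rand.below(size as u64) as usize;` cover the full range and only need the guard to reject empty inputs. The `resize(max(size, to + (2 * len) + 1), 0)` below grows the input with no reference to a maximum size, which matters now that this commit drops the explicit `set_max_size(4096)` from the libpng fuzzer — presumably the cap is enforced elsewhere, but it is not visible in the patch. The enclosing function's signature and the guard lie outside the hunk.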
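Review bot: In the second hunk `rand.below((size - len) as u64 - 1)` can be called with an upper bound of 0 whenever `len` comes out as `size - 1`, and unless `Rand::below` treats 0 specially (not visible here) that is either a division by zero or an unchecked offset handed to `buffer_copy`; `let to = rand.below((size - len) as u64) as usize;` already keeps `to + len` at most `size - 1`, so the extra `- 1` buys nothing. `from` has the same last-byte exclusion as in the insert variant, and `len` may be 0, in which case the copy is a no-op that presumably still reports `Mutated` (the return is outside the hunk). The function's signature and early-return guard are outside the hunk.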
@@ -394,7 +393,20 @@ where base: M, } -static COUNT_CLASS_LOOKUP: [u8; 256] = [0, 1, 2, 0, 8, 8, 8, 8, 16, 16, 16, 16, 16, 16, 16, 16, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128]; +static COUNT_CLASS_LOOKUP: [u8; 256] = [ + 0, 1, 2, 0, 8, 8, 8, 8, 16, 16, 16, 16, 16, 16, 16, 16, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, + 32, 32, 32, 32, 32, 32, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, + 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, + 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, + 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, + 64, 64, 64, 64, 64, 64, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, + 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, + 128, 128, 128, 128, 128, 128, 128, 128, 128, 
128, 128, 128, 128, 128, 128, 128, 128, 128, 128,
+ 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128,
+ 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128,
+ 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128,
+ 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128,
+];
 
 impl Observer for HitcountsMapObserver
 where
@@ -465,13 +477,10 @@ where
 {
 /// Creates a new MapObserver
 pub fn new(base: M) -> Self {
- Self {
- base: base,
- }
+ Self { base: base }
 }
 }
 
-
 #[cfg(feature = "std")]
 #[cfg(test)]
 mod tests {
diff --git a/fuzzers/libfuzzer_libpng/src/mod.rs b/fuzzers/libfuzzer_libpng/src/mod.rs
index c8f120c1a9..fe2646db5b 100644
--- a/fuzzers/libfuzzer_libpng/src/mod.rs
+++ b/fuzzers/libfuzzer_libpng/src/mod.rs
@@ -13,7 +13,7 @@ use afl::{
 executors::{inprocess::InProcessExecutor, Executor, ExitKind},
 feedbacks::MaxMapFeedback,
 inputs::Input,
- mutators::{scheduled::HavocBytesMutator, HasMaxSize},
+ mutators::scheduled::HavocBytesMutator,
 observers::StdMapObserver,
 stages::mutational::StdMutationalStage,
 state::{HasCorpus, State},
@@ -51,7 +51,10 @@ where
 
 /// The main fn, parsing parameters, and starting the fuzzer
 pub fn main() {
- println!("Workdir: {:?}", env::current_dir().unwrap().to_string_lossy().to_string());
+ println!(
+ "Workdir: {:?}",
+ env::current_dir().unwrap().to_string_lossy().to_string()
+ );
 fuzz(vec![PathBuf::from("./corpus")], 1337).expect("An error occurred while fuzzing");
 }
 
@@ -81,8 +84,7 @@ fn fuzz(corpus_dirs: Vec, broker_port: u16) -> Result<(), AflError> {
 
 println!("We're a client, let's fuzz :)");
 
- let mut mutator = HavocBytesMutator::new_default();
- mutator.set_max_size(4096);
+ let mutator = HavocBytesMutator::new_default();
 let stage = StdMutationalStage::new(mutator);
 let mut fuzzer = StdFuzzer::new(tuple_list!(stage));
 
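Review bot: Index 3 of the re-wrapped `COUNT_CLASS_LOOKUP` is `0` (first data line: `0, 1, 2, 0, 8, …`), so, assuming the table is applied to raw hit counts as the observer's name suggests, an edge hit exactly three times is bucketed like an edge never hit and an input whose only novelty is a 3-hit edge yields no feedback. The neighbouring entries follow power-of-two bucketing (4–7 → 8, 8–15 → 16, 16–31 → 32, 32–127 → 64, 128+ → 128), which makes `4` the expected value there: `0, 1, 2, 4, 8, 8, 8, 8, 16, …`. The hunk only re-wraps the table so the value predates this commit, but the new side is what ships, and a doc comment on the static, e.g. `/// Maps a raw hit count to its bucket bit (0, 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+).`, would make the intended classes reviewable.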
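Review bot: With `mutator.set_max_size(4096)` removed in the last hunk, nothing left in this file states the largest input the in-process libpng harness will receive; the commit title suggests the bound now comes from the mutator's default, but that default is not visible in the patch. A comment on the new line, e.g. `let mutator = HavocBytesMutator::new_default(); // max input size comes from the mutator default`, would keep the limit discoverable, and if the default is unbounded the explicit cap should return, since the `resize(size + len, 0)` growth in the mutation hunks has no visible upper bound of its own. `fuzz()` continues past the hunk on both sides.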
@@ -103,12 +105,15 @@ fn fuzz(corpus_dirs: Vec, broker_port: u16) -> Result<(), AflError> {
 println!("Warning: LLVMFuzzerInitialize failed with -1")
 }
 }
-
+
 // in case the corpus is empty (on first run), reset
 if state.corpus().count() < 1 {
 state
 .load_initial_inputs(&mut executor, &mut restarting_mgr, &corpus_dirs)
- .expect(&format!("Failed to load initial corpus at {:?}", &corpus_dirs));
+ .expect(&format!(
+ "Failed to load initial corpus at {:?}",
+ &corpus_dirs
+ ));
 println!("We imported {} inputs from disk.", state.corpus().count());
 }
 
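Review bot: `.expect(&format!(...))` in the new lines formats the message on every call, including the success path (clippy's `expect_fun_call`); `.unwrap_or_else(|e| panic!("Failed to load initial corpus at {:?}: {:?}", &corpus_dirs, e))` formats only on failure and still includes the error. This runs once at startup so the cost is nil; it is a style point about how the new lines are written, not a defect. `fuzz()`'s body continues outside the hunk.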