forward NewTestcase, executor as arg to EventManager::process

Andrea Fioraldi 2021-02-15 15:27:55 +01:00
parent 092f65bbbd
commit a599a9f998
9 changed files with 60 additions and 240 deletions


@ -16,6 +16,8 @@ use crate::{
llmp::{self, LlmpClient, LlmpClientDescription, Tag},
shmem::ShMem,
},
executors::{HasObservers, Executor},
observers::ObserversTuple,
corpus::Corpus,
events::{BrokerEventResult, Event, EventManager},
executors::ExitKind,
@ -248,18 +250,21 @@ where
}
// Handle arriving events in the client
fn handle_in_client<C, FT, OC, OFT, R>(
fn handle_in_client<C, E, FT, OC, OFT, OT, R>(
&mut self,
state: &mut State<C, FT, I, OC, OFT, R>,
_sender_id: u32,
sender_id: u32,
event: Event<I>,
_executor: &mut E,
) -> Result<(), Error>
where
C: Corpus<I, R>,
E: Executor<I> + HasObservers<OT>,
FT: FeedbacksTuple<I>,
R: Rand,
OC: Corpus<I, R>,
OFT: FeedbacksTuple<I>,
OT: ObserversTuple
{
match event {
Event::NewTestcase {
@ -273,11 +278,17 @@ where
// TODO: here u should match client_config, if equal to the current one do not re-execute
// we need to pass engine to process() too, TODO
#[cfg(feature = "std")]
println!("Received new Testcase");
let observers = postcard::from_bytes(&observers_buf)?;
println!("Received new Testcase from {}", sender_id);
let observers: OT = postcard::from_bytes(&observers_buf)?;
// TODO include ExitKind in NewTestcase
let interestingness = state.is_interesting(&input, &observers, ExitKind::Ok)?;
state.add_if_interesting(input, interestingness)?;
let fitness = state.is_interesting(&input, &observers, ExitKind::Ok)?;
if fitness > 0 {
if !state.add_if_interesting(input, fitness)?.is_none() {
#[cfg(feature = "std")]
println!("Added received Testcase");
}
}
Ok(())
}
_ => Err(Error::Unknown(format!(
@ -306,16 +317,19 @@ where
}
}
fn process<C, FT, OC, OFT, R>(
fn process<C, E, FT, OC, OFT, OT, R>(
&mut self,
state: &mut State<C, FT, I, OC, OFT, R>,
executor: &mut E,
) -> Result<usize, Error>
where
C: Corpus<I, R>,
E: Executor<I> + HasObservers<OT>,
FT: FeedbacksTuple<I>,
R: Rand,
OC: Corpus<I, R>,
OFT: FeedbacksTuple<I>,
OT: ObserversTuple
{
// TODO: Get around local event copy by moving handle_in_client
let mut events = vec![];
@ -340,7 +354,7 @@ where
let count = events.len();
events
.drain(..)
.try_for_each(|(sender_id, event)| self.handle_in_client(state, sender_id, event))?;
.try_for_each(|(sender_id, event)| self.handle_in_client(state, sender_id, event, executor))?;
Ok(count)
}
@ -451,18 +465,21 @@ where
.send_buf(_LLMP_TAG_RESTART, &state_corpus_serialized)
}
fn process<C, FT, OC, OFT, R>(
fn process<C, E, FT, OC, OFT, OT, R>(
&mut self,
state: &mut State<C, FT, I, OC, OFT, R>,
executor: &mut E,
) -> Result<usize, Error>
where
C: Corpus<I, R>,
E: Executor<I> + HasObservers<OT>,
FT: FeedbacksTuple<I>,
R: Rand,
OC: Corpus<I, R>,
OFT: FeedbacksTuple<I>,
OT: ObserversTuple
{
self.llmp_mgr.process(state)
self.llmp_mgr.process(state, executor)
}
fn fire<C, FT, OC, OFT, R>(
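Review bot: In the `Event::NewTestcase` arm the new `_executor` argument is never used, so `fitness` is still computed from the `observers_buf` bytes supplied by the sending client (with a hard-coded `ExitKind::Ok`) rather than from a local run of `input`. Until re-execution lands, a client built with a different observer layout or configuration can influence what enters this corpus, and that is worth stating at the parameter, e.g. `// NOTE: unused for now; observers are trusted as sent, see the client_config TODO`. A failed `postcard::from_bytes` is also propagated with `?`, which makes the `try_for_each` in `process` stop and discard the rest of the locally collected batch; logging and skipping the one event would presumably be more robust. Smaller points: `!state.add_if_interesting(input, fitness)?.is_none()` reads better as `.is_some()`, and `sender_id` is only read inside the `std`-gated `println!`, so no_std builds will likely warn about an unused variable. The body of `handle_in_client` continues outside the visible hunks.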


@ -5,6 +5,8 @@ use alloc::{string::ToString, vec::Vec};
use crate::{
corpus::Corpus,
events::{BrokerEventResult, Event, EventManager},
executors::{HasObservers, Executor},
observers::ObserversTuple,
feedbacks::FeedbacksTuple,
inputs::Input,
state::State,
@ -31,21 +33,24 @@ where
I: Input,
ST: Stats, //CE: CustomEvent<I, OT>,
{
fn process<C, FT, OC, OFT, R>(
fn process<C, E, FT, OC, OFT, OT, R>(
&mut self,
state: &mut State<C, FT, I, OC, OFT, R>,
_executor: &mut E,
) -> Result<usize, Error>
where
C: Corpus<I, R>,
E: Executor<I> + HasObservers<OT>,
FT: FeedbacksTuple<I>,
R: Rand,
OC: Corpus<I, R>,
OFT: FeedbacksTuple<I>,
OT: ObserversTuple
{
let count = self.events.len();
while self.events.len() > 0 {
let event = self.events.pop().unwrap();
self.handle_in_client(state, 0, event)?;
self.handle_in_client(state, event)?;
}
Ok(count)
}
@ -62,7 +67,7 @@ where
OC: Corpus<I, R>,
OFT: FeedbacksTuple<I>,
{
match Self::handle_in_broker(&mut self.stats, 0, &event)? {
match Self::handle_in_broker(&mut self.stats, &event)? {
BrokerEventResult::Forward => self.events.push(event),
BrokerEventResult::Handled => (),
};
@ -85,7 +90,6 @@ where
// Handle arriving events in the broker
fn handle_in_broker(
stats: &mut ST,
_sender_id: u32,
event: &Event<I>,
) -> Result<BrokerEventResult, Error> {
match event {
@ -134,7 +138,6 @@ where
fn handle_in_client<C, FT, OC, OFT, R>(
&mut self,
_state: &mut State<C, FT, I, OC, OFT, R>,
_sender_id: u32,
event: Event<I>,
) -> Result<(), Error>
where


@ -10,6 +10,7 @@ use serde::{Deserialize, Serialize};
use crate::{
corpus::Corpus, feedbacks::FeedbacksTuple, inputs::Input, observers::ObserversTuple,
executors::{HasObservers, Executor},
state::State, utils::Rand, Error,
};
@ -156,16 +157,19 @@ where
/// Lookup for incoming events and process them.
/// Return the number of processes events or an error
fn process<C, FT, OC, OFT, R>(
fn process<C, E, FT, OC, OFT, OT, R>(
&mut self,
state: &mut State<C, FT, I, OC, OFT, R>,
executor: &mut E,
) -> Result<usize, Error>
where
C: Corpus<I, R>,
E: Executor<I> + HasObservers<OT>,
FT: FeedbacksTuple<I>,
R: Rand,
OC: Corpus<I, R>,
OFT: FeedbacksTuple<I>;
OFT: FeedbacksTuple<I>,
OT: ObserversTuple;
/// Serialize all observers for this type and manager
fn serialize_observers<OT>(&mut self, observers: &OT) -> Result<Vec<u8>, Error>
@ -226,16 +230,19 @@ impl<I> EventManager<I> for NopEventManager<I>
where
I: Input,
{
fn process<C, FT, OC, OFT, R>(
fn process<C, E, FT, OC, OFT, OT, R>(
&mut self,
_state: &mut State<C, FT, I, OC, OFT, R>,
_executor: &mut E,
) -> Result<usize, Error>
where
C: Corpus<I, R>,
E: Executor<I> + HasObservers<OT>,
FT: FeedbacksTuple<I>,
R: Rand,
OC: Corpus<I, R>,
OFT: FeedbacksTuple<I>,
OT: ObserversTuple,
{
Ok(0)
}
@ -259,10 +266,9 @@ where
#[cfg(test)]
mod tests {
use crate::bolts::tuples::{tuple_list, MatchNameAndType, Named};
use crate::bolts::tuples::{tuple_list};
use crate::events::Event;
use crate::inputs::bytes::BytesInput;
use crate::observers::ObserversTuple;
use crate::observers::StdMapObserver;
use crate::utils::current_time;
@ -272,7 +278,7 @@ mod tests {
fn test_event_serde() {
let obv = StdMapObserver::new("test", unsafe { &mut MAP });
let map = tuple_list!(obv);
let observers_buf = map.serialize().unwrap();
let observers_buf = postcard::to_allocvec(&map).unwrap();
let i = BytesInput::new(vec![0]);
let e = Event::NewTestcase {
@ -296,7 +302,7 @@ mod tests {
time: _,
executions: _,
} => {
let o = map.deserialize(&observers_buf).unwrap();
let o: tuple_list!(StdMapObserver::<u32>) = postcard::from_bytes(&observers_buf).unwrap();
let test_observer = o.match_name_type::<StdMapObserver<u32>>("test").unwrap();
assert_eq!("test", test_observer.name());
}
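Review bot: The test module's import is narrowed to `use crate::bolts::tuples::{tuple_list};`, but `test_event_serde` still calls `o.match_name_type::<StdMapObserver<u32>>("test")` and `test_observer.name()`, which need the `MatchNameAndType` and `Named` traits in scope. Unless those traits are imported elsewhere in the module, outside these hunks, the test will no longer compile; I would keep `use crate::bolts::tuples::{tuple_list, MatchNameAndType, Named};`. The doc comment on the trait's `process` also still describes only the old signature and should gain a sentence on what the `executor` argument is for.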


@ -68,7 +68,7 @@ where
self.stages_mut()
.perform_all(rand, executor, state, manager, idx)?;
manager.process(state)?;
manager.process(state, executor)?;
Ok(idx)
}


@ -277,7 +277,7 @@ where
pub fn new_default() -> Self {
let mut scheduled = StdScheduledMutator::<C, I, R, S>::new();
scheduled.add_mutation(mutation_bitflip);
scheduled.add_mutation(mutation_byteflip);
/*scheduled.add_mutation(mutation_byteflip);
scheduled.add_mutation(mutation_byteinc);
scheduled.add_mutation(mutation_bytedec);
scheduled.add_mutation(mutation_byteneg);
@ -307,7 +307,7 @@ where
scheduled.add_mutation(mutation_tokenreplace);
scheduled.add_mutation(mutation_crossover_insert);
scheduled.add_mutation(mutation_crossover_replace);
scheduled.add_mutation(mutation_crossover_replace);*/
//scheduled.add_mutation(mutation_splice);
HavocBytesMutator {
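Review bot: `new_default` now wraps every `add_mutation` call after `mutation_bitflip` in a `/* … */` block, so the default havoc mutator is left with a single mutation; this looks like a debugging leftover unrelated to the change named in the commit title. If it is intentional, say why in a comment above the block, e.g. `// TODO: re-enable once <reason>`; otherwise restore the calls before merging. The commented-out `//std::process::abort();` in the libpng fuzzer harness further down looks like the same kind of leftover. Only part of `new_default` is visible between the two hunks.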


@ -57,18 +57,10 @@ pub trait ObserversTuple:
/// Do whatever you need to do after a run.
/// This is called right after the last execution
fn post_exec_all(&mut self) -> Result<(), Error>;
//fn for_each(&self, f: fn(&dyn Observer));
//fn for_each_mut(&mut self, f: fn(&mut dyn Observer));
/// Serialize this tuple to a buf
fn serialize(&self) -> Result<Vec<u8>, Error> {
Ok(postcard::to_allocvec(&self)?)
}
/// Deserilaize
fn deserialize(&self, serialized: &[u8]) -> Result<Self, Error> {
Ok(postcard::from_bytes(serialized)?)
}
}
impl ObserversTuple for () {


@ -159,7 +159,7 @@ where
phantom: PhantomData,
},
)?;
manager.process(self)?;
manager.process(self, executor)?;
Ok(())
}
}
@ -456,7 +456,7 @@ where
phantom: PhantomData,
},
)?;
manager.process(self)?;
manager.process(self, executor)?;
Ok(())
}


@ -8,9 +8,9 @@ use afl::{
bolts::{tuples::tuple_list, shmem::UnixShMem},
corpus::{Corpus, InMemoryCorpus},
events::setup_restarting_mgr,
events::{SimpleStats},
stats::{SimpleStats},
executors::{inprocess::InProcessExecutor, Executor, ExitKind},
feedbacks::MaxMapFeedback,
feedbacks::{CrashFeedback, MaxMapFeedback},
inputs::Input,
mutators::{scheduled::HavocBytesMutator, HasMaxSize},
observers::StdMapObserver,
@ -40,7 +40,7 @@ where
__lafl_edges_map[2] = 1;
if buf.len() > 1 && buf[1] == 'b' as u8 {
__lafl_edges_map[3] = 1;
std::process::abort();
//std::process::abort();
}
}
}
@ -64,7 +64,7 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), Error> {
// The restarting state will spawn the same process again as child, then restartet it each time it crashes.
let (state_opt, mut restarting_mgr) =
setup_restarting_mgr::<_, _, _, _, UnixShMem, _>(stats, broker_port).expect("Failed to setup the restarter".into());
setup_restarting_mgr::<_, _, _, _, _, _, UnixShMem, _>(stats, broker_port).expect("Failed to setup the restarter".into());
let edges_observer =
StdMapObserver::new_from_ptr(&NAME_COV_MAP, unsafe { &mut __lafl_edges_map[0] as *mut u8 }, __lafl_max_edges_size as usize);
@ -78,6 +78,8 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), Error> {
&NAME_COV_MAP,
&edges_observer
)),
InMemoryCorpus::new(),
tuple_list!(CrashFeedback::new()),
)
},
};


@ -1,200 +0,0 @@
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
Connected to port 1337
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
First run. Let's set it all up
We're a client, let's fuzz :)
Loading file "./corpus/not_kitty_alpha.png" ...
Loading file "./corpus/not_kitty.png" ...
Loading file "./corpus/not_kitty_icc.png" ...
Loading file "./corpus/not_kitty_gamma.png" ...
We imported 4 inputs from disk.
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 44163 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 45491 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 46731 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 47582 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 47827 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 48092 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 49215 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 50339 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 50610 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 51319 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 51560 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 52084 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 52352 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 53343 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 55900 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 56577 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 57101 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 57367 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 58069 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 58335 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 59147 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 60457 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 60723 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 60989 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 61386 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 61643 bytes from previous instance)
We're a client, let's fuzz :)
Child crashed!
Waiting for broker...
Bye!
Workdir: "/home/andrea/Desktop/libAFLrs/fuzzers/libfuzzer_libpng"
We're a client, let's fuzz :)
Subsequent run. Let's load all data from shmem (received 62747 bytes from previous instance)
We're a client, let's fuzz :)