This commit is contained in:
Dominik Maier 2020-12-20 16:26:22 +01:00
commit ad9eedf4cd
4 changed files with 53 additions and 31 deletions


@ -149,6 +149,12 @@ where
I: Input, I: Input,
R: Rand, R: Rand,
{ {
/// Returns the number of elements
#[inline]
fn count(&self) -> usize {
self.entries().len()
}
/// Gets the next entry /// Gets the next entry
#[inline] #[inline]
fn next(&mut self, rand: &mut R) -> Result<(&RefCell<Testcase<I>>, usize), AflError> { fn next(&mut self, rand: &mut R) -> Result<(&RefCell<Testcase<I>>, usize), AflError> {
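Review bot: The doc comment on the new `count` method, `/// Returns the number of elements`, does not say which elements it counts, and the body `self.entries().len()` makes the answer specific: `/// Returns the number of testcases currently held by this corpus.` would read better and matches the register of the sibling `/// Gets the next entry`. Since the method is a trait default built on `entries()`, it is also worth stating that the count is whatever `entries()` reports at call time, so implementations that override `entries()` automatically get a consistent `count`. The body of `next` continues outside the hunk.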


@ -1,7 +1,12 @@
#include <stdio.h>
#include <stdint.h> #include <stdint.h>
#define MAP_SIZE 65536 #define MAP_SIZE 65536
int orig_argc;
char **orig_argv;
char **orig_envp;
uint8_t __lafl_dummy_map[MAP_SIZE]; uint8_t __lafl_dummy_map[MAP_SIZE];
uint8_t *__lafl_edges_map = __lafl_dummy_map; uint8_t *__lafl_edges_map = __lafl_dummy_map;
@ -119,13 +124,22 @@ void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
} }
static void afl_libfuzzer_copy_args(int argc, char** argv, char** envp) {
orig_argc = argc;
orig_argv = argv;
orig_envp = envp;
}
__attribute__((section(".init_array"))) void (* p_afl_libfuzzer_copy_args)(int,char*[],char*[]) = &afl_libfuzzer_copy_args;
__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv); __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
void afl_libfuzzer_main(); void afl_libfuzzer_main();
int afl_libfuzzer_init(int argc, char **argv) { int afl_libfuzzer_init() {
if (LLVMFuzzerInitialize) if (LLVMFuzzerInitialize)
return LLVMFuzzerInitialize(&argc, &argv); return LLVMFuzzerInitialize(&orig_argc, &orig_argv);
else else
return 0; return 0;
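Review bot: The `.init_array` entry `afl_libfuzzer_copy_args` is declared to receive `(argc, argv, envp)`, but passing those arguments to init_array functions is glibc behaviour rather than something the ELF ABI or other libcs guarantee; on a runtime that calls constructors without arguments the three parameters are unspecified values, so `orig_argv` ends up either still NULL or whatever sat in the argument registers, and `afl_libfuzzer_init` then hands `&orig_argv` to `LLVMFuzzerInitialize`, which targets commonly dereference. A comment on the pointer definition naming the glibc assumption, plus a guard such as `if (LLVMFuzzerInitialize && orig_argv)` before the call (falling through to `return 0;` otherwise), would make that failure mode explicit instead of a crash inside the target's initializer. Since `LLVMFuzzerInitialize` may rewrite `*argc`/`*argv`, the globals are intentionally mutable; a one-line comment on `orig_argc`/`orig_argv` saying so would stop someone from marking them `const`. The closing brace of `afl_libfuzzer_init` is not shown in the hunk.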


@ -8,6 +8,7 @@ use clap::{App, Arg};
use std::env; use std::env;
use std::path::PathBuf; use std::path::PathBuf;
use afl::corpus::Corpus;
use afl::corpus::InMemoryCorpus; use afl::corpus::InMemoryCorpus;
use afl::engines::Engine; use afl::engines::Engine;
use afl::engines::Fuzzer; use afl::engines::Fuzzer;
@ -29,8 +30,8 @@ extern "C" {
/// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) /// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32; fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32;
/// int LLVMFuzzerInitialize(int argc, char **argv) // afl_libfuzzer_init calls LLVMFUzzerInitialize()
fn afl_libfuzzer_init(argc: u32, argv: *const *const u8) -> i32; fn afl_libfuzzer_init() -> i32;
static __lafl_edges_map: *mut u8; static __lafl_edges_map: *mut u8;
static __lafl_cmp_map: *mut u8; static __lafl_cmp_map: *mut u8;
@ -108,20 +109,9 @@ pub extern "C" fn afl_libfuzzer_main() {
println!("workdir: {:?}", workdir); println!("workdir: {:?}", workdir);
match dictionary { match dictionary {
Some(ref x) => { Some(x) => for file in x {
for file in x {
println!("dic: {:?}", file); println!("dic: {:?}", file);
} },
}
None => (),
}
match input {
Some(ref x) => {
for indir in x {
println!("in: {:?}", indir);
}
}
None => (), None => (),
} }
@ -150,17 +140,28 @@ pub extern "C" fn afl_libfuzzer_main() {
let mut engine = Engine::new(executor); let mut engine = Engine::new(executor);
// unsafe { // Call LLVMFUzzerInitialize() if present.
// if afl_libfuzzer_init(...) == -1 { unsafe {
// println("Warning: LLVMFuzzerInitialize failed with -1") if afl_libfuzzer_init() == -1 {
// } println!("Warning: LLVMFuzzerInitialize failed with -1")
// } }
}
match input { match input {
Some(x) => state Some(x) => {
for indir in &x {
println!("in: {:?}", indir);
};
state
.load_initial_inputs(&mut corpus, &mut generator, &mut engine, &mut mgr, &x) .load_initial_inputs(&mut corpus, &mut generator, &mut engine, &mut mgr, &x)
.expect("Failed to load initial corpus"), .expect("Failed to load initial corpus")
None => state },
None => (),
}
if corpus.count() < 1 {
state
.generate_initial_inputs( .generate_initial_inputs(
&mut rand, &mut rand,
&mut corpus, &mut corpus,
@ -169,9 +170,11 @@ pub extern "C" fn afl_libfuzzer_main() {
&mut mgr, &mut mgr,
4, 4,
) )
.expect("Failed to load initial inputs"), .expect("Failed to generate initial inputs");
} }
println!("We have {} inputs.", corpus.count());
let mut mutator = HavocBytesMutator::new_default(); let mut mutator = HavocBytesMutator::new_default();
mutator.set_max_size(4096); mutator.set_max_size(4096);
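Review bot: The position of the new `unsafe { if afl_libfuzzer_init() == -1 { ... } }` block, between `Engine::new(executor)` and `load_initial_inputs`, is load-bearing: `LLVMFuzzerInitialize` has to run before the first `LLVMFuzzerTestOneInput`, which presumably happens inside `load_initial_inputs` and `generate_initial_inputs`, yet nothing in the code records that ordering. A comment above the block, `// Must run before load_initial_inputs/generate_initial_inputs, which already execute the target.`, would keep a later refactor from moving the call below them. The extern declaration's comment `// afl_libfuzzer_init calls LLVMFUzzerInitialize()` also has a typo and dropped the `///` form used by the neighbouring `LLVMFuzzerTestOneInput` declaration; `/// Calls LLVMFuzzerInitialize(&argc, &argv) if the target defines it; returns its result or 0.` keeps the style. The `};` after the `for indir in &x` loop in the `Some(x)` arm is a stray semicolon. `afl_libfuzzer_main` starts and ends outside these hunks.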


@ -8,15 +8,14 @@ rm -f test_fuzz.elf test_fuzz.o
./compiler -flto=thin test_fuzz.o -o test_fuzz.elf || exit 1 ./compiler -flto=thin test_fuzz.o -o test_fuzz.elf || exit 1
RUST_BACKTRACE=1 ./test_fuzz.elf & RUST_BACKTRACE=1 ./test_fuzz.elf &
PID1=$!
test "$PID1" -gt 0 && { test "$!" -gt 0 && {
usleep 250 usleep 250
RUST_BACKTRACE=1 ./test_fuzz.elf -x a -x b -T5 in1 in2 & RUST_BACKTRACE=1 ./test_fuzz.elf -x a -x b -T5 in1 in2 &
sleep 10
kill $!
} }
sleep 10 sleep 10
kill $PID1 killall test_fuzz.elf
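Review bot: The final `killall test_fuzz.elf` terminates every process on the host with that name, not just the two instances this script launched, and it drops the per-PID bookkeeping the removed `PID1=$!` lines provided; on a shared CI runner with concurrent jobs that is a real cross-talk risk, and `killall` is not the same tool on every platform (on some non-Linux systems it is not the name-matching psmisc command). Keeping the PIDs costs nothing: `PID1=$!` after the first launch, `PID2=$!` after the second inside the braces, then `kill "$PID1" "$PID2"` at the end. The `test "$!" -gt 0 && {` line in the new version reads `$!` immediately after the first `&`, which is fine, but naming it `PID1` first also makes that line self-explanatory. The script continues above the hunk.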