From c848397c8b6767c67f4d3b6f43a882140bc73013 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Sun, 20 Dec 2020 15:21:22 +0100
Subject: [PATCH 1/2] run llvmfuzzerinitialize at the correct time, only generate inputs if no inputs were given
---
 afl/src/corpus/mod.rs | 6 ++++++
 afl/src/engines/mod.rs | 7 ++-----
 fuzzers/libfuzzer/runtime/rt.c | 18 ++++++++++++++++--
 fuzzers/libfuzzer/src/lib.rs | 24 +++++++++++++++---------
 fuzzers/libfuzzer/test.sh | 9 ++++-----
 5 files changed, 43 insertions(+), 21 deletions(-)
diff --git a/afl/src/corpus/mod.rs b/afl/src/corpus/mod.rs
index 92d047adf4..c2688e00fc 100644
--- a/afl/src/corpus/mod.rs
+++ b/afl/src/corpus/mod.rs
@@ -149,6 +149,12 @@ where
 I: Input,
 R: Rand,
 {
+ /// Returns the number of elements
+ #[inline]
+ fn count(&self) -> usize {
+ self.entries().len()
+ }
+
 /// Gets the next entry
 #[inline]
 fn next(&mut self, rand: &mut R) -> Result<(&RefCell>, usize), AflError> {
diff --git a/afl/src/engines/mod.rs b/afl/src/engines/mod.rs
index d611f6179b..ab27a80313 100644
--- a/afl/src/engines/mod.rs
+++ b/afl/src/engines/mod.rs
@@ -230,7 +230,7 @@ where
 println!("Load file {:?}", &path);
 let input = std::fs::read(path)?;
 let input = BytesInput::new(input);
- let fitness = self.evaluate_input(&input, engine.executor_mut())?;
+ //let fitness = self.evaluate_input(&input, engine.executor_mut())?;
 //self.add_if_interesting(corpus, input, fitness)?
 } else if attr.is_dir() {
 self.load_from_directory(corpus, generator, engine, manager, &path)?;
@@ -258,10 +258,7 @@ where
 for directory in &in_dir {
 self.load_from_directory(corpus, generator, engine, manager, Path::new(directory))?;
 }
- manager.log(
- 0,
- format!("Loaded {} initial testcases", 123), // get corpus count
- )?;
+ manager.log(0, format!("Loaded {} initial testcases", corpus.count()))?;
 manager.process(self, corpus)?;
 Ok(())
 }
diff --git a/fuzzers/libfuzzer/runtime/rt.c b/fuzzers/libfuzzer/runtime/rt.c
index 5e36f19922..43ccccc2f7 100644
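Review bot: `std::fs::read(path)?` in the `@@ -230` hunk of afl/src/engines/mod.rs slurps every regular file found in the user-supplied input directory with no size limit, so a single oversized file is allocated in full before it is even wrapped in `BytesInput`. Since `attr` is the file's metadata, a cheap guard before the read would be `if attr.len() > MAX_INITIAL_INPUT_LEN as u64 { /* log and skip */ }` (placeholder constant; the lib.rs side already caps mutations at 4096 via `set_max_size`, which may be the right reference). The `?` on the read also aborts the whole load on the first unreadable file, where logging and skipping that entry would be friendlier for a corpus directory. The enclosing function starts and ends outside the hunk.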
--- a/fuzzers/libfuzzer/runtime/rt.c
+++ b/fuzzers/libfuzzer/runtime/rt.c
@@ -1,7 +1,12 @@
+#include
 #include
 #define MAP_SIZE 65536
+int orig_argc;
+char **orig_argv;
+char **orig_envp;
+
 uint8_t __lafl_dummy_map[MAP_SIZE];
 uint8_t *__lafl_edges_map = __lafl_dummy_map;
@@ -119,13 +124,22 @@ void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
 }
+
+ static void afl_libfuzzer_copy_args(int argc, char** argv, char** envp) {
+ orig_argc = argc;
+ orig_argv = argv;
+ orig_envp = envp;
+}
+
+__attribute__((section(".init_array"))) void (* p_afl_libfuzzer_copy_args)(int,char*[],char*[]) = &afl_libfuzzer_copy_args;
+
 __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
 void afl_libfuzzer_main();
-int afl_libfuzzer_init(int argc, char **argv) {
+int afl_libfuzzer_init() {
 if (LLVMFuzzerInitialize)
- return LLVMFuzzerInitialize(&argc, &argv);
+ return LLVMFuzzerInitialize(&orig_argc, &orig_argv);
 else
 return 0;
diff --git a/fuzzers/libfuzzer/src/lib.rs b/fuzzers/libfuzzer/src/lib.rs
index dd56dc5c24..f99313c5e2 100644
--- a/fuzzers/libfuzzer/src/lib.rs
+++ b/fuzzers/libfuzzer/src/lib.rs
@@ -7,6 +7,7 @@ extern crate alloc;
 use clap::{App, Arg};
 use std::env;
+use afl::corpus::Corpus;
 use afl::corpus::InMemoryCorpus;
 use afl::engines::Engine;
 use afl::engines::Fuzzer;
@@ -28,8 +29,8 @@ extern "C" {
 /// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32;
- /// int LLVMFuzzerInitialize(int argc, char **argv)
- fn afl_libfuzzer_init(argc: u32, argv: *const *const u8) -> i32;
+ // afl_libfuzzer_init calls LLVMFUzzerInitialize()
+ fn afl_libfuzzer_init() -> i32;
 static __lafl_edges_map: *mut u8;
 static __lafl_cmp_map: *mut u8;
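Review bot: `afl_libfuzzer_copy_args` in the `@@ -119` hunk of rt.c only receives argc/argv/envp because glibc happens to pass them to `.init_array` entries; that is a loader extension, not something the ELF ABI guarantees, so on a libc that invokes initializers with no arguments the three globals keep their zero initial value and `LLVMFuzzerInitialize(&orig_argc, &orig_argv)` hands the target a NULL argv. A one-line guard keeps the call safe on such platforms: `if (LLVMFuzzerInitialize && orig_argv)`. The new definition `int afl_libfuzzer_init()` declares an unspecified parameter list in C; `int afl_libfuzzer_init(void)` matches the zero-argument extern declaration the lib.rs hunk introduces. `orig_envp` is stored but nothing in the diff reads it, and the three globals plus `p_afl_libfuzzer_copy_args` are exported symbols that could be `static` if no other translation unit needs them.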
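Review bot: The replacement comment in the `@@ -28` hunk of lib.rs drops the `///` doc form used on the sibling `LLVMFuzzerTestOneInput` declaration and misspells the symbol as `LLVMFUzzerInitialize`; the same spelling recurs in the comment added in the `@@ -143` hunk. `/// Calls LLVMFuzzerInitialize() if the target defines it and returns its result, else 0` keeps the extern block's doc style and states the contract that the rt.c side actually implements.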
@@ -143,11 +144,12 @@ pub extern "C" fn afl_libfuzzer_main() {
 let mut engine = Engine::new(executor);
- // unsafe {
- // if afl_libfuzzer_init(...) == -1 {
- // println("Warning: LLVMFuzzerInitialize failed with -1")
- // }
- // }
+ // Call LLVMFUzzerInitialize() if present.
+ unsafe {
+ if afl_libfuzzer_init() == -1 {
+ println!("Warning: LLVMFuzzerInitialize failed with -1")
+ }
+ }
 if input != None {
 state
@@ -159,7 +161,9 @@ pub extern "C" fn afl_libfuzzer_main() {
 input.unwrap(),
 )
 .expect("Failed to load initial corpus");
- } else {
+ }
+
+ if corpus.count() < 1 {
 state
 .generate_initial_inputs(
 &mut rand,
@@ -169,9 +173,11 @@ pub extern "C" fn afl_libfuzzer_main() {
 &mut mgr,
 4,
 )
- .expect("Failed to load initial inputs");
+ .expect("Failed to generate initial inputs");
 }
+ println!("We have {} inputs.", corpus.count());
+
 let mut mutator = HavocBytesMutator::new_default();
 mutator.set_max_size(4096);
diff --git a/fuzzers/libfuzzer/test.sh b/fuzzers/libfuzzer/test.sh
index b9fd14c809..f319c9c783 100755
--- a/fuzzers/libfuzzer/test.sh
+++ b/fuzzers/libfuzzer/test.sh
@@ -8,15 +8,14 @@ rm -f test_fuzz.elf test_fuzz.o
 ./compiler -flto=thin test_fuzz.o -o test_fuzz.elf || exit 1
 RUST_BACKTRACE=1 ./test_fuzz.elf &
-PID1=$!
-test "$PID1" -gt 0 && {
+test "$!" -gt 0 && {
 usleep 250
 RUST_BACKTRACE=1 ./test_fuzz.elf -x a -x b -T5 in1 in2 &
- sleep 10
- kill $!
 }
+ sleep 10
-kill $PID1
+killall test_fuzz.elf
+
From 299acded8e99820b12697a9018e82c1b93ba79d3 Mon Sep 17 00:00:00 2001
From: van Hauser
Date: Sun, 20 Dec 2020 15:52:07 +0100
Subject: [PATCH 2/2] only one more piece missing
---
 afl/src/engines/mod.rs | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/afl/src/engines/mod.rs b/afl/src/engines/mod.rs
index ab27a80313..61a1286e5c 100644
--- a/afl/src/engines/mod.rs
+++ b/afl/src/engines/mod.rs
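Review bot: The check `afl_libfuzzer_init() == -1` in the `@@ -143` hunk of lib.rs only reacts to one specific value, while nothing on the Rust side pins LLVMFuzzerInitialize to returning -1 on failure; `if afl_libfuzzer_init() != 0` would surface any non-zero result, and since rt.c returns 0 when the hook is absent that case stays silent. The libFuzzer signature lets LLVMFuzzerInitialize rewrite argc/argv, but this call runs after the fuzzer has presumably already parsed its own command line (the `clap::{App, Arg}` import is visible in the `@@ -7` hunk), so any options the target strips or rewrites are still seen by the Rust side; if that is intended, a comment saying so would save the next reader a trip into rt.c. `afl_libfuzzer_main` starts and ends outside the hunk.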
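Review bot: `killall test_fuzz.elf` at the end of the `@@ -8` hunk of test.sh signals every process with that name on the machine, not just the two this script started, so a parallel run of the same test or an unrelated instance gets killed as well, and `killall` is not present on every platform the script may run on. The removed `PID1=$!` approach was more precise; keeping the pid of each background run and finishing with `kill $PID1 $PID2` after `sleep 10` scopes the cleanup to this script. `test "$!" -gt 0` is always true after a background start, so it no longer guards anything and could go.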
@@ -227,11 +227,12 @@ where
 let attr = attributes?;
 if attr.is_file() {
- println!("Load file {:?}", &path);
+ println!("Loading file {:?}", &path);
 let input = std::fs::read(path)?;
 let input = BytesInput::new(input);
- //let fitness = self.evaluate_input(&input, engine.executor_mut())?;
- //self.add_if_interesting(corpus, input, fitness)?
+ let input = do_whatever_magic_function(input);
+ let fitness = self.evaluate_input(&input, engine.executor_mut())?;
+ self.add_if_interesting(corpus, input, fitness)?;
 } else if attr.is_dir() {
 self.load_from_directory(corpus, generator, engine, manager, &path)?;
 }
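Review bot: `do_whatever_magic_function(input)` in the `@@ -227` hunk is not defined anywhere in the diff, so unless it exists elsewhere in the file the crate will not build; the commit subject ("only one more piece missing") suggests it is a stand-in rather than a real helper. Dropping that line and passing the `BytesInput` straight to `let fitness = self.evaluate_input(&input, engine.executor_mut())?;` is what the removed comment already described and is enough for the loaded file to reach `add_if_interesting`. If a transformation step is genuinely planned, a named helper with a `// TODO:` comment (or a `todo!()` body) makes the gap explicit instead of leaving an unresolved symbol. The enclosing function, presumably `load_from_directory` given the recursive call, starts and ends outside the hunk.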