From b07f7ccbca7c809cd9aad756682f23292beae27f Mon Sep 17 00:00:00 2001
From: Alwin Berger <alwin.berger@tu-dortmund.de>
Date: Mon, 12 Dec 2022 17:41:33 +0100
Subject: [PATCH] add arguments

---
 fuzzers/FRET/Cargo.toml    |   3 +-
 fuzzers/FRET/fuzzer.sh     |   8 +++
 fuzzers/FRET/src/fuzzer.rs | 112 ++++++++++++++++++++++---------------
 3 files changed, 77 insertions(+), 46 deletions(-)
 create mode 100755 fuzzers/FRET/fuzzer.sh

diff --git a/fuzzers/FRET/Cargo.toml b/fuzzers/FRET/Cargo.toml
index e4fde35f39..ef2a0b6750 100644
--- a/fuzzers/FRET/Cargo.toml
+++ b/fuzzers/FRET/Cargo.toml
@@ -5,10 +5,11 @@ authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenuk
 edition = "2021"
 
 [features]
-default = ["std", "snapshot_fast"]
+default = ["std", "snapshot_fast", "singlecore"]
 std = []
 snapshot_restore = []
 snapshot_fast = [ "snapshot_restore" ]
+singlecore = []
 
 [profile.release]
 lto = true
diff --git a/fuzzers/FRET/fuzzer.sh b/fuzzers/FRET/fuzzer.sh
new file mode 100755
index 0000000000..2e49804663
--- /dev/null
+++ b/fuzzers/FRET/fuzzer.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+[ -n "$1" -a "$1" != "+" -a -z "$KERNEL" ] && export KERNEL="$1"
+[ -n "$2" -a "$2" != "+" -a -z "$FUZZ_MAIN" ]   && export FUZZ_MAIN="$2"
+[ -n "$3" -a "$3" != "+" -a -z "$FUZZ_INPUT" ]  && export FUZZ_INPUT="$3"
+[ -n "$4" -a "$4" != "+" -a -z "$BREAKPOINT" ]  && export BREAKPOINT="$4"
+[ -n "$5" -a "$5" != "+" -a -z "$DO_SHOWMAP" ]  && export DO_SHOWMAP="$5"
+[ -n "$6" -a "$6" != "+" -a -z "$SHOWMAP_TEXTINPUT" ]  && export SHOWMAP_TEXTINPUT="$6"
+target/debug/qemu_systemmode -icount shift=3,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -snapshot -drive if=none,format=qcow2,file=dummy.qcow2 -S
\ No newline at end of file
diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs
index 3c9f4c364e..583c174ae9 100644
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@@ -1,7 +1,7 @@
 //! A fuzzer using qemu in systemmode for binary-only coverage of kernels
 //!
 use core::time::Duration;
-use std::{env, path::PathBuf, process};
+use std::{env, path::PathBuf, process, io::Read, fs};
 
 use libafl::{
     bolts::{
@@ -28,7 +28,7 @@ use libafl::{
     stages::StdMutationalStage,
     state::{HasCorpus, StdState},
     Error,
-    //prelude::{SimpleMonitor, SimpleEventManager},
+    prelude::{SimpleMonitor, SimpleEventManager},
 };
 use libafl_qemu::{
     edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
@@ -68,7 +68,7 @@ pub fn fuzz() {
     println!("FUZZ_INPUT @ {:#x}", input_addr);
 
     let main_addr = elf
-        .resolve_symbol("main", 0)
+        .resolve_symbol(&env::var("FUZZ_MAIN").unwrap_or_else(|_| "FUZZ_INPUT".to_owned()), 0)
         .expect("Symbol main not found");
     println!("main address = {:#x}", main_addr);
 
@@ -86,11 +86,11 @@ pub fn fuzz() {
         let env: Vec<(String, String)> = env::vars().collect();
         let emu = Emulator::new(&args, &env);
 
-        emu.set_breakpoint(main_addr);
-        unsafe {
-            emu.run();
-        }
-        emu.remove_breakpoint(main_addr);
+        // emu.set_breakpoint(main_addr);
+        // unsafe {
+        //     emu.run();
+        // }
+        // emu.remove_breakpoint(main_addr);
 
         emu.set_breakpoint(breakpoint); // BREAKPOINT
 
@@ -183,50 +183,72 @@ pub fn fuzz() {
         // Wrap the executor to keep track of the timeout
         let mut executor = TimeoutExecutor::new(executor, timeout);
 
-        if state.corpus().count() < 1 {
-            state
-                .load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &corpus_dirs)
-                .unwrap_or_else(|_| {
-                    println!("Failed to load initial corpus at {:?}", &corpus_dirs);
-                    process::exit(0);
-                });
-            println!("We imported {} inputs from disk.", state.corpus().count());
-        }
-
         // Setup an havoc mutator with a mutational stage
         let mutator = StdScheduledMutator::new(havoc_mutations());
         let mut stages = tuple_list!(StdMutationalStage::new(mutator));
 
-        fuzzer
-            .fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
-            .unwrap();
+        if env::var("DO_SHOWMAP").is_ok() {
+            let s = &env::var("DO_SHOWMAP").unwrap();
+            let show_input = if s=="-" {
+                    let mut buf = Vec::<u8>::new();
+                    std::io::stdin().read_to_end(&mut buf).expect("Could not read Stdin");
+                    buf
+                } else if s=="$" {
+                    env::var("SHOWMAP_TEXTINPUT").expect("SHOWMAP_TEXTINPUT not set").as_bytes().to_owned()
+                } else {
+                    fs::read(s).expect("Input file for DO_SHOWMAP can not be read")
+                };
+            fuzzer.execute_input(&mut state, &mut executor, &mut mgr, &BytesInput::new(show_input))
+                .unwrap();
+        } else {
+            if state.corpus().count() < 1 {
+                state
+                    .load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &corpus_dirs)
+                    .unwrap_or_else(|_| {
+                        println!("Failed to load initial corpus at {:?}", &corpus_dirs);
+                        process::exit(0);
+                    });
+                println!("We imported {} inputs from disk.", state.corpus().count());
+            }
+
+            fuzzer
+                .fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
+                .unwrap();
+        }
+        #[cfg(not(feature = "singlecore"))]
         Ok(())
     };
 
-    // The shared memory allocator
-    let shmem_provider = StdShMemProvider::new().expect("Failed to init shared memory");
-
-    // The stats reporter for the broker
-    let monitor = MultiMonitor::new(|s| println!("{}", s));
-
-    // let monitor = SimpleMonitor::new(|s| println!("{}", s));
-    // let mut mgr = SimpleEventManager::new(monitor);
-    // run_client(None, mgr, 0);
-
-    // Build and run a Launcher
-    match Launcher::builder()
-        .shmem_provider(shmem_provider)
-        .broker_port(broker_port)
-        .configuration(EventConfig::from_build_id())
-        .monitor(monitor)
-        .run_client(&mut run_client)
-        .cores(&cores)
-        // .stdout_file(Some("/dev/null"))
-        .build()
-        .launch()
+    #[cfg(feature = "singlecore")]
     {
-        Ok(()) => (),
-        Err(Error::ShuttingDown) => println!("Fuzzing stopped by user. Good bye."),
-        Err(err) => panic!("Failed to run launcher: {:?}", err),
+        let monitor = SimpleMonitor::new(|s| println!("{}", s));
+        let mgr = SimpleEventManager::new(monitor);
+        run_client(None, mgr, 0);
+    }
+    // else -> multicore
+    #[cfg(not(feature = "singlecore"))]
+    {
+        // The shared memory allocator
+        let shmem_provider = StdShMemProvider::new().expect("Failed to init shared memory");
+
+        // The stats reporter for the broker
+        let monitor = MultiMonitor::new(|s| println!("{}", s));
+
+        // Build and run a Launcher
+        match Launcher::builder()
+            .shmem_provider(shmem_provider)
+            .broker_port(broker_port)
+            .configuration(EventConfig::from_build_id())
+            .monitor(monitor)
+            .run_client(&mut run_client)
+            .cores(&cores)
+            // .stdout_file(Some("/dev/null"))
+            .build()
+            .launch()
+        {
+            Ok(()) => (),
+            Err(Error::ShuttingDown) => println!("Fuzzing stopped by user. Good bye."),
+            Err(err) => panic!("Failed to run launcher: {:?}", err),
+        }
     }
 }
\ No newline at end of file