add arguments

fuzzers/FRET/Cargo.toml

@@ -5,10 +5,11 @@ authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenuk
 edition = "2021"
 
 [features]
-default = ["std", "snapshot_fast"]
+default = ["std", "snapshot_fast", "singlecore"]
 std = []
 snapshot_restore = []
 snapshot_fast = [ "snapshot_restore" ]
+singlecore = []
 
 [profile.release]
 lto = true

fuzzers/FRET/fuzzer.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+[ -n "$1" -a "$1" != "+" -a -z "$KERNEL" ] && export KERNEL="$1"
+[ -n "$2" -a "$2" != "+" -a -z "$FUZZ_MAIN" ]   && export FUZZ_MAIN="$2"
+[ -n "$3" -a "$3" != "+" -a -z "$FUZZ_INPUT" ]  && export FUZZ_INPUT="$3"
+[ -n "$4" -a "$4" != "+" -a -z "$BREAKPOINT" ]  && export BREAKPOINT="$4"
+[ -n "$5" -a "$5" != "+" -a -z "$DO_SHOWMAP" ]  && export DO_SHOWMAP="$5"
+[ -n "$6" -a "$6" != "+" -a -z "$SHOWMAP_TEXTINPUT" ]  && export SHOWMAP_TEXTINPUT="$6"
+target/debug/qemu_systemmode -icount shift=3,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -snapshot -drive if=none,format=qcow2,file=dummy.qcow2 -S

fuzzers/FRET/src/fuzzer.rs

@@ -1,7 +1,7 @@
 //! A fuzzer using qemu in systemmode for binary-only coverage of kernels
 //!
 use core::time::Duration;
-use std::{env, path::PathBuf, process};
+use std::{env, path::PathBuf, process, io::Read, fs};
 
 use libafl::{
     bolts::{
@@ -28,7 +28,7 @@ use libafl::{
     stages::StdMutationalStage,
     state::{HasCorpus, StdState},
     Error,
-    //prelude::{SimpleMonitor, SimpleEventManager},
+    prelude::{SimpleMonitor, SimpleEventManager},
 };
 use libafl_qemu::{
     edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
@@ -68,7 +68,7 @@ pub fn fuzz() {
     println!("FUZZ_INPUT @ {:#x}", input_addr);
 
     let main_addr = elf
-        .resolve_symbol("main", 0)
+        .resolve_symbol(&env::var("FUZZ_MAIN").unwrap_or_else(|_| "FUZZ_INPUT".to_owned()), 0)
         .expect("Symbol main not found");
     println!("main address = {:#x}", main_addr);
 
@@ -86,11 +86,11 @@ pub fn fuzz() {
         let env: Vec<(String, String)> = env::vars().collect();
         let emu = Emulator::new(&args, &env);
 
-        emu.set_breakpoint(main_addr);
-        unsafe {
-            emu.run();
-        }
-        emu.remove_breakpoint(main_addr);
+        // emu.set_breakpoint(main_addr);
+        // unsafe {
+        //     emu.run();
+        // }
+        // emu.remove_breakpoint(main_addr);
 
         emu.set_breakpoint(breakpoint); // BREAKPOINT
 
@@ -183,6 +183,24 @@ pub fn fuzz() {
         // Wrap the executor to keep track of the timeout
         let mut executor = TimeoutExecutor::new(executor, timeout);
 
+        // Setup an havoc mutator with a mutational stage
+        let mutator = StdScheduledMutator::new(havoc_mutations());
+        let mut stages = tuple_list!(StdMutationalStage::new(mutator));
+
+        if env::var("DO_SHOWMAP").is_ok() {
+            let s = &env::var("DO_SHOWMAP").unwrap();
+            let show_input = if s=="-" {
+                    let mut buf = Vec::<u8>::new();
+                    std::io::stdin().read_to_end(&mut buf).expect("Could not read Stdin");
+                    buf
+                } else if s=="$" {
+                    env::var("SHOWMAP_TEXTINPUT").expect("SHOWMAP_TEXTINPUT not set").as_bytes().to_owned()
+                } else {
+                    fs::read(s).expect("Input file for DO_SHOWMAP can not be read")
+                };
+            fuzzer.execute_input(&mut state, &mut executor, &mut mgr, &BytesInput::new(show_input))
+                .unwrap();
+        } else {
             if state.corpus().count() < 1 {
                 state
                     .load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &corpus_dirs)
@@ -193,26 +211,29 @@ pub fn fuzz() {
                 println!("We imported {} inputs from disk.", state.corpus().count());
             }
 
-        // Setup an havoc mutator with a mutational stage
-        let mutator = StdScheduledMutator::new(havoc_mutations());
-        let mut stages = tuple_list!(StdMutationalStage::new(mutator));
-
             fuzzer
                 .fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
                 .unwrap();
+        }
+        #[cfg(not(feature = "singlecore"))]
         Ok(())
     };
 
+    #[cfg(feature = "singlecore")]
+    {
+        let monitor = SimpleMonitor::new(|s| println!("{}", s));
+        let mgr = SimpleEventManager::new(monitor);
+        run_client(None, mgr, 0);
+    }
+    // else -> multicore
+    #[cfg(not(feature = "singlecore"))]
+    {
         // The shared memory allocator
         let shmem_provider = StdShMemProvider::new().expect("Failed to init shared memory");
 
         // The stats reporter for the broker
         let monitor = MultiMonitor::new(|s| println!("{}", s));
 
-    // let monitor = SimpleMonitor::new(|s| println!("{}", s));
-    // let mut mgr = SimpleEventManager::new(monitor);
-    // run_client(None, mgr, 0);
-
         // Build and run a Launcher
         match Launcher::builder()
             .shmem_provider(shmem_provider)
@@ -229,4 +250,5 @@ pub fn fuzz() {
             Err(Error::ShuttingDown) => println!("Fuzzing stopped by user. Good bye."),
             Err(err) => panic!("Failed to run launcher: {:?}", err),
         }
+    }
 }