diff --git a/fuzzers/frida_libpng/src/fuzzer.rs b/fuzzers/frida_libpng/src/fuzzer.rs
index 376a35cae4..cbccf1b39c 100644
--- a/fuzzers/frida_libpng/src/fuzzer.rs
+++ b/fuzzers/frida_libpng/src/fuzzer.rs
@@ -110,6 +110,7 @@ struct Opt {
 )]
 output: PathBuf,
+ /*
 #[structopt(
 parse(try_from_str = timeout_from_millis_str),
 short,
@@ -129,7 +130,7 @@ struct Opt {
 multiple = true
 )]
 tokens: Vec,
-
+ */
 #[structopt(
 long,
 help = "The configuration this fuzzer runs with, for multiprocessing",
diff --git a/libafl/src/bolts/launcher.rs b/libafl/src/bolts/launcher.rs
index b8f8d9eda1..8e37c40635 100644
--- a/libafl/src/bolts/launcher.rs
+++ b/libafl/src/bolts/launcher.rs
@@ -112,11 +112,9 @@ where
 println!("spawning on cores: {:?}", self.cores);
 #[cfg(feature = "std")]
- let stdout_file = if let Some(filename) = self.stdout_file {
- Some(File::create(filename).unwrap())
- } else {
- None
- };
+ let stdout_file = self
+ .stdout_file
+ .map(|filename| File::create(filename).unwrap());
 // Spawn clients
 let mut index = 0_u64;
diff --git a/libafl_frida/src/alloc.rs b/libafl_frida/src/alloc.rs
index f9c4ae2bb9..6badfdea44 100644
--- a/libafl_frida/src/alloc.rs
+++ b/libafl_frida/src/alloc.rs
@@ -10,7 +10,7 @@ use backtrace::Backtrace;
 use libc::{sysconf, _SC_PAGESIZE};
 use rangemap::RangeSet;
 use serde::{Deserialize, Serialize};
-use std::{ffi::c_void, io};
+use std::{collections::BTreeMap, ffi::c_void, io};
 use crate::{
 asan::errors::{AsanError, AsanErrors},
@@ -26,7 +26,7 @@ pub struct Allocator {
 pre_allocated_shadow: bool,
 allocations: HashMap,
 shadow_pages: RangeSet,
- allocation_queue: HashMap>,
+ allocation_queue: BTreeMap>,
 largest_allocation: usize,
 total_allocation_size: usize,
 base_mapping_addr: usize,
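Review bot: The `/*` opened after `output: PathBuf` (closed by the `*/` in the `-129,7` hunk of the same file) leaves two structopt options, the one parsed with `timeout_from_millis_str` and `tokens`, as commented-out code inside `struct Opt` instead of removing or gating them; the struct continues outside both hunks. Block-commenting the fields silently drops those CLI flags for anyone who passes them, and if any code later in the file still reads `opt.tokens` or the timeout field it no longer compiles, which I cannot confirm from here. Either delete the fields outright (history keeps them) or keep them under a `#[cfg(...)]` with a one-line comment stating why they are disabled, e.g. `// timeout/tokens options disabled: <reason>`.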
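Review bot: `File::create(filename).unwrap()` in the rewritten closure still panics the launcher on an unwritable stdout path, and the closure is the only thing this hunk touched, so it is the natural place to propagate instead. If the enclosing function (its signature is outside the hunk) returns a `Result` whose error type converts from `io::Error`, `let stdout_file = self.stdout_file.map(File::create).transpose()?;` keeps the `Option<File>` binding, drops the redundant closure and surfaces the failure to the caller. If it does not, at least `.expect("failed to create the stdout redirection file")` records why aborting is acceptable here.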
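Review bot: The switch of `allocation_queue` to `BTreeMap` is motivated only by the ascending walk in `find_smallest_fit` (a later hunk of this file), and nothing on the field says so, so a reader would reasonably swap it back to `HashMap`. Add a doc comment on the field, e.g. `/// Free lists keyed by allocation size; ordered so that find_smallest_fit can scan sizes ascending`. The companion `BTreeMap::new()` in the constructor hunk needs no further change.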
@@ -118,8 +118,13 @@ impl Allocator {
 shadow_bit = try_shadow_bit;
 }
 }
- assert!(shadow_bit != 0);
+ #[cfg(not(any(
+ target_os = "linux",
+ all(target_arch = "aarch64", target_os = "android")
+ )))]
+ todo!("Shadow region not yet supported for this platform!");
+ assert!(shadow_bit != 0);
 // attempt to pre-map the entire shadow-memory space
 let addr: usize = 1 << shadow_bit;
@@ -146,7 +151,7 @@ impl Allocator {
 shadow_bit,
 allocations: HashMap::new(),
 shadow_pages: RangeSet::new(),
- allocation_queue: HashMap::new(),
+ allocation_queue: BTreeMap::new(),
 largest_allocation: 0,
 total_allocation_size: 0,
 base_mapping_addr: addr + addr + addr,
@@ -173,15 +178,12 @@ impl Allocator {
 }
 fn find_smallest_fit(&mut self, size: usize) -> Option {
- let mut current_size = size;
- while current_size <= self.largest_allocation {
- if self.allocation_queue.contains_key(¤t_size) {
- if let Some(metadata) = self.allocation_queue.entry(current_size).or_default().pop()
- {
+ for (current_size, list) in &mut self.allocation_queue {
+ if *current_size >= size {
+ if let Some(metadata) = list.pop() {
 return Some(metadata);
 }
 }
- current_size *= 2;
 }
 None
 }
diff --git a/libafl_frida/src/asan/asan_rt.rs b/libafl_frida/src/asan/asan_rt.rs
index 799c079a21..566b12748f 100644
--- a/libafl_frida/src/asan/asan_rt.rs
+++ b/libafl_frida/src/asan/asan_rt.rs
@@ -6,13 +6,10 @@ even if the target would not have crashed under normal conditions.
 this helps finding mem errors early.
 */
-use frida_gum::NativePointer;
-use frida_gum::{ModuleDetails, RangeDetails};
-use hashbrown::HashMap;
-
-use nix::sys::mman::{mmap, mprotect, MapFlags, ProtFlags};
-
 use backtrace::Backtrace;
+use frida_gum::{ModuleDetails, NativePointer, RangeDetails};
+use hashbrown::HashMap;
+use nix::sys::mman::{mmap, MapFlags, ProtFlags};
 use crate::helper::FridaInstrumentationHelper;
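Review bot: The `todo!(...)` under `#[cfg(not(any(...)))]` turns an unsupported platform into a runtime panic inside the allocator constructor (whose signature is outside the hunk), and on those targets every statement after it, including the `assert!` and the shadow pre-mapping, becomes unreachable code the compiler will warn about. A compile-time failure is cheaper and louder: `#[cfg(not(any(target_os = "linux", all(target_arch = "aarch64", target_os = "android"))))] compile_error!("Shadow region not yet supported for this platform!");` at item level, or gate the whole `Allocator` impl with the same cfg. If the intent is to let the crate build everywhere and fail only when ASAN is actually constructed, a comment above the attribute saying so would stop the next reader from "fixing" it.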
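Review bot: The new `find_smallest_fit` loop visits every size class below `size` only to skip it; the `*current_size >= size` test folds into the lookup as `for (_, list) in self.allocation_queue.range_mut(size..) {` with the inner `if` removed, which walks only eligible buckets, still in ascending order. Separately, the function now hands out the smallest free block of at least `size` bytes, which may be larger than the request; unless the caller re-poisons the shadow bytes between the requested size and the block's real size (not visible here), accesses into that slack would go unreported by the ASAN runtime, so that is worth confirming at the call site. `largest_allocation` is no longer consulted here; check it is still needed elsewhere or it becomes a stale field.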
@@ -182,10 +179,9 @@ impl AsanRuntime {
 }
 self.hook_functions(_gum);
-
+ /*
 unsafe {
 let mem = self.allocator.alloc(0xac + 2, 8);
- unsafe {
 mprotect(
 (self.shadow_check_func.unwrap() as usize & 0xffffffffffff000) as *mut c_void,
 0x1000,
@@ -256,6 +252,7 @@ impl AsanRuntime {
 }
 // assert!((self.shadow_check_func.unwrap())(((mem2 as usize) + 8875) as *const c_void, 4));
 }
+ */
 }
 /// Reset all allocations so that they can be reused for new allocation requests.
diff --git a/libafl_frida/src/asan/errors.rs b/libafl_frida/src/asan/errors.rs
index bbd42e7528..f0e641764c 100644
--- a/libafl_frida/src/asan/errors.rs
+++ b/libafl_frida/src/asan/errors.rs
@@ -1,10 +1,11 @@
+#[cfg(target_arch = "x86_64")]
+use crate::asan::asan_rt::ASAN_SAVE_REGISTER_NAMES;
 use backtrace::Backtrace;
 use capstone::{arch::BuildsCapstone, Capstone};
 use color_backtrace::{default_output_stream, BacktracePrinter, Verbosity};
 #[cfg(target_arch = "aarch64")]
 use frida_gum::interceptor::Interceptor;
 use frida_gum::ModuleDetails;
-
 use libafl::{
 bolts::{ownedref::OwnedPtr, tuples::Named},
 corpus::Testcase,
@@ -20,9 +21,6 @@ use serde::{Deserialize, Serialize};
 use std::io::Write;
 use termcolor::{Color, ColorSpec, WriteColor};
-#[cfg(target_arch = "x86_64")]
-use crate::asan::asan_rt::ASAN_SAVE_REGISTER_NAMES;
-
 use crate::{alloc::AllocationMetadata, asan::asan_rt::ASAN_SAVE_REGISTER_COUNT, FridaOptions};
 #[derive(Debug, Clone, Serialize, Deserialize)]
diff --git a/libafl_frida/src/drcov_rt.rs b/libafl_frida/src/drcov_rt.rs
index 66bdf2271c..c30ba95c9b 100644
--- a/libafl_frida/src/drcov_rt.rs
+++ b/libafl_frida/src/drcov_rt.rs
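Review bot: The `/*` opened after `self.hook_functions(_gum)` (closed by the `*/` in the `-256,6` hunk) disables the block that exercised `shadow_check_func` against `mprotect`-ed memory, and with `mprotect` also dropped from this file's imports and the inner `unsafe {` line deleted inside the comment, the block would no longer compile if simply un-commented. Roughly seventy lines of dead self-test code in a block comment will rot; if the check is meant to come back, move it into a `#[cfg(test)]` test or behind a debug-only option with a comment naming why it is off, otherwise delete it. The method whose body this sits in starts outside the hunk.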
@@ -1,16 +1,24 @@
+//! Generates `DrCov` traces
 use ahash::AHasher;
-use libafl::inputs::{HasTargetBytes, Input};
-use libafl::Error;
+use libafl::{
+ inputs::{HasTargetBytes, Input},
+ Error,
+};
 use libafl_targets::drcov::{DrCovBasicBlock, DrCovWriter};
 use rangemap::RangeMap;
 use std::hash::Hasher;
+/// Generates `DrCov` traces
+#[derive(Clone, Debug)]
 pub struct DrCovRuntime {
+ /// The basic blocks of this execution
 pub drcov_basic_blocks: Vec,
+ /// The memory ragnes of this target
 ranges: RangeMap,
 }
 impl DrCovRuntime {
+ /// Creates a new [`DrCovRuntime`]
 #[must_use]
 pub fn new() -> Self {
 Self {
@@ -19,15 +27,19 @@ impl DrCovRuntime {
 }
 }
+ /// initializes this runtime wiith the given `ranges`
 pub fn init(&mut self, ranges: &RangeMap) {
 self.ranges = ranges.clone();
 }
+ /// Called before execution, does nothing
 #[allow(clippy::unused_self)]
 pub fn pre_exec(&mut self, _input: &I) -> Result<(), Error> {
 Ok(())
 }
+ /// Called after execution, writes the trace to a unique `DrCov` file for this trace
+ /// into `./coverage/.drcov`
 pub fn post_exec(&mut self, input: &I) -> Result<(), Error> {
 let mut hasher = AHasher::new_with_keys(0, 0);
 hasher.write(input.target_bytes().as_slice());
@@ -39,3 +51,9 @@ impl DrCovRuntime {
 Ok(())
 }
 }
+
+impl Default for DrCovRuntime {
+ fn default() -> Self {
+ Self::new()
+ }
+}
diff --git a/libafl_frida/src/executor.rs b/libafl_frida/src/executor.rs
index ab6b7448cb..c71c5d82d2 100644
--- a/libafl_frida/src/executor.rs
+++ b/libafl_frida/src/executor.rs
@@ -55,7 +55,7 @@ where
 mgr: &mut EM,
 input: &I,
 ) -> Result {
- self.helper.pre_exec(input);
+ self.helper.pre_exec(input)?;
 if self.helper.stalker_enabled() {
 if self.followed {
 self.stalker.activate(NativePointer(core::ptr::null_mut()));
diff --git a/libafl_frida/src/helper.rs b/libafl_frida/src/helper.rs
index bd45710d65..680fced438 100644
--- a/libafl_frida/src/helper.rs
+++ b/libafl_frida/src/helper.rs
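Review bot: The new doc comments carry typos: `/// The memory ragnes of this target` on the `ranges` field should read `/// The memory ranges of this target`, and in the `-19,15` hunk `/// initializes this runtime wiith the given \`ranges\`` should read `/// Initializes this runtime with the given \`ranges\``. The `post_exec` doc in that hunk names the output as `./coverage/.drcov`; the file-name component between `coverage/` and `.drcov` appears to have been lost in this rendering, and the body shows it comes from `AHasher::new_with_keys(0, 0)` fed with `input.target_bytes()`, so spelling that out, e.g. `/// into ./coverage/<hash of the input bytes>.drcov`, would make the naming scheme explicit for readers who later need to correlate trace files with inputs.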
@@ -125,7 +125,9 @@ impl<'a> FridaHelper<'a> for FridaInstrumentationHelper<'a> {
 }
 fn post_exec(&mut self, input: &I) -> Result<(), Error> {
- self.drcov_runtime.post_exec(input)?;
+ if self.options().enable_drcov {
+ self.drcov_runtime.post_exec(input)?;
+ }
 #[cfg(unix)]
 if self.options.asan_enabled() {
 if self.options.asan_detect_leaks() {
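Review bot: The new guard reads the option through `self.options().enable_drcov` while the two lines immediately below use `self.options.asan_enabled()` and `self.options.asan_detect_leaks()`; mixing the accessor method and the field in one function is confusing, and the field read already works here: `if self.options.enable_drcov {`. If `FridaOptions` exposes a predicate for drcov in the style of `asan_enabled()`, prefer that for symmetry with the ASAN checks. `post_exec` continues past the end of the hunk.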