SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Switch frida_libpng to ShadowExecutor when using cmplog

Browse Source
This commit is contained in:
s1341 2021-06-10 12:30:57 +03:00
parent 3d84a8d081
commit bea557a48a
1 changed files with 8 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
fuzzers/frida_libpng/src/fuzzer.rs
View File

@ -21,7 +21,7 @@ use libafl::{
}, },
executors::{ executors::{
inprocess::InProcessExecutor, timeout::TimeoutExecutor, Executor, ExitKind, inprocess::InProcessExecutor, timeout::TimeoutExecutor, Executor, ExitKind,
HasExecHooksTuple, HasObservers, HasObserversHooks, HasExecHooksTuple, HasObservers, HasObserversHooks, ShadowExecutor
}, },
feedback_or, feedback_or,
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback, TimeoutFeedback}, feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback, TimeoutFeedback},
@ -33,7 +33,7 @@ use libafl::{
token_mutations::Tokens, token_mutations::Tokens,
}, },
observers::{HitcountsMapObserver, ObserversTuple, StdMapObserver, TimeObserver}, observers::{HitcountsMapObserver, ObserversTuple, StdMapObserver, TimeObserver},
stages::{StdMutationalStage, TracingStage}, stages::{ShadowTracingStage, StdMutationalStage},
state::{HasCorpus, HasMetadata, StdState}, state::{HasCorpus, HasMetadata, StdState},
stats::MultiStats, stats::MultiStats,
Error, Error,
@ -318,9 +318,6 @@ unsafe fn fuzz(
&modules_to_instrument, &modules_to_instrument,
); );
// Create an observation channel using cmplog map
let cmplog_observer = CmpLogObserver::new("cmplog", &mut CMPLOG_MAP, true);
// Create an observation channel using the coverage map // Create an observation channel using the coverage map
let edges_observer = HitcountsMapObserver::new(StdMapObserver::new_from_ptr( let edges_observer = HitcountsMapObserver::new(StdMapObserver::new_from_ptr(
"edges", "edges",
@ -406,7 +403,7 @@ unsafe fn fuzz(
&mut mgr, &mut mgr,
)?, )?,
&mut frida_helper, &mut frida_helper,
Duration::new(10, 0), Duration::new(30, 0),
); );
// In case the corpus is empty (on first run), reset // In case the corpus is empty (on first run), reset
@ -418,35 +415,13 @@ unsafe fn fuzz(
} }
if frida_options.cmplog_enabled() { if frida_options.cmplog_enabled() {
// Secondary harness due to mut ownership
let mut frida_harness = |input: &BytesInput| {
let target = input.target_bytes();
let buf = target.as_slice();
(target_func)(buf.as_ptr(), buf.len());
ExitKind::Ok
};
// Secondary helper due to mut ownership // Create an observation channel using cmplog map
let mut frida_helper = FridaInstrumentationHelper::new( let cmplog_observer = CmpLogObserver::new("cmplog", &mut CMPLOG_MAP, true);
&gum,
&frida_options,
module_name,
&modules_to_instrument,
);
// Setup a tracing stage in which we log comparisons let mut executor = ShadowExecutor::new(executor, tuple_list!(cmplog_observer));
let tracing = TracingStage::new(FridaInProcessExecutor::new(
&gum, let tracing = ShadowTracingStage::new(&mut executor);
InProcessExecutor::new(
&mut frida_harness,
tuple_list!(cmplog_observer, AsanErrorsObserver::new(&ASAN_ERRORS)),
&mut fuzzer,
&mut state,
&mut mgr,
)?,
&mut frida_helper,
Duration::new(10, 0),
));
// Setup a randomic Input2State stage // Setup a randomic Input2State stage
let i2s = StdMutationalStage::new(StdScheduledMutator::new(tuple_list!( let i2s = StdMutationalStage::new(StdScheduledMutator::new(tuple_list!(