Example fuzzers with less UB (#1212)

* Example fuzzers with even less UB

* more less ub, fixes

* unused dep

.gitignore

@@ -47,6 +47,7 @@ a
 forkserver_test
 __pycache__
 *.lafl_lock
+*.metadata
 
 *atomic_file_testfile*
 **/libxml2

fuzzers/baby_fuzzer_gramatron/src/main.rs

@@ -28,10 +28,11 @@ use libafl::{
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 /*
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { std::ptr::write(SIGNALS_PTR.add(idx), 1) };
 }
 */
 
@@ -57,7 +58,7 @@ pub fn main() {
     };
 
     // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", &mut SIGNALS) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
 
     // Feedback to rate the interestingness of an input
     let mut feedback = MaxMapFeedback::new(&observer);

fuzzers/baby_fuzzer_minimizing/src/main.rs

@@ -1,15 +1,16 @@
-use std::path::PathBuf;
 #[cfg(windows)]
 use std::ptr::write_volatile;
+use std::{path::PathBuf, ptr::write};
 
 use libafl::prelude::*;
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }
 
 #[allow(clippy::similar_names)]
@@ -32,8 +33,7 @@ pub fn main() -> Result<(), Error> {
     };
 
     // Create an observation channel using the signals map
-    let observer =
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
-        unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS.as_mut_ptr(), SIGNALS.len()) };
 
     let factory = MapEqualityFactory::with_observer(&observer);
 

fuzzers/baby_fuzzer_nautilus/src/main.rs

@@ -4,7 +4,7 @@ use std::ptr::write_volatile;
 
 use libafl::{
     bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
-    corpus::{InMemoryCorpus, InMemoryOnDiskCorpus, OnDiskCorpus},
+    corpus::{InMemoryCorpus, OnDiskCorpus},
     events::SimpleEventManager,
     executors::{inprocess::InProcessExecutor, ExitKind},
     feedback_or,
@@ -24,10 +24,11 @@ use libafl::{
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 /*
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { str::ptr::write(SIGNALS_PTR.add(idx), 1) };
 }
 */
 
@@ -46,7 +47,7 @@ pub fn main() {
     };
 
     // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", &mut SIGNALS) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
 
     // Feedback to rate the interestingness of an input
     let mut feedback = feedback_or!(

fuzzers/baby_fuzzer_tokens/src/main.rs

@@ -1,6 +1,6 @@
 #[cfg(windows)]
 use std::ptr::write_volatile;
-use std::{fs, io::Read, path::PathBuf};
+use std::{fs, io::Read, path::PathBuf, ptr::write};
 
 use libafl::{
     bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
@@ -20,10 +20,12 @@ use libafl::{
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
+
 /*
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }
 */
 
@@ -65,8 +67,7 @@ pub fn main() {
     };
 
     // Create an observation channel using the signals map
-    let observer =
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
-        unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS.as_mut_ptr(), SIGNALS.len()) };
 
     // Feedback to rate the interestingness of an input
     let mut feedback = MaxMapFeedback::new(&observer);

fuzzers/baby_fuzzer_with_forkexecutor/src/main.rs

@@ -1,6 +1,6 @@
-use std::path::PathBuf;
 #[cfg(windows)]
 use std::ptr::write_volatile;
+use std::{path::PathBuf, ptr::write};
 
 use libafl::{
     bolts::{
@@ -29,11 +29,11 @@ use libafl::{
 pub fn main() {
     let mut shmem_provider = unix_shmem::UnixShMemProvider::new().unwrap();
     let mut signals = shmem_provider.new_shmem(16).unwrap();
-    let mut signals_clone = signals.clone();
+    let signals_len = signals.as_slice().len();
+    let signals_ptr = signals.as_mut_slice().as_mut_ptr();
 
-    let mut signals_set = |idx: usize| {
+    let signals_set = |idx: usize| {
-        let a = signals.as_mut_slice();
+        unsafe { write(signals_ptr.add(idx), 1) };
-        a[idx] = 1;
     };
 
     // The closure that we want to fuzz
@@ -64,7 +64,7 @@ pub fn main() {
     };
 
     // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", signals_clone.as_mut_slice()) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", signals_ptr, signals_len) };
     // Create a stacktrace observer to add the observers tuple
 
     // Feedback to rate the interestingness of an input, obtained by ANDing the interestingness of both feedbacks

fuzzers/baby_no_std/src/main.rs

@@ -8,6 +8,7 @@ extern crate alloc;
 use alloc::ffi::CString;
 #[cfg(not(any(windows)))]
 use core::panic::PanicInfo;
+use core::ptr::write;
 
 use libafl::{
     bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
@@ -46,10 +47,11 @@ fn panic(_info: &PanicInfo) -> ! {
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }
 
 /// Provide custom time in `no_std` environment
@@ -85,7 +87,7 @@ pub extern "C" fn main(_argc: isize, _argv: *const *const u8) -> isize {
     };
 
     // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", &mut SIGNALS) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
 
     // Feedback to rate the interestingness of an input
     let mut feedback = MaxMapFeedback::new(&observer);

fuzzers/backtrace_baby_fuzzers/rust_code_with_fork_executor/src/main.rs

@@ -1,6 +1,6 @@
-use std::path::PathBuf;
 #[cfg(windows)]
 use std::ptr::write_volatile;
+use std::{path::PathBuf, ptr::write};
 
 use libafl::{
     bolts::{
@@ -30,12 +30,12 @@ use libafl::{
 pub fn main() {
     let mut shmem_provider = unix_shmem::UnixShMemProvider::new().unwrap();
     let mut signals = shmem_provider.new_shmem(16).unwrap();
-    let mut signals_clone = signals.clone();
+    let signals_len = signals.len();
+    let signals_ptr = signals.as_mut_slice().as_mut_ptr();
     let mut bt = shmem_provider.new_shmem_object::<Option<u64>>().unwrap();
 
-    let mut signals_set = |idx: usize| {
+    let signals_set = |idx: usize| {
-        let a = signals.as_mut_slice();
+        unsafe { write(signals_ptr.add(idx), 1) };
-        a[idx] = 1;
     };
 
     // The closure that we want to fuzz
@@ -65,7 +65,7 @@ pub fn main() {
     };
 
     // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", signals_clone.as_mut_slice()) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", signals_ptr, signals_len) };
     // Create a stacktrace observer
     let bt_observer = BacktraceObserver::new(
         "BacktraceObserver",

fuzzers/backtrace_baby_fuzzers/rust_code_with_inprocess_executor/src/main.rs

@@ -1,6 +1,6 @@
-use std::path::PathBuf;
 #[cfg(windows)]
 use std::ptr::write_volatile;
+use std::{path::PathBuf, ptr::write};
 
 use libafl::{
     bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
@@ -22,10 +22,11 @@ use libafl::{
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }
 
 #[allow(clippy::similar_names)]
@@ -58,7 +59,7 @@ pub fn main() {
     };
 
     // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", &mut SIGNALS) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
     // Create a stacktrace observer to add the observers tuple
     let mut bt = None;
     let bt_observer = BacktraceObserver::new(