Example fuzzers with less UB (#1212)

* Example fuzzers with even less UB * more less ub, fixes * unused dep
2023-04-16 14:29:41 +02:00 · 2023-04-16 14:29:41 +02:00 · c881dc996d
commit c881dc996d
parent cdd3d8ace0
9 changed files with 37 additions and 30 deletions
--- a/.gitignore
+++ b/.gitignore
@ -47,6 +47,7 @@ a
 forkserver_test
 __pycache__
 *.lafl_lock
+*.metadata

 *atomic_file_testfile*
 **/libxml2
--- a/fuzzers/baby_fuzzer_gramatron/src/main.rs
+++ b/fuzzers/baby_fuzzer_gramatron/src/main.rs
@ -28,10 +28,11 @@ use libafl::{

 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 /*
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { std::ptr::write(SIGNALS_PTR.add(idx), 1) };
 }
 */

@ -57,7 +58,7 @@ pub fn main() {
    };

    // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", &mut SIGNALS) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };

    // Feedback to rate the interestingness of an input
    let mut feedback = MaxMapFeedback::new(&observer);
--- a/fuzzers/baby_fuzzer_minimizing/src/main.rs
+++ b/fuzzers/baby_fuzzer_minimizing/src/main.rs
@ -1,15 +1,16 @@
-use std::path::PathBuf;
 #[cfg(windows)]
 use std::ptr::write_volatile;
+use std::{path::PathBuf, ptr::write};

 use libafl::prelude::*;

 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };

 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }

 #[allow(clippy::similar_names)]
@ -32,8 +33,7 @@ pub fn main() -> Result<(), Error> {
    };

    // Create an observation channel using the signals map
-    let observer =
-        unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS.as_mut_ptr(), SIGNALS.len()) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };

    let factory = MapEqualityFactory::with_observer(&observer);

--- a/fuzzers/baby_fuzzer_nautilus/src/main.rs
+++ b/fuzzers/baby_fuzzer_nautilus/src/main.rs
@ -4,7 +4,7 @@ use std::ptr::write_volatile;

 use libafl::{
    bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
-    corpus::{InMemoryCorpus, InMemoryOnDiskCorpus, OnDiskCorpus},
+    corpus::{InMemoryCorpus, OnDiskCorpus},
    events::SimpleEventManager,
    executors::{inprocess::InProcessExecutor, ExitKind},
    feedback_or,
@ -24,10 +24,11 @@ use libafl::{

 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 /*
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { str::ptr::write(SIGNALS_PTR.add(idx), 1) };
 }
 */

@ -46,7 +47,7 @@ pub fn main() {
    };

    // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", &mut SIGNALS) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };

    // Feedback to rate the interestingness of an input
    let mut feedback = feedback_or!(
--- a/fuzzers/baby_fuzzer_tokens/src/main.rs
+++ b/fuzzers/baby_fuzzer_tokens/src/main.rs
@ -1,6 +1,6 @@
 #[cfg(windows)]
 use std::ptr::write_volatile;
-use std::{fs, io::Read, path::PathBuf};
+use std::{fs, io::Read, path::PathBuf, ptr::write};

 use libafl::{
    bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
@ -20,10 +20,12 @@ use libafl::{

 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
+
 /*
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }
 */

@ -65,8 +67,7 @@ pub fn main() {
    };

    // Create an observation channel using the signals map
-    let observer =
-        unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS.as_mut_ptr(), SIGNALS.len()) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };

    // Feedback to rate the interestingness of an input
    let mut feedback = MaxMapFeedback::new(&observer);
--- a/fuzzers/baby_fuzzer_with_forkexecutor/src/main.rs
+++ b/fuzzers/baby_fuzzer_with_forkexecutor/src/main.rs
@ -1,6 +1,6 @@
-use std::path::PathBuf;
 #[cfg(windows)]
 use std::ptr::write_volatile;
+use std::{path::PathBuf, ptr::write};

 use libafl::{
    bolts::{
@ -29,11 +29,11 @@ use libafl::{
 pub fn main() {
    let mut shmem_provider = unix_shmem::UnixShMemProvider::new().unwrap();
    let mut signals = shmem_provider.new_shmem(16).unwrap();
-    let mut signals_clone = signals.clone();
+    let signals_len = signals.as_slice().len();
+    let signals_ptr = signals.as_mut_slice().as_mut_ptr();

-    let mut signals_set = |idx: usize| {
-        let a = signals.as_mut_slice();
-        a[idx] = 1;
+    let signals_set = |idx: usize| {
+        unsafe { write(signals_ptr.add(idx), 1) };
    };

    // The closure that we want to fuzz
@ -64,7 +64,7 @@ pub fn main() {
    };

    // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", signals_clone.as_mut_slice()) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", signals_ptr, signals_len) };
    // Create a stacktrace observer to add the observers tuple

    // Feedback to rate the interestingness of an input, obtained by ANDing the interestingness of both feedbacks
--- a/fuzzers/baby_no_std/src/main.rs
+++ b/fuzzers/baby_no_std/src/main.rs
@ -8,6 +8,7 @@ extern crate alloc;
 use alloc::ffi::CString;
 #[cfg(not(any(windows)))]
 use core::panic::PanicInfo;
+use core::ptr::write;

 use libafl::{
    bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
@ -46,10 +47,11 @@ fn panic(_info: &PanicInfo) -> ! {

 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };

 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }

 /// Provide custom time in `no_std` environment
@ -85,7 +87,7 @@ pub extern "C" fn main(_argc: isize, _argv: *const *const u8) -> isize {
    };

    // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", &mut SIGNALS) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };

    // Feedback to rate the interestingness of an input
    let mut feedback = MaxMapFeedback::new(&observer);
--- a/fuzzers/backtrace_baby_fuzzers/rust_code_with_fork_executor/src/main.rs
+++ b/fuzzers/backtrace_baby_fuzzers/rust_code_with_fork_executor/src/main.rs
@ -1,6 +1,6 @@
-use std::path::PathBuf;
 #[cfg(windows)]
 use std::ptr::write_volatile;
+use std::{path::PathBuf, ptr::write};

 use libafl::{
    bolts::{
@ -30,12 +30,12 @@ use libafl::{
 pub fn main() {
    let mut shmem_provider = unix_shmem::UnixShMemProvider::new().unwrap();
    let mut signals = shmem_provider.new_shmem(16).unwrap();
-    let mut signals_clone = signals.clone();
+    let signals_len = signals.len();
+    let signals_ptr = signals.as_mut_slice().as_mut_ptr();
    let mut bt = shmem_provider.new_shmem_object::<Option<u64>>().unwrap();

-    let mut signals_set = |idx: usize| {
-        let a = signals.as_mut_slice();
-        a[idx] = 1;
+    let signals_set = |idx: usize| {
+        unsafe { write(signals_ptr.add(idx), 1) };
    };

    // The closure that we want to fuzz
@ -65,7 +65,7 @@ pub fn main() {
    };

    // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", signals_clone.as_mut_slice()) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", signals_ptr, signals_len) };
    // Create a stacktrace observer
    let bt_observer = BacktraceObserver::new(
        "BacktraceObserver",
--- a/fuzzers/backtrace_baby_fuzzers/rust_code_with_inprocess_executor/src/main.rs
+++ b/fuzzers/backtrace_baby_fuzzers/rust_code_with_inprocess_executor/src/main.rs
@ -1,6 +1,6 @@
-use std::path::PathBuf;
 #[cfg(windows)]
 use std::ptr::write_volatile;
+use std::{path::PathBuf, ptr::write};

 use libafl::{
    bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
@ -22,10 +22,11 @@ use libafl::{

 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };

 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }

 #[allow(clippy::similar_names)]
@ -58,7 +59,7 @@ pub fn main() {
    };

    // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", &mut SIGNALS) };
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
    // Create a stacktrace observer to add the observers tuple
    let mut bt = None;
    let bt_observer = BacktraceObserver::new(