diff --git a/afl/examples/llmp_test/main.rs b/afl/examples/llmp_test/main.rs
index 5f5bccf3b3..754ff1590e 100644
--- a/afl/examples/llmp_test/main.rs
+++ b/afl/examples/llmp_test/main.rs
@@ -6,10 +6,7 @@ extern crate alloc;
 use core::{convert::TryInto, time::Duration};
 use std::{thread, time};
-use afl::{
- events::{llmp, shmem::AflShmem},
- AflError,
-};
+use afl::{llmp, shmem::AflShmem, AflError};
 const TAG_SIMPLE_U32_V1: u32 = 0x51300321;
 const TAG_MATH_RESULT_V1: u32 = 0x77474331;
diff --git a/afl/src/corpus/inmemory.rs b/afl/src/corpus/inmemory.rs
index b4cf3248ba..d7fec793cf 100644
--- a/afl/src/corpus/inmemory.rs
+++ b/afl/src/corpus/inmemory.rs
@@ -1,4 +1,4 @@
-use alloc::vec::Vec;
+use alloc::{borrow::ToOwned, vec::Vec};
 use core::{cell::RefCell, marker::PhantomData};
 use serde::{Deserialize, Serialize};
diff --git a/afl/src/corpus/mod.rs b/afl/src/corpus/mod.rs
index 222e5dcf62..d1e80b944f 100644
--- a/afl/src/corpus/mod.rs
+++ b/afl/src/corpus/mod.rs
@@ -12,7 +12,7 @@ pub use ondisk::OnDiskCorpus;
 pub mod queue;
 pub use queue::QueueCorpus;
-use alloc::vec::Vec;
+use alloc::{borrow::ToOwned, vec::Vec};
 use core::{cell::RefCell, ptr};
 use crate::{inputs::Input, utils::Rand, AflError};
diff --git a/afl/src/corpus/queue.rs b/afl/src/corpus/queue.rs
index 0781a69308..3699ffc421 100644
--- a/afl/src/corpus/queue.rs
+++ b/afl/src/corpus/queue.rs
@@ -1,4 +1,4 @@
-use alloc::vec::Vec;
+use alloc::{borrow::ToOwned, vec::Vec};
 use core::{cell::RefCell, marker::PhantomData};
 use serde::{Deserialize, Serialize};
diff --git a/afl/src/events/mod.rs b/afl/src/events/mod.rs
index 46e96a40ca..0612f77646 100644
--- a/afl/src/events/mod.rs
+++ b/afl/src/events/mod.rs
@@ -1,6 +1,3 @@
-pub mod llmp;
-pub mod shmem;
-
 use alloc::{
 string::{String, ToString},
 vec::Vec,
@@ -11,22 +8,20 @@ use core::{
 };
 use serde::{Deserialize, Serialize};
-use self::{
- llmp::{LlmpClient, LlmpClientDescription, Tag},
- shmem::ShMem,
-};
+#[cfg(feature = "std")]
+use crate::shmem::AflShmem;
 use crate::{
 corpus::Corpus,
 engines::State,
 feedbacks::FeedbacksTuple,
 inputs::Input,
+ llmp::{self, LlmpClient, LlmpClientDescription, Tag},
 observers::ObserversTuple,
 serde_anymap::Ptr,
+ shmem::ShMem,
 utils::{current_time, Rand},
 AflError,
 };
-#[cfg(feature = "std")]
-use shmem::AflShmem;
 #[derive(Debug, Copy, Clone)]
 /// Indicate if an event worked or not
@@ -662,10 +657,12 @@ where
 Ok(BrokerEventResult::Handled)
 }
 LLMPEventKind::Crash { input: _ } => {
+ #[cfg(feature = "std")]
 println!("LLMPEvent::Crash");
 Ok(BrokerEventResult::Handled)
 }
 LLMPEventKind::Timeout { input: _ } => {
+ #[cfg(feature = "std")]
 println!("LLMPEvent::Timeout");
 Ok(BrokerEventResult::Handled)
 }
diff --git a/afl/src/inputs/bytes.rs b/afl/src/inputs/bytes.rs
index f2e5d8829e..308ff26e59 100644
--- a/afl/src/inputs/bytes.rs
+++ b/afl/src/inputs/bytes.rs
@@ -59,7 +59,7 @@ impl BytesInput {
 #[cfg(test)]
 mod tests {
- use crate::utils::{next_pow2, Rand, StdRand};
+ use crate::utils::{Rand, StdRand};
 #[test]
 fn test_input() {
@@ -70,13 +70,4 @@ mod tests {
 assert_eq!(rand.between(10, 10), 10);
 assert!(rand.between(11, 20) > 10);
 }
-
- #[test]
- fn test_next_pow2() {
- assert_eq!(next_pow2(0), 0);
- assert_eq!(next_pow2(1), 1);
- assert_eq!(next_pow2(2), 2);
- assert_eq!(next_pow2(3), 4);
- assert_eq!(next_pow2(1000), 1024);
- }
 }
diff --git a/afl/src/lib.rs b/afl/src/lib.rs
index 92a4c2b6fe..0b501a5bef 100644
--- a/afl/src/lib.rs
+++ b/afl/src/lib.rs
@@ -16,10 +16,12 @@ pub mod executors;
 pub mod feedbacks;
 pub mod generators;
 pub mod inputs;
+pub mod llmp;
 pub mod metamap;
 pub mod mutators;
 pub mod observers;
 pub mod serde_anymap;
+pub mod shmem;
 pub mod stages;
 pub mod tuples;
 pub mod utils;
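Review bot: Gating the `println!` on `std` in the `LLMPEventKind::Crash` and `LLMPEventKind::Timeout` arms leaves both arms as silent no-ops in a `no_std` build: the input is already discarded by `input: _`, the log line was the only remaining effect, and the broker still answers `Ok(BrokerEventResult::Handled)`. Crashes and timeouts are the findings a fuzzer exists to surface, so a path that acknowledges them without leaving any trace should at least say so; a comment such as `// TODO: without std, Crash/Timeout are acknowledged but neither logged nor persisted` above the first gated `println!` would make the gap visible. Whether the sending client keeps the input on its own side is not visible in this hunk. The enclosing `match` and its function start and end outside the hunk.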
diff --git a/afl/src/events/llmp.rs b/afl/src/llmp.rs
similarity index 99%
rename from afl/src/events/llmp.rs
rename to afl/src/llmp.rs
index 43446acec1..429e9a9a0c 100644
--- a/afl/src/events/llmp.rs
+++ b/afl/src/llmp.rs
@@ -67,7 +67,6 @@ use std::{
 };
 use super::shmem::{ShMem, ShMemDescription};
-use crate::utils::next_pow2;
 use crate::AflError;
 /// We'll start off with 256 megabyte maps per fuzzer client
@@ -155,10 +154,11 @@ fn msg_offset_from_env(env_name: &str) -> Result, AflError> {
 /// largest messages we encountered (plus message one new_page message).
 #[inline]
 fn new_map_size(max_alloc: usize) -> usize {
- next_pow2(max(
 max_alloc * 2 + EOP_MSG_SIZE + LLMP_PAGE_HEADER_LEN,
 LLMP_PREF_INITIAL_MAP_SIZE,
- ) as u64) as usize
+ )
+ .next_power_of_two()
 }
 /// Initialize a new llmp_page. size should be relative to
@@ -1609,7 +1609,7 @@ mod tests {
 Tag,
 };
 #[cfg(feature = "std")]
- use crate::events::shmem::AflShmem;
+ use crate::shmem::AflShmem;
 #[cfg(feature = "std")]
 #[test]
diff --git a/afl/src/mutators/scheduled.rs b/afl/src/mutators/scheduled.rs
index 787adc8fba..08b2eb930a 100644
--- a/afl/src/mutators/scheduled.rs
+++ b/afl/src/mutators/scheduled.rs
@@ -326,7 +326,7 @@ mod tests {
 let mut input = testcase.borrow_mut().load_input().unwrap().clone();
 rand.set_seed(5);
- let mut mutator = StdScheduledMutator::new();
+ let mut mutator = StdScheduledMutator::, _, _>::new();
 mutation_splice(&mut mutator, &mut rand, &mut corpus, &mut input).unwrap();
diff --git a/afl/src/events/shmem.rs b/afl/src/shmem.rs
similarity index 100%
rename from afl/src/events/shmem.rs
rename to afl/src/shmem.rs
diff --git a/afl/src/utils.rs b/afl/src/utils.rs
index 35d5d09fda..3fe482abe1 100644
--- a/afl/src/utils.rs
+++ b/afl/src/utils.rs
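Review bot: `usize::next_power_of_two()` in `new_map_size` panics in debug builds and wraps to 0 in release builds when the result does not fit in `usize`, and the `max_alloc * 2 + EOP_MSG_SIZE + LLMP_PAGE_HEADER_LEN` expression feeding it can overflow the same way for a very large `max_alloc`, so a map size of 0 would surface as a failure somewhere later in page setup rather than at the point where the bad size is computed. Prefer `max_alloc.checked_mul(2).and_then(|v| v.checked_add(EOP_MSG_SIZE + LLMP_PAGE_HEADER_LEN))` together with `.checked_next_power_of_two()`, returning `Result<usize, AflError>` on `None` (the callers are outside this hunk), or document the bound on `max_alloc` that rules the overflow out. As rendered here the added `max(` line that opens the new call appears to be missing from the hunk, so the body shown is not the complete new function. In the first hunk `use super::shmem::…` still resolves after the move to the crate root, but `crate::shmem` would state the new location plainly.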
@@ -11,9 +11,10 @@ use std::time::{SystemTime, UNIX_EPOCH};
 use crate::{
 corpus::Corpus,
 engines::State,
- events::{shmem::ShMem, LlmpEventManager, Stats},
+ events::{LlmpEventManager, Stats},
 feedbacks::FeedbacksTuple,
 inputs::Input,
+ shmem::ShMem,
 AflError,
 };
@@ -452,23 +453,11 @@ impl XKCDRand {
 }
 }
-/// Get the next higher power of two
-#[inline]
-pub const fn next_pow2(val: u64) -> u64 {
- let mut out = val.wrapping_sub(1);
- out |= out >> 1;
- out |= out >> 2;
- out |= out >> 4;
- out |= out >> 8;
- out |= out >> 16;
- out.wrapping_add(1)
-}
-
 #[cfg(test)]
 mod tests {
 //use xxhash_rust::xxh3::xxh3_64_with_seed;
- use crate::utils::{next_pow2, Rand, StdRand};
+ use crate::utils::{Rand, StdRand};
 #[test]
 fn test_rand() {
@@ -492,14 +481,4 @@ mod tests {
 assert_eq!(rand.between(10, 10), 10);
 assert!(rand.between(11, 20) > 10);
 }
-
- #[test]
- fn test_next_pow2() {
- assert_eq!(next_pow2(0), 0);
- assert_eq!(next_pow2(1), 1);
- assert_eq!(next_pow2(2), 2);
- assert_eq!(next_pow2(3), 4);
- assert_eq!(next_pow2(1000), 1024);
- assert_eq!(next_pow2(0xFFFFFFFF as u64), (0xFFFFFFFF as u64) + 1);
- }
 }
diff --git a/fuzzers/libfuzzer_libpng/harness.cc b/fuzzers/libfuzzer_libpng/harness.cc
index f8d9f40124..a615f70a43 100644
--- a/fuzzers/libfuzzer_libpng/harness.cc
+++ b/fuzzers/libfuzzer_libpng/harness.cc
@@ -154,12 +154,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 return 0;
 }
+#ifdef HAS_BUG
 // This is going to be too slow.
 if (width && height > 100000000 / width) {
 PNG_CLEANUP
 asm("ud2");
 return 0;
 }
+#endif
 // Set several transforms that browsers typically use:
 png_set_gray_to_rgb(png_handler.png_ptr);
diff --git a/fuzzers/libfuzzer_libpng/src/mod.rs b/fuzzers/libfuzzer_libpng/src/mod.rs
index de48bcb1ee..58c1ee55cf 100644
--- a/fuzzers/libfuzzer_libpng/src/mod.rs
+++ b/fuzzers/libfuzzer_libpng/src/mod.rs
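Review bot: Wrapping the whole size check in `#ifdef HAS_BUG` also removes the `return 0;` that the `// This is going to be too slow.` comment exists for, so in a build without `HAS_BUG` an image whose `width * height` exceeds the bound is now decoded in full instead of being rejected, which turns a fast reject into a likely timeout inside `LLVMFuzzerTestOneInput`. If the intent is only to inject a deliberate crash, gate just the `asm("ud2");` line: keep the `if`, `PNG_CLEANUP` and `return 0;` unconditional and place `#ifdef HAS_BUG` / `#endif` around the `asm` statement alone. If decoding oversized images without the guard is intended (for instance to exercise timeout detection), a comment saying so would save the next reader the question. The enclosing function starts and ends outside the hunk.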
@@ -7,18 +7,15 @@ use std::{env, path::PathBuf, process::Command};
 use afl::{
 corpus::{Corpus, InMemoryCorpus},
 engines::{Engine, Fuzzer, State, StdFuzzer},
- events::{
- llmp::LlmpReceiver,
- llmp::LlmpSender,
- shmem::{AflShmem, ShMem},
- EventManager, LlmpEventManager, SimpleStats,
- },
+ events::{EventManager, LlmpEventManager, SimpleStats},
 executors::{inmemory::InMemoryExecutor, Executor, ExitKind},
 feedbacks::MaxMapFeedback,
 generators::RandPrintablesGenerator,
 inputs::{BytesInput, Input},
+ llmp::{LlmpSender, LlmpReceiver},
 mutators::{scheduled::HavocBytesMutator, HasMaxSize},
 observers::StdMapObserver,
+ shmem::{AflShmem, ShMem},
 stages::mutational::StdMutationalStage,
 tuples::tuple_list,
 utils::{deserialize_state_corpus_mgr, serialize_state_corpus_mgr, StdRand},