Merge branch 'main' of github.com:AFLplusplus/LibAFLrs into main

2021-01-13 21:37:50 +01:00 · 2021-01-13 21:37:50 +01:00 · d2ddef2823
commit d2ddef2823
parent 50ec648a82 e2be16607e
5 changed files with 39 additions and 12 deletions
--- a/afl/src/events/mod.rs
+++ b/afl/src/events/mod.rs
@ -17,13 +17,13 @@ use self::{
 };
 use crate::{
    corpus::Corpus,
+    engines::State,
    feedbacks::FeedbacksTuple,
    inputs::Input,
    observers::ObserversTuple,
    serde_anymap::Ptr,
-    utils::Rand,
+    utils::{current_time, Rand},
    AflError,
-    {engines::State, utils},
 };
 #[cfg(feature = "std")]
 use shmem::AflShmem;
@ -104,7 +104,7 @@ pub trait Stats {
    /// Executions per second
    #[inline]
    fn execs_per_sec(&mut self) -> u64 {
-        let cur_time = utils::current_time();
+        let cur_time = current_time();
        self.client_stats()
            .iter()
            .fold(0u64, |acc, x| acc + x.execs_per_sec(cur_time))
@ -115,7 +115,7 @@ pub trait Stats {
        let client_stat_count = self.client_stats().len();
        for _ in client_stat_count..(client_id + 1) as usize {
            self.client_stats_mut().push(ClientStats {
-                last_window_time: utils::current_time(),
+                last_window_time: current_time(),
                ..Default::default()
            })
        }
@ -173,7 +173,7 @@ where
    pub fn new(print_fn: F) -> Self {
        Self {
            print_fn: print_fn,
-            start_time: utils::current_time(),
+            start_time: current_time(),
            corpus_size: 0,
            client_stats: vec![],
        }
--- a/afl/src/executors/inmemory.rs
+++ b/afl/src/executors/inmemory.rs
@ -265,7 +265,19 @@ pub mod unix_signals {
            );
        }

-        // TODO: send LLMP.
+        /* TODO: If we want to be on the safe side, we really need to do this:
+        match manager.llmp {
+            IsClient { client } => {
+                let map = client.out_maps.last().unwrap();
+                /// wait until we can drop the message safely.
+                map.await_save_to_unmap_blocking();
+                /// Make sure all pages are unmapped.
+                drop(manager);
+            }
+            _ => (),
+        }
+        */
+
        println!("Timeout in fuzz run.");
        let _ = stdout().flush();
        process::abort();
--- a/afl/src/feedbacks/mod.rs
+++ b/afl/src/feedbacks/mod.rs
@ -225,7 +225,13 @@ where

 impl<T, R, O, I> Feedback<I> for MapFeedback<T, R, O>
 where
-    T: Integer + Default + Copy + 'static + serde::Serialize + serde::de::DeserializeOwned,
+    T: Integer
+        + Default
+        + Copy
+        + 'static
+        + serde::Serialize
+        + serde::de::DeserializeOwned
+        + core::fmt::Debug,
    R: Reducer<T>,
    O: MapObserver<T>,
    I: Input,
@ -239,6 +245,7 @@ where
        // TODO optimize
        let observer = observers.match_name_type::<O>(&self.name).unwrap();
        let size = observer.usable_count();
+        //println!("count: {:?}, map: {:?}, history: {:?}", size, observer.map(), &self.history_map);
        for i in 0..size {
            let history = self.history_map[i];
            let item = observer.map()[i];
@ -249,6 +256,9 @@ where
            }
        }

+        //println!("..interesting: {:?}, new_history: {:?}\n", interesting, &self.history_map);
+        //std::thread::sleep(std::time::Duration::from_millis(100));
+
        Ok(interesting)
    }
 }
--- a/fuzzers/libfuzzer_libpng/build.rs
+++ b/fuzzers/libfuzzer_libpng/build.rs
@ -20,6 +20,10 @@ fn main() {
    let libpng_path = Path::new(&libpng);
    let libpng_tar = format!("{}/libpng-1.6.37.tar.xz", &cwd);

+    // Enforce clang for its -fsanitize-coverage support.
+    std::env::set_var("CC", "clang");
+    std::env::set_var("CXX", "clang++");
+
    if !libpng_path.is_dir() {
        if !Path::new(&libpng_tar).is_file() {
            println!("cargo:warning=Libpng not found, downloading...");
@ -84,13 +88,10 @@ fn main() {
            .unwrap();
    }

-    std::env::set_var("CC", "clang");
-    std::env::set_var("CXX", "clang++");
-
    cc::Build::new()
        .file("../libfuzzer_runtime/rt.c")
        .compile("libfuzzer-sys");
-    
+
    cc::Build::new()
        .include(&libpng_path)
        .flag("-fsanitize-coverage=trace-pc-guard")
--- a/fuzzers/libfuzzer_libpng/src/mod.rs
+++ b/fuzzers/libfuzzer_libpng/src/mod.rs
@ -181,6 +181,7 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), AflError> {
    // If we're restarting, deserialize the old state.
    let (mut state, mut corpus, mut mgr) = match receiver.recv_buf()? {
        None => {
+            println!("First run. Let's set it all up");
            // Mgr to send and receive msgs from/to all other fuzzer instances
            mgr = LlmpEventManager::<BytesInput, _, _>::existing_client_from_env_std(
                ENV_FUZZER_BROKER_CLIENT_INITIAL,
@ -194,7 +195,10 @@ fn fuzz(input: Option<Vec<PathBuf>>, broker_port: u16) -> Result<(), AflError> {
            (state, corpus, mgr)
        }
        // Restoring from a previous run, deserialize state and corpus.
-        Some((_sender, _tag, msg)) => deserialize_state_corpus_mgr(&msg, stats)?,
+        Some((_sender, _tag, msg)) => {
+            println!("Subsequent run. Let's load all data from shmem (received {} bytes from previous instance)", msg.len());
+            deserialize_state_corpus_mgr(&msg, stats)?
+        }
    };
    // We reset the sender, the next sender and receiver (after crash) will reuse the page from the initial message.
    unsafe { sender.reset_last_page() };