Moved fuzzer to examples

2021-02-26 08:35:18 +01:00 · 2021-02-26 08:35:18 +01:00 · d48524168a
commit d48524168a
parent 691c9d4bf6
8 changed files with 76 additions and 26 deletions
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@ -11,31 +11,37 @@ jobs:
    steps:
    - uses: actions/checkout@v2
    - name: Build
-      run: cd libafl && cargo build --verbose
-  build-all:
+      run: cargo build --verbose
+  all-features-build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Build
-      run: cd libafl &&cargo build --no-default-features --features runtime --features std --features anymapdbg --verbose
+      run: cargo build --all-features --verbose
  test:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Test
-      run: cd libafl && cargo test --verbose
-  build-no-std:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: Build
-      run: cd libafl && cargo build --no-default-features --verbose
-  test-no-std:
+      run: cargo test --verbose
+  examples-build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Test
-      run: cd libafl && cargo test --no-default-features --verbose
+      run: cargo build --examples --verbose
+  no-std-build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Build
+      run: cargo build --no-default-features --verbose
+  no-std-test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Test
+      run: cargo test --no-default-features --verbose
  docs:
    runs-on: ubuntu-latest
    steps:
--- a/Cargo.toml
+++ b/Cargo.toml
@ -0,0 +1,14 @@
+
+[profile.release]
+lto = true
+codegen-units = 1
+opt-level = 3
+debug = true
+
+[workspace]
+members = [
+    "libafl",
+
+    #example fuzzers
+    "fuzzers/libfuzzer_libpng",
+]
--- a/README.md
+++ b/README.md
@ -12,6 +12,7 @@ It is released as Free and Open Source Software under the GNU Lesser General Pub

 We collect example fuzzers in `./fuzzers`.
 The best-tested fuzzer is `./fuzzers/libfuzzer_libpng`, a clone of libfuzzer using libafl for a libpng harness.
+See its readme (here)[./fuzzers/libfuzzer_libpng/README.md].

 If you want to get a quick overview, run `cargo doc`.
 Feel free to open issues or contact us directly. Thank you for your support. <3
--- a/fuzzers/libfuzzer_libpng/Cargo.toml
+++ b/fuzzers/libfuzzer_libpng/Cargo.toml
@ -11,11 +11,11 @@ build = "build.rs"
 default = ["std"]
 std = []

-[profile.release]
-lto = true
-codegen-units = 1
-opt-level = 3
-debug = true
+#[profile.release]
+#lto = true
+#codegen-units = 1
+#opt-level = 3
+#debug = true

 [build-dependencies]
 cc = { version = "1.0", features = ["parallel"] }
@ -24,8 +24,8 @@ num_cpus = "1.0"
 [dependencies]
 libafl = { path = "../../libafl/" }

-[[bin]]
+[[example]]
 name = "libfuzzer_libpng"
-path = "./src/mod.rs"
+path = "./src/fuzzer.rs"
 test = false
 bench = false
--- a/fuzzers/libfuzzer_libpng/README.md
+++ b/fuzzers/libfuzzer_libpng/README.md
@ -0,0 +1,22 @@
+# Libfuzzer for libpng
+
+This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.
+It has been tested on Linux.
+
+## Build
+
+To build this example, run `cargo build --example libfuzzer_libpng --release`.
+This will call (the build.rs)[./builld.rs], which in turn downloads a libpng archive from the web.
+Then, it will link (the fuzzer)[./src/fuzzer.rs] against (the c++ harness)[./harness.cc] and the instrumented `libpng`.
+Afterwards, the fuzzer will be ready to run, from `../../target/examples/libfuzzer_libpng`.
+
+## Run
+
+The first time you run the binary, the broker will open a tcp port (currently on port `1337`), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel.
+
+Each following execution will run a fuzzer client.
+As this example uses in-process fuzzing, we added a Restarting Event Manager (`setup_restarting_mgr`).
+This means each client will start itself again to listen for crashes and timeouts.
+By restarting the actual fuzzer, it can recover from these exit conditions.
+
+For convenience, you may just run `./test.sh` in this folder.
--- a/fuzzers/libfuzzer_libpng/src/fuzzer.rs
+++ b/fuzzers/libfuzzer_libpng/src/fuzzer.rs
--- a/fuzzers/libfuzzer_libpng/test.sh
+++ b/fuzzers/libfuzzer_libpng/test.sh
@ -2,9 +2,16 @@

 mkdir -p ./crashes

-cargo build --release || exit 1
-cp ../../target/release/libfuzzer ./.libfuzzer_test.elf
+cargo build --example libfuzzer_libpng --release || exit 1
+cp ../../target/release/examples/libfuzzer_libpng ./.libfuzzer_test.elf

-RUST_BACKTRACE=full ./.libfuzzer_test.elf
+# The broker
+RUST_BACKTRACE=full ./.libfuzzer_test.elf &
+# Give the broker time to spawn
+sleep 2
+echo "Spawning client"
+# The 1st fuzzer client
+RUST_BACKTRACE=full ./.libfuzzer_test.elf 2>/dev/null

+killall .libfuzzer_test.elf
 rm -rf ./.libfuzzer_test.elf
--- a/libafl/Cargo.toml
+++ b/libafl/Cargo.toml
@ -24,10 +24,10 @@ harness = false
 name = "hash_speeds"
 harness = false

-[profile.release]
-lto = true
-opt-level = 3
-debug = true
+#[profile.release]
+#lto = true
+#opt-level = 3
+#debug = true

 [features]
 default = ["std", "anymapdbg"]