SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make cmp_extend_encoding panic-less (#1857)

Browse Source 
* Add a panic check for aflpp

* aa

---------

Co-authored-by: novafacing <rowanbhart@gmail.com>
This commit is contained in:
Dongjia "toka" Zhang 2024-02-14 11:46:09 +01:00 committed by GitHub
parent c837d0df7a
commit db88412738
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 47 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
libafl/src/mutators/token_mutations.rs
View File

@ -661,7 +661,7 @@ impl AFLppRedQueen {
input_len: usize, input_len: usize,
hshape: usize, hshape: usize,
vec: &mut Vec<Vec<u8>>, vec: &mut Vec<Vec<u8>>,
) -> bool { ) -> Result<bool, Error> {
// TODO: ascii2num (we need check q->is_ascii (in calibration stage(?))) // TODO: ascii2num (we need check q->is_ascii (in calibration stage(?)))
// try Transform // try Transform
@ -679,7 +679,7 @@ impl AFLppRedQueen {
_ => 8, _ => 8,
}; };
// prevent overflow // prevent overflow
bytes = core::cmp::min(bytes, input_len - buf_idx); bytes = core::cmp::min(bytes, input_len.wrapping_sub(buf_idx));
let (b_val, o_b_val, mask): (u64, u64, u64) = match bytes { let (b_val, o_b_val, mask): (u64, u64, u64) = match bytes {
0 => { 0 => {
@ -735,9 +735,9 @@ impl AFLppRedQueen {
input_len, input_len,
hshape, hshape,
vec, vec,
); )?;
if ret { if ret {
return true; return Ok(true);
} }
} }
@ -762,10 +762,10 @@ impl AFLppRedQueen {
input_len, input_len,
hshape, hshape,
vec, vec,
); )?;
if ret { if ret {
return true; return Ok(true);
} }
} }
@ -790,10 +790,10 @@ impl AFLppRedQueen {
input_len, input_len,
hshape, hshape,
vec, vec,
); )?;
if ret { if ret {
return true; return Ok(true);
} }
} }
@ -818,15 +818,15 @@ impl AFLppRedQueen {
input_len, input_len,
hshape, hshape,
vec, vec,
); )?;
if ret { if ret {
return true; return Ok(true);
} }
} }
} }
let its_len = core::cmp::min(input_len - buf_idx, taint_len); let its_len = core::cmp::min(input_len.wrapping_sub(buf_idx), taint_len);
// Try pattern matching // Try pattern matching
// println!("Pattern match"); // println!("Pattern match");
@ -840,29 +840,29 @@ impl AFLppRedQueen {
let mut cloned = buf.to_vec(); let mut cloned = buf.to_vec();
cloned[buf_idx] = repl as u8; cloned[buf_idx] = repl as u8;
vec.push(cloned); vec.push(cloned);
return true; return Ok(true);
} }
} }
2 | 3 => { 2 | 3 => {
if its_len >= 2 { if its_len >= 2 {
let buf_16 = u16::from_be_bytes(buf[buf_idx..buf_idx + 2].try_into().unwrap()); let buf_16 = u16::from_be_bytes(buf[buf_idx..buf_idx + 2].try_into()?);
let another_buf_16 = let another_buf_16 =
u16::from_be_bytes(another_buf[buf_idx..buf_idx + 2].try_into().unwrap()); u16::from_be_bytes(another_buf[buf_idx..buf_idx + 2].try_into()?);
if buf_16 == pattern as u16 && another_buf_16 == another_pattern as u16 { if buf_16 == pattern as u16 && another_buf_16 == another_pattern as u16 {
let mut cloned = buf.to_vec(); let mut cloned = buf.to_vec();
cloned[buf_idx + 1] = (repl & 0xff) as u8; cloned[buf_idx + 1] = (repl & 0xff) as u8;
cloned[buf_idx] = (repl >> 8 & 0xff) as u8; cloned[buf_idx] = (repl >> 8 & 0xff) as u8;
vec.push(cloned); vec.push(cloned);
return true; return Ok(true);
} }
} }
} }
4..=7 => { 4..=7 => {
if its_len >= 4 { if its_len >= 4 {
let buf_32 = u32::from_be_bytes(buf[buf_idx..buf_idx + 4].try_into().unwrap()); let buf_32 = u32::from_be_bytes(buf[buf_idx..buf_idx + 4].try_into()?);
let another_buf_32 = let another_buf_32 =
u32::from_be_bytes(another_buf[buf_idx..buf_idx + 4].try_into().unwrap()); u32::from_be_bytes(another_buf[buf_idx..buf_idx + 4].try_into()?);
// println!("buf: {buf_32} {another_buf_32} {pattern} {another_pattern}"); // println!("buf: {buf_32} {another_buf_32} {pattern} {another_pattern}");
if buf_32 == pattern as u32 && another_buf_32 == another_pattern as u32 { if buf_32 == pattern as u32 && another_buf_32 == another_pattern as u32 {
let mut cloned = buf.to_vec(); let mut cloned = buf.to_vec();
@ -872,15 +872,15 @@ impl AFLppRedQueen {
cloned[buf_idx] = (repl >> 24 & 0xff) as u8; cloned[buf_idx] = (repl >> 24 & 0xff) as u8;
vec.push(cloned); vec.push(cloned);
return true; return Ok(true);
} }
} }
} }
_ => { _ => {
if its_len >= 8 { if its_len >= 8 {
let buf_64 = u64::from_be_bytes(buf[buf_idx..buf_idx + 8].try_into().unwrap()); let buf_64 = u64::from_be_bytes(buf[buf_idx..buf_idx + 8].try_into()?);
let another_buf_64 = let another_buf_64 =
u64::from_be_bytes(another_buf[buf_idx..buf_idx + 8].try_into().unwrap()); u64::from_be_bytes(another_buf[buf_idx..buf_idx + 8].try_into()?);
if buf_64 == pattern && another_buf_64 == another_pattern { if buf_64 == pattern && another_buf_64 == another_pattern {
let mut cloned = buf.to_vec(); let mut cloned = buf.to_vec();
@ -895,7 +895,7 @@ impl AFLppRedQueen {
cloned[buf_idx] = (repl >> 48 & 0xff) as u8; cloned[buf_idx] = (repl >> 48 & 0xff) as u8;
vec.push(cloned); vec.push(cloned);
return true; return Ok(true);
} }
} }
} }
@ -904,7 +904,7 @@ impl AFLppRedQueen {
// Try arith // Try arith
if self.enable_arith || attr != CMP_ATTRIBUTE_IS_TRANSFORM { if self.enable_arith || attr != CMP_ATTRIBUTE_IS_TRANSFORM {
if (attr & (CMP_ATTRIBUTE_IS_GREATER | CMP_ATTRIBUTE_IS_LESSER)) == 0 || hshape < 4 { if (attr & (CMP_ATTRIBUTE_IS_GREATER | CMP_ATTRIBUTE_IS_LESSER)) == 0 || hshape < 4 {
return false; return Ok(false);
} }
// Transform >= to < and <= to > // Transform >= to < and <= to >
@ -934,7 +934,7 @@ impl AFLppRedQueen {
g += 1.0; g += 1.0;
repl_new = g as u64; repl_new = g as u64;
} else { } else {
return false; return Ok(false);
} }
let ret = self.cmp_extend_encoding( let ret = self.cmp_extend_encoding(
@ -950,9 +950,9 @@ impl AFLppRedQueen {
input_len, input_len,
hshape, hshape,
vec, vec,
); )?;
if ret { if ret {
return true; return Ok(true);
} }
} else { } else {
if hshape == 4 && its_len >= 4 { if hshape == 4 && its_len >= 4 {
@ -964,7 +964,7 @@ impl AFLppRedQueen {
g -= 1.0; g -= 1.0;
repl_new = g as u64; repl_new = g as u64;
} else { } else {
return false; return Ok(false);
} }
let ret = self.cmp_extend_encoding( let ret = self.cmp_extend_encoding(
@ -980,9 +980,9 @@ impl AFLppRedQueen {
input_len, input_len,
hshape, hshape,
vec, vec,
); )?;
if ret { if ret {
return true; return Ok(true);
} }
} }
} else if attr < CMP_ATTRIBUTE_IS_FP { } else if attr < CMP_ATTRIBUTE_IS_FP {
@ -1002,10 +1002,10 @@ impl AFLppRedQueen {
input_len, input_len,
hshape, hshape,
vec, vec,
); )?;
if ret { if ret {
return true; return Ok(true);
} }
} else { } else {
let repl_new = repl.wrapping_sub(1); let repl_new = repl.wrapping_sub(1);
@ -1023,18 +1023,18 @@ impl AFLppRedQueen {
input_len, input_len,
hshape, hshape,
vec, vec,
); )?;
if ret { if ret {
return true; return Ok(true);
} }
} }
} else { } else {
return false; return Ok(false);
} }
} }
false Ok(false)
} }
/// rtn part from AFL++ /// rtn part from AFL++
@ -1057,7 +1057,7 @@ impl AFLppRedQueen {
let ol0 = o_pattern.len(); let ol0 = o_pattern.len();
let lmax = core::cmp::max(l0, ol0); let lmax = core::cmp::max(l0, ol0);
let its_len = core::cmp::min( let its_len = core::cmp::min(
core::cmp::min(input_len - buf_idx, taint_len), core::cmp::min(input_len.wrapping_sub(buf_idx), taint_len),
core::cmp::min(lmax, hshape), core::cmp::min(lmax, hshape),
); );
@ -1315,7 +1315,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
// Swapped // Swapped
// Compare v0 against v1 // Compare v0 against v1
@ -1332,7 +1332,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
} }
if new_v1 != orig_v1 && orig_v0 != orig_v1 { if new_v1 != orig_v1 && orig_v0 != orig_v1 {
@ -1350,7 +1350,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
// Swapped // Swapped
self.cmp_extend_encoding( self.cmp_extend_encoding(
@ -1366,7 +1366,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
} }
/* /*
@ -1404,7 +1404,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
// swapped // swapped
// Compare v0 against v1 // Compare v0 against v1
@ -1421,7 +1421,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
} }
if new_v1 != orig_v1 && orig_v0 != orig_v1 { if new_v1 != orig_v1 && orig_v0 != orig_v1 {
@ -1439,7 +1439,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
// Swapped // Swapped
// Compare v1 against v0 // Compare v1 against v0
@ -1456,7 +1456,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
} }
if !cmp_found { if !cmp_found {
@ -1497,7 +1497,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
// Swapped // Swapped
// Compare v0 against v1 // Compare v0 against v1
@ -1514,7 +1514,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
} }
if new_v1 != orig_v1 && orig_v0 != orig_v1 { if new_v1 != orig_v1 && orig_v0 != orig_v1 {
@ -1532,7 +1532,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
// Swapped // Swapped
// Compare v1 against v0 // Compare v1 against v0
@ -1549,7 +1549,7 @@ where
input_len, input_len,
hshape, hshape,
&mut ret, &mut ret,
); )?;
} }
if !cmp_found { if !cmp_found {
@ -1894,7 +1894,6 @@ token2="B"
#[cfg(feature = "std")] #[cfg(feature = "std")]
#[test] #[test]
#[cfg_attr(feature = "panic_checks", no_panic::no_panic)]
fn test_token_mutations() { fn test_token_mutations() {
let rq = AFLppRedQueen::with_cmplog_options(true, true); let rq = AFLppRedQueen::with_cmplog_options(true, true);
let pattern = 0; let pattern = 0;