Fix EdgeCoverageModuleBuilder (#2931)

Dongjia "toka" Zhang 2025-02-04 14:34:11 +01:00 committed by GitHub
parent a27da1b8be
commit defb475d28
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 12 additions and 4 deletions


@ -90,7 +90,7 @@ windows_alias = "unsupported"
script_runner = "@shell" script_runner = "@shell"
script = ''' script = '''
timeout 15s ${TARGET_DIR}/${PROFILE_DIR}/fuzzbench_fork_qemu ${PROJECT_DIR}/harness -- --libafl-in ${PROJECT_DIR}/../../inprocess/libfuzzer_libpng/corpus --libafl-out ${PROJECT_DIR}/out ${PROJECT_DIR}/harness | tee fuzz_stdout.log timeout 15s ${TARGET_DIR}/${PROFILE_DIR}/fuzzbench_fork_qemu ${PROJECT_DIR}/harness -- --libafl-in ${PROJECT_DIR}/../../inprocess/libfuzzer_libpng/corpus --libafl-out ${PROJECT_DIR}/out ${PROJECT_DIR}/harness | tee fuzz_stdout.log
if grep -qa "objectives: 1" fuzz_stdout.log; then if grep -qa "corpus: 5" fuzz_stdout.log; then
echo "Fuzzer is working" echo "Fuzzer is working"
else else
echo "Fuzzer does not generate any testcases or any crashes" echo "Fuzzer does not generate any testcases or any crashes"
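Review bot: The new success check `grep -qa "corpus: 5"` is a plain substring match, so it also accepts "corpus: 50" or "corpus: 512" while rejecting "corpus: 4" or "corpus: 6", which presumably still mean the fuzzer produced test cases; pinning the run to one exact count ties the task to how many inputs 15 s of fuzzing happens to yield on the CI machine. If the intent is "the corpus grew past the seeds", a pattern that states the threshold, e.g. `grep -qaE "corpus: ([5-9]|[1-9][0-9]+)"`, is clearer and less timing-sensitive. Whether the `else` branch actually fails the task (non-zero exit) cannot be confirmed here because the rest of the script lies outside the section.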


@ -56,7 +56,7 @@ use libafl_qemu::{
Emulator, GuestReg, MmapPerms, QemuExitError, QemuExitReason, QemuForkExecutor, Emulator, GuestReg, MmapPerms, QemuExitError, QemuExitReason, QemuForkExecutor,
QemuShutdownCause, Regs, QemuShutdownCause, Regs,
}; };
use libafl_targets::{EDGES_MAP_DEFAULT_SIZE, EDGES_MAP_PTR}; use libafl_targets::EDGES_MAP_DEFAULT_SIZE;
#[cfg(unix)] #[cfg(unix)]
use nix::unistd::dup; use nix::unistd::dup;
@ -155,7 +155,6 @@ fn fuzz(
let mut edges_shmem = shmem_provider.new_shmem(EDGES_MAP_DEFAULT_SIZE).unwrap(); let mut edges_shmem = shmem_provider.new_shmem(EDGES_MAP_DEFAULT_SIZE).unwrap();
let edges = edges_shmem.as_slice_mut(); let edges = edges_shmem.as_slice_mut();
unsafe { EDGES_MAP_PTR = edges.as_mut_ptr() };
// Create an observation channel using the coverage map // Create an observation channel using the coverage map
let mut edges_observer = unsafe { let mut edges_observer = unsafe {
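Review bot: With the `EDGES_MAP_PTR` assignment removed, nothing left in this hunk says how the QEMU edge hooks reach the memory in `edges_shmem`; from the builder change in this same commit it appears `const_map_observer` stores a raw pointer to the observer's map in a static, so the shared memory allocated here must stay alive and unmoved for as long as the emulator runs. A comment on the `edges_shmem` line would record that invariant, e.g. `// Backing memory for the edge map; the QEMU edge module keeps a raw pointer into it (installed by const_map_observer), so it must outlive the emulator`. The enclosing `fuzz` function starts and ends outside the hunk, and the hunk itself is shown truncated (the header announces 7 old lines, 5 are visible), so the observer construction that follows is not reviewable here.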


@ -194,11 +194,20 @@ impl<AF, PF, V, const IS_INITIALIZED: bool, const IS_CONST_MAP: bool, const MAP_
#[must_use] #[must_use]
pub fn const_map_observer<O, const NEW_MAP_SIZE: usize>( pub fn const_map_observer<O, const NEW_MAP_SIZE: usize>(
self, self,
_const_map_observer: &mut O, map_observer: &mut O,
) -> EdgeCoverageModuleBuilder<AF, PF, V, true, true, NEW_MAP_SIZE> ) -> EdgeCoverageModuleBuilder<AF, PF, V, true, true, NEW_MAP_SIZE>
where where
O: ConstLenMapObserver<NEW_MAP_SIZE>, O: ConstLenMapObserver<NEW_MAP_SIZE>,
{ {
let map_ptr = map_observer.map_slice_mut().as_mut_ptr() as *mut u8;
unsafe {
LIBAFL_QEMU_EDGES_MAP_PTR = map_ptr;
// LIBAFL_QEMU_EDGES_MAP_SIZE_PTR = size_ptr; do i need this ?
LIBAFL_QEMU_EDGES_MAP_ALLOCATED_SIZE = NEW_MAP_SIZE;
LIBAFL_QEMU_EDGES_MAP_MASK_MAX = NEW_MAP_SIZE - 1;
}
EdgeCoverageModuleBuilder::<AF, PF, V, true, true, NEW_MAP_SIZE>::new( EdgeCoverageModuleBuilder::<AF, PF, V, true, true, NEW_MAP_SIZE>::new(
self.variant, self.variant,
self.address_filter, self.address_filter,
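Review bot: `LIBAFL_QEMU_EDGES_MAP_MASK_MAX = NEW_MAP_SIZE - 1` is only a valid mask when `NEW_MAP_SIZE` is a power of two; if the hook side applies it as a bitmask (the name suggests so, but the use site is not in this hunk) a non-power-of-two size lets edge ids land past the end of the buffer that `map_ptr` now points into, and `NEW_MAP_SIZE == 0` underflows. Adding `assert!(NEW_MAP_SIZE.is_power_of_two(), "edge map size must be a power of two");` before the `unsafe` block pins that precondition (a compile-time assertion would be better if the crate's MSRV allows it). The `unsafe` block writes mutable statics that keep a raw pointer to the observer's map after the `&mut O` borrow ends, so it needs a `// SAFETY:` line stating what it relies on, e.g. `// SAFETY: builder setup is single-threaded; the observer's map must outlive the emulator and not be moved after this call`. The line `// LIBAFL_QEMU_EDGES_MAP_SIZE_PTR = size_ptr; do i need this ?` commits an open question as a comment; either wire it up or replace it with a `// TODO:` that says why it is not needed. The method body continues past the hunk.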