SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Forkserver: 1. Add mem barrier 2. Don't send the initial 4 bytes message when it uses dynamic map option only (#1073)

Browse Source 
* fix

* Real fix

* a
This commit is contained in:
Dongjia "toka" Zhang 2023-02-16 09:42:28 +09:00 committed by GitHub
parent 26aace6073
commit e7ef6ae8b7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 32 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
libafl/src/executors/forkserver.rs
View File

@ -4,6 +4,7 @@ use alloc::{borrow::ToOwned, string::ToString, vec::Vec};
use core::{ use core::{
fmt::{self, Debug, Formatter}, fmt::{self, Debug, Formatter},
marker::PhantomData, marker::PhantomData,
sync::atomic::{compiler_fence, Ordering},
time::Duration, time::Duration,
}; };
use std::{ use std::{
@ -733,22 +734,6 @@ impl<'a, SP> ForkserverExecutorBuilder<'a, SP> {
return Err(Error::unknown("Failed to start a forkserver".to_string())); return Err(Error::unknown("Failed to start a forkserver".to_string()));
} }
log::info!("All right - fork server is up."); log::info!("All right - fork server is up.");
// If forkserver is responding, we then check if there's any option enabled.
// We'll send 4-bytes message back to the forkserver to tell which features to use
// The forkserver is listening to our response if either shmem fuzzing is enabled or auto dict is enabled
// <https://github.com/AFLplusplus/AFLplusplus/blob/147654f8715d237fe45c1657c87b2fe36c4db22a/instrumentation/afl-compiler-rt.o.c#L1026>
if status & FS_OPT_ENABLED == FS_OPT_ENABLED
&& (status & FS_OPT_SHDMEM_FUZZ == FS_OPT_SHDMEM_FUZZ
|| status & FS_OPT_AUTODICT == FS_OPT_AUTODICT
|| status & FS_OPT_MAPSIZE == FS_OPT_MAPSIZE)
{
let mut send_status = FS_OPT_ENABLED;
if (status & FS_OPT_SHDMEM_FUZZ == FS_OPT_SHDMEM_FUZZ) && map.is_some() {
log::info!("Using SHARED MEMORY FUZZING feature.");
send_status |= FS_OPT_SHDMEM_FUZZ;
self.uses_shmem_testcase = true;
}
if status & FS_OPT_MAPSIZE == FS_OPT_MAPSIZE { if status & FS_OPT_MAPSIZE == FS_OPT_MAPSIZE {
let mut map_size = fs_opt_get_mapsize(status); let mut map_size = fs_opt_get_mapsize(status);
@ -772,6 +757,23 @@ impl<'a, SP> ForkserverExecutorBuilder<'a, SP> {
self.map_size = Some(map_size as usize); self.map_size = Some(map_size as usize);
} }
// Only with SHMEM or AUTODICT we can send send_status back or it breaks!
// If forkserver is responding, we then check if there's any option enabled.
// We'll send 4-bytes message back to the forkserver to tell which features to use
// The forkserver is listening to our response if either shmem fuzzing is enabled or auto dict is enabled
// <https://github.com/AFLplusplus/AFLplusplus/blob/147654f8715d237fe45c1657c87b2fe36c4db22a/instrumentation/afl-compiler-rt.o.c#L1026>
if status & FS_OPT_ENABLED == FS_OPT_ENABLED
&& (status & FS_OPT_SHDMEM_FUZZ == FS_OPT_SHDMEM_FUZZ
|| status & FS_OPT_AUTODICT == FS_OPT_AUTODICT)
{
let mut send_status = FS_OPT_ENABLED;
if (status & FS_OPT_SHDMEM_FUZZ == FS_OPT_SHDMEM_FUZZ) && map.is_some() {
log::info!("Using SHARED MEMORY FUZZING feature.");
send_status |= FS_OPT_SHDMEM_FUZZ;
self.uses_shmem_testcase = true;
}
let send_len = forkserver.write_ctl(send_status)?; let send_len = forkserver.write_ctl(send_status)?;
if send_len != 4 { if send_len != 4 {
return Err(Error::unknown("Writing to forkserver failed.".to_string())); return Err(Error::unknown("Writing to forkserver failed.".to_string()));
@ -1046,6 +1048,9 @@ where
self.input_file.write_buf(input.target_bytes().as_slice())?; self.input_file.write_buf(input.target_bytes().as_slice())?;
} }
// Don't tell the forkserver to spawn a new process before clearing the cov map
compiler_fence(Ordering::SeqCst);
let send_len = self let send_len = self
.forkserver .forkserver
.write_ctl(self.forkserver().last_run_timed_out())?; .write_ctl(self.forkserver().last_run_timed_out())?;
@ -1098,6 +1103,9 @@ where
self.forkserver.set_child_pid(Pid::from_raw(0)); self.forkserver.set_child_pid(Pid::from_raw(0));
// Clear the observer map after the execution is finished
compiler_fence(Ordering::SeqCst);
Ok(exit_kind) Ok(exit_kind)
} }
} }

2
libafl/src/observers/mod.rs
View File

@ -29,7 +29,6 @@ use alloc::{
vec::Vec, vec::Vec,
}; };
use core::{fmt::Debug, time::Duration}; use core::{fmt::Debug, time::Duration};
#[cfg(feature = "std")] #[cfg(feature = "std")]
use std::time::Instant; use std::time::Instant;
@ -38,7 +37,6 @@ pub use value::*;
#[cfg(feature = "no_std")] #[cfg(feature = "no_std")]
use crate::bolts::current_time; use crate::bolts::current_time;
use crate::{ use crate::{
bolts::{ bolts::{
ownedref::OwnedMutPtr, ownedref::OwnedMutPtr,