From f25862cb90ccae61f94987c2188f9129d9e4d33c Mon Sep 17 00:00:00 2001
From: Andrea Fioraldi
Date: Mon, 26 Apr 2021 09:41:35 +0200
Subject: [PATCH] fix baby fuzzer
---
 fuzzers/baby_fuzzer/README.md | 4 ++++
 fuzzers/baby_fuzzer/src/main.rs | 13 +++++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/fuzzers/baby_fuzzer/README.md b/fuzzers/baby_fuzzer/README.md
index 917277dc7b..d7766a569b 100644
--- a/fuzzers/baby_fuzzer/README.md
+++ b/fuzzers/baby_fuzzer/README.md
@@ -1,3 +1,7 @@
 # Baby fuzzer
+This is a minimalistic example about how to create a libafl based fuzzer.
+It runs on a single core until a crash occurs and then exits.
+
+The tested program is a simple Rust function without any instrumentation.
diff --git a/fuzzers/baby_fuzzer/src/main.rs b/fuzzers/baby_fuzzer/src/main.rs
index fbba174e3e..d53dfec70a 100644
--- a/fuzzers/baby_fuzzer/src/main.rs
+++ b/fuzzers/baby_fuzzer/src/main.rs
@@ -16,16 +16,21 @@ use libafl::{
 utils::{current_nanos, StdRand},
 };
+// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
+fn signals_set(idx: usize) {
+ unsafe { SIGNALS[idx] = 1 };
+}
+
 pub fn main() {
 // The closure that we want to fuzz
 let mut harness = |buf: &[u8]| {
- unsafe { SIGNALS[0] = 1 };
+ signals_set(0);
 if buf.len() > 0 && buf[0] == 'a' as u8 {
- unsafe { SIGNALS[1] = 1 };
+ signals_set(1);
 if buf.len() > 1 && buf[1] == 'b' as u8 {
- unsafe { SIGNALS[2] = 1 };
+ signals_set(2);
 if buf.len() > 2 && buf[2] == 'c' as u8 {
 panic!("=)");
 }
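Review bot: `signals_set` is a safe fn that writes to `static mut SIGNALS` through an `unsafe` block with no `// SAFETY:` comment, so the invariant that makes the write sound is now hidden behind an API any safe code can call. Either state it at the block, e.g. `// SAFETY: the harness runs on a single thread and no reference into SIGNALS is live during this write` (assuming that is how the map observer is wired, which this hunk does not show), or make it `unsafe fn signals_set` and document the contract under a `# Safety` section. An `idx` of 16 or more would also panic on the array index inside the harness, and the fuzzer would record that panic as a crash indistinguishable from the intended `panic!("=)")`; a doc comment such as `/// Marks slot `idx` (must be < 16) of the fake coverage map as hit; out-of-range indices panic.` or an `assert!(idx < 16, "coverage slot out of range")` before the write would make that bound explicit. The harness closure and `main` continue outside the hunk.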
@@ -52,7 +57,7 @@ pub fn main() {
 // Corpus that will be evolved, we keep it in memory for performance
 InMemoryCorpus::new(),
 // Feedbacks to rate the interestingness of an input
- tuple_list!(MaxMapFeedback::new(&observer)),
+ tuple_list!(MaxMapFeedback::new_with_observer(&observer)),
 // Corpus in which we store solutions (crashes in this example),
 // on disk so the user can get them after stopping the fuzzer
 OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),