diff --git a/fuzzers/baby_fuzzer_swap_differential/common.c b/fuzzers/baby_fuzzer_swap_differential/common.c index ca4abefadf..984bd7a2bf 100644 --- a/fuzzers/baby_fuzzer_swap_differential/common.c +++ b/fuzzers/baby_fuzzer_swap_differential/common.c @@ -3,9 +3,7 @@ bool both_require(const uint8_t *bytes, size_t len) { if (len >= 1 && bytes[0] == 'a') { if (len >= 2 && bytes[1] == 'b') { - if (len >= 3 && bytes[2] == 'c') { - return ACCEPT; - } + if (len >= 3 && bytes[2] == 'c') { return ACCEPT; } } } return REJECT; diff --git a/fuzzers/baby_fuzzer_swap_differential/first.c b/fuzzers/baby_fuzzer_swap_differential/first.c index f2e1270953..d258d9b6af 100644 --- a/fuzzers/baby_fuzzer_swap_differential/first.c +++ b/fuzzers/baby_fuzzer_swap_differential/first.c @@ -2,9 +2,7 @@ bool inspect_first(const uint8_t *bytes, size_t len) { if (both_require(bytes, len)) { - if (len >= 4 && bytes[3] == 'd') { - return ACCEPT; - } + if (len >= 4 && bytes[3] == 'd') { return ACCEPT; } } return REJECT; } diff --git a/fuzzers/baby_fuzzer_swap_differential/second.c b/fuzzers/baby_fuzzer_swap_differential/second.c index b05be5a2a3..21353656a0 100644 --- a/fuzzers/baby_fuzzer_swap_differential/second.c +++ b/fuzzers/baby_fuzzer_swap_differential/second.c @@ -2,9 +2,7 @@ bool inspect_second(const uint8_t *bytes, size_t len) { if (both_require(bytes, len)) { - if (len >= 5 && bytes[4] == 'e') { - return ACCEPT; - } + if (len >= 5 && bytes[4] == 'e') { return ACCEPT; } } return REJECT; } \ No newline at end of file diff --git a/fuzzers/fuzzbench/fuzz.c b/fuzzers/fuzzbench/fuzz.c index 83fbb181d9..0460dd63d2 100644 --- a/fuzzers/fuzzbench/fuzz.c +++ b/fuzzers/fuzzbench/fuzz.c @@ -6,9 +6,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if (Size >= 8 && *(uint32_t *)Data == 0xaabbccdd) { abort(); } char buf[8] = {'a', 'b', 'c', 'd'}; - if (memcmp(Data, buf, 4) == 0) { - abort(); - } + if (memcmp(Data, buf, 4) == 0) { abort(); } return 0; } 
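Review bot: In the fuzzbench/fuzz.c hunk, the reformatted `if (memcmp(Data, buf, 4) == 0) { abort(); }` reads four bytes of `Data` without checking `Size`, so an input shorter than four bytes is an out-of-bounds read of the fuzzer's input buffer rather than the deliberate crash the harness intends; the `Size >= 8` guard on the context line above shows the pattern that is missing here. Suggested change: `if (Size >= 4 && memcmp(Data, buf, 4) == 0) { abort(); }`. The `*(uint32_t *)Data` on that context line also assumes `Data` is 4-byte aligned, which a `memcpy` into a local `uint32_t` would avoid, but that line is not touched by this commit.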
diff --git a/fuzzers/fuzzbench/stub_rt.c b/fuzzers/fuzzbench/stub_rt.c index 6204fc82e2..825d6780af 100644 --- a/fuzzers/fuzzbench/stub_rt.c +++ b/fuzzers/fuzzbench/stub_rt.c @@ -1,26 +1,34 @@ #include -__attribute__ ((weak)) void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { +__attribute__((weak)) void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, + uint32_t *stop) { } -__attribute__ ((weak)) void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { +__attribute__((weak)) void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { } -__attribute__ ((weak)) void __cmplog_rtn_hook(uint8_t *ptr1, uint8_t *ptr2) { +__attribute__((weak)) void __cmplog_rtn_hook(uint8_t *ptr1, uint8_t *ptr2) { } -__attribute__ ((weak)) void __cmplog_rtn_gcc_stdstring_cstring(uint8_t *stdstring, uint8_t *cstring) { +__attribute__((weak)) void __cmplog_rtn_gcc_stdstring_cstring( + uint8_t *stdstring, uint8_t *cstring) { } -__attribute__ ((weak)) void __cmplog_rtn_gcc_stdstring_stdstring(uint8_t *stdstring1, uint8_t *stdstring2) { +__attribute__((weak)) void __cmplog_rtn_gcc_stdstring_stdstring( + uint8_t *stdstring1, uint8_t *stdstring2) { } -__attribute__ ((weak)) void __cmplog_rtn_llvm_stdstring_cstring(uint8_t *stdstring, uint8_t *cstring) { +__attribute__((weak)) void __cmplog_rtn_llvm_stdstring_cstring( + uint8_t *stdstring, uint8_t *cstring) { } -__attribute__ ((weak)) void __cmplog_rtn_llvm_stdstring_stdstring(uint8_t *stdstring1, uint8_t *stdstring2) { +__attribute__((weak)) void __cmplog_rtn_llvm_stdstring_stdstring( + uint8_t *stdstring1, uint8_t *stdstring2) { } extern void libafl_main(void); -int main(int argc, char **argv) { libafl_main(); return 0; } +int main(int argc, char **argv) { + libafl_main(); + return 0; +} diff --git a/fuzzers/libfuzzer_stb_image/harness.c b/fuzzers/libfuzzer_stb_image/harness.c index b560ce511a..dbf367e47e 100644 --- a/fuzzers/libfuzzer_stb_image/harness.c +++ b/fuzzers/libfuzzer_stb_image/harness.c 
@@ -12,16 +12,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { int x, y, channels; - if (!stbi_info_from_memory(data, size, &x, &y, &channels)) {return 0;} + if (!stbi_info_from_memory(data, size, &x, &y, &channels)) { return 0; } /* exit if the image is larger than ~80MB */ - if (y && x > (80000000 / 4) / y){ return 0;} + if (y && x > (80000000 / 4) / y) { return 0; } unsigned char *img = stbi_load_from_memory(data, size, &x, &y, &channels, 4); - free(img); - - // if (x > 10000) free(img); // free crash + free(img); + + // if (x > 10000) free(img); // free crash // if (x > 10000) {free(img);} // free crash diff --git a/fuzzers/qemu_systemmode/example/main.c b/fuzzers/qemu_systemmode/example/main.c index 1d34d135de..858251ba2b 100644 --- a/fuzzers/qemu_systemmode/example/main.c +++ b/fuzzers/qemu_systemmode/example/main.c 
@@ -1,37 +1,30 @@ int BREAKPOINT() { - for (;;) - { - } + for (;;) {} } -int LLVMFuzzerTestOneInput(unsigned int* Data, unsigned int Size) { - //if (Data[3] == 0) {while(1){}} // cause a timeout - for (int i=0; i 0xFFd0 && Data[i] < 0xFFFF) {return 1;} // cause qemu to crash - for (int j=i+1; jData[i]) { +int LLVMFuzzerTestOneInput(unsigned int *Data, unsigned int Size) { + // if (Data[3] == 0) {while(1){}} // cause a timeout + for (int i = 0; i < Size; i++) { + // if (Data[i] > 0xFFd0 && Data[i] < 0xFFFF) {return 1;} // cause qemu to + // crash + for (int j = i + 1; j < Size; j++) { + if (Data[j] == 0) { continue; } + if (Data[j] > Data[i]) { int tmp = Data[i]; - Data[i]=Data[j]; - Data[j]=tmp; - if (Data[i] <= 100) {j--;} + Data[i] = Data[j]; + Data[j] = tmp; + if (Data[i] <= 100) { j--; } } } } return BREAKPOINT(); } - unsigned int FUZZ_INPUT[] = { - 101,201,700,230,860, - 234,980,200,340,678, - 230,134,900,236,900, - 123,800,123,658,607, - 246,804,567,568,207, - 407,246,678,457,892, - 834,456,878,246,699, - 854,234,844,290,125, - 324,560,852,928,910, - 790,853,345,234,586, - }; +unsigned int FUZZ_INPUT[] = { + 101, 201, 700, 230, 860, 234, 980, 200, 340, 678, 230, 134, 900, + 236, 900, 123, 800, 123, 658, 607, 246, 804, 567, 568, 207, 407, + 246, 678, 457, 892, 834, 456, 878, 246, 699, 854, 234, 844, 290, + 125, 324, 560, 852, 928, 910, 790, 853, 345, 234, 586, +}; int main() { LLVMFuzzerTestOneInput(FUZZ_INPUT, 50); diff --git a/fuzzers/qemu_systemmode/example/startup.c b/fuzzers/qemu_systemmode/example/startup.c index 3b3acb56b8..36be3cf55a 100644 --- a/fuzzers/qemu_systemmode/example/startup.c +++ b/fuzzers/qemu_systemmode/example/startup.c 
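Review bot: In the qemu_systemmode main.c hunk, the reformatted loop headers compare signed `int i` / `int j` against the `unsigned int Size` parameter, and `int tmp = Data[i];` narrows an `unsigned int` element into `int`; this compiles but is exactly what `-Wsign-compare` and `-Wconversion` flag, and the mixed types are easy to get wrong if `Size` is ever derived from input. Declaring the indices and the temporary with the element type keeps them consistent: `for (unsigned int i = 0; i < Size; i++)`, `for (unsigned int j = i + 1; j < Size; j++)`, `unsigned int tmp = Data[i];`. Parts of this hunk look garbled in the rendering (`i 0xFFd0`, `jData[i]`), so the exact loop headers should be confirmed against the file.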
@@ -2,22 +2,23 @@
  * FreeRTOS V202112.00
  * Copyright (C) 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
  *
- * Permission is hereby granted, free of charge, to any person obtaining a copy of
- * this software and associated documentation files (the "Software"), to deal in
- * the Software without restriction, including without limitation the rights to
- * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
- * the Software, and to permit persons to whom the Software is furnished to do so,
- * subject to the following conditions:
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
  *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
  *
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
- * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
- * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
- * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
  *
  * https://www.FreeRTOS.org
  * https://github.com/FreeRTOS
@@ -31,84 +32,76 @@ extern int main(); extern uint32_t _estack, _sidata, _sdata, _edata, _sbss, _ebss; /* Prevent optimization so gcc does not replace code with memcpy */ -__attribute__( ( optimize( "O0" ) ) ) -__attribute__( ( naked ) ) -void Reset_Handler( void ) -{ - /* set stack pointer */ - __asm volatile ( "ldr r0, =_estack" ); - __asm volatile ( "mov sp, r0" ); +__attribute__((optimize("O0"))) __attribute__((naked)) void Reset_Handler( + void) { + /* set stack pointer */ + __asm volatile("ldr r0, =_estack"); + __asm volatile("mov sp, r0"); - /* copy .data section from flash to RAM */ - // Not needed for this example, see linker script - // for( uint32_t * src = &_sidata, * dest = &_sdata; dest < &_edata; ) - // { - // *dest++ = *src++; - // } + /* copy .data section from flash to RAM */ + // Not needed for this example, see linker script + // for( uint32_t * src = &_sidata, * dest = &_sdata; dest < &_edata; ) + // { + // *dest++ = *src++; + // } - /* zero out .bss section */ - for( uint32_t * dest = &_sbss; dest < &_ebss; ) - { - *dest++ = 0; - } + /* zero out .bss section */ + for (uint32_t *dest = &_sbss; dest < &_ebss;) { + *dest++ = 0; + } - /* jump to board initialisation */ - void _start( void ); - _start(); + /* jump to board initialisation */ + void _start(void); + _start(); } -const uint32_t * isr_vector[] __attribute__( ( section( ".isr_vector" ) ) ) = -{ - ( uint32_t * ) &_estack, - ( uint32_t * ) &Reset_Handler, /* Reset -15 */ - 0, /* NMI_Handler -14 */ - 0, /* HardFault_Handler -13 */ - 0, /* MemManage_Handler -12 */ - 0, /* BusFault_Handler -11 */ - 0, /* UsageFault_Handler -10 */ - 0, /* reserved */ - 0, /* reserved */ - 0, /* reserved */ - 0, /* reserved -6 */ - 0, /* SVC_Handler -5 */ - 0, /* DebugMon_Handler -4 */ - 0, /* reserved */ - 0, /* PendSV handler -2 */ - 0, /* SysTick_Handler -1 */ - 0, /* uart0 receive 0 */ - 0, /* uart0 transmit */ - 0, /* uart1 receive */ - 0, /* uart1 transmit */ - 0, /* uart 2 receive */ - 0, /* uart 2 
transmit */ - 0, /* GPIO 0 combined interrupt */ - 0, /* GPIO 2 combined interrupt */ - 0, /* Timer 0 */ - 0, /* Timer 1 */ - 0, /* Dial Timer */ - 0, /* SPI0 SPI1 */ - 0, /* uart overflow 1, 2,3 */ - 0, /* Ethernet 13 */ +const uint32_t *isr_vector[] __attribute__((section(".isr_vector"))) = { + (uint32_t *)&_estack, + (uint32_t *)&Reset_Handler, /* Reset -15 */ + 0, /* NMI_Handler -14 */ + 0, /* HardFault_Handler -13 */ + 0, /* MemManage_Handler -12 */ + 0, /* BusFault_Handler -11 */ + 0, /* UsageFault_Handler -10 */ + 0, /* reserved */ + 0, /* reserved */ + 0, /* reserved */ + 0, /* reserved -6 */ + 0, /* SVC_Handler -5 */ + 0, /* DebugMon_Handler -4 */ + 0, /* reserved */ + 0, /* PendSV handler -2 */ + 0, /* SysTick_Handler -1 */ + 0, /* uart0 receive 0 */ + 0, /* uart0 transmit */ + 0, /* uart1 receive */ + 0, /* uart1 transmit */ + 0, /* uart 2 receive */ + 0, /* uart 2 transmit */ + 0, /* GPIO 0 combined interrupt */ + 0, /* GPIO 2 combined interrupt */ + 0, /* Timer 0 */ + 0, /* Timer 1 */ + 0, /* Dial Timer */ + 0, /* SPI0 SPI1 */ + 0, /* uart overflow 1, 2,3 */ + 0, /* Ethernet 13 */ }; -__attribute__( ( naked ) ) void exit(__attribute__((unused)) int status ) -{ - /* Force qemu to exit using ARM Semihosting */ - __asm volatile ( - "mov r1, r0\n" - "cmp r1, #0\n" - "bne .notclean\n" - "ldr r1, =0x20026\n" /* ADP_Stopped_ApplicationExit, a clean exit */ - ".notclean:\n" - "movs r0, #0x18\n" /* SYS_EXIT */ - "bkpt 0xab\n" - "end: b end\n" - ); +__attribute__((naked)) void exit(__attribute__((unused)) int status) { + /* Force qemu to exit using ARM Semihosting */ + __asm volatile( + "mov r1, r0\n" + "cmp r1, #0\n" + "bne .notclean\n" + "ldr r1, =0x20026\n" /* ADP_Stopped_ApplicationExit, a clean exit */ + ".notclean:\n" + "movs r0, #0x18\n" /* SYS_EXIT */ + "bkpt 0xab\n" + "end: b end\n"); } -void _start( void ) -{ - main( ); - exit( 0 ); +void _start(void) { + main(); + exit(0); } - 
diff --git a/fuzzers/tutorial/target.c b/fuzzers/tutorial/target.c
index 678a48ea22..8fc07f2f0c 100644
--- a/fuzzers/tutorial/target.c
+++ b/fuzzers/tutorial/target.c
@@ -15,57 +15,53 @@ typedef enum _packet_type { #pragma pack(1) typedef struct _packet_data { packet_type type; - uint64_t offset; - uint64_t length; - char data[0]; + uint64_t offset; + uint64_t length; + char data[0]; } packet_data; - int LLVMFuzzerTestOneInput(const uint8_t *packet_buffer, size_t packet_length) { - ssize_t saved_data_length = 0; - char* saved_data = NULL; - int err = 0; - packet_data* datagram = NULL; + ssize_t saved_data_length = 0; + char *saved_data = NULL; + int err = 0; + packet_data *datagram = NULL; if (packet_length < sizeof(packet_data) || packet_length > MAX_PACKET_SIZE) { return 1; } - datagram = (packet_data*)packet_buffer; + datagram = (packet_data *)packet_buffer; switch (datagram->type) { -case data_read: - if (saved_data != NULL && datagram->offset + datagram->length <= saved_data_length) { - write(0, packet_buffer + datagram->offset, datagram->length); - } - break; + case data_read: + if (saved_data != NULL && + datagram->offset + datagram->length <= saved_data_length) { + write(0, packet_buffer + datagram->offset, datagram->length); + } + break; -case data_write: - // NOTE: Who cares about checking the offset? Nobody would ever provide bad data - if (saved_data != NULL && datagram->length <= saved_data_length) { - memcpy(saved_data + datagram->offset, datagram->data, datagram->length); - } - break; + case data_write: + // NOTE: Who cares about checking the offset? 
Nobody would ever provide + // bad data + if (saved_data != NULL && datagram->length <= saved_data_length) { + memcpy(saved_data + datagram->offset, datagram->data, datagram->length); + } + break; -case data_reset: - if (datagram->length > packet_length - sizeof(*datagram)) { + case data_reset: + if (datagram->length > packet_length - sizeof(*datagram)) { return 1; } + + if (saved_data != NULL) { free(saved_data); } + + saved_data = malloc(datagram->length); + saved_data_length = datagram->length; + + memcpy(saved_data, datagram->data, datagram->length); + break; + + default: return 1; - } - - if (saved_data != NULL) { - free(saved_data); - } - - saved_data = malloc(datagram->length); - saved_data_length = datagram->length; - - memcpy(saved_data, datagram->data, datagram->length); - break; - -default: - return 1; } return 0; } - diff --git a/libafl_targets/src/cmplog.c b/libafl_targets/src/cmplog.c index 3c5aac9a43..48792827a2 100644 --- a/libafl_targets/src/cmplog.c +++ b/libafl_targets/src/cmplog.c @@ -165,13 +165,14 @@ void __cmplog_rtn_hook_str(const uint8_t *ptr1, uint8_t *ptr2) { if (!libafl_cmplog_enabled) { return; } if (unlikely(!ptr1 || !ptr2)) return; - // these strnlen could indeed fail. but if it fails here it will sigsegv in the following hooked function call anyways + // these strnlen could indeed fail. but if it fails here it will sigsegv in + // the following hooked function call anyways int len1 = strnlen(ptr1, 30) + 1; int len2 = strnlen(ptr2, 30) + 1; int l = MAX(len1, len2); - l = MIN(l, area_is_valid(ptr1, l + 1)); // can we really access it? check - l = MIN(l, area_is_valid(ptr2, l + 1)); // can we really access it? check + l = MIN(l, area_is_valid(ptr1, l + 1)); // can we really access it? check + l = MIN(l, area_is_valid(ptr2, l + 1)); // can we really access it? check if (l < 2) return; 
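Review bot: In the tutorial/target.c hunk, the reformatted `ssize_t saved_data_length = 0;` and `char *saved_data = NULL;` are re-initialised on every `LLVMFuzzerTestOneInput` call, so the `saved_data != NULL` conditions in the `data_read` and `data_write` arms can never hold and the buffer allocated in the `data_reset` arm is never freed before the function returns. If that state is meant to persist across inputs, they should be `static ssize_t saved_data_length = 0;` and `static char *saved_data = NULL;`; if the unreachable arms are intentional for the tutorial, a one-line comment saying so would save the next reader the same analysis. The `malloc(datagram->length)` result in `data_reset` is also used by `memcpy` without a check; `if (saved_data == NULL) { return 1; }` keeps a failed allocation from becoming a NULL write. `char data[0];` in the packed struct is a GNU zero-length array; the C99 flexible array member `char data[];` expresses the same trailing-payload layout portably.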
@@ -188,14 +189,15 @@ void __cmplog_rtn_hook_strn(uint8_t *ptr1, uint8_t *ptr2, uint64_t len) { if (!libafl_cmplog_enabled) { return; } if (unlikely(!ptr1 || !ptr2)) return; - int len0 = MIN(len, 31); // cap by 31 - // these strnlen could indeed fail. but if it fails here it will sigsegv in the following hooked function call anyways + int len0 = MIN(len, 31); // cap by 31 + // these strnlen could indeed fail. but if it fails here it will sigsegv in + // the following hooked function call anyways int len1 = strnlen(ptr1, len0); int len2 = strnlen(ptr2, len0); int l = MAX(len1, len2); - l = MIN(l, area_is_valid(ptr1, l + 1)); // can we really access it? check - l = MIN(l, area_is_valid(ptr2, l + 1)); // can we really access it? check + l = MIN(l, area_is_valid(ptr1, l + 1)); // can we really access it? check + l = MIN(l, area_is_valid(ptr2, l + 1)); // can we really access it? check if (l < 2) return; diff --git a/libafl_targets/src/common.c b/libafl_targets/src/common.c index 01d54464bf..de7c5861d0 100644 --- a/libafl_targets/src/common.c +++ b/libafl_targets/src/common.c @@ -3,7 +3,7 @@ #ifdef DEFAULT_SANITIZERS_OPTIONS // TODO MSan and LSan. however they don't support abort_on_error -const char* __asan_default_options() { +const char *__asan_default_options() { return "abort_on_error=1:detect_leaks=0:" "malloc_context_size=0:symbolize=0:" "allocator_may_return_null=1:" @@ -12,7 +12,7 @@ const char* __asan_default_options() { "handle_sigfpe=0:handle_sigill=0"; } -const char* __ubsan_default_options() { +const char *__ubsan_default_options() { return "abort_on_error=1:" "allocator_release_to_os_interval_ms=500:" "handle_abort=0:handle_segv=0:" @@ -20,4 +20,4 @@ const char* __ubsan_default_options() { "handle_sigill=0:print_stacktrace=0:" "symbolize=0:symbolize_inline_frames=0"; } -#endif // DEFAULT_SANITIZERS_OPTIONS +#endif // DEFAULT_SANITIZERS_OPTIONS diff --git a/libafl_targets/src/libfuzzer.c b/libafl_targets/src/libfuzzer.c index 72a18ae965..eea3228090 100644 
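Review bot: In the libafl_targets/src/common.c hunks, the reformatted `const char *__asan_default_options() {` and `const char *__ubsan_default_options() {` keep an empty parameter list, which in C11 declares an unprototyped function rather than one taking no arguments; `-Wstrict-prototypes` flags it and C23 changes its meaning. A formatting pass is a good moment to normalise them to `const char *__asan_default_options(void) {` and `const char *__ubsan_default_options(void) {`.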
--- a/libafl_targets/src/libfuzzer.c +++ b/libafl_targets/src/libfuzzer.c @@ -33,11 +33,11 @@ EXT_FUNC_IMPL(main, int, (int argc, char **argv), false) { libafl_main(); return 0; } -#ifdef FUZZER_DEFINE_RUN_DRIVER + #ifdef FUZZER_DEFINE_RUN_DRIVER return LLVMFuzzerRunDriver(&argc, &argv, &LLVMFuzzerTestOneInput); -#else + #else return 0; -#endif + #endif } #if defined(_WIN32) diff --git a/libafl_targets/src/sancov_cmp.c b/libafl_targets/src/sancov_cmp.c index 256447e811..35304153a1 100644 --- a/libafl_targets/src/sancov_cmp.c +++ b/libafl_targets/src/sancov_cmp.c @@ -143,7 +143,8 @@ void __sanitizer_weak_hook_strncmp(void *called_pc, const char *s1, if (s1[actual_len] == 0 || s2[actual_len] == 0) { break; } } - __libafl_targets_cmplog_routines_len(k, (const uint8_t *) s1, (const uint8_t *) s2, actual_len); + __libafl_targets_cmplog_routines_len(k, (const uint8_t *)s1, + (const uint8_t *)s2, actual_len); } } @@ -164,7 +165,8 @@ void __sanitizer_weak_hook_strcmp(void *called_pc, const char *s1, if (s1[actual_len] == 0 || s2[actual_len] == 0) { break; } } - __libafl_targets_cmplog_routines_len(k, (const uint8_t *) s1, (const uint8_t *) s2, actual_len); + __libafl_targets_cmplog_routines_len(k, (const uint8_t *)s1, + (const uint8_t *)s2, actual_len); } }