This commit is contained in:
Dongjia "toka" Zhang 2023-10-03 13:40:19 +02:00 committed by GitHub
parent a9014a9419
commit fc16b70a65
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 172 additions and 186 deletions


@ -3,9 +3,7 @@
bool both_require(const uint8_t *bytes, size_t len) { bool both_require(const uint8_t *bytes, size_t len) {
if (len >= 1 && bytes[0] == 'a') { if (len >= 1 && bytes[0] == 'a') {
if (len >= 2 && bytes[1] == 'b') { if (len >= 2 && bytes[1] == 'b') {
if (len >= 3 && bytes[2] == 'c') { if (len >= 3 && bytes[2] == 'c') { return ACCEPT; }
return ACCEPT;
}
} }
} }
return REJECT; return REJECT;


@ -2,9 +2,7 @@
bool inspect_first(const uint8_t *bytes, size_t len) { bool inspect_first(const uint8_t *bytes, size_t len) {
if (both_require(bytes, len)) { if (both_require(bytes, len)) {
if (len >= 4 && bytes[3] == 'd') { if (len >= 4 && bytes[3] == 'd') { return ACCEPT; }
return ACCEPT;
}
} }
return REJECT; return REJECT;
} }


@ -2,9 +2,7 @@
bool inspect_second(const uint8_t *bytes, size_t len) { bool inspect_second(const uint8_t *bytes, size_t len) {
if (both_require(bytes, len)) { if (both_require(bytes, len)) {
if (len >= 5 && bytes[4] == 'e') { if (len >= 5 && bytes[4] == 'e') { return ACCEPT; }
return ACCEPT;
}
} }
return REJECT; return REJECT;
} }


@ -6,9 +6,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size >= 8 && *(uint32_t *)Data == 0xaabbccdd) { abort(); } if (Size >= 8 && *(uint32_t *)Data == 0xaabbccdd) { abort(); }
char buf[8] = {'a', 'b', 'c', 'd'}; char buf[8] = {'a', 'b', 'c', 'd'};
if (memcmp(Data, buf, 4) == 0) { if (memcmp(Data, buf, 4) == 0) { abort(); }
abort();
}
return 0; return 0;
} }


@ -1,6 +1,7 @@
#include <stdint.h> #include <stdint.h>
__attribute__ ((weak)) void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) { __attribute__((weak)) void __sanitizer_cov_trace_pc_guard_init(uint32_t *start,
uint32_t *stop) {
} }
__attribute__((weak)) void __sanitizer_cov_trace_pc_guard(uint32_t *guard) { __attribute__((weak)) void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
@ -9,18 +10,25 @@ __attribute__ ((weak)) void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
__attribute__((weak)) void __cmplog_rtn_hook(uint8_t *ptr1, uint8_t *ptr2) { __attribute__((weak)) void __cmplog_rtn_hook(uint8_t *ptr1, uint8_t *ptr2) {
} }
__attribute__ ((weak)) void __cmplog_rtn_gcc_stdstring_cstring(uint8_t *stdstring, uint8_t *cstring) { __attribute__((weak)) void __cmplog_rtn_gcc_stdstring_cstring(
uint8_t *stdstring, uint8_t *cstring) {
} }
__attribute__ ((weak)) void __cmplog_rtn_gcc_stdstring_stdstring(uint8_t *stdstring1, uint8_t *stdstring2) { __attribute__((weak)) void __cmplog_rtn_gcc_stdstring_stdstring(
uint8_t *stdstring1, uint8_t *stdstring2) {
} }
__attribute__ ((weak)) void __cmplog_rtn_llvm_stdstring_cstring(uint8_t *stdstring, uint8_t *cstring) { __attribute__((weak)) void __cmplog_rtn_llvm_stdstring_cstring(
uint8_t *stdstring, uint8_t *cstring) {
} }
__attribute__ ((weak)) void __cmplog_rtn_llvm_stdstring_stdstring(uint8_t *stdstring1, uint8_t *stdstring2) { __attribute__((weak)) void __cmplog_rtn_llvm_stdstring_stdstring(
uint8_t *stdstring1, uint8_t *stdstring2) {
} }
extern void libafl_main(void); extern void libafl_main(void);
int main(int argc, char **argv) { libafl_main(); return 0; } int main(int argc, char **argv) {
libafl_main();
return 0;
}


@ -1,13 +1,12 @@
int BREAKPOINT() { int BREAKPOINT() {
for (;;) for (;;) {}
{
}
} }
int LLVMFuzzerTestOneInput(unsigned int *Data, unsigned int Size) { int LLVMFuzzerTestOneInput(unsigned int *Data, unsigned int Size) {
// if (Data[3] == 0) {while(1){}} // cause a timeout // if (Data[3] == 0) {while(1){}} // cause a timeout
for (int i = 0; i < Size; i++) { for (int i = 0; i < Size; i++) {
//if (Data[i] > 0xFFd0 && Data[i] < 0xFFFF) {return 1;} // cause qemu to crash // if (Data[i] > 0xFFd0 && Data[i] < 0xFFFF) {return 1;} // cause qemu to
// crash
for (int j = i + 1; j < Size; j++) { for (int j = i + 1; j < Size; j++) {
if (Data[j] == 0) { continue; } if (Data[j] == 0) { continue; }
if (Data[j] > Data[i]) { if (Data[j] > Data[i]) {
@ -21,16 +20,10 @@ int LLVMFuzzerTestOneInput(unsigned int* Data, unsigned int Size) {
return BREAKPOINT(); return BREAKPOINT();
} }
unsigned int FUZZ_INPUT[] = { unsigned int FUZZ_INPUT[] = {
101,201,700,230,860, 101, 201, 700, 230, 860, 234, 980, 200, 340, 678, 230, 134, 900,
234,980,200,340,678, 236, 900, 123, 800, 123, 658, 607, 246, 804, 567, 568, 207, 407,
230,134,900,236,900, 246, 678, 457, 892, 834, 456, 878, 246, 699, 854, 234, 844, 290,
123,800,123,658,607, 125, 324, 560, 852, 928, 910, 790, 853, 345, 234, 586,
246,804,567,568,207,
407,246,678,457,892,
834,456,878,246,699,
854,234,844,290,125,
324,560,852,928,910,
790,853,345,234,586,
}; };
int main() { int main() {


@ -2,22 +2,23 @@
* FreeRTOS V202112.00 * FreeRTOS V202112.00
* Copyright (C) 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. * Copyright (C) 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
* *
* Permission is hereby granted, free of charge, to any person obtaining a copy of * Permission is hereby granted, free of charge, to any person obtaining a copy
* this software and associated documentation files (the "Software"), to deal in * of this software and associated documentation files (the "Software"), to deal
* the Software without restriction, including without limitation the rights to * in the Software without restriction, including without limitation the rights
* use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* the Software, and to permit persons to whom the Software is furnished to do so, * copies of the Software, and to permit persons to whom the Software is
* subject to the following conditions: * furnished to do so, subject to the following conditions:
* *
* The above copyright notice and this permission notice shall be included in all * The above copyright notice and this permission notice shall be included in
* copies or substantial portions of the Software. * all copies or substantial portions of the Software.
* *
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
* *
* https://www.FreeRTOS.org * https://www.FreeRTOS.org
* https://github.com/FreeRTOS * https://github.com/FreeRTOS
@ -31,10 +32,8 @@ extern int main();
extern uint32_t _estack, _sidata, _sdata, _edata, _sbss, _ebss; extern uint32_t _estack, _sidata, _sdata, _edata, _sbss, _ebss;
/* Prevent optimization so gcc does not replace code with memcpy */ /* Prevent optimization so gcc does not replace code with memcpy */
__attribute__( ( optimize( "O0" ) ) ) __attribute__((optimize("O0"))) __attribute__((naked)) void Reset_Handler(
__attribute__( ( naked ) ) void) {
void Reset_Handler( void )
{
/* set stack pointer */ /* set stack pointer */
__asm volatile("ldr r0, =_estack"); __asm volatile("ldr r0, =_estack");
__asm volatile("mov sp, r0"); __asm volatile("mov sp, r0");
@ -47,8 +46,7 @@ void Reset_Handler( void )
// } // }
/* zero out .bss section */ /* zero out .bss section */
for( uint32_t * dest = &_sbss; dest < &_ebss; ) for (uint32_t *dest = &_sbss; dest < &_ebss;) {
{
*dest++ = 0; *dest++ = 0;
} }
@ -57,8 +55,7 @@ void Reset_Handler( void )
_start(); _start();
} }
const uint32_t * isr_vector[] __attribute__( ( section( ".isr_vector" ) ) ) = const uint32_t *isr_vector[] __attribute__((section(".isr_vector"))) = {
{
(uint32_t *)&_estack, (uint32_t *)&_estack,
(uint32_t *)&Reset_Handler, /* Reset -15 */ (uint32_t *)&Reset_Handler, /* Reset -15 */
0, /* NMI_Handler -14 */ 0, /* NMI_Handler -14 */
@ -91,8 +88,7 @@ const uint32_t * isr_vector[] __attribute__( ( section( ".isr_vector" ) ) ) =
0, /* Ethernet 13 */ 0, /* Ethernet 13 */
}; };
__attribute__( ( naked ) ) void exit(__attribute__((unused)) int status ) __attribute__((naked)) void exit(__attribute__((unused)) int status) {
{
/* Force qemu to exit using ARM Semihosting */ /* Force qemu to exit using ARM Semihosting */
__asm volatile( __asm volatile(
"mov r1, r0\n" "mov r1, r0\n"
@ -102,13 +98,10 @@ __attribute__( ( naked ) ) void exit(__attribute__((unused)) int status )
".notclean:\n" ".notclean:\n"
"movs r0, #0x18\n" /* SYS_EXIT */ "movs r0, #0x18\n" /* SYS_EXIT */
"bkpt 0xab\n" "bkpt 0xab\n"
"end: b end\n" "end: b end\n");
);
} }
void _start( void ) void _start(void) {
{
main(); main();
exit(0); exit(0);
} }


@ -20,7 +20,6 @@ typedef struct _packet_data {
char data[0]; char data[0];
} packet_data; } packet_data;
int LLVMFuzzerTestOneInput(const uint8_t *packet_buffer, size_t packet_length) { int LLVMFuzzerTestOneInput(const uint8_t *packet_buffer, size_t packet_length) {
ssize_t saved_data_length = 0; ssize_t saved_data_length = 0;
char *saved_data = NULL; char *saved_data = NULL;
@ -35,26 +34,24 @@ int LLVMFuzzerTestOneInput(const uint8_t *packet_buffer, size_t packet_length) {
switch (datagram->type) { switch (datagram->type) {
case data_read: case data_read:
if (saved_data != NULL && datagram->offset + datagram->length <= saved_data_length) { if (saved_data != NULL &&
datagram->offset + datagram->length <= saved_data_length) {
write(0, packet_buffer + datagram->offset, datagram->length); write(0, packet_buffer + datagram->offset, datagram->length);
} }
break; break;
case data_write: case data_write:
// NOTE: Who cares about checking the offset? Nobody would ever provide bad data // NOTE: Who cares about checking the offset? Nobody would ever provide
// bad data
if (saved_data != NULL && datagram->length <= saved_data_length) { if (saved_data != NULL && datagram->length <= saved_data_length) {
memcpy(saved_data + datagram->offset, datagram->data, datagram->length); memcpy(saved_data + datagram->offset, datagram->data, datagram->length);
} }
break; break;
case data_reset: case data_reset:
if (datagram->length > packet_length - sizeof(*datagram)) { if (datagram->length > packet_length - sizeof(*datagram)) { return 1; }
return 1;
}
if (saved_data != NULL) { if (saved_data != NULL) { free(saved_data); }
free(saved_data);
}
saved_data = malloc(datagram->length); saved_data = malloc(datagram->length);
saved_data_length = datagram->length; saved_data_length = datagram->length;
@ -68,4 +65,3 @@ default:
return 0; return 0;
} }


@ -165,7 +165,8 @@ void __cmplog_rtn_hook_str(const uint8_t *ptr1, uint8_t *ptr2) {
if (!libafl_cmplog_enabled) { return; } if (!libafl_cmplog_enabled) { return; }
if (unlikely(!ptr1 || !ptr2)) return; if (unlikely(!ptr1 || !ptr2)) return;
// these strnlen could indeed fail. but if it fails here it will sigsegv in the following hooked function call anyways // these strnlen could indeed fail. but if it fails here it will sigsegv in
// the following hooked function call anyways
int len1 = strnlen(ptr1, 30) + 1; int len1 = strnlen(ptr1, 30) + 1;
int len2 = strnlen(ptr2, 30) + 1; int len2 = strnlen(ptr2, 30) + 1;
int l = MAX(len1, len2); int l = MAX(len1, len2);
@ -189,7 +190,8 @@ void __cmplog_rtn_hook_strn(uint8_t *ptr1, uint8_t *ptr2, uint64_t len) {
if (unlikely(!ptr1 || !ptr2)) return; if (unlikely(!ptr1 || !ptr2)) return;
int len0 = MIN(len, 31); // cap by 31 int len0 = MIN(len, 31); // cap by 31
// these strnlen could indeed fail. but if it fails here it will sigsegv in the following hooked function call anyways // these strnlen could indeed fail. but if it fails here it will sigsegv in
// the following hooked function call anyways
int len1 = strnlen(ptr1, len0); int len1 = strnlen(ptr1, len0);
int len2 = strnlen(ptr2, len0); int len2 = strnlen(ptr2, len0);
int l = MAX(len1, len2); int l = MAX(len1, len2);


@ -143,7 +143,8 @@ void __sanitizer_weak_hook_strncmp(void *called_pc, const char *s1,
if (s1[actual_len] == 0 || s2[actual_len] == 0) { break; } if (s1[actual_len] == 0 || s2[actual_len] == 0) { break; }
} }
__libafl_targets_cmplog_routines_len(k, (const uint8_t *) s1, (const uint8_t *) s2, actual_len); __libafl_targets_cmplog_routines_len(k, (const uint8_t *)s1,
(const uint8_t *)s2, actual_len);
} }
} }
@ -164,7 +165,8 @@ void __sanitizer_weak_hook_strcmp(void *called_pc, const char *s1,
if (s1[actual_len] == 0 || s2[actual_len] == 0) { break; } if (s1[actual_len] == 0 || s2[actual_len] == 0) { break; }
} }
__libafl_targets_cmplog_routines_len(k, (const uint8_t *) s1, (const uint8_t *) s2, actual_len); __libafl_targets_cmplog_routines_len(k, (const uint8_t *)s1,
(const uint8_t *)s2, actual_len);
} }
} }