SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Format C (#1602)

Browse Source
This commit is contained in:
Dongjia "toka" Zhang 2023-10-03 13:40:19 +02:00 committed by GitHub
parent a9014a9419
commit fc16b70a65
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 172 additions and 186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
fuzzers/baby_fuzzer_swap_differential/common.c
View File

@ -3,9 +3,7 @@
bool both_require(const uint8_t *bytes, size_t len) {
if (len >= 1 && bytes[0] == 'a') {
if (len >= 2 && bytes[1] == 'b') {
if (len >= 3 && bytes[2] == 'c') {
return ACCEPT;
}
if (len >= 3 && bytes[2] == 'c') { return ACCEPT; }
}
}
return REJECT;

4
fuzzers/baby_fuzzer_swap_differential/first.c
View File

@ -2,9 +2,7 @@
bool inspect_first(const uint8_t *bytes, size_t len) {
if (both_require(bytes, len)) {
if (len >= 4 && bytes[3] == 'd') {
return ACCEPT;
}
if (len >= 4 && bytes[3] == 'd') { return ACCEPT; }
}
return REJECT;
}

4
fuzzers/baby_fuzzer_swap_differential/second.c
View File

@ -2,9 +2,7 @@
bool inspect_second(const uint8_t *bytes, size_t len) {
if (both_require(bytes, len)) {
if (len >= 5 && bytes[4] == 'e') {
return ACCEPT;
}
if (len >= 5 && bytes[4] == 'e') { return ACCEPT; }
}
return REJECT;
}

4
fuzzers/fuzzbench/fuzz.c
View File

@ -6,9 +6,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size >= 8 && *(uint32_t *)Data == 0xaabbccdd) { abort(); }
char buf[8] = {'a', 'b', 'c', 'd'};
if (memcmp(Data, buf, 4) == 0) {
abort();
}
if (memcmp(Data, buf, 4) == 0) { abort(); }
return 0;
}

24
fuzzers/fuzzbench/stub_rt.c
View File

@ -1,26 +1,34 @@
#include <stdint.h>
__attribute__ ((weak)) void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
__attribute__((weak)) void __sanitizer_cov_trace_pc_guard_init(uint32_t *start,
uint32_t *stop) {
}
__attribute__ ((weak)) void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
__attribute__((weak)) void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
}
__attribute__ ((weak)) void __cmplog_rtn_hook(uint8_t *ptr1, uint8_t *ptr2) {
__attribute__((weak)) void __cmplog_rtn_hook(uint8_t *ptr1, uint8_t *ptr2) {
}
__attribute__ ((weak)) void __cmplog_rtn_gcc_stdstring_cstring(uint8_t *stdstring, uint8_t *cstring) {
__attribute__((weak)) void __cmplog_rtn_gcc_stdstring_cstring(
uint8_t *stdstring, uint8_t *cstring) {
}
__attribute__ ((weak)) void __cmplog_rtn_gcc_stdstring_stdstring(uint8_t *stdstring1, uint8_t *stdstring2) {
__attribute__((weak)) void __cmplog_rtn_gcc_stdstring_stdstring(
uint8_t *stdstring1, uint8_t *stdstring2) {
}
__attribute__ ((weak)) void __cmplog_rtn_llvm_stdstring_cstring(uint8_t *stdstring, uint8_t *cstring) {
__attribute__((weak)) void __cmplog_rtn_llvm_stdstring_cstring(
uint8_t *stdstring, uint8_t *cstring) {
}
__attribute__ ((weak)) void __cmplog_rtn_llvm_stdstring_stdstring(uint8_t *stdstring1, uint8_t *stdstring2) {
__attribute__((weak)) void __cmplog_rtn_llvm_stdstring_stdstring(
uint8_t *stdstring1, uint8_t *stdstring2) {
}
extern void libafl_main(void);
int main(int argc, char **argv) { libafl_main(); return 0; }
int main(int argc, char **argv) {
libafl_main();
return 0;
}

4
fuzzers/libfuzzer_stb_image/harness.c
View File

@ -12,10 +12,10 @@
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
int x, y, channels;
if (!stbi_info_from_memory(data, size, &x, &y, &channels)) {return 0;}
if (!stbi_info_from_memory(data, size, &x, &y, &channels)) { return 0; }
/* exit if the image is larger than ~80MB */
if (y && x > (80000000 / 4) / y){ return 0;}
if (y && x > (80000000 / 4) / y) { return 0; }
unsigned char *img = stbi_load_from_memory(data, size, &x, &y, &channels, 4);

43
fuzzers/qemu_systemmode/example/main.c
View File

@ -1,37 +1,30 @@
int BREAKPOINT() {
for (;;)
{
}
for (;;) {}
}
int LLVMFuzzerTestOneInput(unsigned int* Data, unsigned int Size) {
//if (Data[3] == 0) {while(1){}} // cause a timeout
for (int i=0; i<Size; i++) {
//if (Data[i] > 0xFFd0 && Data[i] < 0xFFFF) {return 1;} // cause qemu to crash
for (int j=i+1; j<Size; j++) {
if (Data[j] == 0) {continue;}
if (Data[j]>Data[i]) {
int LLVMFuzzerTestOneInput(unsigned int *Data, unsigned int Size) {
// if (Data[3] == 0) {while(1){}} // cause a timeout
for (int i = 0; i < Size; i++) {
// if (Data[i] > 0xFFd0 && Data[i] < 0xFFFF) {return 1;} // cause qemu to
// crash
for (int j = i + 1; j < Size; j++) {
if (Data[j] == 0) { continue; }
if (Data[j] > Data[i]) {
int tmp = Data[i];
Data[i]=Data[j];
Data[j]=tmp;
if (Data[i] <= 100) {j--;}
Data[i] = Data[j];
Data[j] = tmp;
if (Data[i] <= 100) { j--; }
}
}
}
return BREAKPOINT();
}
unsigned int FUZZ_INPUT[] = {
101,201,700,230,860,
234,980,200,340,678,
230,134,900,236,900,
123,800,123,658,607,
246,804,567,568,207,
407,246,678,457,892,
834,456,878,246,699,
854,234,844,290,125,
324,560,852,928,910,
790,853,345,234,586,
};
unsigned int FUZZ_INPUT[] = {
101, 201, 700, 230, 860, 234, 980, 200, 340, 678, 230, 134, 900,
236, 900, 123, 800, 123, 658, 607, 246, 804, 567, 568, 207, 407,
246, 678, 457, 892, 834, 456, 878, 246, 699, 854, 234, 844, 290,
125, 324, 560, 852, 928, 910, 790, 853, 345, 234, 586,
};
int main() {
LLVMFuzzerTestOneInput(FUZZ_INPUT, 50);

65
fuzzers/qemu_systemmode/example/startup.c
View File

@ -2,22 +2,23 @@
* FreeRTOS V202112.00
* Copyright (C) 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of
* this software and associated documentation files (the "Software"), to deal in
* the Software without restriction, including without limitation the rights to
* use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
* the Software, and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://www.FreeRTOS.org
* https://github.com/FreeRTOS
@ -31,13 +32,11 @@ extern int main();
extern uint32_t _estack, _sidata, _sdata, _edata, _sbss, _ebss;
/* Prevent optimization so gcc does not replace code with memcpy */
__attribute__( ( optimize( "O0" ) ) )
__attribute__( ( naked ) )
void Reset_Handler( void )
{
__attribute__((optimize("O0"))) __attribute__((naked)) void Reset_Handler(
void) {
/* set stack pointer */
__asm volatile ( "ldr r0, =_estack" );
__asm volatile ( "mov sp, r0" );
__asm volatile("ldr r0, =_estack");
__asm volatile("mov sp, r0");
/* copy .data section from flash to RAM */
// Not needed for this example, see linker script
@ -47,20 +46,18 @@ void Reset_Handler( void )
// }
/* zero out .bss section */
for( uint32_t * dest = &_sbss; dest < &_ebss; )
{
for (uint32_t *dest = &_sbss; dest < &_ebss;) {
*dest++ = 0;
}
/* jump to board initialisation */
void _start( void );
void _start(void);
_start();
}
const uint32_t * isr_vector[] __attribute__( ( section( ".isr_vector" ) ) ) =
{
( uint32_t * ) &_estack,
( uint32_t * ) &Reset_Handler, /* Reset -15 */
const uint32_t *isr_vector[] __attribute__((section(".isr_vector"))) = {
(uint32_t *)&_estack,
(uint32_t *)&Reset_Handler, /* Reset -15 */
0, /* NMI_Handler -14 */
0, /* HardFault_Handler -13 */
0, /* MemManage_Handler -12 */
@ -91,10 +88,9 @@ const uint32_t * isr_vector[] __attribute__( ( section( ".isr_vector" ) ) ) =
0, /* Ethernet 13 */
};
__attribute__( ( naked ) ) void exit(__attribute__((unused)) int status )
{
__attribute__((naked)) void exit(__attribute__((unused)) int status) {
/* Force qemu to exit using ARM Semihosting */
__asm volatile (
__asm volatile(
"mov r1, r0\n"
"cmp r1, #0\n"
"bne .notclean\n"
@ -102,13 +98,10 @@ __attribute__( ( naked ) ) void exit(__attribute__((unused)) int status )
".notclean:\n"
"movs r0, #0x18\n" /* SYS_EXIT */
"bkpt 0xab\n"
"end: b end\n"
);
"end: b end\n");
}
void _start( void )
{
main( );
exit( 0 );
void _start(void) {
main();
exit(0);
}

30
fuzzers/tutorial/target.c
View File

@ -20,41 +20,38 @@ typedef struct _packet_data {
char data[0];
} packet_data;
int LLVMFuzzerTestOneInput(const uint8_t *packet_buffer, size_t packet_length) {
ssize_t saved_data_length = 0;
char* saved_data = NULL;
char *saved_data = NULL;
int err = 0;
packet_data* datagram = NULL;
packet_data *datagram = NULL;
if (packet_length < sizeof(packet_data) || packet_length > MAX_PACKET_SIZE) {
return 1;
}
datagram = (packet_data*)packet_buffer;
datagram = (packet_data *)packet_buffer;
switch (datagram->type) {
case data_read:
if (saved_data != NULL && datagram->offset + datagram->length <= saved_data_length) {
case data_read:
if (saved_data != NULL &&
datagram->offset + datagram->length <= saved_data_length) {
write(0, packet_buffer + datagram->offset, datagram->length);
}
break;
case data_write:
// NOTE: Who cares about checking the offset? Nobody would ever provide bad data
case data_write:
// NOTE: Who cares about checking the offset? Nobody would ever provide
// bad data
if (saved_data != NULL && datagram->length <= saved_data_length) {
memcpy(saved_data + datagram->offset, datagram->data, datagram->length);
}
break;
case data_reset:
if (datagram->length > packet_length - sizeof(*datagram)) {
return 1;
}
case data_reset:
if (datagram->length > packet_length - sizeof(*datagram)) { return 1; }
if (saved_data != NULL) {
free(saved_data);
}
if (saved_data != NULL) { free(saved_data); }
saved_data = malloc(datagram->length);
saved_data_length = datagram->length;
@ -62,10 +59,9 @@ case data_reset:
memcpy(saved_data, datagram->data, datagram->length);
break;
default:
default:
return 1;
}
return 0;
}

6
libafl_targets/src/cmplog.c
View File

@ -165,7 +165,8 @@ void __cmplog_rtn_hook_str(const uint8_t *ptr1, uint8_t *ptr2) {
if (!libafl_cmplog_enabled) { return; }
if (unlikely(!ptr1 || !ptr2)) return;
// these strnlen could indeed fail. but if it fails here it will sigsegv in the following hooked function call anyways
// these strnlen could indeed fail. but if it fails here it will sigsegv in
// the following hooked function call anyways
int len1 = strnlen(ptr1, 30) + 1;
int len2 = strnlen(ptr2, 30) + 1;
int l = MAX(len1, len2);
@ -189,7 +190,8 @@ void __cmplog_rtn_hook_strn(uint8_t *ptr1, uint8_t *ptr2, uint64_t len) {
if (unlikely(!ptr1 || !ptr2)) return;
int len0 = MIN(len, 31); // cap by 31
// these strnlen could indeed fail. but if it fails here it will sigsegv in the following hooked function call anyways
// these strnlen could indeed fail. but if it fails here it will sigsegv in
// the following hooked function call anyways
int len1 = strnlen(ptr1, len0);
int len2 = strnlen(ptr2, len0);
int l = MAX(len1, len2);

4
libafl_targets/src/common.c
View File

@ -3,7 +3,7 @@
#ifdef DEFAULT_SANITIZERS_OPTIONS
// TODO MSan and LSan. however they don't support abort_on_error
const char* __asan_default_options() {
const char *__asan_default_options() {
return "abort_on_error=1:detect_leaks=0:"
"malloc_context_size=0:symbolize=0:"
"allocator_may_return_null=1:"
@ -12,7 +12,7 @@ const char* __asan_default_options() {
"handle_sigfpe=0:handle_sigill=0";
}
const char* __ubsan_default_options() {
const char *__ubsan_default_options() {
return "abort_on_error=1:"
"allocator_release_to_os_interval_ms=500:"
"handle_abort=0:handle_segv=0:"

6
libafl_targets/src/libfuzzer.c
View File

@ -33,11 +33,11 @@ EXT_FUNC_IMPL(main, int, (int argc, char **argv), false) {
libafl_main();
return 0;
}
#ifdef FUZZER_DEFINE_RUN_DRIVER
#ifdef FUZZER_DEFINE_RUN_DRIVER
return LLVMFuzzerRunDriver(&argc, &argv, &LLVMFuzzerTestOneInput);
#else
#else
return 0;
#endif
#endif
}
#if defined(_WIN32)

6
libafl_targets/src/sancov_cmp.c
View File

@ -143,7 +143,8 @@ void __sanitizer_weak_hook_strncmp(void *called_pc, const char *s1,
if (s1[actual_len] == 0 || s2[actual_len] == 0) { break; }
}
__libafl_targets_cmplog_routines_len(k, (const uint8_t *) s1, (const uint8_t *) s2, actual_len);
__libafl_targets_cmplog_routines_len(k, (const uint8_t *)s1,
(const uint8_t *)s2, actual_len);
}
}
@ -164,7 +165,8 @@ void __sanitizer_weak_hook_strcmp(void *called_pc, const char *s1,
if (s1[actual_len] == 0 || s2[actual_len] == 0) { break; }
}
__libafl_targets_cmplog_routines_len(k, (const uint8_t *) s1, (const uint8_t *) s2, actual_len);
__libafl_targets_cmplog_routines_len(k, (const uint8_t *)s1,
(const uint8_t *)s2, actual_len);
}
}