* Fix fuzzers after HasTestcase (#1123)
* Make the trait a trait
* Implement HasTestcase for Corpora
* fix
* fix
* a
* a
* fix
* wasm32
* a
* f
* f
* aa
---------
Co-authored-by: tokatoka <tokazerkje@outlook.com>
* Created macro to get the metadata from State and Testcase
* Expanded the macros for mutable, or not, State and Testcase metadata
* Created functions on traits HasMetadata and HasNamedMetadata to get, mutable or not, metadata
* Created the functions to get metadata
* Added #[inline] attribute and renamed the functions
* Renamed the functions and added #[inline] attribute
* Temporarily added testcase() function
* Added testcase() function
* Changed Ref import to core::cell::Ref
* Added testcase_mut() and renamed occurrences of metadata() and metadata_mut()
* Renamed more occurrences
* Renamed the metadata() on impl HasMetadata for NopState
---------
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
* fix multiple subtle bugs with grimoire, mutators, and state
* obey the clippy overlord
* grimoire: skip over token after splice
* remove extraneous length check
* Associated types for Corpus, State
* cleanup
* fix no_std
* drop unused clauses
* Corpus
* cleanup
* adding things
* fixed fuzzer
* remove phantom data
* python
* progress?
* more more
* oof
* wow it builds?
* python fixes, tests
* fix python fun
* black fmt for python
* clippy, added Nop things
* fixes
* fix merge
* make it compile (#836)
* doc-test fixes, prelude-b-gone for cargo-hack compat
* fixes for windows, concolic
* really fix windows, maybe
* imagine using windows
* ...
* elide I generic when used with S: State
* Elide many, many generics, but at what cost?
* progress on push
* Constraint HasCorpus, HasSolutions at trait definition
* remove unused feature
* remove unstable usage since we constrained HasCorpus at definition
* compiled, but still no type inference for MaxMapFeedback
* cleanup inprocess
* resolve some std conflicts
* simplify map
* undo unnecessary cfg specification
* fix breaking test case for CI on no-std
* fix concolic build failures
* fix macos build
* fixes for windows build
* timeout fixes for windows build
* fix pybindings issues
* fixup qemu
* fix outstanding local build issues
* maybe fix windows inprocess
* doc fixes
* unbridled fury
* de-associate State from Feedback, replace with generic as AT inference is not sufficient to derive specialisation for MapFeedback
* merge update
* refactor + speed up fuzzer builds by sharing build work
* cleanup lingering compiler errors
* lol missed one
* revert QEMU-Nyx change, not sure how I did that
* move HasInput to inputs
* HasInput => KnowsInput
* update bounds to enforce via associated types
* disentangle observers with fuzzer
* revert --target; update some fuzzers to match new API
* resolve outstanding fuzzer build blockers (that I can run on my system)
* fixes for non-linux unixes
* fix for windows
* Knows => Uses, final fixes for windows
* <guttural screaming>
* fixes for concolic
* loosen bound for frida executor so windows builds correctly
* cleanup generics for eventmanager/eventprocessor to drop observers requirement
* improve inference over fuzz_one and friends
* update migration notes
* fixes for python bindings
* fixes for generic counts in event managers
* finish migration notes
* post-merge fix
Co-authored-by: Addison Crump <addison.crump@cispa.de>
* autofix
* you're just asking for a clamping
* autofmt on linux
* fix nits
* change back nit
* unfixing as u64 for GuestAddr
* fix
* ignoring clippy for GuestAddress
Specifically for Has{Rand,Corpus,Solutions,FeedbackStates}
The Has* family of traits offers getters and get-mut-ers. The previous
implementation had a fully generic return type:
    trait HasX<X: TraitX> {
        fn get_x(&self) -> &X;
        fn get_mut_x(&mut self) -> &mut X;
    }
meaning a single type could implement both `HasRand<Romu>` and
`HasRand<XorShift>`. The advantage of having multiple implementations is
not clear at this time, so it vastly simplifies the trait (and its
impls) to bring the return type in the body as an associated type:
    trait HasX {
        type X: TraitX;
        fn get_x(&self) -> &Self::X;
        fn get_mut_x(&mut self) -> &mut Self::X;
    }
This comes with the limitation that any type that impls these traits can
only do so once, choosing only one associated type.
* HasRand's only generic parameter (Rand) is now an associated type
* HasCorpus and HasSolutions are now only generic over the Input type
they store
* HasFeedbackStates generic parameter now associated type
* empty libafl_qemu crate
* fuzzbench qemu fuzzer skeleton
* emu.run() works without bp
* working emu loop
* resolve elf symbols
* running Qemu fuzzer without coverage
* qemu fuzzer with edge coverage
* merge into inprocess::GLOBAL_STATE
* create QemuExecutor and remove QemuEmulator
* qemu hooks and persist edges mapping storing them in State
* windows fix
* add libafl_qemu to workspace
* windows fix
* some clippy
* clippy
* fix fuzzbench_qemu
* fix fuzzbench_qemu makefile
* fuck you macos
* launcher in linux
* silence stdout and stderr linux
* arg parser and other changes
* retry instead of sleep
* no_std fixes
* reordered includes
* launcher for windows and kill clients when broker returns
* cargo fmt
* started launcher api cleanup
* use closures instead of functions
* small change
* reordered launcher params
* fixed clippy warnings
* fixed no_std
* moved launcher example to own folder
* docu
* cleanup launcher
* more docs
* Fix merge issues
* Rework the launcher code to provide a cleaner API
* Open file before spawning clients
* launcher: fix merge issue, sleep for a different amount for each core
* fixed no_std
* Tcp Broker to Broker Communication (#66)
* initial b2b implementation
* no_std and clippy fixes
* b2b testcase added
* more correct testcases
* fixed b2b
* typo
* fixed unused warning
* some clippy warning ignored
* using clippy.sh
* Update README.md
* fixed clippy run in workflow
* fixing clippy::match-same-arms
* make clippy less pedantic
* fixed some minor typos in the book
* launcher: use s1341's fork of core_affinity
* Build warning fix proposal, mostly about reference to packed fields. (#79)
* Observers refactor (#84)
* new observer structure with HasExecHooks
* adapt libafl_frida to new observers
* docstrings
* Composing feedback (#85)
* composing feedbacks as logic operations and bump to 0.2
* adapt fuzzers and libafl_frida
* fix windows build
* fixed clippy warnings
* Frida suppress instrumentation locations option (#87)
* Implement frida option
* Format
* add append/discard_metadata for and/or/not feedback (#86)
* add append/discard_metadata for and/or/not feedback
* fix
* Call append_metadata on crash (#88)
* Call append_metadata on crash
* Formatting
* Reachability example (#65)
* add reachability observer/feedback
* add fuzzer example
* fmt
* remove reachabilityobserver, use stdmapobserver instead
* update diff.patch
* update README
* fix the clippy warning
* Squashed commit of the following:
commit f20524ebd77011481e86b420c925e8504bd11308
Author: Andrea Fioraldi <andreafioraldi@gmail.com>
Date: Tue May 4 16:00:39 2021 +0200
Composing feedback (#85)
* composing feedbacks as logic operations and bump to 0.2
* adapt fuzzers and libafl_frida
* fix windows build
commit e06efaa03bc96ef71740d7376c7381572bf11c6c
Author: Andrea Fioraldi <andreafioraldi@gmail.com>
Date: Tue May 4 13:54:46 2021 +0200
Observers refactor (#84)
* new observer structure with HasExecHooks
* adapt libafl_frida to new observers
* docstrings
commit 17c6fcd31cb746c099654be2b7a168bd04d46381
Merge: 08a2d43 a78a4b7
Author: Andrea Fioraldi <andreafioraldi@gmail.com>
Date: Mon May 3 11:16:49 2021 +0200
Merge branch 'main' into dev
commit 08a2d43790797d8864565fec99e7043289a46283
Author: David CARLIER <devnexen@gmail.com>
Date: Mon May 3 10:15:28 2021 +0100
Build warning fix proposal, mostly about reference to packed fields. (#79)
commit 88fe8fa532ac34cbc10782f5f71264f620385dda
Merge: d5d46ad d2e7719
Author: Andrea Fioraldi <andreafioraldi@gmail.com>
Date: Mon May 3 11:05:42 2021 +0200
Merge pull request #80 from marcograss/book-typos
fixed some minor typos in the book
commit a78a4b73fa798c1ed7a3d053369cca435e57aa07
Author: s1341 <s1341@users.noreply.github.com>
Date: Mon May 3 10:34:15 2021 +0300
frida-asan: Un-inline report funclet to reduce code bloat (#81)
* frida-asan: Outline report funclet to reduce code bloat
* fmt
commit d2e7719a8bea3a993394c187e2183d3e91f02c75
Author: Marco Grassi <marco.gra@gmail.com>
Date: Sun May 2 21:58:33 2021 +0800
fixed some minor typos in the book
commit d5d46ad7e440fd4a2925352ed1ccb9ced5d9463d
Author: Dominik Maier <domenukk@gmail.com>
Date: Sat May 1 23:09:10 2021 +0200
make clippy less pedantic
commit 52d25e979e23589587c885803641058dc36aa998
Author: Dominik Maier <domenukk@gmail.com>
Date: Sat May 1 22:23:59 2021 +0200
fixing clippy::match-same-arms
commit cd66f880dea830d1e38e89fd1bf3c20fd89c9d70
Author: Dominik Maier <domenukk@gmail.com>
Date: Sat May 1 14:02:07 2021 +0200
fixed clippy run in workflow
commit ddcf086acde2b703c36e4ec3976588313fc3d591
Author: Dominik Maier <domenukk@gmail.com>
Date: Sat May 1 13:53:29 2021 +0200
Update README.md
commit c715f1fe6e42942e53bd13ea6a23214620f6c829
Author: Dominik Maier <domenukk@gmail.com>
Date: Sat May 1 13:48:38 2021 +0200
using clippy.sh
commit 9374b26b1d2d44c6042fdd653a8d960ce698592c
Author: Dominik Maier <domenukk@gmail.com>
Date: Sat May 1 13:47:44 2021 +0200
some clippy warning ignored
commit b9e75c0c98fdfb1e70778e6f3612a94b71dcd21a
Author: Dominik Maier <domenukk@gmail.com>
Date: Sat May 1 13:24:02 2021 +0200
Tcp Broker to Broker Communication (#66)
* initial b2b implementation
* no_std and clippy fixes
* b2b testcase added
* more correct testcases
* fixed b2b
* typo
* fixed unused warning
* feedbacks now return a boolean value
* use feedback_or, and modify Cargo.toml
* fix diff between dev and this branch
* fmt
Co-authored-by: Dominik Maier <domenukk@gmail.com>
* clippy fixes
* clippy fixes
* clippy fixes, x86_64 warnings
* more docs
* Observers lifetime (#89)
* introduce MatchName and allow lifetimes in observers
* adapt fuzzers to observers with lifetime
* introduce type_eq when on nightly
* fix no_std
* fmt
* Better docu (#90)
* more docs
* more docs:
* more docu
* more docu
* finished docs
* cleaned up markup
* must_use tags added
* more docs
* more docu, less clippy
* more fixes
* Clippy fixes (#92)
* more docs
* more docs:
* more docu
* more docu
* finished docs
* cleaned up markup
* must_use tags added
* more docs
* swapped if/else, as per clippy
* more docu, less clippy
* more fixes
* Fix merge issues
* Get rid of unneeded prints
* Fix merge errors
* added b2b to restarting interface
* Setting SO_REUSEPORT
* added b2b to launcher api
* more windows launcher
* Fix merge errors
* Add b2b support to frida_libpng
* make frida_libpng bind to a public address
* Convert launcher into a builder LauncherBuilder
* formatting
* Convert setup_restarting_mgr to a builder RestartingMgrBuilder; leave setup_restarting_mgr_std as is, so that fuzzers work
* RcShmem should be locked via a mutex
* Wait at least 1 second between broker and first client, to avoid race
* update frida_libpng README for cross-compiling to android (#100)
Co-authored-by: Ariel Zentner <ArielZ@nsogroup.com>
* Fixed build for Windows
* no_std fixes
* reverted aa6773dcade93b3a66ce86e6b2cc75f55ce194e7 & windows fixes
* added pipes, moving to remove race conditions for rc shmem
* fix unix build
* fixed clippy:
* fixed no_std once more
* renamed b2b to remote_broker_addr
* you get a pre_fork, and you get a post_fork, forks for everyone
* switched to typed_builder
* Fix merge issue
* Fix frida fuzzer with new Launcher builder
* Introspection (#97)
* Rework to put `ClientPerfStats` in `State` and pass that along. Still need to work on getting granular information from `Feedback` and `Observer`
* Add perf_stats feature to libafl/Cargo.toml
* Update feedbacks to have with_perf
* Remove unneeded print statement
* cargo fmt all the things
* use local llvmint vs cpu specific asm for reading cycle counter
* Remove debug testing code
* Stats timeout to 3 seconds
* Inline smallish functions for ClientPerfStats
* Remove .libs/llvmint and have the correct conditional compilation of link_llvm_intrinsics on the perf_stats feature
* pub(crate) the NUM_FEEDBACK and NUM_STAGES consts
* Tcp Broker to Broker Communication (#66)
* initial b2b implementation
* no_std and clippy fixes
* b2b testcase added
* more correct testcases
* fixed b2b
* typo
* fixed unused warning
* clippy fixes
* fallback to systemtime on non-x86
* make clippy more strict
* small fixes
* bump 0.2.1
* readme
Co-authored-by: ctfhacker <cld251@gmail.com>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
* typos (please review)
* merged clippy.sh
* utils
* Add asan cores option (#102)
* added asan-cores option for frida fuzzer
When asan is enabled (via LIBAFL_FRIDA_OPTIONS enable-asan), you can
filter exactly which of the cores asan should run on with the
asan-cores variable.
* add is_some check instead of !None
Co-authored-by: Ariel Zentner <ArielZ@nsogroup.com>
* moved utils to bolts
* fixed typo
* no_std fixes
* unix fixes
* fixed unix no_std build
* fix llmp.rs
* adapt libfuzzer_libpng_launcher
* added all fuzzers to ci
* fmt, improved ci
* tests crate not ready for prime time
* clippy fixes
* make ci script executable
* trying to fix example fuzzers
* working libfuzzer_libpng_launcher
* frida_libpng builds
* clippy
* bump version
* fix no_std
* fix dep version
* clippy fixes
* more fies
* clippy++
* warn again
* clearer readme
Co-authored-by: Vimal Joseph <vimaljoseph027@gmail.com>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: s1341 <github@shmarya.net>
Co-authored-by: Marco Grassi <marco.gra@gmail.com>
Co-authored-by: s1341 <s1341@users.noreply.github.com>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: Toka <tokazerkje@outlook.com>
Co-authored-by: r-e-l-z <azentner@gmail.com>
Co-authored-by: Ariel Zentner <ArielZ@nsogroup.com>
Co-authored-by: ctfhacker <cld251@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
* save work
* it builds
* MutationalStage builds
* compile lib.rs test
* libafl tests work
* adapt stb_image example
* change fuzzer to not hold executor and event manager as type field
* libfuzzer_stb_image running example
* restore ReachabilityFeedback
* restore introspection
* adapt fuzzers except frida_libpng
* format
* compile on windows
* clippy
* fix libafl_frida
* adapt frida_libpng
* Rework to put `ClientPerfStats` in `State` and pass that along. Still need to work on getting granular information from `Feedback` and `Observer`
* Add perf_stats feature to libafl/Cargo.toml
* Update feedbacks to have with_perf
* Remove unneeded print statement
* cargo fmt all the things
* use local llvmint vs cpu specific asm for reading cycle counter
* Remove debug testing code
* Stats timeout to 3 seconds
* Inline smallish functions for ClientPerfStats
* Remove .libs/llvmint and have the correct conditional compilation of link_llvm_intrinsics on the perf_stats feature
* pub(crate) the NUM_FEEDBACK and NUM_STAGES consts
* Tcp Broker to Broker Communication (#66)
* initial b2b implementation
* no_std and clippy fixes
* b2b testcase added
* more correct testcases
* fixed b2b
* typo
* fixed unused warning
* clippy fixes
* fallback to systemtime on non-x86
* make clippy more strict
* small fixes
* bump 0.2.1
* readme
Co-authored-by: ctfhacker <cld251@gmail.com>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
* more docs
* more docs:
* more docu
* more docu
* finished docs
* cleaned up markup
* must_use tags added
* more docs
* more docu, less clippy
* more fixes
* frida_asan: Implemented initial asan runtime library
* frida_asan: Switch to hashbrown
* Implemented GOT-based hooking to isolate the hooking of the memory functions. Implemented initial ASAN instrumentation
* WIP: Shadowing all used memory. Currently tracking pages using a BTreeSet. Slow AF!
* Add SigTrap to unix_signals and inprocess
* Working frida-asan, almost no speed degradation.
Currently the shadow check is reversed, so it checks only that the shadow is not 0.
We need to implement sub-8-byte checking.
* Format
* Cleanup and formatting
* Sub-qword and 16-byte checks implemented; Fixed unaligned access to QWORD
* Pass the ucontext_t to signal handlers. Initial regdump on crash
* Fix typo
* Make the context argument a mut ref
* Add missing files; Implement initial reporting
* Refactor out gothook; Move safety checkers to dynasm
* Get rid of const assembly blobs no longer needed
* Move to a handler function instead of using SIGTRAP.
This bloats the transformed code, but doesn't seem to have a major impact on performance.
Also, implemented pretty backtraces and assembly output.
* Formatting
* Get rid of all the pinning crap I wasted my day on, We don't need it
* windows fixes
* ashmem
* ashmem_service: server side ready
* ashmem_service: client side ready. Ready for integration
* ashmem_service: changes to UnixShMem to make it 'threadable'
* ashmem_service: format
* ashmem_service: Undo changes to UnixShMem, make the thread own the AshmemService instead; Fix protocol bug
* ashmem_service: working ashmem service. Fix merge issues
* use the newly released capstone 0.8.0; Fix a nasty bug where the afl_area and pc_pointer were reversed. Changed Vectors to Boxed [u8]
* Implement type detection for reporting; Implement double-free/unallocated free checking
* fmt
* Cleanup code a little
* frida-asan: This is an omnibus commit. Should probably have been a bunch of small commits, but I don't have the time/patience.
- Implemented DrCov support in order to debug a failing harness. This is actually
generic and should be moved out of libafl_frida.
- Implemented LIBAFL_FRIDA_OPTIONS env var to pass options to the frida helper,
to dynamically enable/disable asan and drcov.
- Implemented memory reuse - after each test case the used pages are recycled and
can be reused in the next test case.
- Implemented and tested vectorized instruction instrumentation.
- Implemented not instrumenting atomic load/store instructions. The cost of
trying to emulate their behaviour is too high at the moment.
- Implemented probing of shadow bit to determine the best match for the current
system.
- Implemented shadow memory pre-mapping where it is available. We probe for this
too.
- Implemented ability to specify a list of modules to instrument on the command
line. This allows fine-grained control of which modules are instrumented for
coverage/asan/drcov.
- Implemented unpoisoning of the Input target_bytes in a pre_exec hook.
- Added support for zero-sized allocations. We return 0x10 bytes at the moment.
- Added all known operator new/delete functions to hooks.
- Added workaround for frida_gum_allocate_near bug.
- Cleaned up reporting, added reporting for different error types.
* frida-asan: Implement leak detection
* Fix merge issues
* Rebased on dev to get llmp/shmem changes; Clippy fixes
* Add FridaOptions struct
* Add the Custom ExitKind; Get rid of Clone/PartialEq on ExitKind
* Make it possible to recover from an ASAN error
* Add SIGTRAP to crashing signals
* Add back (conditional) crashing on Asan errors.
* Fix too-large immediates in add instruction
* Implement RcShMemProvider, finally fix the EOP bug
* Clear ASAN_ERRORS before each test
* Fix warnings; Fix review issues
* Cleanup prints
* Add timeout to Frida mode
* Make allocation-/free-site backtraces optional
* CPU Context and backtrace (on android/aarch64 atm) on crash
* Make stalker conditional
* Add metadata to solution, and write metadata files
* Add addresses to backtrace; Add reporting of ASAN stack errors; Fix ASAN reporting bugs
* Remove meaningless backtrace on crash
* Fix the x0, x1 load in report
* use upstream color-backtrace
* use __builtin_thread_pointer instead of custom asm
* Don't unwrap ASAN_ERRORS if it isn't some
* Fix bug where we weren't clearing the drcov basicblocks after each run
* Fix bug where we were dropping an ashmem too soon
* Fix OwnedPtr instead of CPtr
* Fix gettls for all archs
* cfg guards for target arch, disabling Frida-ASAN/-DrCov if not on aarch64
* Cargo fmt
* Only panic in options when asan/drcov are turned on; Merge fixes
* gothook only supported on unix
* Fix gettls on msvc
* Another attempt to fix MSVC gettls
* Fix backtrace use
* nostd fixes; warning fixes
* formatting
* Migrate FridaEdgeCoverageHelper into libafl_frida, and rename to FridaInstrumentationHelper
* Clean up uses
* Move DrCovWriter to libafl_targets
* Refactor DrCovWriter to get a vec of DrCovBasicBlocks; formatting
* Update to newer backtrace which supports android with gimli
* windows fixes
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: andreafioraldi <andreafioraldi@gmail.com>
* add LogMutation trait
* change &self to &mut self
* move self.scheduler out of StdFuzzer
* reorder generics?, implement post_exec
* append metadata to the corresponding testcase in the corpus
* turn mutations into Mutators
* impl Named for mutations
* add LoggerScheduledMutator, add fn get_name() to MutatorTuple
* Fix BytesDeleteMutator, and format
* remove TupleList bound on Tail
* turn TokenInsert, TokenReplace into Mutator, fill havoc_mutations
* libfuzzer_libpng
* libfuzzer_libpng_cmpalloc
* libfuzzer_libmozjpeg
* fix tests
* fix libfuzzer_libmozjpeg
* fix tests
* fix LoggerScheduledMutator::mutate
* use vec<u8> instead of String
* fix post_exec and get_name
* fmt
* NamedTuple and HasNameIdTuple
* always clear mutations log
* fix tests
* format
* remove libafl_targets default features
* use vec<string> instead of vec<vec<u8>>
* add alloc::string::String
* format
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>