Full libfuzzer shimming (for cargo-fuzz libfuzzer alternative and other use cases)

.github/workflows/build_and_test.yml

@@ -114,6 +114,7 @@ jobs:
       with:
         profile: minimal
         toolchain: stable
+        components: llvm-tools
     - name: Install and cache deps
       uses: awalsh128/cache-apt-pkgs-action@v1.1.0
       with:

.gitignore

@@ -33,6 +33,8 @@ perf.data.old
 .vscode
 test.dict
 
+.idea/
+
 # Ignore all built fuzzers
 fuzzer_*
 AFLplusplus

Cargo.toml

@@ -10,6 +10,7 @@ members = [
     "libafl_concolic/test/runtime_test",
     "libafl_derive",
     "libafl_frida",
+    "libafl_libfuzzer",
     "libafl_nyx",
     "libafl_qemu",
     "libafl_sugar",

Dockerfile

@@ -78,6 +78,10 @@ COPY scripts/dummy.rs libafl_nyx/src/lib.rs
 COPY libafl_tinyinst/Cargo.toml libafl_tinyinst/
 COPY scripts/dummy.rs libafl_tinyinst/src/lib.rs
 
+# avoid pulling in the runtime, as this is quite an expensive build, until later
+COPY libafl_libfuzzer/Cargo.toml libafl_libfuzzer/
+COPY scripts/dummy.rs libafl_libfuzzer/src/lib.rs
+
 COPY utils utils
 
 RUN cargo build && cargo build --release
@@ -117,6 +121,10 @@ COPY libafl_concolic/symcc_runtime libafl_concolic/symcc_runtime
 COPY libafl_concolic/test libafl_concolic/test
 COPY libafl_nyx/src libafl_nyx/src
 RUN touch libafl_nyx/src/lib.rs
+COPY libafl_libfuzzer/src libafl_libfuzzer/src
+COPY libafl_libfuzzer/libafl_libfuzzer_runtime libafl_libfuzzer/libafl_libfuzzer_runtime
+COPY libafl_libfuzzer/build.rs libafl_libfuzzer/build.rs
+RUN touch libafl_libfuzzer/src/lib.rs
 RUN cargo build && cargo build --release
 
 # Copy fuzzers over

fuzzers/baby_fuzzer_wasm/pkg/package.json

@@ -11,5 +11,7 @@
   ],
   "module": "baby_fuzzer_wasm.js",
   "types": "baby_fuzzer_wasm.d.ts",
-  "sideEffects": false
+  "sideEffects": [
+    "./snippets/*"
+  ]
 }

fuzzers/baby_fuzzer_wasm/src/lib.rs

@@ -4,7 +4,7 @@ use libafl::{
     corpus::{Corpus, InMemoryCorpus},
     events::SimpleEventManager,
     executors::{ExitKind, InProcessExecutor},
-    feedbacks::{CrashFeedback, MaxMapFeedback},
+    feedbacks::{CrashFeedback, MapFeedbackMetadata, MaxMapFeedback},
     generators::RandPrintablesGenerator,
     inputs::{BytesInput, HasTargetBytes},
     monitors::SimpleMonitor,
@@ -15,7 +15,9 @@ use libafl::{
     state::{HasSolutions, StdState},
     Fuzzer, StdFuzzer,
 };
-use libafl_bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice};
+use libafl_bolts::{
+    current_nanos, rands::StdRand, serdeany::RegistryBuilder, tuples::tuple_list, AsSlice,
+};
 use wasm_bindgen::prelude::*;
 use web_sys::{Performance, Window};
 
@@ -37,6 +39,10 @@ pub extern "C" fn external_current_millis() -> u64 {
 pub fn fuzz() {
     set_panic_hook();
 
+    unsafe {
+        RegistryBuilder::register::<MapFeedbackMetadata<u8>>();
+    }
+
     let mut signals = [0u8; 64];
     let signals_ptr = signals.as_mut_ptr();
     let signals_set = |i: usize| unsafe {

libafl/src/corpus/cached.rs

@@ -1,6 +1,6 @@
 //! The [`CachedOnDiskCorpus`] stores [`Testcase`]s to disk, keeping a subset of them in memory/cache, evicting in a FIFO manner.
 
-use alloc::collections::vec_deque::VecDeque;
+use alloc::{collections::vec_deque::VecDeque, string::String};
 use core::cell::RefCell;
 use std::path::Path;
 
@@ -193,7 +193,7 @@ where
     pub fn with_meta_format<P>(
         dir_path: P,
         cache_max_len: usize,
-        meta_format: OnDiskMetadataFormat,
+        meta_format: Option<OnDiskMetadataFormat>,
     ) -> Result<Self, Error>
     where
         P: AsRef<Path>,
@@ -204,6 +204,31 @@ where
         )
     }
 
+    /// Creates the [`CachedOnDiskCorpus`] specifying the metadata format and the prefix to prepend
+    /// to each testcase.
+    ///
+    /// Will error, if [`std::fs::create_dir_all()`] failed for `dir_path`.
+    pub fn with_meta_format_and_prefix<P>(
+        dir_path: P,
+        cache_max_len: usize,
+        meta_format: Option<OnDiskMetadataFormat>,
+        prefix: Option<String>,
+        locking: bool,
+    ) -> Result<Self, Error>
+    where
+        P: AsRef<Path>,
+    {
+        Self::_new(
+            InMemoryOnDiskCorpus::with_meta_format_and_prefix(
+                dir_path,
+                meta_format,
+                prefix,
+                locking,
+            )?,
+            cache_max_len,
+        )
+    }
+
     /// Internal constructor `fn`
     fn _new(on_disk_corpus: InMemoryOnDiskCorpus<I>, cache_max_len: usize) -> Result<Self, Error> {
         if cache_max_len == 0 {
@@ -217,6 +242,11 @@ where
             cache_max_len,
         })
     }
+
+    /// Fetch the inner corpus
+    pub fn inner(&self) -> &InMemoryOnDiskCorpus<I> {
+        &self.inner
+    }
 }
 
 /// ``CachedOnDiskCorpus`` Python bindings

libafl/src/corpus/inmemory_ondisk.rs

@@ -50,6 +50,8 @@ where
     inner: InMemoryCorpus<I>,
     dir_path: PathBuf,
     meta_format: Option<OnDiskMetadataFormat>,
+    prefix: Option<String>,
+    locking: bool,
 }
 
 impl<I> UsesInput for InMemoryOnDiskCorpus<I>
@@ -209,20 +211,41 @@ where
     where
         P: AsRef<Path>,
     {
-        Self::_new(dir_path.as_ref(), Some(OnDiskMetadataFormat::JsonPretty))
+        Self::_new(
+            dir_path.as_ref(),
+            Some(OnDiskMetadataFormat::JsonPretty),
+            None,
+            true,
+        )
     }
 
     /// Creates the [`InMemoryOnDiskCorpus`] specifying the format in which `Metadata` will be saved to disk.
     ///
     /// Will error, if [`std::fs::create_dir_all()`] failed for `dir_path`.
     pub fn with_meta_format<P>(
         dir_path: P,
-        meta_format: OnDiskMetadataFormat,
+        meta_format: Option<OnDiskMetadataFormat>,
     ) -> Result<Self, Error>
     where
         P: AsRef<Path>,
     {
-        Self::_new(dir_path.as_ref(), Some(meta_format))
+        Self::_new(dir_path.as_ref(), meta_format, None, true)
+    }
+
+    /// Creates the [`InMemoryOnDiskCorpus`] specifying the format in which `Metadata` will be saved to disk
+    /// and the prefix for the filenames.
+    ///
+    /// Will error, if [`std::fs::create_dir_all()`] failed for `dir_path`.
+    pub fn with_meta_format_and_prefix<P>(
+        dir_path: P,
+        meta_format: Option<OnDiskMetadataFormat>,
+        prefix: Option<String>,
+        locking: bool,
+    ) -> Result<Self, Error>
+    where
+        P: AsRef<Path>,
+    {
+        Self::_new(dir_path.as_ref(), meta_format, prefix, locking)
     }
 
     /// Creates an [`InMemoryOnDiskCorpus`] that will not store .metadata files
@@ -232,16 +255,27 @@ where
     where
         P: AsRef<Path>,
     {
-        Self::_new(dir_path.as_ref(), None)
+        Self::_new(dir_path.as_ref(), None, None, true)
     }
 
     /// Private fn to crate a new corpus at the given (non-generic) path with the given optional `meta_format`
-    fn _new(dir_path: &Path, meta_format: Option<OnDiskMetadataFormat>) -> Result<Self, Error> {
-        fs::create_dir_all(dir_path)?;
+    fn _new(
+        dir_path: &Path,
+        meta_format: Option<OnDiskMetadataFormat>,
+        prefix: Option<String>,
+        locking: bool,
+    ) -> Result<Self, Error> {
+        match fs::create_dir_all(dir_path) {
+            Ok(()) => {}
+            Err(e) if e.kind() == std::io::ErrorKind::AlreadyExists => {}
+            Err(e) => return Err(e.into()),
+        }
         Ok(InMemoryOnDiskCorpus {
             inner: InMemoryCorpus::new(),
             dir_path: dir_path.into(),
             meta_format,
+            prefix,
+            locking,
         })
     }
 
@@ -265,19 +299,21 @@ where
                 return Ok(());
             }
 
-            let new_lock_filename = format!(".{new_filename}.lafl_lock");
+            if self.locking {
+                let new_lock_filename = format!(".{new_filename}.lafl_lock");
 
-            // Try to create lock file for new testcases
-            if OpenOptions::new()
-                .create(true)
-                .write(true)
-                .open(self.dir_path.join(new_lock_filename))
-                .is_err()
-            {
-                *testcase.filename_mut() = Some(old_filename);
-                return Err(Error::illegal_state(
-                    "unable to create lock file for new testcase",
-                ));
+                // Try to create lock file for new testcases
+                if OpenOptions::new()
+                    .create(true)
+                    .write(true)
+                    .open(self.dir_path.join(new_lock_filename))
+                    .is_err()
+                {
+                    *testcase.filename_mut() = Some(old_filename);
+                    return Err(Error::illegal_state(
+                        "unable to create lock file for new testcase",
+                    ));
+                }
             }
 
             let new_file_path = self.dir_path.join(&new_filename);
@@ -311,18 +347,15 @@ where
     fn save_testcase(&self, testcase: &mut Testcase<I>, idx: CorpusId) -> Result<(), Error> {
         let file_name_orig = testcase.filename_mut().take().unwrap_or_else(|| {
             // TODO walk entry metadata to ask for pieces of filename (e.g. :havoc in AFL)
-
             testcase.input().as_ref().unwrap().generate_name(idx.0)
         });
-        if testcase.file_path().is_some() {
-            // We already have a valid path, no need to do calculate anything
-            *testcase.filename_mut() = Some(file_name_orig);
-        } else {
-            // New testcase, we need to save it.
-            let mut file_name = file_name_orig.clone();
 
-            let mut ctr = 2;
-            let file_name = loop {
+        // New testcase, we need to save it.
+        let mut file_name = file_name_orig.clone();
+
+        let mut ctr = 2;
+        let file_name = if self.locking {
+            loop {
                 let lockfile_name = format!(".{file_name}.lafl_lock");
                 let lockfile_path = self.dir_path.join(lockfile_name);
 
@@ -337,11 +370,19 @@ where
 
                 file_name = format!("{file_name_orig}-{ctr}");
                 ctr += 1;
-            };
+            }
+        } else {
+            file_name
+        };
 
+        if testcase
+            .file_path()
+            .as_ref()
+            .map_or(true, |path| !path.starts_with(&self.dir_path))
+        {
             *testcase.file_path_mut() = Some(self.dir_path.join(&file_name));
-            *testcase.filename_mut() = Some(file_name);
         }
+        *testcase.filename_mut() = Some(file_name);
 
         if self.meta_format.is_some() {
             let metafile_name = format!(".{}.metadata", testcase.filename().as_ref().unwrap());
@@ -389,6 +430,12 @@ where
         }
         Ok(())
     }
+
+    /// Path to the corpus directory associated with this corpus
+    #[must_use]
+    pub fn dir_path(&self) -> &PathBuf {
+        &self.dir_path
+    }
 }
 
 #[cfg(feature = "python")]