Support Tinyinst on Linux (AFLplusplus#1316)

Fix the id of MmapShMem to the shared memory path instead of the fd number.

fuzzers/tinyinst_simple/Makefile.toml

@@ -10,32 +10,47 @@ echo "Cargo-make not integrated yet on this"
 
 # Harness
 [tasks.harness]
-linux_alias = "unsupported"
+linux_alias = "harness_linux"
 mac_alias = "unsupported"
 windows_alias = "harness_windows"
 
+[tasks.harness_linux]
+script='''
+clang test/test.cpp -g -o test.exe
+'''
+
 [tasks.harness_windows]
 script='''
 cl test\test.cpp -o test.exe
 '''
 
 # Fuzzer
 [tasks.fuzzer]
-linux_alias = "unsupported"
+linux_alias = "fuzzer_linux"
 mac_alias = "unsupported"
 windows_alias = "fuzzer_windows"
 
+[tasks.fuzzer_linux]
+dependencies = ["harness"]
+command = "cargo"
+args = ["build", "--profile", "${PROFILE}"]
+
 [tasks.fuzzer_windows]
 dependencies = ["harness"]
 command = "cargo"
 args = ["build", "--profile", "${PROFILE}"]
 
 # Run the fuzzer
 [tasks.run]
-linux_alias = "unsupported"
+linux_alias = "run_linux"
 mac_alias = "unsupported"
 windows_alias = "run_windows"
 
+[tasks.run_linux]
+dependencies = ["harness", "fuzzer"]
+command = "cargo"
+args = ["run", "--profile", "${PROFILE}"]
+
 [tasks.run_windows]
 dependencies = ["harness", "fuzzer"]
 command = "cargo"
@@ -44,10 +59,25 @@ args = ["run", "--profile", "${PROFILE}"]
 
 # Run the fuzzer
 [tasks.test]
-linux_alias = "unsupported"
+linux_alias = "test_linux"
 mac_alias = "unsupported"
 windows_alias = "test_windows"
 
+[tasks.test_linux]
+script_runner="@shell"
+script='''
+cp ./target/${PROFILE_DIR}/tinyinst_simple .
+echo running tests
+timeout 5s ./tinyinst_simple || true
+# corpus_discovered folder exists and is not empty
+if [ -d "corpus_discovered" ] && [ -n "$(ls -A corpus_discovered)" ]; then
+    echo "Fuzzer is working"
+else
+    exit 1
+fi
+'''
+dependencies = ["harness", "fuzzer"]
+
 [tasks.test_windows]
 script_runner = "@shell"
 script='''
@@ -57,4 +87,4 @@ start "" "tinyinst_simple.exe"
 ping -n 10 127.0.0.1>NUL && taskkill /im tinyinst_simple.exe /F
 >nul 2>nul dir /a-d "corpus_discovered\*" && (echo Files exist) || (exit /b 1337)
 '''
-dependencies = [ "harness", "fuzzer" ]
+dependencies = ["harness", "fuzzer"]

fuzzers/tinyinst_simple/README.md

@@ -1,11 +1,11 @@
 # Tinyinst example
-This is a fuzzer example to show how libafl_tinyinst works
+This is a fuzzer example to show how libafl_tinyinst works.
 
 ## How to build
 1. Build the harness with `cl test\test.cpp -o test.exe`
 2. Build the fuzzer with `cargo build --release`. The fuzzer is `target\release\tinyinst_simple.exe`
 
 ## Run with cargo-make
-Or, you can simple run it using cargo-make
-1. Open up developer powershell so that you have access to cl (Windows Default Compiler)
-2. Run `cargo make run` to run the fuzzer
+Or, you can simply run it using cargo-make
+1. If on Windows, open up a developer powershell so that you have access to cl (Windows Default Compiler)
+2. Run `cargo make run` to run the fuzzer

fuzzers/tinyinst_simple/src/main.rs

@@ -17,6 +17,8 @@ use libafl::{
 use libafl_bolts::shmem::UnixShMemProvider;
 #[cfg(windows)]
 use libafl_bolts::shmem::Win32ShMemProvider;
+#[cfg(target_os = "linux")]
+use libafl_bolts::shmem::MmapShMemProvider;
 use libafl_bolts::{
     rands::{RandomSeed, StdRand},
     shmem::ShMemProvider,
@@ -25,10 +27,10 @@ use libafl_bolts::{
 use libafl_tinyinst::executor::TinyInstExecutorBuilder;
 static mut COVERAGE: Vec<u64> = vec![];
 
-#[cfg(not(any(target_vendor = "apple", windows)))]
+#[cfg(not(any(target_vendor = "apple", windows, target_os = "linux")))]
 fn main() {}
 
-#[cfg(any(target_vendor = "apple", windows))]
+#[cfg(any(target_vendor = "apple", windows, target_os = "linux"))]
 fn main() {
     // Tinyinst things
     let tinyinst_args = vec!["-instrument_module".to_string(), "test.exe".to_string()];
@@ -47,6 +49,9 @@ fn main() {
     #[cfg(target_vendor = "apple")]
     let mut shmem_provider = UnixShMemProvider::new().unwrap();
 
+    #[cfg(target_os = "linux")]
+    let mut shmem_provider = MmapShMemProvider::new().unwrap();
+
     let input = BytesInput::new(b"bad".to_vec());
     let rand = StdRand::new();
     let mut corpus = CachedOnDiskCorpus::new(PathBuf::from("./corpus_discovered"), 64).unwrap();

fuzzers/tinyinst_simple/test/test.cpp

@@ -71,15 +71,15 @@ int setup_shmem(const char *name) {
   // get shared memory file descriptor (NOT a file)
   fd = shm_open(name, O_RDONLY, S_IRUSR | S_IWUSR);
   if (fd == -1) {
-    printf("Error in shm_open\n");
+    perror("Error in shm_open");
     return 0;
   }
 
   // map shared memory to process address space
   shm_data =
       (unsigned char *)mmap(NULL, SHM_SIZE, PROT_READ, MAP_SHARED, fd, 0);
   if (shm_data == MAP_FAILED) {
-    printf("Error in mmap\n");
+    perror("Error in mmap");
     return 0;
   }
 
@@ -101,7 +101,7 @@ char *crash = NULL;
 
 // actual target function
 
-void FUZZ_TARGET_MODIFIERS fuzz(char *name) {
+extern "C" void FUZZ_TARGET_MODIFIERS fuzz(char *name) {
   char    *sample_bytes = NULL;
   uint32_t sample_size = 0;
 

libafl_bolts/src/shmem.rs

@@ -640,6 +640,7 @@ pub mod unix_shmem {
                         process::id(),
                         rand_id
                     )?;
+                    filename_path[19] = 0; // Trucate to size 20
 
                     /* create the shared memory segment as if it was a file */
                     let shm_fd = shm_open(
@@ -683,7 +684,7 @@ pub mod unix_shmem {
                         map: map as *mut u8,
                         map_size,
                         shm_fd,
-                        id: ShMemId::from_string(&format!("{shm_fd}")),
+                        id: ShMemId::try_from_slice(&filename_path).unwrap(),
                     })
                 }
             }