Merge pull request #11 from AFLplusplus/main

Fix testcase set_filename (AFLplusplus#1092)

.github/workflows/build_and_test.yml

@@ -64,7 +64,7 @@ jobs:
     - name: Install and cache deps
       uses: awalsh128/cache-apt-pkgs-action@v1.1.0
       with:
-        packages: llvm llvm-dev clang ninja-build clang-format-13 shellcheck libgtk-3-dev gcc-arm-linux-gnueabi g++-arm-linux-gnueabi libslirp-dev
+        packages: llvm llvm-dev clang ninja-build clang-format-13 shellcheck libgtk-3-dev gcc-arm-linux-gnueabi g++-arm-linux-gnueabi libslirp-dev libz3-dev
     - name: get clang version
       run: command -v llvm-config && clang -v
     - name: Add nightly rustfmt and clippy
@@ -115,7 +115,7 @@ jobs:
     - name: Install and cache deps
       uses: awalsh128/cache-apt-pkgs-action@v1.1.0
       with:
-        packages: llvm llvm-dev clang ninja-build clang-format-13 shellcheck libgtk-3-dev gcc-arm-linux-gnueabi g++-arm-linux-gnueabi libslirp-dev
+        packages: llvm llvm-dev clang ninja-build clang-format-13 shellcheck libgtk-3-dev gcc-arm-linux-gnueabi g++-arm-linux-gnueabi libslirp-dev libz3-dev
     - name: get clang version
       run: command -v llvm-config && clang -v
     - name: Install cargo-hack
@@ -157,7 +157,7 @@ jobs:
         profile: minimal
         toolchain: stable
     - name: Install deps
-      run: sudo apt-get install -y llvm llvm-dev clang ninja-build python3-dev python3-pip python3-venv
+      run: sudo apt-get install -y llvm llvm-dev clang ninja-build python3-dev python3-pip python3-venv libz3-dev
     - name: Install maturin
       run: python3 -m pip install maturin
     - uses: actions/checkout@v3
@@ -193,7 +193,7 @@ jobs:
     - uses: lyricwulf/abc@v1
       with: 
         # todo: remove afl++-clang when nyx support samcov_pcguard
-        linux: llvm llvm-dev clang nasm ninja-build gcc-arm-linux-gnueabi g++-arm-linux-gnueabi libgtk-3-dev afl++-clang pax-utils
+        linux: llvm llvm-dev clang nasm ninja-build gcc-arm-linux-gnueabi g++-arm-linux-gnueabi libgtk-3-dev afl++-clang pax-utils libz3-dev
         # update bash for macos to support `declare -A` command`
         macos: llvm libpng nasm coreutils z3 bash wget
     - name: pip install

README.md

@@ -71,7 +71,7 @@ cargo build --release
 cargo doc
 ```
 
-5. Browse the LibAFL book (WIP!) with (requires [mdbook](https://github.com/rust-lang/mdBook))
+5. Browse the LibAFL book (WIP!) with (requires [mdbook](https://rust-lang.github.io/mdBook/index.html))
 
 ```
 cd docs && mdbook serve

fuzzers/baby_fuzzer_grimoire/src/main.rs

@@ -1,6 +1,6 @@
 #[cfg(windows)]
 use std::ptr::write_volatile;
-use std::{fs, io::Read, path::PathBuf};
+use std::{fs, io::Read, path::PathBuf, ptr::write};
 
 use libafl::{
     bolts::{current_nanos, rands::StdRand, tuples::tuple_list, AsSlice},
@@ -24,10 +24,10 @@ use libafl::{
 
 /// Coverage map with explicit assignments due to the lack of instrumentation
 static mut SIGNALS: [u8; 16] = [0; 16];
-
+static mut SIGNALS_PTR: *mut u8 = unsafe { SIGNALS.as_mut_ptr() };
 /// Assign a signal to the signals map
 fn signals_set(idx: usize) {
-    unsafe { SIGNALS[idx] = 1 };
+    unsafe { write(SIGNALS_PTR.add(idx), 1) };
 }
 
 fn is_sub<T: PartialEq>(mut haystack: &[T], needle: &[T]) -> bool {
@@ -82,8 +82,7 @@ pub fn main() {
     };
 
     // Create an observation channel using the signals map
-    let observer = unsafe { StdMapObserver::new("signals", &mut SIGNALS) };
-
+    let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
     // Feedback to rate the interestingness of an input
     let mut feedback = MaxMapFeedback::tracking(&observer, false, true);
 

fuzzers/frida_executable_libpng/.gitignore

@@ -0,0 +1,5 @@
+libpng-*
+corpus_discovered
+libafl_frida
+frida_libpng
+zlib*

fuzzers/frida_executable_libpng/Cargo.toml

@@ -0,0 +1,46 @@
+[package]
+name = "frida_executable_fuzzer"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+name = "frida_executable_fuzzer"
+crate_type = ["cdylib"]
+
+[features]
+default = ["std"]
+std = []
+
+[profile.release]
+lto = true
+codegen-units = 1
+opt-level = 3
+debug = true
+
+[build-dependencies]
+cc = { version = "1.0.42", features = ["parallel"] }
+which = "4.1"
+xz2 = "0.1.6"
+flate2 = "1.0.22"
+tar = "0.4.37"
+reqwest = { version = "0.11.4", features = ["blocking"] }
+
+
+
+
+[dependencies]
+libafl = { path = "../../libafl/", features = [ "std", "llmp_compression", "llmp_bind_public", "frida_cli" ] } #,  "llmp_small_maps", "llmp_debug"]}
+capstone = "0.11.0"
+frida-gum = { version = "0.8.1", features = [ "auto-download", "event-sink", "invocation-listener"] }
+libafl_frida = { path = "../../libafl_frida", features = ["cmplog"] }
+libafl_targets = { path = "../../libafl_targets", features = ["sancov_cmplog"] }
+libc = "0.2"
+libloading = "0.7"
+num-traits = "0.2"
+rangemap = "1"
+clap = { version = "4.0", features = ["derive"] }
+serde = "1.0"
+mimalloc = { version = "*", default-features = false }
+
+backtrace = "0.3"
+color-backtrace = "0.5"

fuzzers/frida_executable_libpng/Makefile.toml

@@ -0,0 +1,115 @@
+# Variables
+[env]
+CARGO_TARGET_DIR = { value = "target", condition = { env_not_set = ["CARGO_TARGET_DIR"] } }
+
+
+[tasks.unsupported]
+script_runner="@shell"
+script='''
+echo "Cargo-make not integrated yet on this"
+'''
+
+# libpng
+[tasks.libpng]
+linux_alias = "libpng_unix"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.libpng_unix]
+condition = { files_not_exist = ["./libpng-1.6.37"]}
+script_runner="@shell"
+script='''
+wget https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz
+tar -xvf libpng-1.6.37.tar.xz
+'''
+
+# Library
+[tasks.lib]
+linux_alias = "lib_unix"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.lib_unix]
+script_runner="@shell"
+script='''
+cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
+cd ..
+make -C libpng-1.6.37
+'''
+dependencies = [ "libpng" ]
+
+# Harness
+[tasks.harness]
+linux_alias = "harness_unix"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.harness_unix]
+script_runner="@shell"
+script='''
+clang++ -O0 -c -fPIC harness.cc -o harness.o
+clang++ -O0 harness.cc libpng-1.6.37/.libs/libpng16.a -lz -o libpng-harness -g
+'''
+dependencies = [ "lib" ]
+
+# Fuzzer
+[tasks.fuzzer]
+linux_alias = "fuzzer_unix"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.fuzzer_unix]
+script_runner="@shell"
+script='''
+cargo build --release
+'''
+
+# Run the fuzzer
+[tasks.run]
+linux_alias = "run_unix"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.run_unix]
+script_runner = "@shell"
+script='''
+LD_PRELOAD=$CARGO_TARGET_DIR/release/libfrida_executable_fuzzer.so ./libpng-harness -i corpus -o out -H ./libpng-harness
+'''
+dependencies = [ "fuzzer", "harness" ]
+
+# Test
+[tasks.test]
+linux_alias = "test_unix"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.test_unix]
+script_runner = "@shell"
+script='''
+rm -rf libafl_unix_shmem_server || true
+LD_PRELOAD=$CARGO_TARGET_DIR/release/libfrida_executable_fuzzer.so ./libpng-harness -i corpus -o out -H ./libpng-harness > fuzz_stdout.log &
+sleep 10s && pkill libpng-harness
+if [ -z "$(grep "corpus: 30" fuzz_stdout.log)" ]; then
+    echo "Fuzzer does not generate any testcases or any crashes"
+    exit 1
+else
+    echo "Fuzzer is working"
+fi
+'''
+dependencies = [ "fuzzer", "harness" ]
+
+# Clean up
+[tasks.clean]
+linux_alias = "clean_unix"
+mac_alias = "unsupported"
+windows_alias = "unsupported"
+
+[tasks.clean_unix]
+# Disable default `clean` definition
+clear = true
+script_runner="@shell"
+script='''
+rm -f ./libpng-harness
+make -C libpng-1.6.37 clean
+cargo clean
+'''

fuzzers/frida_executable_libpng/README.md

@@ -0,0 +1,36 @@
+# Fuzzing libpng with frida as executale
+
+This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.
+To show off crash detection, we added a ud2 instruction to the harness, edit harness.cc if you want a non-crashing example.
+It has been tested on Linux.
+
+## Build
+
+To build this example, run `cargo build --release` in this folder.
+This will call (the build.rs)[./build.rs], which in turn downloads a libpng archive from the web.
+Then, it will build (the C++ harness)[./harness.cc] and the instrumented `libpng`.
+Then, it will create frida fuzzer shared library in `./target/release/libfrida_fuzzer.so`.
+On unix platforms, you'll need [libc++](https://libcxx.llvm.org/) to build it.
+
+Alternatively you can run `cargo make run` and this command will automatically build and run the fuzzer
+
+### Build For Android
+When building for android using a cross-compiler, make sure you have a [_standalone toolchain_](https://developer.android.com/ndk/guides/standalone_toolchain), and then add the following:
+1. In the ~/.cargo/config file add a target with the correct cross-compiler toolchain name (in this case aarch64-linux-android, but names may vary)
+`[target.aarch64-linux-android]`
+`linker="aarch64-linux-android-clang"`
+2. add path to installed toolchain to PATH env variable.
+3. define CLANG_PATH and add target to the build command line:
+`CLANG_PATH=<path to installed toolchain>/bin/aarch64-linux-android-clang cargo -v build --release --target=aarch64-linux-android`
+
+## Run
+
+This example uses in-process-fuzzing, using the `launcher` feature, in combination with a Restarting Event Manager.
+This means running --cores each client will start itself again to listen for crashes and timeouts.
+By restarting the actual fuzzer, it can recover from these exit conditions.
+
+After building the libpng-harness, you can run `find . -name libpng-harness` to find the location of your harness, then run
+
+```
+LD_PRELOAD=./target/release/libfrida_fuzzer.so ./libpng-harness -i corpus -o out -l ./libpng-harness.so
+```