Merge branch 'JS_compile_test_progs' into 'internal-dev'

Test Program Compilation See merge request github/killerbeez!62
grimm-co · Aug 1, 2018 · 2ad290d · 2ad290d
2 parents a6a894e + 66ed788
commit 2ad290d
Show file tree

Hide file tree

Showing 12 changed files with 70 additions and 50 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -32,6 +32,7 @@ include_directories (${CMAKE_SOURCE_DIR}/../killerbeez-utils/utils/)
 # compile mutators, which will compile utils
 add_subdirectory(${CMAKE_SOURCE_DIR}/../killerbeez-mutators/ ${CMAKE_BINARY_DIR}/killerbeez-mutators/)
 
+add_subdirectory(corpus) # test programs
 add_subdirectory(fuzzer) # instantiates & coordinates other parts
 add_subdirectory(driver) # starts program, feeds input, determines when program is done
 add_subdirectory(instrumentation) # inserts instructions to program to tell whether an input makes the binary take a new path

diff --git a/corpus/CMakeLists.txt b/corpus/CMakeLists.txt
@@ -0,0 +1,17 @@
+cmake_minimum_required (VERSION 2.8.8)
+project (corpus)
+
+# All of the Windows test programs have precompiled versions, as the DynamoRIO
+# instrumentation needs exact offsets into the program to know where to hook.
+# As such, we've included precompiled versions with and listed the offsets,
+# rather than having the user compile them.
+if (UNIX)
+SET( CMAKE_RUNTIME_OUTPUT_DIRECTORY ${BUILD_DIRECTORY}/killerbeez/corpus/ )
+SET( CMAKE_LIBRARY_OUTPUT_DIRECTORY ${BUILD_DIRECTORY}/killerbeez/corpus/ )
+SET( CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${BUILD_DIRECTORY}/killerbeez/corpus/ )
+
+add_subdirectory(hang)
+add_subdirectory(libtest)
+add_subdirectory(persist)
+add_subdirectory(test)
+endif ()
diff --git a/corpus/hang/CMakeLists.txt b/corpus/hang/CMakeLists.txt
@@ -0,0 +1,4 @@
+cmake_minimum_required (VERSION 2.8.8)
+project (hang-linux)
+
+add_executable(hang-linux ${PROJECT_SOURCE_DIR}/hang.c)
diff --git a/corpus/hang/hang-linux b/corpus/hang/hang-linux
diff --git a/corpus/libtest/CMakeLists.txt b/corpus/libtest/CMakeLists.txt
@@ -0,0 +1,12 @@
+cmake_minimum_required (VERSION 2.8.8)
+project (libtest)
+
+add_executable(libtest      ${PROJECT_SOURCE_DIR}/test.c)
+add_executable(libtest_pie  ${PROJECT_SOURCE_DIR}/test.c)
+add_library(test1 SHARED ${PROJECT_SOURCE_DIR}/lib1.c)
+add_library(test2 SHARED ${PROJECT_SOURCE_DIR}/lib2.c)
+
+set_target_properties(libtest PROPERTIES LINK_FLAGS "-no-pie")
+
+target_link_libraries(libtest     test1 test2)
+target_link_libraries(libtest_pie test1 test2)
diff --git a/corpus/libtest/Makefile b/corpus/libtest/Makefile
diff --git a/corpus/persist/CMakeLists.txt b/corpus/persist/CMakeLists.txt
@@ -0,0 +1,22 @@
+cmake_minimum_required (VERSION 2.8.8)
+project (persist)
+
+set(PERSIST_SRC ${PROJECT_SOURCE_DIR}/test.c)
+
+add_executable(nopersist       ${PERSIST_SRC})
+add_executable(persist         ${PERSIST_SRC})
+add_executable(persist_hang    ${PERSIST_SRC})
+add_executable(deferred        ${PERSIST_SRC})
+add_executable(deferred_nohook ${PERSIST_SRC})
+
+target_compile_definitions(persist         PUBLIC PERSIST)
+target_compile_definitions(persist_hang    PUBLIC PERSIST PUBLIC HANG)
+target_compile_definitions(deferred        PUBLIC SLOW_STARTUP)
+target_compile_definitions(deferred_nohook PUBLIC SLOW_STARTUP PUBLIC DEFERRED_NOHOOK)
+
+target_link_libraries(persist         forkserver)
+target_link_libraries(persist_hang    forkserver)
+target_link_libraries(deferred        forkserver)
+target_link_libraries(deferred_nohook forkserver)
+
+include_directories(${PROJECT_SOURCE_DIR}/../../instrumentation/)
diff --git a/corpus/persist/Makefile b/corpus/persist/Makefile
diff --git a/corpus/test/CMakeLists.txt b/corpus/test/CMakeLists.txt
@@ -0,0 +1,4 @@
+cmake_minimum_required (VERSION 2.8.8)
+project (test-linux)
+
+add_executable(test-linux ${PROJECT_SOURCE_DIR}/test.c)
diff --git a/corpus/test/test-linux b/corpus/test/test-linux
diff --git a/docs/IPT.md b/docs/IPT.md
@@ -155,7 +155,7 @@ command will cause a crash in the test-linux binary on the seventh iteration.
 The IPT instrumentation tracks the TNT and TIP packets that are generated from
 the main test-linux executable.
 ```
-./fuzzer stdin ipt bit_flip -d "{\"path\":\"$HOME/killerbeez/killerbeez/corpus/test/test-linux\"}" -n 10 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt
+./fuzzer stdin ipt bit_flip -d "{\"path\":\"$HOME/killerbeez/build/killerbeez/corpus/test-linux\"}" -n 10 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt
 ```
 
 If instead of tracking code coverage for the main executable, you wish to track
@@ -165,9 +165,8 @@ to track coverage information for. The below command illustrates how to use this
 option with the included example program. This command tracks the code coverage
 of libtest1.so and libtest2.so.
 ```
-env LD_LIBRARY_PATH=$HOME/killerbeez/killerbeez/corpus/libtest/ ./fuzzer stdin ipt bit_flip \
-  -d "{\"path\":\"$HOME/killerbeez/killerbeez/corpus/libtest/test\"}" -n 10 \
-  -i '{"coverage_libraries":["$HOME/killerbeez/killerbeez/corpus/libtest/libtest1.so","$HOME/killerbeez/killerbeez/corpus/libtest/libtest2.so"]}' \
+./fuzzer stdin ipt bit_flip -d "{\"path\":\"$HOME/killerbeez/build/killerbeez/corpus/libtest\"}" -n 10 \
+  -i "{\"coverage_libraries\":[\"$HOME/killerbeez/build/killerbeez/corpus/libtest1.so\",\"$HOME/killerbeez/build/killerbeez/corpus/libtest2.so\"]}" \
   -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt
 ```
 
@@ -216,12 +215,12 @@ shown below. This example runs 5000 iterations of the persist binary, mutates
 the input with the afl mutator, and feeds the input over stdin to the target
 program. The IPT module will run 1000 iterations per persist process.
 ```
-./fuzzer stdin ipt afl -i "{\"persistence_max_cnt\":1000}" -d "{\"path\":\"$HOME/killerbeez/killerbeez/corpus/persist/persist\"}" -n 5000 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt
+./fuzzer stdin ipt afl -i "{\"persistence_max_cnt\":1000}" -d "{\"path\":\"$HOME/killerbeez/build/killerbeez/corpus/persist\"}" -n 5000 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt
 ```
 For comparison, a non-persistence mode run with a similar binary can be started
 with this command:
 ```
-./fuzzer stdin ipt afl -d "{\"path\":\"$HOME/killerbeez/killerbeez/corpus/persist/nopersist\"}" -n 5000 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt
+./fuzzer stdin ipt afl -d "{\"path\":\"$HOME/killerbeez/build/killerbeez/corpus/nopersist\"}" -n 5000 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt
 ```
 
 # Deferred Startup Mode

diff --git a/docs/README.md b/docs/README.md
@@ -92,8 +92,7 @@ Here's an example of running it on a test program from our corpus.
 ```
 # assuming that you're in the same directory as above ($WORKDIR/build)
 cd ../build/killerbeez/
-./fuzzer file return_code honggfuzz -n 20 \
-	-sf /bin/bash -d '{"path":"../../killerbeez/corpus/test/test-linux","arguments":"@@"}'
+./fuzzer file return_code honggfuzz -n 20 -sf /bin/bash -d '{"path":"corpus/test-linux","arguments":"@@"}'
 ```
 
 If it ran correctly, you should see something like this:
@@ -138,9 +137,7 @@ containing ./fuzzer.
 ```
 # assuming that you're in the same directory as the above commands (%WORKDIR%/build)
 echo "ABC@" > test1  # ABC@ is one bit different than ABCD, the crashing input
-./fuzzer file return_code honggfuzz -n 2000 \
-	-sf ./test1 \
-	-d '{"path":"../../killerbeez/corpus/test/test-linux","arguments":"@@"}'
+./fuzzer file return_code honggfuzz -n 2000 -sf ./test1 -d '{"path":"corpus/test-linux","arguments":"@@"}'
 ```
 
 Which should yield output similar to this:
@@ -160,9 +157,9 @@ crash this target and reproduce the crash manually.
 ```
 $ ls output/crashes/
 2B81D0C867F76051FD33D8690AA2AC68  5220E572A6F9DAAF522EF5C5698EAF4C  59F885D0289BE9A83E711C5E7CFCBE4D  ED5D34C74E59D16BD6D5B3683DB655C3
-$ cat output/crashes/2B81D0C867F76051FD33D8690AA2AC68 ; echo
-ABCDJ
-$ ../../killerbeez/corpus/test/test-linux output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D
+$ cat output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D ; echo
+ABCD
+$ corpus/test-linux output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D
 Segmentation fault (core dumped)
 ```