Merge remote-tracking branch 'upstream/main'

Author: Marcondiro

.github/workflows/build_and_test.yml

@@ -275,6 +275,7 @@ jobs:
           - ./fuzzers/forkserver/forkserver_libafl_cc
           - ./fuzzers/forkserver/fuzzbench_forkserver
           - ./fuzzers/forkserver/fuzzbench_forkserver_cmplog
+          - ./fuzzers/forkserver/fuzzbench_forkserver_sand
           - ./fuzzers/forkserver/libafl-fuzz
           - ./fuzzers/forkserver/baby_fuzzer_with_forkexecutor
 

fuzzers/forkserver/fuzzbench_forkserver_sand/.gitignore

@@ -0,0 +1,2 @@
+libpng-*
+fuzzer

fuzzers/forkserver/fuzzbench_forkserver_sand/Cargo.toml

@@ -0,0 +1,53 @@
+[package]
+name = "fuzzbench_forkserver_sand"
+version = "0.15.1"
+authors = [
+  "Andrea Fioraldi <[email protected]>",
+  "Dominik Maier <[email protected]>",
+  "Ziqiao Kong <[email protected]>",
+]
+edition = "2021"
+
+[profile.release]
+lto = true
+codegen-units = 1
+opt-level = 3
+debug = true
+
+[profile.release-fuzzbench]
+inherits = "release"
+debug = false
+strip = true
+
+[build-dependencies]
+cc = { version = "1.1.22", features = ["parallel"] }
+which = "6.0.3"
+
+[dependencies]
+libafl = { path = "../../../libafl" }
+libafl_bolts = { path = "../../../libafl_bolts" }
+libafl_targets = { path = "../../../libafl_targets", features = [
+  "sancov_pcguard_hitcounts",
+  "libfuzzer",
+  "pointer_maps",
+] }
+libafl_cc = { path = "../../../libafl_cc" }
+log = { version = "0.4.22", features = ["release_max_level_info"] }
+clap = { version = "4.5.18", features = ["default"] }
+nix = { version = "0.29.0", features = ["signal"] }
+
+[[bin]]
+name = "sand_cc"
+path = "src/cc.rs"
+
+[[bin]]
+name = "sand_cxx"
+path = "src/cxx.rs"
+
+[[bin]]
+name = "fuzzbench_forkserver_sand"
+path = "src/main.rs"
+
+[lib]
+name = "forkserver_sand"
+crate-type = ["staticlib"]

fuzzers/forkserver/fuzzbench_forkserver_sand/Justfile

@@ -0,0 +1,73 @@
+FUZZER_NAME := 'fuzzbench_forkserver_sand'
+FORKSERVER_NAME := 'fuzzbench_forkserver_sand'
+CARGO_TARGET_DIR := env("CARGO_TARGET_DIR", "target")
+PROFILE := env("PROFILE", "release")
+PROFILE_DIR := if PROFILE == "release" { "release" } else if PROFILE == "dev" { "debug" } else { "debug" }
+LIBAFL_CC := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "sand_cc"
+LIBAFL_CXX := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / "sand_cxx"
+FUZZER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FUZZER_NAME
+FORKSERVER := PROJECT_DIR / CARGO_TARGET_DIR / PROFILE_DIR / FORKSERVER_NAME
+PROJECT_DIR := absolute_path(".")
+
+
+alias cc := cxx
+
+[linux]
+[macos]
+cxx:
+    cargo build --profile {{PROFILE}}
+
+[windows]
+cxx:
+    echo "Unsupported on this platform"
+
+[linux]
+[macos]
+fuzzer: cxx
+    {{LIBAFL_CC}} {{PROJECT_DIR}}/src/vuln.c -o vuln_native -lm -lz
+
+[windows]
+fuzzer:
+    echo "Unsupported on this platform"
+
+[linux]
+[macos]
+fuzzer_asan: cxx
+    AFL_SAN_NO_INST=1 {{LIBAFL_CC}} {{PROJECT_DIR}}/src/vuln.c -fsanitize=address -o vuln_asan -lm -lz
+
+[windows]
+fuzzer_asan:
+    echo "Unsupported on this platform"
+
+[linux]
+[macos]
+run: fuzzer fuzzer_asan
+    #!/bin/bash
+    mkdir -p input && echo "a" >> input/a
+    taskset -c 1 {{FUZZER}} -i input -o /tmp/out -a ./vuln_asan -t 1000 ./vuln_native
+
+[windows]
+run: fuzzer fuzzer_asan
+    echo "Unsupported on this platform"
+
+[linux]
+[macos]
+test: fuzzer fuzzer_asan
+    #!/bin/bash
+    mkdir -p input && echo "a" >> input/a
+    timeout 10s {{FUZZER}} -i input -o /tmp/out -a ./vuln_asan -t 1000 ./vuln_native | tee fuzz_stdout.log || true
+    if grep -qa "objectives: 1" fuzz_stdout.log; then
+        echo "Fuzzer is working"
+    else
+        echo "Fuzzer does not generate any testcases or any crashes"
+        exit 1
+    fi
+
+[windows]
+test: fuzzer fuzzer_asan
+    echo "Unsupported on this platform"
+
+clean:
+    rm -rf {{FUZZER}}
+    rm -rf vuln_native vuln_asan
+    cargo clean

fuzzers/forkserver/fuzzbench_forkserver_sand/src/cc.rs

@@ -0,0 +1,46 @@
+use std::env;
+
+use libafl_cc::{ClangWrapper, CompilerWrapper, ToolWrapper};
+
+pub fn main() {
+    let args: Vec<String> = env::args().collect();
+    if args.len() > 1 {
+        let mut dir = env::current_exe().unwrap();
+        let wrapper_name = dir.file_name().unwrap().to_str().unwrap();
+
+        let is_cpp = match wrapper_name[wrapper_name.len()-2..].to_lowercase().as_str() {
+            "cc" => false,
+            "++" | "pp" | "xx" => true,
+            _ => panic!("Could not figure out if c or c++ wrapper was called. Expected {dir:?} to end with c or cxx"),
+        };
+
+        let no_inst = std::env::var("AFL_SAN_NO_INST").ok().is_some();
+
+        dir.pop();
+
+        let mut cc = ClangWrapper::new();
+        if !no_inst {
+            cc.add_arg("-fsanitize-coverage=trace-pc-guard");
+        }
+        if let Some(code) = cc
+            .cpp(is_cpp)
+            // silence the compiler wrapper output, needed for some configure scripts.
+            .silence(true)
+            .parse_args(&args)
+            .expect("Failed to parse the command line")
+            // Imitate afl-cc's compile definitions 
+            .add_arg("-D__AFL_FUZZ_INIT()=int __afl_sharedmem_fuzzing = 1;extern unsigned int *__afl_fuzz_len;extern unsigned char *__afl_fuzz_ptr;unsigned char __afl_fuzz_alt[1048576];unsigned char *__afl_fuzz_alt_ptr = __afl_fuzz_alt;void libafl_start_forkserver(void)")
+            .add_arg("-D__AFL_FUZZ_TESTCASE_BUF=(__afl_fuzz_ptr ? __afl_fuzz_ptr : __afl_fuzz_alt_ptr)")
+            .add_arg("-D__AFL_FUZZ_TESTCASE_LEN=(__afl_fuzz_ptr ? *__afl_fuzz_len : (*__afl_fuzz_len = read(0, __afl_fuzz_alt_ptr, 1048576)) == 0xffffffff ? 0 : *__afl_fuzz_len)")
+            .add_arg("-D__AFL_INIT()=libafl_start_forkserver()")
+            // Link with libafl's forkserver implementation
+            .link_staticlib(&dir, "forkserver_sand")
+            .run()
+            .expect("Failed to run the wrapped compiler")
+        {
+            std::process::exit(code);
+        }
+    } else {
+        panic!("LibAFL CC: No Arguments given");
+    }
+}

fuzzers/forkserver/fuzzbench_forkserver_sand/src/cxx.rs

@@ -0,0 +1,5 @@
+pub mod cc;
+
+fn main() {
+    cc::main();
+}

fuzzers/forkserver/fuzzbench_forkserver_sand/src/lib.rs

@@ -0,0 +1,9 @@
+use libafl_targets::{map_shared_memory, start_forkserver};
+
+#[no_mangle]
+pub extern "C" fn libafl_start_forkserver() {
+    // Map shared memory region for the edge coverage map
+    map_shared_memory();
+    // Start the forkserver
+    start_forkserver();
+}