progress, some inline table issue?

google · Oct 18, 2024 · 7962c61 · 7962c61
1 parent 8c1e496
commit 7962c61
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 6 deletions.
diff --git a/fuzzers/fox/builder.Dockerfile b/fuzzers/fox/builder.Dockerfile
@@ -32,14 +32,34 @@ RUN apt-get update && \
         # for QEMU mode
         ninja-build \
         gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
-        libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+        libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev \
+        lsb-release \
+        software-properties-common \
+        gnupg
 
-# Download afl++.
+RUN wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 15
+RUN apt install llvm-15
+
+RUN for llvmbin in $(find $(dirname $(which llvm-link-15)) | grep -- '-15$'); do \
+      ln -s "$llvmbin" /usr/local/bin/$(basename "$llvmbin" | rev | cut -d'-' -f2- | rev); \
+    done && \
+    which llvm-link llvm-dis
+
+RUN curl -L https://go.dev/dl/go1.23.2.linux-amd64.tar.gz | \
+    tar -C /usr/local -xz
+
+ENV PATH="$PATH:/usr/local/go/bin:/root/go/bin"
+
+RUN go install github.com/SRI-CSL/gllvm/cmd/[email protected]
+
+# Download FOX.
 RUN git clone -b dev https://github.com/FOX-Fuzz/FOX /afl && \
     cd /afl && \
     git checkout 5265de4e3762c9424127d7278ac55c42dada82ce || \
     true
 
+COPY --chmod=755 second_stage.sh /second_stage.sh
+
 # Build without Python support as we don't need it.
 # Set AFL_NO_X86 to skip flaky tests.
 RUN cd /afl && \

diff --git a/fuzzers/fox/fuzzer.py b/fuzzers/fox/fuzzer.py
@@ -16,6 +16,7 @@
 
 import os
 import shutil
+import subprocess
 
 from fuzzers.afl import fuzzer as afl_fuzzer
 from fuzzers import utils
@@ -40,6 +41,10 @@ def build(*args):  # pylint: disable=too-many-branches,too-many-statements
     if 'BUILD_MODES' in os.environ:
         build_modes = os.environ['BUILD_MODES'].split(',')
 
+    # FOX builds with gclang for whole program bitcode
+    os.environ['AFL_CC'] = 'gclang'
+    os.environ['AFL_CXX'] = 'gclang++'
+
     # Placeholder comment.
     build_directory = os.environ['OUT']
 
@@ -225,6 +230,8 @@ def build(*args):  # pylint: disable=too-many-branches,too-many-statements
         print('Re-building benchmark for symcc fuzzing target')
         utils.build_benchmark(env=new_env)
 
+    subprocess.check_call(['/second_stage.sh'], cwd=build_directory)
+
     shutil.copy('/afl/afl-fuzz', build_directory)
     if os.path.exists('/afl/afl-qemu-trace'):
         shutil.copy('/afl/afl-qemu-trace', build_directory)
@@ -235,6 +242,49 @@ def build(*args):  # pylint: disable=too-many-branches,too-many-statements
         shutil.copy('/get_frida_entry.sh', build_directory)
 
 
+def run_afl_fuzz(input_corpus,
+                 output_corpus,
+                 target_binary,
+                 additional_flags=None,
+                 hide_output=False):
+    """Run afl-fuzz."""
+    # Spawn the afl fuzzing process.
+    print('[run_afl_fuzz] Running target with afl-fuzz')
+    command = [
+        './afl-fuzz',
+        '-i',
+        input_corpus,
+        '-o',
+        output_corpus,
+        # Use no memory limit as ASAN doesn't play nicely with one.
+        '-m',
+        'none',
+        '-t',
+        '1000+',  # Use same default 1 sec timeout, but add '+' to skip hangs.
+    ]
+    # Use '-d' to skip deterministic mode, as long as it it compatible with
+    # additional flags.
+    if not additional_flags or check_skip_det_compatible(additional_flags):
+        command.append('-d')
+    if additional_flags:
+        command.extend(additional_flags)
+    dictionary_path = utils.get_dictionary_path(target_binary)
+    if dictionary_path:
+        command.extend(['-x', dictionary_path])
+    # FOX-specific flags
+    command.extend(['-k', '-p', 'wd_scheduler'])
+    command += [
+        '--',
+        target_binary,
+        # Pass INT_MAX to afl the maximize the number of persistent loops it
+        # performs.
+        '2147483647'
+    ]
+    print('[run_afl_fuzz] Running command: ' + ' '.join(command))
+    output_stream = subprocess.DEVNULL if hide_output else None
+    subprocess.check_call(command, stdout=output_stream, stderr=output_stream)
+
+
 # pylint: disable=too-many-arguments
 def fuzz(input_corpus,
          output_corpus,
@@ -276,7 +326,7 @@ def fuzz(input_corpus,
         if 'ADDITIONAL_ARGS' in os.environ:
             flags += os.environ['ADDITIONAL_ARGS'].split(' ')
 
-    afl_fuzzer.run_afl_fuzz(input_corpus,
-                            output_corpus,
-                            target_binary,
-                            additional_flags=flags)
+    run_afl_fuzz(input_corpus,
+                 output_corpus,
+                 target_binary,
+                 additional_flags=flags)
diff --git a/fuzzers/fox/second_stage.sh b/fuzzers/fox/second_stage.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+# based on targets/mbedtls/build_aflpp.sh from adamstorek/fox: https://github.com/FOX-Fuzz/FOX/blob/main/README_StandAlone.md
+
+get-bc $FUZZ_TARGET
+llvm-dis $FUZZ_TARGET.bc
+python /afl/fix_long_fun_name.py $FUZZ_TARGET.ll
+mkdir -p cfg_out_$FUZZ_TARGET
+cd cfg_out_$FUZZ_TARGET
+opt -dot-cfg ../$FUZZ_TARGET\_fix.ll
+for f in $(ls -a | grep '^\.*'|grep dot);do mv $f ${f:1};done
+cd ..
+
+python /afl/gen_graph_dev_refactor.py $FUZZ_TARGET\_fix.ll cfg_out_$FUZZ_TARGET $PWD/$FUZZ_TARGET instrument_meta_data