Reachability example (AFLplusplus#65)

* add reachability observer/feedback

* add fuzzer exmaple

* fmt

* remove reachabilityobserver, use stdmapobserver instead

* update diff.patch

* update README

* fix the clippy warning

* Squashed commit of the following:

commit f20524e
Author: Andrea Fioraldi <[email protected]>
Date:   Tue May 4 16:00:39 2021 +0200

    Composing feedback (AFLplusplus#85)

    * composing feedbacks as logic operations and bump to 0.2

    * adapt fuzzers and libafl_frida

    * fix windows build

commit e06efaa
Author: Andrea Fioraldi <[email protected]>
Date:   Tue May 4 13:54:46 2021 +0200

    Observers refactor (AFLplusplus#84)

    * new observer structure with HasExecHooks

    * adapt libafl_frida to new observers

    * docstrings

commit 17c6fcd
Merge: 08a2d43 a78a4b7
Author: Andrea Fioraldi <[email protected]>
Date:   Mon May 3 11:16:49 2021 +0200

    Merge branch 'main' into dev

commit 08a2d43
Author: David CARLIER <[email protected]>
Date:   Mon May 3 10:15:28 2021 +0100

    Build warning fix proposal, mostly about reference to packed fields. (AFLplusplus#79)

commit 88fe8fa
Merge: d5d46ad d2e7719
Author: Andrea Fioraldi <[email protected]>
Date:   Mon May 3 11:05:42 2021 +0200

    Merge pull request AFLplusplus#80 from marcograss/book-typos

    fixed some minor typos in the book

commit a78a4b7
Author: s1341 <[email protected]>
Date:   Mon May 3 10:34:15 2021 +0300

    frida-asan: Un-inline report funclet to reduce code bloat (AFLplusplus#81)

    * frida-asan: Outline report funclet to reduce code bloat

    * fmt

commit d2e7719
Author: Marco Grassi <[email protected]>
Date:   Sun May 2 21:58:33 2021 +0800

    fixed some minor typos in the book

commit d5d46ad
Author: Dominik Maier <[email protected]>
Date:   Sat May 1 23:09:10 2021 +0200

    make clippy less pedantic

commit 52d25e9
Author: Dominik Maier <[email protected]>
Date:   Sat May 1 22:23:59 2021 +0200

    fixing clippy::match-same-arms

commit cd66f88
Author: Dominik Maier <[email protected]>
Date:   Sat May 1 14:02:07 2021 +0200

    fixed clippy run in workflow

commit ddcf086
Author: Dominik Maier <[email protected]>
Date:   Sat May 1 13:53:29 2021 +0200

    Update README.md

commit c715f1f
Author: Dominik Maier <[email protected]>
Date:   Sat May 1 13:48:38 2021 +0200

    using clippy.sh

commit 9374b26
Author: Dominik Maier <[email protected]>
Date:   Sat May 1 13:47:44 2021 +0200

    some clippy warning ignored

commit b9e75c0
Author: Dominik Maier <[email protected]>
Date:   Sat May 1 13:24:02 2021 +0200

    Tcp Broker to Broker Communication (AFLplusplus#66)

    * initial b2b implementation

    * no_std and clippy fixes

    * b2b testcase added

    * more correct testcases

    * fixed b2b

    * typo

    * fixed unused warning

* feedbacks now return a boolean value

* use feedback_or, and modify Cargo.toml

* fix diff between dev and this branch

* fmt

Co-authored-by: Dominik Maier <[email protected]>

fuzzers/libfuzzer_reachability/.gitignore

@@ -0,0 +1 @@
+libpng-*

fuzzers/libfuzzer_reachability/Cargo.toml

@@ -0,0 +1,30 @@
+[package]
+name = "libfuzzer_reachability"
+version = "0.2.0"
+authors = ["Andrea Fioraldi <[email protected]>", "Dominik Maier <[email protected]>"]
+edition = "2018"
+
+[features]
+default = ["std"]
+std = []
+
+#[profile.release]
+#lto = true
+#codegen-units = 1
+#opt-level = 3
+#debug = true
+
+[build-dependencies]
+cc = { version = "1.0", features = ["parallel"] }
+which = { version = "4.0.2" }
+num_cpus = "1.0"
+
+[dependencies]
+libafl = { path = "../../libafl/" }
+libafl_targets = { path = "../../libafl_targets/", features = ["pcguard_hitcounts", "libfuzzer"] }
+# TODO Include it only when building cc
+libafl_cc = { path = "../../libafl_cc/" }
+
+[lib]
+name = "libfuzzer_libpng"
+crate-type = ["staticlib"]

fuzzers/libfuzzer_reachability/README.md

@@ -0,0 +1,79 @@
+# Libfuzzer for libpng
+
+This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.
+
+In contrast to other fuzzer examples, this setup uses `fuzz_loop_for`, to occasionally respawn the fuzzer executor.
+While this costs performance, it can be useful for targets with memory leaks or other instabilities.
+If your target is really instable, however, consider exchanging the `InProcessExecutor` for a `ForkserverExecutor` instead.
+
+To show off crash detection, we added a `ud2` instruction to the harness, edit harness.cc if you want a non-crashing example.
+It has been tested on Linux.
+
+## Build
+
+To build this example, run
+
+```bash
+cargo build --release
+```
+
+This will build the library with the fuzzer (src/lib.rs) with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions for coverage feedback.
+In addition, it will also build two C and C++ compiler wrappers (bin/libafl_c(libafl_c/xx).rs) that you must use to compile the target.
+
+The compiler wrappers, `libafl_cc` and libafl_cxx`, will end up in `./target/release/` (or `./target/debug`, in case you did not build with the `--release` flag).
+
+Then download libpng, and unpack the archive:
+```bash
+wget https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz
+tar -xvf libpng-1.6.37.tar.xz
+```
+Run `patch libpng-1.6.37/png.c diff.patch` before compiling the libpng
+Now compile libpng, using the libafl_cc compiler wrapper:
+
+```bash
+cd libpng-1.6.37
+./configure
+make CC=$(realpath ../target/release/libafl_cc) CXX=$(realpath ../target/release/libafl_cxx) -j `nproc`
+```
+
+You can find the static lib at `libpng-1.6.37/.libs/libpng16.a`.
+
+Now, we have to build the libfuzzer harness and link all together to create our fuzzer binary.
+
+```
+cd ..
+./target/release/libafl_cxx ./harness.cc libpng-1.6.37/.libs/libpng16.a -I libpng-1.6.37/ -o fuzzer_libpng -lz -lm
+```
+
+Afterward, the fuzzer will be ready to run.
+Note that, unless you use the `launcher`, you will have to run the binary multiple times to actually start the fuzz process, see `Run` in the following.
+This allows you to run multiple different builds of the same fuzzer alongside, for example, with and without ASAN (`-fsanitize=address`) or with different mutators.
+
+## Run
+
+The first time you run the binary, the broker will open a tcp port (currently on port `1337`), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel. Currently you must run the clients from the libfuzzer_libpng directory for them to be able to access the PNG corpus.
+
+```
+./fuzzer_libpng
+
+[libafl/src/bolts/llmp.rs:407] "We're the broker" = "We\'re the broker"
+Doing broker things. Run this tool again to start fuzzing in a client.
+```
+
+And after running the above again in a separate terminal:
+
+```
+[libafl/src/bolts/llmp.rs:1464] "New connection" = "New connection"
+[libafl/src/bolts/llmp.rs:1464] addr = 127.0.0.1:33500
+[libafl/src/bolts/llmp.rs:1464] stream.peer_addr().unwrap() = 127.0.0.1:33500
+[LOG Debug]: Loaded 4 initial testcases.
+[New Testcase #2] clients: 3, corpus: 6, objectives: 0, executions: 5, exec/sec: 0
+< fuzzing stats >
+```
+
+As this example uses in-process fuzzing, we added a Restarting Event Manager (`setup_restarting_mgr`).
+This means each client will start itself again to listen for crashes and timeouts.
+By restarting the actual fuzzer, it can recover from these exit conditions.
+
+In any real-world scenario, you should use `taskset` to pin each client to an empty CPU core, the lib does not pick an empty core automatically (yet).
+

fuzzers/libfuzzer_reachability/diff.patch

@@ -0,0 +1,9 @@
+15a16,19
+> #define TARGET_SIZE 4
+> 
+> size_t __lafl_dummy_list[TARGET_SIZE] = {0};
+> size_t *__libafl_target_list = __lafl_dummy_list;
+2562a2567
+>       __lafl_dummy_list[0] = 1;
+2584a2590
+>       __lafl_dummy_list[1] = 1;

fuzzers/libfuzzer_reachability/harness.cc

@@ -0,0 +1,197 @@
+// libpng_read_fuzzer.cc
+// Copyright 2017-2018 Glenn Randers-Pehrson
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that may
+// be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE
+
+// Last changed in libpng 1.6.35 [July 15, 2018]
+
+// The modifications in 2017 by Glenn Randers-Pehrson include
+// 1. addition of a PNG_CLEANUP macro,
+// 2. setting the option to ignore ADLER32 checksums,
+// 3. adding "#include <string.h>" which is needed on some platforms
+//    to provide memcpy().
+// 4. adding read_end_info() and creating an end_info structure.
+// 5. adding calls to png_set_*() transforms commonly used by browsers.
+
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include <vector>
+
+#define PNG_INTERNAL
+#include "png.h"
+
+#define PNG_CLEANUP \
+  if(png_handler.png_ptr) \
+  { \
+    if (png_handler.row_ptr) \
+      png_free(png_handler.png_ptr, png_handler.row_ptr); \
+    if (png_handler.end_info_ptr) \
+      png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\
+        &png_handler.end_info_ptr); \
+    else if (png_handler.info_ptr) \
+      png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\
+        nullptr); \
+    else \
+      png_destroy_read_struct(&png_handler.png_ptr, nullptr, nullptr); \
+    png_handler.png_ptr = nullptr; \
+    png_handler.row_ptr = nullptr; \
+    png_handler.info_ptr = nullptr; \
+    png_handler.end_info_ptr = nullptr; \
+  }
+
+struct BufState {
+  const uint8_t* data;
+  size_t bytes_left;
+};
+
+struct PngObjectHandler {
+  png_infop info_ptr = nullptr;
+  png_structp png_ptr = nullptr;
+  png_infop end_info_ptr = nullptr;
+  png_voidp row_ptr = nullptr;
+  BufState* buf_state = nullptr;
+
+  ~PngObjectHandler() {
+    if (row_ptr)
+      png_free(png_ptr, row_ptr);
+    if (end_info_ptr)
+      png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr);
+    else if (info_ptr)
+      png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
+    else
+      png_destroy_read_struct(&png_ptr, nullptr, nullptr);
+    delete buf_state;
+  }
+};
+
+void user_read_data(png_structp png_ptr, png_bytep data, size_t length) {
+  BufState* buf_state = static_cast<BufState*>(png_get_io_ptr(png_ptr));
+  if (length > buf_state->bytes_left) {
+    png_error(png_ptr, "read error");
+  }
+  memcpy(data, buf_state->data, length);
+  buf_state->bytes_left -= length;
+  buf_state->data += length;
+}
+
+static const int kPngHeaderSize = 8;
+
+// Entry point for LibFuzzer.
+// Roughly follows the libpng book example:
+// http://www.libpng.org/pub/png/book/chapter13.html
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size < kPngHeaderSize) {
+    return 0;
+  }
+
+  std::vector<unsigned char> v(data, data + size);
+  if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) {
+    // not a PNG.
+    return 0;
+  }
+
+  PngObjectHandler png_handler;
+  png_handler.png_ptr = nullptr;
+  png_handler.row_ptr = nullptr;
+  png_handler.info_ptr = nullptr;
+  png_handler.end_info_ptr = nullptr;
+
+  png_handler.png_ptr = png_create_read_struct
+    (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr);
+  if (!png_handler.png_ptr) {
+    return 0;
+  }
+
+  png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr);
+  if (!png_handler.info_ptr) {
+    PNG_CLEANUP
+    return 0;
+  }
+
+  png_handler.end_info_ptr = png_create_info_struct(png_handler.png_ptr);
+  if (!png_handler.end_info_ptr) {
+    PNG_CLEANUP
+    return 0;
+  }
+
+  png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
+#ifdef PNG_IGNORE_ADLER32
+  png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON);
+#endif
+
+  // Setting up reading from buffer.
+  png_handler.buf_state = new BufState();
+  png_handler.buf_state->data = data + kPngHeaderSize;
+  png_handler.buf_state->bytes_left = size - kPngHeaderSize;
+  png_set_read_fn(png_handler.png_ptr, png_handler.buf_state, user_read_data);
+  png_set_sig_bytes(png_handler.png_ptr, kPngHeaderSize);
+
+  if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
+    PNG_CLEANUP
+    return 0;
+  }
+
+  // Reading.
+  png_read_info(png_handler.png_ptr, png_handler.info_ptr);
+
+  // reset error handler to put png_deleter into scope.
+  if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
+    PNG_CLEANUP
+    return 0;
+  }
+
+  png_uint_32 width, height;
+  int bit_depth, color_type, interlace_type, compression_type;
+  int filter_type;
+
+  if (!png_get_IHDR(png_handler.png_ptr, png_handler.info_ptr, &width,
+                    &height, &bit_depth, &color_type, &interlace_type,
+                    &compression_type, &filter_type)) {
+    PNG_CLEANUP
+    return 0;
+  }
+
+  // This is going to be too slow.
+  if (width && height > 100000000 / width) {
+    PNG_CLEANUP
+#ifdef HAS_DUMMY_CRASH
+ #ifdef __aarch64__
+      asm volatile (".word 0xf7f0a000\n");
+ #else
+      asm("ud2");
+ #endif
+#endif
+    return 0;
+  }
+
+  // Set several transforms that browsers typically use:
+  png_set_gray_to_rgb(png_handler.png_ptr);
+  png_set_expand(png_handler.png_ptr);
+  png_set_packing(png_handler.png_ptr);
+  png_set_scale_16(png_handler.png_ptr);
+  png_set_tRNS_to_alpha(png_handler.png_ptr);
+
+  int passes = png_set_interlace_handling(png_handler.png_ptr);
+
+  png_read_update_info(png_handler.png_ptr, png_handler.info_ptr);
+
+  png_handler.row_ptr = png_malloc(
+      png_handler.png_ptr, png_get_rowbytes(png_handler.png_ptr,
+                                            png_handler.info_ptr));
+
+  for (int pass = 0; pass < passes; ++pass) {
+    for (png_uint_32 y = 0; y < height; ++y) {
+      png_read_row(png_handler.png_ptr,
+                   static_cast<png_bytep>(png_handler.row_ptr), nullptr);
+    }
+  }
+
+  png_read_end(png_handler.png_ptr, png_handler.end_info_ptr);
+
+  PNG_CLEANUP
+  return 0;
+}
+

fuzzers/libfuzzer_reachability/src/bin/libafl_cc.rs

@@ -0,0 +1,33 @@
+use libafl_cc::{ClangWrapper, CompilerWrapper, LIB_EXT, LIB_PREFIX};
+use std::env;
+
+fn main() {
+    let args: Vec<String> = env::args().collect();
+    if args.len() > 1 {
+        let mut dir = env::current_exe().unwrap();
+        dir.pop();
+
+        let mut cc = ClangWrapper::new("clang", "clang++");
+        cc.from_args(&args)
+            .unwrap()
+            .add_arg("-fsanitize-coverage=trace-pc-guard".into())
+            .unwrap()
+            .add_link_arg(
+                dir.join(format!("{}libfuzzer_libpng.{}", LIB_PREFIX, LIB_EXT))
+                    .display()
+                    .to_string(),
+            )
+            .unwrap();
+        // Libraries needed by libafl on Windows
+        #[cfg(windows)]
+        cc.add_link_arg("-lws2_32".into())
+            .unwrap()
+            .add_link_arg("-lBcrypt".into())
+            .unwrap()
+            .add_link_arg("-lAdvapi32".into())
+            .unwrap();
+        cc.run().unwrap();
+    } else {
+        panic!("LibAFL CC: No Arguments given");
+    }
+}

fuzzers/libfuzzer_reachability/src/bin/libafl_cxx.rs

@@ -0,0 +1,34 @@
+use libafl_cc::{ClangWrapper, CompilerWrapper, LIB_EXT, LIB_PREFIX};
+use std::env;
+
+fn main() {
+    let args: Vec<String> = env::args().collect();
+    if args.len() > 1 {
+        let mut dir = env::current_exe().unwrap();
+        dir.pop();
+
+        let mut cc = ClangWrapper::new("clang", "clang++");
+        cc.is_cpp()
+            .from_args(&args)
+            .unwrap()
+            .add_arg("-fsanitize-coverage=trace-pc-guard".into())
+            .unwrap()
+            .add_link_arg(
+                dir.join(format!("{}libfuzzer_libpng.{}", LIB_PREFIX, LIB_EXT))
+                    .display()
+                    .to_string(),
+            )
+            .unwrap();
+        // Libraries needed by libafl on Windows
+        #[cfg(windows)]
+        cc.add_link_arg("-lws2_32".into())
+            .unwrap()
+            .add_link_arg("-lBcrypt".into())
+            .unwrap()
+            .add_link_arg("-lAdvapi32".into())
+            .unwrap();
+        cc.run().unwrap();
+    } else {
+        panic!("LibAFL CC: No Arguments given");
+    }
+}