Merge branch 'main' into fuzzing-types

srlabs · Jan 31, 2024 · 437d480 · 437d480
2 parents 85ea2d1 + 9baf36e
commit 437d480
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 74 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -27,7 +27,6 @@ glob = { version = "0.3.1", optional = true }
 honggfuzz = { package = "ziggy-honggfuzz-2", version = "0.5.55", optional = true }
 libc = { version = "0.2.147", optional = true }
 log = { version = "0.4.20", optional = true }
-rand = { version = "0.8", optional = true }
 semver = { version = "1.0", optional = true }
 serde_json = { version = "1.0.105", optional = true }
 strip-ansi-escapes = { version = "0.2.0", optional = true }
@@ -47,7 +46,6 @@ cli = [
     "log",
     "env_logger",
     "strip-ansi-escapes",
-    "rand",
     "libc",
     "time-humanize",
     "cargo_metadata",

diff --git a/src/bin/cargo-ziggy/fuzz.rs b/src/bin/cargo-ziggy/fuzz.rs
@@ -324,12 +324,7 @@ impl Fuzz {
                     2..=3 => "-Pexplore",
                     _ => "-Pexploit",
                 };
-                /* wait for afl crate update
-                let mutation_option = match job_num / 2 {
-                    0 => "-abinary",
-                    _ => "-adefault",
-                };
-                */
+                let input_format_option = self.config.input_format_flag();
                 let log_destination = || match job_num {
                     0 => File::create(format!("{}/logs/afl.log", self.output_target()))
                         .unwrap()
@@ -357,20 +352,20 @@ impl Fuzz {
                                 &format!("-g{}", self.min_length),
                                 &format!("-G{}", self.max_length),
                                 &use_shared_corpus,
-                                // &format!("-V{}", self.minimization_timeout + SECONDS_TO_WAIT_AFTER_KILL, &use_initial_corpus_dir),
                                 &use_initial_corpus_dir,
                                 old_queue_cycling,
                                 cmplog_options,
                                 mopt_mutator,
                                 mutation_option,
+                                input_format_option,
                                 &timeout_option_afl,
                                 &dictionary_option,
-                                &self.afl_flags.clone().unwrap_or_default(),
-                                &format!("./target/afl/debug/{}", self.target),
                             ]
                             .iter()
                             .filter(|a| a != &&""),
                         )
+                        .args(self.afl_flags.clone())
+                        .arg(format!("./target/afl/debug/{}", self.target))
                         .env("AFL_AUTORESUME", "1")
                         .env("AFL_TESTCACHE_SIZE", "100")
                         .env("AFL_FAST_CAL", "1")
@@ -381,8 +376,8 @@ impl Fuzz {
                         .env("AFL_NO_WARN_INSTABILITY", "1")
                         .env("AFL_FUZZER_STATS_UPDATE_INTERVAL", "10")
                         .env("AFL_IMPORT_FIRST", "1")
-                        .env(final_sync, "1") // upcoming in v4.09c
-                        .env("AFL_IGNORE_SEED_PROBLEMS", "1") // upcoming in v4.09c
+                        .env(final_sync, "1")
+                        .env("AFL_IGNORE_SEED_PROBLEMS", "1")
                         .stdout(log_destination())
                         .stderr(log_destination())
                         .spawn()?,
@@ -775,6 +770,31 @@ impl Fuzz {
     }
 }
 
+#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, ValueEnum, Debug)]
+pub enum FuzzingConfig {
+    Generic,
+    Binary,
+    Text,
+    Blockchain,
+}
+
+impl FuzzingConfig {
+    fn input_format_flag(&self) -> &str {
+        match self {
+            Self::Text => "-atext",
+            Self::Binary => "-abinary",
+            _ => "",
+        }
+    }
+}
+
+use std::fmt;
+impl fmt::Display for FuzzingConfig {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{:?}", self)
+    }
+}
+
 pub fn kill_subprocesses_recursively(pid: &str) -> Result<(), anyhow::Error> {
     let subprocesses = process::Command::new("pgrep")
         .arg(&format!("-P{pid}"))

diff --git a/src/bin/cargo-ziggy/main.rs b/src/bin/cargo-ziggy/main.rs
@@ -10,6 +10,8 @@ mod plot;
 mod run;
 mod triage;
 
+#[cfg(feature = "cli")]
+use crate::fuzz::FuzzingConfig;
 #[cfg(feature = "cli")]
 use anyhow::{anyhow, Context, Result};
 #[cfg(feature = "cli")]
@@ -151,7 +153,11 @@ pub struct Fuzz {
 
     /// Pass flags to AFL++ directly
     #[clap(short, long)]
-    afl_flags: Option<String>,
+    afl_flags: Vec<String>,
+
+    /// AFL++ configuration
+    #[clap(short = 'C', long, default_value = "generic")]
+    config: FuzzingConfig,
 }
 
 #[derive(Args)]