fix custom mutators and add real test cases

Author: vanhauser-thc

examples/custom_mutators/README.md

@@ -6,6 +6,9 @@ See [docs/custom_mutators.md](../docs/custom_mutators.md) for more information
 Note that if you compile with python3.7 you must use python3 scripts, and if
 you use python2.7 to compile python2 scripts!
 
+simple_example.c - most simplest example. generates a random sized buffer
+          filled with 'A'
+
 example.c - this is a simple example written in C and should be compiled to a
           shared library. Use make to compile it and produce libexamplemutator.so
 

examples/custom_mutators/example.py

@@ -21,6 +21,7 @@
     b"GET",
     b"PUT",
     b"DEL",
+    b"AAAAAAAAAAAAAAAAA",
 ]
 
 

examples/custom_mutators/simple_example.c

@@ -0,0 +1,74 @@
+// This simple example just creates random buffer <= 100 filled with 'A'
+// needs -I /path/to/AFLplusplus/include
+#include "custom_mutator_helpers.h"
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+#ifndef _FIXED_CHAR
+  #define 0x41
+#endif
+
+typedef struct my_mutator {
+
+  afl_t *afl;
+
+  // Reused buffers:
+  BUF_VAR(u8, fuzz);
+
+} my_mutator_t;
+
+my_mutator_t *afl_custom_init(afl_t *afl, unsigned int seed) {
+
+  srand(seed);
+  my_mutator_t *data = calloc(1, sizeof(my_mutator_t));
+  if (!data) {
+
+    perror("afl_custom_init alloc");
+    return NULL;
+
+  }
+
+  data->afl = afl;
+
+  return data;
+
+}
+
+size_t afl_custom_fuzz(my_mutator_t *data, uint8_t *buf, size_t buf_size,
+                       u8 **out_buf, uint8_t *add_buf,
+                       size_t add_buf_size,  // add_buf can be NULL
+                       size_t max_size) {
+
+  int size = (rand() % 100) + 1;
+  if (size > max_size) size = max_size;
+  u8 *mutated_out = maybe_grow(BUF_PARAMS(data, fuzz), size);
+  if (!mutated_out) {
+
+    *out_buf = NULL;
+    perror("custom mutator allocation (maybe_grow)");
+    return 0;            /* afl-fuzz will very likely error out after this. */
+
+  }
+
+  memset(mutated_out, _FIXED_CHAR, size);
+
+  *out_buf = mutated_out;
+  return size;
+
+}
+
+/**
+ * Deinitialize everything
+ *
+ * @param data The data ptr from afl_custom_init
+ */
+void afl_custom_deinit(my_mutator_t *data) {
+
+  free(data->fuzz_buf);
+  free(data);
+
+}
+

src/afl-fuzz-mutators.c

@@ -117,7 +117,7 @@ void destroy_custom_mutators(afl_state_t *afl) {
     LIST_FOREACH_CLEAR(&afl->custom_mutator_list, struct custom_mutator, {
 
       if (!el->data) { FATAL("Deintializing NULL mutator"); }
-      el->afl_custom_deinit(el->data);
+      if (el->afl_custom_deinit) el->afl_custom_deinit(el->data);
       if (el->dh) dlclose(el->dh);
 
       if (el->pre_save_buf) {
@@ -166,32 +166,37 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
 
   }
 
+  /* "afl_custom_deinit", optional for backward compatibility */
+  mutator->afl_custom_deinit = dlsym(dh, "afl_custom_deinit");
+  if (!mutator->afl_custom_deinit) WARNF("Symbol 'afl_custom_init' not found.");
+
   /* "afl_custom_pre_save", optional */
   mutator->afl_custom_pre_save = dlsym(dh, "afl_custom_pre_save");
   if (!mutator->afl_custom_pre_save)
-    WARNF("Symbol 'afl_custom_pre_save' not found.");
+    ACTF("optional symbol 'afl_custom_pre_save' not found.");
 
   u8 notrim = 0;
   /* "afl_custom_init_trim", optional */
   mutator->afl_custom_init_trim = dlsym(dh, "afl_custom_init_trim");
   if (!mutator->afl_custom_init_trim)
-    WARNF("Symbol 'afl_custom_init_trim' not found.");
+    ACTF("optional symbol 'afl_custom_init_trim' not found.");
 
   /* "afl_custom_trim", optional */
   mutator->afl_custom_trim = dlsym(dh, "afl_custom_trim");
-  if (!mutator->afl_custom_trim) WARNF("Symbol 'afl_custom_trim' not found.");
+  if (!mutator->afl_custom_trim)
+    ACTF("optional symbol 'afl_custom_trim' not found.");
 
   /* "afl_custom_post_trim", optional */
   mutator->afl_custom_post_trim = dlsym(dh, "afl_custom_post_trim");
   if (!mutator->afl_custom_post_trim)
-    WARNF("Symbol 'afl_custom_post_trim' not found.");
+    ACTF("optional symbol 'afl_custom_post_trim' not found.");
 
   if (notrim) {
 
     mutator->afl_custom_init_trim = NULL;
     mutator->afl_custom_trim = NULL;
     mutator->afl_custom_post_trim = NULL;
-    WARNF(
+    ACTF(
         "Custom mutator does not implement all three trim APIs, standard "
         "trimming will be used.");
 
@@ -200,23 +205,23 @@ struct custom_mutator *load_custom_mutator(afl_state_t *afl, const char *fn) {
   /* "afl_custom_havoc_mutation", optional */
   mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation");
   if (!mutator->afl_custom_havoc_mutation)
-    WARNF("Symbol 'afl_custom_havoc_mutation' not found.");
+    ACTF("optional symbol 'afl_custom_havoc_mutation' not found.");
 
   /* "afl_custom_havoc_mutation", optional */
   mutator->afl_custom_havoc_mutation_probability =
       dlsym(dh, "afl_custom_havoc_mutation_probability");
   if (!mutator->afl_custom_havoc_mutation_probability)
-    WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found.");
+    ACTF("optional symbol 'afl_custom_havoc_mutation_probability' not found.");
 
   /* "afl_custom_queue_get", optional */
   mutator->afl_custom_queue_get = dlsym(dh, "afl_custom_queue_get");
   if (!mutator->afl_custom_queue_get)
-    WARNF("Symbol 'afl_custom_queue_get' not found.");
+    ACTF("optional symbol 'afl_custom_queue_get' not found.");
 
   /* "afl_custom_queue_new_entry", optional */
   mutator->afl_custom_queue_new_entry = dlsym(dh, "afl_custom_queue_new_entry");
   if (!mutator->afl_custom_queue_new_entry)
-    WARNF("Symbol 'afl_custom_queue_new_entry' not found");
+    ACTF("optional symbol 'afl_custom_queue_new_entry' not found");
 
   OKF("Custom mutator '%s' installed successfully.", fn);
 

test/test-multiple-mutators.c

@@ -12,11 +12,10 @@
 int main(int argc, char **argv) {
 
   int  a = 0;
-  char s[16];
-  memset(s, 0, 16);
-  read(0, s, 0xa0);
+  char s[100];
+  read(0, s, 100);
 
-  if (s[17] != '\x00') { abort(); }
+  if (s[7] == 'B') { abort(); }
 
   return 0;
 

test/test.sh

@@ -970,16 +970,17 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && {
       }
     }
     # Compile the custom mutator
-    make -C ../examples/custom_mutators libexamplemutator.so > /dev/null 2>&1
-    test -e test-custom-mutator -a -e ${CUSTOM_MUTATOR_PATH}/libexamplemutator.so && {
+    cc -D_FIXED_CHAR=0x41 -g -fPIC -shared -I../include ../examples/custom_mutators/simple_example.c -o libexamplemutator.so > /dev/null 2>&1
+    cc -D_FIXED_CHAR=0x42 -g -fPIC -shared -I../include ../examples/custom_mutators/simple_example.c -o libexamplemutator2.so > /dev/null 2>&1
+    test -e test-custom-mutator -a -e ./libexamplemutator.so && {
       # Create input directory
       mkdir -p in
       echo "00000" > in/in
 
       # Run afl-fuzz w/ the C mutator
-      $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 10 seconds"
+      $ECHO "$GREY[*] running afl-fuzz for the C mutator, this will take approx 5 seconds"
       {
-        AFL_CUSTOM_MUTATOR_LIBRARY=${CUSTOM_MUTATOR_PATH}/libexamplemutator.so ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1
+        AFL_CUSTOM_MUTATOR_LIBRARY=./libexamplemutator.so AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V1 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1
       } >>errors 2>&1
 
       # Check results
@@ -996,10 +997,10 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && {
       # Clean
       rm -rf out errors
 
-      #Run afl-fuzz w/ multiple C mutators
-      $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 20 seconds"
+      # Run afl-fuzz w/ multiple C mutators
+      $ECHO "$GREY[*] running afl-fuzz with multiple custom C mutators, this will take approx 5 seconds"
       {
-        AFL_CUSTOM_MUTATOR_LIBRARY="${CUSTOM_MUTATOR_PATH}/libexamplemutator.so;${CUSTOM_MUTATOR_PATH}/libexamplemutator.so" ../afl-fuzz -V20 -m ${MEM_LIMIT} -i in -o out -- ./test-multiple-mutators >>errors 2>&1
+        AFL_CUSTOM_MUTATOR_LIBRARY="./libexamplemutator.so;./libexamplemutator2.so" AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V1 -m ${MEM_LIMIT} -i in -o out -- ./test-multiple-mutators >>errors 2>&1
       } >>errors 2>&1
 
       test -n "$( ls out/crashes/id:000000* 2>/dev/null )" && {  # TODO: update here
@@ -1016,11 +1017,11 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && {
       rm -rf out errors 
 
       # Run afl-fuzz w/ the Python mutator
-      $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 10 seconds"
+      $ECHO "$GREY[*] running afl-fuzz for the Python mutator, this will take approx 5 seconds"
       {
         export PYTHONPATH=${CUSTOM_MUTATOR_PATH}
         export AFL_PYTHON_MODULE=example
-        ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1
+        AFL_CUSTOM_MUTATOR_ONLY=1 ../afl-fuzz -V5 -m ${MEM_LIMIT} -i in -o out -- ./test-custom-mutator >>errors 2>&1
         unset PYTHONPATH
         unset AFL_PYTHON_MODULE
       } >>errors 2>&1
@@ -1039,7 +1040,7 @@ test "1" = "`../afl-fuzz | grep -i 'without python' >/dev/null; echo $?`" && {
       # Clean
       rm -rf in out errors
       rm -rf ${CUSTOM_MUTATOR_PATH}/__pycache__/
-      rm -f test-multiple-mutators
+      rm -f test-multiple-mutators test-custom-mutator libexamplemutator.so libexamplemutator2.so
     } || {
       ls .
       ls ${CUSTOM_MUTATOR_PATH}