Pr/fasan multithreading fixes upstream #2955

Merged

54 commits
766c908
Fixing the test_harness library name
mkravchik Jan 10, 2025
ea9a3ab
Fasan works, but testing of all features is pending
mkravchik Aug 5, 2024
715d6d8
Tests pass, before fixing clippy and fmt
mkravchik Aug 25, 2024
d2c675d
Clippy+fmt
mkravchik Aug 26, 2024
03940d8
Clippy+fmt+tests running on Linux
mkravchik Aug 26, 2024
f8929c0
Clippy
mkravchik Aug 26, 2024
e425797
Not stalkering the fuzzer. In the correct way
mkravchik Sep 17, 2024
20a7516
Removing the instrumentation upon crash. Proper hooking of UnmapViewO…
mkravchik Nov 6, 2024
edaf21f
Fixes after the merge from the upstream (before 0.15.0). Still need t…
mkravchik Jan 24, 2025
523aa3b
Adding the helper observer and using it in the test
mkravchik Jan 29, 2025
c1f1d61
Removing the observer from the wrong location
mkravchik Jan 29, 2025
bda1c68
Adapting to the new helper ownership model
mkravchik Jan 29, 2025
599ea9f
Adding an observer to shut down instrumentation upon crash
mkravchik Jan 29, 2025
19b6a43
Clippy + fmt
mkravchik Jan 29, 2025
dfe7f90
Merge with upstream/main at 0.15.0. Dependent on the fix of frida gli…
mkravchik Jan 31, 2025
b3897fb
Using mimalloc everywhere
mkravchik Jan 31, 2025
2b61856
Deactivating before activating with the harness. Otherwise, gets stuc…
mkravchik Feb 5, 2025
c1fe491
Fixing imports for windows
mkravchik Feb 5, 2025
3df9ccd
Using the new way of passing the handler
mkravchik Feb 5, 2025
53ff249
Using frida_helper_shutdown_observer
mkravchik Feb 5, 2025
bd5e193
Clippy+fmt
mkravchik Feb 5, 2025
7013144
no-std, clippy
mkravchik Feb 5, 2025
f882683
Merge branch 'pr/fasan-multithreading-fixes-upstream' of https://gith…
mkravchik Feb 5, 2025
1033f0a
Fmt
mkravchik Feb 5, 2025
be7daf0
Merge branch 'pr/fasan-multithreading-fixes-upstream' of https://gith…
mkravchik Feb 5, 2025
2ba593d
Stable thread_id
mkravchik Feb 5, 2025
a5eb759
Clippy 18
mkravchik Feb 5, 2025
55609bd
More clippy
mkravchik Feb 6, 2025
bb48783
Merge remote-tracking branch 'upstream/main' into main
mkravchik Feb 6, 2025
313a287
Formatting toml
mkravchik Feb 6, 2025
b1c7e30
Fixing apples
mkravchik Feb 6, 2025
b4b7394
Fixing apples 2
mkravchik Feb 6, 2025
d430976
Fixing apples 3
mkravchik Feb 6, 2025
67b4beb
Upping to 0.16.7 (necessary for Windows)
mkravchik Feb 7, 2025
4be02b0
Clippy+fmt
mkravchik Feb 7, 2025
d252b10
Enabling the allocator test after the fix and clarifying the importan…
mkravchik Feb 8, 2025
4f2de21
Moving has_tls to bolts
mkravchik Feb 9, 2025
2443a98
Proper handling of no-std, hopefully
mkravchik Feb 10, 2025
a56c4b3
Another attempt to fix win no-std
mkravchik Feb 10, 2025
2d606bb
Not my clippy complaint...
mkravchik Feb 10, 2025
be7df84
Not my clippy complaint #2...
mkravchik Feb 10, 2025
228f48e
Dlmalloc not used, removing from dependencies
mkravchik Feb 10, 2025
a4a147a
Restoring target in config.toml (otherwise fails CI on Linux)
mkravchik Feb 10, 2025
706c272
lots of digging around, pray for us
addisoncrump Feb 11, 2025
8f91ac1
Merge branch 'main' into pr/fasan-multithreading-fixes-upstream
addisoncrump Feb 11, 2025
1d7c5d4
fixup?
addisoncrump Feb 11, 2025
2640ddc
Merge branch 'main' into pr/fasan-multithreading-fixes-upstream
tokatoka Feb 13, 2025
61908b8
Merge branch 'main' into pr/fasan-multithreading-fixes-upstream
tokatoka Feb 13, 2025
185d5e0
Revert "lots of digging around, pray for us"
mkravchik Feb 14, 2025
1110f6f
Revert "fixup?"
mkravchik Feb 14, 2025
0c2a6c3
Revert artifact
mkravchik Feb 14, 2025
8f716aa
Revert fixups
mkravchik Feb 14, 2025
a4be351
Removing unused
mkravchik Feb 14, 2025
c8089ad
Reverting to upstream/main
mkravchik Feb 14, 2025
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -75,3 +75,5 @@ harness
program
fuzzer_libpng*
forkserver_simple

*.patch
2 changes: 1 addition & 1 deletion fuzzers/binary_only/frida_executable_libpng/Cargo.toml
Expand Up @@ -25,7 +25,7 @@ libafl = { path = "../../../libafl", features = [
"frida_cli",
] } #, "llmp_small_maps", "llmp_debug"]}
libafl_bolts = { path = "../../../libafl_bolts" }
frida-gum = { version = "0.16.5", features = [
frida-gum = { version = "0.16.7", features = [
"auto-download",
"event-sink",
"invocation-listener",
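Review bot: the frida-gum pin is bumped from 0.16.5 to 0.16.7 here and again in frida_libpng/Cargo.toml and frida_windows_gdiplus/Cargo.toml, but the only record of why is the commit message "Upping to 0.16.7 (necessary for Windows)". Because the three example fuzzers have to stay in lockstep with the frida-gum version libafl_frida itself builds against, a short comment next to the pin (or a single workspace-level dependency the fuzzers inherit) would keep the next bump from missing one of them.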
73 changes: 52 additions & 21 deletions fuzzers/binary_only/frida_executable_libpng/src/fuzzer.rs
@@ -1,6 +1,6 @@
//! A libfuzzer-like fuzzer with llmp-multithreading support and restarts
//! The example harness is built for libpng.
use std::{path::PathBuf, ptr::null};
use std::{cell::RefCell, path::PathBuf, ptr::null, rc::Rc};

use frida_gum::Gum;
use libafl::{
Expand Down Expand Up @@ -43,6 +43,7 @@ use libafl_frida::{
cmplog_rt::CmpLogRuntime,
coverage_rt::{CoverageRuntime, MAP_SIZE},
executor::FridaInProcessExecutor,
frida_helper_shutdown_observer::FridaHelperObserver,
helper::FridaInstrumentationHelper,
};
use libafl_targets::cmplog::CmpLogObserver;
Expand Down Expand Up @@ -113,16 +114,22 @@ unsafe fn fuzz(
let asan = AsanRuntime::new(options);

#[cfg(unix)]
let mut frida_helper =
FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, asan));
let frida_helper = Rc::new(RefCell::new(FridaInstrumentationHelper::new(
&gum,
options,
tuple_list!(coverage, asan),
)));
#[cfg(windows)]
let mut frida_helper =
FridaInstrumentationHelper::new(&gum, &options, tuple_list!(coverage));
let frida_helper = Rc::new(RefCell::new(FridaInstrumentationHelper::new(
&gum,
&options,
tuple_list!(coverage),
Collaborator

Shouldn't this always include asan?

Collaborator

This code should all be deduplicated similar to what has been done in frida_libpng. (I.e. using IfElseRuntime)

Contributor Author

As for your first question, I looked at this fuzzer's Makefile.toml and it looks like Windows is unsupported; the README says so as well. I'm actually not sure what #[cfg(windows)] does there.
As for the second, this was not part of my change, and frankly speaking I'm not sure how to do it exactly. Is it just copy-paste from frida_libpng? Is there any documentation on this IfElseRuntime?

Collaborator

Ok, leave it. I will do it in a follow-up PR.

)));

// Create an observation channel using the coverage map
let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
"edges",
frida_helper.map_mut_ptr().unwrap(),
frida_helper.borrow_mut().map_mut_ptr().unwrap(),
MAP_SIZE,
))
.track_indices();
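Review bot: `frida_helper.borrow_mut().map_mut_ptr().unwrap()` pulls a raw pointer out of a `RefMut` temporary that is dropped at the end of the statement, so the coverage-map pointer handed to `StdMapObserver::from_mut_ptr` outlives the `RefCell` borrow that now nominally guards the helper. That is only sound if the map storage is heap-allocated and is neither moved nor freed while any `Rc` clone is alive; a one-line comment stating that invariant next to the call would help, because the `Rc<RefCell<...>>` wrapper otherwise suggests the borrow is what protects it. Separately, the `#[cfg(windows)]` branch still builds the helper without `asan`, the point raised in the thread above; if this fuzzer is Windows-unsupported per its Makefile.toml and README, removing the branch (or replacing it with a `compile_error!`) would be clearer than keeping a silently divergent configuration.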
Expand All @@ -131,6 +138,7 @@ unsafe fn fuzz(
let time_observer = TimeObserver::new("time");
#[cfg(unix)]
let asan_observer = AsanErrorsObserver::from_static_asan_errors();
let frida_helper_observer = FridaHelperObserver::new(Rc::clone(&frida_helper));

// Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR
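Review bot: `FridaHelperObserver::new(Rc::clone(&frida_helper))` gives the observer its own handle to the shared `RefCell`, and the executor receives another `Rc::clone(&frida_helper)` further down in this file. Each of them calls `borrow_mut()` at run time, so if the executor still holds its borrow when the observer's post-execution hook runs, the result is a panic rather than a compile error. A comment (or a `debug_assert!` on `try_borrow_mut()` in the observer) saying which component is expected to own the borrow in each phase of an execution would make that contract visible.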
Expand Down Expand Up @@ -196,9 +204,14 @@ unsafe fn fuzz(
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

#[cfg(unix)]
let observers = tuple_list!(edges_observer, time_observer, asan_observer);
let observers = tuple_list!(
frida_helper_observer,
edges_observer,
time_observer,
asan_observer
);
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer);
let observers = tuple_list!(frida_helper_observer, edges_observer, time_observer);

// Create the executor for an in-process function with just one observer for edge coverage
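Review bot: `frida_helper_observer` is placed first in both `tuple_list!` invocations. If the position is deliberate (for example, instrumentation must be shut down before `edges_observer` or `asan_observer` read their state after a crash), a comment saying so would stop a future reordering from silently changing crash handling; if the order does not matter, say that instead.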
let mut executor = FridaInProcessExecutor::new(
Expand All @@ -210,7 +223,7 @@ unsafe fn fuzz(
&mut state,
&mut mgr,
)?,
&mut frida_helper,
Rc::clone(&frida_helper),
);

// In case the corpus is empty (on first run), reset
Expand Down Expand Up @@ -238,13 +251,16 @@ unsafe fn fuzz(
let coverage = CoverageRuntime::new();
let cmplog = CmpLogRuntime::new();

let mut frida_helper =
FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage, cmplog));
let mut frida_helper = Rc::new(RefCell::new(FridaInstrumentationHelper::new(
&gum,
options,
tuple_list!(coverage, cmplog),
)));

// Create an observation channel using the coverage map
let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
"edges",
frida_helper.map_mut_ptr().unwrap(),
frida_helper.borrow_mut().map_mut_ptr().unwrap(),
MAP_SIZE,
))
.track_indices();
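Review bot: `let mut frida_helper = Rc::new(RefCell::new(...))` no longer needs `mut`: the helper is only reached through `borrow_mut()` and `Rc::clone`, both of which take `&self`, so rustc will warn about an unused `mut` here (the first `frida_helper` near the top of this file is already written without it). The same applies to the third `let mut frida_helper` later in this file.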
Expand All @@ -253,6 +269,7 @@ unsafe fn fuzz(
let time_observer = TimeObserver::new("time");
#[cfg(unix)]
let asan_observer = AsanErrorsObserver::from_static_asan_errors();
let frida_helper_observer = FridaHelperObserver::new(Rc::clone(&frida_helper));

// Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR
Expand Down Expand Up @@ -316,9 +333,14 @@ unsafe fn fuzz(
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

#[cfg(unix)]
let observers = tuple_list!(edges_observer, time_observer, asan_observer);
let observers = tuple_list!(
frida_helper_observer,
edges_observer,
time_observer,
asan_observer
);
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer);
let observers = tuple_list!(frida_helper_observer, edges_observer, time_observer);

// Create the executor for an in-process function with just one observer for edge coverage
let mut executor = FridaInProcessExecutor::new(
Expand All @@ -330,7 +352,7 @@ unsafe fn fuzz(
&mut state,
&mut mgr,
)?,
&mut frida_helper,
Rc::clone(&frida_helper),
);

// In case the corpus is empty (on first run), reset
Expand Down Expand Up @@ -373,13 +395,16 @@ unsafe fn fuzz(

let coverage = CoverageRuntime::new();

let mut frida_helper =
FridaInstrumentationHelper::new(&gum, options, tuple_list!(coverage));
let mut frida_helper = Rc::new(RefCell::new(FridaInstrumentationHelper::new(
&gum,
options,
tuple_list!(coverage),
)));

// Create an observation channel using the coverage map
let edges_observer = HitcountsMapObserver::new(StdMapObserver::from_mut_ptr(
"edges",
frida_helper.map_mut_ptr().unwrap(),
frida_helper.borrow_mut().map_mut_ptr().unwrap(),
MAP_SIZE,
))
.track_indices();
Expand All @@ -388,6 +413,7 @@ unsafe fn fuzz(
let time_observer = TimeObserver::new("time");
#[cfg(unix)]
let asan_observer = AsanErrorsObserver::from_static_asan_errors();
let frida_helper_observer = FridaHelperObserver::new(Rc::clone(&frida_helper));

// Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR
Expand Down Expand Up @@ -451,9 +477,14 @@ unsafe fn fuzz(
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

#[cfg(unix)]
let observers = tuple_list!(edges_observer, time_observer, asan_observer);
let observers = tuple_list!(
frida_helper_observer,
edges_observer,
time_observer,
asan_observer
);
#[cfg(windows)]
let observers = tuple_list!(edges_observer, time_observer);
let observers = tuple_list!(frida_helper_observer, edges_observer, time_observer);

// Create the executor for an in-process function with just one observer for edge coverage
let mut executor = FridaInProcessExecutor::new(
Expand All @@ -465,7 +496,7 @@ unsafe fn fuzz(
&mut state,
&mut mgr,
)?,
&mut frida_helper,
Rc::clone(&frida_helper),
);

// In case the corpus is empty (on first run), reset
2 changes: 1 addition & 1 deletion fuzzers/binary_only/frida_libpng/Cargo.toml
Expand Up @@ -27,7 +27,7 @@ libafl = { path = "../../../libafl", features = [
"errors_backtrace",
] } #, "llmp_small_maps", "llmp_debug"]}
libafl_bolts = { path = "../../../libafl_bolts" }
frida-gum = { version = "0.16.5", features = [
frida-gum = { version = "0.16.7", features = [
"auto-download",
"event-sink",
"invocation-listener",
23 changes: 17 additions & 6 deletions fuzzers/binary_only/frida_libpng/src/fuzzer.rs
@@ -1,6 +1,6 @@
//! A libfuzzer-like fuzzer with llmp-multithreading support and restarts
//! The example harness is built for libpng.
use std::path::PathBuf;
use std::{cell::RefCell, path::PathBuf, rc::Rc};

use frida_gum::Gum;
use libafl::{
Expand Down Expand Up @@ -40,6 +40,7 @@ use libafl_frida::{
cmplog_rt::CmpLogRuntime,
coverage_rt::{CoverageRuntime, MAP_SIZE},
executor::FridaInProcessExecutor,
frida_helper_shutdown_observer::FridaHelperObserver,
helper::{FridaInstrumentationHelper, IfElseRuntime},
};
use libafl_targets::cmplog::CmpLogObserver;
Expand Down Expand Up @@ -104,7 +105,7 @@ fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let options_clone = options.clone();
let client_description_clone2 = client_description.clone();
let options_clone2 = options.clone();
let mut frida_helper = FridaInstrumentationHelper::new(
let frida_helper = Rc::new(RefCell::new(FridaInstrumentationHelper::new(
&gum,
options,
tuple_list!(
Expand All @@ -120,17 +121,22 @@ fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
),
coverage
),
);
)));

// Create an observation channel using the coverage map
let edges_observer = HitcountsMapObserver::new(unsafe {
StdMapObserver::from_mut_ptr("edges", frida_helper.map_mut_ptr().unwrap(), MAP_SIZE)
StdMapObserver::from_mut_ptr(
"edges",
frida_helper.borrow_mut().map_mut_ptr().unwrap(),
MAP_SIZE,
)
})
.track_indices();

// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
let asan_observer = AsanErrorsObserver::from_static_asan_errors();
let frida_helper_observer = FridaHelperObserver::new(Rc::clone(&frida_helper));

// Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR
Expand Down Expand Up @@ -187,7 +193,12 @@ fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);

let observers = tuple_list!(edges_observer, time_observer, asan_observer);
let observers = tuple_list!(
frida_helper_observer,
edges_observer,
time_observer,
asan_observer
);

// Create the executor for an in-process function with just one observer for edge coverage
let executor = FridaInProcessExecutor::new(
Expand All @@ -200,7 +211,7 @@ fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
&mut mgr,
options.timeout,
)?,
&mut frida_helper,
Rc::clone(&frida_helper),
);
// Create an observation channel using cmplog map
let cmplog_observer = CmpLogObserver::new("cmplog", true);
2 changes: 2 additions & 0 deletions fuzzers/binary_only/frida_windows_gdiplus/.cargo/config.toml
@@ -0,0 +1,2 @@
[build]
rustflags = ["-C", "target-feature=+crt-static"]
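Review bot: `[build] rustflags = ["-C", "target-feature=+crt-static"]` is unscoped, so it applies to whatever target is built from this directory rather than only the MSVC target it is meant for; scoping it as `[target.x86_64-pc-windows-msvc]` with the same `rustflags` line would make the intent explicit (the commit list records an earlier form of this file breaking CI on Linux). This file also replaces the deleted `cargo/.config`, a path Cargo never reads, so the rename to `.cargo/config.toml` is what makes the setting take effect at all; that is worth a sentence in the README note that documents the flag.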
2 changes: 1 addition & 1 deletion fuzzers/binary_only/frida_windows_gdiplus/Cargo.toml
Expand Up @@ -23,7 +23,7 @@ libafl = { path = "../../../libafl", features = [
"errors_backtrace",
] } #, "llmp_small_maps", "llmp_debug"]}
libafl_bolts = { path = "../../../libafl_bolts" }
frida-gum = { version = "0.16.5", features = [
frida-gum = { version = "0.16.7", features = [
"auto-download",
"event-sink",
"invocation-listener",
2 changes: 2 additions & 0 deletions fuzzers/binary_only/frida_windows_gdiplus/README.md
Expand Up @@ -9,6 +9,8 @@ To build this example, run `cargo build --release` in this folder.

Then compile the harness `cl.exe /LD harness.cc /link /dll gdiplus.lib ole32.lib`

Note: this fuzzer is **statically linked** with C runtime. This is achieved by specifying `rustflags = ["-C", "target-feature=+crt-static"]` in `.cargo/config.toml`. The static linking is necessary to avoid Asan function hooks to hook the calls from the fuzzer itself, as such self-hooking can eventually lead to deadlocks in internal Frida mechanisms.

## Run

To run the example `target\release\frida_windows_gdiplus.exe -H harness.dll -i corpus -o output --libs-to-instrument gdi32.dll --libs-to-instrument gdi32full.dll --libs-to-instrument gdiplus.dll --libs-to-instrument WindowsCodecs.dll --disable-excludes`
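Review bot: the new note's clause "to avoid Asan function hooks to hook the calls from the fuzzer itself" is ungrammatical; suggest "to keep the ASan function hooks from intercepting calls made by the fuzzer itself, since such self-hooking can eventually deadlock Frida's internal mechanisms". It would also help to name the CRT functions that were being self-hooked, so a reader who builds without `+crt-static` can recognise the symptom rather than just seeing a hang.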
2 changes: 0 additions & 2 deletions fuzzers/binary_only/frida_windows_gdiplus/cargo/.config

This file was deleted.