Merge main

Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1.2
-FROM rust:1.73.0 AS libafl
+FROM rust:1.76.0 AS libafl
 LABEL "maintainer"="afl++ team <[email protected]>"
 LABEL "about"="LibAFL Docker image"
 

fuzzers/forkserver_libafl_cc/Cargo.toml

@@ -22,7 +22,7 @@ which = { version = "4.4" }
 
 [dependencies]
 clap = { version = "4.0", features = ["derive"] }
-nix = "0.26"
+nix = "0.27"
 libafl = { path = "../../libafl/" }
 libafl_bolts = { path = "../../libafl_bolts/" }
 libafl_cc = { path = "../../libafl_cc/" }

fuzzers/forkserver_simple/Cargo.toml

@@ -19,4 +19,4 @@ opt-level = 3
 libafl = { path = "../../libafl/", features = ["std", "derive"] }
 libafl_bolts = { path = "../../libafl_bolts/" }
 clap = { version = "4.0", features = ["derive"] }
-nix = "0.26"
+nix = "0.27"

fuzzers/fuzzbench/Cargo.toml

@@ -31,7 +31,7 @@ libafl_targets = { path = "../../libafl_targets/", features = ["sancov_pcguard_h
 # TODO Include it only when building cc
 libafl_cc = { path = "../../libafl_cc/" }
 clap = { version = "4.0", features = ["default"] }
-nix = "0.26"
+nix = { version = "0.27", features = ["fs"] }
 mimalloc = { version = "*", default-features = false }
 
 [lib]

fuzzers/fuzzbench_fork_qemu/Cargo.toml

@@ -25,4 +25,4 @@ libafl_bolts = { path = "../../libafl_bolts/" }
 libafl_qemu = { path = "../../libafl_qemu/", features = ["x86_64", "usermode"] }
 
 clap = { version = "4.0", features = ["default"] }
-nix = "0.26"
+nix = { version = "0.27", features = ["fs"] }

fuzzers/fuzzbench_forkserver/Cargo.toml

@@ -24,4 +24,4 @@ libafl = { path = "../../libafl/" }
 libafl_bolts = { path = "../../libafl_bolts/" }
 libafl_targets = { path = "../../libafl_targets/" }
 clap = { version = "4.0", features = ["default"] }
-nix = "0.26"
+nix = "0.27"

fuzzers/fuzzbench_forkserver_cmplog/Cargo.toml

@@ -24,4 +24,4 @@ libafl = { path = "../../libafl/" }
 libafl_bolts = { path = "../../libafl_bolts/" }
 libafl_targets = { path = "../../libafl_targets/" }
 clap = { version = "4.0", features = ["default"] }
-nix = "0.26"
+nix = "0.27"

fuzzers/fuzzbench_qemu/Cargo.toml

@@ -25,5 +25,5 @@ libafl_bolts = { path = "../../libafl_bolts/" }
 libafl_qemu = { path = "../../libafl_qemu/", features = ["x86_64", "usermode"] }
 
 clap = { version = "4.0", features = ["default"] }
-nix = "0.26"
+nix = { version = "0.27", features = ["fs"] }
 

fuzzers/fuzzbench_text/Cargo.toml

@@ -26,7 +26,7 @@ libafl_targets = { path = "../../libafl_targets/", features = ["sancov_pcguard_h
 # TODO Include it only when building cc
 libafl_cc = { path = "../../libafl_cc/" }
 clap = { version = "4.0", features = ["default"] }
-nix = "0.26"
+nix = { version = "0.27", features = ["fs"] }
 mimalloc = { version = "*", default-features = false }
 content_inspector = "0.2.4"
 #log = "0.4"

fuzzers/qemu_launcher/Cargo.toml

@@ -41,7 +41,7 @@ libafl = { path = "../../libafl/" }
 libafl_bolts = { path = "../../libafl_bolts/" }
 libafl_qemu = { path = "../../libafl_qemu/", features = ["usermode"] }
 log = {version = "0.4.20" }
-nix = { version = "0.26" }
+nix = { version = "0.27", features = ["fs"] }
 rangemap = { version = "1.3" }
 readonly = { version = "0.2.10" }
 typed-builder = { version = "0.15.1" }

fuzzers/qemu_launcher/Makefile.toml

@@ -163,7 +163,8 @@ mkdir ${TARGET_DIR}/build-png/
 
 cd ${TARGET_DIR}/build-png/ && \
     CC=$CROSS_CC \
-    CFLAGS="${CROSS_CFLAGS} -I"${TARGET_DIR}/build-zlib/zlib/lib"" \
+    CFLAGS="${CROSS_CFLAGS}" \
+    CPPFLAGS="-I${TARGET_DIR}/build-zlib/zlib/include" \
     LDFLAGS=-L"${TARGET_DIR}/build-zlib/zlib/lib" \
     ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/libpng-1.6.37/configure \
         --enable-shared=no \
@@ -212,7 +213,7 @@ ${CROSS_CXX} \
 	"${TARGET_DIR}/build-zlib/libz.a" \
     -I"${TARGET_DIR}/build-png" \
     -I"${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/libpng-1.6.37" \
-	-I"${TARGET_DIR}/build-zlib/zlib/lib" \
+	-I"${TARGET_DIR}/build-zlib/zlib/include" \
 	-L"${TARGET_DIR}/build-zlib/zlib/lib" \
     -o"${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}" \
     -lm \

libafl/Cargo.toml

@@ -163,7 +163,7 @@ backtrace = {version = "0.3", optional = true} # Used to get the stacktrace in S
 typed-builder = { version = "0.16", optional = true } # Implement the builder pattern at compiletime
 
 serde_json = { version = "1.0", optional = true, default-features = false, features = ["alloc"] }
-nix = { version = "0.26", optional = true }
+nix = { version = "0.27", optional = true }
 regex = { version = "1", optional = true }
 uuid = { version = "1.4", optional = true, features = ["serde", "v4"] }
 libm = "0.2.2"

libafl/src/corpus/mod.rs

@@ -361,21 +361,23 @@ pub mod pybind {
         fn get(&self, idx: CorpusId) -> Result<&RefCell<Testcase<BytesInput>>, Error> {
             let ptr = unwrap_me!(self.wrapper, c, {
                 c.get(idx)
-                    .map(|v| v as *const RefCell<Testcase<BytesInput>>)
+                    .map(core::ptr::from_ref::<RefCell<Testcase<BytesInput>>>)
             })?;
             Ok(unsafe { ptr.as_ref().unwrap() })
         }
 
         #[inline]
         fn current(&self) -> &Option<CorpusId> {
-            let ptr = unwrap_me!(self.wrapper, c, { c.current() as *const Option<CorpusId> });
+            let ptr = unwrap_me!(self.wrapper, c, {
+                core::ptr::from_ref::<Option<CorpusId>>(c.current())
+            });
             unsafe { ptr.as_ref().unwrap() }
         }
 
         #[inline]
         fn current_mut(&mut self) -> &mut Option<CorpusId> {
             let ptr = unwrap_me_mut!(self.wrapper, c, {
-                c.current_mut() as *mut Option<CorpusId>
+                core::ptr::from_mut::<Option<CorpusId>>(c.current_mut())
             });
             unsafe { ptr.as_mut().unwrap() }
         }

libafl/src/events/centralized.rs

@@ -86,10 +86,19 @@ where
     ///
     /// The port must not be bound yet to have a broker.
     #[cfg(feature = "std")]
-    pub fn on_port(shmem_provider: SP, port: u16) -> Result<Self, Error> {
+    pub fn on_port(
+        shmem_provider: SP,
+        port: u16,
+        client_timeout: Option<Duration>,
+    ) -> Result<Self, Error> {
         Ok(Self {
             // TODO switch to false after solving the bug
-            llmp: LlmpBroker::with_keep_pages_attach_to_tcp(shmem_provider, port, true)?,
+            llmp: LlmpBroker::with_keep_pages_attach_to_tcp(
+                shmem_provider,
+                port,
+                true,
+                client_timeout,
+            )?,
             #[cfg(feature = "llmp_compression")]
             compressor: GzipCompressor::new(COMPRESS_THRESHOLD),
             phantom: PhantomData,

libafl/src/events/launcher.rs

@@ -24,7 +24,7 @@ use std::net::SocketAddr;
 #[cfg(all(feature = "std", any(windows, not(feature = "fork"))))]
 use std::process::Stdio;
 #[cfg(all(unix, feature = "std", feature = "fork"))]
-use std::{fs::File, os::unix::io::AsRawFd};
+use std::{fs::File, os::unix::io::AsRawFd, time::Duration};
 
 #[cfg(all(feature = "std", any(windows, not(feature = "fork"))))]
 use libafl_bolts::os::startable_self;
@@ -496,10 +496,9 @@ where
     S: State + HasExecutions,
     SP: ShMemProvider + 'static,
 {
-    /// Launch the broker and the clients and fuzz
     #[allow(clippy::similar_names)]
     #[allow(clippy::too_many_lines)]
-    pub fn launch(&mut self) -> Result<(), Error> {
+    fn launch_internal(&mut self, client_timeout: Option<Duration>) -> Result<(), Error> {
         if self.cores.ids.is_empty() {
             return Err(Error::illegal_argument(
                 "No cores to spawn on given, cannot launch anything.",
@@ -544,6 +543,7 @@ where
                     CentralizedLlmpEventBroker::on_port(
                         self.shmem_provider.clone(),
                         self.centralized_broker_port,
+                        client_timeout,
                     )?;
                 broker.broker_loop()?;
             }
@@ -643,4 +643,14 @@ where
 
         Ok(())
     }
+
+    /// Launch the broker and the clients and fuzz
+    pub fn launch(&mut self) -> Result<(), Error> {
+        self.launch_internal(None)
+    }
+
+    /// Launch the broker and the clients and fuzz with a given timeout for the clients
+    pub fn launch_with_client_timeout(&mut self, client_timeout: Duration) -> Result<(), Error> {
+        self.launch_internal(Some(client_timeout))
+    }
 }

libafl/src/events/llmp.rs

@@ -109,10 +109,15 @@ where
     ///
     /// The port must not be bound yet to have a broker.
     #[cfg(feature = "std")]
-    pub fn on_port(shmem_provider: SP, monitor: MT, port: u16) -> Result<Self, Error> {
+    pub fn on_port(
+        shmem_provider: SP,
+        monitor: MT,
+        port: u16,
+        client_timeout: Option<Duration>,
+    ) -> Result<Self, Error> {
         Ok(Self {
             monitor,
-            llmp: llmp::LlmpBroker::create_attach_to_tcp(shmem_provider, port)?,
+            llmp: llmp::LlmpBroker::create_attach_to_tcp(shmem_provider, port, client_timeout)?,
             #[cfg(feature = "llmp_compression")]
             compressor: GzipCompressor::new(COMPRESS_THRESHOLD),
             phantom: PhantomData,
@@ -1172,8 +1177,10 @@ where
         false
     }
 
-    /// Launch the restarting manager
-    pub fn launch(&mut self) -> Result<(Option<S>, LlmpRestartingEventManager<S, SP>), Error> {
+    fn launch_internal(
+        &mut self,
+        client_timeout: Option<Duration>,
+    ) -> Result<(Option<S>, LlmpRestartingEventManager<S, SP>), Error> {
         // We start ourself as child process to actually fuzz
         let (staterestorer, new_shmem_provider, core_id) = if std::env::var(_ENV_FUZZER_SENDER)
             .is_err()
@@ -1195,8 +1202,11 @@ where
             // We get here if we are on Unix, or we are a broker on Windows (or without forks).
             let (mgr, core_id) = match self.kind {
                 ManagerKind::Any => {
-                    let connection =
-                        LlmpConnection::on_port(self.shmem_provider.clone(), self.broker_port)?;
+                    let connection = LlmpConnection::on_port(
+                        self.shmem_provider.clone(),
+                        self.broker_port,
+                        client_timeout,
+                    )?;
                     match connection {
                         LlmpConnection::IsBroker { broker } => {
                             let event_broker = LlmpEventBroker::<S::Input, MT, SP>::new(
@@ -1224,6 +1234,7 @@ where
                         self.shmem_provider.clone(),
                         self.monitor.take().unwrap(),
                         self.broker_port,
+                        client_timeout,
                     )?;
 
                     broker_things(event_broker, self.remote_broker_addr)?;
@@ -1386,6 +1397,19 @@ where
 
         Ok((state, mgr))
     }
+
+    /// Launch the restarting manager
+    pub fn launch(&mut self) -> Result<(Option<S>, LlmpRestartingEventManager<S, SP>), Error> {
+        self.launch_internal(None)
+    }
+
+    /// Launch the restarting manager with a custom client timeout
+    pub fn launch_with_client_timeout(
+        &mut self,
+        client_timeout: Duration,
+    ) -> Result<(Option<S>, LlmpRestartingEventManager<S, SP>), Error> {
+        self.launch_internal(Some(client_timeout))
+    }
 }
 
 /// A manager-like llmp client that converts between input types

libafl/src/executors/differential.rs

@@ -205,8 +205,8 @@ where
 
 impl<A, B, DOT> ProxyObserversTuple<A, B, DOT> {
     fn set(&mut self, primary: &A, secondary: &B) {
-        self.primary = OwnedMutPtr::Ptr(primary as *const A as *mut A);
-        self.secondary = OwnedMutPtr::Ptr(secondary as *const B as *mut B);
+        self.primary = OwnedMutPtr::Ptr(core::ptr::from_ref::<A>(primary) as *mut A);
+        self.secondary = OwnedMutPtr::Ptr(core::ptr::from_ref::<B>(secondary) as *mut B);
     }
 }
 

libafl/src/executors/forkserver.rs

@@ -9,7 +9,10 @@ use core::{
 use std::{
     ffi::{OsStr, OsString},
     io::{self, prelude::*, ErrorKind},
-    os::unix::{io::RawFd, process::CommandExt},
+    os::{
+        fd::{AsRawFd, BorrowedFd},
+        unix::{io::RawFd, process::CommandExt},
+    },
     path::Path,
     process::{Child, Command, Stdio},
 };
@@ -439,11 +442,15 @@ impl Forkserver {
             )));
         };
 
+        // # Safety
+        // The FDs are valid as this point in time.
+        let st_read = unsafe { BorrowedFd::borrow_raw(st_read) };
+
         let mut readfds = FdSet::new();
-        readfds.insert(st_read);
+        readfds.insert(&st_read);
         // We'll pass a copied timeout to keep the original timeout intact, because select updates timeout to indicate how much time was left. See select(2)
         let sret = pselect(
-            Some(readfds.highest().unwrap() + 1),
+            Some(readfds.highest().unwrap().as_raw_fd() + 1),
             &mut readfds,
             None,
             None,
@@ -526,11 +533,16 @@ where
         &self.args
     }
 
-    /// The [`Forkserver`] instance.
+    /// Get a reference to the [`Forkserver`] instance.
     pub fn forkserver(&self) -> &Forkserver {
         &self.forkserver
     }
 
+    /// Get a mutable reference to the [`Forkserver`] instance.
+    pub fn forkserver_mut(&mut self) -> &mut Forkserver {
+        &mut self.forkserver
+    }
+
     /// The [`InputFile`] used by this [`Executor`].
     pub fn input_file(&self) -> &InputFile {
         &self.input_file

libafl/src/executors/hooks/timer.rs

@@ -299,7 +299,7 @@ impl TimerStruct {
                 let data = addr_of_mut!(GLOBAL_STATE);
                 write_volatile(
                     addr_of_mut!((*data).executor_ptr),
-                    self as *mut _ as *mut c_void,
+                    core::ptr::from_mut(self) as *mut c_void,
                 );
 
                 if self.executions == 0 {

libafl/src/executors/inprocess.rs

@@ -178,25 +178,25 @@ where
             let data = addr_of_mut!(GLOBAL_STATE);
             write_volatile(
                 addr_of_mut!((*data).current_input_ptr),
-                input as *const _ as *const c_void,
+                core::ptr::from_ref(input) as *const c_void,
             );
             write_volatile(
                 addr_of_mut!((*data).executor_ptr),
-                self as *const _ as *const c_void,
+                core::ptr::from_ref(self) as *const c_void,
             );
             // Direct raw pointers access /aliasing is pretty undefined behavior.
             // Since the state and event may have moved in memory, refresh them right before the signal may happen
             write_volatile(
                 addr_of_mut!((*data).state_ptr),
-                state as *mut _ as *mut c_void,
+                core::ptr::from_mut(state) as *mut c_void,
             );
             write_volatile(
                 addr_of_mut!((*data).event_mgr_ptr),
-                mgr as *mut _ as *mut c_void,
+                core::ptr::from_mut(mgr) as *mut c_void,
             );
             write_volatile(
                 addr_of_mut!((*data).fuzzer_ptr),
-                fuzzer as *mut _ as *mut c_void,
+                core::ptr::from_mut(fuzzer) as *mut c_void,
             );
             compiler_fence(Ordering::SeqCst);
         }
@@ -252,7 +252,8 @@ where
         )
     }
 
-    /// Create a new in mem executor with the default timeout and use batch mode(5 sec)
+    /// Create a new in mem executor with the default timeout and use batch mode (5 sec)
+    /// Do not use batched mode timeouts with cmplog cores. It is not supported
     #[cfg(all(feature = "std", target_os = "linux"))]
     pub fn batched_timeouts<EM, OF, Z>(
         harness_fn: &'a mut H,

libafl/src/executors/inprocess_fork.rs

@@ -278,15 +278,15 @@ where
             let data = addr_of_mut!(FORK_EXECUTOR_GLOBAL_DATA);
             write_volatile(
                 addr_of_mut!((*data).executor_ptr),
-                self as *const _ as *const c_void,
+                core::ptr::from_ref(self) as *const c_void,
             );
             write_volatile(
                 addr_of_mut!((*data).current_input_ptr),
-                input as *const _ as *const c_void,
+                core::ptr::from_ref(input) as *const c_void,
             );
             write_volatile(
                 addr_of_mut!((*data).state_ptr),
-                state as *mut _ as *mut c_void,
+                core::ptr::from_mut(state) as *mut c_void,
             );
             compiler_fence(Ordering::SeqCst);
         }