Introduce libafl-fuzz (AFLplusplus#2362)

* Introduce libafl-fuzz

* fix corpus file path

* simplify SeedFeedback

* fix incorrect comment

* add clap::ValueEnum to PowerSchedule as an optional derive if clap is enabled

* UnixShMemProvider replaced with StdShMemProvider for libafl-fuzz

* remove io_error_more feature constraint

* libafl-fuzz: make Ok(()) unreachable in CentralizedLauncher

* libafl-fuzz: make harness_input_stdin to harness_input_type with &'static

* libafl-fuzz: move each feedback to it's own file

* make run_fuzzer_with_stage into a function.
use CachedOnDiskCorpus instead of OnDiskCorpus for Corpora
remove utils file

* remove unecessary clone

* libafl-fuzz: cleanup AFLStatsStage

* move peak_rss_mb to libafl_bolts

* parse envs by hand

* add sensible defaults for map size and broker port

* fix test.sh and corpus_id padding

* add Makefile.toml

* libafl-fuzz update test suite

* libafl-fuzz: clippy

* rename peak_rss_mb to peak_rss_mb_children

* remove minor version constraint for clap

* libafl-fuzz: fix ELF check and instrumentation check in check_binary

* libafl-fuzz: improve Makefile.toml

* simplify fuzzer and cleanup typos

* libafl-fuzz: load corpus entries in a multicore fashion

* libafl-fuzz: create output dir if not exists (non-racey)

* libafl-fuzz: add sequential scheduling support
libafl-fuzz: add cmplog options
libafl-fuzz: add test-cmplog.c to CI

* rename peak_rss_mb_children to peak_rss_mb_child_processes

* fix race condition in SyncFromDiskStage, add interval based checking and support for multiple directories.
libafl-fuzz: add support for syncing with foreign fuzzers

* update README

* implement AflScheduler for QueueScheduler.
Add queue_cycles field to
AflScheduler

* libafl-fuzz: remove dependecy on SchedulerMetadata for AflStatsStage

* clippy

* remove queue_cycles from AflScheduler into int's own trait.
libafl-fuzz: simplify map observer tracking

* clippy

* libafl-fuzz: disable cmplog check in CI for now

* add missing constraints for libafl_qemu executor

* clippy

* libafl-fuzz: improve Makefile
libafl-fuzz: clippy

* libafl-fuzz: misc

* misc typos, beautify

---------

Co-authored-by: Dongjia "toka" Zhang <[email protected]>
Co-authored-by: Dominik Maier <[email protected]>

.github/workflows/build_and_test.yml

@@ -336,6 +336,7 @@ jobs:
           - ./fuzzers/backtrace_baby_fuzzers/forkserver_executor
           - ./fuzzers/backtrace_baby_fuzzers/c_code_with_inprocess_executor
           - ./fuzzers/backtrace_baby_fuzzers/rust_code_with_fork_executor
+          - ./fuzzers/libafl-fuzz
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v3

fuzzers/libafl-fuzz/Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+name = "libafl-fuzz"
+version = "0.0.1"
+edition = "2021"
+
+[dependencies]
+clap = { version = "4.5", features = ["derive", "env"] }
+env_logger = "0.11.3"
+libafl = { path = "../../libafl", features = ["std", "derive", "track_hit_feedbacks", "clap", "errors_backtrace"]}
+libafl_bolts = { path = "../../libafl_bolts", features = ["std", "errors_backtrace"]}
+libafl_targets = { path = "../../libafl_targets"}
+memmap2 = "0.9.4"
+nix = {version = "0.29", features = ["fs"]}
+regex = "1.10.5"
+serde = { version = "1.0.117", features = ["derive"] }
+
+[features]
+default = ["track_hit_feedbacks"]
+track_hit_feedbacks = ["libafl/track_hit_feedbacks"]

fuzzers/libafl-fuzz/Makefile.toml

@@ -0,0 +1,66 @@
+[env]
+PROJECT_DIR = { script = ["pwd"] }
+CARGO_TARGET_DIR = { value = "${PROJECT_DIR}/target", condition = { env_not_set = ["CARGO_TARGET_DIR"] } }
+PROFILE = { value = "release", condition = {env_not_set = ["PROFILE"]} }
+PROFILE_DIR = {value = "release", condition = {env_not_set = ["PROFILE_DIR"] }}
+FUZZER_NAME = 'libafl-fuzz'
+FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
+LLVM_CONFIG = {value = "llvm-config-18", condition = {env_not_set = ["LLVM_CONFIG"] }}
+AFL_VERSION = "4.21c"
+AFL_DIR_NAME= {value = "./AFLplusplus-${AFL_VERSION}"}
+AFL_CC_PATH= {value = "${AFL_DIR_NAME}/afl-clang-fast"}
+
+
+[tasks.build_afl]
+script_runner="@shell"
+script='''
+if [ ! -d "$AFL_DIR_NAME" ]; then
+	if [ -f "v${AFL_VERSION}.zip" ]; then
+		rm v${AFL_VERSION}.zip
+	fi
+	wget https://github.com/AFLplusplus/AFLplusplus/archive/refs/tags/v${AFL_VERSION}.zip
+	unzip v${AFL_VERSION}.zip
+	cd ${AFL_DIR_NAME}
+	LLVM_CONFIG=${LLVM_CONFIG} make 
+	cd ..
+fi
+
+'''
+# Test
+[tasks.test]
+linux_alias = "test_unix"
+mac_alias = "test_unix"
+windows_alias = "unsupported"
+
+[tasks.test_unix]
+script_runner="@shell"
+script='''
+cargo build --profile ${PROFILE}
+AFL_PATH=${AFL_DIR_NAME} ${AFL_CC_PATH} ./test/test-instr.c -o ./test/out-instr
+AFL_CORES=1 AFL_STATS_INTERVAL=1 timeout 5 ${FUZZER} -i ./test/seeds -o ./test/output ./test/out-instr || true
+test -n "$( ls ./test/output/fuzzer_main/queue/id:000002* 2>/dev/null )" || exit 1
+test -n "$( ls ./test/output/fuzzer_main/fuzzer_stats 2>/dev/null )" || exit 1
+test -n "$( ls ./test/output/fuzzer_main/plot_data 2>/dev/null )" || exit 1
+test -d "./test/output/fuzzer_main/hangs" || exit 1
+test -d "./test/output/fuzzer_main/crashes" || exit 1
+
+# cmplog TODO: AFL_BENCH_UNTIL_CRASH=1 instead of timeout 15s
+#AFL_LLVM_CMPLOG=1 AFL_PATH=${AFL_DIR_NAME} ${AFL_CC_PATH} ./test/test-cmplog.c -o ./test/out-cmplog
+#AFL_CORES=1 timeout 15 ${FUZZER} -Z -l 3 -m 0 -V30 -i ./test/seeds_cmplog -o ./test/cmplog-output -c ./test/out-cmplog ./test/out-cmplog >>errors 2>&1
+#test -n "$( ls ./test/cmplog-output/fuzzer_main/crashes/id:000000* ./test/cmplog-output/hangs/id:000000* 2>/dev/null )" || exit 1
+'''
+dependencies = ["build_afl"]
+
+[tasks.clean]
+linux_alias = "clean_unix"
+mac_alias = "clean_unix"
+windows_alias = "unsupported"
+
+[tasks.clean_unix]
+script_runner="@shell"
+script='''
+rm -rf AFLplusplus-${AFL_VERSION}
+rm v${AFL_VERSION}.zip
+rm -rf ./test/out-instr
+rm -rf ./test/output
+'''

fuzzers/libafl-fuzz/README.md

@@ -0,0 +1,70 @@
+Rewrite of afl-fuzz in Rust.
+
+# TODO
+- [x] AFL_HANG_TMOUT
+- [x] AFL_NO_AUTODICT
+- [x] AFL_MAP_SIZE
+- [x] AFL_KILL_SIGNAL
+- [x] AFL_BENCH_JUST_ONE
+- [x] AFL_DEBUG_CHILD
+- [x] AFL_PERSISTENT
+- [x] AFL_IGNORE_TIMEOUTS
+- [x] AFL_EXIT_ON_SEED_ISSUES
+- [x] AFL_BENCH_UNTIL_CRASH
+- [x] AFL_TMPDIR
+- [x] AFL_CRASH_EXITCODE
+- [x] AFL_TARGET_ENV
+- [x] AFL_IGNORE_SEED_PROBLEMS (renamed to AFL_IGNORE_SEED_ISSUES)
+- [x] AFL_CRASH_EXITCODE
+- [x] AFL_INPUT_LEN_MIN
+- [x] AFL_INPUT_LEN_MAX
+- [x] AFL_CYCLE_SCHEDULES
+- [x] AFL_CMPLOG_ONLY_NEW
+- [x] AFL_PRELOAD
+- [x] AFL_SKIP_BIN_CHECK
+- [x] AFL_NO_STARTUP_CALIBRATION (this is default in libafl, not sure if this needs to be changed?)
+- [x] AFL_FUZZER_STATS_UPDATE_INTERVAL
+- [x] AFL_DEFER_FORKSRV
+- [x] AFL_NO_WARN_INSTABILITY (we don't warn anyways, we should maybe?)
+- [x] AFL_SYNC_TIME 
+- [ ] AFL_FINAL_SYNC 
+- [x] AFL_AUTORESUME
+- [ ] AFL_CRASHING_SEEDS_AS_NEW_CRASH
+- [ ] AFL_IGNORE_UNKNOWN_ENVS
+- [ ] AFL_NO_UI
+- [ ] AFL_PIZZA_MODE :)
+- [ ] AFL_EXIT_WHEN_DONE
+- [ ] AFL_EXIT_ON_TIME
+- [ ] AFL_NO_AFFINITY
+- [ ] AFL_FORKSERVER_KILL_SIGNAL
+- [ ] AFL_EXPAND_HAVOC_NOW
+- [ ] AFL_NO_FORKSRV
+- [ ] AFL_FORKSRV_INIT_TMOUT
+- [ ] AFL_TRY_AFFINITY
+- [ ] AFL_FAST_CAL
+- [ ] AFL_NO_CRASH_README
+- [ ] AFL_KEEP_TIMEOUTS
+- [ ] AFL_PERSISTENT_RECORD
+- [ ] AFL_TESTCACHE_SIZE
+- [ ] AFL_NO_ARITH
+- [ ] AFL_DISABLE_TRIM
+- [ ] AFL_MAX_DET_EXTRAS
+- [ ] AFL_IGNORE_PROBLEMS
+- [ ] AFL_IGNORE_PROBLEMS_COVERAGE
+- [ ] AFL_STATSD_TAGS_FLAVOR
+- [ ] AFL_STATSD
+- [ ] AFL_STATSD_PORT
+- [ ] AFL_STATSD_HOST
+- [ ] AFL_IMPORT
+- [x] AFL_IMPORT_FIRST (implicit)
+- [ ] AFL_SHUFFLE_QUEUE
+- [ ] AFL_CUSTOM_QEMU_BIN
+- [ ] AFL_PATH
+- [ ] AFL_CUSTOM_MUTATOR_LIBRARY
+- [ ] AFL_CUSTOM_MUTATOR_ONLY
+- [ ] AFL_PYTHON_MODULE
+- [ ] AFL_DEBUG
+- [ ] AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES
+- [ ] AFL_DUMB_FORKSRV
+- [ ] AFL_EARLY_FORKSERVER
+- [ ] AFL_NO_SNAPSHOT