Merge branch 'main' into add-qemu-riscv-support

.github/workflows/build_and_test.yml

@@ -53,10 +53,13 @@ jobs:
         run: ./scripts/check_for_blobs.sh
       - name: Build libafl debug
         run: cargo build -p libafl
-      - name: Test the book
+      - name: Test the book (Linux)
         # TODO: fix books test fail with updated windows-rs
-        if: runner.os != 'Windows'
+        if: runner.os == 'Linux'
         run: cd docs && mdbook test -L ../target/debug/deps
+      - name: Test the book (MacOS)
+        if: runner.os == 'MacOS'
+        run: cd docs && mdbook test -L ../target/debug/deps $(python3-config --ldflags | cut -d ' ' -f1)
       - name: Run tests
         run: cargo test
       - name: Test libafl no_std
@@ -468,7 +471,7 @@ jobs:
       - name: Add nightly clippy
         run: rustup toolchain install nightly --component clippy --allow-downgrade && rustup default nightly
       - name: Install deps
-        run: brew install z3 gtk+3
+        run: brew install z3 gtk+3 python
       - name: Install cxxbridge
         run: cargo install cxxbridge-cmd
       - uses: actions/checkout@v4
@@ -491,7 +494,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: Swatinem/rust-cache@v2
       - name: Build iOS
-        run: cargo build --target aarch64-apple-ios && cd libafl_frida && cargo build --target aarch64-apple-ios && cd ..
+        run: PYO3_CROSS_PYTHON_VERSION=$(python3 -c "print('{}.{}'.format(__import__('sys').version_info.major, __import__('sys').version_info.minor))") cargo build --target aarch64-apple-ios && cd libafl_frida && cargo build --target aarch64-apple-ios && cd ..
 
   android:
     runs-on: ubuntu-24.04
@@ -509,7 +512,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: Swatinem/rust-cache@v2
       - name: Build Android
-        run: cd libafl && cargo ndk -t arm64-v8a build --release
+        run: cd libafl && PYO3_CROSS_PYTHON_VERSION=$(python3 -c "print('{}.{}'.format(__import__('sys').version_info.major, __import__('sys').version_info.minor))") cargo ndk -t arm64-v8a build --release
 
     #run: cargo build --target aarch64-linux-android
     # TODO: Figure out how to properly build stuff with clang

Cargo.toml

@@ -69,9 +69,6 @@ paste = "1.0.15"
 postcard = { version = "1.0.10", features = [
   "alloc",
 ], default-features = false } # no_std compatible serde serialization format
-pyo3 = "0.22.3"
-pyo3-build-config = "0.22.3"
-pyo3-log = "0.11.0"
 rangemap = "1.5.1"
 regex = "1.10.6"
 rustversion = "1.0.17"

fuzzers/baby/backtrace_baby_fuzzers/command_executor/src/main.rs

@@ -84,6 +84,7 @@ pub fn main() {
     #[derive(Debug)]
     struct MyExecutor {
         shmem_id: ShMemId,
+        timeout: Duration,
     }
 
     impl CommandConfigurator<BytesInput> for MyExecutor {
@@ -106,11 +107,16 @@ pub fn main() {
         }
 
         fn exec_timeout(&self) -> Duration {
-            Duration::from_secs(5)
+            self.timeout
+        }
+        fn exec_timeout_mut(&mut self) -> &mut Duration {
+            &mut self.timeout
         }
     }
 
-    let mut executor = MyExecutor { shmem_id }.into_executor(tuple_list!(observer, bt_observer));
+    let timeout = Duration::from_secs(5);
+    let mut executor =
+        MyExecutor { shmem_id, timeout }.into_executor(tuple_list!(observer, bt_observer));
 
     // Generator of printable bytearrays of max size 32
     let mut generator = RandPrintablesGenerator::new(nonzero!(32));

fuzzers/binary_only/frida_executable_libpng/Cargo.toml

@@ -25,10 +25,11 @@ libafl = { path = "../../../libafl", features = [
   "frida_cli",
 ] } #,  "llmp_small_maps", "llmp_debug"]}
 libafl_bolts = { path = "../../../libafl_bolts" }
-frida-gum = { version = "0.14.0", features = [
+frida-gum = { version = "0.14.2", features = [
   "auto-download",
   "event-sink",
   "invocation-listener",
+  "script",
 ] }
 libafl_frida = { path = "../../../libafl_frida", features = ["cmplog"] }
 libafl_targets = { path = "../../../libafl_targets", features = [

fuzzers/binary_only/frida_libpng/Cargo.toml

@@ -26,10 +26,11 @@ libafl = { path = "../../../libafl", features = [
   "errors_backtrace",
 ] } #,  "llmp_small_maps", "llmp_debug"]}
 libafl_bolts = { path = "../../../libafl_bolts" }
-frida-gum = { version = "0.14.0", features = [
+frida-gum = { version = "0.14.2", features = [
   "auto-download",
   "event-sink",
   "invocation-listener",
+  "script",
 ] }
 libafl_frida = { path = "../../../libafl_frida", features = ["cmplog"] }
 libafl_targets = { path = "../../../libafl_targets", features = [

fuzzers/binary_only/frida_libpng/build.rs

@@ -0,0 +1,3 @@
+fn main() {
+    println!("cargo:rustc-link-arg=-rdynamic");
+}

fuzzers/binary_only/frida_windows_gdiplus/Cargo.toml

@@ -23,10 +23,11 @@ libafl = { path = "../../../libafl", features = [
   "errors_backtrace",
 ] } #,  "llmp_small_maps", "llmp_debug"]}
 libafl_bolts = { path = "../../../libafl_bolts" }
-frida-gum = { version = "0.14.0", features = [
+frida-gum = { version = "0.14.2", features = [
   "auto-download",
   "event-sink",
   "invocation-listener",
+  "script",
 ] }
 libafl_frida = { path = "../../../libafl_frida", features = ["cmplog"] }
 libafl_targets = { path = "../../../libafl_targets", features = [

fuzzers/binary_only/qemu_launcher/src/instance.rs

@@ -23,8 +23,8 @@ use libafl::{
         powersched::PowerSchedule, IndexesLenTimeMinimizerScheduler, PowerQueueScheduler,
     },
     stages::{
-        calibrate::CalibrationStage, power::StdPowerMutationalStage, AflStatsStage, IfStage,
-        ShadowTracingStage, StagesTuple, StdMutationalStage,
+        calibrate::CalibrationStage, power::StdPowerMutationalStage, IfStage, ShadowTracingStage,
+        StagesTuple, StatsStage, StdMutationalStage,
     },
     state::{HasCorpus, StdState, UsesState},
     Error, HasMetadata, NopFuzzer,
@@ -138,7 +138,7 @@ impl<M: Monitor> Instance<'_, M> {
 
         let stats_stage = IfStage::new(
             |_, _, _, _| Ok(self.options.tui),
-            tuple_list!(AflStatsStage::new(Duration::from_secs(5))),
+            tuple_list!(StatsStage::new(Duration::from_secs(5))),
         );
 
         // Feedback to rate the interestingness of an input

fuzzers/forkserver/libafl-fuzz/Makefile.toml

@@ -12,7 +12,7 @@ FUZZER = '${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}'
 LLVM_CONFIG = { value = "llvm-config-18", condition = { env_not_set = [
   "LLVM_CONFIG",
 ] } }
-AFL_VERSION = "8b35dd49be5f846e945f6d6a9414623d195a99cb"
+AFL_VERSION = "78b7e14c73baacf1d88b3c03955e78f5080d17ba"
 AFL_DIR = { value = "${PROJECT_DIR}/AFLplusplus" }
 AFL_CC_PATH = { value = "${AFL_DIR}/afl-clang-fast" }
 CC = { value = "clang" }
@@ -25,12 +25,16 @@ if [ ! -d "$AFL_DIR" ]; then
 	cd ${AFL_DIR}
 	git checkout ${AFL_VERSION}
 	LLVM_CONFIG=${LLVM_CONFIG} make 
+fi
+'''
+[tasks.build_frida_mode]
+script_runner = '@shell'
+script = '''
+	cd ${AFL_DIR}
 	cd frida_mode
 	LLVM_CONFIG=${LLVM_CONFIG} make
 	cd ../..
-fi
 '''
-
 [tasks.build_qemuafl]
 script_runner = "@shell"
 script = '''
@@ -77,7 +81,7 @@ script = '''
 AFL_PATH=${AFL_DIR} ${AFL_CC_PATH} ./test/test-instr.c -o ./test/out-instr
 
 export LIBAFL_DEBUG_OUTPUT=1 
-export AFL_CORES=1 
+export AFL_CORES=0
 export AFL_STATS_INTERVAL=1 
 
 timeout 5 ${FUZZER} -i ./test/seeds -o ./test/output ./test/out-instr || true
@@ -109,7 +113,7 @@ script_runner = "@shell"
 script = '''
 # cmplog TODO: AFL_BENCH_UNTIL_CRASH=1 instead of timeout 15s
 AFL_LLVM_CMPLOG=1 AFL_PATH=${AFL_DIR} ${AFL_CC_PATH} ./test/test-cmplog.c -o ./test/out-cmplog
-AFL_CORES=1 timeout 5 ${FUZZER} -Z -l 3 -m 0 -V30 -i ./test/seeds_cmplog -o ./test/output-cmplog -c 0 ./test/out-cmplog || true
+LIBAFL_DEBUG_OUTPUT=1 AFL_CORES=0 timeout 10 ${FUZZER} -Z -l 3 -m 0 -V30 -i ./test/seeds_cmplog -o ./test/output-cmplog -c 0 ./test/out-cmplog || true
 test -n "$( ls ${PROJECT_DIR}/test/output-cmplog/fuzzer_main/hangs/id:0000* ${PROJECT_DIR}/test/output-cmplog/fuzzer_main/crashes/id:0000*)" || {
 	echo "No crashes found"
 	exit 1
@@ -123,7 +127,7 @@ script = '''
 ${CC} -no-pie ./test/test-instr.c -o ./test/out-frida
 
 export AFL_PATH=${AFL_DIR} 
-export AFL_CORES=1 
+export AFL_CORES=0
 export AFL_STATS_INTERVAL=1 
 
 timeout 5 ${FUZZER} -m 0  -O -i ./test/seeds_frida -o ./test/output-frida -- ./test/out-frida || true
@@ -162,7 +166,7 @@ test -n "$RUNTIME" -a -n "$RUNTIME_PERSISTENT" && {
 
 unset AFL_FRIDA_PERSISTENT_ADDR
 '''
-dependencies = ["build_afl", "build_libafl_fuzz"]
+dependencies = ["build_afl", "build_frida_mode", "build_libafl_fuzz"]
 
 [tasks.test_qemu]
 script_runner = "@shell"
@@ -171,7 +175,7 @@ ${CC} -pie -fPIE ./test/test-instr.c -o ./test/out-qemu
 ${CC} -o ./test/out-qemu-cmpcov ./test/test-cmpcov.c
 
 export AFL_PATH=${AFL_DIR}
-export AFL_CORES=1
+export AFL_CORES=0
 export AFL_STATS_INTERVAL=1
 
 timeout 5 ${FUZZER} -m 0  -Q -i ./test/seeds_qemu -o ./test/output-qemu -- ./test/out-qemu || true
@@ -202,7 +206,7 @@ dependencies = ["build_afl", "build_qemuafl", "build_libafl_fuzz"]
 script_runner = "@shell"
 script = '''
 export AFL_PATH=${AFL_DIR}
-export AFL_CORES=1
+export AFL_CORES=0
 export AFL_STATS_INTERVAL=1
 
 # TODO: test unicorn persistent mode once it's fixed on AFL++

fuzzers/forkserver/libafl-fuzz/src/corpus.rs

@@ -128,7 +128,7 @@ pub fn check_autoresume(fuzzer_dir: &Path, auto_resume: bool) -> Result<Flock<Fi
             }
         }
         if !auto_resume && last_update.saturating_sub(start_time) > OUTPUT_GRACE * 60 {
-            return Err(Error::illegal_state("The job output directory already exists and contains results! use AFL_AUTORESUME=true or provide \"-\" for -i "));
+            return Err(Error::illegal_state("The job output directory already exists and contains results! use AFL_AUTORESUME=1 or provide \"-\" for -i "));
         }
     }
     if !auto_resume {

fuzzers/forkserver/libafl-fuzz/src/env_parser.rs

@@ -1,6 +1,6 @@
 use std::{collections::HashMap, path::PathBuf, time::Duration};
 
-use libafl::Error;
+use libafl::{stages::afl_stats::AFL_FUZZER_STATS_UPDATE_INTERVAL_SECS, Error};
 use libafl_bolts::core_affinity::Cores;
 
 use crate::Opt;
@@ -73,6 +73,8 @@ pub fn parse_envs(opt: &mut Opt) -> Result<(), Error> {
     }
     if let Ok(res) = std::env::var("AFL_FUZZER_STATS_UPDATE_INTERVAL") {
         opt.stats_interval = res.parse()?;
+    } else {
+        opt.stats_interval = AFL_FUZZER_STATS_UPDATE_INTERVAL_SECS;
     }
     if let Ok(res) = std::env::var("AFL_BROKER_PORT") {
         opt.broker_port = Some(res.parse()?);

fuzzers/forkserver/libafl-fuzz/src/feedback/seed.rs

@@ -65,7 +65,7 @@ where
                     if !self.ignore_timeouts {
                         if !self.ignore_seed_issues || self.exit_on_seed_issues {
                             return Err(Error::invalid_corpus(
-                                "input led to a timeout; use AFL_IGNORE_SEED_ISSUES=true",
+                                "input led to a timeout; use AFL_IGNORE_SEED_ISSUES=1",
                             ));
                         }
                         return Ok(false);