Can arbitrary library be used under AFL?
0xfocu5 opened this issue · 3 comments
This is arbitrary: https://github.com/rust-fuzz/arbitrary
This is my harness code:
```rust
use afl::fuzz;
use arbitrary::Arbitrary;
use std::thread;
use std::time::Duration;

// derive(Arbitrary) builds MyData from the fuzzer input, field by field,
// in declaration order.
#[derive(Arbitrary, Debug)]
struct MyData {
    a: u32,
    b: bool,
    c: Vec<u8>,
}

fn main() {
    fuzz!(|data: MyData| {
        // NB: a 20 s sleep per execution will be reported by AFL as a hang.
        thread::sleep(Duration::from_secs(20));
        println!("1111");
    });
}
```
and the seed is:
```text
-> % xxd seed
00000000: 0102 0304 0105 0607 08
```
I want the data to be divided like this:
- The first four bytes (01 02 03 04) are for a.
- The next byte (01) is for b. In this case, 01 represents true.
- The remaining bytes (05 06 07 08) are for c.
But I got this:
```text
pwndbg> p/x data
$1 = test::MyData {
  a: <synthetic pointer>,
  b: <synthetic pointer>,
  c: alloc::vec::Vec<u8, alloc::alloc::Global> {
    buf: alloc::raw_vec::RawVec<u8, alloc::alloc::Global> {
      ptr: core::ptr::unique::Unique<u8> {
        pointer: core::ptr::non_null::NonNull<u8> {
          pointer: 0x5555557bbbc0
        },
        _marker: core::marker::PhantomData<u8>
      },
      cap: 0x8,
      alloc: alloc::alloc::Global
    },
    len: <synthetic pointer>
  }
}
pwndbg> x/2gx 0x5555557bbbc0
0x5555557bbbc0: 0x0000000000000806 0x0000000000000000
```
According to GDB, the result is incorrect. Is there a problem with my usage?
Hi, @0xfocu5. I'm afraid I don't know the internals of Arbitrary very well. I recommend asking on the Arbitrary repository.
If you're wondering how afl.rs uses Arbitrary, the bytes read from standard input are used to construct an Unstructured directly:
Line 165 in 7e68715
So I think the problem reduces to understanding how Arbitrary constructs a MyData from those bytes.
If `c`'s length is correct (i.e., 4), then I'd say maybe you're on the right track.
Sorry I cannot be of more help.
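An added example, not code from afl.rs or the `arbitrary` crate: a small re-implementation of the byte-consumption rules the crate's default `Arbitrary::arbitrary` path (1.x, assumed to be what `afl::fuzz!` calls) applies to `u32`, `bool` and `Vec<u8>`. Run over the seed above it shows why `c` does not get 05 06 07 08, and why GDB saw the word `0x0806`.

```rust
// Added example, not afl.rs or `arbitrary` crate code: a re-implementation of
// how the arbitrary 1.x `Arbitrary::arbitrary` path consumes bytes for MyData.
struct Cursor<'a> {
    data: &'a [u8], // plays the role of `arbitrary::Unstructured`
}
impl<'a> Cursor<'a> {
    /// Like `Unstructured::fill_buffer`: copy what is available and zero-fill
    /// the rest, so exhausting the input never fails.
    fn fill(&mut self, buf: &mut [u8]) {
        let n = buf.len().min(self.data.len());
        buf[..n].copy_from_slice(&self.data[..n]);
        buf[n..].iter_mut().for_each(|b| *b = 0);
        self.data = &self.data[n..];
    }
    /// Integers: size_of::<T>() bytes, little-endian.
    fn take_u32(&mut self) -> u32 {
        let mut buf = [0u8; 4];
        self.fill(&mut buf);
        u32::from_le_bytes(buf)
    }
    /// bool: one byte, only the low bit counts (0x01 and 0x05 are both true).
    fn take_bool(&mut self) -> bool {
        let mut buf = [0u8; 1];
        self.fill(&mut buf);
        (buf[0] & 1) == 1
    }
    /// Vec<T> via arbitrary_iter: a "keep going?" bool is consumed BEFORE
    /// every element, so flags and elements alternate in the input.
    fn take_vec_u8(&mut self) -> Vec<u8> {
        let mut v = Vec::new();
        while self.take_bool() {
            let mut b = [0u8; 1];
            self.fill(&mut b);
            v.push(b[0]);
        }
        v
    }
}
/// Fields are consumed in declaration order: a, then b, then c.
fn decode_my_data(seed: &[u8]) -> (u32, bool, Vec<u8>) {
    let mut u = Cursor { data: seed };
    (u.take_u32(), u.take_bool(), u.take_vec_u8())
}
fn main() {
    // Seed from the issue: 05 and 07 are eaten as continue-flags, 06 and 08
    // are the elements, i.e. the little-endian word 0x0806 that GDB showed.
    let seed = [0x01u8, 0x02, 0x03, 0x04, 0x01, 0x05, 0x06, 0x07, 0x08];
    println!("{:x?}", decode_my_data(&seed)); // (4030201, true, [6, 8])
}
```

To get four elements into `c` from this layout, each element byte needs an odd "continue" byte in front of it; the exact rules for other versions or for `arbitrary_take_rest` should be checked against the crate source.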
I recommend asking on the Arbitrary repository.
Sorry, I see you already did: rust-fuzz/arbitrary#172
Let me see if I can help push the conversation forward.
Thanks very much. I got it.