fixup for artifact generation

Author: addisoncrump

libafl_libfuzzer/libafl_libfuzzer_runtime/Cargo.toml

@@ -20,6 +20,7 @@ crate-type = ["staticlib", "rlib"]
 libafl = { path = "../../libafl", default-features = false, features = ["std", "derive", "llmp_compression", "rand_trait", "fork", "errors_backtrace"] }
 libafl_targets = { path = "../../libafl_targets", features = ["sancov_8bit", "sancov_cmplog", "libfuzzer", "libfuzzer_oom"] }
 libc = "0.2.139"
+log = "0.4.17"
 mimalloc = { version = "0.1.34", default-features = false }
 rand = "0.8.5"
 serde = { version = "1.0", default-features = false, features = ["alloc", "derive"] } # serialization lib

libafl_libfuzzer/libafl_libfuzzer_runtime/src/feedbacks.rs

@@ -9,14 +9,16 @@ use libafl::{
     executors::ExitKind,
     feedbacks::Feedback,
     impl_serdeany,
-    inputs::UsesInput,
+    inputs::{BytesInput, Input, UsesInput},
     observers::ObserversTuple,
     state::{HasClientPerfMonitor, HasMetadata},
     Error,
 };
 use libafl_targets::OOMFeedback;
 use serde::{Deserialize, Serialize};
 
+use crate::options::ArtifactPrefix;
+
 #[derive(Debug)]
 pub struct LibfuzzerKeepFeedback {
     keep: Rc<RefCell<bool>>,
@@ -75,12 +77,14 @@ impl LibfuzzerCrashCauseMetadata {
 
 #[derive(Debug)]
 pub struct LibfuzzerCrashCauseFeedback {
+    artifact_prefix: Option<ArtifactPrefix>,
     exit_kind: ExitKind,
 }
 
 impl LibfuzzerCrashCauseFeedback {
-    pub fn new() -> Self {
+    pub fn new(artifact_prefix: Option<ArtifactPrefix>) -> Self {
         Self {
+            artifact_prefix,
             exit_kind: ExitKind::Ok,
         }
     }
@@ -92,9 +96,40 @@ impl Named for LibfuzzerCrashCauseFeedback {
     }
 }
 
+impl LibfuzzerCrashCauseFeedback {
+    fn set_filename<I: Input>(&self, prefix: &str, testcase: &mut Testcase<I>) {
+        let base = if let Some(filename) = testcase.filename() {
+            filename.clone()
+        } else {
+            let name = testcase.input().as_ref().unwrap().generate_name(0);
+            name
+        };
+        let filename = if let Some(artifact_prefix) = self.artifact_prefix.as_ref() {
+            if let Some(filename_prefix) = artifact_prefix.filename_prefix() {
+                artifact_prefix
+                    .dir()
+                    .join(format!("{}{}-{}", filename_prefix, prefix, base))
+                    .to_str()
+                    .expect("Invalid filename for testcase.")
+                    .to_string()
+            } else {
+                artifact_prefix
+                    .dir()
+                    .join(format!("{}-{}", prefix, base))
+                    .to_str()
+                    .expect("Invalid filename for testcase.")
+                    .to_string()
+            }
+        } else {
+            format!("{}-{}", prefix, base)
+        };
+        testcase.set_filename(filename);
+    }
+}
+
 impl<S> Feedback<S> for LibfuzzerCrashCauseFeedback
 where
-    S: UsesInput + HasClientPerfMonitor,
+    S: UsesInput<Input = BytesInput> + HasClientPerfMonitor,
 {
     fn is_interesting<EM, OT>(
         &mut self,
@@ -123,30 +158,25 @@ where
     {
         match self.exit_kind {
             ExitKind::Crash | ExitKind::Oom if OOMFeedback::oomed() => {
-                if let Some(filename) = testcase.filename_mut() {
-                    *filename = format!("oom-{}", filename);
-                }
+                self.set_filename("oom", testcase);
                 testcase.metadata_mut().insert(LibfuzzerCrashCauseMetadata {
                     kind: ExitKind::Oom,
                 });
             }
-            ExitKind::Crash | ExitKind::Oom => {
-                if let Some(filename) = testcase.filename_mut() {
-                    *filename = format!("crash-{}", filename);
-                }
+            ExitKind::Crash => {
+                self.set_filename("crash", testcase);
                 testcase.metadata_mut().insert(LibfuzzerCrashCauseMetadata {
                     kind: ExitKind::Crash,
                 });
             }
             ExitKind::Timeout => {
-                if let Some(filename) = testcase.filename_mut() {
-                    *filename = format!("timeout-{}", filename);
-                }
+                self.set_filename("timeout", testcase);
                 testcase.metadata_mut().insert(LibfuzzerCrashCauseMetadata {
                     kind: ExitKind::Timeout,
                 });
             }
             _ => {
+                self.set_filename("uncategorized", testcase);
                 testcase.metadata_mut().insert(LibfuzzerCrashCauseMetadata {
                     kind: self.exit_kind,
                 });

libafl_libfuzzer/libafl_libfuzzer_runtime/src/fuzz.rs

@@ -49,10 +49,12 @@ where
             ExitKind::Oom if !options.ignore_ooms() => halt = true,
             ExitKind::Crash if !options.ignore_crashes() => halt = true,
             ExitKind::Timeout if !options.ignore_timeouts() => halt = true,
-            _ => {}
+            _ => {
+                log::info!("Ignoring {kind:?} according to requested ignore rules.");
+            }
         }
         if halt {
-            eprintln!("Halting; the error on the next line is actually okay. :)");
+            log::info!("Halting; the error on the next line is actually okay. :)");
             return Err(Error::shutting_down());
         }
     }

libafl_libfuzzer/libafl_libfuzzer_runtime/src/lib.rs

@@ -61,7 +61,7 @@ macro_rules! fuzz_with {
             corpus::{CachedOnDiskCorpus, Corpus, OnDiskCorpus},
             executors::{ExitKind, InProcessExecutor, TimeoutExecutor},
             feedback_and_fast, feedback_not, feedback_or, feedback_or_fast,
-            feedbacks::{CrashFeedback, MaxMapFeedback, NewHashFeedback, TimeFeedback, TimeoutFeedback},
+            feedbacks::{ConstFeedback, CrashFeedback, MaxMapFeedback, NewHashFeedback, TimeFeedback, TimeoutFeedback},
             generators::RandBytesGenerator,
             inputs::{BytesInput, HasTargetBytes},
             mutators::{
@@ -183,11 +183,11 @@ macro_rules! fuzz_with {
 
             // A feedback to choose if an input is a solution or not
             let mut objective = feedback_or_fast!(
-                LibfuzzerCrashCauseFeedback::new(),
+                LibfuzzerCrashCauseFeedback::new($options.artifact_prefix().cloned()),
                 OOMFeedback,
                 feedback_and_fast!(
                     CrashFeedback::new(),
-                    NewHashFeedback::new(&backtrace_observer)
+                    feedback_or_fast!(ConstFeedback::new($options.dedup()), NewHashFeedback::new(&backtrace_observer))
                 ),
                 TimeoutFeedback::new()
             );

libafl_libfuzzer/libafl_libfuzzer_runtime/src/options.rs

@@ -103,9 +103,10 @@ pub struct LibfuzzerOptions {
     ignore_timeouts: bool,
     ignore_ooms: bool,
     rss_limit: usize,
+    malloc_limit: usize,
+    dedup: bool,
     tui: bool,
     unknown: Vec<String>,
-    pub malloc_limit: usize,
 }
 
 impl LibfuzzerOptions {
@@ -178,6 +179,10 @@ impl LibfuzzerOptions {
         self.malloc_limit
     }
 
+    pub fn dedup(&self) -> bool {
+        self.dedup
+    }
+
     pub fn tui(&self) -> bool {
         self.tui
     }
@@ -202,6 +207,7 @@ struct LibfuzzerOptionsBuilder<'a> {
     rss_limit: Option<usize>,
     malloc_limit: Option<usize>,
     ignore_remaining: bool,
+    dedup: bool,
     tui: bool,
     unknown: Vec<&'a str>,
 }
@@ -279,6 +285,7 @@ impl<'a> LibfuzzerOptionsBuilder<'a> {
                         "ignore_remaining_args" => {
                             self.ignore_remaining = parse_or_bail!(name, value, u64) > 0
                         }
+                        "dedup" => self.dedup = parse_or_bail!(name, value, u64) > 0,
                         "tui" => self.tui = parse_or_bail!(name, value, u64) > 0,
                         _ => {
                             eprintln!("warning: unrecognised flag {name}");
@@ -316,6 +323,7 @@ impl<'a> LibfuzzerOptionsBuilder<'a> {
                 0 => usize::MAX,
                 value => value,
             },
+            dedup: self.dedup,
             tui: self.tui,
             unknown: self.unknown.into_iter().map(|s| s.to_string()).collect(),
         })