/// <summary>
/// Run method starts the .NET equivalent of AFL fork server.
/// It repeatedly executes the passed action and reports the
/// execution result to afl-fuzz. If the executable that is
/// calling it is not running under afl-fuzz, the action will
/// be executed only once.
/// </summary>
/// <param name="action">
/// Some action that calls the instrumented library. The stream
/// argument passed to the action contains the input data. If an
/// uncaught exception escapes the call, FAULT_CRASH execution
/// status code is reported to afl-fuzz.
/// </param>
public static unsafe void Run(Action <Stream> action)
{
ThrowIfNull(action, nameof(action));
var s = Environment.GetEnvironmentVariable("__AFL_SHM_ID");
using (var stdin = Console.OpenStandardInput())
using (var stream = new UnclosableStreamWrapper(stdin))
{
if (s is null || !Int32.TryParse(s, out var shmid))
{
RunWithoutAflFuzz(action, stream);
return;
}
using (var shmaddr = Native.shmat(shmid, IntPtr.Zero, 0))
using (var r = new BinaryReader(new AnonymousPipeClientStream(PipeDirection.In, "198")))
using (var w = new BinaryWriter(new AnonymousPipeClientStream(PipeDirection.Out, "199")))
{
var sharedMem = (byte *)shmaddr.DangerousGetHandle();
var trace = new TraceWrapper(sharedMem);
w.Write(0);
var pid = Process.GetCurrentProcess().Id;
using (var memory = new UnclosableStreamWrapper(new MemoryStream()))
{
// In the first run, we have to consume the input stream twice:
// first time to run the Setup function, second time to actually
// report the results. That's why we have to use the MemoryStream
// in order to be able to seek back to the beginning of the input.
stream.CopyTo(memory);
memory.Seek(0, SeekOrigin.Begin);
Setup(action, memory, sharedMem);
memory.Seek(0, SeekOrigin.Begin);
r.ReadInt32();
w.Write(pid);
trace.ResetPrevLocation();
w.Write(Execute(action, memory));
}
while (true)
{
r.ReadInt32();
w.Write(pid);
trace.ResetPrevLocation();
w.Write(Execute(action, stream));
}
}
}
}
/// <summary>
/// Run method starts the libFuzzer runner. It repeatedly executes
/// the passed action and reports the execution result to libFuzzer.
/// If the executable that is calling it is not running under libFuzzer,
/// the action will be executed normally, and will receive its input
/// from the file specified in the first command line parameter.
/// </summary>
/// <param name="action">
/// Some action that calls the instrumented library. The span argument
/// passed to the action contains the input data. If an uncaught
/// exception escapes the call, crash is reported to libFuzzer.
/// </param>
public static unsafe void Run(ReadOnlySpanAction action)
{
ThrowIfNull(action, nameof(action));
try
{
using (var ipc = new FuzzerIpc())
{
var sharedMem = ipc.InputPointer();
var trace = new TraceWrapper(sharedMem);
ipc.SetStatus(0);
try
{
var status = Fault.None;
// The program instrumented with libFuzzer will exit
// after the first error, so we should do the same.
while (status != Fault.Crash)
{
trace.ResetPrevLocation();
var size = ipc.InputSize();
var data = new ReadOnlySpan <byte>(sharedMem + MapSize, size);
try
{
action(data);
}
catch (Exception ex)
{
Console.Error.WriteLine(ex);
status = Fault.Crash;
}
ipc.SetStatus(status);
}
}
catch
{
// Error communicating with the parent process, most likely
// because it was terminated after the timeout expired, or
// it was killed by the user. In any case, the exception
// details don't matter here, so we can just exit silently.
return;
}
}
}
catch (FuzzerIpcEnvironmentException)
{
// Error establishing IPC with the parent process due to missing or
// definitely-invalid environment variables. This may be intentional.
// Instead of persistent fuzzing, fall back on testing a single input.
RunWithoutLibFuzzer(action);
return;
}
}
/// <summary>
/// Run method starts the libFuzzer runner. It repeatedly executes
/// the passed action and reports the execution result to libFuzzer.
/// If the executable that is calling it is not running under libFuzzer,
/// the action will be executed normally, and will receive its input
/// from the file specified in the first command line parameter.
/// </summary>
/// <param name="action">
/// Some action that calls the instrumented library. The span argument
/// passed to the action contains the input data. If an uncaught
/// exception escapes the call, crash is reported to libFuzzer.
/// </param>
public static unsafe void Run(ReadOnlySpanAction action)
{
ThrowIfNull(action, nameof(action));
var s = Environment.GetEnvironmentVariable("__LIBFUZZER_SHM_ID");
if (s is null || !Int32.TryParse(s, out var shmid))
{
RunWithoutLibFuzzer(action);
return;
}
using (var shmaddr = Native.shmat(shmid, IntPtr.Zero, 0))
using (var r = new BinaryReader(new AnonymousPipeClientStream(PipeDirection.In, "198")))
using (var w = new BinaryWriter(new AnonymousPipeClientStream(PipeDirection.Out, "199")))
{
var sharedMem = (byte *)shmaddr.DangerousGetHandle();
var trace = new TraceWrapper(sharedMem);
w.Write(0);
try
{
var status = Fault.None;
// The program instrumented with libFuzzer will exit
// after the first error, so we should do the same.
while (status != Fault.Crash)
{
trace.ResetPrevLocation();
var size = r.ReadInt32();
var data = new ReadOnlySpan <byte>(sharedMem + MapSize, size);
try
{
action(data);
}
catch (Exception ex)
{
Console.Error.WriteLine(ex);
status = Fault.Crash;
}
w.Write(status);
}
}
catch
{
// Error communicating with the parent process, most likely
// because it was terminated after the timeout expired, or
// it was killed by the user. In any case, the exception
// details don't matter here, so we can just exit silently.
return;
}
}
}