author | WorksButNotTested <62701594+WorksButNotTested@users.noreply.github.com> | 2021-04-30 09:28:20 +0100 |
committer | GitHub <noreply@github.com> | 2021-04-30 10:28:20 +0200 |
commit | 765f3e5169dc0b69c806b2b10a29250fa162ada7 (patch) | |
tree | 588214eb3a979ab40b9c420b114096efd3aee3e9 | |
parent | c9d066038fe0bbf8e0ab0a481ca320ca1c31b1bf (diff) | |
Added representative fuzzbench test and test for libxml (#893)
* Added representative fuzzbench test and test for libxml * Added support for building FRIDA from source with FRIDA_SOURCE=1 Co-authored-by: Your Name <you@example.com>
-rw-r--r-- | .gitmodules | 4 | ||||
-rw-r--r-- | frida_mode/GNUmakefile | 37 | ||||
m--------- | frida_mode/frida | 0 | ||||
-rw-r--r-- | frida_mode/test/exe/GNUmakefile | 2 | ||||
-rw-r--r-- | frida_mode/test/fuzzbench/GNUmakefile | 61 | ||||
-rw-r--r-- | frida_mode/test/fuzzbench/Makefile | 12 | ||||
-rwxr-xr-x | frida_mode/test/fuzzbench/fuzzer | bin | 0 -> 1703936 bytes | |||
-rw-r--r-- | frida_mode/test/fuzzbench/src/Dockerfile | 36 | ||||
-rw-r--r-- | frida_mode/test/fuzzbench/src/run.sh | 10 | ||||
-rw-r--r-- | frida_mode/test/libxml/GNUmakefile | 13 | ||||
-rw-r--r-- | frida_mode/test/libxml/Makefile | 12 | ||||
-rwxr-xr-x | frida_mode/test/libxml/xml | bin | 0 -> 1849872 bytes | |||
-rw-r--r-- | frida_mode/test/testinstr/GNUmakefile | 2 |
13 files changed, 185 insertions, 4 deletions
diff --git a/.gitmodules b/.gitmodules index c787ec0e..0b8ccd97 100644 --- a/.gitmodules +++ b/.gitmodules @@ -7,3 +7,7 @@ [submodule "qemu_mode/qemuafl"] path = qemu_mode/qemuafl url = https://github.com/AFLplusplus/qemuafl +[submodule "frida_mode/frida"] + path = frida_mode/frida + url = https://github.com/WorksButNotTested/frida.git + branch = x64_stalker_fix diff --git a/frida_mode/GNUmakefile b/frida_mode/GNUmakefile index d2f5ba4b..8199b337 100644 --- a/frida_mode/GNUmakefile +++ b/frida_mode/GNUmakefile @@ -5,6 +5,7 @@ SRC_DIR:=$(PWD)src/ INCLUDES:=$(wildcard $(INC_DIR)*.h) BUILD_DIR:=$(PWD)build/ OBJ_DIR:=$(BUILD_DIR)obj/ + SOURCES:=$(wildcard $(SRC_DIR)**/*.c) $(wildcard $(SRC_DIR)*.c) OBJS:=$(foreach src,$(SOURCES),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src)))) CFLAGS+=-fPIC \ @@ -62,17 +63,24 @@ endif GUM_DEVKIT_VERSION=14.2.17 GUM_DEVKIT_FILENAME=frida-gum-devkit-$(GUM_DEVKIT_VERSION)-$(OS)-$(ARCH).tar.xz GUM_DEVKIT_URL="https://github.com/frida/frida/releases/download/$(GUM_DEVKIT_VERSION)/$(GUM_DEVKIT_FILENAME)" + GUM_DEVKIT_TARBALL:=$(FRIDA_BUILD_DIR)$(GUM_DEVKIT_FILENAME) GUM_DEVIT_LIBRARY=$(FRIDA_BUILD_DIR)libfrida-gum.a GUM_DEVIT_HEADER=$(FRIDA_BUILD_DIR)frida-gum.h +FRIDA_DIR:=$(PWD)frida/ +FRIDA_MAKEFILE:=$(FRIDA_DIR)Makefile +FRIDA_GUM:=$(FRIDA_DIR)build/frida-linux-x86_64/lib/libfrida-gum-1.0.a +FRIDA_GUM_DEVKIT_DIR:=$(FRIDA_DIR)build/gum-devkit/ +FRIDA_GUM_DEVKIT_HEADER:=$(FRIDA_GUM_DEVKIT_DIR)frida-gum.h +FRIDA_GUM_DEVKIT_TARBALL:=$(FRIDA_DIR)build/$(GUM_DEVKIT_FILENAME) + AFL_COMPILER_RT_SRC:=$(ROOT)instrumentation/afl-compiler-rt.o.c AFL_COMPILER_RT_OBJ:=$(OBJ_DIR)afl-compiler-rt.o - .PHONY: all clean format -############################# FRIDA ############################################ +############################## ALL ############################################# all: $(FRIDA_TRACE) make -C $(ROOT) 
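Review bot: The submodule added here resolves to a personal fork on a feature branch (`url = https://github.com/WorksButNotTested/frida.git`, `branch = x64_stalker_fix`), so the FRIDA_SOURCE build's supply chain now rests on an individual account, and `git submodule update --remote` would move the checkout to whatever that branch holds at the time rather than the revision this commit pins. If the fork only exists to carry an unmerged fix, say so next to the entry, e.g. `# temporary fork: carries the x64 stalker fix until it lands in frida/frida`, so the URL is switched back once that happens. Dropping the `branch =` line would also keep `--remote` updates from floating; the gitlink revision recorded by this commit is what the build should trust.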
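Review bot: `FRIDA_GUM:=$(FRIDA_DIR)build/frida-linux-x86_64/lib/libfrida-gum-1.0.a` hard-codes the x86_64 triple, while the recipes that build and consume it in the following hunk are parameterised on `$(ARCH)` (`make gum-linux-$(ARCH)`, `devkit.py frida-gum linux-$(ARCH)`), so on any other architecture the source build would run and the prerequisite would still never appear. Assuming `$(ARCH)` is already set at this point — the existing `GUM_DEVKIT_FILENAME` line relies on it — and that it uses the same spelling as frida's build directories, the fix is `FRIDA_GUM:=$(FRIDA_DIR)build/frida-linux-$(ARCH)/lib/libfrida-gum-1.0.a`. The new `FRIDA_*` variables would also benefit from a one-line comment such as `# only used when FRIDA_SOURCE=1 (build frida-gum from the submodule)`, since the switch itself lives further down the file.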
@@ -83,11 +91,32 @@ $(BUILD_DIR): $(OBJ_DIR): | $(BUILD_DIR) mkdir -p $@ +############################# FRIDA ############################################ + +$(FRIDA_MAKEFILE): + git submodule update --init --recursive $(FRIDA_DIR) + +$(FRIDA_GUM): $(FRIDA_MAKEFILE) + cd $(FRIDA_DIR) && make gum-linux-$(ARCH) + +$(FRIDA_GUM_DEVKIT_HEADER): $(FRIDA_GUM) + $(FRIDA_DIR)releng/devkit.py frida-gum linux-$(ARCH) $(FRIDA_DIR)build/gum-devkit/ + +$(FRIDA_GUM_DEVKIT_TARBALL): $(FRIDA_GUM_DEVKIT_HEADER) + cd $(FRIDA_GUM_DEVKIT_DIR) && tar cJvf $(FRIDA_GUM_DEVKIT_TARBALL) . + +############################# DEVKIT ########################################### + $(FRIDA_BUILD_DIR): | $(BUILD_DIR) mkdir -p $@ +ifdef FRIDA_SOURCE +$(GUM_DEVKIT_TARBALL): $(FRIDA_GUM_DEVKIT_TARBALL)| $(FRIDA_BUILD_DIR) + cp -v $< $@ +else $(GUM_DEVKIT_TARBALL): | $(FRIDA_BUILD_DIR) wget -O $@ $(GUM_DEVKIT_URL) +endif $(GUM_DEVIT_LIBRARY): | $(GUM_DEVKIT_TARBALL) tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) @@ -95,6 +124,7 @@ $(GUM_DEVIT_LIBRARY): | $(GUM_DEVKIT_TARBALL) $(GUM_DEVIT_HEADER): | $(GUM_DEVKIT_TARBALL) tar Jxvf $(GUM_DEVKIT_TARBALL) -C $(FRIDA_BUILD_DIR) +############################## AFL ############################################# $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) $(CC) \ $(CFLAGS) \ @@ -104,6 +134,7 @@ $(AFL_COMPILER_RT_OBJ): $(AFL_COMPILER_RT_SRC) -o $@ \ -c $< +############################# SOURCE ########################################### define BUILD_SOURCE $(2): $(1) GNUmakefile | $(OBJ_DIR) @@ -118,6 +149,8 @@ endef $(foreach src,$(SOURCES),$(eval $(call BUILD_SOURCE,$(src),$(OBJ_DIR)$(notdir $(patsubst %.c, %.o, $(src)))))) +######################## AFL-FRIDA-TRACE ####################################### + $(FRIDA_TRACE): $(GUM_DEVIT_LIBRARY) $(GUM_DEVIT_HEADER) $(OBJS) $(AFL_COMPILER_RT_OBJ) GNUmakefile | $(BUILD_DIR) $(CC) \ -o $@ \ diff --git a/frida_mode/frida b/frida_mode/frida new file mode 160000 +Subproject 59457cf83f8411c62988f93da1dfe8b04e22824 
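Review bot: The new source-build recipe recurses with a bare `make` (`cd $(FRIDA_DIR) && make gum-linux-$(ARCH)`), which neither shares the jobserver under `-j` nor honours `-n`; use `cd $(FRIDA_DIR) && $(MAKE) gum-linux-$(ARCH)`. Producing `$(FRIDA_MAKEFILE)` via `git submodule update --init --recursive $(FRIDA_DIR)` means a network fetch from the fork happens as a side effect of dependency resolution, which is acceptable for an opt-in path but deserves a comment above the `ifdef FRIDA_SOURCE`, e.g. `# FRIDA_SOURCE=1: build frida-gum from the submodule (network fetch on first run) instead of downloading the prebuilt devkit`. Minor: `$(FRIDA_GUM_DEVKIT_TARBALL)| $(FRIDA_BUILD_DIR)` is missing the space before `|`, and `tar cJvf` / `cp -v` add noise a quiet build does not need.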
diff --git a/frida_mode/test/exe/GNUmakefile b/frida_mode/test/exe/GNUmakefile index 7719ad2b..c543cca8 100644 --- a/frida_mode/test/exe/GNUmakefile +++ b/frida_mode/test/exe/GNUmakefile @@ -40,7 +40,7 @@ qemu: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -- \ $(TESTINSTBIN) @@ -frida: $(FRIDA_TRACE) $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) +frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) $(ROOT)afl-fuzz \ -D \ -O \ diff --git a/frida_mode/test/fuzzbench/GNUmakefile b/frida_mode/test/fuzzbench/GNUmakefile new file mode 100644 index 00000000..38d8b91e --- /dev/null +++ b/frida_mode/test/fuzzbench/GNUmakefile 
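Review bot: Removing `$(FRIDA_TRACE)` from the `frida` target's prerequisites means `make frida` no longer ensures `afl-frida-trace.so` exists before `afl-fuzz -O` is launched; it now silently relies on `make all` (or the parent `frida_mode` build) having run first, and `FRIDA_TRACE` itself is defined outside this hunk. If the intent is to stop this test makefile from carrying its own rule for the library, keep the dependency but delegate the build, e.g. `frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) | $(FRIDA_TRACE)` plus `$(FRIDA_TRACE): ; $(MAKE) -C $(ROOT)frida_mode/`. Otherwise a comment on the target stating that `all` must be built first would at least document the new precondition.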
@@ -0,0 +1,61 @@
+PWD:=$(shell pwd)/
+ROOT:=$(shell realpath $(PWD)../../..)/
+SRC_DIR:=$(PWD)src/
+BUILD_DIR:=$(PWD)build/
+
+FUZZBENCH_DATA_DIR:=$(BUILD_DIR)in/
+R2_DICT:=$(BUILD_DIR)fuzz-target.dict
+R2_DICT_URL:=https://raw.githubusercontent.com/google/fuzzing/master/dictionaries/regexp.dict
+
+FRIDA_OUT:=$(BUILD_DIR)frida-out
+
+ASSETS_DIR:=$(BUILD_DIR)assets/
+ASSETS_SRC:=$(ROOT)frida_mode/build/afl-frida-trace.so \
+ $(R2_DICT) \
+ fuzzer \
+ $(SRC_DIR)run.sh
+
+ASSETS_DEST:=$(foreach asset,$(ASSETS_SRC),$(ASSETS_DIR)$(notdir $(asset)))
+
+.PHONY: all clean frida
+
+all: $(FUZZBENCH_DATA_DIR)
+ make -C $(ROOT)frida_mode/
+
+$(BUILD_DIR):
+ mkdir -p $@
+
+$(ASSETS_DIR): | $(BUILD_DIR)
+ mkdir -p $@
+
+$(R2_DICT): | $(BUILD_DIR)
+ wget -qO $@ $(R2_DICT_URL)
+
+$(FUZZBENCH_DATA_DIR): $(R2_DICT)
+ mkdir -p $@
+ split -l 1 -d -a 4 $(R2_DICT) $(FUZZBENCH_DATA_DIR)file
+
+define COPY_ASSET
+$(2): $(1) GNUmakefile | $(ASSETS_DIR)
+ cp -v $(1) $(2)
+endef
+
+$(foreach asset,$(ASSETS_SRC),$(eval $(call COPY_ASSET,$(asset),$(ASSETS_DIR)$(notdir $(asset)))))
+
+clean:
+ rm -rf $(BUILD_DIR)
+
+frida: | $(FUZZBENCH_DATA_DIR)
+ AFL_QEMU_DRIVER_NO_HOOK=1 \
+ AFL_FRIDA_PERSISTENT_CNT=1000000 \
+ AFL_FRIDA_PERSISTENT_ADDR=0x55555599f6c0 \
+ $(ROOT)afl-fuzz \
+ -O \
+ -i $(FUZZBENCH_DATA_DIR) \
+ -o $(FRIDA_OUT) \
+ -- \
+ $(PWD)fuzzer
+
+docker: $(ASSETS_DEST)
+ docker build -t fuzzbench-frida-mode -f $(SRC_DIR)Dockerfile $(PWD)
+ docker run --rm -ti fuzzbench-frida-mode /run.sh
\ No newline at end of file
diff --git a/frida_mode/test/fuzzbench/Makefile b/frida_mode/test/fuzzbench/Makefile
new file mode 100644
index 00000000..e71185cc
--- /dev/null
+++ b/frida_mode/test/fuzzbench/Makefile
@@ -0,0 +1,12 @@
+all:
+ @echo trying to use GNU make...
+ @gmake all || echo please install GNUmake
+
+clean:
+ @gmake clean
+
+frida:
+ @gmake frida
+
+docker:
+ @gmake docker
\ No newline at end of file
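Review bot: `AFL_FRIDA_PERSISTENT_ADDR=0x55555599f6c0` is a raw absolute address with nothing recording how it was obtained or which load base it assumes, and it is tied to the `fuzzer` binary this commit checks in prebuilt with no source or build recipe; if either changes, the persistent loop silently lands in the wrong place. Add a comment above the `frida` target along the lines of `# entry of the persistent loop in ./fuzzer (prebuilt from the fuzzbench <benchmark> target, see src/Dockerfile); re-derive with nm/objdump whenever the binary is rebuilt`, with the benchmark name filled in by the author (the regexp dictionary suggests re2, but the hunk does not say). `docker` is missing from `.PHONY: all clean frida`, so a file or directory named `docker` would turn that target into a no-op. `make -C $(ROOT)frida_mode/` should be `$(MAKE) -C $(ROOT)frida_mode/`, and `R2_DICT_URL` fetches from the moving `master` branch of google/fuzzing, so pinning it to a commit would keep the seed set reproducible.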
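Review bot: `@gmake all || echo please install GNUmake` returns success whenever `gmake all` fails, including real build errors, so a CI job or script driving this wrapper cannot tell the two apart. Make the fallback fail: `@gmake all || { echo please install GNUmake; exit 1; }`. The other targets (`clean`, `frida`, `docker`) propagate gmake's status unchanged, so only `all` needs the change.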
diff --git a/frida_mode/test/fuzzbench/fuzzer b/frida_mode/test/fuzzbench/fuzzer
new file mode 100755
index 00000000..5e8b7f70
--- /dev/null
+++ b/frida_mode/test/fuzzbench/fuzzer
Binary files differ
diff --git a/frida_mode/test/fuzzbench/src/Dockerfile b/frida_mode/test/fuzzbench/src/Dockerfile
new file mode 100644
index 00000000..b64ce688
--- /dev/null
+++ b/frida_mode/test/fuzzbench/src/Dockerfile
@@ -0,0 +1,36 @@
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt-get update && \
+ apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ git clang
+
+# Download afl++
+RUN git clone https://github.com/AFLplusplus/AFLplusplus.git /afl && \
+ cd /afl && git checkout dev
+
+# Build afl++ without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl && \
+ unset CFLAGS && unset CXXFLAGS && \
+ AFL_NO_X86=1 CC=clang PYTHON_INCLUDE=/ make && \
+ make -C utils/aflpp_driver
+
+# This makes interactive docker runs painless:
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
+
+RUN mkdir /frida-mode
+WORKDIR /frida-mode
+RUN cp /afl/afl-fuzz .
+COPY build/assets/afl-frida-trace.so .
+COPY build/assets/fuzz-target.dict .
+COPY build/assets/fuzzer .
+
+RUN mkdir /frida-mode/in
+RUN split -l 1 -d -a 4 fuzz-target.dict /frida-mode/in/
+
+WORKDIR /
+COPY build/assets/run.sh .
+RUN chmod +x /run.sh
diff --git a/frida_mode/test/fuzzbench/src/run.sh b/frida_mode/test/fuzzbench/src/run.sh
new file mode 100644
index 00000000..9a66b0f3
--- /dev/null
+++ b/frida_mode/test/fuzzbench/src/run.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+AFL_QEMU_DRIVER_NO_HOOK=1 \
+AFL_FRIDA_PERSISTENT_CNT=1000000 \
+AFL_FRIDA_PERSISTENT_ADDR=0x55555599f6c0 \
+/frida-mode/afl-fuzz \
+ -O \
+ -i /frida-mode/in \
+ -o /frida-mode/out \
+ -- \
+ /frida-mode/fuzzer
\ No newline at end of file
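Review bot: The image builds `afl-fuzz` from whatever `dev` is at build time (`git clone … && git checkout dev`, then `RUN cp /afl/afl-fuzz .`) while `afl-frida-trace.so` is copied in from the host checkout (`COPY build/assets/afl-frida-trace.so .`), so the fuzzer and the trace library can come from two different afl++ revisions and the combination is not reproducible. Pin the in-image checkout to the revision the assets were built from, e.g. `ARG AFL_COMMIT=dev` before the clone and `git checkout "$AFL_COMMIT"` in place of `git checkout dev`, supplied by the `docker` target in test/fuzzbench/GNUmakefile with `--build-arg AFL_COMMIT=$$(git -C $(ROOT) rev-parse HEAD)`. The `apt-get install` layer also keeps the package lists and recommended packages; `--no-install-recommends` and a trailing `rm -rf /var/lib/apt/lists/*` would shrink the image.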
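Review bot: The script duplicates `AFL_FRIDA_PERSISTENT_CNT=1000000` and `AFL_FRIDA_PERSISTENT_ADDR=0x55555599f6c0` from the `frida` target in test/fuzzbench/GNUmakefile, so the two copies can drift when the checked-in `fuzzer` binary is regenerated; a comment such as `# keep in sync with the frida target in ../GNUmakefile (address of the persistent loop in ./fuzzer)` would at least tie them together. Because `docker run … /run.sh` makes this script PID 1, the final command should be `exec /frida-mode/afl-fuzz \` so that afl-fuzz receives the container's SIGINT/SIGTERM directly rather than a PID-1 shell that does not forward them.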
diff --git a/frida_mode/test/libxml/GNUmakefile b/frida_mode/test/libxml/GNUmakefile new file mode 100644 index 00000000..652223e0 --- /dev/null +++ b/frida_mode/test/libxml/GNUmakefile @@ -0,0 +1,13 @@ +PWD:=$(shell pwd)/ +ROOT:=$(shell realpath $(PWD)../../..)/ + +.PHONY: all frida + +all: + make -C $(ROOT)frida_mode/ + +frida: + LD_PRELOAD=$(ROOT)frida_mode/build/afl-frida-trace.so ./xml + +debug: + gdb --ex 'set environment LD_PRELOAD=$(ROOT)frida_mode/build/afl-frida-trace.so' --args ./xml \ No newline at end of file diff --git a/frida_mode/test/libxml/Makefile b/frida_mode/test/libxml/Makefile new file mode 100644 index 00000000..258e9de4 --- /dev/null +++ b/frida_mode/test/libxml/Makefile @@ -0,0 +1,12 @@ +all: + @echo trying to use GNU make... + @gmake all || echo please install GNUmake + +clean: + @gmake clean + +frida: + @gmake frida + +debug: + @gmake debug \ No newline at end of file diff --git a/frida_mode/test/libxml/xml b/frida_mode/test/libxml/xml new file mode 100755 index 00000000..fb5c7c76 --- /dev/null +++ b/frida_mode/test/libxml/xml Binary files differdiff --git a/frida_mode/test/testinstr/GNUmakefile b/frida_mode/test/testinstr/GNUmakefile index 9aa24ee5..4addbad8 100644 --- a/frida_mode/test/testinstr/GNUmakefile +++ b/frida_mode/test/testinstr/GNUmakefile @@ -40,7 +40,7 @@ qemu: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) -- \ $(TESTINSTBIN) @@ -frida: $(FRIDA_TRACE) $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) +frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) $(ROOT)afl-fuzz \ -D \ -O \ |
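Review bot: There is no `clean` target here, yet the sibling `test/libxml/Makefile` added in this commit dispatches `gmake clean` to this file, so `make clean` in that directory fails with "No rule to make target 'clean'"; add `clean:` (an empty recipe is fine, since nothing is built locally) and list it together with `debug` in `.PHONY: all frida`, which currently omits `debug`. Note also that `frida` runs the checked-in `./xml` binary directly under `LD_PRELOAD` rather than through `afl-fuzz -O`, so it is a load-and-run smoke test, not a fuzzing run; a one-line comment saying so would stop readers expecting parity with the other test directories. `make -C $(ROOT)frida_mode/` should be `$(MAKE) -C $(ROOT)frida_mode/`.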
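Review bot: With `$(FRIDA_TRACE)` gone from the `frida` target's prerequisites, `make frida` in testinstr can start `afl-fuzz -O` before `afl-frida-trace.so` has ever been built, and nothing in the hunk replaces that ordering; `FRIDA_TRACE` and the remainder of the recipe are defined outside the hunk. Either restore the ordering without re-deriving the library's rule, e.g. `frida: $(TESTINSTBIN) $(TESTINSTR_DATA_FILE) | $(FRIDA_TRACE)` with `$(FRIDA_TRACE): ; $(MAKE) -C $(ROOT)frida_mode/`, or add a comment on the target that `all` must be run first so the precondition is at least documented.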