HexHive · srividya-p · May 29, 2025 · May 29, 2025 · May 29, 2025 · Feb 25, 2025
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,7 @@
+workdir*
+__pycache__/
+tools/benchd/*.json
+tools/report_df/out/
+cov_out/
+*.pkl
+*.html
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,4 +1,7 @@
-FROM ubuntu:18.04
+##
+# Stage: build core magma
+##
+FROM ubuntu:24.04 AS magma_core
 
 # TODO remove sudo for user "magma" to avoid unwanted priv escalation from
 # other attack vectors.
@@ -11,32 +14,34 @@ RUN apt-get update && apt-get install -y sudo
 ARG magma_root=./
 
 ## Path variables inside the container
-ENV MAGMA_R /magma
-ENV OUT		/magma_out
-ENV SHARED 	/magma_shared
-
-ENV CC  /usr/bin/gcc
-ENV CXX /usr/bin/g++
-ENV LD /usr/bin/ld
-ENV AR /usr/bin/ar
-ENV AS /usr/bin/as
-ENV NM /usr/bin/nm
-ENV RANLIB /usr/bin/ranlib
-
-ARG USER_ID=1000
-ARG GROUP_ID=1000
+ENV MAGMA_R=/magma
+ENV OUT=/magma_out
+ENV COV=/magma_cov
+ENV SHARED=/magma_shared
+
+ENV CC=/usr/bin/gcc
+ENV CXX=/usr/bin/g++
+ENV LD=/usr/bin/ld
+ENV AR=/usr/bin/ar
+ENV AS=/usr/bin/as
+ENV NM=/usr/bin/nm
+ENV RANLIB=/usr/bin/ranlib
+
+ARG USER_ID=1001
+ARG GROUP_ID=1001
 RUN mkdir -p /home && \
 	groupadd -g ${GROUP_ID} magma && \
 	useradd -l -u ${USER_ID} -K UMASK=0000 -d /home -g magma magma && \
 	chown magma:magma /home
 RUN	echo "magma:amgam" | chpasswd && usermod -a -G sudo magma
+RUN echo "magma ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers
 
-RUN mkdir -p ${SHARED} ${OUT} && \
-	chown magma:magma ${SHARED} ${OUT} && \
-	chmod 744 ${SHARED} ${OUT}
+RUN mkdir -p ${SHARED} ${OUT} ${COV} && \
+	chown magma:magma ${SHARED} ${OUT} ${COV} && \
+	chmod 744 ${SHARED} ${OUT} ${COV}
 
 ARG magma_path=magma
-ENV MAGMA 	${MAGMA_R}/${magma_path}
+ENV MAGMA=${MAGMA_R}/${magma_path}
 USER root:root
 RUN mkdir -p ${MAGMA} && chown magma:magma ${MAGMA}
 COPY --chown=magma:magma ${magma_root}/${magma_path} ${MAGMA}/
@@ -46,24 +51,28 @@ RUN ${MAGMA}/prebuild.sh
 
 ARG fuzzer_name
 ARG fuzzer_path=fuzzers/${fuzzer_name}
-ENV FUZZER 	${MAGMA_R}/${fuzzer_path}
+ENV FUZZER=${MAGMA_R}/${fuzzer_path}
 USER root:root
 RUN mkdir -p ${FUZZER} && chown magma:magma ${FUZZER}
 COPY --chown=magma:magma ${magma_root}/${fuzzer_path} ${FUZZER}/
 RUN ${FUZZER}/preinstall.sh
 USER magma:magma
 RUN ${FUZZER}/fetch.sh
 RUN ${FUZZER}/build.sh
+RUN if [ -f ${FUZZER}/postinstall.sh ]; then /bin/bash ${FUZZER}/postinstall.sh; fi
 
 ARG target_name
 ARG target_path=targets/${target_name}
-ENV TARGET 	${MAGMA_R}/${target_path}
+ENV TARGET_NAME=${target_name}
+ENV TARGET=${MAGMA_R}/${target_path}
+ARG target_version
+ENV TARGET_VERSION=${target_version}
 USER root:root
 RUN mkdir -p ${TARGET} && chown magma:magma ${TARGET}
 COPY --chown=magma:magma ${magma_root}/${target_path} ${TARGET}/
 RUN ${TARGET}/preinstall.sh
 USER magma:magma
-RUN ${TARGET}/fetch.sh
+RUN ${MAGMA}/fetch_target.sh
 RUN ${MAGMA}/apply_patches.sh
 
 ## Configuration parameters
@@ -78,11 +87,74 @@ ARG CANARIES_FLAG=${canaries:+-DMAGMA_ENABLE_CANARIES}
 ARG FIXES_FLAG=${fixes:+-DMAGMA_ENABLE_FIXES}
 ARG BUILD_FLAGS="-include ${MAGMA}/src/canary.h ${CANARIES_FLAG} ${FIXES_FLAG} ${ISAN_FLAG} ${HARDEN_FLAG} -g -O0"
 
-ENV CFLAGS ${BUILD_FLAGS}
-ENV CXXFLAGS ${BUILD_FLAGS}
-ENV LIBS -l:magma.o -lrt
-ENV LDFLAGS -L"${OUT}" -g
+ENV CFLAGS=${BUILD_FLAGS}
+ENV CXXFLAGS=${BUILD_FLAGS}
+ENV LIBS="-l:magma.o -lrt"
+ENV LDFLAGS="-L${OUT} -g"
+
+ARG source_coverage
+ENV SOURCE_COVERAGE=${source_coverage:+1}
+ENV SOURCE_COVERAGE_FLAGS=${source_coverage:+"-fprofile-instr-generate -fcoverage-mapping"}
 
 RUN ${FUZZER}/instrument.sh
 
-ENTRYPOINT "${MAGMA}/run.sh"
+ENTRYPOINT ["/bin/bash", "-c", "${MAGMA}/run.sh"]
+
+
+##
+# Stage: build magma PoCs
+##
+FROM ubuntu:24.04 AS magma_pocs
+
+RUN apt-get update && apt-get install -y sudo g++ git
+
+ARG magma_root=./
+ARG poc_target_name
+ARG poc_target_version
+ARG poc_bug
+ENV MAGMA_R=/magma
+ENV OUT=/magma_out
+ENV CC=/usr/bin/gcc
+ENV CXX=/usr/bin/g++
+
+# set up user and group
+ARG USER_ID=1001
+ARG GROUP_ID=1001
+
+RUN mkdir -p /home && \
+	groupadd -g ${GROUP_ID} magma && \
+	useradd -l -u ${USER_ID} -K UMASK=0000 -d /home -g magma magma && \
+	chown magma:magma /home
+RUN	echo "magma:amgam" | chpasswd && usermod -a -G sudo magma
+RUN echo "magma ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+RUN mkdir -p ${OUT} && chown magma:magma ${OUT} && chmod 744 ${OUT}
+
+# copy over magma source code
+ARG magma_path=magma
+ENV MAGMA=${MAGMA_R}/${magma_path}
+
+USER root:root
+RUN mkdir -p ${MAGMA} && chown magma:magma ${MAGMA}
+COPY --chown=magma:magma ${magma_root}/${magma_path} ${MAGMA}/
+
+# build a clean install of the target with a specific bug
+ARG target_path=targets/${poc_target_name}
+ENV TARGET_NAME=${poc_target_name}
+ENV TARGET=${MAGMA_R}/${target_path}
+ENV TARGET_VERSION=${poc_target_version}
+ENV BUG_PATH=${TARGET}/patches/bugs/${poc_bug}.patch
+
+USER root:root
+RUN mkdir -p ${TARGET} && chown magma:magma ${TARGET}
+COPY --chown=magma:magma ${magma_root}/${target_path} ${TARGET}/
+RUN ${TARGET}/preinstall.sh
+RUN ${MAGMA}/fetch_target.sh
+RUN ${MAGMA}/apply_patches.sh ${BUG_PATH}
+RUN ${TARGET}/build_poc.sh
+
+# copy over the PoC input
+ARG CRASH_CONTAINER_PATH=/test/crash_input
+ARG CRASH_INPUT_PATH=${magma_root}/${target_path}/pocs/${poc_bug}.crash
+
+COPY --chown=magma:magma ${CRASH_INPUT_PATH} ${CRASH_CONTAINER_PATH}
diff --git a/fuzzers/aflplusplus/build.sh b/fuzzers/aflplusplus/build.sh
@@ -19,4 +19,4 @@ export PYTHON_INCLUDE=/
 make -j$(nproc) || exit 1
 make -C utils/aflpp_driver || exit 1
 
-mkdir -p "$OUT/afl" "$OUT/cmplog"
+mkdir -p "$OUT/afl" "$OUT/cmplog" "$COV/afl"
diff --git a/fuzzers/aflplusplus/coverage.sh b/fuzzers/aflplusplus/coverage.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+
+##
+# Pre-requirements:
+# - env SHARED: path to directory shared with host (to store results)
+##
+
+export DIRECTORY_TO_SEARCH=$SHARED/findings/default/queue
+chmod -R o+rx $SHARED/findings/default
+export PATTERN_TO_MATCH="id:*"
+cp $COV/afl/$PROGRAM $COV
diff --git a/fuzzers/aflplusplus/fetch.sh b/fuzzers/aflplusplus/fetch.sh
@@ -6,8 +6,11 @@ set -e
 # - env FUZZER: path to fuzzer work dir
 ##
 
+# Currently points to the first commit of 2025
+AFLPLUSPLUS_STABLE_HASH=1ddfb1fec2b8aa99886a5de35c07e8f2a7bd8b98
+
 git clone --no-checkout https://github.com/AFLplusplus/AFLplusplus "$FUZZER/repo"
-git -C "$FUZZER/repo" checkout 458eb0813a6f7d63eed97f18696bca8274533123
+git -C "$FUZZER/repo" checkout $AFLPLUSPLUS_STABLE_HASH
 
 # Fix: CMake-based build systems fail with duplicate (of main) or undefined references (of LLVMFuzzerTestOneInput)
 sed -i '{s/^int main/__attribute__((weak)) &/}' $FUZZER/repo/utils/aflpp_driver/aflpp_driver.c
@@ -24,15 +27,15 @@ EOF
 patch -p1 -d "$FUZZER/repo" << EOF
 --- a/utils/aflpp_driver/aflpp_driver.c
 +++ b/utils/aflpp_driver/aflpp_driver.c
-@@ -53,7 +53,7 @@
-   #include "hash.h"
+@@ -65,7 +65,7 @@
  #endif
 
+ // AFL++ shared memory fuzz cases
 -int                   __afl_sharedmem_fuzzing = 1;
 +int                   __afl_sharedmem_fuzzing = 0;
- extern unsigned int * __afl_fuzz_len;
+ extern unsigned int  *__afl_fuzz_len;
  extern unsigned char *__afl_fuzz_ptr;
- 
+
 @@ -111,7 +111,8 @@ extern unsigned int * __afl_fuzz_len;
  __attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv);
 

diff --git a/fuzzers/aflplusplus/instrument.sh b/fuzzers/aflplusplus/instrument.sh
@@ -7,6 +7,8 @@ set -e
 # - env TARGET: path to target work dir
 # - env MAGMA: path to Magma support files
 # - env OUT: path to directory where artifacts are stored
+# - env SOURCE_COVERAGE: if source-based code coverage is enabled
+# - env COV: path to directory where artifacts for source-base code coverage are stored
 # - env CFLAGS and CXXFLAGS must be set to link against Magma instrumentation
 ##
 
@@ -18,6 +20,7 @@ export LIBS="$LIBS -lc++ -lc++abi $FUZZER/repo/utils/aflpp_driver/libAFLDriver.a
 
 # AFL++'s driver is compiled against libc++
 export CXXFLAGS="$CXXFLAGS -stdlib=libc++"
+export LDFLAGS="$LDFLAGS -stdlib=libc++"
 
 # Build the AFL-only instrumented version
 (
@@ -44,3 +47,14 @@ export CXXFLAGS="$CXXFLAGS -stdlib=libc++"
 # NOTE: We pass $OUT directly to the target build.sh script, since the artifact
 #       itself is the fuzz target. In the case of Angora, we might need to
 #       replace $OUT by $OUT/fast and $OUT/track, for instance.
+
+if [ ! -z $SOURCE_COVERAGE ]; then
+    export CC=clang
+    export CXX=clang++
+    export CFLAGS="$SOURCE_COVERAGE_FLAGS"
+    export CXXFLAGS="$SOURCE_COVERAGE_FLAGS"
+    export LDFLAGS="$SOURCE_COVERAGE_FLAGS"
+    export LIBS=""
+    export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
+    OUT=$COV/afl TARGET=$COV "$TARGET/build.sh"
+fi
diff --git a/fuzzers/aflplusplus/preinstall.sh b/fuzzers/aflplusplus/preinstall.sh
@@ -1,35 +1,40 @@
 #!/bin/bash
 set -e
 
+export LLVM_VERSION=16
+
 apt-get update && \
-    apt-get install -y make clang-9 llvm-9-dev libc++-9-dev libc++abi-9-dev \
-        build-essential git wget gcc-7-plugin-dev
+    apt-get install -y make build-essential git wget \
+      clang-$LLVM_VERSION llvm-$LLVM_VERSION-dev \
+      libc++-$LLVM_VERSION-dev libc++abi-$LLVM_VERSION-dev \
+      gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev
 
 update-alternatives \
-  --install /usr/lib/llvm              llvm             /usr/lib/llvm-9  20 \
-  --slave   /usr/bin/llvm-config       llvm-config      /usr/bin/llvm-config-9  \
-    --slave   /usr/bin/llvm-ar           llvm-ar          /usr/bin/llvm-ar-9 \
-    --slave   /usr/bin/llvm-as           llvm-as          /usr/bin/llvm-as-9 \
-    --slave   /usr/bin/llvm-bcanalyzer   llvm-bcanalyzer  /usr/bin/llvm-bcanalyzer-9 \
-    --slave   /usr/bin/llvm-c-test       llvm-c-test      /usr/bin/llvm-c-test-9 \
-    --slave   /usr/bin/llvm-cov          llvm-cov         /usr/bin/llvm-cov-9 \
-    --slave   /usr/bin/llvm-diff         llvm-diff        /usr/bin/llvm-diff-9 \
-    --slave   /usr/bin/llvm-dis          llvm-dis         /usr/bin/llvm-dis-9 \
-    --slave   /usr/bin/llvm-dwarfdump    llvm-dwarfdump   /usr/bin/llvm-dwarfdump-9 \
-    --slave   /usr/bin/llvm-extract      llvm-extract     /usr/bin/llvm-extract-9 \
-    --slave   /usr/bin/llvm-link         llvm-link        /usr/bin/llvm-link-9 \
-    --slave   /usr/bin/llvm-mc           llvm-mc          /usr/bin/llvm-mc-9 \
-    --slave   /usr/bin/llvm-nm           llvm-nm          /usr/bin/llvm-nm-9 \
-    --slave   /usr/bin/llvm-objdump      llvm-objdump     /usr/bin/llvm-objdump-9 \
-    --slave   /usr/bin/llvm-ranlib       llvm-ranlib      /usr/bin/llvm-ranlib-9 \
-    --slave   /usr/bin/llvm-readobj      llvm-readobj     /usr/bin/llvm-readobj-9 \
-    --slave   /usr/bin/llvm-rtdyld       llvm-rtdyld      /usr/bin/llvm-rtdyld-9 \
-    --slave   /usr/bin/llvm-size         llvm-size        /usr/bin/llvm-size-9 \
-    --slave   /usr/bin/llvm-stress       llvm-stress      /usr/bin/llvm-stress-9 \
-    --slave   /usr/bin/llvm-symbolizer   llvm-symbolizer  /usr/bin/llvm-symbolizer-9 \
-    --slave   /usr/bin/llvm-tblgen       llvm-tblgen      /usr/bin/llvm-tblgen-9
+  --install /usr/lib/llvm              llvm             /usr/lib/llvm-$LLVM_VERSION  20 \
+  --slave   /usr/bin/llvm-config       llvm-config      /usr/bin/llvm-config-$LLVM_VERSION  \
+    --slave   /usr/bin/llvm-ar           llvm-ar          /usr/bin/llvm-ar-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-as           llvm-as          /usr/bin/llvm-as-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-bcanalyzer   llvm-bcanalyzer  /usr/bin/llvm-bcanalyzer-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-c-test       llvm-c-test      /usr/bin/llvm-c-test-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-cov          llvm-cov         /usr/bin/llvm-cov-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-profdata     llvm-profdata    /usr/bin/llvm-profdata-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-diff         llvm-diff        /usr/bin/llvm-diff-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-dis          llvm-dis         /usr/bin/llvm-dis-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-dwarfdump    llvm-dwarfdump   /usr/bin/llvm-dwarfdump-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-extract      llvm-extract     /usr/bin/llvm-extract-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-link         llvm-link        /usr/bin/llvm-link-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-mc           llvm-mc          /usr/bin/llvm-mc-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-nm           llvm-nm          /usr/bin/llvm-nm-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-objdump      llvm-objdump     /usr/bin/llvm-objdump-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-ranlib       llvm-ranlib      /usr/bin/llvm-ranlib-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-readobj      llvm-readobj     /usr/bin/llvm-readobj-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-rtdyld       llvm-rtdyld      /usr/bin/llvm-rtdyld-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-size         llvm-size        /usr/bin/llvm-size-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-stress       llvm-stress      /usr/bin/llvm-stress-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-symbolizer   llvm-symbolizer  /usr/bin/llvm-symbolizer-$LLVM_VERSION \
+    --slave   /usr/bin/llvm-tblgen       llvm-tblgen      /usr/bin/llvm-tblgen-$LLVM_VERSION
 
 update-alternatives \
-  --install /usr/bin/clang                 clang                  /usr/bin/clang-9     20 \
-  --slave   /usr/bin/clang++               clang++                /usr/bin/clang++-9 \
-  --slave   /usr/bin/clang-cpp             clang-cpp              /usr/bin/clang-cpp-9
+  --install /usr/bin/clang                 clang                  /usr/bin/clang-$LLVM_VERSION     20 \
+  --slave   /usr/bin/clang++               clang++                /usr/bin/clang++-$LLVM_VERSION \
+  --slave   /usr/bin/clang-cpp             clang-cpp              /usr/bin/clang-cpp-$LLVM_VERSION
diff --git a/fuzzers/aflplusplus/run.sh b/fuzzers/aflplusplus/run.sh
@@ -17,13 +17,19 @@ fi
 
 mkdir -p "$SHARED/findings"
 
-flag_cmplog=(-m none -c "$OUT/cmplog/$PROGRAM")
+# TODO: Figure out why cmplog gets stuck infinitely on PHP
+if [[ "$TARGET" == */php ]]; then
+    flag_cmplog=()
+else
+    flag_cmplog=(-m none -c "$OUT/cmplog/$PROGRAM")
+fi
 
 export AFL_SKIP_CPUFREQ=1
 export AFL_NO_AFFINITY=1
 export AFL_NO_UI=1
 export AFL_MAP_SIZE=256000
 export AFL_DRIVER_DONT_DEFER=1
+export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
 
 "$FUZZER/repo/afl-fuzz" -i "$TARGET/corpus/$PROGRAM" -o "$SHARED/findings" \
     "${flag_cmplog[@]}" -d \

diff --git a/fuzzers/aflplusplus/runonce.sh b/fuzzers/aflplusplus/runonce.sh
@@ -8,6 +8,7 @@
 # - env OUT: path to directory where artifacts are stored
 # - env PROGRAM: name of program to run (should be found in $OUT)
 # - env ARGS: extra arguments to pass to the program
+# - env SOURCE_COVERAGE: if source-based code coverage is enabled
 ##
 
 export TIMELIMIT=0.1s
@@ -24,5 +25,8 @@ if [ -z "$args" ]; then
     args="'$1'"
 fi
 
+if [ ! -z $SOURCE_COVERAGE ]; then
+    export LD_PRELOAD=$OUT/source_coverage.so
+fi
 timeout -s KILL --preserve-status $TIMELIMIT bash -c \
     "run_limited '$OUT/afl/$PROGRAM' $args"
diff --git a/fuzzers/honggfuzz/coverage.sh b/fuzzers/honggfuzz/coverage.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+##
+# Pre-requirements:
+# - env SHARED: path to directory shared with host (to store results)
+##
+
+export DIRECTORY_TO_SEARCH=$SHARED/output
+chmod -R o+rx $SHARED/output
+export PATTERN_TO_MATCH="*"