[forkserver_libafl_cc] Adjust test fuzzer

* Remove 1 second per testcase timeout.  The crashes are taking longer
  and are erroneously treated as a timeout. Under moderate load on my
  laptop, the crashes were being missed frequently.
* Add a max input length parameter akin to AFL++'s afl-fuzz CLI args so
  that the mutations are more likely to find the objective (crash)
  * Set the default test to length 10 as the two potential crashes can
    be found mutating the first 3 or 4 bytes
* Relying on grep'ing through the the log of the micro fuzz campaign
  is inheritly fraught as the printing is infrequent and
  non-deterministic. Switch to checking the filesystem for results

Author: rchildre3

fuzzers/forkserver/forkserver_libafl_cc/Justfile

@@ -56,14 +56,25 @@ run: fuzzer
 [macos]
 test: fuzzer
     #!/bin/bash
-    timeout 30s {{ FORKSERVER }} ./{{ FUZZER_NAME }} ./corpus/ -t 1000 | tee fuzz_stdout.log || true
-    if grep -qa "objectives: 1" fuzz_stdout.log; then
-        echo "Fuzzer is working"
+    CRASH_DIR="crashes"
+    QUEUE_DIR="corpus_discovered"
+    timeout 30s {{ FORKSERVER }} -G 10 -t 5000 ./{{ FUZZER_NAME }} ./corpus/ || true
+
+    # Print off the crashes/queue for testing before we delete, but don't fail the job
+    find "${CRASH_DIR}" "${QUEUE_DIR}" -type f -name '[0-9a-f]*' -print -exec od -A x -t x1 -c {} \; 2>/dev/null || true
+
+    if find "${CRASH_DIR}" -type f -name '[0-9a-f]*' -printf '.' 2>/dev/null | grep -q .; then
+        echo "Good, Fuzzer found a crash"
     else
-        echo "Fuzzer does not generate any testcases or any crashes"
+        echo "Fuzzer did not find a crashing input, and should have"
         exit 1
     fi
 
+    # Cleanup the crashes/queue dirs so that subsequent tests don't pick up
+    # previous crashes/findings.
+    # already exited if failed, keep around to debug
+    rm -r "${CRASH_DIR}" "${QUEUE_DIR}"
+
 [windows]
 test: fuzzer
     echo "Unsupported on this platform"

fuzzers/forkserver/forkserver_libafl_cc/src/main.rs

@@ -3,9 +3,12 @@ use std::path::PathBuf;
 
 use clap::Parser;
 use libafl::{
-    corpus::{Corpus, InMemoryCorpus, OnDiskCorpus},
+    corpus::{CachedOnDiskCorpus, Corpus, OnDiskCorpus},
     events::SimpleEventManager,
-    executors::{forkserver::ForkserverExecutor, HasObservers, StdChildArgs},
+    executors::{
+        forkserver::{ForkserverExecutor, MAX_INPUT_SIZE_DEFAULT},
+        HasObservers, StdChildArgs,
+    },
     feedback_and_fast, feedback_or,
     feedbacks::{CrashFeedback, MaxMapFeedback, TimeFeedback},
     fuzzer::{Fuzzer, StdFuzzer},
@@ -42,6 +45,14 @@ struct Opt {
     )]
     executable: String,
 
+    #[arg(
+        help = "set max length of generated fuzz input",
+        short = 'G',
+        long = "maxlen",
+        default_value_t = MAX_INPUT_SIZE_DEFAULT
+    )]
+    max_input_len: usize,
+
     #[arg(
         help = "The directory to read initial inputs from ('seeds')",
         name = "INPUT_DIR",
@@ -53,7 +64,7 @@ struct Opt {
         help = "Timeout for each individual execution, in milliseconds",
         short = 't',
         long = "timeout",
-        default_value = "1200"
+        default_value = "3000"
     )]
     timeout: u64,
 
@@ -135,8 +146,8 @@ pub fn main() {
     let mut state = StdState::new(
         // RNG
         StdRand::new(),
-        // Corpus that will be evolved, we keep it in memory for performance
-        InMemoryCorpus::<BytesInput>::new(),
+        // Corpus that will be evolved, keep on disk to ensure instrumentation is working
+        CachedOnDiskCorpus::<BytesInput>::new(PathBuf::from("./corpus_discovered"), 64).unwrap(),
         // Corpus in which we store solutions (crashes in this example),
         // on disk so the user can get them after stopping the fuzzer
         OnDiskCorpus::new(PathBuf::from("./crashes")).unwrap(),
@@ -180,6 +191,7 @@ pub fn main() {
         .parse_afl_cmdline(args)
         .coverage_map_size(MAP_SIZE)
         .timeout(Duration::from_millis(opt.timeout))
+        .max_input_size(opt.max_input_len)
         .kill_signal(opt.signal)
         .build(tuple_list!(time_observer, edges_observer))
         .unwrap();