ref: 5ba227031c865aff55fdaf7c9a1b0e8abcbbabc4
parent: ecd868ac6e7ab3df4984ff29a16c7158339611a3
author: Ben Harris <[email protected]>
date: Mon Feb 20 16:51:18 EST 2023
Rough support for fuzzing with libFuzzer For AFL++ and Honggfuzz, our approach is to build a standard fuzzpuzz binary with extra hooks for interacting with an external fuzzer. This works well for AFL++ and tolerably for Honggfuzz. LibFuzzer, though, provides its own main() so that the resulting program has a very different command-line interface from the normal one. Also, since libFuzzer is a standard part of Clang, we can't decide whether to use it based on the behaviour of the compiler. So what I've done, at least for now, is to have CMake detect when we're using Clang and in that case build a separate binary called "fuzzpuzz-libfuzzer" which is built with -fsanitize=fuzzer, while the ordinary fuzzpuzz is built without. I'm not sure if this is the right approach, though.
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -282,6 +282,16 @@
cliprogram(fuzzpuzz fuzzpuzz.c list.c ${puzzle_sources}
COMPILE_DEFINITIONS COMBINED $<$<BOOL:${HAVE_HF_ITER}>:HAVE_HF_ITER>)
target_include_directories(fuzzpuzz PRIVATE ${generated_include_dir})
+
+ if(CMAKE_C_COMPILER_ID MATCHES "Clang")
+ cliprogram(fuzzpuzz-libfuzzer fuzzpuzz.c list.c ${puzzle_sources}
+ COMPILE_DEFINITIONS COMBINED OMIT_MAIN)
+ target_include_directories(fuzzpuzz-libfuzzer
+ PRIVATE ${generated_include_dir})
+ target_compile_options(fuzzpuzz-libfuzzer PRIVATE -fsanitize=fuzzer)
+ set_target_properties(fuzzpuzz-libfuzzer
+ PROPERTIES LINK_FLAGS -fsanitize=fuzzer)
+ endif()
endif()
build_extras()
--- a/fuzzpuzz.c
+++ b/fuzzpuzz.c
@@ -43,6 +43,10 @@
extern int HF_ITER(unsigned char **, size_t *);
#endif
+/* This function is expected by libFuzzer. */
+
+int LLVMFuzzerTestOneInput(unsigned char *data, size_t size);
+
static const char *fuzz_one(bool (*readfn)(void *, void *, int), void *rctx,
void (*rewindfn)(void *),
void (*writefn)(void *, const void *, int),
@@ -104,6 +108,44 @@
fwrite(buf, 1, len, fp);
}
+struct memread {
+ const unsigned char *buf;
+ size_t pos;
+ size_t len;
+};
+
+static bool mem_read(void *wctx, void *buf, int len)
+{
+ struct memread *ctx = wctx;
+
+ if (ctx->pos + len > ctx->len) return false;
+ memcpy(buf, ctx->buf + ctx->pos, len);
+ ctx->pos += len;
+ return true;
+}
+
+static void mem_rewind(void *wctx)
+{
+ struct memread *ctx = wctx;
+
+ ctx->pos = 0;
+}
+
+static void null_write(void *wctx, const void *buf, int len)
+{
+}
+
+int LLVMFuzzerTestOneInput(unsigned char *data, size_t size) {
+ struct memread ctx;
+
+ ctx.buf = data;
+ ctx.len = size;
+ ctx.pos = 0;
+ fuzz_one(mem_read, &ctx, mem_rewind, null_write, NULL);
+ return 0;
+}
+
+#ifndef OMIT_MAIN
int main(int argc, char **argv)
{
const char *err;
@@ -165,3 +207,4 @@
}
return ret;
}
+#endif