
* build fuzzers with shared cargo target dir
* Make external build scripts aware of CARGO_TARGET_DIR
* fix libmozjpeg fuzzer with shared target dir
* fix cargo-make default value for CARGO_TARGET_DIR
* avoid ./ in cargo-make for windows compat
* CI: cargo-hack's --feature-powerset is too powerful
* fuzzer_concolic: support CARGO_TARGET_DIR
* ci: install z3 to avoid building from source
* ci: update actions
* ci: test nightly features with nightly rust
* test_all_fuzzers: try pruning more compilation artifacts
* ci: fix nightly feature check
* ci: apply rust-cache action after checkout (d'oh)
The rust-cache action populates the checkout directory, which is promptly deleted by the checkout action during checkout... whoops!
Libfuzzer for libpng, with launcher
This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.
To show off crash detection, we added a ud2 instruction to the harness; edit harness.cc if you want a non-crashing example.
It has been tested on Linux.
In contrast to the normal libfuzzer libpng example, this one uses the launcher feature, which automatically spawns n child processes and binds each of them to a free core.
Build
To build this example, run
cargo build --release
This builds the fuzzer library (src/lib.rs) together with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions used for coverage feedback. It also builds two compiler wrappers for C and C++ (bin/libafl_cc.rs and bin/libafl_cxx.rs), which you must use to compile the target.
Then download libpng, and unpack the archive:
wget https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz
tar -xvf libpng-1.6.37.tar.xz
Now compile libpng, using the libafl_cc compiler wrapper:
cd libpng-1.6.37
./configure
make CC=../target/release/libafl_cc CXX=../target/release/libafl_cxx -j `nproc`
You can find the static lib at libpng-1.6.37/.libs/libpng16.a.
Now we have to build the libfuzzer harness and link everything together to create our fuzzer binary.
cd ..
./target/release/libafl_cxx ./harness.cc libpng-1.6.37/.libs/libpng16.a -I libpng-1.6.37/ -o fuzzer_libpng -lz -lm
Afterwards, the fuzzer will be ready to run.
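The build steps above gathered into one script, as an added example that is not part of the LibAFL project: it derives the wrapper paths from CARGO_TARGET_DIR (falling back to ./target, cargo's default) instead of hardcoding ../target, and checks that each artifact exists before moving to the next step. The FUZZ_BUILD guard, the function names and the script's file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the LibAFL repository: the README's build steps as
# one idempotent script. Wrapper paths come from CARGO_TARGET_DIR (cargo's
# default is ./target). Version, URL and file names are those from the README.
set -eu

LIBPNG_VER="1.6.37"
LIBPNG_DIR="libpng-${LIBPNG_VER}"
LIBPNG_URL="https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/${LIBPNG_VER}/${LIBPNG_DIR}.tar.xz"

# Target dir: $CARGO_TARGET_DIR if set (use an absolute path), else <root>/target.
resolve_target_dir() {
    printf '%s\n' "${CARGO_TARGET_DIR:-${1:-.}/target}"
}

# Path of a release-mode compiler wrapper (libafl_cc or libafl_cxx).
wrapper_path() {
    printf '%s/release/%s\n' "$(resolve_target_dir "${2:-.}")" "$1"
}

build_wrappers() {
    cargo build --release
    for w in libafl_cc libafl_cxx; do
        [ -x "$(wrapper_path "$w")" ] || { echo "missing wrapper: $w" >&2; exit 1; }
    done
}

fetch_libpng() {
    [ -d "$LIBPNG_DIR" ] && return 0   # already unpacked, skip the download
    wget -O "${LIBPNG_DIR}.tar.xz" "$LIBPNG_URL"
    tar -xf "${LIBPNG_DIR}.tar.xz"
}

# Compile libpng with the wrappers; absolute paths so they work from inside the subdir.
build_libpng() {
    cc="$(wrapper_path libafl_cc "$PWD")"
    cxx="$(wrapper_path libafl_cxx "$PWD")"
    ( cd "$LIBPNG_DIR" && ./configure && make CC="$cc" CXX="$cxx" -j "$(nproc)" )
    [ -f "$LIBPNG_DIR/.libs/libpng16.a" ] || { echo "libpng16.a was not built" >&2; exit 1; }
}

link_fuzzer() {
    "$(wrapper_path libafl_cxx "$PWD")" ./harness.cc "$LIBPNG_DIR/.libs/libpng16.a" \
        -I "$LIBPNG_DIR/" -o fuzzer_libpng -lz -lm
}

# Run the pipeline only when asked (FUZZ_BUILD=1 ./build.sh); sourcing has no side effects.
if [ "${FUZZ_BUILD:-0}" = "1" ]; then
    build_wrappers && fetch_libpng && build_libpng && link_fuzzer
fi
```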
Run
Just run the fuzzer once; the launcher feature should do the rest.