alwin.berger/FRET-LibAFL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
FRET-LibAFL/fuzzers/libfuzzer_libmozjpeg
History
Dongjia "toka" Zhang ec38858b2d
Fix Makefile.toml (#893) 
* don't use submodules

* fix

* add

* fix

* a

* fix

* doesn't work 😩

* fix

* Update build_and_test.yml

* Update build_and_test.yml

* Update build_and_test.yml
2022-11-17 04:44:26 +09:00
..
corpus
Libmozjpeg example added (#15)
2021-03-01 17:54:47 +01:00
src
Add rustfmt.toml (#722)
2022-08-12 02:28:32 +02:00
.gitignore
added restarts to libfuzzer example, docu cleanup
2021-04-29 10:55:31 +02:00
build.rs
remove libfuzzer_runtime and use cc wrapper for mozjpeg
2021-03-29 15:56:54 +02:00
Cargo.toml
Bump to 0.8.2 and update versions script (#828)
2022-10-12 14:57:08 +02:00
harness.cc
Format C/Cpp code in ./scripts/fmt_all.sh (#653)
2022-05-29 03:23:02 +02:00
hook_allocs.c
Format C/Cpp code in ./scripts/fmt_all.sh (#653)
2022-05-29 03:23:02 +02:00
jpeg.dict
remove libfuzzer_runtime and use cc wrapper for mozjpeg
2021-03-29 15:56:54 +02:00
Makefile.toml
Fix Makefile.toml (#893)
2022-11-17 04:44:26 +09:00
README.md
Test fuzzers (#187)
2021-07-02 15:35:41 +02:00

README.md

Libfuzzer for libmozjpeg

This folder contains an example fuzzer for libmozjpeg, using LLMP for fast multi-process fuzzing and crash detection. Alongside the traditional edge coverage, this example shows how to use a value-profile like feedback to bypass CMPs and an allocations size maximization feedback to spot patological inputs in terms of memory usage. It has been tested on Linux.

Build

To build this example, run cargo build --release. This will build the library with the fuzzer (src/lib.rs) with the libfuzzer compatibility layer. the SanitizerCoverage runtime functions for edges and value-profile feedbacks and the hook_allocs.c C file that hooks the allocator to report the size to the fuzzer. In addition, it will build also two C and C++ compiler wrappers (bin/c(c/xx).rs) that you must use to compile the target.

Then download the mozjpeg source tarball from and unpack the archive:

wget https://github.com/mozilla/mozjpeg/archive/v4.0.3.tar.gz
tar -xzvf v4.0.3.tar.gz

Now compile it with:

cd mozjpeg-4.0.3
cmake --disable-shared . -DCMAKE_C_COMPILER="$(pwd)/../target/release/libafl_cc" -DCMAKE_CXX_COMPILER="$(pwd)/../target/release/libafl_cxx" -G "Unix Makefiles"
make -j `nproc`
cd ..

Now, we have to build the libfuzzer harness and link all together to create our fuzzer binary.

./target/debug/cxx ./harness.cc ./mozjpeg-4.0.3/*.a -I ./mozjpeg-4.0.3/ -o fuzzer_mozjpeg

Afterward, the fuzzer will be ready to run by simply executing ./fuzzer_mozjpeg. Note that, unless you use the launcher, you will have to run the binary multiple times to actually start the fuzz process, see Run in the following. This allows you to run multiple different builds of the same fuzzer alongside, for example, with and without ASAN (-fsanitize=address) or with different mutators.

Run

The first time you run the binary, the broker will open a tcp port (currently on port 1337), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel.

Each following execution will run a fuzzer client. As this example uses in-process fuzzing, we added a Restarting Event Manager (setup_restarting_mgr). This means each client will start itself again to listen for crashes and timeouts. By restarting the actual fuzzer, it can recover from these exit conditions.

In any real-world scenario, you should use taskset to pin each client to an empty CPU core, the lib does not pick an empty core automatically, unless you use the launcher.