
* squash libfuzzer edits
* fixup: compat with custom mutators
* use tui flag
* add introspection support
* use libfuzzer dep now that we've merged
* force input loading
* some fixes
* begin docs, impl shrink
* make whole-archive conditional and not default
* make more copies of counters maps
* lol, remember to add the observer
* make size edge map observer an observer
* fixup: make def of run driver conditional
* add sanity checks for insertion
* revert silencing of forks
* add experimental tmin support; add default asan flags
* use default options instead of specifying our own
* implement lockless mode
* fix merge
* fixup lockless corpus
* fixup for generalisation
* remove erroneous drop_in_place
* improve error logging in the case of corpus loading failure
* ok, use lock files 😔
* fix tmin
* implement merge (again); fix rare cases with maps being too small
* implement a scheduler for removing excess
* implement a walking strategy for corpus loading for large corpora
* revert filename parameter; rename and remove duplicates
* various cleanup and clippy satisfaction
* fix no_std tests
* clang-format
* expand and satisfy the clippy gods
* fix sanitizer_ifaces bindgen for no_std
* fix wasm fuzzer
* fixup clippy script
* rename and provide a small amount of explanation for sanitizer_interfaces
* fixup: HasLastReportTime
* fix clippy oddities
* restrict clippy checks to linux-only for libafl_libfuzzer_runtime
* name the mutators
* format
* fix clippy warning
* hope docker is fixed
* fix cmin lint
* clippy pass
* more docs
* more clippy
* fix remaining clippy complaints
* fix import
* miri fixes (no constructors executed)
* exclude libafl_libfuzzer from cargo-hack
* fix clippy check for sanitizer_interfaces
* fmt
* fix CI (?)
* deduplicate sancov 8bit for improved perf on ASAN
* merge 8bit coverage regions + comment out insane deduplication
* no erroring out on free hooks
* fixup for non-forking merge
* skip the corpus dir if we use it
* fixup: recent libafl changes and feature flags
* libafl_libfuzzer: use rust-lld for whole-archive feature
* clarify cause of failure
* mark unsafe
* clippy :cursed_cowboy:
* attempt to fix wasm
* spooky unknowable bug 👻
* more clippy lints
* clippy fix for merge
* use the version pin
* add unsafe to ::register
* Serdeany autoreg fix
* make type assert actionable
* miri fixes

---------

Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: Dominik Maier <dmnk@google.com>
Co-authored-by: Mrmaxmeier <Mrmaxmeier@gmail.com>
Libfuzzer for libpng, with launcher
This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.
To show off crash detection, we added a ud2 instruction to the harness; executing it raises SIGILL, which the fuzzer reports as a crash. Edit harness.cc if you want a non-crashing example.
It has been tested on Linux.
In contrast to the normal libfuzzer libpng example, this one uses the launcher feature, which automatically spawns n child processes and binds each of them to a free core.
Build
To build this example, run
cargo build --release
This builds the fuzzer library (src/lib.rs) together with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions that collect coverage feedback. It also builds two compiler wrappers for C and C++ (bin/libafl_cc.rs and bin/libafl_cxx.rs, producing target/release/libafl_cc and target/release/libafl_cxx). You must compile the target with these wrappers; a target built with the plain system compiler is not instrumented, and the fuzzer would then run without coverage feedback.
Then download libpng and unpack the archive:
wget https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz
tar -xvf libpng-1.6.37.tar.xz
Now compile libpng, using the libafl_cc compiler wrapper:
cd libpng-1.6.37
./configure
make CC=../target/release/libafl_cc CXX=../target/release/libafl_cxx -j `nproc`
You can find the static lib at libpng-1.6.37/.libs/libpng16.a.
Now build the libfuzzer harness and link everything together into the fuzzer binary:
cd ..
./target/release/libafl_cxx ./harness.cc libpng-1.6.37/.libs/libpng16.a -I libpng-1.6.37/ -o fuzzer_libpng -lz -lm
Afterwards, the fuzzer will be ready to run.
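The Build steps above as one idempotent script, with a check that the wrappers actually instrumented the target. This is an added example, not a script that ships with LibAFL or this example. It assumes it is run from this example's directory (next to harness.cc and Cargo.toml) and that cargo, wget, tar, make and nproc are on the PATH. The `verify_instrumented` check relies on the fact that a SanitizerCoverage-instrumented object references `__sanitizer_cov_*` runtime hooks, whose names appear literally in the symbol string table of the static archive and of the final binary; if that check fails, make picked up the system compiler instead of the wrapper.

```shell
#!/bin/sh
# Added example build script for the libfuzzer_libpng_launcher README steps
# (not part of the LibAFL project). Assumes it runs from the example directory.
set -eu

LIBPNG_VER=1.6.37
LIBPNG_DIR="libpng-${LIBPNG_VER}"
LIBPNG_TAR="${LIBPNG_DIR}.tar.xz"
LIBPNG_URL="https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/${LIBPNG_VER}/${LIBPNG_TAR}"
# Absolute paths so the wrappers also resolve after `cd` into the libpng tree.
CC_WRAP="$PWD/target/release/libafl_cc"
CXX_WRAP="$PWD/target/release/libafl_cxx"
STATIC_LIB="${LIBPNG_DIR}/.libs/libpng16.a"
FUZZER=fuzzer_libpng

usage() {
    echo "usage: $0 {wrappers|libpng|fuzzer|verify|all}" >&2
}

# Step 1: build the fuzzer library plus the two compiler wrappers.
build_wrappers() {
    cargo build --release
    [ -x "$CC_WRAP" ] && [ -x "$CXX_WRAP" ]
}

# Step 2: download and unpack libpng only if it is not already present.
fetch_libpng() {
    [ -d "$LIBPNG_DIR" ] && return 0
    [ -f "$LIBPNG_TAR" ] || wget -q "$LIBPNG_URL"
    tar -xf "$LIBPNG_TAR"
}

# Step 3: configure, then compile libpng through the wrappers so that every
# object gets SanitizerCoverage instrumentation.
build_libpng() {
    fetch_libpng
    (
        cd "$LIBPNG_DIR"
        [ -f Makefile ] || ./configure
        make CC="$CC_WRAP" CXX="$CXX_WRAP" -j"$(nproc)"
    )
    verify_instrumented "$STATIC_LIB"
}

# Sanity check: an instrumented object references __sanitizer_cov_* hooks,
# and those symbol names are stored as plain strings inside the file.
# Returns 1 if the file is missing or carries no instrumentation.
verify_instrumented() {
    [ -f "$1" ] || return 1
    grep -q -a '__sanitizer_cov' "$1"
}

# Step 4: compile the harness and link it with libpng into the fuzzer binary.
link_fuzzer() {
    [ -f "$STATIC_LIB" ] || build_libpng
    "$CXX_WRAP" ./harness.cc "$STATIC_LIB" -I "$LIBPNG_DIR/" -o "$FUZZER" -lz -lm
    verify_instrumented "$FUZZER"
}

main() {
    case "${1:-}" in
        wrappers) build_wrappers ;;
        libpng)   build_wrappers; build_libpng ;;
        fuzzer)   build_wrappers; link_fuzzer ;;
        verify)   verify_instrumented "$STATIC_LIB" && verify_instrumented "$FUZZER" \
                      && echo "instrumentation present in $STATIC_LIB and $FUZZER" ;;
        all)      build_wrappers; build_libpng; link_fuzzer; echo "built ./$FUZZER" ;;
        "")       usage ;;
        *)        usage; return 2 ;;
    esac
}

main "$@"
```

Run `sh build.sh all` once to produce ./fuzzer_libpng; `sh build.sh verify` re-checks the instrumentation after you rebuild libpng, which is the first thing to look at if the fuzzer reports no new coverage at all.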
Run
Just run the fuzzer binary once (./fuzzer_libpng); the launcher feature spawns the child processes and binds them to free cores for you.