author | robertswiecki <robert@swiecki.net> | 2017-06-02 02:55:01 +0200 |
committer | Oliver Chang <oliverchang@users.noreply.github.com> | 2017-06-01 17:55:01 -0700 |
commit | 268d8052a28a8f165a675d1f46513feb5795fcee (patch) | |
tree | ab45ac8e1c7d87304406653c0158bd813dfc2658 | |
parent | 5401205191e850ce8c3b3a2db2c4b24287382718 (diff) |
Support honggfuzz as a FUZZING_ENGINE (#636)
-rw-r--r-- | docs/faq.md | 3 | ||||
-rw-r--r-- | infra/base-images/base-builder/Dockerfile | 10 | ||||
-rwxr-xr-x | infra/base-images/base-builder/compile_honggfuzz | 34 | ||||
-rw-r--r-- | infra/base-images/base-runner/Dockerfile | 2 | ||||
-rwxr-xr-x | infra/base-images/base-runner/run_fuzzer | 16 | ||||
-rwxr-xr-x | infra/base-images/base-runner/test_all | 10 | ||||
-rwxr-xr-x | infra/base-images/base-runner/test_report | 11 | ||||
-rwxr-xr-x | infra/gcb/build.py | 6 | ||||
-rwxr-xr-x | infra/helper.py | 2 |
9 files changed, 83 insertions, 11 deletions
diff --git a/docs/faq.md b/docs/faq.md index 9075b39b..866a07b3 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -88,3 +88,6 @@ In either case, look at the [coverage reports](clusterfuzz.md#coverage-reports) ## Does OSS-Fuzz support AFL? OSS-Fuzz *uses* [AFL](http://lcamtuf.coredump.cx/afl/) as one of its [fuzzing engines](glossary.md#fuzzing-engine) but this is an implementation detail. Just follow the [ideal integration guide](ideal_integration.md) and OSS-Fuzz will use all its fuzzing engines on your code. + +## Does OSS-Fuzz support Honggfuzz? +Analogically to [AFL](#does-oss-fuzz-support-afl). diff --git a/infra/base-images/base-builder/Dockerfile b/infra/base-images/base-builder/Dockerfile index 40c1388e..cda382fe 100644 --- a/infra/base-images/base-builder/Dockerfile +++ b/infra/base-images/base-builder/Dockerfile @@ -16,7 +16,7 @@ FROM gcr.io/oss-fuzz-base/base-clang MAINTAINER mike.aizatsky@gmail.com -RUN apt-get install -y git subversion jq python3 zip make +RUN apt-get install -y git subversion jq python3 zip make libunwind8-dev binutils-dev libblocksruntime-dev # Default build flags for various sanitizers. ENV SANITIZER_FLAGS_address "-fsanitize=address -fsanitize-address-use-after-scope" @@ -47,7 +47,13 @@ RUN mkdir afl && \ tar -xzv --strip-components=1 -f $SRC/afl-latest.tgz && \ rm -rf $SRC/afl-latest.tgz -COPY compile compile_afl compile_libfuzzer coverage_report srcmap /usr/local/bin/ +ADD https://github.com/google/honggfuzz/archive/oss-fuzz.tar.gz $SRC/ +RUN mkdir honggfuzz && \ + cd honggfuzz && \ + tar -xzv --strip-components=1 -f $SRC/oss-fuzz.tar.gz && \ + rm -rf $SRC/oss-fuzz.tar.gz + +COPY compile compile_afl compile_libfuzzer compile_honggfuzz coverage_report srcmap /usr/local/bin/ CMD ["compile"] diff --git a/infra/base-images/base-builder/compile_honggfuzz b/infra/base-images/base-builder/compile_honggfuzz new file mode 100755 index 00000000..1e86910b --- /dev/null +++ b/infra/base-images/base-builder/compile_honggfuzz 
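Review bot: The `ADD https://github.com/google/honggfuzz/archive/oss-fuzz.tar.gz $SRC/` line in the base-builder Dockerfile fetches a branch archive, so the engine that gets linked into every fuzz target changes whenever that branch moves and nothing checks what was downloaded. This follows the same pattern as the existing afl-latest.tgz lines in the hunk, but for a new engine it is cheap to pin: use a commit-specific archive URL (`https://github.com/google/honggfuzz/archive/<COMMIT_SHA>.tar.gz`, placeholder) and verify it before unpacking, e.g. `RUN echo "<EXPECTED_SHA256>  $SRC/oss-fuzz.tar.gz" | sha256sum -c` ahead of the `tar` line. A one-line comment above the ADD naming the pinned revision keeps future bumps visible in review.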
@@ -0,0 +1,34 @@ +#!/bin/bash -eu +# Copyright 2016 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +echo -n "Compiling honggfuzz to $LIB_FUZZING_ENGINE ..." + +pushd $SRC/honggfuzz > /dev/null +make clean +CC=clang CFLAGS= make +# libhfuzz.a willl be added by CC/CXX linker directly during linking, +# but its defined here to satisfy the build infrastructure +cp libhfuzz/libhfuzz.a $LIB_FUZZING_ENGINE +cp honggfuzz $OUT/ +popd > /dev/null + +# Relevant coverage flags are added by the compiler/linker +export COVERAGE_FLAGS= +export CC=$SRC/honggfuzz/hfuzz_cc/hfuzz-clang +export CXX=$SRC/honggfuzz/hfuzz_cc/hfuzz-clang++ + +echo " done." diff --git a/infra/base-images/base-runner/Dockerfile b/infra/base-images/base-runner/Dockerfile index 018ff274..61eca8dc 100644 --- a/infra/base-images/base-runner/Dockerfile +++ b/infra/base-images/base-runner/Dockerfile @@ -16,7 +16,7 @@ FROM gcr.io/oss-fuzz-base/base-image MAINTAINER mike.aizatsky@gmail.com -RUN apt-get install -y zip file +RUN apt-get install -y zip file libunwind8 binutils libblocksruntime0 COPY llvm-symbolizer reproduce run_fuzzer test_all test_report \ /usr/local/bin/ diff --git a/infra/base-images/base-runner/run_fuzzer b/infra/base-images/base-runner/run_fuzzer index f4c0befd..ea80d2cc 100755 --- a/infra/base-images/base-runner/run_fuzzer +++ b/infra/base-images/base-runner/run_fuzzer 
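Review bot: `CC=clang CFLAGS= make` in compile_honggfuzz builds libhfuzz.a with no sanitizer flags, yet build.py in this same commit lists `'memory'` among honggfuzz's supported_sanitizers; MemorySanitizer needs every linked object instrumented or it reports false positives, so unless hfuzz-clang rebuilds libhfuzz with the target's flags at link time (the comment on the `cp libhfuzz/libhfuzz.a` line hints at this, but nothing in the script shows it) the MSan builds will be noisy. Either confirm that behaviour and state it in the comment, or hold `'memory'` out of ENGINE_INFO until it is verified. That comment also has two typos: `# libhfuzz.a will be added by CC/CXX linker directly during linking,` / `# but it is defined here to satisfy the build infrastructure`. The trailing `export CC`/`export CXX` only reach the target build if this file is sourced rather than executed by `compile`, which a one-line header comment should state, and `pushd "$SRC/honggfuzz"`, `cp libhfuzz/libhfuzz.a "$LIB_FUZZING_ENGINE"` and `cp honggfuzz "$OUT/"` should be quoted.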
@@ -45,6 +45,22 @@ if [[ "$FUZZING_ENGINE" = afl ]]; then # AFL expects at least 1 file in the input dir. echo input > /tmp/input/input CMD_LINE="$OUT/afl-fuzz $AFL_FUZZER_ARGS -i /tmp/input -o /tmp/afl_output $@ $OUT/$FUZZER" +elif [[ "$FUZZING_ENGINE" = honggfuzz ]]; then + if [ -z "$CORPUS" ]; then + CORPUS=/tmp/input + fi + # Honggfuzz expects at least 1 file in the input dir. + echo input > $CORPUS/input + rm -rf /tmp/honggfuzz_workdir && mkdir /tmp/honggfuzz_workdir + # --exit_upon_crash: exit whith a first crash seen + # -R (report): save report file to this location + # -W (working dir): where the crashes and the report file go + # -v (verbose): don't use VTE UI, just stderr + # -z: use software-instrumentation of clang (trace-pc-guard....) + # -P: use persistent mode of fuzzing (i.e. LLVMFuzzerTestOneInput) + # -f: location of the initial (and destination) file corpus + # -n: number of fuzzing threads (and processes) + CMD_LINE="$OUT/honggfuzz -n 1 --exit_upon_crash -R /tmp/HONGGFUZZ.REPORT.TXT -W /tmp/honggfuzz_workdir -v -z -P -f \"$CORPUS\" $@ -- \"$OUT/$FUZZER\"" else CMD_LINE="$OUT/$FUZZER $FUZZER_ARGS $@ $CORPUS" diff --git a/infra/base-images/base-runner/test_all b/infra/base-images/base-runner/test_all index b7285e61..2a6473d2 100755 --- a/infra/base-images/base-runner/test_all +++ b/infra/base-images/base-runner/test_all @@ -24,12 +24,18 @@ for FUZZER_BINARY in $(find $OUT/ -executable -type f); do fi FUZZER=$(basename $FUZZER_BINARY) - if echo "$FUZZER" | grep "^afl-" > /dev/null 2>&1; then + if [[ "$FUZZER" == afl-* ]]; then + continue + fi + if [[ "$FUZZER" == honggfuzz ]]; then continue fi echo "testing $FUZZER" - if [[ "$FUZZING_ENGINE" = libfuzzer ]]; then + + if [[ "$FUZZING_ENGINE" = honggfuzz ]]; then + timeout --preserve-status -s INT 20s run_fuzzer $FUZZER + elif [[ "$FUZZING_ENGINE" = libfuzzer ]]; then run_fuzzer $FUZZER -max_total_time=20 else export AFL_NO_UI=1 
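Review bot: In the new honggfuzz branch of run_fuzzer, `echo input > $CORPUS/input` writes a seed file into whatever directory the caller passed as `$CORPUS`, and when `$CORPUS` is empty it falls back to /tmp/input without creating it, so under the script's `-e` the redirect fails unless something above the hunk already made that directory (the AFL branch seeds /tmp/input too, but its mkdir is not visible here). Unconditionally dropping a dummy file into a caller-supplied corpus is also surprising when that corpus is non-empty. I would create the directory and only seed it when empty: `mkdir -p "$CORPUS"` followed by `[ -n "$(ls -A "$CORPUS")" ] || echo input > "$CORPUS/input"`, which also matches the quoting the same variable already gets inside CMD_LINE (`-f \"$CORPUS\"`). The `--exit_upon_crash` comment has a typo: `# --exit_upon_crash: exit with the first crash seen`.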
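Review bot: `timeout --preserve-status -s INT 20s run_fuzzer $FUZZER` in test_all puts the 20-second limit outside the fuzzer, and with `--preserve-status` a run that hits the limit exits with honggfuzz's SIGINT status rather than 124, so whatever inspects the status after this `if` (the loop body continues outside the hunk) must treat an interrupted run as success or every honggfuzz target will look like a failure. The libfuzzer branch bounds the run with the engine's own `-max_total_time=20`; if the honggfuzz revision pulled in here supports a run-time limit option, passing it through run_fuzzer would be the consistent shape. The two new skip checks can also be one: `if [[ "$FUZZER" == afl-* || "$FUZZER" == honggfuzz ]]; then`. The same skip pattern and timeout invocation are repeated in test_report.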
diff --git a/infra/base-images/base-runner/test_report b/infra/base-images/base-runner/test_report index 62365dab..3c0988bb 100755 --- a/infra/base-images/base-runner/test_report +++ b/infra/base-images/base-runner/test_report @@ -26,9 +26,10 @@ for FUZZER_BINARY in $(find $OUT/ -executable -type f); do if file "$FUZZER_BINARY" | grep -v ELF > /dev/null 2>&1; then continue fi - - FUZZER=$(basename $FUZZER_BINARY) - if echo "$FUZZER" | grep "^afl-" > /dev/null 2>&1; then + if [[ "$FUZZER" == afl-* ]]; then + continue + fi + if [[ "$FUZZER" == honggfuzz ]]; then continue fi @@ -37,7 +38,9 @@ for FUZZER_BINARY in $(find $OUT/ -executable -type f); do # run fuzzer. FUZZER_STDOUT=$(tempfile) - if [[ "$FUZZING_ENGINE" = libfuzzer ]]; then + if [[ "$FUZZING_ENGINE" = honggfuzz ]]; then + timeout --preserve-status -s INT 20s run_fuzzer $FUZZER 2>&1 |& tee $FUZZER_STDOUT + elif [[ "$FUZZING_ENGINE" = libfuzzer ]]; then run_fuzzer $FUZZER -max_total_time=20 |& tee $FUZZER_STDOUT else export AFL_NO_UI=1 diff --git a/infra/gcb/build.py b/infra/gcb/build.py index 78e41930..b3a6a135 100755 --- a/infra/gcb/build.py +++ b/infra/gcb/build.py @@ -27,6 +27,7 @@ CONFIGURATIONS = { 'sanitizer-coverage' : [ 'SANITIZER=coverage' ], 'engine-libfuzzer' : [ 'FUZZING_ENGINE=libfuzzer' ], 'engine-afl' : [ 'FUZZING_ENGINE=afl' ], + 'engine-honggfuzz' : [ 'FUZZING_ENGINE=honggfuzz' ], } EngineInfo = collections.namedtuple( @@ -39,9 +40,12 @@ ENGINE_INFO = { 'afl': EngineInfo( upload_bucket='clusterfuzz-builds-afl', supported_sanitizers=['address']), + 'honggfuzz': EngineInfo( + upload_bucket='clusterfuzz-builds-honggfuzz', + supported_sanitizers=['address', 'memory', 'undefined']), } -DEFAULT_ENGINES = ['libfuzzer', 'afl'] +DEFAULT_ENGINES = ['libfuzzer', 'afl', 'honggfuzz'] DEFAULT_SANITIZERS = ['address', 'undefined'] diff --git a/infra/helper.py b/infra/helper.py index e8e0c221..25aa12e3 100755 --- a/infra/helper.py +++ b/infra/helper.py 
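Review bot: The first test_report hunk removes `FUZZER=$(basename $FUZZER_BINARY)` but the new checks directly below it (`[[ "$FUZZER" == afl-* ]]`, `[[ "$FUZZER" == honggfuzz ]]`) and the `run_fuzzer $FUZZER` call in the second hunk still read `$FUZZER`; unless the variable is assigned elsewhere in the loop outside the hunk, every iteration now runs with an empty or stale fuzzer name and the engine binaries are no longer skipped. The parallel change in test_all keeps its assignment as a context line, which suggests the deletion here is accidental. Restore it ahead of the first check: `FUZZER=$(basename "$FUZZER_BINARY")`.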
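Review bot: `timeout --preserve-status -s INT 20s run_fuzzer $FUZZER 2>&1 |& tee $FUZZER_STDOUT` in the second test_report hunk combines `2>&1` with `|&`, which already pipes stderr; the explicit redirect is redundant and the libfuzzer line beside it uses only `|&`, so `timeout --preserve-status -s INT 20s run_fuzzer $FUZZER |& tee $FUZZER_STDOUT` keeps the two branches parallel. Note that the status of this pipeline is tee's, not the fuzzer's, unless `pipefail` is set above the hunk, so `--preserve-status` only has an effect if a later check reads PIPESTATUS.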
@@ -174,7 +174,7 @@ def _get_command_string(command): def _add_engine_args(parser): """Add common engine args.""" parser.add_argument('--engine', default='libfuzzer', - choices=['libfuzzer', 'afl']) + choices=['libfuzzer', 'afl', 'honggfuzz']) def _add_sanitizer_args(parser): |