author | 2017-02-16 15:09:37 -0800 | |
committer | 2017-02-16 15:09:37 -0800 | |
commit | 2e00fe90d193f7cb8ab82ec27e9b37a3ad02956c (patch) | |
tree | 3a735af9d9c61d905d5ed0ef94ca21fd8fb8bf0c /infra/base-images | |
parent | 810b7fe47bf9e54a54ff36944f8860879af9dff2 (diff) |
[infra] (experimental) Support building with AFL (#396)
Diffstat (limited to 'infra/base-images')
-rw-r--r-- | infra/base-images/base-builder/Dockerfile | 2 | ||||
-rw-r--r-- | infra/base-images/base-builder/compile_afl | 5 | ||||
-rw-r--r-- | infra/base-images/base-runner/Dockerfile | 1 | ||||
-rwxr-xr-x | infra/base-images/base-runner/run_fuzzer | 33 | ||||
-rwxr-xr-x | infra/base-images/base-runner/test_all | 11 |
5 files changed, 41 insertions, 11 deletions
diff --git a/infra/base-images/base-builder/Dockerfile b/infra/base-images/base-builder/Dockerfile
index b9ad03c9..629132df 100644
--- a/infra/base-images/base-builder/Dockerfile
+++ b/infra/base-images/base-builder/Dockerfile
@@ -16,7 +16,7 @@
 FROM ossfuzz/base-clang
 MAINTAINER mike.aizatsky@gmail.com
 
-RUN apt-get install -y git subversion jq python3 zip
+RUN apt-get install -y git subversion jq python3 zip make
 
 # Default build flags for various sanitizers.
 ENV SANITIZER_FLAGS_address "-fsanitize=address"
diff --git a/infra/base-images/base-builder/compile_afl b/infra/base-images/base-builder/compile_afl
index 27a8d55d..fae25410 100644
--- a/infra/base-images/base-builder/compile_afl
+++ b/infra/base-images/base-builder/compile_afl
@@ -29,5 +29,10 @@ ar r $LIB_FUZZING_ENGINE $WORK/afl/*.o
 popd > /dev/null
 rm -rf $WORK/afl
 
+# Copy afl tools necessary for fuzzing.
+pushd $SRC/afl > /dev/null
+make clean && make
+find . -name 'afl-*' -executable -type f | xargs cp -t $OUT
+popd > /dev/null
 
 echo " done."
diff --git a/infra/base-images/base-runner/Dockerfile b/infra/base-images/base-runner/Dockerfile
index 07c0f89f..2a07c279 100644
--- a/infra/base-images/base-runner/Dockerfile
+++ b/infra/base-images/base-runner/Dockerfile
@@ -28,3 +28,4 @@ ENV ASAN_OPTIONS="alloc_dealloc_mismatch=0:allocator_may_return_null=1:allocator
 ENV MSAN_OPTIONS="print_stats=1:strip_path_prefix=/workspace/:symbolize=1"
 ENV UBSAN_OPTIONS="halt_on_error=1:print_stacktrace=1:print_summary=1:strip_path_prefix=/workspace/:symbolize=1"
 ENV FUZZER_ARGS="-rss_limit_mb=2048 -timeout=25"
+ENV AFL_FUZZER_ARGS="-m 2048"
diff --git a/infra/base-images/base-runner/run_fuzzer b/infra/base-images/base-runner/run_fuzzer
index 308afb26..9bce71a3 100755
--- a/infra/base-images/base-runner/run_fuzzer
+++ b/infra/base-images/base-runner/run_fuzzer
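Review bot: In the compile_afl hunk, `find . -name 'afl-*' -executable -type f | xargs cp -t $OUT` runs `cp -t $OUT` with no operands when `find` matches nothing (GNU xargs invokes its command once even on empty input), so a failed or partial AFL build surfaces as `cp: missing file operand` rather than at the `make` step, and `$OUT` is unquoted on the way; `find . -name 'afl-*' -executable -type f -exec cp -t "$OUT" {} +` copies in one step and is a clean no-op otherwise. This copy is also the reason test_all later in the commit has to skip every `afl-*` executable in `$OUT`; a comment on the `# Copy afl tools` line saying which tools the runner actually needs (run_fuzzer only invokes `$OUT/afl-fuzz`) would let a later change narrow the pattern safely. The script's shebang and `set` options are outside the hunk.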
@@ -23,20 +23,35 @@ cd $OUT
 FUZZER=$1
 shift
 
-CMD_LINE="$OUT/$FUZZER $FUZZER_ARGS $@"
-OPTIONS_FILE="${FUZZER}.options"
-if [ -f $OPTIONS_FILE ]; then
-  OPTIONS_ARGS=$(grep "=" $OPTIONS_FILE | sed 's/\(\w*\)\W*=\W*\(.*\)/-\1=\2 /g' | tr '\n' ' ')
-  CMD_LINE="$CMD_LINE $OPTIONS_ARGS"
-fi
+rm -rf /tmp/input/ && mkdir /tmp/input/
 
 SEED_CORPUS="${FUZZER}_seed_corpus.zip"
 if [ -f $SEED_CORPUS ]; then
   echo "Using seed corpus: $SEED_CORPUS"
-  rm -rf /tmp/seed_corpus/ && mkdir /tmp/seed_corpus/
-  unzip -d /tmp/seed_corpus/ $SEED_CORPUS > /dev/null
-  CMD_LINE="$CMD_LINE /tmp/seed_corpus/"
+  unzip -d /tmp/input/ $SEED_CORPUS > /dev/null
+  CORPUS=/tmp/input
+fi
+
+if [[ "$FUZZING_ENGINE" = afl ]]; then
+  # https://chromium.googlesource.com/chromium/src/+/master/third_party/afl/src/docs/env_variables.txt
+  export ASAN_OPTIONS="$ASAN_OPTIONS:abort_on_error=1:symbolize=0"
+  export MSAN_OPTIONS="$MSAN_OPTIONS:exit_code=86:symbolize=0"
+  export UBSAN_OPTIONS="$UBSAN_OPTIONS:symbolize=0"
+  export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+  export AFL_SKIP_CPUFREQ=1
+  rm -rf /tmp/afl_output && mkdir /tmp/afl_output
+  # AFL expects at least 1 file in the input dir.
+  echo input > /tmp/input/input
+  CMD_LINE="$OUT/afl-fuzz $AFL_FUZZER_ARGS -i /tmp/input -o /tmp/afl_output $@ $OUT/$FUZZER"
+else
+  CMD_LINE="$OUT/$FUZZER $FUZZER_ARGS $@ $CORPUS"
+
+  OPTIONS_FILE="${FUZZER}.options"
+  if [ -f $OPTIONS_FILE ]; then
+    OPTIONS_ARGS=$(grep "=" $OPTIONS_FILE | sed 's/\(\w*\)\W*=\W*\(.*\)/-\1=\2 /g' | tr '\n' ' ')
+    CMD_LINE="$CMD_LINE $OPTIONS_ARGS"
+  fi
 fi
 
 echo $CMD_LINE
diff --git a/infra/base-images/base-runner/test_all b/infra/base-images/base-runner/test_all
index 388b3928..b7285e61 100755
--- a/infra/base-images/base-runner/test_all
+++ b/infra/base-images/base-runner/test_all
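Review bot: `$CORPUS` is expanded in the libFuzzer branch, `CMD_LINE="$OUT/$FUZZER $FUZZER_ARGS $@ $CORPUS"`, but it is only assigned inside `if [ -f $SEED_CORPUS ]`, so for a fuzzer without a seed corpus it is never set: if run_fuzzer runs with `set -u` (the shebang is outside the hunk) that aborts the script before `echo $CMD_LINE`, and otherwise the branch relies on an implicit empty expansion. Initialise it next to the input-directory setup, `CORPUS=""`, so the command line no longer depends on the earlier conditional. `$FUZZING_ENGINE` in the new `[[ "$FUZZING_ENGINE" = afl ]]` test has the same exposure, here and in the test_all hunk; `"${FUZZING_ENGINE:-libfuzzer}"` keeps the pre-existing libFuzzer behaviour when the variable is not exported into the runner.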
@@ -24,8 +24,17 @@ for FUZZER_BINARY in $(find $OUT/ -executable -type f); do
   fi
   FUZZER=$(basename $FUZZER_BINARY)
 
+  if echo "$FUZZER" | grep "^afl-" > /dev/null 2>&1; then
+    continue
+  fi
+
   echo "testing $FUZZER"
-  run_fuzzer $FUZZER -max_total_time=20
+  if [[ "$FUZZING_ENGINE" = libfuzzer ]]; then
+    run_fuzzer $FUZZER -max_total_time=20
+  else
+    export AFL_NO_UI=1
+    timeout --preserve-status -s INT 20s run_fuzzer $FUZZER
+  fi
 
   N=$[$N+1]
 done |
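Review bot: The AFL branch loses the crash signal the libFuzzer branch gets from the fuzzer's exit status: `timeout --preserve-status -s INT 20s run_fuzzer $FUZZER` reports afl-fuzz's status after SIGINT, and afl-fuzz records crashing inputs under its `-o` directory (`/tmp/afl_output/crashes/` as set in run_fuzzer) instead of exiting non-zero, so a target that crashes inside the 20 s window still passes test_all. After the `timeout` line, fail the run when that directory holds anything beyond the README afl-fuzz writes there: `if find /tmp/afl_output/crashes -type f ! -name README.txt | grep -q .; then echo "$FUZZER crashed under AFL" >&2; exit 1; fi`. On style, `if echo "$FUZZER" | grep "^afl-" > /dev/null 2>&1; then` is the builtin pattern test `if [[ "$FUZZER" == afl-* ]]; then`, with no pipeline. The `for` loop header is outside the hunk.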