Richard W.M. Jones
2022-Apr-07 09:42 UTC
[Libguestfs] [PATCH nbdkit v2 5/5] fuzzing: Recommend combining fuzzing with ASAN
ASAN (ie. Address Sanitizer or -fsanitize=address) adds extra checks for out-of-bounds memory access, use-after-free and other memory checks. It's useful to combine this with fuzzing. Fuzzing can normally only detect paths which cause the binary to crash. But some serious, latent bugs might not cause crashes (eg. a rogue pointer overwrites another object in memory, but the other object is not used or not used in a way that will cause a crash). ASAN turns these kinds of bugs into crashes. Note the -m 256 (limit memory) flag has been removed from the example afl_fuzz command lines because it conflicts with ASAN. See the second link below for detailed reasons. See also: https://clang.llvm.org/docs/AddressSanitizer.html https://aflplus.plus/docs/notes_for_asan/ Cherry picked from libnbd commit 43b1b95c981861c5c03cd563cf1b90e1f4c52cf8. RWMJ: Some modifications were required for fuzzing to work with nbdkit. --- fuzzing/README | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fuzzing/README b/fuzzing/README index eeab9744..928ad962 100644 --- a/fuzzing/README +++ b/fuzzing/README @@ -15,7 +15,9 @@ You will need to recompile nbdkit with AFL instrumentation: To use clang instead (recommended with AFL++): - ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++ + export AFL_USE_ASAN=1 + ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++ \ + --disable-linker-script make clean make 
@@ -29,14 +31,16 @@ Master: mkdir -p fuzzing/sync_dir export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so - afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -M fuzz01 \ + export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false abort_on_error=1 symbolize=0" + afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -M fuzz01 \ ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M Slaves: # replace fuzzNN with fuzz02, fuzz03, etc. export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so - afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -S fuzzNN \ + export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false abort_on_error=1 symbolize=0" + afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -S fuzzNN \ ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M Test Coverage -- 2.35.1
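Review bot: the first hunk (@@ -15,7 +15,9 @@) adds "export AFL_USE_ASAN=1" and "--disable-linker-script" to the configure step without any README sentence explaining either, so a reader adapting the command will not know that the export has to stay in effect for the following "make clean" and "make", nor why the linker script must be disabled for an ASAN build. Suggest a short sentence before the command, along the lines of "To build with Address Sanitizer, export AFL_USE_ASAN=1 before running configure and make, and pass --disable-linker-script (required for the sanitizer build)", with the reason filled in from whatever the "Some modifications were required for fuzzing to work with nbdkit" note in the commit message refers to.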
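Review bot: in the second hunk (@@ -29,14 +31,16 @@) the removal of "-m 256" is explained only in the commit message; the README text should itself say not to pass a memory limit to afl-fuzz when the binary is built with ASAN, citing the https://aflplus.plus/docs/notes_for_asan/ link from the commit message, otherwise someone copying an older command line will put the flag back. Two smaller points: the identical "export ASAN_OPTIONS=..." line is repeated under Master and Slaves and could be exported once beside AFL_PRELOAD, and "symbolize=0" means the reports afl-fuzz saves will carry unsymbolized stack traces, so a note that a crash should be reproduced outside afl-fuzz with symbolize=0 dropped would help triage.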
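The commit message argues that a rogue write can leave a process running normally while silently corrupting memory, and that ASAN turns exactly such bugs into crashes. The following C program is an added illustration of that argument; it is not code from nbdkit or from this patch, and the struct request type, NAME_LEN and the function names are invented for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a fixed-size name field such as a network server
 * might fill from untrusted input. NAME_LEN is chosen small on purpose. */
#define NAME_LEN 8

struct request {
    char name[NAME_LEN];
};

/* Buggy copy (the kind of latent bug the commit message describes): copies
 * the source up to and including its NUL without checking the size.
 * A manual loop is used so that libc fortify wrappers cannot mask the
 * bug in a plain build. */
static void copy_name_unchecked(char *dst, const char *src)
{
    size_t i = 0;
    do {
        dst[i] = src[i];
    } while (src[i++] != '\0');
}

/* Hardened copy: rejects any name that does not fit together with its
 * NUL terminator. Returns 0 on success, -1 when the input is too long. */
int copy_name_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Exercises the bug: "abcdefgh" is 8 characters, so the copy writes a
 * 9th byte (the NUL) one past the end of the 8-byte heap object. In a
 * plain build that byte lands in allocator padding, nothing crashes, and
 * the function returns 1 (the record looks perfectly valid). Built with
 * -fsanitize=address the same call aborts with a heap-buffer-overflow
 * report, which is the class of bug a fuzzer alone cannot observe. */
int latent_overflow_demo(void)
{
    const char *too_long = "abcdefgh";
    struct request *r = malloc(sizeof *r);
    if (r == NULL)
        return -1;
    copy_name_unchecked(r->name, too_long);
    int looks_fine = memcmp(r->name, too_long, NAME_LEN) == 0;
    free(r);
    return looks_fine;
}

/* The same oversized input through the checked copy is refused (-1). */
int checked_rejects_demo(void)
{
    struct request r;
    return copy_name_checked(r.name, sizeof r.name, "abcdefgh");
}

/* A name that fits (7 characters plus NUL) is accepted (0). */
int checked_accepts_demo(void)
{
    struct request r;
    return copy_name_checked(r.name, sizeof r.name, "abcdefg");
}

int main(void)
{
    printf("checked copy of oversized name: %d (expect -1)\n",
           checked_rejects_demo());
    printf("checked copy of fitting name:   %d (expect 0)\n",
           checked_accepts_demo());
    printf("unchecked copy: %d (1 in a plain build, aborts under ASAN)\n",
           latent_overflow_demo());
    return 0;
}
```

Build it twice, once as "cc -O2 demo.c" and once as "cc -O2 -g -fsanitize=address demo.c": the first binary prints three sane-looking results and exits cleanly, the second aborts inside latent_overflow_demo with a heap-buffer-overflow report pointing at the one-byte write. That difference is why the README now pairs afl-fuzz with an ASAN-instrumented nbdkit.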
Laszlo Ersek
2022-Apr-07 14:42 UTC
[Libguestfs] [PATCH nbdkit v2 5/5] fuzzing: Recommend combining fuzzing with ASAN
On 04/07/22 11:42, Richard W.M. Jones wrote:> ASAN (ie. Address Sanitizer or -fsanitize=address) adds extra checks > for out-of-bounds memory access, use-after-free and other memory > checks. It's useful to combine this with fuzzing. > > Fuzzing can normally only detect paths which cause the binary to > crash. But some serious, latent bugs might not cause crashes (eg. a > rogue pointer overwrites another object in memory, but the other > object is not used or not used in a way that will cause a crash). > ASAN turns these kinds of bugs into crashes. > > Note the -m 256 (limit memory) flag has been removed from the example > afl_fuzz command lines because it conflicts with ASAN. See the second > link below for detailed reasons. > > See also: > https://clang.llvm.org/docs/AddressSanitizer.html > https://aflplus.plus/docs/notes_for_asan/ > > Cherry picked from libnbd commit 43b1b95c981861c5c03cd563cf1b90e1f4c52cf8. > RWMJ: Some modifications were required for fuzzing to work with nbdkit. > --- > fuzzing/README | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > > diff --git a/fuzzing/README b/fuzzing/README > index eeab9744..928ad962 100644 > --- a/fuzzing/README > +++ b/fuzzing/README > @@ -15,7 +15,9 @@ You will need to recompile nbdkit with AFL instrumentation: > > To use clang instead (recommended with AFL++): > > - ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++ > + export AFL_USE_ASAN=1 > + ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++ \ > + --disable-linker-script > make clean > make 
> > @@ -29,14 +31,16 @@ Master: > > mkdir -p fuzzing/sync_dir > export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so > - afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -M fuzz01 \ > + export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false abort_on_error=1 symbolize=0" > + afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -M fuzz01 \ > ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M > > Slaves: > > # replace fuzzNN with fuzz02, fuzz03, etc. > export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so > - afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -S fuzzNN \ > + export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false abort_on_error=1 symbolize=0" > + afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -S fuzzNN \ > ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M > > Test Coverage >
Looks reasonable.

Acked-by: Laszlo Ersek <lersek at redhat.com>