more docu

2021-02-26 11:45:30 +01:00 · 2021-02-26 11:45:30 +01:00 · 4c392de98d
commit 4c392de98d
parent 15a64c3e17
2 changed files with 7 additions and 4 deletions
--- a/fuzzers/libfuzzer_libpng/README.md
+++ b/fuzzers/libfuzzer_libpng/README.md
@ -1,6 +1,7 @@
 # Libfuzzer for libpng

 This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.
+To show off crash detection, we added a ud2 instruction to the harness, edit harness.cc if you want a non-crashing example.
 It has been tested on Linux.

 ## Build
@ -19,4 +20,6 @@ As this example uses in-process fuzzing, we added a Restarting Event Manager (`s
 This means each client will start itself again to listen for crashes and timeouts.
 By restarting the actual fuzzer, it can recover from these exit conditions.

-For convenience, you may just run `./test.sh` in this folder.
+In any real-world scenario, you should use `taskset` to pin each client to an empty cpu core, the lib does not pick an empty core automatically (yet).
+
+For convenience, you may just run `./test.sh` in this folder to test it.
--- a/fuzzers/libfuzzer_libpng/test.sh
+++ b/fuzzers/libfuzzer_libpng/test.sh
@ -6,12 +6,12 @@ cargo build --example libfuzzer_libpng --release || exit 1
 cp ../../target/release/examples/libfuzzer_libpng ./.libfuzzer_test.elf

 # The broker
-RUST_BACKTRACE=full ./.libfuzzer_test.elf &
+RUST_BACKTRACE=full taskset 0 ./.libfuzzer_test.elf &
 # Give the broker time to spawn
 sleep 2
 echo "Spawning client"
-# The 1st fuzzer client
-RUST_BACKTRACE=full ./.libfuzzer_test.elf 2>/dev/null
+# The 1st fuzzer client, pin to cpu 0x1
+RUST_BACKTRACE=full taskset 1 ./.libfuzzer_test.elf 2>/dev/null

 killall .libfuzzer_test.elf
 rm -rf ./.libfuzzer_test.elf