Test fuzzers (#187)

* build_all_fuzzer.shj

* run.sh

* output log

* ENABLE_SHARED off

* libc6-dev

* echo

* no need to cargo build twice

* replaced realpath (not available on macos) with /Users/domenukk/tmp/libaflrs/fuzzers/libfuzzer_libpng_launcher

* replaced PWD with pwd

* trying to get llvm-config working

* more sudo?

* slash

* trying to get all deps

* more info

* delete apt install from build_all_fuzzers.sh

* correct libfuzzer_libpng makefile

* fix build for libfuzzer_libpng

* fix other makefiles

* nproc not supported on macos

* no run.sh, use make short_test

* enable_shared=false

* just Linux

* fix

* forkserver makefile

* fix

* stb_image Makefile

Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>

.github/workflows/build_and_test.yml

@@ -36,6 +36,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+    - name: Install deps
+      run: sudo apt-get install -y llvm llvm-dev clang nasm
+    - name: get clang version
+      run: command -v llvm-config && clang -v
     - name: Install cargo-hack
       run: curl -LsSf https://github.com/taiki-e/cargo-hack/releases/latest/download/cargo-hack-x86_64-unknown-linux-gnu.tar.gz | tar xzf - -C ~/.cargo/bin
     - name: Run a normal build
@@ -76,6 +80,8 @@ jobs:
     - uses: actions/checkout@v2
     - name: MacOS Build
       run: cargo build --verbose
+    - name: Install deps
+      run: brew install llvm libpng nasm
     - name: Run clippy
       run: ./scripts/clippy.sh
     - name: Build fuzzers

fuzzers/forkserver_simple/Makefile

@@ -0,0 +1,23 @@
+FUZZER_NAME="forkserver_simple"
+PROJECT_DIR=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+
+PHONY: all
+
+all: fuzzer
+
+fuzzer:
+	cargo build --release
+	cp $(PROJECT_DIR)/target/release/$(FUZZER_NAME) .
+
+clean:
+	rm ./$(FUZZER_NAME)
+
+run:  all
+	taskset -c 0 ./$(FUZZER_NAME) 2>/dev/null &
+	sleep 0.2
+
+short_test: all
+	timeout 11s taskset -c 0 ./$(FUZZER_NAME) 2>/dev/null &
+
+test: all
+	timeout 59s taskset -c 0 ./$(FUZZER_NAME) 2>/dev/null &

fuzzers/libfuzzer_libmozjpeg/Makefile

@@ -1,5 +1,5 @@
-PWD=`pwd`
 FUZZER_NAME="fuzzer_mozjpeg"
+PROJECT_DIR=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 
 PHONY: all
 
@@ -18,8 +18,8 @@ libafl_cxx: target/release/libafl_cxx
 libafl_cc: target/release/libafl_cxx
 
 mozjpeg-4.0.3-compiled: mozjpeg-4.0.3 libafl_cc
-	cd $(PWD)/mozjpeg-4.0.3 && cmake --disable-shared . -DCMAKE_C_COMPILER=$(abspath $(PWD)/../target/release/libafl_cc) -DCMAKE_CXX_COMPILER=$(abspath $(PWD)/../target/release/libafl_cxx) -G "Unix Makefiles"
+	cd mozjpeg-4.0.3 && cmake . -DENABLE_SHARED=false -DCMAKE_C_COMPILER=$(abspath $(PROJECT_DIR)/target/release/libafl_cc) -DCMAKE_CXX_COMPILER=$(abspath $(PROJECT_DIR)/target/release/libafl_cxx) -G "Unix Makefiles"
-	$(MAKE) -C $(PWD)/mozjpeg-4.0.3
+	$(MAKE) -C mozjpeg-4.0.3
 	
 
 fuzzer: mozjpeg-4.0.3-compiled libafl_cxx
@@ -28,9 +28,9 @@ fuzzer: mozjpeg-4.0.3-compiled libafl_cxx
 
   # Build the mozjpeg harness	
 	target/release/libafl_cxx \
-		$(PWD)/harness.cc \
+		$(PROJECT_DIR)/harness.cc \
-		$(PWD)/mozjpeg-4.0.3/*.a \
+		$(PROJECT_DIR)/mozjpeg-4.0.3/*.a \
-		-I$(PWD)/mozjpeg-4.0.3/ \
+		-I$(PROJECT_DIR)/mozjpeg-4.0.3/ \
 		-o $(FUZZER_NAME) \
 		-lm -lz
 

fuzzers/libfuzzer_libmozjpeg/README.md

@@ -20,7 +20,7 @@ Now compile it with:
 
 ```
 cd mozjpeg-4.0.3
-cmake --disable-shared . -DCMAKE_C_COMPILER=$(realpath ../target/release/libafl_cc) -DCMAKE_CXX_COMPILER=$(realpath ../target/release/libafl_cxx) -G "Unix Makefiles"
+cmake --disable-shared . -DCMAKE_C_COMPILER="$(pwd)/../target/release/libafl_cc" -DCMAKE_CXX_COMPILER="$(pwd)/../target/release/libafl_cxx" -G "Unix Makefiles"
 make -j `nproc`
 cd ..
 ```

fuzzers/libfuzzer_libpng/Makefile

@@ -1,5 +1,5 @@
-PWD=`pwd`
 FUZZER_NAME="fuzzer_libpng"
+PROJECT_DIR=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 
 PHONY: all
 
@@ -18,8 +18,8 @@ libafl_cxx: target/release/libafl_cxx
 libafl_cc: target/release/libafl_cxx
 
 libpng-1.6.37/.libs/libpng16.a: libpng-1.6.37 libafl_cc
-	cd libpng-1.6.37 && ./configure && cd ..
+	cd libpng-1.6.37 && ./configure
-	$(MAKE) -C libpng-1.6.37 CC=$(realpath target/release/libafl_cc) CXX=$(realpath target/release/libafl_cxx)
+	$(MAKE) -C libpng-1.6.37 CC="$(PROJECT_DIR)/target/release/libafl_cc" CXX="$(PROJECT_DIR)/target/release/libafl_cxx"
 
 
 fuzzer: libpng-1.6.37/.libs/libpng16.a libafl_cxx
@@ -28,9 +28,9 @@ fuzzer: libpng-1.6.37/.libs/libpng16.a libafl_cxx
 
     # Build the libpng harness	
 	target/release/libafl_cxx \
-		$(PWD)/harness.cc \
+		$(PROJECT_DIR)/harness.cc \
-		$(PWD)/libpng-1.6.37/.libs/libpng16.a \
+		$(PROJECT_DIR)/libpng-1.6.37/.libs/libpng16.a \
-		-I$(PWD)/libpng-1.6.37/ \
+		-I$(PROJECT_DIR)/libpng-1.6.37/ \
 		-o $(FUZZER_NAME) \
 		-lm -lz
 

fuzzers/libfuzzer_libpng/README.md

@@ -35,7 +35,7 @@ Now compile libpng, using the libafl_cc compiler wrapper:
 ```bash
 cd libpng-1.6.37
 ./configure
-make CC=$(realpath ../target/release/libafl_cc) CXX=$(realpath ../target/release/libafl_cxx) -j `nproc`
+make CC="$(pwd)/../target/release/libafl_cc" CXX="$(pwd)/../target/release/libafl_cxx" -j `nproc`
 ```
 
 You can find the static lib at `libpng-1.6.37/.libs/libpng16.a`.

fuzzers/libfuzzer_libpng_launcher/Makefile

@@ -1,5 +1,5 @@
-PWD=`pwd`
 FUZZER_NAME="fuzzer_libpng"
+PROJECT_DIR=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 
 PHONY: all
 
@@ -18,19 +18,19 @@ libafl_cxx: target/release/libafl_cxx
 libafl_cc: target/release/libafl_cxx
 
 libpng-1.6.37/.libs/libpng16.a: libpng-1.6.37 libafl_cc
-	cd libpng-1.6.37 && ./configure && cd ..
+	cd libpng-1.6.37 && ./configure
-	$(MAKE) -C libpng-1.6.37 CC=$(realpath target/release/libafl_cc) CXX=$(realpath target/release/libafl_cxx)
+	$(MAKE) -C libpng-1.6.37 CC="$(PROJECT_DIR)/target/release/libafl_cc" CXX="$(PROJECT_DIR)/target/release/libafl_cxx"
 	
 
 fuzzer: libpng-1.6.37/.libs/libpng16.a libafl_cxx
 	# Build the libpng libfuzzer library
 	cargo build --release
 
-    # Build the libpng harness	
+	# Build the libpng harness	
 	target/release/libafl_cxx \
-		$(PWD)/harness.cc \
+		$(PROJECT_DIR)/harness.cc \
-		$(PWD)/libpng-1.6.37/.libs/libpng16.a \
+		$(PROJECT_DIR)/libpng-1.6.37/.libs/libpng16.a \
-		-I$(PWD)/libpng-1.6.37/ \
+		-I$(PROJECT_DIR)/libpng-1.6.37/ \
 		-o $(FUZZER_NAME) \
 		-lm -lz
 

fuzzers/libfuzzer_reachability/README.md

@@ -33,7 +33,7 @@ Now compile libpng, using the libafl_cc compiler wrapper:
 ```bash
 cd libpng-1.6.37
 ./configure
-make CC=$(realpath ../target/release/libafl_cc) CXX=$(realpath ../target/release/libafl_cxx) -j `nproc`
+make CC="$(pwd)/../target/release/libafl_cc" CXX="$(pwd)/../target/release/libafl_cxx" -j `nproc`
 ```
 
 You can find the static lib at `libpng-1.6.37/.libs/libpng16.a`.

fuzzers/libfuzzer_reachability/test.sh

@@ -1,10 +0,0 @@
-cargo build --release
-./target/release/libafl_cxx ./harness.cc libpng-1.6.37/.libs/libpng16.a -I libpng-1.6.37/ -o fuzzer_libpng -lz -lm
-
-taskset -c 0 ./fuzzer_libpng &
-sleep 1
-taskset -c 1 ./fuzzer_libpng 2>/dev/null
-
-
-killall ./fuzzer_libpng
-rm -rf ./fuzzer_libpng

fuzzers/libfuzzer_stb_image/Makefile

@@ -0,0 +1,71 @@
+FUZZER_NAME="libfuzzer_stb_image"
+PROJECT_DIR=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+
+PHONY: all
+
+all: fuzzer
+
+target/release/libafl_cxx: build.rs
+	# Build the libpng libfuzzer library
+	cargo build --release
+
+libafl_cxx: target/release/libafl_cxx
+
+libafl_cc: target/release/libafl_cxx
+
+fuzzer: libafl_cxx
+	# Build the libpng libfuzzer library
+	cargo build --release
+	cp $(PROJECT_DIR)/target/release/$(FUZZER_NAME) .
+
+clean:
+	rm ./$(FUZZER_NAME)
+
+run: all
+	./$(FUZZER_NAME) &
+	sleep 0.2
+	./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+
+short_test: all
+	timeout 11s ./$(FUZZER_NAME) &
+	sleep 0.2
+	timeout 10s taskset -c 0 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	timeout 10s taskset -c 1 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	timeout 10s taskset -c 2 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	timeout 10s taskset -c 3 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+
+test: all
+	timeout 60s ./$(FUZZER_NAME) &
+	sleep 0.2
+	timeout 59s taskset 0x00000001 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	timeout 59s taskset 0x00000002 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	timeout 59s taskset 0x00000004 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	timeout 59s taskset 0x00000008 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00000010 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00000020 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00000040 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00000080 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00000100 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00000200 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00000400 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00000800 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00001000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00002000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00004000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00008000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00010000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00020000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00040000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00080000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00100000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00200000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00400000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x00800000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x01000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x02000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x04000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x08000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x10000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x20000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x40000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &
+	# timeout 59s taskset 0x80000000 ./$(FUZZER_NAME) >/dev/null 2>/dev/null &

libafl_targets/src/libfuzzer_compatibility.c

@@ -12,7 +12,9 @@ EXT_FUNC(LLVMFuzzerCustomCrossOver, size_t,
           const uint8_t *Data2, size_t Size2,
           uint8_t *Out, size_t MaxOutSize, unsigned int Seed),
          false);
-EXT_FUNC(LLVMFuzzerTestOneInput, int, (uint8_t *Data, size_t Size), false);
+EXT_FUNC_IMPL(LLVMFuzzerTestOneInput, int, (uint8_t *Data, size_t Size), false) {
+  return 0;
+}
 
 void libafl_main(void);
 EXT_FUNC_IMPL(main, int, (int argc, char** argv), false) {

scripts/build_all_fuzzers.sh

@@ -20,9 +20,16 @@ do
     else
         echo "[+] Skipping fmt and clippy for $fuzzer (--no-fmt specified)"
     fi
-    echo "[*] Building $fuzzer"
+
-    cargo build || exit 1
+    if [ -e ./Makefile ] && [ "$(uname)" == "Linux" ]; then
+        echo "[*] Testing $fuzzer"
+        make short_test || exit 1
+	    echo "[+] Done testing $fuzzer"
+    else
+        echo "[*] Building $fuzzer"
+        cargo build || exit 1
+        echo "[+] Done building $fuzzer"
+    fi
     cd ..
-    echo "[+] Done building $fuzzer"
     echo ""
 done