[Libguestfs] [PATCH nbdkit 3/3] fuzzing: Recommend combining fuzzing with ASAN
Laszlo Ersek
lersek at redhat.com
Thu Apr 7 09:23:10 UTC 2022
On 04/06/22 18:28, Richard W.M. Jones wrote:
> ASAN (ie. Address Sanitizer or -fsanitize=address) adds extra checks
> for out-of-bounds memory access, use-after-free and other memory
> checks. It's useful to combine this with fuzzing.
>
> Fuzzing can normally only detect paths which cause the binary to
> crash. But some serious, latent bugs might not cause crashes (eg. a
> rogue pointer overwrites another object in memory, but the other
> object is not used or not used in a way that will cause a crash).
> ASAN turns these kinds of bugs into crashes.
>
> See also:
> https://clang.llvm.org/docs/AddressSanitizer.html
> https://aflplus.plus/docs/notes_for_asan/
>
> Cherry picked from libnbd commit 43b1b95c981861c5c03cd563cf1b90e1f4c52cf8.
> RWMJ: Some modifications were required for fuzzing to work with nbdkit.
> ---
> fuzzing/README | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/fuzzing/README b/fuzzing/README
> index eeab9744..b2bc6f08 100644
> --- a/fuzzing/README
> +++ b/fuzzing/README
> @@ -15,6 +15,7 @@ You will need to recompile nbdkit with AFL instrumentation:
>
> To use clang instead (recommended with AFL++):
>
> + export AFL_USE_ASAN=1
> ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++
> make clean
> make
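Review bot: the new `export AFL_USE_ASAN=1` sits only under the "To use clang instead" alternative, so a reader following the default build instructions above it (elided from the hunk) never sets it, and nothing in the README says what the variable does or why it is recommended. Suggest a short comment before the export (e.g. `# build with Address Sanitizer; see the afl-fuzz notes below`) and either repeating the export in the default instructions or stating that ASAN is only expected with the afl-clang-lto build. The `make clean` that follows is essential here, since AFL_USE_ASAN only affects objects compiled after it is set, so it should stay in this order.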
> @@ -29,14 +30,16 @@ Master:
>
> mkdir -p fuzzing/sync_dir
> export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
> - afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -M fuzz01 \
> + export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false"
> + afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -M fuzz01 \
> ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
>
> Slaves:
>
> # replace fuzzNN with fuzz02, fuzz03, etc.
> export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
> - afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -S fuzzNN \
> + export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false"
> + afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -S fuzzNN \
> ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
>
> Test Coverage
>
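Review bot: `-m 256` is dropped from both afl-fuzz invocations, but neither the commit message nor the README says why; the reason (an ASAN-instrumented process maps a very large shadow memory region, so a 256 MB limit would kill it before it runs) belongs in the commit message and ideally as a one-line comment next to the commands. The duplicated `export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false"` also arrives unexplained: a comment such as `# huge allocations requested by fuzz input should fail, not abort; leak reports are not the crashes we are after` would tell a reader why these two options are set rather than the defaults.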
I guess this is OK, but we should explain the removal of the "-m 256"
option in the commit message.
With that:
Acked-by: Laszlo Ersek <lersek at redhat.com>
Thanks
Laszlo