[Libguestfs] [PATCH nbdkit 3/3] fuzzing: Recommend combining fuzzing with ASAN

Laszlo Ersek lersek at redhat.com
Thu Apr 7 09:23:10 UTC 2022


On 04/06/22 18:28, Richard W.M. Jones wrote:
> ASAN (ie. Address Sanitizer or -fsanitize=address) adds extra checks
> for out-of-bounds memory access, use-after-free and other memory
> checks.  It's useful to combine this with fuzzing.
> 
> Fuzzing can normally only detect paths which cause the binary to
> crash.  But some serious, latent bugs might not cause crashes (eg. a
> rogue pointer overwrites another object in memory, but the other
> object is not used or not used in a way that will cause a crash).
> ASAN turns these kinds of bugs into crashes.
> 
> See also:
> https://clang.llvm.org/docs/AddressSanitizer.html
> https://aflplus.plus/docs/notes_for_asan/
> 
> Cherry picked from libnbd commit 43b1b95c981861c5c03cd563cf1b90e1f4c52cf8.
> RWMJ: Some modifications were required for fuzzing to work with nbdkit.
> ---
>  fuzzing/README | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/fuzzing/README b/fuzzing/README
> index eeab9744..b2bc6f08 100644
> --- a/fuzzing/README
> +++ b/fuzzing/README
> @@ -15,6 +15,7 @@ You will need to recompile nbdkit with AFL instrumentation:
>  
>  To use clang instead (recommended with AFL++):
>  
> +  export AFL_USE_ASAN=1
>    ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++
>    make clean
>    make
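Review bot: `export AFL_USE_ASAN=1` is added only under the "To use clang instead" section, so a reader following the default (gcc) instrumentation steps above this hunk gets no ASAN build; either add the same export there or state explicitly that the ASAN recommendation applies to the clang/AFL++ build only. A one-line remark next to the export saying why it is recommended (latent memory errors become crashes, as the commit message explains) would also help readers of the README who never see the commit message.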
> @@ -29,14 +30,16 @@ Master:
>  
>    mkdir -p fuzzing/sync_dir
>    export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
> -  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -M fuzz01 \
> +  export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false"
> +  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -M fuzz01 \
>        ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
>  
>  Slaves:
>  
>    # replace fuzzNN with fuzz02, fuzz03, etc.
>    export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
> -  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -S fuzzNN \
> +  export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false"
> +  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -S fuzzNN \
>        ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
>  
>  Test Coverage
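Review bot: the removal of `-m 256` from both afl-fuzz invocations is silent in the hunk and in the commit message; since an ASAN-instrumented binary reserves far more virtual memory than AFL's limit allows, a short README comment such as `# no -m limit: ASAN's virtual memory reservation exceeds it` above the Master invocation would explain the change for users who copy the old command line. The `ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false"` export likewise merits a one-line reason (oversized allocations from fuzzed inputs should return NULL rather than abort the run; leak reports are not the crashes this setup looks for), so that users do not drop the options when they tweak the command.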
> 

I guess this is OK, but we should explain the removal of the "-m 256"
option in the commit message.

With that:

Acked-by: Laszlo Ersek <lersek at redhat.com>

Thanks
Laszlo

