[Libguestfs] [PATCH nbdkit v2 5/5] fuzzing: Recommend combining fuzzing with ASAN
Laszlo Ersek
lersek at redhat.com
Thu Apr 7 14:42:48 UTC 2022
On 04/07/22 11:42, Richard W.M. Jones wrote:
> ASAN (ie. Address Sanitizer or -fsanitize=address) adds extra checks
> for out-of-bounds memory access, use-after-free and other memory
> checks. It's useful to combine this with fuzzing.
>
> Fuzzing can normally only detect paths which cause the binary to
> crash. But some serious, latent bugs might not cause crashes (eg. a
> rogue pointer overwrites another object in memory, but the other
> object is not used or not used in a way that will cause a crash).
> ASAN turns these kinds of bugs into crashes.
>
> Note the -m 256 (limit memory) flag has been removed from the example
> afl_fuzz command lines because it conflicts with ASAN. See the second
> link below for detailed reasons.
>
> See also:
> https://clang.llvm.org/docs/AddressSanitizer.html
> https://aflplus.plus/docs/notes_for_asan/
>
> Cherry picked from libnbd commit 43b1b95c981861c5c03cd563cf1b90e1f4c52cf8.
> RWMJ: Some modifications were required for fuzzing to work with nbdkit.
> ---
> fuzzing/README | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/fuzzing/README b/fuzzing/README
> index eeab9744..928ad962 100644
> --- a/fuzzing/README
> +++ b/fuzzing/README
> @@ -15,7 +15,9 @@ You will need to recompile nbdkit with AFL instrumentation:
>
> To use clang instead (recommended with AFL++):
>
> - ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++
> + export AFL_USE_ASAN=1
> + ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++ \
> + --disable-linker-script
> make clean
> make
>
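Review bot: the new `--disable-linker-script` configure flag is not explained anywhere in the README, so a reader following these steps cannot tell whether it is required for ASAN builds or merely an nbdkit quirk. The commit message only says "Some modifications were required for fuzzing to work with nbdkit"; add a one-line note above the `./configure` line stating why the linker script must be disabled when building with `AFL_USE_ASAN=1`, so the instruction is not dropped by someone who thinks it is optional.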
> @@ -29,14 +31,16 @@ Master:
>
> mkdir -p fuzzing/sync_dir
> export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
> - afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -M fuzz01 \
> + export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false abort_on_error=1 symbolize=0"
> + afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -M fuzz01 \
> ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
>
> Slaves:
>
> # replace fuzzNN with fuzz02, fuzz03, etc.
> export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
> - afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -S fuzzNN \
> + export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false abort_on_error=1 symbolize=0"
> + afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -S fuzzNN \
> ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
>
> Test Coverage
>
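Review bot: the rationale for removing `-m 256` exists only in the commit message, not in the README itself, so readers who know the older instructions will likely add the memory limit back and get spurious ASAN out-of-memory failures. Add a sentence to the README (for example next to the `export ASAN_OPTIONS=...` line) saying the memory limit is intentionally omitted because it conflicts with ASAN's shadow memory, with a pointer to https://aflplus.plus/docs/notes_for_asan/ as the commit message already does. It would also help to mention that `symbolize=0` is a fuzzing-speed setting and should be dropped when reproducing a crash outside afl-fuzz, otherwise the ASAN report will contain unsymbolized addresses; finally, the identical `export ASAN_OPTIONS` line is repeated verbatim in the Master and Slaves sections, so consider hoisting it once above both.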
Looks reasonable.
Acked-by: Laszlo Ersek <lersek at redhat.com>