[Libguestfs] [PATCH nbdkit v2 5/5] fuzzing: Recommend combining fuzzing with ASAN

Laszlo Ersek lersek at redhat.com
Thu Apr 7 14:42:48 UTC 2022


On 04/07/22 11:42, Richard W.M. Jones wrote:
> ASAN (ie. Address Sanitizer or -fsanitize=address) adds extra checks
> for out-of-bounds memory access, use-after-free and other memory
> checks.  It's useful to combine this with fuzzing.
> 
> Fuzzing can normally only detect paths which cause the binary to
> crash.  But some serious, latent bugs might not cause crashes (eg. a
> rogue pointer overwrites another object in memory, but the other
> object is not used or not used in a way that will cause a crash).
> ASAN turns these kinds of bugs into crashes.
> 
> Note the -m 256 (limit memory) flag has been removed from the example
> afl_fuzz command lines because it conflicts with ASAN.  See the second
> link below for detailed reasons.
> 
> See also:
> https://clang.llvm.org/docs/AddressSanitizer.html
> https://aflplus.plus/docs/notes_for_asan/
> 
> Cherry picked from libnbd commit 43b1b95c981861c5c03cd563cf1b90e1f4c52cf8.
> RWMJ: Some modifications were required for fuzzing to work with nbdkit.
> ---
>  fuzzing/README | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/fuzzing/README b/fuzzing/README
> index eeab9744..928ad962 100644
> --- a/fuzzing/README
> +++ b/fuzzing/README
> @@ -15,7 +15,9 @@ You will need to recompile nbdkit with AFL instrumentation:
>  
>  To use clang instead (recommended with AFL++):
>  
> -  ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++
> +  export AFL_USE_ASAN=1
> +  ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++ \
> +      --disable-linker-script
>    make clean
>    make
>  
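Review bot: the new `--disable-linker-script` configure flag is added without any explanation, in the README text or in the commit message, of why an ASAN build needs it; a reader who later drops it will not know what breaks. Suggest a one-line comment above the configure invocation, e.g. `# --disable-linker-script is required when building with ASAN`, stating the actual reason. Also, the README now sets `export AFL_USE_ASAN=1` unconditionally in the "recommended" clang block, while the subject line only recommends ASAN; a short sentence saying that ASAN is optional, and that omitting the export gives the previous non-ASAN build, would keep both paths documented.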
> @@ -29,14 +31,16 @@ Master:
>  
>    mkdir -p fuzzing/sync_dir
>    export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
> -  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -M fuzz01 \
> +  export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false abort_on_error=1 symbolize=0"
> +  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -M fuzz01 \
>        ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
>  
>  Slaves:
>  
>    # replace fuzzNN with fuzz02, fuzz03, etc.
>    export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
> -  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -S fuzzNN \
> +  export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false abort_on_error=1 symbolize=0"
> +  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -S fuzzNN \
>        ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
>  
>  Test Coverage
> 
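Review bot: the `export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false abort_on_error=1 symbolize=0"` line is duplicated verbatim in the Master and Slaves blocks and is well over 80 columns; moving it to a single shared setup step above both blocks (next to the existing `export AFL_PRELOAD=...`) or wrapping it would avoid the two copies drifting apart. The options themselves are not explained anywhere in the README: `abort_on_error=1` is what makes an ASAN report show up as a crash to afl-fuzz, and `detect_leaks=false` turns leak reports off so they are not counted as crashes, so a one-line comment per option, or a pointer to the AFL++ ASAN notes, would help. Finally, the reason for dropping `-m 256` (it conflicts with ASAN) is only in the commit message; the README reader sees the memory limit silently disappear, so consider adding the same sentence and the https://aflplus.plus/docs/notes_for_asan/ link to the README itself.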

Looks reasonable.

Acked-by: Laszlo Ersek <lersek at redhat.com>

