Link to this headinglibfuzzer
LLVM version of AFL
Link to this headingExample for Damn Vulnerable C Program
Compiling the Program:
>>> clang -fsanitize=fuzzer,address,undefined -g imgRead_libfuzzer.c -o imgRead_libfuzzer
imgRead_libfuzzer.c:86:1: warning: non-void function does not return a value in all control paths [-Wreturn-type]
}
^
1 warning generated.
Run the program:
>>> ./imgRead_libfuzzer
INFO: Seed: 2569578062
INFO: Loaded 1 modules (86 inline 8-bit counters): 86 [0x56004f453148, 0x56004f45319e),
INFO: Loaded 1 PC tables (86 PCs): 86 [0x56004f4531a0,0x56004f453700),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 30Mb
=================================================================
==1805179==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000819e at pc 0x56004f3db28c bp 0x7ffd712987f0 sp 0x7ffd71297fa0
READ of size 10 at 0x60200000819e thread T0
#0 0x56004f3db28b in __asan_memcpy (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x10f28b)
#1 0x56004f4127a5 in LLVMFuzzerTestOneInput /tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer.c:35:3
#2 0x56004f315f0f in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x49f0f)
#3 0x56004f317ba0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x4bba0)
#4 0x56004f3184e9 in fuzzer::Fuzzer::MutateAndTestOne() (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x4c4e9)
#5 0x56004f319e37 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x4de37)
#6 0x56004f30182d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x3582d)
#7 0x56004f2f12f3 in main (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x252f3)
#8 0x7facc26bf151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
#9 0x56004f2f134d in _start (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x2534d)
0x60200000819e is located 0 bytes to the right of 14-byte region [0x602000008190,0x60200000819e)
allocated by thread T0 here:
#0 0x56004f3dc349 in malloc (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x110349)
#1 0x7facc2a98539 in operator new(unsigned long) /build/gcc/src/gcc/libstdc++-v3/libsupc++/new_op.cc:50:22
#2 0x56004f317ba0 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x4bba0)
#3 0x56004f3184e9 in fuzzer::Fuzzer::MutateAndTestOne() (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x4c4e9)
#4 0x56004f319e37 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x4de37)
#5 0x56004f30182d in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x3582d)
#6 0x56004f2f12f3 in main (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x252f3)
#7 0x7facc26bf151 in __libc_start_main (/usr/lib/libc.so.6+0x28151)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/tmp/Damn_Vulnerable_C_Program/imgRead_libfuzzer+0x10f28b) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff8fe0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
0x0c047fff8ff0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff9000: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9020: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x0c047fff9030: fa fa 00[06]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1805179==ABORTING
MS: 4 InsertByte-CopyPart-ChangeBit-CrossOver-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0xa,0x58,0x83,0x0,0x0,0xa,0xa,0x0,0xa,0x0,0xa,0x0,0x0,0x0,
\x0aX\x83\x00\x00\x0a\x0a\x00\x0a\x00\x0a\x00\x00\x00
artifact_prefix='./'; Test unit written to ./crash-5b3e359967a560d8422b9557a5cbd4d6f2cdd3ff
Base64: CliDAAAKCgAKAAoAAAA=
Link to this headingTutorial
Example Testfile:
#include <lib/parse_image.h>
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size){
free(ParseImage(data,size));
return 0;
}
Example Compile:
#Add the AddressSanitizer, ThreadSanitizer, MemorySanitizer, and UndefinedBehaviourSanitizer
clang++ -std=c++11 -fsanitize=address,thread,memory,undefined,fuzzer fuzzer.cc library/*.cc
./fuzzer corpusdir