🐇 Fuzzing Rust code with American Fuzzy Lop

Related tags

Testing rust fuzzing fuzz-testing afl
Overview

afl.rs logo
afl.rs

Fuzzing Rust code with AFLplusplus

What is it?

Fuzz testing is a software testing technique used to find security and stability issues by providing pseudo-random data as input to the software. AFLplusplus is a popular, effective, and modern fuzz testing tool based on AFL. This library, afl.rs, allows one to run AFLplusplus on code written in the Rust programming language.

Documentation

Documentation can be found in the Rust Fuzz Book.

What does it look like?

Screen recording of afl

Screen recording of AFL running on Rust code.

lazy_static variables

lazy_static variables present problems for AFL's persistent mode, which afl.rs uses. Such variables can cause AFL to give incorrectly low stability reports, or fail to report timeouts, for example.

To address such problems, rust-fuzz provides a "resettable" version of lazy_static. To use it, make the following two changes to your target's Cargo.toml file.

  1. Add a [patch.crates-io] section and overide the lazy_static dependency with the rust-fuzz version: 
    [patch.crates-io]
lazy_static = { git = "https://github.com/rust-fuzz/resettable-lazy-static.rs" }
  2. Enable the reset_lazy_static feature on afl.rs: 
    [dependencies]
afl = { version = "*", features = ["reset_lazy_static"] }
Comments
  • Compile failure

    Compile failure

    When I try to compile the 'regex-afl' crate in https://github.com/SeanRBurton/regex/tree/afl, I get the following error:

    /home/usr/documents/regex/src/lib.rs:453:42: 453:52 error: /home/usr/documents/regex/regex-afl/target/debug/deps/libafl_plugin-86c859d7ecd403fc.so: undefined symbol: _ZNK4llvm10ModulePass17createPrinterPassERNS_11raw_ostreamERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE /home/sean/usr/documents/regex/src/lib.rs:453 #![cfg_attr(feature = "afl-fuzz", plugin(afl_plugin))]

    Can you please help me debug this?

    opened by SeanRBurton 35
  • Do not write to user data directories on build. Fix docs.rs documentation generation

    Do not write to user data directories on build. Fix docs.rs documentation generation

    This change addresses the same problem as #185. It turns out that build scripts are only meant to write to OUT_DIR, and in general it is untidy to write things all over the place. docs.rs is specially sensitive to this.

    Also, docs.rs does not set the feature flag docsrs by itself, but a Cargo package metadata section can be used to instruct docs.rs to pass that flag to Cargo.

    I have not tested the change.

    opened by AlexTMjugador 14
  • SIGILL while compiling a project with afl.rs

    SIGILL while compiling a project with afl.rs

    Hi,

    I do not know if this bug comes from my setup or from afl.rs, so I'll post it here. I am trying to setup fuzzing for a tar parser built with nom, but I get a SIGILL while building the project. Here is the GDB output for the incriminated rustc call:

    (gdb) r src/main.rs --crate-name tar_example --crate-type bin -g --out-dir /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug --emit=dep-info,link -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps --extern afl_coverage=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage-b12fdfb78ced2df1.rlib --extern tar=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libtar-8c75079877dd814c.rlib --extern afl_coverage_plugin=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so --extern nom=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libnom-8d822f881e715e50.rlib -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out
Starting program: /usr/local/bin/rustc src/main.rs --crate-name tar_example --crate-type bin -g --out-dir /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug --emit=dep-info,link -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug -L dependency=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps --extern afl_coverage=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage-b12fdfb78ced2df1.rlib --extern tar=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libtar-8c75079877dd814c.rlib --extern afl_coverage_plugin=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so --extern nom=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libnom-8d822f881e715e50.rlib -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out -L native=/home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/build/afl-coverage-b12fdfb78ced2df1/out
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Traceback (most recent call last):
  File "/usr/share/gdb/auto-load/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19-gdb.py", line 63, in <module>
    from libstdcxx.v6.printers import register_libstdcxx_printers
ImportError: No module named 'libstdcxx'
[New Thread 0x7fffefbff700 (LWP 13085)]
warning: Missing auto-load scripts referenced in section .debug_gdb_scripts
of file /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so
Use `info auto-load python-scripts [REGEXP]' to list them.
afl-llvm-pass 1.77b by <[email protected]>

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffefbff700 (LWP 13085)]
0x00007ffff3a57388 in llvm::PointerType::get(llvm::Type*, unsigned int) () from /usr/local/lib/librustc_llvm-d8ace771.so
(gdb) bt
#0  0x00007ffff3a57388 in llvm::PointerType::get(llvm::Type*, unsigned int) () from /usr/local/lib/librustc_llvm-d8ace771.so
#1  0x00007ffff04514a6 in (anonymous namespace)::AFLCoverage::runOnModule(llvm::Module&) () from /home/geal/fuzzing/tar-parser.rs/fuzzed/target/debug/deps/libafl_coverage_plugin-38726c8cba86ad1b.so
#2  0x00007ffff3a3e76f in llvm::FPPassManager::runOnFunction(llvm::Function&) () from /usr/local/lib/librustc_llvm-d8ace771.so
#3  0x00007ffff3a3e84e in llvm::legacy::FunctionPassManagerImpl::run(llvm::Function&) () from /usr/local/lib/librustc_llvm-d8ace771.so
#4  0x00007ffff3a3e944 in llvm::legacy::FunctionPassManager::run(llvm::Function&) () from /usr/local/lib/librustc_llvm-d8ace771.so
#5  0x00007ffff2addc40 in LLVMRustRunFunctionPassManager (PM=0x7fffe8116270, M=0x7fffe8004e00) at /home/geal/dev/rust/rust/src/rustllvm/PassWrapper.cpp:205
#6  0x00007ffff62ea584 in back::write::execute_work_item::h57fe4379208c73afFjd () from /usr/local/lib/librustc_trans-d8ace771.so
#7  0x00007ffff62e3417 in back::write::run_passes::h0b7edf1f79d9711erZc () from /usr/local/lib/librustc_trans-d8ace771.so
#8  0x00007ffff7ac74b4 in driver::phase_5_run_llvm_passes::h401bc1bb79e26ccfJPa () from /usr/local/lib/librustc_driver-d8ace771.so
#9  0x00007ffff7a9a018 in driver::compile_input::h5f7ce1a1b74fe3e9Tba () from /usr/local/lib/librustc_driver-d8ace771.so
#10 0x00007ffff7b769f4 in run_compiler::h99fee4b1ff194bd3x7b () from /usr/local/lib/librustc_driver-d8ace771.so
#11 0x00007ffff7b743cf in boxed::F.FnBox$LT$A$GT$::call_box::h15186281694418648608 () from /usr/local/lib/librustc_driver-d8ace771.so
#12 0x00007ffff7b73c1a in rt::unwind::try::try_fn::h4127295356855569320 () from /usr/local/lib/librustc_driver-d8ace771.so
#13 0x00007ffff75db1d9 in rust_try_inner () from /usr/local/lib/libstd-d8ace771.so
#14 0x00007ffff75db1c6 in rust_try () from /usr/local/lib/libstd-d8ace771.so
#15 0x00007ffff754eb68 in rt::unwind::try::inner_try::hc82de977351d5e1crJw () from /usr/local/lib/libstd-d8ace771.so
#16 0x00007ffff7b73e2c in boxed::F.FnBox$LT$A$GT$::call_box::h16559282529075441406 () from /usr/local/lib/librustc_driver-d8ace771.so
#17 0x00007ffff7562412 in sys::thread::Thread::new::thread_start::h63af462716e59b66oTv () from /usr/local/lib/libstd-d8ace771.so
#18 0x00007ffff1e75182 in start_thread (arg=0x7fffefbff700) at pthread_create.c:312
#19 0x00007ffff71ab47d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb)

    I suspect that my version of rustc may be too new (I built it this morning):

    $ rustc -V
rustc 1.2.0-dev (e749f724b 2015-06-23)

    This is on a Linux machine, but I made it work previously on a Macbook, although with an older rustc:

    $ rustc -V
rustc 1.2.0-dev (717e8831b 2015-06-08)

    I have to add that this project is a great help, fuzzing the nom projects is fun :)

    opened by Geal 12
  • Update for new LLVM pass manager

    Update for new LLVM pass manager

    Fixes #192

    This drops support for the old nightly, but that should be fine. (See discussion in cargo-fuzz: https://github.com/rust-fuzz/cargo-fuzz/pull/277)

    opened by taiki-e 9

  • "linked panic runtime not compiled with ..." error

    I get this error when I try running an example in my repo with afl.rs.

    $ cargo afl build --example chat
...
error: the linked panic runtime `panic_unwind` is not compiled with this crate's panic strategy `abort`
error: aborting due to previous error
error: Could not compile `serde_derive`.
    opened by osa1 7
  • Unknown pass name 'sancov'

    Unknown pass name 'sancov'

    https://github.com/rust-fuzz/cargo-fuzz/issues/276

    afl.rs suffers from this issue as well: https://github.com/rust-fuzz/afl.rs/blob/29134042d23f198ccf4f8fa77eb68e398eb56cff/src/bin/cargo-afl.rs#L307 https://github.com/rust-fuzz/afl.rs/blob/29134042d23f198ccf4f8fa77eb68e398eb56cff/src/bin/cargo-afl.rs#L326

    There seem to be at least two options:

    • Wait and see what cargo-fuzz does.
    • Charge ahead and implement a fix for the latest nightly.

    I don't have a strong opinion. Does anyone else?

    opened by smoelius 5
  • Use local directories when building for docs.rs

    Use local directories when building for docs.rs

    I haven't tested it, but this code should be enough to get afl to compile for docs.rs

    See https://docs.rs/crate/afl/0.10.0/builds/351937 for the current errors. This will require a new release to test.

    opened by XAMPPRocky 5
  • Add option to kill afl-fuzz after a time limit

    Add option to kill afl-fuzz after a time limit

    This PR adds a new option to cargo afl fuzz, --max_total_time, to limit how long afl-fuzz runs for. The new option will enable implementing rust-fuzz/targets#107. When this option is specified, cargo-afl will wait that many seconds and kill afl-fuzz, if it's still running. I had to refactor how command line arguments were passed around, as well, so that this new option didn't get passed to afl.

    opened by divergentdave 5
  • [question] Is this compilation failure due to the docker image's older rustc? Any way to update it?

    [question] Is this compilation failure due to the docker image's older rustc? Any way to update it?

    First off, thanks in advance for your time, and thanks for making afl.rs :)

    When I try to use afl.rs with my C++ symbol demangling crate, which depends on error-chain, I get the following errors. I assume these are becauses error-chain depends on a newer rustc than the one bundled; is there a way to use a newer rustc with afl.rs?

    My normal rustc version (with which I can compile error-chain and my crate):

    $ rustc --version
rustc 1.16.0-nightly (47c8d9fdc 2017-01-08)

    The rustc in the docker image:

    # rustc --version
rustc 1.11.0-nightly (01411937f 2016-07-01)

    The logs when attempting to compile my crate and error-chain inside the docker image:

    # cargo build --features fuzz
    Updating registry `https://github.com/rust-lang/crates.io-index`
 Downloading afl v0.1.5
 Downloading afl-plugin v0.1.5
 Downloading error-chain v0.7.1
 Downloading afl-sys v0.1.5
 Downloading libc v0.2.18
 Downloading gcc v0.3.39
 Downloading quale v1.0.0
 Downloading backtrace v0.3.0
 Downloading winapi v0.2.8
 Downloading dbghelp-sys v0.2.0
 Downloading backtrace-sys v0.1.5
 Downloading kernel32-sys v0.2.2
 Downloading cfg-if v0.1.0
 Downloading rustc-demangle v0.1.3
 Downloading winapi-build v0.1.1
   Compiling winapi v0.2.8
   Compiling cfg-if v0.1.0
   Compiling gcc v0.3.39
   Compiling winapi-build v0.1.1
   Compiling backtrace v0.3.0
   Compiling kernel32-sys v0.2.2
   Compiling libc v0.2.18
   Compiling rustc-demangle v0.1.3
   Compiling dbghelp-sys v0.2.0
   Compiling afl v0.1.5
   Compiling afl-sys v0.1.5
   Compiling quale v1.0.0
   Compiling backtrace-sys v0.1.5
   Compiling afl-plugin v0.1.5
   Compiling error-chain v0.7.1
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:419:9: 419:38 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:419         #[cfg(feature = "backtrace")]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:419:9: 419:38 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:424:9: 424:43 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:424         #[cfg(not(feature = "backtrace"))]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:424:9: 424:43 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:435:9: 435:38 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:435         #[cfg(feature = "backtrace")]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:435:9: 435:38 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:444:9: 444:43 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:444         #[cfg(not(feature = "backtrace"))]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:444:9: 444:43 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:454:9: 454:38 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:454         #[cfg(feature = "backtrace")]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:454:9: 454:38 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:456:9: 456:43 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:456         #[cfg(not(feature = "backtrace"))]
                                                                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/lib.rs:456:9: 456:43 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:364:20: 364:34 error: attributes on non-item statements and expressions are experimental. (see issue #15701)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:364                 $( #[$meta_links] )*
                                                                                                                  ^~~~~~~~~~~~~~
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:81:13: 83:81 note: in this expansion of impl_extract_backtrace! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:24:9: 30:10 note: in this expansion of error_chain_processed! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:9:9: 14:10 note: in this expansion of error_chain_processed! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:325:9: 330:10 note: in this expansion of error_chain_processed! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:319:9: 322:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:309:9: 312:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:299:9: 302:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:339:9: 342:10 note: in this expansion of error_chain_processing! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/example_generated.rs:27:1: 38:2 note: in this expansion of error_chain! (defined in /root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs)
/root/.cargo/registry/src/github.com-1ecc6299db9ec823/error-chain-0.7.1/src/error_chain.rs:364:20: 364:34 help: add #![feature(stmt_expr_attributes)] to the crate attributes to enable
error: aborting due to 7 previous errors
Build failed, waiting for other jobs to finish...
error: Could not compile `error-chain`.

To learn more, run the command again with --verbose.
#
    opened by fitzgen 5
  • Does not work with the latest Rust nightlies

    Does not work with the latest Rust nightlies

    Stopped working after https://github.com/rust-lang/rust/commit/3fd5fdd8d3e64e957a7eafe3d6d0b10ef4170d59

    Output I get when I try to compile a Rust version after the change above: https://gist.githubusercontent.com/frewsxcv/ca3ef34cab9fd96edd44fc5de585044d/raw/837b8b6ccbfa682a34977233f535c186e4375c93/gistfile1.txt

    A lot of errors like:

    /root/.cargo/registry/src/github.com-1ecc6299db9ec823/rayon-0.4.2/src/par_iter/weight.rs:48: undefined reference to `__afl_prev_loc'
    opened by frewsxcv 5
  • SIGSEGV compiling afl-coverage for `examples/hello.rs`

    SIGSEGV compiling afl-coverage for `examples/hello.rs`

    @bb80fc56f5ba096406c61f1790886d8edce878c9, $(which rustc) == /Users/tschottdorf/rust/rust/x86_64-apple-darwin/stage2/bin/rustc @ 1.0.0-beta-6833-g079f384:

    $ cargo build --example hello --verbose
       Fresh gcc v0.3.19
       Fresh byteorder v0.3.13
   Compiling afl-coverage v0.0.1 (file:///Users/tschottdorf/rust/afl.rs)
     Running `/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/build-script-build`
       Fresh afl-coverage-plugin v0.0.1 (file:///Users/tschottdorf/rust/afl.rs)
     Running `rustc src/lib.rs --crate-name afl_coverage --crate-type lib -g --out-dir /Users/tschottdorf/rust/afl.rs/target/debug --emit=dep-info,link -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug/deps -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -l static=afl-llvm-rt`
     Running `rustc examples/hello.rs --crate-name hello --crate-type bin -g --out-dir /Users/tschottdorf/rust/afl.rs/target/debug/examples --emit=dep-info,link -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug/deps --extern byteorder=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libbyteorder-3e27c88aa235985f.rlib --extern afl_coverage_plugin=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libafl_coverage_plugin-a9b7f43301ffb1fc.dylib --extern afl_coverage=/Users/tschottdorf/rust/afl.rs/target/debug/libafl_coverage.rlib -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out`
afl-llvm-pass 1.77b by <[email protected]>
Could not compile `afl-coverage`.

Caused by:
  Process didn't exit successfully: `rustc examples/hello.rs --crate-name hello --crate-type bin -g --out-dir /Users/tschottdorf/rust/afl.rs/target/debug/examples --emit=dep-info,link -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug -L dependency=/Users/tschottdorf/rust/afl.rs/target/debug/deps --extern byteorder=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libbyteorder-3e27c88aa235985f.rlib --extern afl_coverage_plugin=/Users/tschottdorf/rust/afl.rs/target/debug/deps/libafl_coverage_plugin-a9b7f43301ffb1fc.dylib --extern afl_coverage=/Users/tschottdorf/rust/afl.rs/target/debug/libafl_coverage.rlib -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out -L native=/Users/tschottdorf/rust/afl.rs/target/debug/build/afl-coverage-f64ebee15259fa44/out` (signal: 11)

    I've tried lldb to get more info about the segfault as in #11 but I can't just re-run the failing command (it needs the right env, I think) and wasn't versed enough to get lldb to attach to the forked child in cargo build. Pointers appreciated.

    opened by tbg 5
  • afl should not store object files inside $CARGO_HOME !

    afl should not store object files inside $CARGO_HOME !

    Found by accident here: https://internals.rust-lang.org/t/what-will-happen-if-someone-insert-malicious-code-to-local-std-or-crates-from-crates-io-source-code/18003/22

    Apparently, afl stores c objects files inside the cargo home, they are supposed to go into the projects target dir, not the $CARGO_HOME :smile:

    ~/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.12.10

    afl-0.12.10/AFLplusplus/instrumentation/afl-common.o, afl-0.12.10/AFLplusplus/src/afl-common.o, afl-0.12.10/AFLplusplus/src/afl-sharedmem.o, afl-0.12.10/AFLplusplus/src/afl-forkserver.o, afl-0.12.10/AFLplusplus/src/afl-performance.o, afl-0.12.10/AFLplusplus/utils/aflpp_driver/aflpp_driver.o, afl-0.12.10/AFLplusplus/utils/aflpp_driver/libAFLDriver.a, afl-0.12.10/AFLplusplus/utils/aflpp_driver/aflpp_qemu_driver.o, afl-0.12.10/AFLplusplus/utils/aflpp_driver/libAFLQemuDriver.a, afl-0.12.10/AFLplusplus/afl-fuzz, afl-0.12.10/AFLplusplus/afl-showmap, afl-0.12.10/AFLplusplus/afl-tmin, afl-0.12.10/AFLplusplus/afl-gotcpu, afl-0.12.10/AFLplusplus/afl-analyze, afl-0.12.10/AFLplusplus/afl-as, afl-0.12.10/AFLplusplus/afl-cc, afl-0.12.10/AFLplusplus/afl-compiler-rt.o, afl-0.12.10/AFLplusplus/afl-compiler-rt-32.o, afl-0.12.10/AFLplusplus/afl-compiler-rt-64.o, afl-0.12.10/AFLplusplus/afl-cc.8, afl-0.12.10/AFLplusplus/afl-gcc-pass.so, afl-0.12.10/AFLplusplus/afl-gcc-cmplog-pass.so, afl-0.12.10/AFLplusplus/afl-gcc-cmptrs-pass.so, afl-0.12.10/AFLplusplus/libAFLDriver.a, afl-0.12.10/AFLplusplus/libAFLQemuDriver.a, afl-0.12.10/AFLplusplus/afl-fuzz.8, afl-0.12.10/AFLplusplus/afl-showmap.8, afl-0.12.10/AFLplusplus/afl-tmin.8, afl-0.12.10/AFLplusplus/afl-gotcpu.8, afl-0.12.10/AFLplusplus/afl-analyze.8, afl-0.12.10/AFLplusplus/afl-plot.8, afl-0.12.10/AFLplusplus/afl-cmin.8, afl-0.12.10/AFLplusplus/afl-cmin.bash.8, afl-0.12.10/AFLplusplus/afl-whatsup.8, afl-0.12.10/AFLplusplus/afl-system-config.8, afl-0.12.10/AFLplusplus/afl-persistent-config.8, afl-0.12.10/AFLplusplus/afl-as.8

    can be reproduced by cargo install afl

    opened by matthiaskrgr 1
  • `maxlength` flag does not work as expected

    `maxlength` flag does not work as expected

    I've tried using AFL++'s -G (--maxlength) option to generate and use inputs bigger than the default 1MB but I have not been successful so far.

    Here is a repository I created to show the behavior: https://github.com/louismerlin/fuzz-size

    I don't know if the behavior comes from afl.rs or from AFL++ directly.

    I'll be happy to help fixing the issue, but I have not found the source of it yet.

    opened by louismerlin 1
  • `--max_total_time` to be deprecated

    `--max_total_time` to be deprecated

    --max_total_time provides an option to kill afl-fuzz after a time limit. However, it has some downsides:

    1. --max_total_time is the only option of cargo afl fuzz handled by cargo-afl and not passed to afl-fuzz. Thus, it is a maintenance burden.

      For example, --max_total_time partially broke with the upgrade to Clap 4. It still works if passed as cargo afl fuzz's first argument, but not if other arguments appear first.

    2. The functionality that --max_total_time provides is also provided by afl-fuzz's -V <seconds> option. Thus, --max_total_time is actually redundant.

    For these reasons, I intend to remove --max_total_time with the next incompatible version change of afl.rs, unless there are strong objections.

    Regarding point 1, it is unfortunate that --max_total_time does not work as it did before the upgrade to Clap 4. That is, it would be nice to offer users the original functionality prior to the option's removal. However, there is no easy way to fix this with Clap 4 currently (see https://github.com/clap-rs/clap/discussions/4468), and I am concerned that switching back to Clap 3 could introduce additional bugs. Users that require the original functionality of --max_total_time should please use afl.rs 0.12.8.

    opened by smoelius 0
  • [Bug] afl.rs>=0.12.9 passes own arguments to `afl-fuzz`

    [Bug] afl.rs>=0.12.9 passes own arguments to `afl-fuzz`

    Starting in version 0.12.9 (coinciding with the upgrade to clap v4.0), arguments passed to cargo afl fuzz are passed down to afl++, where they cause errors as they cannot be parsed. This makes the max_total_time option unusable, as it leads to:

    [...]/afl.rs/rustc-1.64.0-a55dd71/afl.rs-0.12.9/afl/bin/afl-fuzz: invalid option -- '-'

[-] PROGRAM ABORT : Bad syntax used for -m
         Location : main(), src/afl-fuzz.c:860

    whereas on 0.12.8 everything works as expected

    opened by roypat 2
  • feature: Print Debug output when using Arbitrary

    feature: Print Debug output when using Arbitrary

    When fuzzing with libfuzzer and using arbitrary::Arbitrary, if you find a failing input then cargo fuzz prints the Debug representation of your Arbitrary struct. This is quite useful because it's easier to create a unit test and repro the failing scenario.

    Could afl.rs add a similar feature that when using Arbitrary it'll output the Debug representation of your failing struct?

    opened by ParkMyCar 2
  • Unable to build 0.11.1: warning _FORTIFY_SOURCE

    Unable to build 0.11.1: warning _FORTIFY_SOURCE

    Full log:

    [nix-shell:/x/code/naga/fuzz]$ cargo install afl
    Updating crates.io index
  Downloaded afl v0.11.1
  Downloaded 1 crate (3.6 MB) in 0.76s
  Installing afl v0.11.1
   Compiling libc v0.2.112
   Compiling semver v1.0.4
   Compiling unicode-width v0.1.9
   Compiling strsim v0.8.0
   Compiling ansi_term v0.12.1
   Compiling vec_map v0.8.2
   Compiling bitflags v1.3.2
   Compiling cc v1.0.72
   Compiling textwrap v0.11.0
   Compiling rustc_version v0.4.0
   Compiling dirs-sys v0.3.6
   Compiling atty v0.2.14
   Compiling clap v2.34.0
   Compiling dirs v3.0.2
   Compiling xdg v2.4.0
   Compiling afl v0.11.1
error: failed to run custom build command for `afl v0.11.1`

Caused by:
  process didn't exit successfully: `/run/user/1000/cargo-install0HIprX/release/build/afl-e7a898d3022feeeb/build-script-build` (exit status: 101)
  --- stdout
  [*] Compiling afl++ for OS Linux on ARCH x86_64
  Compiling DEBUG version of binaries
  rm -f afl-fuzz afl-showmap afl-tmin afl-gotcpu afl-analyze libradamsa.so afl-fuzz-document afl-as as afl-g++ afl-clang afl-clang++ *.o src/*.o *~ a.out core core.[1-9][0-9]* *.stackdump .test .test1 .test2 test-instr .test-instr0 .test-instr1 afl-qemu-trace afl-gcc-fast afl-gcc-pass.so afl-g++-fast ld *.so *.8 test/unittests/*.o test/unittests/unit_maybe_alloc test/unittests/preallocable .afl-* afl-gcc afl-g++ afl-clang afl-clang++ test/unittests/unit_hash test/unittests/unit_rand
  make -f GNUmakefile.llvm clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus'
  [+] llvm_mode detected llvm 10+, enabling neverZero implementation and c++14
  [+] llvm_mode detected llvm 11+, enabling afl-lto LTO implementation
  rm -f *.o *.so *~ a.out core core.[1-9][0-9]* .test2 test-instr .test-instr0 .test-instr1 *.dwo
  rm -f ./afl-cc ./afl-compiler-rt.o ./afl-compiler-rt-32.o ./afl-compiler-rt-64.o  ./afl-llvm-pass.so ./SanitizerCoveragePCGUARD.so ./split-compares-pass.so ./split-switches-pass.so ./cmplog-routines-pass.so ./cmplog-instructions-pass.so ./cmplog-switches-pass.so ./afl-llvm-dict2file.so ./compare-transform-pass.so ./afl-ld-lto ./afl-llvm-lto-instrumentlist.so ./afl-llvm-lto-instrumentation.so ./SanitizerCoverageLTO.so afl-common.o ./afl-c++ ./afl-lto ./afl-lto++ ./afl-clang-lto* ./afl-clang-fast* ./afl-clang*.8 ./ld ./afl-ld ./afl-llvm-rt*.o instrumentation/*.o
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus'
  make -f GNUmakefile.gcc_plugin clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus'
  rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 .test2
  rm -f ./afl-gcc-pass.so ./afl-compiler-rt.o ./afl-compiler-rt-32.o ./afl-compiler-rt-64.o afl-common.o ./afl-g++-fast ./afl-g*-fast.8 instrumentation/*.o
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus'
  make -C utils/libdislocator clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/libdislocator'
  rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
  rm -f ../../libdislocator.so
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/libdislocator'
  make -C utils/libtokencap clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/libtokencap'
  rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
  rm -fv ../../libtokencap.so
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/libtokencap'
  make -C utils/aflpp_driver clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/aflpp_driver'
  rm -f *.o libAFLDriver*.a libAFLQemuDriver.a aflpp_qemu_driver_hook.so *~ core aflpp_driver_test
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/aflpp_driver'
  make -C utils/afl_network_proxy clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/afl_network_proxy'
  rm -f afl-network-client afl-network-server *~ core
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/afl_network_proxy'
  make -C utils/socket_fuzzing clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/socket_fuzzing'
  rm -f socketfuzz32.so socketfuzz64.so
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/socket_fuzzing'
  make -C utils/argv_fuzzing clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/argv_fuzzing'
  rm -f argvfuzz32.so argvfuzz64.so
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/utils/argv_fuzzing'
  make -C qemu_mode/unsigaction clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/qemu_mode/unsigaction'
  rm -f unsigaction.so
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/qemu_mode/unsigaction'
  make -C qemu_mode/libcompcov clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/qemu_mode/libcompcov'
  rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
  rm -f ../../libcompcov.so compcovtest
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/qemu_mode/libcompcov'
  make -C qemu_mode/libqasan clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/qemu_mode/libqasan'
  rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
  rm -f ../../libqasan.so
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/qemu_mode/libqasan'
  make -C frida_mode clean
  make[1]: Entering directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/frida_mode'
  rm -rf /home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/frida_mode/build/
  make[1]: Leaving directory '/home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/AFLplusplus/frida_mode'
  rm -rf qemu_mode/qemuafl
  rm -rf unicorn_mode/unicornafl
  [!] Note: skipping x86 compilation checks (AFL_NO_X86 set).
  [-] shmat seems not to be working, switching to mmap implementation
  [-] You seem to need to install the package python3-dev, python2-dev or python-dev (and perhaps python[23]-apt), but it is optional so we continue
  [+] Everything seems to be working, ready to compile.
  gcc -ggdb3 -O0 -Wall -Wextra -Werror -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith -I include/ -DAFL_PATH=\"/lib/afl\" -DBIN_PATH=\"/bin\" -DDOC_PATH=\"/share/doc/afl\" -DUSEMMAP=1 -flto -c src/afl-common.c -o src/afl-common.o

  --- stderr
  GNUmakefile.llvm:68: you are using an in-development llvm version - this might break llvm_mode!
  GNUmakefile.llvm:120: we have trouble finding clang - llvm-config is not helping us
  GNUmakefile.llvm:135: we have trouble finding clang++ - llvm-config is not helping us
  GNUmakefile.llvm:223: clang option -flto is not working - maybe LLVMgold.so not found - cannot enable LTO mode
  In file included from /nix/store/alhk4bwig4mh1qqw0h7y6gkxa64kma84-glibc-2.33-56-dev/include/bits/libc-header-start.h:33,
                   from /nix/store/alhk4bwig4mh1qqw0h7y6gkxa64kma84-glibc-2.33-56-dev/include/stdlib.h:25,
                   from src/afl-common.c:26:
  /nix/store/alhk4bwig4mh1qqw0h7y6gkxa64kma84-glibc-2.33-56-dev/include/features.h:397:4: error: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Werror=cpp]
    397 | #  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
        |    ^~~~~~~
  cc1: all warnings being treated as errors
  make: *** [GNUmakefile:423: src/afl-common.o] Error 1
  thread 'main' panicked at 'assertion failed: status.success()', /home/kvark/.cargo/registry/src/github.com-1ecc6299db9ec823/afl-0.11.1/build.rs:32:5
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
warning: build failed, waiting for other jobs to finish...
error: failed to compile `afl v0.11.1`, intermediate artifacts can be found at `/run/user/1000/cargo-install0HIprX`
    opened by kvark 19
Owner
Rust Fuzzing Authority
Tools and resources for fuzzing with the Rust programming language
Rust Fuzzing Authority
GitHub https://rust-fuzz.github.io/book/afl.html
Hopper is a tool for generating fuzzing test cases for libraries automatically using interpretative fuzzing.

Hopper Hopper is an tool for generating fuzzing test cases for libraries automatically using interpretative fuzzing. It transforms the problem of libr

FuzzAnything 124 Nov 24, 2023
Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines. For Windows, Android, MacOS, Linux, no_std, ...

LibAFL, the fuzzer library. Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust. LibAFL is written and main

Advanced Fuzzing League ++ 1.2k Dec 29, 2022
Structure-aware, in-process, coverage-guided, evolutionary fuzzing engine for Rust functions.

fuzzcheck Fuzzcheck is a structure-aware, in-process, coverage-guided, evolutionary fuzzing engine for Rust functions. Given a function test: (T) -> b

Loïc Lecrenier 394 Dec 20, 2022
A self-hosted Fuzzing-As-A-Service platform

OneFuzz A self-hosted Fuzzing-As-A-Service platform Project OneFuzz enables continuous developer-driven fuzzing to proactively harden software prior t

Microsoft 2.6k Dec 30, 2022
An example fuzzer about how to fuzz a JS engine combinign Nautilus with Token-level fuzzing

LibAFL QuickJS Fuzzing Example An example fuzzer about how to fuzz a JS engine combinign Nautilus with Token-level fuzzing. Prepare Make sure to have

Andrea Fioraldi 32 Dec 21, 2022
A structure-aware HTTP fuzzing library

?? FeroxFuzz ?? A structure-aware HTTP fuzzing library ?? Another ferox? why? ?? Chill, it's not another command-line tool, this one's a library! ?? M

epi 141 Dec 27, 2022
Pre-Silicon Hardware Fuzzing Toolkit

Disclaimer All components are provided for research and validation purposes only. Use at your own risk. Pre-Silicon Hardware Fuzzing Toolkit From CPU

Intel Labs 12 Dec 13, 2022
µFUZZ: Redesign of Parallel Fuzzing using Microservice Architecture

mufuzz, a parallel fuzzing framework TODO: Add reference Build Install cargo and protoc curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Software Systems Security Team at Penn State University 7 May 15, 2023
🧹 Quick & dirty fuzzy path comparison

?? fuzzypath Quick & dirty fuzzy path comparison Comparison rules ✅ Case insensitive ✅ Backslashes are normalized to forward slashes ✅ Trailing slashe

William 4 May 19, 2022
How-to: Sanitize your Rust code!

rust-san How-to: Sanitize your Rust code! Intro How to use the sanitizers? Examples AddressSanitizer Out of bounds access Use after free LeakSanitizer

Jorge Aparicio 359 Dec 22, 2022
Breaking your Rust code for fun and profit

Breaking your Rust code for fun & profit this is an architecture-preview, not all components are there This is a mutation testing framework for Rust c

null 533 Dec 18, 2022
Code for comparing CDN speeds!

How to run speed test. the image to use The image you should probably use is: cf_219kb.png cf_219kb.png is an image that won't be compressed by Jetpac

Speed Test Demon 26 Nov 10, 2022
Handle some lichess.org/tournament load with Rust, while learning Rust

lila-http Take some of the HTTP load away from lila. WIP! Arena tournaments Clients connected to a tournament page request new data about the tourname

Lichess 22 Jan 2, 2023
HTTP mocking library for Rust.

httpmock HTTP mocking library for Rust. Documentation · Crate · Report Bug · Request Feature · Changelog Features Simple, expressive, fluent API. Many

Alexander Liesenfeld 320 Dec 21, 2022
Testing Framework for Rust

Polish Polish is Test-Driven Development done right Getting Started Installing the Package The crates.io package is kept up-to-date with all the major

Fadi Hanna Al-Kass 49 Dec 18, 2022
Travis CI and AppVeyor template to test your Rust crate on 5 architectures and publish binary releases of it for Linux, macOS and Windows

trust Travis CI and AppVeyor template to test your Rust crate on 5 architectures and publish binary releases of it for Linux, macOS and Windows Featur

Jorge Aparicio 1.2k Dec 30, 2022
A library for generating fake data in Rust.

Fake A Rust library for generating fake data. Installation Default (rand is required): [dependencies] fake = "2.4" rand = "0.8" If you want to use #[d

cksac 552 Dec 25, 2022
Benchmarks for rust serialization frameworks

Rust serialization benchmark The goal of these benchmarks is to provide thorough and complete benchmarks for various rust serialization frameworks. Th

David Koloski 187 Jan 4, 2023
Playwright is a rust library to automate Chromium, Firefox and WebKit built on top of Node.js library.

?? Playwright for Rust Playwright is a rust library to automate Chromium, Firefox and WebKit built on top of Node.js library. Installation [dependenci

octaltree 132 Jan 6, 2023