blob: 9b6d7d7980d756f7df774823feeb93a07462ca7d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
# I Can Haz Fuzz?
Or, how to fuzz OpenSSL with [libfuzzer](llvm.org/docs/LibFuzzer.html).
Starting from a vanilla+OpenSSH server Ubuntu install.
Use Chrome's handy recent build of clang. Older versions may also work.
$ sudo apt-get install git
$ mkdir git-work
$ git clone https://chromium.googlesource.com/chromium/src/tools/clang
$ clang/scripts/update.py
You may want to git pull and re-run the update from time to time.
Update your path:
$ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH
Get and build libFuzzer (there is a git mirror at
https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer):
$ cd
$ sudo apt-get install subversion
$ mkdir svn-work
$ cd svn-work
$ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
$ cd Fuzzer
$ clang++ -c -g -O2 -std=c++11 *.cpp
$ ar r libFuzzer.a *.o
$ ranlib libFuzzer.a
Configure for fuzzing:
$ CC=clang ./config enable-fuzz enable-asan enable-ubsan no-shared
$ sudo apt-get install make
$ LDCMD=clang++ make -j
$ fuzz/helper.py <fuzzer> <arguments>
Where `<fuzzer>` is one of the executables in `fuzz/`. Most fuzzers do not
need any command line arguments, but, for example, `asn1` needs the name of a
data type.
If you get a crash, you should find a corresponding input file in
`fuzz/corpora/<fuzzer>-crash/`. You can reproduce the crash with
$ fuzz/<fuzzer> <crashfile>
|
