author | van Hauser <vh@thc.org> | 2021-02-18 21:55:07 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-02-18 12:55:07 -0800 |
commit | 4bb61df7905c6005000f5766e966e6fe30ab4559 (patch) | |
tree | 3ac2f4562536797982fe00fd57aaa7f51cbb9745 /infra | |
parent | f682792936f489550fe26c475d79468d82b9c7fe (diff) | |
download | oss-fuzz-4bb61df7905c6005000f5766e966e6fe30ab4559.tar.gz |
Final afl++ integration (#5191)
* final afl++ integration
* remove afl++ cmplog tests
* update afl++ commit id
* support rebuild
* llvm 13 workaround
* apply fix for llvm 13
* fix nits
* Fix nits.
* Fix name nit.
* update commit id
* update commit id
* update commit id to stable
Co-authored-by: Abhishek Arya <inferno@chromium.org>
Diffstat (limited to 'infra')
-rw-r--r-- | infra/base-images/base-builder/Dockerfile | 2 | ||||
-rw-r--r-- | infra/base-images/base-builder/compile_afl | 73 | ||||
-rwxr-xr-x | infra/base-images/base-runner/run_fuzzer | 4 |
3 files changed, 67 insertions, 12 deletions
diff --git a/infra/base-images/base-builder/Dockerfile b/infra/base-images/base-builder/Dockerfile
index 68c44be66..4ac72a190 100644
--- a/infra/base-images/base-builder/Dockerfile
+++ b/infra/base-images/base-builder/Dockerfile
@@ -177,7 +177,7 @@ WORKDIR $SRC
 # TODO: switch to -b stable once we can.
 RUN git clone https://github.com/AFLplusplus/AFLplusplus.git aflplusplus && \
 cd aflplusplus && \
- git checkout aeb7d7048371cd91ab9280c3958f1c35e5d5e758
+ git checkout 5dd35f5281afec0955c08fe9f99e3c83222b7764
 RUN cd $SRC && \
 curl -L -O https://github.com/google/honggfuzz/archive/oss-fuzz.tar.gz && \
diff --git a/infra/base-images/base-builder/compile_afl b/infra/base-images/base-builder/compile_afl
index 318eca44e..17762d38e 100644
--- a/infra/base-images/base-builder/compile_afl
+++ b/infra/base-images/base-builder/compile_afl
@@ -15,6 +15,22 @@
 #
 ################################################################################
+# afl++ configuration options.
+# The 'env|grep' setup ensures we do not trigger the linter.
+# The variables need to be set to "1" here - or before running this script.
+
+# If enabled this provides a safe work around if afl-clang-fast ever break:
+env | grep -qw AFL_LLVM_MODE_WORKAROUND || {
+ # needed until llvm 13 works:
+ AFL_LLVM_MODE_WORKAROUND=0
+}
+
+# If a dictionary should be generated based on comparisons at compile time:
+env | grep -qw AFL_ENABLE_DICTIONARY || {
+ AFL_ENABLE_DICTIONARY=1
+}
+
+# Start compiling afl++.
 echo "Compiling afl++"
 # Build and copy afl++ tools necessary for fuzzing.
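Review bot: `env | grep -qw AFL_LLVM_MODE_WORKAROUND` tests whether the name occurs anywhere in the environment dump, not whether the variable is set: a word match inside some other variable's value is enough to skip the default, and the same applies to the `AFL_ENABLE_DICTIONARY` check below it. A lint-clean and exact alternative that still honours a value supplied before the script runs is `: "${AFL_LLVM_MODE_WORKAROUND:=0}"` and `: "${AFL_ENABLE_DICTIONARY:=1}"`. If the `env | grep` form is kept, anchoring the pattern to the variable name, `grep -q '^AFL_LLVM_MODE_WORKAROUND='`, removes the false positives. The script continues past this hunk.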
@@ -22,24 +38,23 @@ pushd $SRC/aflplusplus > /dev/null
 # Unset CFLAGS and CXXFLAGS while building AFL since we don't want to slow it
 # down with sanitizers.
-INITIAL_CXXFLAGS=$CXXFLAGS
-INITIAL_CFLAGS=$CFLAGS
+SAVE_CXXFLAGS=$CXXFLAGS
+SAVE_CFLAGS=$CFLAGS
 unset CXXFLAGS
 unset CFLAGS
+export AFL_IGNORE_UNKNOWN_ENVS=1
 make clean
 AFL_NO_X86=1 PYTHON_INCLUDE=/ make
-CFLAGS=$INITIAL_CFLAGS
-CXXFLAGS=$INITIAL_CXXFLAGS
+CFLAGS=$SAVE_CFLAGS
+CXXFLAGS=$SAVE_CXXFLAGS
 # Build afl++ driver with existing CFLAGS, CXXFLAGS.
 make -C utils/aflpp_driver
-cp libAFLDriver.a $LIB_FUZZING_ENGINE
+cp -f libAFLDriver.a $LIB_FUZZING_ENGINE
 # Some important projects include libraries, copy those even when they don't
 # start with "afl-". Use "sort -u" to avoid a warning about duplicates.
 ls afl-* *.txt *.a *.o *.so | sort -u | xargs cp -t $OUT
-popd > /dev/null
-
 export CC="$SRC/aflplusplus/afl-clang-fast"
 export CXX="$SRC/aflplusplus/afl-clang-fast++"
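Review bot: `export AFL_IGNORE_UNKNOWN_ENVS=1` stays exported for the rest of the script, so the roulette options set later and the target's own afl-clang-fast build also run without afl++'s unknown-variable diagnostics, which would otherwise catch a misspelled `AFL_LLVM_*` knob. Presumably it is exported rather than scoped to the `make` line because afl-clang-fast would warn about this script's own `AFL_ENABLE_DICTIONARY` and `AFL_LLVM_MODE_WORKAROUND`; if so, a comment saying that, `# Exported for the whole build: our own AFL_* knobs are unknown to afl-clang-fast.`, would stop the next reader from narrowing it. With `popd` removed here, everything after this hunk runs inside `$SRC/aflplusplus`, which the later `ar ru ... afl-compiler-rt.o` line depends on; a comment at the removal point, `# Stay in $SRC/aflplusplus: the workaround below links afl-compiler-rt.o from here.`, would make that dependency explicit.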
@@ -50,8 +65,46 @@ export AFL_QUIET=1
 export AFL_MAP_SIZE=4194304
 # No leak errors during builds.
 export ASAN_OPTIONS="detect_leaks=0:symbolize=0"
-#
-# Placeholder for the upcoming afl++ build options roulette
-#
+
+# AFL compile option roulette. It is OK if they all happen together.
+
+# 40% chance to perform CMPLOG
+rm -f "$OUT/afl_cmplog.txt"
+test $(($RANDOM % 10)) -lt 4 && {
+ export AFL_LLVM_CMPLOG=1
+ # We need to notify afl-fuzz to activate CMPLOG
+ touch "$OUT/afl_cmplog.txt"
+}
+
+# 10% chance to perform LAF_INTEL
+test $(($RANDOM % 10)) -lt 1 && {
+ export AFL_LLVM_LAF_ALL=1
+}
+
+# In case afl-clang-fast ever breaks, this is a workaround:
+test "$AFL_LLVM_MODE_WORKAROUND" = "1" && {
+ export CC=clang
+ export CXX=clang++
+ WORKAROUND_FLAGS=-fsanitize-coverage=trace-pc-guard
+ # We can still do CMPLOG light:
+ test -e "$OUT/afl_cmplog.txt" && {
+ WORKAROUND_FLAGS="$WORKAROUND_FLAGS",trace-cmp
+ }
+ export CFLAGS="$CFLAGS $WORKAROUND_FLAGS"
+ export CXXFLAGS="$CXXFLAGS $WORKAROUND_FLAGS"
+ # We need to create a new fuzzer lib however.
+ ar ru libAFLDrivernew.a afl-compiler-rt.o utils/aflpp_driver/aflpp_driver.o
+ cp -f libAFLDrivernew.a $LIB_FUZZING_ENGINE
+}
+
+# If the targets whishes a dictionary - then create one.
+test "$AFL_ENABLE_DICTIONARY" = "1" && {
+ export AFL_LLVM_DICT2FILE="$OUT/afl++.dict"
+}
+
+# Provide a way to document the afl++ options used in this build:
+env | grep AFL_ > "$OUT/afl_options.txt"
+
+popd > /dev/null
 echo " done."
diff --git a/infra/base-images/base-runner/run_fuzzer b/infra/base-images/base-runner/run_fuzzer
index 6464ddc2c..8d137e330 100755
--- a/infra/base-images/base-runner/run_fuzzer
+++ b/infra/base-images/base-runner/run_fuzzer
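Review bot: The rebuild handling is asymmetric: `rm -f "$OUT/afl_cmplog.txt"` clears the CMPLOG marker left by a previous build, but nothing clears `$OUT/afl++.dict` before `AFL_LLVM_DICT2FILE` points at it, so on a rebuild (which this commit says it supports) a stale dictionary from the previous run survives and, if the dict2file pass appends rather than truncates, keeps growing; `rm -f "$OUT/afl++.dict"` next to the cmplog `rm -f` covers both cases. `env | grep AFL_` also matches the pattern inside variable values, so `afl_options.txt` can pick up unrelated variables whose value happens to contain `AFL_`; `env | grep '^AFL_'` records only the afl++ options. Minor: `whishes` should be `wishes` in the dictionary comment, and `$LIB_FUZZING_ENGINE` in the `cp -f` line is unquoted where the surrounding new lines quote `"$OUT"`.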
@@ -111,7 +111,9 @@ if [[ "$FUZZING_ENGINE" = afl ]]; then
 # CMPLOG level 2, which will colorize larger files but not huge files and
 # not enable transform analysis unless there have been several cycles without
 # any finds.
- test -e $OUT/afl_cmplog.txt && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -l 2 -c $OUT/$FUZZER"
+ test -e "$OUT/afl_cmplog.txt" && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -l 2 -c $OUT/$FUZZER"
+ # If $OUT/afl++.dict we load it as a dictionary for afl-fuzz.
+ test -e "$OUT/afl++.dict" && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -x $OUT/afl++.dict"
 # AFL expects at least 1 file in the input dir.
 echo input > ${CORPUS_DIR}/input
 CMD_LINE="$OUT/afl-fuzz $AFL_FUZZER_ARGS -i $CORPUS_DIR -o $FUZZER_OUT $(get_dictionary) $* -- $OUT/$FUZZER" |
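Review bot: The new comment is missing its verb; `# If $OUT/afl++.dict exists, load it as an additional dictionary for afl-fuzz.` reads as intended. `test -e` also accepts a zero-length file, which would still be handed to afl-fuzz via `-x`; `test -s "$OUT/afl++.dict"` skips an empty dictionary. The added `-x` sits next to whatever `$(get_dictionary)` already contributes on the `CMD_LINE` line, so a project that ships its own dictionary now passes two `-x` options, which is worth stating in the comment if that is intended. The enclosing `if [[ "$FUZZING_ENGINE" = afl ]]` block begins before this hunk.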