Questions tagged [libfuzzer]

31 questions
6 votes, 1 answer

How to create minimal libfuzzer cmake example?

I have a simple example of libFuzzer usage. // Test_fuzzer.cc #include #include extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { if (size > 0 && data[0] == 'H') if (size > 1 && data[1] == 'I') …
5 votes, 1 answer

How to use libfuzzer's custom mutators API?

Libfuzzer offers two APIs to develop custom mutators. size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1, const uint8_t *Data2, size_t…

Fee (719 rep; badges 9 • 24)
4 votes, 1 answer

How to make Libfuzzer run without stopping, similar to AFL?

I have been trying to fuzz using both AFL and Libfuzzer. One of the distinct differences that I have come across is that when AFL is executed, it runs continuously unless it is manually stopped by the developer. On the other hand, Libfuzzer…

coder (203 rep; badges 5 • 15)
3 votes, 1 answer

libfuzzer fuzzing harness crash not reproducible

I want to fuzz an existing harness from the stbi harness and make a small change: from free(img) to if(img) free(img); compile with this command clang -fsanitize=fuzzer,address -ggdb -O0 stbi_read_fuzzer.c -o fuzzer, and run with ./fuzzer corpus -fork=1…

Aldo (51 rep; badges 3)
3 votes, 1 answer

Why does ulimit -v not work under clang's address sanitizer?

I'm using libFuzzer to fuzz an API. The API is deserializing an array of bits (given by libFuzzer) and converting them into C++ class instantiations. Due to the serialization format, libFuzzer is able to construct a serialized object that tells the…

Trevor Hickey (36,288 rep; badges 32 • 162 • 271)
2 votes, 1 answer

clang AddressSanitizer instruments code improperly, false-positive result

FOREWORD The current question is pretty damn huge and related to my master thesis, so I am humbly asking for your patience. I encountered a problem, which is going to be explained further, about half a year ago, and the problem needed an exterior…

ruslanbyku (31 rep; badges 1 • 5)
2 votes, 0 answers

How does one create insertion or deletion mutations using LibFuzzer?

libFuzzer has functions that can be implemented by the end-user like this: size_t LLVMFuzzerCustomMutator( uint8_t* data, size_t size, size_t max_size, unsigned int seed) Am I free to sometimes insert some bytes in data thereby making it…

Sean McCauliff (1,494 rep; badges 1 • 13 • 26)
2 votes, 1 answer

Is it possible to tell libfuzzer to ignore certain code?

I use libfuzzer and it's been a great experience so far. My code under fuzz is full of branches like this: bool fuzzingThisFunc() { if(!checkSomething()) { fmt::printf("error log"); return false; } ... return true; } Where…

warchantua (1,154 rep; badges 1 • 10 • 24)
1 vote, 1 answer

libfuzzer heap overflow in malloc

I am trying out my hand at libfuzzer and I am facing 'heap overflow' at malloc. The code snippet is as follows int LLVMFuzzerTestOneInput( const unsigned char * Data, size_t Size ) { initialize_state_before_fuzzing(); size_t…

RishabhHardas (495 rep; badges 1 • 5 • 25)
1 vote, 1 answer

libclang_rt.fuzzer_osx.a is not found on macOS

When compiling with the -fsanitize=fuzzer flag to include libfuzzer in LLVM on macOS, I get the error: libclang_rt.fuzzer_osx.a is not found The LLVM/clang compiler I'm using is bundled with Xcode 14.0.3.

anthony shaw (133 rep; badges 11)
1 vote, 0 answers

libfuzzer Go executable crashes with "non-Go code set up signal handler without SA_ONSTACK flag"

I am using go-118-fuzz-build and some manual patching to build a libfuzzer executable from a native Go 1.18 fuzz test: Patch the test file, replacing *testing.F with *github.com/AdamKorcz/go-118-fuzz-build/utils.F, rename it, and move it into a…

Ethan Reesor (2,090 rep; badges 1 • 23 • 40)
1 vote, 0 answers

libfuzzer Segmentation fault (core dumped)

I have followed the instructions to create a fuzzer using libfuzzer with ASAN support. I point it at a corpus and it will generally run for a few days and then I'll get a message: Segmentation fault (core dumped) INFO: exiting: 139 time: XXXXXXs I…

Darrell (11 rep; badges 2)
1 vote, 2 answers

Why is libFuzzer on Windows yielding error: "no interesting inputs were found"?

About half a year ago I had set up a CMake project with VSCode with a libFuzzer target that ran on Windows and macOS. I use the C++ extension along with the CMakeTools extension from Microsoft. When I resumed the project now, I'm getting an…

thomthom (2,854 rep; badges 1 • 23 • 53)
1 vote, 0 answers

How to define own guards in/for SanitizerCoverage to provide coverage for libfuzzer

I am using CLion 2020.3.1 and clang/llvm version 10.0.0. I want to direct libfuzzer to a specific code coverage, so I can define my own edges or decide which code is necessary to obtain. Right now libfuzzer just counts the edges (?) or code lines…

supagas (41 rep; badges 4)
1 vote, 1 answer

How to call a renamed symbol in an external object file?

I am trying to fuzz a particular piece of code using LLVM libFuzzer that only exposes its main() function externally. I have access to the source of the target code, but cannot change it. If I try to directly include the object file, it conflicts…

matoro (181 rep; badges 1 • 13)