
Add Better Support for AFL/gcc

Open jonathanmetzman opened this issue 6 years ago • 3 comments

Some potential users (@asudhak and @acatinahat) have said using libFuzzer will be too difficult to use for them because they depend on gcc.

I see two ways to support gcc users:

  1. Make libFuzzer usable with gcc ("libfuzzer-gcc").
  2. Support fuzzing with afl-gcc based targets and no libFuzzer build ("afl-gcc").

@asudhak and @acatinahat preferred the afl-gcc option over the libfuzzer-gcc option. However I think libfuzzer-gcc is worth exploring anyway because it is considerably easier for ClusterFuzz to support and maintain, and it will probably do better, since in our experience, libFuzzer finds more bugs than AFL.

Supporting libfuzzer-gcc would only require (once again) supporting trace-pc-guard instrumentation in libFuzzer.

afl-gcc would require:

  1. Supporting afl targets not compiled with afl_driver.cpp (including creating a convention so that ClusterFuzz could recognize these as targets).
  2. Supporting corpus pruning with afl.
  3. Supporting testcase minimization with afl.

jonathanmetzman avatar Aug 29 '19 20:08 jonathanmetzman

libFuzzer with gcc was easy to get working.

I tested this with g++ (Debian 8.2.0-14+build1) 8.2.0 as well as g++ 7 and g++ 6 (6.5.0).

Here are instructions to try it out for yourselves:

  1. Download and unpack the libFuzzer source archive libfuzzer.zip I've prepared.

  2. Run the build script to build libFuzzer:

     $ cd fuzzer
     $ bash ./build.sh

  3. Build the example fuzzer using gcc/g++ and link against libFuzzer:

     $ g++ -fsanitize=address -fsanitize-coverage=trace-pc MultipleConstraintsOnSmallInputTest.cpp libFuzzer.a -o fuzzer -lpthread

  4. Run the fuzzer:

     $ ./fuzzer

@asudhak and @acatinahat can you try out libfuzzer-gcc in your codebases and see if it works for you? If so I'll upstream these small patches needed to get libfuzzer working with gcc.

There seems to be some issue with using gcc as opposed to g++ because libFuzzer needs to be linked against c++ stdlib, but I doubt this should be a problem/can't be solved.

jonathanmetzman avatar Aug 30 '19 21:08 jonathanmetzman
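The following is an added example, not code from the issue or from ClusterFuzz, showing a target layout that fits both options discussed in this thread: it exposes the libFuzzer/AFL entry point LLVMFuzzerTestOneInput so it can be linked against libFuzzer.a with the g++ command above (compile without the STANDALONE_REPLAY define, since libFuzzer supplies main), and with -DSTANDALONE_REPLAY it builds as a plain binary that replays input files, which is what an afl-gcc style target without afl_driver.cpp needs. The parser, the STANDALONE_REPLAY macro and the parse_result_for helper are assumptions made for the example.

```cpp
// Added example: a minimal fuzz target that links against libFuzzer (which
// provides main) or, with -DSTANDALONE_REPLAY, builds as a file-replay binary.
// Hypothetical build lines (assumptions, not from the issue):
//   g++ -fsanitize=address -fsanitize-coverage=trace-pc target.cpp libFuzzer.a \
//       -o fuzzer -lpthread -lstdc++
//   g++ -fsanitize=address -DSTANDALONE_REPLAY target.cpp -o replay
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Toy parser under test (constructed for the example): a "key=<len><value>"
// record with a one-byte length prefix. Every bound is checked, so a fuzzer
// should run it without findings; the point is the harness layout.
static int parse_record(const uint8_t *data, size_t size,
                        std::string &key, std::string &value) {
    if (size == 0) return -1;
    const uint8_t *eq = static_cast<const uint8_t *>(memchr(data, '=', size));
    if (eq == nullptr) return -1;                   // no key/value separator
    key.assign(reinterpret_cast<const char *>(data), eq - data);
    size_t rest = size - (key.size() + 1);          // bytes after '='
    if (rest == 0) return -2;                       // missing length prefix
    size_t len = eq[1];
    if (len > rest - 1) return -3;                  // value would overrun input
    value.assign(reinterpret_cast<const char *>(eq + 2), len);
    return 0;
}

// Entry point called by libFuzzer (and by afl_driver.cpp) for every input.
// By convention it returns 0; crashes and sanitizer reports are the signal.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    std::string key, value;
    parse_record(data, size, key, value);
    return 0;
}

// Helper so the parser's verdict on a given input can be checked directly.
int parse_result_for(const std::vector<uint8_t> &input) {
    std::string key, value;
    return parse_record(input.data(), input.size(), key, value);
}

#ifdef STANDALONE_REPLAY
// Replay driver for builds that do not link a fuzzing engine: feeds each
// file named on the command line to the target, e.g. to reproduce a crash.
int main(int argc, char **argv) {
    for (int i = 1; i < argc; ++i) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); return 1; }
        std::vector<uint8_t> buf;
        uint8_t chunk[4096];
        size_t n;
        while ((n = fread(chunk, 1, sizeof chunk, f)) > 0)
            buf.insert(buf.end(), chunk, chunk + n);
        fclose(f);
        LLVMFuzzerTestOneInput(buf.data(), buf.size());
        printf("%s: %zu bytes, ok\n", argv[i], buf.size());
    }
    return 0;
}
#endif
```

Keeping the replay main behind a define is what lets one source file serve both builds: linked with libFuzzer.a it must not define main, while the afl-gcc style build needs one that reads files, which is the role afl_driver.cpp plays when it is available.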

@asudhak and @acatinahat does this solution suit your needs?

jonathanmetzman avatar Sep 17 '19 02:09 jonathanmetzman

Hi @jonathanmetzman. This works! I had to add a -lstdc++ like you mentioned but the target builds and runs fine.

P.S. sorry about the delay on responses (both on this issue and the others) - I've been out and away-from-computer for the last ~2.5 weeks.

[edit] I tested against gcc version 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1).

kishorbhat avatar Sep 20 '19 07:09 kishorbhat