
[Xen-changelog] [xen master] tools/insn-fuzz: Support AFL's afl-clang-fast mode



commit 69f4633817c38655cd27aa62c3cbfc02f6627234
Author:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Wed Mar 1 19:02:35 2017 +0000
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Mon Mar 20 16:45:21 2017 +0000

    tools/insn-fuzz: Support AFL's afl-clang-fast mode
    
    AFL has an alternative llvm-based instrumentation mode, which has much lower
    overhead than the traditional afl-gcc.
    
    One extra ability is to choose exactly where the master process gets
    initialised to, before being forked for testing.  This point is chosen after
    the call to LLVMFuzzerInitialize(), so the stack isn't being remapped
    executable for every test.
    
    Another extra ability is to feed multiple inputs into a single test process,
    to reduce the number of fork() calls required overall.  Two caveats are that if
    stdin is used for data, it must be unbuffered, and if input is passed via a
    command line parameter, the underlying file must be opened and closed on each
    iteration.
    
    Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx>
---
 tools/fuzz/README.afl                             | 10 ++++-
 tools/fuzz/x86_instruction_emulator/afl-harness.c | 54 +++++++++++++----------
 2 files changed, 40 insertions(+), 24 deletions(-)
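Added example (not Xen code and not part of this commit): a small C program that isolates the per-iteration read the harness performs under `__AFL_LOOP` and makes the two caveats from the commit message concrete. `read_one_input()`, `simulate_two_iterations()` and `check_input_size()` are hypothetical names; the sample byte strings are constructed; and the fuzzer side is modelled as rewriting and rewinding the file descriptor beneath the stdio stream, which is an assumption about how successive inputs arrive on stdin rather than something the patch states.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Same buffer size the harness uses for one test case (assumed constant). */
#define INPUT_SIZE 4096

/* Result of reading one test case; hypothetical names, not from the harness. */
enum input_status { INPUT_OK = 0, INPUT_READ_ERROR = 1, INPUT_TOO_LARGE = 2 };

/*
 * Read one complete test case from fp into buf (capacity cap) and store its
 * length in *len.  The checks mirror the afl-harness.c loop: a read error is
 * fatal, and a full buffer that has not reached EOF means the input does not
 * fit.  Unlike the harness, the sticky EOF/error indicators are cleared first,
 * so the same FILE * can be re-read on every persistent-mode iteration after
 * the fuzzer has replaced the bytes underneath it.
 */
static enum input_status read_one_input(FILE *fp, unsigned char *buf,
                                        size_t cap, size_t *len)
{
    clearerr(fp);                       /* feof()/ferror() stay set otherwise */
    *len = fread(buf, 1, cap, fp);

    if ( ferror(fp) )
        return INPUT_READ_ERROR;

    /* fread() stops once cap bytes are in hand, so an input of exactly cap
     * bytes is also reported as too large: EOF has not been observed yet. */
    if ( !feof(fp) )
        return INPUT_TOO_LARGE;

    return INPUT_OK;
}

/*
 * Model two __AFL_LOOP iterations on stdin.  The fuzzer side is simulated
 * with write()/lseek() on the file descriptor, i.e. behind the stdio
 * stream's back (an assumption about how the next input is presented), so
 * the FILE * sees the new bytes only if it has no read-ahead buffer and its
 * EOF indicator from the previous iteration is cleared.  Returns how many of
 * the two iterations delivered the expected input, or -1 on setup failure.
 */
int simulate_two_iterations(void)
{
    /* Constructed sample inputs, not taken from the page. */
    static const unsigned char first[]  = { 0x90, 0x90, 0xc3 };       /* nop; nop; ret */
    static const unsigned char second[] = { 0x48, 0x31, 0xc0, 0xc3 }; /* xor rax,rax; ret */
    unsigned char buf[INPUT_SIZE];
    size_t len = 0;
    int fd, delivered = 0;
    FILE *fp = tmpfile();

    if ( fp == NULL )
        return -1;
    setbuf(fp, NULL);                   /* as setbuf(stdin, NULL) in the harness */
    fd = fileno(fp);

    /* Iteration 1: fuzzer supplies the first case and rewinds the offset. */
    if ( write(fd, first, sizeof(first)) != (ssize_t)sizeof(first) )
        goto out;
    lseek(fd, 0, SEEK_SET);
    if ( read_one_input(fp, buf, sizeof(buf), &len) == INPUT_OK &&
         len == sizeof(first) && memcmp(buf, first, len) == 0 )
        delivered++;

    /* Iteration 2: the same descriptor is rewound and overwritten. */
    lseek(fd, 0, SEEK_SET);
    if ( write(fd, second, sizeof(second)) != (ssize_t)sizeof(second) )
        goto out;
    lseek(fd, 0, SEEK_SET);
    if ( read_one_input(fp, buf, sizeof(buf), &len) == INPUT_OK &&
         len == sizeof(second) && memcmp(buf, second, len) == 0 )
        delivered++;

out:
    fclose(fp);
    return delivered;
}

/* Feed an input of n bytes through a cap-byte buffer; returns the status. */
int check_input_size(size_t n, size_t cap)
{
    unsigned char buf[INPUT_SIZE];
    size_t len = 0, i;
    int status;
    FILE *fp;

    if ( cap > sizeof(buf) )
        return -1;
    fp = tmpfile();
    if ( fp == NULL )
        return -1;
    setbuf(fp, NULL);
    for ( i = 0; i < n; i++ )
        fputc('A', fp);
    rewind(fp);
    status = read_one_input(fp, buf, cap, &len);
    fclose(fp);
    return status;
}

int main(void)
{
    printf("iterations delivered: %d\n", simulate_two_iterations());
    printf("63 bytes into 64: %d, 64 into 64: %d, 65 into 64: %d\n",
           check_input_size(63, 64), check_input_size(64, 64),
           check_input_size(65, 64));
    return 0;
}
```

It compiles with any C compiler and needs no AFL. What it adds to the patch is that the stdio EOF indicator persists across iterations, so a stdin stream reused under `__AFL_LOOP` needs `clearerr()` as well as `setbuf(stdin, NULL)`, and that the harness's `!feof()` test also rejects an input of exactly INPUT_SIZE bytes.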

diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
index c5f749a..4758de2 100644
--- a/tools/fuzz/README.afl
+++ b/tools/fuzz/README.afl
@@ -18,7 +18,15 @@ Use the x86 instruction emulator fuzzer as an example.
 2. run the following commands to build:
    $ cd tools/fuzz/x86_instruction_emulator
    $ make distclean
-   $ make CC=$AFLPATH/afl-gcc afl # produces afl-harness
+
+   If you have a new enough version of Clang/LLVM and have configured AFL's
+   llvm_mode, make use of afl-clang-fast:
+
+     $ make CC=$AFLPATH/afl-clang-fast afl # produces afl-harness
+
+   If not, use the default afl-gcc:
+
+     $ make CC=$AFLPATH/afl-gcc afl # produces afl-harness
 
 3. provide initial test case (fuzzer dependent, see afl-*.c):
    $ mkdir testcase_dir
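Review bot: the two new `$ make CC=...` lines are indented two spaces deeper than the `$ cd` and `$ make distclean` lines that belong to the same step, so step 2 now reads as three indentation levels; either indent all four commands alike or, if the extra indent is meant to set commands off from the explanatory sentences, apply that to the first two as well. The text also tells the reader to check for a "new enough" Clang/LLVM without saying what that means or where to look (AFL's llvm_mode documentation would do), so a pointer there would save a failed build.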
diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c b/tools/fuzz/x86_instruction_emulator/afl-harness.c
index 63aff59..1548693 100644
--- a/tools/fuzz/x86_instruction_emulator/afl-harness.c
+++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c
@@ -17,6 +17,7 @@ int main(int argc, char **argv)
     size_t size;
     FILE *fp = NULL;
 
+    setbuf(stdin, NULL);
     setbuf(stdout, NULL);
 
     while ( 1 )
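Review bot: `setbuf(stdin, NULL);` carries no comment, and the reason for it lives only in the commit message (in `__AFL_LOOP` mode successive inputs arrive on the same stdin, which therefore must be unbuffered). Placed unconditionally next to the existing `setbuf(stdout, NULL);` it looks like a copy-paste of that line; suggest a one-line comment such as `/* __AFL_LOOP feeds successive inputs on stdin: no read-ahead */` so the next person does not remove it.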
@@ -61,37 +62,44 @@ int main(int argc, char **argv)
     if ( LLVMFuzzerInitialize(&argc, &argv) )
         exit(-1);
 
-    if ( fp != stdin ) /* If not using stdin, open the provided file. */
+#ifdef __AFL_HAVE_MANUAL_CONTROL
+    __AFL_INIT();
+
+    while ( __AFL_LOOP(1000) )
+#endif
     {
-        fp = fopen(argv[optind], "rb");
-        if ( fp == NULL )
+        if ( fp != stdin ) /* If not using stdin, open the provided file. */
         {
-            perror("fopen");
-            exit(-1);
+            fp = fopen(argv[optind], "rb");
+            if ( fp == NULL )
+            {
+                perror("fopen");
+                exit(-1);
+            }
         }
-    }
 
-    size = fread(input, 1, INPUT_SIZE, fp);
+        size = fread(input, 1, INPUT_SIZE, fp);
 
-    if ( ferror(fp) )
-    {
-        perror("fread");
-        exit(-1);
-    }
+        if ( ferror(fp) )
+        {
+            perror("fread");
+            exit(-1);
+        }
 
-    if ( !feof(fp) )
-    {
-        printf("Input too large\n");
-        exit(-1);
-    }
+        if ( !feof(fp) )
+        {
+            printf("Input too large\n");
+            exit(-1);
+        }
 
-    if ( fp != stdin )
-    {
-        fclose(fp);
-        fp = NULL;
-    }
+        if ( fp != stdin )
+        {
+            fclose(fp);
+            fp = NULL;
+        }
 
-    LLVMFuzzerTestOneInput(input, size);
+        LLVMFuzzerTestOneInput(input, size);
+    }
 
     return 0;
 }
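Review bot: on the stdin path the stream's EOF indicator is never cleared between `__AFL_LOOP` iterations. After the first input has been read to completion `feof(fp)` stays set, and a C library is permitted to make the next `fread` return 0 immediately without reading, in which case the `!feof(fp)` check passes with `size == 0` and `LLVMFuzzerTestOneInput` is handed an empty input instead of the new one. The file path is unaffected because `fopen` yields a fresh stream each iteration. Suggest `clearerr(fp);` before the `fread`, or `clearerr(stdin);` at the top of the loop body, and treating `size == 0` as a read failure rather than a test case.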
--
generated by git-patchbot for /home/xen/git/xen.git#master

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog
