On 04/06/22 18:28, Richard W.M. Jones wrote:
ASAN (ie. Address Sanitizer or -fsanitize=address) adds extra checks
for out-of-bounds memory access, use-after-free and other memory
checks. It's useful to combine this with fuzzing.
Fuzzing can normally only detect paths which cause the binary to
crash. But some serious, latent bugs might not cause crashes (eg. a
rogue pointer overwrites another object in memory, but the other
object is not used or not used in a way that will cause a crash).
ASAN turns these kinds of bugs into crashes.
See also:
https://clang.llvm.org/docs/AddressSanitizer.html
https://aflplus.plus/docs/notes_for_asan/
Cherry picked from libnbd commit 43b1b95c981861c5c03cd563cf1b90e1f4c52cf8.
RWMJ: Some modifications were required for fuzzing to work with nbdkit.
---
fuzzing/README | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fuzzing/README b/fuzzing/README
index eeab9744..b2bc6f08 100644
--- a/fuzzing/README
+++ b/fuzzing/README
@@ -15,6 +15,7 @@ You will need to recompile nbdkit with AFL instrumentation:
To use clang instead (recommended with AFL++):
+ export AFL_USE_ASAN=1
./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++
make clean
make
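Review bot: The new `export AFL_USE_ASAN=1` line lands only under the "To use clang instead" variant, so a reader who follows the default recompilation recipe named in the hunk header ("You will need to recompile nbdkit with AFL instrumentation") builds without ASAN; either add the export to that default recipe as well or state explicitly that the ASAN build is only documented for the afl-clang-lto path. A short sentence that the variable takes effect at compile time would also help, since that is the reason it has to precede `./configure` and `make clean` rather than being set in the shell that later runs afl-fuzz.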
@@ -29,14 +30,16 @@ Master:
mkdir -p fuzzing/sync_dir
export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
- afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -M fuzz01 \
+ export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false"
+ afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -M fuzz01 \
./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
Slaves:
# replace fuzzNN with fuzz02, fuzz03, etc.
export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
- afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -S fuzzNN \
+ export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false"
+ afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -S fuzzNN \
./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
Test Coverage
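Review bot: The removal of `-m 256` from both afl-fuzz invocations is unexplained in the README text and in the commit message; since the rest of this hunk is about ASAN, one line saying that an ASAN-instrumented target needs the memory limit lifted would stop a reader from re-adding the option. The new `export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false"` line likewise deserves a brief comment on why each setting is there: `allocator_may_return_null=1` makes oversized allocations return NULL instead of being reported as ASAN aborts, and `detect_leaks=false` keeps leak reports at process exit from being counted as crashes. The same two lines are now duplicated verbatim in the Master and Slaves blocks; consider hoisting the exports into one shared step above both.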
I guess this is OK, but we should explain the removal of the "-m 256"
option in the commit message.
With that:
Acked-by: Laszlo Ersek <lersek(a)redhat.com>
Thanks
Laszlo