1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
# Fuzzing Hints
## LibFuzzer
1. Set compiler that supports fuzzing, this is an example on MacOS using
a homebrew-installed clang/llvm:
```
export CC="/opt/homebrew/Cellar/llvm/18.1.8/bin/clang"
export CXX="/opt/homebrew/Cellar/llvm/18.1.8/bin/clang++"
```
2. Compile c-ares with both ASAN and fuzzing support. We want an optimized
debug build so we will use `RelWithDebInfo`:
```
export CFLAGS="-fsanitize=address,fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
export CXXFLAGS="-fsanitize=address,fuzzer-no-link -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
export LDFLAGS="-fsanitize=address,fuzzer-no-link"
mkdir buildfuzz
cd buildfuzz
cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -G Ninja ..
ninja
```
3. Build the fuzz test itself linked against our fuzzing-enabled build:
```
${CC} -W -Wall -Og -fsanitize=address,fuzzer -I../include -I../src/lib -I. -o ares-test-fuzz ../test/ares-test-fuzz.c -L./lib -Wl,-rpath ./lib -lcares
${CC} -W -Wall -Og -fsanitize=address,fuzzer -I../include -I../src/lib -I. -o ares-test-fuzz-name ../test/ares-test-fuzz-name.c -L./lib -Wl,-rpath ./lib -lcares
```
4. Run the fuzzer, its better if you can provide seed input but it does pretty
well on its own since it uses coverage data to determine how to proceed.
You can play with other flags etc, like `-jobs=XX` for parallelism. See
https://llvm.org/docs/LibFuzzer.html
```
mkdir corpus
cp ../test/fuzzinput/* corpus
./ares-test-fuzz -max_len=65535 corpus
```
or
```
mkdir corpus
cp ../test/fuzznames/* corpus
./ares-test-fuzz-name -max_len=1024 corpus
```
## AFL
To fuzz using AFL, follow the
[AFL quick start guide](http://lcamtuf.coredump.cx/afl/QuickStartGuide.txt):
- Download and build AFL.
- Configure the c-ares library and test tool to use AFL's compiler wrappers:
```console
% export CC=$AFLDIR/afl-gcc
% ./configure --disable-shared && make
% cd test && ./configure && make aresfuzz aresfuzzname
```
- Run the AFL fuzzer against the starting corpus:
```console
% mkdir fuzzoutput
% $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz # OR
% $AFLDIR/afl-fuzz -i fuzznames -o fuzzoutput -- ./aresfuzzname
```
## AFL Persistent Mode
If a recent version of Clang is available, AFL can use its built-in compiler
instrumentation; this configuration also allows the use of a (much) faster
persistent mode, where multiple fuzz inputs are run for each process invocation.
- Download and build a recent AFL, and run `make` in the `llvm_mode`
subdirectory to ensure that `afl-clang-fast` gets built.
- Configure the c-ares library and test tool to use AFL's clang wrappers that
use compiler instrumentation:
```console
% export CC=$AFLDIR/afl-clang-fast
% ./configure --disable-shared && make
% cd test && ./configure && make aresfuzz
```
- Run the AFL fuzzer (in persistent mode) against the starting corpus:
```console
% mkdir fuzzoutput
% $AFLDIR/afl-fuzz -i fuzzinput -o fuzzoutput -- ./aresfuzz
```
|