kubo39's blog

ただの雑記です。

LDCのlibFuzzerを試す

LLVMはlibFuzzerというFuzzingの仕組みがあって、LDCからその機能を使うことができる。

こういうコードで試してみる。LDCは1.19.0。

import ldc.libfuzzer;
import std.string;

mixin DefineTestOneInput!fuzz_target;

int fuzz_target(in ubyte[] data)
{
    if (data == "FU".representation)
        assert(false);
    return 0;
}

コンパイルオプションで -fsanitize=fuzzer をつけることで試せるらしい。 実行してみる。

$ ldc2 -g -fsanitize=fuzzer fuzz.d 
$ ./fuzz                 
WARNING: Failed to find function "__sanitizer_acquire_crash_state".                                           
WARNING: Failed to find function "__sanitizer_print_stack_trace".                 
WARNING: Failed to find function "__sanitizer_set_death_callback".                       
INFO: Seed: 1969889841                                       
INFO: Loaded 1 modules   (25 inline 8-bit counters): 25 [0x56393139edb0, 0x56393139edc9),
INFO: Loaded 1 PC tables (25 PCs): 25 [0x56393139edd0,0x56393139ef60),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes                      
INFO: A corpus is not provided, starting from an empty corpus                     
#2      INITED cov: 7 ft: 7 corp: 1/1b exec/s: 0 rss: 24Mb                        
        NEW_FUNC[1/1]: 0x5639313194b1                                                      
#5      NEW    cov: 9 ft: 9 corp: 2/3b lim: 4 exec/s: 0 rss: 24Mb L: 2/2 MS: 3 ChangeByte-CopyPart-InsertByte-
#4194304        pulse  cov: 9 ft: 9 corp: 2/3b lim: 4096 exec/s: 2097152 rss: 24Mb
#8388608        pulse  cov: 9 ft: 9 corp: 2/3b lim: 4096 exec/s: 1677721 rss: 24Mb                                                                                         
core.exception.AssertError@fuzz.d(10): Assertion failure
----------------                        
??:? [0x563931355425]                                              
??:? [0x563931374daa]                                                             
??:? [0x56393135bbdd]                                             
??:? [0x56393135533c]                                      
fuzz.d:10 [0x5639313192f1]                                                               
libfuzzer.di:66 [0x56393131918a]                                                                              
FuzzerLoop.cpp:553 [0x563931337486]                                                        
FuzzerLoop.cpp:469 [0x56393133d437]                          
FuzzerLoop.cpp:696 [0x56393133f62b]                       
FuzzerLoop.cpp:831 [0x5639313407aa]  
FuzzerDriver.cpp:825 [0x56393132ad79]                                                                                                  
FuzzerMain.cpp:19 [0x563931318ef2]                                                
??:? __libc_start_main [0x7f6dc7dccb96]                                           
??:? [0x563931318fa9]                                                             
uncaught exception                                                                
core.exception.AssertError@/home/kubo39/dlang/ldc-1.19.0/bin/../import/ldc/libfuzzer.di(73): Assertion failure                                                             
----------------
??:? [0x563931355425]
??:? [0x563931374daa]
??:? [0x56393135bbdd]
??:? [0x56393135533c]
libfuzzer.di:73 [0x563931319204]
FuzzerLoop.cpp:553 [0x563931337486]
FuzzerLoop.cpp:469 [0x56393133d437]
FuzzerLoop.cpp:696 [0x56393133f62b]
FuzzerLoop.cpp:831 [0x5639313407aa]
FuzzerDriver.cpp:825 [0x56393132ad79]
FuzzerMain.cpp:19 [0x563931318ef2]
??:? __libc_start_main [0x7f6dc7dccb96]                                                                                                                                    
??:? [0x563931318fa9]                                   
==5215== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.                   
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal                                 
MS: 3 ChangeBit-InsertByte-ChangeBinInt-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0x46,0x55,                                                                               
FU                                                                                                            
artifact_prefix='./'; Test unit written to ./crash-510e70573bca51a824e345d5cff7448f740203fb
Base64: RlU=

なんだか出力の結果が怪しいが、とりあえずlibFuzzer runtime上で動いているようにみえる。