add scripts to run the fuzzing process
This adds scripts and Dockerfiles to run the fuzzing process standalone or with OSS-Fuzz/ClusterFuzzLite integrations.
Showing
8 changed files
with
276 additions
and
14 deletions.
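--- a/PATH-NOT-SHOWN-ON-PAGE-1
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,23 @@
+# c-toxcore Clusterfuzzlite build environment
+
+# We want to use the latest tools always
+# hadolint ignore=DL3006
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN apt-get update && \
+apt-get -y install --no-install-suggests --no-install-recommends \
+cmake libtool autoconf automake pkg-config \
+&& apt-get clean \
+&& rm -rf /var/lib/apt/lists/*
+
+
+RUN git clone --depth 1 --branch 1.0.18 https://github.com/jedisct1/libsodium libsodium
+WORKDIR $SRC/libsodium
+RUN ./autogen.sh && ./configure --enable-shared=no && make install
+
+# Copy your project's source code.
+COPY . $SRC/c-toxcore
+# Working directory for build.sh.
+WORKDIR $SRC/c-toxcore
+# Copy build.sh into $SRC dir.
+COPY ./.clusterfuzzlite/build.sh $SRC/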
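Review bot: The libsodium checkout on the `RUN git clone --depth 1 --branch 1.0.18 …` line is pinned only to a tag, which upstream can move, so the library the fuzzers link against is neither reproducible nor verified after download. Pinning to the commit hash behind that tag (a `git checkout <commit hash of the 1.0.18 tag>` after the clone) or fetching the release tarball and checking its published hash ties the build to a fixed input. The following `WORKDIR $SRC/libsodium` relies on the clone landing under `$SRC`, which presumably is the base-builder image's working directory; a comment such as `# base-builder starts in $SRC, so the clone lands in $SRC/libsodium` would record that assumption. The apt packages on the `cmake libtool autoconf automake pkg-config` line are unpinned as well, which the `hadolint ignore` comment above does not cover.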
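--- a/PATH-NOT-SHOWN-ON-PAGE-2
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,21 @@
+#!/bin/bash -eu
+
+# out of tree build
+cd "$WORK"
+
+ls /usr/local/lib/
+
+# Debug build for asserts
+cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_COMPILER="$CC" \
+-DCMAKE_CXX_COMPILER="$CXX" \
+-DCMAKE_C_FLAGS="$CFLAGS" \
+-DCMAKE_CXX_FLAGS="$CXXFLAGS" \
+-DCMAKE_EXE_LINKER_FLAGS="$LIB_FUZZING_ENGINE" \
+-DBUILD_TOXAV=OFF -DENABLE_SHARED=NO -DBUILD_FUZZ_TESTS=ON \
+-DDHT_BOOTSTRAP=OFF -DBOOTSTRAP_DAEMON=OFF "$SRC"/c-toxcore
+
+# build fuzzer target
+cmake --build ./ --target bootstrap_fuzzer
+
+# copy to output files
+cp "$WORK"/bootstrap_fuzzer "$OUT"/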
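Review bot: `ls /usr/local/lib/` reads like a debugging leftover; it only prints the libsodium install directory into the build log and should either be removed or be preceded by a comment saying what it is there to confirm. The closing `cp "$WORK"/bootstrap_fuzzer "$OUT"/` assumes the target is emitted at the root of the build tree; if that is not where cmake writes it, the script fails only after the full compile, so a comment such as `# bootstrap_fuzzer is written to the build-tree root by the fuzz-test CMake target` would document the expectation. A `# copy to output files` comment before a single `cp` says less than the line itself — naming the artifact is more useful.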
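--- a/PATH-NOT-SHOWN-ON-PAGE-3
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -0,0 +1,67 @@
+# based on https://github.com/AFLplusplus/AFLplusplus/blob/stable/Dockerfile
+
+FROM ubuntu:20.04 AS toxcore-fuzz
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+env NO_ARCH_OPT 1
+
+RUN apt-get update && \
+apt-get -y install --no-install-suggests --no-install-recommends \
+automake \
+ninja-build \
+bison flex \
+build-essential \
+git \
+python3 python3-dev python3-setuptools python-is-python3 \
+libtool libtool-bin \
+libglib2.0-dev \
+wget vim jupp nano bash-completion less \
+apt-utils apt-transport-https ca-certificates gnupg dialog \
+libpixman-1-dev \
+gnuplot-nox \
+screen \
+cmake \
+parallel \
+libsodium-dev \
+ninja-build\
+&& rm -rf /var/lib/apt/lists/*
+
+RUN echo "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-12 main" >> /etc/apt/sources.list && \
+wget -qO - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
+
+RUN echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal main" >> /etc/apt/sources.list && \
+apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 1E9377A2BA9EF27F
+
+RUN apt-get update && apt-get full-upgrade -y && \
+apt-get -y install --no-install-suggests --no-install-recommends \
+gcc-10 g++-10 gcc-10-plugin-dev gcc-10-multilib gcc-multilib gdb lcov \
+clang-12 clang-tools-12 libc++1-12 libc++-12-dev \
+libc++abi1-12 libc++abi-12-dev libclang1-12 libclang-12-dev \
+libclang-common-12-dev libclang-cpp12 libclang-cpp12-dev liblld-12 \
+liblld-12-dev liblldb-12 liblldb-12-dev libllvm12 libomp-12-dev \
+libomp5-12 lld-12 lldb-12 llvm-12 llvm-12-dev llvm-12-runtime llvm-12-tools \
+&& rm -rf /var/lib/apt/lists/*
+
+RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 0
+RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-10 0
+
+ENV LLVM_CONFIG=llvm-config-12
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_TRY_AFFINITY=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+
+RUN git clone --depth=1 https://github.com/vanhauser-thc/afl-cov /afl-cov
+WORKDIR /afl-cov
+RUN make install
+
+RUN git clone --depth=1 https://github.com/AFLplusplus/AFLplusplus /AFLplusplus
+WORKDIR /AFLplusplus
+RUN export CC=gcc-10 && export CXX=g++-10 && make install
+
+RUN echo '. /etc/bash_completion' >> ~/.bashrc
+RUN echo 'alias joe="joe --wordwrap --joe_state -nobackup"' >> ~/.bashrc
+ENV IS_DOCKER="1"
+ENV CMAKE_GENERATOR=Ninja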
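Review bot: The `RUN git clone --depth=1 https://github.com/vanhauser-thc/afl-cov /afl-cov` and `RUN git clone --depth=1 https://github.com/AFLplusplus/AFLplusplus /AFLplusplus` lines compile and `make install` whatever upstream HEAD holds at build time, as root since the file never sets `USER`, so two builds of the same Dockerfile can produce different toolchains and nobody reviews what was pulled in; pin both with `--branch <release tag>` and record the commit hash in a comment. The repository keys are installed with the deprecated `apt-key` (`wget -qO - … | apt-key add -` and `apt-key adv --recv-keys …`), which trusts each key for every configured source rather than only the LLVM and toolchain-r repositories; writing the key to a file under `/usr/share/keyrings/` and referencing it with `[signed-by=…]` in the corresponding `deb` line scopes the trust. `env NO_ARCH_OPT 1` uses the lowercase instruction and the legacy space-separated form, which the other lines avoid — `ENV NO_ARCH_OPT=1` is consistent with them. `ninja-build` is also listed twice in the first `apt-get install`, and `apt-get full-upgrade -y` inside the image undermines the `ubuntu:20.04` pin; bumping the base tag is the reproducible alternative.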
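--- a/PATH-NOT-SHOWN-ON-PAGE-4
+++ b/PATH-NOT-SHOWN-ON-PAGE-4
@@ -0,0 +1,7 @@
+#! /bin/sh
+
+# Move to repo root
+cd ../
+
+# Run code coverage only on minized corpus to save time
+afl-cov --cover-corpus -d ./_afl_out --overwrite --live --coverage-cmd "_cov_build/bootstrap_fuzzer @@" --code-dir ../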
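Review bot: `cd ../` is unchecked and the script has no `set -e`, so when it is started from any directory other than its own, afl-cov still runs, with `-d ./_afl_out` and `--code-dir ../` pointing at the wrong tree. `cd ../ || exit 1` makes the precondition explicit; alternatively `cd "$(dirname "$0")/.." || exit 1` removes the dependence on the caller's working directory. The comment `# Run code coverage only on minized corpus to save time` should read `minimized`.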
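--- a/PATH-NOT-SHOWN-ON-PAGE-5
+++ b/PATH-NOT-SHOWN-ON-PAGE-5
@@ -0,0 +1,36 @@
+#! /bin/sh
+
+HARNESS_BIN="../_afl_build/bootstrap_fuzzer"
+COV_BIN="../_cov_build/bootstrap_fuzzer"
+# move to repo root
+cd ../
+
+cd _afl_out/
+
+# Perform corpus minimization
+mkdir -p corpus-cmin
+rm corpus-cmin/*
+
+afl-cmin -i fuzz0/queue/ -o corpus-cmin/ -- "$HARNESS_BIN"
+
+# Minimize each testcase
+mkdir -p corpus-tmin
+rm corpus-tmin/*
+
+# afl-tmin is VERY slow
+# massive parallel bash piping for the rescue
+find corpus-cmin/ -maxdepth 1 -type f |
+parallel --bar --joblog ./parallel.log afl-tmin -i ./corpus-cmin/{/} -o ./corpus-tmin/{/} -- "$HARNESS_BIN"
+
+# in case the tmin-process was aborted, just copy non-minimized files
+cp -n ./corpus-cmin/* ./corpus-tmin
+
+# hack to let afl-cov run code coverage on our minimal corpus
+
+rm -R corpus-cov
+mkdir -p corpus-cov/queue
+
+cp corpus-tmin/* corpus-cov/queue
+
+# Run code coverage only on minized corpus to save time
+afl-cov --cover-corpus -d ./corpus-cov --overwrite --coverage-cmd "$COV_BIN @@" --code-dir ../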
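Review bot: Neither `cd ../` nor `cd _afl_out/` is checked, so if either fails the later `rm corpus-cmin/*`, `rm corpus-tmin/*` and `rm -R corpus-cov` run relative to whatever directory the caller started in; `cd ../ || exit 1` and `cd _afl_out/ || exit 1` bound that. A blanket `set -e` is not a drop-in replacement here, because `rm corpus-cmin/*` legitimately fails on a freshly created empty directory and would abort the run. `HARNESS_BIN` and `COV_BIN` are declared as paths relative to `_afl_out/`, which only holds after both `cd`s; a comment on those two assignments, e.g. `# relative to _afl_out/, which is entered below`, prevents them being reused from the repo root. The comment typo `minized` appears here too.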
@@ -1,14 +1,126 @@ | ||
#! /bin/sh | ||
|
||
COMMON_CMAKE_OPTIONS="-DCMAKE_C_COMPILER=afl-clang-lto -DCMAKE_CXX_COMPILER=afl-clang-lto++ -DBUILD_TOXAV=OFF -DENABLE_SHARED=NO -DBUILD_FUZZ_TESTS=ON -DDHT_BOOTSTRAP=OFF -DBOOTSTRAP_DAEMON=OFF" | ||
|
||
# move to repo root | ||
cd ../ | ||
rm -R _afl_build | ||
mkdir _afl_build | ||
|
||
# build fuzzer target UBSAN | ||
mkdir -p _afl_build_ubsan | ||
cd _afl_build_ubsan | ||
|
||
export AFL_USE_UBSAN=1 | ||
|
||
# build c-toxcore using afl instrumentation | ||
cmake -DCMAKE_BUILD_TYPE=Debug "$COMMON_CMAKE_OPTIONS" .. | ||
|
||
# build fuzzer target | ||
cmake --build ./ --target bootstrap_fuzzer | ||
|
||
unset AFL_USE_UBSAN | ||
|
||
cd .. | ||
|
||
# build fuzzer target MSAN | ||
mkdir -p _afl_build_msan | ||
cd _afl_build_msan | ||
|
||
export AFL_USE_MSAN=1 | ||
|
||
# build c-toxcore using afl instrumentation | ||
cmake -DCMAKE_BUILD_TYPE=Debug "$COMMON_CMAKE_OPTIONS" .. | ||
|
||
# build fuzzer target | ||
cmake --build ./ --target bootstrap_fuzzer | ||
|
||
unset AFL_USE_MSAN | ||
|
||
cd .. | ||
|
||
# build fuzzer target ASAN | ||
mkdir -p _afl_build_asan | ||
cd _afl_build_asan | ||
|
||
export AFL_USE_ASAN=1 | ||
|
||
# build c-toxcore using afl instrumentation | ||
cmake -DCMAKE_BUILD_TYPE=Debug "$COMMON_CMAKE_OPTIONS" .. | ||
|
||
# build fuzzer target | ||
cmake --build ./ --target bootstrap_fuzzer | ||
|
||
unset AFL_USE_ASAN | ||
|
||
cd .. | ||
|
||
# build fuzzer target without sanitizers for afl-tmin | ||
mkdir -p _afl_build | ||
cd _afl_build | ||
|
||
# build c-toxcore using afl instrumentation | ||
cmake -DCMAKE_C_COMPILER=afl-clang -DBUILD_MISC_TESTS=ON .. | ||
make | ||
cmake -DCMAKE_BUILD_TYPE=Debug "$COMMON_CMAKE_OPTIONS" .. | ||
|
||
# build fuzzer target | ||
cmake --build ./ --target bootstrap_fuzzer | ||
|
||
cd .. | ||
|
||
# build fuzzer target with CmpLog | ||
mkdir -p _afl_build_cmplog | ||
cd _afl_build_cmplog | ||
|
||
export AFL_LLVM_CMPLOG=1 | ||
|
||
# build c-toxcore using afl instrumentation | ||
cmake -DCMAKE_BUILD_TYPE=Debug "$COMMON_CMAKE_OPTIONS" .. | ||
|
||
# build fuzzer target | ||
cmake --build ./ --target bootstrap_fuzzer | ||
|
||
unset AFL_LLVM_CMPLOG | ||
|
||
cd .. | ||
|
||
# build fuzzer target for code coverage | ||
mkdir -p _cov_build | ||
cd _cov_build | ||
|
||
# build c-toxcore using afl instrumentation | ||
cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_FLAGS="-fprofile-arcs -ftest-coverage" -DCMAKE_C_FLAGS="-fprofile-arcs -ftest-coverage" -DCMAKE_VERBOSE_MAKEFILE=ON "$COMMON_CMAKE_OPTIONS" .. | ||
|
||
# build fuzzer target | ||
cmake --build ./ --target bootstrap_fuzzer | ||
|
||
# back to repo root | ||
cd ../ | ||
|
||
# Create fuzzer working directory | ||
|
||
mkdir -p _afl_out | ||
|
||
AFL_ARGS='-i testing/afl_testdata/tox_bootstraps/ -o _afl_out' | ||
|
||
export AFL_IMPORT_FIRST=1 | ||
export AFL_AUTORESUME=1 | ||
|
||
# faster startup | ||
export AFL_FAST_CAL=1 | ||
|
||
echo "connect to the fuzzers using: screen -x fuzz" | ||
echo "if fuzzing doesn't start execute the following as root:" | ||
echo "" | ||
echo "echo core >/proc/sys/kernel/core_pattern" | ||
echo "echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor" | ||
|
||
# Main fuzzer, keeps complet corpus | ||
screen -dmS fuzz afl-fuzz -M fuzz0 "$AFL_ARGS" -c ./_afl_build_cmplog/bootstrap_fuzzer ./_afl_build/bootstrap_fuzzer | ||
sleep 10s | ||
|
||
# Secondary fuzzers | ||
screen -S fuzz -X screen afl-fuzz -S fuzz1 "$AFL_ARGS" -- ./_afl_build_msan/bootstrap_fuzzer | ||
sleep 1s | ||
|
||
screen -S fuzz -X screen afl-fuzz -S fuzz2 "$AFL_ARGS" ./_afl_build_ubsan/bootstrap_fuzzer | ||
sleep 1s | ||
|
||
# start fuzzing | ||
afl-fuzz -i ../testing/afl_testdata/tox_saves/ -o afl_out/ ./afl_toxsave @@ | ||
screen -S fuzz -X screen afl-fuzz -S fuzz3 "$AFL_ARGS" ./_afl_build_asan/bootstrap_fuzzer |
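Review bot: `"$COMMON_CMAKE_OPTIONS"` and `"$AFL_ARGS"` are double-quoted at every use (each `cmake -DCMAKE_BUILD_TYPE=Debug "$COMMON_CMAKE_OPTIONS" ..` line and each `afl-fuzz … "$AFL_ARGS" …` line), so the whole option string is passed as a single argument: cmake sees one `-DCMAKE_C_COMPILER=` whose value contains all the remaining options, and afl-fuzz sees one `-i` value with ` -o _afl_out` glued onto the input path, so none of these builds or fuzzers starts as intended. Because the script is `#! /bin/sh` there are no arrays; expand the variables unquoted with `# shellcheck disable=SC2086` above each use, or replace each variable with a function that passes the options as separate words, e.g. `afl_cmake() { cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_COMPILER=afl-clang-lto -DCMAKE_CXX_COMPILER=afl-clang-lto++ -DBUILD_TOXAV=OFF -DENABLE_SHARED=NO -DBUILD_FUZZ_TESTS=ON -DDHT_BOOTSTRAP=OFF -DBOOTSTRAP_DAEMON=OFF "$@"; }`. The `afl-fuzz -i ../testing/afl_testdata/tox_saves/ -o afl_out/ ./afl_toxsave @@` line near the end looks like a remnant of the previous script; if it survives on the new side it launches a fourth, foreground fuzzer with a harness none of the build steps above produce. The comment `# Main fuzzer, keeps complet corpus` should read `complete`.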