birkenfeld/cargo-fuzz
Cargo-fuzz

Command-line wrapper for using libFuzzer. Easy to use, no need to recompile LLVM!

libFuzzer needs LLVM sanitizer support, so this is x86-64 Linux-only for now. It also needs a nightly toolchain, since it uses some unstable command-line flags.

This crate is currently under some churn. In case stuff isn't working, please reinstall it (cargo install cargo-fuzz -f) and delete the cloned libfuzzer-sys folder inside the fuzz/ folder. Rerunning cargo fuzz --init after moving your fuzz folder and updating this crate may get you a better generated fuzz/Cargo.toml. Expect this to settle down soon.

Installation

$ cargo install cargo-fuzz

Usage

First, set up your project for fuzzing:

$ cd /path/to/project
$ cargo fuzz init

This will create a fuzz folder containing a fuzzing script called fuzzer_script_1 in the fuzzers/ subfolder. It is generally a good idea to check in the files generated by --init.

libFuzzer is going to repeatedly call the go() function in the fuzzer script with a byte buffer data of length size, until your program hits an error condition (segfault, panic, etc.). Write your go() function to hit the entry point you need.
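What a go() body typically looks like, as an added example that is not part of this repository or its generated script: a small length-prefixed record parser, the fuzz entry point that exercises it and checks a round-trip invariant, and a stand-alone driver that feeds it a few constructed inputs the way libFuzzer would. The type and function names (Record, parse_records, encode_records, go, sample_inputs, run_samples) and the record format are assumptions for this example; the generated fuzzer script is what actually wires go() to libFuzzer. The point to notice is that malformed input is rejected by returning early, so the only panics the fuzzer can report are genuine invariant violations.

```rust
// Added example (not cargo-fuzz's own code): the body of a fuzz target for a
// constructed "tag | len(u8) | payload[len]" record format, plus a local
// driver. All names here are assumed for the example.

/// One parsed record: a tag byte followed by a length-prefixed payload.
#[derive(Debug, PartialEq)]
pub struct Record {
    pub tag: u8,
    pub payload: Vec<u8>,
}

/// Parse records until the input is exhausted. Malformed input is rejected
/// with `None`, never panicked on: the fuzzer reports panics, so only real
/// bugs should reach one.
pub fn parse_records(data: &[u8]) -> Option<Vec<Record>> {
    let mut out = Vec::new();
    let mut i = 0;
    while i < data.len() {
        let tag = data[i];
        let len = *data.get(i + 1)? as usize; // truncated before length byte -> None
        let start = i + 2;
        let end = start.checked_add(len)?;
        let payload = data.get(start..end)?.to_vec(); // truncated payload -> None
        out.push(Record { tag, payload });
        i = end;
    }
    Some(out)
}

/// Serialize records back into the wire format.
pub fn encode_records(records: &[Record]) -> Vec<u8> {
    let mut out = Vec::new();
    for r in records {
        out.push(r.tag);
        out.push(r.payload.len() as u8);
        out.extend_from_slice(&r.payload);
    }
    out
}

/// The body you would put in the generated fuzzer script's go(): take
/// arbitrary bytes, exercise the parser, and assert an invariant that must
/// hold for every accepted input. Returns whether the input was accepted so
/// the driver below can report on it.
pub fn go(data: &[u8]) -> bool {
    match parse_records(data) {
        None => false, // rejected input is expected, not a bug
        Some(records) => {
            // Invariant: parse -> encode must reproduce the exact input.
            // A panic here is a real bug for libFuzzer to report and minimize.
            assert_eq!(encode_records(&records), data, "round-trip mismatch");
            true
        }
    }
}

/// Inputs constructed for this example; in real use libFuzzer generates them.
pub fn sample_inputs() -> Vec<Vec<u8>> {
    vec![
        vec![],                             // empty: zero records, accepted
        vec![0x01, 0x03, b'a', b'b', b'c'], // one well-formed record, accepted
        vec![0x01, 0x00, 0x02, 0x01, 0xff], // two records, one empty payload, accepted
        vec![0x01],                         // truncated: missing length byte, rejected
        vec![0x01, 0x05, b'a'],             // truncated payload, rejected
    ]
}

/// Run go() over the constructed inputs; returns how many were accepted.
pub fn run_samples() -> usize {
    sample_inputs().iter().filter(|d| go(d.as_slice())).count()
}

fn main() {
    let total = sample_inputs().len();
    println!("accepted {} of {} constructed inputs", run_samples(), total);
}
```

In the real fuzzer script the driver and main() are not needed; libFuzzer supplies the loop and the inputs, and go() only has to call the code under test and assert what must always be true.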

You can add more fuzz target scripts via cargo fuzz add name_of_script. There is a Cargo.toml in the fuzz/ folder where you can add dependencies.

To fuzz a fuzz target, run:

$ cd /path/to/project
$ cargo fuzz run fuzzer_script_1 # or whatever the target is named

Then wait until it finds something!

Trophy case

🏆 🏆 🏆 🏆 🏆 🏆

About

Command line helpers for fuzzing

License

Apache-2.0 (LICENSE-APACHE) and MIT (LICENSE-MIT)

Languages

  • Rust 100.0%