Switch branches/tags
Nothing to show
Find file History
Latest commit 917d4fd Oct 5, 2018
Permalink
..
Failed to load latest commit information.
README.md Update README.md Oct 4, 2018
webkit.patch Add WebKitFuzz Oct 4, 2018

README.md

WebKit Fuzzing

webkit.patch is a patch file that makes it easier to build WebKitGTK+ with ASan and fuzz it.

The patch file was made with WebKitGTK+ version 2.20.2 (https://webkitgtk.org/releases/webkitgtk-2.20.2.tar.xz) and might not work as is on other versions.

List of changes:

  • Fixes to be able to build WebKitGTK+ with ASan

  • Changed window.alert() implementation to immediately call the garbage collector instead of displaying a message window.

  • As soon as any web process crashes, exit the main process with the same exit code.

  • Created a custom target binary (webkitfuzz)

After applying the patch, you can build using the following commands:

export CC=/usr/bin/clang
export CXX=/usr/bin/clang++
export CFLAGS="-fsanitize=address"
export CXXFLAGS="-fsanitize=address"
export LDFLAGS="-fsanitize=address"
export ASAN_OPTIONS="detect_leaks=0"

mkdir build
cd build

cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=. -DCMAKE_SKIP_RPATH=ON -DPORT=GTK -DLIB_INSTALL_DIR=./lib -DUSE_LIBHYPHEN=OFF -DENABLE_MINIBROWSER=ON -DUSE_SYSTEM_MALLOC=ON -DENABLE_GEOLOCATION=OFF -DENABLE_GTKDOC=OFF -DENABLE_INTROSPECTION=OFF -DENABLE_OPENGL=OFF -DENABLE_ACCELERATED_2D_CANVAS=OFF -DENABLE_CREDENTIAL_STORAGE=OFF -DENABLE_GAMEPAD_DEPRECATED=OFF -DENABLE_MEDIA_STREAM=OFF -DENABLE_WEB_RTC=OFF -DENABLE_PLUGIN_PROCESS_GTK2=OFF -DENABLE_SPELLCHECK=OFF -DENABLE_VIDEO=OFF -DENABLE_WEB_AUDIO=OFF -DUSE_LIBNOTIFY=OFF -DENABLE_SUBTLE_CRYPTO=OFF -DUSE_WOFF2=OFF -Wno-dev ..

make -j 4

mkdir -p libexec/webkit2gtk-4.0
cp bin/WebKit*Process libexec/webkit2gtk-4.0/

And install dependencies when it complains. Note that some of the dependencies were already removed via -DENABLE_...=OFF flags. These flags are mosly not necessary, but you will need to install additional dependencies if you remove them.

After it builds, you can run the fuzzer binary as:

ASAN_OPTIONS=detect_leaks=0,exitcode=42 ASAN_SYMBOLIZER_PATH=/path/to/llvm-symbolizer LD_LIBRARY_PATH=./lib ./bin/webkitfuzz /path/to/sample <timeout>

Note that exit code 42 will indicate an ASan crash.