From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Xen-devel <xen-devel@lists.xen.org>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>,
Ian Jackson <Ian.Jackson@eu.citrix.com>,
Wei Liu <wei.liu2@citrix.com>, Jan Beulich <JBeulich@suse.com>
Subject: [PATCH 8/8] tools/insn-fuzz: Support AFL's afl-clang-fast mode
Date: Mon, 20 Mar 2017 11:19:45 +0000
Message-ID: <1490008785-6058-9-git-send-email-andrew.cooper3@citrix.com>
In-Reply-To: <1490008785-6058-1-git-send-email-andrew.cooper3@citrix.com>
AFL has an alternative llvm-based instrumentation mode, which has much lower
overhead than the traditional afl-gcc.
One extra ability is to choose exactly where the master process gets
initialised to, before being forked for testing. This point is chosen after
the call to LLVMFuzzerInitialize(), so the stack isn't being remapped
executable for every test.
Another extra ability is to feed multiple inputs into a single test process,
to reduce the number of fork() calls required overall. Two caveats are that if
stdin is used for data, it must be unbuffered, and if input is passed via a
command line parameter, the underlying file must be opened and closed on each
iteration.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Ian Jackson <Ian.Jackson@eu.citrix.com>
CC: Wei Liu <wei.liu2@citrix.com>
This patch is mostly re-indentation, and is far more easily reviewed using `git diff
--ignore-all-space`
---
tools/fuzz/README.afl | 10 ++++-
tools/fuzz/x86_instruction_emulator/afl-harness.c | 54 +++++++++++++----------
2 files changed, 40 insertions(+), 24 deletions(-)
diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
index c5f749a..4758de2 100644
--- a/tools/fuzz/README.afl
+++ b/tools/fuzz/README.afl
@@ -18,7 +18,15 @@ Use the x86 instruction emulator fuzzer as an example.
2. run the following commands to build:
$ cd tools/fuzz/x86_instruction_emulator
$ make distclean
- $ make CC=$AFLPATH/afl-gcc afl # produces afl-harness
+
+ If you have a new enough version of Clang/LLVM and have configured AFL's
+ llvm_mode, make use of afl-clang-fast:
+
+ $ make CC=$AFLPATH/afl-clang-fast afl # produces afl-harness
+
+ If not, use the default afl-gcc:
+
+ $ make CC=$AFLPATH/afl-gcc afl # produces afl-harness
3. provide initial test case (fuzzer dependent, see afl-*.c):
$ mkdir testcase_dir
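Review bot: the new README text tells the reader to prefer afl-clang-fast when available but not what that choice changes for them: with that compiler the harness takes the `__AFL_HAVE_MANUAL_CONTROL` path (`__AFL_INIT()` plus `__AFL_LOOP(1000)`), so one forked process handles up to 1000 inputs and the stdin/file caveats from the commit message apply. One sentence here, e.g. "afl-clang-fast also enables AFL's deferred forkserver and persistent mode; see afl-harness.c", would save a reader from having to work that out from the harness source.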
diff --git a/tools/fuzz/x86_instruction_emulator/afl-harness.c b/tools/fuzz/x86_instruction_emulator/afl-harness.c
index 63aff59..1548693 100644
--- a/tools/fuzz/x86_instruction_emulator/afl-harness.c
+++ b/tools/fuzz/x86_instruction_emulator/afl-harness.c
@@ -17,6 +17,7 @@ int main(int argc, char **argv)
size_t size;
FILE *fp = NULL;
+ setbuf(stdin, NULL);
setbuf(stdout, NULL);
while ( 1 )
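Review bot: `setbuf(stdin, NULL)` is added with no comment, and unlike the neighbouring `setbuf(stdout, NULL)` its purpose is not obvious from the code. The reason is only in the commit message (persistent mode requires stdin to be unbuffered when the test case arrives that way); a short comment such as `/* AFL persistent mode rewinds stdin between inputs; don't buffer it. */` would keep that knowledge next to the call.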
@@ -61,37 +62,44 @@ int main(int argc, char **argv)
if ( LLVMFuzzerInitialize(&argc, &argv) )
exit(-1);
- if ( fp != stdin ) /* If not using stdin, open the provided file. */
+#ifdef __AFL_HAVE_MANUAL_CONTROL
+ __AFL_INIT();
+
+ while ( __AFL_LOOP(1000) )
+#endif
{
- fp = fopen(argv[optind], "rb");
- if ( fp == NULL )
+ if ( fp != stdin ) /* If not using stdin, open the provided file. */
{
- perror("fopen");
- exit(-1);
+ fp = fopen(argv[optind], "rb");
+ if ( fp == NULL )
+ {
+ perror("fopen");
+ exit(-1);
+ }
}
- }
- size = fread(input, 1, INPUT_SIZE, fp);
+ size = fread(input, 1, INPUT_SIZE, fp);
- if ( ferror(fp) )
- {
- perror("fread");
- exit(-1);
- }
+ if ( ferror(fp) )
+ {
+ perror("fread");
+ exit(-1);
+ }
- if ( !feof(fp) )
- {
- printf("Input too large\n");
- exit(-1);
- }
+ if ( !feof(fp) )
+ {
+ printf("Input too large\n");
+ exit(-1);
+ }
- if ( fp != stdin )
- {
- fclose(fp);
- fp = NULL;
- }
+ if ( fp != stdin )
+ {
+ fclose(fp);
+ fp = NULL;
+ }
- LLVMFuzzerTestOneInput(input, size);
+ LLVMFuzzerTestOneInput(input, size);
+ }
return 0;
}
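Review bot: in the stdin case the same stream is reused across `__AFL_LOOP()` iterations but nothing resets it between them: the `fp != stdin` branch only reopens named files, so after the first iteration stdin's end-of-file indicator stays set and the `if ( !feof(fp) )` "Input too large" check can no longer reject an oversized input, while on a libc that treats EOF as sticky every later `fread()` simply returns 0. Suggest a `clearerr(stdin)` at the top of the loop body when `fp == stdin`, before the `fread()`. A one-line comment on `__AFL_LOOP(1000)` saying that the process handles up to 1000 inputs before AFL forks a fresh one would also help the next reader.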
--
2.1.4
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
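Added example, not code from this patch or from the Xen tree: the input-reading step of a persistent-mode harness as the commit message describes it (unbuffered stdin that the fuzzer rewinds between iterations), written to show the stream reset a reused stdin needs. `read_one_input`, `demo_session` and the 16-byte `INPUT_SIZE` are constructed for this illustration, and the tmpfile() stands in for the file afl-fuzz connects to stdin.

```c
#define _POSIX_C_SOURCE 200809L   /* fileno(), lseek() */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define INPUT_SIZE 16   /* deliberately small so "too large" is easy to hit */
enum read_status { READ_OK, READ_TOO_LARGE, READ_ERROR };

/* Read one test case from fp into buf (capacity cap); *size receives the byte
 * count.  Same checks as afl-harness.c, plus what a reused stream needs. */
enum read_status read_one_input(FILE *fp, unsigned char *buf,
                                size_t cap, size_t *size)
{
    /* The EOF indicator left by the previous test case is sticky: it would
     * make "!feof(fp)" always pass, or make every later fread() return 0. */
    clearerr(fp);
    *size = fread(buf, 1, cap, fp);
    if ( ferror(fp) )
        return READ_ERROR;
    /* fread() of exactly cap bytes does not set EOF: probe for one more
     * byte so exactly-cap inputs are accepted and larger ones rejected. */
    if ( !feof(fp) && fgetc(fp) != EOF )
        return READ_TOO_LARGE;
    return READ_OK;
}

/* Constructed driver: a tmpfile() holding `data` stands in for the file
 * afl-fuzz connects to stdin.  Returns how many of `rounds` iterations
 * delivered the test case intact, or -1 if setup failed. */
int demo_session(const char *data, size_t len, int rounds)
{
    unsigned char buf[INPUT_SIZE];
    size_t size;
    int ok = 0;
    FILE *fp = tmpfile();

    if ( fp == NULL ) return -1;
    setbuf(fp, NULL);                  /* unbuffered, as the harness does */
    if ( fwrite(data, 1, len, fp) != len ) return -1;
    rewind(fp);
    for ( int i = 0; i < rounds; i++ )
    {
        lseek(fileno(fp), 0, SEEK_SET); /* as afl-fuzz does before each run */
        if ( read_one_input(fp, buf, INPUT_SIZE, &size) == READ_OK
             && size == len && memcmp(buf, data, len) == 0 )
            ok++;
    }
    fclose(fp);
    return ok;
}
```

Dropping the `clearerr()` call reproduces the failure mode a reused stdin runs into: the second and later rounds either skip the size check or read nothing.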
Thread overview:
2017-03-20 11:19 [PATCH 0/8] Fuzzing misc bugfix and performance improvements Andrew Cooper
2017-03-20 11:19 ` [PATCH 1/8] tools/fuzz: Remove .d files in clean Andrew Cooper
2017-03-20 11:19 ` [PATCH 2/8] tools/fuzz: Use $(CC) for linking the harnesses Andrew Cooper
2017-03-20 11:19 ` [PATCH 3/8] tools/fuzz: Include LLVMFuzzerTestOneInput() in the generated .a Andrew Cooper
2017-03-20 11:19 ` [PATCH 4/8] tools/insn-fuzz: Use shorter filenames Andrew Cooper
2017-03-20 11:19 ` [PATCH 5/8] tools/insn-fuzz: Use getopt() for parsing the command line Andrew Cooper
2017-03-20 11:19 ` [PATCH 6/8] tools/insn-fuzz: Accept fuzzing input on stdin Andrew Cooper
2017-03-20 11:19 ` [PATCH 7/8] tools/insn-fuzz: Make use of LLVMFuzzerInitialize() Andrew Cooper
2017-03-20 11:19 ` Andrew Cooper [this message]
2017-03-20 15:55 ` [PATCH 0/8] Fuzzing misc bugfix and performance improvements Wei Liu