From 2003f7716d6cee311492356ad4d4c904aae3da52 Mon Sep 17 00:00:00 2001
From: Zuka Tsinadze
Date: Fri, 28 Feb 2025 23:28:36 +0100
Subject: [PATCH 01/12] test
---
 fuzzers/libafl/builder.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fuzzers/libafl/builder.Dockerfile b/fuzzers/libafl/builder.Dockerfile
index f0136ff46..c74eb0261 100644
--- a/fuzzers/libafl/builder.Dockerfile
+++ b/fuzzers/libafl/builder.Dockerfile
@@ -35,7 +35,7 @@ RUN apt-get update && \
 RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
 # Download libafl.
-RUN git clone https://github.com/AFLplusplus/LibAFL /libafl
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
 # Checkout a current commit
 RUN cd /libafl && git pull && git checkout f856092f3d393056b010fcae3b086769377cba18 || true
From a232283d9cb3fa1cfd5a143b68424fe77bf42b01 Mon Sep 17 00:00:00 2001
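Review bot: The clone source is switched to the fork zukatsinadze/LibAFL, but the unchanged context line below still checks out the upstream commit f856092f… with `|| true`, so if that commit is not reachable in the fork (or the hash is mistyped) the checkout fails silently and the image builds whatever the fork's default branch holds — an unpinned, non-reproducible build. Drop the `|| true` (and the `git pull`, which is redundant on a fresh clone) so a missing commit fails the build: `RUN cd /libafl && git checkout f856092f3d393056b010fcae3b086769377cba18`. If the fork carries local changes, pin the fork's own commit here rather than the upstream one; the subject line "test" gives no hint which is intended.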
From: Zuka Tsinadze
Date: Fri, 7 Mar 2025 18:10:18 +0100
Subject: [PATCH 02/12] libafl scheduler fuzzers
---
 experiment-config.yaml | 23 ++++++
 fuzzers/libafl_covaccount/builder.Dockerfile | 54 +++++++++++++
 fuzzers/libafl_covaccount/description.md | 11 +++
 fuzzers/libafl_covaccount/fuzzer.py | 78 ++++++++++++++++++
 fuzzers/libafl_covaccount/runner.Dockerfile | 25 ++++++
 fuzzers/libafl_default/builder.Dockerfile | 54 +++++++++++++
 fuzzers/libafl_default/description.md | 11 +++
 fuzzers/libafl_default/fuzzer.py | 78 ++++++++++++++++++
 fuzzers/libafl_default/runner.Dockerfile | 25 ++++++
 fuzzers/libafl_random/builder.Dockerfile | 54 +++++++++++++
 fuzzers/libafl_random/fuzzer.py | 78 ++++++++++++++++++
 fuzzers/libafl_random/runner.Dockerfile | 25 ++++++
 fuzzers/libafl_valprof/builder.Dockerfile | 54 +++++++++++++
 fuzzers/libafl_valprof/fuzzer.py | 79 +++++++++++++++++++
 fuzzers/libafl_valprof/runner.Dockerfile | 25 ++++++
 fuzzers/libafl_weighted/builder.Dockerfile | 54 +++++++++++++
 fuzzers/libafl_weighted/fuzzer.py | 79 +++++++++++++++++++
 fuzzers/libafl_weighted/runner.Dockerfile | 25 ++++++
 .../libafl_random/builder.Dockerfile | 57 +++++++++++++
 fuzzers/my_libafl/libafl_random/fuzzer.py | 71 +++++++++++++++++
 .../my_libafl/libafl_random/runner.Dockerfile | 24 ++++++
 .../libafl_valueprofile/builder.Dockerfile | 53 +++++++++++++
 .../my_libafl/libafl_valueprofile/fuzzer.py | 71 +++++++++++++++++
 .../libafl_valueprofile/runner.Dockerfile | 24 ++++++
 .../builder.Dockerfile | 54 +++++++++++++
 .../libafl_weighted_scheduler/fuzzer.py | 71 +++++++++++++++++
 .../runner.Dockerfile | 24 ++++++
 27 files changed, 1281 insertions(+)
 create mode 100644 experiment-config.yaml
 create mode 100644 fuzzers/libafl_covaccount/builder.Dockerfile
 create mode 100644 fuzzers/libafl_covaccount/description.md
 create mode 100755 fuzzers/libafl_covaccount/fuzzer.py
 create mode 100644 fuzzers/libafl_covaccount/runner.Dockerfile
 create mode 100644 fuzzers/libafl_default/builder.Dockerfile
 create mode 100644 fuzzers/libafl_default/description.md
 create mode 100755 fuzzers/libafl_default/fuzzer.py
 create mode 100644 fuzzers/libafl_default/runner.Dockerfile
 create mode 100644 fuzzers/libafl_random/builder.Dockerfile
 create mode 100755 fuzzers/libafl_random/fuzzer.py
 create mode 100644 fuzzers/libafl_random/runner.Dockerfile
 create mode 100644 fuzzers/libafl_valprof/builder.Dockerfile
 create mode 100755 fuzzers/libafl_valprof/fuzzer.py
 create mode 100644 fuzzers/libafl_valprof/runner.Dockerfile
 create mode 100644 fuzzers/libafl_weighted/builder.Dockerfile
 create mode 100755 fuzzers/libafl_weighted/fuzzer.py
 create mode 100644 fuzzers/libafl_weighted/runner.Dockerfile
 create mode 100644 fuzzers/my_libafl/libafl_random/builder.Dockerfile
 create mode 100644 fuzzers/my_libafl/libafl_random/fuzzer.py
 create mode 100644 fuzzers/my_libafl/libafl_random/runner.Dockerfile
 create mode 100644 fuzzers/my_libafl/libafl_valueprofile/builder.Dockerfile
 create mode 100644 fuzzers/my_libafl/libafl_valueprofile/fuzzer.py
 create mode 100644 fuzzers/my_libafl/libafl_valueprofile/runner.Dockerfile
 create mode 100644 fuzzers/my_libafl/libafl_weighted_scheduler/builder.Dockerfile
 create mode 100644 fuzzers/my_libafl/libafl_weighted_scheduler/fuzzer.py
 create mode 100644 fuzzers/my_libafl/libafl_weighted_scheduler/runner.Dockerfile
diff --git a/experiment-config.yaml b/experiment-config.yaml
new file mode 100644
index 000000000..577e15de1
--- /dev/null
+++ b/experiment-config.yaml
@@ -0,0 +1,23 @@
+# The number of trials of a fuzzer-benchmark pair.
+trials: 5
+
+# The amount of time in seconds that each trial is run for.
+# 1 day = 24 * 60 * 60 = 86400
+max_total_time: 3600
+
+# The location of the docker registry.
+# FIXME: Support custom docker registry.
+# See https://github.com/google/fuzzbench/issues/777
+docker_registry: gcr.io/fuzzbench
+
+# The local experiment folder that will store most of the experiment data.
+# Please use an absolute path.
+experiment_filestore: /home/zuka/zuka/thesis/data/local-runs/experiment-data
+
+# The local report folder where HTML reports and summary data will be stored.
+# Please use an absolute path.
+report_filestore: /home/zuka/zuka/thesis/data/local-runs/report-data
+
+# Flag that indicates this is a local experiment.
+local_experiment: true
+
diff --git a/fuzzers/libafl_covaccount/builder.Dockerfile b/fuzzers/libafl_covaccount/builder.Dockerfile
new file mode 100644
index 000000000..433177eee
--- /dev/null
+++ b/fuzzers/libafl_covaccount/builder.Dockerfile
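Review bot: `experiment_filestore` and `report_filestore` are hard-coded to `/home/zuka/zuka/thesis/...`, a personal home directory, and the file lands at the repository root, so anyone else who picks up this config gets paths that do not exist on their machine. Either keep the file out of the tree (gitignore it or move it under a personal directory) or replace the two values with a documented placeholder such as `/path/to/experiment-data`. The comment `# 1 day = 24 * 60 * 60 = 86400` sits directly above `max_total_time: 3600`, which is one hour; drop the stale line or change it to `# 1 hour = 60 * 60 = 3600` so the value and its explanation agree.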
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9 || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_covaccount && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_default && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_covaccount/description.md b/fuzzers/libafl_covaccount/description.md
new file mode 100644
index 000000000..ea9b947d6
--- /dev/null
+++ b/fuzzers/libafl_covaccount/description.md
@@ -0,0 +1,11 @@
+# libafl
+
+libafl fuzzer instance
+ - cmplog feature
+ - persistent mode
+
+Repository: [https://github.com/AFLplusplus/libafl/](https://github.com/AFLplusplus/libafl/)
+
+[builder.Dockerfile](builder.Dockerfile)
+[fuzzer.py](fuzzer.py)
+[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/libafl_covaccount/fuzzer.py b/fuzzers/libafl_covaccount/fuzzer.py
new file mode 100755
index 000000000..500e74ca2
--- /dev/null
+++ b/fuzzers/libafl_covaccount/fuzzer.py
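Review bot: The pinned-commit line `git checkout 94eb2b6f… || true` swallows a failed checkout, so if the fork does not contain that commit (or the hash is wrong) the image silently builds the fork's default branch instead of the intended revision; remove the `|| true` and the redundant `git pull` so the build fails loudly: `RUN cd /libafl && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9`. The stub_rt step builds from `fuzzers/fuzzbench/fuzzbench_default` while this image compiles `fuzzbench_covaccount`; the other four builders in this patch use their own variant directory, so this looks like a copy-paste leftover — harmless if the two `stub_rt.c` files are identical, but it should point at `fuzzbench_covaccount`. Both `llvm.sh` (fetched unpinned from apt.llvm.org) and the gist script run as root at build time with no integrity check; the gist URL is at least revision-pinned, but a `sha256sum -c` on the downloaded files would make the image reproducible and tamper-evident.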
@@ -0,0 +1,78 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_covaccount/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_covaccount/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_covaccount/runner.Dockerfile b/fuzzers/libafl_covaccount/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_covaccount/runner.Dockerfile
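Review bot: In `fuzz()`, `LD_PRELOAD` is set to a hard-coded `/usr/lib/x86_64-linux-gnu/libjemalloc.so.2` with no check that the file exists; when a preload object cannot be opened, glibc's loader prints a warning and continues, so a runner image without jemalloc would quietly run the trial on the default allocator and the scheduler comparison this patch is about would be skewed without any error. Fail explicitly instead: `jemalloc = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"` then `if not os.path.exists(jemalloc): raise RuntimeError(f"jemalloc missing: {jemalloc}")` before assigning it to `fuzzer_env["LD_PRELOAD"]`. The `# pylint: disable=too-many-branches,too-many-statements` on `build()` is stale — the function has no branches and few statements — and can be dropped.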
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_default/builder.Dockerfile b/fuzzers/libafl_default/builder.Dockerfile
new file mode 100644
index 000000000..ae92b0b04
--- /dev/null
+++ b/fuzzers/libafl_default/builder.Dockerfile
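Review bot: `RUN apt install libjemalloc2` runs with neither `apt-get update` nor `-y`, so it depends on whatever package lists the base image happens to ship and on apt not asking for confirmation; the conventional form is `RUN apt-get update && apt-get install -y --no-install-recommends libjemalloc2 && rm -rf /var/lib/apt/lists/*`. `ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"` expands to `:/out` when the variable is unset in the base image, and an empty component in `LD_LIBRARY_PATH` makes the dynamic loader search the current working directory for shared objects; setting `ENV LD_LIBRARY_PATH="/out"` (or `"${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/out"`) avoids that. The commented-out `#ENV AFL_MAP_SIZE=2621440` is dead configuration in a LibAFL runner and should be removed or explained.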
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9 || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_default && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_default && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_default/description.md b/fuzzers/libafl_default/description.md
new file mode 100644
index 000000000..ea9b947d6
--- /dev/null
+++ b/fuzzers/libafl_default/description.md
@@ -0,0 +1,11 @@
+# libafl
+
+libafl fuzzer instance
+ - cmplog feature
+ - persistent mode
+
+Repository: [https://github.com/AFLplusplus/libafl/](https://github.com/AFLplusplus/libafl/)
+
+[builder.Dockerfile](builder.Dockerfile)
+[fuzzer.py](fuzzer.py)
+[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/libafl_default/fuzzer.py b/fuzzers/libafl_default/fuzzer.py
new file mode 100755
index 000000000..ff9cd1ee7
--- /dev/null
+++ b/fuzzers/libafl_default/fuzzer.py
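Review bot: `wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17` and the gist `createAliases.sh` download are executed as root at build time straight off the network with no checksum, so the toolchain that produces every benchmark binary is whatever those URLs serve on the day of the build; pinning llvm.sh to a commit URL and verifying both files with `sha256sum -c` before running them would close that gap. The checkout line `git checkout 94eb2b6f… || true` has the same masking problem as the other builders in this patch — a missing or mistyped commit silently leaves the fork's default branch checked out — and should be `RUN cd /libafl && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9` with the `git pull` and `|| true` removed.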
@@ -0,0 +1,78 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_default/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_default/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_default/runner.Dockerfile b/fuzzers/libafl_default/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_default/runner.Dockerfile
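Review bot: This file is the libafl_covaccount `fuzzer.py` from the same patch with only the `fuzzbench_default` path segment changed in the two `os.environ["CC"]`/`os.environ["CXX"]` strings in `build()`, and the random/valprof/weighted variants repeat it again; five copies of the same ASAN/UBSAN option strings and the same `fuzz()` body will drift the first time one of them is fixed. If the harness permits importing a sibling fuzzer module (other fuzzbench integrations appear to do this, but confirm for this tree), a single shared module with a `_VARIANT = "fuzzbench_default"` constant, or a `build()` that derives the path from `os.path.basename(os.path.dirname(__file__))`, would keep one implementation. The `# pylint: disable=too-many-branches,too-many-statements` on `build()` is stale for a function with no branches.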
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_random/builder.Dockerfile b/fuzzers/libafl_random/builder.Dockerfile
new file mode 100644
index 000000000..d9fe3c09f
--- /dev/null
+++ b/fuzzers/libafl_random/builder.Dockerfile
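Review bot: `ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"` produces a leading empty component (`:/out`) whenever the base image leaves the variable unset, and the dynamic loader treats an empty `LD_LIBRARY_PATH` entry as the current directory, so shared objects are resolved from wherever the fuzzer happens to be started; `ENV LD_LIBRARY_PATH="/out"` is the safe form unless the base image is known to set it. `RUN apt install libjemalloc2` without `apt-get update`/`-y` and the dead `#ENV AFL_MAP_SIZE=2621440` line have the same issues as in the libafl_covaccount runner from this patch and should get the same fix.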
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9 || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_random && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_random && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_random/fuzzer.py b/fuzzers/libafl_random/fuzzer.py
new file mode 100755
index 000000000..933e6c501
--- /dev/null
+++ b/fuzzers/libafl_random/fuzzer.py
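Review bot: `git checkout 94eb2b6f… || true` after the fork clone means a missing or mistyped commit does not fail the build; the image then silently contains the fork's default branch, so the "random" scheduler under test may not be the revision recorded here — remove `|| true` and the redundant `git pull`: `RUN cd /libafl && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9`. Note also that the diffstat for this patch adds no `description.md` for libafl_random (nor for libafl_valprof or libafl_weighted) while the covaccount and default variants get one; if the fuzzbench presubmit requires that file per fuzzer directory (confirm against the repo's checks), these three will fail it, and in any case a one-line description of what "random" schedules differently would help reviewers.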
@@ -0,0 +1,78 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_random/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_random/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_random/runner.Dockerfile b/fuzzers/libafl_random/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_random/runner.Dockerfile
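Review bot: `fuzz()` preloads a hard-coded `/usr/lib/x86_64-linux-gnu/libjemalloc.so.2` without checking it exists; glibc only warns when an `LD_PRELOAD` object cannot be opened, so a trial would silently run on the default allocator, which matters for a scheduler comparison where all variants should share the same runtime. Guard it with `if not os.path.exists(jemalloc): raise RuntimeError(f"jemalloc missing: {jemalloc}")` (with `jemalloc` holding the path) before setting `fuzzer_env["LD_PRELOAD"]`. The `print(command)` is unlabelled; `print("Running:", command, flush=True)` makes the trial log easier to read and survives buffered stdout if the process is killed at timeout.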
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_valprof/builder.Dockerfile b/fuzzers/libafl_valprof/builder.Dockerfile
new file mode 100644
index 000000000..0ae372c8e
--- /dev/null
+++ b/fuzzers/libafl_valprof/builder.Dockerfile
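Review bot: `RUN apt install libjemalloc2` uses the interactive `apt` front end with no `-y` and no preceding `apt-get update`, so the build relies on the base image's cached package index and on apt never prompting; `RUN apt-get update && apt-get install -y --no-install-recommends libjemalloc2 && rm -rf /var/lib/apt/lists/*` is the robust form, and since `fuzzer.py` hard-codes the resulting `libjemalloc.so.2` path for `LD_PRELOAD`, a failed install here is what would make that preload silently no-op. `ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"` yields an empty leading component (current directory) when the variable is unset, and `#ENV AFL_MAP_SIZE=2621440` is dead config — same fixes as for the other runner Dockerfiles in this patch.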
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9 || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_valprof && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_valprof && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_valprof/fuzzer.py b/fuzzers/libafl_valprof/fuzzer.py
new file mode 100755
index 000000000..2ae497850
--- /dev/null
+++ b/fuzzers/libafl_valprof/fuzzer.py
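Review bot: `RUN cd /libafl && git pull && git checkout 94eb2b6f… || true` combines a network-dependent `git pull` on a clone made one instruction earlier with a `|| true` that hides a failed checkout, so the build neither fails on a missing commit nor is reproducible offline; `RUN cd /libafl && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9` is all that is needed. The comment `# Note that due a nightly bug it is currently fixed to a known version on top!` refers to the Rust nightly pinned above (`nightly-2024-08-12`) rather than to the checkout line it follows; moving it next to the rustup step, and fixing "due a" to "due to a", would stop it from reading as a justification for the `|| true`. Consider also `git clone --depth 1`-free but `--no-tags` cloning or a `--filter=blob:none` clone to shrink the five near-identical builder images.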
@@ -0,0 +1,79 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_valprof/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_valprof"
+ "/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_valprof/runner.Dockerfile b/fuzzers/libafl_valprof/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_valprof/runner.Dockerfile
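Review bot: In `build()` the `CXX` path is assembled from two implicitly concatenated literals, `"/libafl/fuzzers/fuzzbench/fuzzbench_valprof"` and `"/target/release-fuzzbench/libafl_cxx"`, while `CC` on the lines above is one literal; splitting a path at an arbitrary character is fragile (dropping the leading `/` of the second piece would silently produce a wrong path) and differs from the other four variants in this patch. Build both from one base instead: `target_dir = "/libafl/fuzzers/fuzzbench/fuzzbench_valprof/target/release-fuzzbench"`, then `os.environ["CC"] = f"{target_dir}/libafl_cc"` and `os.environ["CXX"] = f"{target_dir}/libafl_cxx"`. As in the sibling files, `fuzz()` should verify the hard-coded `libjemalloc.so.2` exists before putting it in `LD_PRELOAD`, since the loader only warns and continues when a preload object is missing.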
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_weighted/builder.Dockerfile b/fuzzers/libafl_weighted/builder.Dockerfile
new file mode 100644
index 000000000..0950c46f9
--- /dev/null
+++ b/fuzzers/libafl_weighted/builder.Dockerfile
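Review bot: This runner is byte-identical to the three runner Dockerfiles added earlier in the patch and carries the same three issues: `RUN apt install libjemalloc2` without `apt-get update`/`-y`, `ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"` producing an empty (current-directory) search component when the base image leaves the variable unset, and the dead `#ENV AFL_MAP_SIZE=2621440`. The `AFL_*` variables (`AFL_SKIP_CPUFREQ`, `AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES`, `AFL_TESTCACHE_SIZE`) are AFL++ runtime knobs; nothing in the new LibAFL `fuzzer.py` reads them, so if they are only inherited from the upstream libafl runner (confirm) a short comment saying they are intentionally kept, or their removal, would avoid future readers hunting for their effect.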
@@ -0,0 +1,54 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +# Uninstall old Rust & Install the latest one. +RUN if which rustup; then rustup self uninstall -y; fi && \ + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \ + sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \ + rm /rustup.sh + +# Install dependencies. +RUN apt-get update && \ + apt-get remove -y llvm-10 && \ + apt-get install -y \ + build-essential \ + lsb-release wget software-properties-common gnupg && \ + apt-get install -y wget libstdc++5 libtool-bin automake flex bison \ + libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ + apt-utils apt-transport-https ca-certificates joe curl && \ + wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17 + +RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh + +# Download libafl. +RUN git clone https://github.com/zukatsinadze/LibAFL /libafl + +# Checkout a current commit +RUN cd /libafl && git pull && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9 || true +# Note that due a nightly bug it is currently fixed to a known version on top! + +# Compile libafl. 
+RUN cd /libafl && \ + unset CFLAGS CXXFLAGS && \ + export LIBAFL_EDGES_MAP_SIZE=2621440 && \ + cd ./fuzzers/fuzzbench/fuzzbench_weighted && \ + PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main + +# Auxiliary weak references. +RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_weighted && \ + clang -c stub_rt.c && \ + ar r /stub_rt.a stub_rt.o diff --git a/fuzzers/libafl_weighted/fuzzer.py b/fuzzers/libafl_weighted/fuzzer.py new file mode 100755 index 000000000..71531b8e3 --- /dev/null +++ b/fuzzers/libafl_weighted/fuzzer.py 
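Review bot: The checkout step `RUN cd /libafl && git pull && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9 || true` lets the build continue when the pinned commit cannot be checked out, so the image then silently contains whatever HEAD of the `zukatsinadze/LibAFL` fork happens to be and two builds of this Dockerfile are not guaranteed to produce the same fuzzer; drop the `|| true` (and the `git pull`, which does nothing useful right after a fresh clone) so a bad pin fails the build, as the my_libafl builder Dockerfiles later in this commit already do. The toolchain is installed by fetching `sh.rustup.rs` and running it with `sh` with no checksum, and `createAliases.sh` is executed straight from a gist; the gist URL does name a revision hash, but the rustup installer is unpinned, so either a pinned download with a checksum or a comment stating why the unpinned fetch is acceptable for this build image would help a reader auditing the supply chain. The same rustup and gist fetches appear in the libafl_valprof builder above and the three my_libafl builders below.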
@@ -0,0 +1,79 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for a LibAFL-based fuzzer.""" + +import os +import subprocess + +from fuzzers import utils + + +def prepare_fuzz_environment(input_corpus): + """Prepare to fuzz with a LibAFL-based fuzzer.""" + os.environ["ASAN_OPTIONS"] = ( + "abort_on_error=1:detect_leaks=0:" + "malloc_context_size=0:symbolize=0:" + "allocator_may_return_null=1:" + "detect_odr_violation=0:handle_segv=0:" + "handle_sigbus=0:handle_abort=0:" + "handle_sigfpe=0:handle_sigill=0" + ) + os.environ["UBSAN_OPTIONS"] = ( + "abort_on_error=1:" + "allocator_release_to_os_interval_ms=500:" + "handle_abort=0:handle_segv=0:" + "handle_sigbus=0:handle_sigfpe=0:" + "handle_sigill=0:print_stacktrace=0:" + "symbolize=0:symbolize_inline_frames=0" + ) + # Create at least one non-empty seed to start. 
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_weighted"
+ "/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_weighted/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_weighted/runner.Dockerfile b/fuzzers/libafl_weighted/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_weighted/runner.Dockerfile
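Review bot: `fuzz()` hard-codes `fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"` without checking that the file exists; when a preload object is missing, glibc's loader only prints an error and runs the target without it, so a runner image that failed to install libjemalloc2 would silently measure a different allocator. Resolve the path once, e.g. `jemalloc = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"` followed by `if not os.path.exists(jemalloc): raise FileNotFoundError(jemalloc)` before the assignment, so the trial fails loudly instead. The `# pylint: disable=too-many-branches,too-many-statements` on `build()` is stale, as the function has no branches. Apart from the two compiler paths this module repeats the libafl_valprof fuzzer.py above line for line; a thin module that imports the shared `build`/`fuzz` from one base module and overrides only the paths would keep the sanitizer option strings and the preload logic in a single place.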
@@ -0,0 +1,25 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +RUN apt install libjemalloc2 + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 diff --git a/fuzzers/my_libafl/libafl_random/builder.Dockerfile b/fuzzers/my_libafl/libafl_random/builder.Dockerfile new file mode 100644 index 000000000..b70b32176 --- /dev/null +++ b/fuzzers/my_libafl/libafl_random/builder.Dockerfile 
@@ -0,0 +1,57 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +# Uninstall old Rust & Install the latest one. +RUN if which rustup; then rustup self uninstall -y; fi && \ + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \ + sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \ + rm /rustup.sh + + +# Install dependencies. +RUN apt-get update && \ + apt-get remove -y llvm-10 && \ + apt-get install -y \ + build-essential \ + lsb-release wget software-properties-common gnupg && \ + apt-get install -y wget libstdc++5 libtool-bin automake flex bison \ + libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ + apt-utils apt-transport-https ca-certificates joe curl && \ + wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17 + +RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh + + + +# Download libafl +RUN git clone https://github.com/zukatsinadze/libafl_fuzzbench /libafl_fuzzbench && \ + cd /libafl_fuzzbench && \ + git checkout 605ce5df98d0ad816074578a28a161edde74c74c && \ + git submodule update --init + +# Compile libafl +RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \ + export CC=clang && export CXX=clang++ && \ + export LIBAFL_EDGES_MAP_SIZE=2621440 && \ + 
PATH="/root/.cargo/bin/:$PATH" cargo build --release --features no_link_main + +# Auxiliary weak references. +RUN cd /libafl_fuzzbench && \ + clang -c stub_rt.c && \ + ar r /stub_rt.a stub_rt.o + + diff --git a/fuzzers/my_libafl/libafl_random/fuzzer.py b/fuzzers/my_libafl/libafl_random/fuzzer.py new file mode 100644 index 000000000..122147bf2 --- /dev/null +++ b/fuzzers/my_libafl/libafl_random/fuzzer.py 
@@ -0,0 +1,71 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for a LibAFL-based fuzzer.""" + +import os +import subprocess + +from fuzzers import utils + + +def prepare_fuzz_environment(input_corpus): + """Prepare to fuzz with a LibAFL-based fuzzer.""" + os.environ["ASAN_OPTIONS"] = ( + "abort_on_error=1:detect_leaks=0:" + "malloc_context_size=0:symbolize=0:" + "allocator_may_return_null=1:" + "detect_odr_violation=0:handle_segv=0:" + "handle_sigbus=0:handle_abort=0:" + "handle_sigfpe=0:handle_sigill=0" + ) + os.environ["UBSAN_OPTIONS"] = ( + "abort_on_error=1:" + "allocator_release_to_os_interval_ms=500:" + "handle_abort=0:handle_segv=0:" + "handle_sigbus=0:handle_sigfpe=0:" + "handle_sigill=0:print_stacktrace=0:" + "symbolize=0:symbolize_inline_frames=0" + ) + # Create at least one non-empty seed to start. 
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = "/libafl_fuzzbench/target/release/rand_scheduler_cc"
+ os.environ["CXX"] = "/libafl_fuzzbench/target/release/rand_scheduler_cxx"
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"])
diff --git a/fuzzers/my_libafl/libafl_random/runner.Dockerfile b/fuzzers/my_libafl/libafl_random/runner.Dockerfile
new file mode 100644
index 000000000..77492efa4
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_random/runner.Dockerfile
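Review bot: `build()` carries `# pylint: disable=too-many-branches,too-many-statements` but contains no branches and only a dozen statements, so the pragma is stale and should be dropped. This module, `fuzzers/my_libafl/libafl_valueprofile/fuzzer.py` and `fuzzers/my_libafl/libafl_weighted_scheduler/fuzzer.py` further down are identical except for the `CC`/`CXX` paths; a shared module that takes the compiler prefix as a parameter would stop three copies of the ASAN/UBSAN option strings from drifting apart. Unlike the libafl_weighted variant above, `CXXFLAGS` here receives only `--libafl` with no `--std=c++14`, and `fuzz()` runs without the jemalloc `LD_PRELOAD`; if that is intentional for the my_libafl experiments, a one-line comment saying so would keep a reader from treating it as an omission.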
@@ -0,0 +1,24 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 + diff --git a/fuzzers/my_libafl/libafl_valueprofile/builder.Dockerfile b/fuzzers/my_libafl/libafl_valueprofile/builder.Dockerfile new file mode 100644 index 000000000..08eee9745 --- /dev/null +++ b/fuzzers/my_libafl/libafl_valueprofile/builder.Dockerfile 
@@ -0,0 +1,53 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +# Uninstall old Rust & Install the latest one. +RUN if which rustup; then rustup self uninstall -y; fi && \ + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \ + sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \ + rm /rustup.sh + +# Install dependencies. +RUN apt-get update && \ + apt-get remove -y llvm-10 && \ + apt-get install -y \ + build-essential \ + lsb-release wget software-properties-common gnupg && \ + apt-get install -y wget libstdc++5 libtool-bin automake flex bison \ + libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ + apt-utils apt-transport-https ca-certificates joe curl && \ + wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17 + +RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh + +# Download libafl +RUN git clone https://github.com/zukatsinadze/libafl_fuzzbench /libafl_fuzzbench && \ + cd /libafl_fuzzbench && \ + git checkout 605ce5df98d0ad816074578a28a161edde74c74c && \ + git submodule update --init + +# Compile libafl +RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \ + export CC=clang && export CXX=clang++ && \ + export LIBAFL_EDGES_MAP_SIZE=2621440 && \ + PATH="/root/.cargo/bin/:$PATH" 
cargo build --release --features no_link_main + +# Auxiliary weak references. +RUN cd /libafl_fuzzbench && \ + clang -c stub_rt.c && \ + ar r /stub_rt.a stub_rt.o + diff --git a/fuzzers/my_libafl/libafl_valueprofile/fuzzer.py b/fuzzers/my_libafl/libafl_valueprofile/fuzzer.py new file mode 100644 index 000000000..2ab6ec582 --- /dev/null +++ b/fuzzers/my_libafl/libafl_valueprofile/fuzzer.py 
@@ -0,0 +1,71 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for a LibAFL-based fuzzer.""" + +import os +import subprocess + +from fuzzers import utils + + +def prepare_fuzz_environment(input_corpus): + """Prepare to fuzz with a LibAFL-based fuzzer.""" + os.environ["ASAN_OPTIONS"] = ( + "abort_on_error=1:detect_leaks=0:" + "malloc_context_size=0:symbolize=0:" + "allocator_may_return_null=1:" + "detect_odr_violation=0:handle_segv=0:" + "handle_sigbus=0:handle_abort=0:" + "handle_sigfpe=0:handle_sigill=0" + ) + os.environ["UBSAN_OPTIONS"] = ( + "abort_on_error=1:" + "allocator_release_to_os_interval_ms=500:" + "handle_abort=0:handle_segv=0:" + "handle_sigbus=0:handle_sigfpe=0:" + "handle_sigill=0:print_stacktrace=0:" + "symbolize=0:symbolize_inline_frames=0" + ) + # Create at least one non-empty seed to start. 
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = "/libafl_fuzzbench/target/release/value_profile_cc"
+ os.environ["CXX"] = "/libafl_fuzzbench/target/release/value_profile_cxx"
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"])
diff --git a/fuzzers/my_libafl/libafl_valueprofile/runner.Dockerfile b/fuzzers/my_libafl/libafl_valueprofile/runner.Dockerfile
new file mode 100644
index 000000000..77492efa4
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_valueprofile/runner.Dockerfile
@@ -0,0 +1,24 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 + diff --git a/fuzzers/my_libafl/libafl_weighted_scheduler/builder.Dockerfile b/fuzzers/my_libafl/libafl_weighted_scheduler/builder.Dockerfile new file mode 100644 index 000000000..4e81a8b34 --- /dev/null +++ b/fuzzers/my_libafl/libafl_weighted_scheduler/builder.Dockerfile 
@@ -0,0 +1,54 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +# Uninstall old Rust & Install the latest one. +RUN if which rustup; then rustup self uninstall -y; fi && \ + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \ + sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \ + rm /rustup.sh + +# Install dependencies. +RUN apt-get update && \ + apt-get remove -y llvm-10 && \ + apt-get install -y \ + build-essential \ + lsb-release wget software-properties-common gnupg && \ + apt-get install -y wget libstdc++5 libtool-bin automake flex bison \ + libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ + apt-utils apt-transport-https ca-certificates joe curl && \ + wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17 + +RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh + +# Download libafl +RUN git clone https://github.com/zukatsinadze/libafl_fuzzbench /libafl_fuzzbench && \ + cd /libafl_fuzzbench && \ + git checkout 605ce5df98d0ad816074578a28a161edde74c74c && \ + git submodule update --init + +# Compile libafl +RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \ + export CC=clang && export CXX=clang++ && \ + export LIBAFL_EDGES_MAP_SIZE=2621440 && \ + PATH="/root/.cargo/bin/:$PATH" 
cargo build --release --features no_link_main + +# Auxiliary weak references. +RUN cd /libafl_fuzzbench && \ + clang -c stub_rt.c && \ + ar r /stub_rt.a stub_rt.o + + diff --git a/fuzzers/my_libafl/libafl_weighted_scheduler/fuzzer.py b/fuzzers/my_libafl/libafl_weighted_scheduler/fuzzer.py new file mode 100644 index 000000000..b32df2b52 --- /dev/null +++ b/fuzzers/my_libafl/libafl_weighted_scheduler/fuzzer.py 
@@ -0,0 +1,71 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for a LibAFL-based fuzzer.""" + +import os +import subprocess + +from fuzzers import utils + + +def prepare_fuzz_environment(input_corpus): + """Prepare to fuzz with a LibAFL-based fuzzer.""" + os.environ["ASAN_OPTIONS"] = ( + "abort_on_error=1:detect_leaks=0:" + "malloc_context_size=0:symbolize=0:" + "allocator_may_return_null=1:" + "detect_odr_violation=0:handle_segv=0:" + "handle_sigbus=0:handle_abort=0:" + "handle_sigfpe=0:handle_sigill=0" + ) + os.environ["UBSAN_OPTIONS"] = ( + "abort_on_error=1:" + "allocator_release_to_os_interval_ms=500:" + "handle_abort=0:handle_segv=0:" + "handle_sigbus=0:handle_sigfpe=0:" + "handle_sigill=0:print_stacktrace=0:" + "symbolize=0:symbolize_inline_frames=0" + ) + # Create at least one non-empty seed to start. 
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = "/libafl_fuzzbench/target/release/weighted_cc"
+ os.environ["CXX"] = "/libafl_fuzzbench/target/release/weighted_cxx"
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"])
diff --git a/fuzzers/my_libafl/libafl_weighted_scheduler/runner.Dockerfile b/fuzzers/my_libafl/libafl_weighted_scheduler/runner.Dockerfile
new file mode 100644
index 000000000..77492efa4
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_weighted_scheduler/runner.Dockerfile
@@ -0,0 +1,24 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/fuzzbench/base-image + +# This makes interactive docker runs painless: +ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out" +#ENV AFL_MAP_SIZE=2621440 +ENV PATH="$PATH:/out" +ENV AFL_SKIP_CPUFREQ=1 +ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 +ENV AFL_TESTCACHE_SIZE=2 + From 962257df6ed990c447a9df86185f65a7d0c51971 Mon Sep 17 00:00:00 2001 From: Zuka Tsinadze Date: Mon, 10 Mar 2025 13:50:27 +0100 Subject: [PATCH 03/12] dd --- experiment-config.yaml | 23 ----------------------- 1 file changed, 23 deletions(-) delete mode 100644 experiment-config.yaml diff --git a/experiment-config.yaml b/experiment-config.yaml deleted file mode 100644 index 577e15de1..000000000 --- a/experiment-config.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -# The number of trials of a fuzzer-benchmark pair. -trials: 5 - -# The amount of time in seconds that each trial is run for. -# 1 day = 24 * 60 * 60 = 86400 -max_total_time: 3600 - -# The location of the docker registry. -# FIXME: Support custom docker registry. -# See https://github.com/google/fuzzbench/issues/777 -docker_registry: gcr.io/fuzzbench - -# The local experiment folder that will store most of the experiment data. -# Please use an absolute path. -experiment_filestore: /home/zuka/zuka/thesis/data/local-runs/experiment-data - -# The local report folder where HTML reports and summary data will be stored. -# Please use an absolute path. -report_filestore: /home/zuka/zuka/thesis/data/local-runs/report-data - -# Flag that indicates this is a local experiment. -local_experiment: true - From f70fb1a712202959f4b94562ad171689d7ada076 Mon Sep 17 00:00:00 2001 From: Zuka Tsinadze Date: Mon, 10 Mar 2025 14:02:02 +0100 Subject: [PATCH 04/12] test tag --- docker/image_types.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/image_types.yaml b/docker/image_types.yaml index e292224bd..016147a49 100644 --- a/docker/image_types.yaml +++ b/docker/image_types.yaml @@ -76,7 +76,7 @@ - 'base-image' dockerfile: 'docker/benchmark-builder/Dockerfile' context: '.' - tag: 'builders/{fuzzer}/{benchmark}' + tag: 'builders/{fuzzer}/{benchmark}-debug' type: 'builder' '{fuzzer}-{benchmark}-builder': From 4eef921c18346e9ad999da922e2661393d42df19 Mon Sep 17 00:00:00 2001 From: Zuka Tsinadze Date: Mon, 10 Mar 2025 22:18:47 +0100 Subject: [PATCH 05/12] test measurer breaking out --- experiment/measurer/measure_manager.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/experiment/measurer/measure_manager.py b/experiment/measurer/measure_manager.py index b3813653d..112483551 100644 --- a/experiment/measurer/measure_manager.py +++ b/experiment/measurer/measure_manager.py 
@@ -814,12 +814,15 @@ def measure_manager_loop(experiment: str,
 max_cycle = _time_to_cycle(max_total_time)
 queued_snapshots = set()
 
- while not scheduler.all_trials_ended(experiment):
+ while True:
 continue_inner_loop = measure_manager_inner_loop(
 experiment, max_cycle, request_queue, response_queue,
 queued_snapshots)
 if not continue_inner_loop:
- break
+ logger.info("Zuka: measure inner loop returned False and that's why it was breaking out")
+ # break
+ if scheduler.all_trials_ended(experiment):
+ logger.info("Zuka: all trials ended")
 time.sleep(MEASUREMENT_LOOP_WAIT)
 
 logger.info('All trials ended. Ending measure manager loop')
From 1eeadf5947fd13366d4ef74f897e421d11f954ec Mon Sep 17 00:00:00 2001
From: Zuka Tsinadze
Date: Mon, 10 Mar 2025 23:05:48 +0100
Subject: [PATCH 06/12] fix measurer race condition
---
 experiment/measurer/measure_manager.py | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/experiment/measurer/measure_manager.py b/experiment/measurer/measure_manager.py
index 112483551..d74b61148 100644
--- a/experiment/measurer/measure_manager.py
+++ b/experiment/measurer/measure_manager.py
@@ -814,15 +814,12 @@ def measure_manager_loop(experiment: str,
 max_cycle = _time_to_cycle(max_total_time)
 queued_snapshots = set()
 
- while True:
+ while not scheduler.all_trials_ended(experiment):
 continue_inner_loop = measure_manager_inner_loop(
 experiment, max_cycle, request_queue, response_queue,
 queued_snapshots)
- if not continue_inner_loop:
- logger.info("Zuka: measure inner loop returned False and that's why it was breaking out")
- # break
- if scheduler.all_trials_ended(experiment):
- logger.info("Zuka: all trials ended")
+ # if not continue_inner_loop:
+ # break
 time.sleep(MEASUREMENT_LOOP_WAIT)
 
 logger.info('All trials ended. Ending measure manager loop')
From ca6925a7dd41569eb2b1daa38bcc1bdf70df3389 Mon Sep 17 00:00:00 2001
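Review bot: In the second hunk (PATCH 06) `continue_inner_loop` is still assigned but nothing reads it once the `break` is reduced to `# if not continue_inner_loop:` / `# break`, so the binding is dead and the commented-out lines are leftover scaffolding from the PATCH 05 experiment. If ignoring the inner loop's verdict is the intended race fix — the loop now exits only when `scheduler.all_trials_ended(experiment)` is true — record that in a real comment and drop the binding, e.g. replace the three lines with `# Deliberately ignore the inner loop's return value: exiting on it raced with trials that had not finished; all_trials_ended() is the only exit condition.` and call `measure_manager_inner_loop(...)` as a bare statement. If the inner loop can also return False for a fatal reason, that path is now silently retried every MEASUREMENT_LOOP_WAIT — worth a sentence in the same comment. measure_manager_loop's body begins before this hunk.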
From: Zuka Tsinadze Date: Sun, 16 Mar 2025 14:41:15 +0100 Subject: [PATCH 07/12] new targets --- benchmarks/libaom_av1_dec_fuzzer/Dockerfile | 23 ++++ .../libaom_av1_dec_fuzzer/benchmark.yaml | 5 + benchmarks/libaom_av1_dec_fuzzer/build.sh | 69 ++++++++++++ .../libvpx_vpx_dec_fuzzer_vp8/Dockerfile | 22 ++++ .../libvpx_vpx_dec_fuzzer_vp8/benchmark.yaml | 4 + benchmarks/libvpx_vpx_dec_fuzzer_vp8/build.sh | 63 +++++++++++ .../vpx_dec_fuzzer.dict | 8 ++ .../libvpx_vpx_dec_fuzzer_vp9/Dockerfile | 22 ++++ .../libvpx_vpx_dec_fuzzer_vp9/benchmark.yaml | 4 + benchmarks/libvpx_vpx_dec_fuzzer_vp9/build.sh | 63 +++++++++++ .../vpx_dec_fuzzer.dict | 8 ++ benchmarks/mruby_mruby_fuzzer/Dockerfile | 24 ++++ benchmarks/mruby_mruby_fuzzer/benchmark.yaml | 5 + benchmarks/mruby_mruby_fuzzer/build.sh | 44 ++++++++ benchmarks/mruby_mruby_fuzzer/mruby.dict | 105 ++++++++++++++++++ benchmarks/mruby_mruby_fuzzer/mruby_fuzzer.c | 18 +++ benchmarks/nodejs_fuzz_x509/Dockerfile | 22 ++++ benchmarks/nodejs_fuzz_x509/benchmark.yaml | 4 + benchmarks/nodejs_fuzz_x509/build.sh | 66 +++++++++++ benchmarks/nodejs_fuzz_x509/fuzz_url.cc | 25 +++++ benchmarks/php_php-fuzz-execute/Dockerfile | 27 +++++ .../php_php-fuzz-execute/benchmark.yaml | 53 +++++++++ benchmarks/php_php-fuzz-execute/build.sh | 79 +++++++++++++ benchmarks/php_php-fuzz-execute/cosmic.list | 2 + .../php_php-fuzz-execute/testcases/24387 | 1 + .../php_php-fuzz-execute/testcases/24401 | 1 + .../php_php-fuzz-execute/testcases/24403 | 1 + .../php_php-fuzz-execute/testcases/24405 | Bin 0 -> 79 bytes .../php_php-fuzz-execute/testcases/24423 | 1 + .../php_php-fuzz-execute/testcases/24436 | 1 + .../php_php-fuzz-execute/testcases/24567 | 1 + .../php_php-fuzz-execute/testcases/24627 | 1 + benchmarks/php_php-fuzz-exif/Dockerfile | 27 +++++ benchmarks/php_php-fuzz-exif/benchmark.yaml | 53 +++++++++ benchmarks/php_php-fuzz-exif/build.sh | 79 +++++++++++++ benchmarks/php_php-fuzz-exif/cosmic.list | 2 + benchmarks/php_php-fuzz-exif/testcases/24387 | 1 
+ benchmarks/php_php-fuzz-exif/testcases/24401 | 1 + benchmarks/php_php-fuzz-exif/testcases/24403 | 1 + benchmarks/php_php-fuzz-exif/testcases/24405 | Bin 0 -> 79 bytes benchmarks/php_php-fuzz-exif/testcases/24423 | 1 + benchmarks/php_php-fuzz-exif/testcases/24436 | 1 + benchmarks/php_php-fuzz-exif/testcases/24567 | 1 + benchmarks/php_php-fuzz-exif/testcases/24627 | 1 + benchmarks/php_php-fuzz-parser/Dockerfile | 27 +++++ benchmarks/php_php-fuzz-parser/benchmark.yaml | 53 +++++++++ benchmarks/php_php-fuzz-parser/build.sh | 79 +++++++++++++ benchmarks/php_php-fuzz-parser/cosmic.list | 2 + .../php_php-fuzz-parser/testcases/24387 | 1 + .../php_php-fuzz-parser/testcases/24401 | 1 + .../php_php-fuzz-parser/testcases/24403 | 1 + .../php_php-fuzz-parser/testcases/24405 | Bin 0 -> 79 bytes .../php_php-fuzz-parser/testcases/24423 | 1 + .../php_php-fuzz-parser/testcases/24436 | 1 + .../php_php-fuzz-parser/testcases/24567 | 1 + .../php_php-fuzz-parser/testcases/24627 | 1 + .../php_php-fuzz-unserialize/Dockerfile | 27 +++++ .../php_php-fuzz-unserialize/benchmark.yaml | 53 +++++++++ benchmarks/php_php-fuzz-unserialize/build.sh | 79 +++++++++++++ .../php_php-fuzz-unserialize/cosmic.list | 2 + .../php_php-fuzz-unserialize/testcases/24387 | 1 + .../php_php-fuzz-unserialize/testcases/24401 | 1 + .../php_php-fuzz-unserialize/testcases/24403 | 1 + .../php_php-fuzz-unserialize/testcases/24405 | Bin 0 -> 79 bytes .../php_php-fuzz-unserialize/testcases/24423 | 1 + .../php_php-fuzz-unserialize/testcases/24436 | 1 + .../php_php-fuzz-unserialize/testcases/24567 | 1 + .../php_php-fuzz-unserialize/testcases/24627 | 1 + .../php_php-fuzz-unserializehash/Dockerfile | 27 +++++ .../benchmark.yaml | 53 +++++++++ .../php_php-fuzz-unserializehash/build.sh | 79 +++++++++++++ .../php_php-fuzz-unserializehash/cosmic.list | 2 + .../testcases/24387 | 1 + .../testcases/24401 | 1 + .../testcases/24403 | 1 + .../testcases/24405 | Bin 0 -> 79 bytes .../testcases/24423 | 1 + .../testcases/24436 | 1 + 
.../testcases/24567 | 1 + .../testcases/24627 | 1 + 80 files changed, 1444 insertions(+) create mode 100644 benchmarks/libaom_av1_dec_fuzzer/Dockerfile create mode 100644 benchmarks/libaom_av1_dec_fuzzer/benchmark.yaml create mode 100644 benchmarks/libaom_av1_dec_fuzzer/build.sh create mode 100644 benchmarks/libvpx_vpx_dec_fuzzer_vp8/Dockerfile create mode 100644 benchmarks/libvpx_vpx_dec_fuzzer_vp8/benchmark.yaml create mode 100755 benchmarks/libvpx_vpx_dec_fuzzer_vp8/build.sh create mode 100644 benchmarks/libvpx_vpx_dec_fuzzer_vp8/vpx_dec_fuzzer.dict create mode 100644 benchmarks/libvpx_vpx_dec_fuzzer_vp9/Dockerfile create mode 100644 benchmarks/libvpx_vpx_dec_fuzzer_vp9/benchmark.yaml create mode 100755 benchmarks/libvpx_vpx_dec_fuzzer_vp9/build.sh create mode 100644 benchmarks/libvpx_vpx_dec_fuzzer_vp9/vpx_dec_fuzzer.dict create mode 100644 benchmarks/mruby_mruby_fuzzer/Dockerfile create mode 100644 benchmarks/mruby_mruby_fuzzer/benchmark.yaml create mode 100755 benchmarks/mruby_mruby_fuzzer/build.sh create mode 100644 benchmarks/mruby_mruby_fuzzer/mruby.dict create mode 100644 benchmarks/mruby_mruby_fuzzer/mruby_fuzzer.c create mode 100644 benchmarks/nodejs_fuzz_x509/Dockerfile create mode 100644 benchmarks/nodejs_fuzz_x509/benchmark.yaml create mode 100755 benchmarks/nodejs_fuzz_x509/build.sh create mode 100644 benchmarks/nodejs_fuzz_x509/fuzz_url.cc create mode 100644 benchmarks/php_php-fuzz-execute/Dockerfile create mode 100644 benchmarks/php_php-fuzz-execute/benchmark.yaml create mode 100755 benchmarks/php_php-fuzz-execute/build.sh create mode 100644 benchmarks/php_php-fuzz-execute/cosmic.list create mode 100644 benchmarks/php_php-fuzz-execute/testcases/24387 create mode 100644 benchmarks/php_php-fuzz-execute/testcases/24401 create mode 100644 benchmarks/php_php-fuzz-execute/testcases/24403 create mode 100644 benchmarks/php_php-fuzz-execute/testcases/24405 create mode 100644 benchmarks/php_php-fuzz-execute/testcases/24423 create mode 100644 
benchmarks/php_php-fuzz-execute/testcases/24436 create mode 100644 benchmarks/php_php-fuzz-execute/testcases/24567 create mode 100644 benchmarks/php_php-fuzz-execute/testcases/24627 create mode 100644 benchmarks/php_php-fuzz-exif/Dockerfile create mode 100644 benchmarks/php_php-fuzz-exif/benchmark.yaml create mode 100755 benchmarks/php_php-fuzz-exif/build.sh create mode 100644 benchmarks/php_php-fuzz-exif/cosmic.list create mode 100644 benchmarks/php_php-fuzz-exif/testcases/24387 create mode 100644 benchmarks/php_php-fuzz-exif/testcases/24401 create mode 100644 benchmarks/php_php-fuzz-exif/testcases/24403 create mode 100644 benchmarks/php_php-fuzz-exif/testcases/24405 create mode 100644 benchmarks/php_php-fuzz-exif/testcases/24423 create mode 100644 benchmarks/php_php-fuzz-exif/testcases/24436 create mode 100644 benchmarks/php_php-fuzz-exif/testcases/24567 create mode 100644 benchmarks/php_php-fuzz-exif/testcases/24627 create mode 100644 benchmarks/php_php-fuzz-parser/Dockerfile create mode 100644 benchmarks/php_php-fuzz-parser/benchmark.yaml create mode 100755 benchmarks/php_php-fuzz-parser/build.sh create mode 100644 benchmarks/php_php-fuzz-parser/cosmic.list create mode 100644 benchmarks/php_php-fuzz-parser/testcases/24387 create mode 100644 benchmarks/php_php-fuzz-parser/testcases/24401 create mode 100644 benchmarks/php_php-fuzz-parser/testcases/24403 create mode 100644 benchmarks/php_php-fuzz-parser/testcases/24405 create mode 100644 benchmarks/php_php-fuzz-parser/testcases/24423 create mode 100644 benchmarks/php_php-fuzz-parser/testcases/24436 create mode 100644 benchmarks/php_php-fuzz-parser/testcases/24567 create mode 100644 benchmarks/php_php-fuzz-parser/testcases/24627 create mode 100644 benchmarks/php_php-fuzz-unserialize/Dockerfile create mode 100644 benchmarks/php_php-fuzz-unserialize/benchmark.yaml create mode 100755 benchmarks/php_php-fuzz-unserialize/build.sh create mode 100644 benchmarks/php_php-fuzz-unserialize/cosmic.list create mode 100644 
benchmarks/php_php-fuzz-unserialize/testcases/24387 create mode 100644 benchmarks/php_php-fuzz-unserialize/testcases/24401 create mode 100644 benchmarks/php_php-fuzz-unserialize/testcases/24403 create mode 100644 benchmarks/php_php-fuzz-unserialize/testcases/24405 create mode 100644 benchmarks/php_php-fuzz-unserialize/testcases/24423 create mode 100644 benchmarks/php_php-fuzz-unserialize/testcases/24436 create mode 100644 benchmarks/php_php-fuzz-unserialize/testcases/24567 create mode 100644 benchmarks/php_php-fuzz-unserialize/testcases/24627 create mode 100644 benchmarks/php_php-fuzz-unserializehash/Dockerfile create mode 100644 benchmarks/php_php-fuzz-unserializehash/benchmark.yaml create mode 100755 benchmarks/php_php-fuzz-unserializehash/build.sh create mode 100644 benchmarks/php_php-fuzz-unserializehash/cosmic.list create mode 100644 benchmarks/php_php-fuzz-unserializehash/testcases/24387 create mode 100644 benchmarks/php_php-fuzz-unserializehash/testcases/24401 create mode 100644 benchmarks/php_php-fuzz-unserializehash/testcases/24403 create mode 100644 benchmarks/php_php-fuzz-unserializehash/testcases/24405 create mode 100644 benchmarks/php_php-fuzz-unserializehash/testcases/24423 create mode 100644 benchmarks/php_php-fuzz-unserializehash/testcases/24436 create mode 100644 benchmarks/php_php-fuzz-unserializehash/testcases/24567 create mode 100644 benchmarks/php_php-fuzz-unserializehash/testcases/24627 diff --git a/benchmarks/libaom_av1_dec_fuzzer/Dockerfile b/benchmarks/libaom_av1_dec_fuzzer/Dockerfile new file mode 100644 index 000000000..17658fab1 --- /dev/null +++ b/benchmarks/libaom_av1_dec_fuzzer/Dockerfile 
@@ -0,0 +1,23 @@ +# Copyright 2018 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd + +RUN apt-get update && apt-get install -y cmake yasm wget +RUN git clone https://aomedia.googlesource.com/aom +ADD https://storage.googleapis.com/aom-test-data/fuzzer/dec_fuzzer_seed_corpus.zip $SRC/ +COPY build.sh $SRC/ +WORKDIR aom diff --git a/benchmarks/libaom_av1_dec_fuzzer/benchmark.yaml b/benchmarks/libaom_av1_dec_fuzzer/benchmark.yaml new file mode 100644 index 000000000..ca821a244 --- /dev/null +++ b/benchmarks/libaom_av1_dec_fuzzer/benchmark.yaml @@ -0,0 +1,5 @@ +# 4601636403675136 +commit: 6E184898310E49E33231B508618D6FDE8B84AB90 +fuzz_target: av1_dec_fuzzer +project: libaom + diff --git a/benchmarks/libaom_av1_dec_fuzzer/build.sh b/benchmarks/libaom_av1_dec_fuzzer/build.sh new file mode 100644 index 000000000..53c87ebfc --- /dev/null +++ b/benchmarks/libaom_av1_dec_fuzzer/build.sh 
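Review bot: `ADD https://storage.googleapis.com/aom-test-data/fuzzer/dec_fuzzer_seed_corpus.zip $SRC/` fetches the seed corpus at build time with no integrity check, so the benchmark image is only as reproducible as that remote object; record the expected digest beside it (e.g. `RUN echo '<EXPECTED_SHA256>  dec_fuzzer_seed_corpus.zip' | sha256sum -c`, digest to be captured from a trusted fetch) or vendor the archive the way the libvpx benchmarks vendor their `.dict`. The `benchmark.yaml` hunk on the same line omits the `commit_date` field that the libvpx, mruby and nodejs yamls in this commit carry, and opens with an unexplained `# 4601636403675136` comment; if `commit_date` is read by the experiment tooling this benchmark will be handled differently — confirm and add it.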
@@ -0,0 +1,69 @@ +#!/bin/bash -eu +# Copyright 2018 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# Build libaom +build_dir=$WORK/build +mkdir -p ${build_dir} +pushd ${build_dir} +# Remove files generated by the previous build. +rm -rf ./* + +# oss-fuzz has 2 GB total memory allocation limit. So, we limit per-allocation +# limit in libaom to 1 GB to avoid OOM errors. A smaller per-allocation is +# needed for MemorySanitizer (see bug oss-fuzz:9497 and bug oss-fuzz:9499). +if [[ $CFLAGS = *sanitize=memory* ]]; then + extra_c_flags='-DAOM_MAX_ALLOCABLE_MEMORY=536870912' +else + extra_c_flags='-DAOM_MAX_ALLOCABLE_MEMORY=1073741824' +fi +# Also, enable DO_RANGE_CHECK_CLAMP to suppress the noise of integer overflows +# in the transform functions. +extra_c_flags+=' -DDO_RANGE_CHECK_CLAMP=1' + +extra_cmake_flags= +# MemorySanitizer requires that all program code is instrumented. Therefore we +# need to replace all inline assembly code that writes to memory with pure C +# code. Disable all assembly code for MemorySanitizer. 
+if [[ $CFLAGS = *sanitize=memory* ]]; then + extra_cmake_flags+="-DAOM_TARGET_CPU=generic" +fi + +cmake $SRC/aom -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS_RELEASE='-O3 -g' \ + -DCMAKE_CXX_FLAGS_RELEASE='-O3 -g' -DCONFIG_PIC=1 -DCONFIG_LOWBITDEPTH=1 \ + -DCONFIG_AV1_ENCODER=0 -DENABLE_EXAMPLES=0 -DENABLE_DOCS=0 -DENABLE_TESTS=0 \ + -DCONFIG_SIZE_LIMIT=1 -DDECODE_HEIGHT_LIMIT=12288 -DDECODE_WIDTH_LIMIT=12288 \ + -DAOM_EXTRA_C_FLAGS="${extra_c_flags}" -DENABLE_TOOLS=0 \ + -DAOM_EXTRA_CXX_FLAGS="${extra_c_flags}" ${extra_cmake_flags} +make -j$(nproc) +popd + +# build fuzzers +fuzzer_src_name=av1_dec_fuzzer +fuzzer_name=${fuzzer_src_name} + +$CXX $CXXFLAGS -std=c++11 \ + -I$SRC/aom \ + -I${build_dir} \ + -Wl,--start-group \ + $LIB_FUZZING_ENGINE \ + $SRC/aom/examples/${fuzzer_src_name}.cc -o $OUT/${fuzzer_name} \ + ${build_dir}/libaom.a -Wl,--end-group + +# copy seed corpus. +cp $SRC/dec_fuzzer_seed_corpus.zip $OUT/${fuzzer_name}_seed_corpus.zip +cp $SRC/aom/examples/av1_dec_fuzzer.dict $OUT/${fuzzer_name}.dict + diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp8/Dockerfile b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/Dockerfile new file mode 100644 index 000000000..8fdd762ca --- /dev/null +++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/Dockerfile 
@@ -0,0 +1,22 @@ +# Copyright 2018 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder@sha256:fb1a9a49752c9e504687448d1f1a048ec1e062e2e40f7e8a23e86b63ff3dad7c +RUN apt-get update && apt-get install -y yasm wget gcc +RUN git clone https://chromium.googlesource.com/webm/libvpx +ADD https://storage.googleapis.com/downloads.webmproject.org/test_data/fuzzer/vpx_fuzzer_seed_corpus.zip $SRC/ +COPY build.sh vpx_dec_fuzzer.dict $SRC/ +WORKDIR libvpx diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp8/benchmark.yaml b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/benchmark.yaml new file mode 100644 index 000000000..8f8671d16 --- /dev/null +++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/benchmark.yaml @@ -0,0 +1,4 @@ +commit: 349820a50dd2c0afbfb26f7b12fc1a83588a52c0 +commit_date: 2025-03-13 22:58:09+00:00 +fuzz_target: vpx_dec_fuzzer_vp8 +project: libvpx diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp8/build.sh b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/build.sh new file mode 100755 index 000000000..15d9ea9fc --- /dev/null +++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/build.sh 
@@ -0,0 +1,63 @@ +#!/bin/bash -eu +# Copyright 2018 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# Build libvpx +build_dir=$WORK/build +rm -rf ${build_dir} +mkdir -p ${build_dir} +pushd ${build_dir} + +# oss-fuzz has 2 GB total memory allocation limit. So, we limit per-allocation +# limit in libvpx to 1 GB to avoid OOM errors. A smaller per-allocation is +# needed for MemorySanitizer (see bug oss-fuzz:9497 and bug oss-fuzz:9499). 
+if [[ $CFLAGS = *sanitize=memory* ]]; then + extra_c_flags='-DVPX_MAX_ALLOCABLE_MEMORY=536870912' +else + extra_c_flags='-DVPX_MAX_ALLOCABLE_MEMORY=1073741824' +fi + +LDFLAGS="$CXXFLAGS" LD=$CXX $SRC/libvpx/configure \ + --enable-vp9-highbitdepth \ + --disable-unit-tests \ + --disable-examples \ + --size-limit=12288x12288 \ + --extra-cflags="${extra_c_flags}" \ + --disable-webm-io \ + --enable-debug \ + --disable-vp8-encoder \ + --disable-vp9-encoder +make -j$(nproc) all +popd + +# build fuzzers +fuzzer_src_name=vpx_dec_fuzzer +fuzzer_decoders=( 'vp9' 'vp8' ) +for decoder in "${fuzzer_decoders[@]}"; do + fuzzer_name=${fuzzer_src_name}"_"${decoder} + + $CXX $CXXFLAGS -std=c++11 \ + -DDECODER=${decoder} \ + -I$SRC/libvpx \ + -I${build_dir} \ + -Wl,--start-group \ + $LIB_FUZZING_ENGINE \ + $SRC/libvpx/examples/${fuzzer_src_name}.cc -o $OUT/${fuzzer_name} \ + ${build_dir}/libvpx.a \ + -Wl,--end-group + cp $SRC/vpx_fuzzer_seed_corpus.zip $OUT/${fuzzer_name}_seed_corpus.zip + cp $SRC/vpx_dec_fuzzer.dict $OUT/${fuzzer_name}.dict +done diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp8/vpx_dec_fuzzer.dict b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/vpx_dec_fuzzer.dict new file mode 100644 index 000000000..c6dc18077 --- /dev/null +++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/vpx_dec_fuzzer.dict @@ -0,0 +1,8 @@ +# IVF Signature + version (bytes 0-5) +kw1="DKIF\x00\x00" + +# VP9 codec fourCC (bytes 8-11) +kw2="VP90" + +# VP8 codec fourCC (bytes 8-11) +kw3="VP80" diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp9/Dockerfile b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/Dockerfile new file mode 100644 index 000000000..8fdd762ca --- /dev/null +++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/Dockerfile 
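Review bot: `fuzzer_decoders=( 'vp9' 'vp8' )` builds and copies both decoder fuzzers plus their seed corpus and dict into `$OUT`, although this benchmark's `benchmark.yaml` names only `vpx_dec_fuzzer_vp8`; the `libvpx_vpx_dec_fuzzer_vp9/build.sh` hunk further down is a byte-identical copy (same blob id `15d9ea9fc`) and does the same in reverse. Each copy should list just its own decoder — `fuzzer_decoders=( 'vp8' )` here and `fuzzer_decoders=( 'vp9' )` there — which halves the link step and keeps a stray `vpx_dec_fuzzer_vp9` binary out of the vp8 image. If the runner only ever launches the named fuzz_target this is wasted build time rather than a functional bug, but the two directories will drift silently once either is edited.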
@@ -0,0 +1,22 @@ +# Copyright 2018 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder@sha256:fb1a9a49752c9e504687448d1f1a048ec1e062e2e40f7e8a23e86b63ff3dad7c +RUN apt-get update && apt-get install -y yasm wget gcc +RUN git clone https://chromium.googlesource.com/webm/libvpx +ADD https://storage.googleapis.com/downloads.webmproject.org/test_data/fuzzer/vpx_fuzzer_seed_corpus.zip $SRC/ +COPY build.sh vpx_dec_fuzzer.dict $SRC/ +WORKDIR libvpx diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp9/benchmark.yaml b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/benchmark.yaml new file mode 100644 index 000000000..a276559c2 --- /dev/null +++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/benchmark.yaml @@ -0,0 +1,4 @@ +commit: 349820a50dd2c0afbfb26f7b12fc1a83588a52c0 +commit_date: 2025-03-13 22:58:09+00:00 +fuzz_target: vpx_dec_fuzzer_vp9 +project: libvpx diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp9/build.sh b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/build.sh new file mode 100755 index 000000000..15d9ea9fc --- /dev/null +++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/build.sh 
@@ -0,0 +1,63 @@ +#!/bin/bash -eu +# Copyright 2018 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# Build libvpx +build_dir=$WORK/build +rm -rf ${build_dir} +mkdir -p ${build_dir} +pushd ${build_dir} + +# oss-fuzz has 2 GB total memory allocation limit. So, we limit per-allocation +# limit in libvpx to 1 GB to avoid OOM errors. A smaller per-allocation is +# needed for MemorySanitizer (see bug oss-fuzz:9497 and bug oss-fuzz:9499). 
+if [[ $CFLAGS = *sanitize=memory* ]]; then + extra_c_flags='-DVPX_MAX_ALLOCABLE_MEMORY=536870912' +else + extra_c_flags='-DVPX_MAX_ALLOCABLE_MEMORY=1073741824' +fi + +LDFLAGS="$CXXFLAGS" LD=$CXX $SRC/libvpx/configure \ + --enable-vp9-highbitdepth \ + --disable-unit-tests \ + --disable-examples \ + --size-limit=12288x12288 \ + --extra-cflags="${extra_c_flags}" \ + --disable-webm-io \ + --enable-debug \ + --disable-vp8-encoder \ + --disable-vp9-encoder +make -j$(nproc) all +popd + +# build fuzzers +fuzzer_src_name=vpx_dec_fuzzer +fuzzer_decoders=( 'vp9' 'vp8' ) +for decoder in "${fuzzer_decoders[@]}"; do + fuzzer_name=${fuzzer_src_name}"_"${decoder} + + $CXX $CXXFLAGS -std=c++11 \ + -DDECODER=${decoder} \ + -I$SRC/libvpx \ + -I${build_dir} \ + -Wl,--start-group \ + $LIB_FUZZING_ENGINE \ + $SRC/libvpx/examples/${fuzzer_src_name}.cc -o $OUT/${fuzzer_name} \ + ${build_dir}/libvpx.a \ + -Wl,--end-group + cp $SRC/vpx_fuzzer_seed_corpus.zip $OUT/${fuzzer_name}_seed_corpus.zip + cp $SRC/vpx_dec_fuzzer.dict $OUT/${fuzzer_name}.dict +done diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp9/vpx_dec_fuzzer.dict b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/vpx_dec_fuzzer.dict new file mode 100644 index 000000000..c6dc18077 --- /dev/null +++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/vpx_dec_fuzzer.dict @@ -0,0 +1,8 @@ +# IVF Signature + version (bytes 0-5) +kw1="DKIF\x00\x00" + +# VP9 codec fourCC (bytes 8-11) +kw2="VP90" + +# VP8 codec fourCC (bytes 8-11) +kw3="VP80" diff --git a/benchmarks/mruby_mruby_fuzzer/Dockerfile b/benchmarks/mruby_mruby_fuzzer/Dockerfile new file mode 100644 index 000000000..e1c07b611 --- /dev/null +++ b/benchmarks/mruby_mruby_fuzzer/Dockerfile 
@@ -0,0 +1,24 @@ +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd +RUN apt-get update && apt-get install -y build-essential ruby bison ninja-build \ + cmake zlib1g-dev libbz2-dev liblzma-dev +RUN git clone \ + https://github.com/mruby/mruby +RUN git clone --depth 1 https://github.com/bshastry/mruby_seeds.git mruby_seeds +WORKDIR mruby +COPY build.sh *.c *.options *.dict $SRC/ diff --git a/benchmarks/mruby_mruby_fuzzer/benchmark.yaml b/benchmarks/mruby_mruby_fuzzer/benchmark.yaml new file mode 100644 index 000000000..1b666c977 --- /dev/null +++ b/benchmarks/mruby_mruby_fuzzer/benchmark.yaml @@ -0,0 +1,5 @@ +commit: 8c8bbd94dce3b3eabcf72c674e690516c075b0ee +commit_date: 2023-02-03T04:41:10+0000 +fuzz_target: mruby_fuzzer +project: mruby +unsupported_fuzzers: diff --git a/benchmarks/mruby_mruby_fuzzer/build.sh b/benchmarks/mruby_mruby_fuzzer/build.sh new file mode 100755 index 000000000..f984cc040 --- /dev/null +++ b/benchmarks/mruby_mruby_fuzzer/build.sh 
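Review bot: `COPY build.sh *.c *.options *.dict $SRC/` lists an `*.options` pattern, but this commit adds no `.options` file under the mruby benchmark (its diffstat entries are Dockerfile, benchmark.yaml, build.sh, mruby.dict and mruby_fuzzer.c); BuildKit tolerates an empty wildcard when another source matches, the legacy builder may not, so drop it: `COPY build.sh *.c *.dict $SRC/`. In the `benchmark.yaml` hunk on the same line, `unsupported_fuzzers:` with no value parses as YAML null rather than an empty sequence; if the loader iterates that key, write `unsupported_fuzzers: []` or remove the key.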
@@ -0,0 +1,44 @@ +#!/bin/bash -eu +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# Instrument mruby +( +cd $SRC/mruby +export LD=$CC +export LDFLAGS="$CFLAGS -fPIE" + +# No you cannot overwrite CC/CXX, otherwise afl++, libafl, etc. wont work! +#LD=/usr/local/bin/clang CC=/usr/local/bin/clang CXX=/usr/local/bin/clang++ rake -m || true +rake -m || true + +test -f $SRC/mruby/build/host/lib/libmruby.a + +# build fuzzers +FUZZ_TARGET=$SRC/mruby_fuzzer.c +name=$(basename $FUZZ_TARGET .c) +$CC -c $CFLAGS -Iinclude \ + ${FUZZ_TARGET} -o $OUT/${name}.o +$CXX $CXXFLAGS $OUT/${name}.o $LIB_FUZZING_ENGINE -lm \ + $SRC/mruby/build/host/lib/libmruby.a -o $OUT/${name} +rm -f $OUT/${name}.o +) + +# dict +cp $SRC/mruby.dict $OUT/mruby_fuzzer.dict + +# seeds +zip -rq $OUT/mruby_fuzzer_seed_corpus $SRC/mruby_seeds diff --git a/benchmarks/mruby_mruby_fuzzer/mruby.dict b/benchmarks/mruby_mruby_fuzzer/mruby.dict new file mode 100644 index 000000000..a332d3505 --- /dev/null +++ b/benchmarks/mruby_mruby_fuzzer/mruby.dict 
@@ -0,0 +1,105 @@ +keyword___ENCODING__="__ENCODING__" +keyword___FILE__="__FILE__" +keyword___LINE__="__LINE__" +keyword_BEGIN="BEGIN" +keyword_END="END" +keyword_alias="alias" +keyword_and="and" +keyword_begin="begin" +keyword_break="break" +keyword_case="case" +keyword_class="class" +keyword_def="def" +keyword_do="do" +keyword_else="else" +keyword_elsif="elsif" +keyword_end="end" +keyword_ensure="ensure" +keyword_false="false" +keyword_for="for" +keyword_if="if" +keyword_in="in" +keyword_module="module" +keyword_next="next" +keyword_nil="nil" +keyword_not="not" +keyword_or="or" +keyword_redo="redo" +keyword_rescue="rescue" +keyword_retry="retry" +keyword_return="return" +keyword_self="self" +keyword_super="super" +keyword_then="then" +keyword_true="true" +keyword_undef="undef" +keyword_unless="unless" +keyword_until="until" +keyword_when="when" +keyword_while="while" +keyword_yield="yield" + +operator_a=" !" +operator_b=" ~" +operator_c=" +" +operator_d=" -" +operator_e=" []" +operator_f=" []=" +operator_g=" *" +operator_h=" /" +operator_i=" %" +operator_j=" +-" +operator_k=" >>" +operator_l=" <<" +operator_m=" &" +operator_n=" ^" +operator_o=" |" +operator_p=" <=" +operator_q=" <>" +operator_r=" >=" +operator_s=" <=>" +operator_t=" ==" +operator_u=" ===" +operator_v=" !=" +operator_w=" =~" +operator_x=" !~" +operator_y=" &&" +operator_z=" ||" +operator_aa=" .." +operator_ab=" ..." +operator_ac=" ?" 
+operator_ad=" :" +operator_ae=" =" +operator_af=" %=" +operator_ag=" /=" +operator_ah=" -=" +operator_ai=" +=" +operator_aj=" |=" +operator_ak=" &=" +operator_al=" >>=" +operator_am=" <<=" +operator_an=" *=" +operator_ao=" &&=" +operator_ap=" ||=" +operator_aq=" **=" +operator_ar=" ^=" +operator_as=" not" +operator_at=" or" +operator_au=" and" +operator_av=" if" +operator_aw=" unless" +operator_ax=" while" +operator_ay=" until" +operator_az=" begin" +operator_ba=" end" + +snippet_1eq1=" 1=1" +snippet_dollar=" $1" +snippet_at=" @a" +snippet_symbol=" :a" +snippet_array=" [1,2]" +snippet_block=" 1.times{|x| x}" +snippet_multi=" 1*1" + +string_single_q=" 'a'" +string_dbl_q=" \"a\"" diff --git a/benchmarks/mruby_mruby_fuzzer/mruby_fuzzer.c b/benchmarks/mruby_mruby_fuzzer/mruby_fuzzer.c new file mode 100644 index 000000000..9d3d44a5b --- /dev/null +++ b/benchmarks/mruby_mruby_fuzzer/mruby_fuzzer.c @@ -0,0 +1,18 @@ +#include +#include +#include +#include + +int LLVMFuzzerTestOneInput(uint8_t *Data, size_t size) { + if (size < 1) { + return 0; + } + char *code = malloc(size+1); + memcpy(code, Data, size); + code[size] = '\0'; + mrb_state *mrb = mrb_open(); + mrb_load_string(mrb, code); + mrb_close(mrb); + free(code); + return 0; +} diff --git a/benchmarks/nodejs_fuzz_x509/Dockerfile b/benchmarks/nodejs_fuzz_x509/Dockerfile new file mode 100644 index 000000000..a995e296e --- /dev/null +++ b/benchmarks/nodejs_fuzz_x509/Dockerfile 
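Review bot: In mruby_fuzzer.c, `char *code = malloc(size+1);` is handed straight to `memcpy` without a NULL check, so an allocation failure becomes a null dereference blamed on the harness instead of a clean skip; add `if (!code) return 0;` before the copy. The four `#include` lines carry no header names as rendered here — most likely the angle-bracketed names were lost in extraction, but confirm the committed file is intact since the function cannot compile without them. `LLVMFuzzerTestOneInput` is also declared with `uint8_t *Data` while the engine's prototype uses `const uint8_t *Data`; adding the `const` costs nothing and avoids a signature mismatch.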
@@ -0,0 +1,22 @@ +# Copyright 2020 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder@sha256:fb1a9a49752c9e504687448d1f1a048ec1e062e2e40f7e8a23e86b63ff3dad7c +RUN apt-get update && apt-get install -y make +RUN apt-get install -y flex bison build-essential +RUN git clone --recursive --depth 1 https://github.com/AdamKorcz/node --branch=all-new-fuzzers +WORKDIR $SRC +COPY build.sh $SRC/ diff --git a/benchmarks/nodejs_fuzz_x509/benchmark.yaml b/benchmarks/nodejs_fuzz_x509/benchmark.yaml new file mode 100644 index 000000000..63fe52759 --- /dev/null +++ b/benchmarks/nodejs_fuzz_x509/benchmark.yaml @@ -0,0 +1,4 @@ +commit: 060a7925dd5a6723d1c52aa901d27fecf96cc579 +commit_date: 2024-04-05 13:12:56+00:00 +fuzz_target: fuzz_x509 +project: nodejs diff --git a/benchmarks/nodejs_fuzz_x509/build.sh b/benchmarks/nodejs_fuzz_x509/build.sh new file mode 100755 index 000000000..90c443a49 --- /dev/null +++ b/benchmarks/nodejs_fuzz_x509/build.sh 
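Review bot: `RUN git clone --recursive --depth 1 https://github.com/AdamKorcz/node --branch=all-new-fuzzers` leaves a shallow clone of a personal fork, while the `benchmark.yaml` hunk on the same line pins `commit: 060a7925dd5a6723d1c52aa901d27fecf96cc579`; a depth-1 clone contains only the branch tip at build time, so the pinned commit is checkoutable only if it still happens to be that tip. Either drop `--depth 1`, as the other Dockerfiles in this commit do, or fetch the pinned commit explicitly in the same `RUN`. How the experiment tooling performs the pinned checkout is outside this hunk — confirm before relying on the shallow clone.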
@@ -0,0 +1,66 @@ +#!/bin/bash -eu +# Copyright 2020 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +cd $SRC/node + +# Coverage build takes very long and time outs in the CI which blocks changes. Ignore Coverage build in OSS-Fuzz CI for now: +if [[ -n "${OSS_FUZZ_CI-}" && "$SANITIZER" = coverage ]]; then + exit 0 +fi + +if [[ "$SANITIZER" = coverage ]]; then + export CFLAGS="${CFLAGS/"-fcoverage-mapping"/" "}" + export CFLAGS="${CFLAGS/"-fprofile-instr-generate"/" "}" + export CXXFLAGS="${CXXFLAGS/"-fcoverage-mapping"/" "}" + export CXXFLAGS="${CXXFLAGS/"-fprofile-instr-generate"/" "}" + echo "CFLAGS: ${CFLAGS}" + echo "CXXFLAGS: ${CXXFLAGS}" +fi + +# Build node +export LDFLAGS="$CXXFLAGS" +export LD="$CXX" +./configure --with-ossfuzz + +# Ensure we build with few processors if memory gets exhausted +if [[ "$SANITIZER" = coverage ]]; then + for mrkpath in fuzz_buffer_includes.target.mk fuzz_buffer_equals.target.mk fuzz_buffer_compare.target.mk fuzz_blob.target.mk fuzz_zlib_gzip_createUnzip.target.mk fuzz_zlib_createBrotliDecompress.target.mk fuzz_zlib_brotliDecompress.target.mk fuzz_zlib_brotliCompress.target.mk fuzz_string_decoder.target.mk fuzz_querystring_parse.target.mk fuzz_ParseSrvReply.target.mk fuzz_path_join.target.mk fuzz_env.target.mk fuzz_stream1.target.mk fuzz_strings.target.mk fuzz_diffieHellmanPEM.target.mk fuzz_createPrivateKeyPEM.target.mk 
fuzz_createPrivateKeyDER.target.mk fuzz_ParseSoaReply.target.mk fuzz_path_extname.target.mk fuzz_ParseCaaReply.target.mk fuzz_path_normalize.target.mk fuzz_path_relative.target.mk fuzz_createPrivateKeyJWK.target.mk fuzz_ParseMxReply.target.mk fuzz_path_format.target.mk fuzz_LoadBIO.target.mk fuzz_ClientHelloParser.target.mk fuzz_diffieHellmanJWK.target.mk fuzz_path_basename.target.mk fuzz_ParseNaptrReply.target.mk fuzz_path_isAbsolute.target.mk fuzz_tls_socket_request.target.mk fuzz_ParseGeneralReply.target.mk fuzz_diffieHellmanDER.target.mk fuzz_path_toNamespacedPath.target.mk fuzz_path_parse.target.mk fuzz_httpparser1.target.mk fuzz_path_dirname.target.mk fuzz_x509.target.mk fuzz_ParseTxtReply.target.mk fuzz_fs_write_read_append.target.mk fuzz_ParsePublicKey.target.mk fuzz_sign_verify.target.mk fuzz_path_resolve.target.mk fuzz_fs_write_open_read.target.mk libnode.target.mk; do + sed -i 's/BUILDTYPE))/BUILDTYPE)) -fprofile-instr-generate -fcoverage-mapping/g' $SRC/node/out/${mrkpath} + done + make -j 3 || make -j1 +else + make -j$(nproc) || make -j1 +fi + +# Copy all fuzzers to OUT folder +cp out/Release/fuzz_* ${OUT}/ + +# Create seed for fuzz_env +mkdir fuzz_env_seed +find ./test -name '*.js' -exec cp {} ./fuzz_env_seed/ \; +cd fuzz_env_seed +# Remove small files: +find -size -5k -delete +# Remove large files: +find -size +30k -delete +zip $OUT/fuzz_env_seed_corpus.zip ./* +# Add more seeds +cd $SRC/node/test/fuzzers/seed/fuzz_env +zip $OUT/fuzz_env_seed_corpus.zip ./* + +cd $SRC/node/test/fuzzers/seed/fuzz_x509 +zip $OUT/fuzz_x509_seed_corpus.zip ./* + diff --git a/benchmarks/nodejs_fuzz_x509/fuzz_url.cc b/benchmarks/nodejs_fuzz_x509/fuzz_url.cc new file mode 100644 index 000000000..1c07fac3f --- /dev/null +++ b/benchmarks/nodejs_fuzz_x509/fuzz_url.cc 
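Review bot: The seed-corpus section from `mkdir fuzz_env_seed` to the second `zip $OUT/fuzz_env_seed_corpus.zip ./*` builds a corpus for `fuzz_env`, not for this benchmark's `fuzz_x509` target, and `find ./test -name '*.js' -exec cp {} ./fuzz_env_seed/ \;` flattens the tree so same-named files in different directories overwrite each other silently. Delete that section here and keep only the final `cd $SRC/node/test/fuzzers/seed/fuzz_x509` / `zip $OUT/fuzz_x509_seed_corpus.zip ./*` pair; if it is meant to stay, quote `"$OUT"` and `"$SRC"` and give the copies unique names so the collisions are visible. The hand-written `for mrkpath in …` list in the coverage branch will silently skip any target whose `.target.mk` is not listed; iterating `$SRC/node/out/fuzz_*.target.mk $SRC/node/out/libnode.target.mk` and running `sed -i … "$mrkpath"` appears to cover the same files without the maintenance burden, though that should be confirmed against the generated `out/` directory.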
@@ -0,0 +1,25 @@
+/* Copyright 2020 Google Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+#include
+
+#include "node.h"
+#include "node_internals.h"
+#include "node_url.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ node::url::URL url2((char*)data, size);
+
+ return 0;
+}
diff --git a/benchmarks/php_php-fuzz-execute/Dockerfile b/benchmarks/php_php-fuzz-execute/Dockerfile
new file mode 100644
index 000000000..25311c6cb
--- /dev/null
+++ b/benchmarks/php_php-fuzz-execute/Dockerfile
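Review bot: This file is never compiled: the Dockerfile copies only `build.sh` into `$SRC`, and build.sh takes its binaries from the node checkout's `out/Release/fuzz_*`, so `fuzz_url.cc` is dead code sitting in a directory named for `fuzz_x509`. Delete it, or wire it into the build and state why a URL harness lives in the x509 benchmark. If it is kept, `node::url::URL url2((char*)data, size);` casts away `const` and discards the object; `(const char*)data` is enough, and whether the constructor really takes a length and so tolerates the missing NUL terminator should be checked against node_url.h rather than assumed.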
@@ -0,0 +1,27 @@ +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd + +RUN apt-get update && \ + apt-get install -y \ + autoconf automake libtool bison re2c pkg-config + +RUN git clone \ + https://github.com/php/php-src.git + +WORKDIR php-src +COPY build.sh *.options $SRC/ diff --git a/benchmarks/php_php-fuzz-execute/benchmark.yaml b/benchmarks/php_php-fuzz-execute/benchmark.yaml new file mode 100644 index 000000000..0c4c28bd2 --- /dev/null +++ b/benchmarks/php_php-fuzz-execute/benchmark.yaml 
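Review bot: `RUN git clone https://github.com/php/php-src.git` fetches whatever master is at build time and nothing checks out the 2022 commit `0dbedb3d…` that this directory's benchmark.yaml records, so the benchmark drifts with upstream and the sibling `build.sh` (which hard-codes flags such as `--enable-fuzzer` and `-DPROFITABILITY_CHECKS=0`) may stop matching the tree it is run against. Unless the framework performs that checkout elsewhere, add `RUN git -C php-src checkout 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620` before the `WORKDIR php-src` line. `COPY build.sh *.options $SRC/` also leaves the sibling `cosmic.list` out of the image, so that file is dead as committed.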
@@ -0,0 +1,53 @@ +# 5089511469613056 +commit: 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620 +commit_date: 2022-07-15T10:03:12+0000 +fuzz_target: php-fuzz-execute +project: php +oss_fuzz_corpus_target: php_php-fuzz-execute +unsupported_fuzzers: + - aflcc + - afl_qemu + - aflplusplus_qemu + - aflplusplus_qemu_tracepc + - aflplusplus_frida + - honggfuzz_qemu + - klee + - lafintel + - weizz_qemu + - aflplusplus_classic_ctx + - aflplusplus_classic_ctx_18 + - aflplusplus_classic_ctx_20 + - aflplusplus_classic_ctx_21 + - aflplusplus_classic_ctx_23 + - aflplusplus_pcguard + - aflplusplus_classic + - cfctx_basic + - cfctx_bottom + - cfctx_dataflow_seadsa + - cfctx_dataflow_svf + - cfctx_params + - cfctx_plain + - cfctx_randomic + - cfctx_bottom_llc + - cfctx_dataflow_seadsa_llc + - cfctx_dataflow_svf_llc + - cfctx_randomic_llc + - cfctx_params_llc + - cfctx_params_1mb + - cfctx_params_2mb + - cfctx_params_4mb + - cfctx_params_512kb + - cfctx_params_768kb + - cfctx_full + - symcc_afl + - symcc_afl_single + - symcc_aflplusplus + - symcc_aflplusplus_single + - aflplusplus_cmplog_double + - symcc_aflplusplus_single + - eclipser_aflplusplus + - aflplusplus_qemu_double + - fuzzolic_aflplusplus_z3 + - symqemu_aflplusplus + - fuzzolic_aflplusplus_fuzzy + - fuzzolic_aflplusplus_z3dict diff --git a/benchmarks/php_php-fuzz-execute/build.sh b/benchmarks/php_php-fuzz-execute/build.sh new file mode 100755 index 000000000..bb3046bb2 --- /dev/null +++ b/benchmarks/php_php-fuzz-execute/build.sh 
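Review bot: `- symcc_aflplusplus_single` is listed twice under `unsupported_fuzzers` (once after `symcc_aflplusplus`, again after `aflplusplus_cmplog_double`); a duplicate is harmless for a membership test but shows the list was merged by hand, and the same list is repeated verbatim in the exif, parser and unserialize benchmark.yaml files, so any correction has to be made four times. Remove the second entry, and either explain the bare `# 5089511469613056` comment at the top (presumably an OSS-Fuzz build or issue id) or drop it.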
@@ -0,0 +1,79 @@ +#!/bin/bash -eu +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# PHP's zend_function union is incompatible with the object-size sanitizer +export CFLAGS="$CFLAGS -fno-sanitize=object-size" +export CXXFLAGS="$CXXFLAGS -fno-sanitize=object-size" + +# Disable JIT profitability checks. +export CFLAGS="$CFLAGS -DPROFITABILITY_CHECKS=0" + +# Make sure the right assembly files are picked +BUILD_FLAG="" +if [ "$ARCHITECTURE" = "i386" ]; then + BUILD_FLAG="--build=i686-pc-linux-gnu" +fi + +# build project +./buildconf --force +./configure $BUILD_FLAG \ + --disable-all \ + --enable-debug-assertions \ + --enable-option-checking=fatal \ + --enable-fuzzer \ + --enable-exif \ + --enable-opcache \ + --without-pcre-jit \ + --disable-phpdbg \ + --disable-cgi \ + --with-pic +make -j$(nproc) + +# Generate corpuses and dictionaries. +sapi/cli/php sapi/fuzzer/generate_all.php + +# Copy dictionaries to expected locations. 
+cp sapi/fuzzer/dict/unserialize $OUT/php-fuzz-unserialize.dict +cp sapi/fuzzer/dict/parser $OUT/php-fuzz-parser.dict +cp sapi/fuzzer/json.dict $OUT/php-fuzz-json.dict + +FUZZERS="php-fuzz-json +php-fuzz-exif +php-fuzz-unserialize +php-fuzz-unserializehash +php-fuzz-parser +php-fuzz-execute" +for fuzzerName in $FUZZERS; do + cp sapi/fuzzer/$fuzzerName $OUT/ +done + +# The JIT fuzzer is fundamentally incompatible with memory sanitizer, +# as that would require the JIT to emit msan instrumentation itself. +# In practice it is currently also incompatible with ubsan. +if [ "$SANITIZER" != "memory" ] && [ "$SANITIZER" != "undefined" ]; then + cp sapi/fuzzer/php-fuzz-function-jit $OUT/ + cp sapi/fuzzer/php-fuzz-tracing-jit $OUT/ + + # Copy opcache.so extension, which does not support static linking. + mkdir -p $OUT/modules + cp modules/opcache.so $OUT/modules +fi + +# copy corpora from source +for fuzzerName in `ls sapi/fuzzer/corpus`; do + zip -j $OUT/php-fuzz-${fuzzerName}_seed_corpus.zip sapi/fuzzer/corpus/${fuzzerName}/* +done diff --git a/benchmarks/php_php-fuzz-execute/cosmic.list b/benchmarks/php_php-fuzz-execute/cosmic.list new file mode 100644 index 000000000..e9f052d76 --- /dev/null +++ b/benchmarks/php_php-fuzz-execute/cosmic.list @@ -0,0 +1,2 @@ +deb http://archive.ubuntu.com/ubuntu/ cosmic universe + diff --git a/benchmarks/php_php-fuzz-execute/testcases/24387 b/benchmarks/php_php-fuzz-execute/testcases/24387 new file mode 100644 index 000000000..bdb3d60c5 --- /dev/null +++ b/benchmarks/php_php-fuzz-execute/testcases/24387 @@ -0,0 +1 @@ +>public$ÿ){}} \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-execute/testcases/24403 b/benchmarks/php_php-fuzz-execute/testcases/24403 new file mode 100644 index 000000000..8fe1a2145 --- /dev/null +++ b/benchmarks/php_php-fuzz-execute/testcases/24403 @@ -0,0 +1 @@ +ÿ;})); \ No newline at end of file 
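Review bot: The corpus loop at the end iterates over the command substitution of `ls sapi/fuzzer/corpus`, which word-splits and glob-expands the listing, so any corpus directory whose name contains whitespace or glob characters is mishandled; a glob is the safe form: `for dir in sapi/fuzzer/corpus/*/; do name=$(basename "$dir"); zip -j "$OUT/php-fuzz-${name}_seed_corpus.zip" "$dir"*; done`. `$OUT` is left unquoted throughout the script; harmless with OSS-Fuzz's `/out` but worth quoting while touching the loop. This build.sh is byte-identical to the copies in the exif, parser and unserialize benchmark directories, so a shared script would keep fixes in one place.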
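Review bot: `deb http://archive.ubuntu.com/ubuntu/ cosmic universe` is not referenced by the Dockerfile in this directory (`COPY build.sh *.options $SRC/` does not match it), so the file is dead as committed. If it were ever wired in, Ubuntu cosmic (18.10) has been end-of-life since 2019 and, as far as I know, is no longer served from archive.ubuntu.com, and a plain-http source adds an unauthenticated-transport apt repository to the build image. Drop the file rather than carrying an EOL repository definition in four benchmark directories.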
diff --git a/benchmarks/php_php-fuzz-execute/testcases/24405 b/benchmarks/php_php-fuzz-execute/testcases/24405 new file mode 100644 index 0000000000000000000000000000000000000000..4ca969a8f0dc787e486801d5f87f25d4f4088ad1 GIT binary patch literal 79 zcmZ3tZrwT?`+|%DuEgTv)S?m%GX*s@4V97;{`R_dC8=Fqvu7#TDx{U>C6{F8=V@pv gC{!z`s3ci)0U1E7P|H=TscFr{WpBsDz`)Q2087pnUH||9 literal 0 HcmV?d00001 diff --git a/benchmarks/php_php-fuzz-execute/testcases/24423 b/benchmarks/php_php-fuzz-execute/testcases/24423 new file mode 100644 index 000000000..e449a2532 --- /dev/null +++ b/benchmarks/php_php-fuzz-execute/testcases/24423 @@ -0,0 +1 @@ + ÿ; })); \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-execute/testcases/24436 b/benchmarks/php_php-fuzz-execute/testcases/24436 new file mode 100644 index 000000000..9459d2b61 --- /dev/null +++ b/benchmarks/php_php-fuzz-execute/testcases/24436 @@ -0,0 +1 @@ +ÿ; \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-execute/testcases/24567 b/benchmarks/php_php-fuzz-execute/testcases/24567 new file mode 100644 index 000000000..9459d2b61 --- /dev/null +++ b/benchmarks/php_php-fuzz-execute/testcases/24567 @@ -0,0 +1 @@ +ÿ; \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-execute/testcases/24627 b/benchmarks/php_php-fuzz-execute/testcases/24627 new file mode 100644 index 000000000..72b58187d --- /dev/null +++ b/benchmarks/php_php-fuzz-execute/testcases/24627 @@ -0,0 +1 @@ +ÿ()); \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-exif/Dockerfile b/benchmarks/php_php-fuzz-exif/Dockerfile new file mode 100644 index 000000000..25311c6cb --- /dev/null +++ b/benchmarks/php_php-fuzz-exif/Dockerfile 
@@ -0,0 +1,27 @@ +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd + +RUN apt-get update && \ + apt-get install -y \ + autoconf automake libtool bison re2c pkg-config + +RUN git clone \ + https://github.com/php/php-src.git + +WORKDIR php-src +COPY build.sh *.options $SRC/ diff --git a/benchmarks/php_php-fuzz-exif/benchmark.yaml b/benchmarks/php_php-fuzz-exif/benchmark.yaml new file mode 100644 index 000000000..04b47a24c --- /dev/null +++ b/benchmarks/php_php-fuzz-exif/benchmark.yaml 
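Review bot: `RUN git clone https://github.com/php/php-src.git` has no matching checkout of the `0dbedb3d…` commit recorded in this directory's benchmark.yaml, so the build tracks php-src master and is not reproducible. Unless the framework pins it elsewhere, add `RUN git -C php-src checkout 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620` before `WORKDIR php-src`. The file is otherwise byte-identical to the execute, parser and unserialize Dockerfiles, so a shared base would keep the fix in one place.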
@@ -0,0 +1,53 @@ +# 5089511469613056 +commit: 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620 +commit_date: 2022-07-15T10:03:12+0000 +fuzz_target: php-fuzz-exif +project: php +oss_fuzz_corpus_target: php_php-fuzz-exif +unsupported_fuzzers: + - aflcc + - afl_qemu + - aflplusplus_qemu + - aflplusplus_qemu_tracepc + - aflplusplus_frida + - honggfuzz_qemu + - klee + - lafintel + - weizz_qemu + - aflplusplus_classic_ctx + - aflplusplus_classic_ctx_18 + - aflplusplus_classic_ctx_20 + - aflplusplus_classic_ctx_21 + - aflplusplus_classic_ctx_23 + - aflplusplus_pcguard + - aflplusplus_classic + - cfctx_basic + - cfctx_bottom + - cfctx_dataflow_seadsa + - cfctx_dataflow_svf + - cfctx_params + - cfctx_plain + - cfctx_randomic + - cfctx_bottom_llc + - cfctx_dataflow_seadsa_llc + - cfctx_dataflow_svf_llc + - cfctx_randomic_llc + - cfctx_params_llc + - cfctx_params_1mb + - cfctx_params_2mb + - cfctx_params_4mb + - cfctx_params_512kb + - cfctx_params_768kb + - cfctx_full + - symcc_afl + - symcc_afl_single + - symcc_aflplusplus + - symcc_aflplusplus_single + - aflplusplus_cmplog_double + - symcc_aflplusplus_single + - eclipser_aflplusplus + - aflplusplus_qemu_double + - fuzzolic_aflplusplus_z3 + - symqemu_aflplusplus + - fuzzolic_aflplusplus_fuzzy + - fuzzolic_aflplusplus_z3dict diff --git a/benchmarks/php_php-fuzz-exif/build.sh b/benchmarks/php_php-fuzz-exif/build.sh new file mode 100755 index 000000000..bb3046bb2 --- /dev/null +++ b/benchmarks/php_php-fuzz-exif/build.sh 
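Review bot: `- symcc_aflplusplus_single` appears twice in `unsupported_fuzzers` (after `symcc_aflplusplus` and again after `aflplusplus_cmplog_double`); remove the second entry. The list is a verbatim copy of the one in the execute benchmark.yaml, including the unexplained `# 5089511469613056` comment, so either label that comment or drop it here as well.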
@@ -0,0 +1,79 @@ +#!/bin/bash -eu +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# PHP's zend_function union is incompatible with the object-size sanitizer +export CFLAGS="$CFLAGS -fno-sanitize=object-size" +export CXXFLAGS="$CXXFLAGS -fno-sanitize=object-size" + +# Disable JIT profitability checks. +export CFLAGS="$CFLAGS -DPROFITABILITY_CHECKS=0" + +# Make sure the right assembly files are picked +BUILD_FLAG="" +if [ "$ARCHITECTURE" = "i386" ]; then + BUILD_FLAG="--build=i686-pc-linux-gnu" +fi + +# build project +./buildconf --force +./configure $BUILD_FLAG \ + --disable-all \ + --enable-debug-assertions \ + --enable-option-checking=fatal \ + --enable-fuzzer \ + --enable-exif \ + --enable-opcache \ + --without-pcre-jit \ + --disable-phpdbg \ + --disable-cgi \ + --with-pic +make -j$(nproc) + +# Generate corpuses and dictionaries. +sapi/cli/php sapi/fuzzer/generate_all.php + +# Copy dictionaries to expected locations. 
+cp sapi/fuzzer/dict/unserialize $OUT/php-fuzz-unserialize.dict +cp sapi/fuzzer/dict/parser $OUT/php-fuzz-parser.dict +cp sapi/fuzzer/json.dict $OUT/php-fuzz-json.dict + +FUZZERS="php-fuzz-json +php-fuzz-exif +php-fuzz-unserialize +php-fuzz-unserializehash +php-fuzz-parser +php-fuzz-execute" +for fuzzerName in $FUZZERS; do + cp sapi/fuzzer/$fuzzerName $OUT/ +done + +# The JIT fuzzer is fundamentally incompatible with memory sanitizer, +# as that would require the JIT to emit msan instrumentation itself. +# In practice it is currently also incompatible with ubsan. +if [ "$SANITIZER" != "memory" ] && [ "$SANITIZER" != "undefined" ]; then + cp sapi/fuzzer/php-fuzz-function-jit $OUT/ + cp sapi/fuzzer/php-fuzz-tracing-jit $OUT/ + + # Copy opcache.so extension, which does not support static linking. + mkdir -p $OUT/modules + cp modules/opcache.so $OUT/modules +fi + +# copy corpora from source +for fuzzerName in `ls sapi/fuzzer/corpus`; do + zip -j $OUT/php-fuzz-${fuzzerName}_seed_corpus.zip sapi/fuzzer/corpus/${fuzzerName}/* +done diff --git a/benchmarks/php_php-fuzz-exif/cosmic.list b/benchmarks/php_php-fuzz-exif/cosmic.list new file mode 100644 index 000000000..e9f052d76 --- /dev/null +++ b/benchmarks/php_php-fuzz-exif/cosmic.list @@ -0,0 +1,2 @@ +deb http://archive.ubuntu.com/ubuntu/ cosmic universe + diff --git a/benchmarks/php_php-fuzz-exif/testcases/24387 b/benchmarks/php_php-fuzz-exif/testcases/24387 new file mode 100644 index 000000000..bdb3d60c5 --- /dev/null +++ b/benchmarks/php_php-fuzz-exif/testcases/24387 @@ -0,0 +1 @@ +>public$ÿ){}} \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-exif/testcases/24403 b/benchmarks/php_php-fuzz-exif/testcases/24403 new file mode 100644 index 000000000..8fe1a2145 --- /dev/null +++ b/benchmarks/php_php-fuzz-exif/testcases/24403 @@ -0,0 +1 @@ +ÿ;})); \ No newline at end of file 
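Review bot: The final corpus loop iterates the command substitution of `ls sapi/fuzzer/corpus`, which word-splits and glob-expands directory names; use `for dir in sapi/fuzzer/corpus/*/; do name=$(basename "$dir"); zip -j "$OUT/php-fuzz-${name}_seed_corpus.zip" "$dir"*; done` instead. This script is byte-identical to `php_php-fuzz-execute/build.sh`, so whichever form is chosen should land in both.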
diff --git a/benchmarks/php_php-fuzz-exif/testcases/24405 b/benchmarks/php_php-fuzz-exif/testcases/24405 new file mode 100644 index 0000000000000000000000000000000000000000..4ca969a8f0dc787e486801d5f87f25d4f4088ad1 GIT binary patch literal 79 zcmZ3tZrwT?`+|%DuEgTv)S?m%GX*s@4V97;{`R_dC8=Fqvu7#TDx{U>C6{F8=V@pv gC{!z`s3ci)0U1E7P|H=TscFr{WpBsDz`)Q2087pnUH||9 literal 0 HcmV?d00001 diff --git a/benchmarks/php_php-fuzz-exif/testcases/24423 b/benchmarks/php_php-fuzz-exif/testcases/24423 new file mode 100644 index 000000000..e449a2532 --- /dev/null +++ b/benchmarks/php_php-fuzz-exif/testcases/24423 @@ -0,0 +1 @@ + ÿ; })); \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-exif/testcases/24436 b/benchmarks/php_php-fuzz-exif/testcases/24436 new file mode 100644 index 000000000..9459d2b61 --- /dev/null +++ b/benchmarks/php_php-fuzz-exif/testcases/24436 @@ -0,0 +1 @@ +ÿ; \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-exif/testcases/24567 b/benchmarks/php_php-fuzz-exif/testcases/24567 new file mode 100644 index 000000000..9459d2b61 --- /dev/null +++ b/benchmarks/php_php-fuzz-exif/testcases/24567 @@ -0,0 +1 @@ +ÿ; \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-exif/testcases/24627 b/benchmarks/php_php-fuzz-exif/testcases/24627 new file mode 100644 index 000000000..72b58187d --- /dev/null +++ b/benchmarks/php_php-fuzz-exif/testcases/24627 @@ -0,0 +1 @@ +ÿ()); \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-parser/Dockerfile b/benchmarks/php_php-fuzz-parser/Dockerfile new file mode 100644 index 000000000..25311c6cb --- /dev/null +++ b/benchmarks/php_php-fuzz-parser/Dockerfile 
@@ -0,0 +1,27 @@ +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd + +RUN apt-get update && \ + apt-get install -y \ + autoconf automake libtool bison re2c pkg-config + +RUN git clone \ + https://github.com/php/php-src.git + +WORKDIR php-src +COPY build.sh *.options $SRC/ diff --git a/benchmarks/php_php-fuzz-parser/benchmark.yaml b/benchmarks/php_php-fuzz-parser/benchmark.yaml new file mode 100644 index 000000000..9a6dd292c --- /dev/null +++ b/benchmarks/php_php-fuzz-parser/benchmark.yaml 
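Review bot: `RUN git clone https://github.com/php/php-src.git` is unpinned and nothing checks out the `0dbedb3d…` commit that this directory's benchmark.yaml records, so the measured code changes with php-src master. Unless the framework performs that checkout elsewhere, add `RUN git -C php-src checkout 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620` before `WORKDIR php-src`, as for the identical execute and exif Dockerfiles.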
@@ -0,0 +1,53 @@ +# 5089511469613056 +commit: 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620 +commit_date: 2022-07-15T10:03:12+0000 +fuzz_target: php-fuzz-parser +project: php +oss_fuzz_corpus_target: php_php-fuzz-parser +unsupported_fuzzers: + - aflcc + - afl_qemu + - aflplusplus_qemu + - aflplusplus_qemu_tracepc + - aflplusplus_frida + - honggfuzz_qemu + - klee + - lafintel + - weizz_qemu + - aflplusplus_classic_ctx + - aflplusplus_classic_ctx_18 + - aflplusplus_classic_ctx_20 + - aflplusplus_classic_ctx_21 + - aflplusplus_classic_ctx_23 + - aflplusplus_pcguard + - aflplusplus_classic + - cfctx_basic + - cfctx_bottom + - cfctx_dataflow_seadsa + - cfctx_dataflow_svf + - cfctx_params + - cfctx_plain + - cfctx_randomic + - cfctx_bottom_llc + - cfctx_dataflow_seadsa_llc + - cfctx_dataflow_svf_llc + - cfctx_randomic_llc + - cfctx_params_llc + - cfctx_params_1mb + - cfctx_params_2mb + - cfctx_params_4mb + - cfctx_params_512kb + - cfctx_params_768kb + - cfctx_full + - symcc_afl + - symcc_afl_single + - symcc_aflplusplus + - symcc_aflplusplus_single + - aflplusplus_cmplog_double + - symcc_aflplusplus_single + - eclipser_aflplusplus + - aflplusplus_qemu_double + - fuzzolic_aflplusplus_z3 + - symqemu_aflplusplus + - fuzzolic_aflplusplus_fuzzy + - fuzzolic_aflplusplus_z3dict diff --git a/benchmarks/php_php-fuzz-parser/build.sh b/benchmarks/php_php-fuzz-parser/build.sh new file mode 100755 index 000000000..bb3046bb2 --- /dev/null +++ b/benchmarks/php_php-fuzz-parser/build.sh 
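Review bot: `- symcc_aflplusplus_single` is duplicated in `unsupported_fuzzers` (after `symcc_aflplusplus` and again after `aflplusplus_cmplog_double`); remove the second entry. The `# 5089511469613056` comment carries no label and is copied from the sibling php benchmark.yaml files, so say what it refers to or drop it.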
@@ -0,0 +1,79 @@ +#!/bin/bash -eu +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# PHP's zend_function union is incompatible with the object-size sanitizer +export CFLAGS="$CFLAGS -fno-sanitize=object-size" +export CXXFLAGS="$CXXFLAGS -fno-sanitize=object-size" + +# Disable JIT profitability checks. +export CFLAGS="$CFLAGS -DPROFITABILITY_CHECKS=0" + +# Make sure the right assembly files are picked +BUILD_FLAG="" +if [ "$ARCHITECTURE" = "i386" ]; then + BUILD_FLAG="--build=i686-pc-linux-gnu" +fi + +# build project +./buildconf --force +./configure $BUILD_FLAG \ + --disable-all \ + --enable-debug-assertions \ + --enable-option-checking=fatal \ + --enable-fuzzer \ + --enable-exif \ + --enable-opcache \ + --without-pcre-jit \ + --disable-phpdbg \ + --disable-cgi \ + --with-pic +make -j$(nproc) + +# Generate corpuses and dictionaries. +sapi/cli/php sapi/fuzzer/generate_all.php + +# Copy dictionaries to expected locations. 
+cp sapi/fuzzer/dict/unserialize $OUT/php-fuzz-unserialize.dict +cp sapi/fuzzer/dict/parser $OUT/php-fuzz-parser.dict +cp sapi/fuzzer/json.dict $OUT/php-fuzz-json.dict + +FUZZERS="php-fuzz-json +php-fuzz-exif +php-fuzz-unserialize +php-fuzz-unserializehash +php-fuzz-parser +php-fuzz-execute" +for fuzzerName in $FUZZERS; do + cp sapi/fuzzer/$fuzzerName $OUT/ +done + +# The JIT fuzzer is fundamentally incompatible with memory sanitizer, +# as that would require the JIT to emit msan instrumentation itself. +# In practice it is currently also incompatible with ubsan. +if [ "$SANITIZER" != "memory" ] && [ "$SANITIZER" != "undefined" ]; then + cp sapi/fuzzer/php-fuzz-function-jit $OUT/ + cp sapi/fuzzer/php-fuzz-tracing-jit $OUT/ + + # Copy opcache.so extension, which does not support static linking. + mkdir -p $OUT/modules + cp modules/opcache.so $OUT/modules +fi + +# copy corpora from source +for fuzzerName in `ls sapi/fuzzer/corpus`; do + zip -j $OUT/php-fuzz-${fuzzerName}_seed_corpus.zip sapi/fuzzer/corpus/${fuzzerName}/* +done diff --git a/benchmarks/php_php-fuzz-parser/cosmic.list b/benchmarks/php_php-fuzz-parser/cosmic.list new file mode 100644 index 000000000..e9f052d76 --- /dev/null +++ b/benchmarks/php_php-fuzz-parser/cosmic.list @@ -0,0 +1,2 @@ +deb http://archive.ubuntu.com/ubuntu/ cosmic universe + diff --git a/benchmarks/php_php-fuzz-parser/testcases/24387 b/benchmarks/php_php-fuzz-parser/testcases/24387 new file mode 100644 index 000000000..bdb3d60c5 --- /dev/null +++ b/benchmarks/php_php-fuzz-parser/testcases/24387 @@ -0,0 +1 @@ +>public$ÿ){}} \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-parser/testcases/24403 b/benchmarks/php_php-fuzz-parser/testcases/24403 new file mode 100644 index 000000000..8fe1a2145 --- /dev/null +++ b/benchmarks/php_php-fuzz-parser/testcases/24403 @@ -0,0 +1 @@ +ÿ;})); \ No newline at end of file 
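Review bot: The corpus loop at the end relies on the command substitution of `ls sapi/fuzzer/corpus`, which word-splits and glob-expands the names; `for dir in sapi/fuzzer/corpus/*/; do name=$(basename "$dir"); zip -j "$OUT/php-fuzz-${name}_seed_corpus.zip" "$dir"*; done` is the robust form. The script is a byte-identical copy of the execute and exif build.sh files, so the fix should be applied in all of them.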
diff --git a/benchmarks/php_php-fuzz-parser/testcases/24405 b/benchmarks/php_php-fuzz-parser/testcases/24405 new file mode 100644 index 0000000000000000000000000000000000000000..4ca969a8f0dc787e486801d5f87f25d4f4088ad1 GIT binary patch literal 79 zcmZ3tZrwT?`+|%DuEgTv)S?m%GX*s@4V97;{`R_dC8=Fqvu7#TDx{U>C6{F8=V@pv gC{!z`s3ci)0U1E7P|H=TscFr{WpBsDz`)Q2087pnUH||9 literal 0 HcmV?d00001 diff --git a/benchmarks/php_php-fuzz-parser/testcases/24423 b/benchmarks/php_php-fuzz-parser/testcases/24423 new file mode 100644 index 000000000..e449a2532 --- /dev/null +++ b/benchmarks/php_php-fuzz-parser/testcases/24423 @@ -0,0 +1 @@ + ÿ; })); \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-parser/testcases/24436 b/benchmarks/php_php-fuzz-parser/testcases/24436 new file mode 100644 index 000000000..9459d2b61 --- /dev/null +++ b/benchmarks/php_php-fuzz-parser/testcases/24436 @@ -0,0 +1 @@ +ÿ; \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-parser/testcases/24567 b/benchmarks/php_php-fuzz-parser/testcases/24567 new file mode 100644 index 000000000..9459d2b61 --- /dev/null +++ b/benchmarks/php_php-fuzz-parser/testcases/24567 @@ -0,0 +1 @@ +ÿ; \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-parser/testcases/24627 b/benchmarks/php_php-fuzz-parser/testcases/24627 new file mode 100644 index 000000000..72b58187d --- /dev/null +++ b/benchmarks/php_php-fuzz-parser/testcases/24627 @@ -0,0 +1 @@ +ÿ()); \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-unserialize/Dockerfile b/benchmarks/php_php-fuzz-unserialize/Dockerfile new file mode 100644 index 000000000..25311c6cb --- /dev/null +++ b/benchmarks/php_php-fuzz-unserialize/Dockerfile 
@@ -0,0 +1,27 @@ +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd + +RUN apt-get update && \ + apt-get install -y \ + autoconf automake libtool bison re2c pkg-config + +RUN git clone \ + https://github.com/php/php-src.git + +WORKDIR php-src +COPY build.sh *.options $SRC/ diff --git a/benchmarks/php_php-fuzz-unserialize/benchmark.yaml b/benchmarks/php_php-fuzz-unserialize/benchmark.yaml new file mode 100644 index 000000000..74ef711b3 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserialize/benchmark.yaml 
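Review bot: `RUN git clone https://github.com/php/php-src.git` is never followed by a checkout of the `0dbedb3d…` commit recorded in this directory's benchmark.yaml, so the benchmark is not reproducible against php-src master. Unless the framework pins it elsewhere, add `RUN git -C php-src checkout 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620` before `WORKDIR php-src`, matching the fix needed in the three identical php Dockerfiles.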
@@ -0,0 +1,53 @@ +# 5089511469613056 +commit: 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620 +commit_date: 2022-07-15T10:03:12+0000 +fuzz_target: php-fuzz-unserialize +project: php +oss_fuzz_corpus_target: php_php-fuzz-unserialize +unsupported_fuzzers: + - aflcc + - afl_qemu + - aflplusplus_qemu + - aflplusplus_qemu_tracepc + - aflplusplus_frida + - honggfuzz_qemu + - klee + - lafintel + - weizz_qemu + - aflplusplus_classic_ctx + - aflplusplus_classic_ctx_18 + - aflplusplus_classic_ctx_20 + - aflplusplus_classic_ctx_21 + - aflplusplus_classic_ctx_23 + - aflplusplus_pcguard + - aflplusplus_classic + - cfctx_basic + - cfctx_bottom + - cfctx_dataflow_seadsa + - cfctx_dataflow_svf + - cfctx_params + - cfctx_plain + - cfctx_randomic + - cfctx_bottom_llc + - cfctx_dataflow_seadsa_llc + - cfctx_dataflow_svf_llc + - cfctx_randomic_llc + - cfctx_params_llc + - cfctx_params_1mb + - cfctx_params_2mb + - cfctx_params_4mb + - cfctx_params_512kb + - cfctx_params_768kb + - cfctx_full + - symcc_afl + - symcc_afl_single + - symcc_aflplusplus + - symcc_aflplusplus_single + - aflplusplus_cmplog_double + - symcc_aflplusplus_single + - eclipser_aflplusplus + - aflplusplus_qemu_double + - fuzzolic_aflplusplus_z3 + - symqemu_aflplusplus + - fuzzolic_aflplusplus_fuzzy + - fuzzolic_aflplusplus_z3dict diff --git a/benchmarks/php_php-fuzz-unserialize/build.sh b/benchmarks/php_php-fuzz-unserialize/build.sh new file mode 100755 index 000000000..bb3046bb2 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserialize/build.sh 
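Review bot: `- symcc_aflplusplus_single` is listed twice under `unsupported_fuzzers` (after `symcc_aflplusplus` and again after `aflplusplus_cmplog_double`); remove the duplicate. As in the other php benchmark.yaml files, the bare `# 5089511469613056` comment should be labelled or dropped.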
@@ -0,0 +1,79 @@ +#!/bin/bash -eu +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# PHP's zend_function union is incompatible with the object-size sanitizer +export CFLAGS="$CFLAGS -fno-sanitize=object-size" +export CXXFLAGS="$CXXFLAGS -fno-sanitize=object-size" + +# Disable JIT profitability checks. +export CFLAGS="$CFLAGS -DPROFITABILITY_CHECKS=0" + +# Make sure the right assembly files are picked +BUILD_FLAG="" +if [ "$ARCHITECTURE" = "i386" ]; then + BUILD_FLAG="--build=i686-pc-linux-gnu" +fi + +# build project +./buildconf --force +./configure $BUILD_FLAG \ + --disable-all \ + --enable-debug-assertions \ + --enable-option-checking=fatal \ + --enable-fuzzer \ + --enable-exif \ + --enable-opcache \ + --without-pcre-jit \ + --disable-phpdbg \ + --disable-cgi \ + --with-pic +make -j$(nproc) + +# Generate corpuses and dictionaries. +sapi/cli/php sapi/fuzzer/generate_all.php + +# Copy dictionaries to expected locations. 
+cp sapi/fuzzer/dict/unserialize $OUT/php-fuzz-unserialize.dict +cp sapi/fuzzer/dict/parser $OUT/php-fuzz-parser.dict +cp sapi/fuzzer/json.dict $OUT/php-fuzz-json.dict + +FUZZERS="php-fuzz-json +php-fuzz-exif +php-fuzz-unserialize +php-fuzz-unserializehash +php-fuzz-parser +php-fuzz-execute" +for fuzzerName in $FUZZERS; do + cp sapi/fuzzer/$fuzzerName $OUT/ +done + +# The JIT fuzzer is fundamentally incompatible with memory sanitizer, +# as that would require the JIT to emit msan instrumentation itself. +# In practice it is currently also incompatible with ubsan. +if [ "$SANITIZER" != "memory" ] && [ "$SANITIZER" != "undefined" ]; then + cp sapi/fuzzer/php-fuzz-function-jit $OUT/ + cp sapi/fuzzer/php-fuzz-tracing-jit $OUT/ + + # Copy opcache.so extension, which does not support static linking. + mkdir -p $OUT/modules + cp modules/opcache.so $OUT/modules +fi + +# copy corpora from source +for fuzzerName in `ls sapi/fuzzer/corpus`; do + zip -j $OUT/php-fuzz-${fuzzerName}_seed_corpus.zip sapi/fuzzer/corpus/${fuzzerName}/* +done diff --git a/benchmarks/php_php-fuzz-unserialize/cosmic.list b/benchmarks/php_php-fuzz-unserialize/cosmic.list new file mode 100644 index 000000000..e9f052d76 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserialize/cosmic.list @@ -0,0 +1,2 @@ +deb http://archive.ubuntu.com/ubuntu/ cosmic universe + diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24387 b/benchmarks/php_php-fuzz-unserialize/testcases/24387 new file mode 100644 index 000000000..bdb3d60c5 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserialize/testcases/24387 @@ -0,0 +1 @@ +>public$ÿ){}} \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24403 b/benchmarks/php_php-fuzz-unserialize/testcases/24403 new file mode 100644 index 000000000..8fe1a2145 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserialize/testcases/24403 @@ -0,0 +1 @@ +ÿ;})); \ No newline at end of file 
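Review bot: The seed-corpus loop iterates over `` `ls sapi/fuzzer/corpus` ``, which word-splits the listing and breaks on any directory name containing whitespace; a glob is both safer and shorter, e.g. `for corpusDir in sapi/fuzzer/corpus/*/; do fuzzerName=$(basename "$corpusDir"); zip -j "$OUT/php-fuzz-${fuzzerName}_seed_corpus.zip" "$corpusDir"*; done`. The script also builds and copies all six fuzzers plus the JIT targets and opcache.so although this benchmark only runs `php-fuzz-unserialize`; presumably it is lifted from the OSS-Fuzz project script, and a comment saying so would save the next reader from wondering whether the extra binaries are needed. `$ARCHITECTURE` and `$SANITIZER` are read under `set -u`, so the script relies on the base-builder image exporting both. The identical script is added as `benchmarks/php_php-fuzz-unserializehash/build.sh`.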
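Review bot: `cosmic.list` adds an apt source for Ubuntu cosmic (18.10), a release that has been end-of-life for years, over plain `http`, yet nothing in the benchmark's Dockerfile in this commit copies or references the file. If it is not needed by the build it should be dropped rather than shipped as a stray package source; if it is needed, the Dockerfile should copy it in explicitly so the dependency is visible. The same file is added under `benchmarks/php_php-fuzz-unserializehash/`.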
diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24405 b/benchmarks/php_php-fuzz-unserialize/testcases/24405 new file mode 100644 index 0000000000000000000000000000000000000000..4ca969a8f0dc787e486801d5f87f25d4f4088ad1 GIT binary patch literal 79 zcmZ3tZrwT?`+|%DuEgTv)S?m%GX*s@4V97;{`R_dC8=Fqvu7#TDx{U>C6{F8=V@pv gC{!z`s3ci)0U1E7P|H=TscFr{WpBsDz`)Q2087pnUH||9 literal 0 HcmV?d00001 diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24423 b/benchmarks/php_php-fuzz-unserialize/testcases/24423 new file mode 100644 index 000000000..e449a2532 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserialize/testcases/24423 @@ -0,0 +1 @@ + ÿ; })); \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24436 b/benchmarks/php_php-fuzz-unserialize/testcases/24436 new file mode 100644 index 000000000..9459d2b61 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserialize/testcases/24436 @@ -0,0 +1 @@ +ÿ; \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24567 b/benchmarks/php_php-fuzz-unserialize/testcases/24567 new file mode 100644 index 000000000..9459d2b61 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserialize/testcases/24567 @@ -0,0 +1 @@ +ÿ; \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24627 b/benchmarks/php_php-fuzz-unserialize/testcases/24627 new file mode 100644 index 000000000..72b58187d --- /dev/null +++ b/benchmarks/php_php-fuzz-unserialize/testcases/24627 @@ -0,0 +1 @@ +ÿ()); \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-unserializehash/Dockerfile b/benchmarks/php_php-fuzz-unserializehash/Dockerfile new file mode 100644 index 000000000..25311c6cb --- /dev/null +++ b/benchmarks/php_php-fuzz-unserializehash/Dockerfile 
@@ -0,0 +1,27 @@ +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd + +RUN apt-get update && \ + apt-get install -y \ + autoconf automake libtool bison re2c pkg-config + +RUN git clone \ + https://github.com/php/php-src.git + +WORKDIR php-src +COPY build.sh *.options $SRC/ diff --git a/benchmarks/php_php-fuzz-unserializehash/benchmark.yaml b/benchmarks/php_php-fuzz-unserializehash/benchmark.yaml new file mode 100644 index 000000000..995ebe047 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserializehash/benchmark.yaml 
@@ -0,0 +1,53 @@ +# 5089511469613056 +commit: 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620 +commit_date: 2022-07-15T10:03:12+0000 +fuzz_target: php-fuzz-unserializehash +project: php +oss_fuzz_corpus_target: php_php-fuzz-unserializehash +unsupported_fuzzers: + - aflcc + - afl_qemu + - aflplusplus_qemu + - aflplusplus_qemu_tracepc + - aflplusplus_frida + - honggfuzz_qemu + - klee + - lafintel + - weizz_qemu + - aflplusplus_classic_ctx + - aflplusplus_classic_ctx_18 + - aflplusplus_classic_ctx_20 + - aflplusplus_classic_ctx_21 + - aflplusplus_classic_ctx_23 + - aflplusplus_pcguard + - aflplusplus_classic + - cfctx_basic + - cfctx_bottom + - cfctx_dataflow_seadsa + - cfctx_dataflow_svf + - cfctx_params + - cfctx_plain + - cfctx_randomic + - cfctx_bottom_llc + - cfctx_dataflow_seadsa_llc + - cfctx_dataflow_svf_llc + - cfctx_randomic_llc + - cfctx_params_llc + - cfctx_params_1mb + - cfctx_params_2mb + - cfctx_params_4mb + - cfctx_params_512kb + - cfctx_params_768kb + - cfctx_full + - symcc_afl + - symcc_afl_single + - symcc_aflplusplus + - symcc_aflplusplus_single + - aflplusplus_cmplog_double + - symcc_aflplusplus_single + - eclipser_aflplusplus + - aflplusplus_qemu_double + - fuzzolic_aflplusplus_z3 + - symqemu_aflplusplus + - fuzzolic_aflplusplus_fuzzy + - fuzzolic_aflplusplus_z3dict diff --git a/benchmarks/php_php-fuzz-unserializehash/build.sh b/benchmarks/php_php-fuzz-unserializehash/build.sh new file mode 100755 index 000000000..bb3046bb2 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserializehash/build.sh 
@@ -0,0 +1,79 @@ +#!/bin/bash -eu +# Copyright 2019 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# PHP's zend_function union is incompatible with the object-size sanitizer +export CFLAGS="$CFLAGS -fno-sanitize=object-size" +export CXXFLAGS="$CXXFLAGS -fno-sanitize=object-size" + +# Disable JIT profitability checks. +export CFLAGS="$CFLAGS -DPROFITABILITY_CHECKS=0" + +# Make sure the right assembly files are picked +BUILD_FLAG="" +if [ "$ARCHITECTURE" = "i386" ]; then + BUILD_FLAG="--build=i686-pc-linux-gnu" +fi + +# build project +./buildconf --force +./configure $BUILD_FLAG \ + --disable-all \ + --enable-debug-assertions \ + --enable-option-checking=fatal \ + --enable-fuzzer \ + --enable-exif \ + --enable-opcache \ + --without-pcre-jit \ + --disable-phpdbg \ + --disable-cgi \ + --with-pic +make -j$(nproc) + +# Generate corpuses and dictionaries. +sapi/cli/php sapi/fuzzer/generate_all.php + +# Copy dictionaries to expected locations. 
+cp sapi/fuzzer/dict/unserialize $OUT/php-fuzz-unserialize.dict +cp sapi/fuzzer/dict/parser $OUT/php-fuzz-parser.dict +cp sapi/fuzzer/json.dict $OUT/php-fuzz-json.dict + +FUZZERS="php-fuzz-json +php-fuzz-exif +php-fuzz-unserialize +php-fuzz-unserializehash +php-fuzz-parser +php-fuzz-execute" +for fuzzerName in $FUZZERS; do + cp sapi/fuzzer/$fuzzerName $OUT/ +done + +# The JIT fuzzer is fundamentally incompatible with memory sanitizer, +# as that would require the JIT to emit msan instrumentation itself. +# In practice it is currently also incompatible with ubsan. +if [ "$SANITIZER" != "memory" ] && [ "$SANITIZER" != "undefined" ]; then + cp sapi/fuzzer/php-fuzz-function-jit $OUT/ + cp sapi/fuzzer/php-fuzz-tracing-jit $OUT/ + + # Copy opcache.so extension, which does not support static linking. + mkdir -p $OUT/modules + cp modules/opcache.so $OUT/modules +fi + +# copy corpora from source +for fuzzerName in `ls sapi/fuzzer/corpus`; do + zip -j $OUT/php-fuzz-${fuzzerName}_seed_corpus.zip sapi/fuzzer/corpus/${fuzzerName}/* +done diff --git a/benchmarks/php_php-fuzz-unserializehash/cosmic.list b/benchmarks/php_php-fuzz-unserializehash/cosmic.list new file mode 100644 index 000000000..e9f052d76 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserializehash/cosmic.list @@ -0,0 +1,2 @@ +deb http://archive.ubuntu.com/ubuntu/ cosmic universe + diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24387 b/benchmarks/php_php-fuzz-unserializehash/testcases/24387 new file mode 100644 index 000000000..bdb3d60c5 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24387 @@ -0,0 +1 @@ +>public$ÿ){}} \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24403 b/benchmarks/php_php-fuzz-unserializehash/testcases/24403 new file mode 100644 index 000000000..8fe1a2145 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24403 @@ -0,0 +1 @@ +ÿ;})); \ No newline at end of file 
diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24405 b/benchmarks/php_php-fuzz-unserializehash/testcases/24405 new file mode 100644 index 0000000000000000000000000000000000000000..4ca969a8f0dc787e486801d5f87f25d4f4088ad1 GIT binary patch literal 79 zcmZ3tZrwT?`+|%DuEgTv)S?m%GX*s@4V97;{`R_dC8=Fqvu7#TDx{U>C6{F8=V@pv gC{!z`s3ci)0U1E7P|H=TscFr{WpBsDz`)Q2087pnUH||9 literal 0 HcmV?d00001 diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24423 b/benchmarks/php_php-fuzz-unserializehash/testcases/24423 new file mode 100644 index 000000000..e449a2532 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24423 @@ -0,0 +1 @@ + ÿ; })); \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24436 b/benchmarks/php_php-fuzz-unserializehash/testcases/24436 new file mode 100644 index 000000000..9459d2b61 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24436 @@ -0,0 +1 @@ +ÿ; \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24567 b/benchmarks/php_php-fuzz-unserializehash/testcases/24567 new file mode 100644 index 000000000..9459d2b61 --- /dev/null +++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24567 @@ -0,0 +1 @@ +ÿ; \ No newline at end of file diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24627 b/benchmarks/php_php-fuzz-unserializehash/testcases/24627 new file mode 100644 index 000000000..72b58187d --- /dev/null +++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24627 @@ -0,0 +1 @@ +ÿ()); \ No newline at end of file From e7419a323f429a2f3e0c9d29221d45102a1154cd Mon Sep 17 00:00:00 2001 
From: Zuka Tsinadze Date: Sat, 22 Mar 2025 19:49:19 +0100 Subject: [PATCH 08/12] add wireshark benchmark --- benchmarks/wireshark_fuzzshark/Dockerfile | 31 ++++++++++ benchmarks/wireshark_fuzzshark/benchmark.yaml | 23 ++++++++ benchmarks/wireshark_fuzzshark/build.sh | 59 +++++++++++++++++++ 3 files changed, 113 insertions(+) create mode 100644 benchmarks/wireshark_fuzzshark/Dockerfile create mode 100644 benchmarks/wireshark_fuzzshark/benchmark.yaml create mode 100755 benchmarks/wireshark_fuzzshark/build.sh diff --git a/benchmarks/wireshark_fuzzshark/Dockerfile b/benchmarks/wireshark_fuzzshark/Dockerfile new file mode 100644 index 000000000..3a949d0ed --- /dev/null +++ b/benchmarks/wireshark_fuzzshark/Dockerfile @@ -0,0 +1,31 @@ +# Copyright 2018 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd + +RUN apt-get update && \ + apt-get install -y \ + libstdc++-9-dev libstdc++-9-dev:i386 nasm subversion \ + gnupg lsb-release software-properties-common pkg-config \ + python3-pip libgtk-3-dev unzip pax-utils file cpio ninja-build cmake \ + libgcrypt20-dev libc-ares-dev libpcre2-dev flex inotify-tools \ + libboost-dev + +RUN git clone \ + https://gitlab.com/wireshark/wireshark + +WORKDIR wireshark +COPY build.sh $SRC/ 
diff --git a/benchmarks/wireshark_fuzzshark/benchmark.yaml b/benchmarks/wireshark_fuzzshark/benchmark.yaml new file mode 100644 index 000000000..845ba76da --- /dev/null +++ b/benchmarks/wireshark_fuzzshark/benchmark.yaml @@ -0,0 +1,23 @@ +commit: 36a9f4231b3ee82bd4efee53ed8a1004ff90102d +commit_date: 2023-11-11T01:07:51+00:00 +fuzz_target: fuzzshark +project: wireshark +unsupported_fuzzers: + - aflcc + - afl_qemu + - aflplusplus_qemu + - aflplusplus_qemu_tracepc + - aflplusplus_frida + - honggfuzz_qemu + - klee + - lafintel + - weizz_qemu + - aflplusplus_cmplog_double + - symcc_aflplusplus_single + - eclipser_aflplusplus + - aflplusplus_qemu_double + - fuzzolic_aflplusplus_z3 + - symqemu_aflplusplus + - fuzzolic_aflplusplus_fuzzy + - fuzzolic_aflplusplus_z3dict + - tortoisefuzz diff --git a/benchmarks/wireshark_fuzzshark/build.sh b/benchmarks/wireshark_fuzzshark/build.sh new file mode 100755 index 000000000..b53d53563 --- /dev/null +++ b/benchmarks/wireshark_fuzzshark/build.sh 
@@ -0,0 +1,59 @@ +#!/bin/bash -eu +# Copyright 2018 Google Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + + +mkdir seeds +find . -name "*.pcap" -exec cp {} seeds \; +cp -r seeds $OUT/ + +mkdir build +cd build + +cmake -G Ninja .. \ + -DENABLE_STATIC=ON \ + -DOSS_FUZZ=ON \ + -DINSTRUMENT_DISSECTORS_ONLY=ON \ + -DBUILD_fuzzshark=ON \ + -DBUILD_wireshark=OFF \ + -DBUILD_sharkd=OFF \ + -DENABLE_PCAP=OFF \ + -DENABLE_ZLIB=OFF \ + -DENABLE_MINIZIP=OFF \ + -DENABLE_LZ4=OFF \ + -DENABLE_BROTLI=OFF \ + -DENABLE_SNAPPY=OFF \ + -DENABLE_ZSTD=OFF \ + -DENABLE_NGHTTP2=OFF \ + -DENABLE_NGHTTP3=OFF \ + -DENABLE_LUA=OFF \ + -DENABLE_SMI=OFF \ + -DENABLE_GNUTLS=OFF \ + -DENABLE_NETLINK=OFF \ + -DENABLE_KERBEROS=OFF \ + -DENABLE_SBC=OFF \ + -DENABLE_SPANDSP=OFF \ + -DENABLE_BCG729=OFF \ + -DENABLE_AMRNB=OFF \ + -DENABLE_ILBC=OFF \ + -DENABLE_LIBXML2=OFF \ + -DENABLE_OPUS=OFF \ + -DENABLE_SINSP=OFF + +ninja fuzzshark +cp run/fuzzshark $OUT/fuzzshark +export FUZZSHARK_TARGET="tcp" + From 4f49e385178601b26ba25a01ccbb32631b38bf75 Mon Sep 17 00:00:00 2001 
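Review bot: The final `export FUZZSHARK_TARGET="tcp"` has no effect on fuzzing: it only changes the environment of this build shell, which is gone by the time the runner image executes `fuzzshark`, so the variable must be set by the runner (the follow-up commit that adds `fuzzer_env["FUZZSHARK_TARGET"] = "tcp"` to every fuzzer.py looks like the workaround for exactly this). The seed handling also looks off: `cp -r seeds $OUT/` leaves a bare directory in `$OUT`, whereas the seed corpus convention the other benchmarks in this series follow is a `<target>_seed_corpus.zip`, i.e. `zip -j "$OUT/fuzzshark_seed_corpus.zip" seeds/*` — please confirm which form the harness picks up. `find . -name "*.pcap" -exec cp {} seeds \;` silently overwrites captures that share a basename across directories, so the seed set may be smaller than intended.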
From: Zuka Tsinadze Date: Sat, 22 Mar 2025 22:44:02 +0100 Subject: [PATCH 09/12] add naive explore fast --- fuzzers/libafl_covaccount/builder.Dockerfile | 2 +- fuzzers/libafl_covaccount/fuzzer.py | 1 + fuzzers/libafl_default/builder.Dockerfile | 2 +- fuzzers/libafl_default/fuzzer.py | 1 + .../builder.Dockerfile | 6 +- .../fuzzer.py | 6 +- .../runner.Dockerfile | 0 fuzzers/libafl_fast/builder.Dockerfile | 54 +++++++++++++ fuzzers/libafl_fast/fuzzer.py | 79 +++++++++++++++++++ fuzzers/libafl_fast/runner.Dockerfile | 25 ++++++ fuzzers/libafl_naive/builder.Dockerfile | 54 +++++++++++++ fuzzers/libafl_naive/fuzzer.py | 79 +++++++++++++++++++ fuzzers/libafl_naive/runner.Dockerfile | 25 ++++++ fuzzers/libafl_random/builder.Dockerfile | 2 +- fuzzers/libafl_random/fuzzer.py | 1 + fuzzers/libafl_weighted/builder.Dockerfile | 2 +- fuzzers/libafl_weighted/fuzzer.py | 1 + 17 files changed, 330 insertions(+), 10 deletions(-) rename fuzzers/{libafl_valprof => libafl_explore}/builder.Dockerfile (91%) rename fuzzers/{libafl_valprof => libafl_explore}/fuzzer.py (93%) rename fuzzers/{libafl_valprof => libafl_explore}/runner.Dockerfile (100%) create mode 100644 fuzzers/libafl_fast/builder.Dockerfile create mode 100755 fuzzers/libafl_fast/fuzzer.py create mode 100644 fuzzers/libafl_fast/runner.Dockerfile create mode 100644 fuzzers/libafl_naive/builder.Dockerfile create mode 100755 fuzzers/libafl_naive/fuzzer.py create mode 100644 fuzzers/libafl_naive/runner.Dockerfile diff --git a/fuzzers/libafl_covaccount/builder.Dockerfile b/fuzzers/libafl_covaccount/builder.Dockerfile index 433177eee..0cd07668c 100644 --- a/fuzzers/libafl_covaccount/builder.Dockerfile +++ b/fuzzers/libafl_covaccount/builder.Dockerfile 
@@ -38,7 +38,7 @@ RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e3313999997633 RUN git clone https://github.com/zukatsinadze/LibAFL /libafl # Checkout a current commit -RUN cd /libafl && git pull && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9 || true +RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true # Note that due a nightly bug it is currently fixed to a known version on top! # Compile libafl. diff --git a/fuzzers/libafl_covaccount/fuzzer.py b/fuzzers/libafl_covaccount/fuzzer.py index 500e74ca2..2d36871db 100755 --- a/fuzzers/libafl_covaccount/fuzzer.py +++ b/fuzzers/libafl_covaccount/fuzzer.py @@ -74,5 +74,6 @@ def fuzz(input_corpus, output_corpus, target_binary): command += ["-o", output_corpus, "-i", input_corpus] fuzzer_env = os.environ.copy() fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2" + fuzzer_env["FUZZSHARK_TARGET"] = "tcp" print(command) subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env) diff --git a/fuzzers/libafl_default/builder.Dockerfile b/fuzzers/libafl_default/builder.Dockerfile index ae92b0b04..082f01ef9 100644 --- a/fuzzers/libafl_default/builder.Dockerfile +++ b/fuzzers/libafl_default/builder.Dockerfile @@ -38,7 +38,7 @@ RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e3313999997633 RUN git clone https://github.com/zukatsinadze/LibAFL /libafl # Checkout a current commit -RUN cd /libafl && git pull && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9 || true +RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true # Note that due a nightly bug it is currently fixed to a known version on top! # Compile libafl. diff --git a/fuzzers/libafl_default/fuzzer.py b/fuzzers/libafl_default/fuzzer.py index ff9cd1ee7..631467b55 100755 --- a/fuzzers/libafl_default/fuzzer.py +++ b/fuzzers/libafl_default/fuzzer.py 
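Review bot: `fuzzer_env["FUZZSHARK_TARGET"] = "tcp"` hard-codes a wireshark-specific setting into a generic LibAFL integration, so every benchmark run by this fuzzer now gets the variable, and a change of dissector target requires editing seven fuzzer modules. It should be guarded by the target, e.g. `if os.path.basename(target_binary) == "fuzzshark":` followed by `    fuzzer_env["FUZZSHARK_TARGET"] = "tcp"`, or better, set from the wireshark benchmark itself. The same line is added in this commit to `libafl_default`, `libafl_explore`, `libafl_fast`, `libafl_naive`, `libafl_random` and `libafl_weighted`. The enclosing `fuzz` function starts above this hunk.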
@@ -74,5 +74,6 @@ def fuzz(input_corpus, output_corpus, target_binary): command += ["-o", output_corpus, "-i", input_corpus] fuzzer_env = os.environ.copy() fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2" + fuzzer_env["FUZZSHARK_TARGET"] = "tcp" print(command) subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env) diff --git a/fuzzers/libafl_valprof/builder.Dockerfile b/fuzzers/libafl_explore/builder.Dockerfile similarity index 91% rename from fuzzers/libafl_valprof/builder.Dockerfile rename to fuzzers/libafl_explore/builder.Dockerfile index 0ae372c8e..cc7f56bfd 100644 --- a/fuzzers/libafl_valprof/builder.Dockerfile +++ b/fuzzers/libafl_explore/builder.Dockerfile @@ -38,17 +38,17 @@ RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e3313999997633 RUN git clone https://github.com/zukatsinadze/LibAFL /libafl # Checkout a current commit -RUN cd /libafl && git pull && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9 || true +RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true # Note that due a nightly bug it is currently fixed to a known version on top! # Compile libafl. RUN cd /libafl && \ unset CFLAGS CXXFLAGS && \ export LIBAFL_EDGES_MAP_SIZE=2621440 && \ - cd ./fuzzers/fuzzbench/fuzzbench_valprof && \ + cd ./fuzzers/fuzzbench/fuzzbench_explore && \ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main # Auxiliary weak references. -RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_valprof && \ +RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_explore && \ clang -c stub_rt.c && \ ar r /stub_rt.a stub_rt.o diff --git a/fuzzers/libafl_valprof/fuzzer.py b/fuzzers/libafl_explore/fuzzer.py similarity index 93% rename from fuzzers/libafl_valprof/fuzzer.py rename to fuzzers/libafl_explore/fuzzer.py index 2ae497850..badbb387d 100755 --- a/fuzzers/libafl_valprof/fuzzer.py +++ b/fuzzers/libafl_explore/fuzzer.py 
@@ -45,11 +45,10 @@ def prepare_fuzz_environment(input_corpus): def build(): # pylint: disable=too-many-branches,too-many-statements """Build benchmark.""" os.environ["CC"] = ( - "/libafl/fuzzers/fuzzbench/fuzzbench_valprof/target/release-fuzzbench/libafl_cc" + "/libafl/fuzzers/fuzzbench/fuzzbench_explore/target/release-fuzzbench/libafl_cc" ) os.environ["CXX"] = ( - "/libafl/fuzzers/fuzzbench/fuzzbench_valprof" - "/target/release-fuzzbench/libafl_cxx" + "/libafl/fuzzers/fuzzbench/fuzzbench_explore/target/release-fuzzbench/libafl_cxx" ) os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1" @@ -75,5 +74,6 @@ def fuzz(input_corpus, output_corpus, target_binary): command += ["-o", output_corpus, "-i", input_corpus] fuzzer_env = os.environ.copy() fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2" + fuzzer_env["FUZZSHARK_TARGET"] = "tcp" print(command) subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env) diff --git a/fuzzers/libafl_valprof/runner.Dockerfile b/fuzzers/libafl_explore/runner.Dockerfile similarity index 100% rename from fuzzers/libafl_valprof/runner.Dockerfile rename to fuzzers/libafl_explore/runner.Dockerfile diff --git a/fuzzers/libafl_fast/builder.Dockerfile b/fuzzers/libafl_fast/builder.Dockerfile new file mode 100644 index 000000000..62e3254e9 --- /dev/null +++ b/fuzzers/libafl_fast/builder.Dockerfile 
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_fast && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_fast && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_fast/fuzzer.py b/fuzzers/libafl_fast/fuzzer.py
new file mode 100755
index 000000000..71bde9d91
--- /dev/null
+++ b/fuzzers/libafl_fast/fuzzer.py
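Review bot: The `|| true` after `git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b` turns the commit pin into a suggestion: if the checkout fails the build silently continues on whatever the preceding `git pull` fetched from the fork's default branch, so image builds are neither reproducible nor protected against an unexpected change in that fork. Drop the fallback (and the `git pull`, which is redundant immediately after a fresh clone): `RUN cd /libafl && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b`. The rustup installer and `https://apt.llvm.org/llvm.sh` are fetched and executed unpinned, while the `createAliases.sh` gist is pinned to a revision; the pinned form is the one to follow for the other two where a checksum or release tag is available. The same pattern is in `fuzzers/libafl_naive/builder.Dockerfile` and in the bumped `libafl_covaccount`, `libafl_default` and `libafl_explore` builders in this commit.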
@@ -0,0 +1,79 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus) + + +def build(): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + os.environ["CC"] = ( + "/libafl/fuzzers/fuzzbench/fuzzbench_fast/target/release-fuzzbench/libafl_cc" + ) + os.environ["CXX"] = ( + "/libafl/fuzzers/fuzzbench/fuzzbench_fast/target/release-fuzzbench/libafl_cxx" + ) + + os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1" + os.environ["UBSAN_OPTIONS"] = "abort_on_error=0" + + cflags = ["--libafl"] + cxxflags = ["--libafl", "--std=c++14"] + utils.append_flags("CFLAGS", cflags) + utils.append_flags("CXXFLAGS", cxxflags) + utils.append_flags("LDFLAGS", cflags) + + os.environ["FUZZER_LIB"] = "/stub_rt.a" + utils.build_benchmark() + + +def fuzz(input_corpus, output_corpus, target_binary): + """Run fuzzer.""" + prepare_fuzz_environment(input_corpus) + dictionary_path = utils.get_dictionary_path(target_binary) + command = [target_binary] + if dictionary_path: + command += ["-x", dictionary_path] + command += ["-o", output_corpus, "-i", input_corpus] + fuzzer_env = os.environ.copy() + fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2" + fuzzer_env["FUZZSHARK_TARGET"] = "tcp" + print(command) + subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env) diff --git a/fuzzers/libafl_fast/runner.Dockerfile b/fuzzers/libafl_fast/runner.Dockerfile new file mode 100644 index 000000000..f0c5eb6cc --- /dev/null +++ b/fuzzers/libafl_fast/runner.Dockerfile 
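Review bot: The module docstring `"""Integration code for a LibAFL-based fuzzer."""` is identical across every libafl_* variant and does not say what distinguishes this one; since the builder compiles `fuzzers/fuzzbench/fuzzbench_fast`, the docstring should at least name that, e.g. `"""Integration code for the LibAFL fuzzbench_fast variant."""`, and the same applies to `fuzzers/libafl_naive/fuzzer.py`. Neither new fuzzer ships a `description.md`, although the earlier commit in this series added one for `libafl_covaccount` and `libafl_default`; a one-paragraph description of what "fast" and "naive" select would make the experiment results interpretable. The `# pylint: disable=too-many-branches,too-many-statements` on `build()` is stale — the function has no branches — and can be removed. The hard-coded `FUZZSHARK_TARGET` line is the same issue as in the `libafl_covaccount` hunk.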
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_naive/builder.Dockerfile b/fuzzers/libafl_naive/builder.Dockerfile
new file mode 100644
index 000000000..4441bc2ec
--- /dev/null
+++ b/fuzzers/libafl_naive/builder.Dockerfile
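Review bot: `RUN apt install libjemalloc2` runs without a preceding `apt-get update`, without `-y`, and through the `apt` front end whose CLI is explicitly not stable for scripts, so the step depends on a package index baked into the base image and will abort if apt ever needs confirmation; the usual form is `RUN apt-get update && apt-get install -y --no-install-recommends libjemalloc2`. The `AFL_*` environment variables and the commented-out `#ENV AFL_MAP_SIZE=2621440` look inherited from an AFL++ runner; it is unclear from here whether the LibAFL binary reads any of them, and a short comment stating which ones matter (or removing the rest) would help. The same runner is added for `libafl_naive`.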
@@ -0,0 +1,54 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ARG parent_image +FROM $parent_image + +# Uninstall old Rust & Install the latest one. +RUN if which rustup; then rustup self uninstall -y; fi && \ + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \ + sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \ + rm /rustup.sh + +# Install dependencies. +RUN apt-get update && \ + apt-get remove -y llvm-10 && \ + apt-get install -y \ + build-essential \ + lsb-release wget software-properties-common gnupg && \ + apt-get install -y wget libstdc++5 libtool-bin automake flex bison \ + libglib2.0-dev libpixman-1-dev python3-setuptools unzip \ + apt-utils apt-transport-https ca-certificates joe curl && \ + wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17 + +RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh + +# Download libafl. +RUN git clone https://github.com/zukatsinadze/LibAFL /libafl + +# Checkout a current commit +RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true +# Note that due a nightly bug it is currently fixed to a known version on top! + +# Compile libafl. 
+RUN cd /libafl && \ + unset CFLAGS CXXFLAGS && \ + export LIBAFL_EDGES_MAP_SIZE=2621440 && \ + cd ./fuzzers/fuzzbench/fuzzbench_naive && \ + PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main + +# Auxiliary weak references. +RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_naive && \ + clang -c stub_rt.c && \ + ar r /stub_rt.a stub_rt.o diff --git a/fuzzers/libafl_naive/fuzzer.py b/fuzzers/libafl_naive/fuzzer.py new file mode 100755 index 000000000..7a8ab9324 --- /dev/null +++ b/fuzzers/libafl_naive/fuzzer.py 
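Review bot: The `|| true` on `git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b` swallows a failed checkout, so if that commit is absent from the `zukatsinadze/LibAFL` fork the image silently builds whatever `git pull` left at HEAD and the experiment is no longer pinned, contradicting the comment on the next line. The clone is fresh, so `git pull` is redundant as well; the line should be `RUN cd /libafl && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b`. The same file also executes three remote scripts as root — the rustup installer, the `createAliases.sh` gist and `llvm.sh` — of which only the gist is pinned to a revision; a short comment acknowledging that the rustup and llvm.sh downloads are unpinned (and checking a known hash if reproducibility matters) would help whoever reruns this later.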
@@ -0,0 +1,79 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +"""Integration code for a LibAFL-based fuzzer.""" + +import os +import subprocess + +from fuzzers import utils + + +def prepare_fuzz_environment(input_corpus): + """Prepare to fuzz with a LibAFL-based fuzzer.""" + os.environ["ASAN_OPTIONS"] = ( + "abort_on_error=1:detect_leaks=0:" + "malloc_context_size=0:symbolize=0:" + "allocator_may_return_null=1:" + "detect_odr_violation=0:handle_segv=0:" + "handle_sigbus=0:handle_abort=0:" + "handle_sigfpe=0:handle_sigill=0" + ) + os.environ["UBSAN_OPTIONS"] = ( + "abort_on_error=1:" + "allocator_release_to_os_interval_ms=500:" + "handle_abort=0:handle_segv=0:" + "handle_sigbus=0:handle_sigfpe=0:" + "handle_sigill=0:print_stacktrace=0:" + "symbolize=0:symbolize_inline_frames=0" + ) + # Create at least one non-empty seed to start. 
+ utils.create_seed_file_for_empty_corpus(input_corpus) + + +def build(): # pylint: disable=too-many-branches,too-many-statements + """Build benchmark.""" + os.environ["CC"] = ( + "/libafl/fuzzers/fuzzbench/fuzzbench_naive/target/release-fuzzbench/libafl_cc" + ) + os.environ["CXX"] = ( + "/libafl/fuzzers/fuzzbench/fuzzbench_naive/target/release-fuzzbench/libafl_cxx" + ) + + os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1" + os.environ["UBSAN_OPTIONS"] = "abort_on_error=0" + + cflags = ["--libafl"] + cxxflags = ["--libafl", "--std=c++14"] + utils.append_flags("CFLAGS", cflags) + utils.append_flags("CXXFLAGS", cxxflags) + utils.append_flags("LDFLAGS", cflags) + + os.environ["FUZZER_LIB"] = "/stub_rt.a" + utils.build_benchmark() + + +def fuzz(input_corpus, output_corpus, target_binary): + """Run fuzzer.""" + prepare_fuzz_environment(input_corpus) + dictionary_path = utils.get_dictionary_path(target_binary) + command = [target_binary] + if dictionary_path: + command += ["-x", dictionary_path] + command += ["-o", output_corpus, "-i", input_corpus] + fuzzer_env = os.environ.copy() + fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2" + fuzzer_env["FUZZSHARK_TARGET"] = "tcp" + print(command) + subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env) diff --git a/fuzzers/libafl_naive/runner.Dockerfile b/fuzzers/libafl_naive/runner.Dockerfile new file mode 100644 index 000000000..f0c5eb6cc --- /dev/null +++ b/fuzzers/libafl_naive/runner.Dockerfile 
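Review bot: `fuzz()` sets `fuzzer_env["FUZZSHARK_TARGET"] = "tcp"` unconditionally, which leaks a wireshark-specific setting into a fuzzer module that runs every benchmark; it is only harmless for other targets as long as nothing else reads that name, and the wireshark benchmark updated in this same series now builds `fuzzshark_ip`, so whether the `tcp` value is honoured there at all is unclear from here. Gate it on the target, e.g. `if os.path.basename(target_binary).startswith("fuzzshark"):` in front of the assignment, and add a one-line comment saying which benchmark needs it. Separately, `build()` and `fuzz()` are byte-identical to the libafl_fast module apart from the `fuzzbench_naive` path, so the per-scheduler modules would be easier to keep in sync as one shared helper parameterised on the LibAFL build directory.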
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_random/builder.Dockerfile b/fuzzers/libafl_random/builder.Dockerfile
index d9fe3c09f..1d2c5b1c3 100644
--- a/fuzzers/libafl_random/builder.Dockerfile
+++ b/fuzzers/libafl_random/builder.Dockerfile
@@ -38,7 +38,7 @@ RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e3313999997633
 RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
 # Checkout a current commit
-RUN cd /libafl && git pull && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9 || true
+RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true
 # Note that due a nightly bug it is currently fixed to a known version on top!
 # Compile libafl.
diff --git a/fuzzers/libafl_random/fuzzer.py b/fuzzers/libafl_random/fuzzer.py
index 933e6c501..7c78d4c69 100755
--- a/fuzzers/libafl_random/fuzzer.py
+++ b/fuzzers/libafl_random/fuzzer.py
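Review bot: `RUN apt install libjemalloc2` is missing `-y` and is not preceded by `apt-get update`, so in a non-interactive build it aborts at the confirmation prompt whenever apt needs to pull in more than the named package, and it can fail on stale or absent package lists. Because the companion fuzzer.py LD_PRELOADs `/usr/lib/x86_64-linux-gnu/libjemalloc.so.2` in every trial, the breakage shows up late, as a loader error inside the run. Replace it with `RUN apt-get update && apt-get install -y --no-install-recommends libjemalloc2 && rm -rf /var/lib/apt/lists/*`.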
@@ -74,5 +74,6 @@ def fuzz(input_corpus, output_corpus, target_binary):
 command += ["-o", output_corpus, "-i", input_corpus]
 fuzzer_env = os.environ.copy()
 fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ fuzzer_env["FUZZSHARK_TARGET"] = "tcp"
 print(command)
 subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_weighted/builder.Dockerfile b/fuzzers/libafl_weighted/builder.Dockerfile
index 0950c46f9..e63f82fba 100644
--- a/fuzzers/libafl_weighted/builder.Dockerfile
+++ b/fuzzers/libafl_weighted/builder.Dockerfile
@@ -38,7 +38,7 @@ RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e3313999997633
 RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
 # Checkout a current commit
-RUN cd /libafl && git pull && git checkout 94eb2b6fe2cdcf65ace7aa9c2c9c94ee4e8e00d9 || true
+RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true
 # Note that due a nightly bug it is currently fixed to a known version on top!
 # Compile libafl.
diff --git a/fuzzers/libafl_weighted/fuzzer.py b/fuzzers/libafl_weighted/fuzzer.py
index 71531b8e3..ef8ee0bf0 100755
--- a/fuzzers/libafl_weighted/fuzzer.py
+++ b/fuzzers/libafl_weighted/fuzzer.py
@@ -75,5 +75,6 @@ def fuzz(input_corpus, output_corpus, target_binary):
 command += ["-o", output_corpus, "-i", input_corpus]
 fuzzer_env = os.environ.copy()
 fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ fuzzer_env["FUZZSHARK_TARGET"] = "tcp"
 print(command)
 subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
From 1dbd0f7f1cafc0acce2eb6eea974921413eaf2ad Mon Sep 17 00:00:00 2001
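Review bot: The added `fuzzer_env["FUZZSHARK_TARGET"] = "tcp"` in libafl_random's `fuzz()` is set for every benchmark, not just wireshark, so a benchmark-specific environment variable now rides along with every target this fuzzer runs; it is harmless only as long as no other target reads that name, and with the wireshark target renamed to `fuzzshark_ip` later in this series it is not obvious the `tcp` value is even used. Guard it, `if os.path.basename(target_binary).startswith("fuzzshark"):`, and add a comment naming the benchmark that needs it. `fuzz()` starts above this hunk.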
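Review bot: libafl_weighted's `fuzz()` gets the same unconditional `fuzzer_env["FUZZSHARK_TARGET"] = "tcp"` as the other scheduler modules, so the wireshark-only setting is applied to every benchmark and the value is duplicated across five files with nothing tying them together. The same one-line guard on the target name, `if os.path.basename(target_binary).startswith("fuzzshark"):`, belongs here too, and a shared helper in `fuzzers/utils`-style code would keep the five copies from drifting. `fuzz()` starts above this hunk.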
From: Zuka Tsinadze Date: Sun, 23 Mar 2025 19:48:15 +0100 Subject: [PATCH 10/12] remove nodejs --- benchmarks/nodejs_fuzz_x509/Dockerfile | 22 -------- benchmarks/nodejs_fuzz_x509/benchmark.yaml | 4 -- benchmarks/nodejs_fuzz_x509/build.sh | 66 ---------------------- benchmarks/nodejs_fuzz_x509/fuzz_url.cc | 25 -------- 4 files changed, 117 deletions(-) delete mode 100644 benchmarks/nodejs_fuzz_x509/Dockerfile delete mode 100644 benchmarks/nodejs_fuzz_x509/benchmark.yaml delete mode 100755 benchmarks/nodejs_fuzz_x509/build.sh delete mode 100644 benchmarks/nodejs_fuzz_x509/fuzz_url.cc diff --git a/benchmarks/nodejs_fuzz_x509/Dockerfile b/benchmarks/nodejs_fuzz_x509/Dockerfile deleted file mode 100644 index a995e296e..000000000 --- a/benchmarks/nodejs_fuzz_x509/Dockerfile +++ /dev/null @@ -1,22 +0,0 @@ -# Copyright 2020 Google Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -################################################################################ - -FROM gcr.io/oss-fuzz-base/base-builder@sha256:fb1a9a49752c9e504687448d1f1a048ec1e062e2e40f7e8a23e86b63ff3dad7c -RUN apt-get update && apt-get install -y make -RUN apt-get install -y flex bison build-essential -RUN git clone --recursive --depth 1 https://github.com/AdamKorcz/node --branch=all-new-fuzzers -WORKDIR $SRC -COPY build.sh $SRC/ diff --git a/benchmarks/nodejs_fuzz_x509/benchmark.yaml b/benchmarks/nodejs_fuzz_x509/benchmark.yaml deleted file mode 100644 index 63fe52759..000000000 
--- a/benchmarks/nodejs_fuzz_x509/benchmark.yaml +++ /dev/null @@ -1,4 +0,0 @@ -commit: 060a7925dd5a6723d1c52aa901d27fecf96cc579 -commit_date: 2024-04-05 13:12:56+00:00 -fuzz_target: fuzz_x509 -project: nodejs diff --git a/benchmarks/nodejs_fuzz_x509/build.sh b/benchmarks/nodejs_fuzz_x509/build.sh deleted file mode 100755 index 90c443a49..000000000 --- a/benchmarks/nodejs_fuzz_x509/build.sh +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash -eu -# Copyright 2020 Google Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -################################################################################ -cd $SRC/node - -# Coverage build takes very long and time outs in the CI which blocks changes. Ignore Coverage build in OSS-Fuzz CI for now: -if [[ -n "${OSS_FUZZ_CI-}" && "$SANITIZER" = coverage ]]; then - exit 0 -fi - -if [[ "$SANITIZER" = coverage ]]; then - export CFLAGS="${CFLAGS/"-fcoverage-mapping"/" "}" - export CFLAGS="${CFLAGS/"-fprofile-instr-generate"/" "}" - export CXXFLAGS="${CXXFLAGS/"-fcoverage-mapping"/" "}" - export CXXFLAGS="${CXXFLAGS/"-fprofile-instr-generate"/" "}" - echo "CFLAGS: ${CFLAGS}" - echo "CXXFLAGS: ${CXXFLAGS}" -fi - -# Build node -export LDFLAGS="$CXXFLAGS" -export LD="$CXX" -./configure --with-ossfuzz - -# Ensure we build with few processors if memory gets exhausted -if [[ "$SANITIZER" = coverage ]]; then - for mrkpath in fuzz_buffer_includes.target.mk fuzz_buffer_equals.target.mk fuzz_buffer_compare.target.mk fuzz_blob.target.mk fuzz_zlib_gzip_createUnzip.target.mk fuzz_zlib_createBrotliDecompress.target.mk fuzz_zlib_brotliDecompress.target.mk fuzz_zlib_brotliCompress.target.mk fuzz_string_decoder.target.mk fuzz_querystring_parse.target.mk fuzz_ParseSrvReply.target.mk fuzz_path_join.target.mk fuzz_env.target.mk fuzz_stream1.target.mk fuzz_strings.target.mk fuzz_diffieHellmanPEM.target.mk fuzz_createPrivateKeyPEM.target.mk 
fuzz_createPrivateKeyDER.target.mk fuzz_ParseSoaReply.target.mk fuzz_path_extname.target.mk fuzz_ParseCaaReply.target.mk fuzz_path_normalize.target.mk fuzz_path_relative.target.mk fuzz_createPrivateKeyJWK.target.mk fuzz_ParseMxReply.target.mk fuzz_path_format.target.mk fuzz_LoadBIO.target.mk fuzz_ClientHelloParser.target.mk fuzz_diffieHellmanJWK.target.mk fuzz_path_basename.target.mk fuzz_ParseNaptrReply.target.mk fuzz_path_isAbsolute.target.mk fuzz_tls_socket_request.target.mk fuzz_ParseGeneralReply.target.mk fuzz_diffieHellmanDER.target.mk fuzz_path_toNamespacedPath.target.mk fuzz_path_parse.target.mk fuzz_httpparser1.target.mk fuzz_path_dirname.target.mk fuzz_x509.target.mk fuzz_ParseTxtReply.target.mk fuzz_fs_write_read_append.target.mk fuzz_ParsePublicKey.target.mk fuzz_sign_verify.target.mk fuzz_path_resolve.target.mk fuzz_fs_write_open_read.target.mk libnode.target.mk; do - sed -i 's/BUILDTYPE))/BUILDTYPE)) -fprofile-instr-generate -fcoverage-mapping/g' $SRC/node/out/${mrkpath} - done - make -j 3 || make -j1 -else - make -j$(nproc) || make -j1 -fi - -# Copy all fuzzers to OUT folder -cp out/Release/fuzz_* ${OUT}/ - -# Create seed for fuzz_env -mkdir fuzz_env_seed -find ./test -name '*.js' -exec cp {} ./fuzz_env_seed/ \; -cd fuzz_env_seed -# Remove small files: -find -size -5k -delete -# Remove large files: -find -size +30k -delete -zip $OUT/fuzz_env_seed_corpus.zip ./* -# Add more seeds -cd $SRC/node/test/fuzzers/seed/fuzz_env -zip $OUT/fuzz_env_seed_corpus.zip ./* - -cd $SRC/node/test/fuzzers/seed/fuzz_x509 -zip $OUT/fuzz_x509_seed_corpus.zip ./* - diff --git a/benchmarks/nodejs_fuzz_x509/fuzz_url.cc b/benchmarks/nodejs_fuzz_x509/fuzz_url.cc deleted file mode 100644 index 1c07fac3f..000000000 --- a/benchmarks/nodejs_fuzz_x509/fuzz_url.cc +++ /dev/null 
@@ -1,25 +0,0 @@ -/* Copyright 2020 Google Inc. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -#include - -#include "node.h" -#include "node_internals.h" -#include "node_url.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - node::url::URL url2((char*)data, size); - - return 0; -} From 470520626b4bd30cb6955c7ee13dcb902e05df48 Mon Sep 17 00:00:00 2001 From: Zuka Tsinadze Date: Mon, 24 Mar 2025 13:22:32 +0100 Subject: [PATCH 11/12] fix wireshark? --- benchmarks/wireshark_fuzzshark/Dockerfile | 18 +++----- benchmarks/wireshark_fuzzshark/benchmark.yaml | 25 ++--------- benchmarks/wireshark_fuzzshark/build.sh | 43 ++++++++++++++----- 3 files changed, 43 insertions(+), 43 deletions(-) diff --git a/benchmarks/wireshark_fuzzshark/Dockerfile b/benchmarks/wireshark_fuzzshark/Dockerfile index 3a949d0ed..c039ebf5e 100644 --- a/benchmarks/wireshark_fuzzshark/Dockerfile +++ b/benchmarks/wireshark_fuzzshark/Dockerfile @@ -1,4 +1,4 @@ -# Copyright 2018 Google Inc. +# Copyright 2017 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,18 +14,14 @@ #
 ################################################################################
-FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:fb1a9a49752c9e504687448d1f1a048ec1e062e2e40f7e8a23e86b63ff3dad7c
-RUN apt-get update && \
- apt-get install -y \
- libstdc++-9-dev libstdc++-9-dev:i386 nasm subversion \
- gnupg lsb-release software-properties-common pkg-config \
- python3-pip libgtk-3-dev unzip pax-utils file cpio ninja-build cmake \
- libgcrypt20-dev libc-ares-dev libpcre2-dev flex inotify-tools \
- libboost-dev
+RUN apt-get update && apt-get install -y ninja-build cmake \
+ flex libc-ares-dev \
+ libglib2.0-dev libgcrypt20-dev
-RUN git clone \
- https://gitlab.com/wireshark/wireshark
+RUN git clone --depth=1 https://gitlab.com/wireshark/wireshark.git
+RUN git clone --depth=1 https://bitbucket.org/jwzawadzki/wireshark-fuzzdb.git
 WORKDIR wireshark
 COPY build.sh $SRC/
diff --git a/benchmarks/wireshark_fuzzshark/benchmark.yaml b/benchmarks/wireshark_fuzzshark/benchmark.yaml
index 845ba76da..8828c82f5 100644
--- a/benchmarks/wireshark_fuzzshark/benchmark.yaml
+++ b/benchmarks/wireshark_fuzzshark/benchmark.yaml
@@ -1,23 +1,4 @@
-commit: 36a9f4231b3ee82bd4efee53ed8a1004ff90102d
-commit_date: 2023-11-11T01:07:51+00:00
-fuzz_target: fuzzshark
+commit: 238cc3beabc2b7bc4bd7e41bd0c410b21e680a06
+commit_date: 2025-03-24 07:43:57+00:00
+fuzz_target: fuzzshark_ip
 project: wireshark
-unsupported_fuzzers:
- - aflcc
- - afl_qemu
- - aflplusplus_qemu
- - aflplusplus_qemu_tracepc
- - aflplusplus_frida
- - honggfuzz_qemu
- - klee
- - lafintel
- - weizz_qemu
- - aflplusplus_cmplog_double
- - symcc_aflplusplus_single
- - eclipser_aflplusplus
- - aflplusplus_qemu_double
- - fuzzolic_aflplusplus_z3
- - symqemu_aflplusplus
- - fuzzolic_aflplusplus_fuzzy
- - fuzzolic_aflplusplus_z3dict
- - tortoisefuzz
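Review bot: Both new `git clone --depth=1` lines fetch an unpinned moving tip: the wireshark clone is never checked out at the `commit: 238cc3beabc2b7bc4bd7e41bd0c410b21e680a06` that benchmark.yaml records in this same patch, and `wireshark-fuzzdb.git` — whose `samples/` build.sh copies into `$SAMPLES_DIR` — has no pin at all, so two builds of this benchmark can differ in both target code and seed material, and `--depth=1` makes a later checkout of the recorded commit impossible. Unless the framework checks out `commit` itself (not visible here), use `RUN git clone https://gitlab.com/wireshark/wireshark.git && git -C wireshark checkout 238cc3beabc2b7bc4bd7e41bd0c410b21e680a06` and pin the fuzzdb clone to a specific revision the same way. The base-builder digest bump is fine; a comment saying why that particular digest was chosen would help the next person who has to move it.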
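Review bot: Deleting the entire `unsupported_fuzzers` list means the QEMU-, FRIDA- and symbolic-execution-based fuzzers it named (`afl_qemu`, `aflplusplus_frida`, `klee`, `symcc_*`, `fuzzolic_*`, …) will now be scheduled against this benchmark; unless the rename to `fuzzshark_ip` and the static build were actually verified to work with them, those trials fail at build or run time and distort the experiment. If the list was removed only because this fork never runs those fuzzers, keeping it costs nothing; otherwise the commit message should say which entries were verified and why the rest can go.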
diff --git a/benchmarks/wireshark_fuzzshark/build.sh b/benchmarks/wireshark_fuzzshark/build.sh
index b53d53563..166105d28 100755
--- a/benchmarks/wireshark_fuzzshark/build.sh
+++ b/benchmarks/wireshark_fuzzshark/build.sh
@@ -1,5 +1,5 @@
 #!/bin/bash -eu
-# Copyright 2018 Google Inc.
+# Copyright 2017 Google Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,15 +15,33 @@ #
 ################################################################################
+WIRESHARK_BUILD_PATH="$WORK/build"
+mkdir -p "$WIRESHARK_BUILD_PATH"
-mkdir seeds
-find . -name "*.pcap" -exec cp {} seeds \;
-cp -r seeds $OUT/
+# Prepare Samples directory
+export SAMPLES_DIR="$WORK/samples"
+mkdir -p "$SAMPLES_DIR"
+cp -a $SRC/wireshark-fuzzdb/samples/* "$SAMPLES_DIR"
-mkdir build
-cd build
+# Make sure we build fuzzshark.
+CMAKE_DEFINES="-DBUILD_fuzzshark=ON"
-cmake -G Ninja .. \
+# compile static version of libs
+# XXX, with static wireshark linking each fuzzer binary is ~346 MB (just libwireshark.a is 761 MB).
+# XXX, wireshark is not ready for including static plugins into binaries.
+CMAKE_DEFINES="$CMAKE_DEFINES -DENABLE_STATIC=ON -DENABLE_PLUGINS=OFF"
+
+# disable optional dependencies
+CMAKE_DEFINES="$CMAKE_DEFINES -DENABLE_PCAP=OFF -DENABLE_GNUTLS=OFF"
+
+# There is no need to manually disable programs via BUILD_xxx=OFF since the
+# all-fuzzers targets builds the minimum required binaries. However we do have
+# to disable the Qt GUI and sharkd or else the cmake step will fail.
+CMAKE_DEFINES="$CMAKE_DEFINES -DBUILD_wireshark=OFF -DBUILD_logray=OFF -DBUILD_sharkd=OFF"
+
+cd "$WIRESHARK_BUILD_PATH"
+
+cmake -G Ninja \
 -DENABLE_STATIC=ON \
 -DOSS_FUZZ=ON \
 -DINSTRUMENT_DISSECTORS_ONLY=ON \
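Review bot: `CMAKE_DEFINES` is assembled over four assignments (`-DBUILD_fuzzshark=ON`, `-DENABLE_STATIC=ON -DENABLE_PLUGINS=OFF`, `-DENABLE_PCAP=OFF -DENABLE_GNUTLS=OFF`, `-DBUILD_wireshark=OFF -DBUILD_logray=OFF -DBUILD_sharkd=OFF`) but the `cmake -G Ninja \` invocation that follows never expands it, and since the variable is introduced by this patch the unchanged flag lines below the hunk cannot reference it either — as far as the visible hunks show, its only use is inside a commented-out cmake call further down. The comments above each assignment therefore describe configuration that does not happen; either pass it, `cmake -G Ninja $CMAKE_DEFINES \`, or delete the dead assignments together with their comments. Also worth a comment: `export SAMPLES_DIR` and the `cp -a $SRC/wireshark-fuzzdb/samples/*` that feeds it appear to exist only for the upstream `oss-fuzzshark/build.sh` invoked later, so state that dependency where the variable is set.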
@@ -51,9 +69,14 @@ cmake -G Ninja .. \
 -DENABLE_ILBC=OFF \
 -DENABLE_LIBXML2=OFF \
 -DENABLE_OPUS=OFF \
- -DENABLE_SINSP=OFF
+ -DENABLE_SINSP=OFF $SRC/wireshark/
+
+# cmake -GNinja \
+# -DCMAKE_C_COMPILER=$CC -DCMAKE_CXX_COMPILER=$CXX \
+# -DCMAKE_C_FLAGS="-Wno-error=fortify-source -Wno-error=missing-field-initializers $CFLAGS" -DCMAKE_CXX_FLAGS="-Wno-error=fortify-source -Wno-error=missing-field-initializers $CXXFLAGS" \
+# -DDISABLE_WERROR=ON -DOSS_FUZZ=ON $CMAKE_DEFINES $SRC/wireshark/
 ninja fuzzshark
-cp run/fuzzshark $OUT/fuzzshark
-export FUZZSHARK_TARGET="tcp"
+
+$SRC/wireshark/tools/oss-fuzzshark/build.sh all
From b2c60512e4e6b6b6673fe33b1a7c4823f38aa2e1 Mon Sep 17 00:00:00 2001
From: Zuka Tsinadze
Date: Mon, 31 Mar 2025 16:58:51 +0200
Subject: [PATCH 12/12] dummy gcbrun
---
benchmarks/wireshark_fuzzshark/build.sh | 2 ++
service/gcbrun_experiment.py | 1 +
2 files changed, 3 insertions(+)
diff --git a/benchmarks/wireshark_fuzzshark/build.sh b/benchmarks/wireshark_fuzzshark/build.sh
index 166105d28..f9dd6a2e9 100755
--- a/benchmarks/wireshark_fuzzshark/build.sh
+++ b/benchmarks/wireshark_fuzzshark/build.sh
@@ -78,5 +78,7 @@ cmake -G Ninja \
 ninja fuzzshark
+mkdir -p $OUT/seeds
+find $SRC -name "*.pcap" -exec cp {} $OUT/seeds \;
 $SRC/wireshark/tools/oss-fuzzshark/build.sh all
diff --git a/service/gcbrun_experiment.py b/service/gcbrun_experiment.py
index bbebcf1b9..f0645276f 100644
--- a/service/gcbrun_experiment.py
+++ b/service/gcbrun_experiment.py
@@ -17,6 +17,7 @@ from the last PR comment containing "/gcbrun" and pass it to run_experiment.py
 which will run an experiment."""
+# dummy change.
 import logging
 import os
 import sys
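Review bot: The four `# cmake -GNinja …` lines are commented-out code — and the only place `$CMAKE_DEFINES` is referenced — so the script now ships a second, disabled configure command next to the live one; delete them. Replacing `cp run/fuzzshark $OUT/fuzzshark` with `$SRC/wireshark/tools/oss-fuzzshark/build.sh all` hands the build to a script from the freshly cloned checkout that presumably runs its own cmake/ninja and installs the per-dissector `fuzzshark_*` binaries (benchmark.yaml now names `fuzzshark_ip`); if it does, the hand-written `cmake … -DINSTRUMENT_DISSECTORS_ONLY=ON` and `ninja fuzzshark` above are either redundant or silently overridden, and a comment should state which configuration actually produces the benchmark binary. Dropping `export FUZZSHARK_TARGET="tcp"` here only works because the fuzzer modules in this series set that variable at run time, a coupling that deserves a one-line comment in build.sh.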
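Review bot: `find $SRC -name "*.pcap" -exec cp {} $OUT/seeds \;` walks the whole `$SRC` tree — the wireshark test captures and the fuzzdb samples alike — into one flat directory, so any two captures sharing a basename silently overwrite each other and the resulting seed set depends on `find`'s traversal order; `$SRC` and `$OUT` are also unquoted. If the fuzzdb samples already reach the target through `SAMPLES_DIR`, limit the walk to the wireshark checkout and make the copied names unique, e.g. `find "$SRC/wireshark" -name "*.pcap" -print0 | while IFS= read -r -d '' f; do cp "$f" "$OUT/seeds/$(printf %s "$f" | md5sum | cut -c1-10).pcap"; done`. A comment saying that `$OUT/seeds` is the directory the runner picks up would also explain why the seeds are placed there rather than in a `<target>_seed_corpus.zip`.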