diff --git a/benchmarks/libaom_av1_dec_fuzzer/Dockerfile b/benchmarks/libaom_av1_dec_fuzzer/Dockerfile
new file mode 100644
index 000000000..17658fab1
--- /dev/null
+++ b/benchmarks/libaom_av1_dec_fuzzer/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+
+RUN apt-get update && apt-get install -y cmake yasm wget
+RUN git clone https://aomedia.googlesource.com/aom
+ADD https://storage.googleapis.com/aom-test-data/fuzzer/dec_fuzzer_seed_corpus.zip $SRC/
+COPY build.sh $SRC/
+WORKDIR aom
diff --git a/benchmarks/libaom_av1_dec_fuzzer/benchmark.yaml b/benchmarks/libaom_av1_dec_fuzzer/benchmark.yaml
new file mode 100644
index 000000000..ca821a244
--- /dev/null
+++ b/benchmarks/libaom_av1_dec_fuzzer/benchmark.yaml
@@ -0,0 +1,5 @@
+# 4601636403675136
+commit: 6E184898310E49E33231B508618D6FDE8B84AB90
+fuzz_target: av1_dec_fuzzer
+project: libaom
+
diff --git a/benchmarks/libaom_av1_dec_fuzzer/build.sh b/benchmarks/libaom_av1_dec_fuzzer/build.sh
new file mode 100644
index 000000000..53c87ebfc
--- /dev/null
+++ b/benchmarks/libaom_av1_dec_fuzzer/build.sh
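Review bot: The seed corpus pulled by `ADD https://storage.googleapis.com/aom-test-data/fuzzer/dec_fuzzer_seed_corpus.zip $SRC/` is never verified, so the benchmark's input can change underneath it or be replaced on the network path without anything noticing; both libvpx Dockerfiles fetch `vpx_fuzzer_seed_corpus.zip` the same way. Pinning the base image by digest already shows the intent, and the corpus deserves the same treatment: record the archive's expected digest in the benchmark directory and check it in build.sh before the copy to `$OUT`, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  $SRC/dec_fuzzer_seed_corpus.zip" | sha256sum -c -`. `wget` is installed here although nothing in this Dockerfile or the accompanying build.sh calls it.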
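Review bot: `commit: 6E184898310E49E33231B508618D6FDE8B84AB90` is the only hash in this change written in uppercase, and the file has no `commit_date:` while every other benchmark.yaml added here carries one; lowercasing the hash and adding the date keeps the files uniform and avoids a miss should any consumer compare hashes as strings. The leading `# 4601636403675136` is a bare number; a word saying what it identifies would help the next reader.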
@@ -0,0 +1,69 @@
+#!/bin/bash -eu
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build libaom
+build_dir=$WORK/build
+mkdir -p ${build_dir}
+pushd ${build_dir}
+# Remove files generated by the previous build.
+rm -rf ./*
+
+# oss-fuzz has 2 GB total memory allocation limit. So, we limit per-allocation
+# limit in libaom to 1 GB to avoid OOM errors. A smaller per-allocation is
+# needed for MemorySanitizer (see bug oss-fuzz:9497 and bug oss-fuzz:9499).
+if [[ $CFLAGS = *sanitize=memory* ]]; then
+ extra_c_flags='-DAOM_MAX_ALLOCABLE_MEMORY=536870912'
+else
+ extra_c_flags='-DAOM_MAX_ALLOCABLE_MEMORY=1073741824'
+fi
+# Also, enable DO_RANGE_CHECK_CLAMP to suppress the noise of integer overflows
+# in the transform functions.
+extra_c_flags+=' -DDO_RANGE_CHECK_CLAMP=1'
+
+extra_cmake_flags=
+# MemorySanitizer requires that all program code is instrumented. Therefore we
+# need to replace all inline assembly code that writes to memory with pure C
+# code. Disable all assembly code for MemorySanitizer.
+if [[ $CFLAGS = *sanitize=memory* ]]; then
+ extra_cmake_flags+="-DAOM_TARGET_CPU=generic"
+fi
+
+cmake $SRC/aom -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS_RELEASE='-O3 -g' \
+ -DCMAKE_CXX_FLAGS_RELEASE='-O3 -g' -DCONFIG_PIC=1 -DCONFIG_LOWBITDEPTH=1 \
+ -DCONFIG_AV1_ENCODER=0 -DENABLE_EXAMPLES=0 -DENABLE_DOCS=0 -DENABLE_TESTS=0 \
+ -DCONFIG_SIZE_LIMIT=1 -DDECODE_HEIGHT_LIMIT=12288 -DDECODE_WIDTH_LIMIT=12288 \
+ -DAOM_EXTRA_C_FLAGS="${extra_c_flags}" -DENABLE_TOOLS=0 \
+ -DAOM_EXTRA_CXX_FLAGS="${extra_c_flags}" ${extra_cmake_flags}
+make -j$(nproc)
+popd
+
+# build fuzzers
+fuzzer_src_name=av1_dec_fuzzer
+fuzzer_name=${fuzzer_src_name}
+
+$CXX $CXXFLAGS -std=c++11 \
+ -I$SRC/aom \
+ -I${build_dir} \
+ -Wl,--start-group \
+ $LIB_FUZZING_ENGINE \
+ $SRC/aom/examples/${fuzzer_src_name}.cc -o $OUT/${fuzzer_name} \
+ ${build_dir}/libaom.a -Wl,--end-group
+
+# copy seed corpus.
+cp $SRC/dec_fuzzer_seed_corpus.zip $OUT/${fuzzer_name}_seed_corpus.zip
+cp $SRC/aom/examples/av1_dec_fuzzer.dict $OUT/${fuzzer_name}.dict
+
diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp8/Dockerfile b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/Dockerfile
new file mode 100644
index 000000000..8fdd762ca
--- /dev/null
+++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/Dockerfile
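Review bot: The MemorySanitizer test `if [[ $CFLAGS = *sanitize=memory* ]]; then` is evaluated twice in this script, once to choose `extra_c_flags` and again to append `-DAOM_TARGET_CPU=generic` to `extra_cmake_flags`; a single branch that sets both keeps the two MSan decisions from drifting apart when one of them is edited later. The script also leaves `${build_dir}`, `$SRC` and `$OUT` unquoted in `pushd`, `cp` and the link line; quoting them costs nothing and keeps the script correct should a path ever contain whitespace.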
@@ -0,0 +1,22 @@
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:fb1a9a49752c9e504687448d1f1a048ec1e062e2e40f7e8a23e86b63ff3dad7c
+RUN apt-get update && apt-get install -y yasm wget gcc
+RUN git clone https://chromium.googlesource.com/webm/libvpx
+ADD https://storage.googleapis.com/downloads.webmproject.org/test_data/fuzzer/vpx_fuzzer_seed_corpus.zip $SRC/
+COPY build.sh vpx_dec_fuzzer.dict $SRC/
+WORKDIR libvpx
diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp8/benchmark.yaml b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/benchmark.yaml
new file mode 100644
index 000000000..8f8671d16
--- /dev/null
+++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/benchmark.yaml
@@ -0,0 +1,4 @@
+commit: 349820a50dd2c0afbfb26f7b12fc1a83588a52c0
+commit_date: 2025-03-13 22:58:09+00:00
+fuzz_target: vpx_dec_fuzzer_vp8
+project: libvpx
diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp8/build.sh b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/build.sh
new file mode 100755
index 000000000..15d9ea9fc
--- /dev/null
+++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/build.sh
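Review bot: This Dockerfile, build.sh and vpx_dec_fuzzer.dict are byte-identical to the vp9 benchmark's copies (same blob ids 8fdd762ca, 15d9ea9fc and c6dc18077), so any later fix has to be applied in two places; if the benchmark layout cannot share files, a comment naming the sibling directory would at least point maintainers at the second copy. `gcc` and `wget` are installed although build.sh links with `$CXX` and never calls wget; unless libvpx's configure needs gcc itself, both can be dropped to keep the image smaller.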
@@ -0,0 +1,63 @@
+#!/bin/bash -eu
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build libvpx
+build_dir=$WORK/build
+rm -rf ${build_dir}
+mkdir -p ${build_dir}
+pushd ${build_dir}
+
+# oss-fuzz has 2 GB total memory allocation limit. So, we limit per-allocation
+# limit in libvpx to 1 GB to avoid OOM errors. A smaller per-allocation is
+# needed for MemorySanitizer (see bug oss-fuzz:9497 and bug oss-fuzz:9499).
+if [[ $CFLAGS = *sanitize=memory* ]]; then
+ extra_c_flags='-DVPX_MAX_ALLOCABLE_MEMORY=536870912'
+else
+ extra_c_flags='-DVPX_MAX_ALLOCABLE_MEMORY=1073741824'
+fi
+
+LDFLAGS="$CXXFLAGS" LD=$CXX $SRC/libvpx/configure \
+ --enable-vp9-highbitdepth \
+ --disable-unit-tests \
+ --disable-examples \
+ --size-limit=12288x12288 \
+ --extra-cflags="${extra_c_flags}" \
+ --disable-webm-io \
+ --enable-debug \
+ --disable-vp8-encoder \
+ --disable-vp9-encoder
+make -j$(nproc) all
+popd
+
+# build fuzzers
+fuzzer_src_name=vpx_dec_fuzzer
+fuzzer_decoders=( 'vp9' 'vp8' )
+for decoder in "${fuzzer_decoders[@]}"; do
+ fuzzer_name=${fuzzer_src_name}"_"${decoder}
+
+ $CXX $CXXFLAGS -std=c++11 \
+ -DDECODER=${decoder} \
+ -I$SRC/libvpx \
+ -I${build_dir} \
+ -Wl,--start-group \
+ $LIB_FUZZING_ENGINE \
+ $SRC/libvpx/examples/${fuzzer_src_name}.cc -o $OUT/${fuzzer_name} \
+ ${build_dir}/libvpx.a \
+ -Wl,--end-group
+ cp $SRC/vpx_fuzzer_seed_corpus.zip $OUT/${fuzzer_name}_seed_corpus.zip
+ cp $SRC/vpx_dec_fuzzer.dict $OUT/${fuzzer_name}.dict
+done
diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp8/vpx_dec_fuzzer.dict b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/vpx_dec_fuzzer.dict
new file mode 100644
index 000000000..c6dc18077
--- /dev/null
+++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp8/vpx_dec_fuzzer.dict
@@ -0,0 +1,8 @@
+# IVF Signature + version (bytes 0-5)
+kw1="DKIF\x00\x00"
+
+# VP9 codec fourCC (bytes 8-11)
+kw2="VP90"
+
+# VP8 codec fourCC (bytes 8-11)
+kw3="VP80"
diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp9/Dockerfile b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/Dockerfile
new file mode 100644
index 000000000..8fdd762ca
--- /dev/null
+++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/Dockerfile
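Review bot: The loop over `fuzzer_decoders=( 'vp9' 'vp8' )` builds and copies both `vpx_dec_fuzzer_vp9` and `vpx_dec_fuzzer_vp8` into `$OUT`, although this benchmark's fuzz_target is only `vpx_dec_fuzzer_vp8`; the identical build.sh in the vp9 benchmark has the mirror problem. Restricting the array to the decoder the benchmark targets halves the link work and leaves no stray binary, dictionary and seed corpus in `$OUT`. The comment above the MSan branch explains the smaller allocation limit, but unlike the libaom script nothing here switches libvpx's assembly off under MemorySanitizer; if the upstream libvpx build relies on a configure switch for that, it appears to be missing and is worth confirming.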
@@ -0,0 +1,22 @@
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:fb1a9a49752c9e504687448d1f1a048ec1e062e2e40f7e8a23e86b63ff3dad7c
+RUN apt-get update && apt-get install -y yasm wget gcc
+RUN git clone https://chromium.googlesource.com/webm/libvpx
+ADD https://storage.googleapis.com/downloads.webmproject.org/test_data/fuzzer/vpx_fuzzer_seed_corpus.zip $SRC/
+COPY build.sh vpx_dec_fuzzer.dict $SRC/
+WORKDIR libvpx
diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp9/benchmark.yaml b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/benchmark.yaml
new file mode 100644
index 000000000..a276559c2
--- /dev/null
+++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/benchmark.yaml
@@ -0,0 +1,4 @@
+commit: 349820a50dd2c0afbfb26f7b12fc1a83588a52c0
+commit_date: 2025-03-13 22:58:09+00:00
+fuzz_target: vpx_dec_fuzzer_vp9
+project: libvpx
diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp9/build.sh b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/build.sh
new file mode 100755
index 000000000..15d9ea9fc
--- /dev/null
+++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/build.sh
@@ -0,0 +1,63 @@
+#!/bin/bash -eu
+# Copyright 2018 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build libvpx
+build_dir=$WORK/build
+rm -rf ${build_dir}
+mkdir -p ${build_dir}
+pushd ${build_dir}
+
+# oss-fuzz has 2 GB total memory allocation limit. So, we limit per-allocation
+# limit in libvpx to 1 GB to avoid OOM errors. A smaller per-allocation is
+# needed for MemorySanitizer (see bug oss-fuzz:9497 and bug oss-fuzz:9499).
+if [[ $CFLAGS = *sanitize=memory* ]]; then
+ extra_c_flags='-DVPX_MAX_ALLOCABLE_MEMORY=536870912'
+else
+ extra_c_flags='-DVPX_MAX_ALLOCABLE_MEMORY=1073741824'
+fi
+
+LDFLAGS="$CXXFLAGS" LD=$CXX $SRC/libvpx/configure \
+ --enable-vp9-highbitdepth \
+ --disable-unit-tests \
+ --disable-examples \
+ --size-limit=12288x12288 \
+ --extra-cflags="${extra_c_flags}" \
+ --disable-webm-io \
+ --enable-debug \
+ --disable-vp8-encoder \
+ --disable-vp9-encoder
+make -j$(nproc) all
+popd
+
+# build fuzzers
+fuzzer_src_name=vpx_dec_fuzzer
+fuzzer_decoders=( 'vp9' 'vp8' )
+for decoder in "${fuzzer_decoders[@]}"; do
+ fuzzer_name=${fuzzer_src_name}"_"${decoder}
+
+ $CXX $CXXFLAGS -std=c++11 \
+ -DDECODER=${decoder} \
+ -I$SRC/libvpx \
+ -I${build_dir} \
+ -Wl,--start-group \
+ $LIB_FUZZING_ENGINE \
+ $SRC/libvpx/examples/${fuzzer_src_name}.cc -o $OUT/${fuzzer_name} \
+ ${build_dir}/libvpx.a \
+ -Wl,--end-group
+ cp $SRC/vpx_fuzzer_seed_corpus.zip $OUT/${fuzzer_name}_seed_corpus.zip
+ cp $SRC/vpx_dec_fuzzer.dict $OUT/${fuzzer_name}.dict
+done
diff --git a/benchmarks/libvpx_vpx_dec_fuzzer_vp9/vpx_dec_fuzzer.dict b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/vpx_dec_fuzzer.dict
new file mode 100644
index 000000000..c6dc18077
--- /dev/null
+++ b/benchmarks/libvpx_vpx_dec_fuzzer_vp9/vpx_dec_fuzzer.dict
@@ -0,0 +1,8 @@
+# IVF Signature + version (bytes 0-5)
+kw1="DKIF\x00\x00"
+
+# VP9 codec fourCC (bytes 8-11)
+kw2="VP90"
+
+# VP8 codec fourCC (bytes 8-11)
+kw3="VP80"
diff --git a/benchmarks/mruby_mruby_fuzzer/Dockerfile b/benchmarks/mruby_mruby_fuzzer/Dockerfile
new file mode 100644
index 000000000..e1c07b611
--- /dev/null
+++ b/benchmarks/mruby_mruby_fuzzer/Dockerfile
@@ -0,0 +1,24 @@
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+RUN apt-get update && apt-get install -y build-essential ruby bison ninja-build \
+ cmake zlib1g-dev libbz2-dev liblzma-dev
+RUN git clone \
+ https://github.com/mruby/mruby
+RUN git clone --depth 1 https://github.com/bshastry/mruby_seeds.git mruby_seeds
+WORKDIR mruby
+COPY build.sh *.c *.options *.dict $SRC/
diff --git a/benchmarks/mruby_mruby_fuzzer/benchmark.yaml b/benchmarks/mruby_mruby_fuzzer/benchmark.yaml
new file mode 100644
index 000000000..1b666c977
--- /dev/null
+++ b/benchmarks/mruby_mruby_fuzzer/benchmark.yaml
@@ -0,0 +1,5 @@
+commit: 8c8bbd94dce3b3eabcf72c674e690516c075b0ee
+commit_date: 2023-02-03T04:41:10+0000
+fuzz_target: mruby_fuzzer
+project: mruby
+unsupported_fuzzers:
diff --git a/benchmarks/mruby_mruby_fuzzer/build.sh b/benchmarks/mruby_mruby_fuzzer/build.sh
new file mode 100755
index 000000000..f984cc040
--- /dev/null
+++ b/benchmarks/mruby_mruby_fuzzer/build.sh
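Review bot: `RUN git clone --depth 1 https://github.com/bshastry/mruby_seeds.git mruby_seeds` takes whatever the default branch of a personal GitHub repository holds at image-build time, so the seed corpus is neither reproducible nor under the benchmark's control, even though the mruby commit itself is pinned in benchmark.yaml. Record the seeds revision as well, e.g. `RUN git clone https://github.com/bshastry/mruby_seeds.git mruby_seeds && git -C mruby_seeds checkout <SEEDS_COMMIT_PLACEHOLDER>` (a shallow clone cannot check out an older commit), or copy the seed files into the benchmark directory so the corpus travels with the commit.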
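Review bot: `unsupported_fuzzers:` is left without a value, which a YAML loader reads as null rather than as an empty list, so a consumer that iterates the key would have to special-case it. Either drop the key, since the other benchmark.yaml files in this change only add it when it has entries, or write `unsupported_fuzzers: []`.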
@@ -0,0 +1,44 @@
+#!/bin/bash -eu
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Instrument mruby
+(
+cd $SRC/mruby
+export LD=$CC
+export LDFLAGS="$CFLAGS -fPIE"
+
+# No you cannot overwrite CC/CXX, otherwise afl++, libafl, etc. wont work!
+#LD=/usr/local/bin/clang CC=/usr/local/bin/clang CXX=/usr/local/bin/clang++ rake -m || true
+rake -m || true
+
+test -f $SRC/mruby/build/host/lib/libmruby.a
+
+# build fuzzers
+FUZZ_TARGET=$SRC/mruby_fuzzer.c
+name=$(basename $FUZZ_TARGET .c)
+$CC -c $CFLAGS -Iinclude \
+ ${FUZZ_TARGET} -o $OUT/${name}.o
+$CXX $CXXFLAGS $OUT/${name}.o $LIB_FUZZING_ENGINE -lm \
+ $SRC/mruby/build/host/lib/libmruby.a -o $OUT/${name}
+rm -f $OUT/${name}.o
+)
+
+# dict
+cp $SRC/mruby.dict $OUT/mruby_fuzzer.dict
+
+# seeds
+zip -rq $OUT/mruby_fuzzer_seed_corpus $SRC/mruby_seeds
diff --git a/benchmarks/mruby_mruby_fuzzer/mruby.dict b/benchmarks/mruby_mruby_fuzzer/mruby.dict
new file mode 100644
index 000000000..a332d3505
--- /dev/null
+++ b/benchmarks/mruby_mruby_fuzzer/mruby.dict
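Review bot: The fuzzer's object file is compiled into the output directory (`${FUZZ_TARGET} -o $OUT/${name}.o`) and only removed after a successful link; with `set -e`, a failed `$CXX` link aborts before `rm -f` and leaves the stray `.o` in `$OUT`, where it ships with the benchmark artifacts. Writing the intermediate to `$WORK/${name}.o` keeps `$OUT` to deliverables and makes the `rm -f` unnecessary. `rake -m || true` discards the build status on purpose and the following `test -f $SRC/mruby/build/host/lib/libmruby.a` is what actually gates the script; a comment next to `|| true` saying so would stop a reader from treating it as a swallowed error.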
@@ -0,0 +1,105 @@
+keyword___ENCODING__="__ENCODING__"
+keyword___FILE__="__FILE__"
+keyword___LINE__="__LINE__"
+keyword_BEGIN="BEGIN"
+keyword_END="END"
+keyword_alias="alias"
+keyword_and="and"
+keyword_begin="begin"
+keyword_break="break"
+keyword_case="case"
+keyword_class="class"
+keyword_def="def"
+keyword_do="do"
+keyword_else="else"
+keyword_elsif="elsif"
+keyword_end="end"
+keyword_ensure="ensure"
+keyword_false="false"
+keyword_for="for"
+keyword_if="if"
+keyword_in="in"
+keyword_module="module"
+keyword_next="next"
+keyword_nil="nil"
+keyword_not="not"
+keyword_or="or"
+keyword_redo="redo"
+keyword_rescue="rescue"
+keyword_retry="retry"
+keyword_return="return"
+keyword_self="self"
+keyword_super="super"
+keyword_then="then"
+keyword_true="true"
+keyword_undef="undef"
+keyword_unless="unless"
+keyword_until="until"
+keyword_when="when"
+keyword_while="while"
+keyword_yield="yield"
+
+operator_a=" !"
+operator_b=" ~"
+operator_c=" +"
+operator_d=" -"
+operator_e=" []"
+operator_f=" []="
+operator_g=" *"
+operator_h=" /"
+operator_i=" %"
+operator_j=" +-"
+operator_k=" >>"
+operator_l=" <<"
+operator_m=" &"
+operator_n=" ^"
+operator_o=" |"
+operator_p=" <="
+operator_q=" <>"
+operator_r=" >="
+operator_s=" <=>"
+operator_t=" =="
+operator_u=" ==="
+operator_v=" !="
+operator_w=" =~"
+operator_x=" !~"
+operator_y=" &&"
+operator_z=" ||"
+operator_aa=" .."
+operator_ab=" ..."
+operator_ac=" ?"
+operator_ad=" :"
+operator_ae=" ="
+operator_af=" %="
+operator_ag=" /="
+operator_ah=" -="
+operator_ai=" +="
+operator_aj=" |="
+operator_ak=" &="
+operator_al=" >>="
+operator_am=" <<="
+operator_an=" *="
+operator_ao=" &&="
+operator_ap=" ||="
+operator_aq=" **="
+operator_ar=" ^="
+operator_as=" not"
+operator_at=" or"
+operator_au=" and"
+operator_av=" if"
+operator_aw=" unless"
+operator_ax=" while"
+operator_ay=" until"
+operator_az=" begin"
+operator_ba=" end"
+
+snippet_1eq1=" 1=1"
+snippet_dollar=" $1"
+snippet_at=" @a"
+snippet_symbol=" :a"
+snippet_array=" [1,2]"
+snippet_block=" 1.times{|x| x}"
+snippet_multi=" 1*1"
+
+string_single_q=" 'a'"
+string_dbl_q=" \"a\""
diff --git a/benchmarks/mruby_mruby_fuzzer/mruby_fuzzer.c b/benchmarks/mruby_mruby_fuzzer/mruby_fuzzer.c
new file mode 100644
index 000000000..9d3d44a5b
--- /dev/null
+++ b/benchmarks/mruby_mruby_fuzzer/mruby_fuzzer.c
@@ -0,0 +1,18 @@
+#include
+#include
+#include
+#include
+
+int LLVMFuzzerTestOneInput(uint8_t *Data, size_t size) {
+ if (size < 1) {
+ return 0;
+ }
+ char *code = malloc(size+1);
+ memcpy(code, Data, size);
+ code[size] = '\0';
+ mrb_state *mrb = mrb_open();
+ mrb_load_string(mrb, code);
+ mrb_close(mrb);
+ free(code);
+ return 0;
+}
diff --git a/benchmarks/php_php-fuzz-execute/Dockerfile b/benchmarks/php_php-fuzz-execute/Dockerfile
new file mode 100644
index 000000000..25311c6cb
--- /dev/null
+++ b/benchmarks/php_php-fuzz-execute/Dockerfile
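Review bot: `int LLVMFuzzerTestOneInput(uint8_t *Data, size_t size)` drops the `const` from the libFuzzer entry-point signature, and neither `malloc(size+1)` nor `mrb_open()` is checked before use, so an allocation failure surfaces as a null dereference attributed to the harness rather than to mruby. Use `int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t size)`, add `if (!code) return 0;` after the malloc, and `if (!mrb) { free(code); return 0; }` after `mrb_open()`. The four `#include` lines carry no header names as rendered here, presumably lost in extraction; confirm the committed file has them.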
@@ -0,0 +1,27 @@
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+
+RUN apt-get update && \
+ apt-get install -y \
+ autoconf automake libtool bison re2c pkg-config
+
+RUN git clone \
+ https://github.com/php/php-src.git
+
+WORKDIR php-src
+COPY build.sh *.options $SRC/
diff --git a/benchmarks/php_php-fuzz-execute/benchmark.yaml b/benchmarks/php_php-fuzz-execute/benchmark.yaml
new file mode 100644
index 000000000..0c4c28bd2
--- /dev/null
+++ b/benchmarks/php_php-fuzz-execute/benchmark.yaml
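Review bot: `cosmic.list` is added next to this Dockerfile but nothing copies it into the image or references it, so the `deb http://archive.ubuntu.com/ubuntu/ cosmic universe` source it carries is dead; the php-fuzz-exif and php-fuzz-parser benchmark directories add the same unused file. If it is a leftover from an older base image it can simply be dropped; if the extra repository is still wanted, note that cosmic (Ubuntu 18.10) no longer receives updates, so pulling packages from it into a build image deserves a comment explaining why.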
@@ -0,0 +1,53 @@
+# 5089511469613056
+commit: 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620
+commit_date: 2022-07-15T10:03:12+0000
+fuzz_target: php-fuzz-execute
+project: php
+oss_fuzz_corpus_target: php_php-fuzz-execute
+unsupported_fuzzers:
+ - aflcc
+ - afl_qemu
+ - aflplusplus_qemu
+ - aflplusplus_qemu_tracepc
+ - aflplusplus_frida
+ - honggfuzz_qemu
+ - klee
+ - lafintel
+ - weizz_qemu
+ - aflplusplus_classic_ctx
+ - aflplusplus_classic_ctx_18
+ - aflplusplus_classic_ctx_20
+ - aflplusplus_classic_ctx_21
+ - aflplusplus_classic_ctx_23
+ - aflplusplus_pcguard
+ - aflplusplus_classic
+ - cfctx_basic
+ - cfctx_bottom
+ - cfctx_dataflow_seadsa
+ - cfctx_dataflow_svf
+ - cfctx_params
+ - cfctx_plain
+ - cfctx_randomic
+ - cfctx_bottom_llc
+ - cfctx_dataflow_seadsa_llc
+ - cfctx_dataflow_svf_llc
+ - cfctx_randomic_llc
+ - cfctx_params_llc
+ - cfctx_params_1mb
+ - cfctx_params_2mb
+ - cfctx_params_4mb
+ - cfctx_params_512kb
+ - cfctx_params_768kb
+ - cfctx_full
+ - symcc_afl
+ - symcc_afl_single
+ - symcc_aflplusplus
+ - symcc_aflplusplus_single
+ - aflplusplus_cmplog_double
+ - symcc_aflplusplus_single
+ - eclipser_aflplusplus
+ - aflplusplus_qemu_double
+ - fuzzolic_aflplusplus_z3
+ - symqemu_aflplusplus
+ - fuzzolic_aflplusplus_fuzzy
+ - fuzzolic_aflplusplus_z3dict
diff --git a/benchmarks/php_php-fuzz-execute/build.sh b/benchmarks/php_php-fuzz-execute/build.sh
new file mode 100755
index 000000000..bb3046bb2
--- /dev/null
+++ b/benchmarks/php_php-fuzz-execute/build.sh
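Review bot: `symcc_aflplusplus_single` appears twice in `unsupported_fuzzers`, once after `symcc_aflplusplus` and again after `aflplusplus_cmplog_double`; the second entry is redundant and suggests the list was merged from two sources without deduplication. The php-fuzz-exif and php-fuzz-parser benchmark.yaml files carry the same duplicate. Dropping one of the two entries is enough unless the loader rejects duplicates, in which case all three files currently fail to parse the same way.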
@@ -0,0 +1,79 @@
+#!/bin/bash -eu
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# PHP's zend_function union is incompatible with the object-size sanitizer
+export CFLAGS="$CFLAGS -fno-sanitize=object-size"
+export CXXFLAGS="$CXXFLAGS -fno-sanitize=object-size"
+
+# Disable JIT profitability checks.
+export CFLAGS="$CFLAGS -DPROFITABILITY_CHECKS=0"
+
+# Make sure the right assembly files are picked
+BUILD_FLAG=""
+if [ "$ARCHITECTURE" = "i386" ]; then
+ BUILD_FLAG="--build=i686-pc-linux-gnu"
+fi
+
+# build project
+./buildconf --force
+./configure $BUILD_FLAG \
+ --disable-all \
+ --enable-debug-assertions \
+ --enable-option-checking=fatal \
+ --enable-fuzzer \
+ --enable-exif \
+ --enable-opcache \
+ --without-pcre-jit \
+ --disable-phpdbg \
+ --disable-cgi \
+ --with-pic
+make -j$(nproc)
+
+# Generate corpuses and dictionaries.
+sapi/cli/php sapi/fuzzer/generate_all.php
+
+# Copy dictionaries to expected locations.
+cp sapi/fuzzer/dict/unserialize $OUT/php-fuzz-unserialize.dict
+cp sapi/fuzzer/dict/parser $OUT/php-fuzz-parser.dict
+cp sapi/fuzzer/json.dict $OUT/php-fuzz-json.dict
+
+FUZZERS="php-fuzz-json
+php-fuzz-exif
+php-fuzz-unserialize
+php-fuzz-unserializehash
+php-fuzz-parser
+php-fuzz-execute"
+for fuzzerName in $FUZZERS; do
+ cp sapi/fuzzer/$fuzzerName $OUT/
+done
+
+# The JIT fuzzer is fundamentally incompatible with memory sanitizer,
+# as that would require the JIT to emit msan instrumentation itself.
+# In practice it is currently also incompatible with ubsan.
+if [ "$SANITIZER" != "memory" ] && [ "$SANITIZER" != "undefined" ]; then
+ cp sapi/fuzzer/php-fuzz-function-jit $OUT/
+ cp sapi/fuzzer/php-fuzz-tracing-jit $OUT/
+
+ # Copy opcache.so extension, which does not support static linking.
+ mkdir -p $OUT/modules
+ cp modules/opcache.so $OUT/modules
+fi
+
+# copy corpora from source
+for fuzzerName in `ls sapi/fuzzer/corpus`; do
+ zip -j $OUT/php-fuzz-${fuzzerName}_seed_corpus.zip sapi/fuzzer/corpus/${fuzzerName}/*
+done
diff --git a/benchmarks/php_php-fuzz-execute/cosmic.list b/benchmarks/php_php-fuzz-execute/cosmic.list
new file mode 100644
index 000000000..e9f052d76
--- /dev/null
+++ b/benchmarks/php_php-fuzz-execute/cosmic.list
@@ -0,0 +1,2 @@
+deb http://archive.ubuntu.com/ubuntu/ cosmic universe
+
diff --git a/benchmarks/php_php-fuzz-execute/testcases/24387 b/benchmarks/php_php-fuzz-execute/testcases/24387
new file mode 100644
index 000000000..bdb3d60c5
--- /dev/null
+++ b/benchmarks/php_php-fuzz-execute/testcases/24387
@@ -0,0 +1 @@
+>public$ÿ){}}
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-execute/testcases/24403 b/benchmarks/php_php-fuzz-execute/testcases/24403
new file mode 100644
index 000000000..8fe1a2145
--- /dev/null
+++ b/benchmarks/php_php-fuzz-execute/testcases/24403
@@ -0,0 +1 @@
+ÿ;}));
\ No newline at end of file
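Review bot: `for fuzzerName in \`ls sapi/fuzzer/corpus\`; do` parses `ls` output and word-splits it, which breaks on names containing whitespace or glob characters and is the pattern shellcheck warns about; a glob does the same job safely: `for dir in sapi/fuzzer/corpus/*/; do`, `fuzzerName=$(basename "$dir")`, then the existing `zip -j` line. The php-fuzz-exif build.sh repeats the same loop. Everything the script copies to `$OUT` besides `php-fuzz-execute` is unused by this benchmark; trimming `FUZZERS` to the target is optional but shortens the build and the artifact set.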
diff --git a/benchmarks/php_php-fuzz-execute/testcases/24405 b/benchmarks/php_php-fuzz-execute/testcases/24405
new file mode 100644
index 000000000..4ca969a8f
Binary files /dev/null and b/benchmarks/php_php-fuzz-execute/testcases/24405 differ
diff --git a/benchmarks/php_php-fuzz-execute/testcases/24423 b/benchmarks/php_php-fuzz-execute/testcases/24423
new file mode 100644
index 000000000..e449a2532
--- /dev/null
+++ b/benchmarks/php_php-fuzz-execute/testcases/24423
@@ -0,0 +1 @@
+ ÿ; }));
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-execute/testcases/24436 b/benchmarks/php_php-fuzz-execute/testcases/24436
new file mode 100644
index 000000000..9459d2b61
--- /dev/null
+++ b/benchmarks/php_php-fuzz-execute/testcases/24436
@@ -0,0 +1 @@
+ÿ;
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-execute/testcases/24567 b/benchmarks/php_php-fuzz-execute/testcases/24567
new file mode 100644
index 000000000..9459d2b61
--- /dev/null
+++ b/benchmarks/php_php-fuzz-execute/testcases/24567
@@ -0,0 +1 @@
+ÿ;
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-execute/testcases/24627 b/benchmarks/php_php-fuzz-execute/testcases/24627
new file mode 100644
index 000000000..72b58187d
--- /dev/null
+++ b/benchmarks/php_php-fuzz-execute/testcases/24627
@@ -0,0 +1 @@
+ÿ());
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-exif/Dockerfile b/benchmarks/php_php-fuzz-exif/Dockerfile
new file mode 100644
index 000000000..25311c6cb
--- /dev/null
+++ b/benchmarks/php_php-fuzz-exif/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+
+RUN apt-get update && \
+ apt-get install -y \
+ autoconf automake libtool bison re2c pkg-config
+
+RUN git clone \
+ https://github.com/php/php-src.git
+
+WORKDIR php-src
+COPY build.sh *.options $SRC/
diff --git a/benchmarks/php_php-fuzz-exif/benchmark.yaml b/benchmarks/php_php-fuzz-exif/benchmark.yaml
new file mode 100644
index 000000000..04b47a24c
--- /dev/null
+++ b/benchmarks/php_php-fuzz-exif/benchmark.yaml
@@ -0,0 +1,53 @@
+# 5089511469613056
+commit: 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620
+commit_date: 2022-07-15T10:03:12+0000
+fuzz_target: php-fuzz-exif
+project: php
+oss_fuzz_corpus_target: php_php-fuzz-exif
+unsupported_fuzzers:
+ - aflcc
+ - afl_qemu
+ - aflplusplus_qemu
+ - aflplusplus_qemu_tracepc
+ - aflplusplus_frida
+ - honggfuzz_qemu
+ - klee
+ - lafintel
+ - weizz_qemu
+ - aflplusplus_classic_ctx
+ - aflplusplus_classic_ctx_18
+ - aflplusplus_classic_ctx_20
+ - aflplusplus_classic_ctx_21
+ - aflplusplus_classic_ctx_23
+ - aflplusplus_pcguard
+ - aflplusplus_classic
+ - cfctx_basic
+ - cfctx_bottom
+ - cfctx_dataflow_seadsa
+ - cfctx_dataflow_svf
+ - cfctx_params
+ - cfctx_plain
+ - cfctx_randomic
+ - cfctx_bottom_llc
+ - cfctx_dataflow_seadsa_llc
+ - cfctx_dataflow_svf_llc
+ - cfctx_randomic_llc
+ - cfctx_params_llc
+ - cfctx_params_1mb
+ - cfctx_params_2mb
+ - cfctx_params_4mb
+ - cfctx_params_512kb
+ - cfctx_params_768kb
+ - cfctx_full
+ - symcc_afl
+ - symcc_afl_single
+ - symcc_aflplusplus
+ - symcc_aflplusplus_single
+ - aflplusplus_cmplog_double
+ - symcc_aflplusplus_single
+ - eclipser_aflplusplus
+ - aflplusplus_qemu_double
+ - fuzzolic_aflplusplus_z3
+ - symqemu_aflplusplus
+ - fuzzolic_aflplusplus_fuzzy
+ - fuzzolic_aflplusplus_z3dict
diff --git a/benchmarks/php_php-fuzz-exif/build.sh b/benchmarks/php_php-fuzz-exif/build.sh
new file mode 100755
index 000000000..bb3046bb2
--- /dev/null
+++ b/benchmarks/php_php-fuzz-exif/build.sh
@@ -0,0 +1,79 @@
+#!/bin/bash -eu
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# PHP's zend_function union is incompatible with the object-size sanitizer
+export CFLAGS="$CFLAGS -fno-sanitize=object-size"
+export CXXFLAGS="$CXXFLAGS -fno-sanitize=object-size"
+
+# Disable JIT profitability checks.
+export CFLAGS="$CFLAGS -DPROFITABILITY_CHECKS=0"
+
+# Make sure the right assembly files are picked
+BUILD_FLAG=""
+if [ "$ARCHITECTURE" = "i386" ]; then
+ BUILD_FLAG="--build=i686-pc-linux-gnu"
+fi
+
+# build project
+./buildconf --force
+./configure $BUILD_FLAG \
+ --disable-all \
+ --enable-debug-assertions \
+ --enable-option-checking=fatal \
+ --enable-fuzzer \
+ --enable-exif \
+ --enable-opcache \
+ --without-pcre-jit \
+ --disable-phpdbg \
+ --disable-cgi \
+ --with-pic
+make -j$(nproc)
+
+# Generate corpuses and dictionaries.
+sapi/cli/php sapi/fuzzer/generate_all.php
+
+# Copy dictionaries to expected locations.
+cp sapi/fuzzer/dict/unserialize $OUT/php-fuzz-unserialize.dict
+cp sapi/fuzzer/dict/parser $OUT/php-fuzz-parser.dict
+cp sapi/fuzzer/json.dict $OUT/php-fuzz-json.dict
+
+FUZZERS="php-fuzz-json
+php-fuzz-exif
+php-fuzz-unserialize
+php-fuzz-unserializehash
+php-fuzz-parser
+php-fuzz-execute"
+for fuzzerName in $FUZZERS; do
+ cp sapi/fuzzer/$fuzzerName $OUT/
+done
+
+# The JIT fuzzer is fundamentally incompatible with memory sanitizer,
+# as that would require the JIT to emit msan instrumentation itself.
+# In practice it is currently also incompatible with ubsan.
+if [ "$SANITIZER" != "memory" ] && [ "$SANITIZER" != "undefined" ]; then
+ cp sapi/fuzzer/php-fuzz-function-jit $OUT/
+ cp sapi/fuzzer/php-fuzz-tracing-jit $OUT/
+
+ # Copy opcache.so extension, which does not support static linking.
+ mkdir -p $OUT/modules
+ cp modules/opcache.so $OUT/modules
+fi
+
+# copy corpora from source
+for fuzzerName in `ls sapi/fuzzer/corpus`; do
+ zip -j $OUT/php-fuzz-${fuzzerName}_seed_corpus.zip sapi/fuzzer/corpus/${fuzzerName}/*
+done
diff --git a/benchmarks/php_php-fuzz-exif/cosmic.list b/benchmarks/php_php-fuzz-exif/cosmic.list
new file mode 100644
index 000000000..e9f052d76
--- /dev/null
+++ b/benchmarks/php_php-fuzz-exif/cosmic.list
@@ -0,0 +1,2 @@
+deb http://archive.ubuntu.com/ubuntu/ cosmic universe
+
diff --git a/benchmarks/php_php-fuzz-exif/testcases/24387 b/benchmarks/php_php-fuzz-exif/testcases/24387
new file mode 100644
index 000000000..bdb3d60c5
--- /dev/null
+++ b/benchmarks/php_php-fuzz-exif/testcases/24387
@@ -0,0 +1 @@
+>public$ÿ){}}
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-exif/testcases/24403 b/benchmarks/php_php-fuzz-exif/testcases/24403
new file mode 100644
index 000000000..8fe1a2145
--- /dev/null
+++ b/benchmarks/php_php-fuzz-exif/testcases/24403
@@ -0,0 +1 @@
+ÿ;}));
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-exif/testcases/24405 b/benchmarks/php_php-fuzz-exif/testcases/24405
new file mode 100644
index 000000000..4ca969a8f
Binary files /dev/null and b/benchmarks/php_php-fuzz-exif/testcases/24405 differ
diff --git a/benchmarks/php_php-fuzz-exif/testcases/24423 b/benchmarks/php_php-fuzz-exif/testcases/24423
new file mode 100644
index 000000000..e449a2532
--- /dev/null
+++ b/benchmarks/php_php-fuzz-exif/testcases/24423
@@ -0,0 +1 @@
+ ÿ; }));
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-exif/testcases/24436 b/benchmarks/php_php-fuzz-exif/testcases/24436
new file mode 100644
index 000000000..9459d2b61
--- /dev/null
+++ b/benchmarks/php_php-fuzz-exif/testcases/24436
@@ -0,0 +1 @@
+ÿ;
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-exif/testcases/24567 b/benchmarks/php_php-fuzz-exif/testcases/24567
new file mode 100644
index 000000000..9459d2b61
--- /dev/null
+++ b/benchmarks/php_php-fuzz-exif/testcases/24567
@@ -0,0 +1 @@
+ÿ;
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-exif/testcases/24627 b/benchmarks/php_php-fuzz-exif/testcases/24627
new file mode 100644
index 000000000..72b58187d
--- /dev/null
+++ b/benchmarks/php_php-fuzz-exif/testcases/24627
@@ -0,0 +1 @@
+ÿ());
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-parser/Dockerfile b/benchmarks/php_php-fuzz-parser/Dockerfile
new file mode 100644
index 000000000..25311c6cb
--- /dev/null
+++ b/benchmarks/php_php-fuzz-parser/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+
+RUN apt-get update && \
+ apt-get install -y \
+ autoconf automake libtool bison re2c pkg-config
+
+RUN git clone \
+ https://github.com/php/php-src.git
+
+WORKDIR php-src
+COPY build.sh *.options $SRC/
diff --git a/benchmarks/php_php-fuzz-parser/benchmark.yaml b/benchmarks/php_php-fuzz-parser/benchmark.yaml
new file mode 100644
index 000000000..9a6dd292c
--- /dev/null
+++ b/benchmarks/php_php-fuzz-parser/benchmark.yaml
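Review bot: `COPY build.sh *.options $SRC/` on the last line copies only the build script and options files, so the `cosmic.list` apt source added next to this Dockerfile in the same benchmark directory is never used by the image; either drop that file or add it to the COPY together with an apt step that installs it, if it is intended. The base-builder image is pinned by digest, but the `git clone` of php-src is not; I assume the harness later checks out the `commit` from benchmark.yaml, which is worth confirming since nothing in this Dockerfile does it. The php_php-fuzz-unserialize and php_php-fuzz-unserializehash Dockerfiles in this change are identical and have the same unused file.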
@@ -0,0 +1,53 @@
+# 5089511469613056
+commit: 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620
+commit_date: 2022-07-15T10:03:12+0000
+fuzz_target: php-fuzz-parser
+project: php
+oss_fuzz_corpus_target: php_php-fuzz-parser
+unsupported_fuzzers:
+ - aflcc
+ - afl_qemu
+ - aflplusplus_qemu
+ - aflplusplus_qemu_tracepc
+ - aflplusplus_frida
+ - honggfuzz_qemu
+ - klee
+ - lafintel
+ - weizz_qemu
+ - aflplusplus_classic_ctx
+ - aflplusplus_classic_ctx_18
+ - aflplusplus_classic_ctx_20
+ - aflplusplus_classic_ctx_21
+ - aflplusplus_classic_ctx_23
+ - aflplusplus_pcguard
+ - aflplusplus_classic
+ - cfctx_basic
+ - cfctx_bottom
+ - cfctx_dataflow_seadsa
+ - cfctx_dataflow_svf
+ - cfctx_params
+ - cfctx_plain
+ - cfctx_randomic
+ - cfctx_bottom_llc
+ - cfctx_dataflow_seadsa_llc
+ - cfctx_dataflow_svf_llc
+ - cfctx_randomic_llc
+ - cfctx_params_llc
+ - cfctx_params_1mb
+ - cfctx_params_2mb
+ - cfctx_params_4mb
+ - cfctx_params_512kb
+ - cfctx_params_768kb
+ - cfctx_full
+ - symcc_afl
+ - symcc_afl_single
+ - symcc_aflplusplus
+ - symcc_aflplusplus_single
+ - aflplusplus_cmplog_double
+ - symcc_aflplusplus_single
+ - eclipser_aflplusplus
+ - aflplusplus_qemu_double
+ - fuzzolic_aflplusplus_z3
+ - symqemu_aflplusplus
+ - fuzzolic_aflplusplus_fuzzy
+ - fuzzolic_aflplusplus_z3dict
diff --git a/benchmarks/php_php-fuzz-parser/build.sh b/benchmarks/php_php-fuzz-parser/build.sh
new file mode 100755
index 000000000..bb3046bb2
--- /dev/null
+++ b/benchmarks/php_php-fuzz-parser/build.sh
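Review bot: `symcc_aflplusplus_single` appears twice in `unsupported_fuzzers`, once right after `symcc_aflplusplus` and again right after `aflplusplus_cmplog_double`; drop the second entry. The identical lists in the php_php-fuzz-unserialize and php_php-fuzz-unserializehash benchmark.yaml files added in this change carry the same duplicate.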
@@ -0,0 +1,79 @@
+#!/bin/bash -eu
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# PHP's zend_function union is incompatible with the object-size sanitizer
+export CFLAGS="$CFLAGS -fno-sanitize=object-size"
+export CXXFLAGS="$CXXFLAGS -fno-sanitize=object-size"
+
+# Disable JIT profitability checks.
+export CFLAGS="$CFLAGS -DPROFITABILITY_CHECKS=0"
+
+# Make sure the right assembly files are picked
+BUILD_FLAG=""
+if [ "$ARCHITECTURE" = "i386" ]; then
+ BUILD_FLAG="--build=i686-pc-linux-gnu"
+fi
+
+# build project
+./buildconf --force
+./configure $BUILD_FLAG \
+ --disable-all \
+ --enable-debug-assertions \
+ --enable-option-checking=fatal \
+ --enable-fuzzer \
+ --enable-exif \
+ --enable-opcache \
+ --without-pcre-jit \
+ --disable-phpdbg \
+ --disable-cgi \
+ --with-pic
+make -j$(nproc)
+
+# Generate corpuses and dictionaries.
+sapi/cli/php sapi/fuzzer/generate_all.php
+
+# Copy dictionaries to expected locations.
+cp sapi/fuzzer/dict/unserialize $OUT/php-fuzz-unserialize.dict
+cp sapi/fuzzer/dict/parser $OUT/php-fuzz-parser.dict
+cp sapi/fuzzer/json.dict $OUT/php-fuzz-json.dict
+
+FUZZERS="php-fuzz-json
+php-fuzz-exif
+php-fuzz-unserialize
+php-fuzz-unserializehash
+php-fuzz-parser
+php-fuzz-execute"
+for fuzzerName in $FUZZERS; do
+ cp sapi/fuzzer/$fuzzerName $OUT/
+done
+
+# The JIT fuzzer is fundamentally incompatible with memory sanitizer,
+# as that would require the JIT to emit msan instrumentation itself.
+# In practice it is currently also incompatible with ubsan.
+if [ "$SANITIZER" != "memory" ] && [ "$SANITIZER" != "undefined" ]; then
+ cp sapi/fuzzer/php-fuzz-function-jit $OUT/
+ cp sapi/fuzzer/php-fuzz-tracing-jit $OUT/
+
+ # Copy opcache.so extension, which does not support static linking.
+ mkdir -p $OUT/modules
+ cp modules/opcache.so $OUT/modules
+fi
+
+# copy corpora from source
+for fuzzerName in `ls sapi/fuzzer/corpus`; do
+ zip -j $OUT/php-fuzz-${fuzzerName}_seed_corpus.zip sapi/fuzzer/corpus/${fuzzerName}/*
+done
diff --git a/benchmarks/php_php-fuzz-parser/cosmic.list b/benchmarks/php_php-fuzz-parser/cosmic.list
new file mode 100644
index 000000000..e9f052d76
--- /dev/null
+++ b/benchmarks/php_php-fuzz-parser/cosmic.list
@@ -0,0 +1,2 @@
+deb http://archive.ubuntu.com/ubuntu/ cosmic universe
+
diff --git a/benchmarks/php_php-fuzz-parser/testcases/24387 b/benchmarks/php_php-fuzz-parser/testcases/24387
new file mode 100644
index 000000000..bdb3d60c5
--- /dev/null
+++ b/benchmarks/php_php-fuzz-parser/testcases/24387
@@ -0,0 +1 @@
+>public$ÿ){}}
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-parser/testcases/24403 b/benchmarks/php_php-fuzz-parser/testcases/24403
new file mode 100644
index 000000000..8fe1a2145
--- /dev/null
+++ b/benchmarks/php_php-fuzz-parser/testcases/24403
@@ -0,0 +1 @@
+ÿ;}));
\ No newline at end of file
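Review bot: The corpus loop at the end iterates over the output of `ls sapi/fuzzer/corpus` in backticks, which parses ls output and breaks on any directory name containing whitespace or glob characters; a glob is both safer and simpler: `for corpus_dir in sapi/fuzzer/corpus/*/; do` with `zip -j "$OUT/php-fuzz-$(basename "$corpus_dir")_seed_corpus.zip" "$corpus_dir"*`. The `cp ... $OUT/` and `mkdir -p $OUT/modules` lines also leave `$OUT` unquoted, which `-u` does not protect against if that path ever contains spaces. The php_php-fuzz-unserialize and php_php-fuzz-unserializehash build.sh files in this change are byte-identical copies and need the same fix; sharing one script would avoid fixing it three times.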
diff --git a/benchmarks/php_php-fuzz-parser/testcases/24405 b/benchmarks/php_php-fuzz-parser/testcases/24405
new file mode 100644
index 000000000..4ca969a8f
Binary files /dev/null and b/benchmarks/php_php-fuzz-parser/testcases/24405 differ
diff --git a/benchmarks/php_php-fuzz-parser/testcases/24423 b/benchmarks/php_php-fuzz-parser/testcases/24423
new file mode 100644
index 000000000..e449a2532
--- /dev/null
+++ b/benchmarks/php_php-fuzz-parser/testcases/24423
@@ -0,0 +1 @@
+ ÿ; }));
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-parser/testcases/24436 b/benchmarks/php_php-fuzz-parser/testcases/24436
new file mode 100644
index 000000000..9459d2b61
--- /dev/null
+++ b/benchmarks/php_php-fuzz-parser/testcases/24436
@@ -0,0 +1 @@
+ÿ;
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-parser/testcases/24567 b/benchmarks/php_php-fuzz-parser/testcases/24567
new file mode 100644
index 000000000..9459d2b61
--- /dev/null
+++ b/benchmarks/php_php-fuzz-parser/testcases/24567
@@ -0,0 +1 @@
+ÿ;
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-parser/testcases/24627 b/benchmarks/php_php-fuzz-parser/testcases/24627
new file mode 100644
index 000000000..72b58187d
--- /dev/null
+++ b/benchmarks/php_php-fuzz-parser/testcases/24627
@@ -0,0 +1 @@
+ÿ());
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserialize/Dockerfile b/benchmarks/php_php-fuzz-unserialize/Dockerfile
new file mode 100644
index 000000000..25311c6cb
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserialize/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+
+RUN apt-get update && \
+ apt-get install -y \
+ autoconf automake libtool bison re2c pkg-config
+
+RUN git clone \
+ https://github.com/php/php-src.git
+
+WORKDIR php-src
+COPY build.sh *.options $SRC/
diff --git a/benchmarks/php_php-fuzz-unserialize/benchmark.yaml b/benchmarks/php_php-fuzz-unserialize/benchmark.yaml
new file mode 100644
index 000000000..74ef711b3
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserialize/benchmark.yaml
@@ -0,0 +1,53 @@
+# 5089511469613056
+commit: 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620
+commit_date: 2022-07-15T10:03:12+0000
+fuzz_target: php-fuzz-unserialize
+project: php
+oss_fuzz_corpus_target: php_php-fuzz-unserialize
+unsupported_fuzzers:
+ - aflcc
+ - afl_qemu
+ - aflplusplus_qemu
+ - aflplusplus_qemu_tracepc
+ - aflplusplus_frida
+ - honggfuzz_qemu
+ - klee
+ - lafintel
+ - weizz_qemu
+ - aflplusplus_classic_ctx
+ - aflplusplus_classic_ctx_18
+ - aflplusplus_classic_ctx_20
+ - aflplusplus_classic_ctx_21
+ - aflplusplus_classic_ctx_23
+ - aflplusplus_pcguard
+ - aflplusplus_classic
+ - cfctx_basic
+ - cfctx_bottom
+ - cfctx_dataflow_seadsa
+ - cfctx_dataflow_svf
+ - cfctx_params
+ - cfctx_plain
+ - cfctx_randomic
+ - cfctx_bottom_llc
+ - cfctx_dataflow_seadsa_llc
+ - cfctx_dataflow_svf_llc
+ - cfctx_randomic_llc
+ - cfctx_params_llc
+ - cfctx_params_1mb
+ - cfctx_params_2mb
+ - cfctx_params_4mb
+ - cfctx_params_512kb
+ - cfctx_params_768kb
+ - cfctx_full
+ - symcc_afl
+ - symcc_afl_single
+ - symcc_aflplusplus
+ - symcc_aflplusplus_single
+ - aflplusplus_cmplog_double
+ - symcc_aflplusplus_single
+ - eclipser_aflplusplus
+ - aflplusplus_qemu_double
+ - fuzzolic_aflplusplus_z3
+ - symqemu_aflplusplus
+ - fuzzolic_aflplusplus_fuzzy
+ - fuzzolic_aflplusplus_z3dict
diff --git a/benchmarks/php_php-fuzz-unserialize/build.sh b/benchmarks/php_php-fuzz-unserialize/build.sh
new file mode 100755
index 000000000..bb3046bb2
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserialize/build.sh
@@ -0,0 +1,79 @@
+#!/bin/bash -eu
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# PHP's zend_function union is incompatible with the object-size sanitizer
+export CFLAGS="$CFLAGS -fno-sanitize=object-size"
+export CXXFLAGS="$CXXFLAGS -fno-sanitize=object-size"
+
+# Disable JIT profitability checks.
+export CFLAGS="$CFLAGS -DPROFITABILITY_CHECKS=0"
+
+# Make sure the right assembly files are picked
+BUILD_FLAG=""
+if [ "$ARCHITECTURE" = "i386" ]; then
+ BUILD_FLAG="--build=i686-pc-linux-gnu"
+fi
+
+# build project
+./buildconf --force
+./configure $BUILD_FLAG \
+ --disable-all \
+ --enable-debug-assertions \
+ --enable-option-checking=fatal \
+ --enable-fuzzer \
+ --enable-exif \
+ --enable-opcache \
+ --without-pcre-jit \
+ --disable-phpdbg \
+ --disable-cgi \
+ --with-pic
+make -j$(nproc)
+
+# Generate corpuses and dictionaries.
+sapi/cli/php sapi/fuzzer/generate_all.php
+
+# Copy dictionaries to expected locations.
+cp sapi/fuzzer/dict/unserialize $OUT/php-fuzz-unserialize.dict
+cp sapi/fuzzer/dict/parser $OUT/php-fuzz-parser.dict
+cp sapi/fuzzer/json.dict $OUT/php-fuzz-json.dict
+
+FUZZERS="php-fuzz-json
+php-fuzz-exif
+php-fuzz-unserialize
+php-fuzz-unserializehash
+php-fuzz-parser
+php-fuzz-execute"
+for fuzzerName in $FUZZERS; do
+ cp sapi/fuzzer/$fuzzerName $OUT/
+done
+
+# The JIT fuzzer is fundamentally incompatible with memory sanitizer,
+# as that would require the JIT to emit msan instrumentation itself.
+# In practice it is currently also incompatible with ubsan.
+if [ "$SANITIZER" != "memory" ] && [ "$SANITIZER" != "undefined" ]; then
+ cp sapi/fuzzer/php-fuzz-function-jit $OUT/
+ cp sapi/fuzzer/php-fuzz-tracing-jit $OUT/
+
+ # Copy opcache.so extension, which does not support static linking.
+ mkdir -p $OUT/modules
+ cp modules/opcache.so $OUT/modules
+fi
+
+# copy corpora from source
+for fuzzerName in `ls sapi/fuzzer/corpus`; do
+ zip -j $OUT/php-fuzz-${fuzzerName}_seed_corpus.zip sapi/fuzzer/corpus/${fuzzerName}/*
+done
diff --git a/benchmarks/php_php-fuzz-unserialize/cosmic.list b/benchmarks/php_php-fuzz-unserialize/cosmic.list
new file mode 100644
index 000000000..e9f052d76
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserialize/cosmic.list
@@ -0,0 +1,2 @@
+deb http://archive.ubuntu.com/ubuntu/ cosmic universe
+
diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24387 b/benchmarks/php_php-fuzz-unserialize/testcases/24387
new file mode 100644
index 000000000..bdb3d60c5
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserialize/testcases/24387
@@ -0,0 +1 @@
+>public$ÿ){}}
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24403 b/benchmarks/php_php-fuzz-unserialize/testcases/24403
new file mode 100644
index 000000000..8fe1a2145
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserialize/testcases/24403
@@ -0,0 +1 @@
+ÿ;}));
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24405 b/benchmarks/php_php-fuzz-unserialize/testcases/24405
new file mode 100644
index 000000000..4ca969a8f
Binary files /dev/null and b/benchmarks/php_php-fuzz-unserialize/testcases/24405 differ
diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24423 b/benchmarks/php_php-fuzz-unserialize/testcases/24423
new file mode 100644
index 000000000..e449a2532
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserialize/testcases/24423
@@ -0,0 +1 @@
+ ÿ; }));
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24436 b/benchmarks/php_php-fuzz-unserialize/testcases/24436
new file mode 100644
index 000000000..9459d2b61
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserialize/testcases/24436
@@ -0,0 +1 @@
+ÿ;
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24567 b/benchmarks/php_php-fuzz-unserialize/testcases/24567
new file mode 100644
index 000000000..9459d2b61
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserialize/testcases/24567
@@ -0,0 +1 @@
+ÿ;
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserialize/testcases/24627 b/benchmarks/php_php-fuzz-unserialize/testcases/24627
new file mode 100644
index 000000000..72b58187d
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserialize/testcases/24627
@@ -0,0 +1 @@
+ÿ());
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserializehash/Dockerfile b/benchmarks/php_php-fuzz-unserializehash/Dockerfile
new file mode 100644
index 000000000..25311c6cb
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserializehash/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+
+RUN apt-get update && \
+ apt-get install -y \
+ autoconf automake libtool bison re2c pkg-config
+
+RUN git clone \
+ https://github.com/php/php-src.git
+
+WORKDIR php-src
+COPY build.sh *.options $SRC/
diff --git a/benchmarks/php_php-fuzz-unserializehash/benchmark.yaml b/benchmarks/php_php-fuzz-unserializehash/benchmark.yaml
new file mode 100644
index 000000000..995ebe047
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserializehash/benchmark.yaml
@@ -0,0 +1,53 @@
+# 5089511469613056
+commit: 0dbedb3dbdb27bd3acde65e448ff7bdf2260e620
+commit_date: 2022-07-15T10:03:12+0000
+fuzz_target: php-fuzz-unserializehash
+project: php
+oss_fuzz_corpus_target: php_php-fuzz-unserializehash
+unsupported_fuzzers:
+ - aflcc
+ - afl_qemu
+ - aflplusplus_qemu
+ - aflplusplus_qemu_tracepc
+ - aflplusplus_frida
+ - honggfuzz_qemu
+ - klee
+ - lafintel
+ - weizz_qemu
+ - aflplusplus_classic_ctx
+ - aflplusplus_classic_ctx_18
+ - aflplusplus_classic_ctx_20
+ - aflplusplus_classic_ctx_21
+ - aflplusplus_classic_ctx_23
+ - aflplusplus_pcguard
+ - aflplusplus_classic
+ - cfctx_basic
+ - cfctx_bottom
+ - cfctx_dataflow_seadsa
+ - cfctx_dataflow_svf
+ - cfctx_params
+ - cfctx_plain
+ - cfctx_randomic
+ - cfctx_bottom_llc
+ - cfctx_dataflow_seadsa_llc
+ - cfctx_dataflow_svf_llc
+ - cfctx_randomic_llc
+ - cfctx_params_llc
+ - cfctx_params_1mb
+ - cfctx_params_2mb
+ - cfctx_params_4mb
+ - cfctx_params_512kb
+ - cfctx_params_768kb
+ - cfctx_full
+ - symcc_afl
+ - symcc_afl_single
+ - symcc_aflplusplus
+ - symcc_aflplusplus_single
+ - aflplusplus_cmplog_double
+ - symcc_aflplusplus_single
+ - eclipser_aflplusplus
+ - aflplusplus_qemu_double
+ - fuzzolic_aflplusplus_z3
+ - symqemu_aflplusplus
+ - fuzzolic_aflplusplus_fuzzy
+ - fuzzolic_aflplusplus_z3dict
diff --git a/benchmarks/php_php-fuzz-unserializehash/build.sh b/benchmarks/php_php-fuzz-unserializehash/build.sh
new file mode 100755
index 000000000..bb3046bb2
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserializehash/build.sh
@@ -0,0 +1,79 @@
+#!/bin/bash -eu
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# PHP's zend_function union is incompatible with the object-size sanitizer
+export CFLAGS="$CFLAGS -fno-sanitize=object-size"
+export CXXFLAGS="$CXXFLAGS -fno-sanitize=object-size"
+
+# Disable JIT profitability checks.
+export CFLAGS="$CFLAGS -DPROFITABILITY_CHECKS=0"
+
+# Make sure the right assembly files are picked
+BUILD_FLAG=""
+if [ "$ARCHITECTURE" = "i386" ]; then
+ BUILD_FLAG="--build=i686-pc-linux-gnu"
+fi
+
+# build project
+./buildconf --force
+./configure $BUILD_FLAG \
+ --disable-all \
+ --enable-debug-assertions \
+ --enable-option-checking=fatal \
+ --enable-fuzzer \
+ --enable-exif \
+ --enable-opcache \
+ --without-pcre-jit \
+ --disable-phpdbg \
+ --disable-cgi \
+ --with-pic
+make -j$(nproc)
+
+# Generate corpuses and dictionaries.
+sapi/cli/php sapi/fuzzer/generate_all.php
+
+# Copy dictionaries to expected locations.
+cp sapi/fuzzer/dict/unserialize $OUT/php-fuzz-unserialize.dict
+cp sapi/fuzzer/dict/parser $OUT/php-fuzz-parser.dict
+cp sapi/fuzzer/json.dict $OUT/php-fuzz-json.dict
+
+FUZZERS="php-fuzz-json
+php-fuzz-exif
+php-fuzz-unserialize
+php-fuzz-unserializehash
+php-fuzz-parser
+php-fuzz-execute"
+for fuzzerName in $FUZZERS; do
+ cp sapi/fuzzer/$fuzzerName $OUT/
+done
+
+# The JIT fuzzer is fundamentally incompatible with memory sanitizer,
+# as that would require the JIT to emit msan instrumentation itself.
+# In practice it is currently also incompatible with ubsan.
+if [ "$SANITIZER" != "memory" ] && [ "$SANITIZER" != "undefined" ]; then
+ cp sapi/fuzzer/php-fuzz-function-jit $OUT/
+ cp sapi/fuzzer/php-fuzz-tracing-jit $OUT/
+
+ # Copy opcache.so extension, which does not support static linking.
+ mkdir -p $OUT/modules
+ cp modules/opcache.so $OUT/modules
+fi
+
+# copy corpora from source
+for fuzzerName in `ls sapi/fuzzer/corpus`; do
+ zip -j $OUT/php-fuzz-${fuzzerName}_seed_corpus.zip sapi/fuzzer/corpus/${fuzzerName}/*
+done
diff --git a/benchmarks/php_php-fuzz-unserializehash/cosmic.list b/benchmarks/php_php-fuzz-unserializehash/cosmic.list
new file mode 100644
index 000000000..e9f052d76
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserializehash/cosmic.list
@@ -0,0 +1,2 @@
+deb http://archive.ubuntu.com/ubuntu/ cosmic universe
+
diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24387 b/benchmarks/php_php-fuzz-unserializehash/testcases/24387
new file mode 100644
index 000000000..bdb3d60c5
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24387
@@ -0,0 +1 @@
+>public$ÿ){}}
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24403 b/benchmarks/php_php-fuzz-unserializehash/testcases/24403
new file mode 100644
index 000000000..8fe1a2145
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24403
@@ -0,0 +1 @@
+ÿ;}));
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24405 b/benchmarks/php_php-fuzz-unserializehash/testcases/24405
new file mode 100644
index 000000000..4ca969a8f
Binary files /dev/null and b/benchmarks/php_php-fuzz-unserializehash/testcases/24405 differ
diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24423 b/benchmarks/php_php-fuzz-unserializehash/testcases/24423
new file mode 100644
index 000000000..e449a2532
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24423
@@ -0,0 +1 @@
+ ÿ; }));
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24436 b/benchmarks/php_php-fuzz-unserializehash/testcases/24436
new file mode 100644
index 000000000..9459d2b61
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24436
@@ -0,0 +1 @@
+ÿ;
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24567 b/benchmarks/php_php-fuzz-unserializehash/testcases/24567
new file mode 100644
index 000000000..9459d2b61
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24567
@@ -0,0 +1 @@
+ÿ;
\ No newline at end of file
diff --git a/benchmarks/php_php-fuzz-unserializehash/testcases/24627 b/benchmarks/php_php-fuzz-unserializehash/testcases/24627
new file mode 100644
index 000000000..72b58187d
--- /dev/null
+++ b/benchmarks/php_php-fuzz-unserializehash/testcases/24627
@@ -0,0 +1 @@
+ÿ());
\ No newline at end of file
diff --git a/benchmarks/wireshark_fuzzshark/Dockerfile b/benchmarks/wireshark_fuzzshark/Dockerfile
new file mode 100644
index 000000000..c039ebf5e
--- /dev/null
+++ b/benchmarks/wireshark_fuzzshark/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2017 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:fb1a9a49752c9e504687448d1f1a048ec1e062e2e40f7e8a23e86b63ff3dad7c
+
+RUN apt-get update && apt-get install -y ninja-build cmake \
+ flex libc-ares-dev \
+ libglib2.0-dev libgcrypt20-dev
+
+RUN git clone --depth=1 https://gitlab.com/wireshark/wireshark.git
+RUN git clone --depth=1 https://bitbucket.org/jwzawadzki/wireshark-fuzzdb.git
+
+WORKDIR wireshark
+COPY build.sh $SRC/
diff --git a/benchmarks/wireshark_fuzzshark/benchmark.yaml b/benchmarks/wireshark_fuzzshark/benchmark.yaml
new file mode 100644
index 000000000..8828c82f5
--- /dev/null
+++ b/benchmarks/wireshark_fuzzshark/benchmark.yaml
@@ -0,0 +1,4 @@
+commit: 238cc3beabc2b7bc4bd7e41bd0c410b21e680a06
+commit_date: 2025-03-24 07:43:57+00:00
+fuzz_target: fuzzshark_ip
+project: wireshark
diff --git a/benchmarks/wireshark_fuzzshark/build.sh b/benchmarks/wireshark_fuzzshark/build.sh
new file mode 100755
index 000000000..f9dd6a2e9
--- /dev/null
+++ b/benchmarks/wireshark_fuzzshark/build.sh
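Review bot: `RUN git clone --depth=1 https://bitbucket.org/jwzawadzki/wireshark-fuzzdb.git` pulls the sample set that build.sh turns into the seed corpus from an unpinned third-party repository, so the seeds — and therefore every experiment built from this image — change whenever that repository changes and cannot be reproduced later; pin it, e.g. `RUN git clone https://bitbucket.org/jwzawadzki/wireshark-fuzzdb.git && git -C wireshark-fuzzdb checkout <FUZZDB_COMMIT>` with a recorded commit. The wireshark clone on the line above is also `--depth=1` while benchmark.yaml pins commit 238cc3be…; if the harness's checkout of that commit does not first fetch the missing history of a shallow clone, the build silently uses whatever HEAD was at image-build time, which is worth confirming.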
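Review bot: `commit_date: 2025-03-24 07:43:57+00:00` uses a different timestamp format from the php benchmark.yaml files in the same change (`2022-07-15T10:03:12+0000`); if anything parses this field, pick one format for all benchmark files. This file also carries no `unsupported_fuzzers` list while the php entries exclude many fuzzers; that may be deliberate for fuzzshark, but is worth a deliberate decision rather than an omission.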
@@ -0,0 +1,84 @@
+#!/bin/bash -eu
+# Copyright 2017 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+WIRESHARK_BUILD_PATH="$WORK/build"
+mkdir -p "$WIRESHARK_BUILD_PATH"
+
+# Prepare Samples directory
+export SAMPLES_DIR="$WORK/samples"
+mkdir -p "$SAMPLES_DIR"
+cp -a $SRC/wireshark-fuzzdb/samples/* "$SAMPLES_DIR"
+
+# Make sure we build fuzzshark.
+CMAKE_DEFINES="-DBUILD_fuzzshark=ON"
+
+# compile static version of libs
+# XXX, with static wireshark linking each fuzzer binary is ~346 MB (just libwireshark.a is 761 MB).
+# XXX, wireshark is not ready for including static plugins into binaries.
+CMAKE_DEFINES="$CMAKE_DEFINES -DENABLE_STATIC=ON -DENABLE_PLUGINS=OFF"
+
+# disable optional dependencies
+CMAKE_DEFINES="$CMAKE_DEFINES -DENABLE_PCAP=OFF -DENABLE_GNUTLS=OFF"
+
+# There is no need to manually disable programs via BUILD_xxx=OFF since the
+# all-fuzzers targets builds the minimum required binaries. However we do have
+# to disable the Qt GUI and sharkd or else the cmake step will fail.
+CMAKE_DEFINES="$CMAKE_DEFINES -DBUILD_wireshark=OFF -DBUILD_logray=OFF -DBUILD_sharkd=OFF"
+
+cd "$WIRESHARK_BUILD_PATH"
+
+cmake -G Ninja \
+ -DENABLE_STATIC=ON \
+ -DOSS_FUZZ=ON \
+ -DINSTRUMENT_DISSECTORS_ONLY=ON \
+ -DBUILD_fuzzshark=ON \
+ -DBUILD_wireshark=OFF \
+ -DBUILD_sharkd=OFF \
+ -DENABLE_PCAP=OFF \
+ -DENABLE_ZLIB=OFF \
+ -DENABLE_MINIZIP=OFF \
+ -DENABLE_LZ4=OFF \
+ -DENABLE_BROTLI=OFF \
+ -DENABLE_SNAPPY=OFF \
+ -DENABLE_ZSTD=OFF \
+ -DENABLE_NGHTTP2=OFF \
+ -DENABLE_NGHTTP3=OFF \
+ -DENABLE_LUA=OFF \
+ -DENABLE_SMI=OFF \
+ -DENABLE_GNUTLS=OFF \
+ -DENABLE_NETLINK=OFF \
+ -DENABLE_KERBEROS=OFF \
+ -DENABLE_SBC=OFF \
+ -DENABLE_SPANDSP=OFF \
+ -DENABLE_BCG729=OFF \
+ -DENABLE_AMRNB=OFF \
+ -DENABLE_ILBC=OFF \
+ -DENABLE_LIBXML2=OFF \
+ -DENABLE_OPUS=OFF \
+ -DENABLE_SINSP=OFF $SRC/wireshark/
+
+# cmake -GNinja \
+# -DCMAKE_C_COMPILER=$CC -DCMAKE_CXX_COMPILER=$CXX \
+# -DCMAKE_C_FLAGS="-Wno-error=fortify-source -Wno-error=missing-field-initializers $CFLAGS" -DCMAKE_CXX_FLAGS="-Wno-error=fortify-source -Wno-error=missing-field-initializers $CXXFLAGS" \
+# -DDISABLE_WERROR=ON -DOSS_FUZZ=ON $CMAKE_DEFINES $SRC/wireshark/
+
+ninja fuzzshark
+
+mkdir -p $OUT/seeds
+find $SRC -name "*.pcap" -exec cp {} $OUT/seeds \;
+
+$SRC/wireshark/tools/oss-fuzzshark/build.sh all
diff --git a/docker/image_types.yaml b/docker/image_types.yaml
index e292224bd..016147a49 100644
--- a/docker/image_types.yaml
+++ b/docker/image_types.yaml
@@ -76,7 +76,7 @@ - 'base-image' dockerfile: 'docker/benchmark-builder/Dockerfile' context: '.'
- tag: 'builders/{fuzzer}/{benchmark}'
+ tag: 'builders/{fuzzer}/{benchmark}-debug'
 type: 'builder' '{fuzzer}-{benchmark}-builder':
diff --git a/experiment/measurer/measure_manager.py b/experiment/measurer/measure_manager.py
index b3813653d..d74b61148 100644
--- a/experiment/measurer/measure_manager.py
+++ b/experiment/measurer/measure_manager.py
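Review bot: `CMAKE_DEFINES` is assembled across the first half of the script but the live `cmake -G Ninja ...` invocation never passes it; only the commented-out invocation below did, so `-DENABLE_PLUGINS=OFF` and `-DBUILD_logray=OFF` (which the comment just above says is needed to keep the cmake step from failing) are silently not applied. Either append it to the real call, `-DENABLE_SINSP=OFF $CMAKE_DEFINES $SRC/wireshark/`, or delete the dead assignments and the commented block so the next reader is not misled about what is configured. `find $SRC -name "*.pcap" -exec cp {} $OUT/seeds \;` also flattens every sample directory into one, so same-named pcaps from different subdirectories silently overwrite each other; whether that actually drops seeds depends on the fuzzdb layout, which is not visible here.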
@@ -818,8 +818,8 @@ def measure_manager_loop(experiment: str, continue_inner_loop = measure_manager_inner_loop( experiment, max_cycle, request_queue, response_queue, queued_snapshots)
- if not continue_inner_loop:
- break
+ # if not continue_inner_loop:
+ # break
 time.sleep(MEASUREMENT_LOOP_WAIT) logger.info('All trials ended. Ending measure manager loop')
diff --git a/fuzzers/libafl/builder.Dockerfile b/fuzzers/libafl/builder.Dockerfile
index f0136ff46..c74eb0261 100644
--- a/fuzzers/libafl/builder.Dockerfile
+++ b/fuzzers/libafl/builder.Dockerfile
@@ -35,7 +35,7 @@ RUN apt-get update && \ RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh # Download libafl.
-RUN git clone https://github.com/AFLplusplus/LibAFL /libafl
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
 # Checkout a current commit RUN cd /libafl && git pull && git checkout f856092f3d393056b010fcae3b086769377cba18 || true
diff --git a/fuzzers/libafl_covaccount/builder.Dockerfile b/fuzzers/libafl_covaccount/builder.Dockerfile
new file mode 100644
index 000000000..0cd07668c
--- /dev/null
+++ b/fuzzers/libafl_covaccount/builder.Dockerfile
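Review bot: Commenting out `if not continue_inner_loop: break` removes the loop's early exit but leaves `continue_inner_loop` assigned and never read, plus two lines of dead commented-out code; if the early exit is really unwanted, drop the assignment (keeping the call for its effects) and say why in a short comment such as `# Keep polling until the outer condition ends the loop; the inner loop's result no longer stops it.` The enclosing `measure_manager_loop` starts and ends outside the hunk, so the condition that now terminates the loop is not visible here; confirm it cannot spin indefinitely once the inner loop reports it is done.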
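Review bot: The clone now comes from a personal fork (`zukatsinadze/LibAFL`) while the commit pinned on the following context line, `f856092f…`, is unchanged, and that checkout is followed by `|| true`; if the commit is absent from the fork the build continues silently on the fork's default branch, which defeats the pin. Remove the fallback so a bad pin fails the image build loudly: `RUN cd /libafl && git checkout f856092f3d393056b010fcae3b086769377cba18`. The new fuzzers/libafl_covaccount/builder.Dockerfile in this change uses the same `git pull && git checkout … || true` pattern against the same fork and should be tightened the same way.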
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_covaccount && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_default && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_covaccount/description.md b/fuzzers/libafl_covaccount/description.md
new file mode 100644
index 000000000..ea9b947d6
--- /dev/null
+++ b/fuzzers/libafl_covaccount/description.md
@@ -0,0 +1,11 @@
+# libafl
+
+libafl fuzzer instance
+ - cmplog feature
+ - persistent mode
+
+Repository: [https://github.com/AFLplusplus/libafl/](https://github.com/AFLplusplus/libafl/)
+
+[builder.Dockerfile](builder.Dockerfile)
+[fuzzer.py](fuzzer.py)
+[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/libafl_covaccount/fuzzer.py b/fuzzers/libafl_covaccount/fuzzer.py
new file mode 100755
index 000000000..2d36871db
--- /dev/null
+++ b/fuzzers/libafl_covaccount/fuzzer.py
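Review bot: The auxiliary archive is built from `fuzzers/fuzzbench/fuzzbench_default/stub_rt.c` while the fuzzer itself is compiled from `fuzzers/fuzzbench/fuzzbench_covaccount`; if covaccount ships its own `stub_rt.c` this picks the wrong one, and if the default one is intentionally shared, a comment such as `# stub_rt.c is shared with fuzzbench_default; covaccount has no copy of its own.` would stop the next reader from wondering. The `# Note that due a nightly bug it is currently fixed to a known version on top!` comment sits after the libafl checkout but appears to describe the `nightly-2024-08-12` toolchain pin near the top of the file; move it next to the rustup line so it documents the right thing.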
@@ -0,0 +1,79 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_covaccount/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_covaccount/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ fuzzer_env["FUZZSHARK_TARGET"] = "tcp"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_covaccount/runner.Dockerfile b/fuzzers/libafl_covaccount/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_covaccount/runner.Dockerfile
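Review bot: `fuzzer_env["FUZZSHARK_TARGET"] = "tcp"` in fuzz() sets a variable that nothing else in this integration reads, and the name looks carried over from a different fuzzer; either add a comment naming the binary that consumes it or drop the line. The `# pylint: disable=too-many-branches,too-many-statements` on `build()` is stale, as the body is straight-line with no branches at all. The hardcoded `LD_PRELOAD` path only works because runner.Dockerfile installs libjemalloc2, which deserves a one-line comment such as `# libjemalloc2 is installed by runner.Dockerfile`. The fuzzer.py hunks for libafl_default, libafl_explore, libafl_fast and libafl_naive differ only in the fuzzbench_* directory and share these points.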
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_default/builder.Dockerfile b/fuzzers/libafl_default/builder.Dockerfile
new file mode 100644
index 000000000..082f01ef9
--- /dev/null
+++ b/fuzzers/libafl_default/builder.Dockerfile
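Review bot: `RUN apt install libjemalloc2` runs without a preceding `apt-get update` and without `-y`, so it relies on the base image still shipping a package index and on apt never prompting; `RUN apt-get update && apt-get install -y libjemalloc2 && rm -rf /var/lib/apt/lists/*` is the reproducible form and matches the style of the builder Dockerfile. The `ENV AFL_*` lines and the commented-out `#ENV AFL_MAP_SIZE=2621440` appear to be AFL++ runtime knobs; if the LibAFL fuzzbench binary does read them, a comment saying so would stop a later cleanup from removing them, and otherwise they are dead configuration. The runner.Dockerfile hunks for libafl_default, libafl_explore, libafl_fast and libafl_naive are byte-identical and share this note.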
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_default && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_default && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_default/description.md b/fuzzers/libafl_default/description.md
new file mode 100644
index 000000000..ea9b947d6
--- /dev/null
+++ b/fuzzers/libafl_default/description.md
@@ -0,0 +1,11 @@
+# libafl
+
+libafl fuzzer instance
+ - cmplog feature
+ - persistent mode
+
+Repository: [https://github.com/AFLplusplus/libafl/](https://github.com/AFLplusplus/libafl/)
+
+[builder.Dockerfile](builder.Dockerfile)
+[fuzzer.py](fuzzer.py)
+[runner.Dockerfile](runner.Dockerfile)
diff --git a/fuzzers/libafl_default/fuzzer.py b/fuzzers/libafl_default/fuzzer.py
new file mode 100755
index 000000000..631467b55
--- /dev/null
+++ b/fuzzers/libafl_default/fuzzer.py
@@ -0,0 +1,79 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_default/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_default/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ fuzzer_env["FUZZSHARK_TARGET"] = "tcp"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_default/runner.Dockerfile b/fuzzers/libafl_default/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_default/runner.Dockerfile
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_explore/builder.Dockerfile b/fuzzers/libafl_explore/builder.Dockerfile
new file mode 100644
index 000000000..cc7f56bfd
--- /dev/null
+++ b/fuzzers/libafl_explore/builder.Dockerfile
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_explore && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_explore && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_explore/fuzzer.py b/fuzzers/libafl_explore/fuzzer.py
new file mode 100755
index 000000000..badbb387d
--- /dev/null
+++ b/fuzzers/libafl_explore/fuzzer.py
@@ -0,0 +1,79 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_explore/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_explore/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ fuzzer_env["FUZZSHARK_TARGET"] = "tcp"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_explore/runner.Dockerfile b/fuzzers/libafl_explore/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_explore/runner.Dockerfile
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_fast/builder.Dockerfile b/fuzzers/libafl_fast/builder.Dockerfile
new file mode 100644
index 000000000..62e3254e9
--- /dev/null
+++ b/fuzzers/libafl_fast/builder.Dockerfile
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_fast && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_fast && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_fast/fuzzer.py b/fuzzers/libafl_fast/fuzzer.py
new file mode 100755
index 000000000..71bde9d91
--- /dev/null
+++ b/fuzzers/libafl_fast/fuzzer.py
@@ -0,0 +1,79 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_fast/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_fast/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ fuzzer_env["FUZZSHARK_TARGET"] = "tcp"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_fast/runner.Dockerfile b/fuzzers/libafl_fast/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_fast/runner.Dockerfile
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_naive/builder.Dockerfile b/fuzzers/libafl_naive/builder.Dockerfile
new file mode 100644
index 000000000..4441bc2ec
--- /dev/null
+++ b/fuzzers/libafl_naive/builder.Dockerfile
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_naive && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_naive && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_naive/fuzzer.py b/fuzzers/libafl_naive/fuzzer.py
new file mode 100755
index 000000000..7a8ab9324
--- /dev/null
+++ b/fuzzers/libafl_naive/fuzzer.py
@@ -0,0 +1,79 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_naive/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_naive/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ fuzzer_env["FUZZSHARK_TARGET"] = "tcp"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_naive/runner.Dockerfile b/fuzzers/libafl_naive/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_naive/runner.Dockerfile
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_random/builder.Dockerfile b/fuzzers/libafl_random/builder.Dockerfile
new file mode 100644
index 000000000..1d2c5b1c3
--- /dev/null
+++ b/fuzzers/libafl_random/builder.Dockerfile
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_random && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_random && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_random/fuzzer.py b/fuzzers/libafl_random/fuzzer.py
new file mode 100755
index 000000000..7c78d4c69
--- /dev/null
+++ b/fuzzers/libafl_random/fuzzer.py
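Review bot: `git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true` in the "Checkout a current commit" step swallows a failed checkout, so if that commit is ever missing from the fork the image builds silently at whatever `git pull` fetched and the comment promising a fixed version no longer holds; the pinned checkout is also the only thing keeping an unreviewed upstream change out of every benchmark binary built from this image. Let it fail: `RUN cd /libafl && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b` (the `git pull` straight after a fresh clone is redundant). The same `|| true` appears in the libafl_weighted builder.Dockerfile hunk.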
@@ -0,0 +1,79 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_random/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_random/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ fuzzer_env["FUZZSHARK_TARGET"] = "tcp"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_random/runner.Dockerfile b/fuzzers/libafl_random/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_random/runner.Dockerfile
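Review bot: `fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"` in fuzz() hard-codes an architecture-specific path and never checks that the file exists; when the runner image lacks it the dynamic loader only prints a warning and the target runs with its default allocator, so the experiment quietly measures a different configuration than the one intended. Fail early instead: `jemalloc = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"` / `if not os.path.exists(jemalloc): raise FileNotFoundError(jemalloc)` before building fuzzer_env, then assign `jemalloc`. `fuzzer_env["FUZZSHARK_TARGET"] = "tcp"` is not explained anywhere in this integration and looks carried over from a different fuzzer; either add a comment stating what the LibAFL binary does with it or remove it. The same two lines appear in the libafl_weighted fuzzer.py hunk and in the libafl_naive fuzz() that begins before this chunk.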
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/libafl_weighted/builder.Dockerfile b/fuzzers/libafl_weighted/builder.Dockerfile
new file mode 100644
index 000000000..e63f82fba
--- /dev/null
+++ b/fuzzers/libafl_weighted/builder.Dockerfile
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl.
+RUN git clone https://github.com/zukatsinadze/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout 462f87c2ce6d10dbcc4520431a0af781b306f80b || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+ unset CFLAGS CXXFLAGS && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ cd ./fuzzers/fuzzbench/fuzzbench_weighted && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench_weighted && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
diff --git a/fuzzers/libafl_weighted/fuzzer.py b/fuzzers/libafl_weighted/fuzzer.py
new file mode 100755
index 000000000..ef8ee0bf0
--- /dev/null
+++ b/fuzzers/libafl_weighted/fuzzer.py
@@ -0,0 +1,80 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_weighted"
+ "/target/release-fuzzbench/libafl_cc"
+ )
+ os.environ["CXX"] = (
+ "/libafl/fuzzers/fuzzbench/fuzzbench_weighted/target/release-fuzzbench/libafl_cxx"
+ )
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ cxxflags = ["--libafl", "--std=c++14"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cxxflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ fuzzer_env = os.environ.copy()
+ fuzzer_env["LD_PRELOAD"] = "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
+ fuzzer_env["FUZZSHARK_TARGET"] = "tcp"
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"], env=fuzzer_env)
diff --git a/fuzzers/libafl_weighted/runner.Dockerfile b/fuzzers/libafl_weighted/runner.Dockerfile
new file mode 100644
index 000000000..f0c5eb6cc
--- /dev/null
+++ b/fuzzers/libafl_weighted/runner.Dockerfile
@@ -0,0 +1,25 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt install libjemalloc2
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
diff --git a/fuzzers/my_libafl/libafl_random/builder.Dockerfile b/fuzzers/my_libafl/libafl_random/builder.Dockerfile
new file mode 100644
index 000000000..b70b32176
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_random/builder.Dockerfile
@@ -0,0 +1,57 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+
+
+# Download libafl
+RUN git clone https://github.com/zukatsinadze/libafl_fuzzbench /libafl_fuzzbench && \
+ cd /libafl_fuzzbench && \
+ git checkout 605ce5df98d0ad816074578a28a161edde74c74c && \
+ git submodule update --init
+
+# Compile libafl
+RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \
+ export CC=clang && export CXX=clang++ && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --release --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl_fuzzbench && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
+
+
diff --git a/fuzzers/my_libafl/libafl_random/fuzzer.py b/fuzzers/my_libafl/libafl_random/fuzzer.py
new file mode 100644
index 000000000..122147bf2
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_random/fuzzer.py
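Review bot: The toolchain bootstrap downloads and executes three remote scripts — rustup.sh, apt.llvm.org/llvm.sh and the createAliases.sh gist — with no integrity check, so the compiler that instruments every benchmark is whatever those endpoints serve on build day; the gist URL is at least pinned to a commit hash, the other two are not. Record the expected SHA-256 of the two unpinned scripts and verify before running (`echo "<EXPECTED_SHA256>  /rustup.sh" | sha256sum -c` with a placeholder to fill in, likewise for llvm.sh) or pin to a release artifact, so a changed script fails the build rather than silently changing the binaries. `export CC=clang && export CXX=clang++` in the compile step follows `apt-get remove -y llvm-10 && ... ./llvm.sh 17`, which installs versioned binaries; whether an unversioned `clang` exists at that point appears to depend on what createAliases.sh sets up, and a comment on the `# Compile libafl` step should say so. The same applies to the libafl_valueprofile and libafl_weighted_scheduler builder hunks, and the unverified-download point to the libafl_random and libafl_weighted builder hunks as well.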
@@ -0,0 +1,71 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = "/libafl_fuzzbench/target/release/rand_scheduler_cc"
+ os.environ["CXX"] = "/libafl_fuzzbench/target/release/rand_scheduler_cxx"
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"])
diff --git a/fuzzers/my_libafl/libafl_random/runner.Dockerfile b/fuzzers/my_libafl/libafl_random/runner.Dockerfile
new file mode 100644
index 000000000..77492efa4
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_random/runner.Dockerfile
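Review bot: `def build():  # pylint: disable=too-many-branches,too-many-statements` disables two checks on a function that has no branches at all, so the pragma is dead and would also mask real growth later; drop the trailing comment. In the same build(), `cflags` is appended to CFLAGS, CXXFLAGS and LDFLAGS alike, whereas the libafl_random/fuzzer.py variant in this change passes a separate `cxxflags = ["--libafl", "--std=c++14"]` for C++; if the difference is intentional, a one-line comment saying why would stop the next reader from "fixing" it. The same applies to the libafl_valueprofile and libafl_weighted_scheduler fuzzer.py hunks, and the dead pylint pragma to the libafl_random and libafl_weighted fuzzer.py hunks too.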
@@ -0,0 +1,24 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
+
diff --git a/fuzzers/my_libafl/libafl_valueprofile/builder.Dockerfile b/fuzzers/my_libafl/libafl_valueprofile/builder.Dockerfile
new file mode 100644
index 000000000..08eee9745
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_valueprofile/builder.Dockerfile
@@ -0,0 +1,53 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl
+RUN git clone https://github.com/zukatsinadze/libafl_fuzzbench /libafl_fuzzbench && \
+ cd /libafl_fuzzbench && \
+ git checkout 605ce5df98d0ad816074578a28a161edde74c74c && \
+ git submodule update --init
+
+# Compile libafl
+RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \
+ export CC=clang && export CXX=clang++ && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --release --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl_fuzzbench && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
+
diff --git a/fuzzers/my_libafl/libafl_valueprofile/fuzzer.py b/fuzzers/my_libafl/libafl_valueprofile/fuzzer.py
new file mode 100644
index 000000000..2ab6ec582
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_valueprofile/fuzzer.py
@@ -0,0 +1,71 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = "/libafl_fuzzbench/target/release/value_profile_cc"
+ os.environ["CXX"] = "/libafl_fuzzbench/target/release/value_profile_cxx"
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"])
diff --git a/fuzzers/my_libafl/libafl_valueprofile/runner.Dockerfile b/fuzzers/my_libafl/libafl_valueprofile/runner.Dockerfile
new file mode 100644
index 000000000..77492efa4
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_valueprofile/runner.Dockerfile
@@ -0,0 +1,24 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
+
diff --git a/fuzzers/my_libafl/libafl_weighted_scheduler/builder.Dockerfile b/fuzzers/my_libafl/libafl_weighted_scheduler/builder.Dockerfile
new file mode 100644
index 000000000..4e81a8b34
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_weighted_scheduler/builder.Dockerfile
@@ -0,0 +1,54 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Uninstall old Rust & Install the latest one.
+RUN if which rustup; then rustup self uninstall -y; fi && \
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+ sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+ rm /rustup.sh
+
+# Install dependencies.
+RUN apt-get update && \
+ apt-get remove -y llvm-10 && \
+ apt-get install -y \
+ build-essential \
+ lsb-release wget software-properties-common gnupg && \
+ apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+ libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+ apt-utils apt-transport-https ca-certificates joe curl && \
+ wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh 17
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && chmod u+x ./createAliases.sh && ./createAliases.sh
+
+# Download libafl
+RUN git clone https://github.com/zukatsinadze/libafl_fuzzbench /libafl_fuzzbench && \
+ cd /libafl_fuzzbench && \
+ git checkout 605ce5df98d0ad816074578a28a161edde74c74c && \
+ git submodule update --init
+
+# Compile libafl
+RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \
+ export CC=clang && export CXX=clang++ && \
+ export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+ PATH="/root/.cargo/bin/:$PATH" cargo build --release --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl_fuzzbench && \
+ clang -c stub_rt.c && \
+ ar r /stub_rt.a stub_rt.o
+
+
diff --git a/fuzzers/my_libafl/libafl_weighted_scheduler/fuzzer.py b/fuzzers/my_libafl/libafl_weighted_scheduler/fuzzer.py
new file mode 100644
index 000000000..b32df2b52
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_weighted_scheduler/fuzzer.py
@@ -0,0 +1,71 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+"""Integration code for a LibAFL-based fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers import utils
+
+
+def prepare_fuzz_environment(input_corpus):
+ """Prepare to fuzz with a LibAFL-based fuzzer."""
+ os.environ["ASAN_OPTIONS"] = (
+ "abort_on_error=1:detect_leaks=0:"
+ "malloc_context_size=0:symbolize=0:"
+ "allocator_may_return_null=1:"
+ "detect_odr_violation=0:handle_segv=0:"
+ "handle_sigbus=0:handle_abort=0:"
+ "handle_sigfpe=0:handle_sigill=0"
+ )
+ os.environ["UBSAN_OPTIONS"] = (
+ "abort_on_error=1:"
+ "allocator_release_to_os_interval_ms=500:"
+ "handle_abort=0:handle_segv=0:"
+ "handle_sigbus=0:handle_sigfpe=0:"
+ "handle_sigill=0:print_stacktrace=0:"
+ "symbolize=0:symbolize_inline_frames=0"
+ )
+ # Create at least one non-empty seed to start.
+ utils.create_seed_file_for_empty_corpus(input_corpus)
+
+
+def build(): # pylint: disable=too-many-branches,too-many-statements
+ """Build benchmark."""
+ os.environ["CC"] = "/libafl_fuzzbench/target/release/weighted_cc"
+ os.environ["CXX"] = "/libafl_fuzzbench/target/release/weighted_cxx"
+
+ os.environ["ASAN_OPTIONS"] = "abort_on_error=0:allocator_may_return_null=1"
+ os.environ["UBSAN_OPTIONS"] = "abort_on_error=0"
+
+ cflags = ["--libafl"]
+ utils.append_flags("CFLAGS", cflags)
+ utils.append_flags("CXXFLAGS", cflags)
+ utils.append_flags("LDFLAGS", cflags)
+
+ os.environ["FUZZER_LIB"] = "/stub_rt.a"
+ utils.build_benchmark()
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+ """Run fuzzer."""
+ prepare_fuzz_environment(input_corpus)
+ dictionary_path = utils.get_dictionary_path(target_binary)
+ command = [target_binary]
+ if dictionary_path:
+ command += ["-x", dictionary_path]
+ command += ["-o", output_corpus, "-i", input_corpus]
+ print(command)
+ subprocess.check_call(command, cwd=os.environ["OUT"])
diff --git a/fuzzers/my_libafl/libafl_weighted_scheduler/runner.Dockerfile b/fuzzers/my_libafl/libafl_weighted_scheduler/runner.Dockerfile
new file mode 100644
index 000000000..77492efa4
--- /dev/null
+++ b/fuzzers/my_libafl/libafl_weighted_scheduler/runner.Dockerfile
@@ -0,0 +1,24 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
+
diff --git a/service/gcbrun_experiment.py b/service/gcbrun_experiment.py
index bbebcf1b9..f0645276f 100644
--- a/service/gcbrun_experiment.py
+++ b/service/gcbrun_experiment.py
@@ -17,6 +17,7 @@
 from the last PR comment containing "/gcbrun" and pass it to run_experiment.py
 which will run an experiment."""
 
+# dummy change.
 import logging
 import os
 import sys