capstone/suite/fuzz/README.md

Fuzzing
===============


Build the fuzz target
-------

To build the fuzz target, you can simply run `make` with appropriate flags set :
```
ASAN_OPTIONS=detect_leaks=0 CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" LDFLAGS="-fsanitize=address" make
```
You can replace `address` with another sanitizer : `memory` or `undefined`
The fuzz target is then `suite/fuzz/fuzz_bindisasm2`

You can find this in travis configuration `.travis.yml`

Another way is to use oss-fuzz, see https://github.com/google/oss-fuzz/blob/master/projects/capstone/build.sh

Troubleshooting
------

If you get `cc: error: unrecognized argument to ‘-fsanitize=’ option: ‘fuzzer’` check if you have a workable
version of `libfuzz` installed. Also try to build with `CC=clang make`

Interpret OSS-Fuzz report
------

A reported bug by OSS-fuzz looks usually like this:

```
...
    #20 0x7f3a42062082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #21 0x55ad814876dd in _start (build-out/fuzz_disasmnext+0x5246dd)

DEDUP_TOKEN: raise--abort--
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e) in raise
==62==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x7,0xe8,0x3,0x4e,0xc0,0xf8,
\007\350\003N\300\370
```

It emits the bytes fed to Capstone in the last two lines.

The first byte determines the `arch+mode`. The following bytes the actual data producing the crash.

You can run `./fuzz_decode_platform` to get the `arch+mode` used:

```
./fuzz_decode_platform 0x7
cstool arch+mode = aarch64
```

And reproduce the bug with `cstool`:

```bash
# Make sureevery hex number has two digits!
cstool -d aarch64 0xe8,0x03,0x4e,0xc0,0xf8,
```

Make sure the every hex number has two digits (`0x3 -> 0x03`)!
`cstool` won't parse it correctly otherwise.

Fuzz drivers
------

There are custom drivers :
- driverbin.c : prints cstool command before running one input
- drivermc.c : converts MC test data to raw binary data before running as many inputs as there are lines in a file
- onefile.c : simple one file driver

For libfuzzer, the preferred main function is now to use linker option `-fsanitize=fuzzer`

Fuzzit integration
------

Travis will build the fuzz target with the different sanitizers.
Then, Travis will launch sanity fuzzit jobs as part of continuous integration (for each of the sanitizers)
The fuzzit target ids are stored in a configuration file fuzzitid.txt and used by fuzzit.sh
-												Fuzzit integration (#1520)


											
										
										
											2019-07-25 01:06:52 +00:00
+								Fuzzing
 								===============
 								Build the fuzz target
 								-------
 								To build the fuzz target, you can simply run `make` with appropriate flags set :
 								```
 								ASAN_OPTIONS=detect_leaks=0 CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" LDFLAGS="-fsanitize=address" make
 								```
 								You can replace `address` with another sanitizer : `memory` or `undefined`
 								The fuzz target is then `suite/fuzz/fuzz_bindisasm2`
 								You can find this in travis configuration `.travis.yml`
 								Another way is to use oss-fuzz, see https://github.com/google/oss-fuzz/blob/master/projects/capstone/build.sh
-												Architecture updater (auto-sync) - Updating ARM (#1949)

* Add auto-sync updater.

* Update Capstone core with auto-sync changes.

* Update ARM via auto-sync.

* Make changes to arch modules which are introduced by auto-sync.

* Update tests for ARM.

* Fix build warnings for make

* Remove meson.build

* Print shift amount in decimal

* Patch non LLVM register alias.

* Change type of immediate operand to unsiged (due to: #771)

* Replace all occurances of a register with its alias.

* Fix printing of signed imms

* Print rotate amount in decimal

* CHange imm type to int64_t to match LLVM imm type.

* Fix search for register names, by completing string first.

* Print ModImm operands always in decimal

* Use number format of previous capstone version.

* Correct implicit writes and update_flags according to SBit.

* Add missing test for RegImmShift

* Reverse incorrect comparision.

* Set shift information for move instructions.

* Set mem access for all memory operands

* Set subtracted flag if offset is negative.

* Add flag for post-index memory operands.

* Add detail op for BX_RET and MOVPCLR

* Use instruction post_index operand.

* Add VPOP and VPUSH as unique CS IDs.

* Add shifting info for MOVsr.

* Add TODOs.

* Add in LLVM hardcoded operands to detail.

* Move detail editing from InstPrinter to Mapping

* Formatting

* Add removed check.

* Add writeback register and constraints to RFEI instructions.

* Translate shift immediate

* Print negative immediates

* Remove duplicate invalid entry

* Add CS groups to instructions

* Fix write attriutes of stores.

* Add missing names of added instructions

* Fix LLVM bug

* Add more post_index flags

* http -> https

* Make generated functions static

* Remove tab prefix for alias instructions.

* Set ValidateMCOperand to NULL.

* Fix AddrMode3Operand operands

* Allow getting system and banked register name via API

* Add writeback to STC/LDC instructions.

* Fix (hopefully) last case where disp is negative and subtracted = true

* Remove accidentially introduced regressions
											
										
										
											2023-07-19 09:56:27 +00:00
+								Troubleshooting
 								------
 								If you get `cc: error: unrecognized argument to ‘-fsanitize=’ option: ‘fuzzer’` check if you have a workable
 								version of `libfuzz` installed. Also try to build with `CC=clang make`
-												AArch64 update to LLVM 18 (#2298)

* Run clang-format

* Remove arm.h header from AArch64 files

* Update all AArch64 module files to LLVM-18.

* Add check if the differs save file is up-to-date with the current files.

* Add new generator for MC test trnaslation.

* Fix warnings

* Update generated AsmWriter files

* Remove unused variable

* Change MCPhysReg type to int16_t as LLVM 18 dictates.

With LLVM 18 the MCPhysReg value's type is changed to int16_t.
If we update modules to LLVM 18, they will generate
compiler warnings that uint16_t* should not be casted to int16_t*.

This makes changing the all tables to int16_t necessary, because the alternative is
to duplicate all MCPhysReg related code. Which is even worse.

* Assign enum values to raw_struct member

* Add printAdrAdrpLabel def

* Add header to regression test files.

* Write files to build dir and ignore more parsing errors.

* Fix parsing of MC test files.

* Reset parser after every block

* Add write and patch header step.

* Add and update MC tests for AArch64

* Fix clang-tidy warnings

* Don't warn about padding issues.

They break automatically initialized structs we can not change easily.

* Fix: Incorrect access of LLVM instruction descriptions.

* Initialize DecoderComplete flag

* Add more mapping and flag details

* Add function to get MCInstDesc from table

* Fix incorrect memory operand access types.

* Fix test where memory was not written, ut only read.

* Attempt to fix Windows build

* Fix 2268

The enum values were different and hence lead to different decoding.

* Refactor SME operands.

- Splits SME operands in Matrix and Predicate operands.
- Fixes general problems of incorrect detections with
the vector select/index operands of predicate registers.
- Simplifies code.

* Fix up typo in WRITE

* Print actual path to struct fields

* Add Registers of SME operands to the reg-read list

* Add tests for SME operands.

* Use Capstone reg enum for comparison

* Fix tests: 'Vector arra...' to 'operands[x].vas'

* Add the developer fuzz option.

* Fix Python bindings for SME operands

* Fix variable shadowing.

* Fix clang-tidy warnings

* Add missing break.

* Fix varg usage

* Brackets for case

* Handle AArch64_OP_GROUP_AdrAdrpLabel

* Fix endian issue with fuzzing start bytes

* Move previous sme.pred to it's own operand type.

* Fix calculation for imm ranges

* Print list member flag

* Fix up operand strings for cstest

* Do only a shallow clone of the cmocka stable branch

* Fix: Don't categorize ZT0 as a SME matrix operand.

* Remove unused code.

* Add flag to distinguish Vn and Qn registers.

* Add all registers to detail struct, even if emitted in the asm text

* Fix: Increment op count after each list member is added.

* Remove implicit write to NZCV for MSR Imm instructions.

* Handle several alias operands.

* Add details for zero alias with za0.h

* Add SME tile to write list if written

* Add write access flags to operands which are zeroed.

* Add SME tests of #2285

* Fix tests with latest syntax changes.

* Fix segfault if memory operand is only a label without register.

* Fix python bindings

* Attempt to fix clang-tidy warning for some configurations.

* Add missing test file (accidentially blocked by gitignore.)

* Print clang-tidy version before linting.

* Update differ save file

* Formatting

* Use clang-tidy-15 as if possible.

* Remove search patterns for MC tests, since they need to be reworked anyways.

* Enum to upper case change

* Add information to read the OSS fuzz result.

* Fix special case of SVE2 operands.

Apparently ZT0 registers can an index attached,
get which is BOUND to it. We have no "index for reg" field.
So it is simply saved as an immediate.

* Handle LLVM expressions without asserts.

* Ensure choices are always saved.

* OP_GROUP enums can't be all upper case because they contain type information.

* Fix compatibility header patching

* Update saved_choices.json

* Allow mode == None in test_corpus
											
										
										
											2024-07-08 02:28:54 +00:00
+								Interpret OSS-Fuzz report
 								------
 								A reported bug by OSS-fuzz looks usually like this:
 								```
 								...
 								    #20 0x7f3a42062082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
 								    #21 0x55ad814876dd in _start (build-out/fuzz_disasmnext+0x5246dd)
 								DEDUP_TOKEN: raise--abort--
 								AddressSanitizer can not provide additional info.
 								SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e) in raise
 								==62==ABORTING
 								MS: 0 ; base unit: 0000000000000000000000000000000000000000
 x7,0xe8,0x3,0x4e,0xc0,0xf8,
 								\007\350\003N\300\370
 								```
 								It emits the bytes fed to Capstone in the last two lines.
 								The first byte determines the `arch+mode`. The following bytes the actual data producing the crash.
 								You can run `./fuzz_decode_platform` to get the `arch+mode` used:
 								```
 								./fuzz_decode_platform 0x7
 								cstool arch+mode = aarch64
 								```
 								And reproduce the bug with `cstool`:
 								```bash
 								# Make sureevery hex number has two digits!
 								cstool -d aarch64 0xe8,0x03,0x4e,0xc0,0xf8,
 								```
 								Make sure the every hex number has two digits (`0x3 -> 0x03`)!
 								`cstool` won't parse it correctly otherwise.
-												Fuzzit integration (#1520)


											
										
										
											2019-07-25 01:06:52 +00:00
+								Fuzz drivers
 								------
 								There are custom drivers :
 								- driverbin.c : prints cstool command before running one input
 								- drivermc.c : converts MC test data to raw binary data before running as many inputs as there are lines in a file
 								- onefile.c : simple one file driver
 								For libfuzzer, the preferred main function is now to use linker option `-fsanitize=fuzzer`
 								Fuzzit integration
 								------
 								Travis will build the fuzz target with the different sanitizers.
 								Then, Travis will launch sanity fuzzit jobs as part of continuous integration (for each of the sanitizers)
 								The fuzzit target ids are stored in a configuration file fuzzitid.txt and used by fuzzit.sh