capstone/suite/fuzz
billow 1ecfb5b042
Latest commit: xtensa: update to espressif/llvm-project (#2533), 2024-11-10 21:55:40 +08:00
| File | Last commit | Date |
| --- | --- | --- |
| driverbin.c | fix typos (#2344) | 2024-04-30 10:37:53 +08:00 |
| drivermc.c | xtensa: update to espressif/llvm-project (#2533) | 2024-11-10 21:55:40 +08:00 |
| fuzz_decode_platform.c | fuzz: refactor platforms.inc to platform.c | 2019-04-13 15:22:20 +08:00 |
| fuzz_diff.c | xtensa: update to espressif/llvm-project (#2533) | 2024-11-10 21:55:40 +08:00 |
| fuzz_disasm.c | Add a clang-tidy checks and warnings (#2312) | 2024-04-26 15:11:46 +08:00 |
| fuzz_disasm.options | Integrate capstone with oss-fuzz (#1150) | 2018-06-01 20:47:19 +08:00 |
| fuzz_harness.c | xtensa: update to espressif/llvm-project (#2533) | 2024-11-10 21:55:40 +08:00 |
| fuzz_llvm.cpp | Use whole corpus for regression testing (#1302) | 2018-12-11 09:33:31 +07:00 |
| fuzzit.sh | Fuzzit integration (#1520) | 2019-07-25 09:06:52 +08:00 |
| fuzzitid.txt | Fuzzit integration (#1520) | 2019-07-25 09:06:52 +08:00 |
| Makefile | Modern Testing (#2456) | 2024-08-31 21:33:38 +08:00 |
| onefile.c | fix typos (#2344) | 2024-04-30 10:37:53 +08:00 |
| platform.c | xtensa: update to espressif/llvm-project (#2533) | 2024-11-10 21:55:40 +08:00 |
| platform.h | fuzz: refactor platforms.inc to platform.c | 2019-04-13 15:22:20 +08:00 |
| README | suite: move fuzz_hardness.c to suite/fuzz/ | 2015-06-16 17:37:48 +08:00 |
| README.md | AArch64 update to LLVM 18 (#2298) | 2024-07-08 10:28:54 +08:00 |

Fuzzing

Build the fuzz target

To build the fuzz target, run make with the appropriate flags set:

ASAN_OPTIONS=detect_leaks=0 CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" LDFLAGS="-fsanitize=address" make

You can replace address with another sanitizer: memory or undefined. The fuzz target is then suite/fuzz/fuzz_bindisasm2.

You can find this in the Travis configuration, .travis.yml.

Another way is to use OSS-Fuzz; see https://github.com/google/oss-fuzz/blob/master/projects/capstone/build.sh

Troubleshooting

If you get "cc: error: unrecognized argument to -fsanitize= option: fuzzer", check that you have a working version of libFuzzer installed. Also try building with CC=clang make.

Interpret OSS-Fuzz report

A bug reported by OSS-Fuzz usually looks like this:

...
    #20 0x7f3a42062082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #21 0x55ad814876dd in _start (build-out/fuzz_disasmnext+0x5246dd)

DEDUP_TOKEN: raise--abort--
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e) in raise
==62==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x7,0xe8,0x3,0x4e,0xc0,0xf8,
\007\350\003N\300\370

The last two lines are the bytes fed to Capstone, first as a comma-separated hex list and then as an escaped string.

The first byte determines the arch+mode. The following bytes are the actual data that produces the crash.

You can run ./fuzz_decode_platform to get the arch+mode used:

./fuzz_decode_platform 0x7
cstool arch+mode = aarch64

And reproduce the bug with cstool:

# Make sure every hex number has two digits!
cstool -d aarch64 0xe8,0x03,0x4e,0xc0,0xf8,

Make sure every hex number has two digits (0x3 -> 0x03)! cstool won't parse it correctly otherwise.
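As an added example (not code from the Capstone repository), the following Python helper automates the steps above: it pulls the input out of a report tail like the one shown, cross-checks the hex list against the octal-escaped string, splits off the platform byte, and prints the cstool command with every byte zero-padded to two digits. The arch+mode string is still the one ./fuzz_decode_platform prints for the first byte; the report text is a constructed sample.

```python
import re

# Constructed sample: the tail of an OSS-Fuzz report in the shape shown above.
# A raw string keeps the backslash escapes exactly as libFuzzer prints them.
SAMPLE_REPORT = r"""
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) in raise
==62==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x7,0xe8,0x3,0x4e,0xc0,0xf8,
\007\350\003N\300\370
"""

# libFuzzer dumps one comma-terminated byte per token, not always two digits.
HEX_LINE = re.compile(r"^(0x[0-9a-fA-F]{1,2},)+\s*$")
# Escaped form: printable ASCII as-is, '\\' and '\"' escaped, others as \ooo octal.
ESCAPE = re.compile(r"\\([0-7]{1,3})|\\(.)|(.)", re.DOTALL)


def parse_hex_line(line):
    """'0x7,0xe8,' -> [0x07, 0xe8]."""
    return [int(tok, 16) for tok in line.strip().split(",") if tok]


def parse_escaped_line(line):
    """Decode libFuzzer's C-style escaped dump back into bytes."""
    out = bytearray()
    for octal, escaped, literal in ESCAPE.findall(line.rstrip("\n")):
        if octal:
            out.append(int(octal, 8))
        else:
            out.append(ord(escaped or literal))
    return bytes(out)


def extract_input(report):
    """Return (platform byte, payload); both dump lines must describe the same bytes."""
    lines = report.splitlines()
    for i, line in enumerate(lines):
        if HEX_LINE.match(line):
            data = bytes(parse_hex_line(line))
            if i + 1 < len(lines) and parse_escaped_line(lines[i + 1]) != data:
                raise ValueError("hex line and escaped line disagree")
            return data[0], data[1:]
    raise ValueError("no libFuzzer input dump found in report")


def cstool_command(report, arch_mode):
    """Build the reproduction command; arch_mode is what ./fuzz_decode_platform printed."""
    _platform, payload = extract_input(report)
    return "cstool -d %s %s" % (arch_mode, ",".join("0x%02x" % b for b in payload))
```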

Fuzz drivers

There are custom drivers:

  • driverbin.c: prints the cstool command before running one input
  • drivermc.c: converts MC test data to raw binary data before running as many inputs as there are lines in a file
  • onefile.c: simple one-file driver

For libFuzzer, the preferred way to get a main function is now the linker option -fsanitize=fuzzer.

Fuzzit integration

Travis builds the fuzz target with the different sanitizers. Then Travis launches sanity Fuzzit jobs as part of continuous integration (one for each sanitizer). The Fuzzit target ids are stored in the configuration file fuzzitid.txt and used by fuzzit.sh.