Magic-Mirror/capstone
1
0
Fork 0
mirror of https://github.com/capstone-engine/capstone.git synced 2024-11-26 23:10:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
next
capstone/suite/fuzz/README.md
Rot127 9c5b48b57f
AArch64 update to LLVM 18 (#2298) 
* Run clang-format

* Remove arm.h header from AArch64 files

* Update all AArch64 module files to LLVM-18.

* Add check if the differs save file is up-to-date with the current files.

* Add new generator for MC test trnaslation.

* Fix warnings

* Update generated AsmWriter files

* Remove unused variable

* Change MCPhysReg type to int16_t as LLVM 18 dictates.

With LLVM 18 the MCPhysReg value's type is changed to int16_t.
If we update modules to LLVM 18, they will generate
compiler warnings that uint16_t* should not be casted to int16_t*.

This makes changing the all tables to int16_t necessary, because the alternative is
to duplicate all MCPhysReg related code. Which is even worse.

* Assign enum values to raw_struct member

* Add printAdrAdrpLabel def

* Add header to regression test files.

* Write files to build dir and ignore more parsing errors.

* Fix parsing of MC test files.

* Reset parser after every block

* Add write and patch header step.

* Add and update MC tests for AArch64

* Fix clang-tidy warnings

* Don't warn about padding issues.

They break automatically initialized structs we can not change easily.

* Fix: Incorrect access of LLVM instruction descriptions.

* Initialize DecoderComplete flag

* Add more mapping and flag details

* Add function to get MCInstDesc from table

* Fix incorrect memory operand access types.

* Fix test where memory was not written, ut only read.

* Attempt to fix Windows build

* Fix 2268

The enum values were different and hence lead to different decoding.

* Refactor SME operands.

- Splits SME operands in Matrix and Predicate operands.
- Fixes general problems of incorrect detections with
the vector select/index operands of predicate registers.
- Simplifies code.

* Fix up typo in WRITE

* Print actual path to struct fields

* Add Registers of SME operands to the reg-read list

* Add tests for SME operands.

* Use Capstone reg enum for comparison

* Fix tests: 'Vector arra...' to 'operands[x].vas'

* Add the developer fuzz option.

* Fix Python bindings for SME operands

* Fix variable shadowing.

* Fix clang-tidy warnings

* Add missing break.

* Fix varg usage

* Brackets for case

* Handle AArch64_OP_GROUP_AdrAdrpLabel

* Fix endian issue with fuzzing start bytes

* Move previous sme.pred to it's own operand type.

* Fix calculation for imm ranges

* Print list member flag

* Fix up operand strings for cstest

* Do only a shallow clone of the cmocka stable branch

* Fix: Don't categorize ZT0 as a SME matrix operand.

* Remove unused code.

* Add flag to distinguish Vn and Qn registers.

* Add all registers to detail struct, even if emitted in the asm text

* Fix: Increment op count after each list member is added.

* Remove implicit write to NZCV for MSR Imm instructions.

* Handle several alias operands.

* Add details for zero alias with za0.h

* Add SME tile to write list if written

* Add write access flags to operands which are zeroed.

* Add SME tests of #2285

* Fix tests with latest syntax changes.

* Fix segfault if memory operand is only a label without register.

* Fix python bindings

* Attempt to fix clang-tidy warning for some configurations.

* Add missing test file (accidentially blocked by gitignore.)

* Print clang-tidy version before linting.

* Update differ save file

* Formatting

* Use clang-tidy-15 as if possible.

* Remove search patterns for MC tests, since they need to be reworked anyways.

* Enum to upper case change

* Add information to read the OSS fuzz result.

* Fix special case of SVE2 operands.

Apparently ZT0 registers can an index attached,
get which is BOUND to it. We have no "index for reg" field.
So it is simply saved as an immediate.

* Handle LLVM expressions without asserts.

* Ensure choices are always saved.

* OP_GROUP enums can't be all upper case because they contain type information.

* Fix compatibility header patching

* Update saved_choices.json

* Allow mode == None in test_corpus
2024-07-08 10:28:54 +08:00

2.7 KiB
Raw Permalink Blame History

Fuzzing

Build the fuzz target

To build the fuzz target, you can simply run make with appropriate flags set :

ASAN_OPTIONS=detect_leaks=0 CXXFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" CFLAGS="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize=fuzzer-no-link" LDFLAGS="-fsanitize=address" make

You can replace address with another sanitizer : memory or undefined The fuzz target is then suite/fuzz/fuzz_bindisasm2

You can find this in travis configuration .travis.yml

Another way is to use oss-fuzz, see https://github.com/google/oss-fuzz/blob/master/projects/capstone/build.sh

Troubleshooting

If you get cc: error: unrecognized argument to -fsanitize= option: fuzzer check if you have a workable version of libfuzz installed. Also try to build with CC=clang make

Interpret OSS-Fuzz report

A reported bug by OSS-fuzz looks usually like this:

...
    #20 0x7f3a42062082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #21 0x55ad814876dd in _start (build-out/fuzz_disasmnext+0x5246dd)

DEDUP_TOKEN: raise--abort--
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x4300b) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e) in raise
==62==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x7,0xe8,0x3,0x4e,0xc0,0xf8,
\007\350\003N\300\370

It emits the bytes fed to Capstone in the last two lines.

The first byte determines the arch+mode. The following bytes the actual data producing the crash.

You can run ./fuzz_decode_platform to get the arch+mode used:

./fuzz_decode_platform 0x7
cstool arch+mode = aarch64

And reproduce the bug with cstool:

# Make sureevery hex number has two digits!
cstool -d aarch64 0xe8,0x03,0x4e,0xc0,0xf8,

Make sure the every hex number has two digits (0x3 -> 0x03)! cstool won't parse it correctly otherwise.

Fuzz drivers

There are custom drivers :

  • driverbin.c : prints cstool command before running one input
  • drivermc.c : converts MC test data to raw binary data before running as many inputs as there are lines in a file
  • onefile.c : simple one file driver

For libfuzzer, the preferred main function is now to use linker option -fsanitize=fuzzer

Fuzzit integration

Travis will build the fuzz target with the different sanitizers. Then, Travis will launch sanity fuzzit jobs as part of continuous integration (for each of the sanitizers) The fuzzit target ids are stored in a configuration file fuzzitid.txt and used by fuzzit.sh