rust-fuzz/afl.rs

Is there any proper way to combine address sanitizer(ASAN) with afl.rs? #178

0xfocu5 opened this issue · 2 comments

I want to use afl.rs to test some unsafe rust code, however, combining ASAN with afl.rs seems to have some problem.
For example, I have fuzz target as follows, which contains stack buffer overflow bug that can be detected by ASAN

fn main() {
fuzz!(|data: &[u8]| {
let new_data = [1,2,3];
let _y = unsafe { *new_data.as_ptr().offset(4) };
});
}
I build the project by

RUSTFLAGS=-Zsanitizer=address cargo afl build -Zbuild-std --target x86_64-unknown-linux-gnu
and I run the target by

RUSTFLAGS=-Zsanitizer=address cargo afl fuzz -i in -o out -m none target/x86_64-unknown-linux-gnu/debug/afl_with_sanitizer
The build target seems to contain ASAN code, for I use recidivm to estimates the target program's peak virtual memory and is about 20TB.

recidivm -u M target/x86_64-unknown-linux-gnu/debug/afl_with_sanitizer
But when I fuzz it, it seems the error can not be detected, and the stability is very low(about 25%). I wonder if there is any proper way to combine afl.rs with ASAN. Thanks a lot.

Hi, @0xfocu5. Thanks for the ping. I replied in #178 (which you probably already noticed). Is it okay if we discuss this issue there, and close this one?

Hi, @0xfocu5. Thanks for the ping. I replied in #178 (which you probably already noticed). Is it okay if we discuss this issue there, and close this one?

sry for that,i have closed this one