rust-fuzz/libfuzzer

Add support for compiling fuzz target with AFL-compatible instrumentation

frewsxcv opened this issue · 7 comments

http://llvm.org/docs/LibFuzzer.html#afl-compatibility

Not sure how easy this is, but it would be nice. Then afl.rs could use this.

I looked into this tonight briefly. For reference:

https://github.com/llvm-mirror/llvm/blob/d660a5d68c7a1c190855874531c3e8065bc8ca7d/lib/Fuzzer/afl/afl_driver.cpp#L25-L33

I understand how to do all these steps except for the first one. If anyone knows how to compile the fuzz target with sanitization into an object file, please share.

I assume it's just a matter of passing the -fsanitize argument via -Cllvm-args and then using the regular rust commands for making object files?

Oh, wait, this is libfuzzer. Unsure why libfuzzer-sys needs support for this, I'd assume cargo fuzz is what would drive this.

> Unsure why libfuzzer-sys needs support for this, I'd assume cargo fuzz is what would drive this.

Yeah, this is right. Most of the changes will probably happen in cargo-fuzz. Though, these instructions indicate that we need to build an object file of the fuzz target, which might involve changes to this crate?

I don't see how this crate should be affected. libFuzzer is an alternative to AFL; it doesn't "work with AFL", to the best of my knowledge. You'd need to perhaps write similar bindings, or have cargo-fuzz pass down similar flags, but it's still different.