From b38e282f3aa5264f48eaf3699c32b8f871eb0e54 Mon Sep 17 00:00:00 2001 From: Denis Kasak Date: Thu, 1 Jul 2021 14:16:31 +0200 Subject: [PATCH] fuzzing: Add script for starting fuzzers on a given harness. --- fuzzing/start_fuzzers.sh | 118 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100755 fuzzing/start_fuzzers.sh diff --git a/fuzzing/start_fuzzers.sh b/fuzzing/start_fuzzers.sh new file mode 100755 index 0000000..732a327 --- /dev/null +++ b/fuzzing/start_fuzzers.sh @@ -0,0 +1,118 @@ +#!/usr/bin/bash + +# Needs to be started in tmux. + +script_dir() { + dirname "$(readlink -f "$0")" +} + +fuzzer_dir() { + printf '%s/fuzzers\n' "$(script_dir)" +} + +fuzzer_list() { + find "$(fuzzer_dir)" -maxdepth 1 -type f \( -name '*.cpp' -or -name '*.c' \) -printf '%P\n' \ + | while read -r fuzzer; do + fuzzer="${fuzzer#fuzz_}" + printf '%s\n' "${fuzzer%.c*}" + done +} + +usage() { + printf '%s: HARNESS FUZZER\n\n' "$(basename "$0")" + printf ' HARNESS ∈ {\n' + # We want word-splitting here so that each fuzzer ends up as a separate + # argument. + # shellcheck disable=SC2046 + printf '%30s,\n' $(fuzzer_list | tr '\n' ' ') + printf ' }\n' + printf ' FUZZER ∈ {afl, afl++}\n' +} + +if [[ $# -ne 2 ]]; then + usage + exit 1 +fi + +case "$2" in + afl++) + export AFL_PATH=/home/dkasak/code/projects/afl/afl++ + export AFL_AUTORESUME=1 + AFL_ARGS_FUZZER0="-D" + AFL_ARGS_FUZZER1="-L 0" + AFL_ARGS_FUZZER2="-p rare" + AFL_ARGS_FUZZER3="-p fast" + AFL_ARGS_FUZZER4="-p exploit" + AFL_ARGS_FUZZER5="-p explore" + ;; + afl) + export AFL_PATH=/usr/bin + ;; + *) + printf 'Unknown fuzzer: %s\n' "$2" + exit 1 + ;; +esac + +export AFL=$AFL_PATH/afl-fuzz +export AFL_TMPDIR=/tmp + +case "$1" in + group_decrypt) + FUZZER_ARG1="fuzzing/$1/pickled-inbound-group-session.txt" + ;; + decrypt) + FUZZER_ARG1="fuzzing/$1/pickled-session.txt" + FUZZER_ARG2="1" + ;; + decode_message) + ;; + unpickle_session) + ;; + unpickle_account) + ;; + unpickle_account_test) + ;; + unpickle_megolm_outbound) + ;; + *) + printf 'Unknown harness: %s\n' "$1" + exit 1 + ;; +esac + +cd "$(script_dir)" || exit 1 + +# Fuzzer args are deliberately not quoted below so that word-splitting happens. +# This is used so that they expand into nothing in cases where they are missing +# or to expand into multiple arguments from a string definition. + +# shellcheck disable=SC2086 +tmux new-window -d -n "M" -- \ + "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -M i0 "$AFL_ARGS_FUZZER0" \ + -- "../build/fuzzers/fuzz_$1" $FUZZER_ARG1 $FUZZER_ARG2 + +# shellcheck disable=SC2086 +tmux new-window -d -n "S1" -- \ + "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -S i1 "$AFL_ARGS_FUZZER1" \ + -- "../build/fuzzers/fuzz_$1" $FUZZER_ARG1 $FUZZER_ARG2 + +# shellcheck disable=SC2086 +tmux new-window -d -n "S2" -- \ + "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -S i2 $AFL_ARGS_FUZZER2 \ + -- "../build/fuzzers/fuzz_$1" $FUZZER_ARG1 $FUZZER_ARG2 + +# shellcheck disable=SC2086 +tmux new-window -d -n "S3" -- \ + "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -S i3 $AFL_ARGS_FUZZER3 \ + -- "../build/fuzzers/fuzz_$1" $FUZZER_ARG1 $FUZZER_ARG2 + +# shellcheck disable=SC2086 +tmux new-window -d -n "S4" -- \ + "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -S i4 $AFL_ARGS_FUZZER4 \ + -- "../build/fuzzers/fuzz_$1_asan" $FUZZER_ARG1 $FUZZER_ARG2 + +# shellcheck disable=SC2086 +tmux new-window -d -n "S5" -- \ + "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -S i5 $AFL_ARGS_FUZZER5 \ + -- "../build/fuzzers/fuzz_$1" $FUZZER_ARG1 $FUZZER_ARG2