1#!/bin/bash -eu 2# Copyright 2016 Google Inc. 3# 4# Licensed under the Apache License, Version 2.0 (the "License"); 5# you may not use this file except in compliance with the License. 6# You may obtain a copy of the License at 7# 8# http://www.apache.org/licenses/LICENSE-2.0 9# 10# Unless required by applicable law or agreed to in writing, software 11# distributed under the License is distributed on an "AS IS" BASIS, 12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13# See the License for the specific language governing permissions and 14# limitations under the License. 15# 16################################################################################ 17 18# Fuzzer runner. Appends .options arguments and seed corpus to users args. 19# Usage: $0 <fuzzer_name> <fuzzer_args> 20 21export PATH=$OUT:$PATH 22cd $OUT 23 24DEBUGGER=${DEBUGGER:-} 25 26FUZZER=$1 27shift 28 29# This env var is set by CIFuzz. CIFuzz fills this directory with the corpus 30# from ClusterFuzz. 31CORPUS_DIR=${CORPUS_DIR:-} 32if [ -z "$CORPUS_DIR" ] 33then 34 CORPUS_DIR="/tmp/${FUZZER}_corpus" 35 rm -rf $CORPUS_DIR && mkdir -p $CORPUS_DIR 36fi 37 38SANITIZER=${SANITIZER:-} 39if [ -z $SANITIZER ]; then 40 # If $SANITIZER is not specified (e.g. calling from `reproduce` command), it 41 # is not important and can be set to any value. 42 SANITIZER="default" 43fi 44 45if [[ "$RUN_FUZZER_MODE" = interactive ]]; then 46 FUZZER_OUT="$OUT/${FUZZER}_${FUZZING_ENGINE}_${SANITIZER}_out" 47else 48 FUZZER_OUT="/tmp/${FUZZER}_${FUZZING_ENGINE}_${SANITIZER}_out" 49fi 50 51function get_dictionary() { 52 local options_file="$FUZZER.options" 53 local dict_file="$FUZZER.dict" 54 local dict="" 55 if [[ -f "$options_file" ]]; then 56 dict=$(sed -n 's/^\s*dict\s*=\s*\(.*\)/\1/p' "$options_file" | tail -1) 57 fi 58 if [[ -z "$dict" && -f "$dict_file" ]]; then 59 dict="$dict_file" 60 fi 61 [[ -z "$dict" ]] && return 62 if [[ "$FUZZING_ENGINE" = "libfuzzer" ]]; then 63 printf -- "-dict=%s" "$dict" 64 elif [[ "$FUZZING_ENGINE" = "afl" ]]; then 65 printf -- "-x %s" "$dict" 66 elif [[ "$FUZZING_ENGINE" = "honggfuzz" ]]; then 67 printf -- "--dict %s" "$dict" 68 else 69 printf "Unexpected FUZZING_ENGINE: $FUZZING_ENGINE, ignoring\n" >&2 70 fi 71} 72 73rm -rf $FUZZER_OUT && mkdir -p $FUZZER_OUT 74 75SEED_CORPUS="${FUZZER}_seed_corpus.zip" 76 77if [ -f $SEED_CORPUS ] && [ -z ${SKIP_SEED_CORPUS:-} ]; then 78 echo "Using seed corpus: $SEED_CORPUS" 79 unzip -o -d ${CORPUS_DIR}/ $SEED_CORPUS > /dev/null 80fi 81 82OPTIONS_FILE="${FUZZER}.options" 83CUSTOM_LIBFUZZER_OPTIONS="" 84 85if [ -f $OPTIONS_FILE ]; then 86 custom_asan_options=$(parse_options.py $OPTIONS_FILE asan) 87 if [ ! -z $custom_asan_options ]; then 88 export ASAN_OPTIONS="$ASAN_OPTIONS:$custom_asan_options" 89 fi 90 91 custom_msan_options=$(parse_options.py $OPTIONS_FILE msan) 92 if [ ! -z $custom_msan_options ]; then 93 export MSAN_OPTIONS="$MSAN_OPTIONS:$custom_msan_options" 94 fi 95 96 custom_ubsan_options=$(parse_options.py $OPTIONS_FILE ubsan) 97 if [ ! -z $custom_ubsan_options ]; then 98 export UBSAN_OPTIONS="$UBSAN_OPTIONS:$custom_ubsan_options" 99 fi 100 101 CUSTOM_LIBFUZZER_OPTIONS=$(parse_options.py $OPTIONS_FILE libfuzzer) 102fi 103 104if [[ "$FUZZING_ENGINE" = afl ]]; then 105 106 # Set afl++ environment options. 107 export ASAN_OPTIONS="$ASAN_OPTIONS:abort_on_error=1:symbolize=0:detect_odr_violation=0:" 108 export MSAN_OPTIONS="$MSAN_OPTIONS:exit_code=86:symbolize=0" 109 export UBSAN_OPTIONS="$UBSAN_OPTIONS:symbolize=0" 110 export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 111 export AFL_SKIP_CPUFREQ=1 112 export AFL_TRY_AFFINITY=1 113 export AFL_FAST_CAL=1 114 export AFL_CMPLOG_ONLY_NEW=1 115 export AFL_FORKSRV_INIT_TMOUT=30000 116 # If $OUT/afl_cmplog.txt is present this means the target was compiled for 117 # CMPLOG. So we have to add the proper parameters to afl-fuzz. 118 test -e "$OUT/afl_cmplog.txt" && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -c $OUT/$FUZZER" 119 # If $OUT/afl++.dict we load it as a dictionary for afl-fuzz. 120 test -e "$OUT/afl++.dict" && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -x $OUT/afl++.dict" 121 # Ensure timeout is a bit larger than 1sec as some of the OSS-Fuzz fuzzers 122 # are slower than this. 123 AFL_FUZZER_ARGS="$FUZZER_ARGS $AFL_FUZZER_ARGS -t 5000+" 124 # AFL expects at least 1 file in the input dir. 125 echo input > ${CORPUS_DIR}/input 126 echo afl++ setup: 127 env|grep AFL_ 128 cat "$OUT/afl_options.txt" 129 CMD_LINE="$OUT/afl-fuzz $AFL_FUZZER_ARGS -i $CORPUS_DIR -o $FUZZER_OUT $(get_dictionary) $* -- $OUT/$FUZZER" 130 131elif [[ "$FUZZING_ENGINE" = honggfuzz ]]; then 132 133 # Honggfuzz expects at least 1 file in the input dir. 134 echo input > $CORPUS_DIR/input 135 # --exit_upon_crash: exit whith a first crash seen 136 # -R (report): save report file to this location 137 # -W (working dir): where the crashes go 138 # -v (verbose): don't use VTE UI, just stderr 139 # -z: use software-instrumentation of clang (trace-pc-guard....) 140 # -P: use persistent mode of fuzzing (i.e. LLVMFuzzerTestOneInput) 141 # -f: location of the initial (and destination) file corpus 142 # -n: number of fuzzing threads (and processes) 143 CMD_LINE="$OUT/honggfuzz -n 1 --exit_upon_crash -R /tmp/${FUZZER}_honggfuzz.report -W $FUZZER_OUT -v -z -P -f \"$CORPUS_DIR\" $(get_dictionary) $FUZZER_ARGS $* -- \"$OUT/$FUZZER\"" 144 145else 146 147 CMD_LINE="$OUT/$FUZZER $FUZZER_ARGS $*" 148 149 if [ -z ${SKIP_SEED_CORPUS:-} ]; then 150 CMD_LINE="$CMD_LINE $CORPUS_DIR" 151 fi 152 153 if [ ! -z $CUSTOM_LIBFUZZER_OPTIONS ]; then 154 CMD_LINE="$CMD_LINE $CUSTOM_LIBFUZZER_OPTIONS" 155 fi 156 157 if [[ ! "$CMD_LINE" =~ "-dict=" ]]; then 158 if [ -f "$FUZZER.dict" ]; then 159 CMD_LINE="$CMD_LINE -dict=$FUZZER.dict" 160 fi 161 fi 162 163 CMD_LINE="$CMD_LINE < /dev/null" 164 165fi 166 167echo $CMD_LINE 168 169# Unset OUT so the fuzz target can't rely on it. 170unset OUT 171 172if [ ! -z "$DEBUGGER" ]; then 173 CMD_LINE="$DEBUGGER $CMD_LINE" 174fi 175 176bash -c "$CMD_LINE" 177 178