Lines Matching +full:clang +full:- +full:msan +full:- +full:fuzz
5 This is a companion library that can be used as a drop-in replacement for the
7 heap-related security bugs in several ways:
9 - It allocates all buffers so that they are immediately adjacent to a
10 subsequent PROT_NONE page, causing most off-by-one reads and writes to
13 - It adds a canary immediately below the allocated buffer, to catch writes to
16 - It sets the memory returned by malloc() to garbage values, improving the
19 - It sets freed memory to PROT_NONE and does not actually reuse it, causing
20 most use-after-free bugs to segfault right away,
22 - It forces all realloc() calls to return a new address - and sets PROT_NONE
23 on the original block. This catches use-after-realloc bugs,
25 - It checks for calloc() overflows and can cause soft or hard failures of
29 - Optionally, on platforms supporting it, huge pages can be used by passing
32 - Optionally, on platforms supporting it, `named` pages can be used by passing
35 - Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`. In
38 off-by-one bugs, but it also makes libdislocator compliant with the C standard.
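As an added illustration of the mechanisms listed above (this is not libdislocator's own code, and the `guard_*` names, the canary constant and the 0xFF fill byte are constructed for the example), here is a minimal guard-page allocator in C. It places every buffer so that it ends exactly at a PROT_NONE page, stores a canary immediately below the buffer, fills fresh memory with a non-zero pattern, checks `calloc()` for multiplication overflow, makes `realloc()` always move, and retires freed mappings with PROT_NONE instead of reusing them. It assumes a POSIX system with `mmap`/`mprotect` and leaks retired mappings on purpose, as the page says libdislocator does.

```c
/* Added example: a libdislocator-style guard-page allocator (not the project's code). */
#define _GNU_SOURCE
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define GUARD_CANARY 0xAC5EC0DE5A17ULL      /* constructed canary word */
#define GUARD_FILL   0xFF                   /* "garbage" fill for fresh memory */
#define HDR_SIZE     (2 * sizeof(uint64_t)) /* [size][canary] stored just below the buffer */

static int guard_aligned = 0; /* when set, round sizes up to alignof(max_align_t) */
void guard_set_aligned(int on) { guard_aligned = on; }

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }
static size_t round_up(size_t n, size_t m) { return (n + m - 1) / m * m; }

/* Header + buffer rounded up to whole pages, plus one trailing PROT_NONE guard page. */
static size_t mapping_len(size_t size) {
    return round_up(size + HDR_SIZE, page_size()) + page_size();
}

/* memcpy is used because the buffer start (and so the header) may be unaligned. */
size_t guard_usable_size(void *p) {
    uint64_t size;
    memcpy(&size, (unsigned char *)p - 2 * sizeof(uint64_t), sizeof size);
    return (size_t)size;
}

/* 1 if the canary directly below the buffer is intact, 0 if an underflow clobbered it. */
int guard_canary_ok(void *p) {
    uint64_t canary;
    memcpy(&canary, (unsigned char *)p - sizeof(uint64_t), sizeof canary);
    return canary == GUARD_CANARY;
}

void *guard_malloc(size_t size) {
    if (size == 0) size = 1;
    if (guard_aligned) size = round_up(size, alignof(max_align_t));
    if (size > SIZE_MAX - HDR_SIZE - 2 * page_size()) return NULL; /* mapping_len would overflow */
    size_t len = mapping_len(size);
    unsigned char *base = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    /* The last page is the guard: touching one byte past the buffer faults. */
    if (mprotect(base + len - page_size(), page_size(), PROT_NONE) != 0) {
        munmap(base, len);
        return NULL;
    }
    unsigned char *p = base + len - page_size() - size; /* buffer ends at the guard */
    uint64_t sz = size, canary = GUARD_CANARY;
    memcpy(p - 2 * sizeof(uint64_t), &sz, sizeof sz);
    memcpy(p - sizeof(uint64_t), &canary, sizeof canary);
    memset(p, GUARD_FILL, size); /* never zeroed: uninitialised reads become visible */
    return p;
}

/* 1 if the buffer's last byte sits immediately before a page boundary (the guard). */
int guard_is_page_adjacent(void *p) {
    return (((uintptr_t)p + guard_usable_size(p)) % page_size()) == 0;
}

void *guard_calloc(size_t n, size_t m) {
    if (n != 0 && m > SIZE_MAX / n) return NULL; /* n*m would overflow: hard failure */
    void *p = guard_malloc(n * m);
    if (p) memset(p, 0, n * m);
    return p;
}

/* Free never reuses memory: the whole mapping turns PROT_NONE so later use faults. */
int guard_free(void *p) {
    if (!p) return 0;
    size_t size = guard_usable_size(p);
    size_t len = mapping_len(size);
    unsigned char *base = (unsigned char *)p + size + page_size() - len;
    return mprotect(base, len, PROT_NONE);
}

/* Always moves: a fresh block is returned and the old one is retired. */
void *guard_realloc(void *p, size_t newsize) {
    if (!p) return guard_malloc(newsize);
    size_t old = guard_usable_size(p);
    void *q = guard_malloc(newsize);
    if (!q) return NULL;
    memcpy(q, p, old < newsize ? old : newsize);
    guard_free(p);
    return q;
}

int main(void) {
    char *buf = guard_malloc(13);
    buf[12] = 'x';            /* last valid byte */
    return guard_canary_ok(buf) && guard_is_page_adjacent(buf) ? 0 : 1;
}
```

Reading `buf[13]` in that `main` would fault on the guard page, and reading `buf` after `guard_free(buf)` would fault on the retired mapping; both are the behaviours the list above attributes to libdislocator. With `guard_set_aligned(1)` sizes are rounded up to `alignof(max_align_t)`, which gives standard-conforming alignment at the cost of no longer catching overflows that land in the padding, the trade-off the page describes for `AFL_ALIGNED_ALLOC=1`.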
40 Basically, it is inspired by some of the non-default options available for the
41 OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is
43 DUMA - but is simple, plug-and-play, and designed specifically for fuzzing jobs.
45 Note that it does nothing for stack-based memory handling errors. The
46 -fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN,
49 The allocator is slow and memory-intensive (even the tiniest allocation uses up
51 unsuitable for "production" uses; but it can be faster and more hassle-free than
52 ASAN / MSAN when fuzzing small, self-contained binaries.
57 AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...]
63 Similarly to afl-tmin, the library is not "proprietary" and can be used with
65 require AFL-instrumented binaries to work.