[still WIP] Development of libfuzzer-workshop for new libFuzzer version 2/2

README.md

@@ -50,6 +50,8 @@ cd libFuzzer
 Fuzzer/build.sh
 ```
 
+libFuzzer repository could be found inside LLVM's compiler-rt project.
+
 
 ## Links
 

checkout_build_install_llvm.sh

@@ -34,6 +34,10 @@ cd $WORK_DIR/src/llvm/projects && git clone --depth 1 http://llvm.org/git/compil
 cd $WORK_DIR/src/llvm/projects && git clone --depth 1 http://llvm.org/git/libcxx.git
 cd $WORK_DIR/src/llvm/projects && git clone --depth 1 http://llvm.org/git/libcxxabi.git
 
+# Uncomment if you want *fresh* libFuzzer from checkouted repository.
+#rm -r $WORK_DIR/libFuzzer/Fuzzer
+#cp -r $WORK_DIR/src/llvm/projects/compiler-rt/lib/fuzzer/ $WORK_DIR/libFuzzer/Fuzzer
+
 # Build & Install
 mkdir -p $WORK_DIR/work/llvm
 cd $WORK_DIR/work/llvm

lessons/04/README.md

@@ -34,7 +34,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
 Compile the fuzzer in the following way:
 ```bash
-clang++ -g -std=c++11 -fsanitize=address -fsanitize-coverage=trace-pc-guard \
+clang++ -g -std=c++11 -fsanitize=address,fuzzer \
     first_fuzzer.cc ../../libFuzzer/libFuzzer.a \
     -o first_fuzzer
 ```
@@ -43,7 +43,7 @@ Create an empty directory for corpus and run the fuzzer:
 
 ```bash
 mkdir corpus1
-./first_fuzzer corpus1
+ASAN_OPTIONS=symbolize=0 ./first_fuzzer corpus1
 ```
 
 You should see the following input:
@@ -77,10 +77,12 @@ reproduce the crash:
 $ ./first_fuzzer crash-0eb8e4ed029b774d80f2b66408203801cb982a60 
 ```
 
+Since some time ago, symbolized stacktrace is generated by default.
 To get a symbolized stacktrace, add `symbolize=1` option to `ASAN_OPTIONS` env
-variable:
+variable or no extra env variable:
 ```bash
 ASAN_OPTIONS=symbolize=1 ./first_fuzzer crash-0eb8e4ed029b774d80f2b66408203801cb982a60 
+./first_fuzzer crash-0eb8e4ed029b774d80f2b66408203801cb982a60
 ```
 
 The symbolized result looks like:
@@ -148,7 +150,7 @@ Shadow byte legend (one shadow byte represents 8 application bytes):
 ==15226==ABORTING
 ```
 
-To get symbolized stack-traces by default, let's export `ASAN_OPTIONS` env var:
+To get symbolized stack-traces by default, for different version of libFuzzer, let's export `ASAN_OPTIONS` env var:
 ```bash
 export ASAN_OPTIONS=symbolize=1
 ```
@@ -203,7 +205,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 Compile the fuzzer:
 
 ```bash
-clang++ -g -std=c++11 -fsanitize=address -fsanitize-coverage=trace-pc-guard \
+clang++ -g -std=c++11 -fsanitize=address,fuzzer \
     second_fuzzer.cc ../../libFuzzer/libFuzzer.a \
     -o second_fuzzer
 ```
@@ -254,7 +256,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 Compile the fuzzer:
 
 ```bash
-clang++ -g -std=c++11 -fsanitize=address -fsanitize-coverage=trace-pc-guard \
+clang++ -g -std=c++11 -fsanitize=address,fuzzer \
     third_fuzzer.cc ../../libFuzzer/libFuzzer.a \
     -o third_fuzzer
 ```
@@ -361,7 +363,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 Compile the fuzzer:
 
 ```bash
-clang++ -g -std=c++11 -fsanitize=address -fsanitize-coverage=trace-pc-guard \
+clang++ -g -std=c++11 -fsanitize=address,fuzzer \
     fourth_fuzzer.cc ../../libFuzzer/libFuzzer.a \
     -o fourth_fuzzer
 ```

lessons/05/README.md

@@ -3,7 +3,7 @@
 Here we will find Heartbleed vulnerability (CVE-2014-0160).
 
 ***
-This example has been taken from [google/fuzzer-stest-suite] repository.
+This example has been taken from [google/fuzzer-test-suite] repository (tutorial moved to [google/fuzzing]).
 ***
 
 
@@ -15,7 +15,7 @@ cd openssl1.0.1f/
 
 ./config
 make clean
-make CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div" -j$(nproc)
+make CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address -fsanitize-coverage=trace-cmp,trace-gep,trace-div" -j4
 ```
 
 ### Build and run the fuzzer
@@ -71,8 +71,8 @@ Build the fuzzer:
 
 ```bash
 cd ..
-clang++ -g openssl_fuzzer.cc -O2 -fno-omit-frame-pointer -fsanitize=address \
-    -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div \
+clang++ -g openssl_fuzzer.cc -O2 -fno-omit-frame-pointer -fsanitize=address,fuzzer \
+    -fsanitize-coverage=trace-cmp,trace-gep,trace-div \
     -Iopenssl1.0.1f/include openssl1.0.1f/libssl.a openssl1.0.1f/libcrypto.a \
     ../../libFuzzer/libFuzzer.a -o openssl_fuzzer
 ```
@@ -84,6 +84,49 @@ mkdir corpus1
 ./openssl_fuzzer ./corpus1/
 ```
 
+We see that nothing happens - nor new paths. That turns that library was not correctly build (without `-fsanitize=fuzzer`).
+We were running dumb fuzzing, because library was not instrumentated.
+
+```bash
+cd openssl1.0.1f/
+
+make clean
+make CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer -fsanitize-coverage=trace-cmp,trace-gep,trace-div" -j4
+```
+
+During build after enabling libFuzzer instrumentation within library build, we will see error:
+```
+/usr/local/lib/clang/10.0.0/lib/linux/libclang_rt.fuzzer-x86_64.a(fuzzer.o): In function `main':
+.../libfuzzer-workshop/src/llvm/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19: undefined reference to `LLVMFuzzerTestOneInput'
+clang-10: error: linker command failed with exit code 1 (use -v to see invocation)
+```
+
+We should not link with standalone libFuzzer fuzzer function, because it is definied outside of library source code.
+See libFuzzer code and LLVM user manual for deeper understanding.
+
+At the end we manage to build openssl without errors:
+
+```bash
+make clean
+make CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=trace-cmp,trace-gep,trace-div" -j4
+```
+
+In both cases fuzzing would work neither error, but linking errors or compiler errors could prevent libraries from build.
+
+We are building fuzzer and try again.
+
+```bash
+cd ..
+clang++ -g openssl_fuzzer.cc -O2 -fno-omit-frame-pointer -fsanitize=address,fuzzer \
+    -fsanitize-coverage=trace-cmp,trace-gep,trace-div \
+    -Iopenssl1.0.1f/include openssl1.0.1f/libssl.a openssl1.0.1f/libcrypto.a \
+    ../../libFuzzer/libFuzzer.a -o openssl_fuzzer
+
+rm -r corpus1
+mkdir corpus1
+./openssl_fuzzer ./corpus1/
+```
+
 After some time:
 
 ```
@@ -121,4 +164,5 @@ vulnerabilities can be found in a few minutes. Fuzzing is awesome.
 
 
 [Heartbleed]: https://en.wikipedia.org/wiki/Heartbleed
-[google/fuzzer-stest-suite]: https://github.com/google/fuzzer-test-suite/blob/master/tutorial/libFuzzerTutorial.md#heartbleed
+[google/fuzzing]: https://github.com/google/fuzzing/blob/master/tutorial/libFuzzerTutorial.md#heartbleed
+[google/fuzzer-test-suite]: https://github.com/google/fuzzer-test-suite/tree/master/openssl-1.0.1f

lessons/06/README.md

@@ -4,7 +4,7 @@ Here we will find [c-ares] vulnerability (CVE-2016-5180) that has been exploited
 to obtain [remote code execution] with root privileges on ChromeOS.
 
 ***
-This example has been taken from [google/fuzzer-stest-suite] repository.
+This example has been taken from [google/fuzzer-test-suite] repository (tutorial moved to [google/fuzzing]).
 ***
 
 
@@ -15,7 +15,7 @@ tar xzvf c-ares.tgz
 cd c-ares
 
 ./buildconf
-./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div"
+./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=trace-cmp,trace-gep,trace-div"
 make CFLAGS=
 ```
 
@@ -41,8 +41,8 @@ Build the fuzzer:
 
 ```bash
 cd ..
-clang++ -g c_ares_fuzzer.cc -O2 -fno-omit-frame-pointer -fsanitize=address \
-    -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div \
+clang++ -g c_ares_fuzzer.cc -O2 -fno-omit-frame-pointer -fsanitize=address,fuzzer \
+    -fsanitize-coverage=trace-cmp,trace-gep,trace-div \
     -Ic-ares c-ares/.libs/libcares.a \
     ../../libFuzzer/libFuzzer.a -o c_ares_fuzzer
 ```
@@ -93,4 +93,5 @@ WRITE of size 1 at 0x6030000470f5 thread T0
 
 [c-ares]: https://c-ares.haxx.se/
 [remote code execution]: https://googlechromereleases.blogspot.com/2016/09/stable-channel-updates-for-chrome-os.html
-[google/fuzzer-stest-suite]: https://github.com/google/fuzzer-test-suite/blob/master/tutorial/libFuzzerTutorial.md#heartbleed
+[google/fuzzing]: https://github.com/google/fuzzing/blob/master/tutorial/libFuzzerTutorial.md#heartbleed
+[google/fuzzer-test-suite]: https://github.com/google/fuzzer-test-suite/tree/master/c-ares-CVE-2016-5180

lessons/08/README.md

@@ -15,11 +15,11 @@ cd libxml2
 
 ./autogen.sh
 
-export FUZZ_CXXFLAGS="-O2 -fno-omit-frame-pointer -g -fsanitize=address \
-    -fsanitize-coverage=edge,indirect-calls,trace-cmp,trace-div,trace-gep,trace-pc-guard"
+export FUZZ_CXXFLAGS_NO_LINK="-O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link \
+    -fsanitize-coverage=edge,indirect-calls,trace-cmp,trace-div,trace-gep"
 
-CXX="clang++ $FUZZ_CXXFLAGS" CC="clang $FUZZ_CXXFLAGS" \
-    CCLD="clang++ $FUZZ_CXXFLAGS"  ./configure
+CXX="clang++ $FUZZ_CXXFLAGS_NO_LINK" CC="clang $FUZZ_CXXFLAGS_NO_LINK" \
+    CCLD="clang++ $FUZZ_CXXFLAGS_NO_LINK"  ./configure
 make -j$(nproc)
 ```
 
@@ -53,6 +53,10 @@ Then build it:
 
 ```bash
 cd ..
+
+export FUZZ_CXXFLAGS="-O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer \
+    -fsanitize-coverage=edge,indirect-calls,trace-cmp,trace-div,trace-gep"
+
 clang++ -std=c++11 xml_read_memory_fuzzer.cc $FUZZ_CXXFLAGS -I libxml2/include \
     libxml2/.libs/libxml2.a ../../libFuzzer/libFuzzer.a -lz \
     -o xml_read_memory_fuzzer