diff --git a/run_fuzzer.sh b/.ci/riscv-fuzz.sh similarity index 72% rename from run_fuzzer.sh rename to .ci/riscv-fuzz.sh index 0d544b26b..d6fbabb14 100755 --- a/run_fuzzer.sh +++ b/.ci/riscv-fuzz.sh @@ -1,7 +1,9 @@ #!/usr/bin/env bash set -e -u -o pipefail -echo "Compiling..." +# compile +command -v clang &> /dev/null + clang \ -g -O1 \ -fsanitize=fuzzer,address,undefined \ @@ -11,7 +13,7 @@ clang \ -D DEFAULT_STACK_ADDR=0xFFFFE000 \ -D DEFAULT_ARGS_ADDR=0xFFFFF000 \ -D FUZZER \ - -o build/rv32emu_fuzzer \ + -o build/rv32emu_fuzz \ src/fuzz_target.cc \ src/map.c \ src/utils.c \ @@ -24,8 +26,10 @@ clang \ src/cache.c \ src/mpool.c \ src/main.c -echo "Done" # populate the initial CORPUS for the fuzzer using valid elf -mkdir -p src/fuzzer/CORPUS_DIR -cp build/*.elf src/fuzzer/CORPUS_DIR \ No newline at end of file +mkdir -p build/fuzz/CORPUS_DIR +cp build/*.elf build/fuzz/CORPUS_DIR + +# execute +./build/rv32emu_fuzz build/fuzz/CORPUS_DIR -timeout=3 diff --git a/.gitignore b/.gitignore index ad5210627..75085aac0 100644 --- a/.gitignore +++ b/.gitignore @@ -11,12 +11,13 @@ toolchain/ # built objects build/.config build/rv32emu -build/rv32emu_fuzzer +build/rv32emu_fuzz build/arch-test build/mini-gdbstub build/softfloat build/cache/ build/map/ +build/fuzz/ *.o *.o.d tests/**/*.elf diff --git a/Makefile b/Makefile index 5a869a1c3..f6b451b7a 100644 --- a/Makefile +++ b/Makefile @@ -3,7 +3,7 @@ include mk/toolchain.mk OUT ?= build BIN := $(OUT)/rv32emu -FUZZER_BIN := $(OUT)/rv32emu_fuzzer +FUZZER_BIN := $(OUT)/rv32emu_fuzz CONFIG_FILE := $(OUT)/.config -include $(CONFIG_FILE) diff --git a/src/fuzzer/fuzzer.md b/docs/fuzzer.md similarity index 64% rename from src/fuzzer/fuzzer.md rename to docs/fuzzer.md index 73661474b..febd57c76 100644 --- a/src/fuzzer/fuzzer.md +++ b/docs/fuzzer.md 
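Review bot: In the first hunk `command -v clang &> /dev/null` relies on `set -e` to stop the script when clang is missing, so a CI runner without clang exits non-zero with no message and the failure reads as an unexplained early exit rather than a missing toolchain. Since the script already runs under `set -e -u -o pipefail`, the check can report before failing, e.g. `command -v clang >/dev/null 2>&1 || { echo "clang not found in PATH" >&2; exit 1; }`. The clang invocation that follows continues into the next hunk.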
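Review bot: The new execute line in the third hunk, `./build/rv32emu_fuzz build/fuzz/CORPUS_DIR -timeout=3`, bounds only the time spent on a single input; libFuzzer has no default stop condition, so as a CI step this runs until it finds a crash or the job is killed. An overall budget should be given on the same line, e.g. `./build/rv32emu_fuzz build/fuzz/CORPUS_DIR -timeout=3 -max_total_time=600` (or `-runs=N`), which also makes the step terminate and report consistently across jobs. The preceding `cp build/*.elf build/fuzz/CORPUS_DIR` aborts under `set -e` when the build directory holds no ELF files, which is pre-existing behaviour but now also means the fuzzer never starts; a short message on that path would make the cause visible in the CI log.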
@@ -1,23 +1,18 @@ # Fuzzing -> Inspired by the fuzzer from [this project](/~https://github.com/fwsGonzo/libriscv/tree/master/fuzz). - We are using the [LLVM Fuzzer](https://llvm.org/docs/LibFuzzer.html). The fuzzer used here is without structured input generation. Instead, we rely on the fuzzer to mutate the input. -# Execution +The initial seeds are all the ELF files in the build folder. -- `./run_fuzzer.sh && ./build/rv32emu_fuzzer src/fuzzer/CORPUS_DIR -jobs=1 -timeout=3` - - TODO - - `make fuzzer CC=clang ENABLE_EXT_F=0 ENABLE_SDL=0` - - `./build/rv32emu_fuzzer src/fuzzer/CORPUS_DIR` +## Execution -# [Corpus](https://llvm.org/docs/LibFuzzer.html#corpus) +- `./.ci/riscv-fuzz.sh` -The a corpus of sample inputs, which is the seed, will be all the elf binaries in the build folder. +## References -# References +> Inspired by the fuzzer from [this project](/~https://github.com/fwsGonzo/libriscv/tree/master/fuzz). - [LLVM official LibFuzzer documentation](https://llvm.org/docs/LibFuzzer.html#corpus) - [Chromium - Getting started with LibFuzzer](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/testing/libfuzzer/getting_started_with_libfuzzer.md) diff --git a/src/elf.c b/src/elf.c index e0c12021c..e0a6b702d 100644 --- a/src/elf.c +++ b/src/elf.c @@ -360,7 +360,6 @@ bool elf_open(elf_t *e, const char *path) /* point to the header */ if (sizeof(struct Elf32_Ehdr) > e->raw_size) { - // this will never be a valid ELF file release(e); return false; } diff --git a/src/fuzzer/.gitignore b/src/fuzzer/.gitignore deleted file mode 100644 index 5b787955c..000000000 --- a/src/fuzzer/.gitignore +++ /dev/null @@ -1 +0,0 @@ -CORPUS_DIR