AFL Fuzzing

범고래_1 2022. 1. 24. 02:42

Install AFL

wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar -xvf afl-latest.tgz
cd afl-2.52b
make

# for afl-clang-fast and afl-clang-fast++
cd llvm_mode
make

# or
sudo apt install afl++

From git

git clone https://github.com/google/AFL
cd AFL
make
cd llvm_mode
make

Build target binary with afl-gcc

CC=[AFL_DIR]/afl-2.52b/afl-gcc CXX=[AFL_DIR]/afl-2.52b/afl-g++ ./configure

ASAN

export AFL_USE_ASAN=1

CC=[AFL_DIR]/afl-2.52b/afl-clang-fast CXX=[AFL_DIR]/afl-2.52b/afl-clang-fast++ \
CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address -g" \
./configure

export PATH=/usr/lib/llvm-10/bin:$PATH

Fuzzing

afl-fuzz -i input -o output -- ./src/vim -u NONE -i NONE -n -X -Z -e -m -s -S @@ -c ":qa!"

For stdin fuzzing, specify the file with the -f option.

Passing -m none removes the memory limit (needed for ASAN builds, which reserve a lot of virtual memory).

Reproduce and check crashes

for file in output/crashes/*; do
    echo "Input: $file" >> crash.log
    # same invocation as the fuzzing run, with the crash file in place of @@
    ./vim -u NONE -i NONE -S "$file" -c ':qa!' 2>> crash.log
done
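The loop above only appends the target's stderr to a log; it does not say which inputs actually crashed. The script below is an added example (not from the original post) that re-runs every file in output/crashes/ against the target, records the exit status, and groups reproduced crashes by signal. It assumes the target takes the input path as its last argument (like the -S @@ vim invocation above); the fake_target function and the demo corpus are constructed stand-ins so it runs without AFL installed.

```shell
# Added example: triage AFL crash inputs by re-running the target on each one.
# Assumptions: TARGET takes the input path as its last argument, CRASH_DIR is
# afl-fuzz's output/crashes/. fake_target and make_demo_corpus are constructed
# stand-ins for an instrumented binary and a real crashes/ directory.

# triage_crashes TARGET CRASH_DIR LOGFILE -> prints the number of reproduced crashes
triage_crashes() {
    target=$1; crash_dir=$2; log=$3
    reproduced=0
    : > "$log"
    for file in "$crash_dir"/*; do
        [ -f "$file" ] || continue
        case $file in */README.txt) continue ;; esac   # afl-fuzz drops a README into crashes/
        # Run under 'if' so a crashing target does not abort this script when set -e is on.
        if "$target" "$file" >/dev/null 2>>"$log"; then
            status=0
        else
            status=$?
        fi
        if [ "$status" -gt 128 ]; then
            # POSIX shells report death-by-signal as 128+signo (139 = SIGSEGV, 134 = SIGABRT)
            printf 'CRASH signal=%d input=%s\n' $((status - 128)) "$file" >> "$log"
            reproduced=$((reproduced + 1))
        else
            printf 'OK    exit=%d input=%s\n' "$status" "$file" >> "$log"
        fi
    done
    echo "$reproduced"
}

# crash_signal_summary LOGFILE -> "<count> signal=<n>" lines, most frequent first
crash_signal_summary() {
    grep -o 'signal=[0-9]*' "$1" | sort | uniq -c | sort -rn
}

# Constructed stand-in for the instrumented target: dies with SIGSEGV when the
# input contains "BAD", exits 1 when it contains "ERR", otherwise exits 0.
fake_target() {
    if grep -q BAD "$1"; then
        sh -c 'kill -s SEGV $$'      # a child shell kills itself, so the caller sees 139
    elif grep -q ERR "$1"; then
        return 1
    else
        return 0
    fi
}

# make_demo_corpus -> prints the path of a constructed crashes/ directory
make_demo_corpus() {
    dir=$(mktemp -d)
    printf 'README' > "$dir/README.txt"
    printf 'harmless input\n'  > "$dir/id:000000"
    printf 'BAD input\n'       > "$dir/id:000001"
    printf 'ERR not a crash\n' > "$dir/id:000002"
    printf 'another BAD one\n' > "$dir/id:000003"
    echo "$dir"
}

demo_dir=$(make_demo_corpus)
n=$(triage_crashes fake_target "$demo_dir" "$demo_dir/crash.log")
echo "reproduced crashes: $n"
crash_signal_summary "$demo_dir/crash.log"
```

Point triage_crashes at the real binary (for example a small wrapper that runs ./vim -u NONE -i NONE -S "$1" -c ':qa!') and at output/crashes/ to use it on a real run; inputs that merely exit nonzero land in the OK lines, while the CRASH lines and the per-signal summary show what actually needs a debugger.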
