| field | value | date |
|---|---|---|
| author | John Levon <john.levon@nutanix.com> | 2022-04-21 13:43:44 +0100 |
| committer | GitHub <noreply@github.com> | 2022-04-21 13:43:44 +0100 |
| commit | 3779fca8c766b18b6d68feda9ed7958aa60bd4cf (patch) | |
| tree | 07401acbf0d8656dc1de00b2a9ecb3fec1d2a932 /docs | |
| parent | 9ad7474568a6c9f1fbb12fb8048f2083078a8144 (diff) | |
| download | libvfio-user-3779fca8c766b18b6d68feda9ed7958aa60bd4cf.zip, libvfio-user-3779fca8c766b18b6d68feda9ed7958aa60bd4cf.tar.gz, libvfio-user-3779fca8c766b18b6d68feda9ed7958aa60bd4cf.tar.bz2 | |
support AFL++ fuzzing (#623)
To support fuzzing with AFL++, add a "pipe" transport that reads from stdin and
outputs to stdout: this is the most convenient way of doing fuzzing.
Add some docs on how to run a fuzzing session.
Signed-off-by: John Levon <john.levon@nutanix.com>
Reviewed-by: Swapnil Ingle <swapnil.ingle@nutanix.com>
Reviewed-by: Thanos Makatos <thanos.makatos@nutanix.com>
Diffstat (limited to 'docs')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | docs/testing.md | 35 |

1 file changed, 35 insertions, 0 deletions
diff --git a/docs/testing.md b/docs/testing.md index 71a80b6..11b3301 100644 --- a/docs/testing.md +++ b/docs/testing.md @@ -22,3 +22,38 @@ Debugging Test Errors Sometimes debugging Valgrind errors on Python unit tests can be tricky. To run specific tests use the pytest `-k` option in `PYTESTCMD` in the Makefile. +AFL++ +----- + +You can run [American Fuzzy Lop](https://github.com/AFLplusplus/AFLplusplus) +against `libvfio-user`. It's easiest to use the Docker container: + +``` +cd /path/to/libvfio-user/src +docker pull aflplusplus/aflplusplus +docker run -ti -v $(pwd):/src aflplusplus/aflplusplus +``` + +Set up and build: + +``` +apt update +apt-get -y install libjson-c-dev libcmocka-dev clang valgrind python3-pytest debianutils flake8 libssl-dev cmake + +cd /src +export AFL_LLVM_LAF_ALL=1 +make CC=afl-clang-fast WITH_TRAN_PIPE=1 + +mkdir inputs +# don't yet have a better starting point +echo "1" >inputs/start +mkdir outputs +``` + +The `VFU_TRAN_PIPE` is a special `libvfio-user` transport that reads from +`stdin` instead of a socket, we'll use this with the sample server to do our +fuzzing: + +``` +afl-fuzz -i inputs/ -o outputs/ -- ./build/dbg/samples/server pipe +``` |
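Review bot: the first snippet and the later commands disagree about which directory is the project root. The doc does `cd /path/to/libvfio-user/src` and mounts that as `/src`, but then runs `make CC=afl-clang-fast WITH_TRAN_PIPE=1` and `./build/dbg/samples/server pipe` from `/src` as though it were the top-level checkout (where the Makefile and the `build/` output directory are). Suggest `cd /path/to/libvfio-user` so the bind mount is the repository root, or else adjust the `make` and `./build/...` paths to match. Two smaller points on the same hunk: the seed corpus is a single byte (`echo "1" >inputs/start`, with the comment admitting there is no better starting point), and a captured valid message from a real client session would give AFL++ a far better starting point for reaching the message-handling code; and the sentence introducing `VFU_TRAN_PIPE` only says it "reads from `stdin`", while the commit message says it also writes to `stdout`, which is worth stating in the doc since it determines how the fuzz target is driven and where its replies go.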