cargo-fuzz 0.4.0

Simple wrapper around libFuzzer
cargo-fuzz-0.4.0 is not a library.

Cargo-fuzz

Command-line wrapper for using libFuzzer. Easy to use, no need to recompile LLVM!

libFuzzer needs LLVM sanitizer support, so this is x86-64 Linux-only for now. This also needs a nightly since it uses some unstable command-line flags.

This crate is currently under some churn -- in case stuff isn't working, please reinstall it (cargo install cargo-fuzz -f). Rerunning cargo fuzz init after moving your fuzz folder and updating this crate may get you a better generated fuzz/Cargo.toml. Expect this to settle down soon.

Installation

$ cargo install cargo-fuzz

Usage

First, set up your project for fuzzing:

$ cd /path/to/project
$ cargo fuzz init

This will create a fuzz folder, containing a fuzzing script called fuzzer_script_1 in the fuzzers/ subfolder. It is generally a good idea to check in the files generated by init.

libFuzzer is going to repeatedly call the body of fuzz_target!() with a byte buffer data, until your program hits an error condition (segfault, panic, etc). Write your fuzz_target!() body to hit the entry point you need.

You can add more fuzz target scripts via cargo fuzz add name_of_script. There is a Cargo.toml in the fuzz/ folder where you can add dependencies.

To fuzz a fuzz target, run:

$ cd /path/to/project
$ cargo fuzz run fuzzer_script_1 # or whatever the target is named

Then, wait till it finds something! More complex invocations are available as well. Consider looking at cargo fuzz --help, cargo fuzz run --help and others.

Trophy case