Cargo-fuzz
Command-line wrapper for using libFuzzer. Easy to use, no need to recompile LLVM!
libFuzzer needs LLVM sanitizer support, so this is x86-64 Linux-only for now. This also needs a nightly since it uses some unstable command-line flags.
This crate is currently under some churn -- in case stuff isn't working, please reinstall it (`cargo install cargo-fuzz -f`). Rerunning `cargo fuzz init` after moving your `fuzz` folder and updating this crate may get you a better generated `fuzz/Cargo.toml`. Expect this to settle down soon.
Installation
Install the wrapper with `cargo install cargo-fuzz`.
Usage
First, set up your project for fuzzing by running `cargo fuzz init`.
This will create a `fuzz` folder, containing a fuzzing script called `fuzzer_script_1` in the `fuzzers/` subfolder. It is generally a good idea to check in the files generated by `init`.
libFuzzer is going to repeatedly call the body of `fuzz_target!()` with a byte buffer `data`, until your program hits an error condition (segfault, panic, etc). Write your `fuzz_target!()` body to hit the entry point you need.
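As an added example that is not part of the cargo-fuzz README: a fuzz target body written as a plain function so it compiles without `libfuzzer-sys`, driving a hypothetical length-prefixed `parse_record` parser and checking a parse/re-encode round-trip property. In `fuzz/fuzzers/fuzzer_script_1.rs` the same body would sit inside `fuzz_target!(|data: &[u8]| { ... })`.

```rust
// Added example (not cargo-fuzz's own code). In a real fuzz target file the
// wrapper would be:
//     fuzz_target!(|data: &[u8]| { fuzz_entry(data); });
// `Record`, `parse_record` and `encode_record` are a hypothetical format
// under test: one length byte followed by that many payload bytes.

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub payload: &'a [u8],
}

/// Parse one record from `data`, returning it and the unconsumed rest.
/// Uses checked splitting so malformed input yields None instead of a panic.
pub fn parse_record(data: &[u8]) -> Option<(Record<'_>, &[u8])> {
    let (&len, rest) = data.split_first()?;
    let len = usize::from(len);
    if rest.len() < len {
        return None; // truncated payload: reject rather than index past the end
    }
    let (payload, rest) = rest.split_at(len);
    Some((Record { payload }, rest))
}

/// Re-encode a record; used to check the round-trip property below.
pub fn encode_record(record: &Record<'_>) -> Vec<u8> {
    let mut out = Vec::with_capacity(record.payload.len() + 1);
    out.push(record.payload.len() as u8); // always fits: len came from a u8
    out.extend_from_slice(record.payload);
    out
}

/// Fuzz target body: libFuzzer calls this with arbitrary bytes. Any panic
/// here (including a failed assertion) is what cargo-fuzz reports as a crash.
/// Returns true when a record was parsed, false when the input was rejected.
pub fn fuzz_entry(data: &[u8]) -> bool {
    match parse_record(data) {
        Some((record, rest)) => {
            // Property: re-encoding the parsed record reproduces exactly
            // the bytes the parser consumed.
            let consumed = data.len() - rest.len();
            assert_eq!(encode_record(&record), &data[..consumed]);
            true
        }
        // Malformed or empty input is rejected without panicking.
        None => false,
    }
}
```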
You can add more fuzz target scripts via `cargo fuzz add name_of_script`. There is a `Cargo.toml` in the `fuzz/` folder where you can add dependencies.
To fuzz a fuzz target, run `cargo fuzz run fuzzer_script_1` (substituting the name of your fuzz target).
Then, wait till it finds something! More complex invocations are available as well. Consider looking at `cargo fuzz --help`, `cargo fuzz run --help` and others.
Trophy case
- toml-rs panic
- regex parsing panics, with blog post
- unicode-segmentation: grapheme boundary correctness, word boundary correctness
- image: 1, 2, 3, 4
- inflate: arithmetic overflow
- capnproto-rust: Multiple bugs, including a memory safety bug
- hyper: arithmetic overflow
- libpnet: arithmetic overflow
- quick-xml: arithmetic overflow, arithmetic overflow
- svgparser: arithmetic overflow, bound checking panic, incorrect result, endless loop
- num: panic on `BigInt` parsing
- httpdate: panics: "no character boundary" and arithmetic overflow
- vobsub: invalid slice 1, 2, 3, shift overflow, arithmetic overflow
- uuid: index out of bounds
- flac: index out of bounds
- ntp: panic caused by unwrap on invalid input
- pulldown-cmark: Overflow ParseIntError
- bson: multiple bugs, including arithmetic overflow
- jpeg-decoder: arithmetic overflow
- npy-rs: arithmetic overflow
- snmp-parser: panic on unwrapping
- der-parser: arithmetic overflow
- ssh-keys: panic on slice indexing