Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to fuzz a project containing C++ code? #338

Open
nbigaouette opened this issue Jun 2, 2023 · 1 comment
Open

How to fuzz a project containing C++ code? #338

nbigaouette opened this issue Jun 2, 2023 · 1 comment

Comments

@nbigaouette
Copy link

I've been using cargo-fuzz and afl.rs to fuzz my (pure) rust projects, but one of those contains C++ code that I would like to be included in the fuzzing process.

The project structure looks like this:

├── build.rs
├── Cargo.toml
└── src
   ├── cpp
   │  ├── CMakeLists.txt
   │  ├── file.cpp
   │  └── file.hpp
   └── lib.rs

The rust build script will call cmake to build the C++ code which will be linked in the final Rust library.

Can I use cargo afl to fuzz not only the Rust code but also the C++ code? What would be required to do so? Would the C++ code need to be compiled in a certain way that cargo afl cannot control (and thus I'd have to tweak my CMakeLists.txt)? Would I need to install something else (f.e. install/compile afl itself as described here: https://github.com/AFLplusplus/AFLplusplus/blob/stable/instrumentation/README.lto.md)?

I'm on macOS which comes with clang (from XCode). Is that sufficient or should a different llvm/clang should be used (f.e. from homebrew)?

Thanks!

@smoelius
Copy link
Member

smoelius commented Jun 5, 2023

Hi, @nbigaouette.

Can I use cargo afl to fuzz not only the Rust code but also the C++ code? What would be required to do so?

To be honest, I'm not sure. Here are the flags that cargo-afl passes to rustc:

afl.rs/src/bin/cargo-afl.rs

Lines 277 to 283 in d0e5a6e

-C passes={passes} \
-C codegen-units=1 \
-C llvm-args=-sanitizer-coverage-level=3 \
-C llvm-args=-sanitizer-coverage-trace-pc-guard \
-C llvm-args=-sanitizer-coverage-prune-blocks=0 \
-C llvm-args=-sanitizer-coverage-trace-compares \
-C opt-level=3 \

I would imagine that if one could determine the corresponding flags for Clang and compile with them, then it would simply be a matter of linking in the resulting object files. But I would need to experiment with this to know for sure.

I'm sorry I can't be of more help right now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants