Commandline wrapper for using libFuzzer. Easy to use, no need to recompile LLVM!
libFuzzer needs LLVM sanitizer support, so this is x86-64 Linux-only for now. It also needs a nightly Rust toolchain, since it uses some unstable command-line flags.
This crate is currently under some churn -- in case stuff isn't working, please reinstall it (`cargo install cargo-fuzz -f`) and delete the cloned `libfuzzer-sys` folder inside the `fuzz/` folder. Rerunning `cargo fuzz init` after moving your `fuzz` folder aside and updating this crate may get you a better generated `fuzz/Cargo.toml`. Expect this to settle down soon.
```
$ cargo install cargo-fuzz
```
First, set up your project for fuzzing:
```
$ cd /path/to/project
$ cargo fuzz init
```
This will create a `fuzz` folder, containing a fuzzing script called `fuzzer_script_1` in the `fuzzers/` subfolder. It is generally a good idea to check in the files generated by `init`.
libFuzzer is going to repeatedly call the `go()` function in the fuzzer script with a byte buffer `data` of length `size`, until your program hits an error condition (segfault, panic, etc). Write your `go()` function to hit the entry point you need.
You can add more fuzz target scripts via `cargo fuzz add name_of_script`. There is a `Cargo.toml` in the `fuzz/` folder where you can add dependencies.
To fuzz a fuzz target, run:
```
$ cd /path/to/project
$ cargo fuzz run fuzzer_script_1 # or whatever the target is named
```
Then, wait till it finds something!
🏆 🏆 🏆 🏆 🏆 🏆
- toml-rs panic
- unicode-segmentation: grapheme boundary correctness, word boundary correctness
- image: 1, 2, 3, 4
- inflate: arithmetic overflow
- capnproto-rust: Multiple bugs, including a memory safety bug
- hyper: arithmetic overflow
- libpnet: arithmetic overflow
- quick-xml: arithmetic overflow
- svgparser: arithmetic overflow, bound checking panic, incorrect result, endless loop
- num: panic on `BigInt` parsing
- httpdate: panics: "no character boundary" and arithmetic overflow