start_fuzzers.sh 3.19 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#!/usr/bin/bash

# Needs to be started in tmux.

script_dir() {
    dirname "$(readlink -f "$0")"
}

fuzzer_dir() {
    printf '%s/fuzzers\n' "$(script_dir)"
}

fuzzer_list() {
    find "$(fuzzer_dir)" -maxdepth 1 -type f \( -name '*.cpp' -or -name '*.c' \) -printf '%P\n' \
      | while read -r fuzzer; do
        fuzzer="${fuzzer#fuzz_}"
        printf '%s\n' "${fuzzer%.c*}"
    done
}

usage() {
    printf '%s: HARNESS FUZZER\n\n' "$(basename "$0")"
    printf '    HARNESS ∈ {\n'
    # We want word-splitting here so that each fuzzer ends up as a separate
    # argument.
    # shellcheck disable=SC2046
    printf '%30s,\n' $(fuzzer_list | tr '\n' ' ')
    printf '    }\n'
    printf '    FUZZER ∈ {afl, afl++}\n'
}

if [[ $# -ne 2 ]]; then
    usage
    exit 1
fi

case "$2" in
    afl++)
        export AFL_PATH=/home/dkasak/code/projects/afl/afl++
        export AFL_AUTORESUME=1
        AFL_ARGS_FUZZER0="-D"
        AFL_ARGS_FUZZER1="-L 0"
        AFL_ARGS_FUZZER2="-p rare"
        AFL_ARGS_FUZZER3="-p fast"
        AFL_ARGS_FUZZER4="-p exploit"
        AFL_ARGS_FUZZER5="-p explore"
        ;;
    afl)
        export AFL_PATH=/usr/bin
        ;;
    *)
        printf 'Unknown fuzzer: %s\n' "$2"
        exit 1
        ;;
esac

export AFL=$AFL_PATH/afl-fuzz
export AFL_TMPDIR=/tmp

case "$1" in
    group_decrypt)
        FUZZER_ARG1="fuzzing/$1/pickled-inbound-group-session.txt"
        ;;
    decrypt)
        FUZZER_ARG1="fuzzing/$1/pickled-session.txt"
        FUZZER_ARG2="1"
        ;;
    decode_message)
        ;;
    unpickle_session)
        ;;
    unpickle_account)
        ;;
    unpickle_account_test)
        ;;
    unpickle_megolm_outbound)
        ;;
    *)
        printf 'Unknown harness: %s\n' "$1"
        exit 1
        ;;
esac

cd "$(script_dir)" || exit 1

# Fuzzer args are deliberately not quoted below so that word-splitting happens.
# This is used so that they expand into nothing in cases where they are missing
# or to expand into multiple arguments from a string definition.

# shellcheck disable=SC2086
tmux new-window -d -n "M" -- \
    "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -M i0 "$AFL_ARGS_FUZZER0" \
            -- "../build/fuzzers/fuzz_$1" $FUZZER_ARG1 $FUZZER_ARG2

# shellcheck disable=SC2086
tmux new-window -d -n "S1" -- \
    "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -S i1 "$AFL_ARGS_FUZZER1" \
            -- "../build/fuzzers/fuzz_$1" $FUZZER_ARG1 $FUZZER_ARG2

# shellcheck disable=SC2086
tmux new-window -d -n "S2" -- \
    "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -S i2 $AFL_ARGS_FUZZER2 \
            -- "../build/fuzzers/fuzz_$1" $FUZZER_ARG1 $FUZZER_ARG2

# shellcheck disable=SC2086
tmux new-window -d -n "S3" -- \
    "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -S i3 $AFL_ARGS_FUZZER3 \
            -- "../build/fuzzers/fuzz_$1" $FUZZER_ARG1 $FUZZER_ARG2

# shellcheck disable=SC2086
tmux new-window -d -n "S4" -- \
    "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -S i4 $AFL_ARGS_FUZZER4 \
            -- "../build/fuzzers/fuzz_$1_asan" $FUZZER_ARG1 $FUZZER_ARG2

# shellcheck disable=SC2086
tmux new-window -d -n "S5" -- \
    "$AFL" -i "corpora/$1/in" -o "corpora/$1/out" -S i5 $AFL_ARGS_FUZZER5 \
            -- "../build/fuzzers/fuzz_$1" $FUZZER_ARG1 $FUZZER_ARG2