From f8d4b3beda963e0920a139f1ab70ac079a52f5e7 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Thu, 5 Jan 2017 20:12:05 +0100 Subject: [PATCH] Update fuzz documentation Reviewed-by: Rich Salz GH: #2182 --- fuzz/README.md | 53 +++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 48 insertions(+), 5 deletions(-) diff --git a/fuzz/README.md b/fuzz/README.md index e0d2eb68fb..31e21ac595 100644 --- a/fuzz/README.md +++ b/fuzz/README.md @@ -43,7 +43,8 @@ Configure for fuzzing: -fsanitize-coverage=edge,indirect-calls,8bit-counters \ enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 \ enable-weak-ssl-ciphers enable-rc5 enable-md2 \ - enable-ssl3 enable-ssl3-method enable-nextprotoneg + enable-ssl3 enable-ssl3-method enable-nextprotoneg \ + --debug $ sudo apt-get install make $ LDCMD=clang++ make -j $ fuzz/helper.py $FUZZER @@ -51,9 +52,7 @@ Configure for fuzzing: Where $FUZZER is one of the executables in `fuzz/`. If you get a crash, you should find a corresponding input file in -`fuzz/corpora/$FUZZER-crash/`. You can reproduce the crash with - - $ fuzz/$FUZZER +`fuzz/corpora/$FUZZER-crash/`. AFL === @@ -64,7 +63,8 @@ Configure for fuzzing: $ CC=afl-clang-fast ./config enable-fuzz-afl no-shared -DPEDANTIC \ enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \ enable-ssl3 enable-ssl3-method enable-nextprotoneg \ - enable-ec_nistp_64_gcc_128 + enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \ + --debug $ make The following options can also be enabled: enable-asan, enable-ubsan, enable-msan @@ -74,3 +74,46 @@ Run one of the fuzzers: $ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER Where $FUZZER is one of the executables in `fuzz/`. + +Reproducing issues +================== + +If a fuzzer generates a reproducible error, you can reproduce the problem using +the fuzz/*-test binaries and the file generated by the fuzzer. They binaries +don't need to be build for fuzzing, there is no need to set CC or the call +config with enable-fuzz-* or -fsanitize-coverage, but some of the other options +above might be needed. For instance the enable-asan or enable-ubsan option might +be useful to show you when the problem happens. For the client and server fuzzer +it might be needed to use -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to +reproduce the generated random numbers. + +To reproduce the crash you can run: + + $ fuzz/$FUZZER-test $file + +Random numbers +============== + +The client and server fuzzer normally generate random numbers as part of the TLS +connection setup. This results in the coverage of the fuzzing corpus changing +depending on the random numbers. This also has an effect for coverage of the +rest of the test suite and you see the coverage change for each commit even when +no code has been modified. + +Since we want to maximize the coverage of the fuzzing corpus, the client and +server fuzzer will use predictable numbers instead of the random numbers. This +is controlled by the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION define. + +The coverage depends on the way the numbers are generated. We don't disable any +check of hashes, but the corpus has the correct hash in it for the random +numbers that were generated. For instance the client fuzzer will always generate +the same client hello with the same random number in it, and so the server, as +emulated by the file, can be generated for that client hello. + +Coverage changes +================ + +Since the corpus depends on the default behaviour of the client and the server, +changes in what they send by default will have an impact on the coverage. The +corpus will need to be updated in that case. + -- 2.25.1