-
Notifications
You must be signed in to change notification settings - Fork 47
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add bindings for custom crossover with example
* Expose `LLVMFuzzerCustomCrossOver` through `fuzz_crossover` macro. * `example_crossover` uses `fuzz_mutator` & `fuzz_crossover`
- Loading branch information
R. Elliott Childre
committed
Jan 22, 2024
1 parent
910a31a
commit 75e9bb6
Showing
10 changed files
with
352 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
[package] | ||
name = "example_crossover" | ||
version = "0.1.0" | ||
authors = ["R. Elliott Childre"] | ||
edition = "2021" | ||
|
||
[target.'cfg(fuzzing)'.dependencies] | ||
rand = "0.8" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
# A Custom Crossover Example | ||
|
||
## Overview | ||
|
||
This example is a reimplementation of [Erik Rigtorp's floating point summation fuzzing example][1] | ||
in the Rust bindings for LibFuzzer, provided by this crate. In this particular example, Erik uses | ||
both a custom mutator, and a custom crossover function, which provides a well-documented, complex | ||
code example. | ||
|
||
## Implementation | ||
|
||
This is mostly a one-to-one rewrite of the C++ code in the blog post, with the big difference | ||
being the method of converting the raw bytes that is exposed to the custom functions, into the | ||
decoded double-precision floating-point values. Where in C++ we can simply do: | ||
|
||
```c++ | ||
uint8_t *Data = ...; | ||
size_t Size = ...; | ||
double *begin = (double *)Data; | ||
double *end = (double *)Data + Size / sizeof(double); | ||
``` | ||
|
||
In Rust, however, the task seems a bit more complex due to strictness on alignment: | ||
|
||
* [Rust, how to slice into a byte array as if it were a float array? - Stack Overflow][2] | ||
* [Re-interpret slice of bytes (e.g. [u8]) as slice of [f32] - help - The Rust Programming Language Forum][3] | ||
* [How to transmute a u8 buffer to struct in Rust? - Stack Overflow][4] | ||
|
||
So the casting of `Data` in the blog post's C++ are now `slice::align_to{_mut}` calls | ||
|
||
## Example Crashing Testcase | ||
|
||
The fuzz harness typically discovers a non-optimized crashing testcase in very little time, however | ||
the artifact file checked into the example is the minimal crashing 16 bytes of `[-inf, inf]`. | ||
These two values add to produce a `NaN` value just as Erik showed that the C++ runtime produced. | ||
|
||
[1]: https://rigtorp.se/fuzzing-floating-point-code/ | ||
[2]: https://stackoverflow.com/a/73174764 | ||
[3]: https://users.rust-lang.org/t/re-interpret-slice-of-bytes-e-g-u8-as-slice-of-f32/34551 | ||
[4]: https://stackoverflow.com/a/59292352 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
[package] | ||
name = "example_crossover_fuzz" | ||
version = "0.1.0" | ||
authors = ["R. Elliott Childre"] | ||
edition = "2021" | ||
|
||
[package.metadata] | ||
cargo-fuzz = true | ||
|
||
[dependencies] | ||
rand = "0.8" | ||
libfuzzer-sys = { path = "../.." } | ||
example_crossover = { path = ".." } | ||
|
||
[[bin]] | ||
name = "boom" | ||
path = "fuzz_targets/boom.rs" |
Binary file added
BIN
+16 Bytes
example_crossover/fuzz/artifacts/boom/crash-6f37ac2111469380f475f6c307a915f5917fed6b
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,128 @@ | ||
#![no_main] | ||
|
||
use example_crossover::sum; | ||
use libfuzzer_sys::{fuzz_crossover, fuzz_mutator, fuzz_target}; | ||
use rand::distributions::{Bernoulli, Distribution, Uniform}; | ||
use rand::{rngs::StdRng, seq::SliceRandom, SeedableRng}; | ||
use std::mem::size_of; | ||
|
||
fuzz_target!(|data: &[u8]| { | ||
let (_, floats, _) = unsafe { data.align_to::<f64>() }; | ||
|
||
let res = sum(floats); | ||
|
||
assert!( | ||
!res.is_nan(), | ||
"The sum of the following f64's resulted in a NaN: {floats:?}" | ||
); | ||
}); | ||
|
||
fn rfp(rng: &mut StdRng) -> f64 { | ||
match Uniform::new_inclusive(0, 10).sample(rng) { | ||
0 => f64::NAN, | ||
1 => f64::MIN, | ||
2 => f64::MAX, | ||
3 => -f64::MIN, | ||
4 => -f64::MAX, | ||
5 => f64::EPSILON, | ||
6 => -f64::EPSILON, | ||
7 => f64::INFINITY, | ||
8 => f64::NEG_INFINITY, | ||
9 => 0.0, | ||
10 => Uniform::new_inclusive(-1.0, 1.0).sample(rng), | ||
_ => 0.0, | ||
} | ||
} | ||
|
||
fuzz_mutator!(|data: &mut [u8], size: usize, max_size: usize, seed: u32| { | ||
let mut gen = StdRng::seed_from_u64(seed.into()); | ||
|
||
match Uniform::new_inclusive(0, 3).sample(&mut gen) { | ||
0 => { | ||
// "Change [an] element" | ||
|
||
// Not altering the size, so decode the intended space (i.e. `size`) as floats | ||
let (_, floats, _) = unsafe { data[..size].align_to_mut::<f64>() }; | ||
|
||
if !floats.is_empty() { | ||
let d = Uniform::new(0, floats.len()); | ||
floats[d.sample(&mut gen)] = rfp(&mut gen); | ||
} | ||
} | ||
1 => { | ||
// "Add [an] element [to the end]" | ||
let plus_one = size + size_of::<f64>(); | ||
if plus_one <= max_size { | ||
// Adding 1, f64 to the size, so decode the intended space (i.e. | ||
// `size`) plus one more (since we just checked it will fit) as floats | ||
let (_, floats, _) = unsafe { data[..plus_one].align_to_mut::<f64>() }; | ||
|
||
let last = floats.last_mut().unwrap(); | ||
*last = rfp(&mut gen); | ||
|
||
return plus_one; | ||
} | ||
} | ||
2 => { | ||
// "Delete [the end] element" | ||
|
||
// Attempting to shrink the size by 1, f64, so decode the intended | ||
// space (i.e. `size`) as floats and see if we have any | ||
let (_, floats, _) = unsafe { data[..size].align_to::<f64>() }; | ||
|
||
if !floats.is_empty() { | ||
return size - size_of::<f64>(); | ||
} | ||
} | ||
3 => { | ||
// "Shuffle [the] elements" | ||
|
||
// Not altering the size, so decode the intended space (i.e. `size`) as floats | ||
let (_, floats, _) = unsafe { data[..size].align_to_mut::<f64>() }; | ||
floats.shuffle(&mut gen); | ||
} | ||
_ => unreachable!(), | ||
}; | ||
|
||
size | ||
}); | ||
|
||
fuzz_crossover!(|data1: &[u8], data2: &[u8], out: &mut [u8], seed: u32| { | ||
let mut gen = StdRng::seed_from_u64(seed.into()); | ||
|
||
let bd = Bernoulli::new(0.5).unwrap(); | ||
|
||
// Decode each source to see how many floats we can pull with proper | ||
// alignment, and destination as to how many will fit with proper alignment | ||
// | ||
// Keep track of the unaligned prefix to `out`, as we will need to remember | ||
// that those bytes will remain prepended to the actual floats that we | ||
// write into the out buffer. | ||
let (out_pref, out_floats, _) = unsafe { out.align_to_mut::<f64>() }; | ||
let (_, d1_floats, _) = unsafe { data1.align_to::<f64>() }; | ||
let (_, d2_floats, _) = unsafe { data2.align_to::<f64>() }; | ||
|
||
// Given that the sources and destinations may have drastically fewer | ||
// available aligned floats than decoding allows for; see which has the | ||
// smallest number. | ||
let n = *[out_floats.len(), d1_floats.len(), d2_floats.len()] | ||
.iter() | ||
.min() | ||
.unwrap(); | ||
|
||
// Put into the destination, floats from either data1 or data2 if the | ||
// Bernoulli distribution succeeds or fails | ||
for i in 0..n { | ||
out_floats[i] = if bd.sample(&mut gen) { | ||
d1_floats[i] | ||
} else { | ||
d2_floats[i] | ||
}; | ||
} | ||
|
||
// Now that we have written the true floats, report back to the fuzzing | ||
// engine that we left the unaligned `out` prefix bytes at the beginning of | ||
// `out` and also then the floats that we wrote into the aligned float | ||
// section. | ||
out_pref.len() * size_of::<u8>() + n * size_of::<f64>() | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
pub fn sum(floats: &[f64]) -> f64 { | ||
floats | ||
.iter() | ||
.fold(0.0, |a, b| if b.is_nan() { a } else { a + b }) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters