PengZheng commented on code in PR #799:
URL: https://github.com/apache/celix/pull/799#discussion_r2619044291


##########
.github/workflows/fuzzing.yml:
##########
@@ -0,0 +1,59 @@
+name: Celix Fuzzing
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 3 * * *'
+
+jobs:
+  fuzz-utils:
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c #v3.3.0
+      - name: Set up Python
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c 
#v4.9.1
+        with:
+          python-version: '3.x'
+      - name: Set Compiler Environment Variables
+        run: |
+          echo "CC=clang" >> $GITHUB_ENV
+          echo "CXX=clang++" >> $GITHUB_ENV
+      - name: Install Conan
+        run: pip install conan
+      - name: Cache Conan
+        uses: actions/cache@v3
+        with:
+          path: ~/.conan2/p
+          key: ${{ runner.os }}-conan-${{ hashFiles('conanfile.py', 
'libs/utils/**') }}
+          restore-keys: |
+            ${{ runner.os }}-conan-
+      - name: Setup Conan Profile
+        run: |
+          conan profile detect 
+      - name: Conan install
+        run: conan install . --output-folder=build --build=missing -o 
"celix/*:build_utils=True" -o "celix/*:enable_fuzzing=True"
+      - name: Conan build
+        run: conan build . --output-folder=build -o "celix/*:build_utils=True" 
-o "celix/*:enable_fuzzing=True" -o "celix/*:celix_err_buffer_size=5120"
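Review bot: `actions/cache@v3` in the "Cache Conan" step is pinned only by a mutable tag, while `actions/checkout` and `actions/setup-python` in the same hunk are pinned to full commit SHAs with a `#vX.Y.Z` comment; pin the cache action the same way so that a moved tag cannot pull different action code into a workflow that runs on every push, every pull request and a nightly schedule. A second, smaller point: the option lists passed to `conan install` (`build_utils`, `enable_fuzzing`) and `conan build` (additionally `celix_err_buffer_size=5120`) differ, so the graph resolved at build time is not the one resolved at install time; give both commands the same `-o` set, or move the options into the Conan profile set up in the previous step.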

Review Comment:
   Here is a minimal reproducer:
   
   ```C++
   // myfuzzer.cpp
   #include <stddef.h>
   #include <stdint.h>
   #include <stdio.h>
   #include <stdlib.h>
   
   // Function under test (example: a deliberately buggy function that
   // crashes once the fuzzer finds the input "BUG")
   void my_api_function(const uint8_t* data, size_t size) {
       if (size > 0 && data[0] == 'B') {
           if (size > 1 && data[1] == 'U') {
               if (size > 2 && data[2] == 'G') {
                   char* p = NULL;
                   *p = 1; // This will cause a crash (dereferencing NULL)
               }
           }
       }
   }
   
   // The libFuzzer entry point
   extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
       malloc(0); // intentionally never freed, so LeakSanitizer reports a leak
       my_api_function(data, size);
       return 0;
   }
   ```
   
   ```Bash
   $ clang++ -g -shared-libasan -fsanitize=address,fuzzer myfuzzer.cpp -o myfuzzer_asan -Wl,-rpath,/usr/lib/llvm-18/lib/clang/18/lib/linux/
   $ ./myfuzzer_asan
   ==79772==ASan runtime does not come first in initial library list; you should either link runtime to your application or manually preload it with LD_PRELOAD.
   ```
   
   Removing `-shared-libasan` fixes the issue:
   ```Bash
   $ clang++ -g -fsanitize=address,fuzzer myfuzzer.cpp -o myfuzzer_asan -Wl,-rpath,/usr/lib/llvm-18/lib/clang/18/lib/linux/
   $ ./myfuzzer_asan
   INFO: Running with entropic power schedule (0xFF, 100).
   INFO: Seed: 3170674705
   INFO: Loaded 1 modules   (9 inline 8-bit counters): 9 [0x57509822be88, 0x57509822be91),
   INFO: Loaded 1 PC tables (9 PCs): 9 [0x57509822be98,0x57509822bf28),
   INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
   INFO: A corpus is not provided, starting from an empty corpus
   #2      INITED cov: 3 ft: 3 corp: 1/1b exec/s: 0 rss: 31Mb
   
   =================================================================
   ==79832==ERROR: LeakSanitizer: detected memory leaks
   ```
   
   IIRC, `-shared-libasan` is needed for the error injector.
