commit
fe2bf93182
5 changed files with 50 additions and 0 deletions
Unified View
Diff Options
-
+20 -0README.md
-
+1 -0build.sh
-
+7 -0fsck_ffs/README.md
-
+18 -0fsck_ffs/build.test.cases.sh
-
+4 -0fsck_ffs/run.main.sh
+ 20
- 0
README.md
View File
| @@ -0,0 +1,20 @@ | |||||
| Fuzzing FreeBSD w/ AFL | |||||
| ====================== | |||||
| This project is used to store the various information and scripts that | |||||
| I have used in fuzzing FreeBSD. | |||||
| This project started when someone reported that fsck_ffs couldn't | |||||
| repair a file system they had, but as we all know, file systems are | |||||
| often large, and contain data the people don't want to share, making | |||||
| getting test cases more difficult than most. I decided to see if | |||||
| fuzzing was able to reproduce their failure, and the very first | |||||
| failure was the reported, but it also managed to find some more. | |||||
| Building | |||||
| -------- | |||||
| There is a script `build.sh` that will set the compiler correctly when | |||||
| building parts of the FreeBSD source tree. You do have to be careful | |||||
| when doing this as there are sometimes dependencies that need to be | |||||
| built as well, e.g. `libufs` for `fsck_ffs`. | |||||
+ 1
- 0
build.sh
View File
| @@ -0,0 +1 @@ | |||||
| CC=/usr/local/afl++-llvm/bin/afl-cc CXX=/usr/local/afl++-llvm/bin/afl-c++ make "$@" | |||||
+ 7
- 0
fsck_ffs/README.md
View File
| @@ -0,0 +1,7 @@ | |||||
| fsck_ffs | |||||
| ======== | |||||
| Collect stack traces for examination: | |||||
| ``` | |||||
| for i in id:000*; do echo TEST CASE "$i"; (echo run -y $i; echo bt) | gdb /usr/obj/usr/src/arm64.aarch64/sbin/fsck_ffs/fsck_ffs; done > crashes.txt | |||||
| ``` | |||||
+ 18
- 0
fsck_ffs/build.test.cases.sh
View File
| @@ -0,0 +1,18 @@ | |||||
| size=512kb | |||||
| for fstype in -O1 -O2; do | |||||
| for secsize in -S512 -S4096; do | |||||
| for blkfrag in "" "-b 4096 -f 512"; do | |||||
| if [ ! -z "$blkfrag" ]; then | |||||
| part=".b4096f512" | |||||
| else | |||||
| part="" | |||||
| fi | |||||
| fname="test.$fstype.$secsize$part.img" | |||||
| truncate -s "$size" "$fname" | |||||
| dev=$(mdconfig -f "$fname") | |||||
| newfs $fstype $secsize $blkfrag "$dev" | |||||
| mdconfig -d -u "$dev" | |||||
| done | |||||
| done | |||||
| done | |||||
+ 4
- 0
fsck_ffs/run.main.sh
View File
| @@ -0,0 +1,4 @@ | |||||
| /usr/local/afl++-llvm/bin/afl-fuzz -i testcase_dir -o sync_dir -M fuzzer01 /usr/obj/usr/src/arm64.aarch64/sbin/fsck_ffs/fsck_ffs -y @@ | |||||
| #secondaries: | |||||
| # /usr/local/afl++-llvm/bin/afl-fuzz -i testcase_dir -o sync_dir -S fuzzerXX /usr/obj/usr/src/arm64.aarch64/sbin/fsck_ffs/fsck_ffs -y @@ | |||||