Duke Leto
5 years ago
7 changed files with 131 additions and 0 deletions
@ -0,0 +1,19 @@ |
|||
#!/usr/bin/env bash |
|||
# A wrapper around ./zcutil/build.sh for instrumenting the build with AFL: |
|||
# ./zcutil/afl/afl-build.sh <directory where AFL is installed> <fuzz case> |
|||
# You may obtain a copy of AFL using ./zcutil/afl/afl-get.sh. |
|||
|
|||
set -eu -o pipefail |
|||
|
|||
export AFL_INSTALL_DIR=$(realpath "$1") |
|||
FUZZ_CASE="$2" |
|||
shift 2 |
|||
export AFL_LOG_DIR="$(pwd)" |
|||
export ZCUTIL=$(realpath "./zcutil") |
|||
|
|||
cp "./src/fuzzing/$FUZZ_CASE/fuzz.cpp" src/fuzz.cpp |
|||
|
|||
CONFIGURE_FLAGS="--enable-tests=no --enable-fuzz-main" "$ZCUTIL/build.sh" "CC=$ZCUTIL/afl/zcash-wrapper-gcc" "CXX=$ZCUTIL/afl/zcash-wrapper-g++" AFL_HARDEN=1 "$@" |
|||
|
|||
echo "You can now run AFL as follows:" |
|||
echo "$ ./zcutil/afl/afl-run.sh '$AFL_INSTALL_DIR' '$FUZZ_CASE'" |
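Review bot: `export AFL_INSTALL_DIR=$(realpath "$1")` and `export ZCUTIL=$(realpath "./zcutil")` mask the exit status of `realpath`, because `export` returns 0 regardless, so `set -e` does not stop the script when `$1` does not exist and an empty `AFL_INSTALL_DIR` is exported into the build. Split them into `AFL_INSTALL_DIR=$(realpath "$1")` followed by `export AFL_INSTALL_DIR`, and likewise for `ZCUTIL`. The build line also passes `CC=$ZCUTIL/afl/zcash-wrapper-gcc` and `CXX=$ZCUTIL/afl/zcash-wrapper-g++`, while the wrapper script added in this commit only recognises `*hush-wrapper-gcc` and `*hush-wrapper-g++` in its `case $0`; unless wrapper files with the `zcash-` prefix exist outside this commit, the configured compiler will not be found, so the two names should be aligned in one place or the other.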
@ -0,0 +1,33 @@ |
|||
#!/usr/bin/env bash |
|||
# Obtains and builds a copy of AFL from source. |
|||
# ./zcutil/afl/afl-get.sh <directory to build and install AFL in> |
|||
|
|||
set -eu -o pipefail |
|||
|
|||
mkdir -p "$1" |
|||
cd "$1" |
|||
|
|||
if [ ! -z "$(ls -A .)" ]; then |
|||
echo "$1 is not empty. This script will only attempt to build AFL in an empty directory." |
|||
exit 1 |
|||
fi |
|||
|
|||
# Get the AFL source |
|||
rm -f afl-latest.tgz |
|||
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz |
|||
sha256sum afl-latest.tgz | grep '43614b4b91c014d39ef086c5cc84ff5f068010c264c2c05bf199df60898ce045' |
|||
if [ "$?" != "0" ] |
|||
then |
|||
echo "Wrong SHA256 hash for afl" |
|||
exit |
|||
fi |
|||
tar xvf afl-latest.tgz |
|||
mv afl-*/* . |
|||
|
|||
# Build AFL |
|||
make |
|||
|
|||
echo "You can now build zcashd with AFL instrumentation as follows:" |
|||
echo "$ make clean # if you've already built zcashd without AFL instrumentation" |
|||
echo "$ ./zcutil/afl/afl-build.sh '$(pwd)' <fuzz case> -j\$(nproc)" |
|||
echo "...where <fuzz case> is the name of a directory in src/fuzzing." |
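Review bot: The hash check on the `sha256sum afl-latest.tgz | grep …` line does not fail closed: under `set -e` a non-matching grep aborts the script before the following `if [ "$?" != "0" ]` is evaluated, and if that branch were reached its bare `exit` would return status 0, so a mismatch would not be reported as a failure to a caller such as the getbuildrun script. Since the tarball is fetched over plain HTTP, this pinned digest is the only integrity check on what `make` then builds, so it should be the step that stops the script explicitly: `printf '%s  afl-latest.tgz\n' '43614b4b91c014d39ef086c5cc84ff5f068010c264c2c05bf199df60898ce045' | sha256sum -c - || { echo "Wrong SHA256 hash for afl" >&2; exit 1; }`. The removed `if`/`fi` block then becomes unnecessary.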
@ -0,0 +1,20 @@ |
|||
#!/usr/bin/env bash |
|||
# Builds AFL and an instrumented zcashd, then begins fuzzing. |
|||
# This script must be run from within the top level directory of a zcash clone. |
|||
# Pass it the name of a directory in ./src/fuzzing. |
|||
# Additional arguments are passed-through to AFL. |
|||
|
|||
set -eu -o pipefail |
|||
|
|||
FUZZ_CASE="$1" |
|||
shift 1 |
|||
|
|||
export AFL_INSTALL_DIR=$(realpath "./afl-temp") |
|||
|
|||
if [ ! -d "$AFL_INSTALL_DIR" ]; then |
|||
mkdir "$AFL_INSTALL_DIR" |
|||
./zcutil/afl/afl-get.sh "$AFL_INSTALL_DIR" |
|||
fi |
|||
|
|||
./zcutil/afl/afl-build.sh "$AFL_INSTALL_DIR" "$FUZZ_CASE" -j$(nproc) |
|||
./zcutil/afl/afl-run.sh "$AFL_INSTALL_DIR" "$FUZZ_CASE" "$@" |
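Review bot: The `[ ! -d "$AFL_INSTALL_DIR" ]` guard checks only that `./afl-temp` exists, not that AFL was actually built, so a run that aborts inside afl-get.sh (a failed download, hash check or `make`) leaves the directory in place and every later invocation skips straight to afl-build.sh against an incomplete install. Testing for the built binary instead, `if [ ! -x "$AFL_INSTALL_DIR/afl-fuzz" ]; then`, makes the fetch-and-build step repeat until it has succeeded; afl-get.sh's own non-empty-directory check would then refuse the partial tree, which is the clearer failure. On the afl-build.sh line, `-j$(nproc)` is unquoted; `-j"$(nproc)"` matches the quoting style of the rest of the script.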
@ -0,0 +1,9 @@ |
|||
#!/usr/bin/env bash |
|||
|
|||
set -eu -o pipefail |
|||
|
|||
AFL_INSTALL_DIR="$1" |
|||
FUZZ_CASE="$2" |
|||
shift 2 |
|||
|
|||
"$AFL_INSTALL_DIR/afl-fuzz" -i "./src/fuzzing/$FUZZ_CASE/input" -o "./src/fuzzing/$FUZZ_CASE/output" "$@" ./src/zcashd @@ |
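Review bot: This script has no header comment, unlike afl-build.sh and afl-get.sh in the same commit, which state their argument order at the top. Add `# Runs afl-fuzz against the instrumented zcashd produced by afl-build.sh:` and `# ./zcutil/afl/afl-run.sh <directory where AFL is installed> <fuzz case> [extra afl-fuzz arguments]` above `set -eu`, since the positional order is otherwise only discoverable from the `shift 2` and the final command. That comment should also say that the extra arguments are inserted before `./src/zcashd` and are therefore afl-fuzz options, not arguments to the target binary.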
@ -0,0 +1,48 @@ |
|||
#!/usr/bin/env bash |
|||
|
|||
set -ex -o pipefail |
|||
|
|||
export ARGS=$@ |
|||
|
|||
instrument=( |
|||
"\/src$" |
|||
|
|||
) |
|||
|
|||
if [ "$override_instrument" != "" ] |
|||
then |
|||
instrument = $override_instrument |
|||
fi |
|||
|
|||
# Store the command line we were given to a file |
|||
|
|||
(echo "$ARGS" ; pwd) >> "$AFL_LOG_DIR/hush-build-wrapper.log" |
|||
|
|||
# Work out which compiler we were called as |
|||
|
|||
case $0 in |
|||
*hush-wrapper-g++) |
|||
COMPILER="g++" |
|||
;; |
|||
*hush-wrapper-gcc) |
|||
COMPILER="gcc" |
|||
;; |
|||
*hush-wrapper) |
|||
echo "Call this script instead of your regular compiler, and if the absolute path of the CWD the wrapper was called from matches a regex in the array 'instrument', it will call AFL to instrument the resulting binary. Otherwise it will call either g++ or gcc depending on how it was invoked. \$AFL_INSTALL_DIR must be set to the path where AFL is installed." |
|||
exit |
|||
;; |
|||
esac |
|||
|
|||
# Check if we should instrument |
|||
|
|||
for i in "${instrument[@]}" |
|||
do |
|||
if echo -- "`pwd`" | grep "$i"; then |
|||
# We found a match, let's instrument this one. |
|||
echo "Matched directory `pwd` to instrument element $i. Instrumenting this call." >> "$AFL_LOG_DIR/hush-build-wrapper.log" |
|||
exec -- "$AFL_INSTALL_DIR/afl-$COMPILER" "$@" |
|||
fi |
|||
done |
|||
|
|||
# No match, just pass-through. |
|||
exec -- "$COMPILER" "$@" |
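Review bot: `instrument = $override_instrument` on the override line is not an assignment: with spaces around `=`, bash runs a command named `instrument` with the arguments `=` and the override value, which fails and, under `set -e`, aborts the wrapper precisely when `override_instrument` is set. The array assignment is `instrument=("$override_instrument")`. The `case $0` has no default arm, so a call under any other name leaves `COMPILER` empty and the closing `exec -- "$COMPILER" "$@"` fails with an unhelpful error; `*) echo "unrecognised wrapper name: $0" >&2; exit 1 ;;` makes that explicit. The `grep "$i"` in the match loop also prints the matched working directory to the compiler's stdout; `grep -q` keeps the wrapper's output the same as the real compiler's.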
@ -0,0 +1 @@ |
|||
hush-wrapper |
@ -0,0 +1 @@ |
|||
hush-wrapper |