NAME
FUZZER_INIT, FUZZER_TEARDOWN, FUZZER_TARGET_BUFFER, FUZZER_TARGET_FILE — fuzzer macros
SYNOPSIS
#include <libks/fuzzer.h>
FUZZER_INIT(void *(*cb)(int argc, char *argv[]));
FUZZER_TEARDOWN(void (*cb)(void *userdata));
FUZZER_TARGET_BUFFER(void (*cb)(const struct buffer *bf, void *userdata));
FUZZER_TARGET_FILE(void (*cb)(const char *path, void *userdata));
DESCRIPTION
The fuzzer macros can be used to create fuzzing targets compatible
with both American Fuzzy Lop (AFL) and libFuzzer (LLVM). The fuzzer
engine is selected at compile time by defining either the
FUZZER_AFL or the FUZZER_LLVM
preprocessor macro.
The
FUZZER_INIT()
macro is used to declare cb as an initialization
function that will be called once during program startup, before invoking
FUZZER_TARGET_BUFFER() or
FUZZER_TARGET_FILE(). The returned pointer is later
passed to FUZZER_TEARDOWN(),
FUZZER_TARGET_BUFFER() and
FUZZER_TARGET_FILE().
The
FUZZER_TEARDOWN()
macro is used to declare cb as a teardown function
that will be called once before program exit. The
userdata is the returned value from
FUZZER_INIT().
The
FUZZER_TARGET_BUFFER()
macro is used to declare cb as the fuzzer target. The
fuzzer input can be accessed through bf. The
userdata is the returned value from
FUZZER_INIT(). Mutually exclusive with
FUZZER_TARGET_FILE().
The
FUZZER_TARGET_FILE()
macro is used to declare cb as the fuzzer target. The
fuzzer input is written to a file whose location is given by path. The
userdata is the returned value from
FUZZER_INIT(). Mutually exclusive with
FUZZER_TARGET_BUFFER().
EXAMPLES
The following example demonstrates how to compile a translation unit targeting either AFL or LLVM.
$ cat fuzzer.c
#include <err.h>
#include <stdlib.h>
#include "libks/buffer.h"
#include "libks/fuzzer.h"

/* State owned by the target; allocated once and shared by every input. */
struct context {
	unsigned long inputs;
};

/* The code under test, defined elsewhere in the program. */
void process_input(struct context *, const char *, size_t);

/* Called once at startup; the returned pointer becomes userdata. */
static void *
init(int argc, char *argv[])
{
	struct context *c;

	c = calloc(1, sizeof(*c));
	if (c == NULL)
		err(1, NULL);
	return c;
}
FUZZER_INIT(init);

/* Called once before exit with the pointer returned by init(). */
static void
teardown(void *userdata)
{
	struct context *c = userdata;

	free(c);
}
FUZZER_TEARDOWN(teardown);

/* Called once per fuzzer input; bf is a read-only view of the input. */
static void
target(const struct buffer *bf, void *userdata)
{
	struct context *c = userdata;
	const char *buf = buffer_get_ptr(bf);
	size_t buflen = buffer_get_len(bf);

	c->inputs++;
	process_input(c, buf, buflen);
}
FUZZER_TARGET_BUFFER(target);
Compile targeting AFL:
$ cc -DFUZZER_AFL fuzzer.c
Compile targeting LLVM:
$ cc -DFUZZER_LLVM -fsanitize=fuzzer fuzzer.c
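The following is an added example, not code from libks or the manual above. It shows what the FUZZER_INIT(), FUZZER_TARGET_BUFFER() and FUZZER_TEARDOWN() callbacks have to glue together for each engine: libFuzzer calls LLVMFuzzerInitialize() once and LLVMFuzzerTestOneInput() per input in one long-lived process, while an AFL build is a normal program that reads one input from stdin. The struct buffer and its accessors are stand-ins (an assumption) so the file builds without libks; struct context, parse_tlv() and run_one() are hypothetical, and the #if block sketches the engine entry points, not libks' actual macro expansion. The target parses a constructed TLV format with every read bounds-checked, which is the shape of code worth fuzzing.

```c
/*
 * Added example, not libks code. struct buffer and its accessors are
 * stand-ins (assumption) so this builds without libks; the #if block
 * shows the entry points each engine expects, not libks' macro bodies.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct buffer { const char *ptr; size_t len; };		/* stand-in */
static const char *buffer_get_ptr(const struct buffer *bf) { return bf->ptr; }
static size_t buffer_get_len(const struct buffer *bf) { return bf->len; }

/* Per-process state: created by init(), handed to target(), freed by teardown(). */
struct context {
	unsigned long records;	/* well-formed records seen so far */
	unsigned long rejected;	/* inputs rejected as malformed */
};

static void *
init(int argc, char *argv[])
{
	struct context *c = calloc(1, sizeof(*c));

	(void)argc; (void)argv;
	if (c == NULL)
		abort();
	return c;
}

static void
teardown(void *userdata)
{
	free(userdata);
}

/*
 * Code under test (hypothetical format): TLV records of 1-byte type,
 * 1-byte length, payload. Returns the record count, or -1 for a truncated
 * or over-long record. Every read is checked against len first.
 */
static int
parse_tlv(const unsigned char *buf, size_t len)
{
	size_t off = 0;
	int n = 0;

	while (off < len) {
		size_t plen;

		if (len - off < 2)
			return -1;		/* header cut off */
		plen = buf[off + 1];
		if (plen > len - off - 2)
			return -1;		/* payload runs past the input */
		off += 2 + plen;
		n++;
	}
	return n;
}

/* The fuzzer target: read-only view of the input, state via userdata. */
static void
target(const struct buffer *bf, void *userdata)
{
	struct context *c = userdata;
	const unsigned char *buf = (const unsigned char *)buffer_get_ptr(bf);
	int n = parse_tlv(buf, buffer_get_len(bf));

	if (n < 0)
		c->rejected++;
	else
		c->records += (unsigned long)n;
}

/* Stand-alone check: one init/target/teardown cycle; -1 if the input was rejected. */
int
run_one(const unsigned char *data, size_t len)
{
	struct context *c = init(0, NULL);
	struct buffer bf = { (const char *)data, len };
	int ret;

	target(&bf, c);
	ret = c->rejected ? -1 : (int)c->records;
	teardown(c);
	return ret;
}

#if defined(FUZZER_LLVM)
/* libFuzzer: initialize once, then one call per generated input. */
static void *userdata;
int LLVMFuzzerInitialize(int *argc, char ***argv) { userdata = init(*argc, *argv); return 0; }
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	struct buffer bf = { (const char *)data, size };

	target(&bf, userdata);
	return 0;
}
#else
/* AFL-style driver: the engine runs the binary once per input on stdin. */
int
main(int argc, char *argv[])
{
	unsigned char buf[1 << 16];	/* assumption: inputs capped at 64 KiB */
	size_t len = fread(buf, 1, sizeof(buf), stdin);
	struct context *c = init(argc, argv);
	struct buffer bf = { (const char *)buf, len };

	target(&bf, c);
	printf("records=%lu rejected=%lu\n", c->records, c->rejected);
	teardown(c);
	return 0;
}
#endif
```

Two practical caveats follow from this shape. Under libFuzzer, init() runs once and the same context is reused for every input in the process, so anything the target leaves behind in it leaks into later runs; keep per-input state local or reset it at the top of the target, or a crash the fuzzer reports will not reproduce from its saved input alone. For an AFL build, compile with AFL's compiler wrapper (afl-gcc or afl-clang-fast for classic AFL, afl-cc for AFL++) in place of cc so the binary carries coverage instrumentation; plain cc produces a harness AFL can run but not guide.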
SEE ALSO
AUTHORS
Anton Lindqvist <anton@basename.se>