How to run provided fuzzer locally?

[mirusu400]

Hello. I'm trying to run AFL (or libfuzzer) and fuzzing given harnesses in fuzz/C++/fuzz_process....

I'm trying to build and running fuzzer locally, but It doesn't work than I thought.

On fuzz_XMLProfiles

• Using AFL, I cannot get stdin and serve stdin into LLVMFuzzerTestOneInput.

• Using libfuzzer, I have an error with this log:

./fuzz_XMLProfiles -trace_malloc=[12] ../fuzz_XMLProfiles_seed_corpus/
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 291792502
INFO: Loaded 1 modules   (285 inline 8-bit counters): 285 [0x5631d60417e0, 0x5631d60418fd), 
INFO: Loaded 1 PC tables (285 PCs): 285 [0x5631d6041900,0x5631d6042ad0), 
INFO:       20 files found in ../fuzz_XMLProfiles_seed_corpus/
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: seed corpus: files: 20 min: 1b max: 1784b total: 6909b rss: 41Mb
#41     INITED cov: 23 ft: 24 corp: 1/1b exec/s: 0 rss: 50Mb
#1024   pulse  cov: 23 ft: 24 corp: 1/1b lim: 11 exec/s: 512 rss: 74Mb
INFO: libFuzzer disabled leak detection after every mutation.
      Most likely the target function accumulates allocated
      memory in a global state w/o actually leaking it.
      You may try running this binary with -trace_malloc=[12]      to get a trace of mallocs and frees.
      If LeakSanitizer is enabled in this process it will still
      run on the process shutdown.
#4096   pulse  cov: 23 ft: 24 corp: 1/1b lim: 43 exec/s: 585 rss: 121Mb
#8192   pulse  cov: 23 ft: 24 corp: 1/1b lim: 80 exec/s: 1170 rss: 183Mb
#16384  pulse  cov: 23 ft: 24 corp: 1/1b lim: 163 exec/s: 2340 rss: 306Mb
#32768  pulse  cov: 23 ft: 24 corp: 1/1b lim: 325 exec/s: 4681 rss: 451Mb
#65536  pulse  cov: 23 ft: 24 corp: 1/1b lim: 652 exec/s: 8192 rss: 459Mb
#131072 pulse  cov: 23 ft: 24 corp: 1/1b lim: 1300 exec/s: 14563 rss: 471Mb
#262144 pulse  cov: 23 ft: 24 corp: 1/1b lim: 2600 exec/s: 21845 rss: 494Mb
#524288 pulse  cov: 23 ft: 24 corp: 1/1b lim: 4096 exec/s: 29127 rss: 537Mb
#1048576     pulse  cov: 23 ft: 24 corp: 1/1b lim: 4096 exec/s: 34952 rss: 627Mb
#2097152     pulse  cov: 23 ft: 24 corp: 1/1b lim: 4096 exec/s: 39568 rss: 807Mb
#4194304     pulse  cov: 23 ft: 24 corp: 1/1b lim: 4096 exec/s: 39945 rss: 1168Mb
#8388608     pulse  cov: 23 ft: 24 corp: 1/1b lim: 4096 exec/s: 38304 rss: 1881Mb
==216270== ERROR: libFuzzer: out-of-memory (used: 2049Mb; limit: 2048Mb)
   To change the out-of-memory limit use -rss_limit_mb=<N>

Live Heap Allocations: 890565950 bytes in 18627729 chunks; quarantined: 160221426 bytes in 388797 chunks; 306174 other chunks; total chunks: 19322700; showing top 95% (at most 8 unique contexts)
670496688 byte(s) (75%) in 9312454 allocation(s)
...

On fuzz_processCDRMsg

• Using AFL, I cannot get stdin and serve stdin into LLVMFuzzerTestOneInput.

• Using libfuzzer, I got and error:

./fuzz_processCDRMsg 
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 4270052035
INFO: Loaded 1 modules   (112 inline 8-bit counters): 112 [0x55a9dc024e38, 0x55a9dc024ea8), 
INFO: Loaded 1 PC tables (112 PCs): 112 [0x55a9dc024ea8,0x55a9dc0255a8), 
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 58Mb
AddressSanitizer:DEADLYSIGNAL
=================================================================
==196132==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000008c8 (pc 0x55a9da87760f bp 0x7ffe0e6c03b0 sp 0x7ffe0e6c02c0 T0)
==196132==The signal is caused by a READ memory access.
==196132==Hint: address points to the zero page.
    #0 0x55a9da87760f in std::__shared_ptr<bool, (__gnu_cxx::_Lock_policy)2>::operator bool() const /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/shared_ptr_base.h:1670:16
    #1 0x55a9da87760f in eprosima::fastrtps::rtps::security::SecurityManager::is_security_active() const /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/security/SecurityManager.h:310:13
    #2 0x55a9da87760f in eprosima::fastrtps::rtps::RTPSParticipantImpl::is_secure() const /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/participant/RTPSParticipantImpl.h:411:35
    #3 0x55a9da87760f in eprosima::fastrtps::rtps::MessageReceiver::MessageReceiver(eprosima::fastrtps::rtps::RTPSParticipantImpl*, unsigned int) /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/src/cpp/rtps/messages/MessageReceiver.cpp:59:32
    #4 0x55a9da874934 in LLVMFuzzerTestOneInput /mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/fuzz/C++/fuzz_processCDRMsg/fuzz_processCDRMsg.cxx:28:32
    #5 0x55a9da724b40 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/runner/work/llvm-project/llvm-project/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #6 0x55a9da724365 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/runner/work/llvm-project/llvm-project/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:516:7
    #7 0x55a9da725b35 in fuzzer::Fuzzer::MutateAndTestOne() /home/runner/work/llvm-project/llvm-project/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:760:19
    #8 0x55a9da726925 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /home/runner/work/llvm-project/llvm-project/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:905:5
    #9 0x55a9da714db3 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/runner/work/llvm-project/llvm-project/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:911:6
    #10 0x55a9da7411d2 in main /home/runner/work/llvm-project/llvm-project/final/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7fee95e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7fee95e29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x55a9da705ef4 in _start (/mnt/EAE2CD0AE2CCDBC7/Fast-DDS/Fast-DDS/fuzz/C++/fuzz_processCDRMsg/build/fuzz_processCDRMsg+0x6e3ef4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/shared_ptr_base.h:1670:16 in std::__shared_ptr<bool, (__gnu_cxx::_Lock_policy)2>::operator bool() const
==196132==ABORTING
MS: 5 CrossOver-ChangeByte-InsertRepeatedBytes-ChangeByte-InsertRepeatedBytes-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0x41,0x2a,0x2a,0x2a,0x2a,0x2a,0x2a,0x2a,0x2a,0x2a,0x24,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
A*********$\000\000\000\000\000\000\000\000\000\000
artifact_prefix='./'; Test unit written to ./crash-11deb247439df0a5bd0bb85b9277021bd6daeef5
Base64: QSoqKioqKioqKiQAAAAAAAAAAAAA

---

I have three questions.

1. Is there any documentation about fuzzing FastDDS locally? I cannot found any documentation or issue / discussions in FastDDS repo.

2. In AFL, how can I serve stdin into LLVMFuzzerTestOneInput harness?

3. Why my libfuzzer doesn't work properly in my environment? I'm using clang/llvm 17, am I do something wrong?

[MiguelCompany]

@mirusu400 You could take a look at how it is done in OSS-fuzz here

[mirusu400]

@MiguelCompany I already checked dockerfile and yaml files, and now I also can run libfuzzer or afl++ using LLVMFuzzerTestOneInput harness, but how can run in AFL?

AFL always takes stdin as an input, but the code doesn't have stdin input, even main funcrtion.

[ZX41R]

For AFL++, you do not need to rewrite the harness to read stdin. These are libFuzzer-style targets, so build them with AFL++'s libFuzzer compatibility driver.

The short version is:

afl-clang-fast++ -o fuzz_XMLProfiles \
  fuzz_XMLProfiles.cxx fuzz_utils.cxx \
  /path/to/libAFLDriver.a \
  ...same Fast-DDS libs...

afl-fuzz -i fuzz_XMLProfiles_seed_corpus -o out -- ./fuzz_XMLProfiles @@

AFL++ also supports - if you want stdin instead of @@, but @@ is usually simpler for these harnesses. If your normal libFuzzer command is built with clang++ -fsanitize=fuzzer, the AFL++ docs also describe replacing clang++ with afl-clang-fast++; the compiler wrapper inserts the driver.

For the two runtime failures, they look like separate harness issues rather than LLVM 17 being wrong:

• fuzz_XMLProfiles calls DomainParticipantFactory::get_instance()->load_XML_profiles_string(...) on every iteration and never resets global factory/profile state. libFuzzer is telling you exactly that: the target accumulates state across iterations, so per-iteration leak checking gets disabled and RSS grows until the fuzzer limit kills it. As a sanity check, run ./fuzz_XMLProfiles -runs=1 crash_or_seed and compare that to a long fuzzing run. The real fix is either to clear the loaded profiles/state after each iteration or restructure the harness so the global state is not unbounded.

• fuzz_processCDRMsg constructs MessageReceiver(NULL, MAX_SIZE). Your ASan trace dies at RTPSParticipantImpl::is_secure(), reached from the MessageReceiver constructor, so the harness is dereferencing the null participant before the input bytes matter. That target needs a real/minimal RTPSParticipantImpl or a test double that satisfies the constructor's security-manager path. Until then, AFL/libFuzzer will just rediscover the same harness crash.

So I would first make both targets deterministic for -runs=1 with a single seed, then move to AFL++/libFuzzer. Otherwise the fuzzer is measuring harness lifetime problems, not CDR/XML parser behavior.