Hello,
i hope this is the right place to ask. I’m currently working on my bachelor thesis which compares fuzzing tools.
So i used libFuzzer to test some files (with AdressSanitizer)
It found heap buffer overflow. How i understand is that the input which cause this error, should be written in the crash file.
But my crash file is empty. So does that mean, that libFuzzer found the overflow without an input or where can i find the input which caused the buffer overflow?
Sincerely Yours
Wingkin Mak
Hello,
When it found some defect, it should print a line like this:
artifact_prefix='./'; Test unit written to
./crash-b13e8756b13a00cf168300179061fb4b91fefbed
(see: http://llvm.org/docs/LibFuzzer.html)
That file should contain a data caused a crash, you can even try it
out with calling your fuzzer binary ./test
./crash-b13e8756b13a00cf168300179061fb4b91fefbed (using it as an
argument will cause it to run with that input).
The generated file prefix can be other than `crash-`, based on quick
grepping in source:
FuzzerLoop.cpp
132: DumpCurrentUnit("oom-");
176:void Fuzzer::DumpCurrentUnit(const char *Prefix) {
193: DumpCurrentUnit("crash-");
238: DumpCurrentUnit("crash-");
252: DumpCurrentUnit("crash-");
298: DumpCurrentUnit("timeout-");
317: DumpCurrentUnit("oom-");
559: DumpCurrentUnit("crash-");
693: DumpCurrentUnit("leak-");
Maybe your unit under test has heap overflow with empty string ?