From b6f9a3747f9eab12e291445fb73888a6335a7836 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Fri, 30 Jul 2021 16:20:25 +0100
Subject: [PATCH 1/2] Add sanitizer flags when fuzzing.
---
 cmake/compilerFlags.cmake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmake/compilerFlags.cmake b/cmake/compilerFlags.cmake
index 8459fa0e..6c0658ce 100644
--- a/cmake/compilerFlags.cmake
+++ b/cmake/compilerFlags.cmake
@@ -83,7 +83,7 @@ if ( MINGW OR UNIX OR MSYS ) # MINGW, Linux, APPLE, CYGWIN
 endif()
 elseif( COMPILER_IS_CLANG )
 if ( EXIV2_BUILD_FUZZ_TESTS )
- set(SANITIZER_FLAGS "-fsanitize=fuzzer-no-link")
+ set(SANITIZER_FLAGS "-fsanitize=fuzzer-no-link,address,undefined")
 elseif ( CMAKE_CXX_COMPILER_VERSION VERSION_GREATER 4.9 )
 set(SANITIZER_FLAGS "-fno-omit-frame-pointer -fsanitize=address,undefined -fno-sanitize-recover=all")
 elseif ( CMAKE_CXX_COMPILER_VERSION VERSION_GREATER 3.4 )
From 89abcad1247d06ad2aeef6a1329788199f4a9c35 Mon Sep 17 00:00:00 2001
From: Kevin Backhouse
Date: Sun, 8 Aug 2021 11:38:31 +0100
Subject: [PATCH 2/2] Add LSAN suppressions.
---
 .github/workflows/on_PR_linux_fuzz.yml | 2 +-
 fuzz/README.md | 2 +-
 fuzz/fuzzloop.sh | 4 ++--
 fuzz/knownleaks.txt | 4 ++++
 4 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 fuzz/knownleaks.txt
diff --git a/.github/workflows/on_PR_linux_fuzz.yml b/.github/workflows/on_PR_linux_fuzz.yml
index 21b3bc71..6ddfeead 100644
--- a/.github/workflows/on_PR_linux_fuzz.yml
+++ b/.github/workflows/on_PR_linux_fuzz.yml
@@ -27,4 +27,4 @@ jobs:
 run: |
 cd build
 mkdir corpus
- ./bin/fuzz-read-print-write corpus ../test/data/ -dict=../fuzz/exiv2.dict -jobs=$(nproc) -workers=$(nproc) -max_total_time=120 -max_len=4096
+ LSAN_OPTIONS=suppressions=../fuzz/knownleaks.txt ./bin/fuzz-read-print-write corpus ../test/data/ -dict=../fuzz/exiv2.dict -jobs=$(nproc) -workers=$(nproc) -max_len=4096 -max_total_time=120
diff --git a/fuzz/README.md b/fuzz/README.md
index 326c71cf..7d0fb596 100644
--- a/fuzz/README.md
+++ b/fuzz/README.md
@@ -19,7 +19,7 @@ This is the command to run the fuzzer for 2 minutes:
 ```bash
 cd /build-fuzz
 mkdir corpus
-./bin/fuzz-read-print-write corpus ../test/data/ -dict=../fuzz/exiv2.dict -jobs=$(nproc) -workers=$(nproc) -max_total_time=120
+LSAN_OPTIONS=suppressions=../fuzz/knownleaks.txt ./bin/fuzz-read-print-write corpus ../test/data/ -dict=../fuzz/exiv2.dict -jobs=$(nproc) -workers=$(nproc) -max_len=20480 -max_total_time=120
 ```
 Alternatively, a simple script is provided for running the fuzzer in a continuous loop:
diff --git a/fuzz/fuzzloop.sh b/fuzz/fuzzloop.sh
index 07a57102..8b6c8193 100755
--- a/fuzz/fuzzloop.sh
+++ b/fuzz/fuzzloop.sh
@@ -15,11 +15,11 @@ do
 mv corpus/ corpus2
 mkdir corpus
 echo minimizing corpus
- ./bin/fuzz-read-print-write -merge=1 corpus ../test/data/ corpus2/
+ LSAN_OPTIONS=suppressions=../fuzz/knownleaks.txt ./bin/fuzz-read-print-write -merge=1 corpus ../test/data/ corpus2/ -max_len=20480
 rm -r corpus2
 # Run the fuzzer for 4 hours
 date
 echo start fuzzer
- ./bin/fuzz-read-print-write corpus -dict=../fuzz/exiv2.dict -jobs=$(nproc) -workers=$(nproc) -max_total_time=14400
+ LSAN_OPTIONS=suppressions=../fuzz/knownleaks.txt ./bin/fuzz-read-print-write corpus -dict=../fuzz/exiv2.dict -jobs=$(nproc) -workers=$(nproc) -max_len=20480 -max_total_time=14400
 done
diff --git a/fuzz/knownleaks.txt b/fuzz/knownleaks.txt
new file mode 100644
index 00000000..b2ef2667
--- /dev/null
+++ b/fuzz/knownleaks.txt
@@ -0,0 +1,4 @@
+# Known memory leak in expat, caused by xmpsdk throwing an exception.
+# See https://github.com/Exiv2/exiv2/issues/1821
+leak:libexpat.so
+
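Review bot: The fuzz branch on the `+` line turns on ASan and UBSan but, unlike the non-fuzz Clang branch two context lines below it, omits `-fno-sanitize-recover=all` and `-fno-omit-frame-pointer`; in UBSan's default recoverable mode most undefined-behaviour reports are printed and execution continues, so libFuzzer never sees them as a crash and the fuzz job stays green. Suggested line: `set(SANITIZER_FLAGS "-fno-omit-frame-pointer -fsanitize=fuzzer-no-link,address,undefined -fno-sanitize-recover=all")`, with a comment above it such as `# abort on UB so libFuzzer records it as a crash; keep frame pointers for usable ASan traces`. The enclosing `if ( MINGW OR UNIX OR MSYS )` block starts before the hunk and the place where SANITIZER_FLAGS is consumed is not visible here, so presumably it is appended to the compile and link flags as the other branches expect; worth confirming that the fuzz branch goes through the same path.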
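Review bot: The CI invocation on the `+` line keeps `-max_len=4096` while the fuzz/README.md command in this same patch, presented as the same 2-minute run, and fuzzloop.sh both use `-max_len=20480`, so someone reproducing a CI finding from the README fuzzes under a different input bound. If the smaller limit is deliberate for the 120 s budget, a comment on the line above the command would stop the two from drifting, e.g. `# -max_len is smaller than in fuzz/README.md to fit the 120 s CI budget`; otherwise the values should be aligned. The `run: |` step and the surrounding job definition begin before the hunk.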
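Review bot: Both `+` lines now repeat the same `LSAN_OPTIONS=suppressions=../fuzz/knownleaks.txt` prefix and the same `-max_len=20480`, so a change to the suppression path or the size limit has to be made twice inside the loop and the merge and fuzz invocations can silently drift apart. Setting them once above the loop, `export LSAN_OPTIONS=suppressions=../fuzz/knownleaks.txt` and `MAX_LEN=20480`, and passing `-max_len=$MAX_LEN` on both commands keeps them in step. The loop that encloses these lines opens before the hunk (`do` is only visible as the hunk context), so the export would sit above that loop.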
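Review bot: `leak:libexpat.so` on the third `+` line is a module-wide pattern, so it silences every leak whose stack contains a libexpat.so frame, not only the xmpsdk-exception leak that the comment and issue 1821 describe, and a genuinely new expat leak would go unreported in CI. It also stops matching if expat is ever linked statically or under another module name, at which point the known report reappears. That trade-off belongs in the file, e.g. `# NOTE: module-wide pattern; hides every leak with a libexpat.so frame, not just #1821 -- revisit once that issue is fixed`, and if the stack in the issue identifies a specific xmpsdk or expat function, a `leak:<function>` pattern would be a narrower suppression.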