diff --git a/.github/workflows/blank.yml b/.github/workflows/blank.yml deleted file mode 100644 index 19a95dc..0000000 --- a/.github/workflows/blank.yml +++ /dev/null @@ -1,52 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: CI - -# Controls when the action will run. -on: - # Triggers the workflow on push or pull request events but only for the main branch - push: - branches: [ main ] - pull_request: - branches: [ main ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - name: Check out the repo - uses: actions/checkout@v2 - - # Login to remote registry - - name: Docker login - run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD - env: - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - - # Build images so that they're ready to be pushed - - name: Build images - env: - MAYHEM_DOCKER_REGISTRY: docker.io - run: make build - - # Push images to dockerhub - - name: Push images - env: - MAYHEM_DOCKER_REGISTRY: docker.io - run: make push - - # Runs a set of commands using the runners shell - - name: Run a multi-line script - run: | - echo Add other actions to build, - echo test, and deploy your project. diff --git a/.github/workflows/build-linux-docker.yml b/.github/workflows/build-linux-docker.yml new file mode 100644 index 0000000..cc81620 --- /dev/null +++ b/.github/workflows/build-linux-docker.yml 
@@ -0,0 +1,48 @@ +name: Build Linux Docker Images for Mayhem + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Free Disk Space (Ubuntu) + uses: jlumbroso/free-disk-space@main + with: + # this might remove tools that are actually needed, + # if set to "true" but frees about 6 GB + tool-cache: false + + # all of these default to true, but feel free to set to + # "false" if necessary for your workflow + android: true + dotnet: true + haskell: true + large-packages: true + docker-images: true + swap-storage: true + + - name: Check out the repo + uses: actions/checkout@v5 + + - name: Docker login + run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD + env: + DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} + DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} + + - name: Build images + env: + MAYHEM_DOCKER_REGISTRY: docker.io + run: make build + + - name: Push images + env: + MAYHEM_DOCKER_REGISTRY: docker.io + run: make push diff --git a/.github/workflows/build-windows.yml b/.github/workflows/build-windows.yml new file mode 100644 index 0000000..f4902bb --- /dev/null +++ b/.github/workflows/build-windows.yml 
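Review bot: The `Push images` step runs on `pull_request` events as well as `push`, so a PR branch from the same repository that reaches `make push` publishes images to docker.io before the change is reviewed; gate the login and push steps with `if: github.event_name != 'pull_request'` (or drop `pull_request` from this workflow's triggers and keep only the build on PRs). The `Docker login` step also passes the secret on the command line (`docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD`), which Docker itself warns against because the value can appear in process listings and logs; use `echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin`. `jlumbroso/free-disk-space@main` is a third-party action pinned to a mutable branch inside a job that holds registry credentials, so a change to that branch runs with access to the secrets; pin it to a full commit SHA as is done for no action in this file yet. A top-level `permissions:` block granting only `contents: read` would additionally scope the default GITHUB_TOKEN for this job.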
@@ -0,0 +1,67 @@ +name: Build Windows Targets for Mayhem + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + workflow_dispatch: + +jobs: + build: + runs-on: windows-latest + steps: + - name: Check out the repo + uses: actions/checkout@v5 + + - name: Setup Developer Command Prompt + uses: TheMrMilchmann/setup-msvc-dev@v3 + with: + arch: x64 + + - name: Build Windows C++ targets + run: | + cl.exe cpp\windows\base-executable\msvc-cpp-base-executable\src\fuzz_target.cpp /nologo /Zi /FS /MDd /EHsc /Fo: "fuzz_target_msvc.obj" /Fe: "fuzz_target_msvc.exe" + clang++.exe cpp\windows\base-executable\clang-cpp-base-executable\src\fuzz_target.cpp -g -O1 -o fuzz_target_clang.exe + clang++.exe cpp\windows\libfuzzer\src\libfuzzer_target.cpp -g -O1 -fsanitize=fuzzer -o fuzz_target_libfuzzer.exe + g++.exe cpp\windows\base-executable\gcc-cpp-base-executable\src\fuzz_target.cpp -g -O1 -o fuzz_target_mingw.exe + + - name: Build Windows C# targets + run: | + csc.exe /unsafe /nologo /out:/dotnet_fuzz.exe csharp\windows\base-executable\csharp-base-executable\src\dotnet_fuzz.cs + + # - name: Install Mayhem + # shell: pwsh + # run: | + # Invoke-WebRequest -Uri "https://app.mayhem.security/cli/Windows/mayhem.msi" -OutFile "mayhem.msi" + # Start-Process msiexec.exe -ArgumentList "/i mayhem.msi /quiet /norestart" -Wait + # echo "MAYHEM_PATH=C:\Program Files (x86)\Mayhem\mayhem.exe" | Out-File -FilePath $env:GITHUB_ENV -Append + + # - name: Set values + # shell: pwsh + # run: | + # $mayhemUrl = if ([string]::IsNullOrEmpty("${{ inputs.mayhem_url }}")) { 'https://app.mayhem.security' } else { "${{ inputs.mayhem_url }}" } + # $workspace = if ([string]::IsNullOrEmpty("${{ inputs.workspace }}")) { 'mayhem-examples' } else { "${{ inputs.workspace }}" } + # echo "MAYHEM_URL=$mayhemUrl" | Out-File -FilePath $env:GITHUB_ENV -Append + # echo "WORKSPACE=$workspace" | Out-File -FilePath $env:GITHUB_ENV -Append + + # - name: Mayhem login + # shell: pwsh + # run: | + # 
&$env:MAYHEM_PATH login "$env:MAYHEM_URL" "${{ secrets.MAYHEM_TOKEN }}" + + # - name: Mayhem run + # shell: pwsh + # run: | + # &$env:MAYHEM_PATH package -o mayhem_package_msvc fuzz_target_msvc.exe + # Copy-Item -Path cpp\windows\base-executable\msvc\testsuite -Destination mayhem_package_msvc\testsuite + # &$env:MAYHEM_PATH run --owner $env:WORKSPACE --project mayhem-examples --target cpp-windows-msvc --duration 5m mayhem_package_msvc + # &$env:MAYHEM_PATH package -o mayhem_package_clang fuzz_target_clang.exe + # Copy-Item -Path cpp\windows\base-executable\clang\testsuite -Destination mayhem_package_clang\testsuite + # &$env:MAYHEM_PATH run --owner $env:WORKSPACE --project mayhem-examples --target cpp-windows-clang --duration 5m mayhem_package_clang + # &$env:MAYHEM_PATH package -o mayhem_package_libfuzzer fuzz_target_libfuzzer.exe + # Copy-Item -Path cpp\windows\libfuzzer\testsuite -Destination mayhem_package_libfuzzer\testsuite + # &$env:MAYHEM_PATH run --owner $env:WORKSPACE --project mayhem-examples --target cpp-windows-libfuzzer --duration 5m mayhem_package_libfuzzer + # &$env:MAYHEM_PATH package -o mayhem_package_mingw fuzz_target_mingw.exe + # Copy-Item -Path cpp\windows\base-executable\gcc\testsuite -Destination mayhem_package_mingw\testsuite + # &$env:MAYHEM_PATH run --owner $env:WORKSPACE --project mayhem-examples --target cpp-windows-mingw --duration 5m mayhem_package_mingw diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index a6654e0..0513768 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
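Review bot: The commented-out `Set values` and `Mayhem login` steps splice `${{ inputs.mayhem_url }}`, `${{ inputs.workspace }}` and `${{ secrets.MAYHEM_TOKEN }}` directly into the pwsh script text, so once they are enabled the token is written into the rendered script and an input value containing quotes can change what the script does; put `MAYHEM_TOKEN: ${{ secrets.MAYHEM_TOKEN }}` (and the two inputs) under the step's `env:` map and reference `$env:MAYHEM_TOKEN` from the script instead. `workflow_dispatch:` declares no `inputs:`, so `inputs.mayhem_url` and `inputs.workspace` would always evaluate to empty and the fallback literals would always win; the inputs need to be declared under `workflow_dispatch` when these steps are uncommented. In the active `Build Windows C# targets` step, `csc.exe ... /out:/dotnet_fuzz.exe` writes the binary to the drive root rather than the workspace like the other targets, which looks unintended (`/out:dotnet_fuzz.exe`). `TheMrMilchmann/setup-msvc-dev@v3` is a third-party action pinned by tag only; pin it to a commit SHA given this workflow is expected to carry a Mayhem token later.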
@@ -1,19 +1,22 @@ # How do I contribute? -All targets are broken down by language, fuzzer, and target. The general structure is: +All targets are broken down by language, OS, fuzzer, and target. The general structure is: ```sh - - - - - - - testsuite - - src - - Dockerfile - - Mayhemfile - - README.md + - + - + - + - testsuite + - src + - Dockerfile + - Mayhemfile + - README.md ``` -All targets should be able to be built and pushed using the following commands: +## Linux Targets + +All Linux targets should be able to be built and pushed using the following commands: > **Note:** You should first navigate to the corresponding target directory before executing the below commands. @@ -43,3 +46,9 @@ if input[0] == "b" ``` You can also use the included `Makefile` at the root of the `mayhem-examples` repository to automatically build and push all images using the `make build` and `make push` commands, respectively. + +## Windows Targets + +For Windows targets, the structure is similar, but the build and packaging process is different. Namely, you will not use a Dockerfile or Mayhemfile, and will compile the target directly using the appropriate compiler for the language (e.g., `csc.exe` for C# or `clang++.exe` for C++). You can find more examples under the (`base-executable/windows/README.md`)[base-executable/windows/README.md] and [cpp/windows/libfuzzer/README.md](cpp/windows/libfuzzer/README.md) directories. + +Be sure to include a `README.md` as well. \ No newline at end of file diff --git a/LICENSE.md b/LICENSE.md index 19de8eb..0fe7a88 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,4 +1,4 @@ -Copyright (c) 2021 ForAllSecure +Copyright (c) 2025 ForAllSecure Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the diff --git a/Makefile b/Makefile index 8cf632a..c62f9c6 100644 --- a/Makefile +++ b/Makefile 
@@ -20,15 +20,15 @@ FUZZERS := \ c/honggfuzz/c-honggfuzz-clang \ c/honggfuzz/c-honggfuzz-gcc \ c/libfuzzer/c-libfuzzer \ - cpp/afl/cpp-afl-clang \ - cpp/afl/cpp-afl-gcc \ - cpp/aflpp/cpp-aflpp-clang \ - cpp/aflpp/cpp-aflpp-gcc \ - cpp/base-executable/cpp-base-executable \ - cpp/honggfuzz/cpp-honggfuzz-clang \ - cpp/honggfuzz/cpp-honggfuzz-gcc \ - cpp/libfuzzer/cpp-libfuzzer \ - csharp/libfuzzer/csharp-sharpfuzz \ + cpp/linux/afl/cpp-afl-clang \ + cpp/linux/afl/cpp-afl-gcc \ + cpp/linux/aflpp/cpp-aflpp-clang \ + cpp/linux/aflpp/cpp-aflpp-gcc \ + cpp/linux/base-executable/cpp-base-executable \ + cpp/linux/honggfuzz/cpp-honggfuzz-clang \ + cpp/linux/honggfuzz/cpp-honggfuzz-gcc \ + cpp/linux/libfuzzer/cpp-libfuzzer \ + csharp/linux/libfuzzer/csharp-sharpfuzz \ fortran/base-executable/fortran-base-executable \ go/base-executable/go-base-executable \ go/libfuzzer/go-go-fuzz \ diff --git a/README.md b/README.md index 88bb121..7f195c4 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ Mayhem example templates for programming languages and fuzzers that you love! Like a "Hello World!" but for fuzzing! ![visitors](https://visitor-badge.glitch.me/badge?page_id=ForAllSecure.mayhem-examples) -[![CI](https://github.com/ForAllSecure/mayhem-examples/actions/workflows/blank.yml/badge.svg)](https://github.com/ForAllSecure/mayhem-examples/actions/workflows/blank.yml) +[![CI](https://github.com/ForAllSecure/mayhem-examples/actions/workflows/build-linux-docker.yml/badge.svg)](https://github.com/ForAllSecure/mayhem-examples/actions/workflows/build-linux-docker.yml) --- 
@@ -15,7 +15,7 @@ Mayhem example templates for programming languages and fuzzers that you love! Li Use the Mayhem CLI to execute a new Mayhem run (via the `mayhem run` command) for any mayhem-examples target directory with a valid `Mayhemfile`. Alternatively, Mayhem users can use the Mayhem UI to execute a new Mayhem run by selecting and fuzzing a mayhem-examples target Docker image uploaded to either the private Mayhem Docker Registry or the public [Docker Hub](https://hub.docker.com/). -> **Note:** Before executing a Mayhem run on the mayhem-examples, you'll need to first upload the below mayhem-example targets to either a private Mayhem Docker Registry or to the public Docker Hub. Read the [How to Get Started](#how-to-get-started) section for more details. +> **Note:** Before executing a Mayhem run on most of the mayhem-examples, you'll need to first upload the below mayhem-example targets to either a private Mayhem Docker Registry, or to the public Github Container Registry or Docker Hub. Read the [How to Get Started](#how-to-get-started) section for more details. Windows targets can be built directly and packaged with the `mayhem package` command. ## Target List by Language/Fuzzer 
@@ -57,6 +57,12 @@ Order is alphabetical. | [forallsecure/rust-cargo-fuzz](rust/libfuzzer/rust-cargo-fuzz) | Rust | Rust 1.44 | [cargo-fuzz](https://rust-fuzz.github.io/book/cargo-fuzz.html) | ![](https://img.shields.io/docker/image-size/forallsecure/rust-cargo-fuzz) | [![docker-logo](.images/docker-logo.png)](https://hub.docker.com/r/forallsecure/rust-cargo-fuzz) | [forallsecure/swift-libfuzzer](swift/libfuzzer/swift-libfuzzer) | Swift | Swift 5.4.2 | [libFuzzer](https://github.com/apple/swift/blob/main/docs/libFuzzerIntegration.md) | ![](https://img.shields.io/docker/image-size/forallsecure/swift-libfuzzer) | [![docker-logo](.images/docker-logo.png)](https://hub.docker.com/r/forallsecure/swift-libfuzzer) + +#### Looking for Windows targets? + +You can find information about building Windows base executable targets [here](base-executable/windows/README.md) and Windows libFuzzer targets [here](cpp/windows/libfuzzer/README.md). + + ## Supported Fuzzers | Fuzzer | dictionary | max_length | sanitizers | 
@@ -161,8 +167,6 @@ Mayhem can run Docker images stored on either the included private Docker regist ## About Us -ForAllSecure was founded with the mission to make the world’s critical software safe. The company has been applying its patented technology from over a decade of CMU research to solving the difficult challenge of making software safer. ForAllSecure has partnered with Fortune 1000 companies in aerospace, automotive and high-tech industries, as well as the US Department of Defense to integrate Mayhem into software development cycles for continuous security. Profitable and revenue-funded, the company is scaling rapidly. +Mayhem was founded with the mission to make the world’s critical software safe. The company has been applying its patented technology from over a decade of CMU research to solving the difficult challenge of making software safer. Mayhem has partnered with Fortune 1000 companies in aerospace, automotive and high-tech industries, as well as the US Department of Defense to integrate Mayhem into software development cycles for continuous security. Profitable and revenue-funded, the company is scaling rapidly. -* [https://forallsecure.com/](https://forallsecure.com/) -* [https://forallsecure.com/mayhem-for-code](https://forallsecure.com/mayhem-for-code) -* [https://community.forallsecure.com/](https://community.forallsecure.com/) \ No newline at end of file +* [https://mayhem.security/](https://mayhem.security/) \ No newline at end of file diff --git a/android/base-executable/android-base-executable/Dockerfile b/android/base-executable/android-base-executable/Dockerfile index a2a3b24..eb44e01 100644 --- a/android/base-executable/android-base-executable/Dockerfile +++ b/android/base-executable/android-base-executable/Dockerfile 
@@ -1,4 +1,4 @@ -FROM debian:buster-slim +FROM debian:bookworm-slim AS builder RUN apt-get update && \ apt-get install -fy wget zip make && \ wget https://dl.google.com/android/repository/android-ndk-r21e-linux-x86_64.zip && \ @@ -12,8 +12,8 @@ WORKDIR /android-ndk-r21e/mayhemit/jni/ RUN ../../ndk-build WORKDIR /android-ndk-r21e/mayhemit/libs/x86_64 -FROM debian:buster-slim -COPY --from=0 /android-ndk-r21e/mayhemit/libs/x86_64/mayhemit /mayhemit +FROM debian:bookworm-slim +COPY --from=builder /android-ndk-r21e/mayhemit/libs/x86_64/mayhemit /mayhemit # Set to fuzz! ENTRYPOINT [] diff --git a/base-executable/ada-base-executable b/base-executable/ada-base-executable deleted file mode 120000 index 7ab688d..0000000 --- a/base-executable/ada-base-executable +++ /dev/null @@ -1 +0,0 @@ -../ada/base-executable/ada-base-executable \ No newline at end of file diff --git a/base-executable/android-base-executable b/base-executable/android-base-executable deleted file mode 120000 index f576d74..0000000 --- a/base-executable/android-base-executable +++ /dev/null @@ -1 +0,0 @@ -../android/base-executable/android-base-executable \ No newline at end of file diff --git a/base-executable/c-base-executable b/base-executable/c-base-executable deleted file mode 120000 index a8dc528..0000000 --- a/base-executable/c-base-executable +++ /dev/null @@ -1 +0,0 @@ -../c/base-executable/c-base-executable \ No newline at end of file diff --git a/base-executable/cpp-base-executable b/base-executable/cpp-base-executable deleted file mode 120000 index beb466d..0000000 --- a/base-executable/cpp-base-executable +++ /dev/null @@ -1 +0,0 @@ -../cpp/base-executable/cpp-base-executable \ No newline at end of file diff --git a/base-executable/fortran-base-executable b/base-executable/fortran-base-executable deleted file mode 120000 index 0a0a78b..0000000 --- a/base-executable/fortran-base-executable +++ /dev/null 
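Review bot: The builder stage still downloads `android-ndk-r21e-linux-x86_64.zip` with `wget` and unpacks it without any integrity check visible in this hunk, so every rebuild on the new `bookworm-slim` base trusts whatever the download host returns; verifying the archive against a known digest before unzipping (`echo "<EXPECTED_SHA256>  android-ndk-r21e-linux-x86_64.zip" | sha256sum -c -`, with the digest taken from the NDK release notes) would pin it. The `RUN` chain continues past the hunk, so whether the apt lists are removed afterwards cannot be seen here; the c/ and cpp/ base-executable Dockerfiles in this same commit end their install step with `rm -rf /var/lib/apt/lists/*`. The stage keyword is written `AS builder` here but `as builder` in those other Dockerfiles; pick one casing.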
@@ -1 +0,0 @@
-../fortran/base-executable/fortran-base-executable/
\ No newline at end of file
diff --git a/base-executable/go-base-executable b/base-executable/go-base-executable
deleted file mode 120000
index 75c3c5e..0000000
--- a/base-executable/go-base-executable
+++ /dev/null
@@ -1 +0,0 @@
-../go/base-executable/go-base-executable
\ No newline at end of file
diff --git a/base-executable/java-base-executable b/base-executable/java-base-executable
deleted file mode 120000
index 7520863..0000000
--- a/base-executable/java-base-executable
+++ /dev/null
@@ -1 +0,0 @@
-../java/base-executable/java-base-executable
\ No newline at end of file
diff --git a/base-executable/linux/ada-base-executable b/base-executable/linux/ada-base-executable
new file mode 120000
index 0000000..04a9c7a
--- /dev/null
+++ b/base-executable/linux/ada-base-executable
@@ -0,0 +1 @@
+../../ada/base-executable/ada-base-executable
\ No newline at end of file
diff --git a/base-executable/linux/android-base-executable b/base-executable/linux/android-base-executable
new file mode 120000
index 0000000..d043750
--- /dev/null
+++ b/base-executable/linux/android-base-executable
@@ -0,0 +1 @@
+../../android/base-executable/android-base-executable
\ No newline at end of file
diff --git a/base-executable/linux/c-base-executable b/base-executable/linux/c-base-executable
new file mode 120000
index 0000000..d42c08d
--- /dev/null
+++ b/base-executable/linux/c-base-executable
@@ -0,0 +1 @@
+../../c/base-executable/c-base-executable/
\ No newline at end of file
diff --git a/base-executable/linux/fortran-base-executable b/base-executable/linux/fortran-base-executable
new file mode 120000
index 0000000..99c252f
--- /dev/null
+++ b/base-executable/linux/fortran-base-executable
@@ -0,0 +1 @@
+../../fortran/base-executable/fortran-base-executable
\ No newline at end of file
diff --git a/base-executable/linux/go-base-executable b/base-executable/linux/go-base-executable
new file mode 120000
index 0000000..6e21771
--- /dev/null
+++ b/base-executable/linux/go-base-executable
@@ -0,0 +1 @@
+../../go/base-executable/go-base-executable
\ No newline at end of file
diff --git a/base-executable/linux/java-base-executable b/base-executable/linux/java-base-executable
new file mode 120000
index 0000000..6da8c6d
--- /dev/null
+++ b/base-executable/linux/java-base-executable
@@ -0,0 +1 @@
+../../java/base-executable/java-base-executable
\ No newline at end of file
diff --git a/base-executable/linux/obj-c-base-executable b/base-executable/linux/obj-c-base-executable
new file mode 120000
index 0000000..da107a7
--- /dev/null
+++ b/base-executable/linux/obj-c-base-executable
@@ -0,0 +1 @@
+../../objective-c/base-executable/obj-c-base-executable
\ No newline at end of file
diff --git a/base-executable/linux/ocaml-base-executable b/base-executable/linux/ocaml-base-executable
new file mode 120000
index 0000000..68e89b2
--- /dev/null
+++ b/base-executable/linux/ocaml-base-executable
@@ -0,0 +1 @@
+../../ocaml/base-executable/ocaml-base-executable
\ No newline at end of file
diff --git a/base-executable/linux/powerpc-c-base-executable b/base-executable/linux/powerpc-c-base-executable
new file mode 120000
index 0000000..d2c2c56
--- /dev/null
+++ b/base-executable/linux/powerpc-c-base-executable
@@ -0,0 +1 @@
+../../c/base-executable/powerpc-c-base-executable
\ No newline at end of file
diff --git a/base-executable/linux/powerpc64-c-base-executable b/base-executable/linux/powerpc64-c-base-executable
new file mode 120000
index 0000000..a5a122e
--- /dev/null
+++ b/base-executable/linux/powerpc64-c-base-executable
@@ -0,0 +1 @@
+../../c/base-executable/powerpc64-c-base-executable/
\ No newline at end of file
diff --git a/base-executable/linux/powerpc64le-c-base-executable b/base-executable/linux/powerpc64le-c-base-executable
new file mode 120000
index 0000000..1e05285
--- /dev/null
+++ b/base-executable/linux/powerpc64le-c-base-executable
@@ -0,0 +1 @@
+../../c/base-executable/powerpc64le-c-base-executable
\ No newline at end of file
diff --git a/base-executable/linux/rust-base-executable b/base-executable/linux/rust-base-executable
new file mode 120000
index 0000000..19879ea
--- /dev/null
+++ b/base-executable/linux/rust-base-executable
@@ -0,0 +1 @@
+../../rust/base-executable/rust-base-executable
\ No newline at end of file
diff --git a/base-executable/obj-c-base-executable b/base-executable/obj-c-base-executable
deleted file mode 120000
index dc9990d..0000000
--- a/base-executable/obj-c-base-executable
+++ /dev/null
@@ -1 +0,0 @@
-../objective-c/base-executable/obj-c-base-executable
\ No newline at end of file
diff --git a/base-executable/ocaml-base-executable b/base-executable/ocaml-base-executable
deleted file mode 120000
index b1b90be..0000000
--- a/base-executable/ocaml-base-executable
+++ /dev/null
@@ -1 +0,0 @@
-../ocaml/base-executable/ocaml-base-executable
\ No newline at end of file
diff --git a/base-executable/powerpc-c-base-executable b/base-executable/powerpc-c-base-executable
deleted file mode 120000
index a989224..0000000
--- a/base-executable/powerpc-c-base-executable
+++ /dev/null
@@ -1 +0,0 @@
-../c/base-executable/powerpc-c-base-executable
\ No newline at end of file
diff --git a/base-executable/powerpc64-c-base-executable b/base-executable/powerpc64-c-base-executable
deleted file mode 120000
index c6d33af..0000000
--- a/base-executable/powerpc64-c-base-executable
+++ /dev/null
@@ -1 +0,0 @@
-../c/base-executable/powerpc64-c-base-executable
\ No newline at end of file
diff --git a/base-executable/powerpc64le-c-base-executable b/base-executable/powerpc64le-c-base-executable
deleted file mode 120000
index 973e1ba..0000000
--- a/base-executable/powerpc64le-c-base-executable
+++ /dev/null
@@ -1 +0,0 @@
-../c/base-executable/powerpc64le-c-base-executable
\ No newline at end of file
diff --git a/base-executable/rust-base-executable b/base-executable/rust-base-executable
deleted file mode 120000
index 317fa3e..0000000
--- a/base-executable/rust-base-executable
+++ /dev/null
@@ -1 +0,0 @@
-../rust/base-executable/rust-base-executable
\ No newline at end of file
diff --git a/base-executable/windows/README.md b/base-executable/windows/README.md
new file mode 100644
index 0000000..14b1d3d
--- /dev/null
+++ b/base-executable/windows/README.md
@@ -0,0 +1,37 @@ +# Windows Base Executable Fuzzing Examples + +This directory contains examples of fuzzing Windows base executables using various compilers and configurations. To run, simply navigate to a given directory and follow the instructions in the README files. + +## Fuzzing Support with Mayhem + +| Compiler | Architecture | Binary | Sanitizers | +|------------------------|--------------|-----------|--------------------| +| MSVC 2022 (cl.exe v19) | x32/x64 | Supported | Failing | +| clang 10+ (MSVC) | x32/x64 | Supported | Failing | +| clang 10+ (libfuzzer) | x32/x64 | Supported | Failing | +| gcc 12.4 (cygwin) | x32/x64 | Failing | Failing | +| gcc 15.1 (mingw) | x32/x64 | Supported | N/A. Linking fails | + +**clang8 and cygwin**: cygwin installs clang8, which does not support +`libfuzzer` or `ASAN`. To use `libfuzzer` or `ASAN`, you need to install: + * clang 10+ + * built with the `libclang_rt` library. + +MSVC will install a supported version of clang, and you can also install +from the [GitHub release page](https://github.com/llvm/llvm-project/releases) + +## Windows Behaviors + +Windows behaviors are different than Linux. In Linux, `assert` and `abort` +crash with a signal, but in Windows they are silently wrapped. Note that `assert` prints a message and then immediately calls `abort()`, so the behavior is similar. Also, note that compiling for release mode may remove `assert()` calls entirely. 
+ +| Case | Linux Behavior | Windows MSVC Default | Supported | +|---------------------------------|------------------------|-----------------------------|-----------| +| `abort()` | Raises signal, exits | Shows dialog, exits code 3 | No | +| `assert()` | Raises SIGABRT | May no-op in release | No | +| `throw std::runtime_error` | Uncaught → terminate() | Exits silently (code 1/3) | Yes | +| Null pointer dereference | Crashes | Crashes | Yes | +| OOB heap write (with ASAN) | Detected by ASAN | Detected by ASAN (Clang) | No | +| `RaiseFailFastException()` | Not applicable | Crashes with fast fail | No | + +_Note: You can get Mayhem to recognize `assert` and `abort` as crashes by setting the environment variable `AFL_CRASH_EXITCODE` to `3` in your Mayhemfile, as this is the exit code Windows raises when an `abort()` is called._ \ No newline at end of file diff --git a/base-executable/windows/clang-cpp-base-executable b/base-executable/windows/clang-cpp-base-executable new file mode 120000 index 0000000..91a8e67 --- /dev/null +++ b/base-executable/windows/clang-cpp-base-executable @@ -0,0 +1 @@ +../../cpp/windows/base-executable/clang-cpp-base-executable \ No newline at end of file diff --git a/base-executable/windows/csharp-base-executable b/base-executable/windows/csharp-base-executable new file mode 120000 index 0000000..054b325 --- /dev/null +++ b/base-executable/windows/csharp-base-executable @@ -0,0 +1 @@ +../../csharp/windows/base-executable/csharp-base-executable \ No newline at end of file diff --git a/base-executable/windows/gcc-cpp-base-executable b/base-executable/windows/gcc-cpp-base-executable new file mode 120000 index 0000000..04f1951 --- /dev/null +++ b/base-executable/windows/gcc-cpp-base-executable @@ -0,0 +1 @@ +../../cpp/windows/base-executable/gcc-cpp-base-executable \ No newline at end of file 
diff --git a/base-executable/windows/msvc-cpp-base-executable b/base-executable/windows/msvc-cpp-base-executable
new file mode 120000
index 0000000..3774ac1
--- /dev/null
+++ b/base-executable/windows/msvc-cpp-base-executable
@@ -0,0 +1 @@
+../../cpp/windows/base-executable/msvc-cpp-base-executable
\ No newline at end of file
diff --git a/c/base-executable/c-base-executable/Dockerfile b/c/base-executable/c-base-executable/Dockerfile
index 5ecc2ad..ac4609f 100644
--- a/c/base-executable/c-base-executable/Dockerfile
+++ b/c/base-executable/c-base-executable/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:buster-slim as builder
+FROM debian:bookworm-slim as builder
 RUN apt-get update && \
 apt-get install -y gcc make libc6-dbg && \
 rm -rf /var/lib/apt/lists/*
diff --git a/c/base-executable/powerpc-c-base-executable/Dockerfile b/c/base-executable/powerpc-c-base-executable/Dockerfile
index 51c5a7a..3936cad 100644
--- a/c/base-executable/powerpc-c-base-executable/Dockerfile
+++ b/c/base-executable/powerpc-c-base-executable/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:buster-slim as builder
+FROM debian:bookworm-slim as builder
 RUN apt-get update && \
 apt-get install -y gcc-powerpc-linux-gnu make libc6-dbg && \
 rm -rf /var/lib/apt/lists/*
diff --git a/c/base-executable/powerpc64-c-base-executable/Dockerfile b/c/base-executable/powerpc64-c-base-executable/Dockerfile
index 37b2e1a..eef9afc 100644
--- a/c/base-executable/powerpc64-c-base-executable/Dockerfile
+++ b/c/base-executable/powerpc64-c-base-executable/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:buster-slim as builder
+FROM debian:bookworm-slim as builder
 RUN apt-get update && \
 apt-get install -y gcc-powerpc64-linux-gnu make libc6-dbg && \
 rm -rf /var/lib/apt/lists/*
diff --git a/c/base-executable/powerpc64le-c-base-executable/Dockerfile b/c/base-executable/powerpc64le-c-base-executable/Dockerfile
index 8f9ee10..48ea851 100644
--- a/c/base-executable/powerpc64le-c-base-executable/Dockerfile
+++ b/c/base-executable/powerpc64le-c-base-executable/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:buster-slim as builder +FROM debian:bookworm-slim as builder RUN apt-get update && \ apt-get install -y gcc-powerpc64le-linux-gnu make libc6-dbg && \ rm -rf /var/lib/apt/lists/* diff --git a/c/honggfuzz/c-honggfuzz-clang/Dockerfile b/c/honggfuzz/c-honggfuzz-clang/Dockerfile index 54a8736..24b3475 100644 --- a/c/honggfuzz/c-honggfuzz-clang/Dockerfile +++ b/c/honggfuzz/c-honggfuzz-clang/Dockerfile @@ -2,7 +2,7 @@ FROM fuzzers/honggfuzz:1.9 COPY src/mayhemit.c . RUN hfuzz-clang -fno-inline mayhemit.c -o /mayhemit -FROM debian:buster-slim +FROM debian:bookworm-slim COPY --from=0 /mayhemit . COPY --from=0 /usr/local/bin/honggfuzz /usr/local/bin/honggfuzz COPY --from=0 /usr/lib/x86_64-linux-gnu/libunwind-ptrace.so.0 /usr/lib/x86_64-linux-gnu/libunwind-ptrace.so.0 diff --git a/c/honggfuzz/c-honggfuzz-gcc/Dockerfile b/c/honggfuzz/c-honggfuzz-gcc/Dockerfile index 346dd76..11428bc 100644 --- a/c/honggfuzz/c-honggfuzz-gcc/Dockerfile +++ b/c/honggfuzz/c-honggfuzz-gcc/Dockerfile @@ -2,7 +2,7 @@ FROM fuzzers/honggfuzz:1.9 COPY src/mayhemit.c . RUN hfuzz-gcc mayhemit.c -o /mayhemit -FROM debian:buster-slim +FROM debian:bookworm-slim COPY --from=0 /mayhemit . COPY --from=0 /usr/local/bin/honggfuzz /usr/local/bin/honggfuzz COPY --from=0 /usr/lib/x86_64-linux-gnu/libunwind-ptrace.so.0 /usr/lib/x86_64-linux-gnu/libunwind-ptrace.so.0 diff --git a/cpp/afl/cpp-afl-clang/Dockerfile b/cpp/linux/afl/cpp-afl-clang/Dockerfile similarity index 100% rename from cpp/afl/cpp-afl-clang/Dockerfile rename to cpp/linux/afl/cpp-afl-clang/Dockerfile diff --git a/cpp/afl/cpp-afl-clang/Mayhemfile b/cpp/linux/afl/cpp-afl-clang/Mayhemfile similarity index 100% rename from cpp/afl/cpp-afl-clang/Mayhemfile rename to cpp/linux/afl/cpp-afl-clang/Mayhemfile 
diff --git a/cpp/afl/cpp-afl-clang/README.md b/cpp/linux/afl/cpp-afl-clang/README.md
similarity index 100%
rename from cpp/afl/cpp-afl-clang/README.md
rename to cpp/linux/afl/cpp-afl-clang/README.md
diff --git a/cpp/afl/cpp-afl-clang/src/mayhemit.cpp b/cpp/linux/afl/cpp-afl-clang/src/mayhemit.cpp
similarity index 100%
rename from cpp/afl/cpp-afl-clang/src/mayhemit.cpp
rename to cpp/linux/afl/cpp-afl-clang/src/mayhemit.cpp
diff --git a/cpp/afl/cpp-afl-clang/testsuite/seed.txt b/cpp/linux/afl/cpp-afl-clang/testsuite/seed.txt
similarity index 100%
rename from cpp/afl/cpp-afl-clang/testsuite/seed.txt
rename to cpp/linux/afl/cpp-afl-clang/testsuite/seed.txt
diff --git a/cpp/afl/cpp-afl-gcc/Dockerfile b/cpp/linux/afl/cpp-afl-gcc/Dockerfile
similarity index 100%
rename from cpp/afl/cpp-afl-gcc/Dockerfile
rename to cpp/linux/afl/cpp-afl-gcc/Dockerfile
diff --git a/cpp/afl/cpp-afl-gcc/Mayhemfile b/cpp/linux/afl/cpp-afl-gcc/Mayhemfile
similarity index 100%
rename from cpp/afl/cpp-afl-gcc/Mayhemfile
rename to cpp/linux/afl/cpp-afl-gcc/Mayhemfile
diff --git a/cpp/afl/cpp-afl-gcc/README.md b/cpp/linux/afl/cpp-afl-gcc/README.md
similarity index 100%
rename from cpp/afl/cpp-afl-gcc/README.md
rename to cpp/linux/afl/cpp-afl-gcc/README.md
diff --git a/cpp/afl/cpp-afl-gcc/src/mayhemit.cpp b/cpp/linux/afl/cpp-afl-gcc/src/mayhemit.cpp
similarity index 100%
rename from cpp/afl/cpp-afl-gcc/src/mayhemit.cpp
rename to cpp/linux/afl/cpp-afl-gcc/src/mayhemit.cpp
diff --git a/cpp/afl/cpp-afl-gcc/testsuite/seed.txt b/cpp/linux/afl/cpp-afl-gcc/testsuite/seed.txt
similarity index 100%
rename from cpp/afl/cpp-afl-gcc/testsuite/seed.txt
rename to cpp/linux/afl/cpp-afl-gcc/testsuite/seed.txt
diff --git a/cpp/aflpp/cpp-aflpp-clang/Dockerfile b/cpp/linux/aflpp/cpp-aflpp-clang/Dockerfile
similarity index 100%
rename from cpp/aflpp/cpp-aflpp-clang/Dockerfile
rename to cpp/linux/aflpp/cpp-aflpp-clang/Dockerfile
diff --git a/cpp/aflpp/cpp-aflpp-clang/Mayhemfile b/cpp/linux/aflpp/cpp-aflpp-clang/Mayhemfile
similarity index 100%
rename from cpp/aflpp/cpp-aflpp-clang/Mayhemfile
rename to cpp/linux/aflpp/cpp-aflpp-clang/Mayhemfile
diff --git a/cpp/aflpp/cpp-aflpp-clang/README.md b/cpp/linux/aflpp/cpp-aflpp-clang/README.md
similarity index 100%
rename from cpp/aflpp/cpp-aflpp-clang/README.md
rename to cpp/linux/aflpp/cpp-aflpp-clang/README.md
diff --git a/cpp/aflpp/cpp-aflpp-clang/src/mayhemit.cpp b/cpp/linux/aflpp/cpp-aflpp-clang/src/mayhemit.cpp
similarity index 100%
rename from cpp/aflpp/cpp-aflpp-clang/src/mayhemit.cpp
rename to cpp/linux/aflpp/cpp-aflpp-clang/src/mayhemit.cpp
diff --git a/cpp/aflpp/cpp-aflpp-clang/testsuite/seed.txt b/cpp/linux/aflpp/cpp-aflpp-clang/testsuite/seed.txt
similarity index 100%
rename from cpp/aflpp/cpp-aflpp-clang/testsuite/seed.txt
rename to cpp/linux/aflpp/cpp-aflpp-clang/testsuite/seed.txt
diff --git a/cpp/aflpp/cpp-aflpp-gcc/Dockerfile b/cpp/linux/aflpp/cpp-aflpp-gcc/Dockerfile
similarity index 100%
rename from cpp/aflpp/cpp-aflpp-gcc/Dockerfile
rename to cpp/linux/aflpp/cpp-aflpp-gcc/Dockerfile
diff --git a/cpp/aflpp/cpp-aflpp-gcc/Mayhemfile b/cpp/linux/aflpp/cpp-aflpp-gcc/Mayhemfile
similarity index 100%
rename from cpp/aflpp/cpp-aflpp-gcc/Mayhemfile
rename to cpp/linux/aflpp/cpp-aflpp-gcc/Mayhemfile
diff --git a/cpp/aflpp/cpp-aflpp-gcc/README.md b/cpp/linux/aflpp/cpp-aflpp-gcc/README.md
similarity index 100%
rename from cpp/aflpp/cpp-aflpp-gcc/README.md
rename to cpp/linux/aflpp/cpp-aflpp-gcc/README.md
diff --git a/cpp/aflpp/cpp-aflpp-gcc/src/mayhemit.cpp b/cpp/linux/aflpp/cpp-aflpp-gcc/src/mayhemit.cpp
similarity index 100%
rename from cpp/aflpp/cpp-aflpp-gcc/src/mayhemit.cpp
rename to cpp/linux/aflpp/cpp-aflpp-gcc/src/mayhemit.cpp
diff --git a/cpp/aflpp/cpp-aflpp-gcc/testsuite/seed.txt b/cpp/linux/aflpp/cpp-aflpp-gcc/testsuite/seed.txt
similarity index 100%
rename from cpp/aflpp/cpp-aflpp-gcc/testsuite/seed.txt
rename to cpp/linux/aflpp/cpp-aflpp-gcc/testsuite/seed.txt
diff --git a/cpp/base-executable/cpp-base-executable/Dockerfile b/cpp/linux/base-executable/cpp-base-executable/Dockerfile
similarity index 85%
rename from cpp/base-executable/cpp-base-executable/Dockerfile
rename to cpp/linux/base-executable/cpp-base-executable/Dockerfile
index 43c23fa..412132a 100644
--- a/cpp/base-executable/cpp-base-executable/Dockerfile
+++ b/cpp/linux/base-executable/cpp-base-executable/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:buster-slim as builder
+FROM debian:bookworm-slim as builder
 RUN apt-get update && \
 apt-get install -y gcc g++ make libc6-dbg && \
 rm -rf /var/lib/apt/lists/*
diff --git a/cpp/base-executable/cpp-base-executable/Mayhemfile b/cpp/linux/base-executable/cpp-base-executable/Mayhemfile
similarity index 100%
rename from cpp/base-executable/cpp-base-executable/Mayhemfile
rename to cpp/linux/base-executable/cpp-base-executable/Mayhemfile
diff --git a/cpp/base-executable/cpp-base-executable/README.md b/cpp/linux/base-executable/cpp-base-executable/README.md
similarity index 100%
rename from cpp/base-executable/cpp-base-executable/README.md
rename to cpp/linux/base-executable/cpp-base-executable/README.md
diff --git a/cpp/linux/base-executable/cpp-base-executable/linux-cpp-base-executable b/cpp/linux/base-executable/cpp-base-executable/linux-cpp-base-executable
new file mode 120000
index 0000000..05cc7f8
--- /dev/null
+++ b/cpp/linux/base-executable/cpp-base-executable/linux-cpp-base-executable
@@ -0,0 +1 @@
+./linux-cpp-base-executable
\ No newline at end of file
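Review bot: The new symlink `cpp/linux/base-executable/cpp-base-executable/linux-cpp-base-executable` (mode 120000) has the target `./linux-cpp-base-executable`, which is its own name in its own directory, so it is a self-referencing link that anything following it resolves to ELOOP; `cpp/windows/base-executable/msvc-cpp-base-executable/windows-cpp-base-executable` → `./windows-cpp-base-executable` later in this diff has the same problem. If the intent was to give the example directory a platform-prefixed alias, the link belongs one level up (in `cpp/linux/base-executable/`) with the target `./cpp-base-executable`; if it was a stray `ln -s` run in the wrong directory, both files should simply be dropped. Either way, a short README line saying why the alias exists would spare the next reader the guess.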
diff --git a/cpp/base-executable/cpp-base-executable/src/mayhemit.cpp b/cpp/linux/base-executable/cpp-base-executable/src/mayhemit.cpp
similarity index 100%
rename from cpp/base-executable/cpp-base-executable/src/mayhemit.cpp
rename to cpp/linux/base-executable/cpp-base-executable/src/mayhemit.cpp
diff --git a/cpp/base-executable/cpp-base-executable/testsuite/seed.txt b/cpp/linux/base-executable/cpp-base-executable/testsuite/seed.txt
similarity index 100%
rename from cpp/base-executable/cpp-base-executable/testsuite/seed.txt
rename to cpp/linux/base-executable/cpp-base-executable/testsuite/seed.txt
diff --git a/cpp/honggfuzz/cpp-honggfuzz-clang/Dockerfile b/cpp/linux/honggfuzz/cpp-honggfuzz-clang/Dockerfile
similarity index 97%
rename from cpp/honggfuzz/cpp-honggfuzz-clang/Dockerfile
rename to cpp/linux/honggfuzz/cpp-honggfuzz-clang/Dockerfile
index caf56c3..8f091b6 100644
--- a/cpp/honggfuzz/cpp-honggfuzz-clang/Dockerfile
+++ b/cpp/linux/honggfuzz/cpp-honggfuzz-clang/Dockerfile
@@ -2,7 +2,7 @@ FROM fuzzers/honggfuzz:1.9
 COPY src/mayhemit.cpp .
 RUN hfuzz-clang++ -fno-inline mayhemit.cpp -o mayhemit
-FROM debian:buster-slim
+FROM debian:bookworm-slim
 COPY --from=0 /mayhemit .
 COPY --from=0 /usr/local/bin/honggfuzz /usr/local/bin/honggfuzz
 COPY --from=0 /usr/lib/x86_64-linux-gnu/libunwind-ptrace.so.0 /usr/lib/x86_64-linux-gnu/libunwind-ptrace.so.0
diff --git a/cpp/honggfuzz/cpp-honggfuzz-clang/Mayhemfile b/cpp/linux/honggfuzz/cpp-honggfuzz-clang/Mayhemfile
similarity index 100%
rename from cpp/honggfuzz/cpp-honggfuzz-clang/Mayhemfile
rename to cpp/linux/honggfuzz/cpp-honggfuzz-clang/Mayhemfile
diff --git a/cpp/honggfuzz/cpp-honggfuzz-clang/README.md b/cpp/linux/honggfuzz/cpp-honggfuzz-clang/README.md
similarity index 100%
rename from cpp/honggfuzz/cpp-honggfuzz-clang/README.md
rename to cpp/linux/honggfuzz/cpp-honggfuzz-clang/README.md
diff --git a/cpp/honggfuzz/cpp-honggfuzz-clang/src/mayhemit.cpp b/cpp/linux/honggfuzz/cpp-honggfuzz-clang/src/mayhemit.cpp
similarity index 100%
rename from cpp/honggfuzz/cpp-honggfuzz-clang/src/mayhemit.cpp
rename to cpp/linux/honggfuzz/cpp-honggfuzz-clang/src/mayhemit.cpp
diff --git a/cpp/honggfuzz/cpp-honggfuzz-clang/testsuite/seed.txt b/cpp/linux/honggfuzz/cpp-honggfuzz-clang/testsuite/seed.txt
similarity index 100%
rename from cpp/honggfuzz/cpp-honggfuzz-clang/testsuite/seed.txt
rename to cpp/linux/honggfuzz/cpp-honggfuzz-clang/testsuite/seed.txt
diff --git a/cpp/honggfuzz/cpp-honggfuzz-gcc/Dockerfile b/cpp/linux/honggfuzz/cpp-honggfuzz-gcc/Dockerfile
similarity index 97%
rename from cpp/honggfuzz/cpp-honggfuzz-gcc/Dockerfile
rename to cpp/linux/honggfuzz/cpp-honggfuzz-gcc/Dockerfile
index e9650a5..4cd6044 100644
--- a/cpp/honggfuzz/cpp-honggfuzz-gcc/Dockerfile
+++ b/cpp/linux/honggfuzz/cpp-honggfuzz-gcc/Dockerfile
@@ -2,7 +2,7 @@ FROM fuzzers/honggfuzz:1.9
 COPY src/mayhemit.cpp .
 RUN hfuzz-g++ mayhemit.cpp -o /mayhemit
-FROM debian:buster-slim
+FROM debian:bookworm-slim
 COPY --from=0 /mayhemit .
 COPY --from=0 /usr/local/bin/honggfuzz /usr/local/bin/honggfuzz
 COPY --from=0 /usr/lib/x86_64-linux-gnu/libunwind-ptrace.so.0 /usr/lib/x86_64-linux-gnu/libunwind-ptrace.so.0
diff --git a/cpp/honggfuzz/cpp-honggfuzz-gcc/Mayhemfile b/cpp/linux/honggfuzz/cpp-honggfuzz-gcc/Mayhemfile
similarity index 100%
rename from cpp/honggfuzz/cpp-honggfuzz-gcc/Mayhemfile
rename to cpp/linux/honggfuzz/cpp-honggfuzz-gcc/Mayhemfile
diff --git a/cpp/honggfuzz/cpp-honggfuzz-gcc/README.md b/cpp/linux/honggfuzz/cpp-honggfuzz-gcc/README.md
similarity index 100%
rename from cpp/honggfuzz/cpp-honggfuzz-gcc/README.md
rename to cpp/linux/honggfuzz/cpp-honggfuzz-gcc/README.md
diff --git a/cpp/honggfuzz/cpp-honggfuzz-gcc/src/mayhemit.cpp b/cpp/linux/honggfuzz/cpp-honggfuzz-gcc/src/mayhemit.cpp
similarity index 100%
rename from cpp/honggfuzz/cpp-honggfuzz-gcc/src/mayhemit.cpp
rename to cpp/linux/honggfuzz/cpp-honggfuzz-gcc/src/mayhemit.cpp
diff --git a/cpp/honggfuzz/cpp-honggfuzz-gcc/testsuite/seed.txt b/cpp/linux/honggfuzz/cpp-honggfuzz-gcc/testsuite/seed.txt
similarity index 100%
rename from cpp/honggfuzz/cpp-honggfuzz-gcc/testsuite/seed.txt
rename to cpp/linux/honggfuzz/cpp-honggfuzz-gcc/testsuite/seed.txt
diff --git a/cpp/libfuzzer/cpp-libfuzzer/Dockerfile b/cpp/linux/libfuzzer/cpp-libfuzzer/Dockerfile
similarity index 100%
rename from cpp/libfuzzer/cpp-libfuzzer/Dockerfile
rename to cpp/linux/libfuzzer/cpp-libfuzzer/Dockerfile
diff --git a/cpp/libfuzzer/cpp-libfuzzer/Mayhemfile b/cpp/linux/libfuzzer/cpp-libfuzzer/Mayhemfile
similarity index 100%
rename from cpp/libfuzzer/cpp-libfuzzer/Mayhemfile
rename to cpp/linux/libfuzzer/cpp-libfuzzer/Mayhemfile
diff --git a/cpp/libfuzzer/cpp-libfuzzer/README.md b/cpp/linux/libfuzzer/cpp-libfuzzer/README.md
similarity index 100%
rename from cpp/libfuzzer/cpp-libfuzzer/README.md
rename to cpp/linux/libfuzzer/cpp-libfuzzer/README.md
diff --git a/cpp/libfuzzer/cpp-libfuzzer/src/mayhemit.cpp b/cpp/linux/libfuzzer/cpp-libfuzzer/src/mayhemit.cpp
similarity index 100%
rename from cpp/libfuzzer/cpp-libfuzzer/src/mayhemit.cpp
rename to cpp/linux/libfuzzer/cpp-libfuzzer/src/mayhemit.cpp
diff --git a/cpp/libfuzzer/cpp-libfuzzer/testsuite/seed.txt b/cpp/linux/libfuzzer/cpp-libfuzzer/testsuite/seed.txt
similarity index 100%
rename from cpp/libfuzzer/cpp-libfuzzer/testsuite/seed.txt
rename to cpp/linux/libfuzzer/cpp-libfuzzer/testsuite/seed.txt
diff --git a/cpp/windows/base-executable/clang-cpp-base-executable/README.md b/cpp/windows/base-executable/clang-cpp-base-executable/README.md
new file mode 100644
index 0000000..88b0a5c
--- /dev/null
+++ b/cpp/windows/base-executable/clang-cpp-base-executable/README.md
@@ -0,0 +1,23 @@
+## Building Windows C++ Targets
+
+Run the following to build the Windows C++ Clang target for Mayhem.
+
+```cmd
+clang++.exe src\fuzz_target.cpp -g -O1 -o fuzz_target_clang.exe
+```
+
+## Creating a Mayhem package
+
+Once you've got your binary built, you can create a Mayhem package like so:
+
+```cmd
+mayhem.exe package -o .\cpp-windows-base-executable-clang .\fuzz_target_clang.exe
+```
+
+## Executing the Mayhem Run
+
+The `mayhem package` command will create a `Mayhemfile` for you under the `cpp-windows-base-executable-clang` directory. You can initiate a Mayhem run like so:
+
+```cmd
+mayhem.exe run .\cpp-windows-base-executable-clang --project mayhem-examples --target cpp-windows-base-executable-clang --duration 90
+```
diff --git a/cpp/windows/base-executable/clang-cpp-base-executable/src/fuzz_methods.cpp b/cpp/windows/base-executable/clang-cpp-base-executable/src/fuzz_methods.cpp
new file mode 100644
index 0000000..ae0df1c
--- /dev/null
+++ b/cpp/windows/base-executable/clang-cpp-base-executable/src/fuzz_methods.cpp
@@ -0,0 +1,92 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+void fuzz_init() {
+ static bool initialized = false;
+ if (!initialized) {
+#ifdef _MSC_VER
+ // abort() displays a message box, then exits.
+ // assert() may not crash or trigger a debugger, depending on the CRT configuration.
+ // This disables the message box, but does not solve the whole problem.
+ // This is only available in MSVC.
+ _set_abort_behavior(0, _WRITE_ABORT_MSG | _CALL_REPORTFAULT);
+#endif
+ initialized = true;
+ }
+}
+
+void test_address_sanitizer_boo(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'address_sanitizer'
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'b' && data.c_str()[1] == 'o' && data.c_str()[2] == 'o') {
+ // Note: this will crash powershell in MSVC.
+ std::cout << "Found 'boo' address sanitizer corner case!\n";
+ int* x = new int[100];
+ x[100] = 5;
+ delete[] x;
+ }
+ }
+}
+
+void test_null_deref_mom(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'mom'
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'm' && data.c_str()[1] == 'o' && data.c_str()[2] == 'm') {
+ std::cout << "Found 'mom' null deref corner case!\n";
+ *((volatile int*)0) = 123; // guaranteed crash
+ }
+ }
+}
+
+void test_runtime_error_dad(std::string data) {
+ // This function uses a runtime error to see if mayhem catches it with input 'dad'.
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'd' && data.c_str()[1] == 'a' && data.c_str()[2] == 'd') {
+ std::cout << "Found 'dad' corner case!\n";
+ throw std::runtime_error("Found 'dad' runtime_error corner case!"); // Alternative: throw an exception
+ }
+ }
+}
+
+void test_assert_cab(std::string data) {
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'c' && data.c_str()[1] == 'a' && data.c_str()[2] == 'b') {
+ std::cout << "Found 'cab' assert corner case!\n";
+ assert(1 == 0);
+ }
+ }
+}
+
+void test_raise_fail_fast_dog(std::string data) {
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'd' && data.c_str()[1] == 'o' && data.c_str()[2] == 'g') {
+ std::cout << "Found 'dog' RaiseFailFastException!\n";
+ RaiseFailFastException(nullptr, nullptr, 0);
+ }
+ }
+}
+
+
+void test_abort_bug(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'bug'
+
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'b' && data.c_str()[1] == 'u' && data.c_str()[2] == 'g') {
+ std::cout << "Found 'bug' abort corner case!\n";
+ abort(); // Uncomment to crash on this condition
+ }
+ }
+}
+
+void test_all(std::string data) {
+ test_abort_bug(data);
+ test_assert_cab(data);
+ test_null_deref_mom(data);
+ test_runtime_error_dad(data);
+ test_address_sanitizer_boo(data);
+ test_raise_fail_fast_dog(data);
+}
\ No newline at end of file
diff --git a/cpp/windows/base-executable/clang-cpp-base-executable/src/fuzz_target.cpp b/cpp/windows/base-executable/clang-cpp-base-executable/src/fuzz_target.cpp
new file mode 100644
index 0000000..acc0a07
--- /dev/null
+++ b/cpp/windows/base-executable/clang-cpp-base-executable/src/fuzz_target.cpp
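Review bot: The header comments on `test_address_sanitizer_boo` and `test_abort_bug` both say "uses a null deref", but the first writes one `int` past a `new int[100]` allocation (a heap buffer overflow) and the second calls `abort()`; the trailing `// Uncomment to crash on this condition` and `// Alternative: throw an exception` are likewise stale, since those statements are live. Suggested replacements: `// Heap buffer overflow: writes one element past a 100-int allocation; reliably reported only under AddressSanitizer` on the 'boo' case and `// Calls abort() to exercise abnormal-termination detection` on the 'bug' case. A one-element heap overrun is usually silent without instrumentation, and none of the build commands in this diff's READMEs pass `-fsanitize=address` (the libFuzzer one uses only `-fsanitize=fuzzer`), so the 'boo' input may not crash those builds unless the fuzzing tooling instruments them separately; the MSVC `/MDd` debug heap might catch it at `delete[]`, but that is allocator behaviour rather than a guarantee. Stylistically, every `test_*` takes `std::string data` by value and so copies the input on each call from `test_all`; `const std::string& data` keeps the interface for callers. The identical blob (index ae0df1c) is added again under `gcc-cpp-base-executable`, `msvc-cpp-base-executable` and `cpp/windows/libfuzzer`, where the same remarks apply, and a single shared copy would keep them from drifting apart.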
@@ -0,0 +1,23 @@
+#include
+#include "fuzz_methods.cpp"
+
+int main(int argc, char* argv[]) {
+ if (argc < 2) {
+ std::cerr << "Usage: fuzz_target \n";
+ return 1;
+ }
+
+ std::ifstream file(argv[1], std::ios::binary);
+ if (!file) {
+ std::cerr << "Error opening file: " << argv[1] << "\n";
+ return 1;
+ }
+
+ std::string data((std::istreambuf_iterator(file)),
+ std::istreambuf_iterator());
+
+ fuzz_init();
+ test_all(data);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_abort.txt b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_abort.txt
new file mode 100644
index 0000000..b7ce198
--- /dev/null
+++ b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_abort.txt
@@ -0,0 +1 @@
+bu.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_address_sanitizer.txt b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_address_sanitizer.txt
new file mode 100644
index 0000000..7b27f90
--- /dev/null
+++ b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_address_sanitizer.txt
@@ -0,0 +1 @@
+bo.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_assert.txt b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_assert.txt
new file mode 100644
index 0000000..ef55258
--- /dev/null
+++ b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_assert.txt
@@ -0,0 +1 @@
+ca.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_null_deref.txt b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_null_deref.txt
new file mode 100644
index 0000000..5d3a263
--- /dev/null
+++ b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_null_deref.txt
@@ -0,0 +1 @@
+mo.
\ No newline at end of file
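Review bot: `#include "fuzz_methods.cpp"` pulls a translation unit into `main`'s file instead of a header; it works here only because the READMEs compile `src\fuzz_target.cpp` alone, and it is a style point rather than a bug, but the conventional split is a `fuzz_methods.h` with declarations (or renaming the file to `.hpp`) so the definitions cannot be duplicated if another unit in the same binary ever includes it. The harness itself is sound: `argv[1]` is opened in binary mode, an unopenable path is reported and returns 1, and the whole file is read before `fuzz_init()` and `test_all()` run. A header comment such as `// Reads the whole file named by argv[1] and runs every crash-test case on it; a matching input ends the process (abort, fault or uncaught exception) instead of returning.` would document the intentionally non-returning paths, since the `std::runtime_error` thrown for the 'dad' case is not caught anywhere in `main`. The same file (index acc0a07) is added under `gcc-cpp-base-executable` and `msvc-cpp-base-executable`, where these notes apply as well.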
diff --git a/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_raise_fail_fast.txt b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_raise_fail_fast.txt
new file mode 100644
index 0000000..0baf38e
--- /dev/null
+++ b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_raise_fail_fast.txt
@@ -0,0 +1 @@
+do.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_runtime_error.txt b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_runtime_error.txt
new file mode 100644
index 0000000..ee94fad
--- /dev/null
+++ b/cpp/windows/base-executable/clang-cpp-base-executable/testsuite/test_runtime_error.txt
@@ -0,0 +1 @@
+da.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/gcc-cpp-base-executable/README.md b/cpp/windows/base-executable/gcc-cpp-base-executable/README.md
new file mode 100644
index 0000000..8af1978
--- /dev/null
+++ b/cpp/windows/base-executable/gcc-cpp-base-executable/README.md
@@ -0,0 +1,23 @@
+## Building Windows C++ Targets
+
+Run the following to build the Windows C++ GCC target for Mayhem.
+
+```cmd
+g++.exe src\fuzz_target.cpp -g -O1 -o fuzz_target_mingw.exe
+```
+
+## Creating a Mayhem package
+
+Once you've got your binary built, you can create a Mayhem package like so:
+
+```cmd
+mayhem.exe package -o .\cpp-windows-base-executable-gcc .\fuzz_target_mingw.exe
+```
+
+## Executing the Mayhem Run
+
+The `mayhem package` command will create a `Mayhemfile` for you under the `cpp-windows-base-executable-gcc` directory. You can initiate a Mayhem run like so:
+
+```cmd
+mayhem.exe run .\cpp-windows-base-executable-gcc --project mayhem-examples --target cpp-windows-base-executable-gcc --duration 90
+```
\ No newline at end of file
diff --git a/cpp/windows/base-executable/gcc-cpp-base-executable/src/fuzz_methods.cpp b/cpp/windows/base-executable/gcc-cpp-base-executable/src/fuzz_methods.cpp
new file mode 100644
index 0000000..ae0df1c
--- /dev/null
+++ b/cpp/windows/base-executable/gcc-cpp-base-executable/src/fuzz_methods.cpp
@@ -0,0 +1,92 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+void fuzz_init() {
+ static bool initialized = false;
+ if (!initialized) {
+#ifdef _MSC_VER
+ // abort() displays a message box, then exits.
+ // assert() may not crash or trigger a debugger, depending on the CRT configuration.
+ // This disables the message box, but does not solve the whole problem.
+ // This is only available in MSVC.
+ _set_abort_behavior(0, _WRITE_ABORT_MSG | _CALL_REPORTFAULT);
+#endif
+ initialized = true;
+ }
+}
+
+void test_address_sanitizer_boo(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'address_sanitizer'
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'b' && data.c_str()[1] == 'o' && data.c_str()[2] == 'o') {
+ // Note: this will crash powershell in MSVC.
+ std::cout << "Found 'boo' address sanitizer corner case!\n";
+ int* x = new int[100];
+ x[100] = 5;
+ delete[] x;
+ }
+ }
+}
+
+void test_null_deref_mom(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'mom'
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'm' && data.c_str()[1] == 'o' && data.c_str()[2] == 'm') {
+ std::cout << "Found 'mom' null deref corner case!\n";
+ *((volatile int*)0) = 123; // guaranteed crash
+ }
+ }
+}
+
+void test_runtime_error_dad(std::string data) {
+ // This function uses a runtime error to see if mayhem catches it with input 'dad'.
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'd' && data.c_str()[1] == 'a' && data.c_str()[2] == 'd') {
+ std::cout << "Found 'dad' corner case!\n";
+ throw std::runtime_error("Found 'dad' runtime_error corner case!"); // Alternative: throw an exception
+ }
+ }
+}
+
+void test_assert_cab(std::string data) {
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'c' && data.c_str()[1] == 'a' && data.c_str()[2] == 'b') {
+ std::cout << "Found 'cab' assert corner case!\n";
+ assert(1 == 0);
+ }
+ }
+}
+
+void test_raise_fail_fast_dog(std::string data) {
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'd' && data.c_str()[1] == 'o' && data.c_str()[2] == 'g') {
+ std::cout << "Found 'dog' RaiseFailFastException!\n";
+ RaiseFailFastException(nullptr, nullptr, 0);
+ }
+ }
+}
+
+
+void test_abort_bug(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'bug'
+
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'b' && data.c_str()[1] == 'u' && data.c_str()[2] == 'g') {
+ std::cout << "Found 'bug' abort corner case!\n";
+ abort(); // Uncomment to crash on this condition
+ }
+ }
+}
+
+void test_all(std::string data) {
+ test_abort_bug(data);
+ test_assert_cab(data);
+ test_null_deref_mom(data);
+ test_runtime_error_dad(data);
+ test_address_sanitizer_boo(data);
+ test_raise_fail_fast_dog(data);
+}
\ No newline at end of file
diff --git a/cpp/windows/base-executable/gcc-cpp-base-executable/src/fuzz_target.cpp b/cpp/windows/base-executable/gcc-cpp-base-executable/src/fuzz_target.cpp
new file mode 100644
index 0000000..acc0a07
--- /dev/null
+++ b/cpp/windows/base-executable/gcc-cpp-base-executable/src/fuzz_target.cpp
@@ -0,0 +1,23 @@
+#include
+#include "fuzz_methods.cpp"
+
+int main(int argc, char* argv[]) {
+ if (argc < 2) {
+ std::cerr << "Usage: fuzz_target \n";
+ return 1;
+ }
+
+ std::ifstream file(argv[1], std::ios::binary);
+ if (!file) {
+ std::cerr << "Error opening file: " << argv[1] << "\n";
+ return 1;
+ }
+
+ std::string data((std::istreambuf_iterator(file)),
+ std::istreambuf_iterator());
+
+ fuzz_init();
+ test_all(data);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_abort.txt b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_abort.txt
new file mode 100644
index 0000000..b7ce198
--- /dev/null
+++ b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_abort.txt
@@ -0,0 +1 @@
+bu.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_address_sanitizer.txt b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_address_sanitizer.txt
new file mode 100644
index 0000000..7b27f90
--- /dev/null
+++ b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_address_sanitizer.txt
@@ -0,0 +1 @@
+bo.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_assert.txt b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_assert.txt
new file mode 100644
index 0000000..ef55258
--- /dev/null
+++ b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_assert.txt
@@ -0,0 +1 @@
+ca.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_null_deref.txt b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_null_deref.txt
new file mode 100644
index 0000000..5d3a263
--- /dev/null
+++ b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_null_deref.txt
@@ -0,0 +1 @@
+mo.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_raise_fail_fast.txt b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_raise_fail_fast.txt
new file mode 100644
index 0000000..0baf38e
--- /dev/null
+++ b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_raise_fail_fast.txt
@@ -0,0 +1 @@
+do.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_runtime_error.txt b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_runtime_error.txt
new file mode 100644
index 0000000..ee94fad
--- /dev/null
+++ b/cpp/windows/base-executable/gcc-cpp-base-executable/testsuite/test_runtime_error.txt
@@ -0,0 +1 @@
+da.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/msvc-cpp-base-executable/README.md b/cpp/windows/base-executable/msvc-cpp-base-executable/README.md
new file mode 100644
index 0000000..7516d8c
--- /dev/null
+++ b/cpp/windows/base-executable/msvc-cpp-base-executable/README.md
@@ -0,0 +1,23 @@
+## Building Windows C++ Targets
+
+Run the following to build the Windows C++ MSVC target for Mayhem.
+
+```cmd
+cl.exe src\fuzz_target.cpp /nologo /Zi /FS /MDd /EHsc /Fo: "fuzz_target_msvc.obj" /Fe: "fuzz_target_msvc.exe"
+```
+
+## Creating a Mayhem package
+
+Once you've got your binary built, you can create a Mayhem package like so:
+
+```cmd
+mayhem.exe package -o .\cpp-windows-base-executable-msvc .\fuzz_target_msvc.exe
+```
+
+## Executing the Mayhem Run
+
+The `mayhem package` command will create a `Mayhemfile` for you under the `cpp-windows-base-executable-msvc` directory. You can initiate a Mayhem run like so:
+
+```cmd
+mayhem.exe run .\cpp-windows-base-executable-msvc --project mayhem-examples --target cpp-windows-base-executable-msvc --duration 90
+```
\ No newline at end of file
diff --git a/cpp/windows/base-executable/msvc-cpp-base-executable/src/fuzz_methods.cpp b/cpp/windows/base-executable/msvc-cpp-base-executable/src/fuzz_methods.cpp
new file mode 100644
index 0000000..ae0df1c
--- /dev/null
+++ b/cpp/windows/base-executable/msvc-cpp-base-executable/src/fuzz_methods.cpp
@@ -0,0 +1,92 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+void fuzz_init() {
+ static bool initialized = false;
+ if (!initialized) {
+#ifdef _MSC_VER
+ // abort() displays a message box, then exits.
+ // assert() may not crash or trigger a debugger, depending on the CRT configuration.
+ // This disables the message box, but does not solve the whole problem.
+ // This is only available in MSVC.
+ _set_abort_behavior(0, _WRITE_ABORT_MSG | _CALL_REPORTFAULT);
+#endif
+ initialized = true;
+ }
+}
+
+void test_address_sanitizer_boo(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'address_sanitizer'
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'b' && data.c_str()[1] == 'o' && data.c_str()[2] == 'o') {
+ // Note: this will crash powershell in MSVC.
+ std::cout << "Found 'boo' address sanitizer corner case!\n";
+ int* x = new int[100];
+ x[100] = 5;
+ delete[] x;
+ }
+ }
+}
+
+void test_null_deref_mom(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'mom'
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'm' && data.c_str()[1] == 'o' && data.c_str()[2] == 'm') {
+ std::cout << "Found 'mom' null deref corner case!\n";
+ *((volatile int*)0) = 123; // guaranteed crash
+ }
+ }
+}
+
+void test_runtime_error_dad(std::string data) {
+ // This function uses a runtime error to see if mayhem catches it with input 'dad'.
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'd' && data.c_str()[1] == 'a' && data.c_str()[2] == 'd') {
+ std::cout << "Found 'dad' corner case!\n";
+ throw std::runtime_error("Found 'dad' runtime_error corner case!"); // Alternative: throw an exception
+ }
+ }
+}
+
+void test_assert_cab(std::string data) {
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'c' && data.c_str()[1] == 'a' && data.c_str()[2] == 'b') {
+ std::cout << "Found 'cab' assert corner case!\n";
+ assert(1 == 0);
+ }
+ }
+}
+
+void test_raise_fail_fast_dog(std::string data) {
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'd' && data.c_str()[1] == 'o' && data.c_str()[2] == 'g') {
+ std::cout << "Found 'dog' RaiseFailFastException!\n";
+ RaiseFailFastException(nullptr, nullptr, 0);
+ }
+ }
+}
+
+
+void test_abort_bug(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'bug'
+
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'b' && data.c_str()[1] == 'u' && data.c_str()[2] == 'g') {
+ std::cout << "Found 'bug' abort corner case!\n";
+ abort(); // Uncomment to crash on this condition
+ }
+ }
+}
+
+void test_all(std::string data) {
+ test_abort_bug(data);
+ test_assert_cab(data);
+ test_null_deref_mom(data);
+ test_runtime_error_dad(data);
+ test_address_sanitizer_boo(data);
+ test_raise_fail_fast_dog(data);
+}
\ No newline at end of file
diff --git a/cpp/windows/base-executable/msvc-cpp-base-executable/src/fuzz_target.cpp b/cpp/windows/base-executable/msvc-cpp-base-executable/src/fuzz_target.cpp
new file mode 100644
index 0000000..acc0a07
--- /dev/null
+++ b/cpp/windows/base-executable/msvc-cpp-base-executable/src/fuzz_target.cpp
@@ -0,0 +1,23 @@
+#include
+#include "fuzz_methods.cpp"
+
+int main(int argc, char* argv[]) {
+ if (argc < 2) {
+ std::cerr << "Usage: fuzz_target \n";
+ return 1;
+ }
+
+ std::ifstream file(argv[1], std::ios::binary);
+ if (!file) {
+ std::cerr << "Error opening file: " << argv[1] << "\n";
+ return 1;
+ }
+
+ std::string data((std::istreambuf_iterator(file)),
+ std::istreambuf_iterator());
+
+ fuzz_init();
+ test_all(data);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_abort.txt b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_abort.txt
new file mode 100644
index 0000000..b7ce198
--- /dev/null
+++ b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_abort.txt
@@ -0,0 +1 @@
+bu.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_address_sanitizer.txt b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_address_sanitizer.txt
new file mode 100644
index 0000000..7b27f90
--- /dev/null
+++ b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_address_sanitizer.txt
@@ -0,0 +1 @@
+bo.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_assert.txt b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_assert.txt
new file mode 100644
index 0000000..ef55258
--- /dev/null
+++ b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_assert.txt
@@ -0,0 +1 @@
+ca.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_null_deref.txt b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_null_deref.txt
new file mode 100644
index 0000000..5d3a263
--- /dev/null
+++ b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_null_deref.txt
@@ -0,0 +1 @@
+mo.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_raise_fail_fast.txt b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_raise_fail_fast.txt
new file mode 100644
index 0000000..0baf38e
--- /dev/null
+++ b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_raise_fail_fast.txt
@@ -0,0 +1 @@
+do.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_runtime_error.txt b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_runtime_error.txt
new file mode 100644
index 0000000..ee94fad
--- /dev/null
+++ b/cpp/windows/base-executable/msvc-cpp-base-executable/testsuite/test_runtime_error.txt
@@ -0,0 +1 @@
+da.
\ No newline at end of file
diff --git a/cpp/windows/base-executable/msvc-cpp-base-executable/windows-cpp-base-executable b/cpp/windows/base-executable/msvc-cpp-base-executable/windows-cpp-base-executable
new file mode 120000
index 0000000..ba095ef
--- /dev/null
+++ b/cpp/windows/base-executable/msvc-cpp-base-executable/windows-cpp-base-executable
@@ -0,0 +1 @@
+./windows-cpp-base-executable
\ No newline at end of file
diff --git a/cpp/windows/crashers/test_abort.txt b/cpp/windows/crashers/test_abort.txt
new file mode 100644
index 0000000..a6866f5
--- /dev/null
+++ b/cpp/windows/crashers/test_abort.txt
@@ -0,0 +1 @@
+bug
\ No newline at end of file
diff --git a/cpp/windows/crashers/test_address_sanitizer.txt b/cpp/windows/crashers/test_address_sanitizer.txt
new file mode 100644
index 0000000..924806b
--- /dev/null
+++ b/cpp/windows/crashers/test_address_sanitizer.txt
@@ -0,0 +1 @@
+boo
\ No newline at end of file
diff --git a/cpp/windows/crashers/test_assert.txt b/cpp/windows/crashers/test_assert.txt
new file mode 100644
index 0000000..7e32cfb
--- /dev/null
+++ b/cpp/windows/crashers/test_assert.txt
@@ -0,0 +1 @@
+cab
\ No newline at end of file
diff --git a/cpp/windows/crashers/test_null_deref.txt b/cpp/windows/crashers/test_null_deref.txt
new file mode 100644
index 0000000..9d25384
--- /dev/null
+++ b/cpp/windows/crashers/test_null_deref.txt
@@ -0,0 +1 @@
+mom
\ No newline at end of file
diff --git a/cpp/windows/crashers/test_raise_fail_fast.txt b/cpp/windows/crashers/test_raise_fail_fast.txt
new file mode 100644
index 0000000..edca36d
--- /dev/null
+++ b/cpp/windows/crashers/test_raise_fail_fast.txt
@@ -0,0 +1 @@
+dog
\ No newline at end of file
diff --git a/cpp/windows/crashers/test_runtime_error.txt b/cpp/windows/crashers/test_runtime_error.txt
new file mode 100644
index 0000000..8eff968
--- /dev/null
+++ b/cpp/windows/crashers/test_runtime_error.txt
@@ -0,0 +1 @@
+dad
\ No newline at end of file
diff --git a/cpp/windows/libfuzzer/README.md b/cpp/windows/libfuzzer/README.md
new file mode 100644
index 0000000..57d0620
--- /dev/null
+++ b/cpp/windows/libfuzzer/README.md
@@ -0,0 +1,23 @@
+## Building Windows C++ LibFuzzer Targets
+
+Run the following to build the Windows libFuzzer target for Mayhem.
+
+```cmd
+clang++.exe src\libfuzzer_target.cpp -g -O1 -fsanitize=fuzzer -o fuzz_target_libfuzzer.exe
+```
+
+## Creating a Mayhem package
+
+Once you've got your binary built, you can create a Mayhem package like so:
+
+```cmd
+mayhem.exe package -o .\cpp-windows-libfuzzer .\fuzz_target_libfuzzer.exe
+```
+
+## Executing the Mayhem Run
+
+The `mayhem package` command will create a `Mayhemfile` for you under the `cpp-windows-libfuzzer` directory. You can initiate a Mayhem run like so:
+
+```cmd
+mayhem.exe run .\cpp-windows-libfuzzer --project mayhem-examples --target cpp-windows-libfuzzer --duration 90
+```
diff --git a/cpp/windows/libfuzzer/src/fuzz_methods.cpp b/cpp/windows/libfuzzer/src/fuzz_methods.cpp
new file mode 100644
index 0000000..ae0df1c
--- /dev/null
+++ b/cpp/windows/libfuzzer/src/fuzz_methods.cpp
@@ -0,0 +1,92 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+void fuzz_init() {
+ static bool initialized = false;
+ if (!initialized) {
+#ifdef _MSC_VER
+ // abort() displays a message box, then exits.
+ // assert() may not crash or trigger a debugger, depending on the CRT configuration.
+ // This disables the message box, but does not solve the whole problem.
+ // This is only available in MSVC.
+ _set_abort_behavior(0, _WRITE_ABORT_MSG | _CALL_REPORTFAULT);
+#endif
+ initialized = true;
+ }
+}
+
+void test_address_sanitizer_boo(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'address_sanitizer'
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'b' && data.c_str()[1] == 'o' && data.c_str()[2] == 'o') {
+ // Note: this will crash powershell in MSVC.
+ std::cout << "Found 'boo' address sanitizer corner case!\n";
+ int* x = new int[100];
+ x[100] = 5;
+ delete[] x;
+ }
+ }
+}
+
+void test_null_deref_mom(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'mom'
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'm' && data.c_str()[1] == 'o' && data.c_str()[2] == 'm') {
+ std::cout << "Found 'mom' null deref corner case!\n";
+ *((volatile int*)0) = 123; // guaranteed crash
+ }
+ }
+}
+
+void test_runtime_error_dad(std::string data) {
+ // This function uses a runtime error to see if mayhem catches it with input 'dad'.
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'd' && data.c_str()[1] == 'a' && data.c_str()[2] == 'd') {
+ std::cout << "Found 'dad' corner case!\n";
+ throw std::runtime_error("Found 'dad' runtime_error corner case!"); // Alternative: throw an exception
+ }
+ }
+}
+
+void test_assert_cab(std::string data) {
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'c' && data.c_str()[1] == 'a' && data.c_str()[2] == 'b') {
+ std::cout << "Found 'cab' assert corner case!\n";
+ assert(1 == 0);
+ }
+ }
+}
+
+void test_raise_fail_fast_dog(std::string data) {
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'd' && data.c_str()[1] == 'o' && data.c_str()[2] == 'g') {
+ std::cout << "Found 'dog' RaiseFailFastException!\n";
+ RaiseFailFastException(nullptr, nullptr, 0);
+ }
+ }
+}
+
+
+void test_abort_bug(std::string data) {
+ // This function uses a null deref to see if mayhem catches it with 'bug'
+
+ if (data.size() >= 3) {
+ if (data.c_str()[0] == 'b' && data.c_str()[1] == 'u' && data.c_str()[2] == 'g') {
+ std::cout << "Found 'bug' abort corner case!\n";
+ abort(); // Uncomment to crash on this condition
+ }
+ }
+}
+
+void test_all(std::string data) {
+ test_abort_bug(data);
+ test_assert_cab(data);
+ test_null_deref_mom(data);
+ test_runtime_error_dad(data);
+ test_address_sanitizer_boo(data);
+ test_raise_fail_fast_dog(data);
+}
\ No newline at end of file
diff --git a/cpp/windows/libfuzzer/src/libfuzzer_target.cpp b/cpp/windows/libfuzzer/src/libfuzzer_target.cpp
new file mode 100644
index 0000000..3ade3be
--- /dev/null
+++ b/cpp/windows/libfuzzer/src/libfuzzer_target.cpp
@@ -0,0 +1,13 @@
+#include "fuzz_methods.cpp"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ fuzz_init();
+
+ if (Size > 0) {
+ std::string data((const char*) Data, Size);
+ test_all(data);
+ return 0;
+ }
+
+ return 1;
+}
\ No newline at end of file
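Review bot: `_set_abort_behavior(0, _WRITE_ABORT_MSG | _CALL_REPORTFAULT)` in fuzz_init clears both flags, and clearing `_CALL_REPORTFAULT` makes abort() terminate without the fault report that a debugger-based crash detector keys on, so the 'bug' path in test_abort_bug may be recorded as a plain exit code 3 rather than a crash; the comment above it already admits it "does not solve the whole problem". If only the dialog is unwanted, clear just that flag: `_set_abort_behavior(0, _WRITE_ABORT_MSG);`. The copy-pasted comments in test_address_sanitizer_boo and test_abort_bug both say "uses a null deref" although the code does a one-past-the-end heap write and an abort() respectively; I would replace them with `// Writes one int past a 100-int heap block; only detected when built with -fsanitize=address` and `// Calls abort() to exercise the SIGABRT path`. The README's documented build line enables only `-fsanitize=fuzzer`, so without `,address` the 'boo' write is not a detectable crash at all. The `#include` targets are lost in this rendering, so I could not confirm that `<windows.h>` is pulled in for RaiseFailFastException.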
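Review bot: `return 1;` on the `Size == 0` path breaks the libFuzzer contract, which requires LLVMFuzzerTestOneInput to return 0 (newer runtimes also accept -1 as "do not add this input to the corpus" and, as far as I recall, assert on any other value), and libFuzzer executes the empty input as its very first unit, so this harness hits the reserved value on every start; change it to `return 0;` (or `return -1;` if rejecting the input is the intent). `#include "fuzz_methods.cpp"` pulls a whole translation unit into this one; moving the helpers to a header, or compiling both .cpp files, keeps each unit buildable on its own. The static-local flag in fuzz_init is fine here because libFuzzer invokes the callback from a single thread.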
diff --git a/cpp/windows/libfuzzer/testsuite/test_abort.txt b/cpp/windows/libfuzzer/testsuite/test_abort.txt new file mode 100644 index 0000000..b7ce198 --- /dev/null +++ b/cpp/windows/libfuzzer/testsuite/test_abort.txt @@ -0,0 +1 @@ +bu. \ No newline at end of file diff --git a/cpp/windows/libfuzzer/testsuite/test_address_sanitizer.txt b/cpp/windows/libfuzzer/testsuite/test_address_sanitizer.txt new file mode 100644 index 0000000..7b27f90 --- /dev/null +++ b/cpp/windows/libfuzzer/testsuite/test_address_sanitizer.txt @@ -0,0 +1 @@ +bo. \ No newline at end of file diff --git a/cpp/windows/libfuzzer/testsuite/test_assert.txt b/cpp/windows/libfuzzer/testsuite/test_assert.txt new file mode 100644 index 0000000..ef55258 --- /dev/null +++ b/cpp/windows/libfuzzer/testsuite/test_assert.txt @@ -0,0 +1 @@ +ca. \ No newline at end of file diff --git a/cpp/windows/libfuzzer/testsuite/test_null_deref.txt b/cpp/windows/libfuzzer/testsuite/test_null_deref.txt new file mode 100644 index 0000000..5d3a263 --- /dev/null +++ b/cpp/windows/libfuzzer/testsuite/test_null_deref.txt @@ -0,0 +1 @@ +mo. \ No newline at end of file diff --git a/cpp/windows/libfuzzer/testsuite/test_raise_fail_fast.txt b/cpp/windows/libfuzzer/testsuite/test_raise_fail_fast.txt new file mode 100644 index 0000000..0baf38e --- /dev/null +++ b/cpp/windows/libfuzzer/testsuite/test_raise_fail_fast.txt @@ -0,0 +1 @@ +do. \ No newline at end of file diff --git a/cpp/windows/libfuzzer/testsuite/test_runtime_error.txt b/cpp/windows/libfuzzer/testsuite/test_runtime_error.txt new file mode 100644 index 0000000..ee94fad --- /dev/null +++ b/cpp/windows/libfuzzer/testsuite/test_runtime_error.txt @@ -0,0 +1 @@ +da. \ No newline at end of file diff --git a/csharp/libfuzzer/csharp-sharpfuzz/Dockerfile b/csharp/libfuzzer/csharp-sharpfuzz/Dockerfile deleted file mode 100644 index 4f8ecd9..0000000 --- a/csharp/libfuzzer/csharp-sharpfuzz/Dockerfile +++ /dev/null 
@@ -1,25 +0,0 @@ -FROM mcr.microsoft.com/dotnet/nightly/sdk:6.0 as builder - -RUN mkdir /workdir -WORKDIR /workdir - -RUN dotnet tool install --global SharpFuzz.CommandLine -RUN wget https://github.com/Metalnem/libfuzzer-dotnet/releases/latest/download/libfuzzer-dotnet.tar.gz && \ - tar -xf libfuzzer-dotnet.tar.gz && \ - rm libfuzzer-dotnet.tar.gz - -ENV PATH $PATH:/root/.dotnet/tools - -COPY Program.cs Program.cs -COPY fuzzme.csproj fuzzme.csproj - -RUN dotnet publish fuzzme.csproj -c release -r linux-x64 --self-contained -o fuzzme -RUN sharpfuzz ./fuzzme/fuzzme.dll Fuzzme.Fuzzme -RUN mv libfuzzer-dotnet fuzzme/libfuzzer-dotnet - -FROM mcr.microsoft.com/dotnet/nightly/runtime:6.0 as fuzzer -COPY --from=builder /workdir/fuzzme /fuzzme - -# Set to fuzz! -ENTRYPOINT [] -CMD ["/fuzzme/libfuzzer-dotnet", "--target_path=/fuzzme/fuzzme"] diff --git a/csharp/linux/libfuzzer/csharp-sharpfuzz/Dockerfile b/csharp/linux/libfuzzer/csharp-sharpfuzz/Dockerfile new file mode 100644 index 0000000..8ee9606 --- /dev/null +++ b/csharp/linux/libfuzzer/csharp-sharpfuzz/Dockerfile 
@@ -0,0 +1,27 @@
+FROM mcr.microsoft.com/dotnet/nightly/sdk:6.0 AS builder
+
+RUN mkdir /workdir
+WORKDIR /workdir
+
+RUN dotnet tool install --global SharpFuzz.CommandLine --version 2.1.1
+RUN wget $(curl -s https://api.github.com/repos/Metalnem/libfuzzer-dotnet/releases/latest | grep "tarball_url" | cut -d '"' -f 4) -O libfuzzer-dotnet.tar.gz && \
+ mkdir libfuzzer-dotnet && \
+ tar xzf libfuzzer-dotnet.tar.gz -C libfuzzer-dotnet --strip-components=1 && \
+ rm libfuzzer-dotnet.tar.gz && \
+ rm -r libfuzzer-dotnet/tests libfuzzer-dotnet/test.ps1
+
+ENV PATH=$PATH:/root/.dotnet/tools
+
+COPY Program.cs Program.cs
+COPY fuzzme.csproj fuzzme.csproj
+
+RUN dotnet publish fuzzme.csproj -c release -r linux-x64 --self-contained -o fuzzme
+RUN sharpfuzz ./fuzzme/fuzzme.dll Fuzzme.Fuzzme
+RUN mv libfuzzer-dotnet fuzzme/libfuzzer-dotnet
+
+FROM mcr.microsoft.com/dotnet/nightly/runtime:6.0
+COPY --from=builder /workdir/fuzzme /fuzzme
+
+# Set to fuzz!
+ENTRYPOINT []
+CMD ["/fuzzme/libfuzzer-dotnet", "--target_path=/fuzzme/fuzzme"]
diff --git a/csharp/libfuzzer/csharp-sharpfuzz/Mayhemfile b/csharp/linux/libfuzzer/csharp-sharpfuzz/Mayhemfile
similarity index 54%
rename from csharp/libfuzzer/csharp-sharpfuzz/Mayhemfile
rename to csharp/linux/libfuzzer/csharp-sharpfuzz/Mayhemfile
index 451856d..d2ac146 100644
--- a/csharp/libfuzzer/csharp-sharpfuzz/Mayhemfile
+++ b/csharp/linux/libfuzzer/csharp-sharpfuzz/Mayhemfile
@@ -1,7 +1,7 @@
-image: $MAYHEM_DOCKER_REGISTRY/forallsecure/csharp-sharpfuzz:latest
+image: $MAYHEM_DOCKER_REGISTRY/forallsecure/csharp-linux-sharpfuzz:latest
 duration: 90
 project: mayhem-examples
-target: csharp
+target: csharp-linux-sharpfuzz
 cmds:
 - cmd: /fuzzme/libfuzzer-dotnet --target_path=/fuzzme/fuzzme
 libfuzzer: true
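Review bot: The libfuzzer-dotnet download on the `RUN wget $(curl -s ...)` line fetches whatever GitHub's `releases/latest` resolves to at build time, with no tag pin and no checksum, while SharpFuzz on the line above is pinned to 2.1.1; a rebuild therefore silently picks up a different driver, and `curl -s` without `-f` turns an API error or rate-limit response into an empty URL and an opaque wget failure. Pin to a tag and verify the archive, e.g. `ARG LIBFUZZER_DOTNET_REF=<validated tag>` and `RUN wget -O libfuzzer-dotnet.tar.gz "https://github.com/Metalnem/libfuzzer-dotnet/archive/refs/tags/${LIBFUZZER_DOTNET_REF}.tar.gz" && echo "<sha256>  libfuzzer-dotnet.tar.gz" | sha256sum -c -`. Note also that `tarball_url` is the source tarball, not the prebuilt release asset the deleted Dockerfile fetched; after `mv libfuzzer-dotnet fuzzme/libfuzzer-dotnet` the CMD path `/fuzzme/libfuzzer-dotnet` is a directory unless the tarball ships a driver binary at exactly that path, which I cannot confirm from here, so the image deserves a smoke run before it is pushed.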
diff --git a/csharp/libfuzzer/csharp-sharpfuzz/Program.cs b/csharp/linux/libfuzzer/csharp-sharpfuzz/Program.cs similarity index 73% rename from csharp/libfuzzer/csharp-sharpfuzz/Program.cs rename to csharp/linux/libfuzzer/csharp-sharpfuzz/Program.cs index a949c10..0640bab 100644 --- a/csharp/libfuzzer/csharp-sharpfuzz/Program.cs +++ b/csharp/linux/libfuzzer/csharp-sharpfuzz/Program.cs @@ -18,9 +18,9 @@ public static void Func(ReadOnlySpan data) { } } -class Program { - static void Main(string[] args) { - Fuzzer.LibFuzzer.Run(data => { Fuzzme.Func(data); }); + class Program { + static void Main(string[] args) { + Fuzzer.LibFuzzer.Run(data => { Fuzzme.Func(data); }); + } } } -} diff --git a/csharp/libfuzzer/csharp-sharpfuzz/README.md b/csharp/linux/libfuzzer/csharp-sharpfuzz/README.md similarity index 54% rename from csharp/libfuzzer/csharp-sharpfuzz/README.md rename to csharp/linux/libfuzzer/csharp-sharpfuzz/README.md index e38c3aa..daff381 100644 --- a/csharp/libfuzzer/csharp-sharpfuzz/README.md +++ b/csharp/linux/libfuzzer/csharp-sharpfuzz/README.md @@ -1,10 +1,10 @@ ## Building and Pushing the Docker Image -Run the following to build the `forallsecure/csharp-sharpfuzz` Docker image and push it to a specified Docker registry. +Run the following to build the `forallsecure/csharp-linux-sharpfuzz` Docker image and push it to a specified Docker registry. ```sh -docker build -t $MAYHEM_DOCKER_REGISTRY/forallsecure/csharp-sharpfuzz . -docker push $MAYHEM_DOCKER_REGISTRY/forallsecure/csharp-sharpfuzz +docker build -t $MAYHEM_DOCKER_REGISTRY/forallsecure/csharp-linux-sharpfuzz . +docker push $MAYHEM_DOCKER_REGISTRY/forallsecure/csharp-linux-sharpfuzz ``` ## Executing the Mayhem Run 
@@ -15,7 +15,7 @@ Then initiate a Mayhem run using a Mayhemfile similar to the following: image: $MAYHEM_DOCKER_REGISTRY/forallsecure/csharp-sharpfuzz:latest duration: 90 project: mayhem-examples -target: csharp +target: csharp-linux-sharpfuzz cmds: - cmd: /fuzzme/libfuzzer-dotnet --target_path=/fuzzme/fuzzme libfuzzer: true diff --git a/csharp/libfuzzer/csharp-sharpfuzz/fuzzme.csproj b/csharp/linux/libfuzzer/csharp-sharpfuzz/fuzzme.csproj similarity index 100% rename from csharp/libfuzzer/csharp-sharpfuzz/fuzzme.csproj rename to csharp/linux/libfuzzer/csharp-sharpfuzz/fuzzme.csproj diff --git a/csharp/libfuzzer/csharp-sharpfuzz/testsuite/seed.txt b/csharp/linux/libfuzzer/csharp-sharpfuzz/testsuite/seed.txt similarity index 100% rename from csharp/libfuzzer/csharp-sharpfuzz/testsuite/seed.txt rename to csharp/linux/libfuzzer/csharp-sharpfuzz/testsuite/seed.txt diff --git a/csharp/windows/base-executable/csharp-base-executable/README.md b/csharp/windows/base-executable/csharp-base-executable/README.md new file mode 100644 index 0000000..18b19be --- /dev/null +++ b/csharp/windows/base-executable/csharp-base-executable/README.md @@ -0,0 +1,23 @@ +## Building Windows C# Targets + +Run the following to build the Windows C# target for Mayhem. + +```cmd +csc.exe /unsafe /nologo /out:/dotnet_fuzz.exe src\dotnet_fuzz.cs +``` + +## Creating a Mayhem package + +Once you've got your binary built, you can create a Mayhem package like so: + +```cmd +mayhem.exe package -o .\csharp-windows-base-executable .\dotnet_fuzz.exe +``` + +## Executing the Mayhem Run + +The `mayhem package` command will create a `Mayhemfile` for you under the `csharp-windows-base-executable` directory. You can initiate a Mayhem run like so: + +```cmd +mayhem.exe run .\csharp-windows-base-executable --project mayhem-examples --target csharp-windows-base-executable --duration 90 +``` 
diff --git a/csharp/windows/base-executable/csharp-base-executable/src/dotnet_fuzz.cs b/csharp/windows/base-executable/csharp-base-executable/src/dotnet_fuzz.cs new file mode 100644 index 0000000..4a47366 --- /dev/null +++ b/csharp/windows/base-executable/csharp-base-executable/src/dotnet_fuzz.cs 
@@ -0,0 +1,105 @@
+using System;
+using System.IO;
+using System.Runtime.InteropServices;
+using System.Diagnostics;
+
+namespace DotnetFuzz
+{
+ public static class DotnetFuzz
+ {
+ [DllImport("kernel32.dll")]
+ public static extern void RaiseFailFastException(IntPtr pExceptionRecord, IntPtr pContextRecord, uint dwFlags);
+
+ public static void TestAbortBug(string data)
+ {
+ if (data.StartsWith("bug"))
+ {
+ Console.WriteLine("Found 'bug' abort corner case!");
+ Environment.FailFast("Simulated abort");
+ }
+ }
+
+ public static void TestNullDerefMom(string data)
+ {
+ if (data.StartsWith("mom"))
+ {
+ Console.WriteLine("Found 'mom' null deref corner case!");
+ unsafe
+ {
+ int* ptr = null;
+ *ptr = 42;
+ }
+ }
+ }
+
+ public static void TestRuntimeErrorDad(string data)
+ {
+ if (data.StartsWith("dad"))
+ {
+ Console.WriteLine("Found 'dad' runtime_error corner case!");
+ throw new Exception("Simulated runtime error");
+ }
+ }
+
+ public static void TestAssertCab(string data)
+ {
+ if (data.StartsWith("cab"))
+ {
+ Console.WriteLine("Found 'cab' assert corner case!");
+ Debug.Assert(false, "Assertion failed for input 'cab'");
+ }
+ }
+
+ public static void TestRaiseFailFastDog(string data)
+ {
+ if (data.StartsWith("dog"))
+ {
+ Console.WriteLine("Found 'dog' RaiseFailFastException!");
+ RaiseFailFastException(IntPtr.Zero, IntPtr.Zero, 0);
+ }
+ }
+
+ public static void TestAddressSanitizerBoo(string data)
+ {
+ if (data.StartsWith("boo"))
+ {
+ Console.WriteLine("Found 'boo' address sanitizer corner case!");
+ int[] x = new int[100];
+ x[100] = 5; // Out of bounds write
+ }
+ }
+
+ public static void TestAbortSetBehaviorSet(string data)
+ {
+ if (data.StartsWith("set"))
+ {
+ Console.WriteLine("Found 'set' FailFast corner case!");
+ Environment.FailFast("set_abort_behavior + abort simulation");
+ }
+ }
+ }
+
+ class Program
+ {
+
+ static void Main(string[] args)
+ {
+ if (args.Length < 1)
+ {
+ Console.Error.WriteLine("Usage: dotnet_fuzz_target ");
+ return;
+ }
+ + string input = File.ReadAllText(args[0]); + // Console.WriteLine($"Read '{input}' from input file."); + + DotnetFuzz.TestAbortBug(input); + DotnetFuzz.TestNullDerefMom(input); + DotnetFuzz.TestRuntimeErrorDad(input); + DotnetFuzz.TestAssertCab(input); + DotnetFuzz.TestRaiseFailFastDog(input); + DotnetFuzz.TestAddressSanitizerBoo(input); + DotnetFuzz.TestAbortSetBehaviorSet(input); + } + } +} diff --git a/csharp/windows/base-executable/csharp-base-executable/src/dotnet_fuzz.csproj b/csharp/windows/base-executable/csharp-base-executable/src/dotnet_fuzz.csproj new file mode 100644 index 0000000..fca5df0 --- /dev/null +++ b/csharp/windows/base-executable/csharp-base-executable/src/dotnet_fuzz.csproj @@ -0,0 +1,11 @@ + + + + Exe + net6.0 + true + dotnet_fuzz + true + + + \ No newline at end of file diff --git a/csharp/windows/base-executable/csharp-base-executable/testsuite/test_abort.txt b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_abort.txt new file mode 100644 index 0000000..b7ce198 --- /dev/null +++ b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_abort.txt @@ -0,0 +1 @@ +bu. \ No newline at end of file diff --git a/csharp/windows/base-executable/csharp-base-executable/testsuite/test_address_sanitizer.txt b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_address_sanitizer.txt new file mode 100644 index 0000000..7b27f90 --- /dev/null +++ b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_address_sanitizer.txt @@ -0,0 +1 @@ +bo. \ No newline at end of file diff --git a/csharp/windows/base-executable/csharp-base-executable/testsuite/test_assert.txt b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_assert.txt new file mode 100644 index 0000000..ef55258 --- /dev/null +++ b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_assert.txt @@ -0,0 +1 @@ +ca. \ No newline at end of file 
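Review bot: `Debug.Assert(false, ...)` in TestAssertCab is `[Conditional("DEBUG")]`, so the call is compiled out unless DEBUG is defined; the README's build line `csc.exe /unsafe /nologo /out:...` does not define it and a `-c release` build of the csproj would not either, so the 'cab' seed then runs to a clean exit and the assert case is never exercised. Either add `/define:DEBUG` to the documented build command or make the failure unconditional, e.g. `throw new InvalidOperationException("Assertion failed for input 'cab'");`. Separately, the comment on TestAddressSanitizerBoo calls the bounds-checked `x[100] = 5` an "address sanitizer corner case"; in managed code this raises `IndexOutOfRangeException` rather than a memory-safety fault, so I would reword it to `// Bounds-checked write: throws IndexOutOfRangeException, no ASan involved`.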
diff --git a/csharp/windows/base-executable/csharp-base-executable/testsuite/test_null_deref.txt b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_null_deref.txt new file mode 100644 index 0000000..5d3a263 --- /dev/null +++ b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_null_deref.txt @@ -0,0 +1 @@ +mo. \ No newline at end of file diff --git a/csharp/windows/base-executable/csharp-base-executable/testsuite/test_raise_fail_fast.txt b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_raise_fail_fast.txt new file mode 100644 index 0000000..0baf38e --- /dev/null +++ b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_raise_fail_fast.txt @@ -0,0 +1 @@ +do. \ No newline at end of file diff --git a/csharp/windows/base-executable/csharp-base-executable/testsuite/test_runtime_error.txt b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_runtime_error.txt new file mode 100644 index 0000000..ee94fad --- /dev/null +++ b/csharp/windows/base-executable/csharp-base-executable/testsuite/test_runtime_error.txt @@ -0,0 +1 @@ +da. \ No newline at end of file diff --git a/fortran/base-executable/fortran-base-executable/Dockerfile b/fortran/base-executable/fortran-base-executable/Dockerfile index f37aba6..42ba8de 100644 --- a/fortran/base-executable/fortran-base-executable/Dockerfile +++ b/fortran/base-executable/fortran-base-executable/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:buster-slim +FROM debian:bookworm-slim COPY src/mayhemit.f90 . RUN apt-get update && \ apt-get install -fy gfortran && \ diff --git a/objective-c/base-executable/obj-c-base-executable/Dockerfile b/objective-c/base-executable/obj-c-base-executable/Dockerfile index a4faa5f..ec24fe8 100644 --- a/objective-c/base-executable/obj-c-base-executable/Dockerfile +++ b/objective-c/base-executable/obj-c-base-executable/Dockerfile 
@@ -1,8 +1,8 @@
-FROM debian:buster-slim as builder
+FROM debian:bookworm-slim AS builder
 RUN apt-get update && \
 apt-get install -fy build-essential gobjc gobjc++ gnustep gnustep-devel libgnustep-base-dev
 COPY src/mayhemit.m .
-RUN gcc $(gnustep-config --objc-flags) $(gnustep-config --base-libs) mayhemit.m -o mayhemit
+RUN gcc mayhemit.m $(gnustep-config --objc-flags) $(gnustep-config --base-libs) -o mayhemit
 
 # Set to fuzz!
 ENTRYPOINT []
diff --git a/ocaml/afl/ocaml-afl/Dockerfile b/ocaml/afl/ocaml-afl/Dockerfile
index 81b3582..827e676 100644
--- a/ocaml/afl/ocaml-afl/Dockerfile
+++ b/ocaml/afl/ocaml-afl/Dockerfile
@@ -1,8 +1,9 @@
-FROM fuzzers/afl:2.52
-RUN apt-get update && \
- apt-get install -y ocaml
+FROM ubuntu AS base
+RUN apt update -y && apt install -y curl afl++ unzip
+RUN curl -fsSL https://opam.ocaml.org/install.sh | bash
+RUN opam init --disable-sandboxing -y
 COPY src/mayhemit.ml .
-RUN ocamlopt -afl-instrument unix.cmxa mayhemit.ml -o /mayhemit && \
+RUN eval $(opam env) && ocamlopt -afl-instrument unix.cmxa mayhemit.ml -o /mayhemit && \
 mkdir /input && \
 echo seed > input/seed && \
 mkdir /output
diff --git a/ocaml/base-executable/ocaml-base-executable/Dockerfile b/ocaml/base-executable/ocaml-base-executable/Dockerfile
index 447f1e4..871a0b7 100644
--- a/ocaml/base-executable/ocaml-base-executable/Dockerfile
+++ b/ocaml/base-executable/ocaml-base-executable/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:buster-slim as builder
+FROM debian:bookworm-slim as builder
 RUN apt-get update && \
 apt-get install -y ocaml
 COPY src/mayhemit.ml .
diff --git a/rust/afl/rust-afl/Dockerfile b/rust/afl/rust-afl/Dockerfile
index f8e9bd5..3d1e775 100644
--- a/rust/afl/rust-afl/Dockerfile
+++ b/rust/afl/rust-afl/Dockerfile
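Review bot: `RUN curl -fsSL https://opam.ocaml.org/install.sh | bash` in the ocaml-afl Dockerfile pipes an unpinned remote script into a root shell, on top of an unpinned `FROM ubuntu` tag, replacing a build that was pinned to `fuzzers/afl:2.52`; every rebuild now trusts opam.ocaml.org and whatever the installer fetches at that moment, and two builds of the same commit can differ. Ubuntu packages both the compiler and opam, so unless a newer OCaml than the distro's is required (the deleted line used `apt-get install -y ocaml`, which suggests it is not), the curl-pipe line can go: `FROM ubuntu:24.04 AS base` and `RUN apt-get update && apt-get install -y --no-install-recommends afl++ ocaml` with the `opam init` and `eval $(opam env)` steps dropped. If opam really is needed, pin the image tag and the installer version at minimum, and prefer `apt-get` over the interactive `apt` front end in Dockerfiles.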
@@ -1,14 +1,14 @@
-FROM fuzzers/cargo-fuzz:0.10.0
-RUN cargo install afl --version 0.7.0
+FROM rust:1.90.0
+RUN cargo install cargo-afl
 COPY src/mayhemit.rs .
 RUN export USER=root && \
 cargo new mayhemit && \
 cd mayhemit && \
 mv /mayhemit.rs src/main.rs && \
- echo afl = '"0.4"' >> Cargo.toml && \
+ echo afl = '"*"' >> Cargo.toml && \
 cargo afl build
 RUN echo seed > /tmp/seed
 
 # Set to fuzz!
 ENTRYPOINT ["cargo", "afl", "fuzz", "-i", "/tmp", "-o", "/out"]
-CMD ["/mayhemit/target/debug/mayhemit"]
+CMD ["/mayhemit/target/debug/mayhemit"]
\ No newline at end of file
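Review bot: `cargo install cargo-afl` with no `--version` and the wildcard `afl = '"*"'` written into Cargo.toml leave both halves of the AFL toolchain floating, even though the base image was just pinned to `rust:1.90.0`; the `cargo-afl` binary and the `afl` runtime crate are expected to match, so a rebuild after an upstream release can resolve a crate newer than the installed binary (or vice versa) and fail or change instrumentation without any change to this repo. Pin both to one validated release and lock resolution: `ARG AFL_VERSION=<validated release>`, `RUN cargo install cargo-afl --version "$AFL_VERSION" --locked`, and `echo "afl = \"$AFL_VERSION\"" >> Cargo.toml`. The previous pins (`afl --version 0.7.0` / `"0.4"`) were already mismatched, so this is also a chance to record the pair that actually works.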