6 This page describes the fuzzing targets and supported fuzzers available in FRR
7 and how to use them. Familiarity with fuzzing techniques and tools is assumed.
12 It is well known that networked applications tend to be difficult to fuzz on
13 their network-facing attack surfaces. Approaches involving actual network
14 transmission tend to be slow and are subject to intermediate devices and
15 networking stacks which tend to drop fuzzed packets, especially if the fuzzing
16 surface covers IP itself. Some time was spent on fuzzing FRR this way with some
17 mediocre results but attention quickly turned towards skipping the actual
18 networking and instead adding fuzzing targets directly in the packet processing
19 code for use by more traditional in- and out-of-process fuzzers. Results from
20 this approach have been very fruitful.
22 The patches to add fuzzing targets are kept in a separate git branch. Typically
23 it is better to keep them in the main branch so they are kept up to date and do
24 not need to be constantly synchronized with the main codebase. Unfortunately,
25 changes to FRR to support fuzzing necessarily extend far beyond the
26 entrypoints. Checksums must be disarmed, interactions with the kernel must be
27 skipped, sockets and files must be avoided, desired under/overflows must be
28 marked, etc. There are the usual ``LD_PRELOAD`` libraries to emulate these
29 things (preeny et al) but FRR is a very kernel-reliant program and these
30 libraries tend to create annoying problems when used with FRR for whatever
31 reason. Keeping this code in the main codebase is cluttering, difficult to work
32 with / around, and runs the risk of accidentally introducing bugs even if
33 ``#ifdef``'d out. Consequently it's in a separate branch that is rebased on
34 ``master`` from time to time.
40 The git branch with fuzzing targets is located here:
42 https://github.com/FRRouting/frr/tree/fuzz
44 To build libFuzzer targets, pass ``--enable-libfuzzer`` to ``configure``.
45 To build AFL targets, compile with ``afl-clang`` as usual.
47 Fuzzing with sanitizers is strongly recommended, especially ASAN, which you can
48 enable by passing ``--enable-address-sanitizer`` to ``configure``.
50 Suggested UBSAN flags: ``-fsanitize-recover=unsigned-integer-overflow,implicit-conversion -fsanitize=unsigned-integer-overflow,implicit-conversion,nullability-arg,nullability-assign,nullability-return``
51 Recommended cflags: ``-Wno-all -g3 -O3 -funroll-loops``
56 All fuzzing targets have support for libFuzzer and AFL. This is done by writing
57 the target as a libFuzzer entrypoint (``LLVMFuzzerTestOneInput()``) and calling
58 it from the AFL entrypoint in ``main()``. New targets should use this rule.
60 When adding AFL entrypoints, it's a good idea to use AFL persistent mode for
61 better performance. Grep ``bgpd/bgp_main.c`` for ``__AFL_INIT()`` for an
62 example of how to do this in FRR. Typically it involves moving all internal
63 daemon setup into a setup function. Then this setup function is called exactly
64 once for the lifetime of the process. In ``LLVMFuzzerTestOneInput()`` this
65 means you need to call it at the start of the function protected by a static
66 boolean that is set to true, since that function is your entrypoint. You also
67 need to call it prior to ``__AFL_INIT()`` in ``main()`` because ``main()`` is
68 your entrypoint in the AFL case.
70 Adding support to daemons
71 ^^^^^^^^^^^^^^^^^^^^^^^^^
73 This section describes how to add entrypoints to daemons that do not have any
76 Because libFuzzer has its own ``main()`` function, when adding fuzzing support
77 to a daemon that doesn't have any targets already, ``main()`` needs to be
78 ``#ifdef``'d out like so:
82 #ifndef FUZZING_LIBFUZZER
84 int main(int argc, char **argv)
89 #endif /* FUZZING_LIBFUZZER */
92 The ``FUZZING_LIBFUZZER`` macro is set by ``--enable-libfuzzer``.
94 Because libFuzzer can only be linked into daemons that have
95 ``LLVMFuzzerTestOneInput()`` implemented, we can't pass ``-fsanitize=fuzzer``
96 to all daemons in ``AM_CFLAGS``. It needs to go into a variable specific to
97 each daemon. Since it can be thought of as a kind of sanitizer, for daemons
98 that have libFuzzer support there are now individual flags variables for those
99 daemons named ``DAEMON_SAN_FLAGS`` (e.g. ``BGPD_SAN_FLAGS``,
100 ``ZEBRA_SAN_FLAGS``). This variable has the contents of the generic
101 ``SAN_FLAGS`` plus any fuzzing-related flags. It is used in daemons'
102 ``subdir.am`` in place of ``SAN_FLAGS``. Daemons that don't support libFuzzer
103 still use ``SAN_FLAGS``. If you want to add fuzzing support to a daemon you
104 need to do this flag variable conversion; look at ``configure.ac`` for
105 examples, it is fairly straightforward. Remember to update ``subdir.am`` to use
108 Do note that when fuzzing is enabled, ``SAN_FLAGS`` gains
109 ``-fsanitize=fuzzer-no-link``; the result is that all daemons are instrumented
110 for fuzzing but only the ones with ``LLVMFuzzerTestOneInput()`` actually get
111 linked with libFuzzer.
117 A given daemon can have lots of different paths that are interesting to fuzz.
118 There's not really a great way to handle this, most fuzzers assume the program
119 has one entrypoint. The approach taken in FRR for multiple entrypoints is to
120 control which path is taken within ``LLVMFuzzerTestOneInput()`` using
121 ``#ifdef`` and passing whatever controlling macro definition you want. Take a
122 look at that function for the daemon you're interested in fuzzing, pick the
123 target, add ``#define MY_TARGET 1`` somewhere before the ``#ifdef`` switch,
126 .. list-table:: Fuzzing Targets
157 Some interesting seed corpuses for various daemons are available `here
158 <https://github.com/qlyoung/frr-fuzz/tree/master/samples>`_.
160 For libFuzzer, you need to pass ``-rss_limit_mb=0`` if you are fuzzing with
161 ASAN enabled, as you should.
163 For AFL, afl++ is strongly recommended; afl proper isn't really maintained
projects / mirror_frr.git / blob