commit fe2bf931821ace43acbcc2b059984ae46a9d08b0
Author: John-Mark Gurney
Date: Mon Feb 20 13:36:31 2023 -0800
just some notes on my fuzzing FreeBSD fsck..
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..4d67440
--- /dev/null
+++ b/README.md
@@ -0,0 +1,20 @@
+Fuzzing FreeBSD w/ AFL
+======================
+
+This project is used to store the various information and scripts that
+I have used in fuzzing FreeBSD.
+
+This project started when someone reported that fsck_ffs couldn't
+repair a file system they had, but as we all know, file systems are
+often large, and contain data the people don't want to share, making
+getting test cases more difficult than most. I decided to see if
+fuzzing was able to reproduce their failure, and the very first
+failure was the reported, but it also managed to find some more.
+
+Building
+--------
+
+There is a script `build.sh` that will set the compiler correctly when
+building parts of the FreeBSD source tree. You do have to be careful
+when doing this as there are sometimes dependencies that need to be
+built as well, e.g. `libufs` for `fsck_ffs`.
diff --git a/build.sh b/build.sh
new file mode 100644
index 0000000..f474713
--- /dev/null
+++ b/build.sh
@@ -0,0 +1 @@
+CC=/usr/local/afl++-llvm/bin/afl-cc CXX=/usr/local/afl++-llvm/bin/afl-c++ make "$@"
diff --git a/fsck_ffs/README.md b/fsck_ffs/README.md
new file mode 100644
index 0000000..d7b3c6e
--- /dev/null
+++ b/fsck_ffs/README.md
@@ -0,0 +1,7 @@
+fsck_ffs
+========
+
+Collect stack traces for examination:
+```
+for i in id:000*; do echo TEST CASE "$i"; (echo run -y $i; echo bt) | gdb /usr/obj/usr/src/arm64.aarch64/sbin/fsck_ffs/fsck_ffs; done > crashes.txt
+```
diff --git a/fsck_ffs/build.test.cases.sh b/fsck_ffs/build.test.cases.sh
new file mode 100644
index 0000000..cdd99a2
--- /dev/null
+++ b/fsck_ffs/build.test.cases.sh
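Review bot: The single added line of build.sh hardcodes `/usr/local/afl++-llvm/bin/afl-cc` and `afl-c++` and never checks that they exist, so on a host without that prefix the failure surfaces as a compiler-not-found error from inside the FreeBSD build rather than up front; the same prefix, plus the arm64.aarch64 object path of fsck_ffs, is repeated verbatim in fsck_ffs/run.main.sh. Consider `afl=${AFL_PREFIX:-/usr/local/afl++-llvm}`, `[ -x "$afl/bin/afl-cc" ] || { echo "afl-cc not found under $afl" >&2; exit 1; }`, then `CC="$afl/bin/afl-cc" CXX="$afl/bin/afl-c++" make "$@"`, and reuse the same variable in run.main.sh instead of a second literal copy. None of the three scripts in this commit carries a `#!/bin/sh` line, so which interpreter runs them depends on how they are invoked; a shebang line at the top of each would pin that.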
@@ -0,0 +1,18 @@
+size=512kb
+
+for fstype in -O1 -O2; do
+ for secsize in -S512 -S4096; do
+ for blkfrag in "" "-b 4096 -f 512"; do
+ if [ ! -z "$blkfrag" ]; then
+ part=".b4096f512"
+ else
+ part=""
+ fi
+ fname="test.$fstype.$secsize$part.img"
+ truncate -s "$size" "$fname"
+ dev=$(mdconfig -f "$fname")
+ newfs $fstype $secsize $blkfrag "$dev"
+ mdconfig -d -u "$dev"
+ done
+ done
+done
diff --git a/fsck_ffs/run.main.sh b/fsck_ffs/run.main.sh
new file mode 100644
index 0000000..0f38e67
--- /dev/null
+++ b/fsck_ffs/run.main.sh
@@ -0,0 +1,4 @@
+/usr/local/afl++-llvm/bin/afl-fuzz -i testcase_dir -o sync_dir -M fuzzer01 /usr/obj/usr/src/arm64.aarch64/sbin/fsck_ffs/fsck_ffs -y @@
+
+#secondaries:
+# /usr/local/afl++-llvm/bin/afl-fuzz -i testcase_dir -o sync_dir -S fuzzerXX /usr/obj/usr/src/arm64.aarch64/sbin/fsck_ffs/fsck_ffs -y @@
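Review bot: `dev=$(mdconfig -f "$fname")` in build.test.cases.sh is never checked and the script has no `set -e`, so when the attach fails (mdconfig needs root) `$dev` is empty and the loop carries on into `newfs $fstype $secsize $blkfrag ""` and `mdconfig -d -u ""` instead of stopping; conversely, simply adding `set -e` would make a failing `newfs` exit before `mdconfig -d -u "$dev"` runs and leave the md unit attached. The inner loop body should check the attach, capture the newfs status, always detach, and only then propagate the status, as sketched below. Minor: `[ ! -z "$blkfrag" ]` reads more directly as `[ -n "$blkfrag" ]`, and the unquoted `$blkfrag` relies on word-splitting to turn `-b 4096 -f 512` into four arguments, which deserves a comment because it otherwise looks like a quoting mistake. The script also has no `#!/bin/sh` line.
```sh
#!/bin/sh
set -eu
# … unchanged: size=, the three nested for loops, part/fname selection, truncate …
      dev=$(mdconfig -f "$fname") || exit 1
      rc=0
      # $blkfrag is deliberately unquoted: it must split into "-b 4096 -f 512"
      newfs $fstype $secsize $blkfrag "$dev" || rc=$?
      mdconfig -d -u "$dev"
      [ "$rc" -eq 0 ] || exit "$rc"
# … unchanged: the three done lines …
```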