From 9539ebbf7042f8eaf8c6ddac25ad01aa4017634e Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Mon, 21 Mar 2016 18:24:53 -0400
Subject: [PATCH] Update FUZZING documentation about max_len.

Maintain the max_len values in foo.options files which ClusterFuzz can process. Also recompute the recommended client and server lengths as they've since gotten much more extensive.

Change-Id: Ie87a80d8a4a0c41e215f0537c8ccf82b38c4de09
Reviewed-on: https://boringssl-review.googlesource.com/7509
Reviewed-by: Mike Aizatsky
Reviewed-by: David Benjamin
---
 FUZZING.md           | 15 ++++-----------
 fuzz/cert.options    |  2 ++
 fuzz/client.options  |  2 ++
 fuzz/privkey.options |  2 ++
 fuzz/server.options  |  2 ++
 5 files changed, 12 insertions(+), 11 deletions(-)
 create mode 100644 fuzz/cert.options
 create mode 100644 fuzz/client.options
 create mode 100644 fuzz/privkey.options
 create mode 100644 fuzz/server.options

diff --git a/FUZZING.md b/FUZZING.md
index 6416eeba..3474cbc7 100644
--- a/FUZZING.md
+++ b/FUZZING.md
@@ -23,21 +23,14 @@ Then copy `libFuzzer.a` to the top-level of your BoringSSL source directory. From the `build/` directory, you can then run the fuzzers. For example: ``` -./fuzz/cert -max_len=4000 -jobs=32 -workers=32 ../fuzz/cert_corpus/ +./fuzz/cert -max_len=3072 -jobs=32 -workers=32 ../fuzz/cert_corpus/ ``` -The `max_len` argument is often important because, without it, libFuzzer defaults to limiting all test cases to 64 bytes, which is often insufficient for the formats that we wish to fuzz. The arguments to `jobs` and `workers` should be the number of cores that you wish to dedicate to fuzzing. +The arguments to `jobs` and `workers` should be the number of cores that you wish to dedicate to fuzzing. By default, libFuzzer uses the largest test in the corpus (or 64 if empty) as the maximum test case length. The `max_len` argument overrides this. -There are directories in `fuzz/` for each of the fuzzing tests which contain seed files for fuzzing. Some of the seed files were generated manually but many of them are “interesting” results generated by the fuzzing itself. (Where “interesting” means that it triggered a previously unknown path in the code.) - -Here are the recommended values of `max_len` for each test. +The recommended values of `max_len` for each test may be found in `.options` files alongside the test source. These were determined by rounding up the length of the largest case in the corpus. When writing a new fuzzer, configure `max_len` in a similar file. -| Test | `max_len` value | -|-----------|-----------------| -| `privkey` | 2048 | -| `cert` | 3072 | -| `server` | 1024 | -| `client` | 4096 | +There are directories in `fuzz/` for each of the fuzzing tests which contain seed files for fuzzing. Some of the seed files were generated manually but many of them are “interesting” results generated by the fuzzing itself. (Where “interesting” means that it triggered a previously unknown path in the code.) ## Minimising the corpuses 
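Review bot: the new paragraph "The recommended values of `max_len` for each test may be found in `.options` files alongside the test source" leaves out that libFuzzer itself never reads those files; per the commit message they exist for ClusterFuzz to process, so someone running a fuzzer by hand still has to pass the value explicitly, as the updated `./fuzz/cert -max_len=3072 -jobs=32 -workers=32 ../fuzz/cert_corpus/` example does. Suggest adding one sentence after that paragraph, e.g. "libFuzzer does not read these files; when running manually, pass the value from the matching `.options` file with `-max_len` as in the example above." Without it, a reader who trusts the default described two paragraphs earlier (largest corpus entry, or 64 if the corpus is empty) can silently fuzz a new target with a 64-byte cap.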
diff --git a/fuzz/cert.options b/fuzz/cert.options new file mode 100644 index 00000000..1c91af35 --- /dev/null +++ b/fuzz/cert.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 3072 \ No newline at end of file diff --git a/fuzz/client.options b/fuzz/client.options new file mode 100644 index 00000000..db49f157 --- /dev/null +++ b/fuzz/client.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 20000 diff --git a/fuzz/privkey.options b/fuzz/privkey.options new file mode 100644 index 00000000..60bd9b0b --- /dev/null +++ b/fuzz/privkey.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 2048 diff --git a/fuzz/server.options b/fuzz/server.options new file mode 100644 index 00000000..9fda93fc --- /dev/null +++ b/fuzz/server.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 4096
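Review bot: `fuzz/cert.options` is added without a trailing newline (`\ No newline at end of file`), while `fuzz/client.options`, `fuzz/privkey.options` and `fuzz/server.options` all end with one. Add the newline to `cert.options` so the four files are consistent and so any later edit to that file does not carry the no-newline marker in its diff.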