Fuzzor

Work-in-progress continuous fuzzing infrastructure. Mainly built and maintained to continuously fuzz Bitcoin Core, but adding and fuzzing other projects is supported as well (see projects/).

Quick Start

docker build --tag fuzzor-base:latest --file infra/Dockerfile.base .

cd projects/bitcoin
docker build --tag fuzzor-bitcoin:latest .

docker run -it fuzzor-bitcoin:latest

FUZZ=txgraph ./out/libfuzzer_asan/fuzz

Features

  • Automatic bug reports
  • Automatic coverage report creation
  • Support for major fuzzing engines (AFL++, libFuzzer, honggfuzz, Native Golang)
  • Crash deduplication
  • Corpus minimization with all supported engines
  • Real-time ensemble fuzzing
  • Coverage based campaign scheduling
  • Support for experimental fuzzing engines (e.g. fuzz driven characterization testing with SemSan)
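Crash deduplication is listed as a feature above. The following Python example, added here and not Fuzzor's own code, shows the usual approach: a sanitizer report or assertion abort is reduced to a signature made of the crash kind plus the top application stack frames (function@file), with PIDs, addresses, harness and libc frames and line numbers dropped, so repeated hits of one bug collapse into one group. The sample reports are constructed in the shape of ASan/libFuzzer output; the function and file names in them are illustrative, not taken from a real run.

```python
import re

# Constructed sample reports shaped like ASan/libFuzzer output (not real Fuzzor artifacts).
HBO_RUN1 = """==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000150
    #0 0x55a1c0ffee01 in CScript BuildScript(int) miniscript.cpp:1234:5
    #1 0x55a1c0ffee02 in scriptpubkeyman_fuzz_target(Span<unsigned char const>) scriptpubkeyman.cpp:88:9
    #2 0x55a1c0ffee03 in LLVMFuzzerTestOneInput fuzz.cpp:40:3
    #3 0x7f3a1d029d90 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29d90)
"""
# The same bug hit by another input after a small source edit: new PID, addresses and line numbers.
HBO_RUN2 = (HBO_RUN1.replace("4242", "4343").replace("0x55a1c0ffee", "0x55b2d1ffee")
            .replace("1234:5", "1237:9"))
ASSERT_RUN = """fuzz: script.cpp:200: void script_fuzz_target(): Assertion `!extract_destination_ret' failed.
==4444==ERROR: AddressSanitizer: ABRT on unknown address 0x000000000000 (pc 0x7f3a1d0969fc)
    #0 0x7f3a1d0969fc in raise (/lib/x86_64-linux-gnu/libc.so.6+0x969fc)
    #1 0x7f3a1d042471 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x42471)
    #2 0x7f3a1d042394 in __assert_fail (/lib/x86_64-linux-gnu/libc.so.6+0x42394)
    #3 0x55a1c0ffee10 in script_fuzz_target() script.cpp:200:5
"""

FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.+)\s+(\S+)$")   # "#N 0xADDR in FUNC LOCATION"
KIND_RE = re.compile(r"ERROR: \w+Sanitizer: ([\w-]+)")                   # e.g. heap-buffer-overflow
ASSERT_RE = re.compile(r"Assertion [`'](.+?)' failed")                   # failed assertion expression
# Runtime, libc and harness frames say nothing about which bug was hit, so they are skipped.
SKIP_PREFIXES = ("__", "raise", "abort", "fuzzer::", "LLVMFuzzer")


def crash_signature(report: str, depth: int = 3) -> str:
    """Dedup key: crash kind plus up to `depth` application frames as function@file."""
    m = ASSERT_RE.search(report)  # an assertion abort is keyed on its expression, not on ABRT
    kind = f"assert:{m.group(1)}" if m else next(iter(KIND_RE.findall(report)), "unknown")
    frames = []
    for line in report.splitlines():
        fm = FRAME_RE.match(line)
        if not fm:
            continue
        # Drop the parameter list and any return type: "CScript BuildScript(int)" -> "BuildScript".
        func = (fm.group(1).split("(")[0].split() or [fm.group(1)])[-1]
        if func.startswith(SKIP_PREFIXES):
            continue
        # Keep only the file basename: line/column numbers shift with unrelated source edits.
        frames.append(func + "@" + fm.group(2).split(":")[0].rsplit("/", 1)[-1])
        if len(frames) == depth:
            break
    return "|".join([kind, *frames])


def deduplicate(reports):
    """Group reports by signature; returns {signature: [indices of reports in that group]}."""
    groups = {}
    for i, report in enumerate(reports):
        groups.setdefault(crash_signature(report), []).append(i)
    return groups
```

Call `deduplicate([HBO_RUN1, HBO_RUN2, ASSERT_RUN])` to see the two overflow reports land in one group and the assertion abort in another.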

Planned Features

  • Support for more fuzzing engines (e.g. Radamsa, libafl_libfuzzer, libafl-fuzz, ...)
  • Snapshot fuzzing support (e.g. using full-system libafl_qemu and/or nyx)
  • Concolic fuzzing engine support
  • Automatic bug triaging
  • Automatic pull request fuzzing

Bugs discovered by Fuzzor

  • core-lightning: fuzz-connectd-handshake-act2: Assertion 'write_count == 1 && "too many calls to io_write()"' (details)
  • core-lightning: fuzz-cryptomsg: Assertion 'cryptomsg_decrypt_body(buf, &cs_in, buf) == NULL' (details)
  • core-lightning: fuzz-bolt12-bech32-decode: index 128 out of bounds for type 'const int8_t[128]' (details)
  • lnd: FuzzProbability: normalization factor is zero (details)
  • lnd: FuzzReplyChannelRange: failed to encode message to buffer (details)
  • bitcoin: wallet_bdb_parser: BDB builtin encryption is not supported (details)
  • bitcoin: rpc: runtime error: reference binding to null pointer of type 'const value_type' (details)
  • bitcoin: script: Assertion '!extract_destination_ret' failed (details)
  • bitcoin: scriptpubkeyman: heap-buffer-overflow miniscript.cpp in CScript BuildScript (details)
  • bitcoin: p2p_headers_presync: Assertion 'total_work < chainman.MinimumChainWork()' failed (details)
  • bitcoin: connman: terminate called after throwing an instance of 'std::bad_alloc' (details)
  • bitcoin #30243: mocked_descriptor_parse: Assertion '(leaf_version & ~TAPROOT_LEAF_MASK) == 0' failed (details)
  • bitcoin #31244: various descriptor parsing crashes (details)
  • bitcoin #28584: null-ptr deref (details)
  • bitcoin #28584: use of uninitialized memory (details)