summaryrefslogtreecommitdiff
path: root/doc/HACKING/Fuzzing.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/HACKING/Fuzzing.md')
-rw-r--r--doc/HACKING/Fuzzing.md40
1 files changed, 26 insertions, 14 deletions
diff --git a/doc/HACKING/Fuzzing.md b/doc/HACKING/Fuzzing.md
index 487716bb6d..1a9185aebf 100644
--- a/doc/HACKING/Fuzzing.md
+++ b/doc/HACKING/Fuzzing.md
@@ -6,7 +6,10 @@ Check out fuzzing-corpora, and set TOR_FUZZ_CORPORA to point to the place
where you checked it out.
To run the fuzzing test cases in a deterministic fashion, use:
- make test-fuzz-corpora
+
+```console
+$ make test-fuzz-corpora
+```
This won't actually fuzz Tor! It will just run all the fuzz binaries
on our existing set of testcases for the fuzzer.
@@ -58,11 +61,13 @@ machine you care about, anyway.
To Build:
Get AFL from http://lcamtuf.coredump.cx/afl/ and unpack it
- cd afl
- make
- cd ../tor
- PATH=$PATH:../afl/ CC="../afl/afl-gcc" ./configure --enable-expensive-hardening
- AFL_HARDEN=1 make clean fuzzers
+ ```console
+ $ cd afl
+ $ make
+ $ cd ../tor
+ $ PATH=$PATH:../afl/ CC="../afl/afl-gcc" ./configure --enable-expensive-hardening
+ $ AFL_HARDEN=1 make clean fuzzers
+ ```
To Find The ASAN Memory Limit: (64-bit only)
@@ -75,10 +80,12 @@ Read afl/docs/notes_for_asan.txt for more details.
Download recidivm from https://jwilk.net/software/recidivm
Download the signature
Check the signature
- tar xvzf recidivm*.tar.gz
- cd recidivm*
- make
- /path/to/recidivm -v src/test/fuzz/fuzz-http
+ ```console
+ $ tar xvzf recidivm*.tar.gz
+ $ cd recidivm*
+ $ make
+ $ /path/to/recidivm -v src/test/fuzz/fuzz-http
+ ```
Use the final "ok" figure as the input to -m when calling afl-fuzz
(Normally, recidivm would output a figure automatically, but in some cases,
the fuzzing harness will hang when the memory limit is too small.)
@@ -88,9 +95,11 @@ don't care about memory limits.
To Run:
- mkdir -p src/test/fuzz/fuzz_http_findings
- ../afl/afl-fuzz -i ${TOR_FUZZ_CORPORA}/http -o src/test/fuzz/fuzz_http_findings -m <asan-memory-limit> -- src/test/fuzz/fuzz-http
+```console
+$ mkdir -p src/test/fuzz/fuzz_http_findings
+$ ../afl/afl-fuzz -i ${TOR_FUZZ_CORPORA}/http -o src/test/fuzz/fuzz_http_findings -m <asan-memory-limit> -- src/test/fuzz/fuzz-http
+```
AFL has a multi-core mode, check the documentation for details.
You might find the included fuzz-multi.sh script useful for this.
@@ -109,7 +118,10 @@ valid inputs may take a second or so, particularly with the fuzzer and
sanitizers enabled.
To see what fuzz-http is doing with a test case, call it like this:
- src/test/fuzz/fuzz-http --debug < /path/to/test.case
+
+```console
+$ src/test/fuzz/fuzz-http --debug < /path/to/test.case
+```
(Logging is disabled while fuzzing to increase fuzzing speed.)
@@ -118,4 +130,4 @@ To see what fuzz-http is doing with a test case, call it like this:
Please report any issues discovered using the process in Tor's security issue
policy:
-https://trac.torproject.org/projects/tor/wiki/org/meetings/2016SummerDevMeeting/Notes/SecurityIssuePolicy
+https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPolicy
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion