In macOS:
brew install llvm@22 meson ninja
eval $(make env)
make b

Running with the provided Makefile

cd test/fuzz
make build
make run-fuzzer T=fuzz_types_parser

make usage
make help T=fuzz_r_run_parseline

Corpus files are taken from ./test/fuzz/corpus/${T}.
- Copy the seed files you want to start from into that directory before running run-fuzzer.
Note: the make build target builds radare2 normally first, then builds only the fuzzing targets with the sanitizers and libFuzzer support enabled. This avoids the sanitizer linking problems that occur when the whole project is built with sanitizers.
Refer to https://llvm.org/docs/LibFuzzer.html
Run fuzzer
make run-fuzzer T=fuzz_r_run_parseline

Run with custom options
Note that -detect_leaks=0 is always necessary in FUZZER_OPTS; without it LeakSanitizer stops the run at the first leak report.
make run-fuzzer T=fuzz_r_run_parseline FUZZER_OPTS="-detect_leaks=0 -workers=1 -runs=50000 -timeout=3"

Replay crashes
make replay T=fuzz_r_run_parseline CRASH_FILES="crash-*"

Running the fuzzer binary directly

Show help
./build/test/fuzz/fuzz_r_run_parseline -help=1
Run fuzzer (the corpus directory is created if it is empty; new inputs are written back into it)
mkdir corpus_parseline
./build/test/fuzz/fuzz_r_run_parseline \
-detect_leaks=0 -workers=1 -runs=50000 -timeout=3 \
corpus_parseline

Replay crashes (each crash-* file is fed to the target once, under the sanitizers)
./build/test/fuzz/fuzz_r_run_parseline crash-*
Adding a new fuzz target
- add your test to /test/fuzz/meson.build
- add the file /test/fuzz/fuzz_<name>.c
- add system setup to LLVMFuzzerInitialize (disable logging, enable sandbox, etc)
- add the fuzz target to LLVMFuzzerTestOneInput
- make sure input is short (ideally no longer than 256 bytes)
- make sure no memory leaks are present

Useful libFuzzer options
- -close_fd_mask=2 (mute stderr) if your target is spammy
- -ignore_ooms -fork=16 if you're likely to OOM