Important fix: make fuzzer able to tell different bugs appart (again)

PaulGrandperrin · PaulGrandperrin · commit abe2b4c93121 · 2018-04-23T13:04:02.000+02:00
**Context:** For the fuzzer to be able to "understand" that something went wrong, like a panic, the process must terminate in an abnormal fashion. The default panic hook will unwind the stack, run destructors, optionally print a backtrace and exit with code 101. The fuzzer will not be able to "understand" that something went particuliarly wrong. One way to stop a process in a way that the fuzzer understands as abnormal is to call `std::process::abort()`. **Possible solutions:** - build with "-C panic=abort": incompatible with compiler plugins rust-lang/cargo#2738 (comment) rust-fuzz/afl.rs#120 - use `panic::catch_unwind()` to catch unwinding stacks and call `std::process::abort()`: all kind of bugs will then unwind their stack up to the code calling this function and therefore render different bugs indistinguishable from the fuzzer's point of view. - use a custom panic hook and call `std::process::abort()` here. **Implemented solution** We implemented both solution 2 and 3. Solution 3 has no drawbacks that I know of, but could potentially be missed if the fuzzed code modifies the panic hook. In this case, we fall back to solution 2 as a last resort.
diff --git a/src/lib.rs b/src/lib.rs
@@ -236,6 +236,7 @@ pub fn fuzz<F>(closure: F) where F: Fn(&[u8]) {
 
 #[cfg(all(fuzzing, not(fuzzing_debug)))]
 pub fn fuzz<F>(closure: F) where F: Fn(&[u8]) + std::panic::RefUnwindSafe {
+    // get buffer from honggfuzz runtime
     let buf;
     unsafe {
         let mut buf_ptr: *const u8 = std::mem::uninitialized();
@@ -244,11 +245,24 @@ pub fn fuzz<F>(closure: F) where F: Fn(&[u8]) + std::panic::RefUnwindSafe {
         buf = ::std::slice::from_raw_parts(buf_ptr, len_ptr);
     }
 
+    // Registers a panic hook that aborts the process before unwinding.
+    // It is useful to abort before unwinding so that the fuzzer will then be
+    // able to analyse the process stack frames to tell different bugs appart.
+    std::panic::set_hook(Box::new(|_| {
+        std::process::abort();
+    }));
+
+    // We still catch unwinding panics just in case the fuzzed code modifies
+    // the panic hook.
+    // If so, the fuzzer will be unable to tell different bugs appart and you will
+    // only be able to find one bug at a time before fixing it to then find a new one.
     let did_panic = std::panic::catch_unwind(|| {
         closure(buf);
     }).is_err();
 
     if did_panic {
+        // hopefully the custom panic hook will be called before and abort the
+        // process with instact stack frames.
         std::process::abort();
     }
 }
