
Fuzzing The CSV CLI With AFL++

This post is part of the Input Coverage > Code Coverage series.

Fuzz the binary, not the library. Make panics abort.

fuzz-afl/src/main.rs (optional persistent harness):

/// Run a single fuzz input through the CSV importer.
///
/// The raw bytes are decoded with `String::from_utf8_lossy`, which swaps
/// every invalid UTF-8 sequence for U+FFFD, so the importer only ever sees a
/// well-formed string (malformed-byte handling in the CLI is therefore not
/// exercised by this harness). The importer's result is discarded: the harness
/// only cares whether the call panics/aborts.
fn process(data: &[u8]) {
    let text: std::borrow::Cow<'_, str> = String::from_utf8_lossy(data);
    let _ = csv_import_cli::ingest_rows_unbounded(&text);
}

/// Harness entry point.
///
/// With the `afl` cargo feature enabled the body is the `afl::fuzz!`
/// persistent loop, which hands each generated input to [`process`]. Without
/// the feature the binary reads one input from stdin and runs it through
/// [`process`] once (handy for re-running a single case by hand).
fn main() {
    #[cfg(feature = "afl")]
    {
        afl::fuzz!(|data: &[u8]| {
            process(data);
        });
    }
    #[cfg(not(feature = "afl"))]
    {
        use std::io::Read;

        let mut input = Vec::new();
        // A failed stdin read leaves nothing to fuzz; unwrap() makes that fatal.
        std::io::stdin().lock().read_to_end(&mut input).unwrap();
        process(&input);
    }
}

Run:

# One-time setup: cargo-afl builds the target with AFL++ instrumentation.
cargo install cargo-afl
# Turn every panic into an abort (SIGABRT) so AFL++ records it as a crash,
# rather than an unwinding exit with a non-zero status that it does not count.
export RUSTFLAGS="-C panic=abort"

# Option 1: fuzz the CLI.
cargo afl build --bin import
mkdir -p afl_in afl_out
# Minimal seed in the importer's input format; AFL++ mutates from here.
printf "N=1\n0,x,1\n" > afl_in/seed
# @@ is replaced on each run with the path of the current test case.
cargo afl fuzz -i afl_in -o afl_out target/debug/import @@

# Option 2: fuzz the harness.
# -F afl enables the `afl` feature that selects the afl::fuzz! loop in main.rs.
cargo afl build -F afl --bin csv-import-cli-fuzz-afl
cargo afl fuzz -i afl_in -o afl_out   target/debug/csv-import-cli-fuzz-afl @@

Expect a crash from a huge N. Fix it by capping N before the reserve call.


Next: Panics Are Not Crashes