google / oss-fuzz

OSS-Fuzz - continuous fuzzing for open source software.
https://google.github.io/oss-fuzz
Apache License 2.0

Applying coverage instrumentation to non-standalone Golang code #7294

Open guidovranken opened 2 years ago

guidovranken commented 2 years ago

Cryptofuzz has support for fuzzing several Go libraries (including the Go standard library).

The harnessing code is mostly implemented in a .go file: https://github.com/guidovranken/cryptofuzz/blob/master/modules/golang/cryptofuzz.go

It exports functions so that they can be called from C++: https://github.com/guidovranken/cryptofuzz/blob/c49d3df24fdc63d960e0419202d09468e86fc101/modules/golang/cryptofuzz.go#L363-L364

The Go code is compiled into a static archive: https://github.com/guidovranken/cryptofuzz/blob/c49d3df24fdc63d960e0419202d09468e86fc101/modules/golang/Makefile#L16 which is then linked into the Cryptofuzz binary.

As such, no instrumentation is being applied to the Go code, unlike standalone Go fuzzers which use go-fuzz.

While Cryptofuzz is capable of generating meaningful inputs without a code coverage signal, and therefore can find bugs in Go libraries, the lack of instrumentation is not optimal.

I've been trying to hack go-fuzz to instrument Go code without emitting a libFuzzer entry point (https://github.com/dvyukov/go-fuzz/blob/4980593459a186bd2a389fe4557a260cce742594/go-fuzz-build/main.go#L866-L887)

Unfortunately it's not trivial to get it working as go-fuzz will complain about the use of cgo (could not import C (no metadata for C)), which I require to export functions from Go to C++.

I could rewrite my harness to use a single entry point (such as func Fuzz(data []byte) int), so that I don't need to export all the separate functions, but I still need to export GetResult (https://github.com/guidovranken/cryptofuzz/blob/c49d3df24fdc63d960e0419202d09468e86fc101/modules/golang/cryptofuzz.go#L195-L196) which I need to pass data from Go to C++.

Are you aware of any way to apply coverage instrumentation to Go code that exports functions?

Perhaps I should ask this in the go-fuzz repository instead but I figured you might have run into this issue before in other projects.

jonathanmetzman commented 2 years ago

I'm not aware of any way to do this. I can keep this issue open for visibility. I agree this would be better to ask go-fuzz folks. But you can also try CCing contributors to go projects if you'd like.

guidovranken commented 2 years ago

Thanks Jonathan.

@josharian If you think you could get this to work, I'm willing to pay you for it.

josharian commented 2 years ago

@guidovranken thanks for the offer, but I'm not doing any contracting for the foreseeable future. Perhaps @thepudds might be interested? I don't know what their current situation is.

thepudds commented 2 years ago

Hi @guidovranken, this sounds potentially interesting. I will send you an email.

Thanks for the mention @josharian.

guidovranken commented 2 years ago

Thank you both @josharian and @thepudds, I have replied to your e-mail @thepudds.