After upgrading LibAFL from 0.8 to 0.9 the test `tls::vulnerabilities::tests::test_seed_heartbleed` started to fail. This test checks whether AddressSanitizer is correctly detecting heartbleed in OpenSSL 1.0.

The solution is to use `-fsanitize=address` instead of linking `libasan` manually 😵💫 and using Ubuntu (which uses a libclang_rt.asan with non-dynamic symbol exports). Linking against `libasan` is bad because it is from GCC.

## Why did ASAN stop working?
LibAFL defines a weak symbol `__libafl_asan_region_is_poisoned`. The fuzzing target, which is linked to the final Rust binary, is a sanitized (`-fsanitize=address -shared-libasan`) static library. Because only this static library is sanitized we have to use the shared DSO version of ASAN. ASAN was linked with the Rust binary and the static library using `-lasan`.

Now, weak symbols from static libraries are preferred over the dynamic ASAN library. Therefore, ASAN used the invalid weak symbol from LibAFL. This is valid and not a bug. Linking order does not change this behavior.
## Why did this happen with the update from LibAFL 0.8 to 0.9?

The weak `__libafl_asan_region_is_poisoned` from LibAFL is only included if it is referenced. Else the linker will discard it because it is dead code. Apparently something in LibAFL changed which made it believe that `__libafl_asan_region_is_poisoned` is required.

## How can we solve this?
Two things are involved here:

1. Pass `-fsanitize=address` to the linker. This will make sure that the LLVM libclang_rt is used instead of GCC libasan. On Ubuntu libclang_rt uses the correct `__libafl_asan_region_is_poisoned` symbol.
   - Do not link `libasan` through e.g. a `build.rs` script or `RUSTFLAGS`.
2. Use `clang` as a linker. By default, Rust will use `cc` as linker binary for x86_64 Linux targets. `cc` will link against the GCC ASAN runtime called `libasan.so`. This might be invalid with the sanitization applied to the fuzzing target, which uses LLVM.
   - Enable default-linker-libraries, such that it will automatically link against ASAN. This works because the static library (fuzzing target) is compiled with clang and wants to link against ASAN.
   - Set `LD_LIBRARY_PATH`, such that the LLVM runtime is found. / Use rpath

Minor hints:

- Use `--target`, else build scripts will also be sanitized.
- Set `RUSTDOCFLAGS`, else doc tests will not find ASAN symbols.

Requires: tlspuffin/openssl-src-rs#2