自 2025 年 3 月 27 日起,我们建议您使用 android-latest-release 而非 aosp-main 构建 AOSP 并为其做出贡献。如需了解详情,请参阅 AOSP 的变更。
模糊测试模块
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
Rust 模糊测试通过 libfuzzer-sys crate 得到支持,此 crate 可提供与 LLVM libFuzzer 模糊引擎的绑定。如需了解详情,请参阅 libfuzzer-sys 代码库以及 LLVM libFuzzer 项目页面。
rust_fuzz 模块会生成一个模糊测试工具二进制文件,在该模块运行时开始模糊测试(与 cc_fuzz 模块类似)。由于该模糊测试工具使用 libFuzzer 模糊引擎,它可以使用许多参数来控制模糊测试。libFuzzer 文档中列举了这些参数。
rust_fuzz 模块是 rust_binary 模块的扩展,因此具有相同的属性和注意事项。此外,这些模块实现的许多属性和功能与 cc_fuzz 模块相同。
构建 rust_fuzz 模块时,系统会发出 --cfg fuzzing 标志,该标志可用于支持对库代码进行条件编译,以改进模糊测试。
编写基本的 Rust 模糊测试工具
您可以使用以下代码在 Android.bp 构建文件中定义模糊测试模块:
rust_fuzz {
name: "example_rust_fuzzer",
srcs: ["fuzzer.rs"],
// Config for running the target on fuzzing infrastructure can be set under
// fuzz_config. This shares the same properties as cc_fuzz's fuzz_config.
fuzz_config: {
fuzz_on_haiku_device: true,
fuzz_on_haiku_host: false,
},
// Path to a corpus of sample inputs, optional. See https://llvm.org/docs/LibFuzzer.html#corpus
corpus: ["testdata/*"],
// Path to a dictionary of sample byte sequences, optional. See https://llvm.org/docs/LibFuzzer.html#dictionaries
dictionary: "example_rust_fuzzer.dict",
}
fuzzer.rs 文件包含一个简单的模糊测试工具:
fn heap_oob() {
let xs = vec![0, 1, 2, 3];
let val = unsafe { *xs.as_ptr().offset(4) };
println!("Out-of-bounds heap value: {}", val);
}
fuzz_target!(|data: &[u8]| {
let magic_number = 327;
if data.len() == magic_number {
heap_oob();
}
});
这里的 fuzz_target!(|data: &[u8]| { /* fuzz using data here */ }); 定义了 libFuzzer 引擎调用的模糊测试目标入口点。data 参数是 libFuzzer 引擎提供的一系列字节数,将作为输入进行操作,用于对目标函数进行模糊测试。
在此模糊测试工具示例中,只检查了数据长度以确定是否调用 heap_oob 函数,调用该函数会导致出界读取错误。libFuzzer 是覆盖率引导模糊测试工具,因此当其确定前 326 B 数据未产生新的执行路径时,就会对有问题的长度快速进行收敛。
在树内的以下位置可找到此示例:tools/security/fuzzing/example_rust_fuzzer/。
如需查看树内另一个模糊测试工具(对 rustlib 依赖项进行模糊测试)的稍微复杂一些的示例,请参阅 legacy_blob_fuzzer。
如需有关如何编写结构感知型 Rust 模糊测试工具的指导,请参阅 Rust 模糊测试项目的官方文档 Rust Fuzz Book。
本页面上的内容和代码示例受内容许可部分所述许可的限制。Java 和 OpenJDK 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-04-04。
[null,null,["最后更新时间 (UTC):2025-04-04。"],[],[],null,["# Fuzz modules\n\nRust fuzzing is supported through the `libfuzzer-sys` crate, which provides\nbindings to LLVM's libFuzzer fuzzing engine. For more information, see the [libfuzzer-sys](https://github.com/rust-fuzz/libfuzzer)\nrepository as well as the [LLVM libFuzzer project page](https://llvm.org/docs/LibFuzzer.html).\n\nThe `rust_fuzz` module produces a fuzzer binary which begins fuzzing when it's\nrun (similar to `cc_fuzz` modules). As the fuzzer leverages the `libFuzzer`\nfuzzing engine, it can take a number of arguments to control fuzzing. These are\nenumerated in the [libFuzzer documentation](https://llvm.org/docs/LibFuzzer.html#options).\n\n`rust_fuzz` modules are an extension of `rust_binary` modules, and as such share\nthe same properties and considerations. Additionally, they implement many of the\nsame properties and functionality as do the `cc_fuzz` modules.\n\nWhen building `rust_fuzz` modules, the `--cfg fuzzing` flag is emitted which can\nbe used to support conditional compilation of library code to improve fuzzing.\n\nWrite a basic Rust fuzzer\n-------------------------\n\nYou can define a fuzz module in an `Android.bp` build file with this code: \n\n rust_fuzz {\n name: \"example_rust_fuzzer\",\n srcs: [\"fuzzer.rs\"],\n\n // Config for running the target on fuzzing infrastructure can be set under\n // fuzz_config. This shares the same properties as cc_fuzz's fuzz_config.\n fuzz_config: {\n fuzz_on_haiku_device: true,\n fuzz_on_haiku_host: false,\n },\n\n // Path to a corpus of sample inputs, optional. See https://llvm.org/docs/LibFuzzer.html#corpus\n corpus: [\"testdata/*\"],\n\n // Path to a dictionary of sample byte sequences, optional. See https://llvm.org/docs/LibFuzzer.html#dictionaries\n dictionary: \"example_rust_fuzzer.dict\",\n }\n\nThe `fuzzer.rs` file contains a simple fuzzer: \n\n fn heap_oob() {\n let xs = vec![0, 1, 2, 3];\n let val = unsafe { *xs.as_ptr().offset(4) };\n println!(\"Out-of-bounds heap value: {}\", val);\n }\n\n fuzz_target!(|data: &[u8]| {\n let magic_number = 327;\n if data.len() == magic_number {\n heap_oob();\n }\n });\n\nHere `fuzz_target!(|data: &[u8]| { /* fuzz using data here */ });` defines the\nfuzz-target entry-point called by the `libFuzzer` engine. The `data` argument is\na sequence of bytes provided by the `libFuzzer` engine to be manipulated as input\nto fuzz the targeted function.\n\nIn this example fuzzer, only the length of the data gets checked to determine\nwhether to call the `heap_oob` function, the calling of which results in an\nout-of-bounds read. `libFuzzer` is a coverage-guided fuzzer, so it quickly converges on the\nproblematic length as it determines that the first 326 B of data don't\nresult in new execution paths.\n\nLocate this example, in-tree, at [tools/security/fuzzing/example_rust_fuzzer/](https://android.googlesource.com/platform/tools/security/+/669e5608d5bea0171b4888bed099725c4300b346/fuzzing/example_rust_fuzzer/fuzzer.rs).\nTo view a slightly more complex example of another fuzzer (which fuzzes a `rustlib`\ndependency) in-tree, see the [legacy_blob_fuzzer](https://android.googlesource.com/platform/system/security/+/2f503e597130e1d65dbf9fb4cd0fbd6a2f9ccb07/keystore2/src/fuzzers/legacy_blob_fuzzer.rs).\n\nFor guidance on [how to write structure-aware Rust fuzzers](https://rust-fuzz.github.io/book/cargo-fuzz/structure-aware-fuzzing.html),\nsee the [Rust Fuzz book](https://rust-fuzz.github.io/book/introduction.html), the official documentation for the Rust Fuzz project."]]
