wasm-fuzzers: support docker in place of podman, refactoring

Author: baflor

README.md

@@ -78,7 +78,7 @@ Note: We have not evaluated the effectiveness of these passes yet.
 - Exits if a crash is found
 - No core pinning
 - Does not support LibAFL-style network scaling (we use simple ad-hoc in-process message passing and structure sharing, no `llmp`)
-- Only partial support of WebAssembly 2.0 features. (Does not support the _Component Model_)
+- No support for the WebAssembly 2.0 _Component Model_.
 
 ## Harness Suite ([./harness-suite/](./harness-suite/))
 
@@ -92,6 +92,8 @@ Building these requires a Docker/Podman and Python installation. Use `make -C ha
 
 - Optimized builds with full debug info: Harness modules also contain their source code so we can emit coverage reports without any additional files.
 
+We target the [Lime1](https://github.com/WebAssembly/tool-conventions/blob/main/Lime.md#lime1) series of WebAssembly, which is WebAssembly 1.0 in combination with a few standardized post-1.0 features like the `bulk-memory-opt` extension.
+
 
 ## WASM Variants of Other Fuzzers ([./wasm-fuzzers/](./wasm-fuzzers/))
 

harness-suite/make-one.py

@@ -10,7 +10,7 @@
 tag = f"wasmfuzz-builder-{name}"
 cid = f"{tag}-extract"
 
-PODMAN = "podman" if shutil.which("podman") else "docker"
+PODMAN = os.environ.get("PODMAN", "podman" if shutil.which("podman") else "docker")
 
 subprocess.run([
     PODMAN, "build",

wasm-fuzzers/Dockerfile

@@ -22,10 +22,8 @@ WORKDIR /AFLplusplus
 RUN make NO_NYX=1 IS_DOCKER=1 install
 
 WORKDIR /
-COPY afl++-w2c2.sh /usr/bin/
-RUN chmod +x /usr/bin/afl++-w2c2.sh
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+COPY afl++-w2c2.sh run-afl-fuzz.sh /usr/bin/
+RUN chmod +x /usr/bin/afl++-w2c2.sh /usr/bin/run-afl-fuzz.sh
 
 RUN mkdir -p /seeds/ && echo -n "YELLOW SUBMARINE" > /seeds/seed && mkdir -p /corpus/
 ENTRYPOINT [ "afl++-w2c2.sh" ]

wasm-fuzzers/Dockerfile.aflpp-w2c2

@@ -22,10 +22,8 @@ WORKDIR /AFLplusplus
 RUN make NO_NYX=1 IS_DOCKER=1 install
 
 WORKDIR /
-COPY afl++-wasm2c.sh /usr/bin/
-RUN chmod +x /usr/bin/afl++-wasm2c.sh
-ENV AFL_SKIP_CPUFREQ=1
-ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+COPY afl++-wasm2c.sh run-afl-fuzz.sh /usr/bin/
+RUN chmod +x /usr/bin/afl++-wasm2c.sh /usr/bin/run-afl-fuzz.sh
 
 RUN mkdir -p /seeds/ && echo -n "YELLOW SUBMARINE" > /seeds/seed && mkdir -p /corpus/
 ENTRYPOINT [ "afl++-wasm2c.sh" ]

wasm-fuzzers/Dockerfile.aflpp-wasm2c

@@ -16,7 +16,7 @@ RUN wget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-11/w
     tar xvf wasi-sdk-11.0-linux.tar.gz
 RUN cd AFL-wasm && make install
 
-COPY fuzzm.sh /usr/bin/fuzzm.sh
-RUN chmod +x /usr/bin/fuzzm.sh
+COPY fuzzm.sh run-afl-fuzz.sh /usr/bin/fuzzm.sh
+RUN chmod +x /usr/bin/fuzzm.sh /usr/bin/run-afl-fuzz.sh
 WORKDIR /
 ENTRYPOINT [ "fuzzm.sh" ]

wasm-fuzzers/Dockerfile.fuzzm

@@ -38,7 +38,7 @@ RUN ninja && ninja install && \
     patchelf --add-needed /usr/local/lib/libWAVM.so /usr/local/bin/wavm
 
 WORKDIR /
-COPY wafl.sh shim-for-wafl.sh /usr/bin/
-RUN chmod +x /usr/bin/wafl.sh /usr/bin/shim-for-wafl.sh
+COPY wafl.sh shim-for-wafl.sh run-afl-fuzz.sh /usr/bin/
+RUN chmod +x /usr/bin/wafl.sh /usr/bin/shim-for-wafl.sh /usr/bin/run-afl-fuzz.sh
 RUN mkdir -p /seeds/ && echo -n "YELLOW SUBMARINE" > /seeds/seed && mkdir -p /corpus/
 ENTRYPOINT [ "wafl.sh" ]

wasm-fuzzers/Dockerfile.wafl

@@ -1,12 +1,15 @@
 # ubuntu:24.04 is rustc 1.75
 # ubuntu:24.10 is rustc 1.80
+# ubuntu:25.04 is rustc 1.81
 # libafl needs 1.82 for `&raw const GLOBAL_MUT`
-
-FROM ubuntu:24.04
+FROM ubuntu:24.04 AS builder
 RUN apt-get update && apt-get install -y rustup git clang
 RUN rustup toolchain add 1.82 --no-self-update
 RUN git clone https://github.com/CISPA-SysSec/wasmfuzz && git -C wasmfuzz checkout ac17ec0ce7cfd7d5988cf6bb76418b3219def4fe
-RUN cargo install --no-default-features --path /wasmfuzz && ln -s /root/.cargo/bin/wasmfuzz /usr/bin/
+RUN cargo install --locked --no-default-features --path /wasmfuzz
+
+FROM ubuntu:24.04
+COPY --from=builder /root/.cargo/bin/wasmfuzz /usr/bin/
 COPY wasmfuzz.sh /usr/bin/
 RUN chmod +x /usr/bin/wasmfuzz.sh
 RUN mkdir -p /seeds/ && echo -n "YELLOW SUBMARINE" > /seeds/seed && mkdir -p /corpus/

wasm-fuzzers/Dockerfile.wasmfuzz

@@ -1,5 +1,6 @@
-PODMAN_BUILD := podman build --cache-ttl=72h
-FUZZERS := libfuzzer-wasm2c libfuzzer-w2c2 aflpp-wasm2c aflpp-w2c2 libafl-libfuzzer-wasm2c wasmfuzz wafl fuzzm
+PODMAN_BUILD ?= podman build --cache-ttl=72h
+FUZZERS := libfuzzer-wasm2c libfuzzer-w2c2 aflpp-wasm2c aflpp-w2c2 libafl-libfuzzer-wasm2c wasmfuzz wasmfuzz-rel wafl
+# fuzzm
 
 .PHONY: all $(FUZZERS) wasm-fuzzers-wasm2c-base wasm-fuzzers-w2c2-base
 # $(addprefix wasm-fuzzers-,$(FUZZERS))

wasm-fuzzers/Makefile

@@ -5,34 +5,6 @@ name=`basename $1`
 
 source prepare-w2c2-fuzzer.sh "$1"
 
-export AFL_LLVM_CMPLOG=1
+AFL_LLVM_CMPLOG=1 afl-clang-fast -O2 -g -o "$name-fuzzer" $CC_CMD
 
-afl-clang-fast -O2 -g -o "$name-fuzzer" $CC_CMD
-
-export AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_AFFINITY=1
-
-export AFL_BENCH_UNTIL_CRASH=1
-
-function sync() {
-    while true; do
-        rsync -r /sync/default/queue/ /corpus/  --exclude=".state"
-        rsync -r /sync/default/crashes/ /corpus/  --exclude="README.txt"
-        sleep 5
-    done
-}
-mkdir -p /sync/
-sync &
-
-afl-fuzz -G 4096 -i /seeds -o /sync -M default -c "./$name-fuzzer" -- "./$name-fuzzer" &
-pids["1"]=$!
-for i in $(seq 2 "${FUZZER_CORES:-1}")
-do
-    afl-fuzz -G 4096 -i /seeds -o /sync -S "core-$i" -c "./$name-fuzzer" -- "./$name-fuzzer" > /dev/null &
-    pids[${i}]=$!
-done
-for pid in ${pids[*]}; do
-    wait $pid
-done
-
-rsync -r /sync/default/queue/ /corpus/  --exclude=".state"
-rsync -r /sync/default/crashes/ /corpus/  --exclude="README.txt"
+run-afl-fuzz.sh -c "./$name-fuzzer" -- "./$name-fuzzer"

wasm-fuzzers/afl++-w2c2.sh

@@ -5,34 +5,6 @@ name=`basename $1`
 
 source prepare-wasm2c-fuzzer.sh "$1"
 
-export AFL_LLVM_CMPLOG=1
+AFL_LLVM_CMPLOG=1 afl-clang-fast -O2 -g -o "$name-fuzzer" $CC_CMD
 
-afl-clang-fast -O2 -g -o "$name-fuzzer" $CC_CMD
-
-export AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_NO_AFFINITY=1
-
-export AFL_BENCH_UNTIL_CRASH=1
-
-function sync() {
-    while true; do
-        rsync -r /sync/default/queue/ /corpus/  --exclude=".state"
-        rsync -r /sync/default/crashes/ /corpus/  --exclude="README.txt"
-        sleep 5
-    done
-}
-mkdir -p /sync/
-sync &
-
-afl-fuzz -G 4096 -i /seeds -o /sync -M default -c "./$name-fuzzer" -- "./$name-fuzzer" &
-pids["1"]=$!
-for i in $(seq 2 "${FUZZER_CORES:-1}")
-do 
-    afl-fuzz -G 4096 -i /seeds -o /sync -S "core-$i" -c "./$name-fuzzer" -- "./$name-fuzzer" > /dev/null &
-    pids[${i}]=$!
-done
-for pid in ${pids[*]}; do
-    wait $pid
-done
-
-rsync -r /sync/default/queue/ /corpus/  --exclude=".state"
-rsync -r /sync/default/crashes/ /corpus/  --exclude="README.txt"
+run-afl-fuzz.sh -c "./$name-fuzzer" -- "./$name-fuzzer"

wasm-fuzzers/afl++-wasm2c.sh

@@ -4,12 +4,9 @@ set -e
 target="$1"
 name=`basename $1`
 
-export AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_SKIP_BIN_CHECK=1
+export AFL_SKIP_BIN_CHECK=1
 export __AFL_PERSISTENT=1 __AFL_SHM_FUZZ=1 AFL_FORKSRV_INIT_TMOUT=9999999
-export AFL_NO_AFFINITY=1
-
-
-export WASM_MODE=1 AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+export WASM_MODE=1
 
 
 
@@ -21,30 +18,5 @@ afl_branch "$target" "/tmp/$name-cov.wasm"
 
 # shim-for-wafl.sh "$target" "/tmp/$name-wafl.wasm"
 
-function sync() {
-    while true; do
-        rsync -r /sync/default/queue/ /corpus/  --exclude=".state"
-        sleep 5
-    done
-}
-mkdir -p /sync/
-sync &
-
-
-# LD_LIBRARY_PATH=../AFL-wasm/wasmtime-v0.20.0-x86_64-linux-c-api/lib/ ../public-project-repo/fuzzm-project/AFL-wasm/afl-fuzz -i testcases/ -o findings ./vuln-cov-canaries.wasm
-
+run-afl-fuzz.sh "/tmp/$name-cov.wasm"
 
-if [ "$FUZZER_CONFIG" == "multicore" ]; then
-    afl-fuzz -G 4096 -i /seeds -o /sync -M default "/tmp/$name-cov.wasm" &
-    pids["1"]=$!
-    for i in {2..8}
-    do 
-        afl-fuzz -G 4096 -i /seeds -o /sync -S "core-$i" "/tmp/$name-cov.wasm" > /dev/null &
-        pids[${i}]=$!
-    done
-    for pid in ${pids[*]}; do
-        wait $pid
-    done
-else
-    afl-fuzz -G 4096 -i /seeds -o /sync "/tmp/$name-cov.wasm"
-fi

wasm-fuzzers/fuzzm.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -e
+
+export AFL_SKIP_CPUFREQ=1
+export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+export AFL_NO_AFFINITY=1
+export AFL_BENCH_UNTIL_CRASH=1
+
+function syncOne() {
+    rsync -r /sync/default/queue/ /corpus/ --exclude=".state" --chmod=ugo=rwX
+    rsync -r /sync/default/crashes/ /corpus/  --exclude="README.txt" --chmod=ugo=rwX
+}
+function syncForever() {
+    while true; do
+        syncOne; sleep 5
+    done
+}
+
+mkdir -p /sync/
+syncForever &
+
+afl-fuzz -G 4096 -i /seeds -o /sync -M default $@ &
+pids["1"]=$!
+for i in $(seq 2 "${FUZZER_CORES:-1}")
+do
+    afl-fuzz -G 4096 -i /seeds -o /sync -S "core-$i" $@ > /dev/null &
+    pids[${i}]=$!
+done
+for pid in ${pids[*]}; do
+    wait $pid
+done
+
+syncOne

wasm-fuzzers/run-afl-fuzz.sh

@@ -4,35 +4,9 @@ set -e
 target="$1"
 name=`basename $1`
 
-export AFL_SKIP_CPUFREQ=1 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 AFL_SKIP_BIN_CHECK=1
+export AFL_SKIP_BIN_CHECK=1
 export __AFL_PERSISTENT=1 __AFL_SHM_FUZZ=1 AFL_FORKSRV_INIT_TMOUT=9999999
-export AFL_NO_AFFINITY=1
 
 shim-for-wafl.sh "$target" "/tmp/$name-wafl.wasm"
 
-export AFL_BENCH_UNTIL_CRASH=1
-
-function sync() {
-    while true; do
-        rsync -r /sync/default/queue/ /corpus/  --exclude=".state"
-        rsync -r /sync/default/crashes/ /corpus/  --exclude="README.txt"
-        sleep 30
-    done
-}
-mkdir -p /sync/
-sync &
-
-
-afl-fuzz -G 4096 -i /seeds -o /sync -M default wavm run "/tmp/$name-wafl.wasm" &
-pids["1"]=$!
-for i in $(seq 2 "${FUZZER_CORES:-1}")
-do 
-    afl-fuzz -G 4096 -i /seeds -o /sync -S "core-$i" wavm run "/tmp/$name-wafl.wasm" > /dev/null &
-    pids[${i}]=$!
-done
-for pid in ${pids[*]}; do
-    wait $pid
-done
-
-rsync -r /sync/default/queue/ /corpus/  --exclude=".state"
-rsync -r /sync/default/crashes/ /corpus/  --exclude="README.txt"
+run-afl-fuzz.sh wavm run "/tmp/$name-wafl.wasm"