Installing and Using AFL (Part 2): Fuzzing FFmpeg

This post follows directly on from the previous one: https://blog.csdn.net/qysh123/article/details/114792891

Tutorials by others that I referred to: https://blog.csdn.net/salmonwilliam/article/details/112846864

https://blog.csdn.net/qq_36711003/article/details/107016408

To fuzz FFmpeg, first download and build it with the following commands:

wget https://ffmpeg.org/releases/ffmpeg-4.0.2.tar.bz2
tar -jxvf ffmpeg-4.0.2.tar.bz2
cd ffmpeg-4.0.2/
./configure
make
make install

These steps are all straightforward, but when I ran ./configure it still reported an error:

nasm/yasm not found or too old. Use --disable-x86asm for a crippled build.

If you think configure made a mistake, make sure you are using the latest
version from Git.  If the latest version fails, report the problem to the
ffmpeg-user@ffmpeg.org mailing list or IRC #ffmpeg on irc.freenode.net.
Include the log file "ffbuild/config.log" produced by configure as this will help
solve the problem.

Following the answer here: https://stackoverflow.com/questions/36548940/yasm-nasm-not-found-or-too-old-use-disable-yasm-for-a-crippled-build

run:

sudo apt-get install yasm

and that fixes it.

Next, download a test case to use as the seed corpus:

# cd into the directory where your ffmpeg build lives
mkdir in     # create the "in" directory (AFL's input corpus) in the current folder
cd in
# The sample corpus can be fetched with wget; only one sample file is used here
wget http://samples.ffmpeg.org/tests/DivX-test/Xmen-OpenDivX-200-slow.avi
cd ..

According to the tutorial, you only need to run:

afl-fuzz -Q -m none -i in -o out ./ffmpeg -i @@

to start fuzzing, but I still ran into an error:

[-] Hmm, your system is configured to send core dump notifications to an
    external utility. This will cause issues: there will be an extended delay
    between stumbling upon a crash and having this information relayed to the
    fuzzer via the standard waitpid() API.

    To avoid having crashes misinterpreted as timeouts, please log in as root
    and temporarily modify /proc/sys/kernel/core_pattern, like so:

    echo core >/proc/sys/kernel/core_pattern

[-] PROGRAM ABORT : Pipe at the beginning of 'core_pattern'
         Location : check_crash_handling(), afl-fuzz.c:7275

After a quick look into this: the fix is to temporarily change the setting so that the system writes core dumps to a file instead of handing them to an external crash-handling program (see also the discussion here: https://stackoverflow.com/questions/65591480/how-to-get-crash-data-from-afl-without-modifying-proc-sys-kernel-core-pattern):

sudo su root

As the message says, you first need to log in as root. Note that running the following directly: sudo echo core >/proc/sys/kernel/core_pattern

still fails with: bash: /proc/sys/kernel/core_pattern: 权限不够 (Permission denied), because the output redirection is performed by your unprivileged shell, not by the sudo-elevated echo.

So switch to root first (see here: https://blog.csdn.net/weixin_42736507/article/details/88539998)

and then run

echo core >/proc/sys/kernel/core_pattern

Then run again:

afl-fuzz -Q -m none -i in -o out ./ffmpeg -i @@

It still fails, this time with:

[-] Whoops, your system uses on-demand CPU frequency scaling, adjusted
    between 781 and 5175 MHz. Unfortunately, the scaling algorithm in the
    kernel is imperfect and can miss the short-lived processes spawned by
    afl-fuzz. To keep things moving, run these commands as root:

    cd /sys/devices/system/cpu
    echo performance | tee cpu*/cpufreq/scaling_governor

    You can later go back to the original state by replacing 'performance' with
    'ondemand'. If you don't want to change the settings, set AFL_SKIP_CPUFREQ
    to make afl-fuzz skip this check - but expect some performance drop.

[-] PROGRAM ABORT : Suboptimal CPU scaling governor
         Location : check_cpu_governor(), afl-fuzz.c:7337

Well, this one seems acceptable; after all, I only want a quick test, so I first run (see here for details: http://www.cse.psu.edu/~gxt29/teaching/cs447s19/slides/06testingFuzzing.pdf):

export AFL_SKIP_CPUFREQ=1

If you would rather not change the core dump setting above either, you can instead run (https://groups.google.com/g/afl-users/c/7arn66RyNfg/m/BsnOPViuCAAJ):

export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1

Then run the afl-fuzz command line above again and it works. That is all for this short summary.
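The two aborts above are AFL's own pre-flight checks (check_crash_handling and check_cpu_governor): a core_pattern that starts with a pipe hands crashes to an external helper, so AFL would see them as timeouts, and an on-demand CPU governor can miss AFL's short-lived child processes. The script below is an added example, not code from the post or from AFL, that reproduces those two checks and only sets the corresponding skip variable when a check actually fails, so a correctly tuned machine keeps AFL's checks intact. The function names, the file arguments (so the checks can be pointed at the real /proc and /sys entries or at constructed files), and the wrapper at the end are all my own choices.

```shell
#!/bin/sh
# Pre-flight checks mirroring the two afl-fuzz aborts discussed above.
# Added example, not part of the original post or of AFL itself.
# Each check takes the file(s) to inspect as arguments so it can be run
# against the real /proc and /sys entries or against constructed test files.

# Returns 0 when core_pattern writes a plain file, 1 when it pipes crashes
# to a helper program (e.g. "|/usr/share/apport/apport ..." on Ubuntu),
# 2 when the file cannot be read.
core_pattern_ok() {
    pattern_file="${1:-/proc/sys/kernel/core_pattern}"
    [ -r "$pattern_file" ] || return 2
    case "$(cat "$pattern_file")" in
        "|"*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Returns 0 when every scaling_governor file passed is "performance",
# 1 when any of them is something else (e.g. "ondemand"), 2 if unreadable.
governors_ok() {
    for gov_file in "$@"; do
        [ -r "$gov_file" ] || return 2
        [ "$(cat "$gov_file")" = "performance" ] || return 1
    done
    return 0
}

# Prints the environment overrides afl-fuzz needs, one VAR=value per line.
# First argument: core_pattern file; remaining arguments: governor files.
# A variable is emitted only when the matching check fails (or cannot be
# verified), so AFL's checks stay active wherever the system is tuned.
afl_env_overrides() {
    pattern_file="$1"
    shift
    core_pattern_ok "$pattern_file" || echo "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1"
    governors_ok "$@" || echo "AFL_SKIP_CPUFREQ=1"
}

# Usage on a real box (uncomment to launch the fuzzer from the ffmpeg dir):
# for kv in $(afl_env_overrides /proc/sys/kernel/core_pattern \
#                /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor); do
#     export "$kv"
# done
# afl-fuzz -Q -m none -i in -o out ./ffmpeg -i @@
```

Note that AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES only silences the check; crashes handled by an external utility can still be misreported as timeouts, so on a dedicated fuzzing machine writing "core" to core_pattern as root, as done above, remains the better option.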
