google · catenacyber · Feb 7, 2023 · May 23, 2023 · May 23, 2023 · Jun 16, 2023
diff --git a/docs/advanced-topics/reproducing.md b/docs/advanced-topics/reproducing.md
@@ -138,6 +138,9 @@ Once you reproduce the bug, you can do the following:
 - **Improve fuzzing support:** Consider
    [improving your integration with OSS-Fuzz]({{ site.baseurl }}/advanced-topics/ideal-integration/).
 
+For `nallocfuzz` fuzzing engine, reproducing needs to use nallocfuzz itself.
+If you launch the target yourself, without the python wrapper, be sure to use `-runs=2` or more.
+
 ## Reproducing build failures
 
 Our infrastructure runs some sanity tests to make sure that your build was

diff --git a/docs/getting-started/new_project_guide.md b/docs/getting-started/new_project_guide.md
@@ -187,6 +187,8 @@ The list of fuzzing engines to use.
 By default, `libfuzzer`, `afl`, `honggfuzz`, and `centipede` are used. It is recommended to
 use all of them if possible. `libfuzzer` is required by OSS-Fuzz.
 
+`nallocfuzz` is an optional fuzzing engine to test for allocation failures.
+
 ### help_url (optional) {#help_url}
 A link to a custom help URL that appears in bug reports instead of the default
 [OSS-Fuzz guide to reproducing crashes]({{ site.baseurl }}/advanced-topics/reproducing/). This can be useful if you assign

diff --git a/docs/index.md b/docs/index.md
@@ -30,19 +30,20 @@ instances of [ClusterFuzz] or [ClusterFuzzLite].
 [Core Infrastructure Initiative]: https://www.coreinfrastructure.org/
 [OpenSSF]: https://www.openssf.org/
 
-We support the [libFuzzer], [AFL++], [Honggfuzz], and [Centipede] fuzzing engines in
+We support the [libFuzzer], [AFL++], [Honggfuzz], [Nallocfuzz], and [Centipede] fuzzing engines in
 combination with [Sanitizers], as well as [ClusterFuzz], a distributed fuzzer
 execution environment and reporting tool.
 
 [libFuzzer]: https://llvm.org/docs/LibFuzzer.html
 [AFL++]: https://github.com/AFLplusplus/AFLplusplus
 [Honggfuzz]: https://github.com/google/honggfuzz
+[Nallocfuzz]: https://github.com/catenacyber/nallocfuzz
 [Centipede]: https://github.com/google/centipede
 [Sanitizers]: https://github.com/google/sanitizers
 [ClusterFuzz]: https://github.com/google/clusterfuzz
 [ClusterFuzzLite]: https://google.github.io/clusterfuzzlite/
 
-Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other
+Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Swift and Java/JVM code. Other
 languages supported by [LLVM] may work too. OSS-Fuzz supports fuzzing x86_64
 and i386 builds.
 

diff --git a/infra/base-images/base-builder/Dockerfile b/infra/base-images/base-builder/Dockerfile
@@ -122,6 +122,11 @@ ENV FUZZER_LDFLAGS ""
 
 WORKDIR $SRC
 
+RUN git clone --depth 1 https://github.com/catenacyber/nallocfuzz.git
+RUN git clone --depth 1 https://github.com/ianlancetaylor/libbacktrace.git $SRC/nallocfuzz/libbacktrace
+COPY precompile_nallocfuzz /usr/local/bin/
+RUN precompile_nallocfuzz
+
 RUN git clone https://github.com/AFLplusplus/AFLplusplus.git aflplusplus && \
     cd aflplusplus && \
     git checkout daaefcddc063b356018c29027494a00bcfc3e240 && \
@@ -167,6 +172,7 @@ COPY bazel_build_fuzz_tests \
     compile_javascript_fuzzer \
     compile_libfuzzer \
     compile_native_go_fuzzer \
+    compile_nallocfuzz \
     compile_python_fuzzer \
     debug_afl \
     # Go, JavaScript, Java, Python, Rust, and Swift installation scripts.

diff --git a/infra/base-images/base-builder/compile_nallocfuzz b/infra/base-images/base-builder/compile_nallocfuzz
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2023 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+echo "Skipping compilation; using precompiled nallocfuzz"
+
+cp $SRC/nallocfuzz/nallocfuzz.a $LIB_FUZZING_ENGINE
+
+echo " done."
diff --git a/infra/base-images/base-builder/precompile_nallocfuzz b/infra/base-images/base-builder/precompile_nallocfuzz
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+# Copyright 2023 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+echo "Precompiling nallocfuzz"
+
+pushd $SRC/nallocfuzz/ > /dev/null
+pushd libbacktrace > /dev/null
+./configure
+make -j$(nproc)
+popd > /dev/null
+clang -fPIE -I. -c nallocfuzz.c -o nallocfuzz.o
+ar -x /usr/local/lib/clang/*/lib/linux/libclang_rt.fuzzer_no_main-$ARCHITECTURE.a
+ar -x libbacktrace/.libs/libbacktrace.a
+ar rcs nallocfuzz.a *.o
+rm *.o
+popd > /dev/null
+
+echo "Done."
diff --git a/infra/build/functions/build_lib.py b/infra/build/functions/build_lib.py
@@ -102,6 +102,10 @@ class SignedPolicyDocument:
         EngineInfo(upload_bucket='clusterfuzz-builds-centipede',
                    supported_sanitizers=['address', 'none'],
                    supported_architectures=['x86_64']),
+    'nallocfuzz':
+        EngineInfo(upload_bucket='clusterfuzz-builds-nallocfuzz',
+                   supported_sanitizers=['address'],
+                   supported_architectures=['x86_64']),
 }
 
 OSS_FUZZ_BUILDPOOL_NAME = os.getenv(

diff --git a/infra/constants.py b/infra/constants.py
@@ -46,4 +46,12 @@
     'hwaddress',
 ]
 ARCHITECTURES = ['i386', 'x86_64', 'aarch64']
-ENGINES = ['libfuzzer', 'afl', 'honggfuzz', 'centipede', 'none', 'wycheproof']
+ENGINES = [
+    'libfuzzer',
+    'afl',
+    'honggfuzz',
+    'centipede',
+    'none',
+    'wycheproof',
+    'nallocfuzz',
+]
diff --git a/projects/flac/project.yaml b/projects/flac/project.yaml
@@ -13,5 +13,10 @@ sanitizers:
 architectures:
  - x86_64
  - i386
+fuzzing_engines:
+ - afl
+ - honggfuzz
+ - libfuzzer
+ - nallocfuzz
 coverage_extra_args: -ignore-filename-regex=/usr/lib/jvm/.*
 main_repo: 'https://github.com/xiph/flac.git'
diff --git a/projects/fluent-bit/project.yaml b/projects/fluent-bit/project.yaml
@@ -11,3 +11,4 @@ fuzzing_engines:
   - afl
   - honggfuzz
   - libfuzzer
+  - nallocfuzz
diff --git a/projects/libpng/project.yaml b/projects/libpng/project.yaml
@@ -20,4 +20,5 @@ fuzzing_engines:
   - afl
   - honggfuzz
   - libfuzzer
+  - nallocfuzz
 
diff --git a/projects/libwebp/project.yaml b/projects/libwebp/project.yaml
@@ -3,6 +3,7 @@ language: c++
 primary_contact: "[email protected]"
 fuzzing_engines:
   - libfuzzer
+  - nallocfuzz
 sanitizers:
   - address
   - undefined

diff --git a/projects/ndpi/project.yaml b/projects/ndpi/project.yaml
@@ -8,6 +8,11 @@ sanitizers:
   - address
   - undefined
   - memory
+fuzzing_engines:
+  - afl
+  - honggfuzz
+  - libfuzzer
+  - nallocfuzz
 main_repo: 'https://github.com/ntop/nDPI.git'
 
 #Coverage report doesn't analyze custom mutator code (see https://github.com/google/oss-fuzz/issues/12143)

diff --git a/projects/suricata/project.yaml b/projects/suricata/project.yaml
@@ -12,4 +12,5 @@ fuzzing_engines:
   - afl
   - honggfuzz
   - libfuzzer
+  - nallocfuzz
 main_repo: 'https://github.com/OISF/suricata.git'
diff --git a/projects/systemd/project.yaml b/projects/systemd/project.yaml
@@ -10,6 +10,7 @@ fuzzing_engines:
   - afl
   - honggfuzz
   - libfuzzer
+  - nallocfuzz
 auto_ccs:
   - [email protected]
   - [email protected]