diff --git a/README.md b/README.md
index cf083cce2..4e385ed1b 100644
--- a/README.md
+++ b/README.md
@@ -248,6 +248,12 @@ Special thanks to all users of Fuzzilli who have reported bugs found by it!
 - [CVE-2020-1912](https://www.facebook.com/security/advisories/cve-2020-1912): Memory corruption when executing lazily compiled inner generator functions
 - [CVE-2020-1914](https://www.facebook.com/security/advisories/cve-2020-1914): Bytecode corruption when handling the SaveGeneratorLong instruction
+#### [Workerd](https://github.com/cloudflare/workerd)
+- [PR 4793](https://github.com/cloudflare/workerd/pull/4793): OOB write in writeSync due to missing bounds check
+- [PR 4845](https://github.com/cloudflare/workerd/pull/4845): UAF in VFS file clone handling
+- [PR 4828](https://github.com/cloudflare/workerd/pull/4828): Segmentation fault on undefined keys in DH crypto API.
+- [PR 4853](https://github.com/cloudflare/workerd/pull/4853): Workerd hits illegal instruction due to missing branch in FileSystemModule::setLastModified.
+
 ## Disclaimer
 This is not an officially supported Google product.
diff --git a/Sources/FuzzilliCli/Profiles/Profile.swift b/Sources/FuzzilliCli/Profiles/Profile.swift
index d3a0038c4..4a777832f 100644
--- a/Sources/FuzzilliCli/Profiles/Profile.swift
+++ b/Sources/FuzzilliCli/Profiles/Profile.swift
@@ -53,4 +53,5 @@ let profiles = [
 "v8holefuzzing": v8HoleFuzzingProfile,
 "serenity": serenityProfile,
 "njs": njsProfile,
+ "workerd": workerdProfile,
 ]
diff --git a/Sources/FuzzilliCli/Profiles/WorkerdProfile.swift b/Sources/FuzzilliCli/Profiles/WorkerdProfile.swift
new file mode 100644
index 000000000..4664826a4
--- /dev/null
+++ b/Sources/FuzzilliCli/Profiles/WorkerdProfile.swift
@@ -0,0 +1,62 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import Fuzzilli
+
+let workerdProfile = Profile(
+ processArgs: { randomize in ["fuzzilli"] },
+
+ processEnv: ["ASAN_OPTIONS" : "abort_on_error=1:symbolize=false", "UBSAN_OPTIONS" : "abort_on_error=1:symbolize=false"],
+
+ maxExecsBeforeRespawn: 1000,
+
+ timeout: 250,
+
+ codePrefix: """
+ """,
+
+ codeSuffix: """
+ """,
+
+ ecmaVersion: ECMAScriptVersion.es5,
+
+ startupTests: [
+ // Check that the fuzzilli integration is available.
+ ("fuzzilli('FUZZILLI_PRINT', 'test')", .shouldSucceed),
+
+ // Check that common crash types are detected.
+ ("fuzzilli('FUZZILLI_CRASH', 0)", .shouldCrash),
+ ("fuzzilli('FUZZILLI_CRASH', 1)", .shouldCrash),
+ ("fuzzilli('FUZZILLI_CRASH', 2)", .shouldCrash),
+ ("fuzzilli('FUZZILLI_CRASH', 3)", .shouldCrash),
+ ("fuzzilli('FUZZILLI_CRASH', 4)", .shouldCrash),
+ // doesn't crash in workerd
+ //("fuzzilli('FUZZILLI_CRASH', 5)", .shouldCrash),
+ ("fuzzilli('FUZZILLI_CRASH', 6)", .shouldCrash),
+ ],
+
+ additionalCodeGenerators: [],
+
+ additionalProgramTemplates: WeightedList([]),
+
+ disabledCodeGenerators: [],
+
+ disabledMutators: [],
+
+ additionalBuiltins: [:],
+
+ additionalObjectGroups: [],
+
+ optionalPostProcessor: nil
+)
diff --git a/Targets/workerd/README.md b/Targets/workerd/README.md
new file mode 100644
index 000000000..2d6eca948
--- /dev/null
+++ b/Targets/workerd/README.md
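Review bot: Commenting out the `FUZZILLI_CRASH 5` startup test removes a self-check without recording why it fails; if crash type 5 is one that only becomes an abort under a sanitizer (I cannot tell from the hunk which condition it triggers), its not crashing would suggest the workerd fuzz build lacks that instrumentation, and the fuzzer would then also miss real bugs of the same class instead of flagging the misconfiguration at startup. I would confirm the build configuration and replace the comment with one naming the cause, e.g. `// FUZZILLI_CRASH 5 is not detectable in the workerd fuzz build because <REASON>`, or keep the test enabled until that is understood. Separately, the `randomize` parameter of `processArgs` is unused, so `processArgs: { _ in ["fuzzilli"] },` reads more clearly. `ecmaVersion: ECMAScriptVersion.es5` also looks conservative for a V8-based runtime; if workerd accepts ES6 syntax, `.es6` would let generated programs cover more of the engine, which is worth checking against the other V8-family profiles.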
@@ -0,0 +1,11 @@
+# Target: workerd
+
+To build workerd for fuzzing:
+
+0. Clone [workerd](https://github.com/cloudflare/workerd/)
+1. Follow the instructions [here](https://github.com/cloudflare/workerd/blob/main/README.md#getting-started)
+2. Run the fuzzbuild.sh script in the workerd root directory to build workerd with the fuzzili configuration
+3. Test if REPRL works:
+ `swift run REPRLRun fuzzilli --experimental`
+4. Run Fuzzilli with a workerd config (See samples/reprl):
+ `swift run -c release FuzzilliCli --inspect=all --profile=workerd --additionalArguments=,--experimental`
diff --git a/Targets/workerd/fuzzbuild.sh b/Targets/workerd/fuzzbuild.sh
new file mode 100644
index 000000000..1ef748fd5
--- /dev/null
+++ b/Targets/workerd/fuzzbuild.sh
@@ -0,0 +1 @@
+bazel --nohome_rc --nosystem_rc build --config=fuzzilli //src/workerd/server:workerd --action_env=CC=clang-19
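Review bot: fuzzbuild.sh has no interpreter line and pins the compiler to `clang-19`, so on a host with a different clang the build fails with no hint of what to change, and the accompanying README step 2 tells the user to run the script from the workerd root without saying it has to be copied there first. I would add `#!/usr/bin/env bash` and `set -euo pipefail` at the top and make the compiler overridable with `--action_env=CC="${CC:-clang-19}"`, so the tested default is kept but can be replaced from the environment. The `--config=fuzzilli` flag, combined with `--nohome_rc --nosystem_rc`, presumably relies on a config defined in workerd's own `.bazelrc`; a one-line comment saying where that config comes from would save the next reader a search.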