Bug #7472
Bug in Fuzz Target Compilation and Code Coverage (status: open)
Description
Hello Suricata Team,
I am writing to report an issue I encountered while setting up fuzz testing with Suricata 7.0.8 using AFL++ within a Docker environment. I am experiencing problems related to both the fuzz target directory and the lack of generated code coverage files.
Details:
1. Docker Setup:
I have prepared a Dockerfile based on the aflplusplus/aflplusplus:v4.30c image to set up the fuzz testing environment. The Dockerfile installs the necessary dependencies and configures Suricata with AFL++ and code coverage flags:
```dockerfile
FROM aflplusplus/aflplusplus:v4.30c
ARG DEBIAN_FRONTEND=noninteractive
# Build dependencies for Suricata plus lcov for the coverage report
# (curl is listed explicitly because the rustup step below needs it)
RUN apt-get update && apt-get install -y \
    build-essential \
    autoconf \
    automake \
    libtool \
    pkg-config \
    libpcre2-dev \
    libyaml-dev \
    zlib1g-dev \
    libcap-ng-dev \
    libmagic-dev \
    libjansson-dev \
    libnss3-dev \
    libnet1-dev \
    libnetfilter-queue-dev \
    libluajit-5.1-dev \
    python3 \
    python3-pip \
    wget \
    curl \
    clang \
    llvm \
    libpcap-dev \
    libhtp-dev \
    lcov \
    && apt-get clean && rm -rf /var/lib/apt/lists/*
# Suricata needs a Rust toolchain
RUN curl https://sh.rustup.rs -sSf | sh -s -- -y
ENV PATH="/root/.cargo/bin:${PATH}"
WORKDIR /src
COPY ./suricata-7.0.8.tar.gz /src/
RUN tar xzf suricata-7.0.8.tar.gz && mv suricata-7.0.8 suricata
WORKDIR /src/suricata
# Clean up any existing artifacts from previous builds
RUN make distclean || true
# Configure Suricata with AFL++ and code coverage flags
RUN ./configure CC=afl-clang-fast CXX=afl-clang-fast++ \
    CFLAGS="-fprofile-arcs -ftest-coverage" CXXFLAGS="-fprofile-arcs -ftest-coverage" \
    --enable-fuzztargets --disable-shared --enable-afl
# Build Suricata
RUN make clean
RUN CC=afl-clang-fast CXX=afl-clang-fast++ \
    CFLAGS="-fprofile-arcs -ftest-coverage" CXXFLAGS="-fprofile-arcs -ftest-coverage" \
    make -j$(nproc)
COPY ./seeds /src/seeds
WORKDIR /src/suricata/src/tests/fuzz
# Run fuzzing for 60 s, then generate the coverage report in the same shell.
# With an exec-form ENTRYPOINT, a separate CMD would be appended to afl-fuzz's
# argument list instead of running afterwards, so both steps go in one command.
# lcov searches --directory recursively, so point it at the source tree to pick
# up .gcda files wherever the object files were written.
CMD ["bash", "-c", "afl-fuzz -V 60 -i /src/seeds -o /src/output -- /src/suricata/src/fuzz_siginit @@; lcov --directory /src/suricata --capture --output-file coverage.info && genhtml coverage.info --output-directory out"]
```
2. Issue with Fuzz Target Compilation:
According to the https://github.com/OISF/suricata/blob/master/src/tests/fuzz/README:
To compile the fuzz targets, you simply need to run
CC=afl-gcc ./configure --enable-fuzztargets
CC=afl-gcc make
You can rather use afl-clang if needed.
Then you can run afl as usual with each of the fuzz targets in ./src/.libs/
afl-fuzz your_afl_options -- ./src/.libs/fuzz_target_x @@
However, after building, the directory ./src/.libs/ is empty. I am unsure if using src/fuzz_siginit is appropriate as the correct fuzz target. Any guidance here would be appreciated.
3. Lack of Code Coverage Files (.gcda):
Despite compiling Suricata with the appropriate --enable-fuzztargets flag and coverage flags (-fprofile-arcs -ftest-coverage), no .gcda files are generated upon running the fuzz tests. This is impeding the ability to measure code coverage for the tests.
Questions:
- Am I referencing the correct fuzz target in the Docker entrypoint?
- Are there additional steps required to ensure .gcda files are generated for code coverage?
Any insights or suggestions to address these issues would be greatly appreciated.
Thank you for your assistance.
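Added example, not part of the bug report or of Suricata: a small Python check for the three things asked about above, namely where the fuzz_* binaries actually land, whether the gcov runtime was linked into them, and whether .gcno/.gcda files exist. It assumes the layout of a configured Suricata source tree after make; the reading that `--disable-shared` lets libtool skip wrapper scripts (so the real binaries sit in src/ and src/.libs/ stays empty), and that gcov only writes .gcda when the instrumented process exits normally, are my assumptions, not statements from the page.

```python
#!/usr/bin/env python3
"""Diagnose a Suricata fuzz build: where the fuzz_* targets landed and whether
the gcov instrumentation (-fprofile-arcs -ftest-coverage) reached them.
Assumed layout: src/fuzz_* (no libtool wrapper when built --disable-shared)
and src/.libs/fuzz_* (real binaries when libtool wrappers are in use)."""
from pathlib import Path

# Symbol names the gcc and llvm gcov runtimes leave in an instrumented binary.
GCOV_MARKERS = (b"__gcov_init", b"llvm_gcov_init", b"llvm_gcda_start_file")


def is_gcov_instrumented(path: Path) -> bool:
    """True if the file references the gcov runtime (built with -fprofile-arcs)."""
    data = path.read_bytes()
    return any(marker in data for marker in GCOV_MARKERS)


def find_fuzz_targets(build_dir: Path) -> list:
    """Suffix-less files named fuzz_* in src/ and src/.libs/ (skips .o/.gcno)."""
    found = []
    for sub in ("src", "src/.libs"):
        d = build_dir / sub
        if d.is_dir():
            found += sorted(p for p in d.glob("fuzz_*")
                            if p.is_file() and p.suffix == "")
    return found


def coverage_report(build_dir) -> dict:
    """Summarise fuzz targets, instrumentation and coverage artifacts."""
    build_dir = Path(build_dir)
    targets = find_fuzz_targets(build_dir)
    gcno = list(build_dir.rglob("*.gcno"))  # written at compile time
    gcda = list(build_dir.rglob("*.gcda"))  # written when the binary exits
    rel = lambda p: str(p.relative_to(build_dir))
    return {
        "targets": [rel(p) for p in targets],
        "instrumented": [rel(p) for p in targets if is_gcov_instrumented(p)],
        "gcno_files": len(gcno),
        "gcda_files": len(gcda),
    }


def diagnose(report: dict) -> str:
    """Map the report to the most likely missing step (assumed causes)."""
    if not report["targets"]:
        return "no fuzz_* binaries: check --enable-fuzztargets and the make log"
    if not report["instrumented"]:
        return "targets lack the gcov runtime: CFLAGS did not reach compile/link"
    if report["gcno_files"] == 0:
        return "no .gcno files: -ftest-coverage was not applied at compile time"
    if report["gcda_files"] == 0:
        return "instrumented but no .gcda: target never exited normally, or GCOV_PREFIX redirects output"
    return "ok: coverage data present, run lcov --capture"
```

Run it as `coverage_report("/src/suricata")` inside the container after the afl-fuzz step; `diagnose()` tells you which of the three stages failed.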