Google Git
Sign in
pigweed / third_party / github / google / honggfuzz / HEAD
commitf0314885bab1a4d9aa64eda51ba100b98aa360b0[log] [tgz]
authorRobert Swiecki <robert@swiecki.net>Sun Jan 04 20:24:52 2026 +0100
committerRobert Swiecki <robert@swiecki.net>Sun Jan 04 20:24:52 2026 +0100
treed62a096ae22a1d8645a17c73910c8f5df176e81a
parentb5433dc87b036ec83e43908dcf93ce2e0f3b9b12 [diff]
libhfuzz+linux/bfd: unify static and dynamic (cmp) dictionaries into one
10 files changed
tree: d62a096ae22a1d8645a17c73910c8f5df176e81a
  1. android/
  2. docs/
  3. examples/
  4. hfuzz_cc/
  5. includes/
  6. libhfcommon/
  7. libhfnetdriver/
  8. libhfuzz/
  9. linux/
  10. mac/
  11. netbsd/
  12. patches/
  13. posix/
  14. qemu_mode/
  15. socketfuzzer/
  16. third_party/
  17. tools/
  18. .clang-format
  19. .clangd
  20. .gitattributes
  21. .gitignore
  22. .gitmodules
  23. arch.h
  24. CHANGELOG
  25. cmdline.c
  26. cmdline.h
  27. CONTRIBUTING.md
  28. COPYING
  29. dict.c
  30. dict.h
  31. display.c
  32. display.h
  33. Dockerfile
  34. fuzz.c
  35. fuzz.h
  36. honggfuzz.c
  37. honggfuzz.h
  38. input.c
  39. input.h
  40. Makefile
  41. mangle.c
  42. mangle.h
  43. power.c
  44. power.h
  45. README.md
  46. report.c
  47. report.h
  48. sanitizers.c
  49. sanitizers.h
  50. screenshot-honggfuzz-1.png
  51. socketfuzzer.c
  52. socketfuzzer.h
  53. subproc.c
  54. subproc.h
README.md

Honggfuzz

A security-oriented, feedback-driven, evolutionary fuzzer.

Honggfuzz is a general-purpose fuzzer that uses code coverage (software and hardware-based) to find bugs. It is multi-process, multi-threaded, and supports persistent fuzzing for extreme speed.

Key Features

  • Fast: Multi-process and multi-threaded engine. unlocking full CPU potential.
  • Persistent Fuzzing: Test APIs directly in-process with iteration speeds up to 1M/sec.
  • Feedback-Driven: Uses hardware (Intel BTS/PT) and software code coverage to evolve inputs.
  • Easy: Can start with an empty corpus and automatically build a valid input set.
  • Deep Monitoring: Uses low-level APIs (ptrace) to detect hijacked signals and hidden crashes.
  • Broad Support: Linux, macOS, Android, NetBSD, FreeBSD, and Windows (Cygwin).

Installation

Dependencies

Linux (Ubuntu/Debian)

sudo apt-get install binutils-dev libunwind-dev libblocksruntime-dev clang

macOS Requires Xcode (10.8+) and libblocksruntime.

Build

make
# Compilation wrappers are created in hfuzz_cc/

Usage

1. Compile Target

Use the provided compiler wrappers to automatically add instrumentation:

# C code
./hfuzz_cc/hfuzz-clang -o my_target my_target.c

# C++ code
./hfuzz_cc/hfuzz-clang++ -o my_target my_target.cpp

2. Run Fuzzer

Point it to an input corpus directory (can be empty) and your binary:

# Basic run
./honggfuzz -i input_dir/ -- ./my_target ___FILE___

# Persistent mode (faster)
./honggfuzz -P -i input_dir/ -- ./my_target

Note: ___FILE___ is a placeholder for the input filename generated by honggfuzz.

For advanced examples (Apache, OpenSSL, BIND, etc.), check the examples/ directory.

See USAGE.md for detailed options.

Trophies

Honggfuzz has discovered major security vulnerabilities in critical software.

HTTP & Servers

  • Apache HTTPD:
    • CVE-2017-7659 (mod_http2 remote crash)
    • CVE-2017-9789 (Use-after-free)
    • CVE-2018-1301, CVE-2018-1302, CVE-2018-1303
  • OpenSSH: Pre-auth remote crash (commit 28652bca)
  • BIND: Multiple bugs
  • NGINX Unit: Infinite loop
  • ProFTPD: CVE-2019-18217 (DoS)
  • Samba: CVE-2019-14907, CVE-2020-10745, CVE-2021-20277

Cryptography & SSL

  • OpenSSL:
    • CVE-2016-6309 (Critical, Potential RCE)
    • CVE-2015-1789, CVE-2016-7054, CVE-2017-3731
  • LibreSSL: Multiple crashes and invalid frees
  • BoringSSL: Uninitialized memory use
  • Crypto++: CVE-2016-9939 (Remote DoS)

Languages & Interpreters

  • PHP: WDDX bugs, generic interpreter crashes
  • Python/Ruby: Interpreter bugs
  • Rust: Panics/safety issues in regex, h2, sleep-parser, lewton
  • Perl: Multiple interpreter crashes

Media & Formats

  • FreeType 2: CVE-2010-2497 through CVE-2010-2527 (7+ CVEs)
  • LibTIFF: Multiple bugs
  • LibJPEG/Turbo: Multiple bugs
  • VLC: Double-free RCE
  • Adobe Flash: CVE-2015-0316
  • ImageIO (iOS/macOS): Multiple security problems (Project Zero)
  • LibreOffice: Memory corruption

System & Utils

  • Systemd: Tested by honggfuzz
  • fwupd: 17+ bugs found
  • TCPDump: Multiple bugs
  • Rsyslog: Multiple bugs

(See OSS-Fuzz for hundreds more)

Projects Using Honggfuzz

  • Google OSS-Fuzz: Continuous fuzzing for open source software.
  • Android: Used by Android Security team.
  • Rust: honggfuzz-rs crate for fuzzing Rust code.
  • Bitcoin Core: Fuzzing infrastructure.
  • Apache HTTP Server: CI fuzzing.
  • Systemd: CI fuzzing.
  • Cifasis QuickFuzz
  • Mozilla FuzzOS

License

Apache License 2.0.

This is NOT an official Google product