Google Git
Sign in
pigweed/third_party/github/google/honggfuzz/b9c96bb4cba88261afdc2c6166d4b23f1b7c49ed
commit
b9c96bb4cba88261afdc2c6166d4b23f1b7c49ed
[log]
author
Paul Grandperrin <paul.grandperrin@gmail.com>
Sat Mar 14 12:58:18 2026 +0100
committer
Paul Grandperrin <paul.grandperrin@gmail.com>
Sat Mar 14 12:58:18 2026 +0100
tree
ec84b334ccd0f4b6d53f1f77642d7f3e90ffbe30
parent
f0314885bab1a4d9aa64eda51ba100b98aa360b0 [diff]
Makefile: allow using BUILD_DIR for outputs

The Makefile now supports an optional `BUILD_DIR` variable for out-of-tree builds. When not set, it builds in-tree exactly as before.

Key mechanisms:

`SRCDIR` — automatically derived from the Makefile's own location using `$(abspath $(lastword $(MAKEFILE_LIST)))`, so it always points to the source tree regardless of where `make` is invoked from.
`BUILD_DIR` — user-supplied, optional. When set, all build artifacts (`.o`, `.a`, `.so`, binaries) go there instead of the source tree.
`_OBJDIR` — internal variable that equals `BUILD_DIR` when set, or `SRCDIR` when not (backward compat).
`VPATH := $(SRCDIR)` — lets Make find `.c` source files in the source tree when building from a different directory.
`-I$(SRCDIR)` — replaces the old `-I.` so header includes always resolve against the source tree.
`.SECONDEXPANSION:` with `| $$(dir $$@)` order-only prerequisites — ensures build subdirectories (`linux/`, `libhfcommon/`, etc.) are created in `BUILD_DIR` before compilation.

All output paths (`OBJS`, `BIN`, `HFUZZ_CC_BIN`, `LHFUZZ_ARCH`, `LCOMMON_ARCH`, `LNETDRIVER_ARCH`, etc.) are prefixed with `$(_OBJDIR)/`.
1 file changed
tree: ec84b334ccd0f4b6d53f1f77642d7f3e90ffbe30
  1. android/
  2. docs/
  3. examples/
  4. hfuzz_cc/
  5. includes/
  6. libhfcommon/
  7. libhfnetdriver/
  8. libhfuzz/
  9. linux/
  10. mac/
  11. netbsd/
  12. patches/
  13. posix/
  14. qemu_mode/
  15. socketfuzzer/
  16. third_party/
  17. tools/
  18. .clang-format
  19. .clangd
  20. .gitattributes
  21. .gitignore
  22. .gitmodules
  23. arch.h
  24. CHANGELOG
  25. cmdline.c
  26. cmdline.h
  27. CONTRIBUTING.md
  28. COPYING
  29. dict.c
  30. dict.h
  31. display.c
  32. display.h
  33. Dockerfile
  34. fuzz.c
  35. fuzz.h
  36. honggfuzz.c
  37. honggfuzz.h
  38. input.c
  39. input.h
  40. Makefile
  41. mangle.c
  42. mangle.h
  43. power.c
  44. power.h
  45. README.md
  46. report.c
  47. report.h
  48. sanitizers.c
  49. sanitizers.h
  50. screenshot-honggfuzz-1.png
  51. socketfuzzer.c
  52. socketfuzzer.h
  53. subproc.c
  54. subproc.h
README.md

Honggfuzz

A security-oriented, feedback-driven, evolutionary fuzzer.

Honggfuzz is a general-purpose fuzzer that uses code coverage (software and hardware-based) to find bugs. It is multi-process, multi-threaded, and supports persistent fuzzing for extreme speed.

Key Features

  • Fast: Multi-process and multi-threaded engine. unlocking full CPU potential.
  • Persistent Fuzzing: Test APIs directly in-process with iteration speeds up to 1M/sec.
  • Feedback-Driven: Uses hardware (Intel BTS/PT) and software code coverage to evolve inputs.
  • Easy: Can start with an empty corpus and automatically build a valid input set.
  • Deep Monitoring: Uses low-level APIs (ptrace) to detect hijacked signals and hidden crashes.
  • Broad Support: Linux, macOS, Android, NetBSD, FreeBSD, and Windows (Cygwin).

Installation

Dependencies

Linux (Ubuntu/Debian)

sudo apt-get install binutils-dev libunwind-dev libblocksruntime-dev clang

macOS Requires Xcode (10.8+) and libblocksruntime.

Build

make
# Compilation wrappers are created in hfuzz_cc/

Usage

1. Compile Target

Use the provided compiler wrappers to automatically add instrumentation:

# C code
./hfuzz_cc/hfuzz-clang -o my_target my_target.c

# C++ code
./hfuzz_cc/hfuzz-clang++ -o my_target my_target.cpp

2. Run Fuzzer

Point it to an input corpus directory (can be empty) and your binary:

# Basic run
./honggfuzz -i input_dir/ -- ./my_target ___FILE___

# Persistent mode (faster)
./honggfuzz -P -i input_dir/ -- ./my_target

Note: ___FILE___ is a placeholder for the input filename generated by honggfuzz.

For advanced examples (Apache, OpenSSL, BIND, etc.), check the examples/ directory.

See USAGE.md for detailed options.

Trophies

Honggfuzz has discovered major security vulnerabilities in critical software.

HTTP & Servers

  • Apache HTTPD:
    • CVE-2017-7659 (mod_http2 remote crash)
    • CVE-2017-9789 (Use-after-free)
    • CVE-2018-1301, CVE-2018-1302, CVE-2018-1303
  • OpenSSH: Pre-auth remote crash (commit 28652bca)
  • BIND: Multiple bugs
  • NGINX Unit: Infinite loop
  • ProFTPD: CVE-2019-18217 (DoS)
  • Samba: CVE-2019-14907, CVE-2020-10745, CVE-2021-20277

Cryptography & SSL

  • OpenSSL:
    • CVE-2016-6309 (Critical, Potential RCE)
    • CVE-2015-1789, CVE-2016-7054, CVE-2017-3731
  • LibreSSL: Multiple crashes and invalid frees
  • BoringSSL: Uninitialized memory use
  • Crypto++: CVE-2016-9939 (Remote DoS)

Languages & Interpreters

  • PHP: WDDX bugs, generic interpreter crashes
  • Python/Ruby: Interpreter bugs
  • Rust: Panics/safety issues in regex, h2, sleep-parser, lewton
  • Perl: Multiple interpreter crashes

Media & Formats

  • FreeType 2: CVE-2010-2497 through CVE-2010-2527 (7+ CVEs)
  • LibTIFF: Multiple bugs
  • LibJPEG/Turbo: Multiple bugs
  • VLC: Double-free RCE
  • Adobe Flash: CVE-2015-0316
  • ImageIO (iOS/macOS): Multiple security problems (Project Zero)
  • LibreOffice: Memory corruption

System & Utils

  • Systemd: Tested by honggfuzz
  • fwupd: 17+ bugs found
  • TCPDump: Multiple bugs
  • Rsyslog: Multiple bugs

(See OSS-Fuzz for hundreds more)

Projects Using Honggfuzz

  • Google OSS-Fuzz: Continuous fuzzing for open source software.
  • Android: Used by Android Security team.
  • Rust: honggfuzz-rs crate for fuzzing Rust code.
  • Bitcoin Core: Fuzzing infrastructure.
  • Apache HTTP Server: CI fuzzing.
  • Systemd: CI fuzzing.
  • Cifasis QuickFuzz
  • Mozilla FuzzOS

License

Apache License 2.0.

This is NOT an official Google product