How afl-fuzz generate 'data' for fuzzing

I am following Rust AFL-fuzz tutorial, I have done all thing perfectly. But I want to know that in the given example code , values for the variable ‘data’, we never given to fuzz! (macro), how/where it takes and working ??? . If we give -i inputDir , then i could understand that afl may read from that input folder, but they said AFL doesn't strictly require starting inputs, so how then data is generated and assigned to ‘data’ variable in closure body.

fuzz!(|data: &[u8]| {
if let Ok(s) = std::str::from_utf8(data) {
let _ = url::Url::parse(&s);
}
});

First of all, closures can be thought as functions that can capture their environment, here there is no capture so the closure is equivalent to:

fn unnamed_function(data: &[u8]) {
    // snip
}

Where data comes from? It depends on the caller, in this case you have to look into the fuzz macro to find out.

// get buffer from AFL through stdin
io::stdin().read_to_end(&mut input);
closure(&input);

So AFL provides the input.

That’s as far as I can go, I know nothing about fuzzer (and AFL doesn’t seem to be a fuzzer itself but invoke one, libFuzzer). Maybe someone can be more helpful that me, you can look for information online or you can always look into the source code but that might take a while.

Thanks for your reply. So, the values assigned/ read to ‘input’ from user given data, afl generated input, or from seed directory (i.e. -i inputDir) ???

This looks like a question about afl itself and not the Rust runner. But, well, it seems that afl takes the seed directory as initial values and then generates input itself.

1 Like