This repository has a companion blog post titled "Finding CVE-2022-3786 (openssl) with Mayhem" at https://www.seandeaton.com.

All of this is taken care of for you with the included Dockerfile (also on DockerHub). You can run it like so:

# Build the container
docker build --tag openssl-cve-2022-3768 .
# Or if you just want to pull down the existing one:
TODO
# Ensure that you're in this project's root directory (ie you can see ./output/)
# Mount the ./input/ directory to the containers /input. This is for fuzz input.
# This is Linux specific, Windows I think has %CD% in lieu of $(pwd)?
docker run --interactive --tty --volume $(pwd)/input:/input

The entrypoint of the container is to just run afl so you can get started fuzzing immediately. To override this behavior, append /bin/bash to the end of the docker run line.

The last commit that includes the vulnerability is commit SHA 3b421ebc64c7b52f1b9feb3812bdc7781c784332 from November 1st, 2022. It was fixed in commit SHA 680e65b94c916af259bfdc2e25f1ab6e0c7a97d6. We can get the vulnerable version easily with git:

# Clone the repository.
git clone git://git.openssl.org/openssl.git
# Change into the working directory.
cd openssl
# Detach HEAD from origin to examine the code as it was when it was vulnerable.
git checkout 3b421ebc64c7b52f1b9feb3812bdc7781c784332

For compilation, we use AFL's gcc compiler (because I kept getting undefined references with clang). Because of the small buffer overflow offset, we also want to use address sanitization (ASAN), enabled with AFL's environment variable AFL_USE_ASAN. Given ASAN's use of large amounts of memory, we also need to restrict the address space which we can do by compiling the program for a 32-bit architecture. More detail here.

OpenSSL's configuration for 32-bit takes in the flags -m32 and linux-generic32. The compile.sh script does this for you.

# Configuration
AFL_USE_ASAN=1 CC=afl-gcc-fast CXX=afl-g++-fast ./Configure -m32 linux-generic32
# Make
AFL_USE_ASAN=1 CC=afl-gcc-fast CXX=afl-g++-fast CFLAGS="-m32" CXXFLAGS="-m32" make

This could take awhile given your system's resources. After compilation, we need to compile our harness. A Makefile is given.

# Compile the harness.
$ make harness
# Run the harness.
$ ./harness input/seed0.txt
ossl_a2ulabel returned: 1

And there you go, you can get started fuzzing the ossl_a2ulabel in openssl. With AFL the command looks something like the following (or just use the included run.sh script).

afl-fuzz -i /input -o /output /harness/harness @@