Database · C++

How to fuzz LevelDB

Chrome's IndexedDB and many blockchain nodes use LevelDB — a corrupt SSTable crashes both.

LevelDB is embedded in Chrome's IndexedDB implementation and numerous blockchain and distributed-system projects. Its SSTable block format, log file reader, and MANIFEST parser each consume on-disk data that an attacker can manipulate, making file-based fuzzing a direct model of real attack paths.

Common bug classes

  • Heap buffer overflow in SSTable data block restart-point decode
  • Integer overflow in log record CRC32 length field
  • Out-of-bounds read in block filter policy prefix extraction
  • Use-after-free in iterator invalidation on compaction
  • Null dereference on empty MANIFEST VersionEdit record
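The log file reader named above and the length-field bug class in the list both come down to the same seven-byte record header. The following self-contained decoder is an added illustration, not LevelDB's own code, of the order in which a hardened reader checks that header before touching the payload: the layout (4-byte masked CRC32C, 2-byte little-endian length, 1-byte type, then payload), the type values and the mask constant 0xa282ead8 follow LevelDB's db/log_format.h and util/crc32c.h; the bitwise CRC-32C, the `lg` namespace, the `Result` enum and the sample record are assumptions made here. It decodes a single record and does not model the 32 KiB block framing or fragment reassembly.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

namespace lg {

constexpr size_t kHeaderSize = 7;             // crc(4) + length(2) + type(1)
constexpr uint32_t kMaskDelta = 0xa282ead8u;  // LevelDB's CRC mask constant

enum RecordType : uint8_t {
  kZeroType = 0, kFullType = 1, kFirstType = 2, kMiddleType = 3, kLastType = 4
};

enum class Result { kOk, kTooShort, kBadLength, kBadType, kBadChecksum };

struct Record {
  RecordType type = kZeroType;
  std::string payload;
};

// Bitwise CRC-32C (Castagnoli, reflected polynomial 0x82F63B78), the checksum
// LevelDB uses for log records. Known check value: Crc32c("123456789") == 0xE3069283.
uint32_t Crc32c(const uint8_t* p, size_t n) {
  uint32_t crc = 0xFFFFFFFFu;
  for (size_t i = 0; i < n; ++i) {
    crc ^= p[i];
    for (int k = 0; k < 8; ++k)
      crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
  }
  return crc ^ 0xFFFFFFFFu;
}

// LevelDB stores a rotated and offset CRC so that computing the CRC of data that
// itself contains CRCs does not degenerate; these mirror crc32c::Mask/Unmask.
uint32_t Mask(uint32_t crc) { return ((crc >> 15) | (crc << 17)) + kMaskDelta; }
uint32_t Unmask(uint32_t masked) {
  uint32_t rot = masked - kMaskDelta;
  return (rot >> 17) | (rot << 15);
}

// Encoder used only to build constructed sample input; the CRC covers the
// type byte and the payload, as the writer in LevelDB does.
std::string EncodeRecord(RecordType type, const std::string& payload) {
  std::string rec(kHeaderSize, '\0');
  rec[6] = static_cast<char>(type);
  rec += payload;
  const uint32_t crc = Mask(Crc32c(
      reinterpret_cast<const uint8_t*>(rec.data()) + 6, 1 + payload.size()));
  const uint16_t len = static_cast<uint16_t>(payload.size());
  rec[0] = static_cast<char>(crc & 0xff);
  rec[1] = static_cast<char>((crc >> 8) & 0xff);
  rec[2] = static_cast<char>((crc >> 16) & 0xff);
  rec[3] = static_cast<char>((crc >> 24) & 0xff);
  rec[4] = static_cast<char>(len & 0xff);
  rec[5] = static_cast<char>((len >> 8) & 0xff);
  return rec;
}

// Decodes one record from the front of `buf` in the order a hardened reader
// should check: enough bytes for a header, declared length fits in what is
// actually present, type is known, and only then the checksum over the payload.
Result DecodeRecord(const std::string& buf, Record* out) {
  if (buf.size() < kHeaderSize) return Result::kTooShort;
  const uint8_t* h = reinterpret_cast<const uint8_t*>(buf.data());
  const uint32_t stored = uint32_t(h[0]) | uint32_t(h[1]) << 8 |
                          uint32_t(h[2]) << 16 | uint32_t(h[3]) << 24;
  const size_t length = size_t(h[4]) | size_t(h[5]) << 8;
  const uint8_t type = h[6];
  // Compare by subtracting from the size already known to be >= kHeaderSize,
  // so the bound check itself cannot wrap around.
  if (length > buf.size() - kHeaderSize) return Result::kBadLength;
  if (type > kLastType) return Result::kBadType;
  if (Unmask(stored) != Crc32c(h + 6, 1 + length)) return Result::kBadChecksum;
  out->type = static_cast<RecordType>(type);
  out->payload.assign(buf.data() + kHeaderSize, length);
  return Result::kOk;
}

}  // namespace lg
```

A fuzzer that reaches the checksum comparison with an oversized length field has already read past the buffer; checking the length against the bytes actually present first is what keeps a crafted header from becoming an out-of-bounds read.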

Recommended setup

Fuzzers

  • AFL++
  • libFuzzer

Sanitizers

  • ASan
  • UBSan

Harness scaffold

#include <stdint.h>
#include <stddef.h>
#include <string>
#include <leveldb/slice.h>
#include <leveldb/write_batch.h>
#include "db/write_batch_internal.h"  /* internal header: build against the LevelDB source tree */

/* SetContents asserts that the batch is at least the 12-byte header
   (8-byte sequence + 4-byte count); shorter inputs are not interesting, so
   reject them up front instead of tripping the assert on every tiny input. */
static const size_t kWriteBatchHeader = 12;

/* Handler that discards each decoded record so Iterate() walks the whole batch. */
struct NullHandler : public leveldb::WriteBatch::Handler {
  void Put(const leveldb::Slice &key, const leveldb::Slice &value) override {}
  void Delete(const leveldb::Slice &key) override {}
};

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  if (size < kWriteBatchHeader) return 0;
  std::string input(reinterpret_cast<const char *>(data), size);
  /* Exercise the WriteBatch deserialiser as a stable entry point */
  leveldb::WriteBatch batch;
  leveldb::WriteBatchInternal::SetContents(&batch, input);
  leveldb::WriteBatchInternal::Count(&batch);  /* reads the count field */
  NullHandler handler;
  /* Walks every record; a Corruption status is the expected result for bad input,
     anything the sanitizers flag inside the walk is a finding. */
  (void)batch.Iterate(&handler);
  return 0;
}

Save this as fuzz_target.cc, build it with your compiler and sanitizer flags (libFuzzer plus ASan/UBSan from the setup above) with the LevelDB source tree on the include path, since the harness uses the internal write_batch_internal.h header, and you have a working starting point.
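To see what the harness is actually handing to SetContents and Iterate, here is an added, self-contained decoder for the WriteBatch wire format. It is not LevelDB's code; the layout follows the format comment in LevelDB's db/write_batch.cc (fixed64 sequence, fixed32 count, then `count` records of tag 0x01 key value for a Put or tag 0x00 key for a Delete, each string a varint32 length followed by that many bytes). The `wb` namespace, the `Batch`/`Record` structs and the constructed sample batch are assumptions made here. Each rejection in `Parse` corresponds to a Corruption status the real deserialiser returns rather than a crash, which is the behaviour the harness above exists to confirm.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <utility>
#include <vector>

namespace wb {

constexpr size_t kHeader = 12;  // 8-byte sequence + 4-byte count
constexpr uint8_t kTypeDeletion = 0x00;
constexpr uint8_t kTypeValue = 0x01;

struct Record {
  bool is_put = false;
  std::string key;
  std::string value;  // empty for deletions
};

struct Batch {
  uint64_t sequence = 0;
  std::vector<Record> records;
};

// Little-endian fixed-width readers; callers guarantee the bytes are present.
static uint32_t Fixed32(const uint8_t* p) {
  return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}
static uint64_t Fixed64(const uint8_t* p) {
  return uint64_t(Fixed32(p)) | uint64_t(Fixed32(p + 4)) << 32;
}

// Decodes a varint32 at *pos; fails if it runs past `end` or exceeds 5 bytes.
static bool Varint32(const uint8_t* data, size_t end, size_t* pos, uint32_t* out) {
  uint32_t result = 0;
  for (int shift = 0; shift <= 28 && *pos < end; shift += 7) {
    const uint8_t b = data[(*pos)++];
    result |= uint32_t(b & 0x7f) << shift;
    if ((b & 0x80) == 0) { *out = result; return true; }
  }
  return false;
}

// Reads a varstring. The length check against the remaining bytes is the guard
// that turns an attacker-controlled length into a clean error, not an OOB read.
static bool VarString(const uint8_t* data, size_t end, size_t* pos, std::string* out) {
  uint32_t len = 0;
  if (!Varint32(data, end, pos, &len)) return false;
  if (len > end - *pos) return false;
  out->assign(reinterpret_cast<const char*>(data + *pos), len);
  *pos += len;
  return true;
}

// Returns std::nullopt for any malformed input instead of trusting the header.
std::optional<Batch> Parse(const std::string& rep) {
  const uint8_t* data = reinterpret_cast<const uint8_t*>(rep.data());
  const size_t end = rep.size();
  if (end < kHeader) return std::nullopt;  // "malformed WriteBatch (too small)"
  Batch batch;
  batch.sequence = Fixed64(data);
  const uint32_t count = Fixed32(data + 8);
  size_t pos = kHeader;
  while (pos < end) {
    Record rec;
    const uint8_t tag = data[pos++];
    if (tag == kTypeValue) {
      rec.is_put = true;
      if (!VarString(data, end, &pos, &rec.key) ||
          !VarString(data, end, &pos, &rec.value)) return std::nullopt;
    } else if (tag == kTypeDeletion) {
      rec.is_put = false;
      if (!VarString(data, end, &pos, &rec.key)) return std::nullopt;
    } else {
      return std::nullopt;  // unknown tag
    }
    batch.records.push_back(std::move(rec));
  }
  // The declared count is not trusted either: it must match what was decoded.
  if (batch.records.size() != count) return std::nullopt;
  return batch;
}

// Constructed sample (not from any real database): sequence 42,
// Put("k1", "v1") followed by Delete("k2"); 23 bytes in total.
std::string SampleBatch() {
  return std::string(
      "\x2a\x00\x00\x00\x00\x00\x00\x00"  // sequence = 42
      "\x02\x00\x00\x00"                  // count = 2
      "\x01\x02k1\x02v1"                  // Put: tag, len, key, len, value
      "\x00\x02k2",                       // Delete: tag, len, key
      8 + 4 + 7 + 4);
}

}  // namespace wb
```

Mutating the sample the way a fuzzer would (a count that does not match, a varint length larger than the remaining bytes, a truncated record, a batch shorter than the header) should every time land on the `std::nullopt` path; the same mutations fed to the harness should produce a Corruption status and nothing from ASan or UBSan.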

Start fuzzing LevelDB on Fuzze.rs →

Push the harness above + a Dockerfile. First month 50% off.