Use this skill to fuzz open source Rust software projects.
This skill provides the agent with the knowledge and tools to write, build, and
validate fuzz targets for Rust projects integrated into OSS-Fuzz. Rust fuzzing
uses cargo-fuzz with the libfuzzer_sys crate, which drives libFuzzer.
Rust projects must use the Rust base builder image:
FROM gcr.io/oss-fuzz-base/base-builder-rust
Set language: rust in project.yaml.
Rust fuzz targets live in fuzz/fuzz_targets/<name>.rs within the crate being
fuzzed. The minimal harness using raw bytes:
#![no_main]
use libfuzzer_sys::fuzz_target;
fuzz_target!(|data: &[u8]| {
// Call into the target. The fuzzer will mutate `data` on every iteration.
let _ = my_crate::parse(data);
});
For structured fuzzing using the arbitrary crate (preferred when the target
expects typed input):
#![no_main]
use libfuzzer_sys::fuzz_target;
use arbitrary::Arbitrary;
#[derive(Debug, Arbitrary)]
struct MyInput {
header: u8,
payload: Vec<u8>,
flags: u32,
}
fuzz_target!(|input: MyInput| {
let _ = my_crate::process(input.header, &input.payload, input.flags);
});
The Cargo.toml for the fuzz directory must declare dependencies:
# fuzz/Cargo.toml
[package]
name = "my-crate-fuzz"
version = "0.0.0"
edition = "2021"
publish = false
[dependencies]
libfuzzer-sys = "0.4"
arbitrary = { version = "1", features = ["derive"] } # only if using structured fuzzing
[dependencies.my-crate]
path = ".."
[[bin]]
name = "fuzz_target_name"
path = "fuzz_targets/fuzz_target_name.rs"
test = false
doc = false
build.sh uses cargo fuzz build and then copies binaries to $OUT:
# build.sh
cd $SRC/<crate-dir>
cargo fuzz build -O # -O enables release optimisations; important for performance
FUZZ_TARGET_OUTPUT_DIR=$SRC/<crate-dir>/target/x86_64-unknown-linux-gnu/release
for f in fuzz/fuzz_targets/*.rs; do
name=$(basename "${f%.*}")
cp "$FUZZ_TARGET_OUTPUT_DIR/$name" "$OUT/"
done
If the project requires a nightly toolchain, set it in the Dockerfile:
ENV RUSTUP_TOOLCHAIN=nightly
Or pin to a specific nightly for reproducibility:
ENV RUSTUP_TOOLCHAIN=nightly-2025-07-03
fuzz/corpus/<target_name>/ within the repo; they are
automatically picked up by cargo-fuzz and can be zipped for OSS-Fuzz.$OUT/<target_name>_seed_corpus.zip.$OUT/<target_name>.dict.arbitrary) when the target expects typed data
rather than raw bytes — this dramatically improves coverage.Result and Option should be let-bound and
ignored (let _ = ...). Only actual panics are findings..unwrap() or .expect()
on fallible operations driven by fuzz input — these create false positives.rand, no system time, no thread spawning
inside the fuzz callback.fuzz_target! macro if needed with
LazyLock / OnceLock.unsafe code: if the crate has unsafe blocks, write
harnesses that exercise those paths — this is where memory bugs can still
occur in Rust.-O): fuzzing in debug mode is much slower.Rust's ownership model prevents most memory-corruption bugs, but fuzzing still