From patchwork Sat Oct 3 07:48:25 2020
X-Patchwork-Submitter: Petr Štetiar
X-Patchwork-Id: 1376190
X-Patchwork-Delegate: ynezz@true.cz
From: Petr Štetiar
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH uci 1/6] tests: add libFuzzer based fuzzing
Date: Sat, 3 Oct 2020 09:48:25 +0200
Message-Id: <20201003074830.948-2-ynezz@true.cz>
In-Reply-To: <20201003074830.948-1-ynezz@true.cz>
References: <20201003074830.948-1-ynezz@true.cz>
List-Id: OpenWrt Development List
Cc: Petr Štetiar

LibFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine. LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entrypoint (aka "target function"); the fuzzer then tracks which areas of the code are reached, and generates mutations on the corpus of input data in order to maximize the code coverage.

So let's use libFuzzer to fuzz uci_import for the start.

Ref: https://llvm.org/docs/LibFuzzer.html
Signed-off-by: Petr Štetiar --- tests/CMakeLists.txt | 4 + tests/fuzz/CMakeLists.txt | 18 ++ .../231ee80a172b8e1749b9d91867989d88e4faf7bb | Bin 0 -> 15 bytes .../26a6253fc1eb695b61a2fc7640ee4c03c19e438e | Bin 0 -> 9 bytes .../29a6e206439d792afba5e8e9c1fdf55e65a1145d | Bin 0 -> 4 bytes .../51045ac5401085f5727c6d3c1cac5f8cc32a2927 | 1 + .../845dcf3f15f3c28235e6be148a690e7f03b07f65 | Bin 0 -> 22 bytes .../bb589d0621e5472f470fa3425a234c74b1e202e8 | 1 + .../ea387894a296772f96706df8b999a52d9334c746 | Bin 0 -> 5 bytes ...d:000000,sig:11,src:000001,op:flip1,pos:24 | Bin 0 -> 44 bytes ...sig:11,src:000022,op:arith8,pos:42,val:+26 | Bin 0 -> 43 bytes tests/fuzz/dict/uci.dict | 18 ++ tests/fuzz/inputs/dhcp | 49 +++++ tests/fuzz/inputs/firewall | 208 ++++++++++++++++++ tests/fuzz/test-fuzz.c | 60 +++++ 15 files changed, 359 insertions(+) create mode 100644 tests/fuzz/CMakeLists.txt create mode 100644 tests/fuzz/corpus/231ee80a172b8e1749b9d91867989d88e4faf7bb create mode 100644 tests/fuzz/corpus/26a6253fc1eb695b61a2fc7640ee4c03c19e438e create mode 100644 tests/fuzz/corpus/29a6e206439d792afba5e8e9c1fdf55e65a1145d create mode 100644 tests/fuzz/corpus/51045ac5401085f5727c6d3c1cac5f8cc32a2927 create mode 100644 tests/fuzz/corpus/845dcf3f15f3c28235e6be148a690e7f03b07f65 create mode 100644 tests/fuzz/corpus/bb589d0621e5472f470fa3425a234c74b1e202e8 create mode 100644 tests/fuzz/corpus/ea387894a296772f96706df8b999a52d9334c746 create mode 100644 tests/fuzz/corpus/id:000000,sig:11,src:000001,op:flip1,pos:24 create mode 100644 tests/fuzz/corpus/id:000008,sig:11,src:000022,op:arith8,pos:42,val:+26 create mode 100644 tests/fuzz/dict/uci.dict create mode 100644 tests/fuzz/inputs/dhcp create mode 100644 tests/fuzz/inputs/firewall create mode 100644 tests/fuzz/test-fuzz.c diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 872ed6de12d4..6f31b9343f5d 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt 
@@ -1,2 +1,6 @@ ADD_SUBDIRECTORY(cram) ADD_SUBDIRECTORY(shunit2) + +IF(CMAKE_C_COMPILER_ID STREQUAL "Clang") + ADD_SUBDIRECTORY(fuzz) +ENDIF() diff --git a/tests/fuzz/CMakeLists.txt b/tests/fuzz/CMakeLists.txt new file mode 100644 index 000000000000..1533c46ca971 --- /dev/null +++ b/tests/fuzz/CMakeLists.txt @@ -0,0 +1,18 @@ +FILE(GLOB test_cases "test-*.c") + +MACRO(ADD_FUZZER_TEST name) + ADD_EXECUTABLE(${name} ${name}.c) + TARGET_COMPILE_OPTIONS(${name} PRIVATE -g -O1 -fno-omit-frame-pointer -fsanitize=fuzzer,address,leak,undefined) + TARGET_INCLUDE_DIRECTORIES(${name} PRIVATE ${PROJECT_SOURCE_DIR}) + TARGET_LINK_OPTIONS(${name} PRIVATE -stdlib=libc++ -fsanitize=fuzzer,address,leak,undefined) + TARGET_LINK_LIBRARIES(${name} uci) + ADD_TEST( + NAME ${name} + COMMAND ${name} -max_len=256 -timeout=10 -max_total_time=300 -dict=${CMAKE_CURRENT_SOURCE_DIR}/dict/uci.dict ${CMAKE_CURRENT_SOURCE_DIR}/corpus + ) +ENDMACRO(ADD_FUZZER_TEST) + +FOREACH(test_case ${test_cases}) + GET_FILENAME_COMPONENT(test_case ${test_case} NAME_WE) + ADD_FUZZER_TEST(${test_case}) +ENDFOREACH(test_case) diff --git a/tests/fuzz/corpus/231ee80a172b8e1749b9d91867989d88e4faf7bb b/tests/fuzz/corpus/231ee80a172b8e1749b9d91867989d88e4faf7bb new file mode 100644 index 0000000000000000000000000000000000000000..9c17457fb85abbcc5b28d861981937b3b2dc0fb2 GIT binary patch literal 15 Wcmd;N;9}t7WN<9t?BU literal 0 HcmV?d00001 diff --git a/tests/fuzz/corpus/51045ac5401085f5727c6d3c1cac5f8cc32a2927 b/tests/fuzz/corpus/51045ac5401085f5727c6d3c1cac5f8cc32a2927 new file mode 100644 index 000000000000..f47ebca01bc0 --- /dev/null +++ b/tests/fuzz/corpus/51045ac5401085f5727c6d3c1cac5f8cc32a2927 @@ -0,0 +1 @@ + # \ No newline at end of file 
diff --git a/tests/fuzz/corpus/845dcf3f15f3c28235e6be148a690e7f03b07f65 b/tests/fuzz/corpus/845dcf3f15f3c28235e6be148a690e7f03b07f65 new file mode 100644 index 0000000000000000000000000000000000000000..cf5c1b00e262ac0b3fcf9c8c7ae43099d4f8488e GIT binary patch literal 22 Tcmd;N;NnC=1)K)FF +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "uci.h" + +static void fuzz_uci_import(const uint8_t *input, size_t size) +{ + int r; + int fd; + FILE *fs = NULL; + struct uci_context *ctx = NULL; + struct uci_package *package = NULL; + + fd = open("/dev/shm", O_TMPFILE | O_RDWR, S_IRUSR | S_IWUSR); + if (fd < 0) { + perror("unable to create temp file"); + exit(-1); + } + + r = write(fd, input, size); + if (r < 0) { + perror("unable to write()"); + exit(-1); + } + + fs = fdopen(fd, "r"); + if (fs == NULL) { + perror("unable to fdopen()"); + exit(-1); + } + + fseek(fs, 0L, SEEK_SET); + + ctx = uci_alloc_context(); + if (ctx == NULL) { + perror("unable to uci_alloc_context()"); + exit(-1); + } + + uci_import(ctx, fs, NULL, &package, false); + uci_free_context(ctx); + close(fd); + fclose(fs); +} + +int LLVMFuzzerTestOneInput(const uint8_t *input, size_t size) +{ + fuzz_uci_import(input, size); + return 0; +}
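Review bot: the `IF(CMAKE_C_COMPILER_ID STREQUAL "Clang")` guard in tests/CMakeLists.txt does not match AppleClang (its compiler id is "AppleClang"), so macOS clang builds silently get no fuzz target; `MATCHES "Clang"` covers both. The same guard also makes every Clang build configure the sanitizer-instrumented targets and run them under ctest with no way to opt out; a dedicated CMake option, off by default and switched on by the fuzzing CI job, would keep an ordinary Clang build of uci free of that cost.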
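Review bot: `ADD_TEST(... -max_total_time=300 ...)` in tests/fuzz/CMakeLists.txt turns ctest into a five-minute, non-deterministic fuzzing session per target, which is a poor fit for a pass/fail suite. Run the committed corpus as a regression test under ctest (libFuzzer's `-runs=0` replays the corpus inputs once and exits) and keep the time-bounded exploration as a separate target or CI job. Two smaller points on the flags: `-stdlib=libc++` in TARGET_LINK_OPTIONS forces a libc++ dependency on a C target, while clang already links the C++ runtime libFuzzer needs when it sees `-fsanitize=fuzzer`, so it can go; and `leak` is implied by `address` on Linux, so `-fsanitize=fuzzer,address,undefined` is equivalent. The diffstat also adds tests/fuzz/inputs/dhcp and tests/fuzz/inputs/firewall, but the test command only passes the dict and corpus directories; say what inputs/ is for (seeds to merge into the corpus?) or wire it into the command.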
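Review bot: the corpus mixes AFL-style crash artefacts (`id:000000,sig:11,src:000001,op:flip1,pos:24` and `id:000008,sig:11,src:000022,op:arith8,pos:42,val:+26`, where sig:11 is SIGSEGV) with hash-named seeds. If uci_import still segfaults on those two inputs at this point in the series (this is 1/6), the test added here fails on its own commit until the fix lands; either order the fix before this patch or state in the commit message which later patch resolves them. Independently, colons in file names are not portable (Windows checkouts reject them and some archive tools mangle them), so renaming the two files to their content hash like the rest of the corpus avoids a checkout problem for contributors on other platforms.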
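Review bot: in fuzz_uci_import() in tests/fuzz/test-fuzz.c, `close(fd)` followed by `fclose(fs)` closes the descriptor twice: fdopen() hands ownership of fd to the stream and fclose() closes it, so the explicit close() should go (as written, fclose() closes whatever descriptor number may have been reused in between). The `write()` result is only checked for `r < 0`; a short write feeds a silently truncated input, so compare the result against size (or loop) instead. `O_TMPFILE` on `/dev/shm` also ties the harness to Linux with a mounted tmpfs; `fmemopen()` on the input buffer gives uci_import() its FILE* with no filesystem round trip (older glibc rejects a zero-length buffer, which needs a special case), and `tmpfile()` is the portable fallback. Finally, exit() from inside a libFuzzer target is reported by libFuzzer as "fuzz target exited" and saved as a finding, so a setup failure will look like a crash in the report; that is acceptable, but worth knowing when triaging.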
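As an added example, not part of this patch and not libuci code: a self-contained libFuzzer target in the same shape as test-fuzz.c, but feeding the parser through fmemopen() instead of an O_TMPFILE on /dev/shm. parse_config() and SAMPLE_CONFIG are constructed stand-ins for uci_import() and the real config files, there only so the block compiles and runs without libuci; what carries over is the harness contract: one entry point, an exactly-sized writable copy of the input, a single fclose(), a guard for zero-length input, and a return value of 0.

```c
#define _GNU_SOURCE                   /* fmemopen(3), getline(3) */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* parse_config() below is a constructed, deliberately small stand-in for
 * uci_import(); it is not libuci code. */
struct parse_result {
    unsigned sections;  /* 'config' lines seen */
    unsigned options;   /* 'option' and 'list' lines seen */
    int error;          /* 0 ok, 1 option/list before any section, 2 unknown keyword */
};

/* True when line starts with keyword kw followed by a blank. */
static int has_keyword(const char *line, const char *kw)
{
    size_t n = strlen(kw);
    return strncmp(line, kw, n) == 0 && (line[n] == ' ' || line[n] == '\t');
}

/* Parse a UCI-shaped config ("config <type> [<name>]", "option <name> <value>",
 * "list <name> <value>", '#' comments, blank lines) from any FILE*. getline()
 * grows its buffer on demand, so a long fuzzed line cannot overflow a fixed array. */
struct parse_result parse_config(FILE *fs)
{
    struct parse_result res = {0, 0, 0};
    char *line = NULL;
    size_t cap = 0;
    int in_section = 0;

    while (getline(&line, &cap, fs) != -1) {
        const char *p = line;
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0' || *p == '\n' || *p == '#')
            continue;                       /* blank line or comment */
        if (has_keyword(p, "config")) {
            in_section = 1;
            res.sections++;
        } else if (has_keyword(p, "option") || has_keyword(p, "list")) {
            if (!in_section) { res.error = 1; break; }
            res.options++;
        } else {
            res.error = 2;
            break;
        }
    }
    free(line);                             /* getline() allocates even when it hits EOF at once */
    return res;
}

/* One fuzz iteration, separated from the libFuzzer entry point so tests can call it. */
int fuzz_one(const uint8_t *input, size_t size)
{
    if (size == 0)
        return 0;         /* older glibc rejects fmemopen() with size 0 (EINVAL) */

    /* Exactly-sized heap copy: a read past size lands in an ASan redzone, and the
     * parser gets a writable buffer even though libFuzzer's input is const. */
    char *buf = malloc(size);
    if (buf == NULL)
        return 0;
    memcpy(buf, input, size);

    FILE *fs = fmemopen(buf, size, "r");    /* no temp file, no /dev/shm */
    if (fs != NULL) {
        (void)parse_config(fs);             /* crashes and sanitizer reports are the signal */
        fclose(fs);                         /* one fclose(); fmemopen() owns no descriptor */
    }
    free(buf);
    return 0;                               /* libFuzzer requires the target to return 0 */
}

int LLVMFuzzerTestOneInput(const uint8_t *input, size_t size)
{
    return fuzz_one(input, size);
}

/* Parse a NUL-terminated string; convenient for unit tests of the parser. */
struct parse_result parse_string(const char *s)
{
    struct parse_result res = {0, 0, 0};
    size_t n = strlen(s);
    if (n == 0)
        return res;
    FILE *fs = fmemopen((void *)s, n, "r"); /* "r": the buffer is never written */
    if (fs == NULL) {
        res.error = -1;
        return res;
    }
    res = parse_config(fs);
    fclose(fs);
    return res;
}

/* Constructed sample, not a real OpenWrt config: 2 sections, 3 option/list lines. */
const char SAMPLE_CONFIG[] =
    "# constructed sample\n"
    "config interface 'lan'\n"
    "\toption ifname 'eth0'\n"
    "\tlist dns '10.0.0.1'\n"
    "\n"
    "config interface 'wan'\n"
    "\toption proto 'dhcp'\n";
```

Build with `clang -g -O1 -fno-omit-frame-pointer -fsanitize=fuzzer,address,undefined fuzz-fmemopen.c -o fuzz-fmemopen` (the file name is my choice) and point the binary at a corpus directory; passing individual corpus files as arguments instead runs each one once and exits, so no separate replay main() is needed. Replacing parse_config() with uci_alloc_context(), uci_import() on fs and uci_free_context(), as test-fuzz.c does, is the only change needed to apply the same harness shape to libuci.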