From 0092e2eadbfae068fb500e6a4cc24af2634d12ad Mon Sep 17 00:00:00 2001
From: David Korczynski
Date: Thu, 21 Dec 2023 15:41:44 -0800
Subject: [PATCH 1/4] Add ClusterFuzzLite integration
Signed-off-by: David Korczynski
---
 .clusterfuzzlite/Dockerfile | 6 +++
 .clusterfuzzlite/README.md | 3 ++
 .clusterfuzzlite/build.sh | 13 +++++++
 .clusterfuzzlite/project.yaml | 1 +
 .clusterfuzzlite/zone_parse_string_fuzzer.c | 42 +++++++++++++++++++++
 .github/workflows/cflite_pr.yml | 30 +++++++++++++++
 6 files changed, 95 insertions(+)
 create mode 100644 .clusterfuzzlite/Dockerfile
 create mode 100644 .clusterfuzzlite/README.md
 create mode 100644 .clusterfuzzlite/build.sh
 create mode 100644 .clusterfuzzlite/project.yaml
 create mode 100644 .clusterfuzzlite/zone_parse_string_fuzzer.c
 create mode 100644 .github/workflows/cflite_pr.yml
diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile
new file mode 100644
index 0000000..1a2c119
--- /dev/null
+++ b/.clusterfuzzlite/Dockerfile
@@ -0,0 +1,6 @@
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make autoconf automake libtool
+
+COPY . $SRC/simdzone
+COPY .clusterfuzzlite/build.sh $SRC/build.sh
+WORKDIR $SRC/simdzone
\ No newline at end of file
diff --git a/.clusterfuzzlite/README.md b/.clusterfuzzlite/README.md
new file mode 100644
index 0000000..175ac4a
--- /dev/null
+++ b/.clusterfuzzlite/README.md
@@ -0,0 +1,3 @@
+# ClusterFuzzLite set up
+This folder contains a fuzzing set for [ClusterFuzzLite](https://google.github.io/clusterfuzzlite).
+
\ No newline at end of file
diff --git a/.clusterfuzzlite/build.sh b/.clusterfuzzlite/build.sh
new file mode 100644
index 0000000..8028c10
--- /dev/null
+++ b/.clusterfuzzlite/build.sh
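Review bot: The `RUN apt-get update && apt-get install -y make autoconf automake libtool` line does not install cmake, yet build.sh in this same patch configures the library with `cmake ..`; unless the base-builder image already ships cmake (worth confirming), the first build step fails at configure time. Adding it is a one-word change, `RUN apt-get update && apt-get install -y make cmake autoconf automake libtool`. Conversely autoconf, automake and libtool do not appear to be used anywhere in build.sh and could be dropped to keep the image small.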
@@ -0,0 +1,13 @@
+#!/bin/bash -eu
+mkdir build
+cd build
+cmake ..
+make
+
+# Copy all fuzzer executables to $OUT/
+$CC $CFLAGS $LIB_FUZZING_ENGINE \
+ $SRC/simdzone/.clusterfuzzlite/zone_parse_string_fuzzer.c \
+ -o $OUT/zone_parse_string_fuzzer \
+ -I$SRC/simdzone/include \
+ -I$SRC/simdzone/build/include \
+ $SRC/simdzone/build/libzone.a
diff --git a/.clusterfuzzlite/project.yaml b/.clusterfuzzlite/project.yaml
new file mode 100644
index 0000000..e196c5c
--- /dev/null
+++ b/.clusterfuzzlite/project.yaml
@@ -0,0 +1 @@
+language: c
\ No newline at end of file
diff --git a/.clusterfuzzlite/zone_parse_string_fuzzer.c b/.clusterfuzzlite/zone_parse_string_fuzzer.c
new file mode 100644
index 0000000..ed16b37
--- /dev/null
+++ b/.clusterfuzzlite/zone_parse_string_fuzzer.c
@@ -0,0 +1,42 @@
+#include
+#include
+#include
+
+#include "zone.h"
+
+static int32_t add_rr(zone_parser_t *parser, const zone_name_t *owner,
+ uint16_t type, uint16_t class, uint32_t ttl,
+ uint16_t rdlength, const uint8_t *rdata,
+ void *user_data) {
+ (void)parser;
+ (void)owner;
+ (void)type;
+ (void)class;
+ (void)ttl;
+ (void)rdlength;
+ (void)rdata;
+ (void)user_data;
+ return ZONE_SUCCESS;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ // Ensure we have a bit of data.
+ if (size < 10) {
+ return 0;
+ }
+ zone_parser_t parser = {0};
+ zone_name_buffer_t name;
+ zone_rdata_buffer_t rdata;
+ zone_buffers_t buffers = {1, &name, &rdata};
+ zone_options_t options = {0};
+
+ options.accept.callback = add_rr;
+ options.origin = "example.com.";
+ options.default_ttl = 3600;
+ options.default_class = 1;
+
+ zone_parse_string(&parser, &options, &buffers, (const char *)data, size,
+ NULL);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
new file mode 100644
index 0000000..1c8f7cc
--- /dev/null
+++ b/.github/workflows/cflite_pr.yml
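Review bot: `mkdir build` runs under `#!/bin/bash -eu`, so a pre-existing build directory (a checkout that already contains one, or a re-run inside the same container) aborts the script before cmake is ever reached; `mkdir -p build` is the usual form and costs nothing. The library itself is configured with a bare `cmake ..` and relies on cmake picking `CC`/`CFLAGS` up from the environment so that libzone.a carries the same sanitizer instrumentation as the fuzzer compiled on the `$CC $CFLAGS $LIB_FUZZING_ENGINE` line; a one-line comment above `cmake ..` stating that assumption would help the next person who adds a cache or toolchain file and silently breaks it.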
@@ -0,0 +1,30 @@
+name: ClusterFuzzLite PR fuzzing
+on:
+ workflow_dispatch:
+ pull_request:
+ branches: [ main ]
+permissions: read-all
+jobs:
+ PR:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ sanitizer: [address]
+ steps:
+ - name: Build Fuzzers (${{ matrix.sanitizer }})
+ id: build
+ uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+ with:
+ sanitizer: ${{ matrix.sanitizer }}
+ language: c
+ bad-build-check: false
+ - name: Run Fuzzers (${{ matrix.sanitizer }})
+ id: run
+ uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ fuzz-seconds: 180
+ mode: 'code-change'
+ report-unreproducible-crashes: false
+ sanitizer: ${{ matrix.sanitizer }}
From c83a09b6b0b9ea7c72724d7eaf9aad4072d04a76 Mon Sep 17 00:00:00 2001
From: David Korczynski
Date: Wed, 27 Dec 2023 02:27:42 -0800
Subject: [PATCH 2/4] ClusterFuzzLite: ensure proper sizing of input
Signed-off-by: David Korczynski
---
 .clusterfuzzlite/zone_parse_string_fuzzer.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/.clusterfuzzlite/zone_parse_string_fuzzer.c b/.clusterfuzzlite/zone_parse_string_fuzzer.c
index ed16b37..a189b37 100644
--- a/.clusterfuzzlite/zone_parse_string_fuzzer.c
+++ b/.clusterfuzzlite/zone_parse_string_fuzzer.c
@@ -20,10 +20,12 @@ static int32_t add_rr(zone_parser_t *parser, const zone_name_t *owner,
 }
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- // Ensure we have a bit of data.
- if (size < 10) {
- return 0;
- }
+
+ size_t size_of_input = size + ZONE_BLOCK_SIZE + 1;
+ char *null_terminated = (char*)malloc(size_of_input);
+ memcpy(null_terminated, data, size);
+ null_terminated[size_of_input-1] = '\0';
+
 zone_parser_t parser = {0};
 zone_name_buffer_t name;
 zone_rdata_buffer_t rdata;
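Review bot: `bad-build-check: false` on the build step switches off ClusterFuzzLite's verification that the emitted binary is a working, instrumented fuzz target, so a build that silently produced an uninstrumented or non-starting zone_parse_string_fuzzer would still pass this workflow; unless a specific false positive motivated it, dropping the line (the default is true) lets mis-builds surface here instead of as a run that finds nothing. Separately, `uses: google/clusterfuzzlite/actions/build_fuzzers@v1` and `uses: google/clusterfuzzlite/actions/run_fuzzers@v1` follow a mutable tag; pinning both to a full-length commit SHA with the tag in a trailing comment (`@<commit-sha> # v1`) keeps the CI supply chain reproducible, which matters for a job that runs on every pull request. `permissions: read-all` together with the default `GITHUB_TOKEN` is the right least-privilege shape for this job.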
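Review bot: `char *null_terminated = (char*)malloc(size_of_input);` is never checked for NULL before `memcpy(null_terminated, data, size);` and the terminator store, so should the allocation ever fail the harness dereferences NULL and the crash reads as a fuzzer bug rather than a library finding. Only `size + 1` of the `size + ZONE_BLOCK_SIZE + 1` bytes are written, so the ZONE_BLOCK_SIZE tail stays uninitialised; if the parser reads into that padding (presumably the reason it is there), MemorySanitizer would report it, and `char *null_terminated = calloc(size_of_input, 1);` followed by `if (null_terminated == NULL) return 0;` addresses both points and drops the cast. The same lines are touched again by patches 3 and 4 below, where the observation still applies; the rest of LLVMFuzzerTestOneInput continues outside this hunk.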
@@ -35,8 +37,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 options.default_ttl = 3600;
 options.default_class = 1;
 
- zone_parse_string(&parser, &options, &buffers, (const char *)data, size,
+ zone_parse_string(&parser, &options, &buffers, null_terminated, size_of_input,
 NULL);
+ free(null_terminated);
 
 return 0;
 }
\ No newline at end of file
From 1080aadc33a6eb5d272b93270795e09553550d3c Mon Sep 17 00:00:00 2001
From: David Korczynski
Date: Thu, 28 Dec 2023 04:09:05 -0800
Subject: [PATCH 3/4] Place null-termination correctly
Signed-off-by: David Korczynski
---
 .clusterfuzzlite/zone_parse_string_fuzzer.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.clusterfuzzlite/zone_parse_string_fuzzer.c b/.clusterfuzzlite/zone_parse_string_fuzzer.c
index a189b37..16a7309 100644
--- a/.clusterfuzzlite/zone_parse_string_fuzzer.c
+++ b/.clusterfuzzlite/zone_parse_string_fuzzer.c
@@ -20,11 +20,10 @@ static int32_t add_rr(zone_parser_t *parser, const zone_name_t *owner,
 }
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-
 size_t size_of_input = size + ZONE_BLOCK_SIZE + 1;
 char *null_terminated = (char*)malloc(size_of_input);
 memcpy(null_terminated, data, size);
- null_terminated[size_of_input-1] = '\0';
+ null_terminated[size] = '\0';
 
 zone_parser_t parser = {0};
 zone_name_buffer_t name;
From 9f37189807deca03176f7e48f2906148c9861ec9 Mon Sep 17 00:00:00 2001
From: DavidKorczynski
Date: Tue, 16 Jan 2024 22:24:17 +0000
Subject: [PATCH 4/4] fix size argument
---
 .clusterfuzzlite/zone_parse_string_fuzzer.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.clusterfuzzlite/zone_parse_string_fuzzer.c b/.clusterfuzzlite/zone_parse_string_fuzzer.c
index 16a7309..80b4cec 100644
--- a/.clusterfuzzlite/zone_parse_string_fuzzer.c
+++ b/.clusterfuzzlite/zone_parse_string_fuzzer.c
@@ -36,9 +36,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 options.default_ttl = 3600;
 options.default_class = 1;
 
- zone_parse_string(&parser, &options, &buffers, null_terminated, size_of_input,
- NULL);
+ zone_parse_string(&parser, &options, &buffers, null_terminated, size, NULL);
 free(null_terminated);
 
 return 0;
-}
\ No newline at end of file
+}
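Review bot: The call now declares `size` bytes to the parser while the buffer behind `null_terminated` was allocated as `size + ZONE_BLOCK_SIZE + 1` and terminated at index `size`, and nothing in the target says why the extra ZONE_BLOCK_SIZE bytes exist; it took three follow-up patches to get this relationship right, which is a sign it deserves a comment at the allocation (outside this hunk), e.g. `// Over-allocate by ZONE_BLOCK_SIZE: the parser presumably reads past the declared length in block-sized steps -- confirm against zone.h`. The return value of zone_parse_string is discarded, which is acceptable for a fuzz target as long as the library reports malformed input through its return code rather than by aborting; a short comment on this line saying that parse failures are expected and intentionally ignored would make the intent explicit. The beginning of LLVMFuzzerTestOneInput lies outside the hunk.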