[SBFT25]: Team HFuzz

benchmarks/libarchive_libarchive_fuzzer/Dockerfile

@@ -0,0 +1,42 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN apt-get update && apt-get install -y make autoconf libtool pkg-config \
+        libbz2-dev liblzo2-dev liblzma-dev liblz4-dev libz-dev \
+        libssl-dev libacl1-dev libattr1-dev lrzip liblzo2-dev \
+	      liblz4-tool lzop zstd lcab genisoimage jlha-utils rar default-jdk sharutils
+RUN curl -LO http://mirrors.kernel.org/ubuntu/pool/main/a/automake-1.16/automake_1.16.5-1.3_all.deb && \
+    apt install ./automake_1.16.5-1.3_all.deb
+RUN git clone --depth 1 https://github.com/libarchive/libarchive.git
+RUN git clone --depth 1 https://gitlab.gnome.org/GNOME/libxml2.git
+# compile libxml2 from source so we can statically link
+RUN mkdir /deps && \
+  cd $SRC/libxml2 && \
+  ./autogen.sh \
+      --without-debug \
+      --without-ftp \
+      --without-http \
+      --without-legacy \
+      --without-python \
+      --enable-static && \
+  make -j$(nproc) && \
+  make install && \
+  cp .libs/libxml2.a /deps/
+
+COPY build.sh libarchive_fuzzer.cc $SRC/
+WORKDIR $SRC

benchmarks/libarchive_libarchive_fuzzer/benchmark.yaml

@@ -0,0 +1,4 @@
+commit: d5b74d5cccd0601ef4f88b19ea9f32740fcb10ba
+commit_date: 2024-07-01 15:34:53+00:00
+fuzz_target: libarchive_fuzzer
+project: libarchive

benchmarks/libarchive_libarchive_fuzzer/build.sh

@@ -0,0 +1,57 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# For fuzz-introspector. This is to exclude all libxml2 code from the
+# fuzz-introspector reports.
+export FUZZ_INTROSPECTOR_CONFIG=$SRC/fuzz_introspector_exclusion.config
+cat > $FUZZ_INTROSPECTOR_CONFIG <<EOF
+FILES_TO_AVOID
+libxml2
+EOF
+
+DEPS=/deps
+
+cd $SRC/libarchive
+
+mkdir build2
+cd build2
+cmake -DDONT_FAIL_ON_CRC_ERROR=ON -DENABLE_WERROR=OFF ../
+make -j$(nproc)
+
+# build seed
+cp $SRC/libarchive/contrib/oss-fuzz/corpus.zip\
+        $OUT/libarchive_fuzzer_seed_corpus.zip
+
+# build fuzzer(s)
+$CXX $CXXFLAGS -I../libarchive \
+    $SRC/libarchive_fuzzer.cc -o $OUT/libarchive_fuzzer \
+    $LIB_FUZZING_ENGINE ./libarchive/libarchive.a \
+    -Wl,-Bstatic -llzo2 -Wl,-Bdynamic -lcrypto -lacl -llzma -llz4 -lbz2 -lz ${DEPS}/libxml2.a
+
+# add the uuencoded test files
+cd $SRC
+mkdir ./uudecoded
+find $SRC/libarchive/ -type f -name "test_extract.*.uu" -print0 | xargs -0 -I % cp -f % ./uudecoded/
+cd ./uudecoded
+find ./ -name "*.uu" -exec uudecode {} \;
+cd ../
+rm -f ./uudecoded/*.uu
+zip -jr $OUT/libarchive_fuzzer_seed_corpus.zip ./uudecoded/*
+
+# add weird archives
+git clone --depth=1 https://github.com/corkami/pocs
+find ./pocs/ -type f -print0 | xargs -0 -I % zip -jr $OUT/libarchive_fuzzer_seed_corpus.zip %

benchmarks/libarchive_libarchive_fuzzer/libarchive_fuzzer.cc

@@ -0,0 +1,86 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+#include <stddef.h>
+#include <stdint.h>
+#include <vector>
+
+#include "archive.h"
+#include "archive_entry.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+  struct archive *a = archive_read_new();
+
+  archive_read_support_filter_all(a);
+  archive_read_support_format_all(a);
+  archive_read_support_format_empty(a);
+  archive_read_support_format_raw(a);
+  archive_read_support_format_gnutar(a);
+
+  if (ARCHIVE_OK != archive_read_set_options(a, "zip:ignorecrc32,tar:read_concatenated_archives,tar:mac-ext")) {
+    return 0;
+  }
+
+  archive_read_add_passphrase(a, "secret");
+
+  if (ARCHIVE_OK != archive_read_open_memory(a, buf, len)) {
+    archive_read_free(a);
+    return 0;
+  }
+
+  while(1) {
+    std::vector<uint8_t> data_buffer(getpagesize(), 0);
+    struct archive_entry *entry;
+    int ret = archive_read_next_header(a, &entry);
+    if (ret == ARCHIVE_EOF || ret == ARCHIVE_FATAL)
+      break;
+    if (ret == ARCHIVE_RETRY)
+      continue;
+
+    (void)archive_entry_pathname(entry);
+    (void)archive_entry_pathname_utf8(entry);
+    (void)archive_entry_pathname_w(entry);
+
+    (void)archive_entry_atime(entry);
+    (void)archive_entry_birthtime(entry);
+    (void)archive_entry_ctime(entry);
+    (void)archive_entry_dev(entry);
+    (void)archive_entry_digest(entry, ARCHIVE_ENTRY_DIGEST_SHA1);
+    (void)archive_entry_filetype(entry);
+    (void)archive_entry_gid(entry);
+    (void)archive_entry_is_data_encrypted(entry);
+    (void)archive_entry_is_encrypted(entry);
+    (void)archive_entry_is_metadata_encrypted(entry);
+    (void)archive_entry_mode(entry);
+    (void)archive_entry_mtime(entry);
+    (void)archive_entry_size(entry);
+    (void)archive_entry_uid(entry);
+
+    ssize_t r;
+    while ((r = archive_read_data(a, data_buffer.data(),
+            data_buffer.size())) > 0)
+      ;
+    if (r == ARCHIVE_FATAL)
+      break;
+  }
+
+  archive_read_has_encrypted_entries(a);
+  archive_read_format_capabilities(a);
+  archive_file_count(a);
+  archive_seek_data(a, 0, SEEK_SET);
+
+  archive_read_free(a);
+  return 0;
+}

fuzzers/hfuzz/builder.Dockerfile

@@ -0,0 +1,132 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+RUN apt-get update && \
+    apt-get install -y \
+        build-essential \
+        python3-dev \
+        python3-setuptools \
+        automake \
+        cmake \
+        git \
+        flex \
+        bison \
+        libglib2.0-dev \
+        libpixman-1-dev \
+        cargo \
+        libgtk-3-dev \
+        # for QEMU mode
+        ninja-build \
+        gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev \
+        libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+
+RUN git clone https://github.com/Yu3H0/HFuzz.git /hfuzz1
+RUN git -C /hfuzz1 checkout hfuzz1
+
+RUN git clone https://github.com/Yu3H0/HFuzz.git /hfuzz2
+RUN git -C /hfuzz2 checkout hfuzz2
+
+RUN git clone https://github.com/Yu3H0/HFuzz.git /hfuzz3
+RUN git -C /hfuzz3 checkout hfuzz3
+
+# Download afl++.
+RUN git clone -b dev https://github.com/AFLplusplus/AFLplusplus /afl_vanilla  && \
+    cd /afl_vanilla  && \
+    git checkout tags/v4.30c || \
+    true
+
+# Install dependencies.
+RUN apt-get update && \
+    apt-get remove -y llvm-10 && \
+    apt-get install -y \
+        build-essential \
+        lsb-release wget software-properties-common gnupg && \
+    apt-get install -y wget libstdc++5 libtool-bin automake flex bison \
+        libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
+        apt-utils apt-transport-https ca-certificates libc6-dev joe curl
+
+# Build without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl_vanilla && \
+    unset CFLAGS CXXFLAGS && \
+    export CC=clang-15 AFL_NO_X86=1 && \
+    PYTHON_INCLUDE=/ make && \
+    cp utils/aflpp_driver/libAFLDriver.a /
+
+RUN cd /hfuzz1 && \
+    unset CFLAGS CXXFLAGS && \
+    export CC=clang-15 AFL_NO_X86=1 && \
+    PYTHON_INCLUDE=/ make && \
+    cp utils/aflpp_driver/libAFLDriver.a /
+
+RUN cd /hfuzz2 && \
+    unset CFLAGS CXXFLAGS && \
+    export CC=clang-15 AFL_NO_X86=1 && \
+    PYTHON_INCLUDE=/ make && \
+    cp utils/aflpp_driver/libAFLDriver.a /
+
+# The hfuzz3 fuzzer
+COPY ./ensemble_runner.py /hfuzz2/ensemble_runner.py
+# COPY ./hfuzz3 /hfuzz3
+RUN cd /hfuzz3 && \
+    unset CFLAGS CXXFLAGS && \
+    export CC=clang-15 AFL_NO_X86=1 && \
+    PYTHON_INCLUDE=/ CFLAGS="-DAFL_CFG_PATH=\\\"/out/hfuzz3/hfuzz3_sancov_cfg\\\"" CXXFLAGS="-DAFL_CFG_PATH=\\\"/out/hfuzz3/hfuzz3_sancov_cfg\\\"" make source-only && \
+    cp utils/aflpp_driver/libAFLDriver.a /
+
+
+RUN if which rustup; then rustup self uninstall -y; fi && \
+    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
+    sh /rustup.sh --default-toolchain nightly-2024-08-12 -y && \
+    rm /rustup.sh
+
+
+RUN wget https://gist.githubusercontent.com/tokatoka/26f4ba95991c6e33139999976332aa8e/raw/698ac2087d58ce5c7a6ad59adce58dbfdc32bd46/createAliases.sh && \
+    chmod u+x ./createAliases.sh && ./createAliases.sh 
+# RUN rustup component add rustfmt clippy
+
+# Download libafl.
+RUN git clone https://github.com/AFLplusplus/LibAFL /libafl
+
+# Checkout a current commit
+RUN cd /libafl && git pull && git checkout f856092f3d393056b010fcae3b086769377cba18 || true
+# Note that due a nightly bug it is currently fixed to a known version on top!
+
+# Compile libafl.
+RUN cd /libafl && \
+    unset CFLAGS CXXFLAGS && \
+    export LIBAFL_EDGES_MAP_SIZE=2621440 && \
+    cd ./fuzzers/fuzzbench/fuzzbench && \
+    PATH="/root/.cargo/bin/:$PATH" cargo build --profile release-fuzzbench --features no_link_main
+
+# Auxiliary weak references.
+RUN cd /libafl/fuzzers/fuzzbench/fuzzbench && \
+    clang -c stub_rt.c && \
+    ar r /stub_rt.a stub_rt.o
+
+
+# RUN cargo install cargo-make
+# build afl-cc, afl-cxx compilers
+
+# RUN cd $SRC && ls ./build.sh
+# RUN cd $SRC && CC=/libafl/fuzzers/fuzzbench/fuzzbench/target/release-fuzzbench/libafl_cc \
+#     CXX=/libafl/fuzzers/fuzzbench/fuzzbench/target/release-fuzzbench/libafl_cxx \
+#     CFLAGS= CXXFLAGS= FUZZER_LIB="/stub_rt.a /libafl/fuzzers/fuzzbench/fuzzbench/target/release-fuzzbench/libfuzzbench.a" \
+#     ./build.sh 
+# RUN mv $OUT/cms_transform_fuzzer $OUT/libafl_target_bin
+# RUN $OUT/libafl_target_bin --help 
+