author | Nardi Ivan <nardi.ivan@gmail.com> | 2023-10-08 20:36:23 +0200 |
---|---|---|
committer | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2023-10-09 15:41:46 +0200 |
commit | 1366d9415678a44456f4f8e38adef7114a106273 (patch) | |
tree | 7c8da81948ca2da57a2c4a1d061604077373f1a5 | |
parent | 86115a8a65c98d0665100b5ae85cc661d1404783 (diff) |
fuzzing: extend fuzzing coverage
Try fuzzing some functions that write to a file or file descriptor; to avoid
slowing the fuzzer, close its stdout
-rw-r--r-- | fuzz/Makefile.am | 1 | ||||
-rw-r--r-- | fuzz/fuzz_config.cpp | 6 | ||||
-rw-r--r-- | fuzz/fuzz_config.options | 2 | ||||
-rw-r--r-- | fuzz/fuzz_gcrypt_gcm.cpp | 15 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 4 | ||||
-rw-r--r-- | src/lib/third_party/src/gcrypt/aes.c | 6 | ||||
-rw-r--r-- | tests/ossfuzz.sh | 2 |
7 files changed, 32 insertions, 4 deletions
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
index 2568af4b1..3d865a253 100644
--- a/fuzz/Makefile.am
+++ b/fuzz/Makefile.am
@@ -626,6 +626,7 @@ distdir:
 -o -name '*.am' \
 -o -name '*.h' \
 -o -name '*.cpp' \
+ -o -name '*.options' \
 -o -name 'ipv4_addresses.txt' \
 -o -name 'bd_param.txt' \
 -o -name 'splt_param.txt' \
diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
index c5ee02042..53d5c2fd8 100644
--- a/fuzz/fuzz_config.cpp
+++ b/fuzz/fuzz_config.cpp
@@ -172,7 +172,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 ndpi_get_ndpi_num_custom_protocols(ndpi_info_mod);
 ndpi_get_ndpi_num_supported_protocols(ndpi_info_mod);
- ndpi_self_check_host_match(stderr);
+ ndpi_self_check_host_match(stdout);
+
+ ndpi_dump_protocols(ndpi_info_mod, stdout);
+ ndpi_generate_options(fuzzed_data.ConsumeIntegralInRange(0, 4), stdout);
+ ndpi_dump_risks_score(stdout);
 /* Basic code to try testing this "config" */
 bool_value = fuzzed_data.ConsumeBool();
diff --git a/fuzz/fuzz_config.options b/fuzz/fuzz_config.options
new file mode 100644
index 000000000..1c815b33f
--- /dev/null
+++ b/fuzz/fuzz_config.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+close_fd_mask=1
diff --git a/fuzz/fuzz_gcrypt_gcm.cpp b/fuzz/fuzz_gcrypt_gcm.cpp
index 37bb35e3d..fb2b0a931 100644
--- a/fuzz/fuzz_gcrypt_gcm.cpp
+++ b/fuzz/fuzz_gcrypt_gcm.cpp
@@ -20,7 +20,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 int key_len, rc_e, rc_d;
 mbedtls_cipher_id_t cipher;
 unsigned char *tag;
- int iv_len, tag_len, input_length;
+ int iv_len, tag_len, input_length, force_auth_tag_error;
 /* No real memory allocations involved */
@@ -28,6 +28,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 1 + 64 + /* iv */
 1 + /* tag_len */
 1 + 64 + /* input */
+ 1 + /* force_auth_tag_error */
 1 /* useless data: to be able to add the check with assert */)
 return -1;
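Review bot: The new `ndpi_generate_options(fuzzed_data.ConsumeIntegralInRange(0, 4), stdout);` line builds and tears down a complete detection module on every iteration (the ndpi_main.c hunk in this same commit shows it calling `ndpi_init_detection_module` internally), which is likely the single most expensive step in this harness and works against the commit's stated goal of not slowing the fuzzer. Gating it on a fuzzed bit keeps the coverage while letting most iterations skip it: `if(fuzzed_data.ConsumeBool()) ndpi_generate_options(fuzzed_data.ConsumeIntegralInRange(0, 4), stdout);`. The three other calls only make sense once one knows fd 1 is closed, so a one-line comment above them such as `/* stdout is closed via fuzz_config.options (close_fd_mask=1); these calls exercise the formatting code only */` would save the next reader the lookup. LLVMFuzzerTestOneInput starts and ends outside this hunk.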
@@ -55,6 +56,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 output = (unsigned char *)malloc(input_length);
 decrypted = (unsigned char *)malloc(input_length);
+ force_auth_tag_error = fuzzed_data.ConsumeBool();
+
 cipher = static_cast<mbedtls_cipher_id_t>(fuzzed_data.ConsumeIntegralInRange(0, (int)MBEDTLS_CIPHER_ID_CHACHA20));
 assert(fuzzed_data.remaining_bytes() > 0);
@@ -74,6 +77,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 output, tag_len, tag);
 if(rc_e == 0) {
+ if(force_auth_tag_error && tag_len > 0 && tag[0] != 0) {
+ tag[0] = 0;
+ } else {
+ force_auth_tag_error = 0;
+ }
+
 rc_d = mbedtls_gcm_auth_decrypt(gcm_d_ctx, input.size(),
 iv.data(), iv.size(),
@@ -81,8 +90,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 tag, tag_len,
 output, decrypted);
- if (rc_d == 0)
+ if(rc_d == 0)
 assert(memcmp(input.data(), decrypted, input.size()) == 0);
+ if(force_auth_tag_error)
+ assert(rc_d == MBEDTLS_ERR_GCM_AUTH_FAILED);
 }
 }
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 274273cb9..87d43f3f2 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -8777,6 +8777,7 @@ void ndpi_generate_options(u_int opt, FILE *options_out) {
 if (!options_out) return;
 ndpi_str = ndpi_init_detection_module(ndpi_no_prefs);
+ if (!ndpi_str) return;
 NDPI_BITMASK_SET_ALL(all);
 ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
@@ -8819,6 +8820,8 @@ void ndpi_generate_options(u_int opt, FILE *options_out) {
 fprintf(options_out, "%s\n", "WARNING: option -a out of range");
 break;
 }
+
+ ndpi_exit_detection_module(ndpi_str);
 }
 /* ****************************************************** */
@@ -9701,7 +9704,6 @@ static int ndpi_is_vowel(char c) {
 case 'y': // Not a real vowel...
 case 'x': // Not a real vowel...
 return(1);
- break;
 default:
 return(0);
diff --git a/src/lib/third_party/src/gcrypt/aes.c b/src/lib/third_party/src/gcrypt/aes.c
index 61dc2137a..dd9c0c88a 100644
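Review bot: The forced-failure branch only corrupts the tag when `tag[0] != 0`, so about one forced run in 256 silently falls into the `else` and clears `force_auth_tag_error`, and the authentication-failure assertion is skipped even though the input asked for it. Flipping a bit instead of zeroing the byte works for every tag value and is also the tighter property to test, since an AEAD must reject a tag that differs in a single bit: `if(force_auth_tag_error && tag_len > 0) { tag[0] ^= 0x01; } else { force_auth_tag_error = 0; }`. The enclosing LLVMFuzzerTestOneInput starts and ends outside this hunk.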
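Review bot: When the tag was deliberately corrupted the new check asserts only on `rc_d`, not on what `mbedtls_gcm_auth_decrypt` left in `decrypted`; releasing plaintext on an authentication failure is the classic AEAD misuse, and upstream mbedtls zeroizes the output buffer in that case, although whether this vendored copy does the same is not visible in the hunk. If it does, the harness should pin that contract too, so a regression that leaves plaintext behind on a bad tag is caught by the fuzzer rather than by a reader. The enclosing function starts outside this hunk.

```cpp
      if(force_auth_tag_error) {
        assert(rc_d == MBEDTLS_ERR_GCM_AUTH_FAILED);
        /* No plaintext may be released on auth failure: the vendored
           mbedtls_gcm_auth_decrypt is expected to wipe the output buffer */
        for(size_t i = 0; i < input.size(); i++)
          assert(decrypted[i] == 0);
      }
```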
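Review bot: The new `ndpi_exit_detection_module(ndpi_str);` at the end of ndpi_generate_options only runs when control falls out of the switch, and the body between the two hunks (lines 8784-8818) is not visible here; if any case there returns early, the module allocated by `ndpi_init_detection_module` at the top would still leak, and since the fuzz harness now calls this function on every iteration LeakSanitizer would report it. Worth a quick check that every path reaches the cleanup, or restructuring so the init/exit pair brackets a single helper call. A short comment at the cleanup such as `/* ndpi_str is owned by this function; every case above must fall through to here */` would document the invariant.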
--- a/src/lib/third_party/src/gcrypt/aes.c
+++ b/src/lib/third_party/src/gcrypt/aes.c
@@ -191,7 +191,13 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
 if( aes_init_done == 0 )
 {
 aes_gen_tables();
+
+ /* Allow to test both aesni and not aesni data path when fuzzing. We can call aes_gen_tables() at every iteration without any issues (performances asides) */
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 aes_init_done = 1;
+#endif
 }
 ctx->rk = RK = ctx->buf;
diff --git a/tests/ossfuzz.sh b/tests/ossfuzz.sh
index 365751b3b..42943838a 100644
--- a/tests/ossfuzz.sh
+++ b/tests/ossfuzz.sh
@@ -51,6 +51,8 @@ ls fuzz/fuzz* | grep -v "\." | while read i; do cp $i $OUT/; done
 cp fuzz/*.dict $OUT/
 # Copy seed corpus
 cp fuzz/*.zip $OUT/
+# Copy options
+cp fuzz/*.options $OUT/
 # Copy configuration files
 cp example/protos.txt $OUT/
 cp example/categories.txt $OUT/ |
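Review bot: The added comment does not say how re-running `aes_gen_tables()` on every `mbedtls_aes_setkey_enc` call exercises "both aesni and not aesni" data paths; nothing in the hunk shows table generation re-probing CPU features or reading anything fuzzer-controlled, so the rationale should name the mechanism, otherwise the next reader will take this for dead weight and restore `aes_init_done = 1`. Two consequences are also worth stating: in fuzzing builds `aes_init_done` is never set, so the `aes_init_done != 0` fast path is exactly the branch the fuzzers no longer cover, and `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` is defined by OSS-Fuzz-style build flags rather than by the compiler, so a local fuzz build only gets this behaviour if nDPI's own fuzz build adds the define (not visible here). Suggested wording: `/* Under FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION the tables are regenerated on every key schedule so that <name the switch> can select the AES-NI or the portable path per input; this costs performance only, and the define is never set in production builds. */`, and "performances asides" should read "performance aside". mbedtls_aes_setkey_enc continues outside the hunk.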