commit b96c70d668f96550401057834bb9caafb5d0e412 Author: Nick Mathewson nickm@torproject.org Date: Tue Dec 13 19:15:26 2016 -0500
Fuzzing: Add an initial fuzzing tool, for descriptors.
This will need some refactoring and mocking. --- Makefile.am | 1 + src/include.am | 2 +- src/test/fuzz/fuzz_descriptor.c | 26 +++++++++++++++++++++ src/test/fuzz/fuzzing.h | 7 ++++++ src/test/fuzz/fuzzing_common.c | 52 +++++++++++++++++++++++++++++++++++++++++ src/test/fuzz/include.am | 48 +++++++++++++++++++++++++++++++++++++ 6 files changed, 135 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index b6e4e53..2e853d4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -9,6 +9,7 @@ noinst_LIBRARIES=
 EXTRA_DIST=
 noinst_HEADERS=
 bin_PROGRAMS=
+EXTRA_PROGRAMS=
 CLEANFILES=
 TESTS=
 noinst_PROGRAMS=
diff --git a/src/include.am b/src/include.am
index c468af3..d12684e 100644
--- a/src/include.am
+++ b/src/include.am
@@ -6,4 +6,4 @@ include src/test/include.am
 include src/tools/include.am
 include src/win32/include.am
 include src/config/include.am
-
+include src/test/fuzz/include.am
diff --git a/src/test/fuzz/fuzz_descriptor.c b/src/test/fuzz/fuzz_descriptor.c
new file mode 100644
index 0000000..1364bf4
--- /dev/null
+++ b/src/test/fuzz/fuzz_descriptor.c
@@ -0,0 +1,26 @@
+
+#include "or.h"
+#include "routerparse.h"
+#include "routerlist.h"
+#include "fuzzing.h"
+
+int
+fuzz_init(void)
+{
+ ed25519_init();
+ return 0;
+}
+
+int
+fuzz_main(const uint8_t *data, size_t sz)
+{
+ routerinfo_t *ri;
+ const char *str = (const char*) data;
+ ri = router_parse_entry_from_string((const char *)str,
+ str+sz,
+ 0, 0, 0, NULL);
+ if (ri)
+ routerinfo_free(ri);
+ return 0;
+}
+
diff --git a/src/test/fuzz/fuzzing.h b/src/test/fuzz/fuzzing.h
new file mode 100644
index 0000000..fbd54da
--- /dev/null
+++ b/src/test/fuzz/fuzzing.h
@@ -0,0 +1,7 @@
+#ifndef FUZZING_H
+#define FUZZING_H
+
+int fuzz_init(void);
+int fuzz_main(const uint8_t *data, size_t sz);
+
+#endif /* FUZZING_H */
diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c
new file mode 100644
index 0000000..51d519b
--- /dev/null
+++ b/src/test/fuzz/fuzzing_common.c
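Review bot: fuzz_main passes the raw `data` buffer to router_parse_entry_from_string with `str+sz` as the end pointer, but under LLVM_FUZZ the libFuzzer buffer is not NUL-terminated, so any strlen-style scan inside the parser or its tokenizer that does not stop strictly at `end` would become an out-of-bounds read in the harness rather than a finding in the target; I have not verified that the parser honours `end` everywhere, so treat this as a point to confirm. The robust form is to copy into a terminated buffer first, `char *copy = tor_memdup_nulterm(data, sz);`, parse `copy` to `copy+sz`, and `tor_free(copy);` before returning, which also makes the AFL and libFuzzer drivers feed identical input. The second cast `(const char *)str` is redundant, since `str` is already declared `const char *`. fuzz_init returns 0 unconditionally; a one-line comment such as `/* ed25519_init() has no failure path to report; always succeeds. */` would tell the reader why, if that is indeed the case.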
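Review bot: fuzzing.h uses `uint8_t` and `size_t` but includes nothing, so it only compiles after an includer has already pulled in `torint.h` or `or.h`; add `#include "torint.h"` (or the standard `<stdint.h>` and `<stddef.h>`) under the guard so the header stands on its own. The two prototypes also carry no contract: a short comment stating that fuzz_init is called once before any input and must return a negative value on failure, and that fuzz_main receives exactly `sz` bytes that are not guaranteed to be NUL-terminated, must not retain `data` past the call, and has its return value handed straight back to the fuzzing driver, would pin down what every fuzz target has to implement.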
@@ -0,0 +1,52 @@
+#include "orconfig.h"
+#include "torint.h"
+#include "util.h"
+#include "torlog.h"
+#include "backtrace.h"
+#include "fuzzing.h"
+
+extern const char tor_git_revision[];
+const char tor_git_revision[] = "";
+
+#define MAX_FUZZ_SIZE (128*1024)
+
+#ifdef LLVM_FUZZ
+int
+LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ static int initialized = 0;
+ if (!initialized) {
+ if (fuzz_init() < 0)
+ abort();
+ }
+
+ return fuzz_main(Data, Size);
+}
+
+#else /* Not LLVM_FUZZ, so AFL. */
+
+int
+main(int argc, char **argv)
+{
+ size_t size;
+ char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size);
+
+ tor_threads_init();
+ init_logging(1);
+
+ if (argc > 1 && !strcmp(argv[1], "--info")) {
+ log_severity_list_t sev;
+ set_log_severity_config(LOG_INFO, LOG_ERR, &sev);
+ add_stream_log(&sev, "stdout", 1);
+ configure_backtrace_handler(NULL);
+ }
+
+ tor_assert(input);
+ if (fuzz_init() < 0)
+ abort();
+ fuzz_main((const uint8_t*)input, size);
+ tor_free(input);
+ return 0;
+}
+
+#endif
+
diff --git a/src/test/fuzz/include.am b/src/test/fuzz/include.am
new file mode 100644
index 0000000..323798f
--- /dev/null
+++ b/src/test/fuzz/include.am
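Review bot: In LLVMFuzzerTestOneInput the static `initialized` flag is declared and tested but never set, so `fuzz_init()` runs again on every input instead of once; add `initialized = 1;` inside the `if (!initialized)` block after the fuzz_init check. The LLVM path also skips the `tor_threads_init()` and `init_logging(1)` calls that the AFL `main` performs, so a target that logs would behave differently under the two drivers; moving those two calls into the same one-time block would keep the drivers equivalent. In `main`, stdin is consumed by `read_file_to_str_until_eof` before logging is set up, so a read failure can only surface through the later `tor_assert(input)`; reading after `init_logging(1)` costs nothing and gives a diagnosable log line. The opening brace of LLVMFuzzerTestOneInput sits on the signature line while `main` puts it on its own line; the file should pick one.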
@@ -0,0 +1,48 @@
+
+FUZZING_CPPFLAGS = \
+ $(src_test_AM_CPPFLAGS) $(TEST_CPPFLAGS)
+FUZZING_CFLAGS = \
+ $(AM_CFLAGS) $(TEST_CFLAGS)
+FUZZING_LDFLAG = \
+ @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ @TOR_LDFLAGS_libevent@
+FUZZING_LIBS = \
+ src/or/libtor-testing.a \
+ src/common/libor-crypto-testing.a \
+ $(LIBKECCAK_TINY) \
+ $(LIBDONNA) \
+ src/common/libor-testing.a \
+ src/common/libor-ctime-testing.a \
+ src/common/libor-event-testing.a \
+ src/trunnel/libor-trunnel-testing.a \
+ @TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ \
+ @TOR_LIBEVENT_LIBS@ \
+ @TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ \
+ @TOR_SYSTEMD_LIBS@
+
+
+noinst_HEADERS += \
+ src/test/fuzz/fuzzing_boilerplate.h
+
+src_test_fuzz_fuzz_descriptor_SOURCES = \
+ src/test/fuzz/fuzzing_common.c \
+ src/test/fuzz/fuzz_descriptor.c
+src_test_fuzz_fuzz_descriptor_CPPFLAGS = $(FUZZING_CPPFLAGS)
+src_test_fuzz_fuzz_descriptor_CFLAGS = $(FUZZING_CFLAGS)
+src_test_fuzz_fuzz_descriptor_LDFLAGS = $(FUZZING_LDFLAG)
+src_test_fuzz_fuzz_descriptor_LDADD = $(FUZZING_LIBS)
+
+src_test_fuzz_fuzz_http_SOURCES = \
+ src/test/fuzz/fuzzing_common.c \
+ src/test/fuzz/fuzz_http.c
+src_test_fuzz_fuzz_http_CPPFLAGS = $(FUZZING_CPPFLAGS)
+src_test_fuzz_fuzz_http_CFLAGS = $(FUZZING_CFLAGS)
+src_test_fuzz_fuzz_http_LDFLAGS = $(FUZZING_LDFLAG)
+src_test_fuzz_fuzz_http_LDADD = $(FUZZING_LIBS)
+
+FUZZERS = \
+ src/test/fuzz/fuzz-descriptor \
+ src/test/fuzz/fuzz-http
+
+# The fuzzers aren't built by default right now. That should change.
+EXTRA_PROGRAMS += $(FUZZERS)
+fuzzers: $(FUZZERS)
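Review bot: `noinst_HEADERS += src/test/fuzz/fuzzing_boilerplate.h` names a file this commit does not add (the header actually added is `src/test/fuzz/fuzzing.h`), and the `src_test_fuzz_fuzz_http_*` rules together with the `fuzz-http` entry in FUZZERS reference `src/test/fuzz/fuzz_http.c`, which is absent from the diffstat as well. Because the fuzzers sit in EXTRA_PROGRAMS the default build presumably still passes, but `make fuzzers` and `make dist` (which ships noinst_HEADERS) would be expected to fail on the missing files. Change the header line to `src/test/fuzz/fuzzing.h` and either add fuzz_http.c in this commit or drop its rules and its FUZZERS entry until it lands. `FUZZING_LDFLAG` is singular while every sibling variable is plural (`FUZZING_LIBS`, `FUZZING_CFLAGS`); `FUZZING_LDFLAGS` would read consistently.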