util-linux/tools/oss-fuzz.sh

#!/usr/bin/env bash

set -ex

export LC_CTYPE=C.UTF-8

export CC=${CC:-clang}
export CXX=${CXX:-clang++}
export LIB_FUZZING_ENGINE=${LIB_FUZZING_ENGINE:--fsanitize=fuzzer}

SANITIZER=${SANITIZER:-address -fsanitize-address-use-after-scope}
flags="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=$SANITIZER -fsanitize=fuzzer-no-link"

export CFLAGS=${CFLAGS:-$flags}
export CXXFLAGS=${CXXFLAGS:-$flags}

export OUT=${OUT:-$(pwd)/out}
mkdir -p $OUT

./autogen.sh
./configure --disable-all-programs --enable-libuuid --enable-libfdisk --enable-last --enable-fuzzing-engine --enable-libmount --enable-libblkid
make -j$(nproc) V=1 check-programs

for d in "$(dirname $0)"/../tests/ts/fuzzers/test_*_fuzz_files; do
    bd=$(basename "$d")
    fuzzer=${bd%_files}
    zip -jqr $OUT/${fuzzer}_seed_corpus.zip "$d"
done

find . -maxdepth 1 -type f -executable -name "test_*_fuzz" -exec mv {} $OUT \;
find . -type f -name "fuzz-*.dict" -exec cp {} $OUT \;
tests: add a fuzzer for mnt_table_parse_stream The fuzzer is supposed to cover `mnt_table_parse_stream`, which is used by systemd to parse /proc/self/mountinfo. The systemd project has run into memory leaks there at least twice: https://github.com/systemd/systemd/pull/12252#issuecomment-482804040 https://github.com/systemd/systemd/issues/8504 so it seems to be a good idea to continuously fuzz that particular function. The patch can be tested locally by installing clang and running ./tools/oss-fuzz.sh. Currently the fuzzer is failing with ``` ================================================================= ==96638==ERROR: LeakSanitizer: detected memory leaks Direct leak of 216 byte(s) in 1 object(s) allocated from: #0 0x50cd77 in calloc (/home/vagrant/util-linux/out/test_mount_fuzz+0x50cd77) #1 0x58716a in mnt_new_fs /home/vagrant/util-linux/libmount/src/fs.c:36:25 #2 0x54f224 in __table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:728:9 #3 0x54eed8 in mnt_table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:804:8 #4 0x5448b2 in LLVMFuzzerTestOneInput /home/vagrant/util-linux/libmount/src/fuzz.c:19:16 #5 0x44cc88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const, unsigned long) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44cc88) #6 0x44d8b0 in fuzzer::Fuzzer::RunOne(unsigned char const, unsigned long, bool, fuzzer::InputInfo, bool) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44d8b0) #7 0x44e270 in fuzzer::Fuzzer::MutateAndTestOne() (/home/vagrant/util-linux/out/test_mount_fuzz+0x44e270) #8 0x450617 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/vagrant/util-linux/out/test_mount_fuzz+0x450617) #9 0x43adbb in fuzzer::FuzzerDriver(int, char*, int ()(unsigned char const*, unsigned long)) (/home/vagrant/util-linux/out/test_mount_fuzz+0x43adbb) #10 0x42ad46 in main (/home/vagrant/util-linux/out/test_mount_fuzz+0x42ad46) #11 0x7fa084f621a2 in __libc_start_main (/lib64/libc.so.6+0x271a2) SUMMARY: AddressSanitizer: 216 byte(s) leaked in 1 allocation(s). INFO: to ignore leaks on libFuzzer side use -detect_leaks=0. ``` Once the bug is fixed and the OSS-Fuzz counterpart is merged it should be possible to turn on CIFuzz to make sure the fuzz target can be built and run for some time without crashing: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> 2020-04-11 08:25:26 -05:00			`#!/usr/bin/env bash`

			`set -ex`

			`export LC_CTYPE=C.UTF-8`

			`export CC=${CC:-clang}`
			`export CXX=${CXX:-clang++}`
			`export LIB_FUZZING_ENGINE=${LIB_FUZZING_ENGINE:--fsanitize=fuzzer}`

			`SANITIZER=${SANITIZER:-address -fsanitize-address-use-after-scope}`
			`flags="-O1 -fno-omit-frame-pointer -gline-tables-only -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=$SANITIZER -fsanitize=fuzzer-no-link"`

			`export CFLAGS=${CFLAGS:-$flags}`
			`export CXXFLAGS=${CXXFLAGS:-$flags}`

			`export OUT=${OUT:-$(pwd)/out}`
			`mkdir -p $OUT`

			`./autogen.sh`
tests: add a fuzz target calling fdisk_script_read_file It has already found a couple of issues mentioned in https://github.com/karelzak/util-linux/issues/1023#issuecomment-671910621 2020-08-10 17:24:41 -05:00			`./configure --disable-all-programs --enable-libuuid --enable-libfdisk --enable-last --enable-fuzzing-engine --enable-libmount --enable-libblkid`
tests: add a fuzzer for mnt_table_parse_stream The fuzzer is supposed to cover `mnt_table_parse_stream`, which is used by systemd to parse /proc/self/mountinfo. The systemd project has run into memory leaks there at least twice: https://github.com/systemd/systemd/pull/12252#issuecomment-482804040 https://github.com/systemd/systemd/issues/8504 so it seems to be a good idea to continuously fuzz that particular function. The patch can be tested locally by installing clang and running ./tools/oss-fuzz.sh. Currently the fuzzer is failing with ``` ================================================================= ==96638==ERROR: LeakSanitizer: detected memory leaks Direct leak of 216 byte(s) in 1 object(s) allocated from: #0 0x50cd77 in calloc (/home/vagrant/util-linux/out/test_mount_fuzz+0x50cd77) #1 0x58716a in mnt_new_fs /home/vagrant/util-linux/libmount/src/fs.c:36:25 #2 0x54f224 in __table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:728:9 #3 0x54eed8 in mnt_table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:804:8 #4 0x5448b2 in LLVMFuzzerTestOneInput /home/vagrant/util-linux/libmount/src/fuzz.c:19:16 #5 0x44cc88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const, unsigned long) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44cc88) #6 0x44d8b0 in fuzzer::Fuzzer::RunOne(unsigned char const, unsigned long, bool, fuzzer::InputInfo, bool) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44d8b0) #7 0x44e270 in fuzzer::Fuzzer::MutateAndTestOne() (/home/vagrant/util-linux/out/test_mount_fuzz+0x44e270) #8 0x450617 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/vagrant/util-linux/out/test_mount_fuzz+0x450617) #9 0x43adbb in fuzzer::FuzzerDriver(int, char*, int ()(unsigned char const*, unsigned long)) (/home/vagrant/util-linux/out/test_mount_fuzz+0x43adbb) #10 0x42ad46 in main (/home/vagrant/util-linux/out/test_mount_fuzz+0x42ad46) #11 0x7fa084f621a2 in __libc_start_main (/lib64/libc.so.6+0x271a2) SUMMARY: AddressSanitizer: 216 byte(s) leaked in 1 allocation(s). INFO: to ignore leaks on libFuzzer side use -detect_leaks=0. ``` Once the bug is fixed and the OSS-Fuzz counterpart is merged it should be possible to turn on CIFuzz to make sure the fuzz target can be built and run for some time without crashing: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> 2020-04-11 08:25:26 -05:00			`make -j$(nproc) V=1 check-programs`

tests: pack testcases into zip archives so that OSS-Fuzz can use them as seed corpora Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> 2020-07-29 02:22:41 -05:00			`for d in "$(dirname $0)"/../tests/ts/fuzzers/test_*_fuzz_files; do`
			`bd=$(basename "$d")`
			`fuzzer=${bd%_files}`
			`zip -jqr $OUT/${fuzzer}_seed_corpus.zip "$d"`
			`done`

tests: add a fuzzer for mnt_table_parse_stream The fuzzer is supposed to cover `mnt_table_parse_stream`, which is used by systemd to parse /proc/self/mountinfo. The systemd project has run into memory leaks there at least twice: https://github.com/systemd/systemd/pull/12252#issuecomment-482804040 https://github.com/systemd/systemd/issues/8504 so it seems to be a good idea to continuously fuzz that particular function. The patch can be tested locally by installing clang and running ./tools/oss-fuzz.sh. Currently the fuzzer is failing with ``` ================================================================= ==96638==ERROR: LeakSanitizer: detected memory leaks Direct leak of 216 byte(s) in 1 object(s) allocated from: #0 0x50cd77 in calloc (/home/vagrant/util-linux/out/test_mount_fuzz+0x50cd77) #1 0x58716a in mnt_new_fs /home/vagrant/util-linux/libmount/src/fs.c:36:25 #2 0x54f224 in __table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:728:9 #3 0x54eed8 in mnt_table_parse_stream /home/vagrant/util-linux/libmount/src/tab_parse.c:804:8 #4 0x5448b2 in LLVMFuzzerTestOneInput /home/vagrant/util-linux/libmount/src/fuzz.c:19:16 #5 0x44cc88 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const, unsigned long) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44cc88) #6 0x44d8b0 in fuzzer::Fuzzer::RunOne(unsigned char const, unsigned long, bool, fuzzer::InputInfo, bool) (/home/vagrant/util-linux/out/test_mount_fuzz+0x44d8b0) #7 0x44e270 in fuzzer::Fuzzer::MutateAndTestOne() (/home/vagrant/util-linux/out/test_mount_fuzz+0x44e270) #8 0x450617 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) (/home/vagrant/util-linux/out/test_mount_fuzz+0x450617) #9 0x43adbb in fuzzer::FuzzerDriver(int, char*, int ()(unsigned char const*, unsigned long)) (/home/vagrant/util-linux/out/test_mount_fuzz+0x43adbb) #10 0x42ad46 in main (/home/vagrant/util-linux/out/test_mount_fuzz+0x42ad46) #11 0x7fa084f621a2 in __libc_start_main (/lib64/libc.so.6+0x271a2) SUMMARY: AddressSanitizer: 216 byte(s) leaked in 1 allocation(s). INFO: to ignore leaks on libFuzzer side use -detect_leaks=0. ``` Once the bug is fixed and the OSS-Fuzz counterpart is merged it should be possible to turn on CIFuzz to make sure the fuzz target can be built and run for some time without crashing: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru> 2020-04-11 08:25:26 -05:00			`find . -maxdepth 1 -type f -executable -name "test_*_fuzz" -exec mv {} $OUT \;`
			`find . -type f -name "fuzz-*.dict" -exec cp {} $OUT \;`