author | Tim Taubert <ttaubert@mozilla.com> | 2017-01-26 11:11:11 +0100 |
---|---|---|
committer | Tim Taubert <ttaubert@mozilla.com> | 2017-01-26 11:11:11 +0100 |
commit | 8755e4aaa86ba5c53b3a76825bd97d6ded40d503 (patch) | |
tree | 291649bee01ce3038c7a36368bae19b9ba7edf22 | |
parent | 4bd75b18618066d0a6230c876a1bc3f597004484 (diff) | |
download | nss-hg-8755e4aaa86ba5c53b3a76825bd97d6ded40d503.tar.gz |
Bug 1334062 - Remove libFuzzer dependencies from fuzzers r=franziskus
Differential Revision: https://nss-review.dev.mozaws.net/D177
-rwxr-xr-x | automation/ossfuzz/build.sh | 4 | ||||
-rw-r--r-- | automation/taskcluster/graph/src/extend.js | 19 | ||||
-rwxr-xr-x | automation/taskcluster/scripts/fuzz.sh | 11 | ||||
-rw-r--r-- | fuzz/asn1_mutators.cc | 19 | ||||
-rw-r--r-- | fuzz/cert_target.cc | 17 | ||||
-rw-r--r-- | fuzz/fuzz.gyp | 3 | ||||
-rw-r--r-- | fuzz/hash_target.cc | 3 | ||||
-rw-r--r-- | fuzz/initialize.cc | 54 | ||||
-rw-r--r-- | fuzz/pkcs8_target.cc | 10 | ||||
-rw-r--r-- | fuzz/quickder_target.cc | 10 | ||||
-rw-r--r-- | fuzz/shared.h | 29 | ||||
-rw-r--r-- | fuzz/spki_target.cc | 17 |
12 files changed, 68 insertions, 128 deletions
diff --git a/automation/ossfuzz/build.sh b/automation/ossfuzz/build.sh index 2a74426aa..324c33a0e 100755 --- a/automation/ossfuzz/build.sh +++ b/automation/ossfuzz/build.sh @@ -10,8 +10,8 @@ declare -A disabled=([pkcs8]=1) # Build the library. -CXX="$CXX -stdlib=libc++" CXXFLAGS="$CXXFLAGS -I$SRC/libfuzzer" \ - LDFLAGS="$CFLAGS" ./build.sh -c -v --fuzz=oss --fuzz=tls --disable-tests +CXX="$CXX -stdlib=libc++" LDFLAGS="$CFLAGS" \ + ./build.sh -c -v --fuzz=oss --fuzz=tls --disable-tests # Find fuzzing targets. for fuzzer in $(find ../dist/Debug/bin -name "nssfuzz-*" -printf "%f\n"); do diff --git a/automation/taskcluster/graph/src/extend.js b/automation/taskcluster/graph/src/extend.js index ce4e91ae9..cfa57f74b 100644 --- a/automation/taskcluster/graph/src/extend.js +++ b/automation/taskcluster/graph/src/extend.js @@ -325,12 +325,29 @@ async function scheduleFuzzing() { queue.scheduleTask(merge(base, { parent: task_build, + name: "Hash", + command: [ + "/bin/bash", + "-c", + "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " + + "hash nss/fuzz/corpus/hash -max_total_time=300 -max_len=4096" + ], + // Need a privileged docker container to remove detect_leaks=0. + env: { + ASAN_OPTIONS: "allocator_may_return_null=1:detect_leaks=0", + }, + symbol: "Hash", + kind: "test" + })); + + queue.scheduleTask(merge(base, { + parent: task_build, name: "QuickDER", command: [ "/bin/bash", "-c", "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " + - "quickder nss/fuzz/corpus/quickder -max_total_time=300" + "quickder nss/fuzz/corpus/quickder -max_total_time=300 -max_len=10000" ], // Need a privileged docker container to remove detect_leaks=0. env: { diff --git a/automation/taskcluster/scripts/fuzz.sh b/automation/taskcluster/scripts/fuzz.sh index ed25a805f..72f9f18ea 100755 --- a/automation/taskcluster/scripts/fuzz.sh +++ b/automation/taskcluster/scripts/fuzz.sh 
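Review bot: The new Hash task in scheduleFuzzing is a near-verbatim copy of the QuickDER block that follows it, differing only in name, symbol and the corpus/-max_len arguments, so the next target will be copied a third time; a small helper that builds the `command`, `env`, `symbol` and `kind` fields from a name and an argument string would keep the task shape in one place. Note also that the per-target size limit (`-max_len=4096`, `-max_len=10000`) now exists only in these task commands because initialize.cc no longer injects it; the oss-fuzz build.sh hunk in this commit passes no -max_len, so those runs presumably fall back to libFuzzer's default unless it is configured elsewhere. scheduleFuzzing continues outside the hunk.
```javascript
function scheduleFuzzTask(queue, base, task_build, name, args) {
  queue.scheduleTask(merge(base, {
    parent: task_build,
    name,
    command: [
      "/bin/bash",
      "-c",
      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " + args
    ],
    // Need a privileged docker container to remove detect_leaks=0.
    env: {
      ASAN_OPTIONS: "allocator_may_return_null=1:detect_leaks=0",
    },
    symbol: name,
    kind: "test"
  }));
}
// … unchanged: the Hash and QuickDER blocks become two calls, e.g. …
scheduleFuzzTask(queue, base, task_build, "Hash",
                 "hash nss/fuzz/corpus/hash -max_total_time=300 -max_len=4096");
```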
@@ -11,8 +11,15 @@ fetch_dist # Clone corpus. ./nss/fuzz/clone_corpus.sh -# Ensure we have a directory. -mkdir -p nss/fuzz/corpus/$type +# Ensure we have a corpus. +if [ ! -d "nss/fuzz/corpus/$type" ]; then + mkdir -p nss/fuzz/corpus/$type + + # Create a corpus out of what we have. + for f in $(find nss/fuzz/corpus -type f); do + cp $f "nss/fuzz/corpus/$type" + done +fi # Fetch objdir name. objdir=$(cat dist/latest) diff --git a/fuzz/asn1_mutators.cc b/fuzz/asn1_mutators.cc index a7c952290..e0f7a0236 100644 --- a/fuzz/asn1_mutators.cc +++ b/fuzz/asn1_mutators.cc @@ -3,10 +3,10 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include <assert.h> +#include <random> #include <string.h> #include <tuple> -#include "FuzzerRandom.h" #include "asn1_mutators.h" using namespace std; @@ -94,9 +94,11 @@ static vector<uint8_t *> ParseItems(uint8_t *Data, size_t Size) { size_t ASN1MutatorFlipConstructed(uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) { - fuzzer::Random R(Seed); auto items = ParseItems(Data, Size); - uint8_t *item = items.at(R(items.size())); + + std::mt19937 rng(Seed); + std::uniform_int_distribution<size_t> dist(0, items.size() - 1); + uint8_t *item = items.at(dist(rng)); // Flip "constructed" type bit. item[0] ^= 0x20; @@ -106,12 +108,15 @@ size_t ASN1MutatorFlipConstructed(uint8_t *Data, size_t Size, size_t MaxSize, size_t ASN1MutatorChangeType(uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) { - fuzzer::Random R(Seed); auto items = ParseItems(Data, Size); - uint8_t *item = items.at(R(items.size())); - // Change type to a random int [0, 31). - item[0] = R(31); + std::mt19937 rng(Seed); + std::uniform_int_distribution<size_t> dist(0, items.size() - 1); + uint8_t *item = items.at(dist(rng)); + + // Change type to a random int [0, 30]. + static std::uniform_int_distribution<size_t> tdist(0, 30); + item[0] = tdist(rng); return Size; } 
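Review bot: The seeding loop `for f in $(find nss/fuzz/corpus -type f); do cp $f "nss/fuzz/corpus/$type"; done` word-splits and glob-expands find's output, so a corpus path containing whitespace or a `*` breaks the copy or copies the wrong file, and `mkdir -p nss/fuzz/corpus/$type` on the line above leaves `$type` unquoted while the `[ ! -d ... ]` test quotes it. Let find do the copying and the three-line loop collapses to `find nss/fuzz/corpus -type f -exec cp {} "nss/fuzz/corpus/$type" \;`. Files from different corpora that share a basename silently overwrite each other in the target directory; that is probably acceptable for hash-named corpus entries but deserves a comment such as `# Same-named files from other corpora overwrite each other.` The rest of the script (fetch_dist, the objdir lookup) is outside the hunk.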
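Review bot: In ASN1MutatorFlipConstructed the new `std::uniform_int_distribution<size_t> dist(0, items.size() - 1)` wraps to SIZE_MAX when ParseItems returns an empty vector, and `items.at(dist(rng))` then throws std::out_of_range, which inside a libFuzzer mutator aborts the run; ASN1MutatorChangeType in the next hunk builds the distribution the same way. ParseItems' body is outside the hunk, so whether it can return empty (for Size == 0, or input that is not ASN.1) cannot be confirmed here, but the guard is cheap: `if (items.empty()) return Size;` before constructing the distribution, returning the input untouched. The `static` on `tdist` in ASN1MutatorChangeType buys nothing, since uniform_int_distribution carries no state worth keeping across calls; a plain local reads more clearly and matches `dist` two lines above it.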
diff --git a/fuzz/cert_target.cc b/fuzz/cert_target.cc deleted file mode 100644 index bcbef0a4e..000000000 --- a/fuzz/cert_target.cc +++ /dev/null @@ -1,17 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "FuzzerInternal.h" -#include "asn1_mutators.h" -#include "shared.h" - -extern const uint16_t DEFAULT_MAX_LENGTH = 3072U; - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - CERTCertificate cert; - QuickDERDecode(&cert, SEC_SignedCertificateTemplate, Data, Size); - return 0; -} - -ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType}) diff --git a/fuzz/fuzz.gyp b/fuzz/fuzz.gyp index 1ccc9df8f..98c87ad24 100644 --- a/fuzz/fuzz.gyp +++ b/fuzz/fuzz.gyp @@ -92,7 +92,6 @@ 'type': 'executable', 'sources': [ 'asn1_mutators.cc', - 'initialize.cc', 'pkcs8_target.cc', ], 'dependencies': [ @@ -105,7 +104,6 @@ 'type': 'executable', 'sources': [ 'asn1_mutators.cc', - 'initialize.cc', 'quickder_target.cc', ], 'dependencies': [ @@ -118,7 +116,6 @@ 'type': 'executable', 'sources': [ 'hash_target.cc', - 'initialize.cc', ], 'dependencies': [ '<(DEPTH)/exports.gyp:nss_exports', diff --git a/fuzz/hash_target.cc b/fuzz/hash_target.cc index dad89e8e3..87b0f82c7 100644 --- a/fuzz/hash_target.cc +++ b/fuzz/hash_target.cc @@ -5,14 +5,11 @@ #include <memory> #include <vector> -#include "FuzzerInternal.h" #include "hasht.h" #include "pk11pub.h" #include "secoidt.h" #include "shared.h" -extern const uint16_t DEFAULT_MAX_LENGTH = 4096U; - const std::vector<SECOidTag> algos = {SEC_OID_MD5, SEC_OID_SHA1, SEC_OID_SHA256, SEC_OID_SHA384, SEC_OID_SHA512}; diff --git a/fuzz/initialize.cc b/fuzz/initialize.cc deleted file mode 100644 index 220d50ed1..000000000 --- a/fuzz/initialize.cc +++ /dev/null 
@@ -1,54 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include <string.h>
-#include <algorithm>
-#include <iostream>
-#include <vector>
-
-#include "assert.h"
-
-extern const uint16_t DEFAULT_MAX_LENGTH;
-
-const uint16_t MERGE_MAX_LENGTH = 50000U;
-
-extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
- std::vector<std::string> args(*argv, *argv + *argc);
-
- auto hasMaxLenArg = [](std::string &a) { return a.find("-max_len=") == 0; };
-
- // Nothing to do if a max_len argument is given.
- if (any_of(args.begin(), args.end(), hasMaxLenArg)) {
- return 0;
- }
-
- auto hasMergeArg = [](std::string &a) { return a.find("-merge=1") == 0; };
-
- uint16_t max_length = DEFAULT_MAX_LENGTH;
-
- // Set specific max_len when merging.
- if (any_of(args.begin(), args.end(), hasMergeArg)) {
- max_length = MERGE_MAX_LENGTH;
- }
-
- std::cerr << "INFO: MaxLen: " << max_length << std::endl;
- std::string param = "-max_len=" + std::to_string(max_length);
-
- // Copy original arguments.
- char **new_args = new char *[*argc + 1];
- for (int i = 0; i < *argc; i++) {
- new_args[i] = (*argv)[i];
- }
-
- // Append corpus max length.
- size_t param_len = param.size() + 1;
- new_args[*argc] = new char[param_len];
- memcpy(new_args[*argc], param.c_str(), param_len);
-
- // Update arguments.
- (*argc)++;
- *argv = new_args;
-
- return 0;
-}
diff --git a/fuzz/pkcs8_target.cc b/fuzz/pkcs8_target.cc
index 04a157a53..4c6849090 100644
--- a/fuzz/pkcs8_target.cc
+++ b/fuzz/pkcs8_target.cc
@@ -8,13 +8,10 @@ #include "keyhi.h" #include "pk11pub.h" -#include "FuzzerInternal.h" #include "asn1_mutators.h" #include "assert.h" #include "shared.h" -extern const uint16_t DEFAULT_MAX_LENGTH = 2048U; - extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { SECItem data = {siBuffer, (unsigned char *)Data, (unsigned int)Size}; @@ -35,4 +32,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { return 0; } -ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType}) +extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, + size_t MaxSize, unsigned int Seed) { + static Mutators mutators = {&ASN1MutatorFlipConstructed, + &ASN1MutatorChangeType}; + return CustomMutate(mutators, Data, Size, MaxSize, Seed); +} diff --git a/fuzz/quickder_target.cc b/fuzz/quickder_target.cc index 08df137cb..4d6277d3b 100644 --- a/fuzz/quickder_target.cc +++ b/fuzz/quickder_target.cc @@ -2,7 +2,6 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -#include "FuzzerInternal.h" #include "asn1_mutators.h" #include "shared.h" @@ -62,8 +61,6 @@ const std::vector<const SEC_ASN1Template *> templates = { SECKEY_RSAPublicKeyTemplate, SECOID_AlgorithmIDTemplate}; -extern const uint16_t DEFAULT_MAX_LENGTH = 10000U; - extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { char *dest[2048]; @@ -80,4 +77,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { return 0; } -ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType}) +extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, + size_t MaxSize, unsigned int Seed) { + static Mutators mutators = {&ASN1MutatorFlipConstructed, + &ASN1MutatorChangeType}; + return CustomMutate(mutators, Data, Size, MaxSize, Seed); +} diff --git a/fuzz/shared.h b/fuzz/shared.h index bfa4e8f52..24ca51f85 100644 --- a/fuzz/shared.h 
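Review bot: The `LLVMFuzzerCustomMutator` definition added at the end of pkcs8_target.cc is repeated verbatim in quickder_target.cc in this same commit: the ADD_CUSTOM_MUTATORS macro is removed from shared.h and replaced by two hand-maintained copies of the same five lines, so the two tables can now drift apart. If the macro was dropped for readability, keeping a single definition is still possible with a helper in shared.h that each target wraps in one line, or by keeping the macro. In either case the table only needs to be initialized once and is never written afterwards, so `static const Mutators mutators = {...}` is the intent, which works once CustomMutate accepts a const reference.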
+++ b/fuzz/shared.h @@ -7,33 +7,34 @@ #ifndef shared_h__ #define shared_h__ -#include "FuzzerRandom.h" +#include <assert.h> +#include <random> #include "cert.h" #include "nss.h" +extern "C" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize); +extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, + size_t MaxSize, unsigned int Seed); + class NSSDatabase { public: NSSDatabase() { assert(NSS_NoDB_Init(nullptr) == SECSuccess); } ~NSSDatabase() { assert(NSS_Shutdown() == SECSuccess); } }; -size_t CustomMutate(std::vector<decltype(LLVMFuzzerCustomMutator) *> mutators, - uint8_t *Data, size_t Size, size_t MaxSize, - unsigned int Seed) { - fuzzer::Random R(Seed); +typedef std::vector<decltype(LLVMFuzzerCustomMutator) *> Mutators; + +size_t CustomMutate(Mutators &mutators, uint8_t *Data, size_t Size, + size_t MaxSize, unsigned int Seed) { + std::mt19937 rng(Seed); + static std::bernoulli_distribution bdist; - if (R.RandBool()) { - auto idx = R(mutators.size()); - return mutators.at(idx)(Data, Size, MaxSize, Seed); + if (bdist(rng)) { + std::uniform_int_distribution<size_t> idist(0, mutators.size() - 1); + return mutators.at(idist(rng))(Data, Size, MaxSize, Seed); } return LLVMFuzzerMutate(Data, Size, MaxSize); } -#define ADD_CUSTOM_MUTATORS(...) \ - extern "C" size_t LLVMFuzzerCustomMutator( \ - uint8_t *Data, size_t Size, size_t MaxSize, unsigned int Seed) { \ - return CustomMutate(__VA_ARGS__, Data, Size, MaxSize, Seed); \ - } - #endif // shared_h__ diff --git a/fuzz/spki_target.cc b/fuzz/spki_target.cc deleted file mode 100644 index 708ba3bf8..000000000 --- a/fuzz/spki_target.cc +++ /dev/null 
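Review bot: shared.h now declares `Mutators` as `std::vector<decltype(LLVMFuzzerCustomMutator) *>`, but with FuzzerRandom.h removed nothing in the header visibly provides std::vector any more; `<random>` and `<assert.h>` are the only headers added, so this compiles only if one of them or cert.h/nss.h pulls in `<vector>` transitively, and `#include <vector>` should go next to `<random>`. `CustomMutate(Mutators &mutators, ...)` only reads the table through `.size()` and `.at()`, so `const Mutators &mutators` would let the targets keep their tables `static const`, and the `static` on `bdist` is unnecessary for a stateless bernoulli_distribution. `mutators.size() - 1` wraps when the table is empty, harmless for the two callers in this commit, which pass two entries each, but worth stating at the signature: `// mutators must be non-empty.` CustomMutate is still defined non-inline in the header, as before this change; that is fine only while each fuzzer stays a single translation unit.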
@@ -1,17 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "FuzzerInternal.h"
-#include "asn1_mutators.h"
-#include "shared.h"
-
-extern const uint16_t DEFAULT_MAX_LENGTH = 1024U;
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- CERTSubjectPublicKeyInfo spki;
- QuickDERDecode(&spki, CERT_SubjectPublicKeyInfoTemplate, Data, Size);
- return 0;
-}
-
-ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType}) |