authorAndrew Bartlett <abartlet@samba.org>2019-12-04 21:23:06 +1300
committerAndrew Bartlett <abartlet@samba.org>2019-12-10 07:50:29 +0000
commit1d98ced841f83d7305a570297908fd1270de42e0 (patch)
treee08abd292d32f7c24951246896ff91f0006ac312
parentf4ff9a079414953b17f49857ecfca6c0e479c32f (diff)
downloadsamba-1d98ced841f83d7305a570297908fd1270de42e0.tar.gz
lib/fuzzing: Add mode for the AFL fuzzer
This is helpful for ensuring the fuzzers still compile in autobuild as no library support is required. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-rw-r--r--buildtools/wafsamba/wafsamba.py2
-rw-r--r--buildtools/wafsamba/wscript11
-rw-r--r--lib/fuzzing/README.md26
-rw-r--r--lib/fuzzing/afl-fuzz-main.c42
-rw-r--r--lib/fuzzing/wscript_build28
5 files changed, 93 insertions, 16 deletions
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 5bbcc156fe7..7827d374654 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -375,7 +375,7 @@ def SAMBA_BINARY(bld, binname, source,
# Fuzzing builds do not build normal binaries
# however we must build asn1compile etc
- if not use_hostcc and bld.env.enable_libfuzzer != fuzzer:
+ if not use_hostcc and bld.env.enable_fuzzing != fuzzer:
SET_TARGET_TYPE(bld, binname, 'DISABLED')
return
diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
index 764e357cc87..f0b679257b7 100644
--- a/buildtools/wafsamba/wscript
+++ b/buildtools/wafsamba/wscript
@@ -133,8 +133,11 @@ def options(opt):
dest='undefined_sanitizer',
default=False)
gr.add_option('--enable-libfuzzer',
- help=("Build fuzzing binaries (use ADDITIONAL_CFLAGS to specify compiler options for libFuzzer or use a compiler wrapper such as honggfuzz/hfuzz-cc)"),
+ help=("Build fuzzing binaries (use ADDITIONAL_CFLAGS to specify compiler options for libFuzzer or use CC=honggfuzz/hfuzz-cc)"),
action="store_true", dest='enable_libfuzzer', default=False)
+ gr.add_option('--enable-afl-fuzzer',
+ help=("Build fuzzing binaries AFL-style (typically use with CC=afl-gcc)"),
+ action="store_true", dest='enable_afl_fuzzer', default=False)
# Fuzz targets may need additional LDFLAGS that we can't use on
# internal binaries like asn1_compile
@@ -603,8 +606,12 @@ struct foo bar = { .y = 'X', .x = 1 };
eprintf("bla", "bar")
''', define='HAVE__VA_ARGS__MACRO')
+ conf.env.enable_fuzzing = False
+
conf.env.enable_libfuzzer = Options.options.enable_libfuzzer
- if conf.env.enable_libfuzzer:
+ conf.env.enable_afl_fuzzer = Options.options.enable_afl_fuzzer
+ if conf.env.enable_libfuzzer or conf.env.enable_afl_fuzzer:
+ conf.env.enable_fuzzing = True
conf.DEFINE('FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION', 1)
conf.env.FUZZ_TARGET_LDFLAGS = Options.options.FUZZ_TARGET_LDFLAGS
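Review bot: Nothing rejects `--enable-libfuzzer` and `--enable-afl-fuzzer` being passed together; the new `or` on the `if` line accepts both and sets `enable_fuzzing`, so the conflict would only surface later, presumably at link time when the `afl-fuzz-main` subsystem's `main()` meets the libFuzzer runtime's entry point. Before the `if`, I would add `if conf.env.enable_libfuzzer and conf.env.enable_afl_fuzzer:` / `conf.fatal('--enable-libfuzzer and --enable-afl-fuzzer are mutually exclusive')` so the configure step fails with a clear message. The enclosing configure function starts and ends outside the hunk.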
diff --git a/lib/fuzzing/README.md b/lib/fuzzing/README.md
index 97b49ed0fb1..5a248241248 100644
--- a/lib/fuzzing/README.md
+++ b/lib/fuzzing/README.md
@@ -7,6 +7,7 @@ exceptions such as crashes, assertions or memory corruption.
See [Wikipedia article on fuzzing](https://en.wikipedia.org/wiki/Fuzzing) for
more information.
+# Hongfuzz
## Configure with fuzzing
@@ -15,7 +16,7 @@ Example command line to build binaries for use with
```sh
buildtools/bin/waf -C --without-gettext --enable-debug --enable-developer \
- --address-sanitizer --enable-libfuzzer \
+ --address-sanitizer --enable-libfuzzer --abi-check-disable \
CC=.../honggfuzz/hfuzz_cc/hfuzz-clang configure \
LINK_CC=.../honggfuzz/hfuzz_cc/hfuzz-clang
```
@@ -32,6 +33,29 @@ buildtools/bin/waf --targets=fuzz_tiniparser build && \
--rlimit_rss 100 -f .../tiniparser-corpus -- bin/fuzz_tiniparser
```
+# AFL (american fuzzy lop)
+
+## Configure with fuzzing
+
+Example command line to build binaries for use with
+[afl](http://lcamtuf.coredump.cx/afl/)
+
+```sh
+buildtools/bin/waf -C --without-gettext --enable-debug --enable-developer \
+ --enable-afl-fuzzer --abi-check-disable \
+ CC=afl-gcc configure
+```
+
+## Fuzzing tiniparser
+
+Example for fuzzing `tiniparser` using `afl-fuzz` (see `--help` for more
+options):
+
+```sh
+buildtools/bin/waf --targets=fuzz_tiniparser build && \
+afl-fuzz -m 200 -i inputdir -o outputdir -- bin/fuzz_tiniparser
+```
+
# oss-fuzz
Samba can be fuzzed by Google's oss-fuzz system. Assuming you have an
diff --git a/lib/fuzzing/afl-fuzz-main.c b/lib/fuzzing/afl-fuzz-main.c
new file mode 100644
index 00000000000..730aa39ae49
--- /dev/null
+++ b/lib/fuzzing/afl-fuzz-main.c
@@ -0,0 +1,42 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Fuzz driver (AFL style)
+
+ Copyright (C) Andrew Bartlett 2019
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/samba_util.h"
+#include "fuzzing.h"
+
+int main(int argc, char *argv[]) {
+ int ret;
+ size_t size = 0;
+#ifdef __AFL_LOOP
+ while (__AFL_LOOP(1000))
+#endif
+ {
+ uint8_t *buf = (uint8_t *)fd_load(0, &size, 0, NULL);
+ if (buf == NULL) {
+ exit(1);
+ }
+
+ ret = LLVMFuzzerTestOneInput(buf, size);
+ TALLOC_FREE(buf);
+ }
+ return ret;
+}
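Review bot: `ret` is declared without an initializer at the top of `main`, and the only assignment to it is inside the `__AFL_LOOP` body; if that macro can evaluate to false on its first evaluation the `return ret` at the end returns an indeterminate value, and compilers will likely warn about it. Initialise it: `int ret = 0;`. Separately, `fd_load(0, &size, 0, NULL)` passes a maxsize of 0, which I read as "no limit" — if so the driver will allocate whatever arrives on stdin and relies on the fuzzer's memory limit (the README's `-m 200`) for bounding; a comment stating that assumption, e.g. `/* no maxsize: the fuzzer's memory limit bounds the input */`, would make it explicit.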
diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
index b187f088445..191aa69b6d7 100644
--- a/lib/fuzzing/wscript_build
+++ b/lib/fuzzing/wscript_build
@@ -3,44 +3,48 @@
from waflib import Build
bld.SAMBA_SUBSYSTEM('fuzzing',
- source='fuzzing.c',
- deps='talloc',
- enabled=bld.env.enable_libfuzzer
+ source='fuzzing.c',
+ deps='talloc')
+
+bld.SAMBA_SUBSYSTEM('afl-fuzz-main',
+ source='afl-fuzz-main.c',
+ deps='samba-util',
+ enabled=bld.env.enable_afl_fuzzer
)
bld.SAMBA_BINARY('fuzz_tiniparser',
source='fuzz_tiniparser.c',
- deps='fuzzing tiniparser talloc',
+ deps='fuzzing tiniparser talloc afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_oLschema2ldif',
source='fuzz_oLschema2ldif.c',
- deps='fuzzing oLschema2ldif-lib',
+ deps='fuzzing oLschema2ldif-lib afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_reg_parse',
source='fuzz_reg_parse.c',
- deps='fuzzing samba3-util smbconf REGFIO',
+ deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_regfio',
source='fuzz_regfio.c',
- deps='fuzzing samba3-util smbconf REGFIO',
+ deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_lzxpress',
source='fuzz_lzxpress.c',
- deps='fuzzing LZXPRESS',
+ deps='fuzzing LZXPRESS afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_ldap_decode',
source='fuzz_ldap_decode.c',
- deps='fuzzing cli-ldap',
+ deps='fuzzing cli-ldap afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_ldb_parse_tree',
source='fuzz_ldb_parse_tree.c',
- deps='fuzzing ldb',
+ deps='fuzzing ldb afl-fuzz-main',
fuzzer=True)
# The fuzz_type and fuzz_function parameters make the built
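Review bot: Every `fuzzer=True` binary in this hunk now has `afl-fuzz-main` appended by hand to its `deps` string (seven places here, two more in the `SAMBA_NDR_FUZZ` hunk below), so a future fuzz target that forgets it silently gets no `main()` in the AFL configuration. Since `SAMBA_BINARY` already knows it is building a fuzzer via `fuzzer=True`, adding the dependency there (or at least from one shared string in this file) would keep the list in one place. This also relies on wafsamba dropping the dependency when the subsystem is disabled under `--enable-libfuzzer`; that behaviour is not visible in the hunk and is worth a one-line comment next to the `enabled=bld.env.enable_afl_fuzzer` line.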
@@ -71,9 +75,9 @@ def SAMBA_NDR_FUZZ(bld, interface, auto_deps=False,
rule='cp ${SRC} ${TGT}')
if auto_deps:
- deps = "talloc ndr NDR_%s" % interface.upper()
+ deps = "afl-fuzz-main talloc ndr NDR_%s" % interface.upper()
else:
- deps = "ndr-table NDR_DCERPC"
+ deps = "afl-fuzz-main ndr-table NDR_DCERPC"
bld.SAMBA_BINARY(name, source=fuzz_named_src,
cflags = cflags,