author | Andrew Bartlett <abartlet@samba.org> | 2019-12-04 21:23:06 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2019-12-10 07:50:29 +0000 |
commit | 1d98ced841f83d7305a570297908fd1270de42e0 (patch) | |
tree | e08abd292d32f7c24951246896ff91f0006ac312 | |
parent | f4ff9a079414953b17f49857ecfca6c0e479c32f (diff) | |
lib/fuzzing: Add mode for the AFL fuzzer
This is helpful for ensuring the fuzzers still compile in autobuild, as no
fuzzing library support is required for this mode.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
-rw-r--r-- | buildtools/wafsamba/wafsamba.py | 2 | ||||
-rw-r--r-- | buildtools/wafsamba/wscript | 11 | ||||
-rw-r--r-- | lib/fuzzing/README.md | 26 | ||||
-rw-r--r-- | lib/fuzzing/afl-fuzz-main.c | 42 | ||||
-rw-r--r-- | lib/fuzzing/wscript_build | 28 |
5 files changed, 93 insertions, 16 deletions
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 5bbcc156fe7..7827d374654 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -375,7 +375,7 @@ def SAMBA_BINARY(bld, binname, source,
 # Fuzzing builds do not build normal binaries
 # however we must build asn1compile etc
- if not use_hostcc and bld.env.enable_libfuzzer != fuzzer:
+ if not use_hostcc and bld.env.enable_fuzzing != fuzzer:
 SET_TARGET_TYPE(bld, binname, 'DISABLED')
 return
diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
index 764e357cc87..f0b679257b7 100644
--- a/buildtools/wafsamba/wscript
+++ b/buildtools/wafsamba/wscript
@@ -133,8 +133,11 @@ def options(opt):
 dest='undefined_sanitizer', default=False)
 gr.add_option('--enable-libfuzzer',
- help=("Build fuzzing binaries (use ADDITIONAL_CFLAGS to specify compiler options for libFuzzer or use a compiler wrapper such as honggfuzz/hfuzz-cc)"),
+ help=("Build fuzzing binaries (use ADDITIONAL_CFLAGS to specify compiler options for libFuzzer or use CC=honggfuzz/hfuzz-cc)"),
 action="store_true", dest='enable_libfuzzer', default=False)
+ gr.add_option('--enable-afl-fuzzer',
+ help=("Build fuzzing binaries AFL-style (typically use with CC=afl-gcc)"),
+ action="store_true", dest='enable_afl_fuzzer', default=False)
 # Fuzz targets may need additional LDFLAGS that we can't use on
 # internal binaries like asn1_compile
@@ -603,8 +606,12 @@ struct foo bar = { .y = 'X', .x = 1 };
 eprintf("bla", "bar")
 ''', define='HAVE__VA_ARGS__MACRO')
+ conf.env.enable_fuzzing = False
+
 conf.env.enable_libfuzzer = Options.options.enable_libfuzzer
- if conf.env.enable_libfuzzer:
+ conf.env.enable_afl_fuzzer = Options.options.enable_afl_fuzzer
+ if conf.env.enable_libfuzzer or conf.env.enable_afl_fuzzer:
+ conf.env.enable_fuzzing = True
 conf.DEFINE('FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION', 1)
 conf.env.FUZZ_TARGET_LDFLAGS = Options.options.FUZZ_TARGET_LDFLAGS
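Review bot: Nothing in the new configure block (the `@@ -603,8 +606,12 @@` hunk of buildtools/wafsamba/wscript) rejects `--enable-libfuzzer` together with `--enable-afl-fuzzer`: both flags are stored, `enable_fuzzing` becomes True, and the build then links the new afl-fuzz-main `main()` into fuzzers whose libFuzzer or honggfuzz runtime presumably supplies its own, so the mistake would surface as a duplicate-symbol link error instead of a configure-time message. Add a guard right after the two assignments, `if conf.env.enable_libfuzzer and conf.env.enable_afl_fuzzer:` / `    conf.fatal('--enable-libfuzzer and --enable-afl-fuzzer are mutually exclusive')`. A one-line comment that `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` is now defined for both modes, not just libFuzzer, would also save the next reader a trip to the git log. The enclosing configure function starts and ends outside this hunk.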
diff --git a/lib/fuzzing/README.md b/lib/fuzzing/README.md index 97b49ed0fb1..5a248241248 100644 --- a/lib/fuzzing/README.md +++ b/lib/fuzzing/README.md @@ -7,6 +7,7 @@ exceptions such as crashes, assertions or memory corruption. See [Wikipedia article on fuzzing](https://en.wikipedia.org/wiki/Fuzzing) for more information. +# Hongfuzz ## Configure with fuzzing @@ -15,7 +16,7 @@ Example command line to build binaries for use with ```sh buildtools/bin/waf -C --without-gettext --enable-debug --enable-developer \ - --address-sanitizer --enable-libfuzzer \ + --address-sanitizer --enable-libfuzzer --abi-check-disable \ CC=.../honggfuzz/hfuzz_cc/hfuzz-clang configure \ LINK_CC=.../honggfuzz/hfuzz_cc/hfuzz-clang ``` @@ -32,6 +33,29 @@ buildtools/bin/waf --targets=fuzz_tiniparser build && \ --rlimit_rss 100 -f .../tiniparser-corpus -- bin/fuzz_tiniparser ``` +# AFL (american fuzzy lop) + +## Configure with fuzzing + +Example command line to build binaries for use with +[afl](http://lcamtuf.coredump.cx/afl/) + +```sh +buildtools/bin/waf -C --without-gettext --enable-debug --enable-developer \ + --enable-afl-fuzzer --abi-check-disable \ + CC=afl-gcc configure +``` + +## Fuzzing tiniparser + +Example for fuzzing `tiniparser` using `afl-fuzz` (see `--help` for more +options): + +```sh +buildtools/bin/waf --targets=fuzz_tiniparser build && \ +afl-fuzz -m 200 -i inputdir -o outputdir -- bin/fuzz_tiniparser +``` + # oss-fuzz Samba can be fuzzed by Google's oss-fuzz system. Assuming you have an diff --git a/lib/fuzzing/afl-fuzz-main.c b/lib/fuzzing/afl-fuzz-main.c new file mode 100644 index 00000000000..730aa39ae49 --- /dev/null +++ b/lib/fuzzing/afl-fuzz-main.c 
@@ -0,0 +1,42 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Fuzz driver (AFL style)
+
+ Copyright (C) Andrew Bartlett 2019
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/samba_util.h"
+#include "fuzzing.h"
+
+int main(int argc, char *argv[]) {
+ int ret;
+ size_t size = 0;
+#ifdef __AFL_LOOP
+ while (__AFL_LOOP(1000))
+#endif
+ {
+ uint8_t *buf = (uint8_t *)fd_load(0, &size, 0, NULL);
+ if (buf == NULL) {
+ exit(1);
+ }
+
+ ret = LLVMFuzzerTestOneInput(buf, size);
+ TALLOC_FREE(buf);
+ }
+ return ret;
+}
diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
index b187f088445..191aa69b6d7 100644
--- a/lib/fuzzing/wscript_build
+++ b/lib/fuzzing/wscript_build
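Review bot: `ret` is declared without an initialiser (`int ret;`) and returned after the loop, so when `__AFL_LOOP` is defined and the loop body is never entered, `return ret;` reads an indeterminate value; compilers will flag this under -Wmaybe-uninitialized, so write `int ret = 0;`. The `#ifdef __AFL_LOOP` block also deserves a comment, because the macro is presumably only provided by AFL's instrumenting compilers that support persistent mode (afl-clang-fast rather than the afl-gcc the README recommends), and without it the braces are a plain block that handles exactly one input read from stdin per process: `/* __AFL_LOOP (persistent mode) exists only under AFL's LLVM-mode compilers; otherwise run once on stdin */`. Finally, `exit(1)` on a failed `fd_load` gives no diagnostic, so a broken harness looks like a silent crash to the fuzzer; a `fprintf(stderr, "fd_load failed\n");` before the exit would make that case easy to tell apart from a real finding.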
@@ -3,44 +3,48 @@ from waflib import Build bld.SAMBA_SUBSYSTEM('fuzzing', - source='fuzzing.c', - deps='talloc', - enabled=bld.env.enable_libfuzzer + source='fuzzing.c', + deps='talloc') + +bld.SAMBA_SUBSYSTEM('afl-fuzz-main', + source='afl-fuzz-main.c', + deps='samba-util', + enabled=bld.env.enable_afl_fuzzer ) bld.SAMBA_BINARY('fuzz_tiniparser', source='fuzz_tiniparser.c', - deps='fuzzing tiniparser talloc', + deps='fuzzing tiniparser talloc afl-fuzz-main', fuzzer=True) bld.SAMBA_BINARY('fuzz_oLschema2ldif', source='fuzz_oLschema2ldif.c', - deps='fuzzing oLschema2ldif-lib', + deps='fuzzing oLschema2ldif-lib afl-fuzz-main', fuzzer=True) bld.SAMBA_BINARY('fuzz_reg_parse', source='fuzz_reg_parse.c', - deps='fuzzing samba3-util smbconf REGFIO', + deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main', fuzzer=True) bld.SAMBA_BINARY('fuzz_regfio', source='fuzz_regfio.c', - deps='fuzzing samba3-util smbconf REGFIO', + deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main', fuzzer=True) bld.SAMBA_BINARY('fuzz_lzxpress', source='fuzz_lzxpress.c', - deps='fuzzing LZXPRESS', + deps='fuzzing LZXPRESS afl-fuzz-main', fuzzer=True) bld.SAMBA_BINARY('fuzz_ldap_decode', source='fuzz_ldap_decode.c', - deps='fuzzing cli-ldap', + deps='fuzzing cli-ldap afl-fuzz-main', fuzzer=True) bld.SAMBA_BINARY('fuzz_ldb_parse_tree', source='fuzz_ldb_parse_tree.c', - deps='fuzzing ldb', + deps='fuzzing ldb afl-fuzz-main', fuzzer=True) # The fuzz_type and fuzz_function parameters make the built @@ -71,9 +75,9 @@ def SAMBA_NDR_FUZZ(bld, interface, auto_deps=False, rule='cp ${SRC} ${TGT}') if auto_deps: - deps = "talloc ndr NDR_%s" % interface.upper() + deps = "afl-fuzz-main talloc ndr NDR_%s" % interface.upper() else: - deps = "ndr-table NDR_DCERPC" + deps = "afl-fuzz-main ndr-table NDR_DCERPC" bld.SAMBA_BINARY(name, source=fuzz_named_src, cflags = cflags, |
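Review bot: Every `fuzz_*` target in this hunk, and both `deps` strings in the `SAMBA_NDR_FUZZ` hunk below, now name `afl-fuzz-main` by hand, which is a list each future fuzzer must remember to extend — a target that omits it still configures cleanly and only fails at link time for lack of `main()` under `--enable-afl-fuzzer`. The arrangement also seems to rely on wafsamba dropping dependencies on a target that is `enabled=False` (and so DISABLED) when AFL mode is off; that is not stated anywhere here. A comment on the new subsystem would capture both, e.g. `# afl-fuzz-main supplies main() for AFL builds and must be listed by every fuzzer=True target; when --enable-afl-fuzzer is off the target is DISABLED and the dependency is dropped`.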