author | Andrew Bartlett <abartlet@samba.org> | 2019-12-04 21:23:06 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2019-12-10 07:50:29 +0000 |
commit | 1d98ced841f83d7305a570297908fd1270de42e0 (patch) | |
tree | e08abd292d32f7c24951246896ff91f0006ac312 /lib/fuzzing | |
parent | f4ff9a079414953b17f49857ecfca6c0e479c32f (diff) | |
download | samba-1d98ced841f83d7305a570297908fd1270de42e0.tar.gz |
lib/fuzzing: Add mode for the AFL fuzzer
This is helpful for ensuring the fuzzers still compile in autobuild, as this
mode requires no fuzzer library support.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Diffstat (limited to 'lib/fuzzing')
-rw-r--r-- | lib/fuzzing/README.md | 26 | ||||
-rw-r--r-- | lib/fuzzing/afl-fuzz-main.c | 42 | ||||
-rw-r--r-- | lib/fuzzing/wscript_build | 28 |
3 files changed, 83 insertions, 13 deletions
diff --git a/lib/fuzzing/README.md b/lib/fuzzing/README.md
index 97b49ed0fb1..5a248241248 100644
--- a/lib/fuzzing/README.md
+++ b/lib/fuzzing/README.md
@@ -7,6 +7,7 @@ exceptions such as crashes, assertions or memory corruption.
 See [Wikipedia article on fuzzing](https://en.wikipedia.org/wiki/Fuzzing) for more information.
+# Hongfuzz
 ## Configure with fuzzing
@@ -15,7 +16,7 @@ Example command line to build binaries for use with
 ```sh
 buildtools/bin/waf -C --without-gettext --enable-debug --enable-developer \
- --address-sanitizer --enable-libfuzzer \
+ --address-sanitizer --enable-libfuzzer --abi-check-disable \
 CC=.../honggfuzz/hfuzz_cc/hfuzz-clang configure \
 LINK_CC=.../honggfuzz/hfuzz_cc/hfuzz-clang
 ```
@@ -32,6 +33,29 @@ buildtools/bin/waf --targets=fuzz_tiniparser build && \
 --rlimit_rss 100 -f .../tiniparser-corpus -- bin/fuzz_tiniparser
 ```
+# AFL (american fuzzy lop)
+
+## Configure with fuzzing
+
+Example command line to build binaries for use with
+[afl](http://lcamtuf.coredump.cx/afl/)
+
+```sh
+buildtools/bin/waf -C --without-gettext --enable-debug --enable-developer \
+ --enable-afl-fuzzer --abi-check-disable \
+ CC=afl-gcc configure
+```
+
+## Fuzzing tiniparser
+
+Example for fuzzing `tiniparser` using `afl-fuzz` (see `--help` for more
+options):
+
+```sh
+buildtools/bin/waf --targets=fuzz_tiniparser build && \
+afl-fuzz -m 200 -i inputdir -o outputdir -- bin/fuzz_tiniparser
+```
+
 # oss-fuzz
 Samba can be fuzzed by Google's oss-fuzz system. Assuming you have an
diff --git a/lib/fuzzing/afl-fuzz-main.c b/lib/fuzzing/afl-fuzz-main.c
new file mode 100644
index 00000000000..730aa39ae49
--- /dev/null
+++ b/lib/fuzzing/afl-fuzz-main.c
@@ -0,0 +1,42 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Fuzz driver (AFL style)
+
+ Copyright (C) Andrew Bartlett 2019
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/samba_util.h"
+#include "fuzzing.h"
+
+int main(int argc, char *argv[]) {
+ int ret;
+ size_t size = 0;
+#ifdef __AFL_LOOP
+ while (__AFL_LOOP(1000))
+#endif
+ {
+ uint8_t *buf = (uint8_t *)fd_load(0, &size, 0, NULL);
+ if (buf == NULL) {
+ exit(1);
+ }
+
+ ret = LLVMFuzzerTestOneInput(buf, size);
+ TALLOC_FREE(buf);
+ }
+ return ret;
+}
diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
index b187f088445..191aa69b6d7 100644
--- a/lib/fuzzing/wscript_build
+++ b/lib/fuzzing/wscript_build
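Review bot: main() calls LLVMFuzzerTestOneInput without first calling LLVMFuzzerInitialize(&argc, &argv), which the libFuzzer and honggfuzz entry points invoke once before the first input; fuzzing.h is not visible here, but if any Samba target relies on that hook its setup is silently skipped under AFL, and a call right after the declarations, `LLVMFuzzerInitialize(&argc, &argv);`, closes that gap (provided fuzzing.h declares it, with a weak default if not every target defines it). `int ret;` is never assigned when the loop body does not run, so `return ret;` would then read an uninitialized value; `int ret = 0;` is cheaper than reasoning about whether __AFL_LOOP always yields at least one iteration. As far as I know __AFL_LOOP is only defined by the afl-clang-fast (LLVM mode) wrapper, so with the `CC=afl-gcc` the README recommends the body runs exactly once per process, and a comment above the #ifdef, `/* Persistent mode: only afl-clang-fast defines __AFL_LOOP; with afl-gcc each input costs a fork+exec. */`, would spare the next reader that surprise. fd_load(0, &size, 0, NULL) passes maxsize 0, which if I recall the helper correctly means no cap, so the input size is bounded only by afl-fuzz's -m limit; worth a one-line comment at that call.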
@@ -3,44 +3,48 @@ from waflib import Build
 bld.SAMBA_SUBSYSTEM('fuzzing',
- source='fuzzing.c',
- deps='talloc',
- enabled=bld.env.enable_libfuzzer
+ source='fuzzing.c',
+ deps='talloc')
+
+bld.SAMBA_SUBSYSTEM('afl-fuzz-main',
+ source='afl-fuzz-main.c',
+ deps='samba-util',
+ enabled=bld.env.enable_afl_fuzzer
 )
 bld.SAMBA_BINARY('fuzz_tiniparser',
 source='fuzz_tiniparser.c',
- deps='fuzzing tiniparser talloc',
+ deps='fuzzing tiniparser talloc afl-fuzz-main',
 fuzzer=True)
 bld.SAMBA_BINARY('fuzz_oLschema2ldif',
 source='fuzz_oLschema2ldif.c',
- deps='fuzzing oLschema2ldif-lib',
+ deps='fuzzing oLschema2ldif-lib afl-fuzz-main',
 fuzzer=True)
 bld.SAMBA_BINARY('fuzz_reg_parse',
 source='fuzz_reg_parse.c',
- deps='fuzzing samba3-util smbconf REGFIO',
+ deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',
 fuzzer=True)
 bld.SAMBA_BINARY('fuzz_regfio',
 source='fuzz_regfio.c',
- deps='fuzzing samba3-util smbconf REGFIO',
+ deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',
 fuzzer=True)
 bld.SAMBA_BINARY('fuzz_lzxpress',
 source='fuzz_lzxpress.c',
- deps='fuzzing LZXPRESS',
+ deps='fuzzing LZXPRESS afl-fuzz-main',
 fuzzer=True)
 bld.SAMBA_BINARY('fuzz_ldap_decode',
 source='fuzz_ldap_decode.c',
- deps='fuzzing cli-ldap',
+ deps='fuzzing cli-ldap afl-fuzz-main',
 fuzzer=True)
 bld.SAMBA_BINARY('fuzz_ldb_parse_tree',
 source='fuzz_ldb_parse_tree.c',
- deps='fuzzing ldb',
+ deps='fuzzing ldb afl-fuzz-main',
 fuzzer=True)
 # The fuzz_type and fuzz_function parameters make the built
@@ -71,9 +75,9 @@ def SAMBA_NDR_FUZZ(bld, interface, auto_deps=False,
 rule='cp ${SRC} ${TGT}')
 if auto_deps:
- deps = "talloc ndr NDR_%s" % interface.upper()
+ deps = "afl-fuzz-main talloc ndr NDR_%s" % interface.upper()
 else:
- deps = "ndr-table NDR_DCERPC"
+ deps = "afl-fuzz-main ndr-table NDR_DCERPC"
 bld.SAMBA_BINARY(name, source=fuzz_named_src, cflags = cflags, |
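Review bot: Nothing in this hunk stops --enable-libfuzzer and --enable-afl-fuzzer from being selected together, in which case the libFuzzer/honggfuzz runtime's main() and the main() from afl-fuzz-main.c would both be linked into every fuzzer; unless configure (outside this diff) rejects the combination, `enabled=bld.env.enable_afl_fuzzer and not bld.env.enable_libfuzzer` on the new subsystem, or a configure-time check, would make the conflict explicit rather than a link error. afl-fuzz-main is added to every fuzz binary and to both branches of SAMBA_NDR_FUZZ while the subsystem is only enabled under bld.env.enable_afl_fuzzer, which relies on the Samba build silently dropping deps on disabled subsystems; that is the established pattern here but deserves a comment on the subsystem, `# Linked into every fuzzer; contributes nothing unless --enable-afl-fuzzer.`. The 'fuzzing' subsystem also loses its enabled= gate, so fuzzing.c now compiles in every build, which matches the autobuild goal in the commit message and could be stated next to it. SAMBA_NDR_FUZZ begins before the second hunk and its bld.SAMBA_BINARY call continues past the end of it.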