authorAndrew Bartlett <abartlet@samba.org>2019-12-04 21:23:06 +1300
committerAndrew Bartlett <abartlet@samba.org>2019-12-10 07:50:29 +0000
commit1d98ced841f83d7305a570297908fd1270de42e0 (patch)
treee08abd292d32f7c24951246896ff91f0006ac312 /lib/fuzzing
parentf4ff9a079414953b17f49857ecfca6c0e479c32f (diff)
downloadsamba-1d98ced841f83d7305a570297908fd1270de42e0.tar.gz
lib/fuzzing: Add mode for the AFL fuzzer
This is helpful for ensuring the fuzzers still compile in autobuild, as no library support is required. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Diffstat (limited to 'lib/fuzzing')
-rw-r--r--lib/fuzzing/README.md26
-rw-r--r--lib/fuzzing/afl-fuzz-main.c42
-rw-r--r--lib/fuzzing/wscript_build28
3 files changed, 83 insertions, 13 deletions
diff --git a/lib/fuzzing/README.md b/lib/fuzzing/README.md
index 97b49ed0fb1..5a248241248 100644
--- a/lib/fuzzing/README.md
+++ b/lib/fuzzing/README.md
@@ -7,6 +7,7 @@ exceptions such as crashes, assertions or memory corruption.
See [Wikipedia article on fuzzing](https://en.wikipedia.org/wiki/Fuzzing) for
more information.
+# Hongfuzz
## Configure with fuzzing
@@ -15,7 +16,7 @@ Example command line to build binaries for use with
```sh
buildtools/bin/waf -C --without-gettext --enable-debug --enable-developer \
- --address-sanitizer --enable-libfuzzer \
+ --address-sanitizer --enable-libfuzzer --abi-check-disable \
CC=.../honggfuzz/hfuzz_cc/hfuzz-clang configure \
LINK_CC=.../honggfuzz/hfuzz_cc/hfuzz-clang
```
@@ -32,6 +33,29 @@ buildtools/bin/waf --targets=fuzz_tiniparser build && \
--rlimit_rss 100 -f .../tiniparser-corpus -- bin/fuzz_tiniparser
```
+# AFL (american fuzzy lop)
+
+## Configure with fuzzing
+
+Example command line to build binaries for use with
+[afl](http://lcamtuf.coredump.cx/afl/)
+
+```sh
+buildtools/bin/waf -C --without-gettext --enable-debug --enable-developer \
+ --enable-afl-fuzzer --abi-check-disable \
+ CC=afl-gcc configure
+```
+
+## Fuzzing tiniparser
+
+Example for fuzzing `tiniparser` using `afl-fuzz` (see `--help` for more
+options):
+
+```sh
+buildtools/bin/waf --targets=fuzz_tiniparser build && \
+afl-fuzz -m 200 -i inputdir -o outputdir -- bin/fuzz_tiniparser
+```
+
# oss-fuzz
Samba can be fuzzed by Google's oss-fuzz system. Assuming you have an
diff --git a/lib/fuzzing/afl-fuzz-main.c b/lib/fuzzing/afl-fuzz-main.c
new file mode 100644
index 00000000000..730aa39ae49
--- /dev/null
+++ b/lib/fuzzing/afl-fuzz-main.c
@@ -0,0 +1,42 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Fuzz driver (AFL style)
+
+ Copyright (C) Andrew Bartlett 2019
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "lib/util/samba_util.h"
+#include "fuzzing.h"
+
+int main(int argc, char *argv[]) {
+ int ret;
+ size_t size = 0;
+#ifdef __AFL_LOOP
+ while (__AFL_LOOP(1000))
+#endif
+ {
+ uint8_t *buf = (uint8_t *)fd_load(0, &size, 0, NULL);
+ if (buf == NULL) {
+ exit(1);
+ }
+
+ ret = LLVMFuzzerTestOneInput(buf, size);
+ TALLOC_FREE(buf);
+ }
+ return ret;
+}
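Review bot: `ret` is declared as `int ret;` and only assigned inside the loop body, so in the `__AFL_LOOP` build the final `return ret;` depends on the loop having run at least once and compilers are likely to flag it with -Wmaybe-uninitialized; initialise it, `int ret = 0;`. The `fd_load(0, &size, 0, NULL)` call passes 0 as its third argument, which I take to be the size cap, so the driver accepts whatever stdin supplies; that is presumably fine because the fuzzer bounds its own inputs, but the assumption deserves a comment such as `/* no size cap: the fuzzer bounds the input; NULL means the read failed */`. The `exit(1)` on a NULL buffer also ends the persistent-mode loop for the whole process rather than skipping one input, which is worth stating in that comment if it is intended. A two-line header comment above `main` noting that this file is linked only when `enable_afl_fuzzer` is set (per wscript_build) and that `LLVMFuzzerTestOneInput` is expected to come from the individual fuzz target would help readers arriving from the libFuzzer path. The Samba tree otherwise puts a function's opening brace on its own line; `int main(int argc, char *argv[]) {` departs from that.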
diff --git a/lib/fuzzing/wscript_build b/lib/fuzzing/wscript_build
index b187f088445..191aa69b6d7 100644
--- a/lib/fuzzing/wscript_build
+++ b/lib/fuzzing/wscript_build
@@ -3,44 +3,48 @@
from waflib import Build
bld.SAMBA_SUBSYSTEM('fuzzing',
- source='fuzzing.c',
- deps='talloc',
- enabled=bld.env.enable_libfuzzer
+ source='fuzzing.c',
+ deps='talloc')
+
+bld.SAMBA_SUBSYSTEM('afl-fuzz-main',
+ source='afl-fuzz-main.c',
+ deps='samba-util',
+ enabled=bld.env.enable_afl_fuzzer
)
bld.SAMBA_BINARY('fuzz_tiniparser',
source='fuzz_tiniparser.c',
- deps='fuzzing tiniparser talloc',
+ deps='fuzzing tiniparser talloc afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_oLschema2ldif',
source='fuzz_oLschema2ldif.c',
- deps='fuzzing oLschema2ldif-lib',
+ deps='fuzzing oLschema2ldif-lib afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_reg_parse',
source='fuzz_reg_parse.c',
- deps='fuzzing samba3-util smbconf REGFIO',
+ deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_regfio',
source='fuzz_regfio.c',
- deps='fuzzing samba3-util smbconf REGFIO',
+ deps='fuzzing samba3-util smbconf REGFIO afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_lzxpress',
source='fuzz_lzxpress.c',
- deps='fuzzing LZXPRESS',
+ deps='fuzzing LZXPRESS afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_ldap_decode',
source='fuzz_ldap_decode.c',
- deps='fuzzing cli-ldap',
+ deps='fuzzing cli-ldap afl-fuzz-main',
fuzzer=True)
bld.SAMBA_BINARY('fuzz_ldb_parse_tree',
source='fuzz_ldb_parse_tree.c',
- deps='fuzzing ldb',
+ deps='fuzzing ldb afl-fuzz-main',
fuzzer=True)
# The fuzz_type and fuzz_function parameters make the built
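Review bot: Every fuzz_* binary now lists `afl-fuzz-main` in its deps while that subsystem is built only when `bld.env.enable_afl_fuzzer` is set, and the `fuzzing` subsystem has at the same time lost its `enabled=bld.env.enable_libfuzzer` guard, so fuzzing.c is presumably compiled in every configuration now. I assume wafsamba silently drops deps on disabled subsystems; if it does not, a build with neither fuzzer enabled cannot resolve the dependency, and a build with both `--enable-libfuzzer` and `--enable-afl-fuzzer` would link two definitions of `main` (libFuzzer's and the one in afl-fuzz-main.c). Nothing in this hunk makes the two options mutually exclusive; if the configure step enforces that, a comment here pointing to it would help, e.g. `# afl-fuzz-main supplies main(); configure must reject enabling it together with libfuzzer`. The second hunk in this file (inside SAMBA_NDR_FUZZ, which runs past the end of the visible diff) adds the same dependency and is covered by this note.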
@@ -71,9 +75,9 @@ def SAMBA_NDR_FUZZ(bld, interface, auto_deps=False,
rule='cp ${SRC} ${TGT}')
if auto_deps:
- deps = "talloc ndr NDR_%s" % interface.upper()
+ deps = "afl-fuzz-main talloc ndr NDR_%s" % interface.upper()
else:
- deps = "ndr-table NDR_DCERPC"
+ deps = "afl-fuzz-main ndr-table NDR_DCERPC"
bld.SAMBA_BINARY(name, source=fuzz_named_src,
cflags = cflags,