diff options
author | Seonah Moon <seonah1.moon@samsung.com> | 2019-08-09 14:22:03 +0900 |
---|---|---|
committer | Seonah Moon <seonah1.moon@samsung.com> | 2019-08-09 14:22:40 +0900 |
commit | 5341f72ee3d82cab6a4e3459f6f19ee3ecbc6f6c (patch) | |
tree | ad4c0ed380d0a41368ef20ba15e272eb981c926b /fuzz | |
parent | 97014ed0c6db196bca17bcd6c22766f6c27e88bf (diff) | |
download | bind-5341f72ee3d82cab6a4e3459f6f19ee3ecbc6f6c.tar.gz bind-5341f72ee3d82cab6a4e3459f6f19ee3ecbc6f6c.tar.bz2 bind-5341f72ee3d82cab6a4e3459f6f19ee3ecbc6f6c.zip |
Imported Upstream version 9.14.4upstream/9.14.4
Change-Id: I04261b1d3d81ead0a7732834f02fc4219d86f5aa
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/FUZZING.md | 24 | ||||
-rw-r--r-- | fuzz/Makefile.in | 44 | ||||
-rw-r--r-- | fuzz/dns_name_fromtext_target.c | 39 | ||||
-rw-r--r-- | fuzz/dns_name_fromtext_target.in/example.com | 1 | ||||
-rw-r--r-- | fuzz/dns_rdata_fromwire_text.c | 195 | ||||
-rw-r--r-- | fuzz/dns_rdata_fromwire_text.in/cdnskey | bin | 0 -> 20 bytes | |||
-rw-r--r-- | fuzz/dns_rdata_fromwire_text.in/smimea | 1 | ||||
-rw-r--r-- | fuzz/dns_rdata_fromwire_text.in/sshfp | 1 | ||||
-rw-r--r-- | fuzz/fuzz.h | 43 | ||||
-rw-r--r-- | fuzz/main.c | 140 |
10 files changed, 488 insertions, 0 deletions
diff --git a/fuzz/FUZZING.md b/fuzz/FUZZING.md new file mode 100644 index 00000000..cccf41ff --- /dev/null +++ b/fuzz/FUZZING.md @@ -0,0 +1,24 @@ += Fuzzing + +The tests in this directory can be operated in three modes: + +* non-fuzzing - the test just runs over all input located in `<test_name>.in/` + directory by compiling with mock main.c that walks through the directory and + runs `LLVMFuzzerTestOneInput()` over the input files +* AFL - `./configure --with-fuzzing=afl` will either feed the stdin to + `LLVMFuzzerTestOneInput()` or run the `__AFL_LOOP(10000)` if compiled with + `afl-clang-fast` +* LibFuzzer - `./configure --with-fuzzing=libfuzzer` will disable `main.c` + completely and it uses the standard LibFuzzer mechanims to feed + `LLVMFuzzerTestOneInput` with the fuzzer + +== Test Cases + +Each test case should be called descriptively and the executable target must +link `testcase.o` and `main.o` and the `test_case.c` must have a function +`LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)`. + +== Adding more fuzzers + +To add a different fuzzer, `main.c` must be modified to include `main()` function +for a specific fuzzer (or no function as is case with LibFuzzer). diff --git a/fuzz/Makefile.in b/fuzz/Makefile.in new file mode 100644 index 00000000..538f6fae --- /dev/null +++ b/fuzz/Makefile.in @@ -0,0 +1,44 @@ +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ +abs_srcdir = @abs_srcdir@ + +@BIND9_MAKE_INCLUDES@ + +CINCLUDES = -I. -I.. ${DNS_INCLUDES} ${ISC_INCLUDES} \ + @OPENSSL_INCLUDES@ +CDEFINES = -DFUZZDIR=\"$(abs_srcdir)\" + +ISCLIBS = ../lib/isc/libisc.@A@ @OPENSSL_LIBS@ +ISCDEPLIBS = ../lib/isc/libisc.@A@ +DNSLIBS = ../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@ +DNSDEPLIBS = ../lib/dns/libdns.@A@ + +LIBS = @LIBS@ + +OBJS = main.@O@ +SRCS = main.c dns_name_fromtext_target.c dns_rdata_fromwire_text.c + +SUBDIRS = +TARGETS = dns_name_fromtext_target@EXEEXT@ \ + dns_rdata_fromwire_text@EXEEXT@ + +@BIND9_MAKE_RULES@ + +dns_name_fromtext_target@EXEEXT@: dns_name_fromtext_target.@O@ main.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dns_name_fromtext_target.@O@ main.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS} + +dns_rdata_fromwire_text@EXEEXT@: dns_rdata_fromwire_text.@O@ main.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dns_rdata_fromwire_text.@O@ main.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS} + +check: ${TARGETS} + for fuzzer in ${TARGETS}; do \ + ./$${fuzzer} ; \ + done + +oss-fuzz: ${TARGETS} + +clean distclean:: + rm -f ${TARGETS} diff --git a/fuzz/dns_name_fromtext_target.c b/fuzz/dns_name_fromtext_target.c new file mode 100644 index 00000000..9fe52bfa --- /dev/null +++ b/fuzz/dns_name_fromtext_target.c @@ -0,0 +1,39 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include <stddef.h> +#include <stdint.h> +#include <isc/buffer.h> +#include <isc/util.h> +#include <dns/fixedname.h> +#include <dns/name.h> + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) +{ + isc_buffer_t buf; + isc_result_t result; + dns_fixedname_t origin; + char *de_const; + + if (size < 5) { + return 0; + } + + dns_fixedname_init(&origin); + DE_CONST(data, de_const); + isc_buffer_init(&buf, (void *)de_const, size); + isc_buffer_add(&buf, size); + result = dns_name_fromtext(dns_fixedname_name(&origin), &buf, dns_rootname, 0, NULL); + UNUSED(result); + return 0; +} diff --git a/fuzz/dns_name_fromtext_target.in/example.com b/fuzz/dns_name_fromtext_target.in/example.com new file mode 100644 index 00000000..de54ac66 --- /dev/null +++ b/fuzz/dns_name_fromtext_target.in/example.com @@ -0,0 +1 @@ +example.com diff --git a/fuzz/dns_rdata_fromwire_text.c b/fuzz/dns_rdata_fromwire_text.c new file mode 100644 index 00000000..628c71ed --- /dev/null +++ b/fuzz/dns_rdata_fromwire_text.c @@ -0,0 +1,195 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include <assert.h> +#include <stddef.h> +#include <stdint.h> +#include <string.h> + +#include <isc/buffer.h> +#include <isc/lex.h> +#include <isc/mem.h> +#include <isc/result.h> +#include <isc/util.h> + +#include <dns/callbacks.h> +#include <dns/compress.h> +#include <dns/master.h> +#include <dns/rdata.h> +#include <dns/rdatatype.h> + +#define CHECK(x) ({ if ((result = (x)) != ISC_R_SUCCESS) goto done; }) + +/* + * Fuzz input to dns_rdata_fromwire(). Then convert the result + * to text, back to wire format, to multiline text, and back to wire + * format again, checking for consistency throughout the sequence. + */ + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); + +static void +nullmsg(dns_rdatacallbacks_t *cb, const char *fmt, ...) { + va_list ap; + + UNUSED(cb); + UNUSED(fmt); + UNUSED(ap); +} + +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + char totext[1024]; + dns_compress_t cctx; + dns_decompress_t dctx; + dns_rdatatype_t rdtype; + dns_rdataclass_t rdclass; + dns_rdatatype_t typelist[256] = { 1000 }; /* unknown */ + dns_rdataclass_t classlist[] = { dns_rdataclass_in, + dns_rdataclass_hs, + dns_rdataclass_ch, + dns_rdataclass_any, + 60 }; + dns_rdata_t rdata1 = DNS_RDATA_INIT, + rdata2 = DNS_RDATA_INIT, + rdata3 = DNS_RDATA_INIT; + dns_rdatacallbacks_t callbacks; + isc_buffer_t source, target; + isc_lex_t *lex = NULL; + isc_lexspecials_t specials; + isc_mem_t *mctx = NULL; + isc_result_t result; + unsigned char fromtext[1024]; + unsigned char fromwire[1024]; + unsigned char towire[1024]; + unsigned int classes = (sizeof(classlist)/sizeof(classlist[0])); + unsigned int types = 1, flags, t; + + if (size < 2) { + goto done; + } + + /* + * Append known types to list. + */ + for (t = 1; t <= 0x10000; t++) { + char typebuf[256]; + if (dns_rdatatype_ismeta(t)) { + continue; + } + dns_rdatatype_format(t, typebuf, sizeof(typebuf)); + if (strncmp(typebuf, "TYPE", 4) != 0) { + /* Assert when we need to grow typelist. */ + assert(types < sizeof(typelist)/sizeof(typelist[0])); + typelist[types++] = t; + } + } + + /* + * Random type and class from a limited set. + */ + rdtype = typelist[(*data++) % types]; size--; + rdclass = classlist[(*data++) % classes]; size--; + + CHECK(isc_mem_create(0, 0, &mctx)); + + CHECK(isc_lex_create(mctx, 64, &lex)); + memset(specials, 0, sizeof(specials)); + specials[0] = 1; + specials['('] = 1; + specials[')'] = 1; + specials['"'] = 1; + isc_lex_setspecials(lex, specials); + isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE); + + dns_rdatacallbacks_init(&callbacks); + callbacks.warn = callbacks.error = nullmsg; + + dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY); + + isc_buffer_constinit(&source, data, size); + isc_buffer_add(&source, size); + isc_buffer_setactive(&source, size); + + isc_buffer_init(&target, fromwire, sizeof(fromwire)); + + /* + * Reject invalid rdata. + */ + CHECK(dns_rdata_fromwire(&rdata1, rdclass, rdtype, &source, &dctx, + 0, &target)); + + /* + * Convert to text from wire. + */ + isc_buffer_init(&target, totext, sizeof(totext)); + result = dns_rdata_totext(&rdata1, NULL, &target); + assert(result == ISC_R_SUCCESS); + + /* + * Convert to wire from text. + */ + isc_buffer_constinit(&source, totext, isc_buffer_usedlength(&target)); + isc_buffer_add(&source, isc_buffer_usedlength(&target)); + CHECK(isc_lex_openbuffer(lex, &source)); + + isc_buffer_init(&target, fromtext, sizeof(fromtext)); + result = dns_rdata_fromtext(&rdata2, rdclass, rdtype, lex, + dns_rootname, 0, mctx, &target, + &callbacks); + assert(result == ISC_R_SUCCESS); + assert(rdata2.length == size); + assert(!memcmp(rdata2.data, data, size)); + + /* + * Convert to multi-line text from wire. + */ + isc_buffer_init(&target, totext, sizeof(totext)); + flags = dns_master_styleflags(&dns_master_style_default); + result = dns_rdata_tofmttext(&rdata1, dns_rootname, flags, + 80 - 32, 4, "\n", &target); + assert(result == ISC_R_SUCCESS); + + /* + * Convert to wire from text. + */ + isc_buffer_constinit(&source, totext, isc_buffer_usedlength(&target)); + isc_buffer_add(&source, isc_buffer_usedlength(&target)); + CHECK(isc_lex_openbuffer(lex, &source)); + + isc_buffer_init(&target, fromtext, sizeof(fromtext)); + result = dns_rdata_fromtext(&rdata3, rdclass, rdtype, lex, + dns_rootname, 0, mctx, &target, + &callbacks); + assert(result == ISC_R_SUCCESS); + assert(rdata3.length == size); + assert(!memcmp(rdata3.data, data, size)); + + /* + * Convert rdata back to wire. + */ + CHECK(dns_compress_init(&cctx, -1, mctx)); + dns_compress_setsensitive(&cctx, true); + isc_buffer_init(&target, towire, sizeof(towire)); + result = dns_rdata_towire(&rdata1, &cctx, &target); + dns_compress_invalidate(&cctx); + assert(result == ISC_R_SUCCESS); + assert(target.used == size); + assert(!memcmp(target.base, data, size)); + + done: + if (lex != NULL) { + isc_lex_destroy(&lex); + } + if (lex != NULL) { + isc_mem_detach(&mctx); + } + return (0); +} diff --git a/fuzz/dns_rdata_fromwire_text.in/cdnskey b/fuzz/dns_rdata_fromwire_text.in/cdnskey Binary files differnew file mode 100644 index 00000000..9eb47d56 --- /dev/null +++ b/fuzz/dns_rdata_fromwire_text.in/cdnskey diff --git a/fuzz/dns_rdata_fromwire_text.in/smimea b/fuzz/dns_rdata_fromwire_text.in/smimea new file mode 100644 index 00000000..528472da --- /dev/null +++ b/fuzz/dns_rdata_fromwire_text.in/smimea @@ -0,0 +1 @@ +
-Ņe<
\ No newline at end of file diff --git a/fuzz/dns_rdata_fromwire_text.in/sshfp b/fuzz/dns_rdata_fromwire_text.in/sshfp new file mode 100644 index 00000000..b3007cdb --- /dev/null +++ b/fuzz/dns_rdata_fromwire_text.in/sshfp @@ -0,0 +1 @@ +|°|8
\ No newline at end of file diff --git a/fuzz/fuzz.h b/fuzz/fuzz.h new file mode 100644 index 00000000..500e3ed6 --- /dev/null +++ b/fuzz/fuzz.h @@ -0,0 +1,43 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include <config.h> + +#include <stdbool.h> +#include <stddef.h> +#include <stdint.h> + +#include <isc/lang.h> +#include <isc/mem.h> +#include <isc/once.h> +#include <isc/types.h> +#include <isc/util.h> + +#include <dst/dst.h> + +ISC_LANG_BEGINDECLS + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size); + +static isc_mem_t *mctx = NULL; + +static void __attribute__((constructor)) init(void) { + RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); + RUNTIME_CHECK(dst_lib_init(mctx, NULL) == ISC_R_SUCCESS); +} + +static void __attribute__((destructor)) deinit(void) +{ + dst_lib_destroy(); + isc_mem_destroy(&mctx); +} + +ISC_LANG_ENDDECLS diff --git a/fuzz/main.c b/fuzz/main.c new file mode 100644 index 00000000..b6aef95c --- /dev/null +++ b/fuzz/main.c @@ -0,0 +1,140 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +#include <config.h> + +#include <stdio.h> +#include <unistd.h> +#include <stdlib.h> +#include <stdint.h> +#include <string.h> +#include <fcntl.h> +#include <errno.h> +#include <sys/stat.h> + +#include "fuzz.h" + +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + +#include <dirent.h> + +static void test_all_from(const char *dirname) +{ + DIR *dirp; + struct dirent *dp; + + dirp = opendir(dirname); + if (dirp == NULL) { + return; + } + + while ((dp = readdir(dirp)) != NULL) { + char filename[strlen(dirname) + strlen(dp->d_name) + 2]; + int fd; + struct stat st; + char *data; + ssize_t n; + + if (dp->d_name[0] == '.') { + continue; + } + snprintf(filename, sizeof(filename), "%s/%s", + dirname, dp->d_name); + + if ((fd = open(filename, O_RDONLY)) == -1) { + fprintf(stderr, "Failed to open %s: %s\n", filename, + strerror(errno)); + continue; + } + + if (fstat(fd, &st) != 0) { + fprintf(stderr, "Failed to stat %s: %s\n", filename, + strerror(errno)); + goto closefd; + } + + data = malloc(st.st_size); + n = read(fd, data, st.st_size); + if (n == st.st_size) { + printf("testing %zd bytes from %s\n", + n, filename); + fflush(stdout); + LLVMFuzzerTestOneInput((const uint8_t *)data, n); + fflush(stderr); + } else { + if (n < 0) { + fprintf(stderr, + "Failed to read %zd bytes from %s: %s\n", + (ssize_t) st.st_size, filename, + strerror(errno)); + } else { + fprintf(stderr, + "Failed to read %zd bytes from %s" + ", got %zd\n", + (ssize_t) st.st_size, filename, + n); + } + } + free(data); + closefd: + close(fd); + } + + closedir(dirp); +} + +int main(int argc, char **argv) +{ + char corpusdir[PATH_MAX]; + const char *target = strrchr(argv[0], '/'); + + UNUSED(argc); + UNUSED(argv); + + target = target ? target + 1 : argv[0]; + if (strncmp(target, "lt-", 3) == 0) { + target += 3; + } + + snprintf(corpusdir, sizeof(corpusdir), FUZZDIR "/%s.in", target); + + test_all_from(corpusdir); + + return 0; +} + +#elif __AFL_COMPILER + +int main(int argc, char **argv) +{ + int ret; + unsigned char buf[64 * 1024]; + + UNUSED(argc); + UNUSED(argv); + +#ifdef __AFL_LOOP + while (__AFL_LOOP(10000)) { // only works with afl-clang-fast +#else + { +#endif + ret = fread(buf, 1, sizeof(buf), stdin); + if (ret < 0) { + return 0; + } + + LLVMFuzzerTestOneInput(buf, ret); + } + + return 0; +} + +#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */ |