author | Eugene Rodionov <rodionov@google.com> | 2020-11-10 22:27:44 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-11-10 22:27:44 +0000 |
commit | a139e98c85270d811104aa3659f4ce0a6c395f54 (patch) | |
tree | 5e68befd6294de3b6d19fc35d396b551ea39b29a | |
parent | 0cff1e151f793ec674924570b65b28304b1e4aa3 (diff) | |
parent | f4e068b00e77a69a4611377c7663b0c700ad8151 (diff) | |
download | dng_sdk-a139e98c85270d811104aa3659f4ce0a6c395f54.tar.gz |
Add a fuzz target to test DNG image parsing in dng_sdk. am: 0c2c0ca07a am: 49be9325f2 am: f4e068b00e
Original change: https://android-review.googlesource.com/c/platform/external/dng_sdk/+/1487679
Change-Id: If8b5c82874c353315bcf6b8a9147141f00777fc5
-rw-r--r-- | fuzzer/Android.bp | 26 | ||||
-rw-r--r-- | fuzzer/README.md | 47 | ||||
-rw-r--r-- | fuzzer/dng_parser_fuzzer.cpp | 36 | ||||
-rwxr-xr-x | fuzzer/seeds/CVE_2020_9589/original.dng | bin | 0 -> 266600 bytes | |||
-rwxr-xr-x | fuzzer/seeds/CVE_2020_9589/poc.dng | bin | 0 -> 266600 bytes |
5 files changed, 109 insertions, 0 deletions
diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
new file mode 100644
index 0000000..5bf44fa
--- /dev/null
+++ b/fuzzer/Android.bp
@@ -0,0 +1,26 @@
+cc_fuzz {
+ name: "dng_parser_fuzzer",
+ host_supported: true,
+ srcs: [
+ "dng_parser_fuzzer.cpp",
+ ],
+ cflags: [
+ "-Wno-unused-parameter",
+ "-fexceptions",
+ ],
+ static_libs: [
+ "libdng_sdk",
+ "libjpeg",
+ "liblog",
+ "libz",
+ ],
+ target: {
+ darwin: {
+ enabled: false,
+ },
+ },
+ corpus: [
+ "seeds/CVE_2020_9589/original.dng",
+ "seeds/CVE_2020_9589/poc.dng",
+ ],
+}
diff --git a/fuzzer/README.md b/fuzzer/README.md
new file mode 100644
index 0000000..edc7ef2
--- /dev/null
+++ b/fuzzer/README.md
@@ -0,0 +1,47 @@
+# Fuzzing DNG SDK
+
+This fuzzer is intented to do a varian analysis of the issue reported
+in b/156261521.
+
+Here is a list of some CVEs previously discovered in DNG SDK:
+
+* CVE-2020-9589
+* CVE-2020-9590
+* CVE-2020-9620
+* CVE-2020-9621
+* CVE-2020-9622
+* CVE-2020-9623
+* CVE-2020-9624
+* CVE-2020-9625
+* CVE-2020-9626
+* CVE-2020-9627
+* CVE-2020-9628
+* CVE-2020-9629
+
+## Building & running the fuzz target: Android device
+
+It is recommended to set rss limit to higher values (such as 4096) when running
+the fuzzer to avoid frequent OOM libFuzzer crashes.
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_arm64-eng
+$ SANITIZE_TARGET=hwaddress make dng_parser_fuzzer
+$ adb sync data
+$ adb shell /data/fuzz/arm64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit=4096 \
+$ /data/fuzz/arm64/dng_parser_fuzzer/corpus
+```
+
+## Building & running the fuzz target: Host
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_x86_64-eng
+$ SANITIZE_HOST=address make dng_parser_fuzzer
+$ LD_LIBRARY_PATH=$ANDROID_HOST_OUT/fuzz/x86_64/lib/ \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit_mb=4096 \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/corpus/
+```
+
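Review bot: The `"-fexceptions"` entry in `cflags` is the one non-default setting in this module and nothing says why it is there; a reader tidying flags later could drop it and silently turn every parse error into an abort. Add a comment above it such as `// dng_sdk reports errors by throwing dng_exception; the target catches them.` so the dependency on the fuzzer's try/catch is visible in the build file. The README hunk on this line is documentation only and gets no separate note.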
diff --git a/fuzzer/dng_parser_fuzzer.cpp b/fuzzer/dng_parser_fuzzer.cpp
new file mode 100644
index 0000000..84db0f3
--- /dev/null
+++ b/fuzzer/dng_parser_fuzzer.cpp
@@ -0,0 +1,36 @@
+#include <stddef.h>
+#include <stdint.h>
+
+#include "dng_exceptions.h"
+#include "dng_host.h"
+#include "dng_info.h"
+#include "dng_memory_stream.h"
+#include "dng_negative.h"
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ dng_host host;
+ dng_memory_stream stream(host.Allocator());
+
+ stream.Put(data, size);
+ stream.SetReadPosition(0);
+
+ std::unique_ptr<dng_negative> negative(host.Make_dng_negative());
+
+ try {
+ dng_info info;
+ info.Parse(host, stream);
+ info.PostParse(host);
+
+ if (info.IsValidDNG()) {
+ negative->Parse(host, stream, info);
+ negative->PostParse(host, stream, info);
+ negative->ReadStage1Image(host, stream, info);
+ }
+ } catch (dng_exception &e) {
+ // dng_sdk throws C++ exceptions on errors
+ // catch them here to prevent libFuzzer from crashing.
+ }
+
+ return 0;
+}
diff --git a/fuzzer/seeds/CVE_2020_9589/original.dng b/fuzzer/seeds/CVE_2020_9589/original.dng
Binary files differ
new file mode 100755
index 0000000..a30ac76
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/original.dng
diff --git a/fuzzer/seeds/CVE_2020_9589/poc.dng b/fuzzer/seeds/CVE_2020_9589/poc.dng
Binary files differ
new file mode 100755
index 0000000..b838844
--- /dev/null
+++ b/fuzzer/seeds/CVE_2020_9589/poc.dng |
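Review bot: `std::unique_ptr<dng_negative>` is used without `#include <memory>`; it compiles only if one of the dng_sdk headers happens to pull the header in transitively, so add `#include <memory>` next to the two C system includes. The handler `catch (dng_exception &e)` binds a non-const reference that is never read; `} catch (const dng_exception &) {` says the same thing without the unused name. Only dng_exception is caught, so any other exception type that escapes Parse, PostParse or ReadStage1Image would terminate the process and be reported by libFuzzer as a crash — that may well be the intent for bug finding, but the comment should state it explicitly, e.g. `// Only SDK errors are expected; anything else is treated as a crash.`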