From 0c2c0ca07a59484d7f12ea583f3404e6d3d83ccd Mon Sep 17 00:00:00 2001
From: Eugene Rodionov
Date: Wed, 4 Nov 2020 23:46:02 +0000
Subject: Add a fuzz target to test DNG image parsing in dng_sdk. This fuzz target aims at `dng_read_image::ReadLosslessJPEG` to do variant analysis for CVE-2020-9589 (b/156261521).
Test: # To run fuzzer on the host do:
Test: source build/envsetup.sh && \
Test: lunch aosp_x86_64-eng && \
Test: SANITIZE_HOST=address make dng_parser_fuzzer && \
Test: LD_LIBRARY_PATH=out/host/linux-x86/fuzz/x86_64/lib/ \
Test: out/host/linux-x86/fuzz/x86_64/dng_parser_fuzzer/dng_parser_fuzzer
Change-Id: I2f71abbbc97e35a409a3843c7c4462d6e5c40ee5
---
 fuzzer/Android.bp | 26 ++++++++++++++++++
 fuzzer/README.md | 47 ++++++++++++++++++++++++++++++++
 fuzzer/dng_parser_fuzzer.cpp | 36 ++++++++++++++++++++++++
 fuzzer/seeds/CVE_2020_9589/original.dng | Bin 0 -> 266600 bytes
 fuzzer/seeds/CVE_2020_9589/poc.dng | Bin 0 -> 266600 bytes
 5 files changed, 109 insertions(+)
 create mode 100644 fuzzer/Android.bp
 create mode 100644 fuzzer/README.md
 create mode 100644 fuzzer/dng_parser_fuzzer.cpp
 create mode 100755 fuzzer/seeds/CVE_2020_9589/original.dng
 create mode 100755 fuzzer/seeds/CVE_2020_9589/poc.dng
diff --git a/fuzzer/Android.bp b/fuzzer/Android.bp
new file mode 100644
index 0000000..5bf44fa
--- /dev/null
+++ b/fuzzer/Android.bp
@@ -0,0 +1,26 @@
+cc_fuzz {
+ name: "dng_parser_fuzzer",
+ host_supported: true,
+ srcs: [
+ "dng_parser_fuzzer.cpp",
+ ],
+ cflags: [
+ "-Wno-unused-parameter",
+ "-fexceptions",
+ ],
+ static_libs: [
+ "libdng_sdk",
+ "libjpeg",
+ "liblog",
+ "libz",
+ ],
+ target: {
+ darwin: {
+ enabled: false,
+ },
+ },
+ corpus: [
+ "seeds/CVE_2020_9589/original.dng",
+ "seeds/CVE_2020_9589/poc.dng",
+ ],
+}
diff --git a/fuzzer/README.md b/fuzzer/README.md
new file mode 100644
index 0000000..edc7ef2
--- /dev/null
+++ b/fuzzer/README.md
@@ -0,0 +1,47 @@
+# Fuzzing DNG SDK
+
+This fuzzer is intented to do a varian analysis of the issue reported
+in b/156261521.
+
+Here is a list of some CVEs previously discovered in DNG SDK:
+
+* CVE-2020-9589
+* CVE-2020-9590
+* CVE-2020-9620
+* CVE-2020-9621
+* CVE-2020-9622
+* CVE-2020-9623
+* CVE-2020-9624
+* CVE-2020-9625
+* CVE-2020-9626
+* CVE-2020-9627
+* CVE-2020-9628
+* CVE-2020-9629
+
+## Building & running the fuzz target: Android device
+
+It is recommended to set rss limit to higher values (such as 4096) when running
+the fuzzer to avoid frequent OOM libFuzzer crashes.
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_arm64-eng
+$ SANITIZE_TARGET=hwaddress make dng_parser_fuzzer
+$ adb sync data
+$ adb shell /data/fuzz/arm64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit=4096 \
+$ /data/fuzz/arm64/dng_parser_fuzzer/corpus
+```
+
+## Building & running the fuzz target: Host
+
+```sh
+$ source build/envsetup.sh
+$ lunch aosp_x86_64-eng
+$ SANITIZE_HOST=address make dng_parser_fuzzer
+$ LD_LIBRARY_PATH=$ANDROID_HOST_OUT/fuzz/x86_64/lib/ \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/dng_parser_fuzzer \
+$ -rss_limit_mb=4096 \
+$ $ANDROID_HOST_OUT/fuzz/x86_64/dng_parser_fuzzer/corpus/
+```
+
diff --git a/fuzzer/dng_parser_fuzzer.cpp b/fuzzer/dng_parser_fuzzer.cpp
new file mode 100644
index 0000000..84db0f3
--- /dev/null
+++ b/fuzzer/dng_parser_fuzzer.cpp
@@ -0,0 +1,36 @@
+#include
+#include
+
+#include "dng_exceptions.h"
+#include "dng_host.h"
+#include "dng_info.h"
+#include "dng_memory_stream.h"
+#include "dng_negative.h"
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ dng_host host;
+ dng_memory_stream stream(host.Allocator());
+
+ stream.Put(data, size);
+ stream.SetReadPosition(0);
+
+ std::unique_ptr negative(host.Make_dng_negative());
+
+ try {
+ dng_info info;
+ info.Parse(host, stream);
+ info.PostParse(host);
+
+ if (info.IsValidDNG()) {
+ negative->Parse(host, stream, info);
+ negative->PostParse(host, stream, info);
+ negative->ReadStage1Image(host, stream, info);
+ }
+ } catch (dng_exception &e) {
+ // dng_sdk throws C++ exceptions on errors
+ // catch them here to prevent libFuzzer from crashing.
+ }
+
+ return 0;
+}
diff --git a/fuzzer/seeds/CVE_2020_9589/original.dng b/fuzzer/seeds/CVE_2020_9589/original.dng
new file mode 100755
index 0000000..a30ac76
Binary files /dev/null and b/fuzzer/seeds/CVE_2020_9589/original.dng differ
diff --git a/fuzzer/seeds/CVE_2020_9589/poc.dng b/fuzzer/seeds/CVE_2020_9589/poc.dng
new file mode 100755
index 0000000..b838844
Binary files /dev/null and b/fuzzer/seeds/CVE_2020_9589/poc.dng differ
-- cgit v1.2.3
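Review bot: The `catch (dng_exception &e)` clause near the end of LLVMFuzzerTestOneInput only absorbs the SDK's own exception type, so an exception of any other type that reaches this frame — a `std::bad_alloc` from an oversized buffer the parser asks for being the likely one — unwinds out of the fuzz entry point and is reported as a crash unrelated to the memory-safety bugs this target is looking for. Whether dng_sdk's allocator converts allocation failure into a dng_exception before it gets here is not visible in this hunk, so confirm that before relying on the single clause; if it does not, a second clause after the existing one, `catch (const std::exception &) { /* allocation or library failure, not a finding */ }`, keeps such runs out of triage while sanitizer reports still surface exactly as before. The `e` binding is never used, so `catch (const dng_exception &)` reads cleaner and avoids an unused-variable warning under stricter flags. Relatedly, the README added in this commit spells the device-side limit `-rss_limit=4096` while the host command uses `-rss_limit_mb=4096`; libFuzzer accepts the latter, so the device line is probably a typo that would leave the run without the limit the text recommends.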