Add log4j CVE-2021-44228 example

4 files changed, 134 insertions, 2 deletions

diff --git a/examples/BUILD.bazel b/examples/BUILD.bazel
index 06f0d2a0..7f65a15b 100644
--- a/examples/BUILD.bazel
+++ b/examples/BUILD.bazel
@@ -103,6 +103,26 @@ java_fuzz_target_test(
 )
 
 java_fuzz_target_test(
+    name = "Log4jFuzzer",
+    timeout = "long",
+    srcs = [
+        "src/main/java/com/example/Log4jFuzzer.java",
+    ],
+    fuzzer_args = [
+        "-fork=4",
+        "-use_value_profile=1",
+    ],
+    # Finding this bug takes ~5 minutes on a decent laptop, but the GitHub Actions machines are not
+    # powerful enough to run it as part of our test suite.
+    tags = ["manual"],
+    target_class = "com.example.Log4jFuzzer",
+    deps = [
+        "@maven//:org_apache_logging_log4j_log4j_api",
+        "@maven//:org_apache_logging_log4j_log4j_core",
+    ],
+)
+
+java_fuzz_target_test(
     name = "JpegImageParserFuzzer",
     srcs = [
         "src/main/java/com/example/JpegImageParserFuzzer.java",
diff --git a/examples/src/main/java/com/example/Log4jFuzzer.java b/examples/src/main/java/com/example/Log4jFuzzer.java
new file mode 100644
index 00000000..41870c9c
--- /dev/null
+++ b/examples/src/main/java/com/example/Log4jFuzzer.java
@@ -0,0 +1,82 @@
+// Copyright 2021 Code Intelligence GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.example;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import org.apache.logging.log4j.Level;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.core.Appender;
+import org.apache.logging.log4j.core.Core;
+import org.apache.logging.log4j.core.LogEvent;
+import org.apache.logging.log4j.core.appender.AbstractAppender;
+import org.apache.logging.log4j.core.config.Configurator;
+import org.apache.logging.log4j.core.config.builder.api.AppenderComponentBuilder;
+import org.apache.logging.log4j.core.config.builder.api.RootLoggerComponentBuilder;
+import org.apache.logging.log4j.core.config.builder.impl.DefaultConfigurationBuilder;
+import org.apache.logging.log4j.core.config.plugins.Plugin;
+import org.apache.logging.log4j.core.config.plugins.PluginAttribute;
+import org.apache.logging.log4j.core.config.plugins.PluginFactory;
+import org.apache.logging.log4j.core.layout.PatternLayout;
+import org.apache.logging.log4j.status.StatusLogger;
+
+// This fuzzer reproduces the log4j RCE vulnerability CVE-2021-44228.
+public class Log4jFuzzer {
+  private final static Logger log = LogManager.getLogger(Log4jFuzzer.class.getName());
+
+  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+    log.error(data.consumeRemainingAsString());
+  }
+
+  public static void fuzzerInitialize() {
+    // Install a logger that constructs the log message, but never prints it.
+    // This noticeably increases the fuzzing performance
+    DefaultConfigurationBuilder configBuilder = new DefaultConfigurationBuilder();
+    configBuilder.setPackages(FuzzingAppender.class.getPackage().getName());
+    AppenderComponentBuilder fuzzingAppender =
+        configBuilder.newAppender("nullAppender", "FuzzingAppender");
+    configBuilder.add(fuzzingAppender);
+    RootLoggerComponentBuilder rootLogger = configBuilder.newRootLogger();
+    rootLogger.add(configBuilder.newAppenderRef("nullAppender"));
+    configBuilder.add(rootLogger);
+    Configurator.reconfigure(configBuilder.build());
+
+    // Disable logging of exceptions caught in log4j itself.
+    StatusLogger.getLogger().reset();
+    StatusLogger.getLogger().setLevel(Level.OFF);
+  }
+
+  @Plugin(
+      name = "FuzzingAppender", category = Core.CATEGORY_NAME, elementType = Appender.ELEMENT_TYPE)
+  public static class FuzzingAppender extends AbstractAppender {
+    protected FuzzingAppender(String name) {
+      super(name, null, PatternLayout.createDefaultLayout(), true);
+    }
+
+    @PluginFactory
+    public static FuzzingAppender createAppender(@PluginAttribute("name") String name) {
+      return new FuzzingAppender(name);
+    }
+
+    @Override
+    public void append(LogEvent event) {
+      try {
+        getLayout().toByteArray(event);
+      } catch (Exception ignored) {
+        // Prevent exceptions from being logged to stderr.
+      }
+    }
+  }
+}
diff --git a/maven.bzl b/maven.bzl
index b07f7264..0bc498ec 100644
--- a/maven.bzl
+++ b/maven.bzl
@@ -15,6 +15,8 @@
 JAZZER_API_VERSION = "0.10.0"
 JAZZER_API_COORDINATES = "com.code-intelligence:jazzer-api:%s" % JAZZER_API_VERSION
 
+# **WARNING**: These Maven dependencies have known vulnerabilities and are only used to test that
+#              Jazzer finds these issues. DO NOT USE.
 MAVEN_ARTIFACTS = [
     "junit:junit:4.12",
     "org.apache.commons:commons-imaging:1.0-alpha2",
@@ -29,4 +31,6 @@ MAVEN_ARTIFACTS = [
     "javax.xml.bind:jaxb-api:2.3.1",
     "javax.el:javax.el-api:3.0.1-b06",
     "org.hibernate:hibernate-validator:5.2.4.Final",
+    "org.apache.logging.log4j:log4j-api:jar:2.14.1",
+    "org.apache.logging.log4j:log4j-core:jar:2.14.1",
 ]
diff --git a/maven_install.json b/maven_install.json
index 1312ca22..faef1860 100644
--- a/maven_install.json
+++ b/maven_install.json
@@ -1,8 +1,8 @@
 {
     "dependency_tree": {
         "__AUTOGENERATED_FILE_DO_NOT_MODIFY_THIS_FILE_MANUALLY": "THERE_IS_NO_DATA_ONLY_ZUUL",
-        "__INPUT_ARTIFACTS_HASH": 1253627227,
-        "__RESOLVED_ARTIFACTS_HASH": 2123690276,
+        "__INPUT_ARTIFACTS_HASH": -1844081556,
+        "__RESOLVED_ARTIFACTS_HASH": 40706841,
         "conflict_resolution": {},
         "dependencies": [
             {
@@ -200,6 +200,32 @@
                 "url": "https://repo1.maven.org/maven2/org/apache/commons/commons-imaging/1.0-alpha2/commons-imaging-1.0-alpha2.jar"
             },
             {
+                "coord": "org.apache.logging.log4j:log4j-api:2.14.1",
+                "dependencies": [],
+                "directDependencies": [],
+                "file": "v1/https/repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar",
+                "mirror_urls": [
+                    "https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar"
+                ],
+                "sha256": "8caf58db006c609949a0068110395a33067a2bad707c3da35e959c0473f9a916",
+                "url": "https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.14.1/log4j-api-2.14.1.jar"
+            },
+            {
+                "coord": "org.apache.logging.log4j:log4j-core:2.14.1",
+                "dependencies": [
+                    "org.apache.logging.log4j:log4j-api:2.14.1"
+                ],
+                "directDependencies": [
+                    "org.apache.logging.log4j:log4j-api:2.14.1"
+                ],
+                "file": "v1/https/repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar",
+                "mirror_urls": [
+                    "https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar"
+                ],
+                "sha256": "ade7402a70667a727635d5c4c29495f4ff96f061f12539763f6f123973b465b0",
+                "url": "https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar"
+            },
+            {
                 "coord": "org.hamcrest:hamcrest-core:1.3",
                 "dependencies": [],
                 "directDependencies": [],