diff options
author | Fabian Meumertzheim <fabian@meumertzhe.im> | 2021-12-10 16:07:03 +0100 |
---|---|---|
committer | Fabian Meumertzheim <fabian@meumertzhe.im> | 2021-12-13 13:21:09 +0100 |
commit | 6ae678426a2915fedf2342becacb2c36c04d659c (patch) | |
tree | 04d8b09794bdb2ac22f1fa227c517ca2447baf41 /examples | |
parent | 86f5b94657ef07f848bb95d51f489893907e31c7 (diff) | |
download | jazzer-api-6ae678426a2915fedf2342becacb2c36c04d659c.tar.gz |
Add log4j CVE-2021-44228 example
Diffstat (limited to 'examples')
-rw-r--r-- | examples/BUILD.bazel | 20 | ||||
-rw-r--r-- | examples/src/main/java/com/example/Log4jFuzzer.java | 82 |
2 files changed, 102 insertions, 0 deletions
diff --git a/examples/BUILD.bazel b/examples/BUILD.bazel index 06f0d2a0..7f65a15b 100644 --- a/examples/BUILD.bazel +++ b/examples/BUILD.bazel @@ -103,6 +103,26 @@ java_fuzz_target_test( ) java_fuzz_target_test( + name = "Log4jFuzzer", + timeout = "long", + srcs = [ + "src/main/java/com/example/Log4jFuzzer.java", + ], + fuzzer_args = [ + "-fork=4", + "-use_value_profile=1", + ], + # Finding this bug takes ~5 minutes on a decent laptop, but the GitHub Actions machines are not + # powerful enough to run it as part of our test suite. + tags = ["manual"], + target_class = "com.example.Log4jFuzzer", + deps = [ + "@maven//:org_apache_logging_log4j_log4j_api", + "@maven//:org_apache_logging_log4j_log4j_core", + ], +) + +java_fuzz_target_test( name = "JpegImageParserFuzzer", srcs = [ "src/main/java/com/example/JpegImageParserFuzzer.java", diff --git a/examples/src/main/java/com/example/Log4jFuzzer.java b/examples/src/main/java/com/example/Log4jFuzzer.java new file mode 100644 index 00000000..41870c9c --- /dev/null +++ b/examples/src/main/java/com/example/Log4jFuzzer.java @@ -0,0 +1,82 @@ +// Copyright 2021 Code Intelligence GmbH +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package com.example; + +import com.code_intelligence.jazzer.api.FuzzedDataProvider; +import org.apache.logging.log4j.Level; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.apache.logging.log4j.core.Appender; +import org.apache.logging.log4j.core.Core; +import org.apache.logging.log4j.core.LogEvent; +import org.apache.logging.log4j.core.appender.AbstractAppender; +import org.apache.logging.log4j.core.config.Configurator; +import org.apache.logging.log4j.core.config.builder.api.AppenderComponentBuilder; +import org.apache.logging.log4j.core.config.builder.api.RootLoggerComponentBuilder; +import org.apache.logging.log4j.core.config.builder.impl.DefaultConfigurationBuilder; +import org.apache.logging.log4j.core.config.plugins.Plugin; +import org.apache.logging.log4j.core.config.plugins.PluginAttribute; +import org.apache.logging.log4j.core.config.plugins.PluginFactory; +import org.apache.logging.log4j.core.layout.PatternLayout; +import org.apache.logging.log4j.status.StatusLogger; + +// This fuzzer reproduces the log4j RCE vulnerability CVE-2021-44228. +public class Log4jFuzzer { + private final static Logger log = LogManager.getLogger(Log4jFuzzer.class.getName()); + + public static void fuzzerTestOneInput(FuzzedDataProvider data) { + log.error(data.consumeRemainingAsString()); + } + + public static void fuzzerInitialize() { + // Install a logger that constructs the log message, but never prints it. + // This noticeably increases the fuzzing performance + DefaultConfigurationBuilder configBuilder = new DefaultConfigurationBuilder(); + configBuilder.setPackages(FuzzingAppender.class.getPackage().getName()); + AppenderComponentBuilder fuzzingAppender = + configBuilder.newAppender("nullAppender", "FuzzingAppender"); + configBuilder.add(fuzzingAppender); + RootLoggerComponentBuilder rootLogger = configBuilder.newRootLogger(); + rootLogger.add(configBuilder.newAppenderRef("nullAppender")); + configBuilder.add(rootLogger); + Configurator.reconfigure(configBuilder.build()); + + // Disable logging of exceptions caught in log4j itself. + StatusLogger.getLogger().reset(); + StatusLogger.getLogger().setLevel(Level.OFF); + } + + @Plugin( + name = "FuzzingAppender", category = Core.CATEGORY_NAME, elementType = Appender.ELEMENT_TYPE) + public static class FuzzingAppender extends AbstractAppender { + protected FuzzingAppender(String name) { + super(name, null, PatternLayout.createDefaultLayout(), true); + } + + @PluginFactory + public static FuzzingAppender createAppender(@PluginAttribute("name") String name) { + return new FuzzingAppender(name); + } + + @Override + public void append(LogEvent event) { + try { + getLayout().toByteArray(event); + } catch (Exception ignored) { + // Prevent exceptions from being logged to stderr. + } + } + } +} |