Age | Commit message | Author |
|
At least in theory, when run on an old JDK, this fuzzer could randomly
pick up log4j exploits.
|
|
|
|
Fixes https://github.com/google/oss-fuzz/issues/6926.
|
|
|
|
Also removes a copy-pasted check for a crash file that is not created by
the replayer.
|
|
|
|
We will reenable this later when the replayer builds on Windows.
|
|
This allows us to get rid of the libFuzzer patch to quote argv, which
breaks Windows and would have to be turned into a conditional patch
otherwise.
With this change, all argument separators use the same syntax as the
java executable on any given platform.
Collisions of ':' as an argument separator and a classpath separator
should be rare as we have our own argument to pass in the classpath.
This commit implements a rudimentary escaping mechanism to handle the
cases where this should be an issue:
* \<separator> results in a literal <separator> and no split
* \\ results in a literal backslash not interpreted as an escape
character for a subsequent <separator>
This is a breaking change, but we should rather break this now that we
haven't committed to a version 1.0 yet. The only breakage I am aware of
is easily fixed:
https://github.com/google/oss-fuzz/blob/0c1d5231de61b4166281b4d5685aa66e9f4948a8/projects/kryo/build.sh#L48
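The two escape rules above are small enough to get subtly wrong (in particular, `\\` must consume the second backslash so that it cannot escape a separator that follows). The following is an added example, not Jazzer's own driver code: a splitter that uses the platform's classpath separator as the default and implements exactly the two rules from the commit message. Its one assumption beyond the text is that a backslash followed by anything else is kept verbatim, since the message defines no further escape sequences.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Added example (not Jazzer's own code): split a delimited argument list on
// the separator the java executable uses for -classpath on this platform,
// honouring the escapes described in the commit message:
//   \<separator>  -> literal separator, no split
//   \\            -> literal backslash that does not escape a following separator
// Assumption: any other backslash (e.g. inside a Windows path) is kept
// verbatim, since the text only defines these two escape sequences.
#ifdef _WIN32
constexpr char kArgSeparator = ';';
#else
constexpr char kArgSeparator = ':';
#endif

std::vector<std::string> SplitEscaped(const std::string &input,
                                      char sep = kArgSeparator) {
  std::vector<std::string> parts;
  std::string current;
  for (size_t i = 0; i < input.size(); ++i) {
    char c = input[i];
    if (c == '\\' && i + 1 < input.size()) {
      char next = input[i + 1];
      if (next == sep || next == '\\') {
        current.push_back(next);  // emit the escaped character literally
        ++i;                      // and skip it so it cannot act as a separator
        continue;
      }
    }
    if (c == sep) {
      parts.push_back(current);
      current.clear();
      continue;
    }
    current.push_back(c);
  }
  parts.push_back(current);  // the last (possibly empty) argument
  return parts;
}

int main() {
  // Constructed input: a -D property whose value contains the separator,
  // escaped as described, followed by a second JVM argument.
  for (const auto &arg : SplitEscaped("-Dfoo=a\\:b:-Xmx1g", ':'))
    std::cout << "[" << arg << "]\n";
}
```

Passing the separator explicitly, as the demo does, keeps tests independent of the platform default; production callers would rely on `kArgSeparator` so that the same string works for `--jvm_args` and for `-classpath`.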
|
|
ExampleFuzzerWithASan runs and passes, but ExampleFuzzerWithUBSan only
builds and crashes at runtime with no error message. It remains disabled
for now.
|
|
|
|
|
|
The replayer can be used to reproduce crashes for fuzz targets using the
FuzzedDataProvider only given the raw crashing input. This will help
maintainers of OSS-Fuzz projects to reproduce issues even though they
have no access to the Java reproducers, which ClusterFuzz does not
store.
Compared to the full Jazzer driver, it has the advantage that it is a
Java library (with a native library dependency) and can thus be
published to Maven.
Since we currently do not have multi-platform RBE or cross toolchains
set up on GitHub, the packaged jars for the individual architectures are
merged in a GitHub Actions pipeline.
|
|
This simplifies the libjvm location logic as well as native library
packaging. Incidentally, this fixes the libjpeg_turbo build.
In anticipation of Windows support and because it simplifies further
improvements to the fuzz target test setup, the wrapper is rewritten in
Java.
|
|
These repositories are no longer how starlarkified rules will be
published in the near future.
|
|
|
|
Restores compatibility with gcc on linux.
|
|
Since Bazel uses clang as its linker instead of clang++, the UBSan
C++ runtime library is not linked automatically. We request it
explicitly.
|
|
Since we require building with a relatively modern clang, we might as
well use its linker (and in the future, its C++ standard library).
|
|
The toolchain is only enabled in the CI by default as users should use
the same compiler toolchain for compiling the Jazzer driver as they use
to compile their JNI libraries. However, if they are only interested in
fuzzing pure Java libraries, they can pass --config=ci on the CLI to use
the toolchain, which greatly simplifies the build on macOS.
A significant complication arises because the ASan runtime library can't
be linked statically on macOS. To make the tests pass, it needs to be
exported from the toolchain and the driver has to conditionally depend
on it explicitly.
A further patch to the toolchain is required to ensure compatibility
with Ubuntu 21.04.
|
|
|
|
|
|
The Jazzer API should not be linked as it is provided by the agent at
runtime. Enforce this by limiting the visibility of the runtime dep to
//:__pkg__, where the _deploy.jar target is needed for Maven
publication.
|
|
|
|
In certain situations, such as OSS-Fuzz coverage reports, additional
JVM args need to be specified on the command line after --jvm_args has
already been used. Specifying --jvm_args again overrides the previous
arguments rather than appending to them.
This commit adds an additional flag for adding JVM args that will be
emitted after the flags specified in --jvm_args.
|
|
|
|
|
|
libFuzzer does not quote the arguments it passes to child processes during merge
and fork, which leads to arguments being lost if passing multiple jvm_args with
delimiter ';'.
This commit adds a libFuzzer patch that properly quotes all arguments as well as
a test that fails if quoting is not appropriate.
|
|
Use a Bazel provided target for the JNI headers instead of a custom one.
|
|
|
|
|
|
* Revert "Fix formatting"
This reverts commit 5affff5b1f370c6234c5a9c4eb2c20205d971daf.
* Revert "Disable broken tests on OSX."
This reverts commit 33eb45dd4c9e608a1b5406b3137b7171643d9435.
|
|
|
|
|
|
|
|
|
|
Instead of parsing and modifying the stack trace in the driver, a
preprocessing step in Kotlin now adds the severity markers.
It also performs basic deduplication of StackOverflowErrors.
|
|
Fuzzing with forked processes or native libraries is not yet supported,
but everything else should work.
|
|
|
|
This reverts commit 71ac55c6fc9d808bcc8a8e8d895f7f20141bec86.
|
|
* Replace uses of quick_exit and at_quick_exit
quick_exit is not supported on macOS, but can easily be replaced by a call
to _Exit after running our cleanup manually.
* Run buildifier --lint=fix -r .
* Build libFuzzer from source
Building libFuzzer from source is easy and has multiple advantages:
* The clang distributed with XCode on macOS does not include libFuzzer.
* Applying a small patch to libFuzzer will allow us to replace the
--wrap linker feature, which is not supported on platforms other than
Linux.
* Replace -Wl,--wrap with a source code patch
* Pin non-native rules_python
* Print exit code on test failure
* Do not intercept JVM-internal C stdlib calls
The JVM frequently calls strcmp/memcmp/..., which fills up the table of
recent compares with entries that are either duplicates of values
already reported by the bytecode instrumentation or JDK-internal strings
that are not relevant for fuzzing.
This commit adds an ignorelist to the C stdlib interceptors that filters
out calls from known JVM libraries. If the fuzz target has not yet
loaded a native library, all such callbacks are ignored, which greatly
improves fuzzer performance for string-heavy targets. E.g.,
JsonSanitizerDenylistFuzzer takes < 1 million runs now when it used to
take over 3 million.
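The interesting part of the ignorelist is the decision logic: libFuzzer's weak stdlib hooks are handed the call site's program counter together with the compared values, so a hook can drop a compare purely by asking where it came from. The following is an added example, not Jazzer's own interceptor code, that models that decision. It assumes the address ranges of the JVM's own shared objects are known (a real driver on Linux would collect them with dl_iterate_phdr(3); here they are constructed) and that a flag records whether the fuzz target has loaded any native library yet, so that before that point every compare can be discarded without looking at the ranges at all.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Added example (not Jazzer's own code): caller-PC ignorelist for the
// libFuzzer C stdlib hooks. The hooks receive the address of the call site
// (caller_pc) next to the compared strings; compares issued from inside the
// JVM's own modules only add noise to libFuzzer's table of recent compares.
// Assumptions: module address ranges are supplied by the caller (constructed
// here), and MarkNativeLibraryLoaded() is invoked when the target first loads
// native code, e.g. from the System.loadLibrary path.

struct AddressRange {
  uintptr_t begin;  // inclusive
  uintptr_t end;    // exclusive
};

class StdlibHookFilter {
 public:
  void AddIgnoredModule(uintptr_t begin, uintptr_t end) {
    ignored_.push_back({begin, end});
  }

  void MarkNativeLibraryLoaded() { native_library_loaded_ = true; }

  // Before the target has loaded any native library, no stdlib compare can
  // originate from the target, so everything is ignored without a lookup.
  bool ShouldIgnore(uintptr_t caller_pc) const {
    if (!native_library_loaded_) return true;
    for (const auto &range : ignored_)
      if (caller_pc >= range.begin && caller_pc < range.end) return true;
    return false;
  }

  // Stand-in for the body of a weak strcmp hook: forward the compare to the
  // (here simulated) recent-compares table only when the caller is not a
  // JVM-internal module. Returns whether the compare was recorded.
  bool OnStrcmp(uintptr_t caller_pc, const char *s1, const char *s2) {
    if (ShouldIgnore(caller_pc)) return false;
    recorded_.emplace_back(s1, s2);
    return true;
  }

  size_t recorded_compares() const { return recorded_.size(); }

 private:
  std::vector<AddressRange> ignored_;
  bool native_library_loaded_ = false;
  std::vector<std::pair<std::string, std::string>> recorded_;
};

int main() {
  StdlibHookFilter filter;
  // Constructed range standing in for where libjvm is mapped.
  filter.AddIgnoredModule(0x7f0000000000, 0x7f0000400000);
  std::cout << "before loadLibrary, target pc recorded: "
            << filter.OnStrcmp(0x5500000010, "magic", "MAGIC") << '\n';
  filter.MarkNativeLibraryLoaded();
  std::cout << "after loadLibrary, target pc recorded:  "
            << filter.OnStrcmp(0x5500000010, "magic", "MAGIC") << '\n';
  std::cout << "after loadLibrary, libjvm pc recorded:  "
            << filter.OnStrcmp(0x7f0000001000, "java/lang/String", "x") << '\n';
}
```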
|
|
|
|
|
|
|
|
Also split up JsonSanitizerFuzzer into four individual fuzzers.
|
|
When run with e.g. the -fork flag, libFuzzer delegates the fuzzing to
multiple child processes running concurrently. As each of these
processes runs its own JVM with its own instance of the Jazzer agent,
different ranges of coverage IDs may be assigned to the same class
depending on when it is discovered by that fuzzer process. Since
libFuzzer collates the coverage counter buffers, this leads to
misreported coverage and unnecessarily large corpora.
This commit adds a coverage ID generation strategy that uses a lockable
temporary file as a means to synchronize the IDs between multiple
processes. This requires injecting new command-line arguments into
libFuzzer, building on the previous commit.
One of the example fuzz targets is set to be fuzzed in fork mode, which
provides test coverage for the new feature.
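What makes fork mode work is that every child JVM must agree on the same first coverage ID for a given class, whoever happens to instrument it first. The following is an added example and not Jazzer's implementation (which lives in its Kotlin agent): a shared ID file that each process opens, locks exclusively with flock(2), reads, extends if the class is new, and writes back before unlocking. Two instances in one process stand in for two fork-mode children discovering classes in different orders. It assumes POSIX file locking and class names without whitespace, which holds for Java internal names.

```cpp
#include <fcntl.h>
#include <sys/file.h>
#include <unistd.h>

#include <algorithm>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <utility>

// Added example, not Jazzer's own code: coverage ID ranges shared between
// fuzzer processes through a file guarded by an exclusive flock(2). The first
// process to instrument a class allocates its range; later processes read the
// same range back, so the counter buffers libFuzzer collates line up.
// Assumptions: POSIX, and whitespace-free class names (Java internal names).

struct IdRange {
  uint64_t first;
  uint64_t count;
};

class SharedCoverageIds {
 public:
  explicit SharedCoverageIds(std::string path) : path_(std::move(path)) {}

  // First coverage ID for `class_name`; allocates `count` fresh IDs if no
  // process has registered the class yet. Returns -1 on I/O failure.
  int64_t ObtainFirstId(const std::string &class_name, uint64_t count) {
    int fd = open(path_.c_str(), O_RDWR | O_CREAT, 0600);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_EX) != 0) {  // blocks while another process updates the file
      close(fd);
      return -1;
    }
    std::map<std::string, IdRange> table = ReadTable(fd);
    uint64_t next_free = 0;
    for (const auto &entry : table)
      next_free = std::max(next_free, entry.second.first + entry.second.count);
    auto it = table.find(class_name);
    bool ok = true;
    if (it == table.end()) {
      it = table.emplace(class_name, IdRange{next_free, count}).first;
      ok = WriteTable(fd, table);  // persist before anyone else may read
    }
    int64_t result = ok ? static_cast<int64_t>(it->second.first) : -1;
    flock(fd, LOCK_UN);
    close(fd);
    return result;
  }

 private:
  // File format: one "class first count" line per registered class.
  static std::map<std::string, IdRange> ReadTable(int fd) {
    std::string contents;
    char buf[4096];
    lseek(fd, 0, SEEK_SET);
    for (ssize_t n; (n = read(fd, buf, sizeof buf)) > 0;) contents.append(buf, n);
    std::map<std::string, IdRange> table;
    std::istringstream in(contents);
    std::string name;
    uint64_t first, count;
    while (in >> name >> first >> count) table[name] = IdRange{first, count};
    return table;
  }

  static bool WriteTable(int fd, const std::map<std::string, IdRange> &table) {
    std::ostringstream out;
    for (const auto &e : table)
      out << e.first << ' ' << e.second.first << ' ' << e.second.count << '\n';
    std::string data = out.str();
    if (lseek(fd, 0, SEEK_SET) < 0 || ftruncate(fd, 0) < 0) return false;
    size_t written = 0;
    while (written < data.size()) {
      ssize_t n = write(fd, data.data() + written, data.size() - written);
      if (n <= 0) return false;
      written += static_cast<size_t>(n);
    }
    return true;
  }

  std::string path_;
};

// Creates the empty shared ID file for one fuzzing session and returns its path.
std::string CreateIdFile() {
  char tmpl[] = "/tmp/coverage-ids-XXXXXX";
  int fd = mkstemp(tmpl);
  if (fd >= 0) close(fd);
  return tmpl;
}

int main() {
  std::string path = CreateIdFile();
  SharedCoverageIds child_a(path), child_b(path);  // two fork-mode children
  std::cout << "A: Foo -> " << child_a.ObtainFirstId("com/example/Foo", 10) << '\n';
  std::cout << "B: Bar -> " << child_b.ObtainFirstId("com/example/Bar", 5) << '\n';
  std::cout << "B: Foo -> " << child_b.ObtainFirstId("com/example/Foo", 10) << '\n';
  unlink(path.c_str());
}
```

The lock is held across read, allocate and write, which is what prevents two children from both seeing the same `next_free` and handing out overlapping ranges; dropping the file is part of a session's cleanup, since stale entries would otherwise pin IDs from a previous run.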
|
|
Java assertion errors are impossible to deduplicate and easily replaced
by an assert or a check and a custom exception.
This commit makes both variants of fuzzerTestOneInput void methods and
adds a note about this change to the respective error message.
|
|
|
|
|