authorElliott Hughes <enh@google.com>2021-04-02 19:51:01 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2021-04-02 19:51:01 +0000
commit75c8dcf71ca8652f671b4ca5fea780a558c86e08 (patch)
tree328e6c9629b196cec1de3a94ee804d9fee3a0524
parent378a8d19d33a5a62afbbe33b7f7b87b67db47236 (diff)
parent235e96b2f8ab4e43316158a2e6fa69e75a219e23 (diff)
Original change: https://android-review.googlesource.com/c/platform/external/oss-fuzz/+/1662261 Change-Id: Ib7b7a79b38e1261c1d5fb4ccb1a5dfd106588996
-rw-r--r--.dockerignore7
-rw-r--r--.github/workflows/infra_tests.yml7
-rw-r--r--.github/workflows/presubmit.yml11
-rw-r--r--.github/workflows/project_tests.yml11
-rw-r--r--METADATA6
-rw-r--r--README.md2
-rw-r--r--docs/faq.md13
-rw-r--r--docs/getting-started/bug_disclosure_guidelines.md6
-rw-r--r--docs/getting-started/continuous_integration.md31
-rw-r--r--docs/getting-started/new-project-guide/bazel.md64
-rw-r--r--docs/getting-started/new-project-guide/go_lang.md11
-rw-r--r--docs/getting-started/new-project-guide/jvm_lang.md173
-rw-r--r--docs/getting-started/new-project-guide/python_lang.md9
-rw-r--r--docs/getting-started/new_project_guide.md34
-rw-r--r--docs/index.md6
-rw-r--r--docs/oss-fuzz/architecture.md2
-rw-r--r--infra/.dockerignore10
-rw-r--r--infra/.pylintrc2
-rw-r--r--infra/base-images/base-builder/Dockerfile51
-rwxr-xr-xinfra/base-images/base-builder/bazel_build_fuzz_tests80
-rwxr-xr-xinfra/base-images/base-builder/cargo51
-rwxr-xr-xinfra/base-images/base-builder/compile30
-rw-r--r--infra/base-images/base-builder/compile_afl83
-rwxr-xr-xinfra/base-images/base-builder/compile_go_fuzzer29
-rwxr-xr-xinfra/base-images/base-builder/compile_honggfuzz4
-rwxr-xr-xinfra/base-images/base-builder/compile_libfuzzer13
-rwxr-xr-xinfra/base-images/base-builder/debug_afl40
-rw-r--r--infra/base-images/base-builder/detect_repo.py21
-rw-r--r--infra/base-images/base-builder/detect_repo_test.py28
-rwxr-xr-xinfra/base-images/base-builder/precompile_afl35
-rwxr-xr-xinfra/base-images/base-builder/precompile_honggfuzz7
-rw-r--r--infra/base-images/base-clang/Dockerfile3
-rwxr-xr-xinfra/base-images/base-clang/checkout_build_install_llvm.sh72
-rwxr-xr-x[-rw-r--r--]infra/base-images/base-runner/Dockerfile38
-rwxr-xr-xinfra/base-images/base-runner/bad_build_check18
-rwxr-xr-xinfra/base-images/base-runner/coverage12
-rw-r--r--infra/base-images/base-runner/gocoverage/go.mod8
-rw-r--r--infra/base-images/base-runner/gocoverage/go.sum30
-rw-r--r--infra/base-images/base-runner/gocoverage/gocovmerge/LICENSE (renamed from infra/go/coverage/gocovmerge/LICENSE)0
-rw-r--r--infra/base-images/base-runner/gocoverage/gocovmerge/gocovmerge.go (renamed from infra/go/coverage/gocovmerge/gocovmerge.go)0
-rw-r--r--infra/base-images/base-runner/gocoverage/gocovsum/gocovsum.go147
-rw-r--r--infra/base-images/base-runner/gocoverage/pprof-merge/LICENSE (renamed from infra/go/coverage/pprof-merge/LICENSE)0
-rw-r--r--infra/base-images/base-runner/gocoverage/pprof-merge/main.go (renamed from infra/go/coverage/pprof-merge/main.go)0
-rwxr-xr-xinfra/base-images/base-runner/minijail0bin59392 -> 0 bytes
-rwxr-xr-xinfra/base-images/base-runner/rcfilt21
-rwxr-xr-xinfra/base-images/base-runner/run_fuzzer13
-rwxr-xr-xinfra/base-images/base-runner/run_minijail59
-rwxr-xr-xinfra/base-images/base-runner/test_all.py7
-rwxr-xr-xinfra/base-images/base-runner/test_one58
-rwxr-xr-xinfra/base-images/base-runner/test_one.py43
-rwxr-xr-xinfra/base-images/base-sanitizer-libs-builder/msan_build.py80
-rw-r--r--infra/bisector.py2
-rw-r--r--infra/build/functions/build_and_run_coverage.py2
-rw-r--r--infra/build/functions/requirements.txt2
-rw-r--r--infra/build/functions/update_build_status.py15
-rw-r--r--infra/build_specified_commit.py1
-rw-r--r--infra/build_specified_commit_test.py4
-rwxr-xr-xinfra/ci/build.py2
-rw-r--r--infra/ci/requirements.txt2
-rw-r--r--infra/cifuzz/actions/build_fuzzers/action.yml11
-rw-r--r--infra/cifuzz/actions/run_fuzzers/action.yml6
-rw-r--r--infra/cifuzz/affected_fuzz_targets_test.py8
-rw-r--r--infra/cifuzz/build_fuzzers.py24
-rw-r--r--infra/cifuzz/build_fuzzers_entrypoint.py10
-rw-r--r--infra/cifuzz/build_fuzzers_test.py27
-rw-r--r--infra/cifuzz/cifuzz-base/Dockerfile24
-rw-r--r--infra/cifuzz/config_utils.py32
-rw-r--r--infra/cifuzz/config_utils_test.py29
-rw-r--r--infra/cifuzz/coverage.py2
-rw-r--r--infra/cifuzz/coverage_test.py52
-rw-r--r--infra/cifuzz/docker.py38
-rw-r--r--infra/cifuzz/environment.py54
-rw-r--r--infra/cifuzz/fuzz_target.py46
-rw-r--r--infra/cifuzz/fuzz_target_test.py3
-rw-r--r--infra/cifuzz/run_fuzzers.py20
-rw-r--r--infra/cifuzz/run_fuzzers_entrypoint.py19
-rw-r--r--infra/cifuzz/run_fuzzers_test.py32
-rw-r--r--infra/cifuzz/stack_parser.py22
-rw-r--r--infra/cifuzz/stack_parser_test.py33
-rw-r--r--infra/cifuzz/test_data/example_crash_fuzzer_bug_summary.txt (renamed from infra/cifuzz/test_files/bug_summary_example.txt)0
-rw-r--r--infra/cifuzz/test_data/example_crash_fuzzer_output.txt (renamed from infra/cifuzz/test_files/example_crash_fuzzer_output.txt)0
-rw-r--r--infra/cifuzz/test_data/example_curl_cov.json (renamed from infra/cifuzz/test_files/example_curl_cov.json)0
-rw-r--r--infra/cifuzz/test_data/example_curl_file_list.json (renamed from infra/cifuzz/test_files/example_curl_file_list.json)0
-rw-r--r--infra/cifuzz/test_data/example_curl_fuzzer_cov.json (renamed from infra/cifuzz/test_files/example_curl_fuzzer_cov.json)0
-rw-r--r--infra/cifuzz/test_data/external-project/Makefile (renamed from infra/cifuzz/test_files/external-project/Makefile)0
-rw-r--r--infra/cifuzz/test_data/external-project/do_stuff_fuzzer.cpp (renamed from infra/cifuzz/test_files/external-project/do_stuff_fuzzer.cpp)0
-rw-r--r--infra/cifuzz/test_data/external-project/do_stuff_fuzzer.dict (renamed from infra/cifuzz/test_files/external-project/do_stuff_fuzzer.dict)0
-rw-r--r--infra/cifuzz/test_data/external-project/my_api.cpp (renamed from infra/cifuzz/test_files/external-project/my_api.cpp)0
-rw-r--r--infra/cifuzz/test_data/external-project/my_api.h (renamed from infra/cifuzz/test_files/external-project/my_api.h)0
-rw-r--r--infra/cifuzz/test_data/external-project/oss-fuzz/Dockerfile (renamed from infra/cifuzz/test_files/external-project/oss-fuzz/Dockerfile)0
-rw-r--r--infra/cifuzz/test_data/external-project/oss-fuzz/build.sh (renamed from infra/cifuzz/test_files/external-project/oss-fuzz/build.sh)0
-rw-r--r--infra/cifuzz/test_data/external-project/standalone_fuzz_target_runner.cpp (renamed from infra/cifuzz/test_files/external-project/standalone_fuzz_target_runner.cpp)0
-rwxr-xr-xinfra/cifuzz/test_data/memory/out/curl_fuzzer_memory (renamed from infra/cifuzz/test_files/memory/out/curl_fuzzer_memory)bin9768680 -> 9768680 bytes
-rw-r--r--infra/cifuzz/test_data/msan_crash_fuzzer_bug_summary.txt22
-rw-r--r--infra/cifuzz/test_data/msan_crash_fuzzer_output.txt39
-rwxr-xr-xinfra/cifuzz/test_data/out/example_crash_fuzzer (renamed from infra/cifuzz/test_files/out/example_crash_fuzzer)bin4375872 -> 4375872 bytes
-rwxr-xr-xinfra/cifuzz/test_data/out/example_nocrash_fuzzer (renamed from infra/cifuzz/test_files/out/example_nocrash_fuzzer)bin4376224 -> 4376224 bytes
-rwxr-xr-xinfra/cifuzz/test_data/undefined/out/curl_fuzzer_undefined (renamed from infra/cifuzz/test_files/undefined/out/curl_fuzzer_undefined)bin14401312 -> 14401312 bytes
-rw-r--r--infra/go/coverage/gocovsum/gocovsum.go126
-rw-r--r--infra/go/coverage/pprof-merge/go.mod5
-rwxr-xr-xinfra/helper.py110
-rw-r--r--infra/helper_test.py35
-rwxr-xr-xinfra/presubmit.py6
-rw-r--r--infra/repo_manager.py8
-rw-r--r--infra/testcases/curl_test_databin456 -> 0 bytes
-rw-r--r--infra/testcases/libarchive_test_databin156184 -> 0 bytes
-rw-r--r--infra/testcases/ndpi_test_databin3134 -> 0 bytes
-rw-r--r--infra/testcases/usrsctp_test_databin73 -> 0 bytes
-rw-r--r--infra/testcases/yara_test_data1
-rw-r--r--infra/utils_test.py2
-rw-r--r--oss-fuzz.iml9
-rwxr-xr-xprojects/bad_example/build.sh2
-rw-r--r--projects/bazel-rules-fuzzing-test/build.sh34
-rw-r--r--projects/bignum-fuzzer/Dockerfile3
-rwxr-xr-xprojects/bignum-fuzzer/build.sh11
-rw-r--r--projects/bind9/project.yaml3
-rwxr-xr-xprojects/botan/build.sh2
-rw-r--r--projects/bs4/project.yaml2
-rwxr-xr-xprojects/c-blosc2/build.sh2
-rw-r--r--projects/cairo/project.yaml7
-rw-r--r--projects/capnproto/Dockerfile21
-rwxr-xr-xprojects/capnproto/build.sh23
-rw-r--r--projects/capnproto/project.yaml8
-rwxr-xr-xprojects/capstone/build.sh1
-rw-r--r--projects/cascadia/Dockerfile4
-rw-r--r--projects/cctz/Dockerfile24
-rwxr-xr-xprojects/cctz/build.sh22
-rw-r--r--projects/cctz/fuzz_cctz.cc47
-rw-r--r--projects/cctz/project.yaml3
-rw-r--r--projects/cel-cpp/.bazelrc23
-rw-r--r--projects/cel-cpp/BUILD23
-rw-r--r--projects/cel-cpp/Dockerfile27
-rw-r--r--projects/cel-cpp/WORKSPACE41
-rwxr-xr-xprojects/cel-cpp/build.sh32
-rw-r--r--projects/cel-cpp/fuzz_parse.cc34
-rw-r--r--projects/cel-cpp/project.yaml11
-rw-r--r--projects/cilium/Dockerfile26
-rwxr-xr-xprojects/civetweb/build.sh2
-rw-r--r--projects/clamav/Dockerfile17
-rwxr-xr-xprojects/clamav/build.sh51
-rw-r--r--projects/clamav/project.yaml3
-rw-r--r--projects/clib/project.yaml7
-rw-r--r--projects/cosign/Dockerfile21
-rwxr-xr-xprojects/cosign/build.sh19
-rw-r--r--projects/cosign/project.yaml8
-rw-r--r--projects/cryptofuzz/Dockerfile6
-rwxr-xr-xprojects/cryptofuzz/build.sh21
-rw-r--r--projects/cryptofuzz/project.yaml3
-rw-r--r--projects/dart/Dockerfile25
-rwxr-xr-xprojects/dart/build.sh21
-rw-r--r--projects/dart/patch.diff13
-rw-r--r--projects/dart/project.yaml9
-rw-r--r--projects/dragonfly/Dockerfile2
-rwxr-xr-xprojects/dragonfly/build.sh3
-rw-r--r--projects/dropbear/Dockerfile6
-rw-r--r--projects/dropbear/build.sh8
-rw-r--r--projects/dropbear/project.yaml8
-rwxr-xr-xprojects/ecc-diff-fuzzer/build.sh11
-rw-r--r--projects/envoy/project.yaml5
-rw-r--r--projects/fast-dds/Dockerfile26
-rwxr-xr-xprojects/fast-dds/build.sh53
-rw-r--r--projects/fast-dds/patch.diff74
-rw-r--r--projects/fast-dds/project.yaml9
-rw-r--r--projects/fasthttp/Dockerfile4
-rwxr-xr-xprojects/fasthttp/build.sh2
-rw-r--r--projects/fastjson/Dockerfile4
-rw-r--r--projects/fastjson2/Dockerfile31
-rw-r--r--projects/fastjson2/JsonFuzzer.java28
-rw-r--r--projects/fastjson2/build.sh51
-rw-r--r--projects/fastjson2/project.yaml10
-rw-r--r--projects/firefox/Dockerfile7
-rwxr-xr-xprojects/firefox/build.sh15
-rw-r--r--projects/firefox/mozconfig.address5
-rwxr-xr-xprojects/fluent-bit/project.yaml3
-rw-r--r--projects/freeimage/Dockerfile7
-rwxr-xr-xprojects/freeimage/build.sh6
-rw-r--r--projects/ghostscript/Dockerfile5
-rwxr-xr-xprojects/ghostscript/build.sh7
-rw-r--r--projects/ghostscript/gstoraster_fuzzer.cc6
-rwxr-xr-xprojects/git/build.sh2
-rw-r--r--projects/gitea/Dockerfile2
-rw-r--r--projects/gitea/build.sh4
-rw-r--r--projects/gitea/project.yaml9
-rw-r--r--projects/go-json-iterator/Dockerfile5
-rw-r--r--projects/go-redis/Dockerfile4
-rw-r--r--projects/go-redis/build.sh5
-rw-r--r--projects/go-sftp/Dockerfile21
-rwxr-xr-xprojects/go-sftp/build.sh18
-rw-r--r--projects/go-sftp/project.yaml10
-rw-r--r--projects/go-snappy/Dockerfile22
-rwxr-xr-xprojects/go-snappy/build.sh19
-rw-r--r--projects/go-snappy/fuzz.go33
-rw-r--r--projects/go-snappy/project.yaml10
-rw-r--r--projects/go-sqlite3/Dockerfile6
-rw-r--r--projects/golang/project.yaml1
-rwxr-xr-xprojects/gpac/Dockerfile23
-rwxr-xr-xprojects/gpac/build.sh25
-rw-r--r--projects/gpac/fuzz_parse.c36
-rwxr-xr-xprojects/gpac/project.yaml6
-rw-r--r--projects/graphicsmagick/Dockerfile8
-rw-r--r--projects/grok/Dockerfile3
-rw-r--r--projects/grpc-gateway/Dockerfile2
-rwxr-xr-xprojects/grpc-gateway/build.sh7
-rw-r--r--projects/grpc/Dockerfile7
-rwxr-xr-xprojects/grpc/build.sh4
-rw-r--r--projects/hiredis/Dockerfile2
-rwxr-xr-xprojects/hiredis/build.sh2
-rwxr-xr-xprojects/hiredis/project.yaml3
-rw-r--r--projects/httparse/Dockerfile21
-rwxr-xr-xprojects/httparse/build.sh22
-rw-r--r--projects/httparse/project.yaml10
-rw-r--r--projects/hugo/Dockerfile5
-rwxr-xr-xprojects/hugo/build.sh4
-rw-r--r--projects/hugo/fuzz.go61
-rw-r--r--projects/ibmswtpm2/no_writes.patch6
-rw-r--r--projects/image-png/Dockerfile23
-rw-r--r--projects/image-png/buf_independent.rs74
-rwxr-xr-xprojects/image-png/build.sh22
-rw-r--r--projects/image-png/project.yaml11
-rw-r--r--projects/imageio/Dockerfile21
-rw-r--r--projects/imageio/build.sh33
-rw-r--r--projects/imageio/project.yaml11
-rw-r--r--projects/ipfs/Dockerfile4
-rwxr-xr-xprojects/ipfs/build.sh2
-rw-r--r--projects/istio/Dockerfile4
-rw-r--r--projects/istio/build.sh4
-rw-r--r--projects/istio/project.yaml3
-rw-r--r--projects/jackson-core/Dockerfile35
-rw-r--r--projects/jackson-core/JsonFuzzer.java44
-rw-r--r--projects/jackson-core/build.sh57
-rw-r--r--projects/jackson-core/project.yaml10
-rw-r--r--projects/jackson-dataformats-binary/CborFuzzer.java29
-rw-r--r--projects/jackson-dataformats-binary/Dockerfile29
-rw-r--r--projects/jackson-dataformats-binary/SmileFuzzer.java29
-rw-r--r--projects/jackson-dataformats-binary/build.sh66
-rw-r--r--projects/jackson-dataformats-binary/project.yaml10
-rw-r--r--projects/java-example/Dockerfile24
-rw-r--r--projects/java-example/ExampleFuzzer.java (renamed from infra/base-images/Jenkinsfile)32
-rw-r--r--projects/java-example/ExampleFuzzerNative.cpp38
-rw-r--r--projects/java-example/ExampleFuzzerNative.h37
-rw-r--r--projects/java-example/ExampleFuzzerNative.java34
-rw-r--r--projects/java-example/ExampleValueProfileFuzzer.java52
-rwxr-xr-xprojects/java-example/build.sh52
-rw-r--r--projects/java-example/default.options3
-rw-r--r--projects/java-example/project.yaml8
-rw-r--r--projects/jbig2dec/jbig2_fuzzer.cc124
-rw-r--r--projects/json-sanitizer/DenylistFuzzer.java49
-rw-r--r--projects/json-sanitizer/Dockerfile39
-rw-r--r--projects/json-sanitizer/IdempotenceFuzzer.java38
-rw-r--r--projects/json-sanitizer/ValidJsonFuzzer.java47
-rwxr-xr-xprojects/json-sanitizer/build.sh60
-rw-r--r--projects/json-sanitizer/project.yaml10
-rw-r--r--projects/json5format/Dockerfile21
-rwxr-xr-xprojects/json5format/build.sh20
-rw-r--r--projects/json5format/project.yaml10
-rw-r--r--projects/jsonparser/Dockerfile4
-rwxr-xr-xprojects/jsonparser/build.sh2
-rw-r--r--projects/jsonschema/Dockerfile23
-rw-r--r--projects/jsonschema/build.sh34
-rw-r--r--projects/jsonschema/project.yaml11
-rwxr-xr-xprojects/kamailio/Dockerfile22
-rwxr-xr-xprojects/kamailio/build.sh32
-rwxr-xr-xprojects/kamailio/project.yaml7
-rw-r--r--projects/kimageformats/Dockerfile6
-rw-r--r--projects/kimageformats/build.sh21
-rw-r--r--projects/kimageformats/kimgio_fuzzer.cc3
-rw-r--r--projects/kubernetes/Dockerfile2
-rwxr-xr-xprojects/kubernetes/build.sh8
-rw-r--r--projects/libavif/avif_decode_seed_corpus.zipbin5186 -> 5049 bytes
-rwxr-xr-xprojects/libavif/build.sh6
-rwxr-xr-xprojects/libcacard/build.sh6
-rw-r--r--projects/libfido2/Dockerfile5
-rwxr-xr-xprojects/libfido2/build.sh22
-rwxr-xr-xprojects/libiec61850/Dockerfile22
-rwxr-xr-xprojects/libiec61850/build.sh28
-rw-r--r--projects/libiec61850/fuzz_decode.options2
-rwxr-xr-xprojects/libiec61850/project.yaml6
-rw-r--r--projects/libjpeg-turbo/Dockerfile2
-rw-r--r--projects/liblouis/Dockerfile22
-rwxr-xr-xprojects/liblouis/build.sh18
-rw-r--r--projects/liblouis/project.yaml10
-rw-r--r--projects/libphonenumber/project.yaml3
-rwxr-xr-xprojects/libredwg/Dockerfile23
-rwxr-xr-xprojects/libredwg/build.sh27
-rw-r--r--projects/libredwg/llvmfuzz.options2
-rwxr-xr-xprojects/libredwg/project.yaml9
-rw-r--r--projects/libreoffice/project.yaml2
-rw-r--r--projects/libsodium/fake_random.h16
-rw-r--r--projects/libsodium/project.yaml2
-rw-r--r--projects/libsodium/secret_key_auth_fuzzer.cc19
-rw-r--r--projects/libsodium/secretbox_easy_fuzzer.cc25
-rw-r--r--projects/libucl/Dockerfile3
-rw-r--r--projects/libucl/build.sh8
-rw-r--r--projects/libucl/project.yaml3
-rw-r--r--projects/libucl/ucl_add_string_fuzzer.options2
-rw-r--r--projects/libvips/Dockerfile1
-rwxr-xr-xprojects/libvips/build.sh1
-rwxr-xr-xprojects/libxml2/build.sh6
-rw-r--r--projects/libyal/Dockerfile4
-rwxr-xr-xprojects/libyang/Dockerfile29
-rwxr-xr-xprojects/libyang/build.sh31
-rwxr-xr-xprojects/libyang/project.yaml12
-rw-r--r--projects/libzmq/project.yaml7
-rwxr-xr-xprojects/lighttpd/Dockerfile23
-rwxr-xr-xprojects/lighttpd/build.sh23
-rw-r--r--projects/lighttpd/fuzz_burl.c56
-rwxr-xr-xprojects/lighttpd/project.yaml6
-rw-r--r--projects/loki/Dockerfile4
-rw-r--r--projects/loki/project.yaml1
-rw-r--r--projects/lotus/Dockerfile6
-rw-r--r--projects/lotus/build.sh25
-rw-r--r--projects/lua/project.yaml2
-rw-r--r--projects/lxc/Dockerfile22
-rwxr-xr-xprojects/lxc/build.sh17
-rw-r--r--projects/lxc/project.yaml12
-rwxr-xr-xprojects/md4c/Dockerfile22
-rwxr-xr-xprojects/md4c/build.sh22
-rwxr-xr-xprojects/md4c/project.yaml6
-rw-r--r--projects/minify/Dockerfile3
-rwxr-xr-xprojects/minify/build.sh2
-rwxr-xr-xprojects/miniz/build.sh1
-rw-r--r--projects/muparser/project.yaml2
-rw-r--r--projects/mupdf/pdf_fuzzer.cc149
-rw-r--r--projects/nats/Dockerfile4
-rwxr-xr-xprojects/nats/build.sh4
-rw-r--r--projects/nom/Dockerfile21
-rwxr-xr-xprojects/nom/build.sh20
-rw-r--r--projects/nom/project.yaml10
-rw-r--r--projects/openbabel/Dockerfile21
-rwxr-xr-xprojects/openbabel/build.sh23
-rw-r--r--projects/openbabel/project.yaml10
-rwxr-xr-xprojects/openexr/build.sh3
-rwxr-xr-xprojects/openjpeg/build.sh2
-rw-r--r--projects/opensc/project.yaml3
-rwxr-xr-xprojects/openssh/build.sh38
-rwxr-xr-xprojects/openssl/build.sh6
-rw-r--r--projects/openthread/Dockerfile2
-rwxr-xr-xprojects/openthread/build.sh51
-rw-r--r--projects/openthread/project.yaml1
-rw-r--r--projects/osquery/project.yaml1
-rw-r--r--projects/p11-kit/Dockerfile23
-rwxr-xr-xprojects/p11-kit/build.sh25
-rw-r--r--projects/p11-kit/project.yaml4
-rw-r--r--projects/pcl/Dockerfile45
-rwxr-xr-xprojects/pcl/build.sh19
-rw-r--r--projects/pcl/project.yaml5
-rw-r--r--projects/pillow/Dockerfile10
-rw-r--r--projects/pillow/build.sh29
-rw-r--r--projects/pillow/fuzz_pillow.py44
-rw-r--r--projects/poppler/Dockerfile2
-rwxr-xr-xprojects/poppler/build.sh4
-rw-r--r--projects/postgresql/add_fuzzers.diff34
-rw-r--r--projects/postgresql/fuzzer/simple_query_fuzzer.c2
-rw-r--r--projects/postgresql/project.yaml2
-rw-r--r--projects/proj4/Dockerfile2
-rw-r--r--projects/prometheus/Dockerfile7
-rw-r--r--projects/protobuf-c/Dockerfile4
-rwxr-xr-xprojects/protobuf-c/build.sh8
-rw-r--r--projects/protobuf-c/project.yaml3
-rw-r--r--projects/qemu/Dockerfile3
-rw-r--r--projects/qemu/project.yaml1
-rw-r--r--projects/qt/Dockerfile6
-rw-r--r--projects/qt/project.yaml1
-rw-r--r--projects/quic-go/Dockerfile8
-rw-r--r--projects/quic-go/build.sh22
-rw-r--r--projects/radon/Dockerfile4
-rw-r--r--projects/radon/build.sh4
-rwxr-xr-xprojects/relic/build.sh15
-rw-r--r--projects/relic/project.yaml1
-rwxr-xr-xprojects/rnp/build.sh2
-rw-r--r--projects/runc/Dockerfile20
-rw-r--r--projects/runc/build.sh18
-rw-r--r--projects/runc/project.yaml16
-rw-r--r--projects/rustls/Dockerfile25
-rwxr-xr-xprojects/rustls/build.sh25
-rw-r--r--projects/rustls/persist.rs30
-rw-r--r--projects/rustls/project.yaml10
-rw-r--r--projects/serenity/project.yaml1
-rw-r--r--projects/skia/build.sh142
-rw-r--r--projects/snappy/project.yaml5
-rw-r--r--projects/sound-open-firmware/project.yaml3
-rw-r--r--projects/spidermonkey-ufi/Dockerfile7
-rwxr-xr-xprojects/spidermonkey-ufi/build.sh2
-rw-r--r--projects/spidermonkey/Dockerfile4
-rwxr-xr-xprojects/spidermonkey/build.sh2
-rwxr-xr-xprojects/spotify-json/Dockerfile21
-rwxr-xr-xprojects/spotify-json/build.sh24
-rwxr-xr-xprojects/spotify-json/project.yaml6
-rwxr-xr-xprojects/sudoers/build.sh73
-rw-r--r--projects/suricata/Dockerfile3
-rwxr-xr-xprojects/suricata/build.sh23
-rw-r--r--projects/systemd/Dockerfile2
-rw-r--r--projects/syzkaller/Dockerfile8
-rwxr-xr-xprojects/syzkaller/build.sh3
-rw-r--r--projects/tarantool/Dockerfile26
-rwxr-xr-xprojects/tarantool/build.sh62
-rw-r--r--projects/tarantool/project.yaml16
-rw-r--r--projects/teleport/Dockerfile3
-rw-r--r--projects/teleport/build.sh5
-rwxr-xr-xprojects/tensorflow/build.sh8
-rw-r--r--projects/tesseract-ocr/project.yaml3
-rw-r--r--projects/thrift/Dockerfile21
-rwxr-xr-xprojects/thrift/build.sh32
-rw-r--r--projects/thrift/project.yaml11
-rw-r--r--projects/tidb/Dockerfile2
-rwxr-xr-xprojects/tidb/build.sh4
-rw-r--r--projects/tinygltf/Dockerfile21
-rwxr-xr-xprojects/tinygltf/build.sh23
-rw-r--r--projects/tinygltf/project.yaml10
-rw-r--r--projects/tpm2-tss/Dockerfile3
-rw-r--r--projects/tpm2-tss/project.yaml1
-rw-r--r--projects/ujson/Dockerfile2
-rwxr-xr-xprojects/unbound/build.sh2
-rw-r--r--projects/unrar/build.sh4
-rw-r--r--projects/usbguard/project.yaml5
-rw-r--r--projects/utf8proc/project.yaml5
-rw-r--r--projects/vitess/Dockerfile11
-rwxr-xr-xprojects/vitess/build.sh3
-rw-r--r--projects/vitess/project.yaml4
-rwxr-xr-xprojects/w3m/Dockerfile22
-rwxr-xr-xprojects/w3m/build.sh32
-rwxr-xr-xprojects/w3m/project.yaml6
-rwxr-xr-xprojects/wasmtime/build.sh12
-rw-r--r--projects/wasmtime/project.yaml1
-rwxr-xr-xprojects/wireshark/build.sh6
-rw-r--r--projects/wolfssl/Dockerfile1
-rwxr-xr-xprojects/wolfssl/build.sh60
-rwxr-xr-xprojects/wuffs/build.sh2
-rw-r--r--projects/ygot/Dockerfile22
-rwxr-xr-xprojects/ygot/build.sh18
-rw-r--r--projects/ygot/fuzz.go12
-rw-r--r--projects/ygot/project.yaml10
-rw-r--r--projects/zeek/build.sh1
-rw-r--r--projects/zeek/project.yaml4
-rwxr-xr-xprojects/zlib-ng/build.sh4
-rw-r--r--projects/zlib-ng/project.yaml2
436 files changed, 6080 insertions, 1493 deletions
diff --git a/.dockerignore b/.dockerignore
index 61ac0b13e..b72d742a6 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,10 +1,11 @@
-out
.git
+infra/cifuzz/test_data/*
+docs/*
# Copied from .gitignore.
.vscode/
*.pyc
-/build/
+build
*~
.DS_Store
-*.swp
+*.swp \ No newline at end of file
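Review bot: The new last line `+*.swp` is committed without a trailing newline (the `\ No newline at end of file` marker); restore the newline so a later append does not fuse with this pattern and the file diffs cleanly. Dropping `-out` also means any top-level `out/` directory present in a checkout is now shipped to the Docker daemon as build context; if the intent is that build outputs live under `build/` (kept ignored by the `build` pattern), a one-line comment such as `# build outputs live under build/, ignored above` would make that explicit for the next editor.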
diff --git a/.github/workflows/infra_tests.yml b/.github/workflows/infra_tests.yml
index 8b3ed96bc..5273adc45 100644
--- a/.github/workflows/infra_tests.yml
+++ b/.github/workflows/infra_tests.yml
@@ -9,6 +9,11 @@ jobs:
runs-on: ubuntu-latest
steps:
+ - name: Cancel previous
+ uses: styfle/cancel-workflow-action@0.8.0
+ with:
+ access_token: ${{ github.token }}
+
- uses: actions/checkout@v2
- run: | # Needed for git diff to work.
git fetch origin master --depth 1
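Review bot: The added step `uses: styfle/cancel-workflow-action@0.8.0` pulls third-party code by a mutable tag while handing it the job's credential via `access_token: ${{ github.token }}`; if that tag is ever moved, whatever it points to runs with the token. Pin the action to a full commit SHA and keep the version as a comment, e.g. `uses: styfle/cancel-workflow-action@<full 40-char commit sha>  # v0.8.0`, and consider the same treatment for `actions/checkout@v2` directly below. A bot such as Dependabot can keep the SHA current. The `jobs:` stanza this step belongs to begins before the hunk.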
@@ -33,5 +38,3 @@ jobs:
- name: Run infra tests
run: sudo env "PATH=$PATH" INTEGRATION_TESTS=1 python infra/presubmit.py infra-tests -p
-
-
diff --git a/.github/workflows/presubmit.yml b/.github/workflows/presubmit.yml
index 0ab4f4f43..9a4b8d698 100644
--- a/.github/workflows/presubmit.yml
+++ b/.github/workflows/presubmit.yml
@@ -1,11 +1,20 @@
name: Presubmit checks
-on: [pull_request]
+
+on:
+ pull_request:
+ branches:
+ - master
jobs:
build:
runs-on: ubuntu-latest
steps:
+ - name: Cancel previous
+ uses: styfle/cancel-workflow-action@0.8.0
+ with:
+ access_token: ${{ github.token }}
+
- uses: actions/checkout@v2
- run: | # Needed for git diff to work.
git fetch origin master --depth 1
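Review bot: The same supply-chain concern applies here: `styfle/cancel-workflow-action@0.8.0` is resolved by a tag the upstream maintainer can rewrite, and it receives `${{ github.token }}`. Pin it to a commit SHA with the version in a trailing comment, `uses: styfle/cancel-workflow-action@<full commit sha>  # v0.8.0`. On `pull_request` events from forks the token is presumably read-only, so the cancel call may fail rather than no-op — worth confirming that a failure in this step cannot block the presubmit itself (e.g. `continue-on-error: true`). The narrowed trigger (`branches: - master`) also means PRs against other branches no longer run these checks; a short comment stating that is intentional would help. The `build` job continues past the hunk.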
diff --git a/.github/workflows/project_tests.yml b/.github/workflows/project_tests.yml
index 4c78ee1e5..55dfb7f39 100644
--- a/.github/workflows/project_tests.yml
+++ b/.github/workflows/project_tests.yml
@@ -1,5 +1,9 @@
name: Project tests
-on: [pull_request]
+
+on:
+ pull_request:
+ branches:
+ - master
jobs:
build:
@@ -38,6 +42,11 @@ jobs:
ARCHITECTURE: ${{ matrix.architecture }}
steps:
+ - name: Cancel previous
+ uses: styfle/cancel-workflow-action@0.8.0
+ with:
+ access_token: ${{ github.token }}
+
- uses: actions/checkout@v2
- run: | # Needed for git diff to work.
git fetch origin master --depth 1
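Review bot: The cancel step added here pulls `styfle/cancel-workflow-action@0.8.0` by tag and passes it `${{ github.token }}`; since this job is a matrix job (`ARCHITECTURE: ${{ matrix.architecture }}` is visible above), that unpinned code runs once per matrix entry. Pin it to a full commit SHA, `uses: styfle/cancel-workflow-action@<full commit sha>  # v0.8.0`, so a moved tag cannot change what executes with the token. A comment on the step explaining its purpose (`# Cancel superseded runs of this workflow for the same PR`) would also help readers. The `steps:` list continues outside the hunk.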
diff --git a/METADATA b/METADATA
index 0156a82ea..dfba61b91 100644
--- a/METADATA
+++ b/METADATA
@@ -9,11 +9,11 @@ third_party {
type: GIT
value: "https://github.com/google/oss-fuzz.git"
}
- version: "0e6b81c81b415bb584c8d7595264480fa5a7de84"
+ version: "947169dc86572e121c3e138f366a9f39ac6266ae"
license_type: RESTRICTED
last_upgrade_date {
year: 2021
- month: 2
- day: 9
+ month: 4
+ day: 1
}
}
diff --git a/README.md b/README.md
index 0d590b1ff..4e5474a05 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ execution environment and reporting tool.
[Sanitizers]: https://github.com/google/sanitizers
[ClusterFuzz]: https://github.com/google/clusterfuzz
-Currently, OSS-Fuzz supports C/C++, Rust, Go and Python code. Other languages
+Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other languages
supported by [LLVM] may work too. OSS-Fuzz supports fuzzing x86_64 and i386
builds.
diff --git a/docs/faq.md b/docs/faq.md
index fa0826c48..46e5ebf80 100644
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -158,6 +158,19 @@ We work with open source projects and try to keep as much information public as
possible. We believe that public code coverage reports do not put users at risk,
as they do not indicate the presence of bugs or lack thereof.
+## Why is the coverage command complaining about format compatibility issues?
+
+This may happen if the Docker images fetched locally become out of sync. Make
+sure you run the following command to pull the most recent images:
+
+```bash
+$ python infra/helper.py pull_images
+```
+
+Please refer to
+[code coverage]({{ site.baseurl }}/advanced-topics/code-coverage/) for detailed
+information on code coverage generation.
+
## What happens when I rename a fuzz target ?
If you rename your fuzz targets, the existing bugs for those targets will get
diff --git a/docs/getting-started/bug_disclosure_guidelines.md b/docs/getting-started/bug_disclosure_guidelines.md
index f82a75100..e5a76ef2c 100644
--- a/docs/getting-started/bug_disclosure_guidelines.md
+++ b/docs/getting-started/bug_disclosure_guidelines.md
@@ -12,12 +12,12 @@ Following [Google's standard disclosure policy](https://googleprojectzero.blogsp
OSS-Fuzz will adhere to following disclosure principles:
- **Deadline**. After notifying project authors, we will open reported
- issues to the public in 90 days, or 30 days after the fix is released
- (whichever comes earlier).
+ issues to the public in 90 days, or after the fix is released (whichever
+ comes earlier).
- **Weekends and holidays**. If a deadline is due to expire on a weekend,
the deadline will be moved to the next normal work day.
- **Grace period**. We have a 14-day grace period. If a 90-day deadline
expires but the upstream engineers let us know before the deadline that a
patch is scheduled for release on a specific day within 14 days following
the deadline, the public disclosure will be delayed until the availability
- of the patch. \ No newline at end of file
+ of the patch.
diff --git a/docs/getting-started/continuous_integration.md b/docs/getting-started/continuous_integration.md
index bb3f7e107..88e6e4b15 100644
--- a/docs/getting-started/continuous_integration.md
+++ b/docs/getting-started/continuous_integration.md
@@ -74,13 +74,13 @@ jobs:
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
with:
oss-fuzz-project-name: 'example'
- dry-run: false
+ language: c++
- name: Run Fuzzers
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
with:
oss-fuzz-project-name: 'example'
+ language: c++
fuzz-seconds: 600
- dry-run: false
- name: Upload Crash
uses: actions/upload-artifact@v1
if: failure() && steps.build.outcome == 'success'
@@ -93,8 +93,16 @@ jobs:
### Optional configuration
#### Configurable Variables
+
+`language`: (optional) The language your target program is written in. Defaults
+to `c++`. This should be the same as the value you set in `project.yaml`. See
+[this explanation]({{ site.baseurl }}//getting-started/new-project-guide/#language)
+for more details.
+
`fuzz-time`: Determines how long CIFuzz spends fuzzing your project in seconds.
-The default is 600 seconds. The GitHub Actions max run time is 21600 seconds (6 hours).
+The default is 600 seconds. The GitHub Actions max run time is 21600 seconds (6
+hours). This variable is only meaningful when supplied to the `run_fuzzers`
+action, not the `build_fuzzers` action.
`dry-run`: Determines if CIFuzz surfaces errors. The default value is `false`. When set to `true`,
CIFuzz will never report a failure even if it finds a crash in your project.
@@ -103,7 +111,8 @@ make sure to set the dry-run parameters in both the `Build Fuzzers` and `Run Fuz
`allowed-broken-targets-percentage`: Can be set if you want to set a stricter
limit for broken fuzz targets than OSS-Fuzz's check_build. Most users should
-not set this.
+not set this. This value is only meaningful when supplied to the `run_fuzzers`
+action, not the `build_fuzzers` action.
`sanitizer`: Determines a sanitizer to build and run fuzz targets with. The choices are `'address'`,
`'memory'` and `'undefined'`. The default is `'address'`. It is important to note that the `Build Fuzzers`
@@ -128,14 +137,14 @@ jobs:
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
with:
oss-fuzz-project-name: 'example'
- dry-run: false
+ language: c++
sanitizer: ${{ matrix.sanitizer }}
- name: Run Fuzzers (${{ matrix.sanitizer }})
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
with:
oss-fuzz-project-name: 'example'
+ language: c++
fuzz-seconds: 600
- dry-run: false
sanitizer: ${{ matrix.sanitizer }}
- name: Upload Crash
uses: actions/upload-artifact@v1
@@ -175,13 +184,13 @@ jobs:
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
with:
oss-fuzz-project-name: 'example'
- dry-run: false
+ language: c++
- name: Run Fuzzers
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
with:
oss-fuzz-project-name: 'example'
+ language: c++
fuzz-seconds: 600
- dry-run: false
- name: Upload Crash
uses: actions/upload-artifact@v1
if: failure() && steps.build.outcome == 'success'
@@ -213,9 +222,9 @@ The results of CIFuzz can be found in two different places.
1. When a crash is found by CIFuzz the Upload Artifact event is triggered.
1. This will cause a pop up in the right hand corner, allowing
you to download a zip file called `artifacts`.
- 1. `artifacts` contains two files:
- * `test_case` - a test case that can be used to reproduce the crash.
- * `bug_summary` - the stack trace and summary of the crash.
+ 1. `artifacts` contains two files for each crash:
+ * A test case that can be used to reproduce the crash.
+ * The sanitizer stack trace of the crash.
![Finding uploaded artifacts](../images/artifacts.png)
diff --git a/docs/getting-started/new-project-guide/bazel.md b/docs/getting-started/new-project-guide/bazel.md
index 4ad179d86..45b942fee 100644
--- a/docs/getting-started/new-project-guide/bazel.md
+++ b/docs/getting-started/new-project-guide/bazel.md
@@ -3,7 +3,7 @@ layout: default
title: Integrating a Bazel project
parent: Setting up a new project
grand_parent: Getting started
-nav_order: 4
+nav_order: 5
permalink: /getting-started/new-project-guide/bazel/
---
@@ -36,10 +36,9 @@ test artifacts in the OSS-Fuzz format. Each `//path/to:fuzz_test` fuzz test
target automatically has a `//path/to:fuzz_test_oss_fuzz` packaging target that
(a) builds the fuzz test using the instrumentation and engine library specified
in the OSS-Fuzz environment variables, and (b) generates an archive containing
-the binary and its associated artifacts (corpus, dictionary, etc.). Using the
-`_oss_fuzz` target substantially simplifies the `build.sh` script, which only
-needs to copy the build artifacts from `bazel-bin/` to the `${OUT}/` directory.
-The next section explains this process in more detail.
+the binary and its associated artifacts (corpus, dictionary, etc.). Moreover,
+OSS-Fuzz provides a standard tool to automatically process these targets,
+substantially simplifying the `build.sh` script (see below).
[rules-fuzzing-usage]: https://github.com/bazelbuild/rules_fuzzing#using-the-rules-in-your-project
@@ -61,7 +60,7 @@ Only C++ projects are currently supported.
Since the OSS-Fuzz target builds the fuzz test using the instrumentation and
engine specified in the OSS-Fuzz environment variables, all the engine and
sanitizer configurations supported in the `project.yaml` file are automatically
-supported by the `_oss_fuzz` packaging rule, too.
+supported by the fuzzing rules.
### Dockerfile
@@ -75,43 +74,24 @@ file in your repository root with the desired version string.
### build.sh
-Your `build.sh` script essentially needs to perform three tasks: (1) selecting
+Your `build.sh` script essentially needs to perform three steps: (1) selecting
which fuzz tests to build, (2) building their OSS-Fuzz package targets in the
right configuration, and (3) copying the build artifacts to the `${OUT}/`
destination.
-For the first step, you can use the "bazel query" command for the most
-flexibility. Each fuzz test has the `"fuzz-test"` tag, which you can query. You
-may also perform additional filtering. We recommend using the `"no-oss-fuzz"`
-tag to opt-out particular fuzz tests if they are a work in progress or
-test-only.
-
-The complete query command would look as follows ([example][example-query]):
-
-```sh
-declare -r QUERY='
- let all_fuzz_tests = attr(tags, "fuzz-test", "//...") in
- $all_fuzz_tests - attr(tags, "no-oss-fuzz", $all_fuzz_tests)
-'
-declare -r OSS_FUZZ_TESTS="$(bazel query "${QUERY}" | sed "s/$/_oss_fuzz/")"
-```
-
-Building the `_oss_fuzz` targets requires setting the engine and instrumentation
-options. We recommend creating a `--config=oss-fuzz` configuration in your
-`.bazelrc` file ([example][example-bazelrc]), so you can directly invoke
-`bazel build --config=oss-fuzz` in your build script ([example][example-build]).
-
-If all goes well, `bazel-bin/` will contain an `_oss_fuzz.tar` archive for each
-fuzz test built. You need to traverse each archive and extract it in the
-`${OUT}/` directory ([example][example-copy]):
-
-```sh
-for oss_fuzz_archive in $(find bazel-bin/ -name '*_oss_fuzz.tar'); do
- tar -xvf "${oss_fuzz_archive}" -C "${OUT}"
-done
-```
-
-[example-query]: https://github.com/google/oss-fuzz/blob/b19e7001928b08f9ae8fd3c017688cd5edf96cb2/projects/bazel-rules-fuzzing-test/build.sh#L27-L37
-[example-bazelrc]: https://github.com/bazelbuild/rules_fuzzing/blob/f6062a88d83463e2900e47bc218547ba046dad44/.bazelrc#L56-L58
-[example-build]: https://github.com/google/oss-fuzz/blob/b19e7001928b08f9ae8fd3c017688cd5edf96cb2/projects/bazel-rules-fuzzing-test/build.sh#L43-L45
-[example-copy]: https://github.com/google/oss-fuzz/blob/b19e7001928b08f9ae8fd3c017688cd5edf96cb2/projects/bazel-rules-fuzzing-test/build.sh#L50-L52
+OSS-Fuzz provides a
+[`bazel_build_fuzz_tests`](https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/bazel_build_fuzz_tests)
+tool that implements these steps in a standard way, so in most cases your
+build script only needs to invoke this command with no arguments.
+
+If necessary, the behavior of the tool can be customized though a set of
+environment variables. The most common are:
+
+* `BAZEL_EXTRA_BUILD_FLAGS` are extra build flags passed on the Bazel command
+ line.
+* `BAZEL_FUZZ_TEST_TAG` and `BAZEL_FUZZ_TEST_EXCLUDE_TAG` can be overriden to
+ specify which target tags to use when determining what fuzz tests to include.
+ By default, the tool selects all the fuzz tests except for those tagged as
+ `"no-oss-fuzz"`.
+* `BAZEL_FUZZ_TEST_QUERY` overrides the Bazel query the tool uses to identify
+ the fuzz tests to build, if the tag-based approach is not sufficient.
diff --git a/docs/getting-started/new-project-guide/go_lang.md b/docs/getting-started/new-project-guide/go_lang.md
index 62fde91d6..600a66665 100644
--- a/docs/getting-started/new-project-guide/go_lang.md
+++ b/docs/getting-started/new-project-guide/go_lang.md
@@ -60,21 +60,16 @@ sanitizers:
### Dockerfile
The OSS-Fuzz builder image has the latest stable release of Golang installed. In
-order to install dependencies of your project, add `RUN go get ...` command to
+order to install dependencies of your project, add `RUN git clone ...` command to
your Dockerfile.
[Example](https://github.com/google/oss-fuzz/blob/356f2b947670b7eb33a1f535c71bc5c87a60b0d1/projects/syzkaller/Dockerfile#L23):
```dockerfile
# Dependency for one of the fuzz targets.
-RUN go get github.com/ianlancetaylor/demangle
+RUN git clone --depth 1 https://github.com/ianlancetaylor/demangle
```
-In the case you are using modules, the best practice is to `git clone` the repository into the expected `$GOPATH/src` directory.
-
-A usage example from go-coredns project is
-```dockerfile
-RUN git clone --depth 1 https://github.com/coredns/coredns $GOPATH/src/github.com/coredns/coredns
-```
+go-fuzz will then automatically download the dependencies based on the go.mod file
### build.sh
diff --git a/docs/getting-started/new-project-guide/jvm_lang.md b/docs/getting-started/new-project-guide/jvm_lang.md
new file mode 100644
index 000000000..19e4ecbfe
--- /dev/null
+++ b/docs/getting-started/new-project-guide/jvm_lang.md
@@ -0,0 +1,173 @@
+---
+layout: default
+title: Integrating a Java/JVM project
+parent: Setting up a new project
+grand_parent: Getting started
+nav_order: 4
+permalink: /getting-started/new-project-guide/jvm-lang/
+---
+
+# Integrating a Java/JVM project
+{: .no_toc}
+
+- TOC
+{:toc}
+---
+
+The process of integrating a project written in Java or any other language
+running on the Java Virtual Machine (JVM) with OSS-Fuzz is very similar to the
+general
+[Setting up a new project]({{ site.baseurl }}/getting-started/new-project-guide/)
+process. The key specifics of integrating a JVM project are outlined below.
+
+## Jazzer
+
+Java fuzzing in OSS-Fuzz depends on
+[Jazzer](https://github.com/CodeIntelligenceTesting/jazzer), which is
+pre-installed on the OSS-Fuzz base docker images. As Jazzer operates directly
+on the bytecode level, it can be applied to any project written in a JVM-based
+language. More information on how Jazzer fuzz targets look like can be found in
+its
+[README's Usage section](https://github.com/CodeIntelligenceTesting/jazzer#usage).
+
+## Project files
+
+### Example project
+
+We recommend viewing
+[json-sanitizer](https://github.com/google/oss-fuzz/tree/master/projects/json-sanitizer)
+as an example of a simple Java-only fuzzing project. Additional examples,
+including one for a Java project with native dependencies, are part of the
+[java-example](https://github.com/google/oss-fuzz/tree/master/projects/java-example)
+project.
+
+### project.yaml
+
+The `language` attribute must be specified as follows:
+
+```yaml
+language: jvm
+```
+
+The only supported fuzzing engine is libFuzzer (`libfuzzer`). So far the only
+supported sanitizer is AddressSanitizer (`address`), which needs to be
+specified explicitly even for pure Java projects.
+
+```yaml
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+```
+
+### Dockerfile
+
+The OSS-Fuzz base Docker images already come with OpenJDK 15 pre-installed. If
+you need Maven to build your project, you can install it by adding the following
+line to your Dockerfile:
+
+```docker
+RUN apt-get update && apt-get install -y maven
+```
+
+Apart from this, you should usually not need to do more than to clone the
+project, set a `WORKDIR`, and copy any necessary files, or install any
+project-specific dependencies here as you normally would.
+
+### Fuzzers
+
+In the simplest case, every fuzzer consists of a single Java file with a
+filename matching `*Fuzzer.java` and no `package` directive. An example fuzz
+target could thus be a file `ExampleFuzzer.java` with contents:
+
+```java
+public class ExampleFuzzer {
+ public static void fuzzerTestOneInput(byte[] input) {
+ ...
+ // Call a function of the project under test with arguments derived from
+ // input and throw an exception if something unwanted happens.
+ ...
+ }
+}
+```
+
+### build.sh
+
+For JVM projects, `build.sh` does need some more significant modifications
+over C/C++ projects. Below is an annotated example build script for a
+Java-only project with single-file fuzz targets as described above:
+
+```sh
+# Step 1: Build the project
+
+# Build the project .jar as usual, e.g. using Maven.
+mvn package
+# In this example, the project is built with Maven, which typically includes the
+# project version into the name of the packaged .jar file. The version can be
+# obtained as follows:
+CURRENT_VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+-Dexpression=project.version -q -DforceStdout)
+# Copy the project .jar into $OUT under a fixed name.
+cp "target/sample-project-$CURRENT_VERSION.jar" $OUT/sample-project.jar
+
+# Specify the projects .jar file(s), separated by spaces if there are multiple.
+PROJECT_JARS="sample-project.jar"
+
+# Step 2: Build the fuzzers (should not require any changes)
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API.
+BUILD_CLASSPATH=$(echo $PROJECT_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $PROJECT_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ # Create an execution wrapper that executes Jazzer with the correct arguments.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
+```
+
+## FuzzedDataProvider
+
+Jazzer provides a `FuzzedDataProvider` that can simplify the task of creating a
+fuzz target by translating the raw input bytes received from the fuzzer into
+useful primitive Java types. Its functionality is similar to
+`FuzzedDataProviders` available in other languages, such as
+[Python](https://github.com/google/atheris#fuzzeddataprovider) and
+[C++](https://github.com/google/fuzzing/blob/master/docs/split-inputs.md).
+
+On OSS-Fuzz, the required library is available in the base docker images under
+the path `$JAZZER_API_PATH`, which is added to the classpath by the example
+build script shown above. Locally, the library can be obtained from
+[Maven Central](https://search.maven.org/search?q=g:com.code-intelligence%20a:jazzer-api).
+
+A fuzz target using the `FuzzedDataProvider` would look as follows:
+
+```java
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+public class ExampleFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ int number = data.consumeInt();
+ String string = data.consumeRemainingAsString();
+ // ...
+ }
+}
+```
+
+For a list of convenience methods offered by `FuzzedDataProvider`, consult its
+[javadocs](https://codeintelligencetesting.github.io/jazzer-api/com/code_intelligence/jazzer/api/FuzzedDataProvider.html).
diff --git a/docs/getting-started/new-project-guide/python_lang.md b/docs/getting-started/new-project-guide/python_lang.md
index 14208e300..da147803a 100644
--- a/docs/getting-started/new-project-guide/python_lang.md
+++ b/docs/getting-started/new-project-guide/python_lang.md
@@ -31,7 +31,7 @@ docker images.
### Example project
-We recommending viewing [ujson](https://github.com/google/oss-fuzz/tree/master/projects/ujson) as an
+We recommend viewing [ujson](https://github.com/google/oss-fuzz/tree/master/projects/ujson) as an
example of a simple Python fuzzing project, with both plain-Atheris and
Atheris + Hypothesis harnesses.
@@ -112,14 +112,17 @@ or [by using test functions as fuzz harnesses](https://hypothesis.readthedocs.io
failures in the test reveal problems with the system under test that could not have been
revealed by direct fuzzing of that system.
-You also get integrated test-case reduction for free - meaning that it's trivial to
-report a canonical minimal example for each distinct failure discovered while fuzzing!
+We recommend using the [`hypothesis write`](https://hypothesis.readthedocs.io/en/latest/ghostwriter.html)
+command to generate a starter fuzz harness. This "ghostwritten" code may be usable as-is,
+or provide a useful template for writing more specific tests.
See [here for the core "strategies"](https://hypothesis.readthedocs.io/en/latest/data.html),
for arbitrary data, [here for Numpy + Pandas support](https://hypothesis.readthedocs.io/en/latest/numpy.html),
or [here for a variety of third-party extensions](https://hypothesis.readthedocs.io/en/latest/strategies.html)
supporting everything from protobufs, to jsonschemas, to networkx graphs or geojson
or valid Python source code.
+Hypothesis' integrated test-case reduction also makes it trivial to report a canonical minimal
+example for each distinct failure discovered while fuzzing - just run the test function!
To use Hypothesis in OSS-Fuzz, install it in your Dockerfile with
diff --git a/docs/getting-started/new_project_guide.md b/docs/getting-started/new_project_guide.md
index 64d4b8029..d2a7d805b 100644
--- a/docs/getting-started/new_project_guide.md
+++ b/docs/getting-started/new_project_guide.md
@@ -97,6 +97,7 @@ Programming language the project is written in. Values you can specify include:
* [`go`]({{ site.baseurl }}//getting-started/new-project-guide/go-lang/)
* [`rust`]({{ site.baseurl }}//getting-started/new-project-guide/rust-lang/)
* [`python`]({{ site.baseurl }}//getting-started/new-project-guide/python-lang/)
+* [`jvm` (Java, Kotlin, Scala and other JVM-based languages)]({{ site.baseurl }}//getting-started/new-project-guide/jvm-lang/)
### primary_contact, auto_ccs {#primary}
The primary contact and list of other contacts to be CCed. Each person listed gets access to ClusterFuzz, including crash reports and fuzzer statistics, and are auto-cced on new bugs filed in the OSS-Fuzz
@@ -148,7 +149,8 @@ homepage]({{ site.baseurl }}/further-reading/clusterfuzz#web-interface).
### architectures (optional) {#architectures}
The list of architectures to fuzz on.
ClusterFuzz supports fuzzing on x86_64 (aka x64) by default.
-However you can also fuzz using AddressSanitizer and libFuzzer on i386 (aka x86, or 32 bit) by specifying "x86_64" and "i386" in "architectures" like this:
+Some projects can benefit from i386 fuzzing. OSS-Fuzz will build and run
+AddressSanitizer with libFuzzer on i386 by doing the following:
```yaml
architectures:
@@ -192,7 +194,6 @@ For most projects, the image is simple:
```docker
FROM gcr.io/oss-fuzz-base/base-builder # base image with clang toolchain
RUN apt-get update && apt-get install -y ... # install required packages to build your project
-RUN go get ... # install dependencies to build your Go project
RUN git clone <git_url> <checkout_dir> # checkout all sources needed to build your project
WORKDIR <checkout_dir> # current directory for the build script
COPY build.sh fuzzer.cc $SRC/ # copy build script and other fuzzer files in src dir
@@ -245,6 +246,30 @@ If your project is written in Go, check out the [Integrating a Go project]({{ si
alphanumeric characters, underscore(_) or dash(-). Otherwise, they won't run on our infrastructure.
3. Don't remove source code files. They are needed for code coverage.
+### Temporarily disabling code instrumentation during builds
+
+Sometimes not every 3rd party library might be needed to be instrumented or
+tools are being compiled that just support the target built.
+
+If for any reasons part of the build process should not be instrumented
+then the following code snippit can be used for this:
+
+```
+CFLAGS_SAVE="$CFLAGS"
+CXXFLAGS_SAVE="$CXXFLAGS"
+unset CFLAGS
+unset CXXFLAGS
+export AFL_NOOPT=1
+
+#
+# build commands here that should not result in instrumented code.
+#
+
+export CFLAGS="${CFLAGS_SAVE}"
+export CXXFLAGS="${CXXFLAGS_SAVE}"
+unset AFL_NOOPT
+```
+
### build.sh script environment
When your build.sh script is executed, the following locations are available within the image:
@@ -334,7 +359,8 @@ generated from the previous `run_fuzzer` step in your local corpus directory.
$ python infra/helper.py coverage $PROJECT_NAME --fuzz-target=<fuzz_target> --corpus-dir=<path-to-temp-corpus-dir>
```
-Please refer to
+You may need to run `python infra/helper.py pull_images` to use the latest
+coverage tools. Please refer to
[code coverage]({{ site.baseurl }}/advanced-topics/code-coverage/) for detailed
information on code coverage generation.
@@ -421,7 +447,7 @@ via GitHub.
Please include copyright headers for all files checked in to oss-fuzz:
```
-# Copyright 2020 Google LLC
+# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/docs/index.md b/docs/index.md
index 74f1961b8..c372e77f0 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -38,9 +38,9 @@ execution environment and reporting tool.
[Sanitizers]: https://github.com/google/sanitizers
[ClusterFuzz]: https://github.com/google/clusterfuzz
-Currently, OSS-Fuzz supports C/C++, Rust, Go and Python code. Other languages
-supported by [LLVM] may work too. OSS-Fuzz supports fuzzing x86_64 and i386
-builds.
+Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other
+languages supported by [LLVM] may work too. OSS-Fuzz supports fuzzing x86_64
+and i386 builds.
[LLVM]: https://llvm.org
diff --git a/docs/oss-fuzz/architecture.md b/docs/oss-fuzz/architecture.md
index 689870eaa..56ff29620 100644
--- a/docs/oss-fuzz/architecture.md
+++ b/docs/oss-fuzz/architecture.md
@@ -29,5 +29,5 @@ with the project's build and test system.
discovery (the commit message should contain the string **'Credit to OSS-Fuzz'**).
Once the developer fixes the bug, [ClusterFuzz]({{ site.baseurl }}/further-reading/clusterfuzz) automatically
-verifies the fix, adds a comment, and closes the issue ([example](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53#c3)). 30 days after the fix is verified or 90 days after reporting (whichever is earlier), the issue becomes [public]({{ site.baseurl }}/getting-started/bug-disclosure-guidelines/).
+verifies the fix, adds a comment, and closes the issue ([example](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53#c3)). After the fix is verified or 90 days after reporting (whichever is earlier), the issue becomes [public]({{ site.baseurl }}/getting-started/bug-disclosure-guidelines/).
diff --git a/infra/.dockerignore b/infra/.dockerignore
index 1e82e3e75..c78653342 100644
--- a/infra/.dockerignore
+++ b/infra/.dockerignore
@@ -1 +1,9 @@
-test_files \ No newline at end of file
+cifuzz/test_data/*
+
+# Copied from .gitignore.
+.vscode/
+*.pyc
+build
+*~
+.DS_Store
+*.swp \ No newline at end of file
diff --git a/infra/.pylintrc b/infra/.pylintrc
deleted file mode 100644
index 8ce0b2226..000000000
--- a/infra/.pylintrc
+++ /dev/null
@@ -1,2 +0,0 @@
-[FORMAT]
-indent-string = " " \ No newline at end of file
diff --git a/infra/base-images/base-builder/Dockerfile b/infra/base-images/base-builder/Dockerfile
index 6f596d5ba..d802f247a 100644
--- a/infra/base-images/base-builder/Dockerfile
+++ b/infra/base-images/base-builder/Dockerfile
@@ -29,6 +29,7 @@ RUN dpkg --add-architecture i386 && \
jq \
libc6-dev-i386 \
patchelf \
+ rsync \
subversion \
zip
@@ -57,12 +58,14 @@ RUN export PYTHON_DEPS="\
ln -s /usr/bin/python3 /usr/bin/python && \
cd .. && \
rm -r /tmp/Python-$PYTHON_VERSION.tar.xz /tmp/Python-$PYTHON_VERSION && \
- apt-get remove -y $PYTHON_DEPS # https://github.com/google/oss-fuzz/issues/3888
+ rm -rf /usr/local/lib/python3.8/test && \
+ apt-get remove -y $PYTHON_DEPS # https://github.com/google/oss-fuzz/issues/3888
# Install latest atheris for python fuzzing, pyinstaller for fuzzer packaging,
# six for Bazel rules.
-RUN unset CFLAGS CXXFLAGS && pip3 install -v \
- atheris pyinstaller==4.1 six==1.15.0
+RUN unset CFLAGS CXXFLAGS && pip3 install -v --no-cache-dir \
+ atheris pyinstaller==4.1 six==1.15.0 && \
+ rm -rf /tmp/*
# Download and install the latest stable Go.
RUN cd /tmp && \
@@ -87,15 +90,42 @@ ENV CARGO_HOME=/rust
ENV RUSTUP_HOME=/rust/rustup
ENV PATH=$PATH:/rust/bin
RUN curl https://sh.rustup.rs | sh -s -- -y --default-toolchain=nightly --profile=minimal
-RUN cargo install cargo-fuzz
+RUN cargo install cargo-fuzz && rm -rf /rust/registry
# Needed to recompile rust std library for MSAN
RUN rustup component add rust-src --toolchain nightly
+# Set up custom environment variable for source code copy for coverage reports
+ENV OSSFUZZ_RUSTPATH /rust
# Install Bazel through Bazelisk, which automatically fetches the latest Bazel version.
ENV BAZELISK_VERSION 1.7.4
RUN curl -L https://github.com/bazelbuild/bazelisk/releases/download/v$BAZELISK_VERSION/bazelisk-linux-amd64 -o /usr/local/bin/bazel && \
chmod +x /usr/local/bin/bazel
+# Install OpenJDK 15 and trim its size by removing unused components.
+ENV JAVA_HOME=/usr/lib/jvm/java-15-openjdk-amd64
+ENV JVM_LD_LIBRARY_PATH=$JAVA_HOME/lib/server
+ENV PATH=$PATH:$JAVA_HOME/bin
+RUN cd /tmp && \
+ curl -L -O https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-x64_bin.tar.gz && \
+ mkdir -p $JAVA_HOME && \
+ tar -xzv --strip-components=1 -f openjdk-15.0.2_linux-x64_bin.tar.gz --directory $JAVA_HOME && \
+ rm -f openjdk-15.0.2_linux-x64_bin.tar.gz && \
+ rm -rf $JAVA_HOME/jmods $JAVA_HOME/lib/src.zip
+
+# Install the latest Jazzer in $OUT.
+# jazzer_api_deploy.jar is required only at build-time, the agent and the
+# drivers are copied to $OUT as they need to be present on the runners.
+ENV JAZZER_API_PATH "/usr/local/lib/jazzer_api_deploy.jar"
+RUN cd $SRC/ && \
+ git clone --depth=1 https://github.com/CodeIntelligenceTesting/jazzer && \
+ cd jazzer && \
+ bazel build --java_runtime_version=localjdk_15 -c opt --cxxopt="-stdlib=libc++" --linkopt=-lc++ \
+ //agent:jazzer_agent_deploy.jar //driver:jazzer_driver //driver:jazzer_driver_asan //agent:jazzer_api_deploy.jar && \
+ cp bazel-bin/agent/jazzer_agent_deploy.jar bazel-bin/driver/jazzer_driver bazel-bin/driver/jazzer_driver_asan /usr/local/bin/ && \
+ cp bazel-bin/agent/jazzer_api_deploy.jar $JAZZER_API_PATH && \
+ rm -rf ~/.cache/bazel ~/.cache/bazelisk && \
+ rm -rf $SRC/jazzer
+
# Default build flags for various sanitizers.
ENV SANITIZER_FLAGS_address "-fsanitize=address -fsanitize-address-use-after-scope"
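Review bot: The OpenJDK tarball fetched with `curl -L -O https://download.java.net/.../openjdk-15.0.2_linux-x64_bin.tar.gz` is extracted without any integrity check, and Jazzer is built from an unpinned `git clone --depth=1` of its default branch, so the contents of the base-builder image — and therefore of every project build that inherits it — depend on whatever both servers return at image build time. A checksum after the download, `echo "<SHA256_OF_TARBALL_PLACEHOLDER>  openjdk-15.0.2_linux-x64_bin.tar.gz" | sha256sum -c -`, and a pinned Jazzer revision (as the AFL++ install further down already does with `git checkout <commit>`) would make the image reproducible and auditable. The comment `# Install the latest Jazzer in $OUT.` is also inaccurate: this stage copies the agent, drivers and API jar to `/usr/local/bin` and `$JAZZER_API_PATH`, and they only reach `$OUT` later at compile time, so `# Install the latest Jazzer into /usr/local/bin; compile copies it to $OUT.` would describe what the lines do.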
@@ -106,6 +136,8 @@ ENV SANITIZER_FLAGS_memory "-fsanitize=memory -fsanitize-memory-track-origins"
ENV SANITIZER_FLAGS_dataflow "-fsanitize=dataflow"
+ENV SANITIZER_FLAGS_thread "-fsanitize=thread"
+
# Do not use any sanitizers in the coverage build.
ENV SANITIZER_FLAGS_coverage ""
@@ -144,15 +176,12 @@ ENV LIB_FUZZING_ENGINE="/usr/lib/libFuzzingEngine.a"
# TODO: remove after tpm2 catchup.
ENV FUZZER_LDFLAGS ""
-ENV PRECOMPILED_DIR="/usr/lib/precompiled"
-RUN mkdir $PRECOMPILED_DIR
-
WORKDIR $SRC
# TODO: switch to -b stable once we can.
RUN git clone https://github.com/AFLplusplus/AFLplusplus.git aflplusplus && \
cd aflplusplus && \
- git checkout aeb7d7048371cd91ab9280c3958f1c35e5d5e758
+ git checkout 2102264acf5c271b7560a82771b3af8136af9354
RUN cd $SRC && \
curl -L -O https://github.com/google/honggfuzz/archive/oss-fuzz.tar.gz && \
@@ -161,12 +190,14 @@ RUN cd $SRC && \
tar -xzv --strip-components=1 -f $SRC/oss-fuzz.tar.gz && \
rm -rf examples $SRC/oss-fuzz.tar.gz
-COPY compile compile_afl compile_dataflow compile_libfuzzer compile_honggfuzz \
- compile_go_fuzzer precompile_honggfuzz srcmap write_labels.py /usr/local/bin/
+COPY cargo compile compile_afl compile_dataflow compile_libfuzzer compile_honggfuzz \
+ compile_go_fuzzer precompile_honggfuzz precompile_afl debug_afl srcmap \
+ write_labels.py bazel_build_fuzz_tests /usr/local/bin/
COPY detect_repo.py /opt/cifuzz/
COPY ossfuzz_coverage_runner.go $GOPATH
RUN precompile_honggfuzz
+RUN precompile_afl
CMD ["compile"]
diff --git a/infra/base-images/base-builder/bazel_build_fuzz_tests b/infra/base-images/base-builder/bazel_build_fuzz_tests
new file mode 100755
index 000000000..86740ee01
--- /dev/null
+++ b/infra/base-images/base-builder/bazel_build_fuzz_tests
@@ -0,0 +1,80 @@
+#!/bin/bash -eu
+#
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+: "${BAZEL_FUZZ_TEST_TAG:=fuzz-test}"
+: "${BAZEL_FUZZ_TEST_EXCLUDE_TAG:=no-oss-fuzz}"
+: "${BAZEL_PACKAGE_SUFFIX:=_oss_fuzz}"
+: "${BAZEL_TOOL:=bazel}"
+: "${BAZEL_EXTRA_BUILD_FLAGS:=}"
+
+if [[ -z "${BAZEL_FUZZ_TEST_QUERY:-}" ]]; then
+ BAZEL_FUZZ_TEST_QUERY="
+ let all_fuzz_tests = attr(tags, \"${BAZEL_FUZZ_TEST_TAG}\", \"//...\") in
+ \$all_fuzz_tests - attr(tags, \"${BAZEL_FUZZ_TEST_EXCLUDE_TAG}\", \$all_fuzz_tests)
+ "
+fi
+
+echo "Using Bazel query to find fuzz targets: ${BAZEL_FUZZ_TEST_QUERY}"
+
+declare -r OSS_FUZZ_TESTS=(
+ $(bazel query "${BAZEL_FUZZ_TEST_QUERY}" | sed "s/$/${BAZEL_PACKAGE_SUFFIX}/")
+)
+
+echo "Found ${#OSS_FUZZ_TESTS[@]} fuzz test packages:"
+for oss_fuzz_test in "${OSS_FUZZ_TESTS[@]}"; do
+ echo " ${oss_fuzz_test}"
+done
+
+declare -r BAZEL_BUILD_FLAGS=(
+ "-c" "opt"
+ "--//fuzzing:cc_engine=@rules_fuzzing_oss_fuzz//:oss_fuzz_engine" \
+ "--@rules_fuzzing//fuzzing:cc_engine_instrumentation=oss-fuzz" \
+ "--@rules_fuzzing//fuzzing:cc_engine_sanitizer=none" \
+ "--linkopt=-lc++" \
+ "--action_env=CC=${CC}" "--action_env=CXX=${CXX}" \
+ ${BAZEL_EXTRA_BUILD_FLAGS[*]}
+)
+
+echo "Building the fuzz tests with the following Bazel options:"
+echo " ${BAZEL_BUILD_FLAGS[@]}"
+
+${BAZEL_TOOL} build "${BAZEL_BUILD_FLAGS[@]}" "${OSS_FUZZ_TESTS[@]}"
+
+echo "Extracting the fuzz test packages in the output directory."
+for oss_fuzz_archive in $(find bazel-bin/ -name "*${BAZEL_PACKAGE_SUFFIX}.tar"); do
+ tar -xvf "${oss_fuzz_archive}" -C "${OUT}"
+done
+
+if [ "$SANITIZER" = "coverage" ]; then
+ echo "Collecting the repository source files for coverage tracking."
+ declare -r COVERAGE_SOURCES="${OUT}/proc/self/cwd"
+ mkdir -p "${COVERAGE_SOURCES}"
+ declare -r RSYNC_FILTER_ARGS=(
+ "--include" "*.h"
+ "--include" "*.cc"
+ "--include" "*.hpp"
+ "--include" "*.cpp"
+ "--include" "*.c"
+ "--include" "*.inc"
+ "--include" "*/"
+ "--exclude" "*"
+ )
+ rsync -avLk "${RSYNC_FILTER_ARGS[@]}" \
+ "$(bazel info execution_root)/" \
+ "${COVERAGE_SOURCES}/"
+fi
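Review bot: `${BAZEL_TOOL}` is honoured only by the build step `${BAZEL_TOOL} build "${BAZEL_BUILD_FLAGS[@]}" "${OSS_FUZZ_TESTS[@]}"`; the target discovery `$(bazel query "${BAZEL_FUZZ_TEST_QUERY}" | sed ...)` and the coverage branch's `$(bazel info execution_root)` call `bazel` directly, so an override of `BAZEL_TOOL` is applied to only one of the three invocations — change them to `${BAZEL_TOOL} query "${BAZEL_FUZZ_TEST_QUERY}"` and `${BAZEL_TOOL} info execution_root`. The script runs under `-eu` but without `pipefail`, so a failing `bazel query` piped into `sed` produces an empty `OSS_FUZZ_TESTS` array and execution continues into a build with no targets, ending with no fuzzers in `${OUT}` and a zero exit status; `set -o pipefail` plus a check that `${#OSS_FUZZ_TESTS[@]}` is non-zero would turn that into a hard error. The first engine flag, `--//fuzzing:cc_engine=@rules_fuzzing_oss_fuzz//:oss_fuzz_engine`, lacks the `@rules_fuzzing` repository prefix the two flags after it carry; if this script is meant to run inside consumer workspaces rather than inside rules_fuzzing itself, that label presumably needs the same prefix — worth confirming against the rules_fuzzing documentation.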
diff --git a/infra/base-images/base-builder/cargo b/infra/base-images/base-builder/cargo
new file mode 100755
index 000000000..bed8e7660
--- /dev/null
+++ b/infra/base-images/base-builder/cargo
@@ -0,0 +1,51 @@
+#!/bin/bash -eu
+# Copyright 2020 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This is a wrapper around calling cargo
+# This just expands RUSTFLAGS in case of a coverage build
+# We need this until https://github.com/rust-lang/cargo/issues/5450 is merged
+# because cargo uses relative paths for the current crate
+# and absolute paths for its dependencies
+#
+################################################################################
+
+if [ "$SANITIZER" = "coverage" ] && [ $1 = "build" ]
+then
+ crate_src_abspath=`cargo metadata --no-deps --format-version 1 | jq -r '.workspace_root'`
+ export RUSTFLAGS="$RUSTFLAGS --remap-path-prefix src=$crate_src_abspath/src"
+fi
+
+if [ "$SANITIZER" = "coverage" ] && [ $1 = "fuzz" ]
+then
+ # hack to turn cargo fuzz build into cargo build so as to get coverage
+ # cargo fuzz adds "--target" "x86_64-unknown-linux-gnu"
+ (
+ # go into fuzz directory if not already the case
+ cd fuzz || true
+ fuzz_src_abspath=`pwd`
+ export RUSTFLAGS="$RUSTFLAGS --remap-path-prefix fuzz_targets=$fuzz_src_abspath/fuzz_targets"
+ # we do not want to trigger debug assertions and stops
+ export RUSTFLAGS="$RUSTFLAGS -C debug-assertions=no"
+ # do not optimize with --release, leading to Malformed instrumentation profile data
+ cargo build --bins
+ # copies the build output in the expected target directory
+ cd `cargo metadata --format-version 1 --no-deps | jq -r '.target_directory'`
+ mkdir -p x86_64-unknown-linux-gnu/release
+ cp -r debug/* x86_64-unknown-linux-gnu/release/
+ )
+ exit 0
+fi
+
+/rust/bin/cargo "$@"
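Review bot: The tests `[ $1 = "build" ]` and `[ $1 = "fuzz" ]` expand `$1` unquoted under `#!/bin/bash -eu`, so invoking the wrapper with no arguments aborts with an unbound-variable error instead of falling through to `/rust/bin/cargo "$@"`, and a first argument containing whitespace would break the test; `[ "${1:-}" = "build" ]` and `[ "${1:-}" = "fuzz" ]` avoid both. `$RUSTFLAGS` is expanded unguarded in the `export RUSTFLAGS="$RUSTFLAGS ..."` lines as well; that is fine as long as `compile` always exports it before a coverage build, which appears to be the case here, but `${RUSTFLAGS:-}` would make the wrapper safe to run on its own. Since the interception only triggers when the subcommand is exactly the first argument, a comment above the first `if` such as `# Only plain "cargo build" / "cargo fuzz" invocations are rewritten; toolchain selectors before the subcommand pass through untouched.` would document that limitation.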
diff --git a/infra/base-images/base-builder/compile b/infra/base-images/base-builder/compile
index 2bf20b1e3..78453c98c 100755
--- a/infra/base-images/base-builder/compile
+++ b/infra/base-images/base-builder/compile
@@ -22,6 +22,21 @@ if [ "$SANITIZER" = "dataflow" ] && [ "$FUZZING_ENGINE" != "dataflow" ]; then
exit 1
fi
+if [ "$FUZZING_LANGUAGE" = "jvm" ]; then
+ if [ "$FUZZING_ENGINE" != "libfuzzer" ]; then
+ echo "ERROR: JVM projects can be fuzzed with libFuzzer engine only."
+ exit 1
+ fi
+ if [ "$SANITIZER" != "address" ]; then
+ echo "ERROR: JVM projects can be fuzzed with AddressSanitizer only."
+ exit 1
+ fi
+ if [ "$ARCHITECTURE" != "x86_64" ]; then
+ echo "ERROR: JVM projects can be fuzzed on x86_64 architecture only."
+ exit 1
+ fi
+fi
+
if [ "$FUZZING_LANGUAGE" = "python" ]; then
if [ "$FUZZING_ENGINE" != "libfuzzer" ]; then
echo "ERROR: Python projects can be fuzzed with libFuzzer engine only."
@@ -46,7 +61,8 @@ if [[ $ARCHITECTURE == "i386" ]]; then
export CFLAGS="-m32 $CFLAGS"
cp -R /usr/i386/lib/* /usr/lib
fi
-if [[ $FUZZING_ENGINE != "none" ]]; then
+# JVM projects are fuzzed with Jazzer, which has libFuzzer built in.
+if [[ $FUZZING_ENGINE != "none" ]] && [[ $FUZZING_LANGUAGE != "jvm" ]]; then
# compile script might override environment, use . to call it.
. compile_${FUZZING_ENGINE}
fi
@@ -87,6 +103,11 @@ if [ "$SANITIZER" != "undefined" ] && [ "$SANITIZER" != "coverage" ] && [ "$ARCH
else
export RUSTFLAGS="--cfg fuzzing -Cdebuginfo=1 -Cforce-frame-pointers"
fi
+if [ "$SANITIZER" = "coverage" ]
+then
+ # link to C++ from comment in f5098035eb1a14aa966c8651d88ea3d64323823d
+ export RUSTFLAGS="$RUSTFLAGS -Zinstrument-coverage -C link-arg=-lc++"
+fi
# Add Rust libfuzzer flags.
# See https://github.com/rust-fuzz/libfuzzer/blob/master/build.rs#L12.
@@ -113,6 +134,11 @@ fi
# Copy latest llvm-symbolizer in $OUT for stack symbolization.
cp $(which llvm-symbolizer) $OUT/
+# Copy Jazzer to $OUT if needed.
+if [ "$FUZZING_LANGUAGE" = "jvm" ]; then
+ cp $(which jazzer_agent_deploy.jar) $(which jazzer_driver) $(which jazzer_driver_asan) $OUT/
+fi
+
echo "---------------------------------------------------------------"
echo "CC=$CC"
echo "CXX=$CXX"
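Review bot: `cp $(which jazzer_agent_deploy.jar) $(which jazzer_driver) $(which jazzer_driver_asan) $OUT/` relies on `which` locating a `.jar` on `PATH`, which only works if the file placed in `/usr/local/bin` carries the execute bit; if it does not, that substitution expands to nothing and `cp` silently copies only the two drivers, leaving the agent missing at runtime without any non-zero exit for `-e` to catch. Because the Dockerfile installs all three artifacts into `/usr/local/bin` by known path, copying them explicitly is more robust: `cp /usr/local/bin/jazzer_agent_deploy.jar /usr/local/bin/jazzer_driver /usr/local/bin/jazzer_driver_asan $OUT/`. Whether the copied jar is executable is not visible from this diff, so treat the failure mode as something to confirm.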
@@ -124,7 +150,7 @@ BUILD_CMD="bash -eux $SRC/build.sh"
# We need to preserve source code files for generating a code coverage report.
# We need exact files that were compiled, so copy both $SRC and $WORK dirs.
-COPY_SOURCES_CMD="cp -rL --parents $SRC $WORK /usr/include /usr/local/include $GOPATH $OUT"
+COPY_SOURCES_CMD="cp -rL --parents $SRC $WORK /usr/include /usr/local/include $GOPATH $OSSFUZZ_RUSTPATH $OUT"
if [ "${BUILD_UID-0}" -ne "0" ]; then
adduser -u $BUILD_UID --disabled-password --gecos '' builder
diff --git a/infra/base-images/base-builder/compile_afl b/infra/base-images/base-builder/compile_afl
index 318eca44e..dc6624459 100644
--- a/infra/base-images/base-builder/compile_afl
+++ b/infra/base-images/base-builder/compile_afl
@@ -15,43 +15,78 @@
#
################################################################################
-echo "Compiling afl++"
+# afl++ configuration options.
+# The 'env|grep' setup ensures we do not trigger the linter.
+# The variables need to be set to "1" here - or before running this script.
-# Build and copy afl++ tools necessary for fuzzing.
+# AFL++ settings.
+export AFL_LLVM_MODE_WORKAROUND=0
+export AFL_ENABLE_DICTIONARY=0
+
+# Start compiling afl++.
+echo "Copying precompiled afl++"
+
+# Copy afl++ tools necessary for fuzzing.
pushd $SRC/aflplusplus > /dev/null
-# Unset CFLAGS and CXXFLAGS while building AFL since we don't want to slow it
-# down with sanitizers.
-INITIAL_CXXFLAGS=$CXXFLAGS
-INITIAL_CFLAGS=$CFLAGS
-unset CXXFLAGS
-unset CFLAGS
-make clean
-AFL_NO_X86=1 PYTHON_INCLUDE=/ make
-CFLAGS=$INITIAL_CFLAGS
-CXXFLAGS=$INITIAL_CXXFLAGS
-
-# Build afl++ driver with existing CFLAGS, CXXFLAGS.
-make -C utils/aflpp_driver
-cp libAFLDriver.a $LIB_FUZZING_ENGINE
+cp -f libAFLDriver.a $LIB_FUZZING_ENGINE
# Some important projects include libraries, copy those even when they don't
# start with "afl-". Use "sort -u" to avoid a warning about duplicates.
ls afl-* *.txt *.a *.o *.so | sort -u | xargs cp -t $OUT
-popd > /dev/null
-
export CC="$SRC/aflplusplus/afl-clang-fast"
export CXX="$SRC/aflplusplus/afl-clang-fast++"
# Set sane afl++ environment defaults:
# Be quiet, otherwise this can break some builds.
export AFL_QUIET=1
-# Several targets run their own tools, so ensure its working.
-export AFL_MAP_SIZE=4194304
# No leak errors during builds.
-export ASAN_OPTIONS="detect_leaks=0:symbolize=0"
-#
-# Placeholder for the upcoming afl++ build options roulette
-#
+export ASAN_OPTIONS="detect_leaks=0:symbolize=0:detect_odr_violation=0:abort_on_error=1"
+
+# AFL compile option roulette. It is OK if they all happen together.
+
+# 40% chance to perform CMPLOG
+rm -f "$OUT/afl_cmplog.txt"
+test $(($RANDOM % 10)) -lt 4 && {
+ export AFL_LLVM_CMPLOG=1
+ touch "$OUT/afl_cmplog.txt"
+}
+
+# 10% chance to perform LAF_INTEL
+test $(($RANDOM % 10)) -lt 1 && {
+ export AFL_LLVM_LAF_ALL=1
+}
+
+# If the targets wants a dictionary - then create one.
+test "$AFL_ENABLE_DICTIONARY" = "1" && {
+ export AFL_LLVM_DICT2FILE="$OUT/afl++.dict"
+}
+
+# In case afl-clang-fast ever breaks, this is a workaround:
+test "$AFL_LLVM_MODE_WORKAROUND" = "1" && {
+ export CC=clang
+ export CXX=clang++
+ WORKAROUND_FLAGS=-fsanitize-coverage=trace-pc-guard
+ # We can still do CMPLOG light:
+ test -e "$OUT/afl_cmplog.txt" && {
+ WORKAROUND_FLAGS="$WORKAROUND_FLAGS",trace-cmp
+ }
+ export CFLAGS="$CFLAGS $WORKAROUND_FLAGS"
+ export CXXFLAGS="$CXXFLAGS $WORKAROUND_FLAGS"
+ unset AFL_LLVM_LAF_ALL
+ unset AFL_LLVM_DICT2FILE
+ unset AFL_ENABLE_DICTIONARY
+ # We need to create a new fuzzer lib however.
+ ar ru libAFLDrivernew.a afl-compiler-rt.o utils/aflpp_driver/aflpp_driver.o
+ cp -f libAFLDrivernew.a $LIB_FUZZING_ENGINE
+}
+
+# Provide a way to document the afl++ options used in this build:
+echo
+echo afl++ target compilation setup:
+env | grep AFL_ | tee "$OUT/afl_options.txt"
+echo
+
+popd > /dev/null
echo " done."
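Review bot: The two unconditional assignments near the top, `export AFL_LLVM_MODE_WORKAROUND=0` and `export AFL_ENABLE_DICTIONARY=0`, overwrite whatever the caller set, which contradicts the comment two lines above saying the variables may be set "before running this script". Use a default that keeps a pre-set value: `export AFL_LLVM_MODE_WORKAROUND="${AFL_LLVM_MODE_WORKAROUND:-0}"` and `export AFL_ENABLE_DICTIONARY="${AFL_ENABLE_DICTIONARY:-0}"`. The `$RANDOM`-driven CMPLOG/LAF selection also makes two builds of the same source differ; the chosen options are recorded in `$OUT/afl_options.txt`, but the header comment should say that reproducing a given build means replaying those options. The comment `# The 'env|grep' setup ensures we do not trigger the linter.` does not explain what it refers to and should be reworded or dropped.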
diff --git a/infra/base-images/base-builder/compile_go_fuzzer b/infra/base-images/base-builder/compile_go_fuzzer
index 8f8cde759..2342800fb 100755
--- a/infra/base-images/base-builder/compile_go_fuzzer
+++ b/infra/base-images/base-builder/compile_go_fuzzer
@@ -18,27 +18,35 @@
path=$1
function=$2
fuzzer=$3
-tags=""
+tags="-tags gofuzz"
if [[ $# -eq 4 ]]; then
tags="-tags $4"
fi
+# makes directory change temporary
+(
+cd $GOPATH/src/$path || true
+# in the case we are in the right directory, with go.mod but no go.sum
+go mod tidy || true
+# project was downloaded with go get if go list fails
+go list $tags $path || { cd $GOPATH/pkg/mod/ && cd `echo $path | cut -d/ -f1-3 | awk '{print $1"@*"}'`; }
+# project does not have go.mod if go list fails again
+go list $tags $path || { go mod init $path && go mod tidy ;}
+
if [[ $SANITIZER = *coverage* ]]; then
- cd $GOPATH/src/$path
- fuzzed_package=`go list $tags -f '{{.Name}}'`
+ fuzzed_package=`go list $tags -f '{{.Name}}' $path`
+ abspath=`go list $tags -f {{.Dir}} $path`
+ cd $abspath
cp $GOPATH/ossfuzz_coverage_runner.go ./"${function,,}"_test.go
sed -i -e 's/FuzzFunction/'$function'/' ./"${function,,}"_test.go
sed -i -e 's/mypackagebeingfuzzed/'$fuzzed_package'/' ./"${function,,}"_test.go
sed -i -e 's/TestFuzzCorpus/Test'$function'Corpus/' ./"${function,,}"_test.go
- echo "#!/bin/sh" > $OUT/$fuzzer
- echo "cd $path" >> $OUT/$fuzzer
- # The fuzzer may be in a subdirectory, but we want the coverage report for the whole repository
fuzzed_repo=`echo $path | cut -d/ -f-3`
- echo "go test -run Test${function}Corpus -v $tags -coverpkg $fuzzed_repo/... -coverprofile \$1 " >> $OUT/$fuzzer
- chmod +x $OUT/$fuzzer
-
- cd -
+ abspath_repo=`go list -m $tags -f {{.Dir}} $fuzzed_repo || go list $tags -f {{.Dir}} $fuzzed_repo`
+ # give equivalence to absolute paths in another file, as go test -cover uses golangish pkg.Dir
+ echo "s=$fuzzed_repo"="$abspath_repo"= > $OUT/$fuzzer.gocovpath
+ go test -run Test${function}Corpus -v $tags -coverpkg $fuzzed_repo/... -c -o $OUT/$fuzzer $path
else
# Compile and instrument all Go files relevant to this fuzz target.
echo "Running go-fuzz $tags -func $function -o $fuzzer.a $path"
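Review bot: The fallback that enters `$GOPATH/pkg/mod/` and then `cd`s into the `cut -d/ -f1-3 | awk '{print $1"@*"}'` glob relies on `@*` matching exactly one cached module version; with two versions cached, `cd` receives several arguments and fails, and the later `go list $tags $path || { go mod init $path && go mod tidy ;}` would then, as far as I can tell, create a go.mod inside the module cache rather than in the project. The `|| true` guards on `cd` and `go mod tidy` also hide download failures, so a build can continue with a partially resolved module graph. Consider resolving the directory once with `go list -m -f '{{.Dir}}' <module>` and failing loudly if it is empty instead of chaining `||`. The subshell opened by `(` here continues into the next hunk, where it is closed.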
@@ -47,3 +55,4 @@ else
# Link Go code ($fuzzer.a) with fuzzing engine to produce fuzz target binary.
$CXX $CXXFLAGS $LIB_FUZZING_ENGINE $fuzzer.a -o $OUT/$fuzzer
fi
+)
diff --git a/infra/base-images/base-builder/compile_honggfuzz b/infra/base-images/base-builder/compile_honggfuzz
index 362a0a598..f86e8426d 100755
--- a/infra/base-images/base-builder/compile_honggfuzz
+++ b/infra/base-images/base-builder/compile_honggfuzz
@@ -17,8 +17,8 @@
echo "Skipping compilation; using precompiled honggfuzz"
-cp $PRECOMPILED_DIR/honggfuzz.a $LIB_FUZZING_ENGINE
-cp $PRECOMPILED_DIR/honggfuzz $OUT/
+cp $SRC/honggfuzz/honggfuzz.a $LIB_FUZZING_ENGINE
+cp $SRC/honggfuzz/honggfuzz $OUT/
# Custom coverage flags, roughly in sync with:
# https://github.com/google/honggfuzz/blob/oss-fuzz/hfuzz_cc/hfuzz-cc.c
diff --git a/infra/base-images/base-builder/compile_libfuzzer b/infra/base-images/base-builder/compile_libfuzzer
index 00f2d6337..3fd7f3906 100755
--- a/infra/base-images/base-builder/compile_libfuzzer
+++ b/infra/base-images/base-builder/compile_libfuzzer
@@ -16,16 +16,7 @@
################################################################################
echo -n "Compiling libFuzzer to $LIB_FUZZING_ENGINE... "
-mkdir -p $WORK/libfuzzer
-pushd $WORK/libfuzzer > /dev/null
-
-# Use -fPIC to allow preloading (LD_PRELOAD).
-$CXX $CXXFLAGS -std=c++11 -O2 -fPIC $SANITIZER_FLAGS -fno-sanitize=vptr \
- -c $SRC/libfuzzer/*.cpp -I$SRC/libfuzzer
-ar r $LIB_FUZZING_ENGINE_DEPRECATED $WORK/libfuzzer/*.o
-popd > /dev/null
-rm -rf $WORK/libfuzzer
-# Override variable as libFuzzer builds do not link directly against an
-# engine library, but use -fsanitize=fuzzer to instruct clang to do so.
export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
+cp /usr/local/lib/clang/*/lib/linux/libclang_rt.fuzzer-$ARCHITECTURE.a \
+ $LIB_FUZZING_ENGINE_DEPRECATED
echo " done."
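Review bot: The new copy `cp /usr/local/lib/clang/*/lib/linux/libclang_rt.fuzzer-$ARCHITECTURE.a $LIB_FUZZING_ENGINE_DEPRECATED` assumes the `*` glob matches exactly one clang version directory; a second installed version would hand `cp` two sources and a file destination, and it would fail. The explanation removed with the old build, `# Override variable as libFuzzer builds do not link directly against an engine library, but use -fsanitize=fuzzer to instruct clang to do so.`, still describes the surviving `export LIB_FUZZING_ENGINE="-fsanitize=fuzzer"` line and should be kept above it. The old build also passed `-fPIC` to allow LD_PRELOAD; whether the prebuilt archive satisfies the same need is not visible here and is worth confirming in a comment.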
diff --git a/infra/base-images/base-builder/debug_afl b/infra/base-images/base-builder/debug_afl
new file mode 100755
index 000000000..c53dae815
--- /dev/null
+++ b/infra/base-images/base-builder/debug_afl
@@ -0,0 +1,40 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Source this file for afl++ debug sessions.
+apt-get update
+apt-get install -y strace gdb vim joe psmisc
+
+pushd $SRC/aflplusplus > /dev/null
+git checkout dev
+git pull
+test -n "$1" && { git checkout "$1" ; git pull ; }
+CFLAGS_SAVE="$CFLAGS"
+CXXFLAGS_SAVE="$CXXFLAGS"
+unset CFLAGS
+unset CXXFLAGS
+make
+export CFLAGS="$CFLAGS_SAVE"
+export CXXFLAGS="$CXXFLAGS_SAVE"
+popd > /dev/null
+
+export ASAN_OPTIONS="detect_leaks=0:symbolize=0:detect_odr_violation=0:abort_on_error=1"
+export AFL_LLVM_LAF_ALL=1
+export AFL_LLVM_CMPLOG=1
+touch "$OUT/afl_cmplog.txt"
+export AFL_LLVM_DICT2FILE=$OUT/afl++.dict
+ulimit -c unlimited
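Review bot: `test -n "$1" && { git checkout "$1" ; git pull ; }` breaks when this file is sourced into a shell running with `set -u` and no argument was given, because `$1` is then an unset parameter; use `"${1:-}"`. The unconditional `git checkout dev` and `git pull` also move `$SRC/aflplusplus` to whatever the remote branch head is at debug time, so the debug build no longer matches the checkout the image was built from; a header comment should say this is intentional and that results may not reproduce against the pinned build. The `make` here omits the `AFL_NO_X86=1 PYTHON_INCLUDE=/` settings used by precompile_afl, which may be deliberate but deserves a comment.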
diff --git a/infra/base-images/base-builder/detect_repo.py b/infra/base-images/base-builder/detect_repo.py
index 8969e974f..e677e1023 100644
--- a/infra/base-images/base-builder/detect_repo.py
+++ b/infra/base-images/base-builder/detect_repo.py
@@ -107,20 +107,25 @@ def get_repo(repo_path):
return None
-def check_for_repo_name(repo_path, repo_name):
- """Check to see if the repo_name matches the remote repository repo name.
+def check_for_repo_name(repo_path, expected_repo_name):
+ """Returns True if the repo at |repo_path| repo_name matches
+ |expected_repo_name|.
Args:
- repo_path: The directory of the git repo.
- repo_name: The name of the target git repo.
+ repo_path: The directory of a git repo.
+ expected_repo_name: The name of the target git repo.
"""
if not os.path.exists(os.path.join(repo_path, '.git')):
return False
- out, _ = execute(['git', 'config', '--get', 'remote.origin.url'],
- location=repo_path)
- out = out.split('/')[-1].replace('.git', '').rstrip()
- return out == repo_name
+ repo_url, _ = execute(['git', 'config', '--get', 'remote.origin.url'],
+ location=repo_path)
+ # Handle two common cases:
+ # https://github.com/google/syzkaller/
+ # https://github.com/google/syzkaller.git
+ repo_url = repo_url.replace('.git', '').rstrip().rstrip('/')
+ actual_repo_name = repo_url.split('/')[-1]
+ return actual_repo_name == expected_repo_name
def check_for_commit(repo_path, commit):
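Review bot: `repo_url = repo_url.replace('.git', '').rstrip().rstrip('/')` removes every `.git` substring in the URL, not only the suffix, so a remote such as `https://github.com/google/.github` is reduced to `hub` and never matches. Trim first and then strip only the suffix, e.g. `repo_url = repo_url.rstrip().rstrip('/')` followed by `if repo_url.endswith('.git'): repo_url = repo_url[:-len('.git')]`. The old code had the same `replace`, but since the line is being rewritten this is the moment to fix it, and a test with a `.github`-style URL would pin the behavior.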
diff --git a/infra/base-images/base-builder/detect_repo_test.py b/infra/base-images/base-builder/detect_repo_test.py
index 21f64af44..0243b3ac5 100644
--- a/infra/base-images/base-builder/detect_repo_test.py
+++ b/infra/base-images/base-builder/detect_repo_test.py
@@ -23,6 +23,7 @@ import re
import sys
import tempfile
import unittest
+from unittest import mock
import detect_repo
@@ -36,6 +37,33 @@ import test_repos
# pylint: enable=wrong-import-position
+class TestCheckForRepoName(unittest.TestCase):
+ """Tests for check_for_repo_name."""
+
+ @mock.patch('os.path.exists', return_value=True)
+ @mock.patch('detect_repo.execute',
+ return_value=('https://github.com/google/syzkaller/', None))
+ def test_go_get_style_url(self, _, __):
+ """Tests that check_for_repo_name works on repos that were downloaded using
+ go get."""
+ self.assertTrue(detect_repo.check_for_repo_name('fake-path', 'syzkaller'))
+
+ @mock.patch('os.path.exists', return_value=True)
+ @mock.patch('detect_repo.execute',
+ return_value=('https://github.com/google/syzkaller', None))
+ def test_missing_git_and_slash_url(self, _, __):
+ """Tests that check_for_repo_name works on repos who's URLs do not end in
+ ".git" or "/"."""
+ self.assertTrue(detect_repo.check_for_repo_name('fake-path', 'syzkaller'))
+
+ @mock.patch('os.path.exists', return_value=True)
+ @mock.patch('detect_repo.execute',
+ return_value=('https://github.com/google/syzkaller.git', None))
+ def test_normal_style_repo_url(self, _, __):
+ """Tests that check_for_repo_name works on normally cloned repos."""
+ self.assertTrue(detect_repo.check_for_repo_name('fake-path', 'syzkaller'))
+
+
@unittest.skipIf(not os.getenv('INTEGRATION_TESTS'),
'INTEGRATION_TESTS=1 not set')
class DetectRepoIntegrationTest(unittest.TestCase):
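Review bot: All three new tests assert `True`, so a `check_for_repo_name` that always returned `True` would pass them; add one negative case under the same mocks, e.g. `self.assertFalse(detect_repo.check_for_repo_name('fake-path', 'not-syzkaller'))`. The docstring `"""Tests that check_for_repo_name works on repos who's URLs do not end in ".git" or "/"."""` should read `whose`.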
diff --git a/infra/base-images/base-builder/precompile_afl b/infra/base-images/base-builder/precompile_afl
new file mode 100755
index 000000000..d6e71f2c3
--- /dev/null
+++ b/infra/base-images/base-builder/precompile_afl
@@ -0,0 +1,35 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+echo "Precompiling AFLplusplus"
+
+pushd $SRC/aflplusplus > /dev/null
+make clean
+# Unset CFLAGS and CXXFLAGS while building AFL since we don't want to slow it
+# down with sanitizers.
+SAVE_CXXFLAGS=$CXXFLAGS
+SAVE_CFLAGS=$CFLAGS
+unset CXXFLAGS
+unset CFLAGS
+export AFL_IGNORE_UNKNOWN_ENVS=1
+make clean
+AFL_NO_X86=1 PYTHON_INCLUDE=/ make
+make -C utils/aflpp_driver
+
+popd > /dev/null
+
+echo "Done."
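Review bot: `make clean` runs twice in this script, once right after the `pushd` and again after `export AFL_IGNORE_UNKNOWN_ENVS=1`; the first is redundant and can be dropped. With `#!/bin/bash -eu`, `SAVE_CXXFLAGS=$CXXFLAGS` and `SAVE_CFLAGS=$CFLAGS` abort if either variable is unset, so `${CXXFLAGS:-}` and `${CFLAGS:-}` would make the script usable outside the builder image. The saved values are never restored, which is fine for a standalone script, but a one-line comment saying so would stop a reader from looking for the restore.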
diff --git a/infra/base-images/base-builder/precompile_honggfuzz b/infra/base-images/base-builder/precompile_honggfuzz
index 2565bb83f..df6bb2b75 100755
--- a/infra/base-images/base-builder/precompile_honggfuzz
+++ b/infra/base-images/base-builder/precompile_honggfuzz
@@ -15,7 +15,7 @@
#
################################################################################
-echo -n "Precompiling honggfuzz to $PRECOMPILED_DIR..."
+echo "Precompiling honggfuzz"
export BUILD_OSSFUZZ_STATIC=true
PACKAGES=(
@@ -37,10 +37,9 @@ CC=clang CFLAGS="-O3 -funroll-loops -D_HF_LINUX_NO_BFD" make
# libhfuzz.a will be added by CC/CXX linker directly during linking,
# but it's defined here to satisfy the build infrastructure
-ar rcs $PRECOMPILED_DIR/honggfuzz.a libhfuzz/*.o libhfcommon/*.o
-cp honggfuzz $PRECOMPILED_DIR/
+ar rcs honggfuzz.a libhfuzz/*.o libhfcommon/*.o
popd > /dev/null
apt-get remove -y --purge ${PACKAGES[@]}
apt-get autoremove -y
-echo " done."
+echo "Done."
diff --git a/infra/base-images/base-clang/Dockerfile b/infra/base-images/base-clang/Dockerfile
index 928e7934f..3c16a8f3c 100644
--- a/infra/base-images/base-clang/Dockerfile
+++ b/infra/base-images/base-clang/Dockerfile
@@ -25,7 +25,8 @@ RUN apt-get update && apt-get install -y wget sudo && \
chmod +x cmake-$CMAKE_VERSION-Linux-x86_64.sh && \
./cmake-$CMAKE_VERSION-Linux-x86_64.sh --skip-license --prefix="/usr/local" && \
rm cmake-$CMAKE_VERSION-Linux-x86_64.sh && \
- SUDO_FORCE_REMOVE=yes apt-get remove --purge -y wget sudo
+ SUDO_FORCE_REMOVE=yes apt-get remove --purge -y wget sudo && \
+ rm -rf /usr/local/doc/cmake /usr/local/bin/cmake-gui
COPY checkout_build_install_llvm.sh /root/
# Keep all steps in the same script to decrease the number of intermediate
diff --git a/infra/base-images/base-clang/checkout_build_install_llvm.sh b/infra/base-images/base-clang/checkout_build_install_llvm.sh
index c5d97d5bf..f6e8ca99c 100755
--- a/infra/base-images/base-clang/checkout_build_install_llvm.sh
+++ b/infra/base-images/base-clang/checkout_build_install_llvm.sh
@@ -15,10 +15,14 @@
#
################################################################################
-NPROC=16 # See issue #4270. The compiler crashes on GCB instance with 32 vCPUs.
+# See issue #4270. The compiler crashes on GCB instance with 32 vCPUs, so when
+# we compile on GCB we want 16 cores. But locally we want more (so use nproc /
+# 2).
+NPROC=$(expr $(nproc) / 2)
-LLVM_DEP_PACKAGES="build-essential make cmake ninja-build git python3 g++-multilib binutils-dev"
-apt-get install -y $LLVM_DEP_PACKAGES
+# zlib1g-dev is needed for llvm-profdata to handle coverage data from rust compiler
+LLVM_DEP_PACKAGES="build-essential make cmake ninja-build git python3 g++-multilib binutils-dev zlib1g-dev"
+apt-get install -y $LLVM_DEP_PACKAGES --no-install-recommends
# Checkout
CHECKOUT_RETRIES=10
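Review bot: `NPROC=$(expr $(nproc) / 2)` yields 0 on a single-CPU host, and `ninja -j 0` (presumably still used for the stage-2 build outside this hunk) means no parallelism limit, the opposite of what the comment intends; clamp it, e.g. `NPROC=$(( $(nproc) / 2 )); [ "$NPROC" -ge 1 ] || NPROC=1`. The comment says GCB should use 16 cores, but nothing in the code distinguishes GCB from a local build; it only halves whatever `nproc` reports, so the comment should say that halving a 32-vCPU instance is what keeps GCB at 16.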
@@ -60,7 +64,7 @@ function cmake_llvm {
# Use chromium's clang revision
mkdir $SRC/chromium_tools
cd $SRC/chromium_tools
-git clone https://chromium.googlesource.com/chromium/src/tools/clang
+git clone https://chromium.googlesource.com/chromium/src/tools/clang --depth 1
cd clang
LLVM_SRC=$SRC/llvm-project
@@ -89,11 +93,9 @@ fi
git -C $LLVM_SRC checkout $LLVM_REVISION
echo "Using LLVM revision: $LLVM_REVISION"
-# Build & install. We build clang in two stages because gcc can't build a
-# static version of libcxxabi
-# (see https://github.com/google/oss-fuzz/issues/2164).
+# Build & install.
mkdir -p $WORK/llvm-stage2 $WORK/llvm-stage1
-cd $WORK/llvm-stage1
+python3 $SRC/chromium_tools/clang/scripts/update.py --output-dir $WORK/llvm-stage1
TARGET_TO_BUILD=
case $(uname -m) in
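Review bot: `python3 $SRC/chromium_tools/clang/scripts/update.py --output-dir $WORK/llvm-stage1` replaces the from-source stage-1 build (the `cmake_llvm` and `ninja -j $NPROC` lines removed in the next hunk) with whatever that script fetches, so the integrity of the bootstrap compiler now rests on update.py's own download and verification logic, which is not visible here. A comment next to the line should state what is fetched and how it is pinned and verified, given that the `--depth 1` clone of chromium tools earlier in this file means the script version is whatever HEAD was at image build time. The rationale dropped from the `# Build & install.` comment (why there are two stages) is still relevant to stage 2 and should be kept in some form.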
@@ -111,9 +113,6 @@ esac
PROJECTS_TO_BUILD="libcxx;libcxxabi;compiler-rt;clang;lld"
-cmake_llvm
-ninja -j $NPROC
-
cd $WORK/llvm-stage2
export CC=$WORK/llvm-stage1/bin/clang
export CXX=$WORK/llvm-stage1/bin/clang++
@@ -175,3 +174,54 @@ rm -rf $LLVM_SRC
rm -rf $SRC/chromium_tools
apt-get remove --purge -y $LLVM_DEP_PACKAGES
apt-get autoremove -y
+
+# Delete unneeded parts of LLVM to reduce image size.
+# See https://github.com/google/oss-fuzz/issues/5170
+LLVM_TOOLS_TMPDIR=/tmp/llvm-tools
+mkdir $LLVM_TOOLS_TMPDIR
+# Move binaries with llvm- prefix that we want into LLVM_TOOLS_TMPDIR
+mv \
+ /usr/local/bin/llvm-ar \
+ /usr/local/bin/llvm-as \
+ /usr/local/bin/llvm-config \
+ /usr/local/bin/llvm-cov \
+ /usr/local/bin/llvm-objcopy \
+ /usr/local/bin/llvm-profdata \
+ /usr/local/bin/llvm-ranlib \
+ /usr/local/bin/llvm-symbolizer \
+ /usr/local/bin/llvm-undname \
+ $LLVM_TOOLS_TMPDIR
+# Delete remaining llvm- binaries.
+rm -rf /usr/local/bin/llvm-*
+# Restore the llvm- binaries we want to keep.
+mv $LLVM_TOOLS_TMPDIR/* /usr/local/bin/
+rm -rf $LLVM_TOOLS_TMPDIR
+
+# Remove binaries from LLVM buld that we don't need.
+rm -f \
+ /usr/local/bin/bugpoint \
+ /usr/local/bin/llc \
+ /usr/local/bin/lli \
+ /usr/local/bin/clang-check \
+ /usr/local/bin/clang-refactor \
+ /usr/local/bin/clang-offload-wrapper \
+ /usr/local/bin/clang-offload-bundler \
+ /usr/local/bin/clang-check \
+ /usr/local/bin/clang-refactor \
+ /usr/local/bin/c-index-test \
+ /usr/local/bin/clang-rename \
+ /usr/local/bin/clang-scan-deps \
+ /usr/local/bin/clang-extdef-mapping \
+ /usr/local/bin/diagtool \
+ /usr/local/bin/sanstats \
+ /usr/local/bin/dsymutil \
+ /usr/local/bin/verify-uselistorder \
+ /usr/local/bin/clang-format
+
+# Remove unneeded clang libs, CMake files from LLVM build, lld libs, and the
+# libraries.
+# Note: we need fuzzer_no_main libraries for atheris. Don't delete.
+rm -rf \
+ /usr/local/lib/libclang* \
+ /usr/local/lib/liblld* \
+ /usr/local/lib/cmake/
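Review bot: The `rm -f` list names `/usr/local/bin/clang-check` and `/usr/local/bin/clang-refactor` twice; drop the second occurrences. `mkdir $LLVM_TOOLS_TMPDIR` uses the fixed `/tmp/llvm-tools` path without `-p`, so a re-run where it already exists fails; `mkdir -p "$LLVM_TOOLS_TMPDIR"` is safer. The typo in `# Remove binaries from LLVM buld that we don't need.` should be `build`, and `# Note: we need fuzzer_no_main libraries for atheris. Don't delete.` would be clearer if it named which directory is deliberately left out of the `rm -rf` list below it.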
diff --git a/infra/base-images/base-runner/Dockerfile b/infra/base-images/base-runner/Dockerfile
index f0a264fa7..f847de026 100644..100755
--- a/infra/base-images/base-runner/Dockerfile
+++ b/infra/base-images/base-runner/Dockerfile
@@ -14,30 +14,40 @@
#
################################################################################
+# Build rust stuff in its own image. We only need the resulting binaries.
+# Keeping the rust toolchain in the image wastes 1 GB.
+FROM gcr.io/oss-fuzz-base/base-image as temp-runner-binary-builder
+
+RUN apt-get update && apt-get install -y cargo
+RUN cargo install rustfilt
+
# Using multi-stage build to copy some LLVM binaries needed in the runner image.
FROM gcr.io/oss-fuzz-base/base-clang AS base-clang
+# Real image that will be used later.
FROM gcr.io/oss-fuzz-base/base-image
+COPY --from=temp-runner-binary-builder /root/.cargo/bin/rustfilt /usr/local/bin
+
# Copy the binaries needed for code coverage and crash symbolization.
COPY --from=base-clang /usr/local/bin/llvm-cov \
/usr/local/bin/llvm-profdata \
/usr/local/bin/llvm-symbolizer \
/usr/local/bin/
-# TODO(metzman): Install libc6-i386 lib32gcc1 instead of libc6-dev-i386 for
-# consistency with ClusterFuzz image and to reduce size.
RUN apt-get update && apt-get install -y \
binutils \
file \
fonts-dejavu \
git \
- libc6-dev-i386 \
+ lib32gcc1 \
+ libc6-i386 \
libcap2 \
python3 \
python3-pip \
+ unzip \
wget \
- zip
+ zip --no-install-recommends
RUN git clone https://chromium.googlesource.com/chromium/src/tools/code_coverage /opt/code_coverage && \
pip3 install -r /opt/code_coverage/requirements.txt
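Review bot: `RUN cargo install rustfilt` pulls an unpinned crate at image build time, so the runner image is not reproducible and a future crate release lands without review; pin it, e.g. `RUN cargo install rustfilt --version <pinned rustfilt version>`. The builder stage's `apt-get install -y cargo` has no `--no-install-recommends` while the later apt line in the same file does, a minor inconsistency worth aligning.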
@@ -66,7 +76,20 @@ ENV GOPATH /root/go
ENV PATH $PATH:/root/.go/bin:$GOPATH/bin
# Set up Golang coverage modules.
-RUN go get github.com/google/oss-fuzz/infra/go/coverage/...
+COPY gocoverage $GOPATH/gocoverage
+RUN cd $GOPATH/gocoverage && go install ./...
+
+# Install OpenJDK 15 and trim its size by removing unused components.
+ENV JAVA_HOME=/usr/lib/jvm/java-15-openjdk-amd64
+ENV JVM_LD_LIBRARY_PATH=$JAVA_HOME/lib/server
+ENV PATH=$PATH:$JAVA_HOME/bin
+
+RUN wget https://download.java.net/java/GA/jdk15.0.2/0d1cfde4252546c6931946de8db48ee2/7/GPL/openjdk-15.0.2_linux-x64_bin.tar.gz -O /tmp/openjdk-15.0.2_linux-x64_bin.tar.gz && \
+ cd /tmp && \
+ mkdir -p $JAVA_HOME && \
+ tar -xzv --strip-components=1 -f openjdk-15.0.2_linux-x64_bin.tar.gz --directory $JAVA_HOME && \
+ rm -f openjdk-15.0.2_linux-x64_bin.tar.gz && \
+ rm -rf $JAVA_HOME/jmods $JAVA_HOME/lib/src.zip
# Do this last to make developing these files easier/faster due to caching.
COPY bad_build_check \
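Review bot: The OpenJDK tarball fetched by the `wget https://download.java.net/...openjdk-15.0.2_linux-x64_bin.tar.gz` line is extracted without any integrity check, so a tampered or corrupted download ends up in every runner image. Verify it before the `tar` step, e.g. `echo "<sha256 of the published tarball>  /tmp/openjdk-15.0.2_linux-x64_bin.tar.gz" | sha256sum -c - && \` inserted after the `wget`, with the digest taken from the publisher. `ENV PATH=$PATH:$JAVA_HOME/bin` appends rather than prepends, so any other `java` earlier on PATH wins; a comment should say whether that is intended.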
@@ -75,12 +98,11 @@ COPY bad_build_check \
coverage_helper \
dataflow_tracer.py \
download_corpus \
- minijail0 \
+ rcfilt \
reproduce \
run_fuzzer \
- run_minijail \
parse_options.py \
targets_list \
test_all.py \
- test_one \
+ test_one.py \
/usr/local/bin/
diff --git a/infra/base-images/base-runner/bad_build_check b/infra/base-images/base-runner/bad_build_check
index a57a48252..01f8fbbab 100755
--- a/infra/base-images/base-runner/bad_build_check
+++ b/infra/base-images/base-runner/bad_build_check
@@ -301,6 +301,12 @@ function check_mixed_sanitizers {
local result=0
local CALL_INSN=
+ if [ "${FUZZING_LANGUAGE:-}" = "jvm" ]; then
+ # Sanitizer runtime is linked into the Jazzer driver, so this check does not
+ # apply.
+ return 0
+ fi
+
if [ "${FUZZING_LANGUAGE:-}" = "python" ]; then
# Sanitizer runtime is loaded via LD_PRELOAD, so this check does not apply.
return 0
@@ -312,7 +318,7 @@ function check_mixed_sanitizers {
else
case $(uname -m) in
x86_64)
- CALL_INSN="callq\s+[0-9a-f]+\s+<"
+ CALL_INSN="callq?\s+[0-9a-f]+\s+<"
;;
aarch64)
CALL_INSN="bl\s+[0-9a-f]+\s+<"
@@ -328,6 +334,7 @@ function check_mixed_sanitizers {
local MSAN_CALLS=$(objdump -dC $FUZZER | egrep "${CALL_INSN}__msan" -c)
local UBSAN_CALLS=$(objdump -dC $FUZZER | egrep "${CALL_INSN}__ubsan" -c)
+
if [[ "$SANITIZER" = address ]]; then
check_asan_build $FUZZER $ASAN_CALLS $DFSAN_CALLS $MSAN_CALLS $UBSAN_CALLS
result=$?
@@ -340,6 +347,9 @@ function check_mixed_sanitizers {
elif [[ "$SANITIZER" = undefined ]]; then
check_ubsan_build $FUZZER $ASAN_CALLS $DFSAN_CALLS $MSAN_CALLS $UBSAN_CALLS
result=$?
+ elif [[ "$SANITIZER" = thread ]]; then
+ # TODO(metzman): Implement this.
+ result=0
fi
return $result
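Review bot: The new `elif [[ "$SANITIZER" = thread ]]` branch sets `result=0`, so the mixed-sanitizer check passes unconditionally for TSan builds and nothing in the output says it was skipped. Until the TODO is implemented, echo a warning in that branch, e.g. `echo "WARNING: mixed-sanitizer check is not implemented for the thread sanitizer; skipping."`, so a log reader can tell a skipped check from a passed one.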
@@ -376,6 +386,12 @@ function check_architecture {
local FUZZER=$1
local FUZZER_NAME=$(basename $FUZZER)
+ if [ "${FUZZING_LANGUAGE:-}" = "jvm" ]; then
+ # The native dependencies of a JVM project are not packaged, but loaded
+ # dynamically at runtime and thus cannot be checked here.
+ return 0;
+ fi
+
if [ "${FUZZING_LANGUAGE:-}" = "python" ]; then
FUZZER=${FUZZER}.pkg
fi
diff --git a/infra/base-images/base-runner/coverage b/infra/base-images/base-runner/coverage
index 2fcf9e977..a86b00dec 100755
--- a/infra/base-images/base-runner/coverage
+++ b/infra/base-images/base-runner/coverage
@@ -114,13 +114,15 @@ function run_fuzz_target {
function run_go_fuzz_target {
local target=$1
- cd $GOPATH/src
echo "Running go target $target"
export FUZZ_CORPUS_DIR="/corpus/${target}/"
export FUZZ_PROFILE_NAME="$DUMPS_DIR/$target.perf"
- bash $OUT/$target $DUMPS_DIR/$target.profdata &> $LOGS_DIR/$target.log
+ $OUT/$target -test.coverprofile $DUMPS_DIR/$target.profdata &> $LOGS_DIR/$target.log
+ # translate from golangish paths to current absolute paths
+ cat $OUT/$target.gocovpath | while read i; do sed -i $i $DUMPS_DIR/$target.profdata; done
+ # cf PATH_EQUIVALENCE_ARGS
+ sed -i 's=/='$OUT'/=' $DUMPS_DIR/$target.profdata
$SYSGOPATH/bin/gocovsum $DUMPS_DIR/$target.profdata > $FUZZER_STATS_DIR/$target.json
- cd $OUT
}
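Review bot: `cat $OUT/$target.gocovpath | while read i; do sed -i $i $DUMPS_DIR/$target.profdata; done` passes the sed expression unquoted, so a path containing whitespace or glob characters in the `s=...=...=` line is split or expanded before sed sees it; use `while IFS= read -r i; do sed -i "$i" "$DUMPS_DIR/$target.profdata"; done < "$OUT/$target.gocovpath"`. The expression is produced by compile_go_fuzzer from `go list` output, so the paths are trusted, but the quoting fix costs nothing and removes the `cat` pipe.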
export SYSGOPATH=$GOPATH
@@ -131,7 +133,7 @@ for fuzz_target in $FUZZ_TARGETS; do
if [[ $FUZZING_LANGUAGE == "go" ]]; then
# Continue if not a fuzz target.
if [[ $FUZZING_ENGINE != "none" ]]; then
- grep "go test -run" $fuzz_target > /dev/null 2>&1 || continue
+ grep "FUZZ_CORPUS_DIR" $fuzz_target > /dev/null 2>&1 || continue
fi
run_go_fuzz_target $fuzz_target &
else
@@ -193,7 +195,7 @@ else
# Generate HTML report.
llvm-cov show -format=html -output-dir=$REPORT_ROOT_DIR \
- -Xdemangler c++filt -Xdemangler -n $LLVM_COV_ARGS
+ -Xdemangler rcfilt $LLVM_COV_ARGS
# Export coverage summary in JSON format.
llvm-cov export -summary-only $LLVM_COV_ARGS > $SUMMARY_FILE
diff --git a/infra/base-images/base-runner/gocoverage/go.mod b/infra/base-images/base-runner/gocoverage/go.mod
new file mode 100644
index 000000000..b0b57216e
--- /dev/null
+++ b/infra/base-images/base-runner/gocoverage/go.mod
@@ -0,0 +1,8 @@
+module oss-fuzz.com/gocoverage
+
+go 1.14
+
+require (
+ github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5
+ golang.org/x/tools v0.1.0
+)
diff --git a/infra/base-images/base-runner/gocoverage/go.sum b/infra/base-images/base-runner/gocoverage/go.sum
new file mode 100644
index 000000000..3279af3ba
--- /dev/null
+++ b/infra/base-images/base-runner/gocoverage/go.sum
@@ -0,0 +1,30 @@
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5 h1:zIaiqGYDQwa4HVx5wGRTXbx38Pqxjemn4BP98wpzpXo=
+github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY=
+golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/infra/go/coverage/gocovmerge/LICENSE b/infra/base-images/base-runner/gocoverage/gocovmerge/LICENSE
index 455fb1087..455fb1087 100644
--- a/infra/go/coverage/gocovmerge/LICENSE
+++ b/infra/base-images/base-runner/gocoverage/gocovmerge/LICENSE
diff --git a/infra/go/coverage/gocovmerge/gocovmerge.go b/infra/base-images/base-runner/gocoverage/gocovmerge/gocovmerge.go
index e8099839e..e8099839e 100644
--- a/infra/go/coverage/gocovmerge/gocovmerge.go
+++ b/infra/base-images/base-runner/gocoverage/gocovmerge/gocovmerge.go
diff --git a/infra/base-images/base-runner/gocoverage/gocovsum/gocovsum.go b/infra/base-images/base-runner/gocoverage/gocovsum/gocovsum.go
new file mode 100644
index 000000000..973b7ae92
--- /dev/null
+++ b/infra/base-images/base-runner/gocoverage/gocovsum/gocovsum.go
@@ -0,0 +1,147 @@
+package main
+
+import (
+ "encoding/json"
+ "flag"
+ "fmt"
+ "log"
+
+ "go/ast"
+ "go/parser"
+ "go/token"
+
+ "golang.org/x/tools/cover"
+)
+
+type CoverageTotal struct {
+ Count int `json:"count"`
+ Covered int `json:"covered"`
+ Uncovered int `json:"notcovered"`
+ Percent float64 `json:"percent"`
+}
+
+type CoverageTotals struct {
+ Functions CoverageTotal `json:"functions,omitempty"`
+ Lines CoverageTotal `json:"lines,omitempty"`
+ Regions CoverageTotal `json:"regions,omitempty"`
+ Instantiations CoverageTotal `json:"instantiations,omitempty"`
+ Branches CoverageTotal `json:"branches,omitempty"`
+}
+
+type CoverageFile struct {
+ Summary CoverageTotals `json:"summary,omitempty"`
+ Filename string `json:"filename,omitempty"`
+}
+
+type CoverageData struct {
+ Totals CoverageTotals `json:"totals,omitempty"`
+ Files []CoverageFile `json:"files,omitempty"`
+}
+
+type PositionInterval struct {
+ start token.Position
+ end token.Position
+}
+
+type CoverageSummary struct {
+ Data []CoverageData `json:"data,omitempty"`
+ Type string `json:"type,omitempty"`
+ Version string `json:"version,omitempty"`
+}
+
+func isFunctionCovered(s token.Position, e token.Position, blocks []cover.ProfileBlock) bool {
+ for _, b := range blocks {
+ if b.StartLine >= s.Line && b.StartLine <= e.Line && b.EndLine >= s.Line && b.EndLine <= e.Line {
+ if b.Count > 0 {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+func computePercent(s *CoverageTotals) {
+ s.Regions.Percent = float64(100*s.Regions.Covered) / float64(s.Regions.Count)
+ s.Lines.Percent = float64(100*s.Lines.Covered) / float64(s.Lines.Count)
+ s.Functions.Percent = float64(100*s.Functions.Covered) / float64(s.Functions.Count)
+}
+
+func main() {
+ flag.Parse()
+
+ if len(flag.Args()) != 1 {
+ log.Fatalf("needs exactly one argument")
+ }
+ profiles, err := cover.ParseProfiles(flag.Args()[0])
+ if err != nil {
+ log.Fatalf("failed to parse profiles: %v", err)
+ }
+ r := CoverageSummary{}
+ r.Type = "oss-fuzz.go.coverage.json.export"
+ r.Version = "2.0.1"
+ r.Data = make([]CoverageData, 1)
+ for _, p := range profiles {
+ fset := token.NewFileSet() // positions are relative to fset
+ f, err := parser.ParseFile(fset, p.FileName, nil, 0)
+ if err != nil {
+ panic(err)
+ }
+ fileCov := CoverageFile{}
+ fileCov.Filename = p.FileName
+ ast.Inspect(f, func(n ast.Node) bool {
+ switch x := n.(type) {
+ case *ast.FuncLit:
+ startf := fset.Position(x.Pos())
+ endf := fset.Position(x.End())
+ fileCov.Summary.Functions.Count++
+ if isFunctionCovered(startf, endf, p.Blocks) {
+ fileCov.Summary.Functions.Covered++
+ } else {
+ fileCov.Summary.Functions.Uncovered++
+ }
+ case *ast.FuncDecl:
+ startf := fset.Position(x.Pos())
+ endf := fset.Position(x.End())
+ fileCov.Summary.Functions.Count++
+ if isFunctionCovered(startf, endf, p.Blocks) {
+ fileCov.Summary.Functions.Covered++
+ } else {
+ fileCov.Summary.Functions.Uncovered++
+ }
+ }
+ return true
+ })
+
+ for _, b := range p.Blocks {
+ fileCov.Summary.Regions.Count++
+ if b.Count > 0 {
+ fileCov.Summary.Regions.Covered++
+ } else {
+ fileCov.Summary.Regions.Uncovered++
+ }
+
+ fileCov.Summary.Lines.Count += b.NumStmt
+ if b.Count > 0 {
+ fileCov.Summary.Lines.Covered += b.NumStmt
+ } else {
+ fileCov.Summary.Lines.Uncovered += b.NumStmt
+ }
+ }
+ r.Data[0].Totals.Regions.Count += fileCov.Summary.Regions.Count
+ r.Data[0].Totals.Regions.Covered += fileCov.Summary.Regions.Covered
+ r.Data[0].Totals.Regions.Uncovered += fileCov.Summary.Regions.Uncovered
+ r.Data[0].Totals.Lines.Count += fileCov.Summary.Lines.Count
+ r.Data[0].Totals.Lines.Covered += fileCov.Summary.Lines.Covered
+ r.Data[0].Totals.Lines.Uncovered += fileCov.Summary.Lines.Uncovered
+ r.Data[0].Totals.Functions.Count += fileCov.Summary.Functions.Count
+ r.Data[0].Totals.Functions.Covered += fileCov.Summary.Functions.Covered
+ r.Data[0].Totals.Functions.Uncovered += fileCov.Summary.Functions.Uncovered
+
+ computePercent(&fileCov.Summary)
+ r.Data[0].Files = append(r.Data[0].Files, fileCov)
+ }
+
+ computePercent(&r.Data[0].Totals)
+ o, _ := json.Marshal(r)
+ fmt.Printf(string(o))
+}
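Review bot: `computePercent` divides by `Count` without a zero guard, so a profile whose file has no functions or no blocks produces `NaN`; `json.Marshal` rejects NaN and that error is discarded at `o, _ := json.Marshal(r)`, after which `main` prints an empty string and exits 0, handing the coverage runner an empty JSON summary. Guard the division, check the Marshal error, and write the output with `fmt.Print` rather than `fmt.Printf(string(o))`, which treats any `%` in the data as a format verb. `parser.ParseFile` failing on one file also `panic`s the whole run; `log.Fatalf` with the file name would be consistent with the other error paths.
```go
func percent(covered, count int) float64 {
	if count == 0 {
		return 0
	}
	return float64(100*covered) / float64(count)
}

func computePercent(s *CoverageTotals) {
	s.Regions.Percent = percent(s.Regions.Covered, s.Regions.Count)
	s.Lines.Percent = percent(s.Lines.Covered, s.Lines.Count)
	s.Functions.Percent = percent(s.Functions.Covered, s.Functions.Count)
}

// … unchanged: main up to the final computePercent call …
	computePercent(&r.Data[0].Totals)
	o, err := json.Marshal(r)
	if err != nil {
		log.Fatalf("failed to encode coverage summary: %v", err)
	}
	fmt.Print(string(o))
}
```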
diff --git a/infra/go/coverage/pprof-merge/LICENSE b/infra/base-images/base-runner/gocoverage/pprof-merge/LICENSE
index 8dada3eda..8dada3eda 100644
--- a/infra/go/coverage/pprof-merge/LICENSE
+++ b/infra/base-images/base-runner/gocoverage/pprof-merge/LICENSE
diff --git a/infra/go/coverage/pprof-merge/main.go b/infra/base-images/base-runner/gocoverage/pprof-merge/main.go
index f35156403..f35156403 100644
--- a/infra/go/coverage/pprof-merge/main.go
+++ b/infra/base-images/base-runner/gocoverage/pprof-merge/main.go
diff --git a/infra/base-images/base-runner/minijail0 b/infra/base-images/base-runner/minijail0
deleted file mode 100755
index 369e0bbd9..000000000
--- a/infra/base-images/base-runner/minijail0
+++ /dev/null
Binary files differ
diff --git a/infra/base-images/base-runner/rcfilt b/infra/base-images/base-runner/rcfilt
new file mode 100755
index 000000000..1c621100c
--- /dev/null
+++ b/infra/base-images/base-runner/rcfilt
@@ -0,0 +1,21 @@
+#!/bin/bash -u
+# Copyright 2020 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Symbol demangling for both C++ and Rust
+#
+################################################################################
+
+# simply pipe
+rustfilt | c++filt -n
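Review bot: The pipeline `rustfilt | c++filt -n` exposes only c++filt's exit status, so a missing or failing rustfilt is invisible to any caller that checks `$?`, and the shebang's `-u` does not change that. Add `set -o pipefail` after the license header so the script fails when either stage fails. The `# simply pipe` comment could also say what the order achieves, e.g. `# Demangle Rust symbols first, then C++ symbols.`.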
diff --git a/infra/base-images/base-runner/run_fuzzer b/infra/base-images/base-runner/run_fuzzer
index 6464ddc2c..b9bc8d9d6 100755
--- a/infra/base-images/base-runner/run_fuzzer
+++ b/infra/base-images/base-runner/run_fuzzer
@@ -98,22 +98,29 @@ fi
if [[ "$FUZZING_ENGINE" = afl ]]; then
# Set afl++ environment options.
- export ASAN_OPTIONS="$ASAN_OPTIONS:abort_on_error=1:symbolize=0"
+ export ASAN_OPTIONS="$ASAN_OPTIONS:abort_on_error=1:symbolize=0:detect_odr_violation=0:"
export MSAN_OPTIONS="$MSAN_OPTIONS:exit_code=86:symbolize=0"
export UBSAN_OPTIONS="$UBSAN_OPTIONS:symbolize=0"
export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
export AFL_SKIP_CPUFREQ=1
export AFL_NO_AFFINITY=1
export AFL_FAST_CAL=1
- export AFL_MAP_SIZE=4194304
# If $OUT/afl_cmplog.txt is present this means the target was compiled for
# CMPLOG. So we have to add the proper parameters to afl-fuzz. `-l 2` is
# CMPLOG level 2, which will colorize larger files but not huge files and
# not enable transform analysis unless there have been several cycles without
# any finds.
- test -e $OUT/afl_cmplog.txt && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -l 2 -c $OUT/$FUZZER"
+ test -e "$OUT/afl_cmplog.txt" && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -l 2 -c $OUT/$FUZZER"
+ # If $OUT/afl++.dict we load it as a dictionary for afl-fuzz.
+ test -e "$OUT/afl++.dict" && AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -x $OUT/afl++.dict"
+ # Ensure timeout is a bit large than 1sec as some of the OSS-Fuzz fuzzers
+ # are slower than this.
+ AFL_FUZZER_ARGS="$AFL_FUZZER_ARGS -t 5000+"
# AFL expects at least 1 file in the input dir.
echo input > ${CORPUS_DIR}/input
+ echo afl++ setup:
+ env|grep AFL_
+ cat "$OUT/afl_options.txt"
CMD_LINE="$OUT/afl-fuzz $AFL_FUZZER_ARGS -i $CORPUS_DIR -o $FUZZER_OUT $(get_dictionary) $* -- $OUT/$FUZZER"
elif [[ "$FUZZING_ENGINE" = honggfuzz ]]; then
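Review bot: `cat "$OUT/afl_options.txt"` on the added line runs unconditionally, while the two new optional inputs just above it are guarded with `test -e`; when the file is absent this prints an error into the fuzzer log. Guard it the same way: `test -e "$OUT/afl_options.txt" && cat "$OUT/afl_options.txt"`. Two new comments also read oddly: `# If $OUT/afl++.dict we load it as a dictionary for afl-fuzz.` should be `# If $OUT/afl++.dict exists, load it as a dictionary for afl-fuzz.`, and `a bit large than 1sec` should be `a bit larger than 1 sec`. The enclosing `if` block starts before this hunk.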
diff --git a/infra/base-images/base-runner/run_minijail b/infra/base-images/base-runner/run_minijail
deleted file mode 100755
index bf950b1e7..000000000
--- a/infra/base-images/base-runner/run_minijail
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/bin/bash -eu
-# Copyright 2017 Google Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-################################################################################
-
-rm -rf /tmp/chroot
-mkdir /tmp/chroot
-
-mkdir /tmp/chroot/lib
-mkdir /tmp/chroot/lib64
-mkdir /tmp/chroot/lib32
-
-mkdir /tmp/chroot/usr
-mkdir /tmp/chroot/usr/lib
-mkdir /tmp/chroot/usr/lib32
-
-mkdir /tmp/chroot/dev
-mknod -m 666 /tmp/chroot/dev/null c 1 3
-mknod -m 666 /tmp/chroot/dev/urandom c 1 9
-
-mkdir /tmp/chroot/proc
-mkdir /tmp/chroot/tmp
-
-mkdir /tmp/chroot/bin
-cp /bin/sh /tmp/chroot/bin/sh
-cp $(which llvm-symbolizer) /tmp/chroot/bin/llvm-symbolizer
-
-FULL_EXE_PATH=$(readlink -f $1)
-EXE_DIR=$(dirname $FULL_EXE_PATH)
-mkdir -p /tmp/chroot/$EXE_DIR
-
-shift
-
-echo 'Running:'
-echo minijail0 -U -m \"0 $UID 1\" -T static \
- -c 0 -n -v -p -l -I \
- -k proc,/proc,proc,1 -P /tmp/chroot \
- -b /lib,/lib,0 -b /lib64,/lib64,0 -b /lib32,/lib32,0 -b /usr/lib,/usr/lib,0 \
- -b /usr/lib32,/usr/lib32,0 -b /tmp,/tmp,1 \
- -b $EXE_DIR,$EXE_DIR,0 $FULL_EXE_PATH $@
-
-minijail0 -U -m "0 $UID 1" -T static \
- -c 0 -n -v -p -l -I \
- -k proc,/proc,proc,1 -P /tmp/chroot \
- -b /lib,/lib,0 -b /lib64,/lib64,0 -b /lib32,/lib32,0 -b /usr/lib,/usr/lib,0 \
- -b /usr/lib32,/usr/lib32,0 -b /tmp,/tmp,1 \
- -b $EXE_DIR,$EXE_DIR,0 $FULL_EXE_PATH $@
diff --git a/infra/base-images/base-runner/test_all.py b/infra/base-images/base-runner/test_all.py
index 360da0345..925ebde69 100755
--- a/infra/base-images/base-runner/test_all.py
+++ b/infra/base-images/base-runner/test_all.py
@@ -78,11 +78,16 @@ def find_fuzz_targets(directory, fuzzing_language):
continue
if filename.startswith('afl-'):
continue
+ if filename.startswith('jazzer_'):
+ continue
if not os.path.isfile(path):
continue
if not os.stat(path).st_mode & EXECUTABLE:
continue
- if fuzzing_language != 'python' and not is_elf(path):
+ # Fuzz targets are expected to be ELF binaries for languages other than
+ # Python and Java.
+ if (fuzzing_language != 'python' and fuzzing_language != 'jvm' and
+ not is_elf(path)):
continue
if os.getenv('FUZZING_ENGINE') != 'none':
with open(path, 'rb') as file_handle:
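Review bot: The new condition spells out each non-ELF language with `!=` chained by `and`, which will grow again with the next language; a membership test keeps the list in one place and reads as the comment above it does: `if fuzzing_language not in ('python', 'jvm') and not is_elf(path):`. The `jazzer_` prefix skip is unexplained; a one-line comment such as `# Jazzer's driver binaries live next to the targets but are not fuzz targets.` would help, if that is indeed why they are skipped. `find_fuzz_targets` starts and ends outside this hunk.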
diff --git a/infra/base-images/base-runner/test_one b/infra/base-images/base-runner/test_one
deleted file mode 100755
index 23b7fd932..000000000
--- a/infra/base-images/base-runner/test_one
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/bash -u
-# Copyright 2020 Google Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-################################################################################
-
-# Wrapper around bad_build_check that moves the /out directory to /tmp/not-out.
-# This is useful when bad_build_check isn't called from test_all which does the
-# same thing.
-
-function main {
- # Move the directory the fuzzer is located in to somewhere that doesn't exist
- # on the builder to make it more likely that hardcoding /out fails here (since
- # it will fail on ClusterFuzz).
- local fuzzer=$1
- fuzzer=$(realpath $fuzzer)
- local initial_fuzzer_dir=$(dirname $fuzzer)
-
- local tmp_fuzzer_dir=/tmp/not-out
- rm -rf $tmp_fuzzer_dir
- mkdir $tmp_fuzzer_dir
- # Move the contents of $initial_fuzzer_dir rather than the directory itself in
- # case it is a mount.
- mv $initial_fuzzer_dir/* $tmp_fuzzer_dir
- fuzzer="$tmp_fuzzer_dir/$(basename $fuzzer)"
-
- # Change OUT to the temporary fuzzer dir.
- local initial_out=$OUT
- export OUT=$tmp_fuzzer_dir
-
- bad_build_check $fuzzer
- returncode=$?
-
- # Restore OUT and $initial_fuzzer_dir
- export OUT=$initial_out
- mv $tmp_fuzzer_dir/* $initial_fuzzer_dir
-
- return $returncode
-}
-
-if [ $# -ne 1 ]; then
- echo "Usage: $0 <fuzz_target_binary>"
- exit 1
-fi
-
-main $1
-exit $?
diff --git a/infra/base-images/base-runner/test_one.py b/infra/base-images/base-runner/test_one.py
new file mode 100755
index 000000000..9bdb75faf
--- /dev/null
+++ b/infra/base-images/base-runner/test_one.py
@@ -0,0 +1,43 @@
+#!/usr/bin/env python3
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+"""Does bad_build_check on a fuzz target in $OUT."""
+import os
+import sys
+
+import test_all
+
+
+def test_one(fuzz_target):
+ """Does bad_build_check on one fuzz target. Returns True on success."""
+ with test_all.use_different_out_dir():
+ fuzz_target_path = os.path.join(os.environ['OUT'], fuzz_target)
+ return test_all.do_bad_build_check(fuzz_target_path).returncode == 0
+
+
+def main():
+ """Does bad_build_check on one fuzz target. Returns 1 on failure, 0 on
+ success."""
+ if len(sys.argv) != 2:
+ print('Usage: %d <fuzz_target>', sys.argv[0])
+ return 1
+
+ fuzz_target_binary = sys.argv[1]
+ return 0 if test_one(fuzz_target_binary) else 1
+
+
+if __name__ == '__main__':
+ sys.exit(main())
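Review bot: `print('Usage: %d <fuzz_target>', sys.argv[0])` never applies the format: the comma passes `sys.argv[0]` as a second argument to `print`, so the output is literally `Usage: %d <fuzz_target> ./test_one.py`, and `%d` would raise for a string anyway. Change it to `print('Usage: %s <fuzz_target>' % sys.argv[0], file=sys.stderr)` so usage errors are formatted and kept off stdout. The `main` docstring could also note that the target name is resolved relative to `$OUT`, which is what `test_one` does via `os.environ['OUT']`.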
diff --git a/infra/base-images/base-sanitizer-libs-builder/msan_build.py b/infra/base-images/base-sanitizer-libs-builder/msan_build.py
index 928b1a596..5ea00ab10 100755
--- a/infra/base-images/base-sanitizer-libs-builder/msan_build.py
+++ b/infra/base-images/base-sanitizer-libs-builder/msan_build.py
@@ -73,7 +73,9 @@ def SetUpEnvironment(work_dir):
dpkg_host_architecture = wrapper_utils.DpkgHostArchitecture()
wrapper_utils.CreateSymlinks(
- compiler_wrapper_path, bin_dir, [
+ compiler_wrapper_path,
+ bin_dir,
+ [
'clang',
'clang++',
# Not all build rules respect $CC/$CXX, so make additional symlinks.
@@ -101,41 +103,35 @@ def SetUpEnvironment(work_dir):
env['DPKG_GENSYMBOLS_CHECK_LEVEL'] = '0'
# debian/rules can set DPKG_GENSYMBOLS_CHECK_LEVEL explicitly, so override it.
- gen_symbols_wrapper = (
- '#!/bin/sh\n'
- 'export DPKG_GENSYMBOLS_CHECK_LEVEL=0\n'
- '/usr/bin/dpkg-gensymbols "$@"\n')
+ gen_symbols_wrapper = ('#!/bin/sh\n'
+ 'export DPKG_GENSYMBOLS_CHECK_LEVEL=0\n'
+ '/usr/bin/dpkg-gensymbols "$@"\n')
- wrapper_utils.InstallWrapper(bin_dir, 'dpkg-gensymbols',
- gen_symbols_wrapper)
+ wrapper_utils.InstallWrapper(bin_dir, 'dpkg-gensymbols', gen_symbols_wrapper)
# Install no-op strip binaries.
- no_op_strip = ('#!/bin/sh\n'
- 'exit 0\n')
- wrapper_utils.InstallWrapper(
- bin_dir, 'strip', no_op_strip,
- [dpkg_host_architecture + '-strip'])
+ no_op_strip = ('#!/bin/sh\n' 'exit 0\n')
+ wrapper_utils.InstallWrapper(bin_dir, 'strip', no_op_strip,
+ [dpkg_host_architecture + '-strip'])
env['PATH'] = bin_dir + ':' + os.environ['PATH']
# nocheck doesn't disable override_dh_auto_test. So we have this hack to try
# to disable "make check" or "make test" invocations.
- make_wrapper = (
- '#!/bin/bash\n'
- 'if [ "$1" = "test" ] || [ "$1" = "check" ]; then\n'
- ' exit 0\n'
- 'fi\n'
- '/usr/bin/make "$@"\n')
- wrapper_utils.InstallWrapper(bin_dir, 'make',
- make_wrapper)
+ make_wrapper = ('#!/bin/bash\n'
+ 'if [ "$1" = "test" ] || [ "$1" = "check" ]; then\n'
+ ' exit 0\n'
+ 'fi\n'
+ '/usr/bin/make "$@"\n')
+ wrapper_utils.InstallWrapper(bin_dir, 'make', make_wrapper)
# Prevent entire build from failing because of bugs/uninstrumented in tools
# that are part of the build.
msan_log_dir = os.path.join(work_dir, 'msan')
os.mkdir(msan_log_dir)
msan_log_path = os.path.join(msan_log_dir, 'log')
- env['MSAN_OPTIONS'] = (
- 'halt_on_error=0:exitcode=0:report_umrs=0:log_path=' + msan_log_path)
+ env['MSAN_OPTIONS'] = ('halt_on_error=0:exitcode=0:report_umrs=0:log_path=' +
+ msan_log_path)
# Increase maximum stack size to prevent tests from failing.
limit = 128 * 1024 * 1024
@@ -207,7 +203,7 @@ def ExtractLibraries(deb_paths, work_directory, output_directory):
target_file_path = os.path.join(output_directory, rel_file_path)
extracted.append(target_file_path)
-
+
if os.path.lexists(target_file_path):
os.remove(target_file_path)
@@ -215,8 +211,8 @@ def ExtractLibraries(deb_paths, work_directory, output_directory):
link_path = os.readlink(file_path)
if os.path.isabs(link_path):
# Make absolute links relative.
- link_path = os.path.relpath(
- link_path, os.path.join('/', rel_directory))
+ link_path = os.path.relpath(link_path,
+ os.path.join('/', rel_directory))
os.symlink(link_path, target_file_path)
else:
@@ -244,8 +240,8 @@ def GetPackage(package_name):
def PatchRpath(path, output_directory):
"""Patch rpath to be relative to $ORIGIN."""
try:
- rpaths = subprocess.check_output(
- ['patchelf', '--print-rpath', path]).strip()
+ rpaths = subprocess.check_output(['patchelf', '--print-rpath',
+ path]).strip()
except subprocess.CalledProcessError:
return
@@ -262,15 +258,13 @@ def PatchRpath(path, output_directory):
processed_rpath.append(rpath)
continue
- processed_rpath.append(os.path.join(
- '$ORIGIN',
- os.path.relpath(rpath, rel_directory)))
+ processed_rpath.append(
+ os.path.join('$ORIGIN', os.path.relpath(rpath, rel_directory)))
processed_rpath = ':'.join(processed_rpath)
print('Patching rpath for', path, 'to', processed_rpath)
subprocess.check_call(
- ['patchelf', '--force-rpath', '--set-rpath',
- processed_rpath, path])
+ ['patchelf', '--force-rpath', '--set-rpath', processed_rpath, path])
def _CollectDependencies(apt_cache, pkg, cache, dependencies):
@@ -331,7 +325,11 @@ def GetBuildList(package_name):
class MSanBuilder(object):
"""MSan builder."""
- def __init__(self, debug=False, log_path=None, work_dir=None, no_track_origins=False):
+ def __init__(self,
+ debug=False,
+ log_path=None,
+ work_dir=None,
+ no_track_origins=False):
self.debug = debug
self.log_path = log_path
self.work_dir = work_dir
@@ -396,19 +394,24 @@ class MSanBuilder(object):
extracted_paths = ExtractLibraries(deb_paths, self.work_dir,
extract_directory)
for extracted_path in extracted_paths:
- if not os.path.islink(extracted_path):
- PatchRpath(extracted_path, extract_directory)
+ if os.path.islink(extracted_path):
+ continue
+ if os.path.basename(extracted_path) == 'llvm-symbolizer':
+ continue
+ PatchRpath(extracted_path, extract_directory)
def main():
parser = argparse.ArgumentParser('msan_build.py', description='MSan builder.')
parser.add_argument('package_names', nargs='+', help='Name of the packages.')
parser.add_argument('output_dir', help='Output directory.')
- parser.add_argument('--create-subdirs', action='store_true',
+ parser.add_argument('--create-subdirs',
+ action='store_true',
help=('Create subdirectories in the output '
'directory for each package.'))
parser.add_argument('--work-dir', help='Work directory.')
- parser.add_argument('--no-build-deps', action='store_true',
+ parser.add_argument('--no-build-deps',
+ action='store_true',
help='Don\'t build dependencies.')
parser.add_argument('--debug', action='store_true', help='Enable debug mode.')
parser.add_argument('--log-path', help='Log path for debugging.')
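Review bot: The new `if os.path.basename(extracted_path) == 'llvm-symbolizer': continue` special-case carries no explanation, and a reader of `PatchRpath` will not know why one binary must keep its original rpath. Add a why-comment above it, e.g. `# Leave llvm-symbolizer's rpath untouched (TODO: state why it must not point at $ORIGIN).`, filled in with the actual reason; I cannot infer it from this hunk. The enclosing method begins before the hunk.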
@@ -445,7 +448,8 @@ def main():
for package_name in package_names:
print('\t', package_name)
- with MSanBuilder(debug=args.debug, log_path=args.log_path,
+ with MSanBuilder(debug=args.debug,
+ log_path=args.log_path,
work_dir=args.work_dir,
no_track_origins=args.no_track_origins) as builder:
for package_name in package_names:
diff --git a/infra/bisector.py b/infra/bisector.py
index dc4a470d5..1438d0de9 100644
--- a/infra/bisector.py
+++ b/infra/bisector.py
@@ -189,6 +189,8 @@ def _bisect(bisect_type, old_commit, new_commit, test_case_path, fuzz_target,
bisect_repo_manager = repo_manager.RepoManager(
os.path.join(host_src_dir, os.path.basename(repo_path)))
+ bisect_repo_manager.fetch_all_remotes()
+
commit_list = bisect_repo_manager.get_commit_list(new_commit, old_commit)
old_idx = len(commit_list) - 1
diff --git a/infra/build/functions/build_and_run_coverage.py b/infra/build/functions/build_and_run_coverage.py
index 71d7338f9..cc2de5a32 100644
--- a/infra/build/functions/build_and_run_coverage.py
+++ b/infra/build/functions/build_and_run_coverage.py
@@ -48,7 +48,7 @@ LATEST_REPORT_INFO_CONTENT_TYPE = 'application/json'
UPLOAD_URL_FORMAT = 'gs://' + COVERAGE_BUCKET_NAME + '/{project}/{type}/{date}'
# Languages from project.yaml that have code coverage support.
-LANGUAGES_WITH_COVERAGE_SUPPORT = ['c', 'c++', 'go']
+LANGUAGES_WITH_COVERAGE_SUPPORT = ['c', 'c++', 'go', 'rust']
def usage():
diff --git a/infra/build/functions/requirements.txt b/infra/build/functions/requirements.txt
index 8d07d82ff..a60a03283 100644
--- a/infra/build/functions/requirements.txt
+++ b/infra/build/functions/requirements.txt
@@ -16,7 +16,7 @@
Brotli==1.0.9
hiredis==1.1.0
-PyYaml==5.2
+PyYaml==5.4
PyGithub==1.51
grpcio==1.29.0
google-auth==1.21.1
diff --git a/infra/build/functions/update_build_status.py b/infra/build/functions/update_build_status.py
index b5f955227..af65a41ab 100644
--- a/infra/build/functions/update_build_status.py
+++ b/infra/build/functions/update_build_status.py
@@ -195,7 +195,10 @@ def update_build_badges(project, last_build_successful,
last_coverage_build_successful):
"""Upload badges of given project."""
badge = 'building'
- if not last_coverage_build_successful:
+ # last_coverage_build_successful is False if there was an unsuccessful build
+ # and None if the target does not support coverage (e.g. Python or Java
+ # targets).
+ if last_coverage_build_successful is False:
badge = 'coverage_failing'
if not last_build_successful:
badge = 'failing'
@@ -289,12 +292,16 @@ def update_badges():
futures = []
with ndb.Client().context():
for project in Project.query():
- if (project.name not in project_build_statuses or
- project.name not in coverage_build_statuses):
+ if project.name not in project_build_statuses:
continue
+ # Certain projects (e.g. JVM and Python) do not have any coverage
+ # builds, but should still receive a badge.
+ coverage_build_status = None
+ if project.name in coverage_build_statuses:
+ coverage_build_status = coverage_build_statuses[project.name]
futures.append(
executor.submit(update_build_badges, project.name,
project_build_statuses[project.name],
- coverage_build_statuses[project.name]))
+ coverage_build_status))
concurrent.futures.wait(futures)
diff --git a/infra/build_specified_commit.py b/infra/build_specified_commit.py
index 9f29e420e..b2130ea85 100644
--- a/infra/build_specified_commit.py
+++ b/infra/build_specified_commit.py
@@ -200,6 +200,7 @@ def build_fuzzers_from_commit(commit,
# Re-copy /src for a clean checkout every time.
copy_src_from_docker(build_data.project_name,
os.path.dirname(host_src_path))
+ build_repo_manager.fetch_all_remotes()
projects_dir = os.path.join('projects', build_data.project_name)
dockerfile_path = os.path.join(projects_dir, 'Dockerfile')
diff --git a/infra/build_specified_commit_test.py b/infra/build_specified_commit_test.py
index 916b31885..a86504580 100644
--- a/infra/build_specified_commit_test.py
+++ b/infra/build_specified_commit_test.py
@@ -95,6 +95,10 @@ class BuildImageIntegrationTest(unittest.TestCase):
def test_detect_main_repo_from_name(self):
"""Test the detect main repo function from build specific commit module."""
for example_repo in test_repos.TEST_REPOS:
+ if example_repo.project_name == 'gonids':
+ # It's unclear how this test ever passed, but we can't infer the repo
+ # because gonids doesn't really check it out, it uses "go get".
+ continue
repo_origin, repo_name = build_specified_commit.detect_main_repo(
example_repo.project_name, repo_name=example_repo.git_repo_name)
self.assertEqual(repo_origin, example_repo.git_url)
diff --git a/infra/ci/build.py b/infra/ci/build.py
index f71799bb2..addeb7879 100755
--- a/infra/ci/build.py
+++ b/infra/ci/build.py
@@ -32,7 +32,7 @@ DEFAULT_ENGINES = ['afl', 'honggfuzz', 'libfuzzer']
DEFAULT_SANITIZERS = ['address', 'undefined']
# Languages from project.yaml that have code coverage support.
-LANGUAGES_WITH_COVERAGE_SUPPORT = ['c', 'c++', 'go']
+LANGUAGES_WITH_COVERAGE_SUPPORT = ['c', 'c++', 'go', 'rust']
def get_changed_files_output():
diff --git a/infra/ci/requirements.txt b/infra/ci/requirements.txt
index 48d2ae758..f0a8be0b5 100644
--- a/infra/ci/requirements.txt
+++ b/infra/ci/requirements.txt
@@ -4,5 +4,5 @@ pyfakefs==4.1.0
pylint==2.5.3
pytest==6.2.1
pytest-xdist==2.2.0
-PyYAML==5.3.1
+PyYAML==5.4
yapf==0.30.0
diff --git a/infra/cifuzz/actions/build_fuzzers/action.yml b/infra/cifuzz/actions/build_fuzzers/action.yml
index 2919db40e..835b7b430 100644
--- a/infra/cifuzz/actions/build_fuzzers/action.yml
+++ b/infra/cifuzz/actions/build_fuzzers/action.yml
@@ -5,6 +5,10 @@ inputs:
oss-fuzz-project-name:
description: 'Name of the corresponding OSS-Fuzz project.'
required: true
+ language:
+ description: 'Programming language project is written in.'
+ required: false
+ default: 'c++'
dry-run:
description: 'If set, run the action without actually reporting a failure.'
default: false
@@ -20,13 +24,20 @@ inputs:
build-integration-path:
description: "The path to the the project's build integration."
required: false
+ bad-build-check:
+ description: "Whether or not OSS-Fuzz's check for bad builds should be done."
+ required: false
+ default: true
runs:
using: 'docker'
image: '../../../build_fuzzers.Dockerfile'
env:
OSS_FUZZ_PROJECT_NAME: ${{ inputs.oss-fuzz-project-name }}
+ LANGUAGE: ${{ inputs.language }}
DRY_RUN: ${{ inputs.dry-run}}
ALLOWED_BROKEN_TARGETS_PERCENTAGE: ${{ inputs.allowed-broken-targets-percentage}}
SANITIZER: ${{ inputs.sanitizer }}
PROJECT_SRC_PATH: ${{ inputs.project-src-path }}
BUILD_INTEGRATION_PATH: ${{ inputs.build-integration-path }}
+ LOW_DISK_SPACE: 'True'
+ BAD_BUILD_CHECK: ${{ inputs.bad-build-check }}
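Review bot: `default: true` on the new `bad-build-check` input is a YAML boolean while the sibling `language` input uses a quoted string (`'c++'`), and GitHub hands inputs to the container as strings regardless; quoting it (`default: 'true'`) makes the declared type match what `BAD_BUILD_CHECK` actually receives and avoids YAML 1.1 `truthy` lint noise. `LOW_DISK_SPACE: 'True'` here, and the same line added in `run_fuzzers/action.yml`, use a different casing from that `true`; pick one spelling so whatever parses these on the Python side (not visible in this hunk) sees consistent input. The pre-existing `${{ inputs.dry-run}}` is missing its closing space but is not part of this change.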
diff --git a/infra/cifuzz/actions/run_fuzzers/action.yml b/infra/cifuzz/actions/run_fuzzers/action.yml
index 582133c74..d1c03c833 100644
--- a/infra/cifuzz/actions/run_fuzzers/action.yml
+++ b/infra/cifuzz/actions/run_fuzzers/action.yml
@@ -5,6 +5,10 @@ inputs:
oss-fuzz-project-name:
description: 'The OSS-Fuzz project name.'
required: true
+ language:
+ description: 'Programming language project is written in.'
+ required: false
+ default: 'c++'
fuzz-seconds:
description: 'The total time allotted for fuzzing in seconds.'
required: true
@@ -31,6 +35,7 @@ runs:
image: '../../../run_fuzzers.Dockerfile'
env:
OSS_FUZZ_PROJECT_NAME: ${{ inputs.oss-fuzz-project-name }}
+ LANGUAGE: ${{ inputs.language }}
FUZZ_SECONDS: ${{ inputs.fuzz-seconds }}
DRY_RUN: ${{ inputs.dry-run}}
SANITIZER: ${{ inputs.sanitizer }}
@@ -39,3 +44,4 @@ runs:
# for running because we use it to distinguish OSS-Fuzz from non-OSS-Fuzz.
# We should do something explicit instead.
BUILD_INTEGRATION_PATH: ${{ inputs.build-integration-path }}
+ LOW_DISK_SPACE: 'True'
diff --git a/infra/cifuzz/affected_fuzz_targets_test.py b/infra/cifuzz/affected_fuzz_targets_test.py
index 72e6d266c..05f27c072 100644
--- a/infra/cifuzz/affected_fuzz_targets_test.py
+++ b/infra/cifuzz/affected_fuzz_targets_test.py
@@ -30,15 +30,15 @@ EXAMPLE_PROJECT = 'example'
EXAMPLE_FILE_CHANGED = 'test.txt'
-TEST_FILES_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
- 'test_files')
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
+ 'test_data')
class RemoveUnaffectedFuzzTargets(unittest.TestCase):
"""Tests remove_unaffected_fuzzers."""
- TEST_FUZZER_1 = os.path.join(TEST_FILES_PATH, 'out', 'example_crash_fuzzer')
- TEST_FUZZER_2 = os.path.join(TEST_FILES_PATH, 'out', 'example_nocrash_fuzzer')
+ TEST_FUZZER_1 = os.path.join(TEST_DATA_PATH, 'out', 'example_crash_fuzzer')
+ TEST_FUZZER_2 = os.path.join(TEST_DATA_PATH, 'out', 'example_nocrash_fuzzer')
# yapf: disable
@parameterized.parameterized.expand([
diff --git a/infra/cifuzz/build_fuzzers.py b/infra/cifuzz/build_fuzzers.py
index a4342a413..78180b52b 100644
--- a/infra/cifuzz/build_fuzzers.py
+++ b/infra/cifuzz/build_fuzzers.py
@@ -20,6 +20,7 @@ import sys
import affected_fuzz_targets
import continuous_integration
+import docker
# pylint: disable=wrong-import-position,import-error
sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
@@ -77,7 +78,8 @@ class Builder: # pylint: disable=too-many-instance-attributes
def build_fuzzers(self):
"""Moves the source code we want to fuzz into the project builder and builds
the fuzzers from that source code. Returns True on success."""
- docker_args = get_common_docker_args(self.config.sanitizer)
+ docker_args = get_common_docker_args(self.config.sanitizer,
+ self.config.language)
container = utils.get_container_name()
if container:
@@ -93,7 +95,7 @@ class Builder: # pylint: disable=too-many-instance-attributes
self.handle_msan_prebuild(container)
docker_args.extend([
- 'gcr.io/oss-fuzz/' + self.config.project_name,
+ docker.get_project_image_name(self.config.project_name),
'/bin/bash',
'-c',
])
@@ -118,8 +120,7 @@ class Builder: # pylint: disable=too-many-instance-attributes
helper.docker_run([
'--volumes-from', container, '-e',
'WORK={work_dir}'.format(work_dir=self.work_dir),
- 'gcr.io/oss-fuzz-base/base-sanitizer-libs-builder', 'patch_build.py',
- '/out'
+ docker.MSAN_LIBS_BUILDER_TAG, 'patch_build.py', '/out'
])
def handle_msan_prebuild(self, container):
@@ -127,8 +128,8 @@ class Builder: # pylint: disable=too-many-instance-attributes
returns docker arguments to use that directory for MSAN libs."""
logging.info('Copying MSAN libs.')
helper.docker_run([
- '--volumes-from', container, 'gcr.io/oss-fuzz-base/msan-libs-builder',
- 'bash', '-c', 'cp -r /msan {work_dir}'.format(work_dir=self.work_dir)
+ '--volumes-from', container, docker.MSAN_LIBS_BUILDER_TAG, 'bash', '-c',
+ 'cp -r /msan {work_dir}'.format(work_dir=self.work_dir)
])
def build(self):
@@ -185,7 +186,7 @@ def build_fuzzers(config):
return builder.build()
-def get_common_docker_args(sanitizer):
+def get_common_docker_args(sanitizer, language):
"""Returns a list of common docker arguments."""
return [
'--cap-add',
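Review bot: `get_common_docker_args` gains a `language` parameter but its docstring still says only `"""Returns a list of common docker arguments."""`; document the inputs, e.g. `"""Returns common docker arguments for |sanitizer| and |language| (exported as FUZZING_LANGUAGE)."""`. The same applies to `check_fuzzer_build` in the next hunk, whose docstring begins at the hunk edge and continues outside it and should list the new positional `language` argument and the fact that `sanitizer` no longer has a default. The function body continues past this hunk.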
@@ -199,12 +200,13 @@ def get_common_docker_args(sanitizer):
'-e',
'CIFUZZ=True',
'-e',
- 'FUZZING_LANGUAGE=c++', # FIXME: Add proper support.
+ 'FUZZING_LANGUAGE=' + language,
]
def check_fuzzer_build(out_dir,
- sanitizer='address',
+ sanitizer,
+ language,
allowed_broken_targets_percentage=None):
"""Checks the integrity of the built fuzzers.
@@ -222,7 +224,7 @@ def check_fuzzer_build(out_dir,
logging.error('No fuzzers found in out directory: %s.', out_dir)
return False
- command = get_common_docker_args(sanitizer)
+ command = get_common_docker_args(sanitizer, language)
if allowed_broken_targets_percentage is not None:
command += [
@@ -236,7 +238,7 @@ def check_fuzzer_build(out_dir,
command += ['-e', 'OUT=' + out_dir, '--volumes-from', container]
else:
command += ['-v', '%s:/out' % out_dir]
- command.extend(['-t', 'gcr.io/oss-fuzz-base/base-runner', 'test_all.py'])
+ command.extend(['-t', docker.BASE_RUNNER_TAG, 'test_all.py'])
exit_code = helper.docker_run(command)
logging.info('check fuzzer build exit code: %d', exit_code)
if exit_code:
diff --git a/infra/cifuzz/build_fuzzers_entrypoint.py b/infra/cifuzz/build_fuzzers_entrypoint.py
index 9c4b98215..04f562068 100644
--- a/infra/cifuzz/build_fuzzers_entrypoint.py
+++ b/infra/cifuzz/build_fuzzers_entrypoint.py
@@ -72,10 +72,16 @@ def main():
return returncode
out_dir = os.path.join(config.workspace, 'out')
+
+ if not config.bad_build_check:
+ # If we've gotten to this point and we don't need to do bad_build_check,
+ # then the build has succeeded.
+ returncode = 0
# yapf: disable
- if build_fuzzers.check_fuzzer_build(
+ elif build_fuzzers.check_fuzzer_build(
out_dir,
- sanitizer=config.sanitizer,
+ config.sanitizer,
+ config.language,
allowed_broken_targets_percentage=config.allowed_broken_targets_percentage
):
# yapf: enable
diff --git a/infra/cifuzz/build_fuzzers_test.py b/infra/cifuzz/build_fuzzers_test.py
index 2d27356d2..298778867 100644
--- a/infra/cifuzz/build_fuzzers_test.py
+++ b/infra/cifuzz/build_fuzzers_test.py
@@ -36,9 +36,9 @@ import test_helpers
# https://github.com/google/oss-fuzz/tree/master/projects/example project.
EXAMPLE_PROJECT = 'example'
-# Location of files used for testing.
-TEST_FILES_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
- 'test_files')
+# Location of data used for testing.
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
+ 'test_data')
# An example fuzzer that triggers an crash.
# Binary is a copy of the example project's do_stuff_fuzzer and can be
@@ -251,10 +251,13 @@ class BuildFuzzersIntegrationTest(unittest.TestCase):
class CheckFuzzerBuildTest(unittest.TestCase):
"""Tests the check_fuzzer_build function in the cifuzz module."""
+ SANITIZER = 'address'
+ LANGUAGE = 'c++'
+
def setUp(self):
self.tmp_dir_obj = tempfile.TemporaryDirectory()
self.test_files_path = os.path.join(self.tmp_dir_obj.name, 'test_files')
- shutil.copytree(TEST_FILES_PATH, self.test_files_path)
+ shutil.copytree(TEST_DATA_PATH, self.test_files_path)
def tearDown(self):
self.tmp_dir_obj.cleanup()
@@ -262,23 +265,31 @@ class CheckFuzzerBuildTest(unittest.TestCase):
def test_correct_fuzzer_build(self):
"""Checks check_fuzzer_build function returns True for valid fuzzers."""
test_fuzzer_dir = os.path.join(self.test_files_path, 'out')
- self.assertTrue(build_fuzzers.check_fuzzer_build(test_fuzzer_dir))
+ self.assertTrue(
+ build_fuzzers.check_fuzzer_build(test_fuzzer_dir, self.SANITIZER,
+ self.LANGUAGE))
def test_not_a_valid_fuzz_path(self):
"""Tests that False is returned when a bad path is given."""
- self.assertFalse(build_fuzzers.check_fuzzer_build('not/a/valid/path'))
+ self.assertFalse(
+ build_fuzzers.check_fuzzer_build('not/a/valid/path', self.SANITIZER,
+ self.LANGUAGE))
def test_not_a_valid_fuzzer(self):
"""Checks a directory that exists but does not have fuzzers is False."""
- self.assertFalse(build_fuzzers.check_fuzzer_build(self.test_files_path))
+ self.assertFalse(
+ build_fuzzers.check_fuzzer_build(self.test_files_path, self.SANITIZER,
+ self.LANGUAGE))
@mock.patch('helper.docker_run')
def test_allow_broken_fuzz_targets_percentage(self, mocked_docker_run):
"""Tests that ALLOWED_BROKEN_TARGETS_PERCENTAGE is set when running
docker if passed to check_fuzzer_build."""
mocked_docker_run.return_value = 0
- test_fuzzer_dir = os.path.join(TEST_FILES_PATH, 'out')
+ test_fuzzer_dir = os.path.join(TEST_DATA_PATH, 'out')
build_fuzzers.check_fuzzer_build(test_fuzzer_dir,
+ self.SANITIZER,
+ self.LANGUAGE,
allowed_broken_targets_percentage='0')
self.assertIn('-e ALLOWED_BROKEN_TARGETS_PERCENTAGE=0',
' '.join(mocked_docker_run.call_args[0][0]))
diff --git a/infra/cifuzz/cifuzz-base/Dockerfile b/infra/cifuzz/cifuzz-base/Dockerfile
index 0aee3b2cf..e0599dbbe 100644
--- a/infra/cifuzz/cifuzz-base/Dockerfile
+++ b/infra/cifuzz/cifuzz-base/Dockerfile
@@ -14,25 +14,19 @@
#
################################################################################
+# Don't bother with a slimmer base image.
+# When we pull base-builder to build project builder image we need to pull
+# ubuntu:16.04 anyway. So in the long run we probably would waste time if
+# we pulled something like alpine here instead.
FROM ubuntu:16.04
-RUN apt-get update && apt-get install -y git \
- apt-transport-https \
- ca-certificates \
- curl \
- gnupg2 \
- software-properties-common \
- python3
+RUN apt-get update && \
+ apt-get install ca-certificates wget python3 git-core --no-install-recommends -y && \
+ wget https://download.docker.com/linux/ubuntu/dists/xenial/pool/stable/amd64/docker-ce-cli_20.10.5~3-0~ubuntu-xenial_amd64.deb -O /tmp/docker-ce.deb && \
+ dpkg -i /tmp/docker-ce.deb && rm /tmp/docker-ce.deb && \
+ apt-get remove wget -y --purge
-RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - && apt-key fingerprint 0EBFCD88
-RUN add-apt-repository \
- "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
- xenial \
- stable"
-
-RUN apt-get update && apt-get install docker-ce docker-ce-cli containerd.io -y
-
ENV OSS_FUZZ_ROOT=/opt/oss-fuzz
ADD . ${OSS_FUZZ_ROOT}
RUN rm -rf ${OSS_FUZZ_ROOT}/infra \ No newline at end of file
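Review bot: The removed lines verified the Docker apt repository's signing key (`apt-key add` plus the fingerprint check) before installing, whereas the new `RUN` downloads a single `.deb` with `wget` and installs it with `dpkg -i` and no integrity check, so the image's supply chain now rests entirely on TLS to download.docker.com. Pin the artifact by inserting `echo "<EXPECTED_SHA256_OF_DEB> /tmp/docker-ce.deb" | sha256sum -c - && \` between the `wget` and `dpkg -i` steps (the placeholder is the published checksum for that exact `docker-ce-cli` package). Ending the layer with `rm -rf /var/lib/apt/lists/*` would also keep the apt cache out of the image, matching the intent of the `apt-get remove wget` cleanup.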
diff --git a/infra/cifuzz/config_utils.py b/infra/cifuzz/config_utils.py
index fd1871497..ad2cd36c6 100644
--- a/infra/cifuzz/config_utils.py
+++ b/infra/cifuzz/config_utils.py
@@ -18,14 +18,16 @@ import enum
import os
import json
+import environment
+
def _get_project_repo_name():
- return os.path.basename(os.getenv('GITHUB_REPOSITORY', ''))
+ return os.path.basename(environment.get('GITHUB_REPOSITORY', ''))
def _get_pr_ref(event):
if event == 'pull_request':
- return os.getenv('GITHUB_REF')
+ return environment.get('GITHUB_REF')
return None
@@ -40,7 +42,7 @@ def _get_project_name():
def _is_dry_run():
"""Returns True if configured to do a dry run."""
- return os.getenv('DRY_RUN', 'false').lower() == 'true'
+ return environment.get_bool('DRY_RUN', 'false')
def get_project_src_path(workspace):
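Review bot: `environment.get_bool('DRY_RUN', 'false')` changes the accepted inputs: the replaced comparison treated every value other than `true` as False, while `get_bool` raises for anything that is not `true`/`false` (or a literal that evaluates to a non-string), so a workflow that sets e.g. `DRY_RUN=no` now fails during config construction with a generic `Exception` rather than running. If the stricter parsing is intended, a comment here would spare the next reader the trace: `# Raises if DRY_RUN is not true/false; previously any value but 'true' meant False.` The surrounding `_get_sanitizer`/`get_project_src_path` code is outside the hunk, so I cannot tell whether the same loosening applied there.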
@@ -62,6 +64,19 @@ def get_project_src_path(workspace):
return os.path.join(workspace, path)
+DEFAULT_LANGUAGE = 'c++'
+
+
+def _get_language():
+ """Returns the project language."""
+ # Get language from environment. We took this approach because the convenience
+ # given to OSS-Fuzz users by not making them specify the language again (and
+ # getting it from the project.yaml) is outweighed by the complexity in
+ # implementing this. A lot of the complexity comes from our unittests not
+ # setting a proper projet at this point.
+ return os.getenv('LANGUAGE', DEFAULT_LANGUAGE)
+
+
# pylint: disable=too-few-public-methods,too-many-instance-attributes
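Review bot: `_get_language` returns whatever `LANGUAGE` holds with no check against the languages the build scripts understand, and the value is later handed to other components (L3096 passes `self.LANGUAGE` to `check_fuzzer_build`), so a typo in a workflow only surfaces deep inside a build step; a one-line membership check against a `SUPPORTED_LANGUAGES` set (a constructed name, the real list lives outside this diff) with a clear error would fail fast. Note also that this helper still reads `os.getenv` while the rest of the commit moved to `environment.get`; that looks deliberate (a language name such as `c++` would not survive `ast.literal_eval` sensibly) and deserves a sentence in the comment, and `projet` in that comment should be `project`.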
@@ -81,14 +96,22 @@ class BaseConfig:
self.dry_run = _is_dry_run()
self.sanitizer = _get_sanitizer()
self.build_integration_path = os.getenv('BUILD_INTEGRATION_PATH')
+ self.language = _get_language()
event_path = os.getenv('GITHUB_EVENT_PATH')
self.is_github = bool(event_path)
logging.debug('Is github: %s.', self.is_github)
+ # TODO(metzman): Parse env like we do in ClusterFuzz.
+ self.low_disk_space = environment.get('LOW_DISK_SPACE', False)
+
+ @property
+ def is_internal(self):
+ """Returns True if this is an OSS-Fuzz project."""
+ return not self.build_integration_path
@property
def platform(self):
"""Returns the platform CIFuzz is runnning on."""
- if self.build_integration_path:
+ if not self.is_internal:
return self.Platform.EXTERNAL_GITHUB
if self.is_github:
return self.Platform.INTERNAL_GITHUB
@@ -149,6 +172,7 @@ class BuildFuzzersConfig(BaseConfig):
self.allowed_broken_targets_percentage = os.getenv(
'ALLOWED_BROKEN_TARGETS_PERCENTAGE')
+ self.bad_build_check = environment.get_bool('BAD_BUILD_CHECK', 'true')
# TODO(metzman): Use better system for interpreting env vars. What if env
# var is set to '0'?
diff --git a/infra/cifuzz/config_utils_test.py b/infra/cifuzz/config_utils_test.py
index 71e7450fa..6f87bd4c5 100644
--- a/infra/cifuzz/config_utils_test.py
+++ b/infra/cifuzz/config_utils_test.py
@@ -13,19 +13,38 @@
# limitations under the License.
"""Module for getting the configuration CIFuzz needs to run."""
import os
-import sys
import unittest
import config_utils
-
-# pylint: disable=wrong-import-position,import-error
-sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
-
import test_helpers
# pylint: disable=no-self-use
+class BaseConfigTest(unittest.TestCase):
+ """Tests for BaseConfig."""
+
+ def setUp(self):
+ test_helpers.patch_environ(self)
+
+ def _create_config(self):
+ return config_utils.BuildFuzzersConfig()
+
+ def test_language_default(self):
+ """Tests that the correct default language is set."""
+ os.environ['BUILD_INTEGRATION_PATH'] = '/path'
+ config = self._create_config()
+ self.assertEqual(config.language, 'c++')
+
+ def test_language(self):
+ """Tests that the correct language is set."""
+ os.environ['BUILD_INTEGRATION_PATH'] = '/path'
+ language = 'python'
+ os.environ['LANGUAGE'] = language
+ config = self._create_config()
+ self.assertEqual(config.language, language)
+
+
class BuildFuzzersConfigTest(unittest.TestCase):
"""Tests for BuildFuzzersConfig."""
diff --git a/infra/cifuzz/coverage.py b/infra/cifuzz/coverage.py
index b5c6fbf1a..9a179c59d 100644
--- a/infra/cifuzz/coverage.py
+++ b/infra/cifuzz/coverage.py
@@ -115,7 +115,7 @@ def _get_latest_cov_report_info(project_name):
LATEST_REPORT_INFO_PATH,
project_name + '.json')
latest_cov_info = get_json_from_url(latest_report_info_url)
- if not latest_cov_info is None:
+ if latest_cov_info is None:
logging.error('Could not get the coverage report json from url: %s.',
latest_report_info_url)
return None
diff --git a/infra/cifuzz/coverage_test.py b/infra/cifuzz/coverage_test.py
index 57120f5f5..1b24d798c 100644
--- a/infra/cifuzz/coverage_test.py
+++ b/infra/cifuzz/coverage_test.py
@@ -21,8 +21,8 @@ import coverage
# pylint: disable=protected-access
-TEST_FILES_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
- 'test_files')
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
+ 'test_data')
PROJECT_NAME = 'curl'
REPO_PATH = '/src/curl'
@@ -31,7 +31,7 @@ PROJECT_COV_JSON_FILENAME = 'example_curl_cov.json'
FUZZ_TARGET_COV_JSON_FILENAME = 'example_curl_fuzzer_cov.json'
INVALID_TARGET = 'not-a-fuzz-target'
-with open(os.path.join(TEST_FILES_PATH,
+with open(os.path.join(TEST_DATA_PATH,
PROJECT_COV_JSON_FILENAME),) as cov_file_handle:
PROJECT_COV_INFO = json.loads(cov_file_handle.read())
@@ -39,19 +39,28 @@ with open(os.path.join(TEST_FILES_PATH,
class GetFuzzerStatsDirUrlTest(unittest.TestCase):
"""Tests _get_fuzzer_stats_dir_url."""
- @mock.patch('coverage.get_json_from_url', return_value={})
+ @mock.patch('coverage.get_json_from_url',
+ return_value={
+ 'fuzzer_stats_dir':
+ 'gs://oss-fuzz-coverage/systemd/fuzzer_stats/20210303'
+ })
def test_get_valid_project(self, mocked_get_json_from_url):
"""Tests that a project's coverage report can be downloaded and parsed.
NOTE: This test relies on the PROJECT_NAME repo's coverage report.
The "example" project was not used because it has no coverage reports.
"""
- coverage._get_fuzzer_stats_dir_url(PROJECT_NAME)
+ result = coverage._get_fuzzer_stats_dir_url(PROJECT_NAME)
(url,), _ = mocked_get_json_from_url.call_args
self.assertEqual(
'https://storage.googleapis.com/oss-fuzz-coverage/'
'latest_report_info/curl.json', url)
+ expected_result = (
+ 'https://storage.googleapis.com/oss-fuzz-coverage/systemd/fuzzer_stats/'
+ '20210303')
+ self.assertEqual(result, expected_result)
+
def test_get_invalid_project(self):
"""Tests that passing a bad project returns None."""
self.assertIsNone(coverage._get_fuzzer_stats_dir_url('not-a-proj'))
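Review bot: The docstring of `test_get_valid_project` is now stale: it says the test relies on the real coverage report of `PROJECT_NAME` (curl), but the new `mock.patch` return value is a hand-written systemd `fuzzer_stats_dir`, so no report is fetched and the `systemd`/`curl` mismatch reads as a mistake. Replace the NOTE with something like `Both the project name and the mocked fuzzer_stats_dir are arbitrary; get_json_from_url is patched so no report is downloaded.`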
@@ -98,7 +107,7 @@ class GetFilesCoveredByTargetTest(unittest.TestCase):
def test_valid_target(self):
"""Tests that covered files can be retrieved from a coverage report."""
- with open(os.path.join(TEST_FILES_PATH,
+ with open(os.path.join(TEST_DATA_PATH,
FUZZ_TARGET_COV_JSON_FILENAME),) as file_handle:
fuzzer_cov_info = json.loads(file_handle.read())
@@ -106,7 +115,7 @@ class GetFilesCoveredByTargetTest(unittest.TestCase):
return_value=fuzzer_cov_info):
file_list = self.coverage_getter.get_files_covered_by_target(FUZZ_TARGET)
- curl_files_list_path = os.path.join(TEST_FILES_PATH,
+ curl_files_list_path = os.path.join(TEST_DATA_PATH,
'example_curl_file_list.json')
with open(curl_files_list_path) as file_handle:
expected_file_list = json.loads(file_handle.read())
@@ -152,5 +161,34 @@ class IsFileCoveredTest(unittest.TestCase):
self.assertFalse(coverage.is_file_covered(file_coverage))
+class GetLatestCovReportInfo(unittest.TestCase):
+ """Tests that _get_latest_cov_report_info works as intended."""
+
+ PROJECT = 'project'
+ LATEST_REPORT_INFO_URL = ('https://storage.googleapis.com/oss-fuzz-coverage/'
+ 'latest_report_info/project.json')
+
+ @mock.patch('logging.error')
+ @mock.patch('coverage.get_json_from_url', return_value={'coverage': 1})
+ def test_get_latest_cov_report_info(self, mocked_get_json_from_url,
+ mocked_error):
+ """Tests that _get_latest_cov_report_info works as intended."""
+ result = coverage._get_latest_cov_report_info(self.PROJECT)
+ self.assertEqual(result, {'coverage': 1})
+ mocked_error.assert_not_called()
+ mocked_get_json_from_url.assert_called_with(self.LATEST_REPORT_INFO_URL)
+
+ @mock.patch('logging.error')
+ @mock.patch('coverage.get_json_from_url', return_value=None)
+ def test_get_latest_cov_report_info_fail(self, _, mocked_error):
+ """Tests that _get_latest_cov_report_info works as intended when we can't
+ get latest report info."""
+ result = coverage._get_latest_cov_report_info('project')
+ self.assertIsNone(result)
+ mocked_error.assert_called_with(
+ 'Could not get the coverage report json from url: %s.',
+ self.LATEST_REPORT_INFO_URL)
+
+
if __name__ == '__main__':
unittest.main()
diff --git a/infra/cifuzz/docker.py b/infra/cifuzz/docker.py
new file mode 100644
index 000000000..eb993e28d
--- /dev/null
+++ b/infra/cifuzz/docker.py
@@ -0,0 +1,38 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Module for dealing with docker."""
+import os
+import sys
+
+# pylint: disable=wrong-import-position,import-error
+sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+import utils
+
+BASE_BUILDER_TAG = 'gcr.io/oss-fuzz-base/base-builder'
+BASE_RUNNER_TAG = 'gcr.io/oss-fuzz-base/base-runner'
+MSAN_LIBS_BUILDER_TAG = 'gcr.io/oss-fuzz-base/msan-libs-builder'
+PROJECT_TAG_PREFIX = 'gcr.io/oss-fuzz/'
+
+
+def get_project_image_name(project):
+ """Returns the name of the project builder image for |project_name|."""
+ return PROJECT_TAG_PREFIX + project
+
+
+def delete_images(images):
+ """Deletes |images|."""
+ command = ['docker', 'rmi', '-f'] + images
+ utils.execute(command)
+ utils.execute(['docker', 'builder', 'prune', '-f'])
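Review bot: The docstring of `get_project_image_name` refers to `|project_name|`, but the parameter is `project`; either rename the parameter to `project_name` or change the docstring to `Returns the name of the project builder image for |project|.` `delete_images` could also say what callers should expect on failure: it runs `docker rmi -f` and `docker builder prune -f` through `utils.execute` and, as far as this hunk shows, does not inspect the result, so a note such as `Failures are not reported to the caller; the images may still exist afterwards.` would keep `run_fuzzers_entrypoint` honest about the disk-space guarantee.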
diff --git a/infra/cifuzz/environment.py b/infra/cifuzz/environment.py
new file mode 100644
index 000000000..4cc0f846b
--- /dev/null
+++ b/infra/cifuzz/environment.py
@@ -0,0 +1,54 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Module for dealing with env vars."""
+
+import ast
+import os
+
+
+def _eval_value(value_string):
+ """Returns evaluated value."""
+ try:
+ return ast.literal_eval(value_string)
+ except: # pylint: disable=bare-except
+ # String fallback.
+ return value_string
+
+
+def get(env_var, default_value=None):
+ """Returns an environment variable value."""
+ value_string = os.getenv(env_var)
+ if value_string is None:
+ return default_value
+
+ return _eval_value(value_string)
+
+
+def get_bool(env_var, default_value=None):
+ """Returns a boolean environment variable value. This is needed because a lot
+ of CIFuzz users specified 'false' for dry-run. So we need to special case
+ this."""
+ value = get(env_var, default_value)
+ if not isinstance(value, str):
+ return bool(value)
+
+ lower_value = value.lower()
+ allowed_values = {'true', 'false'}
+ if lower_value not in allowed_values:
+ raise Exception(('Bool env var {env_var} value {value} is invalid. '
+ 'Must be one of {allowed_values}').format(
+ env_var=env_var,
+ value=value,
+ allowed_values=allowed_values))
+ return lower_value == 'true'
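Review bot: `_eval_value` catches everything with a bare `except`, so a `KeyboardInterrupt` or `MemoryError` raised while `ast.literal_eval` parses an env var is swallowed and the raw string is returned as if it were a valid fallback; narrowing it to `except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):` keeps the string fallback for malformed input (the cases `literal_eval` documents) while letting genuine interrupts through, and removes the need for the pylint suppression. `get_bool` similarly raises a plain `Exception`; `ValueError` is the conventional type for a malformed value and lets callers catch it specifically. The choice of `ast.literal_eval` over `eval` is the right one for values coming from a workflow environment and is worth a comment on `_eval_value`.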
diff --git a/infra/cifuzz/fuzz_target.py b/infra/cifuzz/fuzz_target.py
index 7bccfa4e1..c623bf60d 100644
--- a/infra/cifuzz/fuzz_target.py
+++ b/infra/cifuzz/fuzz_target.py
@@ -16,10 +16,13 @@ import collections
import logging
import os
import re
+import shutil
import stat
import subprocess
import sys
+import docker
+
# pylint: disable=wrong-import-position,import-error
sys.path.append(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
import utils
@@ -28,6 +31,8 @@ logging.basicConfig(
format='%(asctime)s - %(name)s - %(levelname)s - %(message)s',
level=logging.DEBUG)
+# Use a fixed seed for determinism. Use len_control=0 since we don't have enough
+# time fuzzing for len_control to make sense (probably).
LIBFUZZER_OPTIONS = '-seed=1337 -len_control=0'
# The number of reproduce attempts for a crash.
@@ -78,6 +83,7 @@ class FuzzTarget:
self.out_dir = out_dir
self.clusterfuzz_deployment = clusterfuzz_deployment
self.config = config
+ self.latest_corpus_path = None
def fuzz(self):
"""Starts the fuzz target run for the length of time specified by duration.
@@ -98,8 +104,7 @@ class FuzzTarget:
command += [
'-e', 'FUZZING_ENGINE=libfuzzer', '-e',
'SANITIZER=' + self.config.sanitizer, '-e', 'CIFUZZ=True', '-e',
- 'RUN_FUZZER_MODE=interactive', 'gcr.io/oss-fuzz-base/base-runner',
- 'bash', '-c'
+ 'RUN_FUZZER_MODE=interactive', docker.BASE_RUNNER_TAG, 'bash', '-c'
]
run_fuzzer_command = 'run_fuzzer {fuzz_target} {options}'.format(
@@ -107,10 +112,10 @@ class FuzzTarget:
options=LIBFUZZER_OPTIONS + ' -max_total_time=' + str(self.duration))
# If corpus can be downloaded use it for fuzzing.
- latest_corpus_path = self.clusterfuzz_deployment.download_corpus(
+ self.latest_corpus_path = self.clusterfuzz_deployment.download_corpus(
self.target_name, self.out_dir)
- if latest_corpus_path:
- run_fuzzer_command = run_fuzzer_command + ' ' + latest_corpus_path
+ if self.latest_corpus_path:
+ run_fuzzer_command = run_fuzzer_command + ' ' + self.latest_corpus_path
command.append(run_fuzzer_command)
logging.info('Running command: %s', ' '.join(command))
@@ -136,10 +141,37 @@ class FuzzTarget:
if not testcase:
logging.error(b'No testcase found in stacktrace: %s.', stderr)
return FuzzResult(None, None)
+
+ utils.binary_print(b'Fuzzer: %s. Detected bug:\n%s' %
+ (self.target_name.encode(), stderr))
if self.is_crash_reportable(testcase):
+ # We found a bug in the fuzz target and we will report it.
return FuzzResult(testcase, stderr)
+
+ # We found a bug but we won't report it.
return FuzzResult(None, None)
+ def free_disk_if_needed(self):
+ """Deletes things that are no longer needed from fuzzing this fuzz target to
+ save disk space if needed."""
+ if not self.config.low_disk_space:
+ return
+ logging.info(
+ 'Deleting corpus, seed corpus and fuzz target of %s to save disk.',
+ self.target_name)
+
+ # Delete the seed corpus, corpus, and fuzz target.
+ if self.latest_corpus_path and os.path.exists(self.latest_corpus_path):
+ # Use ignore_errors=True to fix
+ # https://github.com/google/oss-fuzz/issues/5383.
+ shutil.rmtree(self.latest_corpus_path, ignore_errors=True)
+
+ os.remove(self.target_path)
+ target_seed_corpus_path = self.target_path + '_seed_corpus.zip'
+ if os.path.exists(target_seed_corpus_path):
+ os.remove(target_seed_corpus_path)
+ logging.info('Done deleting.')
+
def is_reproducible(self, testcase, target_path):
"""Checks if the testcase reproduces.
@@ -176,8 +208,7 @@ class FuzzTarget:
]
command += [
- '-t', 'gcr.io/oss-fuzz-base/base-runner', 'reproduce', self.target_name,
- '-runs=100'
+ '-t', docker.BASE_RUNNER_TAG, 'reproduce', self.target_name, '-runs=100'
]
logging.info('Running reproduce command: %s.', ' '.join(command))
@@ -246,7 +277,6 @@ class FuzzTarget:
logging.info('The crash is reproducible. The crash doesn\'t reproduce '
'on old builds. This code change probably introduced the '
'crash.')
-
return True
logging.info('The crash is reproducible on old builds '
diff --git a/infra/cifuzz/fuzz_target_test.py b/infra/cifuzz/fuzz_target_test.py
index 8a506fa59..8bec234dc 100644
--- a/infra/cifuzz/fuzz_target_test.py
+++ b/infra/cifuzz/fuzz_target_test.py
@@ -148,8 +148,7 @@ class GetTestCaseTest(unittest.TestCase):
def test_valid_error_string(self):
"""Tests that get_testcase returns the correct testcase give an error."""
testcase_path = os.path.join(os.path.dirname(os.path.abspath(__file__)),
- 'test_files',
- 'example_crash_fuzzer_output.txt')
+ 'test_data', 'example_crash_fuzzer_output.txt')
with open(testcase_path, 'rb') as test_fuzz_output:
parsed_testcase = self.test_target.get_testcase(test_fuzz_output.read())
self.assertEqual(
diff --git a/infra/cifuzz/run_fuzzers.py b/infra/cifuzz/run_fuzzers.py
index 2a2a89e5f..513cfb6fa 100644
--- a/infra/cifuzz/run_fuzzers.py
+++ b/infra/cifuzz/run_fuzzers.py
@@ -91,7 +91,9 @@ class BaseFuzzTargetRunner:
"""Fuzzes with |fuzz_target_obj| and returns the result."""
# TODO(metzman): Make children implement this so that the batch runner can
# do things differently.
- return fuzz_target_obj.fuzz()
+ result = fuzz_target_obj.fuzz()
+ fuzz_target_obj.free_disk_if_needed()
+ return result
@property
def quit_on_bug_found(self):
@@ -100,9 +102,12 @@ class BaseFuzzTargetRunner:
raise NotImplementedError('Child class must implement method')
def get_fuzz_target_artifact(self, target, artifact_name):
- """Returns the path of a fuzzing |artifact| named |artifact_name| for
- |target|."""
- artifact_name = target.target_name + '-' + artifact_name
+ """Returns the path of a fuzzing artifact named |artifact_name| for
+ |fuzz_target|."""
+ artifact_name = '{target_name}-{sanitizer}-{artifact_name}'.format(
+ target_name=target.target_name,
+ sanitizer=self.config.sanitizer,
+ artifact_name=artifact_name)
return os.path.join(self.artifacts_dir, artifact_name)
def create_fuzz_target_obj(self, target_path, run_seconds):
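Review bot: The reworded docstring of `get_fuzz_target_artifact` now refers to `|fuzz_target|`, but the parameter is still `target`; write `|target|` so the docstring matches the signature. It would also help to state that the sanitizer is part of the name, e.g. `The name is '<target>-<sanitizer>-<artifact_name>' so artifacts from different sanitizer runs do not collide.`, since that is the behaviour the tests at L3682-L3691 now pin.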
@@ -140,12 +145,9 @@ class BaseFuzzTargetRunner:
target.target_name)
continue
- # We found a bug in the fuzz target.
- utils.binary_print(b'Fuzzer: %s. Detected bug:\n%s' %
- (target.target_name.encode(), result.stacktrace))
-
# TODO(metzman): Do this with filestore.
- testcase_artifact_path = self.get_fuzz_target_artifact(target, 'testcase')
+ testcase_artifact_path = self.get_fuzz_target_artifact(
+ target, os.path.basename(result.testcase))
shutil.move(result.testcase, testcase_artifact_path)
bug_summary_artifact_path = self.get_fuzz_target_artifact(
target, 'bug-summary.txt')
diff --git a/infra/cifuzz/run_fuzzers_entrypoint.py b/infra/cifuzz/run_fuzzers_entrypoint.py
index f810e38f8..46e208dc0 100644
--- a/infra/cifuzz/run_fuzzers_entrypoint.py
+++ b/infra/cifuzz/run_fuzzers_entrypoint.py
@@ -11,11 +11,12 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-"""Runs specific OSS-Fuzz project's fuzzers for CI tools."""
+"""Runs a specific OSS-Fuzz project's fuzzers for CI tools."""
import logging
import sys
import config_utils
+import docker
import run_fuzzers
# pylint: disable=c-extension-no-member
@@ -26,6 +27,21 @@ logging.basicConfig(
level=logging.DEBUG)
+def delete_unneeded_docker_images(config):
+ """Deletes unneeded docker images if running in an environment with low
+ disk space."""
+ if not config.low_disk_space:
+ return
+ logging.info('Deleting builder docker images to save disk space.')
+ project_image = docker.get_project_image_name(config.project_name)
+ images = [
+ project_image,
+ docker.BASE_RUNNER_TAG,
+ docker.MSAN_LIBS_BUILDER_TAG,
+ ]
+ docker.delete_images(images)
+
+
def main():
"""Runs OSS-Fuzz project's fuzzers for CI tools.
This is the entrypoint for the run_fuzzers github action.
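Review bot: `delete_unneeded_docker_images` lists `docker.BASE_RUNNER_TAG` among the images to remove, yet the log line says builder images and `fuzz_target.fuzz` runs every target inside `docker.BASE_RUNNER_TAG` (L3495), so on a low-disk runner the image would be deleted at L3656 and pulled again on the first fuzz run, which costs time and, on a runner that is short of space, may well fail. `docker.BASE_BUILDER_TAG` is defined in the new `docker.py` and used nowhere else in this diff, which suggests it is the intended entry: `docker.BASE_BUILDER_TAG,` in place of `docker.BASE_RUNNER_TAG,`. If the runner image really is meant to go, the log message and a comment explaining why it is safe should say so; `main` continues outside the hunk.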
@@ -62,6 +78,7 @@ def main():
logging.error('This script needs to be run within Github actions.')
return returncode
+ delete_unneeded_docker_images(config)
# Run the specified project's fuzzers from the build.
result = run_fuzzers.run_fuzzers(config)
if result == run_fuzzers.RunFuzzersResult.ERROR:
diff --git a/infra/cifuzz/run_fuzzers_test.py b/infra/cifuzz/run_fuzzers_test.py
index 847ddf399..b2659903c 100644
--- a/infra/cifuzz/run_fuzzers_test.py
+++ b/infra/cifuzz/run_fuzzers_test.py
@@ -37,13 +37,13 @@ import test_helpers
EXAMPLE_PROJECT = 'example'
# Location of files used for testing.
-TEST_FILES_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
- 'test_files')
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
+ 'test_data')
-MEMORY_FUZZER_DIR = os.path.join(TEST_FILES_PATH, 'memory')
+MEMORY_FUZZER_DIR = os.path.join(TEST_DATA_PATH, 'memory')
MEMORY_FUZZER = 'curl_fuzzer_memory'
-UNDEFINED_FUZZER_DIR = os.path.join(TEST_FILES_PATH, 'undefined')
+UNDEFINED_FUZZER_DIR = os.path.join(TEST_DATA_PATH, 'undefined')
UNDEFINED_FUZZER = 'curl_fuzzer_undefined'
FUZZ_SECONDS = 10
@@ -227,7 +227,8 @@ class BaseFuzzTargetRunnerTest(unittest.TestCase):
target.target_name = target_name
fuzz_target_artifact = runner.get_fuzz_target_artifact(
target, artifact_name)
- expected_fuzz_target_artifact = 'artifacts-dir/target_name-artifact-name'
+ expected_fuzz_target_artifact = (
+ 'artifacts-dir/target_name-address-artifact-name')
self.assertEqual(fuzz_target_artifact, expected_fuzz_target_artifact)
@@ -263,7 +264,7 @@ class CiFuzzTargetRunnerTest(fake_filesystem_unittest.TestCase):
magic_mock.target_name = 'target1'
mocked_create_fuzz_target_obj.return_value = magic_mock
self.assertTrue(runner.run_fuzz_targets())
- self.assertIn('target1-testcase', os.listdir(runner.artifacts_dir))
+ self.assertIn('target1-address-testcase', os.listdir(runner.artifacts_dir))
self.assertEqual(mocked_run_fuzz_target.call_count, 1)
@@ -279,7 +280,7 @@ class BatchFuzzTargetRunnerTest(fake_filesystem_unittest.TestCase):
def test_run_fuzz_targets_quits(self, mocked_create_fuzz_target_obj,
mocked_run_fuzz_target,
mocked_get_fuzz_targets):
- """Tests that run_fuzz_targets quits on the first crash it finds."""
+ """Tests that run_fuzz_targets doesn't quit on the first crash it finds."""
workspace = 'workspace'
out_path = os.path.join(workspace, 'out')
self.fs.create_dir(out_path)
@@ -290,8 +291,8 @@ class BatchFuzzTargetRunnerTest(fake_filesystem_unittest.TestCase):
mocked_get_fuzz_targets.return_value = ['target1', 'target2']
runner.initialize()
- testcase1 = os.path.join(workspace, 'testcase1')
- testcase2 = os.path.join(workspace, 'testcase2')
+ testcase1 = os.path.join(workspace, 'testcase-aaa')
+ testcase2 = os.path.join(workspace, 'testcase-bbb')
self.fs.create_file(testcase1)
self.fs.create_file(testcase2)
stacktrace = b'stacktrace'
@@ -312,7 +313,8 @@ class BatchFuzzTargetRunnerTest(fake_filesystem_unittest.TestCase):
magic_mock.target_name = 'target1'
mocked_create_fuzz_target_obj.return_value = magic_mock
self.assertTrue(runner.run_fuzz_targets())
- self.assertIn('target1-testcase', os.listdir(runner.artifacts_dir))
+ self.assertIn('target1-address-testcase-aaa',
+ os.listdir(runner.artifacts_dir))
self.assertEqual(mocked_run_fuzz_target.call_count, 2)
@@ -333,7 +335,7 @@ class RunAddressFuzzersIntegrationTest(RunFuzzerIntegrationTestMixin,
side_effect=[True, False]):
with tempfile.TemporaryDirectory() as tmp_dir:
workspace = os.path.join(tmp_dir, 'workspace')
- shutil.copytree(TEST_FILES_PATH, workspace)
+ shutil.copytree(TEST_DATA_PATH, workspace)
config = _create_config(fuzz_seconds=FUZZ_SECONDS,
workspace=workspace,
project_name=EXAMPLE_PROJECT)
@@ -349,17 +351,17 @@ class RunAddressFuzzersIntegrationTest(RunFuzzerIntegrationTestMixin,
def test_old_bug_found(self, _):
"""Tests run_fuzzers with a bug found in OSS-Fuzz before."""
config = _create_config(fuzz_seconds=FUZZ_SECONDS,
- workspace=TEST_FILES_PATH,
+ workspace=TEST_DATA_PATH,
project_name=EXAMPLE_PROJECT)
with tempfile.TemporaryDirectory() as tmp_dir:
workspace = os.path.join(tmp_dir, 'workspace')
- shutil.copytree(TEST_FILES_PATH, workspace)
+ shutil.copytree(TEST_DATA_PATH, workspace)
config = _create_config(fuzz_seconds=FUZZ_SECONDS,
- workspace=TEST_FILES_PATH,
+ workspace=TEST_DATA_PATH,
project_name=EXAMPLE_PROJECT)
result = run_fuzzers.run_fuzzers(config)
self.assertEqual(result, run_fuzzers.RunFuzzersResult.NO_BUG_FOUND)
- build_dir = os.path.join(TEST_FILES_PATH, 'out', self.BUILD_DIR_NAME)
+ build_dir = os.path.join(TEST_DATA_PATH, 'out', self.BUILD_DIR_NAME)
self.assertTrue(os.path.exists(build_dir))
self.assertNotEqual(0, len(os.listdir(build_dir)))
diff --git a/infra/cifuzz/stack_parser.py b/infra/cifuzz/stack_parser.py
index 0077caae9..69c44bc2e 100644
--- a/infra/cifuzz/stack_parser.py
+++ b/infra/cifuzz/stack_parser.py
@@ -13,6 +13,8 @@
# limitations under the License.
"""Module for parsing stacks from fuzz targets."""
+import logging
+
# From clusterfuzz: src/python/crash_analysis/crash_analyzer.py
# Used to get the beginning of the stacktrace.
STACKTRACE_TOOL_MARKERS = [
@@ -51,25 +53,33 @@ def parse_fuzzer_output(fuzzer_output, parsed_output_file_path):
parsed_output_file_path: The location to store the parsed output.
"""
# Get index of key file points.
+ begin_stack = None
for marker in STACKTRACE_TOOL_MARKERS:
marker_index = fuzzer_output.find(marker)
- if marker_index:
+ if marker_index != -1:
begin_stack = marker_index
break
- end_stack = -1
+ if begin_stack is None:
+ logging.error(
+ b'Could not find a begin stack marker (%s) in fuzzer output:\n%s',
+ STACKTRACE_TOOL_MARKERS, fuzzer_output)
+ return
+
+ end_stack = None
for marker in STACKTRACE_END_MARKERS:
marker_index = fuzzer_output.find(marker)
- if marker_index:
+ if marker_index != -1:
end_stack = marker_index + len(marker)
break
- if begin_stack is None or end_stack is None:
+ if end_stack is None:
+ logging.error(
+ b'Could not find an end stack marker (%s) in fuzzer output:\n%s',
+ STACKTRACE_END_MARKERS, fuzzer_output)
return
summary_str = fuzzer_output[begin_stack:end_stack]
- if not summary_str:
- return
# Write sections of fuzzer output to specific files.
with open(parsed_output_file_path, 'ab') as summary_handle:
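Review bot: Both new `logging.error` calls pass a `bytes` format string with the marker list as a `%s` argument; `bytes % (...)` only accepts bytes-like objects or objects with `__bytes__` for `%s`, so if `STACKTRACE_TOOL_MARKERS`/`STACKTRACE_END_MARKERS` are lists of bytes (as `fuzzer_output.find(marker)` suggests) the formatting raises `TypeError` inside logging and the message is replaced by a "Logging error" traceback on stderr. The unit test at L3860-L3863 does not catch this because `logging.error` is mocked. Using a `str` template, `logging.error('Could not find a begin stack marker (%s) in fuzzer output:\n%s', STACKTRACE_TOOL_MARKERS, fuzzer_output)` (and likewise for the end-marker call), formats both the list and the bytes output correctly. `parse_fuzzer_output` continues past the hunk.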
diff --git a/infra/cifuzz/stack_parser_test.py b/infra/cifuzz/stack_parser_test.py
index 9b05710fc..faf601fd5 100644
--- a/infra/cifuzz/stack_parser_test.py
+++ b/infra/cifuzz/stack_parser_test.py
@@ -14,7 +14,9 @@
"""Tests for stack_parser."""
import os
import unittest
+from unittest import mock
+import parameterized
from pyfakefs import fake_filesystem_unittest
import stack_parser
@@ -23,9 +25,9 @@ import stack_parser
# https://github.com/google/oss-fuzz/tree/master/projects/example project.
EXAMPLE_PROJECT = 'example'
-# Location of files used for testing.
-TEST_FILES_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
- 'test_files')
+# Location of data used for testing.
+TEST_DATA_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
+ 'test_data')
class ParseOutputTest(fake_filesystem_unittest.TestCase):
@@ -33,33 +35,42 @@ class ParseOutputTest(fake_filesystem_unittest.TestCase):
def setUp(self):
self.setUpPyfakefs()
+ self.maxDiff = None # pylint: disable=invalid-name
- def test_parse_valid_output(self):
+ @parameterized.parameterized.expand([('example_crash_fuzzer_output.txt',
+ 'example_crash_fuzzer_bug_summary.txt'),
+ ('msan_crash_fuzzer_output.txt',
+ 'msan_crash_fuzzer_bug_summary.txt')])
+ def test_parse_valid_output(self, fuzzer_output_file, bug_summary_file):
"""Checks that the parse fuzzer output can correctly parse output."""
# Read the fuzzer output from disk.
- fuzzer_output_path = os.path.join(TEST_FILES_PATH,
- 'example_crash_fuzzer_output.txt')
+ fuzzer_output_path = os.path.join(TEST_DATA_PATH, fuzzer_output_file)
self.fs.add_real_file(fuzzer_output_path)
with open(fuzzer_output_path, 'rb') as fuzzer_output_handle:
fuzzer_output = fuzzer_output_handle.read()
bug_summary_path = '/bug-summary.txt'
- stack_parser.parse_fuzzer_output(fuzzer_output, bug_summary_path)
+ with mock.patch('logging.info') as mocked_info:
+ stack_parser.parse_fuzzer_output(fuzzer_output, bug_summary_path)
+ mocked_info.assert_not_called()
+
with open(bug_summary_path) as bug_summary_handle:
bug_summary = bug_summary_handle.read()
# Compare the bug to the expected one.
- expected_bug_summary_path = os.path.join(TEST_FILES_PATH,
- 'bug_summary_example.txt')
+ expected_bug_summary_path = os.path.join(TEST_DATA_PATH, bug_summary_file)
self.fs.add_real_file(expected_bug_summary_path)
with open(expected_bug_summary_path) as expected_bug_summary_handle:
expected_bug_summary = expected_bug_summary_handle.read()
+
self.assertEqual(expected_bug_summary, bug_summary)
def test_parse_invalid_output(self):
"""Checks that no files are created when an invalid input was given."""
artifact_path = '/bug-summary.txt'
- stack_parser.parse_fuzzer_output(b'not a valid output_string',
- artifact_path)
+ with mock.patch('logging.error') as mocked_error:
+ stack_parser.parse_fuzzer_output(b'not a valid output_string',
+ artifact_path)
+ assert mocked_error.call_count
self.assertFalse(os.path.exists(artifact_path))
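Review bot: `assert mocked_error.call_count` mixes a bare `assert` into a `unittest.TestCase` whose other checks use `self.assert*`; it is stripped under `python -O` and gives no message on failure. `mocked_error.assert_called()` (or `self.assertTrue(mocked_error.call_count)`) is the idiomatic equivalent here.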
diff --git a/infra/cifuzz/test_files/bug_summary_example.txt b/infra/cifuzz/test_data/example_crash_fuzzer_bug_summary.txt
index 8caebad0c..8caebad0c 100644
--- a/infra/cifuzz/test_files/bug_summary_example.txt
+++ b/infra/cifuzz/test_data/example_crash_fuzzer_bug_summary.txt
diff --git a/infra/cifuzz/test_files/example_crash_fuzzer_output.txt b/infra/cifuzz/test_data/example_crash_fuzzer_output.txt
index d316f5f40..d316f5f40 100644
--- a/infra/cifuzz/test_files/example_crash_fuzzer_output.txt
+++ b/infra/cifuzz/test_data/example_crash_fuzzer_output.txt
diff --git a/infra/cifuzz/test_files/example_curl_cov.json b/infra/cifuzz/test_data/example_curl_cov.json
index 0936102fd..0936102fd 100644
--- a/infra/cifuzz/test_files/example_curl_cov.json
+++ b/infra/cifuzz/test_data/example_curl_cov.json
diff --git a/infra/cifuzz/test_files/example_curl_file_list.json b/infra/cifuzz/test_data/example_curl_file_list.json
index 0ed1965c5..0ed1965c5 100644
--- a/infra/cifuzz/test_files/example_curl_file_list.json
+++ b/infra/cifuzz/test_data/example_curl_file_list.json
diff --git a/infra/cifuzz/test_files/example_curl_fuzzer_cov.json b/infra/cifuzz/test_data/example_curl_fuzzer_cov.json
index 6f8c2498c..6f8c2498c 100644
--- a/infra/cifuzz/test_files/example_curl_fuzzer_cov.json
+++ b/infra/cifuzz/test_data/example_curl_fuzzer_cov.json
diff --git a/infra/cifuzz/test_files/external-project/Makefile b/infra/cifuzz/test_data/external-project/Makefile
index 2c1773776..2c1773776 100644
--- a/infra/cifuzz/test_files/external-project/Makefile
+++ b/infra/cifuzz/test_data/external-project/Makefile
diff --git a/infra/cifuzz/test_files/external-project/do_stuff_fuzzer.cpp b/infra/cifuzz/test_data/external-project/do_stuff_fuzzer.cpp
index 71fa8cae2..71fa8cae2 100644
--- a/infra/cifuzz/test_files/external-project/do_stuff_fuzzer.cpp
+++ b/infra/cifuzz/test_data/external-project/do_stuff_fuzzer.cpp
diff --git a/infra/cifuzz/test_files/external-project/do_stuff_fuzzer.dict b/infra/cifuzz/test_data/external-project/do_stuff_fuzzer.dict
index 224679bf4..224679bf4 100644
--- a/infra/cifuzz/test_files/external-project/do_stuff_fuzzer.dict
+++ b/infra/cifuzz/test_data/external-project/do_stuff_fuzzer.dict
diff --git a/infra/cifuzz/test_files/external-project/my_api.cpp b/infra/cifuzz/test_data/external-project/my_api.cpp
index 9a2c1bc1c..9a2c1bc1c 100644
--- a/infra/cifuzz/test_files/external-project/my_api.cpp
+++ b/infra/cifuzz/test_data/external-project/my_api.cpp
diff --git a/infra/cifuzz/test_files/external-project/my_api.h b/infra/cifuzz/test_data/external-project/my_api.h
index 325aa15cc..325aa15cc 100644
--- a/infra/cifuzz/test_files/external-project/my_api.h
+++ b/infra/cifuzz/test_data/external-project/my_api.h
diff --git a/infra/cifuzz/test_files/external-project/oss-fuzz/Dockerfile b/infra/cifuzz/test_data/external-project/oss-fuzz/Dockerfile
index e9dc33031..e9dc33031 100644
--- a/infra/cifuzz/test_files/external-project/oss-fuzz/Dockerfile
+++ b/infra/cifuzz/test_data/external-project/oss-fuzz/Dockerfile
diff --git a/infra/cifuzz/test_files/external-project/oss-fuzz/build.sh b/infra/cifuzz/test_data/external-project/oss-fuzz/build.sh
index 2c52ef90f..2c52ef90f 100644
--- a/infra/cifuzz/test_files/external-project/oss-fuzz/build.sh
+++ b/infra/cifuzz/test_data/external-project/oss-fuzz/build.sh
diff --git a/infra/cifuzz/test_files/external-project/standalone_fuzz_target_runner.cpp b/infra/cifuzz/test_data/external-project/standalone_fuzz_target_runner.cpp
index 38a0454f0..38a0454f0 100644
--- a/infra/cifuzz/test_files/external-project/standalone_fuzz_target_runner.cpp
+++ b/infra/cifuzz/test_data/external-project/standalone_fuzz_target_runner.cpp
diff --git a/infra/cifuzz/test_files/memory/out/curl_fuzzer_memory b/infra/cifuzz/test_data/memory/out/curl_fuzzer_memory
index c602ce970..c602ce970 100755
--- a/infra/cifuzz/test_files/memory/out/curl_fuzzer_memory
+++ b/infra/cifuzz/test_data/memory/out/curl_fuzzer_memory
Binary files differ
diff --git a/infra/cifuzz/test_data/msan_crash_fuzzer_bug_summary.txt b/infra/cifuzz/test_data/msan_crash_fuzzer_bug_summary.txt
new file mode 100644
index 000000000..b55e9c6b7
--- /dev/null
+++ b/infra/cifuzz/test_data/msan_crash_fuzzer_bug_summary.txt
@@ -0,0 +1,22 @@
+MemorySanitizer: use-of-uninitialized-value
+#0 0x52675f in LLVMFuzzerTestOneInput /src/cifuzz-example/do_stuff_fuzzer.cpp:13:7
+#1 0x45a431 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
+#2 0x45ba46 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:792:3
+#3 0x45bed9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:845:3
+#4 0x44a4bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
+#5 0x474432 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
+#6 0x7eff5562683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
+#7 0x41eab8 in _start (out/do_stuff_fuzzer+0x41eab8)
+
+DEDUP_TOKEN: LLVMFuzzerTestOneInput--fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)--fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&)
+Uninitialized value was created by a heap allocation
+#0 0x4d57ad in malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:901:3
+#1 0x437c07 in operator new(unsigned long) (out/do_stuff_fuzzer+0x437c07)
+#2 0x45ba46 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:792:3
+#3 0x45bed9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:845:3
+#4 0x44a4bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
+#5 0x474432 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
+#6 0x7eff5562683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
+DEDUP_TOKEN: malloc--operator new(unsigned long)--fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&)
+
+SUMMARY: \ No newline at end of file
diff --git a/infra/cifuzz/test_data/msan_crash_fuzzer_output.txt b/infra/cifuzz/test_data/msan_crash_fuzzer_output.txt
new file mode 100644
index 000000000..c803bfb1c
--- /dev/null
+++ b/infra/cifuzz/test_data/msan_crash_fuzzer_output.txt
@@ -0,0 +1,39 @@
+Dictionary: 3 entries
+INFO: Running with entropic power schedule (0xFF, 100).
+INFO: Seed: 1337
+INFO: Loaded 1 modules (184 inline 8-bit counters): 184 [0x829300, 0x8293b8),
+INFO: Loaded 1 PC tables (184 PCs): 184 [0x5dc910,0x5dd490),
+INFO: 5 files found in /tmp/do_stuff_fuzzer_corpus
+INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
+==13==WARNING: MemorySanitizer: use-of-uninitialized-value
+#0 0x52675f in LLVMFuzzerTestOneInput /src/cifuzz-example/do_stuff_fuzzer.cpp:13:7
+#1 0x45a431 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15
+#2 0x45ba46 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:792:3
+#3 0x45bed9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:845:3
+#4 0x44a4bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
+#5 0x474432 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
+#6 0x7eff5562683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
+#7 0x41eab8 in _start (out/do_stuff_fuzzer+0x41eab8)
+
+DEDUP_TOKEN: LLVMFuzzerTestOneInput--fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)--fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&)
+Uninitialized value was created by a heap allocation
+#0 0x4d57ad in malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:901:3
+#1 0x437c07 in operator new(unsigned long) (out/do_stuff_fuzzer+0x437c07)
+#2 0x45ba46 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:792:3
+#3 0x45bed9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:845:3
+#4 0x44a4bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6
+#5 0x474432 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
+#6 0x7eff5562683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
+DEDUP_TOKEN: malloc--operator new(unsigned long)--fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&)
+
+SUMMARY: MemorySanitizer: use-of-uninitialized-value /src/cifuzz-example/do_stuff_fuzzer.cpp:13:7 in LLVMFuzzerTestOneInput
+Unique heap origins: 65
+Stack depot allocated bytes: 4424
+Unique origin histories: 29
+History depot allocated bytes: 696
+Exiting
+MS: 0 ; base unit: 0000000000000000000000000000000000000000
+
+
+artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
+Base64:
diff --git a/infra/cifuzz/test_files/out/example_crash_fuzzer b/infra/cifuzz/test_data/out/example_crash_fuzzer
index 704800dda..704800dda 100755
--- a/infra/cifuzz/test_files/out/example_crash_fuzzer
+++ b/infra/cifuzz/test_data/out/example_crash_fuzzer
Binary files differ
diff --git a/infra/cifuzz/test_files/out/example_nocrash_fuzzer b/infra/cifuzz/test_data/out/example_nocrash_fuzzer
index e4ff86042..e4ff86042 100755
--- a/infra/cifuzz/test_files/out/example_nocrash_fuzzer
+++ b/infra/cifuzz/test_data/out/example_nocrash_fuzzer
Binary files differ
diff --git a/infra/cifuzz/test_files/undefined/out/curl_fuzzer_undefined b/infra/cifuzz/test_data/undefined/out/curl_fuzzer_undefined
index 504cab108..504cab108 100755
--- a/infra/cifuzz/test_files/undefined/out/curl_fuzzer_undefined
+++ b/infra/cifuzz/test_data/undefined/out/curl_fuzzer_undefined
Binary files differ
diff --git a/infra/go/coverage/gocovsum/gocovsum.go b/infra/go/coverage/gocovsum/gocovsum.go
deleted file mode 100644
index 206600619..000000000
--- a/infra/go/coverage/gocovsum/gocovsum.go
+++ /dev/null
@@ -1,126 +0,0 @@
-package main
-
-import (
- "encoding/json"
- "flag"
- "fmt"
- "log"
-
- "go/ast"
- "go/parser"
- "go/token"
- "os"
- "path"
-
- "golang.org/x/tools/cover"
-)
-
-type CoverageTotal struct {
- Count int `json:"count"`
- Covered int `json:"covered"`
- Uncovered int `json:"notcovered"`
- Percent float64 `json:"percent"`
-}
-
-type CoverageTotals struct {
- Functions CoverageTotal `json:"functions,omitempty"`
- Lines CoverageTotal `json:"lines,omitempty"`
- Regions CoverageTotal `json:"regions,omitempty"`
-}
-
-type CoverageData struct {
- Totals CoverageTotals `json:"totals,omitempty"`
-}
-
-type PositionInterval struct {
- start token.Position
- end token.Position
-}
-
-type CoverageSummary struct {
- Data []CoverageData `json:"data,omitempty"`
- Type string `json:"type,omitempty"`
- Version string `json:"version,omitempty"`
-}
-
-func isFunctionCovered(s token.Position, e token.Position, blocks []cover.ProfileBlock) bool {
- for _, b := range blocks {
- if b.StartLine >= s.Line && b.StartLine <= e.Line && b.EndLine >= s.Line && b.EndLine <= e.Line {
- if b.Count > 0 {
- return true
- }
- }
- }
- return false
-}
-
-func main() {
- flag.Parse()
-
- if len(flag.Args()) != 1 {
- log.Fatalf("needs exactly one argument")
- }
- profiles, err := cover.ParseProfiles(flag.Args()[0])
- if err != nil {
- log.Fatalf("failed to parse profiles: %v", err)
- }
- r := CoverageSummary{}
- r.Type = "oss-fuzz.go.coverage.json.export"
- r.Version = "1.0.0"
- r.Data = make([]CoverageData, 1)
- gopath := os.Getenv("GOPATH")
- if len(gopath) == 0 {
- gopath = os.Getenv("HOME") + "/go"
- }
- for _, p := range profiles {
- fset := token.NewFileSet() // positions are relative to fset
- f, err := parser.ParseFile(fset, path.Join(gopath, "src", p.FileName), nil, 0)
- if err != nil {
- panic(err)
- }
- ast.Inspect(f, func(n ast.Node) bool {
- switch x := n.(type) {
- case *ast.FuncLit:
- startf := fset.Position(x.Pos())
- endf := fset.Position(x.End())
- r.Data[0].Totals.Functions.Count++
- if isFunctionCovered(startf, endf, p.Blocks) {
- r.Data[0].Totals.Functions.Covered++
- } else {
- r.Data[0].Totals.Functions.Uncovered++
- }
- case *ast.FuncDecl:
- startf := fset.Position(x.Pos())
- endf := fset.Position(x.End())
- r.Data[0].Totals.Functions.Count++
- if isFunctionCovered(startf, endf, p.Blocks) {
- r.Data[0].Totals.Functions.Covered++
- } else {
- r.Data[0].Totals.Functions.Uncovered++
- }
- }
- return true
- })
-
- for _, b := range p.Blocks {
- r.Data[0].Totals.Regions.Count++
- if b.Count > 0 {
- r.Data[0].Totals.Regions.Covered++
- } else {
- r.Data[0].Totals.Regions.Uncovered++
- }
-
- r.Data[0].Totals.Lines.Count += b.NumStmt
- if b.Count > 0 {
- r.Data[0].Totals.Lines.Covered += b.NumStmt
- } else {
- r.Data[0].Totals.Lines.Uncovered += b.NumStmt
- }
- }
- }
- r.Data[0].Totals.Regions.Percent = float64(100*r.Data[0].Totals.Regions.Covered) / float64(r.Data[0].Totals.Regions.Count)
- r.Data[0].Totals.Lines.Percent = float64(100*r.Data[0].Totals.Lines.Covered) / float64(r.Data[0].Totals.Lines.Count)
- r.Data[0].Totals.Functions.Percent = float64(100*r.Data[0].Totals.Functions.Covered) / float64(r.Data[0].Totals.Functions.Count)
- o, _ := json.Marshal(r)
- fmt.Printf(string(o))
-}
diff --git a/infra/go/coverage/pprof-merge/go.mod b/infra/go/coverage/pprof-merge/go.mod
deleted file mode 100644
index 5d5b514ac..000000000
--- a/infra/go/coverage/pprof-merge/go.mod
+++ /dev/null
@@ -1,5 +0,0 @@
-module github.com/rakyll/pprof-merge
-
-go 1.13
-
-require github.com/google/pprof v0.0.0-20190908185732-236ed259b199
diff --git a/infra/helper.py b/infra/helper.py
index 8a0a640c1..e24df4ded 100755
--- a/infra/helper.py
+++ b/infra/helper.py
@@ -22,7 +22,6 @@ from multiprocessing.dummy import Pool as ThreadPool
import argparse
import datetime
import errno
-import multiprocessing
import os
import pipes
import re
@@ -59,15 +58,61 @@ CORPUS_BACKUP_URL_FORMAT = (
PROJECT_LANGUAGE_REGEX = re.compile(r'\s*language\s*:\s*([^\s]+)')
# Languages from project.yaml that have code coverage support.
-LANGUAGES_WITH_COVERAGE_SUPPORT = ['c', 'c++', 'go']
+LANGUAGES_WITH_COVERAGE_SUPPORT = ['c', 'c++', 'go', 'rust']
+# pylint: disable=too-many-lines
-def main(): # pylint: disable=too-many-branches,too-many-return-statements,too-many-statements
+
+def main(): # pylint: disable=too-many-branches,too-many-return-statements
"""Get subcommand from program arguments and do it."""
os.chdir(OSS_FUZZ_DIR)
if not os.path.exists(BUILD_DIR):
os.mkdir(BUILD_DIR)
+ args = parse_args()
+
+ # We have different default values for `sanitizer` depending on the `engine`.
+ # Some commands do not have `sanitizer` argument, so `hasattr` is necessary.
+ if hasattr(args, 'sanitizer') and not args.sanitizer:
+ if args.engine == 'dataflow':
+ args.sanitizer = 'dataflow'
+ else:
+ args.sanitizer = 'address'
+
+ if args.command == 'generate':
+ return generate(args)
+ if args.command == 'build_image':
+ return build_image(args)
+ if args.command == 'build_fuzzers':
+ return build_fuzzers(args)
+ if args.command == 'check_build':
+ return check_build(args)
+ if args.command == 'download_corpora':
+ return download_corpora(args)
+ if args.command == 'run_fuzzer':
+ return run_fuzzer(args)
+ if args.command == 'coverage':
+ return coverage(args)
+ if args.command == 'reproduce':
+ return reproduce(args)
+ if args.command == 'shell':
+ return shell(args)
+ if args.command == 'pull_images':
+ return pull_images(args)
+
+ return 0
+
+
+def parse_args(args=None):
+ """Parses args using argparser and returns parsed args."""
+ # Use default argument None for args so that in production, argparse does its
+ # normal behavior, but unittesting is easier.
+ parser = get_parser()
+ return parser.parse_args(args)
+
+
+def get_parser(): # pylint: disable=too-many-statements
+ """Returns an argparse parser."""
parser = argparse.ArgumentParser('helper.py', description='oss-fuzz helpers')
subparsers = parser.add_subparsers(dest='command')
@@ -112,8 +157,9 @@ def main(): # pylint: disable=too-many-branches,too-many-return-statements,too-
_add_engine_args(
check_build_parser,
choices=['libfuzzer', 'afl', 'honggfuzz', 'dataflow', 'none'])
- _add_sanitizer_args(check_build_parser,
- choices=['address', 'memory', 'undefined', 'dataflow'])
+ _add_sanitizer_args(
+ check_build_parser,
+ choices=['address', 'memory', 'undefined', 'dataflow', 'thread'])
_add_environment_args(check_build_parser)
check_build_parser.add_argument('project_name', help='name of the project')
check_build_parser.add_argument('fuzzer_name',
@@ -189,39 +235,7 @@ def main(): # pylint: disable=too-many-branches,too-many-return-statements,too-
_add_environment_args(shell_parser)
subparsers.add_parser('pull_images', help='Pull base images.')
-
- args = parser.parse_args()
-
- # We have different default values for `sanitizer` depending on the `engine`.
- # Some commands do not have `sanitizer` argument, so `hasattr` is necessary.
- if hasattr(args, 'sanitizer') and not args.sanitizer:
- if args.engine == 'dataflow':
- args.sanitizer = 'dataflow'
- else:
- args.sanitizer = 'address'
-
- if args.command == 'generate':
- return generate(args)
- if args.command == 'build_image':
- return build_image(args)
- if args.command == 'build_fuzzers':
- return build_fuzzers(args)
- if args.command == 'check_build':
- return check_build(args)
- if args.command == 'download_corpora':
- return download_corpora(args)
- if args.command == 'run_fuzzer':
- return run_fuzzer(args)
- if args.command == 'coverage':
- return coverage(args)
- if args.command == 'reproduce':
- return reproduce(args)
- if args.command == 'shell':
- return shell(args)
- if args.command == 'pull_images':
- return pull_images(args)
-
- return 0
+ return parser
def is_base_image(image_name):
@@ -335,7 +349,7 @@ def _add_engine_args(parser,
def _add_sanitizer_args(parser,
choices=('address', 'memory', 'undefined', 'coverage',
- 'dataflow')):
+ 'dataflow', 'thread')):
"""Add common sanitizer args."""
parser.add_argument(
'--sanitizer',
@@ -632,7 +646,7 @@ def check_build(args):
]
if args.fuzzer_name:
- run_args += ['test_one', os.path.join('/out', args.fuzzer_name)]
+ run_args += ['test_one.py', args.fuzzer_name]
else:
run_args.append('test_all.py')
@@ -672,14 +686,14 @@ def _get_latest_corpus(project_name, fuzz_target, base_corpus_dir):
fuzz_target=fuzz_target)
command = ['gsutil', 'ls', corpus_backup_url]
- corpus_listing = subprocess.Popen(command,
- stdout=subprocess.PIPE,
- stderr=subprocess.PIPE)
- output, error = corpus_listing.communicate()
+ # Don't capture stderr. We want it to print in real time, in case gsutil is
+ # asking for two-factor authentication.
+ corpus_listing = subprocess.Popen(command, stdout=subprocess.PIPE)
+ output, _ = corpus_listing.communicate()
# Some fuzz targets (e.g. new ones) may not have corpus yet, just skip those.
if corpus_listing.returncode:
- print('WARNING: corpus for {0} not found:\n{1}'.format(fuzz_target, error),
+ print('WARNING: corpus for {0} not found:\n'.format(fuzz_target),
file=sys.stderr)
return
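Review bot: The warning string still ends in `:\n`, which was there to introduce the captured `error` text that the rewritten `communicate()` call no longer provides, so the message now prints a dangling colon and an empty line. Since gsutil's own stderr is now streamed live (per the new comment), the warning only needs the target name: `print('WARNING: corpus for {0} not found.'.format(fuzz_target), file=sys.stderr)`. The body of `_get_latest_corpus` starts before and ends after this hunk.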
@@ -736,7 +750,7 @@ def download_corpora(args):
print('Downloading corpora for %s project to %s' %
(args.project_name, corpus_dir))
- thread_pool = ThreadPool(multiprocessing.cpu_count())
+ thread_pool = ThreadPool()
return all(thread_pool.map(_download_for_single_target, fuzz_targets))
@@ -956,9 +970,11 @@ def shell(args):
'FUZZING_ENGINE=' + args.engine,
'SANITIZER=' + args.sanitizer,
'ARCHITECTURE=' + args.architecture,
- 'FUZZING_LANGUAGE=' + _get_project_language(args.project_name),
]
+ if args.project_name != 'base-runner-debug':
+ env.append('FUZZING_LANGUAGE=' + _get_project_language(args.project_name))
+
if args.e:
env += args.e
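Review bot: The new guard compares against the hard-coded literal `'base-runner-debug'`, while helper.py already has an `is_base_image(image_name)` predicate (visible as context after the parser hunk above). If that predicate covers this image, `if not is_base_image(args.project_name):` would express the intent — skip language lookup for images that have no project.yaml — without a magic string; if it does not, a short comment such as `# Base images have no project.yaml, so there is no language to look up.` should accompany the literal. `shell()` begins outside this hunk.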
diff --git a/infra/helper_test.py b/infra/helper_test.py
new file mode 100644
index 000000000..d899a835b
--- /dev/null
+++ b/infra/helper_test.py
@@ -0,0 +1,35 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Tests for helper.py"""
+
+import unittest
+from unittest import mock
+
+import helper
+
+
+class TestShell(unittest.TestCase):
+ """Tests 'shell' command."""
+
+ @mock.patch('helper.docker_run')
+ @mock.patch('helper.build_image_impl')
+ def test_base_runner_debug(self, mocked_build_image_impl, _):
+ """Tests that shell base-runner-debug works as intended."""
+ image_name = 'base-runner-debug'
+ unparsed_args = ['shell', image_name]
+ args = helper.parse_args(unparsed_args)
+ args.sanitizer = 'address'
+ result = helper.shell(args)
+ mocked_build_image_impl.assert_called_with(image_name)
+ self.assertEqual(result, 0)
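Review bot: The test exercises the new `base-runner-debug` branch in `shell()` but never checks the behaviour that branch exists for, namely that no project language is looked up; as written it would still pass if the `FUZZING_LANGUAGE` line were appended unconditionally, provided the lookup did not raise. Adding `@mock.patch('helper._get_project_language')` to the decorator stack and asserting `mocked_get_project_language.assert_not_called()` pins the intent, and naming the `docker_run` mock instead of `_` would allow asserting on the `env` it receives. The manual `args.sanitizer = 'address'` deserves a one-line comment noting that the engine-dependent sanitizer default lives in `main()`, not in `parse_args()`, so tests that bypass `main()` must set it themselves.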
diff --git a/infra/presubmit.py b/infra/presubmit.py
index bd5e9c327..90b4f90ac 100755
--- a/infra/presubmit.py
+++ b/infra/presubmit.py
@@ -104,6 +104,7 @@ class ProjectYamlChecker:
'c',
'c++',
'go',
+ 'jvm',
'python',
'rust',
]
@@ -381,8 +382,9 @@ def run_nonbuild_tests(parallel):
def run_tests(_=None, parallel=False):
"""Runs all unit tests."""
- success = run_nonbuild_tests(parallel)
- return success and run_build_tests()
+ nonbuild_success = run_nonbuild_tests(parallel)
+ build_success = run_build_tests()
+ return nonbuild_success and build_success
def get_all_files():
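Review bot: The rewrite of `run_tests` drops the short-circuit so the build tests run even when the nonbuild tests fail, but nothing records that this is deliberate, and a future cleanup could fold the two lines back into `return run_nonbuild_tests(parallel) and run_build_tests()`. A one-line comment above the two calls, such as `# Run both suites even if the first fails, so one run reports every failure.`, would protect the intent; the docstring could say the same.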
diff --git a/infra/repo_manager.py b/infra/repo_manager.py
index a5781b89a..a0b97b3ef 100644
--- a/infra/repo_manager.py
+++ b/infra/repo_manager.py
@@ -127,6 +127,14 @@ class RepoManager:
return out.strip()
+ def fetch_all_remotes(self):
+ """Fetch all remotes for checkouts that track a single branch."""
+ self.git([
+ 'config', 'remote.origin.fetch', '+refs/heads/*:refs/remotes/origin/*'
+ ],
+ check_result=True)
+ self.git(['remote', 'update'], check_result=True)
+
def get_commit_list(self, newest_commit, oldest_commit=None):
"""Gets the list of commits(inclusive) between the old and new commits.
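Review bot: The docstring of `fetch_all_remotes` says it fetches all remotes, but the refspec it widens is only `remote.origin.fetch`; any other remote a caller has configured keeps whatever single-branch refspec it had, and `git remote update` will then fetch only that. Either state this precisely, e.g. `"""Widen origin's fetch refspec to every branch, then fetch all remotes."""`, or derive the remote name from the checkout rather than hard-coding `origin`. The `+` prefix on the refspec also permits non-fast-forward updates of the remote-tracking refs, which is presumably intended for a CI checkout but is worth a short comment.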
diff --git a/infra/testcases/curl_test_data b/infra/testcases/curl_test_data
deleted file mode 100644
index ed4b54ea3..000000000
--- a/infra/testcases/curl_test_data
+++ /dev/null
Binary files differ
diff --git a/infra/testcases/libarchive_test_data b/infra/testcases/libarchive_test_data
deleted file mode 100644
index 928bfec97..000000000
--- a/infra/testcases/libarchive_test_data
+++ /dev/null
Binary files differ
diff --git a/infra/testcases/ndpi_test_data b/infra/testcases/ndpi_test_data
deleted file mode 100644
index 010af8604..000000000
--- a/infra/testcases/ndpi_test_data
+++ /dev/null
Binary files differ
diff --git a/infra/testcases/usrsctp_test_data b/infra/testcases/usrsctp_test_data
deleted file mode 100644
index fa90322a2..000000000
--- a/infra/testcases/usrsctp_test_data
+++ /dev/null
Binary files differ
diff --git a/infra/testcases/yara_test_data b/infra/testcases/yara_test_data
deleted file mode 100644
index e2a0b94af..000000000
--- a/infra/testcases/yara_test_data
+++ /dev/null
@@ -1 +0,0 @@
-rule N{condition:for 1r in r(r \ No newline at end of file
diff --git a/infra/utils_test.py b/infra/utils_test.py
index a56295c93..aa6ec7ba7 100644
--- a/infra/utils_test.py
+++ b/infra/utils_test.py
@@ -24,7 +24,7 @@ import helper
EXAMPLE_PROJECT = 'example'
TEST_OUT_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)),
- 'cifuzz', 'test_files', 'out')
+ 'cifuzz', 'test_data', 'out')
class IsFuzzTargetLocalTest(unittest.TestCase):
diff --git a/oss-fuzz.iml b/oss-fuzz.iml
deleted file mode 100644
index 20f48fa7d..000000000
--- a/oss-fuzz.iml
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module type="PYTHON_MODULE" version="4">
- <component name="NewModuleRootManager" inherit-compiler-output="true">
- <exclude-output />
- <content url="file://$MODULE_DIR$" />
- <orderEntry type="jdk" jdkName="Python 2.7" jdkType="Python SDK" />
- <orderEntry type="sourceFolder" forTests="false" />
- </component>
-</module> \ No newline at end of file
diff --git a/projects/bad_example/build.sh b/projects/bad_example/build.sh
index eb08bd6ef..88a7caad2 100755
--- a/projects/bad_example/build.sh
+++ b/projects/bad_example/build.sh
@@ -22,7 +22,7 @@ $CXX $CXXFLAGS -std=c++11 -I. -DINTENTIONAL_STARTUP_CRASH \
$LIB_FUZZING_ENGINE ./libz.a
-# The latest two examples won't for for coverage build, bail out.
+# The latest two examples won't work for coverage build, bail out.
if [[ $SANITIZER = *coverage* ]]; then
exit 0
fi
diff --git a/projects/bazel-rules-fuzzing-test/build.sh b/projects/bazel-rules-fuzzing-test/build.sh
index 07b2a737f..056e16b3d 100644
--- a/projects/bazel-rules-fuzzing-test/build.sh
+++ b/projects/bazel-rules-fuzzing-test/build.sh
@@ -17,36 +17,6 @@
################################################################################
# This is an example build script for projects using the rules_fuzzing library
-# for Bazel. Use it as a starting point for your own integration.
+# for Bazel.
-# An easy way to build all the relevant fuzz tests for a project is to use a
-# "bazel query" command. Here, we are collecting all fuzz test targets (which
-# are tagged with "fuzz-test" by default). Here we also have a basic opt-out
-# mechanism through the "no-oss-fuzz" tag. You can use additional filtering
-# logic in your own integrations.
-declare -r QUERY='
- let all_fuzz_tests = attr(tags, "fuzz-test", "//...") in
- $all_fuzz_tests - attr(tags, "no-oss-fuzz", $all_fuzz_tests)
-'
-
-# The fuzzing rules provide a special `<name>_oss_fuzz` target that creates a
-# TAR archive with all the fuzz test artifacts (binary, corpus, dictionary,
-# etc.) using the layout expected by OSS-Fuzz. We derive the OSS-Fuzz package
-# targets from the fuzz test names using the "sed" command below.
-declare -r PACKAGE_SUFFIX="_oss_fuzz"
-declare -r OSS_FUZZ_TESTS="$(bazel query "${QUERY}" | sed "s/$/${PACKAGE_SUFFIX}/")"
-
-# We now build all the OSS-Fuzz packages using the compiler toolchain provided
-# by OSS-Fuzz through $CC and $CXX. The `--config=oss-fuzz` flag takes care of
-# using the correct instrumentation and fuzzing engine derived from the OSS-Fuzz
-# environment.
-bazel build -c opt --config=oss-fuzz --linkopt=-lc++ \
- --action_env=CC="${CC}" --action_env=CXX="${CXX}" \
- ${OSS_FUZZ_TESTS[*]}
-
-# Finally, we extract the contents of the OSS-Fuzz packages directly into the
-# $OUT/ directory. Recall that the packages already contain all the artifacts in
-# the format expected by OSS-Fuzz.
-for oss_fuzz_archive in $(find bazel-bin/ -name "*${PACKAGE_SUFFIX}.tar"); do
- tar -xvf "${oss_fuzz_archive}" -C "${OUT}"
-done
+bazel_build_fuzz_tests
diff --git a/projects/bignum-fuzzer/Dockerfile b/projects/bignum-fuzzer/Dockerfile
index ba08d04f8..6b7483642 100644
--- a/projects/bignum-fuzzer/Dockerfile
+++ b/projects/bignum-fuzzer/Dockerfile
@@ -16,11 +16,8 @@
FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get update && apt-get install -y software-properties-common python-software-properties wget curl sudo mercurial autoconf bison texinfo libboost-all-dev cmake
-RUN add-apt-repository -y ppa:gophers/archive && apt-get update && apt-get install -y golang-1.9-go
-RUN ln -s /usr/lib/go-1.9/bin/go /usr/bin/go
RUN wget https://www.bytereef.org/software/mpdecimal/releases/mpdecimal-2.5.0.tar.gz
-RUN git clone --recursive https://github.com/golang/go
RUN git clone --depth 1 https://github.com/guidovranken/bignum-fuzzer
RUN git clone --depth 1 https://github.com/openssl/openssl
RUN hg clone https://gmplib.org/repo/gmp/ libgmp/
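Review bot: With the `add-apt-repository` line removed, `software-properties-common` and `python-software-properties` on the remaining `apt-get install` line appear to have no consumer left in this Dockerfile, since they existed to provide that command. Unless something in the rest of the build relies on them, dropping both from the install list shrinks the image and its attack surface; if they are still needed, a short comment stating by what would prevent the next reader from asking the same question.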
diff --git a/projects/bignum-fuzzer/build.sh b/projects/bignum-fuzzer/build.sh
index 699c3fa4e..8c29baff4 100755
--- a/projects/bignum-fuzzer/build.sh
+++ b/projects/bignum-fuzzer/build.sh
@@ -15,17 +15,6 @@
#
################################################################################
-# Compile latest Go
-cd go/src
-./make.bash
-cd $SRC
-
-# Remove previous Go install (used for bootstrapping)
-apt-get remove golang-1.9-go -y
-rm /usr/bin/go
-
-export PATH=`realpath $SRC/go/bin`:$PATH
-
# Install Rust nightly
#curl https://sh.rustup.rs -sSf | sh -s -- -y
#source $HOME/.cargo/env
diff --git a/projects/bind9/project.yaml b/projects/bind9/project.yaml
index ef26dfed5..82ff413fa 100644
--- a/projects/bind9/project.yaml
+++ b/projects/bind9/project.yaml
@@ -2,6 +2,7 @@ homepage: "https://gitlab.isc.org/isc-projects/bind9"
language: c
primary_contact: "bind9-dev@isc.org"
auto_ccs:
+ - "artem@isc.org"
- "dfronza@isc.org"
- "each@isc.org"
- "marka@isc.org"
@@ -9,7 +10,7 @@ auto_ccs:
- "michal@isc.org"
- "mnowak@isc.org"
- "ondrej@isc.org"
- - "wpk@isc.org"
+ - "pspacek@isc.org"
sanitizers:
- address
- memory:
diff --git a/projects/botan/build.sh b/projects/botan/build.sh
index 0a3d53426..b88e78599 100755
--- a/projects/botan/build.sh
+++ b/projects/botan/build.sh
@@ -22,7 +22,7 @@ ln -s $SRC/fuzzer_corpus .
./configure.py --cc-bin=$CXX --cc-abi-flags="$CXXFLAGS" \
--disable-shared --disable-modules=locking_allocator \
--unsafe-fuzzer-mode --build-fuzzers=libfuzzer \
- --with-fuzzer-lib='FuzzingEngine'
+ --without-os-features=getrandom,getentropy --with-fuzzer-lib='FuzzingEngine'
make -j$(nproc) libs
make -j$(nproc) fuzzers
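Review bot: The new `--without-os-features=getrandom,getentropy` flag changes which OS entropy sources Botan's build can use, and nothing in the script says why that is necessary for the fuzzing build, so a later maintainer cannot tell whether it can be removed when the base image changes. A comment above the `./configure.py` line recording the motivation — for example `# getrandom/getentropy disabled for the fuzz build: <reason, e.g. base-image libc or sanitizer support>` with the actual cause filled in — would make the flag self-explaining. The configure invocation begins before this hunk.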
diff --git a/projects/bs4/project.yaml b/projects/bs4/project.yaml
index b541b62e5..2081650db 100644
--- a/projects/bs4/project.yaml
+++ b/projects/bs4/project.yaml
@@ -1,7 +1,7 @@
homepage: "https://www.crummy.com/software/BeautifulSoup/"
main_repo: "https://code.launchpad.net/~leonardr/beautifulsoup/bs4"
language: python
-primary_contact: "leonardr@segfault.org"
+primary_contact: "leonard.richardson@gmail.com"
auto_ccs:
- "jvoisin@google.com"
- "ipudney@google.com"
diff --git a/projects/c-blosc2/build.sh b/projects/c-blosc2/build.sh
index 973f2cf50..afe771dae 100755
--- a/projects/c-blosc2/build.sh
+++ b/projects/c-blosc2/build.sh
@@ -16,6 +16,8 @@
################################################################################
# Build project
+export LDSHARED=lld
+
cmake . -DCMAKE_C_FLAGS="$CFLAGS" -DCMAKE_CXX_FLAGS="$CXXFLAGS" -DBUILD_FUZZERS=ON
make clean
make -j$(nproc)
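Review bot: `export LDSHARED=lld` is added without a comment, and nothing visible in this hunk reads it: the `cmake` and `make` invocations that follow do not reference `LDSHARED`, which is conventionally a distutils/Makefile variable rather than something CMake honours. If c-blosc2's build does consume it, a one-line comment naming where (e.g. `# LDSHARED is read by <component> to pick the shared-library linker`) would justify the line; if the intent was to select the linker for the CMake build, that should be expressed through the compiler/linker flags instead, so the setting cannot silently become a no-op.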
diff --git a/projects/cairo/project.yaml b/projects/cairo/project.yaml
index 568d47334..9a078ded9 100644
--- a/projects/cairo/project.yaml
+++ b/projects/cairo/project.yaml
@@ -1,9 +1,14 @@
homepage: https://gitlab.freedesktop.org/cairo/cairo
language: c
primary_contact: security-tps@google.com
+auto_ccs:
+ - "psychon@znc.in"
sanitizers:
- address
- undefined
-
+vendor_ccs:
+ - "jkew@mozilla.com"
+ - "jmuizelaar@mozilla.com"
+ - "twsmith@mozilla.com"
view_restrictions: none
main_repo: 'https://gitlab.freedesktop.org/cairo/cairo.git'
diff --git a/projects/capnproto/Dockerfile b/projects/capnproto/Dockerfile
new file mode 100644
index 000000000..dffaa4580
--- /dev/null
+++ b/projects/capnproto/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y cmake zlib1g-dev
+RUN git clone --depth 1 https://github.com/capnproto/capnproto
+WORKDIR $SRC/capnproto
+COPY build.sh $SRC/
diff --git a/projects/capnproto/build.sh b/projects/capnproto/build.sh
new file mode 100755
index 000000000..176418d05
--- /dev/null
+++ b/projects/capnproto/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build project
+mkdir build
+cd build
+cmake -DBUILD_SHARED_LIBS=OFF ..
+make -j$(nproc)
+cp c++/src/capnp/*fuzzer* $OUT/
diff --git a/projects/capnproto/project.yaml b/projects/capnproto/project.yaml
new file mode 100644
index 000000000..e8cffba08
--- /dev/null
+++ b/projects/capnproto/project.yaml
@@ -0,0 +1,8 @@
+homepage: "https://capnproto.org"
+language: c++
+primary_contact: "security@sandstorm.io"
+auto_ccs:
+ - "p.antoine@catenacyber.fr"
+sanitizers:
+ - address
+main_repo: 'https://github.com/capnproto/capnproto'
diff --git a/projects/capstone/build.sh b/projects/capstone/build.sh
index 35720ea09..b0da12355 100755
--- a/projects/capstone/build.sh
+++ b/projects/capstone/build.sh
@@ -32,6 +32,7 @@ do
sed -i -e 's/#print/print/' capstone/__init__.py
(
export CFLAGS=""
+ export AFL_NOOPT=1
python setup.py install
)
cd $SRC/capstone$branch/suite
diff --git a/projects/cascadia/Dockerfile b/projects/cascadia/Dockerfile
index 7c6f58d87..094b5e10e 100644
--- a/projects/cascadia/Dockerfile
+++ b/projects/cascadia/Dockerfile
@@ -15,7 +15,7 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/andybalholm/cascadia
+RUN git clone https://github.com/andybalholm/cascadia
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/cascadia
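Review bot: The new `git clone` line omits `--depth 1`, which every other project Dockerfile touched by this commit uses (bignum-fuzzer, capnproto, cctz). A shallow clone is all the build needs and keeps image build time and size down: `RUN git clone --depth 1 https://github.com/andybalholm/cascadia`.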
diff --git a/projects/cctz/Dockerfile b/projects/cctz/Dockerfile
new file mode 100644
index 000000000..7882330f5
--- /dev/null
+++ b/projects/cctz/Dockerfile
@@ -0,0 +1,24 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make autoconf libgtest-dev
+RUN git clone --depth 1 https://github.com/google/cctz
+WORKDIR $SRC/cctz
+
+COPY build.sh $SRC/
+COPY fuzz_* $SRC/
+
diff --git a/projects/cctz/build.sh b/projects/cctz/build.sh
new file mode 100755
index 000000000..b83b4f52a
--- /dev/null
+++ b/projects/cctz/build.sh
@@ -0,0 +1,22 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+mkdir build && cd build
+cmake -DBUILD_TESTING=OFF ../
+make
+
+# Compile fuzzers
+cp $SRC/fuzz* .
+$CXX $CXXFLAGS $LIB_FUZZING_ENGINE ./fuzz_cctz.cc ./libcctz.a -I../include/ -o $OUT/fuzz_cctz
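Review bot: The new script has no `#!/bin/bash -eu` header, unlike the other build.sh files added in this change (cel-cpp, cosign, dart, fast-dds); the OSS-Fuzz compile wrapper presumably runs it with `-e`, but a failure of `cmake` or `make` is then caught only by inheritance rather than by the script itself. Add `#!/bin/bash -eu` as the first line. `make` runs single-threaded while every sibling script uses `make -j$(nproc)`; cctz is small, but the flag is free. A one-line comment above the final `$CXX` line saying the fuzzer is linked against the static `libcctz.a` built above (rather than an installed copy) would make the `-I../include/` and `./libcctz.a` paths self-explanatory.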
diff --git a/projects/cctz/fuzz_cctz.cc b/projects/cctz/fuzz_cctz.cc
new file mode 100644
index 000000000..2096152ff
--- /dev/null
+++ b/projects/cctz/fuzz_cctz.cc
@@ -0,0 +1,47 @@
+/* Copyright 2020 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <fuzzer/FuzzedDataProvider.h>
+
+#include <iostream>
+#include <string>
+
+#include "cctz/civil_time.h"
+#include "cctz/time_zone.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ FuzzedDataProvider fuzzed_data(data, size);
+
+ cctz::time_zone lax;
+ std::string tz = fuzzed_data.ConsumeRandomLengthString();
+ if (load_time_zone(tz, &lax)) {
+ std::chrono::system_clock::time_point tp;
+ std::string date_format = fuzzed_data.ConsumeRandomLengthString();
+ std::string parse_format = fuzzed_data.ConsumeRandomLengthString();
+ cctz::parse(parse_format, date_format, lax, &tp);
+
+ const auto t1 = cctz::convert(cctz::civil_second(
+ fuzzed_data.ConsumeIntegral<uint32_t>(),
+ fuzzed_data.ConsumeIntegral<uint32_t>(),
+ fuzzed_data.ConsumeIntegral<uint32_t>(),
+ fuzzed_data.ConsumeIntegral<uint32_t>(),
+ fuzzed_data.ConsumeIntegral<uint32_t>(),
+ fuzzed_data.ConsumeIntegral<uint32_t>()), lax);
+ std::string format = fuzzed_data.ConsumeRandomLengthString();
+ cctz::format(format, t1, lax);
+ }
+
+ return 0;
+}
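Review bot: Everything after the `load_time_zone` check runs only when the fuzzed string happens to name an installed zone, so most inputs return before `cctz::parse` and `cctz::format` are reached, and the harness silently degrades to a no-op if the runner image has no tzdata. Fall back to a fixed zone instead of skipping: `if (!cctz::load_time_zone(tz, &lax)) lax = cctz::utc_time_zone();` and run the rest unconditionally, or choose the name with `fuzzed_data.PickValueInArray` from a short list of known zones. Since the zone name is presumably resolved to a file under the zoneinfo directory, an input containing `..` may also make the harness open unrelated files, another reason to constrain it. `load_time_zone` is found only through ADL on `lax`; spelling it `cctz::load_time_zone` is clearer, and `<iostream>` is included but unused.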
diff --git a/projects/cctz/project.yaml b/projects/cctz/project.yaml
new file mode 100644
index 000000000..58562e613
--- /dev/null
+++ b/projects/cctz/project.yaml
@@ -0,0 +1,3 @@
+homepage: "https://github.com/google/cctz"
+language: c++
+primary_contact: "david@adalogics.com"
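Review bot: `main_repo` is missing, unlike the other new project.yaml files in this change (cel-cpp, cosign, dart); ClusterFuzz uses it for revision tracking and bisection of regressions, so without it crash reports cannot be attributed to a commit range. Add `main_repo: 'https://github.com/google/cctz'`.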
diff --git a/projects/cel-cpp/.bazelrc b/projects/cel-cpp/.bazelrc
new file mode 100644
index 000000000..f55fb55ae
--- /dev/null
+++ b/projects/cel-cpp/.bazelrc
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Force the use of Clang for C++ builds.
+build --action_env=CC=clang
+build --action_env=CXX=clang++
+
+build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine=@rules_fuzzing_oss_fuzz//:oss_fuzz_engine
+build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_instrumentation=oss-fuzz
+build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_sanitizer=none
diff --git a/projects/cel-cpp/BUILD b/projects/cel-cpp/BUILD
new file mode 100644
index 000000000..6fdd77387
--- /dev/null
+++ b/projects/cel-cpp/BUILD
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+load("@rules_fuzzing//fuzzing:cc_defs.bzl", "cc_fuzz_test")
+
+cc_fuzz_test(
+ name = "fuzz_parse",
+ deps = ["//parser"],
+ srcs = ["fuzz_parse.cc"],
+)
diff --git a/projects/cel-cpp/Dockerfile b/projects/cel-cpp/Dockerfile
new file mode 100644
index 000000000..6c4b67eef
--- /dev/null
+++ b/projects/cel-cpp/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN git clone --depth 1 https://github.com/google/cel-cpp/
+COPY build.sh $SRC/
+RUN mkdir $SRC/cel-cpp/fuzz/
+COPY BUILD fuzz*.cc $SRC/cel-cpp/fuzz/
+COPY WORKSPACE .bazelrc $SRC/
+RUN cat WORKSPACE >> $SRC/cel-cpp/WORKSPACE
+RUN cat .bazelrc >> $SRC/cel-cpp/.bazelrc
+RUN echo "4.0.0" > $SRC/cel-cpp/.bazelversion
+WORKDIR $SRC/cel-cpp
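Review bot: `RUN cat WORKSPACE >> ...` and `RUN cat .bazelrc >> ...` use relative paths that only resolve if the base image's working directory is `$SRC` at that point; writing `$SRC/WORKSPACE` and `$SRC/.bazelrc` removes that dependency on the parent image. `echo "4.0.0" > $SRC/cel-cpp/.bazelversion` overwrites whatever Bazel version upstream pins, so a future upstream bump will be silently ignored here; a comment such as `# pin Bazel to the version base-builder's bazelisk can fetch` would record why the override is intentional. The `cat` appends are also not idempotent, which matters for anyone rebuilding the image layer locally with a cached clone.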
diff --git a/projects/cel-cpp/WORKSPACE b/projects/cel-cpp/WORKSPACE
new file mode 100644
index 000000000..bc59fa04a
--- /dev/null
+++ b/projects/cel-cpp/WORKSPACE
@@ -0,0 +1,41 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+http_archive(
+ name = "fuzzing_rules_python",
+ url = "https://github.com/bazelbuild/rules_python/releases/download/0.1.0/rules_python-0.1.0.tar.gz",
+ sha256 = "b6d46438523a3ec0f3cead544190ee13223a52f6a6765a29eae7b7cc24cc83a0",
+)
+
+http_archive(
+ name = "rules_fuzzing",
+ sha256 = "a5734cb42b1b69395c57e0bbd32ade394d5c3d6afbfe782b24816a96da24660d",
+ strip_prefix = "rules_fuzzing-0.1.1",
+ urls = ["https://github.com/bazelbuild/rules_fuzzing/archive/v0.1.1.zip"],
+ repo_mapping = {
+ "@rules_python": "@fuzzing_rules_python",
+ },
+)
+
+load("@rules_fuzzing//fuzzing:repositories.bzl", "rules_fuzzing_dependencies")
+
+rules_fuzzing_dependencies()
+
+load("@rules_fuzzing//fuzzing:init.bzl", "rules_fuzzing_init")
+
+rules_fuzzing_init()
diff --git a/projects/cel-cpp/build.sh b/projects/cel-cpp/build.sh
new file mode 100755
index 000000000..5a6315a35
--- /dev/null
+++ b/projects/cel-cpp/build.sh
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+declare -r QUERY='
+ let all_fuzz_tests = attr(tags, "fuzz-test", "//...") in
+ $all_fuzz_tests - attr(tags, "no-oss-fuzz", $all_fuzz_tests)
+'
+
+declare -r PACKAGE_SUFFIX="_oss_fuzz"
+declare -r OSS_FUZZ_TESTS="$(bazel query "${QUERY}" | sed "s/$/${PACKAGE_SUFFIX}/")"
+
+bazel build -c opt --config=oss-fuzz --linkopt=-lc++ \
+ --action_env=CC="${CC}" --action_env=CXX="${CXX}" \
+ ${OSS_FUZZ_TESTS[*]}
+
+for oss_fuzz_archive in $(find bazel-bin/ -name "*${PACKAGE_SUFFIX}.tar"); do
+ tar -xvf "${oss_fuzz_archive}" -C "${OUT}"
+done
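Review bot: `declare -r OSS_FUZZ_TESTS="$(bazel query …)"` hides the exit status of the query behind `declare`'s own (always zero) status, so under `-eu` a failing `bazel query` yields an empty target list, `bazel build` with no targets succeeds, and the empty `$OUT` is only noticed later by the build checker. Split it into `OSS_FUZZ_TESTS="$(bazel query "${QUERY}" | sed "s/$/${PACKAGE_SUFFIX}/")"` followed by `declare -r OSS_FUZZ_TESTS`, and add `set -o pipefail` so the `sed` stage cannot mask the query either. `${OSS_FUZZ_TESTS[*]}` indexes a plain string as if it were an array; bash treats a scalar as element 0 so it works, but `${OSS_FUZZ_TESTS}` (unquoted, to keep word splitting on the newline-separated list) says what is meant.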
diff --git a/projects/cel-cpp/fuzz_parse.cc b/projects/cel-cpp/fuzz_parse.cc
new file mode 100644
index 000000000..f4755d319
--- /dev/null
+++ b/projects/cel-cpp/fuzz_parse.cc
@@ -0,0 +1,34 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#include <string>
+
+#include "parser/parser.h"
+
+#define MAX_RECURSION 0x100
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ std::string str (reinterpret_cast<const char*>(data), size);
+ try {
+ auto parse_status = google::api::expr::parser::Parse(str, "fuzzinput", MAX_RECURSION);
+ if (!parse_status.ok()) {
+ parse_status.status().message();
+ }
+ } catch (const std::exception& e) {
+ return 0;
+ }
+ return 0;
+}
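Review bot: The `catch (const std::exception&)` around `Parse` swallows every standard exception, including `std::bad_alloc` and `std::length_error`, so a parser bug that throws is reported as a clean run rather than a crash. If `Parse` is documented to throw a specific exception type on malformed input, catch only that type and say so in a comment; otherwise drop the try/catch so an unexpected throw aborts under the fuzzer. `parse_status.status().message()` discards its result; if the purpose is to exercise status formatting, `(void)parse_status.status().message();  // exercise status formatting` makes that intent explicit. `<cstdint>` and `<cstddef>` are not included for `uint8_t`/`size_t`, so the file compiles only through transitive includes of `parser/parser.h`.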
diff --git a/projects/cel-cpp/project.yaml b/projects/cel-cpp/project.yaml
new file mode 100644
index 000000000..ad4bf90e3
--- /dev/null
+++ b/projects/cel-cpp/project.yaml
@@ -0,0 +1,11 @@
+homepage: "https://opensource.google/projects/cel"
+language: c++
+primary_contact: "kyessenov@gmail.com"
+auto_ccs :
+- "tswadell@google.com"
+- "p.antoine@catenacyber.fr"
+
+sanitizers:
+- address
+- memory
+main_repo: 'https://github.com/google/cel-cpp'
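Review bot: `auto_ccs :` has a space before the colon; YAML still parses the key as `auto_ccs` because trailing whitespace is stripped from the plain scalar, but yamllint flags it and it differs from every other key in the file. Write `auto_ccs:`. The same spelling appears in `projects/dart/project.yaml` in this change.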
diff --git a/projects/cilium/Dockerfile b/projects/cilium/Dockerfile
new file mode 100644
index 000000000..89f2f0016
--- /dev/null
+++ b/projects/cilium/Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y wget
+RUN wget https://raw.githubusercontent.com/google/AFL/master/dictionaries/json.dict -O $OUT/fuzz.dict
+
+RUN git clone --depth 1 https://github.com/dvyukov/go-fuzz-corpus
+RUN zip $OUT/fuzz_seed_corpus.zip go-fuzz-corpus/json/corpus/*
+
+RUN git clone https://github.com/cilium/cilium/ cilium
+RUN cp $SRC/cilium/test/fuzzing/oss-fuzz-build.sh $SRC/build.sh
+WORKDIR $SRC/cilium
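Review bot: The build script is taken from the cloned repository (`cp $SRC/cilium/test/fuzzing/oss-fuzz-build.sh $SRC/build.sh`), so the commands executed in the builder are whatever upstream HEAD contains at image-build time rather than something reviewed in this tree; that is an accepted OSS-Fuzz pattern, but a comment such as `# build.sh is maintained upstream in test/fuzzing/oss-fuzz-build.sh` would tell the next reader where to look. The dictionary and seed corpus are written as `fuzz.dict` and `fuzz_seed_corpus.zip`, which only attach to a fuzzer binary named exactly `fuzz`; that name is produced by the upstream script and cannot be confirmed from this diff. `git clone https://github.com/cilium/cilium/` omits the `--depth 1` used for the corpus clone above it, so the image carries cilium's full history.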
diff --git a/projects/civetweb/build.sh b/projects/civetweb/build.sh
index cd2caeefe..413dd5aec 100755
--- a/projects/civetweb/build.sh
+++ b/projects/civetweb/build.sh
@@ -19,4 +19,4 @@ export LDFLAGS="${LIB_FUZZING_ENGINE} ${CFLAGS}"
chmod +x ./fuzztest/build.sh
./fuzztest/build.sh
-mv civetweb_fuzz3 $OUT/
+mv civetweb_fuzz* $OUT/
diff --git a/projects/clamav/Dockerfile b/projects/clamav/Dockerfile
index c38ae9144..0d4cc0338 100644
--- a/projects/clamav/Dockerfile
+++ b/projects/clamav/Dockerfile
@@ -17,9 +17,20 @@
FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get update && apt-get install -y \
flex bison \
- automake autoconf pkg-config m4 libtool \
- libssl-dev \
- libcurl4-openssl-dev
+ python3-dev \
+ pkg-config
+
+#
+# Build static libs for dependencies
+#
+RUN python3 -m pip install mussels
+RUN git clone --depth 1 https://github.com/Cisco-Talos/clamav-mussels-cookbook.git
+
+RUN mkdir /mussels
+RUN cd ${SRC}/clamav-mussels-cookbook && \
+ msl build clamav_deps -t host-static -w /mussels/work -i /mussels/install
+
+# Collect clamav source & fuzz corpus
RUN git clone --depth 1 https://github.com/Cisco-Talos/clamav-devel.git
RUN git clone --depth 1 https://github.com/Cisco-Talos/clamav-fuzz-corpus.git
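Review bot: `python3 -m pip install mussels` installs the latest mussels from PyPI at every image build with no version or hash pin, and `msl build clamav_deps` then follows whatever the unpinned cookbook HEAD prescribes, so a changed or compromised release alters the dependency build silently. Pin at least the tool, `python3 -m pip install mussels==<release>` (ideally with `--require-hashes`), and consider pinning the cookbook checkout to a tag. Note also that OpenSSL, libxml2, pcre2 and the other dependencies are compiled in the Dockerfile, presumably before the compile step exports the sanitizer `CFLAGS`, so they are uninstrumented: bugs inside them are invisible to ASan/UBSan, and MSan would report false positives if it were ever added to project.yaml. A comment recording that this is deliberate would help.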
diff --git a/projects/clamav/build.sh b/projects/clamav/build.sh
index 0ab07e086..1f7e902ed 100755
--- a/projects/clamav/build.sh
+++ b/projects/clamav/build.sh
@@ -16,6 +16,7 @@
################################################################################
set -ex
+export GIT_DISCOVERY_ACROSS_FILESYSTEM=1
#
# Build the library.
@@ -24,37 +25,33 @@ rm -rf ${WORK}/build
mkdir -p ${WORK}/build
cd ${WORK}/build
-if [ -f "${SRC}/clamav-devel/autogen.sh" ]
-then
- /bin/chmod +x ${SRC}/clamav-devel/autogen.sh
- ${SRC}/clamav-devel/autogen.sh
-fi
-
-# Remove ltdl so clamav build doesn't detect it and add it as a dependency.
-apt remove -y libtool libltdl-dev libltdl7
-
#
# Run ./configure
#
-ac_cv_c_mmap_anonymous=no \
- ${SRC}/clamav-devel/configure \
- --disable-mempool \
- --enable-fuzz=yes \
- --with-libjson=no \
- --with-pcre=no \
- --enable-static=yes \
- --enable-shared=no \
- --disable-llvm \
- --host=x86_64-unknown-linux-gnu
-
-# Build libclamav
-make clean
-make -j"$(nproc)"
+export CLAMAV_DEPENDENCIES=/mussels/install
+cmake ${SRC}/clamav-devel \
+ -DENABLE_FUZZ=ON \
+ -DHAVE_MMAP=OFF \
+ -DJSONC_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include/json-c" \
+ -DJSONC_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libjson-c.a" \
+ -DENABLE_JSON_SHARED=OFF \
+ -DBZIP2_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include" \
+ -DBZIP2_LIBRARY_RELEASE="$CLAMAV_DEPENDENCIES/lib/libbz2_static.a" \
+ -DOPENSSL_ROOT_DIR="$CLAMAV_DEPENDENCIES" \
+ -DOPENSSL_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include" \
+ -DOPENSSL_CRYPTO_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libcrypto.a" \
+ -DOPENSSL_SSL_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libssl.a" \
+ -DZLIB_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libssl.a" \
+ -DLIBXML2_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include" \
+ -DLIBXML2_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libxml2.a" \
+ -DPCRE2_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include" \
+ -DPCRE2_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libpcre2-8.a" \
+ -DZLIB_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include" \
+ -DZLIB_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libz.a" \
+ -DCMAKE_INSTALL_PREFIX="install"
-#
-# Build the fuzz targets.
-#
-make -j"$(nproc)" fuzz-all
+# Build libclamav and the fuzz targets
+make -j4
cp ./fuzz/clamav_* ${OUT}/.
#
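Review bot: `-DZLIB_LIBRARY` is passed twice, first as `$CLAMAV_DEPENDENCIES/lib/libssl.a` and later as `$CLAMAV_DEPENDENCIES/lib/libz.a`; CMake keeps the last `-D`, so the build currently links zlib, but the first line is a copy-paste slip that would link OpenSSL in place of zlib if the options were ever reordered. Delete the `-DZLIB_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libssl.a" \` line. The replaced code parallelised with `-j"$(nproc)"`, whereas the new `make -j4` hard-codes four jobs; `make -j"$(nproc)"` keeps build time independent of the builder's core count.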
diff --git a/projects/clamav/project.yaml b/projects/clamav/project.yaml
index d2c3f238f..1f8f5d702 100644
--- a/projects/clamav/project.yaml
+++ b/projects/clamav/project.yaml
@@ -6,4 +6,7 @@ auto_ccs:
sanitizers:
- address
- undefined
+fuzzing_engines:
+ - libfuzzer
+ - afl
main_repo: 'https://github.com/Cisco-Talos/clamav-devel.git'
diff --git a/projects/clib/project.yaml b/projects/clib/project.yaml
index 1dad0da2d..bc5871351 100644
--- a/projects/clib/project.yaml
+++ b/projects/clib/project.yaml
@@ -4,11 +4,4 @@ primary_contact: "joseph.werle@gmail.com"
auto_ccs:
- "Adam@adalogics.com"
- "isty001@gmail.com"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
-sanitizers:
- - address
- - undefined
- - memory
main_repo: 'https://github.com/clibs/clib'
diff --git a/projects/cosign/Dockerfile b/projects/cosign/Dockerfile
new file mode 100644
index 000000000..f0282dd16
--- /dev/null
+++ b/projects/cosign/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/sigstore/cosign
+
+COPY build.sh $SRC/
+WORKDIR $SRC/cosign
diff --git a/projects/cosign/build.sh b/projects/cosign/build.sh
new file mode 100755
index 000000000..87d865d2c
--- /dev/null
+++ b/projects/cosign/build.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+
+compile_go_fuzzer github.com/sigstore/cosign/test FuzzGetPassword fuzz_getPassword gofuzz
diff --git a/projects/cosign/project.yaml b/projects/cosign/project.yaml
new file mode 100644
index 000000000..dc5735fca
--- /dev/null
+++ b/projects/cosign/project.yaml
@@ -0,0 +1,8 @@
+homepage: https://sigstore.dev/
+language: go
+primary_contact: "priyawadhwa@google.com"
+main_repo: "https://github.com/sigstore/cosign"
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
diff --git a/projects/cryptofuzz/Dockerfile b/projects/cryptofuzz/Dockerfile
index fb668f2b8..7ed5d425b 100644
--- a/projects/cryptofuzz/Dockerfile
+++ b/projects/cryptofuzz/Dockerfile
@@ -23,14 +23,9 @@ RUN apt-get update && \
apt-get update && \
apt-get install -y software-properties-common python-software-properties make autoconf automake libtool build-essential cmake mercurial gyp ninja-build zlib1g-dev libsqlite3-dev bison flex texinfo
-# BoringSSL needs Go to build
-RUN add-apt-repository -y ppa:gophers/archive && apt-get update && apt-get install -y golang-1.9-go
-RUN ln -s /usr/lib/go-1.9/bin/go /usr/bin/go
-
RUN git clone --depth 1 https://github.com/guidovranken/cryptofuzz
RUN git clone --depth 1 https://github.com/guidovranken/cryptofuzz-corpora
RUN git clone --depth 1 https://github.com/openssl/openssl
-
RUN git clone --depth 1 https://boringssl.googlesource.com/boringssl
RUN git clone --depth 1 https://github.com/libressl-portable/portable libressl
RUN cd $SRC/libressl && ./update.sh
@@ -39,7 +34,6 @@ RUN git clone --depth 1 git://git.gnupg.org/libgcrypt.git
RUN wget https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.36.tar.bz2
RUN git clone --depth 1 -b oss-fuzz https://github.com/project-everest/hacl-star evercrypt
RUN git clone --depth 1 https://github.com/google/cityhash.git
-RUN git clone --depth 1 https://github.com/golang/go
RUN git clone --depth 1 https://github.com/randombit/botan.git
RUN git clone --depth 1 https://github.com/wolfSSL/wolfssl.git
RUN git clone --depth 1 https://github.com/ARMmbed/mbedtls.git
diff --git a/projects/cryptofuzz/build.sh b/projects/cryptofuzz/build.sh
index e363114e2..9aa3c948b 100755
--- a/projects/cryptofuzz/build.sh
+++ b/projects/cryptofuzz/build.sh
@@ -18,6 +18,8 @@
# TODO(metzman): Switch this to LIB_FUZZING_ENGINE when it works.
# https://github.com/google/oss-fuzz/issues/2336
+export GO111MODULE=off
+
# Compile xxd
$CC $SRC/xxd.c -o /usr/bin/xxd
@@ -40,24 +42,6 @@ export INCLUDE_PATH_FLAGS=""
cd $SRC/cryptofuzz
python gen_repository.py
-if [[ $CFLAGS = *-m32* ]]
-then
- export GOARCH=386
- export CGO_ENABLED=1
-fi
-
-export GO111MODULE=off
-cd $SRC/go/src
-./make.bash
-export GOROOT=$(realpath $SRC/go)
-export GOPATH=$GOROOT/packages
-mkdir $GOPATH
-export PATH=$GOROOT/bin:$PATH
-export PATH=$GOROOT/packages/bin:$PATH
-
-apt-get remove golang-1.9-go -y
-rm /usr/bin/go
-
go get golang.org/x/crypto/blake2b
go get golang.org/x/crypto/blake2s
go get golang.org/x/crypto/md4
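Review bot: The removed block set `GOARCH=386` and `CGO_ENABLED=1` when `$CFLAGS` contains `-m32`, and nothing in the new code replaces it, so if this project still builds an i386 configuration the Go packages will be compiled for amd64 and fail to link into the 32-bit fuzzer. Keep the architecture switch without the toolchain bootstrap: `if [[ $CFLAGS = *-m32* ]]; then export GOARCH=386 CGO_ENABLED=1; fi`. With `GO111MODULE=off` the `go get golang.org/x/crypto/...` lines fetch the module's master branch unpinned; that was true before, but the base image's Go toolchain is now the only Go in play, so it is worth a comment noting the intentional head-of-tree fetch.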
@@ -671,3 +655,4 @@ cp $SRC/cryptofuzz/cryptofuzz $OUT/cryptofuzz-boringssl-noasm
cp $SRC/cryptofuzz/cryptofuzz-dict.txt $OUT/cryptofuzz-boringssl-noasm.dict
# Copy seed corpus
cp $SRC/cryptofuzz-corpora/boringssl_latest.zip $OUT/cryptofuzz-boringssl-noasm_seed_corpus.zip
+
diff --git a/projects/cryptofuzz/project.yaml b/projects/cryptofuzz/project.yaml
index 659a309e5..59c3ac43e 100644
--- a/projects/cryptofuzz/project.yaml
+++ b/projects/cryptofuzz/project.yaml
@@ -23,11 +23,8 @@ auto_ccs:
- "david@wolfssl.com"
- "kaleb@wolfssl.com"
- "jacob@wolfssl.com"
- - "jjones@mozilla.com"
- "sledru@mozilla.com"
- - "kjacobs@mozilla.com"
- "bbeurdouche@mozilla.com"
- - "tvandermerwe@mozilla.com"
- "matthias.st.pierre@gmail.com"
- "kaleb.himes@gmail.com"
- "polubelovam@gmail.com"
diff --git a/projects/dart/Dockerfile b/projects/dart/Dockerfile
new file mode 100644
index 000000000..d60afcba6
--- /dev/null
+++ b/projects/dart/Dockerfile
@@ -0,0 +1,25 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt install -y g++-multilib git python curl
+
+RUN git clone --depth 1 https://chromium.googlesource.com/chromium/tools/depot_tools.git
+ENV PATH="${SRC}/depot_tools:${PATH}"
+RUN mkdir dart-sdk && cd dart-sdk && fetch dart
+COPY build.sh $SRC
+COPY patch.diff $SRC
+WORKDIR $SRC/dart-sdk/sdk
diff --git a/projects/dart/build.sh b/projects/dart/build.sh
new file mode 100755
index 000000000..520b2756c
--- /dev/null
+++ b/projects/dart/build.sh
@@ -0,0 +1,21 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build project
+git apply ../../patch.diff
+./tools/build.py --no-goma -j$(nproc) -m debug -a x64 --sanitizer=asan dart_libfuzzer
+cp out/DebugASANX64/*fuzzer $OUT/
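Review bot: `--sanitizer=asan` and `out/DebugASANX64` hard-code a single configuration and ignore `$SANITIZER`, `$CFLAGS` and `$LIB_FUZZING_ENGINE`; project.yaml lists only `address`, but with no `fuzzing_engines` restriction the default afl and honggfuzz builds will run this same script and ship a libFuzzer-only binary, and a coverage build would receive an ASan binary without coverage instrumentation. Either restrict project.yaml to libfuzzer or map the sanitizer here, e.g. `case "$SANITIZER" in address) SAN=asan;; *) echo "unsupported sanitizer $SANITIZER"; exit 1;; esac`. A comment explaining why `-m debug` is used rather than a release build would also help, since debug-mode asserts change what the fuzzer reports.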
diff --git a/projects/dart/patch.diff b/projects/dart/patch.diff
new file mode 100644
index 000000000..18729d5cb
--- /dev/null
+++ b/projects/dart/patch.diff
@@ -0,0 +1,13 @@
+diff --git a/runtime/bin/BUILD.gn b/runtime/bin/BUILD.gn
+index 1bc82252087..68e983b4902 100644
+--- a/runtime/bin/BUILD.gn
++++ b/runtime/bin/BUILD.gn
+@@ -1084,6 +1084,8 @@ if (defined(is_linux) && is_linux && defined(is_asan) && is_asan &&
+ extra_sources = [
+ "../vm/libfuzzer/dart_libfuzzer.cc",
+ "builtin.cc",
++ "dartdev_isolate.cc",
++ "dartdev_isolate.h",
+ "dfe.cc",
+ "dfe.h",
+ ]
diff --git a/projects/dart/project.yaml b/projects/dart/project.yaml
new file mode 100644
index 000000000..155fe23dd
--- /dev/null
+++ b/projects/dart/project.yaml
@@ -0,0 +1,9 @@
+homepage: "https://dart.dev"
+language: c++
+primary_contact: "scheglov@google.com"
+auto_ccs :
+- "p.antoine@catenacyber.fr"
+
+sanitizers:
+- address
+main_repo: 'https://github.com/dart-lang/sdk.git'
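Review bot: No `fuzzing_engines` entry is given, so the project defaults to libfuzzer, afl and honggfuzz, yet `build.sh` invokes Dart's own `dart_libfuzzer` target and does not appear to use `$LIB_FUZZING_ENGINE`, so the afl and honggfuzz builds would at best produce a libFuzzer binary. Add `fuzzing_engines:` followed by `  - libfuzzer` unless the build is extended to honour the engine variable. `auto_ccs :` also has a stray space before the colon.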
diff --git a/projects/dragonfly/Dockerfile b/projects/dragonfly/Dockerfile
index 2d04a8f8f..46870a6db 100644
--- a/projects/dragonfly/Dockerfile
+++ b/projects/dragonfly/Dockerfile
@@ -30,4 +30,4 @@ RUN go get github.com/go-openapi/swag \
github.com/willf/bitset
RUN git clone https://github.com/dragonflyoss/Dragonfly
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/Dragonfly
diff --git a/projects/dragonfly/build.sh b/projects/dragonfly/build.sh
index 6095149cc..6487785ea 100755
--- a/projects/dragonfly/build.sh
+++ b/projects/dragonfly/build.sh
@@ -15,8 +15,5 @@
#
################################################################################
-mkdir $GOPATH/src/github.com/dragonflyoss
-cp -r $SRC/Dragonfly $GOPATH/src/github.com/dragonflyoss/
-
compile_go_fuzzer github.com/dragonflyoss/Dragonfly/dfget/core/uploader FuzzParseParams uploader_fuzz
compile_go_fuzzer github.com/dragonflyoss/Dragonfly/supernode/daemon/mgr/cdn Fuzz cdn_fuzz
diff --git a/projects/dropbear/Dockerfile b/projects/dropbear/Dockerfile
index 0b4ba302f..f2c235486 100644
--- a/projects/dropbear/Dockerfile
+++ b/projects/dropbear/Dockerfile
@@ -1,4 +1,4 @@
-# Copyright 2016 Google Inc.
+# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -16,8 +16,8 @@
FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get update && apt-get install -y libz-dev autoconf mercurial
-RUN hg clone https://hg.ucc.asn.au/dropbear dropbear
-RUN hg clone https://hg.ucc.asn.au/dropbear-fuzzcorpus dropbear/corpus
+RUN hg clone https://hg.ucc.asn.au/dropbear-fuzzcorpus dropbear-corpus
+RUN git clone https://github.com/mkj/dropbear dropbear
WORKDIR dropbear
COPY build.sh *.options $SRC/
diff --git a/projects/dropbear/build.sh b/projects/dropbear/build.sh
index e3a6daec5..973211069 100644
--- a/projects/dropbear/build.sh
+++ b/projects/dropbear/build.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-# Copyright 2016 Google Inc.
+# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -27,9 +27,9 @@ make -j$(nproc) fuzz-targets FUZZLIB=$LIB_FUZZING_ENGINE
TARGETS="$(make list-fuzz-targets)"
-make -C $SRC/dropbear/corpus
+make -C $SRC/dropbear-corpus
cp -v $TARGETS $OUT/
cp -v *.options $OUT/
-cp -v $SRC/dropbear/corpus/*.zip $OUT/
-cp -v $SRC/dropbear/corpus/*.dict $OUT/
+cp -v $SRC/dropbear-corpus/*.zip $OUT/
+cp -v $SRC/dropbear-corpus/*.dict $OUT/
diff --git a/projects/dropbear/project.yaml b/projects/dropbear/project.yaml
index 3c10e86e2..78ee9009f 100644
--- a/projects/dropbear/project.yaml
+++ b/projects/dropbear/project.yaml
@@ -1,11 +1,5 @@
homepage: "https://matt.ucc.asn.au/dropbear/dropbear.html"
language: c++
primary_contact: "matt@ucc.asn.au"
-sanitizers:
- - address
- - undefined
- - memory
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
builds_per_day: 4
+main_repo: "https://github.com/mkj/dropbear"
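Review bot: Deleting the `fuzzing_engines` and `sanitizers` lists does more than tidy the file: the removed list explicitly omitted afl, and with the key gone the project falls back to the default engine set, which (if afl is in it) enables afl builds that were previously excluded; likewise `memory` is dropped if MSan is not part of the default sanitizer set. If afl was excluded on purpose, restore `fuzzing_engines: [libfuzzer, honggfuzz]`; if the defaults are now intended, a one-line comment such as `# engines/sanitizers: project defaults` would prevent the next reader from asking.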
diff --git a/projects/ecc-diff-fuzzer/build.sh b/projects/ecc-diff-fuzzer/build.sh
index 2fb442187..9b951cae8 100755
--- a/projects/ecc-diff-fuzzer/build.sh
+++ b/projects/ecc-diff-fuzzer/build.sh
@@ -93,13 +93,14 @@ cd libecc
#botan
(
cd botan
-#help it find libstdc++
-cp /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /usr/lib/x86_64-linux-gnu/libstdc++.so
-export LDFLAGS=$CXXFLAGS
if [ "$ARCHITECTURE" = 'i386' ]; then
- ./configure.py --disable-shared-library --cpu x86_32
+ ./configure.py --cc-bin=$CXX --cc-abi-flags="$CXXFLAGS" \
+ --disable-shared --disable-modules=locking_allocator --disable-shared-library \
+ --without-os-features=getrandom,getentropy --cpu x86_32
else
- ./configure.py --disable-shared-library
+ ./configure.py --cc-bin=$CXX --cc-abi-flags="$CXXFLAGS" \
+ --disable-shared --disable-modules=locking_allocator --disable-shared-library \
+ --without-os-features=getrandom,getentropy
fi
make -j$(nproc)
make install
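Review bot: The two branches now differ only in `--cpu x86_32`, and the growing option list is duplicated verbatim, so the next option will be added to one branch and forgotten in the other. Compute the extra flag once, `CPU_OPT=""; if [ "$ARCHITECTURE" = 'i386' ]; then CPU_OPT="--cpu x86_32"; fi`, and call `./configure.py` a single time with `$CPU_OPT` appended. `--disable-shared` and `--disable-shared-library` are both passed; if one is merely an alias of the other in this Botan version, keep only the documented spelling and note in a comment why `locking_allocator` and `getrandom,getentropy` are disabled (presumably to keep the build deterministic and free of mlock under the sanitizers).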
diff --git a/projects/envoy/project.yaml b/projects/envoy/project.yaml
index da1a49c69..5fae1498a 100644
--- a/projects/envoy/project.yaml
+++ b/projects/envoy/project.yaml
@@ -14,6 +14,9 @@ auto_ccs:
- "avd@google.com"
- "skerner@google.com"
- "rdsmith@google.com"
- - "chaoqinli16@gmail.com"
+ - "chaoqinli@google.com"
+ - "yanjunxiang@google.com"
+ - "arquebus@appspot.gserviceaccount.com"
+ - "david@adalogics.com"
coverage_extra_args: -ignore-filename-regex=.*\.cache.*envoy_deps_cache.*
main_repo: 'https://github.com/envoyproxy/envoy.git'
diff --git a/projects/fast-dds/Dockerfile b/projects/fast-dds/Dockerfile
new file mode 100644
index 000000000..df5782e63
--- /dev/null
+++ b/projects/fast-dds/Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt install -y autoconf automake
+RUN git clone --depth 1 https://github.com/leethomason/tinyxml2
+RUN git clone --depth 1 https://github.com/chriskohlhoff/asio/
+RUN git clone --depth 1 https://github.com/eProsima/Fast-CDR.git
+RUN git clone --depth 1 https://github.com/eProsima/foonathan_memory_vendor.git
+RUN git clone --depth 1 https://github.com/eProsima/Fast-DDS.git
+COPY patch.diff $SRC
+COPY build.sh $SRC
+WORKDIR $SRC/Fast-DDS
diff --git a/projects/fast-dds/build.sh b/projects/fast-dds/build.sh
new file mode 100755
index 000000000..6831dffe3
--- /dev/null
+++ b/projects/fast-dds/build.sh
@@ -0,0 +1,53 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+
+(
+cd ../tinyxml2
+make -j$(nproc) all
+cp libtinyxml2.a /usr/local/lib/
+cp *.h /usr/local/include/
+)
+
+(
+cd ../asio/asio
+sh autogen.sh
+./configure
+make -j$(nproc) install
+)
+
+(
+cd ..
+mkdir Fast-CDR/build && cd Fast-CDR/build
+cmake .. -DBUILD_SHARED_LIBS=OFF
+cmake --build . --target install
+)
+
+(
+cd ..
+cd foonathan_memory_vendor
+mkdir build && cd build
+cmake .. -DBUILD_SHARED_LIBS=OFF
+cmake --build . --target install
+)
+
+# build project
+git apply ../patch.diff
+mkdir build && cd build
+cmake .. -DBUILD_SHARED_LIBS=OFF
+make -j $(nproc)
+cp src/cpp/fuzz* $OUT/
diff --git a/projects/fast-dds/patch.diff b/projects/fast-dds/patch.diff
new file mode 100644
index 000000000..e4f0ba2ed
--- /dev/null
+++ b/projects/fast-dds/patch.diff
@@ -0,0 +1,74 @@
+diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt
+index b7fb777..615e955 100644
+--- a/src/cpp/CMakeLists.txt
++++ b/src/cpp/CMakeLists.txt
+@@ -484,6 +484,11 @@ elseif(NOT EPROSIMA_INSTALLER)
+ endif()
+ endif()
+
++if(DEFINED ENV{LIB_FUZZING_ENGINE})
++ add_executable(fuzz_processCDRMsg rtps/messages/fuzz_processCDRMsg.cpp)
++ target_link_libraries(fuzz_processCDRMsg ${PROJECT_NAME} $ENV{LIB_FUZZING_ENGINE})
++endif()
++
+ ###############################################################################
+ # Packaging
+ ###############################################################################
+diff --git a/src/cpp/rtps/messages/MessageReceiver.cpp b/src/cpp/rtps/messages/MessageReceiver.cpp
+index 962ca9b..0e82082 100644
+--- a/src/cpp/rtps/messages/MessageReceiver.cpp
++++ b/src/cpp/rtps/messages/MessageReceiver.cpp
+@@ -324,7 +324,11 @@ void MessageReceiver::processCDRMsg(
+
+ reset();
+
++#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
++ GuidPrefix_t participantGuidPrefix;
++#else
+ GuidPrefix_t participantGuidPrefix = participant_->getGuid().guidPrefix;
++#endif
+ dest_guid_prefix_ = participantGuidPrefix;
+
+ msg->pos = 0; //Start reading at 0
+@@ -513,7 +517,9 @@ void MessageReceiver::processCDRMsg(
+ submessage->pos = next_msg_pos;
+ }
+
++#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ participant_->assert_remote_participant_liveliness(source_guid_prefix_);
++#endif
+ }
+
+ bool MessageReceiver::checkRTPSHeader(
+diff --git a/src/cpp/rtps/messages/fuzz_processCDRMsg.cpp b/src/cpp/rtps/messages/fuzz_processCDRMsg.cpp
+new file mode 100644
+index 0000000..6a71817
+--- /dev/null
++++ b/src/cpp/rtps/messages/fuzz_processCDRMsg.cpp
+@@ -0,0 +1,26 @@
++#include <stdio.h>
++#include <stdlib.h>
++#include <stdint.h>
++#include <stdarg.h>
++#include <string.h>
++
++#include <fastrtps/rtps/messages/MessageReceiver.h>
++#include <fastdds/rtps/attributes/RTPSParticipantAttributes.h>
++
++extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
++ const eprosima::fastrtps::rtps::Locator_t remoteLocator;
++ eprosima::fastrtps::rtps::MessageReceiver* rcv = new eprosima::fastrtps::rtps::MessageReceiver(NULL, 4096);
++
++ eprosima::fastrtps::rtps::CDRMessage_t msg(0);
++ msg.wraps = true;
++ msg.buffer = const_cast<eprosima::fastrtps::rtps::octet*>(data);
++ msg.length = size;
++ msg.max_size = size;
++ msg.reserved_size = size;
++
++ // TODO: Should we unlock in case UnregisterReceiver is called from callback ?
++ rcv->processCDRMsg(remoteLocator, &msg);
++ delete rcv;
++ return 0;
++}
++
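Review bot: In `fuzz_processCDRMsg.cpp` the harness hands libFuzzer's input to the receiver through `msg.buffer = const_cast<eprosima::fastrtps::rtps::octet*>(data)`; if `processCDRMsg` ever writes into that buffer (this hunk cannot rule it out), libFuzzer aborts with "fuzz target overwrites its const input" instead of reporting a real finding. Copying the bytes first — `#include <vector>`, `std::vector<eprosima::fastrtps::rtps::octet> buf(data, data + size);`, `msg.buffer = buf.data();` — removes the cast and keeps `msg.wraps = true` valid. The `MessageReceiver(NULL, 4096)` call depends on the two `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` guards added to MessageReceiver.cpp; any other `participant_->` use on the processCDRMsg path that lies outside this patch would still be a null dereference, so a comment beside the constructor call stating that assumption would be useful. The `// TODO: Should we unlock in case UnregisterReceiver is called from callback ?` comment refers to a lock that does not appear in this file and reads as copied from elsewhere; it should be reworded or dropped.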
diff --git a/projects/fast-dds/project.yaml b/projects/fast-dds/project.yaml
new file mode 100644
index 000000000..970e0b10d
--- /dev/null
+++ b/projects/fast-dds/project.yaml
@@ -0,0 +1,9 @@
+homepage: "https://www.eprosima.com/"
+language: c++
+primary_contact: "miguelcompany@eprosima.com"
+auto_ccs:
+- "p.antoine@catenacyber.fr"
+sanitizers:
+- address
+- undefined
+main_repo: 'https://github.com/eProsima/Fast-DDS.git'
diff --git a/projects/fasthttp/Dockerfile b/projects/fasthttp/Dockerfile
index 690459875..368470692 100644
--- a/projects/fasthttp/Dockerfile
+++ b/projects/fasthttp/Dockerfile
@@ -15,7 +15,7 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/valyala/fasthttp
+RUN git clone --depth 1 https://github.com/valyala/fasthttp
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/fasthttp
diff --git a/projects/fasthttp/build.sh b/projects/fasthttp/build.sh
index 02fe85a71..59aec49a1 100755
--- a/projects/fasthttp/build.sh
+++ b/projects/fasthttp/build.sh
@@ -18,7 +18,7 @@
-ls $GOPATH/src/github.com/valyala/fasthttp/fuzzit | while read target
+ls fuzzit/ | while read target
do
compile_go_fuzzer github.com/valyala/fasthttp/fuzzit/$target Fuzz fuzz_$target gofuzz
done
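Review bot: `ls fuzzit/ | while read target` parses `ls` output, so any stray non-directory entry under fuzzit/ (or a name with whitespace) is passed to compile_go_fuzzer as a package path. A glob over directories avoids both problems and needs no external command: `for dir in fuzzit/*/; do target=$(basename "$dir"); compile_go_fuzzer github.com/valyala/fasthttp/fuzzit/$target Fuzz fuzz_$target gofuzz; done`.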
diff --git a/projects/fastjson/Dockerfile b/projects/fastjson/Dockerfile
index 7da61ee49..9c196148d 100644
--- a/projects/fastjson/Dockerfile
+++ b/projects/fastjson/Dockerfile
@@ -15,7 +15,7 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/valyala/fastjson
+RUN git clone --depth 1 https://github.com/valyala/fastjson
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/fastjson
diff --git a/projects/fastjson2/Dockerfile b/projects/fastjson2/Dockerfile
new file mode 100644
index 000000000..e8c9f4ec8
--- /dev/null
+++ b/projects/fastjson2/Dockerfile
@@ -0,0 +1,31 @@
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y maven
+
+RUN git clone --depth 1 https://github.com/google/fuzzing && \
+ cat fuzzing/dictionaries/json.dict > $SRC/JsonFuzzer.dict
+
+RUN git clone --depth 1 https://github.com/dvyukov/go-fuzz-corpus && \
+ zip -q $SRC/JsonFuzzer_seed_corpus.zip go-fuzz-corpus/json/corpus/*
+
+RUN git clone --depth 1 https://github.com/alibaba/fastjson
+
+COPY build.sh $SRC/
+COPY JsonFuzzer.java $SRC/
+WORKDIR $SRC/fastjson
diff --git a/projects/fastjson2/JsonFuzzer.java b/projects/fastjson2/JsonFuzzer.java
new file mode 100644
index 000000000..9ac5caba5
--- /dev/null
+++ b/projects/fastjson2/JsonFuzzer.java
@@ -0,0 +1,28 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.JSONException;
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+public class JsonFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ try {
+ JSON.parse(data.consumeRemainingAsString());
+ } catch (JSONException ignored) {
+ }
+ }
+}
diff --git a/projects/fastjson2/build.sh b/projects/fastjson2/build.sh
new file mode 100644
index 000000000..121c3249a
--- /dev/null
+++ b/projects/fastjson2/build.sh
@@ -0,0 +1,51 @@
+#!/bin/bash -eu
+# Copyright 2021 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Copy seed corpus and dictionary.
+mv $SRC/{*.zip,*.dict} $OUT
+
+mvn package -Dmaven.test.skip=true -Djdk.version=15
+CURRENT_VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+ -Dexpression=project.version -q -DforceStdout)
+cp "target/fastjson-$CURRENT_VERSION.jar" $OUT/fastjson.jar
+
+PROJECT_JARS="fastjson.jar"
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API.
+BUILD_CLASSPATH=$(echo $PROJECT_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $PROJECT_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ # Create an execution wrapper that executes Jazzer with the correct arguments.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
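Review bot: `for fuzzer in $(find $SRC -name '*Fuzzer.java')` walks all of $SRC, including the cloned fastjson tree, while `cp $SRC/$fuzzer_basename.class $OUT/` assumes the source sat directly in $SRC (javac without `-d` writes the class file next to its source); a matching `*Fuzzer.java` anywhere in the upstream repository would make the `cp` fail under `-eu`. Restricting the search to where the Dockerfile copies the harness, `for fuzzer in $(find $SRC -maxdepth 1 -name '*Fuzzer.java'); do`, or compiling with `javac -cp $BUILD_CLASSPATH -d $OUT $fuzzer` and dropping the `cp`, removes that assumption. `mv $SRC/{*.zip,*.dict} $OUT` likewise aborts the build if either glob has no match; the Dockerfile creates both files today, so a comment noting that dependency is enough.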
diff --git a/projects/fastjson2/project.yaml b/projects/fastjson2/project.yaml
new file mode 100644
index 000000000..3fcba92ad
--- /dev/null
+++ b/projects/fastjson2/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/alibaba/fastjson"
+language: jvm
+primary_contact: "shaojin.wensj@alibaba-inc.com"
+auto_ccs:
+ - "meumertzheim@code-intelligence.com"
+fuzzing_engines:
+ - libfuzzer
+main_repo: "https://github.com/alibaba/fastjson"
+sanitizers:
+ - address
diff --git a/projects/firefox/Dockerfile b/projects/firefox/Dockerfile
index 18543d582..1d19ca82e 100644
--- a/projects/firefox/Dockerfile
+++ b/projects/firefox/Dockerfile
@@ -19,13 +19,18 @@ RUN add-apt-repository -y ppa:ubuntu-toolchain-r/test
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
gawk \
libstdc++6 \
+ m4 \
python \
software-properties-common
+
+# This wrapper of cargo seems to interfere with our build system.
+RUN rm -f /usr/local/bin/cargo
+
RUN git clone --depth 1 https://github.com/mozilla/gecko-dev mozilla-central
RUN git clone --depth 1 https://github.com/mozillasecurity/fuzzdata
WORKDIR mozilla-central
# Install OS dependencies.
# Will be re-run in build.sh to install missing dependencies.
ENV SHELL /bin/bash
-RUN ./mach bootstrap --no-interactive --application-choice browser
+RUN ./mach --no-interactive bootstrap --application-choice browser
COPY build.sh target.c *.options mozconfig.* $SRC/
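Review bot: `RUN rm -f /usr/local/bin/cargo` deletes a wrapper that the base-builder image provides for every project (this same change adds `infra/base-images/base-builder/cargo`), but the comment above it, `# This wrapper of cargo seems to interfere with our build system.`, does not record how. Naming the failing step and error lets a later maintainer tell when the workaround can be removed, e.g. `# base-builder's cargo wrapper breaks <MACH-STEP-PLACEHOLDER> with <ERROR-PLACEHOLDER>; remove it so mach uses rustup's cargo directly.` The wrapper's behavior is not visible in this hunk, so the wording should be confirmed against it.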
diff --git a/projects/firefox/build.sh b/projects/firefox/build.sh
index a41b99bc8..8788e190e 100755
--- a/projects/firefox/build.sh
+++ b/projects/firefox/build.sh
@@ -42,9 +42,22 @@ FUZZ_TARGETS=(
export MOZ_OBJDIR=$WORK/obj-fuzz
export MOZCONFIG=$SRC/mozconfig.$SANITIZER
+# Without this, a host tool used during Rust part of the build will fail
+export ASAN_OPTIONS="detect_leaks=0"
+
# Install remaining dependencies.
export SHELL=/bin/bash
-./mach bootstrap --no-interactive --application-choice browser
+
+# Firefox might not be buildable on the latest Rust Nightly, so we should try
+# to use the same version that we use in our CI.
+RUST_NIGHTLY_VERSION=$(sed -n 's/^.*--channel.*\(nightly-[0-9-]*\).*$/\1/p' \
+ $SRC/mozilla-central/taskcluster/ci/toolchain/rust.yml
+)
+
+rustup toolchain install ${RUST_NIGHTLY_VERSION}
+rustup default ${RUST_NIGHTLY_VERSION}-x86_64-unknown-linux-gnu
+
+./mach --no-interactive bootstrap --application-choice browser
# Skip patches for now
rm tools/fuzzing/libfuzzer/patches/*.patch
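Review bot: `RUST_NIGHTLY_VERSION=$(sed -n 's/^.*--channel.*\(nightly-[0-9-]*\).*$/\1/p' ...)` has no guard: if rust.yml stops matching, the variable is empty and `rustup toolchain install ${RUST_NIGHTLY_VERSION}` fails with an argument error that does not point at the cause, and if the pattern matches several lines the variable holds several versions and `rustup default` receives a malformed toolchain name. Adding `: "${RUST_NIGHTLY_VERSION:?could not extract nightly version from taskcluster/ci/toolchain/rust.yml}"` after the assignment and piping the sed output through `head -n1` makes both failure modes explicit. `export ASAN_OPTIONS="detect_leaks=0"` also stays in effect for the rest of build.sh, not only for the host tool the comment names; if that is intended the comment should say so.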
diff --git a/projects/firefox/mozconfig.address b/projects/firefox/mozconfig.address
index c9eb33d0b..0bc2c36c4 100644
--- a/projects/firefox/mozconfig.address
+++ b/projects/firefox/mozconfig.address
@@ -1,4 +1,7 @@
. $SRC/mozconfig.coverage
ac_add_options --enable-address-sanitizer
-mk_add_options CFLAGS= CXXFLAGS=
+
+# Don't use standard CFLAGS/CXXFLAGS provided by oss-fuzz
+export CFLAGS=""
+export CXXFLAGS=""
diff --git a/projects/fluent-bit/project.yaml b/projects/fluent-bit/project.yaml
index f68179d25..aca7cccc6 100755
--- a/projects/fluent-bit/project.yaml
+++ b/projects/fluent-bit/project.yaml
@@ -1,9 +1,6 @@
homepage: "https://github.com/fluent/fluent-bit"
primary_contact: "edsiper@gmail.com"
language: c++
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
auto_ccs:
- "david@adalogics.com"
- "wppttt@amazon.com"
diff --git a/projects/freeimage/Dockerfile b/projects/freeimage/Dockerfile
index 86ab661ac..3133e71a3 100644
--- a/projects/freeimage/Dockerfile
+++ b/projects/freeimage/Dockerfile
@@ -16,10 +16,7 @@
FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get update && apt-get install -y make autoconf automake libtool wget
-# This downloads the latest version at the time of writing. There does not
-# appear to be a head version of FreeImage.
-RUN wget https://downloads.sourceforge.net/freeimage/FreeImage3180.zip
-RUN unzip FreeImage3180.zip
-WORKDIR $SRC
+RUN svn checkout https://svn.code.sf.net/p/freeimage/svn/ freeimage-svn
+WORKDIR $SRC/freeimage-svn/FreeImage/trunk/
COPY build.sh $SRC/
COPY load_from_memory_fuzzer.cc $SRC/
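Review bot: `RUN svn checkout https://svn.code.sf.net/p/freeimage/svn/ freeimage-svn` checks out the repository root, while `WORKDIR $SRC/freeimage-svn/FreeImage/trunk/` uses only trunk; checking out the trunk URL directly (`RUN svn checkout https://svn.code.sf.net/p/freeimage/svn/FreeImage/trunk freeimage-svn` with `WORKDIR $SRC/freeimage-svn`) avoids pulling every branch and tag into the image, assuming the layout the WORKDIR implies. With the `wget`/`unzip` lines removed, `wget` in the `apt-get install` line is no longer used by anything visible here and can be dropped unless build.sh still needs it.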
diff --git a/projects/freeimage/build.sh b/projects/freeimage/build.sh
index a418bd0a3..707440eb2 100755
--- a/projects/freeimage/build.sh
+++ b/projects/freeimage/build.sh
@@ -15,15 +15,13 @@
#
################################################################################
-pushd FreeImage
-
# b44ExpLogTable.cpp only contains a definition of main().
sed -i 's/Source\/OpenEXR\/IlmImf\/b44ExpLogTable.cpp//' Makefile.srcs
make LIBRARIES=-lc++ -j$(nproc)
-popd
+INSTALL_DIR="$PWD/Dist"
-INSTALL_DIR=$SRC/FreeImage/Dist
+cd $SRC
$CXX $CXXFLAGS -I${INSTALL_DIR}/ $LIB_FUZZING_ENGINE \
load_from_memory_fuzzer.cc ${INSTALL_DIR}/libfreeimage.a \
diff --git a/projects/ghostscript/Dockerfile b/projects/ghostscript/Dockerfile
index 942d8c347..c21bb87d3 100644
--- a/projects/ghostscript/Dockerfile
+++ b/projects/ghostscript/Dockerfile
@@ -20,8 +20,9 @@ RUN apt-get update && apt-get install -y autoconf zlibc libtool liblcms2-dev lib
RUN git clone --branch branch-2.2 --single-branch --depth 1 https://github.com/apple/cups.git cups
RUN git clone --branch VER-2-10-1 --single-branch --depth 1 https://git.savannah.gnu.org/git/freetype/freetype2.git freetype
RUN git clone --single-branch --depth 1 git://git.ghostscript.com/ghostpdl.git ghostpdl
-
RUN mkdir ghostpdl/fuzz
-COPY gstoraster_fuzzer.cc ghostpdl/fuzz
+WORKDIR ghostpdl
+
+COPY gstoraster_fuzzer.cc $SRC/
COPY build.sh $SRC/
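Review bot: `RUN mkdir ghostpdl/fuzz` is left over from the removed `COPY gstoraster_fuzzer.cc ghostpdl/fuzz`; the harness now lives in `$SRC/` and build.sh compiles `$SRC/gstoraster_fuzzer.cc`, so the empty directory serves no purpose and the line can go. The context line `RUN git clone --single-branch --depth 1 git://git.ghostscript.com/ghostpdl.git ghostpdl` fetches the source over the unauthenticated git:// protocol; the graphicsmagick Dockerfile in this same change uses `https://git.ghostscript.com/ghostpdl.git`, and this one should as well so the build input arrives over an authenticated transport.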
diff --git a/projects/ghostscript/build.sh b/projects/ghostscript/build.sh
index 07ae5ee70..b74772f13 100755
--- a/projects/ghostscript/build.sh
+++ b/projects/ghostscript/build.sh
@@ -16,7 +16,7 @@
################################################################################
# Build CUPS
-pushd cups
+pushd $SRC/cups
# Fix bad line
sed -i '2110s/\(\s\)f->value/\1(int)f->value/' cups/ppd-cache.c
@@ -29,13 +29,12 @@ make -C filter libs install-libs
install -m755 cups-config "$WORK"/cups-config
popd
-cd ghostpdl
rm -rf cups/libs || die
rm -rf freetype || die
rm -rf libpng || die
rm -rf zlib || die
-mv ../freetype freetype
+mv $SRC/freetype freetype
CUPSCONFIG="$WORK/cups-config"
CUPS_CFLAGS=$($CUPSCONFIG --cflags)
@@ -51,7 +50,7 @@ CPPFLAGS="${CPPFLAGS:-} $CUPS_CFLAGS -DPACIFY_VALGRIND" ./autogen.sh \
make -j$(nproc) libgs
$CXX $CXXFLAGS $CUPS_LDFLAGS -std=c++11 -I. \
- fuzz/gstoraster_fuzzer.cc \
+ $SRC/gstoraster_fuzzer.cc \
-o "$OUT/gstoraster_fuzzer" \
-Wl,-rpath='$ORIGIN' \
$CUPS_LIBS \
diff --git a/projects/ghostscript/gstoraster_fuzzer.cc b/projects/ghostscript/gstoraster_fuzzer.cc
index 412352c32..897e99a66 100644
--- a/projects/ghostscript/gstoraster_fuzzer.cc
+++ b/projects/ghostscript/gstoraster_fuzzer.cc
@@ -42,7 +42,7 @@ static int gs_stdin(void *inst, char *buf, int len)
return to_copy;
}
-static int gs_stdout(void *inst, const char *buf, int len)
+static int gs_stdnull(void *inst, const char *buf, int len)
{
/* Just discard everything. */
return len;
@@ -69,7 +69,7 @@ static int gs_to_raster_fuzz(const unsigned char *buf, size_t size)
"-dBATCH",
"-dNOINTERPOLATE",
"-dNOMEDIAATTRS",
- "-sstdout=%stderr",
+ "-sstdout=%%stderr",
"-sOutputFile=/dev/null",
"-sDEVICE=cups",
"-_",
@@ -86,7 +86,7 @@ static int gs_to_raster_fuzz(const unsigned char *buf, size_t size)
return ret;
}
- gsapi_set_stdio(gs, gs_stdin, gs_stdout, NULL /* stderr */);
+ gsapi_set_stdio(gs, gs_stdin, gs_stdnull, gs_stdnull);
ret = gsapi_set_arg_encoding(gs, GS_ARG_ENCODING_UTF8);
if (ret < 0) {
fprintf(stderr, "gsapi_set_arg_encoding: error %d\n", ret);
diff --git a/projects/git/build.sh b/projects/git/build.sh
index 0a39a9719..8770a831c 100755
--- a/projects/git/build.sh
+++ b/projects/git/build.sh
@@ -34,7 +34,7 @@ done
zip -j $OUT/fuzz-pack-headers_seed_corpus.zip .git/objects/pack/*.pack.trimmed
# build commit-graph corpus
-./git commit-graph write
+ASAN_OPTIONS=detect_leaks=0 ./git commit-graph write
zip -j $OUT/fuzz-commit-graph_seed_corpus .git/objects/info/commit-graph
# Mute stderr
diff --git a/projects/gitea/Dockerfile b/projects/gitea/Dockerfile
index 91f9464de..940312337 100644
--- a/projects/gitea/Dockerfile
+++ b/projects/gitea/Dockerfile
@@ -17,4 +17,4 @@
FROM gcr.io/oss-fuzz-base/base-builder
RUN git clone https://github.com/go-gitea/gitea
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/gitea
diff --git a/projects/gitea/build.sh b/projects/gitea/build.sh
index 4110a4d66..a031afb4c 100644
--- a/projects/gitea/build.sh
+++ b/projects/gitea/build.sh
@@ -15,9 +15,5 @@
#
################################################################################
-mkdir $GOPATH/src/code.gitea.io
-mv $SRC/gitea $GOPATH/src/code.gitea.io/
-cd $GOPATH/src/code.gitea.io/gitea && go get ./...
-
compile_go_fuzzer code.gitea.io/gitea/tools FuzzMarkdownRenderRaw fuzz_markdown_render_raw gofuzz
compile_go_fuzzer code.gitea.io/gitea/tools FuzzMarkupPostProcess fuzz_markup_post_process gofuzz
diff --git a/projects/gitea/project.yaml b/projects/gitea/project.yaml
index 183460bb0..8fcd31f7f 100644
--- a/projects/gitea/project.yaml
+++ b/projects/gitea/project.yaml
@@ -1,7 +1,14 @@
homepage: "https://github.com/go-gitea/gitea"
-primary_contact: "admin@gitea.io"
+primary_contact: "security@gitea.io"
auto_ccs :
- "adam@adalogics.com"
+ - "xiaolunwen@gmail.com"
+ - "lauris@nix.lv"
+ - "techknowlogick@gitea.io"
+ - "sapk@sapk.fr"
+ - "zeripath@gmail.com"
+ - "john.olheiser@gmail.com"
+ - "6543@obermui.de"
language: go
fuzzing_engines:
- libfuzzer
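Review bot: The key `auto_ccs :` carries a space before the colon; YAML strips it and the key still parses as `auto_ccs`, but yamllint's `colons` rule flags it and every other project.yaml in this change writes `auto_ccs:`. Since the hunk already edits this list, the key line is a natural drive-by fix: `auto_ccs:`.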
diff --git a/projects/go-json-iterator/Dockerfile b/projects/go-json-iterator/Dockerfile
index 3d6a90c56..5d4cf02f3 100644
--- a/projects/go-json-iterator/Dockerfile
+++ b/projects/go-json-iterator/Dockerfile
@@ -15,7 +15,8 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/json-iterator/go
+RUN git clone https://github.com/json-iterator/go json-iterator
-COPY fuzz_json.go $GOPATH/src/github.com/json-iterator/go/
+COPY fuzz_json.go $SRC/json-iterator/
COPY build.sh $SRC/
+WORKDIR $SRC/json-iterator/
diff --git a/projects/go-redis/Dockerfile b/projects/go-redis/Dockerfile
index 3bdaf63ad..b0ad17734 100644
--- a/projects/go-redis/Dockerfile
+++ b/projects/go-redis/Dockerfile
@@ -15,7 +15,7 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/go-redis/redis
+RUN git clone https://github.com/go-redis/redis redis
COPY build.sh $SRC/
-WORKDIR $SRC
+WORKDIR $SRC/redis
diff --git a/projects/go-redis/build.sh b/projects/go-redis/build.sh
index b130c457e..e297cd37c 100644
--- a/projects/go-redis/build.sh
+++ b/projects/go-redis/build.sh
@@ -12,5 +12,6 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
-compile_go_fuzzer github.com/go-redis/redis/fuzz Fuzz fuzz gofuzz
+
+#github.com/go-redis/redis/fuzz is not a module, so needs local build
+compile_go_fuzzer ./fuzz Fuzz fuzz gofuzz
diff --git a/projects/go-sftp/Dockerfile b/projects/go-sftp/Dockerfile
new file mode 100644
index 000000000..0269d8ee4
--- /dev/null
+++ b/projects/go-sftp/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/pkg/sftp
+
+COPY build.sh $SRC/
+WORKDIR $SRC/sftp
diff --git a/projects/go-sftp/build.sh b/projects/go-sftp/build.sh
new file mode 100755
index 000000000..0e8460fc8
--- /dev/null
+++ b/projects/go-sftp/build.sh
@@ -0,0 +1,18 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+compile_go_fuzzer . Fuzz fuzz_sftp
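Review bot: `compile_go_fuzzer . Fuzz fuzz_sftp` omits the build tag that the other Go targets in this change pass as the fourth argument (`gofuzz` in go-snappy, fasthttp, gitea and go-redis). If upstream's `Fuzz` function sits in a file guarded by `// +build gofuzz`, as go-snappy's fuzz.go does, the package is compiled without that file and the entry point is not found; `compile_go_fuzzer . Fuzz fuzz_sftp gofuzz` covers that case, and if the function is unguarded a short comment saying so would explain the omission.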
diff --git a/projects/go-sftp/project.yaml b/projects/go-sftp/project.yaml
new file mode 100644
index 000000000..5f0d4e9e4
--- /dev/null
+++ b/projects/go-sftp/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/pkg/sftp"
+primary_contact: "nicola.murino@gmail.com"
+auto_ccs:
+ - "p.antoine@catenacyber.fr"
+language: go
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+main_repo: 'https://github.com/pkg/sftp'
diff --git a/projects/go-snappy/Dockerfile b/projects/go-snappy/Dockerfile
new file mode 100644
index 000000000..d6d08afd0
--- /dev/null
+++ b/projects/go-snappy/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/golang/snappy
+
+COPY build.sh $SRC/
+COPY fuzz.go $SRC/snappy
+WORKDIR $SRC/snappy
diff --git a/projects/go-snappy/build.sh b/projects/go-snappy/build.sh
new file mode 100755
index 000000000..805eefb7a
--- /dev/null
+++ b/projects/go-snappy/build.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+compile_go_fuzzer . FuzzRoundTrip fuzz_roundtrip gofuzz
+compile_go_fuzzer . FuzzDecode fuzz_decode gofuzz
diff --git a/projects/go-snappy/fuzz.go b/projects/go-snappy/fuzz.go
new file mode 100644
index 000000000..6722fd02d
--- /dev/null
+++ b/projects/go-snappy/fuzz.go
@@ -0,0 +1,33 @@
+// +build gofuzz
+
+package snappy
+
+import (
+ "bytes"
+)
+
+func FuzzRoundTrip(data []byte) int {
+ if len(data) > 1234567 {
+ return 0
+ }
+ encoded := Encode(nil, data)
+ decoded, err := Decode(nil, encoded)
+ if err != nil {
+ panic("Error decoding snappy-encoded")
+ }
+ if !bytes.Equal(data, decoded) {
+ panic("Different result on roundtrip encode/decode")
+ }
+ return 1
+}
+
+func FuzzDecode(data []byte) int {
+ if n, _ := DecodedLen(data); n > 1234567 {
+ return 0
+ }
+ _, err := Decode(nil, data)
+ if err != nil {
+ return 0
+ }
+ return 1
+}
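Review bot: In `FuzzRoundTrip`, `panic("Error decoding snappy-encoded")` discards `err`, so a crash report shows only the fixed string; `panic("Error decoding snappy-encoded: " + err.Error())` keeps the decoder's message without a new import. The bound `1234567` appears twice (the `len(data)` check in FuzzRoundTrip and the `DecodedLen` check in FuzzDecode); a named constant such as `const maxFuzzInput = 1234567` documents what the limit is for and keeps the two in step.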
diff --git a/projects/go-snappy/project.yaml b/projects/go-snappy/project.yaml
new file mode 100644
index 000000000..8a732ccb3
--- /dev/null
+++ b/projects/go-snappy/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/golang/snappy"
+primary_contact: "nigeltao@golang.org"
+auto_ccs:
+ - "p.antoine@catenacyber.fr"
+language: go
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+main_repo: 'https://github.com/golang/snappy'
diff --git a/projects/go-sqlite3/Dockerfile b/projects/go-sqlite3/Dockerfile
index e948b558b..f1b10e165 100644
--- a/projects/go-sqlite3/Dockerfile
+++ b/projects/go-sqlite3/Dockerfile
@@ -15,9 +15,7 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-# TODO use upstream repo
-# RUN go get -t github.com/mattn/go-sqlite3
-RUN git clone --branch fuzz --depth 1 http://github.com/catenacyber/go-sqlite3 $GOPATH/src/github.com/mattn/go-sqlite3
+RUN git clone --depth 1 http://github.com/mattn/go-sqlite3 $GOPATH/src/github.com/mattn/go-sqlite3
-COPY build.sh fuzz*.go $SRC/
+COPY build.sh $SRC/
WORKDIR $SRC/
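Review bot: `RUN git clone --depth 1 http://github.com/mattn/go-sqlite3 $GOPATH/src/github.com/mattn/go-sqlite3` fetches the source over plain HTTP; GitHub redirects to HTTPS, but the initial request and the redirect are unauthenticated, so the build's source input can be altered on the network. Every other clone in this change uses `https://`; this line should be `RUN git clone --depth 1 https://github.com/mattn/go-sqlite3 $GOPATH/src/github.com/mattn/go-sqlite3`.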
diff --git a/projects/golang/project.yaml b/projects/golang/project.yaml
index e665a71f5..ed1e86329 100644
--- a/projects/golang/project.yaml
+++ b/projects/golang/project.yaml
@@ -3,6 +3,7 @@ primary_contact: "golang-fuzz@googlegroups.com"
auto_ccs:
- "mmoroz@chromium.org"
- "josharian@gmail.com"
+ - "emmanuel@orijtech.com"
language: go
sanitizers:
- address
diff --git a/projects/gpac/Dockerfile b/projects/gpac/Dockerfile
new file mode 100755
index 000000000..cf7fc8043
--- /dev/null
+++ b/projects/gpac/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y build-essential pkg-config libz-dev
+RUN git clone https://github.com/gpac/gpac
+
+WORKDIR $SRC
+COPY build.sh $SRC/
+COPY fuzz_parse.c $SRC/
diff --git a/projects/gpac/build.sh b/projects/gpac/build.sh
new file mode 100755
index 000000000..904f5f234
--- /dev/null
+++ b/projects/gpac/build.sh
@@ -0,0 +1,25 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd gpac
+./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
+make
+cp $SRC/fuzz_parse.c .
+
+$CC $CFLAGS $LIB_FUZZING_ENGINE fuzz_parse.c -o $OUT/fuzz_parse \
+ -I./include -I./ ./bin/gcc/libgpac_static.a \
+ -lm -lz -lpthread -DGPAC_HAVE_CONFIG_H
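Review bot: The final link `$CC $CFLAGS $LIB_FUZZING_ENGINE fuzz_parse.c -o $OUT/fuzz_parse ...` uses the C compiler; for engines where `$LIB_FUZZING_ENGINE` is a C++ static archive (the AFL and honggfuzz drivers) linking with `$CC` can fail on unresolved C++ runtime symbols, and the usual OSS-Fuzz practice is to link fuzz targets with `$CXX` even in C projects. Compiling and linking separately keeps the source as C: `$CC $CFLAGS -I./include -I./ -DGPAC_HAVE_CONFIG_H -c fuzz_parse.c -o fuzz_parse.o` then `$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_parse.o -o $OUT/fuzz_parse ./bin/gcc/libgpac_static.a -lm -lz -lpthread`. `--extra-ldflags="${CFLAGS}"` passes compile flags as link flags, which sanitizer builds need here but deserves a one-line comment, and `make` without `-j$(nproc)` is slower than the other build scripts in this change.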
diff --git a/projects/gpac/fuzz_parse.c b/projects/gpac/fuzz_parse.c
new file mode 100644
index 000000000..b7c9ac9a6
--- /dev/null
+++ b/projects/gpac/fuzz_parse.c
@@ -0,0 +1,36 @@
+/* Copyright 2021 Google LLC
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+#include <stdio.h>
+#include <unistd.h>
+
+#include <gpac/internal/isomedia_dev.h>
+#include <gpac/constants.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char filename[256];
+ sprintf(filename, "/tmp/libfuzzer.%d", getpid());
+
+ FILE *fp = fopen(filename, "wb");
+ if (!fp) {
+ return 0;
+ }
+ fwrite(data, size, 1, fp);
+ fclose(fp);
+
+ GF_ISOFile *movie = NULL;
+ movie = gf_isom_open_file(filename, GF_ISOM_OPEN_READ_DUMP, NULL);
+ if (movie != NULL) {
+ gf_isom_close(movie);
+ }
+ unlink(filename);
+ return 0;
+}
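Review bot: `fwrite(data, size, 1, fp)` ignores its return value, so a short write (for example a full /tmp) silently hands `gf_isom_open_file` a truncated file and makes any resulting crash unreproducible; `if (fwrite(data, 1, size, fp) != size) { fclose(fp); unlink(filename); return 0; }` keeps the harness honest. `sprintf(filename, "/tmp/libfuzzer.%d", getpid())` cannot overflow the 256-byte buffer, but the bounded `snprintf(filename, sizeof(filename), "/tmp/libfuzzer.%d", getpid());` is the expected idiom and costs nothing. `uint8_t` and `size_t` are used without `#include <stdint.h>`; they presumably arrive through the gpac headers, but including it directly avoids depending on that. `GF_ISOFile *movie = NULL;` immediately followed by the assignment can be collapsed into one declaration.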
diff --git a/projects/gpac/project.yaml b/projects/gpac/project.yaml
new file mode 100755
index 000000000..1229d1260
--- /dev/null
+++ b/projects/gpac/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://gpac.wp.imt.fr/"
+main_repo: "https://github.com/gpac/gpac"
+primary_contact: "project.gpac@gmail.com"
+language: c
+auto_ccs:
+ - "david@adalogics.com"
diff --git a/projects/graphicsmagick/Dockerfile b/projects/graphicsmagick/Dockerfile
index 29f49fd68..97f3a561d 100644
--- a/projects/graphicsmagick/Dockerfile
+++ b/projects/graphicsmagick/Dockerfile
@@ -16,9 +16,9 @@
FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get update && apt-get install -y mercurial automake autopoint cmake libtool nasm pkg-config po4a
-RUN hg clone --time -b default http://hg.code.sf.net/p/graphicsmagick/code graphicsmagick || \
- hg clone --time -b default http://hg.code.sf.net/p/graphicsmagick/code graphicsmagick || \
- hg clone --time -b default http://hg.code.sf.net/p/graphicsmagick/code graphicsmagick
+RUN hg clone --time -b default https://hg.osdn.net/view/graphicsmagick/GM graphicsmagick || \
+ hg clone --time -b default https://hg.osdn.net/view/graphicsmagick/GM graphicsmagick || \
+ hg clone --time -b default https://hg.osdn.net/view/graphicsmagick/GM graphicsmagick
RUN git clone --depth 1 https://gitlab.com/libtiff/libtiff
RUN git clone --depth 1 https://github.com/webmproject/libwebp
@@ -31,6 +31,8 @@ RUN git clone --depth 1 https://github.com/pnggroup/libpng
RUN git clone --depth 1 https://github.com/mm2/Little-CMS
RUN git clone https://git.ghostscript.com/ghostpdl.git
RUN git clone --depth 1 https://gitlab.com/federicomenaquintero/bzip2.git
+RUN git clone --depth 1 https://github.com/jasper-software/jasper
+RUN git clone --depth 1 https://gitlab.gnome.org/GNOME/libxml2.git
WORKDIR graphicsmagick
COPY build.sh $SRC/
diff --git a/projects/grok/Dockerfile b/projects/grok/Dockerfile
index c8ea8f838..9551e85a3 100644
--- a/projects/grok/Dockerfile
+++ b/projects/grok/Dockerfile
@@ -15,9 +15,8 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN apt-get update && apt-get install -y wget
RUN git clone --depth 1 https://github.com/GrokImageCompression/grok.git grok
-RUN git clone --depth 1 https://github.com/GrokImageCompression/grok-test-data.git grok/data
+RUN git clone --depth 1 https://github.com/GrokImageCompression/grok-test-data.git grok-data
WORKDIR grok
COPY build.sh $SRC/
diff --git a/projects/grpc-gateway/Dockerfile b/projects/grpc-gateway/Dockerfile
index 51997231a..9a7cad2f3 100644
--- a/projects/grpc-gateway/Dockerfile
+++ b/projects/grpc-gateway/Dockerfile
@@ -18,4 +18,4 @@ FROM gcr.io/oss-fuzz-base/base-builder
ENV GO111MODULE on
RUN git clone https://github.com/grpc-ecosystem/grpc-gateway
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/grpc-gateway
diff --git a/projects/grpc-gateway/build.sh b/projects/grpc-gateway/build.sh
index 386002444..19c4ac5f6 100755
--- a/projects/grpc-gateway/build.sh
+++ b/projects/grpc-gateway/build.sh
@@ -15,13 +15,10 @@
#
################################################################################
-mkdir $GOPATH/src/github.com/grpc-ecosystem
-mv $SRC/grpc-gateway $GOPATH/src/github.com/grpc-ecosystem/
-cd $GOPATH/src/github.com/grpc-ecosystem/grpc-gateway && go get ./...
-
if [ "$SANITIZER" = "coverage" ]
then
- compile_go_fuzzer github.com/grpc-ecosystem/grpc-gateway/internal/httprule Fuzz fuzz gofuzz
+ go get github.com/grpc-ecosystem/grpc-gateway/...
+ compile_go_fuzzer github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule Fuzz fuzz gofuzz
else
compile_go_fuzzer github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule Fuzz fuzz gofuzz
fi
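Review bot: Both branches of the `if` now run the identical `compile_go_fuzzer github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule Fuzz fuzz gofuzz`, so only the `go get` is actually conditional; collapse it to `if [ "$SANITIZER" = "coverage" ]; then go get github.com/grpc-ecosystem/grpc-gateway/...; fi` followed by the single compile line. The `go get` path also lacks the `/v2` suffix that the compile line uses, so it may resolve a different module than the checked-out one; worth confirming against a coverage build.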
diff --git a/projects/grpc/Dockerfile b/projects/grpc/Dockerfile
index 69f44b2f0..6d2a31074 100644
--- a/projects/grpc/Dockerfile
+++ b/projects/grpc/Dockerfile
@@ -14,9 +14,7 @@
#
################################################################################
-# TODO(https://github.com/google/oss-fuzz/issues/3093): Stop specifying the
-# image SHA once the bug is fixed.
-FROM gcr.io/oss-fuzz-base/base-builder@sha256:276813aef0ce5972db43c0230f96162003994fa742fb1b2f4e66c67498575c65
+FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get update && apt-get install -y software-properties-common python-software-properties
RUN add-apt-repository ppa:webupd8team/java
@@ -27,7 +25,8 @@ RUN apt-get update && apt-get -y install \
make \
curl \
autoconf \
- libtool
+ libtool \
+ rsync
# Install dependencies
diff --git a/projects/grpc/build.sh b/projects/grpc/build.sh
index 85831535a..fc82bac30 100755
--- a/projects/grpc/build.sh
+++ b/projects/grpc/build.sh
@@ -24,7 +24,7 @@ readonly FUZZER_DICTIONARIES=(
readonly FUZZER_TARGETS=(
test/core/json:json_fuzzer
- test/core/client_channel:uri_fuzzer_test
+ test/core/uri:uri_fuzzer_test
test/core/http:request_fuzzer
test/core/http:response_fuzzer
test/core/nanopb:fuzzer_response
@@ -129,7 +129,7 @@ cp ${SRC}/grpc/tools/fuzzer/options/*.options "${OUT}/"
# We don't have a consistent naming convention between fuzzer files and corpus
# directories so we resort to hard coding zipping corpuses
zip "${OUT}/json_fuzzer_seed_corpus.zip" test/core/json/corpus/*
-zip "${OUT}/uri_fuzzer_test_seed_corpus.zip" test/core/client_channel/uri_corpus/*
+zip "${OUT}/uri_fuzzer_test_seed_corpus.zip" test/core/uri/uri_corpus/*
zip "${OUT}/request_fuzzer_seed_corpus.zip" test/core/http/request_corpus/*
zip "${OUT}/response_fuzzer_seed_corpus.zip" test/core/http/response_corpus/*
zip "${OUT}/fuzzer_response_seed_corpus.zip" test/core/nanopb/corpus_response/*
diff --git a/projects/hiredis/Dockerfile b/projects/hiredis/Dockerfile
index 616330f49..3f96259eb 100644
--- a/projects/hiredis/Dockerfile
+++ b/projects/hiredis/Dockerfile
@@ -1,4 +1,4 @@
-# Copyright 2018 Google Inc.
+# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/projects/hiredis/build.sh b/projects/hiredis/build.sh
index 9159e8d18..72888bedc 100755
--- a/projects/hiredis/build.sh
+++ b/projects/hiredis/build.sh
@@ -1,5 +1,5 @@
#!/bin/bash -eu
-# Copyright 2020 Google Inc.
+# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
diff --git a/projects/hiredis/project.yaml b/projects/hiredis/project.yaml
index 9264b769a..b863fe848 100755
--- a/projects/hiredis/project.yaml
+++ b/projects/hiredis/project.yaml
@@ -1,9 +1,6 @@
homepage: "https://github.com/redis/hiredis"
primary_contact: "michael.grunder@gmail.com"
language: c
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
auto_ccs:
- "Adam@adalogics.com"
main_repo: "https://github.com/redis/hiredis"
diff --git a/projects/httparse/Dockerfile b/projects/httparse/Dockerfile
new file mode 100644
index 000000000..cffcc9f12
--- /dev/null
+++ b/projects/httparse/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN git clone https://github.com/seanmonstar/httparse
+WORKDIR $SRC
+
+COPY build.sh $SRC/
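Review bot: `git clone https://github.com/seanmonstar/httparse` fetches full history, whereas the other new Dockerfiles in this commit that do not need history use `--depth 1` (jackson-core, jackson-dataformats-binary, graphicsmagick); `RUN git clone --depth 1 https://github.com/seanmonstar/httparse` keeps the image build smaller. The same applies to the image-png and imageio Dockerfiles.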
diff --git a/projects/httparse/build.sh b/projects/httparse/build.sh
new file mode 100755
index 000000000..c4fdec2ed
--- /dev/null
+++ b/projects/httparse/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC/httparse
+cargo fuzz build -O
+cp fuzz/target/x86_64-unknown-linux-gnu/release/parse_request $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/parse_headers $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/parse_chunk_size $OUT/
diff --git a/projects/httparse/project.yaml b/projects/httparse/project.yaml
new file mode 100644
index 000000000..43bfec406
--- /dev/null
+++ b/projects/httparse/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/seanmonstar/httparse"
+main_repo: "https://github.com/seanmonstar/httparse"
+primary_contact: "seanmonstar@gmail.com"
+sanitizers:
+ - address
+fuzzing_engines:
+ - libfuzzer
+language: rust
+auto_ccs:
+ - "david@adalogics.com"
diff --git a/projects/hugo/Dockerfile b/projects/hugo/Dockerfile
index d78e24964..bfba1a283 100644
--- a/projects/hugo/Dockerfile
+++ b/projects/hugo/Dockerfile
@@ -16,7 +16,6 @@
FROM gcr.io/oss-fuzz-base/base-builder
-ENV GO111MODULE on
RUN git clone https://github.com/gohugoio/hugo
-COPY build.sh $SRC/
-WORKDIR $SRC/
+COPY build.sh fuzz.go $SRC/
+WORKDIR $SRC/hugo
diff --git a/projects/hugo/build.sh b/projects/hugo/build.sh
index 23f6c8173..c1950ca1e 100755
--- a/projects/hugo/build.sh
+++ b/projects/hugo/build.sh
@@ -15,8 +15,6 @@
#
################################################################################
-mkdir $GOPATH/src/github.com/gohugoio
-mv $SRC/hugo $GOPATH/src/github.com/gohugoio/
-cd $GOPATH/src/github.com/gohugoio/hugo
+mv $SRC/fuzz.go $SRC/hugo/tpl/transform/
compile_go_fuzzer github.com/gohugoio/hugo/tpl/transform FuzzMarkdownify fuzzmarkdownify
diff --git a/projects/hugo/fuzz.go b/projects/hugo/fuzz.go
new file mode 100644
index 000000000..7a22e6d50
--- /dev/null
+++ b/projects/hugo/fuzz.go
@@ -0,0 +1,61 @@
+// +build gofuzz
+
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package transform
+
+import (
+ "github.com/gohugoio/hugo/common/loggers"
+ "github.com/gohugoio/hugo/config"
+ "github.com/gohugoio/hugo/deps"
+ "github.com/gohugoio/hugo/helpers"
+ "github.com/gohugoio/hugo/hugofs"
+ "github.com/gohugoio/hugo/langs"
+ "github.com/spf13/afero"
+ "github.com/spf13/viper"
+)
+
+func newFuzzDeps(cfg config.Provider) *deps.Deps {
+ cfg.Set("contentDir", "content")
+ cfg.Set("i18nDir", "i18n")
+
+ l := langs.NewLanguage("en", cfg)
+
+ cs, _ := helpers.NewContentSpec(l, loggers.NewErrorLogger(), afero.NewMemMapFs())
+
+ return &deps.Deps{
+ Cfg: cfg,
+ Fs: hugofs.NewMem(l),
+ ContentSpec: cs,
+ }
+}
+
+func FuzzMarkdownify(data []byte) int {
+ v := viper.New()
+ v.Set("contentDir", "content")
+ ns := New(newFuzzDeps(v))
+
+ for _, test := range []struct {
+ s interface{}
+ }{
+ {string(data)},
+ } {
+ _, err := ns.Markdownify(test.s)
+ if err != nil {
+ return 0
+ }
+ }
+ return 1
+}
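Review bot: The error from `helpers.NewContentSpec` in `newFuzzDeps` is discarded, so a setup failure would surface later as a nil `ContentSpec` inside `Markdownify` and be reported as a finding against the target rather than the harness; check it, e.g. `cs, err := helpers.NewContentSpec(l, loggers.NewErrorLogger(), afero.NewMemMapFs()); if err != nil { panic(err) }`. In `FuzzMarkdownify` the `for` over a one-element anonymous-struct slice wraps a single call and can be replaced by a direct call, shown below. Building a fresh `viper` config and `deps.Deps` on every input is also likely costly per iteration; if `New` is safe to reuse, constructing `ns` once at package level would help throughput, but that depends on hugo internals not visible here.

```go
func FuzzMarkdownify(data []byte) int {
	v := viper.New()
	v.Set("contentDir", "content")
	ns := New(newFuzzDeps(v))

	if _, err := ns.Markdownify(string(data)); err != nil {
		return 0
	}
	return 1
}
```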
diff --git a/projects/ibmswtpm2/no_writes.patch b/projects/ibmswtpm2/no_writes.patch
index a9be0dccf..ca8d7c699 100644
--- a/projects/ibmswtpm2/no_writes.patch
+++ b/projects/ibmswtpm2/no_writes.patch
@@ -84,12 +84,10 @@ diff --git a/makefile b/makefile
index cc3e410..c10ba5a 100644
--- a/makefile
+++ b/makefile
-@@ -40,16 +40,19 @@
+@@ -40,16 +40,16 @@
- CC = /usr/bin/gcc
-+CC = clang
-+CXX = clang++
+-CC = /usr/bin/gcc
-CCFLAGS = -Wall \
+CCFLAGS = $(CFLAGS) -Wall \
diff --git a/projects/image-png/Dockerfile b/projects/image-png/Dockerfile
new file mode 100644
index 000000000..cb953de6d
--- /dev/null
+++ b/projects/image-png/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make autoconf automake libtool curl cmake python llvm-dev libclang-dev clang
+
+RUN git clone https://github.com/image-rs/image-png
+WORKDIR $SRC
+
+COPY build.sh $SRC/
+COPY buf_independent.rs $SRC/image-png/fuzz/fuzz_targets/buf_independent.rs
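Review bot: `COPY buf_independent.rs $SRC/image-png/fuzz/fuzz_targets/buf_independent.rs` drops a target into the upstream fuzz crate, but `cargo fuzz build` only builds targets declared as `[[bin]]` entries in `fuzz/Cargo.toml`; if upstream does not already declare `buf_independent`, the later `cp .../release/buf_independent` in build.sh fails. Presumably upstream already lists a target of that name and the COPY just replaces its source, so a comment stating that assumption would help, e.g. `# Replaces the upstream fuzz target of the same name; fuzz/Cargo.toml already declares it.`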
diff --git a/projects/image-png/buf_independent.rs b/projects/image-png/buf_independent.rs
new file mode 100644
index 000000000..f4a1f312c
--- /dev/null
+++ b/projects/image-png/buf_independent.rs
@@ -0,0 +1,74 @@
+#![no_main]
+extern crate libfuzzer_sys;
+use libfuzzer_sys::fuzz_target;
+extern crate png;
+
+use std::io::{BufRead, Read, Result};
+
+/// A reader that reads at most `n` bytes.
+struct SmalBuf<R: BufRead> {
+ inner: R,
+ cap: usize,
+}
+
+impl<R: BufRead> SmalBuf<R> {
+ fn new(inner: R, cap: usize) -> Self {
+ SmalBuf { inner, cap }
+ }
+}
+
+impl<R: BufRead> Read for SmalBuf<R> {
+ fn read(&mut self, buf: &mut [u8]) -> Result<usize> {
+ let len = buf.len().min(self.cap);
+ self.inner.read(&mut buf[..len])
+ }
+}
+
+impl<R: BufRead> BufRead for SmalBuf<R> {
+ fn fill_buf(&mut self) -> Result<&[u8]> {
+ let buf = self.inner.fill_buf()?;
+ let len = buf.len().min(self.cap);
+ Ok(&buf[..len])
+ }
+
+ fn consume(&mut self, amt: usize) {
+ assert!(amt <= self.cap);
+ self.inner.consume(amt)
+ }
+}
+
+fuzz_target!(|data: &[u8]| {
+ // Small limits, we don't need them hopefully.
+ let limits = png::Limits { bytes: 1 << 16 };
+
+ let reference = png::Decoder::new_with_limits(data, limits);
+ let smal = png::Decoder::new_with_limits(SmalBuf::new(data, 1), limits);
+
+ let _ = png_compare(reference, smal);
+});
+
+#[inline(always)]
+fn png_compare<R: BufRead, S: BufRead>(reference: png::Decoder<R>, smal: png::Decoder<S>)
+ -> std::result::Result<png::OutputInfo, ()>
+{
+ let mut smal = Some(smal);
+ let (info, mut reference) = reference.read_info().map_err(|_| {
+ assert!(smal.take().unwrap().read_info().is_err());
+ })?;
+
+ let (sinfo, mut smal) = smal.take().unwrap().read_info().expect("Deviation");
+ assert_eq!(info, sinfo);
+
+ if info.buffer_size() > 5_000_000 {
+ return Err(());
+ }
+
+ let mut ref_data = vec![0; info.buffer_size()];
+ let mut smal_data = vec![0; info.buffer_size()];
+
+ let _rref = reference.next_frame(&mut ref_data);
+ let _rsmal = smal.next_frame(&mut smal_data);
+
+ assert_eq!(smal_data, ref_data);
+ return Ok(info);
+}
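Review bot: In `png_compare` the `next_frame` results `_rref` and `_rsmal` are discarded, so the final `assert_eq!(smal_data, ref_data)` only compares buffer contents and cannot distinguish one decoder failing partway from both succeeding when the remaining bytes happen to match; add `assert_eq!(_rref.is_ok(), _rsmal.is_ok(), "Deviation");` before the buffer comparison. The trailing `return Ok(info);` can be the bare expression `Ok(info)`. `#[inline(always)]` on a function called once per input has no measurable benefit and can be dropped.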
diff --git a/projects/image-png/build.sh b/projects/image-png/build.sh
new file mode 100755
index 000000000..c8b7f4913
--- /dev/null
+++ b/projects/image-png/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC
+cd image-png
+cargo fuzz build -O
+cp fuzz/target/x86_64-unknown-linux-gnu/release/decode $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/buf_independent $OUT/
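Review bot: `cd $SRC` followed by `cd image-png` is two steps for one change of directory; `cd $SRC/image-png` matches httparse/build.sh in this commit. The `x86_64-unknown-linux-gnu/release` path hard-codes the host triple, which is fine on the OSS-Fuzz builder, but a one-line comment such as `# cargo-fuzz places binaries under the host triple; the builder is x86_64 Linux.` records the assumption for whoever sees the copy fail elsewhere.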
diff --git a/projects/image-png/project.yaml b/projects/image-png/project.yaml
new file mode 100644
index 000000000..aa86d3a34
--- /dev/null
+++ b/projects/image-png/project.yaml
@@ -0,0 +1,11 @@
+homepage: "https://docs.rs/image/0.23.14/image"
+main_repo: "https://github.com/image-rs/image-png"
+primary_contact: "andreas.molzer@gmx.de"
+sanitizers:
+ - address
+fuzzing_engines:
+ - libfuzzer
+language: rust
+auto_ccs:
+ - "fintelia@gmail.com"
+ - "david@adalogics.com"
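Review bot: `homepage` points at a version-pinned docs.rs page for the `image` crate (`https://docs.rs/image/0.23.14/image`), while the project being fuzzed is `image-png`; this looks copied from another project and will go stale with the pinned version. If image-png's own page is meant, an unpinned URL such as the one already in `main_repo` would be the safer choice.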
diff --git a/projects/imageio/Dockerfile b/projects/imageio/Dockerfile
new file mode 100644
index 000000000..87c1811d5
--- /dev/null
+++ b/projects/imageio/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone https://github.com/imageio/imageio
+
+COPY build.sh $SRC/
+WORKDIR $SRC/imageio
diff --git a/projects/imageio/build.sh b/projects/imageio/build.sh
new file mode 100644
index 000000000..aeef84ec7
--- /dev/null
+++ b/projects/imageio/build.sh
@@ -0,0 +1,33 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+python3 setup.py build install
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find . -name 'fuzz_*.py'); do
+ fuzzer_basename=$(basename -s .py $fuzzer)
+ fuzzer_package=${fuzzer_basename}.pkg
+ pyinstaller --distpath $OUT --onefile --name $fuzzer_package $fuzzer
+
+ # Create execution wrapper.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+ASAN_OPTIONS=\$ASAN_OPTIONS:symbolize=1:external_symbolizer_path=\$this_dir/llvm-symbolizer:detect_leaks=0 \
+\$this_dir/$fuzzer_package \$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
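Review bot: The generated wrapper ends with `\$this_dir/$fuzzer_package \$@`, which expands the fuzzer's arguments unquoted so any argument containing whitespace is split; write `\"\$@\"` there to preserve argument boundaries. The same unquoted `\$@` appears in jackson-core/build.sh. `for fuzzer in $(find . -name 'fuzz_*.py')` also word-splits on paths, which only holds while no harness path contains spaces. This file is added with mode 100644 while the other build.sh files in the commit are 100755; the builder presumably invokes it through bash so it still runs, but matching the other projects is cheap.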
diff --git a/projects/imageio/project.yaml b/projects/imageio/project.yaml
new file mode 100644
index 000000000..73389b5ed
--- /dev/null
+++ b/projects/imageio/project.yaml
@@ -0,0 +1,11 @@
+homepage: "https://imageio.github.io"
+language: python
+primary_contact: "almar.klein@gmail.com"
+auto_ccs:
+ - "david@adalogics.com"
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+ - undefined
+main_repo: 'https://github.com/imageio/imageio'
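Review bot: `main_repo` uses single quotes while every other string in this file and in the sibling project.yaml files uses double quotes; `main_repo: "https://github.com/imageio/imageio"` keeps the quoting style consistent.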
diff --git a/projects/ipfs/Dockerfile b/projects/ipfs/Dockerfile
index 29590e08d..aee4c4ce1 100644
--- a/projects/ipfs/Dockerfile
+++ b/projects/ipfs/Dockerfile
@@ -15,7 +15,7 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get -t github.com/ipfs/go-datastore
+RUN git clone --depth 1 https://github.com/ipfs/go-datastore
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/go-datastore
diff --git a/projects/ipfs/build.sh b/projects/ipfs/build.sh
index d7509e7da..e1d577c44 100755
--- a/projects/ipfs/build.sh
+++ b/projects/ipfs/build.sh
@@ -15,7 +15,7 @@
#
################################################################################
-cd $GOPATH/src/github.com/ipfs/go-datastore/fuzz
+cd fuzz
function compile_ds_fuzzer {
fuzzer=$1
diff --git a/projects/istio/Dockerfile b/projects/istio/Dockerfile
index d9a9aca3c..4ba44e2a5 100644
--- a/projects/istio/Dockerfile
+++ b/projects/istio/Dockerfile
@@ -15,6 +15,6 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/istio/istio/pilot/pkg/config/kube/crd/...
+RUN git clone https://github.com/istio/istio
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/istio
diff --git a/projects/istio/build.sh b/projects/istio/build.sh
index 7eeee16c6..cb148e828 100644
--- a/projects/istio/build.sh
+++ b/projects/istio/build.sh
@@ -16,5 +16,5 @@
################################################################################
-compile_go_fuzzer istio.io/istio/tests/fuzz FuzzParseInputs fuzz_parse_inputs
-compile_go_fuzzer istio.io/istio/tests/fuzz FuzzParseAndBuildSchema fuzz_parse_and_build_schema
+compile_go_fuzzer ./tests/fuzz FuzzParseInputs fuzz_parse_inputs
+compile_go_fuzzer ./tests/fuzz FuzzParseAndBuildSchema fuzz_parse_and_build_schema
diff --git a/projects/istio/project.yaml b/projects/istio/project.yaml
index f48db7db7..f877df67c 100644
--- a/projects/istio/project.yaml
+++ b/projects/istio/project.yaml
@@ -3,7 +3,8 @@ primary_contact: "istio-security-vulnerability-reports@googlegroups.com"
auto_ccs :
- "adam@adalogics.com"
- "howardjohn@google.com"
- - "fpesce@google.com"
+ - "kconner@redhat.com"
+ - "bavery@redhat.com"
language: go
fuzzing_engines:
- libfuzzer
diff --git a/projects/jackson-core/Dockerfile b/projects/jackson-core/Dockerfile
new file mode 100644
index 000000000..1ff785046
--- /dev/null
+++ b/projects/jackson-core/Dockerfile
@@ -0,0 +1,35 @@
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y maven
+
+RUN git clone --depth 1 https://github.com/google/fuzzing
+RUN cat fuzzing/dictionaries/json.dict > $SRC/JsonFuzzer.dict
+
+RUN git clone --depth 1 https://github.com/dvyukov/go-fuzz-corpus && \
+ zip -j $SRC/JsonFuzzer_seed_corpus.zip go-fuzz-corpus/json/corpus/*
+
+ENV JACKSON_BRANCH=2.13
+
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-core
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-databind
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-annotations
+
+COPY build.sh $SRC/
+COPY JsonFuzzer.java $SRC/
+WORKDIR $SRC/
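Review bot: The file opens with a blank line before the copyright header (the first added line), unlike the other Dockerfiles in this commit; drop it. `RUN cat fuzzing/dictionaries/json.dict > $SRC/JsonFuzzer.dict` is a copy written as a shell redirection; `RUN cp fuzzing/dictionaries/json.dict $SRC/JsonFuzzer.dict` says what it does.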
diff --git a/projects/jackson-core/JsonFuzzer.java b/projects/jackson-core/JsonFuzzer.java
new file mode 100644
index 000000000..05c0bb365
--- /dev/null
+++ b/projects/jackson-core/JsonFuzzer.java
@@ -0,0 +1,44 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import java.io.IOException;
+
+public class JsonFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ ObjectMapper mapper = new ObjectMapper();
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.ALLOW_COMMENTS);
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.ALLOW_SINGLE_QUOTES);
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES);
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.ALLOW_YAML_COMMENTS);
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.IGNORE_UNDEFINED);
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);
+
+ try {
+ mapper.readTree(data.consumeRemainingAsBytes());
+ } catch (IOException ignored) {
+ }
+ }
+}
diff --git a/projects/jackson-core/build.sh b/projects/jackson-core/build.sh
new file mode 100644
index 000000000..5cbf19c20
--- /dev/null
+++ b/projects/jackson-core/build.sh
@@ -0,0 +1,57 @@
+#!/bin/bash -eu
+# Copyright 2021 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Copy seed corpus and dictionary.
+mv $SRC/{*.zip,*.dict} $OUT
+
+MAVEN_ARGS="-P!java14+ -Dmaven.test.skip=true -Djavac.src.version=15 -Djavac.target.version=15"
+
+DEPENDENCIES="jackson-core jackson-databind jackson-annotations"
+for dependency in $DEPENDENCIES; do
+ cd $SRC/$dependency
+ mvn package $MAVEN_ARGS
+ current_version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+ -Dexpression=project.version -q -DforceStdout)
+ cp "target/$dependency-$current_version.jar" $OUT/$dependency.jar
+done
+
+ALL_JARS=$(echo $DEPENDENCIES | xargs printf -- "%s.jar ")
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API.
+BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ # Create an execution wrapper that executes Jazzer with the correct arguments.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
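Review bot: `find $SRC -name '*Fuzzer.java'` descends into the three cloned jackson repositories, so any upstream source whose name ends in `Fuzzer.java` would be compiled and installed as a fuzzer, and `cp $SRC/$fuzzer_basename.class` would then fail because javac writes the class next to the source; `find $SRC -maxdepth 1 -name '*Fuzzer.java'` limits it to the harnesses copied into `$SRC`. The header says `Copyright 2021 Google Inc.` while the rest of this commit (including the hiredis updates) standardises on `Google LLC`.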
diff --git a/projects/jackson-core/project.yaml b/projects/jackson-core/project.yaml
new file mode 100644
index 000000000..90c85c585
--- /dev/null
+++ b/projects/jackson-core/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/FasterXML/jackson-core"
+language: jvm
+primary_contact: "tatu@fasterxml.com"
+auto_ccs:
+ - "meumertzheim@code-intelligence.com"
+fuzzing_engines:
+ - libfuzzer
+main_repo: "https://github.com/FasterXML/jackson-core"
+sanitizers:
+ - address
diff --git a/projects/jackson-dataformats-binary/CborFuzzer.java b/projects/jackson-dataformats-binary/CborFuzzer.java
new file mode 100644
index 000000000..e0f9a488c
--- /dev/null
+++ b/projects/jackson-dataformats-binary/CborFuzzer.java
@@ -0,0 +1,29 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.cbor.databind.CBORMapper;
+import java.io.IOException;
+
+public class CborFuzzer {
+ public static void fuzzerTestOneInput(byte[] input) {
+ ObjectMapper mapper = new CBORMapper();
+ try {
+ mapper.readTree(input);
+ } catch (IOException ignored) {
+ }
+ }
+}
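Review bot: `new CBORMapper()` is constructed on every input inside `fuzzerTestOneInput`, adding allocation and configuration cost to each iteration for an object that never changes; since no per-input features are toggled here (unlike JsonFuzzer), hold it as `private static final ObjectMapper MAPPER = new CBORMapper();` and call `MAPPER.readTree(input)`. The same applies to SmileFuzzer.java.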
diff --git a/projects/jackson-dataformats-binary/Dockerfile b/projects/jackson-dataformats-binary/Dockerfile
new file mode 100644
index 000000000..0e4ea8213
--- /dev/null
+++ b/projects/jackson-dataformats-binary/Dockerfile
@@ -0,0 +1,29 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y maven
+
+ENV JACKSON_BRANCH=2.13
+
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-dataformats-binary
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-databind
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-core
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-annotations
+
+COPY build.sh $SRC/
+COPY CborFuzzer.java SmileFuzzer.java $SRC/
+WORKDIR $SRC/
diff --git a/projects/jackson-dataformats-binary/SmileFuzzer.java b/projects/jackson-dataformats-binary/SmileFuzzer.java
new file mode 100644
index 000000000..1d179fefc
--- /dev/null
+++ b/projects/jackson-dataformats-binary/SmileFuzzer.java
@@ -0,0 +1,29 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.smile.databind.SmileMapper;
+import java.io.IOException;
+
+public class SmileFuzzer {
+ public static void fuzzerTestOneInput(byte[] input) {
+ ObjectMapper mapper = new SmileMapper();
+ try {
+ mapper.readTree(input);
+ } catch (IOException ignored) {
+ }
+ }
+}
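Review bot: `new SmileMapper()` is constructed on every `fuzzerTestOneInput` call, so mapper setup rather than Smile parsing dominates each iteration; Jackson mappers are intended to be built once and reused. Hoist it to `private static final ObjectMapper MAPPER = new SmileMapper();` and call `MAPPER.readTree(input);` in the body. The bare `catch (IOException ignored)` is appropriate here since malformed input is expected and any other exception type is what Jazzer should report, but a one-line comment such as `// Malformed input is expected; only unexpected exception types are findings.` would make that intent explicit.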
diff --git a/projects/jackson-dataformats-binary/build.sh b/projects/jackson-dataformats-binary/build.sh
new file mode 100644
index 000000000..3c3c0afe6
--- /dev/null
+++ b/projects/jackson-dataformats-binary/build.sh
@@ -0,0 +1,66 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+MAVEN_ARGS="-P!java14+ -Dmaven.test.skip=true -Djavac.src.version=15 -Djavac.target.version=15"
+
+cd $SRC/jackson-dataformats-binary
+mvn package $MAVEN_ARGS
+CURRENT_VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+ -Dexpression=project.version -q -DforceStdout)
+DATAFORMAT_PREFIX=jackson-dataformat
+cp "cbor/target/$DATAFORMAT_PREFIX-cbor-$CURRENT_VERSION.jar" $OUT/$DATAFORMAT_PREFIX-cbor.jar
+cp "smile/target/$DATAFORMAT_PREFIX-smile-$CURRENT_VERSION.jar" $OUT/$DATAFORMAT_PREFIX-smile.jar
+
+PROJECT_JARS="$DATAFORMAT_PREFIX-cbor.jar $DATAFORMAT_PREFIX-smile.jar"
+
+DEPENDENCIES="jackson-core jackson-databind jackson-annotations"
+for dependency in $DEPENDENCIES; do
+ cd $SRC/$dependency
+ mvn package $MAVEN_ARGS
+ current_version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+ -Dexpression=project.version -q -DforceStdout)
+ cp "target/$dependency-$current_version.jar" $OUT/$dependency.jar
+done
+
+FUZZER_JARS=$(echo $DEPENDENCIES | xargs printf -- "%s.jar ")
+
+ALL_JARS="$PROJECT_JARS $FUZZER_JARS"
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API.
+BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ # Create an execution wrapper that executes Jazzer with the correct arguments.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
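Review bot: `for fuzzer in $(find $SRC -name '*Fuzzer.java')` walks the four cloned Jackson trees as well as `$SRC` itself, so any `*Fuzzer.java` that exists (or is later added) inside those repositories would be compiled and then `cp $SRC/$fuzzer_basename.class` would fail because javac writes the class file next to the source; restrict the search with `find $SRC -maxdepth 1 -name '*Fuzzer.java'`. Separately, the dependency loop runs `mvn package` rather than `mvn install`, so the earlier `mvn package` for jackson-dataformats-binary presumably resolves jackson-core/databind from a remote repository while the runtime classpath uses the locally built jars in `$OUT`; if that is intended, a comment saying the compile-time and runtime versions may differ would help. Also the wrapper ends with an unquoted `\$@`, so arguments containing spaces are re-split; use `"\$@"`.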
diff --git a/projects/jackson-dataformats-binary/project.yaml b/projects/jackson-dataformats-binary/project.yaml
new file mode 100644
index 000000000..c556ccea9
--- /dev/null
+++ b/projects/jackson-dataformats-binary/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/FasterXML/jackson-dataformats-binary"
+language: jvm
+primary_contact: "tatu@fasterxml.com"
+auto_ccs:
+ - "meumertzheim@code-intelligence.com"
+fuzzing_engines:
+ - libfuzzer
+main_repo: "https://github.com/FasterXML/jackson-dataformats-binary"
+sanitizers:
+ - address
diff --git a/projects/java-example/Dockerfile b/projects/java-example/Dockerfile
new file mode 100644
index 000000000..316e9a888
--- /dev/null
+++ b/projects/java-example/Dockerfile
@@ -0,0 +1,24 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+
+COPY build.sh $SRC/
+
+COPY ExampleFuzzerNative.h ExampleFuzzerNative.cpp $SRC/
+COPY ExampleFuzzer.java ExampleValueProfileFuzzer.java ExampleFuzzerNative.java default.options $SRC/
+
+WORKDIR $SRC/
diff --git a/infra/base-images/Jenkinsfile b/projects/java-example/ExampleFuzzer.java
index 67b22e9b0..4dde09adc 100644
--- a/infra/base-images/Jenkinsfile
+++ b/projects/java-example/ExampleFuzzer.java
@@ -1,4 +1,4 @@
-// Copyright 2016 Google Inc.
+// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -14,24 +14,20 @@
//
////////////////////////////////////////////////////////////////////////////////
-// Jenkins build script for base images.
-node {
- git url: 'https://github.com/google/oss-fuzz/'
-
- stage("infra/base-images/all.sh") {
- sh "infra/base-images/all.sh --no-cache"
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import java.security.SecureRandom;
+
+public class ExampleFuzzer {
+ public static void fuzzerInitialize() {
+ // Optional initialization to be run before the first call to fuzzerTestOneInput.
}
-
- stage("docker push") {
- def images = ['ossfuzz/base-image', 'ossfuzz/base-clang', 'ossfuzz/base-libfuzzer',
- 'ossfuzz/base-runner', 'ossfuzz/base-runner-debug',
- 'ossfuzz/base-builder',]
-
- docker.withRegistry('', 'docker-login') {
- for (int i = 0; i < images.size(); i++) {
- def image = images[i]
- docker.image(image).push()
- }
+
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ String input = data.consumeRemainingAsString();
+ long random = 123123132;
+ if (input.startsWith("magicstring" + random) && input.length() > 30
+ && input.charAt(25) == 'C') {
+ throw new IllegalStateException("Not reached");
}
}
}
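Review bot: `import java.security.SecureRandom;` is unused in the new `ExampleFuzzer`, whose only non-trivial value is the constant `long random = 123123132;`, so the import should be dropped and the local renamed to something that does not suggest randomness, e.g. `long magic = 123123132;`. A one-line class comment such as `// Crashes only on an input that starts with "magicstring123123132", is longer than 30 chars and has 'C' at index 25; demonstrates that string-compare instrumentation finds it.` would explain what the example is showing. This hunk is rendered as a rename from infra/base-images/Jenkinsfile, which is git similarity detection rather than a real relationship between the files.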
diff --git a/projects/java-example/ExampleFuzzerNative.cpp b/projects/java-example/ExampleFuzzerNative.cpp
new file mode 100644
index 000000000..7ae0de80d
--- /dev/null
+++ b/projects/java-example/ExampleFuzzerNative.cpp
@@ -0,0 +1,38 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+#include "ExampleFuzzerNative.h"
+
+#include <string>
+
+// simple function containing a crash that requires coverage and string compare
+// instrumentation for the fuzzer to find
+void parseInternal(const std::string &input) {
+ if (input[0] == 'a' && input[1] == 'b' && input[5] == 'c') {
+ if (input.find("secret_in_native_library") != std::string::npos) {
+ // BOOM
+ *(char *)1 = 2;
+ }
+ }
+}
+
+JNIEXPORT jboolean JNICALL Java_ExampleFuzzerNative_parse(
+ JNIEnv *env, jobject o, jstring bytes) {
+ const char *input(env->GetStringUTFChars(bytes, nullptr));
+ parseInternal(input);
+ env->ReleaseStringUTFChars(bytes, input);
+ return false;
+}
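Review bot: `parseInternal` indexes `input[0]`, `input[1]` and `input[5]` without checking `input.size()`, which is undefined behaviour for a `std::string` shorter than six bytes; the Java caller guards `stringData.length() > 10`, but that is a UTF-16 length on the other side of the JNI boundary and is not part of this function's contract. Guard the condition with `if (input.size() > 5 && input[0] == 'a' && input[1] == 'b' && input[5] == 'c') {` so the only crash the example contains is the intentional `*(char *)1 = 2;`. `GetStringUTFChars` can also return `nullptr` on failure; add `if (input == nullptr) return false;` before constructing the `std::string`.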
diff --git a/projects/java-example/ExampleFuzzerNative.h b/projects/java-example/ExampleFuzzerNative.h
new file mode 100644
index 000000000..7c9b8a5a3
--- /dev/null
+++ b/projects/java-example/ExampleFuzzerNative.h
@@ -0,0 +1,37 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+/* DO NOT EDIT THIS FILE - it is machine generated */
+#include <jni.h>
+/* Header for class ExampleFuzzerNative */
+
+#ifndef _Included_ExampleFuzzerNative
+#define _Included_ExampleFuzzerNative
+#ifdef __cplusplus
+extern "C" {
+#endif
+/*
+ * Class: ExampleFuzzerNative
+ * Method: parse
+ * Signature: (Ljava/lang/String;)Z
+ */
+JNIEXPORT jboolean JNICALL
+Java_ExampleFuzzerNative_parse(JNIEnv *, jobject, jstring);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/projects/java-example/ExampleFuzzerNative.java b/projects/java-example/ExampleFuzzerNative.java
new file mode 100644
index 000000000..daf75fa39
--- /dev/null
+++ b/projects/java-example/ExampleFuzzerNative.java
@@ -0,0 +1,34 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+public class ExampleFuzzerNative {
+ static {
+ System.loadLibrary("native");
+ }
+
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ int val = data.consumeInt();
+ String stringData = data.consumeRemainingAsString();
+ if (val == 17759716 && stringData.length() > 10 && stringData.contains("jazzer")) {
+ // call native function which contains a crash
+ parse(stringData);
+ }
+ }
+
+ private static native boolean parse(String bytes);
+}
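Review bot: The static initializer `System.loadLibrary("native");` has no comment saying where `libnative.so` comes from, which matters because the library is only found through the loader path set up by the wrapper script. A comment such as `// libnative.so is produced by build.sh into $OUT; the generated wrapper adds that directory to LD_LIBRARY_PATH so the JVM can resolve it.` would tie the two files together. It would also help to note on `fuzzerTestOneInput` that the `val == 17759716` and `contains("jazzer")` checks are deliberate hurdles that require Jazzer's value-profile and string-compare instrumentation before the native code is reached.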
diff --git a/projects/java-example/ExampleValueProfileFuzzer.java b/projects/java-example/ExampleValueProfileFuzzer.java
new file mode 100644
index 000000000..22b4ce510
--- /dev/null
+++ b/projects/java-example/ExampleValueProfileFuzzer.java
@@ -0,0 +1,52 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import java.util.Base64;
+
+public class ExampleValueProfileFuzzer {
+ private static String base64(byte[] input) {
+ return Base64.getEncoder().encodeToString(input);
+ }
+
+ private static long insecureEncrypt(long input) {
+ long key = 0xefe4eb93215cb6b0L;
+ return input ^ key;
+ }
+
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ // Without -use_value_profile=1, the fuzzer gets stuck here as there is no direct correspondence
+ // between the input bytes and the compared string. With value profile, the fuzzer can guess the
+ // expected input byte by byte, which takes linear rather than exponential time.
+ if (base64(data.consumeBytes(6)).equals("SmF6emVy")) {
+ long[] plaintextBlocks = data.consumeLongs(2);
+ if (plaintextBlocks.length != 2)
+ return;
+ if (insecureEncrypt(plaintextBlocks[0]) == 0x9fc48ee64d3dc090L) {
+ // Without --fake_pcs (enabled by default with -use_value_profile=1), the fuzzer would get
+ // stuck here as the value profile information for long comparisons would not be able to
+ // distinguish between this comparison and the one above.
+ if (insecureEncrypt(plaintextBlocks[1]) == 0x888a82ff483ad9c2L) {
+ mustNeverBeCalled();
+ }
+ }
+ }
+ }
+
+ private static void mustNeverBeCalled() {
+ throw new IllegalStateException("mustNeverBeCalled has been called");
+ }
+}
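Review bot: The magic values in `fuzzerTestOneInput` are opaque to a reader: `"SmF6emVy"` is the base64 encoding of `Jazzer`, and the two expected ciphertexts are `key ^ plaintext` for `insecureEncrypt`, so the crashing input is fully determined but nowhere stated. Add `// "SmF6emVy" is base64("Jazzer").` above the first condition and `// Expected values are insecureEncrypt(plaintext); the fuzzer must recover both 8-byte blocks.` above the `plaintextBlocks` comparison. A short doc comment on `insecureEncrypt` saying it is a fixed-key XOR used purely as a fuzzing obstacle, not as cryptography, would prevent anyone copying it as a pattern.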
diff --git a/projects/java-example/build.sh b/projects/java-example/build.sh
new file mode 100755
index 000000000..63f4c95f9
--- /dev/null
+++ b/projects/java-example/build.sh
@@ -0,0 +1,52 @@
+#!/bin/bash -eu
+# Copyright 2021 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build native library.
+JVM_INCLUDES="-I$JAVA_HOME/include -I$JAVA_HOME/include/linux"
+$CXX $CXXFLAGS $JVM_INCLUDES -fPIC -shared \
+ ExampleFuzzerNative.cpp -o $OUT/libnative.so
+
+BUILD_CLASSPATH=$JAZZER_API_PATH
+
+# All class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java' -or -name '*FuzzerNative.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ if [[ $fuzzer_basename == *FuzzerNative ]]; then
+ driver=jazzer_driver_asan
+ else
+ driver=jazzer_driver
+ fi
+
+ cp default.options $OUT/"$fuzzer_basename".options
+ # Create execution wrapper.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+ASAN_OPTIONS=\$ASAN_OPTIONS:symbolize=1:external_symbolizer_path=\$this_dir/llvm-symbolizer:detect_leaks=0 \
+\$this_dir/$driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
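Review bot: The generated wrapper forwards its arguments with an unquoted `\$@`, so any argument containing whitespace is re-split by `/bin/sh` before reaching `jazzer_driver`; the last line of the `echo` should read `\"\$@\"" > $OUT/$fuzzer_basename`. The `ASAN_OPTIONS=\$ASAN_OPTIONS:symbolize=1:...` prefix yields a leading `:` when the variable is unset in the runtime environment, which I believe ASan tolerates, but it is worth a comment if that was checked. A comment above the `if [[ $fuzzer_basename == *FuzzerNative ]]` branch explaining that only fuzzers loading JNI code need the ASan-instrumented driver would also help.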
diff --git a/projects/java-example/default.options b/projects/java-example/default.options
new file mode 100644
index 000000000..59318037a
--- /dev/null
+++ b/projects/java-example/default.options
@@ -0,0 +1,3 @@
+[asan]
+handle_segv=1
+allow_user_segv_handler=1
diff --git a/projects/java-example/project.yaml b/projects/java-example/project.yaml
new file mode 100644
index 000000000..e71c40577
--- /dev/null
+++ b/projects/java-example/project.yaml
@@ -0,0 +1,8 @@
+homepage: "https://github.com/CodeIntelligenceTesting/jazzer"
+language: jvm
+primary_contact: "meumertzheim@code-intelligence.com"
+fuzzing_engines:
+ - libfuzzer
+main_repo: "https://github.com/CodeIntelligenceTesting/jazzer"
+sanitizers:
+ - address
diff --git a/projects/jbig2dec/jbig2_fuzzer.cc b/projects/jbig2dec/jbig2_fuzzer.cc
index b0a168939..4b94f2c7d 100644
--- a/projects/jbig2dec/jbig2_fuzzer.cc
+++ b/projects/jbig2dec/jbig2_fuzzer.cc
@@ -23,108 +23,104 @@
#include "jbig2.h"
-#define ALIGNMENT 16
-#define MBYTE (1024 * 1024)
+#define ALIGNMENT ((size_t) 16)
+#define KBYTE ((size_t) 1024)
+#define MBYTE (1024 * KBYTE)
#define GBYTE (1024 * MBYTE)
#define MAX_ALLOCATION (1 * GBYTE)
-static uint64_t total = 0;
-static uint64_t peak = 0;
+static size_t used;
-static void *jbig2_alloc(Jbig2Allocator *allocator, size_t size)
+static void *jbig2_fuzzer_reached_limit(size_t oldsize, size_t size)
{
- void *ptr;
+ if (oldsize == 0)
+ fprintf(stderr, "limit: %zu Mbyte used: %zu Mbyte allocation: %zu: limit reached\n", MAX_ALLOCATION / MBYTE, used / MBYTE, size);
+ else
+ fprintf(stderr, "limit: %zu Mbyte used: %zu Mbyte reallocation: %zu -> %zu: limit reached\n", MAX_ALLOCATION / MBYTE, used / MBYTE, oldsize, size);
+ fflush(0);
+ return NULL;
+}
+
+static void *jbig2_fuzzer_alloc(Jbig2Allocator *allocator, size_t size)
+{
+ char *ptr = NULL;
if (size == 0)
return NULL;
- if (size > MAX_ALLOCATION - ALIGNMENT - total)
+ if (size > SIZE_MAX - ALIGNMENT)
return NULL;
+ if (size + ALIGNMENT > MAX_ALLOCATION - used)
+ return jbig2_fuzzer_reached_limit(0, size + ALIGNMENT);
- ptr = malloc(size + ALIGNMENT);
+ ptr = (char *) malloc(size + ALIGNMENT);
if (ptr == NULL)
return NULL;
memcpy(ptr, &size, sizeof(size));
- total += size + ALIGNMENT;
-
- if (peak == 0 || total / MBYTE > peak / MBYTE) {
- peak = total;
- fprintf(stderr, "memory: limit: %u Mbyte peak usage: %u Mbyte\n", MAX_ALLOCATION, peak);
- }
+ used += size + ALIGNMENT;
- return (unsigned char *) ptr + ALIGNMENT;
+ return ptr + ALIGNMENT;
}
-static void jbig2_free(Jbig2Allocator *allocator, void *p)
+static void jbig2_fuzzer_free(Jbig2Allocator *allocator, void *ptr)
{
- int size;
+ size_t size;
- if (p == NULL)
+ if (ptr == NULL)
+ return;
+ if (ptr < (void *) ALIGNMENT)
return;
- memcpy(&size, (unsigned char *) p - ALIGNMENT, sizeof(size));
- total -= size + ALIGNMENT;
- free((unsigned char *) p - ALIGNMENT);
+ ptr = (char *) ptr - ALIGNMENT;
+ memcpy(&size, ptr, sizeof(size));
+
+ used -= size + ALIGNMENT;
+ free(ptr);
}
-static void *jbig2_realloc(Jbig2Allocator *allocator, void *p, size_t size)
+static void *jbig2_fuzzer_realloc(Jbig2Allocator *allocator, void *old, size_t size)
{
- unsigned char *oldp = p ? (unsigned char *) p - ALIGNMENT : NULL;
+ size_t oldsize;
+ char *ptr;
- if (size > SIZE_MAX - ALIGNMENT)
+ if (old == NULL)
+ return jbig2_fuzzer_alloc(allocator, size);
+ if (old < (void *) ALIGNMENT)
return NULL;
- if (oldp == NULL)
- {
- if (size == 0)
- return NULL;
- if (size > MAX_ALLOCATION - ALIGNMENT - total)
- return NULL;
-
- p = malloc(size + ALIGNMENT);
- if (p == NULL)
- return NULL;
+ if (size == 0) {
+ jbig2_fuzzer_free(allocator, old);
+ return NULL;
}
- else
- {
- int oldsize;
- memcpy(&oldsize, oldp, sizeof(oldsize));
-
- if (size == 0)
- {
- total -= oldsize + ALIGNMENT;
- free(oldp);
- return NULL;
- }
-
- if (size > MAX_ALLOCATION - total + oldsize)
- return NULL;
+ if (size > SIZE_MAX - ALIGNMENT)
+ return NULL;
- p = realloc(oldp, size + ALIGNMENT);
- if (p == NULL)
- return NULL;
+ old = (char *) old - ALIGNMENT;
+ memcpy(&oldsize, old, sizeof(oldsize));
- total -= oldsize + ALIGNMENT;
- }
+ if (size + ALIGNMENT > MAX_ALLOCATION - used + oldsize + ALIGNMENT)
+ return jbig2_fuzzer_reached_limit(oldsize + ALIGNMENT, size + ALIGNMENT);
- memcpy(p, &size, sizeof(size));
- total += size + ALIGNMENT;
+ ptr = (char *) realloc(old, size + ALIGNMENT);
+ if (ptr == NULL)
+ return NULL;
- if (peak == 0 || total / MBYTE > peak / MBYTE) {
- peak = total;
- fprintf(stderr, "memory: limit: %u Mbyte peak usage: %u Mbyte\n", MAX_ALLOCATION, peak);
- }
+ used -= oldsize + ALIGNMENT;
+ memcpy(ptr, &size, sizeof(size));
+ used += size + ALIGNMENT;
- return (unsigned char *) p + ALIGNMENT;
+ return ptr + ALIGNMENT;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
Jbig2Allocator allocator;
Jbig2Ctx *ctx = NULL;
- allocator.alloc = jbig2_alloc;
- allocator.free = jbig2_free;
- allocator.realloc = jbig2_realloc;
+ used = 0;
+
+ allocator.alloc = jbig2_fuzzer_alloc;
+ allocator.free = jbig2_fuzzer_free;
+ allocator.realloc = jbig2_fuzzer_realloc;
ctx = jbig2_ctx_new(&allocator, (Jbig2Options) 0, NULL, NULL, NULL);
if (jbig2_data_in(ctx, data, size) == 0)
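Review bot: The `ptr < (void *) ALIGNMENT` guard in `jbig2_fuzzer_free` and the matching `old < (void *) ALIGNMENT` in `jbig2_fuzzer_realloc` compare an arbitrary pointer against an integer cast to a pointer, which is an unspecified comparison in C++ and only rejects near-null values; it needs a comment stating that intent, e.g. `/* Reject values too small to have an ALIGNMENT-byte size header in front of them. */`. The allocator as a whole also lacks a header comment describing the scheme the code implements: a `size_t` stored in an `ALIGNMENT`-byte prefix, a running `used` total reset per input, and the `MAX_ALLOCATION` cap enforced before `malloc`/`realloc`. Finally, `jbig2_fuzzer_reached_limit` receives `size + ALIGNMENT`, so the "allocation: %zu" message reports the padded size rather than what the library asked for; either pass `size` or say so in the message.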
@@ -144,7 +140,5 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
}
jbig2_ctx_free(ctx);
- fprintf(stderr, "memory: limit: %u Mbyte peak usage: %u Mbyte\n", MAX_ALLOCATION, peak);
-
return 0;
}
diff --git a/projects/json-sanitizer/DenylistFuzzer.java b/projects/json-sanitizer/DenylistFuzzer.java
new file mode 100644
index 000000000..4e73cfcb7
--- /dev/null
+++ b/projects/json-sanitizer/DenylistFuzzer.java
@@ -0,0 +1,49 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium;
+import com.google.json.JsonSanitizer;
+
+public class DenylistFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ String input = data.consumeRemainingAsString();
+ String output;
+ try {
+ output = JsonSanitizer.sanitize(input, 10);
+ } catch (ArrayIndexOutOfBoundsException e) {
+ // ArrayIndexOutOfBoundsException is expected if nesting depth is
+ // exceeded.
+ return;
+ }
+
+ // Check for forbidden substrings. As these would enable Cross-Site
+ // Scripting, treat every finding as a high severity vulnerability.
+ assert !output.contains("</script")
+ : new FuzzerSecurityIssueHigh("Output contains </script");
+ assert !output.contains("]]>")
+ : new FuzzerSecurityIssueHigh("Output contains ]]>");
+
+ // Check for more forbidden substrings. As these would not directly enable
+ // Cross-Site Scripting in general, but may impact script execution on the
+ // embedding page, treat each finding as a medium severity vulnerability.
+ assert !output.contains("<script")
+ : new FuzzerSecurityIssueMedium("Output contains <script");
+ assert !output.contains("<!--")
+ : new FuzzerSecurityIssueMedium("Output contains <!--");
+ }
+}
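Review bot: The four `output.contains(...)` checks are case-sensitive, but HTML tag names are not, so an output containing `</SCRIPT` or `<Script` would pass this oracle even though a browser would act on it; if the sanitizer ever let such a sequence through, the fuzzer would not notice. Compare against a lower-cased copy of the output instead (requires `import java.util.Locale;`). The `catch (ArrayIndexOutOfBoundsException e)` branch treats every such exception as the expected nesting-depth limit, which also hides any genuine indexing bug in the sanitizer; worth a hedged comment that this is a known trade-off.
```java
// … unchanged: sanitize call and nesting-depth handling …
// HTML tag names are case-insensitive, so match on a lower-cased copy.
String lower = output.toLowerCase(Locale.ROOT);
assert !lower.contains("</script")
    : new FuzzerSecurityIssueHigh("Output contains </script");
assert !lower.contains("]]>")
    : new FuzzerSecurityIssueHigh("Output contains ]]>");
assert !lower.contains("<script")
    : new FuzzerSecurityIssueMedium("Output contains <script");
assert !lower.contains("<!--")
    : new FuzzerSecurityIssueMedium("Output contains <!--");
```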
diff --git a/projects/json-sanitizer/Dockerfile b/projects/json-sanitizer/Dockerfile
new file mode 100644
index 000000000..f36a13622
--- /dev/null
+++ b/projects/json-sanitizer/Dockerfile
@@ -0,0 +1,39 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN apt-get update && apt-get install -y maven
+
+RUN git clone --depth 1 https://github.com/google/fuzzing
+RUN cat fuzzing/dictionaries/json.dict \
+ fuzzing/dictionaries/html.dict \
+ fuzzing/dictionaries/xml.dict \
+ > $SRC/DenylistFuzzer.dict
+RUN cp fuzzing/dictionaries/json.dict $SRC/IdempotenceFuzzer.dict
+RUN cp fuzzing/dictionaries/json.dict $SRC/ValidJsonFuzzer.dict
+
+RUN git clone --depth 1 https://github.com/dvyukov/go-fuzz-corpus && \
+ zip -q $SRC/DenylistFuzzer_seed_corpus.zip go-fuzz-corpus/json/corpus/* && \
+ zip -q $SRC/IdempotenceFuzzer_seed_corpus.zip go-fuzz-corpus/json/corpus/* && \
+ zip -q $SRC/ValidJsonFuzzer_seed_corpus.zip go-fuzz-corpus/json/corpus/*
+
+RUN git clone --depth 1 https://github.com/OWASP/json-sanitizer
+COPY build.sh $SRC/
+
+COPY DenylistFuzzer.java IdempotenceFuzzer.java ValidJsonFuzzer.java $SRC/
+
+WORKDIR $SRC/json-sanitizer
diff --git a/projects/json-sanitizer/IdempotenceFuzzer.java b/projects/json-sanitizer/IdempotenceFuzzer.java
new file mode 100644
index 000000000..a42c91af9
--- /dev/null
+++ b/projects/json-sanitizer/IdempotenceFuzzer.java
@@ -0,0 +1,38 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+import com.google.json.JsonSanitizer;
+
+public class IdempotenceFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ String input = data.consumeRemainingAsString();
+ String output;
+ try {
+ output = JsonSanitizer.sanitize(input, 10);
+ } catch (ArrayIndexOutOfBoundsException e) {
+ // ArrayIndexOutOfBoundsException is expected if nesting depth is
+ // exceeded.
+ return;
+ }
+
+ // Ensure that sanitizing twice does not give different output
+ // (idempotence). Since failure to be idempotent is not a security issue in
+ // itself, fail with a regular AssertionError.
+ assert JsonSanitizer.sanitize(output).equals(output) : "Not idempotent";
+ }
+}
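Review bot: The idempotence check sanitizes the first time with `JsonSanitizer.sanitize(input, 10)` but the second time with the single-argument `JsonSanitizer.sanitize(output)`, so the two passes run with different nesting limits and the comparison is not like-for-like. Use the same overload on both sides: `assert JsonSanitizer.sanitize(output, 10).equals(output) : "Not idempotent";`. As written, a difference caused purely by the limit would be reported as a non-idempotence failure.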
diff --git a/projects/json-sanitizer/ValidJsonFuzzer.java b/projects/json-sanitizer/ValidJsonFuzzer.java
new file mode 100644
index 000000000..c8fbe0386
--- /dev/null
+++ b/projects/json-sanitizer/ValidJsonFuzzer.java
@@ -0,0 +1,47 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow;
+
+import com.google.gson.Gson;
+import com.google.gson.JsonElement;
+import com.google.json.JsonSanitizer;
+
+public class ValidJsonFuzzer {
+ private static Gson gson = new Gson();
+
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ String input = data.consumeRemainingAsString();
+ String output;
+ try {
+ output = JsonSanitizer.sanitize(input, 10);
+ } catch (ArrayIndexOutOfBoundsException e) {
+ // ArrayIndexOutOfBoundsException is expected if nesting depth is
+ // exceeded.
+ return;
+ }
+
+ // Check that the output is valid JSON. Invalid JSON may crash other parts
+ // of the application that trust the output of the sanitizer.
+ try {
+ Gson gson = new Gson();
+ gson.fromJson(output, JsonElement.class);
+ } catch (Exception e) {
+ throw new FuzzerSecurityIssueLow("Output is invalid JSON", e);
+ }
+ }
+}
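Review bot: The local `Gson gson = new Gson();` inside the `try` shadows the `private static Gson gson` field declared above it, so the field is never used and a new parser is built on every input; delete the local and call `gson.fromJson(output, JsonElement.class);` on the static instance. `catch (Exception e)` is also broader than needed: it turns any unexpected runtime exception from Gson into a low-severity "invalid JSON" finding, so catching `com.google.gson.JsonParseException` would keep real bugs distinguishable. As I recall `Gson.fromJson` parses leniently, accepting some non-standard JSON, so the oracle may be weaker than "valid JSON" suggests; if that is the case, a comment should say so or a strict `JsonReader` should be used.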
diff --git a/projects/json-sanitizer/build.sh b/projects/json-sanitizer/build.sh
new file mode 100755
index 000000000..64df5e5c5
--- /dev/null
+++ b/projects/json-sanitizer/build.sh
@@ -0,0 +1,60 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Move seed corpus and dictionary.
+mv $SRC/{*.zip,*.dict} $OUT
+
+# Build the json-sanitizer jar.
+CURRENT_VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+-Dexpression=project.version -q -DforceStdout)
+mvn package
+cp "target/json-sanitizer-$CURRENT_VERSION.jar" $OUT/json-sanitizer.jar
+
+# The jar files containing the project (separated by spaces).
+PROJECT_JARS=json-sanitizer.jar
+
+# Get the fuzzer dependencies (gson).
+mvn dependency:copy -Dartifact=com.google.code.gson:gson:2.8.6 -DoutputDirectory=$OUT/
+
+# The jar files containing further dependencies of the fuzz targets (separated
+# by spaces).
+FUZZER_JARS=gson-2.8.6.jar
+
+# Build fuzzers in $OUT.
+ALL_JARS="$PROJECT_JARS $FUZZER_JARS"
+BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All jars and class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):.:\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ # Create execution wrapper.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
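Review bot: `RUNTIME_CLASSPATH` ends in `:.:\$this_dir`, which puts the current working directory on the JVM classpath at run time; the fuzzer's classes and jars are all placed in `$OUT` next to the wrapper, so `.` adds nothing except a dependency on wherever the wrapper happens to be invoked from, and the sibling jackson wrapper omits it. Drop it: `RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir`. The wrapper also forwards arguments with an unquoted `\$@`; use `"\$@"` so arguments containing spaces survive.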
diff --git a/projects/json-sanitizer/project.yaml b/projects/json-sanitizer/project.yaml
new file mode 100644
index 000000000..028335f91
--- /dev/null
+++ b/projects/json-sanitizer/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/OWASP/json-sanitizer"
+language: jvm
+primary_contact: "mikesamuel@gmail.com"
+auto_ccs:
+ - "meumertzheim@code-intelligence.com"
+fuzzing_engines:
+ - libfuzzer
+main_repo: "https://github.com/OWASP/json-sanitizer"
+sanitizers:
+ - address
diff --git a/projects/json5format/Dockerfile b/projects/json5format/Dockerfile
new file mode 100644
index 000000000..c0117a59e
--- /dev/null
+++ b/projects/json5format/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN git clone --depth 1 https://github.com/google/json5format
+WORKDIR $SRC
+
+COPY build.sh $SRC/
diff --git a/projects/json5format/build.sh b/projects/json5format/build.sh
new file mode 100755
index 000000000..c722bdb01
--- /dev/null
+++ b/projects/json5format/build.sh
@@ -0,0 +1,20 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC/json5format
+cargo fuzz build -O
+cp ./fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_parse $OUT/fuzz_parse
diff --git a/projects/json5format/project.yaml b/projects/json5format/project.yaml
new file mode 100644
index 000000000..e73905ebe
--- /dev/null
+++ b/projects/json5format/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://crates.io/crates/json5format"
+main_repo: "https://github.com/google/json5format"
+primary_contact: "richkadel@google.com"
+sanitizers:
+ - address
+fuzzing_engines:
+ - libfuzzer
+language: rust
+auto_ccs:
+ - "david@adalogics.com"
diff --git a/projects/jsonparser/Dockerfile b/projects/jsonparser/Dockerfile
index 17f6cd199..a5d91faf6 100644
--- a/projects/jsonparser/Dockerfile
+++ b/projects/jsonparser/Dockerfile
@@ -15,7 +15,7 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/buger/jsonparser
+RUN git clone --depth 1 https://github.com/buger/jsonparser
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/jsonparser
diff --git a/projects/jsonparser/build.sh b/projects/jsonparser/build.sh
index fda6e8d97..3b576e11f 100755
--- a/projects/jsonparser/build.sh
+++ b/projects/jsonparser/build.sh
@@ -15,4 +15,4 @@
#
################################################################################
-$GOPATH/src/github.com/buger/jsonparser/oss-fuzz-build.sh
+./oss-fuzz-build.sh
diff --git a/projects/jsonschema/Dockerfile b/projects/jsonschema/Dockerfile
new file mode 100644
index 000000000..ffec717b1
--- /dev/null
+++ b/projects/jsonschema/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN pip3 install hypothesis
+
+RUN git clone --depth=1 https://github.com/Julian/jsonschema
+WORKDIR $SRC/jsonschema
+
+COPY build.sh $SRC/
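Review bot: `RUN pip3 install hypothesis` installs whatever release is current when the image is built, so the fuzzing image is not reproducible and a bad or hijacked release lands in it unnoticed. Pin it to the release the fuzz targets were written against, `RUN pip3 install hypothesis==<pinned version>`, ideally through a requirements file with `--require-hashes`. The jsonschema clone itself is `--depth=1` of HEAD, which is the usual OSS-Fuzz convention, so only the PyPI dependency needs pinning here.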
diff --git a/projects/jsonschema/build.sh b/projects/jsonschema/build.sh
new file mode 100644
index 000000000..71d4ad600
--- /dev/null
+++ b/projects/jsonschema/build.sh
@@ -0,0 +1,34 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+pip3 install .
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+ fuzzer_basename=$(basename -s .py $fuzzer)
+ fuzzer_package=${fuzzer_basename}.pkg
+ pyinstaller --distpath $OUT --onefile --name $fuzzer_package $fuzzer
+
+ # Create execution wrapper.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_PRELOAD=\$this_dir/sanitizer_with_fuzzer.so \
+ASAN_OPTIONS=\$ASAN_OPTIONS:symbolize=1:external_symbolizer_path=\$this_dir/llvm-symbolizer:detect_leaks=0 \
+\$this_dir/$fuzzer_package \$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
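Review bot: The generated wrapper ends with an unquoted `\$@`, so the written script contains a bare `$@` and any argument containing whitespace is re-split before it reaches the packaged fuzzer; write `\"\$@\"` in the echo so the wrapper receives `"$@"`. The same word splitting affects `for fuzzer in $(find $SRC -name 'fuzz_*.py')`, which breaks on paths with spaces; `find "$SRC" -name 'fuzz_*.py' -print0 | while IFS= read -r -d '' fuzzer` avoids it, though the paths under `$SRC` here are presumably space-free. Note also that `find $SRC` walks every tree under `$SRC`, not just the jsonschema checkout, so any other `fuzz_*.py` placed there later is packaged as well.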
diff --git a/projects/jsonschema/project.yaml b/projects/jsonschema/project.yaml
new file mode 100644
index 000000000..d7ac42bc4
--- /dev/null
+++ b/projects/jsonschema/project.yaml
@@ -0,0 +1,11 @@
+homepage: "https://github.com/Julian/jsonschema"
+language: python
+primary_contact: "Julian+Security@GrayVines.com"
+auto_ccs:
+ - "david@adalogics.com"
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+ - undefined
+main_repo: 'https://github.com/Julian/jsonschema'
diff --git a/projects/kamailio/Dockerfile b/projects/kamailio/Dockerfile
new file mode 100755
index 000000000..5b67deea8
--- /dev/null
+++ b/projects/kamailio/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y bison flex
+RUN git clone https://github.com/kamailio/kamailio
+
+WORKDIR $SRC
+COPY build.sh $SRC/
diff --git a/projects/kamailio/build.sh b/projects/kamailio/build.sh
new file mode 100755
index 000000000..2b7c3735b
--- /dev/null
+++ b/projects/kamailio/build.sh
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC/kamailio
+
+export CC_OPT="${CFLAGS}"
+export LD_EXTRA_OPTS="${CFLAGS}"
+
+sed -i 's/int main(/int main2(/g' ./src/main.c
+
+make || true
+cd src
+mkdir objects && find . -name "*.o" -exec cp {} ./objects/ \;
+ar -r libkamilio.a ./objects/*.o
+cd ../
+$CC $CFLAGS $LIB_FUZZING_ENGINE ./misc/fuzz/fuzz_uri.c -o $OUT/fuzz_uri \
+ -DFAST_LOCK -D__CPU_i386 ./src/libkamilio.a \
+ -I./src/ -I./src/core/parser -ldl -lresolv -lm
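Review bot: Flattening every object file into `./objects/` by basename silently overwrites any two `.o` files from different directories that share a name, so the archive can be missing objects, and `make || true` just above has already hidden whether the tree compiled at all; the fuzzer link then either fails with an unrelated undefined-symbol error or quietly links against a subset of the code. Archive the objects in place instead, `ar -r libkamilio.a $(find . -name '*.o')`, and replace `make || true` with a build of only the targets the fuzzer needs, or at least `make -k` followed by a check that `find . -name '*.o'` is non-empty. `-D__CPU_i386` on an x86_64 build also looks off; presumably it should match the CPU define the project's own build picks for this host, which is worth confirming against the tree.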
diff --git a/projects/kamailio/project.yaml b/projects/kamailio/project.yaml
new file mode 100755
index 000000000..46020a0c6
--- /dev/null
+++ b/projects/kamailio/project.yaml
@@ -0,0 +1,7 @@
+homepage: "www.kamailio.org"
+main_repo: "https://github.com/kamailio/kamailio"
+primary_contact: "ossfuzz@kamailio.org"
+language: c
+auto_ccs:
+ - "miconda@gmail.com"
+ - "david@adalogics.com"
diff --git a/projects/kimageformats/Dockerfile b/projects/kimageformats/Dockerfile
index e3e04567c..4acc31c91 100644
--- a/projects/kimageformats/Dockerfile
+++ b/projects/kimageformats/Dockerfile
@@ -22,8 +22,10 @@ RUN git clone --depth 1 https://invent.kde.org/frameworks/extra-cmake-modules.gi
RUN git clone --depth 1 --branch=5.15 git://code.qt.io/qt/qtbase.git
RUN git clone --depth 1 https://invent.kde.org/frameworks/karchive.git
RUN git clone --depth 1 https://invent.kde.org/frameworks/kimageformats.git
-RUN git clone --depth 1 -b v2.0.1 https://aomedia.googlesource.com/aom
-RUN git clone --depth 1 -b v0.8.4 https://github.com/AOMediaCodec/libavif.git
+RUN git clone --depth 1 -b v2.0.2 https://aomedia.googlesource.com/aom
+RUN git clone --depth 1 -b v0.9.0 https://github.com/AOMediaCodec/libavif.git
+RUN git clone --depth 1 https://github.com/strukturag/libde265.git
+RUN git clone --depth 1 https://github.com/strukturag/libheif.git
COPY build.sh $SRC
COPY kimgio_fuzzer.cc $SRC
WORKDIR kimageformats
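Review bot: The two new clones track libde265 and libheif master, whereas aom and libavif directly above are pinned to release tags (`-b v2.0.2`, `-b v0.9.0`), so an upstream change to either decoder can break this build or shift the fuzzer's behaviour between runs with no change on this side. Pin them the same way, `git clone --depth 1 -b <release tag> https://github.com/strukturag/libde265.git` and likewise for libheif. This matters more than usual here because build.sh patches `libheif/heif_limits.h` with `sed`, which is exactly the kind of edit that silently stops matching once the unpinned tree moves.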
diff --git a/projects/kimageformats/build.sh b/projects/kimageformats/build.sh
index 3cec92133..0ffa60bbb 100644
--- a/projects/kimageformats/build.sh
+++ b/projects/kimageformats/build.sh
@@ -56,6 +56,7 @@ cd build.libavif
extra_libaom_flags='-DAOM_MAX_ALLOCABLE_MEMORY=536870912 -DDO_RANGE_CHECK_CLAMP=1'
cmake -DBUILD_SHARED_LIBS=0 -DENABLE_DOCS=0 -DENABLE_EXAMPLES=0 -DENABLE_TESTDATA=0 -DENABLE_TESTS=0 -DENABLE_TOOLS=0 -DCONFIG_PIC=1 -DAOM_TARGET_CPU=generic -DCONFIG_SIZE_LIMIT=1 -DDECODE_HEIGHT_LIMIT=12288 -DDECODE_WIDTH_LIMIT=12288 -DAOM_EXTRA_C_FLAGS="${extra_libaom_flags}" -DAOM_EXTRA_CXX_FLAGS="${extra_libaom_flags}" ..
make -j$(nproc)
+make install -j$(nproc)
cd $SRC
ln -s "$SRC/aom" "$SRC/libavif/ext/"
@@ -66,9 +67,27 @@ CFLAGS="$CFLAGS -fPIC" cmake -DBUILD_SHARED_LIBS=OFF -DAVIF_ENABLE_WERROR=OFF -D
make -j$(nproc)
cd $SRC
+cd libde265
+cmake -DBUILD_SHARED_LIBS=OFF -DDISABLE_SSE=ON .
+make -j$(nproc)
+make install -j$(nproc)
+
+cd $SRC
+cd libheif
+#Reduce max width and height to avoid allocating too much memory
+sed -i "s/static const int MAX_IMAGE_WIDTH = 32768;/static const int MAX_IMAGE_WIDTH = 8192;/g" libheif/heif_limits.h
+sed -i "s/static const int MAX_IMAGE_HEIGHT = 32768;/static const int MAX_IMAGE_HEIGHT = 8192;/g" libheif/heif_limits.h
+mkdir build
+cd build
+cmake -DBUILD_SHARED_LIBS=OFF -DWITH_AOM=ON -DWITH_DAV1D=OFF -DWITH_EXAMPLES=OFF -DWITH_LIBDE265=ON -DWITH_RAV1E=OFF -DWITH_X265=OFF ..
+make -j$(nproc)
+make install -j$(nproc)
+
+cd $SRC
cd kimageformats
HANDLER_TYPES="ANIHandler ani
QAVIFHandler avif
+ HEIFHandler heif
KraHandler kra
OraHandler ora
PCXHandler pcx
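Review bot: The two `sed -i` edits that lower `MAX_IMAGE_WIDTH`/`MAX_IMAGE_HEIGHT` to 8192 give no indication when their pattern no longer matches, in which case libheif keeps the 32768 limits and the memory cap this is meant to enforce is silently gone. Guard them with `grep -q 'MAX_IMAGE_WIDTH = 32768;' libheif/heif_limits.h` before the `sed` (the script runs under `-eu`, so a failed grep aborts the build), or pass the limit through a build option if libheif exposes one. The `make install` steps place the static libraries under `/usr/local`, which the final link line in the next hunk relies on by absolute path; that is fine inside the builder image but deserves a one-line comment.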
@@ -84,7 +103,7 @@ echo "$HANDLER_TYPES" | while read class format; do
fuzz_target_name=kimgio_${format}_fuzzer
$SRC/qtbase/bin/moc $SRC/kimageformats/src/imageformats/$format.cpp -o $format.moc
- $CXX $CXXFLAGS -fPIC -DHANDLER=$class -std=c++14 $SRC/kimgio_fuzzer.cc $SRC/kimageformats/src/imageformats/$format.cpp -o $OUT/$fuzz_target_name -I $SRC/qtbase/include/QtCore/ -I $SRC/qtbase/include/ -I $SRC/qtbase/include//QtGui -I $SRC/kimageformats/src/imageformats/ -I $SRC/karchive/src/ -I $SRC/qtbase/mkspecs/linux-clang-libc++/ -I $SRC/libavif/include/ -I . -L $SRC/qtbase/lib $SRC/libavif/build/libavif.a $SRC/aom/build.libavif/libaom.a -lQt5Gui -lQt5Core -lqtlibpng -lqtharfbuzz -lm -lqtpcre2 -ldl -lpthread $LIB_FUZZING_ENGINE /usr/local/lib/libzip.a /usr/local/lib/libz.a -lKF5Archive /usr/local/lib/libz.a
+ $CXX $CXXFLAGS -fPIC -DHANDLER=$class -std=c++14 $SRC/kimgio_fuzzer.cc $SRC/kimageformats/src/imageformats/$format.cpp -o $OUT/$fuzz_target_name -I $SRC/qtbase/include/QtCore/ -I $SRC/qtbase/include/ -I $SRC/qtbase/include//QtGui -I $SRC/kimageformats/src/imageformats/ -I $SRC/karchive/src/ -I $SRC/qtbase/mkspecs/linux-clang-libc++/ -I $SRC/libavif/include/ -I . -L $SRC/qtbase/lib $SRC/libavif/build/libavif.a /usr/local/lib/libheif.a /usr/local/lib/liblibde265.a $SRC/aom/build.libavif/libaom.a -lQt5Gui -lQt5Core -lqtlibpng -lqtharfbuzz -lm -lqtpcre2 -ldl -lpthread $LIB_FUZZING_ENGINE /usr/local/lib/libzip.a /usr/local/lib/libz.a -lKF5Archive /usr/local/lib/libz.a
find . -name "*.${format}" | zip -q $OUT/${fuzz_target_name}_seed_corpus.zip -@
)
diff --git a/projects/kimageformats/kimgio_fuzzer.cc b/projects/kimageformats/kimgio_fuzzer.cc
index c37bb2216..5fe9cc6b5 100644
--- a/projects/kimageformats/kimgio_fuzzer.cc
+++ b/projects/kimageformats/kimgio_fuzzer.cc
@@ -20,7 +20,7 @@
Usage:
python infra/helper.py build_image kimageformats
python infra/helper.py build_fuzzers --sanitizer undefined|address|memory kimageformats
- python infra/helper.py run_fuzzer kimageformats kimgio_[ani|avif|kra|ora|pcx|pic|psd|ras|rgb|tga|xcf]_fuzzer
+ python infra/helper.py run_fuzzer kimageformats kimgio_[ani|avif|heif|kra|ora|pcx|pic|psd|ras|rgb|tga|xcf]_fuzzer
*/
@@ -30,6 +30,7 @@
#include "ani_p.h"
#include "avif_p.h"
+#include "heif_p.h"
#include "kra.h"
#include "ora.h"
#include "pcx_p.h"
diff --git a/projects/kubernetes/Dockerfile b/projects/kubernetes/Dockerfile
index 697bf0255..e4ebed882 100644
--- a/projects/kubernetes/Dockerfile
+++ b/projects/kubernetes/Dockerfile
@@ -20,7 +20,7 @@ RUN go get github.com/ianlancetaylor/demangle
RUN git clone --depth 1 https://github.com/kubernetes/kubernetes.git
RUN git clone --depth 1 https://github.com/google/AFL
RUN git clone --depth 1 https://github.com/dvyukov/go-fuzz-corpus
-RUN go get k8s.io/kops
+RUN git clone --depth 1 https://github.com/kubernetes/kops
WORKDIR $SRC/
COPY build.sh $SRC/
diff --git a/projects/kubernetes/build.sh b/projects/kubernetes/build.sh
index 38ae4406e..d3d756f4e 100755
--- a/projects/kubernetes/build.sh
+++ b/projects/kubernetes/build.sh
@@ -21,11 +21,13 @@ set -o errexit
set -x
# Compile kOps fuzzers
-$GOPATH/src/k8s.io/kops/tests/fuzz/build.sh
-
+(
+cd kops
+./tests/fuzz/build.sh
+)
# Compile Kubernetes fuzzers
-mv $SRC/kubernetes $GOPATH/src/k8s.io/
+cd $SRC/kubernetes
function compile_fuzzer {
local pkg=$1
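Review bot: `cd kops` inside the new subshell is relative to whatever directory build.sh is started from, while the kubernetes step right below uses the absolute `cd $SRC/kubernetes`; the Dockerfile's `WORKDIR $SRC/` makes it work today, but `cd $SRC/kops` is explicit and consistent. Under `set -o errexit` a failing `cd` still terminates the subshell and therefore the script, so the change is only for robustness and readability. The `compile_fuzzer` function that follows continues outside this hunk.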
diff --git a/projects/libavif/avif_decode_seed_corpus.zip b/projects/libavif/avif_decode_seed_corpus.zip
index eb04c208a..90c67bb18 100644
--- a/projects/libavif/avif_decode_seed_corpus.zip
+++ b/projects/libavif/avif_decode_seed_corpus.zip
Binary files differ
diff --git a/projects/libavif/build.sh b/projects/libavif/build.sh
index a981fa250..130709fb9 100755
--- a/projects/libavif/build.sh
+++ b/projects/libavif/build.sh
@@ -15,12 +15,6 @@
#
################################################################################
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
# build dav1d
cd ext && bash dav1d.cmd && cd ..
diff --git a/projects/libcacard/build.sh b/projects/libcacard/build.sh
index 9c0c974de..719502e90 100755
--- a/projects/libcacard/build.sh
+++ b/projects/libcacard/build.sh
@@ -15,12 +15,6 @@
#
################################################################################
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
# Workaround for fixing AFL++ build, discarded for others.
# See https://github.com/google/oss-fuzz/issues/4280#issuecomment-773977943
export AFL_LLVM_INSTRUMENT=CLASSIC,NGRAM-4
diff --git a/projects/libfido2/Dockerfile b/projects/libfido2/Dockerfile
index b288499e1..e7d8a6a61 100644
--- a/projects/libfido2/Dockerfile
+++ b/projects/libfido2/Dockerfile
@@ -17,10 +17,11 @@
FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get update && apt-get install -y make autoconf automake libtool
RUN apt-get install -y cmake libudev-dev pkg-config chrpath
-RUN git clone --branch v0.7.0 https://github.com/PJK/libcbor
+RUN git clone --branch v0.8.0 https://github.com/PJK/libcbor
RUN git clone --branch OpenSSL_1_1_1-stable https://github.com/openssl/openssl
+RUN git clone --branch v1.2.11 https://github.com/madler/zlib
RUN git clone https://github.com/Yubico/libfido2
# CIFuzz will replace the libfido directory so put the corpus outside
-ADD https://ambientworks.net/libfido2/corpus.tgz corpus.tgz
+ADD https://storage.googleapis.com/yubico-libfido2/corpus.tgz corpus.tgz
WORKDIR libfido2
COPY build.sh $SRC/
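Review bot: `ADD https://storage.googleapis.com/yubico-libfido2/corpus.tgz corpus.tgz` fetches the seed corpus with no integrity check, so whoever controls that bucket can change what `tar xzf` unpacks in build.sh without any change on this side. The blast radius is limited because the corpus only feeds fuzz inputs, but a pinned digest is cheap: `RUN curl -fsSLo corpus.tgz <url> && echo '<sha256>  corpus.tgz' | sha256sum -c` in place of `ADD`, updated whenever the corpus is refreshed. The libcbor and zlib clones are pinned to tags, which is good; tags are mutable, so a commit hash would be the stronger pin.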
diff --git a/projects/libfido2/build.sh b/projects/libfido2/build.sh
index 8e0793220..6c680e242 100755
--- a/projects/libfido2/build.sh
+++ b/projects/libfido2/build.sh
@@ -20,7 +20,8 @@
cd ${SRC}/libcbor
patch -l -p0 < ${SRC}/libfido2/fuzz/README
mkdir build && cd build
-cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=${WORK} -DSANITIZE=OFF ..
+cmake -DBUILD_SHARED_LIBS=ON -DCMAKE_BUILD_TYPE=Debug \
+ -DCMAKE_INSTALL_PREFIX=${WORK} -DSANITIZE=OFF ..
make -j$(nproc) VERBOSE=1
make install
@@ -36,6 +37,12 @@ fi
make -j$(nproc) LDCMD="${CXX} ${CXXFLAGS}"
make install_sw
+# Build zlib, taken from oss-fuzz/projects/zlib.sh
+cd ${SRC}/zlib
+./configure --prefix=${WORK}
+make -j$(nproc) all
+make install
+
# Building libfido2 with ${LIB_FUZZING_ENGINE} and chosen sanitizer
cd ${SRC}/libfido2
mkdir build && cd build
@@ -62,8 +69,11 @@ done
# Prepare seed corpora
tar xzf ${SRC}/corpus.tgz
-(set -e ; cd fuzz_assert/corpus ; zip -r ${OUT}/fuzz_assert_seed_corpus.zip .)
-(set -e ; cd fuzz_bio/corpus ; zip -r ${OUT}/fuzz_bio_seed_corpus.zip .)
-(set -e ; cd fuzz_cred/corpus ; zip -r ${OUT}/fuzz_cred_seed_corpus.zip .)
-(set -e ; cd fuzz_credman/corpus ; zip -r ${OUT}/fuzz_credman_seed_corpus.zip .)
-(set -e ; cd fuzz_mgmt/corpus ; zip -r ${OUT}/fuzz_mgmt_seed_corpus.zip .)
+(set -e ; cd fuzz_assert/corpus ; zip -r ${OUT}/fuzz_assert_seed_corpus.zip .)
+(set -e ; cd fuzz_bio/corpus ; zip -r ${OUT}/fuzz_bio_seed_corpus.zip .)
+(set -e ; cd fuzz_cred/corpus ; zip -r ${OUT}/fuzz_cred_seed_corpus.zip .)
+(set -e ; cd fuzz_credman/corpus ; zip -r ${OUT}/fuzz_credman_seed_corpus.zip .)
+(set -e ; cd fuzz_hid/corpus ; zip -r ${OUT}/fuzz_hid_seed_corpus.zip .)
+(set -e ; cd fuzz_largeblob/corpus ; zip -r ${OUT}/fuzz_largeblob_seed_corpus.zip .)
+(set -e ; cd fuzz_mgmt/corpus ; zip -r ${OUT}/fuzz_mgmt_seed_corpus.zip .)
+(set -e ; cd fuzz_netlink/corpus ; zip -r ${OUT}/fuzz_netlink_seed_corpus.zip .)
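Review bot: The eight near-identical subshell lines differ only in the target name, so adding a fuzzer means copying yet another line, and this diff already had to re-emit four unchanged ones; a loop keeps the list in one place: `for t in assert bio cred credman hid largeblob mgmt netlink; do (cd fuzz_$t/corpus && zip -r ${OUT}/fuzz_${t}_seed_corpus.zip .); done`. The script runs under `-eu`, so a missing corpus directory still aborts the build exactly as the per-line `set -e` did.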
diff --git a/projects/libiec61850/Dockerfile b/projects/libiec61850/Dockerfile
new file mode 100755
index 000000000..17b63d358
--- /dev/null
+++ b/projects/libiec61850/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone https://github.com/mz-automation/libiec61850
+
+WORKDIR $SRC
+COPY build.sh $SRC/
+COPY fuzz_decode.options $SRC/fuzz_decode.options
diff --git a/projects/libiec61850/build.sh b/projects/libiec61850/build.sh
new file mode 100755
index 000000000..848797320
--- /dev/null
+++ b/projects/libiec61850/build.sh
@@ -0,0 +1,28 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd libiec61850
+mkdir build && cd build
+cmake ../
+make
+
+$CC $CFLAGS $LIB_FUZZING_ENGINE ../fuzz/fuzz_mms_decode.c -o $OUT/fuzz_mms_decode ./src/libiec61850.a \
+ -I../src/iec61850/inc -I../src/mms/inc -I../src/common/inc \
+ -I../hal/inc -I../src/logging ./hal/libhal.a
+
+# Copy over the options file
+cp $SRC/fuzz_decode.options $OUT/fuzz_decode.options
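Review bot: The options file is written to `$OUT/fuzz_decode.options` but the fuzzer binary is `$OUT/fuzz_mms_decode`; OSS-Fuzz matches options to targets by the `<fuzzer name>.options` convention, so `detect_leaks=0` is never applied and LeakSanitizer reports will be filed against this target. Copy it under the binary's name, `cp $SRC/fuzz_decode.options $OUT/fuzz_mms_decode.options`. `make` also runs single-threaded here; `make -j$(nproc)` matches the other projects touched in this change.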
diff --git a/projects/libiec61850/fuzz_decode.options b/projects/libiec61850/fuzz_decode.options
new file mode 100644
index 000000000..f9d09656c
--- /dev/null
+++ b/projects/libiec61850/fuzz_decode.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+detect_leaks=0
diff --git a/projects/libiec61850/project.yaml b/projects/libiec61850/project.yaml
new file mode 100755
index 000000000..fe265beb8
--- /dev/null
+++ b/projects/libiec61850/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://github.com/mz-automation/libiec61850"
+primary_contact: "support@mz-automation.de"
+auto_ccs:
+ - "david@adalogics.com"
+language: c
+main_repo: 'https://github.com/mz-automation/libiec61850'
diff --git a/projects/libjpeg-turbo/Dockerfile b/projects/libjpeg-turbo/Dockerfile
index 329be457d..40c8f49f6 100644
--- a/projects/libjpeg-turbo/Dockerfile
+++ b/projects/libjpeg-turbo/Dockerfile
@@ -15,7 +15,7 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN apt-get update && apt-get install -y make autoconf automake libtool nasm curl cmake
+RUN apt-get update && apt-get install -y make autoconf automake libtool yasm curl cmake
RUN git clone --depth 1 https://github.com/libjpeg-turbo/libjpeg-turbo
RUN mkdir afl-testcases
diff --git a/projects/liblouis/Dockerfile b/projects/liblouis/Dockerfile
new file mode 100644
index 000000000..40a17c099
--- /dev/null
+++ b/projects/liblouis/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make autoconf automake libtool \
+ pkg-config zlib1g-dev pciutils-dev libpci-dev
+RUN git clone --depth 1 https://github.com/liblouis/liblouis
+WORKDIR liblouis
+COPY build.sh $SRC/
diff --git a/projects/liblouis/build.sh b/projects/liblouis/build.sh
new file mode 100755
index 000000000..fda807cd0
--- /dev/null
+++ b/projects/liblouis/build.sh
@@ -0,0 +1,18 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+$SRC/liblouis/tests/fuzzing/build.sh
diff --git a/projects/liblouis/project.yaml b/projects/liblouis/project.yaml
new file mode 100644
index 000000000..e7aa041bb
--- /dev/null
+++ b/projects/liblouis/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/liblouis/liblouis"
+main_repo: "https://github.com/liblouis/liblouis"
+language: c
+primary_contact: "christian.egli@sbs.ch"
+auto_ccs:
+ - "Adam@adalogics.com"
+sanitizers:
+ - address
+ - undefined
+ - memory
diff --git a/projects/libphonenumber/project.yaml b/projects/libphonenumber/project.yaml
index 765732421..4ab9602ca 100644
--- a/projects/libphonenumber/project.yaml
+++ b/projects/libphonenumber/project.yaml
@@ -3,9 +3,6 @@ primary_contact: "penmetsaa@google.com"
language: c++
auto_ccs:
- "david@adalogics.com"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
sanitizers:
- address
main_repo: 'https://github.com/google/libphonenumber'
diff --git a/projects/libredwg/Dockerfile b/projects/libredwg/Dockerfile
new file mode 100755
index 000000000..93695c368
--- /dev/null
+++ b/projects/libredwg/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y autoconf libtool texinfo
+RUN git clone https://github.com/LibreDWG/libredwg
+
+WORKDIR $SRC
+COPY build.sh $SRC/
+COPY llvmfuzz.options $SRC/
diff --git a/projects/libredwg/build.sh b/projects/libredwg/build.sh
new file mode 100755
index 000000000..7737e4d6b
--- /dev/null
+++ b/projects/libredwg/build.sh
@@ -0,0 +1,27 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd libredwg
+sh ./autogen.sh
+# enable-release to skip unstable preR13. bindings are not fuzzed.
+./configure --disable-shared --disable-bindings --enable-release
+make
+
+$CC $CFLAGS $LIB_FUZZING_ENGINE examples/llvmfuzz.c -o $OUT/llvmfuzz \
+ src/.libs/libredwg.a -I./include -I./src
+
+cp $SRC/llvmfuzz.options $OUT/llvmfuzz.options
diff --git a/projects/libredwg/llvmfuzz.options b/projects/libredwg/llvmfuzz.options
new file mode 100644
index 000000000..f9d09656c
--- /dev/null
+++ b/projects/libredwg/llvmfuzz.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+detect_leaks=0
diff --git a/projects/libredwg/project.yaml b/projects/libredwg/project.yaml
new file mode 100755
index 000000000..a9e5d4477
--- /dev/null
+++ b/projects/libredwg/project.yaml
@@ -0,0 +1,9 @@
+homepage: "https://github.com/LibreDWG/libredwg"
+primary_contact: "reini.urban@gmail.com"
+language: c
+auto_ccs :
+ - "david@adalogics.com"
+fuzzing_engines:
+ - libfuzzer
+ - honggfuzz
+main_repo: 'https://github.com/LibreDWG/libredwg'
diff --git a/projects/libreoffice/project.yaml b/projects/libreoffice/project.yaml
index fdbb462d2..bcf9a4fe6 100644
--- a/projects/libreoffice/project.yaml
+++ b/projects/libreoffice/project.yaml
@@ -4,4 +4,6 @@ primary_contact: "caolanm@redhat.com"
auto_ccs:
- "officesecurity@lists.freedesktop.org"
- "damjan.jov@gmail.com"
+ - "noelgrandin@gmail.com"
- "sbergman@redhat.com"
+main_repo: 'https://git.libreoffice.org/core'
diff --git a/projects/libsodium/fake_random.h b/projects/libsodium/fake_random.h
index 36d8d89ba..9519b0ce2 100644
--- a/projects/libsodium/fake_random.h
+++ b/projects/libsodium/fake_random.h
@@ -1,3 +1,17 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
#ifndef FAKE_RANDOM_H_
#define FAKE_RANDOM_H_
@@ -43,7 +57,7 @@ setup_fake_random(const unsigned char * seed, const size_t seed_size) {
int fake_random_set = randombytes_set_implementation(&fake_random);
assert(fake_random_set == 0);
- assert(randombytes_implementation_name() == "fake_random");
+ assert(strcmp(randombytes_implementation_name(), "fake_random") == 0);
int initialized = sodium_init();
assert(initialized >= 0);
}
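Review bot: The corrected comparison now calls `strcmp`, but this hunk adds no `#include <string.h>` and none is visible in the part of the header shown, so whether the declaration is in scope depends on what `sodium.h` or the including `.cc` happens to pull in. Add `#include <string.h>` beside the header's existing includes so it is self-contained. Note that every check in this block is an `assert(...)`, which disappears under `NDEBUG`; the calls with side effects are evaluated outside the macros, but `fake_random_set` and `initialized` become unused variables in that configuration. `setup_fake_random` begins outside this hunk.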
diff --git a/projects/libsodium/project.yaml b/projects/libsodium/project.yaml
index dcbfdcc80..40b137461 100644
--- a/projects/libsodium/project.yaml
+++ b/projects/libsodium/project.yaml
@@ -1,6 +1,6 @@
homepage: "https://libsodium.org"
language: c++
-primary_contact: "ossfuzzz+sodium@gmail.com"
+primary_contact: "ossfuzzz@gmail.com"
auto_ccs:
- "chriswwolfe@gmail.com"
architectures:
diff --git a/projects/libsodium/secret_key_auth_fuzzer.cc b/projects/libsodium/secret_key_auth_fuzzer.cc
index 32bb5fe83..ce46781f4 100644
--- a/projects/libsodium/secret_key_auth_fuzzer.cc
+++ b/projects/libsodium/secret_key_auth_fuzzer.cc
@@ -1,4 +1,19 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
#include <assert.h>
+#include <stdlib.h>
#include <sodium.h>
#include "fake_random.h"
@@ -16,6 +31,8 @@ extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
crypto_auth_keygen(key);
crypto_auth(mac, data, size, key);
- crypto_auth_verify(mac, data, size, key);
+ int err = crypto_auth_verify(mac, data, size, key);
+ assert(err == 0);
+
return 0;
}
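Review bot: `assert(err == 0)` is the only oracle this harness has for `crypto_auth_verify`, and it disappears under `NDEBUG`, at which point `err` also becomes an unused variable. Since the same commit adds `<stdlib.h>` to this file, an unconditional `if (err != 0) abort();` keeps the check in every build configuration. The enclosing LLVMFuzzerTestOneInput starts outside the hunk.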
diff --git a/projects/libsodium/secretbox_easy_fuzzer.cc b/projects/libsodium/secretbox_easy_fuzzer.cc
index 4e25bcc7a..a37c88b6b 100644
--- a/projects/libsodium/secretbox_easy_fuzzer.cc
+++ b/projects/libsodium/secretbox_easy_fuzzer.cc
@@ -1,4 +1,19 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
#include <assert.h>
+#include <stdlib.h>
#include <sodium.h>
#include "fake_random.h"
@@ -17,12 +32,16 @@ extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
randombytes_buf(nonce, sizeof nonce);
size_t ciphertext_len = crypto_secretbox_MACBYTES + size;
- unsigned char ciphertext[ciphertext_len];
+ unsigned char *ciphertext = (unsigned char *) malloc(ciphertext_len);
crypto_secretbox_easy(ciphertext, data, size, nonce, key);
- unsigned char decrypted[size];
- crypto_secretbox_open_easy(decrypted, ciphertext, ciphertext_len, nonce, key);
+ unsigned char *decrypted = (unsigned char *) malloc(size);
+ int err = crypto_secretbox_open_easy(decrypted, ciphertext, ciphertext_len, nonce, key);
+ assert(err == 0);
+
+ free((void *) ciphertext);
+ free((void *) decrypted);
return 0;
}
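Review bot: Both `malloc` results on the new lines are handed to libsodium unchecked, so an allocation failure becomes a NULL dereference inside the library rather than a clean exit, and for `size == 0` the `malloc(size)` call may legitimately return NULL (whether libsodium accepts a NULL output buffer for a zero-length message is worth confirming). Allocate both buffers before calling `crypto_secretbox_easy`, then `if (ciphertext == NULL || (size != 0 && decrypted == NULL)) abort();`. The `(void *)` casts on the two `free` calls are redundant in C++ and can be dropped. The enclosing function starts outside the hunk.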
diff --git a/projects/libucl/Dockerfile b/projects/libucl/Dockerfile
index 0babaa2c5..7824ad6bd 100644
--- a/projects/libucl/Dockerfile
+++ b/projects/libucl/Dockerfile
@@ -1,4 +1,4 @@
-# Copyright 2020 Google Inc.
+# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -21,3 +21,4 @@ RUN git clone https://github.com/vstakhov/libucl
WORKDIR $SRC
COPY build.sh $SRC/
+COPY ucl_add_string_fuzzer.options $SRC/ucl_add_string_fuzzer.options
diff --git a/projects/libucl/build.sh b/projects/libucl/build.sh
index d5cce4187..e5589dd48 100644
--- a/projects/libucl/build.sh
+++ b/projects/libucl/build.sh
@@ -1,4 +1,4 @@
-# Copyright 2020 Google Inc.
+# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,10 +14,12 @@
#
################################################################################
-export ASAN_OPTIONS=detect_leaks=0
+cp $SRC/ucl_add_string_fuzzer.options $OUT/
cd libucl
./autogen.sh && ./configure
make
-$CC tests/fuzzers/ucl_add_string_fuzzer.c -DHAVE_CONFIG_H -I./src -I./include src/.libs/libucl.a -I./ $CFLAGS $LIB_FUZZING_ENGINE -o $OUT/ucl_add_string_fuzzer
+$CC $CFLAGS $LIB_FUZZING_ENGINE tests/fuzzers/ucl_add_string_fuzzer.c \
+ -DHAVE_CONFIG_H -I./src -I./include src/.libs/libucl.a -I./ \
+ -o $OUT/ucl_add_string_fuzzer
diff --git a/projects/libucl/project.yaml b/projects/libucl/project.yaml
index 14bead564..8a5dd2024 100644
--- a/projects/libucl/project.yaml
+++ b/projects/libucl/project.yaml
@@ -3,7 +3,4 @@ primary_contact: "vsevolod@highsecure.ru"
auto_ccs:
- "adam@adalogics.com"
language: c
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
main_repo: 'https://github.com/vstakhov/libucl'
diff --git a/projects/libucl/ucl_add_string_fuzzer.options b/projects/libucl/ucl_add_string_fuzzer.options
new file mode 100644
index 000000000..f9d09656c
--- /dev/null
+++ b/projects/libucl/ucl_add_string_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+detect_leaks=0
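Review bot: The `detect_leaks=0` suppression now lives only under a `[libfuzzer]` section, so it is scoped to libFuzzer runs, whereas the same commit drops the explicit `fuzzing_engines` list from projects/libucl/project.yaml, which presumably re-enables the default engine set; runs under those other engines will not see this option. The file also gives no reason for disabling leak detection; if the options parser accepts `#` comments, a line such as `# leak detection disabled: <reason, e.g. known leak in the target>` would tell the next maintainer when it can be removed. Note that the removed `export ASAN_OPTIONS=detect_leaks=0` in build.sh presumably only affected the build step itself, so this move is a behaviour change at fuzz time rather than a pure relocation.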
diff --git a/projects/libvips/Dockerfile b/projects/libvips/Dockerfile
index 258e222a4..e792dff45 100644
--- a/projects/libvips/Dockerfile
+++ b/projects/libvips/Dockerfile
@@ -25,6 +25,7 @@ RUN apt-get update && apt-get install -y \
libfftw3-dev \
libexpat1-dev \
libffi-dev \
+ libselinux1-dev \
glib2.0-dev
RUN mkdir afl-testcases
RUN curl https://lcamtuf.coredump.cx/afl/demo/afl_testcases.tgz | tar xzC afl-testcases
diff --git a/projects/libvips/build.sh b/projects/libvips/build.sh
index e170f3714..21505d6ed 100755
--- a/projects/libvips/build.sh
+++ b/projects/libvips/build.sh
@@ -169,6 +169,7 @@ for fuzzer in fuzz/*_fuzzer.cc; do
$LIB_FUZZING_ENGINE \
-Wl,-Bstatic \
-lfftw3 -lgmodule-2.0 -lgio-2.0 -lgobject-2.0 -lffi -lglib-2.0 -lpcre -lexpat \
+ -lresolv -lsepol -lselinux \
-Wl,-Bdynamic -pthread
ln -sf "seed_corpus.zip" "$OUT/${target}_seed_corpus.zip"
done
diff --git a/projects/libxml2/build.sh b/projects/libxml2/build.sh
index 7485bc27d..4240ba7f9 100755
--- a/projects/libxml2/build.sh
+++ b/projects/libxml2/build.sh
@@ -16,12 +16,6 @@
#
################################################################################
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
if [ "$SANITIZER" = undefined ]; then
export CFLAGS="$CFLAGS -fsanitize=unsigned-integer-overflow -fno-sanitize-recover=unsigned-integer-overflow"
export CXXFLAGS="$CXXFLAGS -fsanitize=unsigned-integer-overflow -fno-sanitize-recover=unsigned-integer-overflow"
diff --git a/projects/libyal/Dockerfile b/projects/libyal/Dockerfile
index 9338fdcd9..c255806e9 100644
--- a/projects/libyal/Dockerfile
+++ b/projects/libyal/Dockerfile
@@ -36,6 +36,7 @@ RUN git clone --depth 1 https://github.com/libyal/libmdmp.git libmdmp
RUN git clone --depth 1 https://github.com/libyal/libmsiecf.git libmsiecf
RUN git clone --depth 1 https://github.com/libyal/libnk2.git libnk2
RUN git clone --depth 1 https://github.com/libyal/libolecf.git libolecf
+RUN git clone --depth 1 https://github.com/libyal/libpff.git libpff
RUN git clone --depth 1 https://github.com/libyal/libregf.git libregf
RUN git clone --depth 1 https://github.com/libyal/libscca.git libscca
@@ -52,8 +53,9 @@ RUN git clone --depth 1 https://github.com/libyal/libvslvm.git libvslvm
RUN git clone --depth 1 https://github.com/libyal/libvsmbr.git libvsmbr
RUN git clone --depth 1 https://github.com/libyal/libewf.git libewf
-RUN git clone --depth 1 https://github.com/libyal/libsmraw.git libsmraw
+RUN git clone --depth 1 https://github.com/libyal/libmodi.git libmodi
RUN git clone --depth 1 https://github.com/libyal/libqcow.git libqcow
+RUN git clone --depth 1 https://github.com/libyal/libsmraw.git libsmraw
RUN git clone --depth 1 https://github.com/libyal/libvhdi.git libvhdi
RUN git clone --depth 1 https://github.com/libyal/libvmdk.git libvmdk
diff --git a/projects/libyang/Dockerfile b/projects/libyang/Dockerfile
new file mode 100755
index 000000000..c1c5f75c1
--- /dev/null
+++ b/projects/libyang/Dockerfile
@@ -0,0 +1,29 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y autoconf automake libtool subversion
+RUN git clone https://github.com/CESNET/libyang
+
+RUN svn co svn://vcs.exim.org/pcre2/code/trunk pcre2 && \
+ cd pcre2 && \
+ ./autogen.sh && \
+ ./configure && \
+ make && \
+ make install
+
+WORKDIR $SRC
+COPY build.sh $SRC/
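Review bot: The `RUN svn co svn://vcs.exim.org/pcre2/code/trunk pcre2` line fetches and builds an unpinned trunk over the plaintext `svn://` protocol with no revision pin or integrity check, so the image ingests whatever the server serves on the day it is built; pinning a revision (`svn co -r <REV> ...`) or fetching a released tarball over HTTPS and checking its digest would make the dependency reproducible. The `git clone https://github.com/CESNET/libyang` line also omits the `--depth 1` used by neighbouring project Dockerfiles, a style nit. Separately, this pcre2 build runs at image-build time without `$CC`/`$CFLAGS`, which matters for the static library that build.sh later links.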
diff --git a/projects/libyang/build.sh b/projects/libyang/build.sh
new file mode 100755
index 000000000..cb5857dd8
--- /dev/null
+++ b/projects/libyang/build.sh
@@ -0,0 +1,31 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd libyang
+git checkout libyang2
+
+sed -i 's/add_subdirectory/#add_subdirectory/g' ./tools/CMakeLists.txt
+mkdir build && cd build
+cmake ../ -DENABLE_STATIC=ON
+make
+
+static_pcre=($(find /src/pcre2 -name "libpcre2-8.a"))
+
+for fuzzer in lyd_parse_mem_json lyd_parse_mem_xml lys_parse_mem; do
+ $CC $CFLAGS $LIB_FUZZING_ENGINE ../tests/fuzz/${fuzzer}.c -o $OUT/${fuzzer} \
+ ./libyang.a -I../src -I./src -I./compat ${static_pcre}
+done
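Review bot: `libpcre2-8.a` is located with `find /src/pcre2` and linked into every fuzzer, but that archive was produced in the Dockerfile with the system compiler and no sanitizer or coverage flags, so it is uninstrumented; with `memory` listed in projects/libyang/project.yaml this is likely to produce MemorySanitizer false positives whenever libyang calls into pcre2, and ASan and coverage builds will be blind inside it. Rebuilding pcre2 here, after the environment has set `$CC`/`$CFLAGS`, fixes that. Two smaller points: the hard-coded `/src/pcre2` should be `$SRC/pcre2`, and if `find` matches nothing `static_pcre` is empty and the link fails with a confusing undefined-symbol error rather than a clear message.
```shell
# rebuild pcre2 with the fuzzing toolchain so it is instrumented like libyang
pushd $SRC/pcre2
./configure --disable-shared && make
popd
static_pcre=$(find $SRC/pcre2 -name "libpcre2-8.a" | head -n 1)
test -n "$static_pcre" || { echo "libpcre2-8.a not found" >&2; exit 1; }
# … unchanged: libyang cmake build and fuzzer loop …
```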
diff --git a/projects/libyang/project.yaml b/projects/libyang/project.yaml
new file mode 100755
index 000000000..aac772c7b
--- /dev/null
+++ b/projects/libyang/project.yaml
@@ -0,0 +1,12 @@
+homepage: "https://github.com/CESNET/libyang"
+main_repo: 'https://github.com/CESNET/libyang'
+primary_contact: "mvasko@cesnet.cz"
+language: c
+auto_ccs:
+ - "mv6606@gmail.com"
+ - "david@adalogics.com"
+ - "warband.times@gmail.com"
+ - "juraj.vijtiuk@sartura.hr"
+sanitizers:
+ - address
+ - memory
diff --git a/projects/libzmq/project.yaml b/projects/libzmq/project.yaml
index b6e29cfcc..a7b946567 100644
--- a/projects/libzmq/project.yaml
+++ b/projects/libzmq/project.yaml
@@ -5,13 +5,6 @@ auto_ccs:
- "luca.boccassi@gmail.com"
- "somdoron@gmail.com"
- "simon.giesecke@gmail.com"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
-sanitizers:
- - address
- - memory
- - undefined
architectures:
- x86_64
- i386
diff --git a/projects/lighttpd/Dockerfile b/projects/lighttpd/Dockerfile
new file mode 100755
index 000000000..e27d80404
--- /dev/null
+++ b/projects/lighttpd/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y libz-dev libtool pkg-config autoconf
+RUN git clone https://github.com/lighttpd/lighttpd1.4
+
+WORKDIR $SRC/lighttpd1.4
+COPY build.sh $SRC/
+COPY fuzz_* $SRC/
diff --git a/projects/lighttpd/build.sh b/projects/lighttpd/build.sh
new file mode 100755
index 000000000..5cd286a7b
--- /dev/null
+++ b/projects/lighttpd/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+./autogen.sh
+./configure --without-pcre --enable-static
+make
+cd src
+$CC $CFLAGS -c $SRC/fuzz_burl.c -I. -I../include
+$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_burl.o burl.o buffer.o base64.o -o $OUT/fuzz_burl
diff --git a/projects/lighttpd/fuzz_burl.c b/projects/lighttpd/fuzz_burl.c
new file mode 100644
index 000000000..5ba1e1c02
--- /dev/null
+++ b/projects/lighttpd/fuzz_burl.c
@@ -0,0 +1,56 @@
+/* Copyright 2021 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "burl.h"
+#include "buffer.h"
+
+void run_burl_normalize (buffer *psrc, buffer *ptmp,
+ int flags, int line, const char *in,
+ size_t in_len) {
+ int qs;
+ buffer_copy_string_len(psrc, in, in_len);
+ qs = burl_normalize(psrc, ptmp, flags);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ if (size <= 4) {
+ return 0;
+ }
+ int flags = ((int*)data)[0];
+ data += 4;
+ size -= 4;
+ char *new_str = (char *)malloc(size+1);
+ if (new_str == NULL){
+ return 0;
+ }
+ memcpy(new_str, data, size);
+ new_str[size] = '\0';
+
+ /* main fuzzer entrypoint for library */
+ buffer *psrc = buffer_init();
+ buffer *ptmp = buffer_init();
+ run_burl_normalize(psrc, ptmp, flags, __LINE__, new_str, size);
+ buffer_urldecode_path(psrc);
+
+ buffer_free(psrc);
+ buffer_free(ptmp);
+ free(new_str);
+ return 0;
+}
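Review bot: `int flags = ((int*)data)[0];` reads a 4-byte int through a cast of the `const uint8_t *` input, which is a misaligned access on the fuzzer's buffer and a strict-aliasing violation; UBSan's alignment check can flag it. Use `int flags; memcpy(&flags, data, sizeof flags);` instead, which also makes the relationship between `sizeof flags` and the hard-coded `4` explicit. `run_burl_normalize` is non-static with no prototype, its `line` parameter is unused and `qs` is assigned but never read, so `-Wall` builds will warn; marking it `static` and dropping the dead variable tidies that.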
diff --git a/projects/lighttpd/project.yaml b/projects/lighttpd/project.yaml
new file mode 100755
index 000000000..9a4b44246
--- /dev/null
+++ b/projects/lighttpd/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://www.lighttpd.net/"
+primary_contact: "lighttpd.fuzz@gmail.com"
+language: c
+auto_ccs :
+ - "david@adalogics.com"
+main_repo: "https://github.com/lighttpd/lighttpd1.4"
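Review bot: `auto_ccs :` has a space before the colon; it still parses as the key `auto_ccs` because trailing whitespace is stripped from plain scalars, but yamllint's `colons` rule flags it and it differs from every other key in the file. Change it to `auto_ccs:`.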
diff --git a/projects/loki/Dockerfile b/projects/loki/Dockerfile
index d7ed8f851..2340618ec 100644
--- a/projects/loki/Dockerfile
+++ b/projects/loki/Dockerfile
@@ -15,6 +15,6 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/grafana/loki/pkg/logql/...
+RUN git clone --depth 1 https://github.com/grafana/loki/
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/loki
diff --git a/projects/loki/project.yaml b/projects/loki/project.yaml
index 69cf3d9e9..5b7528628 100644
--- a/projects/loki/project.yaml
+++ b/projects/loki/project.yaml
@@ -4,6 +4,7 @@ auto_ccs :
- "adam@adalogics.com"
- "edward.welch@grafana.com"
- "michel.hollands@grafana.com"
+ - "loki@grafana.com"
language: go
fuzzing_engines:
- libfuzzer
diff --git a/projects/lotus/Dockerfile b/projects/lotus/Dockerfile
index 1a4b2df6a..08dccff6a 100644
--- a/projects/lotus/Dockerfile
+++ b/projects/lotus/Dockerfile
@@ -17,7 +17,7 @@
FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get update && apt-get install -y mesa-opencl-icd ocl-icd-opencl-dev gcc \
git bzr jq pkg-config curl clang build-essential hwloc libhwloc-dev
-RUN git clone --depth 1 https://github.com/filecoin-project/lotus $GOPATH/src/github.com/filecoin-project/lotus
-RUN git clone --depth 1 https://github.com/filecoin-project/fuzzing-lotus $GOPATH/src/github.com/filecoin-project/fuzzing-lotus
+RUN git clone --depth 1 https://github.com/filecoin-project/lotus
+RUN git clone --depth 1 https://github.com/filecoin-project/fuzzing-lotus
COPY build.sh $SRC/
-WORKDIR $GOPATH/src/github.com/filecoin-project/lotus
+WORKDIR $SRC/lotus
diff --git a/projects/lotus/build.sh b/projects/lotus/build.sh
index 2d4cf9e6c..64603099b 100644
--- a/projects/lotus/build.sh
+++ b/projects/lotus/build.sh
@@ -17,8 +17,31 @@
make
-compile_go_fuzzer github.com/filecoin-project/lotus/chain/types FuzzMessage fuzz_message gofuzz
+# Not all fuzzers can be compiled with --sanitizer=coverage.
+# The specific issue is that gofuzz.NewFromGofuzz is not supported when compiling with coverage.
+# The current status of the coverage build is that we do not break it for the fuzzers that cannot be compiled.
+#The reason that we don't break the build script is to create coverage reports for the fuzzers that compile.
+if [[ $SANITIZER = *coverage* ]]; then
+ compile_go_fuzzer github.com/filecoin-project/lotus/chain/types FuzzMessage fuzz_message gofuzz
+ mkdir fuzzing
+ cp ../fuzzing-lotus/fuzz/fuzz.go fuzzing/
+ compile_go_fuzzer github.com/filecoin-project/lotus/fuzzing FuzzBlockMsg fuzz_block_msg || true
+ compile_go_fuzzer github.com/filecoin-project/lotus/fuzzing FuzzBlockMsgStructural fuzz_block_msg_structural || true
+ compile_go_fuzzer github.com/filecoin-project/lotus/fuzzing FuzzBlockHeader fuzz_block_header || true
+ compile_go_fuzzer github.com/filecoin-project/lotus/fuzzing FuzzNodesForHeight fuzz_nodes_for_height || true
+ exit 0
+fi
+
+compile_go_fuzzer ./chain/types FuzzMessage fuzz_message gofuzz
+
+
+# Fuzzers from fuzzing-lotus
+cd ../fuzzing-lotus/fuzz
+rm -Rf libfuzzer
+go mod init github.com/filecoin-project/fuzzing-lotus/fuzz
+
compile_go_fuzzer github.com/filecoin-project/fuzzing-lotus/fuzz FuzzBlockMsg fuzz_block_msg
compile_go_fuzzer github.com/filecoin-project/fuzzing-lotus/fuzz FuzzBlockMsgStructural fuzz_block_msg_structural
compile_go_fuzzer github.com/filecoin-project/fuzzing-lotus/fuzz FuzzBlockHeader fuzz_block_header
compile_go_fuzzer github.com/filecoin-project/fuzzing-lotus/fuzz FuzzNodesForHeight fuzz_nodes_for_height
+exit 0
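Review bot: The `|| true` on the four `compile_go_fuzzer` lines in the coverage branch swallows any compile failure silently, so a fuzzer that stops building for coverage vanishes from the report with nothing in the log; a fallback of the form `|| echo "coverage build of fuzz_block_msg failed" >&2` keeps the build green while leaving a trace. Minor style: the comment `#The reason that we don't break` is missing the space after `#` that the lines above it use, the two blank lines after `compile_go_fuzzer ./chain/types ...` could be one, and the trailing `exit 0` is redundant as the last statement of a `-e` script. The header of this script is outside the hunk.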
diff --git a/projects/lua/project.yaml b/projects/lua/project.yaml
index 36fc31a5d..9a4b0dd3a 100644
--- a/projects/lua/project.yaml
+++ b/projects/lua/project.yaml
@@ -2,6 +2,6 @@ homepage: "https://github.com/lua/lua"
language: c
primary_contact: "roberto@inf.puc-rio.br"
auto_ccs:
- - "fuzz@llua.org"
+ - "fuzz@lua.org"
- "david@adalogics.com"
main_repo: 'https://github.com/lua/lua'
diff --git a/projects/lxc/Dockerfile b/projects/lxc/Dockerfile
new file mode 100644
index 000000000..375c22485
--- /dev/null
+++ b/projects/lxc/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && \
+ apt-get install -y pkgconf make libtool automake autoconf
+RUN git clone --depth 1 https://github.com/lxc/lxc
+WORKDIR lxc
+COPY build.sh $SRC/
diff --git a/projects/lxc/build.sh b/projects/lxc/build.sh
new file mode 100755
index 000000000..1f18a7ec0
--- /dev/null
+++ b/projects/lxc/build.sh
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+src/tests/oss-fuzz.sh
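Review bot: The shebang `#!/bin/bash -e` omits the `-u` that the other new build scripts in this commit use (`#!/bin/bash -eu`); it makes no difference to the child script, which runs under its own interpreter, but `#!/bin/bash -eu` keeps the wrappers consistent. Since the entire build lives upstream, a one-line comment above the call such as `# build logic is maintained upstream in lxc/src/tests/oss-fuzz.sh` tells a reader where to look when the build breaks.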
diff --git a/projects/lxc/project.yaml b/projects/lxc/project.yaml
new file mode 100644
index 000000000..f19d3563a
--- /dev/null
+++ b/projects/lxc/project.yaml
@@ -0,0 +1,12 @@
+homepage: "https://github.com/lxc/lxc"
+language: c
+primary_contact: "christian@brauner.io"
+builds_per_day: 4
+sanitizers:
+ - address
+ - undefined
+ - memory
+auto_ccs:
+ - stgraber@stgraber.org
+ - evverx@gmail.com
+main_repo: "https://github.com/lxc/lxc"
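Review bot: The two `auto_ccs` entries are unquoted while every other project.yaml in this commit quotes email addresses; they parse as plain strings either way, but quoting keeps the files consistent and protects against values that begin with a YAML indicator. Change them to `- "stgraber@stgraber.org"` and `- "evverx@gmail.com"`.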
diff --git a/projects/md4c/Dockerfile b/projects/md4c/Dockerfile
new file mode 100755
index 000000000..65ebbff18
--- /dev/null
+++ b/projects/md4c/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make cmake
+RUN git clone https://github.com/mity/md4c
+
+WORKDIR $SRC/md4c
+COPY build.sh $SRC/
diff --git a/projects/md4c/build.sh b/projects/md4c/build.sh
new file mode 100755
index 000000000..51d8a805a
--- /dev/null
+++ b/projects/md4c/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+mkdir build && cd build
+cmake ../ -DBUILD_SHARED_LIBS=OFF
+make
+$CC $CFLAGS $LIB_FUZZING_ENGINE ../test/fuzzers/fuzz-mdhtml.c -o $OUT/fuzz-mdhtml \
+ -I../src ./src/libmd4c-html.a ./src/libmd4c.a
diff --git a/projects/md4c/project.yaml b/projects/md4c/project.yaml
new file mode 100755
index 000000000..33e881e00
--- /dev/null
+++ b/projects/md4c/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://github.com/mity/md4c"
+main_repo: "https://github.com/mity/md4c"
+primary_contact: "mity@morous.org"
+language: c
+auto_ccs:
+ - "david@adalogics.com"
diff --git a/projects/minify/Dockerfile b/projects/minify/Dockerfile
index 025632d8f..3f3516ae5 100644
--- a/projects/minify/Dockerfile
+++ b/projects/minify/Dockerfile
@@ -15,6 +15,7 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get -u github.com/tdewolff/minify
+RUN git clone --depth 1 https://github.com/tdewolff/minify
+RUN git clone --depth 1 https://github.com/tdewolff/parse
COPY build.sh $SRC/
WORKDIR $SRC/
diff --git a/projects/minify/build.sh b/projects/minify/build.sh
index 65d728c80..1c031678a 100755
--- a/projects/minify/build.sh
+++ b/projects/minify/build.sh
@@ -14,4 +14,4 @@
# limitations under the License.
#
################################################################################
-$GOPATH/src/github.com/tdewolff/minify/tests/oss-fuzz-build.sh
+./minify/tests/oss-fuzz-build.sh
diff --git a/projects/miniz/build.sh b/projects/miniz/build.sh
index 9e7a489fc..e116a393c 100755
--- a/projects/miniz/build.sh
+++ b/projects/miniz/build.sh
@@ -17,3 +17,4 @@
# Run the OSS-Fuzz script in the project
$SRC/miniz/tests/ossfuzz.sh
+
diff --git a/projects/muparser/project.yaml b/projects/muparser/project.yaml
index 219093a95..e6be1c1aa 100644
--- a/projects/muparser/project.yaml
+++ b/projects/muparser/project.yaml
@@ -3,8 +3,6 @@ language: c++
primary_contact: "equinox.ib@googlemail.com"
auto_ccs:
- "zhichengcai@google.com"
-fuzzing_engines:
- - libfuzzer
sanitizers:
- address
- undefined
diff --git a/projects/mupdf/pdf_fuzzer.cc b/projects/mupdf/pdf_fuzzer.cc
index fd8ad7faf..3e3f1fbb6 100644
--- a/projects/mupdf/pdf_fuzzer.cc
+++ b/projects/mupdf/pdf_fuzzer.cc
@@ -23,96 +23,115 @@
#include <mupdf/fitz.h>
-#define ALIGNMENT 16
-#define MAX_ALLOCATION (1024 * 1024 * 1024)
+#define ALIGNMENT ((size_t) 16)
+#define KBYTE ((size_t) 1024)
+#define MBYTE (1024 * KBYTE)
+#define GBYTE (1024 * MBYTE)
+#define MAX_ALLOCATION (1 * GBYTE)
-static uint64_t total = 0;
+static size_t used;
-static void *
-fz_malloc_ossfuzz(void *opaque, size_t size)
+static void *fz_limit_reached_ossfuzz(size_t oldsize, size_t size)
{
- char *ptr = NULL;
+ if (oldsize == 0)
+ fprintf(stderr, "limit: %zu Mbyte used: %zu Mbyte allocation: %zu: limit reached\n", MAX_ALLOCATION / MBYTE, used / MBYTE, size);
+ else
+ fprintf(stderr, "limit: %zu Mbyte used: %zu Mbyte reallocation: %zu -> %zu: limit reached\n", MAX_ALLOCATION / MBYTE, used / MBYTE, oldsize, size);
+ fflush(0);
+ return NULL;
+}
- if (size == 0)
- return NULL;
- if (size > SIZE_MAX - ALIGNMENT)
- return NULL;
+static void *fz_malloc_ossfuzz(void *opaque, size_t size)
+{
+ char *ptr = NULL;
- if (size > MAX_ALLOCATION - ALIGNMENT - total)
- return NULL;
+ if (size == 0)
+ return NULL;
+ if (size > SIZE_MAX - ALIGNMENT)
+ return NULL;
+ if (size + ALIGNMENT > MAX_ALLOCATION - used)
+ return fz_limit_reached_ossfuzz(0, size + ALIGNMENT);
- ptr = (char *) malloc(size + ALIGNMENT);
- if (ptr == NULL)
- return NULL;
+ ptr = (char *) malloc(size + ALIGNMENT);
+ if (ptr == NULL)
+ return NULL;
- memcpy(ptr, &size, sizeof(size));
- total += size + ALIGNMENT;
+ memcpy(ptr, &size, sizeof(size));
+ used += size + ALIGNMENT;
- return ptr + ALIGNMENT;
+ return ptr + ALIGNMENT;
}
-static void
-fz_free_ossfuzz(void *opaque, void *ptr)
+static void fz_free_ossfuzz(void *opaque, void *ptr)
{
- size_t size;
+ size_t size;
- if (ptr == NULL)
- return;
+ if (ptr == NULL)
+ return;
+ if (ptr < (void *) ALIGNMENT)
+ return;
- ptr = ((char *) ptr) - ALIGNMENT;
+ ptr = (char *) ptr - ALIGNMENT;
+ memcpy(&size, ptr, sizeof(size));
- memcpy(&size, ptr, sizeof(size));
- total -= size - ALIGNMENT;
- free(ptr);
+ used -= size + ALIGNMENT;
+ free(ptr);
}
-static void *
-fz_realloc_ossfuzz(void *opaque, void *old, size_t size)
+static void *fz_realloc_ossfuzz(void *opaque, void *old, size_t size)
{
- size_t oldsize;
- char *ptr;
-
- if (old == NULL)
- return fz_malloc_ossfuzz(opaque, size);
- if (size == 0)
- {
- fz_free_ossfuzz(opaque, old);
- return NULL;
- }
- if (size > SIZE_MAX - ALIGNMENT)
- return NULL;
-
- old = ((char *) old) - ALIGNMENT;
- memcpy(&oldsize, old, sizeof(oldsize));
-
- if (size > MAX_ALLOCATION - total + oldsize)
- return NULL;
-
- ptr = (char *) realloc(old, size + ALIGNMENT);
- if (ptr == NULL)
- return NULL;
-
- total -= oldsize + ALIGNMENT;
- memcpy(ptr, &size, sizeof(size));
- total += size + ALIGNMENT;
-
- return ptr + ALIGNMENT;
+ size_t oldsize;
+ char *ptr;
+
+ if (old == NULL)
+ return fz_malloc_ossfuzz(opaque, size);
+ if (old < (void *) ALIGNMENT)
+ return NULL;
+
+ if (size == 0) {
+ fz_free_ossfuzz(opaque, old);
+ return NULL;
+ }
+ if (size > SIZE_MAX - ALIGNMENT)
+ return NULL;
+
+ old = (char *) old - ALIGNMENT;
+ memcpy(&oldsize, old, sizeof(oldsize));
+
+ if (size + ALIGNMENT > MAX_ALLOCATION - used + oldsize + ALIGNMENT)
+ return fz_limit_reached_ossfuzz(oldsize + ALIGNMENT, size + ALIGNMENT);
+
+ ptr = (char *) realloc(old, size + ALIGNMENT);
+ if (ptr == NULL)
+ return NULL;
+
+ used -= oldsize + ALIGNMENT;
+ memcpy(ptr, &size, sizeof(size));
+ used += size + ALIGNMENT;
+
+ return ptr + ALIGNMENT;
}
static fz_alloc_context fz_alloc_ossfuzz =
{
- NULL,
- fz_malloc_ossfuzz,
- fz_realloc_ossfuzz,
- fz_free_ossfuzz
+ NULL,
+ fz_malloc_ossfuzz,
+ fz_realloc_ossfuzz,
+ fz_free_ossfuzz
};
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- fz_context *ctx = fz_new_context(&fz_alloc_ossfuzz, nullptr, FZ_STORE_DEFAULT);
+ fz_context *ctx;
+ fz_stream *stream;
+ fz_document *doc;
+ fz_pixmap *pix;
+
+ used = 0;
- fz_stream *stream = NULL;
- fz_document *doc = NULL;
- fz_pixmap *pix = NULL;
+ ctx = fz_new_context(&fz_alloc_ossfuzz, nullptr, FZ_STORE_DEFAULT);
+ stream = NULL;
+ doc = NULL;
+ pix = NULL;
fz_var(stream);
fz_var(doc);
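Review bot: The new guards `if (ptr < (void *) ALIGNMENT)` in fz_free_ossfuzz and `if (old < (void *) ALIGNMENT)` in fz_realloc_ossfuzz compare a heap pointer against an integer cast to a pointer, which is not a well-defined relational comparison in C++ (the operands do not point into the same object), and they cannot trigger for anything this allocator hands out, since every returned pointer is a `malloc` result plus ALIGNMENT. If the intent is to reject obviously bogus small values, write it on integers, `if ((uintptr_t) ptr < ALIGNMENT) return;`, or drop the guards and let the sanitizer report the bad free. `used = 0;` in LLVMFuzzerTestOneInput resets the budget per input, which is fine as long as the context teardown at the end of the harness (outside this hunk) frees everything; a comment such as `/* per-input budget; relies on fz_drop_context freeing all allocations */` would record that assumption. LLVMFuzzerTestOneInput continues outside the hunk.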
diff --git a/projects/nats/Dockerfile b/projects/nats/Dockerfile
index 9667bd710..a9dbcf4cf 100644
--- a/projects/nats/Dockerfile
+++ b/projects/nats/Dockerfile
@@ -15,6 +15,6 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/nats-io/nats-server
+RUN git clone --depth 1 https://github.com/nats-io/nats-server
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/nats-server
diff --git a/projects/nats/build.sh b/projects/nats/build.sh
index 25089d54f..2235a6e4b 100755
--- a/projects/nats/build.sh
+++ b/projects/nats/build.sh
@@ -17,6 +17,6 @@
-compile_go_fuzzer github.com/nats-io/nats-server/conf Fuzz fuzz_conf
-compile_go_fuzzer github.com/nats-io/nats-server/server FuzzClient fuzz_client
+compile_go_fuzzer ./conf Fuzz fuzz_conf
+compile_go_fuzzer ./server FuzzClient fuzz_client
diff --git a/projects/nom/Dockerfile b/projects/nom/Dockerfile
new file mode 100644
index 000000000..167550e33
--- /dev/null
+++ b/projects/nom/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN git clone --depth 1 https://github.com/Geal/nom/
+WORKDIR $SRC
+
+COPY build.sh $SRC/
diff --git a/projects/nom/build.sh b/projects/nom/build.sh
new file mode 100755
index 000000000..8567ddc5d
--- /dev/null
+++ b/projects/nom/build.sh
@@ -0,0 +1,20 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC/nom
+cargo fuzz build -O
+cp fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_arithmetic $OUT/
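Review bot: The final `cp` hard-codes both the target triple `x86_64-unknown-linux-gnu` and a single fuzz target name, so any further target added under `fuzz/fuzz_targets/` is presumably built but silently not shipped, and an i386 build (should one be enabled in project.yaml later) would fail on the path. A loop over the built binaries, e.g. `for f in fuzz/target/*/release/*; do [ -f "$f" ] && [ -x "$f" ] && cp "$f" $OUT/; done`, keeps the script in step with the crate.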
diff --git a/projects/nom/project.yaml b/projects/nom/project.yaml
new file mode 100644
index 000000000..9c2f7d840
--- /dev/null
+++ b/projects/nom/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/Geal/nom"
+main_repo: "https://github.com/Geal/nom"
+primary_contact: "geo.couprie@gmail.com"
+sanitizers:
+ - address
+fuzzing_engines:
+ - libfuzzer
+language: rust
+auto_ccs:
+ - "david@adalogics.com"
diff --git a/projects/openbabel/Dockerfile b/projects/openbabel/Dockerfile
new file mode 100644
index 000000000..766293ae2
--- /dev/null
+++ b/projects/openbabel/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt install -y cmake
+RUN git clone --depth 1 https://github.com/openbabel/openbabel.git
+COPY build.sh $SRC
+WORKDIR $SRC/openbabel
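Review bot: The RUN line mixes `apt-get update` with `apt install -y cmake`; `apt` warns that it has no stable CLI interface when used in scripts, and every other Dockerfile in this change uses `apt-get`. Change it to `RUN apt-get update && apt-get install -y cmake`.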
diff --git a/projects/openbabel/build.sh b/projects/openbabel/build.sh
new file mode 100755
index 000000000..5a1b5477f
--- /dev/null
+++ b/projects/openbabel/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+
+# build project
+mkdir build && cd build
+cmake .. -DBUILD_SHARED=OFF -DBUILD_MIXED=ON
+make -j $(nproc)
+cp bin/fuzz* $OUT/
diff --git a/projects/openbabel/project.yaml b/projects/openbabel/project.yaml
new file mode 100644
index 000000000..e7437df5d
--- /dev/null
+++ b/projects/openbabel/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://openbabel.org"
+language: c++
+primary_contact: "geoff.hutchison@gmail.com"
+auto_ccs :
+- "p.antoine@catenacyber.fr"
+
+sanitizers:
+- address
+- undefined
+main_repo: 'https://github.com/openbabel/openbabel.git'
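Review bot: `auto_ccs :` has a space before the colon, and the file mixes double quotes, single quotes and flush-left sequences; the parser accepts all of it, but yamllint flags the colon spacing and the inconsistency stands out against the other project.yaml files added in this commit. Write `auto_ccs:` and pick one quote style, e.g. `main_repo: "https://github.com/openbabel/openbabel.git"`, with the sequence items indented under their keys as in `projects/nom/project.yaml`.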
diff --git a/projects/openexr/build.sh b/projects/openexr/build.sh
index a0bcfc24a..80a2e49a6 100755
--- a/projects/openexr/build.sh
+++ b/projects/openexr/build.sh
@@ -38,9 +38,8 @@ INCLUDES=(
LIBS=(
"$WORK/src/lib/OpenEXRUtil/libOpenEXRUtil.a"
"$WORK/src/lib/OpenEXR/libOpenEXR.a"
- "$WORK/src/lib/Iex/libIex.a"
- "$WORK/src/lib/IexMath/libIexMath.a"
"$WORK/src/lib/IlmThread/libIlmThread.a"
+ "$WORK/src/lib/Iex/libIex.a"
"$WORK/_deps/imath-build/src/Imath/libImath*.a"
)
diff --git a/projects/openjpeg/build.sh b/projects/openjpeg/build.sh
index cd96cf787..1bc2da047 100755
--- a/projects/openjpeg/build.sh
+++ b/projects/openjpeg/build.sh
@@ -17,7 +17,7 @@
mkdir build
cd build
-cmake ..
+cmake -DCMAKE_BUILD_TYPE=Release ..
make clean -s
make -j$(nproc) -s
cd ..
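Review bot: `-DCMAKE_BUILD_TYPE=Release` makes CMake append its Release flags (by default `-O3 -DNDEBUG`) after the `$CFLAGS` the fuzzing environment exports, so `assert()` calls in openjpeg are compiled out of the fuzz build and the optimization level the sanitizer flags were chosen for is overridden. If a build type is needed for some other reason, neutralize that part, e.g. `cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS_RELEASE="" ..`, or leave the build type unset as before and let `$CFLAGS` drive it. I cannot see from the hunk why Release was introduced, so a one-line comment stating the reason would help the next maintainer.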
diff --git a/projects/opensc/project.yaml b/projects/opensc/project.yaml
index 250052f2d..79d794ecb 100644
--- a/projects/opensc/project.yaml
+++ b/projects/opensc/project.yaml
@@ -8,7 +8,4 @@ auto_ccs:
- "andreas.schwier@cardcontact.de"
- "deengert@gmail.com"
- "jakuje@gmail.com"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
main_repo: 'https://github.com/OpenSC/OpenSC'
diff --git a/projects/openssh/build.sh b/projects/openssh/build.sh
index 83c7f0f7d..49d138154 100755
--- a/projects/openssh/build.sh
+++ b/projects/openssh/build.sh
@@ -16,8 +16,10 @@
################################################################################
# Enable null cipher
-mv cipher.c _cipher.c
-sed 's/#define CFLAG_INTERNAL.*/#define CFLAG_INTERNAL 0/' _cipher.c > cipher.c
+sed -i 's/#define CFLAG_INTERNAL.*/#define CFLAG_INTERNAL 0/' cipher.c
+
+# Turn off agent unlock password failure delays
+sed -i 's|\(usleep.*\)|// \1|' ssh-agent.c
# Build project
autoreconf
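Review bot: Both `sed -i` edits exit 0 whether or not their pattern matched, so if upstream renames `CFLAG_INTERNAL` or restructures the `usleep` call the build continues silently with the null cipher still disabled or the agent delay still in place, and the fuzzers lose coverage or time out with no signal. Add a match check after each so `-e` aborts instead, e.g. `grep -q 'define CFLAG_INTERNAL 0$' cipher.c` and `grep -q '// usleep' ssh-agent.c`. The `usleep` substitution also comments out the rest of whatever line it hits, which is fine for a call on its own line but would drop trailing code if the call ever shares a line; I cannot verify the current layout from here.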
@@ -32,37 +34,48 @@ make -j$(nproc) all
EXTRA_CFLAGS="-DCIPHER_NONE_AVAIL=1"
STATIC_CRYPTO="-Wl,-Bstatic -lcrypto -Wl,-Bdynamic"
-COMMON=ssh-sk-null.o
+SK_NULL=ssh-sk-null.o
+SK_DUMMY=sk-dummy.o
-$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \
- regress/misc/fuzz-harness/ssh-sk-null.cc -c -o ssh-sk-null.o
+$CC $CFLAGS $EXTRA_CFLAGS -I. -g -c \
+ regress/misc/fuzz-harness/ssh-sk-null.cc -o ssh-sk-null.o
+$CC $CFLAGS $EXTRA_CFLAGS -I. -g -c \
+ -DSK_DUMMY_INTEGRATE=1 regress/misc/sk-dummy/sk-dummy.c -o sk-dummy.o
$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \
regress/misc/fuzz-harness/pubkey_fuzz.cc -o $OUT/pubkey_fuzz \
- -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO $LIB_FUZZING_ENGINE
+ -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO $LIB_FUZZING_ENGINE
$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \
regress/misc/fuzz-harness/privkey_fuzz.cc -o $OUT/privkey_fuzz \
- -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO $LIB_FUZZING_ENGINE
+ -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO $LIB_FUZZING_ENGINE
$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \
regress/misc/fuzz-harness/sig_fuzz.cc -o $OUT/sig_fuzz \
- -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO $LIB_FUZZING_ENGINE
+ -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO $LIB_FUZZING_ENGINE
$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \
regress/misc/fuzz-harness/authopt_fuzz.cc -o $OUT/authopt_fuzz \
- auth-options.o -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO \
+ auth-options.o -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO \
$LIB_FUZZING_ENGINE
$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \
regress/misc/fuzz-harness/sshsig_fuzz.cc -o $OUT/sshsig_fuzz \
- sshsig.o -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO \
+ sshsig.o -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO \
$LIB_FUZZING_ENGINE
$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \
regress/misc/fuzz-harness/sshsigopt_fuzz.cc -o $OUT/sshsigopt_fuzz \
- sshsig.o -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO \
+ sshsig.o -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO \
$LIB_FUZZING_ENGINE
$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \
regress/misc/fuzz-harness/kex_fuzz.cc -o $OUT/kex_fuzz \
- -lssh -lopenbsd-compat -lz $COMMON $STATIC_CRYPTO \
+ -lssh -lopenbsd-compat -lz $SK_NULL $STATIC_CRYPTO \
$LIB_FUZZING_ENGINE
+$CC $CFLAGS $EXTRA_CFLAGS -I. -g -c \
+ regress/misc/fuzz-harness/agent_fuzz_helper.c -o agent_fuzz_helper.o
+$CC $CFLAGS $EXTRA_CFLAGS -I. -g -c -DENABLE_SK_INTERNAL=1 ssh-sk.c -o ssh-sk.o
+$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \
+ regress/misc/fuzz-harness/agent_fuzz.cc -o $OUT/agent_fuzz \
+ $SK_DUMMY agent_fuzz_helper.o ssh-sk.o -lssh -lopenbsd-compat -lz \
+ $STATIC_CRYPTO $LIB_FUZZING_ENGINE
+
# Prepare seed corpora
CASES="$SRC/openssh-fuzz-cases"
(set -e ; cd ${CASES}/key ; zip -r $OUT/pubkey_fuzz_seed_corpus.zip .)
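Review bot: `ssh-sk-null.cc` is now compiled with `$CC $CFLAGS` (the `SK_NULL` lines) even though it is a C++ source that was previously built with `$CXX $CXXFLAGS -std=c++11`; clang still treats the `.cc` extension as C++, but any flags only `$CXXFLAGS` carries (on OSS-Fuzz typically the C++ standard-library selection) are lost for that object while every harness it links into is built with them. Keep the C++ compiler for the C++ file: `$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -g -c regress/misc/fuzz-harness/ssh-sk-null.cc -o ssh-sk-null.o`. The `sk-dummy.c` and `agent_fuzz_helper.c` lines are correctly built with `$CC`. The build script continues outside this hunk.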
@@ -72,3 +85,4 @@ CASES="$SRC/openssh-fuzz-cases"
(set -e ; cd ${CASES}/sshsig ; zip -r $OUT/sshsig_fuzz_seed_corpus.zip .)
(set -e ; cd ${CASES}/sshsigopt ; zip -r $OUT/sshsigopt_fuzz_seed_corpus.zip .)
(set -e ; cd ${CASES}/kex ; zip -r $OUT/kex_fuzz_seed_corpus.zip .)
+(set -e ; cd ${CASES}/agent ; zip -r $OUT/agent_fuzz_seed_corpus.zip .)
diff --git a/projects/openssl/build.sh b/projects/openssl/build.sh
index 0832c6ad0..14768c973 100755
--- a/projects/openssl/build.sh
+++ b/projects/openssl/build.sh
@@ -15,12 +15,6 @@
#
################################################################################
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
CONFIGURE_FLAGS=""
if [[ $CFLAGS = *sanitize=memory* ]]
then
diff --git a/projects/openthread/Dockerfile b/projects/openthread/Dockerfile
index e54e7e780..4ef0e6e46 100644
--- a/projects/openthread/Dockerfile
+++ b/projects/openthread/Dockerfile
@@ -16,7 +16,7 @@
FROM gcr.io/oss-fuzz-base/base-builder
-RUN apt-get update && apt-get install -y make autoconf automake libtool
+RUN apt-get update && apt-get install -y cmake ninja-build
RUN git clone --depth 1 https://github.com/openthread/openthread
WORKDIR openthread
diff --git a/projects/openthread/build.sh b/projects/openthread/build.sh
index 3cd785182..019508454 100755
--- a/projects/openthread/build.sh
+++ b/projects/openthread/build.sh
@@ -15,53 +15,4 @@
#
################################################################################
-./bootstrap
-
-export CPPFLAGS=" \
- -DOPENTHREAD_CONFIG_BORDER_AGENT_ENABLE=1 \
- -DOPENTHREAD_CONFIG_BORDER_ROUTER_ENABLE=1 \
- -DOPENTHREAD_CONFIG_CHANNEL_MANAGER_ENABLE=1 \
- -DOPENTHREAD_CONFIG_CHANNEL_MONITOR_ENABLE=1 \
- -DOPENTHREAD_CONFIG_CHILD_SUPERVISION_ENABLE=1 \
- -DOPENTHREAD_CONFIG_COAP_API_ENABLE=1 \
- -DOPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE=1 \
- -DOPENTHREAD_CONFIG_COMMISSIONER_ENABLE=1 \
- -DOPENTHREAD_CONFIG_DHCP6_CLIENT_ENABLE=1 \
- -DOPENTHREAD_CONFIG_DHCP6_SERVER_ENABLE=1 \
- -DOPENTHREAD_CONFIG_DIAG_ENABLE=1 \
- -DOPENTHREAD_CONFIG_DNS_CLIENT_ENABLE=1 \
- -DOPENTHREAD_CONFIG_ECDSA_ENABLE=1 \
- -DOPENTHREAD_CONFIG_LEGACY_ENABLE=1 \
- -DOPENTHREAD_CONFIG_JAM_DETECTION_ENABLE=1 \
- -DOPENTHREAD_CONFIG_JOINER_ENABLE=1 \
- -DOPENTHREAD_CONFIG_LINK_RAW_ENABLE=1 \
- -DOPENTHREAD_CONFIG_MAC_FILTER_ENABLE=1 \
- -DOPENTHREAD_CONFIG_NCP_UART_ENABLE=1 \
- -DOPENTHREAD_CONFIG_REFERENCE_DEVICE_ENABLE=1 \
- -DOPENTHREAD_CONFIG_SNTP_CLIENT_ENABLE=1 \
- -DOPENTHREAD_CONFIG_TMF_NETDATA_SERVICE_ENABLE=1 \
- -DOPENTHREAD_CONFIG_TMF_NETWORK_DIAG_MTD_ENABLE=1 \
- -DOPENTHREAD_CONFIG_UDP_FORWARD_ENABLE=1"
-
-./configure \
- --enable-fuzz-targets \
- --enable-cli \
- --enable-ftd \
- --enable-joiner \
- --enable-ncp \
- --disable-docs
-
-make -j$(nproc)
-
-find . -name '*-fuzzer' -exec cp -v '{}' $OUT ';'
-find . -name '*-fuzzer.dict' -exec cp -v '{}' $OUT ';'
-find . -name '*-fuzzer.options' -exec cp -v '{}' $OUT ';'
-
-fuzzers=$(find tests/fuzz -name "*-fuzzer")
-for f in $fuzzers; do
- fuzzer=$(basename $f -fuzzer)
-
- if [ -d "tests/fuzz/corpora/${fuzzer}" ]; then
- zip -j $OUT/$(basename $f)_seed_corpus.zip tests/fuzz/corpora/${fuzzer}/*
- fi
-done
+bash tests/fuzz/oss-fuzz-build
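Review bot: Running the in-repo script via `bash tests/fuzz/oss-fuzz-build` starts a child shell that does not inherit the outer script's `-eu`, so unless that script sets them itself a failing step inside it will not fail the build and partial fuzzer sets can be shipped. Pass the options explicitly: `bash -eu tests/fuzz/oss-fuzz-build`. I cannot see the upstream script from this hunk, so this may already be handled there.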
diff --git a/projects/openthread/project.yaml b/projects/openthread/project.yaml
index f10bdfc61..c772d3b3c 100644
--- a/projects/openthread/project.yaml
+++ b/projects/openthread/project.yaml
@@ -5,7 +5,6 @@ fuzzing_engines:
- libfuzzer
- afl
- honggfuzz
- - dataflow
sanitizers:
- address
- undefined
diff --git a/projects/osquery/project.yaml b/projects/osquery/project.yaml
index efe3528d2..d0944c1f8 100644
--- a/projects/osquery/project.yaml
+++ b/projects/osquery/project.yaml
@@ -15,4 +15,5 @@ sanitizers:
- address
fuzzing_engines:
- libfuzzer
+ - afl
main_repo: 'https://github.com/osquery/osquery'
diff --git a/projects/p11-kit/Dockerfile b/projects/p11-kit/Dockerfile
new file mode 100644
index 000000000..5ae785811
--- /dev/null
+++ b/projects/p11-kit/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make autoconf automake libtool pkg-config libtasn1-6-dev libffi-dev
+RUN echo deb http://archive.ubuntu.com/ubuntu/ bionic main >> /etc/apt/sources.list
+RUN apt-get update && apt-get install -y -t bionic gettext autopoint
+RUN git clone --depth 1 https://github.com/p11-glue/p11-kit.git p11-kit
+WORKDIR p11-kit
+COPY build.sh $SRC/
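Review bot: The two lines that append the `bionic` archive to `/etc/apt/sources.list` and install with `-t bionic` mix package pools from two Ubuntu releases in one image; `-t` raises the priority of every bionic package for that transaction, so dependencies pulled in by `gettext`/`autopoint` can be upgraded to bionic builds the rest of the base image was not built against, and what gets upgraded shifts whenever the archive changes. If only `autopoint` is needed, narrow it to `apt-get install -y -t bionic --no-install-recommends autopoint`, or build gettext from a pinned tarball, and add a comment saying why the base image's own release is insufficient. I cannot see the base image's release from this hunk, so confirm the mismatch is actually required.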
diff --git a/projects/p11-kit/build.sh b/projects/p11-kit/build.sh
new file mode 100755
index 000000000..c15f9d58c
--- /dev/null
+++ b/projects/p11-kit/build.sh
@@ -0,0 +1,25 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+./autogen.sh
+make -j$(nproc) oss-fuzz
+
+cd fuzz
+for dir in *.in; do
+ fuzzer=$(basename $dir .in)_fuzzer
+ zip -rj "$OUT/${fuzzer}_seed_corpus.zip" "${dir}/"
+done
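Review bot: `for dir in *.in` expands to the literal string `*.in` when no `.in` directory exists, so the loop then calls `zip` on a nonexistent path and the build dies with a confusing error rather than a clear one. Either guard the loop body with `[ -d "$dir" ] || continue` or set `shopt -s nullglob` before the loop, and quote the expansion: `fuzzer="$(basename "$dir" .in)_fuzzer"`.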
diff --git a/projects/p11-kit/project.yaml b/projects/p11-kit/project.yaml
new file mode 100644
index 000000000..55139b84a
--- /dev/null
+++ b/projects/p11-kit/project.yaml
@@ -0,0 +1,4 @@
+homepage: https://p11-glue.github.io/p11-glue/p11-kit.html
+main_repo: https://github.com/p11-glue/p11-kit
+language: c
+primary_contact: "daiki.ueno@gmail.com"
diff --git a/projects/pcl/Dockerfile b/projects/pcl/Dockerfile
new file mode 100644
index 000000000..740a3b350
--- /dev/null
+++ b/projects/pcl/Dockerfile
@@ -0,0 +1,45 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make cmake autoconf \
+ automake libtool gettext pkg-config build-essential \
+ mercurial wget libeigen3-dev libflann-dev python python-dev
+
+# VTK deps
+RUN apt-get update && apt-get install -y \
+ libavcodec-dev libavformat-dev libavutil-dev libboost-dev \
+ libdouble-conversion-dev libeigen3-dev libexpat1-dev \
+ libfontconfig-dev libfreetype6-dev libgdal-dev libglew-dev \
+ libhdf5-dev libjpeg-dev libjsoncpp-dev liblz4-dev liblzma-dev \
+ libnetcdf-dev libnetcdf-cxx-legacy-dev libogg-dev libpng-dev \
+ libpython3-dev libqt5opengl5-dev libqt5x11extras5-dev libsqlite3-dev \
+ libswscale-dev libtheora-dev libtiff-dev libxml2-dev libxt-dev \
+ qtbase5-dev qttools5-dev zlib1g-dev
+
+# Install and build boost from source so we can have it use libc++
+RUN wget https://sourceforge.net/projects/boost/files/boost/1.70.0/boost_1_70_0.tar.gz && \
+ tar xzf boost_1_70_0.tar.gz && \
+ cd boost_1_70_0 && \
+ ./bootstrap.sh --with-toolset=clang && \
+ ./b2 clean && \
+ ./b2 toolset=clang cxxflags="-stdlib=libc++" linkflags="-stdlib=libc++" -j$(nproc) install && \
+ cd .. && \
+ rm -rf boost_1_70_0]
+
+RUN git clone --depth 1 https://github.com/PointCloudLibrary/pcl
+COPY build.sh $SRC/
+WORKDIR $SRC/
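Review bot: The stray `]` in `rm -rf boost_1_70_0]` means the extracted Boost tree is never removed, so the whole source tree stays in the image layer; the line should be `rm -rf boost_1_70_0`. The tarball is also fetched from the SourceForge redirector without any integrity check, and it is a build input for every pcl fuzzer, so verify it before `tar xzf`, e.g. `echo "<published sha256>  boost_1_70_0.tar.gz" | sha256sum -c -`, and prefer a pinned direct archive URL.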
diff --git a/projects/pcl/build.sh b/projects/pcl/build.sh
new file mode 100755
index 000000000..c08aeac0f
--- /dev/null
+++ b/projects/pcl/build.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+chmod +x $SRC/pcl/test/fuzz/build.sh
+$SRC/pcl/test/fuzz/build.sh
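Review bot: The `chmod +x` followed by a direct execution can be replaced by running the script through the shell, `bash -eu "$SRC/pcl/test/fuzz/build.sh"`, which does the same thing without modifying the checkout, keeps the outer `-eu` semantics, and matches how the openthread build in this same change invokes its in-repo script.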
diff --git a/projects/pcl/project.yaml b/projects/pcl/project.yaml
index 83d05068b..fdb4cb1c5 100644
--- a/projects/pcl/project.yaml
+++ b/projects/pcl/project.yaml
@@ -1,6 +1,9 @@
-help_url: "https://github.com/pointcloudlibrary/pcl"
+main_repo: "https://github.com/pointcloudlibrary/pcl"
homepage: "http://pointclouds.org"
language: c++
primary_contact: "kunal.tyagi.3.1994@gmail.com"
auto_ccs:
- "tyagi.kunal@live.com"
+ - "larshg@gmail.com"
+ - "markus95.vieth@gmail.com"
+ - "k.koide.aist@gmail.com"
diff --git a/projects/pillow/Dockerfile b/projects/pillow/Dockerfile
index 3f5a1176b..ab9089553 100644
--- a/projects/pillow/Dockerfile
+++ b/projects/pillow/Dockerfile
@@ -54,12 +54,10 @@ RUN cd Pillow && depends/install_extra_test_images.sh
COPY build.sh $SRC/
-# pillow runtime dependencies
+# pillow optional runtime dependencies
RUN apt-get install -y \
- libfribidi-dev \
- libharfbuzz-dev \
- python3-tk \
- tcl8.6-dev \
- tk8.6-dev
+ python3-tk \
+ tcl8.6-dev \
+ tk8.6-dev
WORKDIR $SRC/Pillow
diff --git a/projects/pillow/build.sh b/projects/pillow/build.sh
index c0f791dac..e7dac3463 100644
--- a/projects/pillow/build.sh
+++ b/projects/pillow/build.sh
@@ -17,27 +17,22 @@
python3 setup.py build --build-base=/tmp/build install
-bp="$(find /tmp/build -name '_imaging.o')"
-BUILD_DIR="${bp/_imaging.o/}"
-if [ -d "$BUILD_DIR" ]; then
- find $BUILD_DIR -name _imagingmath.o -delete
- find $BUILD_DIR -name _imagingtk.o -delete
- find $BUILD_DIR -name _imagingmorph.o -delete
-fi;
-
-# Relink with fuzzing engine
-TS="$(find /usr/local/lib/python3.* -name '_imaging.*.so')"
-$CXX -pthread -shared $CXXFLAGS $LIB_FUZZING_ENGINE ${BUILD_DIR}/*.o ${BUILD_DIR}/libImaging/*.o \
- -L/usr/local/lib -L/lib/x86_64-linux-gnu -L/usr/lib/x86_64-linux-gnu \
- -L/usr/lib/x86_64-linux-gnu/libfakeroot -L/usr/lib -L/lib -L/usr/local/lib \
- -ljpeg -lz -lxcb -lfreetype -lopenjp2 -ltiff -llcms2 -lwebp -lwebpmux -lwebpdemux \
- -o ${TS} -stdlib=libc++
-
# Build fuzzers in $OUT.
for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
fuzzer_basename=$(basename -s .py $fuzzer)
fuzzer_package=${fuzzer_basename}.pkg
- pyinstaller --distpath $OUT --onefile --name $fuzzer_package $fuzzer
+ pyinstaller \
+ --add-binary /usr/local/lib/libjpeg.so.9:. \
+ --add-binary /usr/local/lib/libfreetype.so.6:. \
+ --add-binary /usr/local/lib/liblcms2.so.2:. \
+ --add-binary /usr/local/lib/libopenjp2.so.7:. \
+ --add-binary /usr/local/lib/libpng16.so.16:. \
+ --add-binary /usr/local/lib/libtiff.so.5:. \
+ --add-binary /usr/local/lib/libwebp.so.7:. \
+ --add-binary /usr/local/lib/libwebpdemux.so.2:. \
+ --add-binary /usr/local/lib/libwebpmux.so.3:. \
+ --add-binary /usr/local/lib/libxcb.so.1:. \
+ --distpath $OUT --onefile --name $fuzzer_package $fuzzer
# Create execution wrapper.
echo "#!/bin/sh
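Review bot: The `--add-binary` list hard-codes soname versions (`libjpeg.so.9`, `libtiff.so.5`, `libwebp.so.7`, …), so the next bump of any of those dependencies in the Dockerfile makes pyinstaller fail on a missing file, and a library added to the image later is silently not bundled into `$OUT`. Consider deriving the list from what is actually installed under `/usr/local/lib` (a small loop building an array of `--add-binary` arguments) rather than maintaining it by hand, and add a comment noting that these are runtime dependencies of the C extension so a reader knows why they are bundled. The `for` loop continues past this hunk.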
diff --git a/projects/pillow/fuzz_pillow.py b/projects/pillow/fuzz_pillow.py
deleted file mode 100644
index d501811b3..000000000
--- a/projects/pillow/fuzz_pillow.py
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/python3
-
-# Copyright 2020 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import atheris_no_libfuzzer as atheris
-import sys
-import os
-import io
-import warnings
-from PIL import Image, ImageFile, ImageFilter
-
-def TestOneInput(data):
- try:
- with Image.open(io.BytesIO(data)) as im:
- im.rotate(45)
- im.filter(ImageFilter.DETAIL)
- im.save(io.BytesIO(), "BMP")
- except Exception:
- # We're catching all exceptions because Pillow's exceptions are
- # directly inheriting from Exception.
- return
- return
-
-def main():
- ImageFile.LOAD_TRUNCATED_IMAGES = True
- warnings.filterwarnings("ignore")
- atheris.Setup(sys.argv, TestOneInput, enable_python_coverage=True)
- atheris.Fuzz()
-
-if __name__ == "__main__":
- main()
-
diff --git a/projects/poppler/Dockerfile b/projects/poppler/Dockerfile
index 6ceb73996..c1b0355cf 100644
--- a/projects/poppler/Dockerfile
+++ b/projects/poppler/Dockerfile
@@ -15,7 +15,7 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN apt-get update && apt-get install -y wget autoconf automake libtool pkg-config cmake gperf
+RUN apt-get update && apt-get install -y wget autoconf automake libtool pkg-config gperf
RUN pip3 install meson ninja
RUN git clone --depth 1 https://github.com/madler/zlib.git
diff --git a/projects/poppler/build.sh b/projects/poppler/build.sh
index 4f2893054..23692dd5b 100755
--- a/projects/poppler/build.sh
+++ b/projects/poppler/build.sh
@@ -166,7 +166,7 @@ fuzzers=$(find $SRC/poppler/cpp/tests/fuzzing/ -name "*_fuzzer.cc")
for f in $fuzzers; do
fuzzer_name=$(basename $f .cc)
- $CXX $CXXFLAGS -std=c++11 -I$SRC/poppler/cpp \
+ $CXX $CXXFLAGS -std=c++11 -I$SRC/poppler/cpp -I$SRC/poppler/build/cpp \
$BUILD_CFLAGS \
$f -o $OUT/$fuzzer_name \
$PREDEPS_LDFLAGS \
@@ -213,7 +213,7 @@ for f in $fuzzers; do
fuzzer_name=$(basename $f .cc)
$CXX $CXXFLAGS -std=c++11 -fPIC \
- -I$SRC/poppler/qt5/src \
+ -I$SRC/poppler/qt5/src -I$SRC/poppler/build/qt5/src \
$BUILD_CFLAGS \
$f -o $OUT/$fuzzer_name \
$PREDEPS_LDFLAGS \
diff --git a/projects/postgresql/add_fuzzers.diff b/projects/postgresql/add_fuzzers.diff
index 2d3ce7b3b..86b106c22 100644
--- a/projects/postgresql/add_fuzzers.diff
+++ b/projects/postgresql/add_fuzzers.diff
@@ -1,26 +1,25 @@
diff --git a/src/backend/tcop/postgres.c b/src/backend/tcop/postgres.c
-index c9424f167c..aa2897ec63 100644
+index cb5a96117f..c9b4880085 100644
--- a/src/backend/tcop/postgres.c
+++ b/src/backend/tcop/postgres.c
-@@ -101,6 +101,10 @@ int max_stack_depth = 100;
+@@ -102,6 +102,9 @@ int max_stack_depth = 100;
/* wait N seconds to allow attach from a debugger */
int PostAuthDelay = 0;
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+bool fuzzer_first_run = true;
+#endif
-+
/* ----------------
-@@ -505,11 +509,14 @@ static int
- ReadCommand(StringInfo inBuf)
+@@ -507,10 +510,15 @@ ReadCommand(StringInfo inBuf)
{
int result;
--
+
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-+ result = SocketBackend(inBuf);
++ result = SocketBackend(inBuf);
+#else
++
if (whereToSendOutput == DestRemote)
result = SocketBackend(inBuf);
else
@@ -29,34 +28,35 @@ index c9424f167c..aa2897ec63 100644
return result;
}
-@@ -3784,6 +3791,10 @@ PostgresMain(int argc, char *argv[],
- volatile bool send_ready_for_query = true;
- bool disable_idle_in_transaction_timeout = false;
+@@ -3846,6 +3854,11 @@ PostgresMain(int argc, char *argv[],
+ bool idle_in_transaction_timeout_enabled = false;
+ bool idle_session_timeout_enabled = false;
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-+ if(fuzzer_first_run)
-+ {
++ if(fuzzer_first_run)
++ {
+#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
++
/* Initialize startup process environment if necessary. */
if (!IsUnderPostmaster)
InitStandaloneProcess(argv[0]);
-@@ -4151,6 +4162,11 @@ PostgresMain(int argc, char *argv[],
+@@ -4207,6 +4220,11 @@ PostgresMain(int argc, char *argv[],
if (!ignore_till_sync)
send_ready_for_query = true; /* initially, or after error */
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-+ fuzzer_first_run=false;
-+ }
++ fuzzer_first_run=false;
++ }
+#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
+
/*
* Non-error queries loop here.
*/
diff --git a/src/backend/utils/error/elog.c b/src/backend/utils/error/elog.c
-index d0b368530e..02a3e9066e 100644
+index 80c2672461..c16e0423c5 100644
--- a/src/backend/utils/error/elog.c
+++ b/src/backend/utils/error/elog.c
-@@ -513,7 +513,9 @@ errfinish(const char *filename, int lineno, const char *funcname)
+@@ -600,7 +600,9 @@ errfinish(const char *filename, int lineno, const char *funcname)
pq_endcopyout(true);
/* Emit the message to the right places */
diff --git a/projects/postgresql/fuzzer/simple_query_fuzzer.c b/projects/postgresql/fuzzer/simple_query_fuzzer.c
index 3ba6b50ed..29c13623e 100644
--- a/projects/postgresql/fuzzer/simple_query_fuzzer.c
+++ b/projects/postgresql/fuzzer/simple_query_fuzzer.c
@@ -46,7 +46,7 @@ exec_simple_query(const char *query_string)
StartTransactionCommand();
oldcontext = MemoryContextSwitchTo(MessageContext);
- parsetree_list = raw_parser(query_string);
+ parsetree_list = raw_parser(query_string, RAW_PARSE_TYPE_NAME);
MemoryContextSwitchTo(oldcontext);
use_implicit_block = (list_length(parsetree_list) > 1);
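Review bot: `RAW_PARSE_TYPE_NAME` tells `raw_parser` to parse the input as a single type name rather than as a list of SQL statements, so unless the intent is to fuzz only type-name syntax this harness no longer exercises the statement grammar that `exec_simple_query` is meant to drive, and the returned list is not the `RawStmt` list that `use_implicit_block` and the code following it (outside the hunk) appear to expect. As far as I recall, upstream's `pg_parse_query` uses `RAW_PARSE_DEFAULT` for simple queries; the line should read `parsetree_list = raw_parser(query_string, RAW_PARSE_DEFAULT);`. If the narrowing is deliberate, say so in a comment on this line. The enclosing function starts and ends outside this hunk.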
diff --git a/projects/postgresql/project.yaml b/projects/postgresql/project.yaml
index 9517c603f..5cc7a3ff3 100644
--- a/projects/postgresql/project.yaml
+++ b/projects/postgresql/project.yaml
@@ -1,4 +1,5 @@
homepage: "https://postgresql.org"
+main_repo: "https://git.postgresql.org/git/postgresql"
primary_contact: "sfrost@snowman.net"
language: c
auto_ccs:
@@ -8,5 +9,6 @@ auto_ccs:
fuzzing_engines:
- libfuzzer
- honggfuzz
+ - afl
sanitizers:
- address
diff --git a/projects/proj4/Dockerfile b/projects/proj4/Dockerfile
index 8d9790698..da7263a0c 100644
--- a/projects/proj4/Dockerfile
+++ b/projects/proj4/Dockerfile
@@ -16,7 +16,7 @@
FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get update && \
- apt-get install -y make autoconf automake libtool g++ sqlite3 pkg-config
+ apt-get install -y make autoconf automake libtool g++ sqlite3 pkg-config wget
RUN git clone --depth 1 https://github.com/OSGeo/proj proj
diff --git a/projects/prometheus/Dockerfile b/projects/prometheus/Dockerfile
index d856df0cc..7e22750f9 100644
--- a/projects/prometheus/Dockerfile
+++ b/projects/prometheus/Dockerfile
@@ -15,7 +15,8 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/prometheus/prometheus/cmd/...
+ENV GO111MODULE=on
+RUN git clone https://github.com/prometheus/prometheus $GOPATH/src/github.com/prometheus/prometheus
COPY build.sh $SRC/
-RUN mkdir $SRC/prometheus/
-WORKDIR $SRC/prometheus/
+# Required to avoid 'working directory is not part of a module' error.
+WORKDIR $GOPATH/src/github.com/prometheus/prometheus
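Review bot: The `git clone` of prometheus has no `--depth 1`, unlike every other clone in this change, so each image build pulls the repository's full history for no benefit to the fuzz build. Add it: `RUN git clone --depth 1 https://github.com/prometheus/prometheus $GOPATH/src/github.com/prometheus/prometheus`. Note also that `WORKDIR` now points under `$GOPATH` while `build.sh` is still copied to `$SRC/`, so the script must not assume it runs from `$SRC/prometheus` as the removed lines did.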
diff --git a/projects/protobuf-c/Dockerfile b/projects/protobuf-c/Dockerfile
index e0f854aee..c4407cc05 100644
--- a/projects/protobuf-c/Dockerfile
+++ b/projects/protobuf-c/Dockerfile
@@ -16,9 +16,9 @@
FROM gcr.io/oss-fuzz-base/base-builder
MAINTAINER guidovranken@gmail.com
-RUN apt-get update && apt-get install -y make autoconf automake libtool
+RUN apt-get update && apt-get install -y make autoconf automake libtool pkg-config
RUN git clone --depth 1 --recursive https://github.com/protocolbuffers/protobuf.git
-RUN git clone --depth 1 https://github.com/protobuf-c/protobuf-c.git
+RUN git clone --depth 1 https://github.com/protobuf-c/protobuf-c.git -b next
RUN git clone --depth 1 https://github.com/guidovranken/fuzzing-headers.git
RUN git clone --depth 1 https://github.com/guidovranken/protobuf-c-fuzzers.git
COPY build.sh $SRC/
diff --git a/projects/protobuf-c/build.sh b/projects/protobuf-c/build.sh
index f0aabdccf..8eda36a39 100755
--- a/projects/protobuf-c/build.sh
+++ b/projects/protobuf-c/build.sh
@@ -27,6 +27,11 @@ then
export CXXFLAGS="$CXXFLAGS -DMSAN"
fi
+if [[ $SANITIZER = coverage ]]
+then
+ export CXXFLAGS="$CXXFLAGS -fno-use-cxa-atexit"
+fi
+
mkdir $SRC/protobuf-install/
cd $SRC/protobuf/
./autogen.sh
@@ -38,7 +43,8 @@ export PROTOC="$SRC/protobuf-install/bin/protoc"
cd $SRC/protobuf-c/
./autogen.sh
-protobuf_LIBS="-L/$SRC/protobuf-install/lib -lprotobuf" protobuf_CFLAGS="-I $SRC/protobuf-install/include/" ./configure --enable-static=yes --enable-shared=false
+./configure --enable-static=yes --enable-shared=false PKG_CONFIG_PATH=$SRC/protobuf-install/lib/pkgconfig
+
make -j$(nproc)
cd $SRC/fuzzing-headers/
diff --git a/projects/protobuf-c/project.yaml b/projects/protobuf-c/project.yaml
index 6ba2998df..9103f1bce 100644
--- a/projects/protobuf-c/project.yaml
+++ b/projects/protobuf-c/project.yaml
@@ -1,6 +1,8 @@
homepage: "https://github.com/protobuf-c/protobuf-c"
language: c
primary_contact: "guidovranken@gmail.com"
+auto_ccs:
+ - "ilya.lipnitskiy@gmail.com"
sanitizers:
- address
- memory
@@ -8,3 +10,4 @@ architectures:
- x86_64
- i386
main_repo: 'https://github.com/protobuf-c/protobuf-c.git'
+coverage_extra_args: -ignore-filename-regex=.*/protobuf-install/.*
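Review bot: The `coverage_extra_args` value starts with `-` and contains a regex, and is left unquoted; YAML parses it as a plain scalar today, but a later edit that adds a space after the dash or a `#` or `: ` inside the pattern would silently change its parse. Quote it, `coverage_extra_args: '-ignore-filename-regex=.*/protobuf-install/.*'`, matching the single quotes used for `main_repo` on the line above.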
diff --git a/projects/qemu/Dockerfile b/projects/qemu/Dockerfile
index baf4d470e..779fc39a4 100644
--- a/projects/qemu/Dockerfile
+++ b/projects/qemu/Dockerfile
@@ -16,7 +16,8 @@
FROM gcr.io/oss-fuzz-base/base-builder
RUN apt-get update && apt-get install -y make autoconf automake libtool \
- libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev patchelf wget
+ libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev patchelf wget \
+ libattr1 libattr1-dev libcap-ng-dev
# Ninja in the apt repos is too old. Get it directly from github
RUN wget https://github.com/ninja-build/ninja/releases/latest/download/ninja-linux.zip \
&& unzip ninja-linux.zip \
diff --git a/projects/qemu/project.yaml b/projects/qemu/project.yaml
index 87a372101..09748302c 100644
--- a/projects/qemu/project.yaml
+++ b/projects/qemu/project.yaml
@@ -12,7 +12,6 @@ sanitizers:
- undefined
fuzzing_engines:
- libfuzzer
- - honggfuzz
architectures:
- x86_64
main_repo: 'https://git.qemu.org/git/qemu.git'
diff --git a/projects/qt/Dockerfile b/projects/qt/Dockerfile
index db47bedff..4d5e91df2 100644
--- a/projects/qt/Dockerfile
+++ b/projects/qt/Dockerfile
@@ -15,7 +15,11 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN apt-get update && apt-get install -y ninja-build
+RUN apt-get update && apt-get install -y ninja-build libc6-dev:i386
+RUN git clone --depth 1 https://github.com/AFLplusplus/AFLplusplus.git myaflplusplus && \
+ cp -r myaflplusplus/dictionaries afldictionaries && \
+ cp -r myaflplusplus/testcases afltestcases && \
+ rm -rf myaflplusplus
RUN git clone --branch dev --depth 1 --shallow-submodules \
--recurse-submodules=qtbase \
--recurse-submodules=qtsvg \
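Review bot: `libc6-dev:i386` is installed without a preceding `dpkg --add-architecture i386`; if the base image has not already enabled the i386 foreign architecture, `apt-get` cannot find the package, so either make it `RUN dpkg --add-architecture i386 && apt-get update && apt-get install -y ninja-build libc6-dev:i386` or add a comment stating that base-builder already enables it (I cannot verify that from this hunk). The AFL++ clone is also taken from whatever HEAD is current, only to copy `dictionaries` and `testcases`; pinning a tag or commit there would make the seed inputs reproducible across builds.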
diff --git a/projects/qt/project.yaml b/projects/qt/project.yaml
index d76402977..941006709 100644
--- a/projects/qt/project.yaml
+++ b/projects/qt/project.yaml
@@ -5,4 +5,5 @@ auto_ccs:
- "shawn.t.rutledge@gmail.com"
architectures:
- x86_64
+ - i386
main_repo: 'git://code.qt.io/qt/qt5.git'
diff --git a/projects/quic-go/Dockerfile b/projects/quic-go/Dockerfile
index f9889e3fc..9ee792c23 100644
--- a/projects/quic-go/Dockerfile
+++ b/projects/quic-go/Dockerfile
@@ -16,12 +16,12 @@
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get -u -d github.com/marten-seemann/qpack/ && \
- cd /root/go/src/github.com/marten-seemann/qpack && \
+RUN git clone --depth 1 https://github.com/marten-seemann/qpack/ && \
+ cd qpack && \
go build
-RUN go get -u -d github.com/lucas-clemente/quic-go/ && \
- cd /root/go/src/github.com/lucas-clemente/quic-go && \
+RUN git clone --depth 1 https://github.com/lucas-clemente/quic-go/ && \
+ cd quic-go && \
go build
COPY build.sh .
diff --git a/projects/quic-go/build.sh b/projects/quic-go/build.sh
index 6be3fae66..4ed3b62d0 100644
--- a/projects/quic-go/build.sh
+++ b/projects/quic-go/build.sh
@@ -17,11 +17,14 @@
set -ex
-
-
+(
+cd qpack
# Fuzz qpack
compile_go_fuzzer github.com/marten-seemann/qpack/fuzzing Fuzz qpack_fuzzer
+)
+(
+cd quic-go
# Fuzz quic-go
compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/frames Fuzz frame_fuzzer
compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/header Fuzz header_fuzzer
@@ -29,13 +32,18 @@ compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/transportparameters
compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/tokens Fuzz token_fuzzer
compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/handshake Fuzz handshake_fuzzer
+if [ $SANITIZER == "coverage" ]; then
+ # no need for corpuses if coverage
+ exit 0
+fi
# generate seed corpora
-go generate $GOPATH/src/github.com/lucas-clemente/quic-go/fuzzing/...
+go generate ./fuzzing/...
-zip --quiet -r $OUT/header_fuzzer_seed_corpus.zip $GOPATH/src/github.com/lucas-clemente/quic-go/fuzzing/header/corpus
-zip --quiet -r $OUT/frame_fuzzer_seed_corpus.zip $GOPATH/src/github.com/lucas-clemente/quic-go/fuzzing/frames/corpus
-zip --quiet -r $OUT/transportparameter_fuzzer_seed_corpus.zip $GOPATH/src/github.com/lucas-clemente/quic-go/fuzzing/transportparameters/corpus
-zip --quiet -r $OUT/handshake_fuzzer_seed_corpus.zip $GOPATH/src/github.com/lucas-clemente/quic-go/fuzzing/handshake/corpus
+zip --quiet -r $OUT/header_fuzzer_seed_corpus.zip fuzzing/header/corpus
+zip --quiet -r $OUT/frame_fuzzer_seed_corpus.zip fuzzing/frames/corpus
+zip --quiet -r $OUT/transportparameter_fuzzer_seed_corpus.zip fuzzing/transportparameters/corpus
+zip --quiet -r $OUT/handshake_fuzzer_seed_corpus.zip fuzzing/handshake/corpus
+)
# for debugging
ls -al $OUT
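Review bot: The `exit 0` under the coverage check only leaves the `( cd quic-go ... )` subshell opened in the previous hunk, not the script, so `ls -al $OUT` still runs and the comment `# no need for corpuses if coverage` describes the outcome only because the corpus steps happen to be the rest of the subshell. The test also expands `$SANITIZER` unquoted; with an unset or empty value `[` is left with `== coverage` and errors out instead of taking the else path. Quoting and stating the scope reads as intended: `if [ "${SANITIZER:-}" == "coverage" ]; then` with a comment `# leaves the quic-go subshell only: skip corpus generation, still run the final ls`. The subshell this hunk closes at `)` begins in the preceding hunk.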
diff --git a/projects/radon/Dockerfile b/projects/radon/Dockerfile
index 9dbcd125d..fe4c6ca5d 100644
--- a/projects/radon/Dockerfile
+++ b/projects/radon/Dockerfile
@@ -15,6 +15,6 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/radondb/radon/src/fuzz/sqlparser
+RUN git clone --depth 1 https://github.com/radondb/radon
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/radon
diff --git a/projects/radon/build.sh b/projects/radon/build.sh
index 8bbc04a9c..ffc97895e 100644
--- a/projects/radon/build.sh
+++ b/projects/radon/build.sh
@@ -16,4 +16,6 @@
################################################################################
-compile_go_fuzzer github.com/radondb/radon/src/fuzz/sqlparser Fuzz fuzz
+cd ./src/fuzz/sqlparser
+go mod init github.com/radondb/radon/src/fuzz/sqlparser
+compile_go_fuzzer . Fuzz fuzz
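Review bot: `go mod init github.com/radondb/radon/src/fuzz/sqlparser` fails with "go.mod already exists" as soon as upstream adds a module file to that directory, which would break this build without any change on the oss-fuzz side. Guarding it keeps the script working in both states: `[ -f go.mod ] || go mod init github.com/radondb/radon/src/fuzz/sqlparser`. Whether the freshly initialised module resolves its imports without a `go mod tidy` depends on the Go toolchain in base-builder and on what `compile_go_fuzzer` does, neither of which is visible in this hunk.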
diff --git a/projects/relic/build.sh b/projects/relic/build.sh
index feda5d7c8..552b14fc6 100755
--- a/projects/relic/build.sh
+++ b/projects/relic/build.sh
@@ -33,7 +33,13 @@ export CXXFLAGS="$CXXFLAGS -D_LIBCPP_ENABLE_CXX17_REMOVED_AUTO_PTR"
cd $SRC/relic/
mkdir build/
cd build/
-cmake .. -DCOMP="$CFLAGS" -DQUIET=on -DRAND=CALL -DSHLIB=off -DSTBIN=off -DTESTS=0 -DBENCH=0 -DALLOC=DYNAMIC
+if [[ $CFLAGS = *-m32* ]]
+then
+ export RELIC_ARCH="X86"
+else
+ export RELIC_ARCH="X64"
+fi
+cmake .. -DCOMP="$CFLAGS" -DQUIET=on -DRAND=CALL -DSHLIB=off -DSTBIN=off -DTESTS=0 -DBENCH=0 -DALLOC=DYNAMIC -DARCH=$RELIC_ARCH
make -j$(nproc)
cd ../..
export RELIC_PATH=$(realpath relic)
@@ -49,7 +55,7 @@ else
fi
make -j$(nproc)
-export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_BOTAN"
+export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_BOTAN -DCRYPTOFUZZ_BOTAN_IS_ORACLE"
export LIBBOTAN_A_PATH="$SRC/botan/libbotan-3.a"
export BOTAN_INCLUDE_PATH="$SRC/botan/build/include"
@@ -59,9 +65,10 @@ python gen_repository.py
rm extra_options.h
echo -n '"' >>extra_options.h
echo -n '--force-module=relic ' >>extra_options.h
-echo -n '--operations=BignumCalc,ECC_PrivateToPublic,ECDSA_Sign,ECDSA_Verify ' >>extra_options.h
+echo -n '--operations=BignumCalc,ECC_PrivateToPublic,ECC_ValidatePubkey,ECDSA_Sign,ECDSA_Verify,Digest,HMAC,KDF_X963 ' >>extra_options.h
echo -n '--curves=secp256k1,secp256r1 ' >>extra_options.h
-echo -n '--digests=NULL ' >>extra_options.h
+echo -n '--digests=NULL,SHA224,SHA256,SHA384,SHA512,BLAKE2S160,BLAKE2S256 ' >>extra_options.h
+echo -n '--calcops=Abs,Add,Bit,ClearBit,Cmp,CmpAbs,Div,ExpMod,GCD,InvMod,IsEven,IsOdd,IsZero,Jacobi,LCM,LShift1,Mod,Mul,Neg,NumBits,RShift,SetBit,Sqr,Sqrt,Sub ' >>extra_options.h
echo -n '"' >>extra_options.h
cd modules/relic/
make -B -j$(nproc)
diff --git a/projects/relic/project.yaml b/projects/relic/project.yaml
index 823b4f934..98fb04fce 100644
--- a/projects/relic/project.yaml
+++ b/projects/relic/project.yaml
@@ -10,3 +10,4 @@ sanitizers:
- memory
architectures:
- x86_64
+ - i386
diff --git a/projects/rnp/build.sh b/projects/rnp/build.sh
index 7e0833ce0..1bfd8aa5f 100755
--- a/projects/rnp/build.sh
+++ b/projects/rnp/build.sh
@@ -60,6 +60,6 @@ for f in $FUZZERS; do
done
mkdir -p "${OUT}/lib"
-cp src/lib/librnp-0.so.0 "${OUT}/lib/"
+cp src/lib/librnp.so.0 "${OUT}/lib/"
cp /usr/lib/libbotan-2.so.16 "${OUT}/lib/"
cp /lib/x86_64-linux-gnu/libjson-c.so.2 "${OUT}/lib/"
diff --git a/projects/runc/Dockerfile b/projects/runc/Dockerfile
new file mode 100644
index 000000000..78616e91e
--- /dev/null
+++ b/projects/runc/Dockerfile
@@ -0,0 +1,20 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/opencontainers/runc
+COPY build.sh $SRC/
+WORKDIR $SRC/runc
diff --git a/projects/runc/build.sh b/projects/runc/build.sh
new file mode 100644
index 000000000..4f0b084d1
--- /dev/null
+++ b/projects/runc/build.sh
@@ -0,0 +1,18 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+$SRC/runc/tests/fuzzing/oss_fuzz_build.sh
diff --git a/projects/runc/project.yaml b/projects/runc/project.yaml
new file mode 100644
index 000000000..fc387c82b
--- /dev/null
+++ b/projects/runc/project.yaml
@@ -0,0 +1,16 @@
+homepage: "https://github.com/opencontainers/runc"
+main_repo: "https://github.com/opencontainers/runc"
+primary_contact: "cyphar@cyphar.com"
+auto_ccs:
+ - "adam@adalogics.com"
+ - "michael@docker.com"
+ - "mpatel@redhat.com"
+ - "dqminh89@gmail.com"
+ - "h.huangqiang@huawei.com"
+ - "akihiro.suda.cz@hco.ntt.co.jp"
+ - "kolyshkin@gmail.com"
+language: go
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
diff --git a/projects/rustls/Dockerfile b/projects/rustls/Dockerfile
new file mode 100644
index 000000000..7406a474b
--- /dev/null
+++ b/projects/rustls/Dockerfile
@@ -0,0 +1,25 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make autoconf automake libtool curl cmake python llvm-dev libclang-dev clang
+
+RUN git clone https://github.com/ctz/rustls
+
+WORKDIR $SRC
+
+COPY build.sh $SRC/
+COPY persist.rs $SRC/rustls/fuzz/fuzzers/persist.rs
diff --git a/projects/rustls/build.sh b/projects/rustls/build.sh
new file mode 100755
index 000000000..d00359e98
--- /dev/null
+++ b/projects/rustls/build.sh
@@ -0,0 +1,25 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC/rustls
+cargo fuzz build -O
+cp fuzz/target/x86_64-unknown-linux-gnu/release/client $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/deframer $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/fragment $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/hsjoiner $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/message $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/server $OUT/
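Review bot: The copy list after `cargo fuzz build -O` ships six targets but not `persist`, although projects/rustls/Dockerfile places `persist.rs` into `fuzz/fuzzers/` in this same commit, so that harness is either built and then dropped or never built at all. If upstream `fuzz/Cargo.toml` declares a `persist` bin target, add `cp fuzz/target/x86_64-unknown-linux-gnu/release/persist $OUT/`; if it does not, cargo-fuzz will not build a file that is merely present in the directory and the Dockerfile would also need to register it. A comment naming where the target list comes from would make the next omission obvious. The hardcoded `x86_64-unknown-linux-gnu` path matches project.yaml's default architecture but will need a variable if i386 is ever added.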
diff --git a/projects/rustls/persist.rs b/projects/rustls/persist.rs
new file mode 100644
index 000000000..186cd9af6
--- /dev/null
+++ b/projects/rustls/persist.rs
@@ -0,0 +1,30 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+//limitations under the License.
+//
+//################################################################################
+#![no_main]
+#[macro_use] extern crate libfuzzer_sys;
+extern crate rustls;
+
+use rustls::internal::msgs::persist;
+use rustls::internal::msgs::codec::{Reader, Codec};
+
+fn try_type<T>(data: &[u8]) where T: Codec {
+ let mut rdr = Reader::init(data);
+ T::read(&mut rdr);
+}
+
+fuzz_target!(|data: &[u8]| {
+ try_type::<persist::ServerSessionValue>(data);
+});
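Review bot: `T::read(&mut rdr);` in `try_type` drops the decoded value, so the harness only checks that decoding does not panic or overrun; if `Codec` also exposes an encode side, re-encoding a `Some` result and reading it back would let this target catch round-trip inconsistencies in `ServerSessionValue` as well. At minimum `let _ = T::read(&mut rdr);` states that the discard is deliberate. The licence header is also slightly off compared with the other new files in this commit: `//limitations` and `//####...` lack the space after `//`.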
diff --git a/projects/rustls/project.yaml b/projects/rustls/project.yaml
new file mode 100644
index 000000000..73e4f27d6
--- /dev/null
+++ b/projects/rustls/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/ctz/rustls"
+main_repo: "https://github.com/ctz/rustls"
+primary_contact: "jpixton@gmail.com"
+sanitizers:
+ - address
+fuzzing_engines:
+ - libfuzzer
+language: rust
+auto_ccs:
+ - "david@adalogics.com"
diff --git a/projects/serenity/project.yaml b/projects/serenity/project.yaml
index b781d18a1..70acba02c 100644
--- a/projects/serenity/project.yaml
+++ b/projects/serenity/project.yaml
@@ -8,6 +8,7 @@ auto_ccs:
- "luke.wilde@live.co.uk"
- "bugaevc@serenityos.org"
- "b.gianfo@gmail.com"
+ - "idan.horowitz@gmail.com"
- "~awesomekling/serenityos-dev@lists.sr.ht"
# Bug reports are public by default:
diff --git a/projects/skia/build.sh b/projects/skia/build.sh
index a8b111d42..0f6d73fb4 100644
--- a/projects/skia/build.sh
+++ b/projects/skia/build.sh
@@ -15,12 +15,6 @@
#
################################################################################
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
# Build SwiftShader
pushd third_party/externals/swiftshader/
export SWIFTSHADER_INCLUDE_PATH=$PWD/include
@@ -44,13 +38,15 @@ elif [ $SANITIZER == "undefined" ]; then
CMAKE_SANITIZER="SWIFTSHADER_UBSAN_DISABLED"
elif [ $SANITIZER == "coverage" ]; then
CMAKE_SANITIZER="SWIFTSHADER_EMIT_COVERAGE"
+elif [ $SANITIZER == "thread" ]; then
+ CMAKE_SANITIZER="SWIFTSHADER_UBSAN_DISABLED"
else
exit 1
fi
CFLAGS= CXXFLAGS="-stdlib=libc++" cmake .. -GNinja -DCMAKE_MAKE_PROGRAM="$SRC/depot_tools/ninja" -D$CMAKE_SANITIZER=1
$SRC/depot_tools/ninja libGLESv2 libEGL
-cp libGLESv2.so libEGL.so $OUT
+mv libGLESv2.so libEGL.so $OUT
export SWIFTSHADER_LIB_PATH=$OUT
popd
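Review bot: The new `thread` branch reuses `SWIFTSHADER_UBSAN_DISABLED`, which from its name (and its use for the `undefined` build) appears to build SwiftShader without sanitizer instrumentation; under TSan that means races inside `libGLESv2.so`/`libEGL.so` are invisible to the runtime and only Skia's own accesses around those calls can be reported. That trade-off may be intentional, but it deserves a comment on the branch, e.g. `# TSan: SwiftShader is built uninstrumented; races inside it are not detected.`. The `mv libGLESv2.so libEGL.so $OUT` change below is consistent with `SWIFTSHADER_LIB_PATH=$OUT` on the next line.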
@@ -104,6 +100,7 @@ $SRC/depot_tools/ninja -C out/Fuzz \
android_codec \
animated_image_decode \
api_create_ddl \
+ api_ddl_threading \
api_draw_functions \
api_gradients \
api_image_filter \
@@ -113,6 +110,7 @@ $SRC/depot_tools/ninja -C out/Fuzz \
api_pathop \
api_polyutils \
api_raster_n32_canvas \
+ api_regionop \
api_skparagraph \
api_svg_canvas \
image_decode \
@@ -139,25 +137,19 @@ $SRC/depot_tools/ninja -C out/Fuzz \
rm -rf $OUT/data
mkdir $OUT/data
-cp out/Fuzz/region_deserialize $OUT/region_deserialize
+mv out/Fuzz/region_deserialize $OUT/region_deserialize
-cp out/Fuzz/region_set_path $OUT/region_set_path
-cp ../skia_data/region_set_path_seed_corpus.zip $OUT/region_set_path_seed_corpus.zip
+mv out/Fuzz/region_set_path $OUT/region_set_path
+mv ../skia_data/region_set_path_seed_corpus.zip $OUT/region_set_path_seed_corpus.zip
-cp out/Fuzz/textblob_deserialize $OUT/textblob_deserialize
-cp ../skia_data/textblob_deserialize_seed_corpus.zip $OUT/textblob_deserialize_seed_corpus.zip
+mv out/Fuzz/textblob_deserialize $OUT/textblob_deserialize
+mv ../skia_data/textblob_deserialize_seed_corpus.zip $OUT/textblob_deserialize_seed_corpus.zip
-cp out/Fuzz/path_deserialize $OUT/path_deserialize
-cp ../skia_data/path_deserialize_seed_corpus.zip $OUT/path_deserialize_seed_corpus.zip
-
-cp out/Fuzz/image_decode $OUT/image_decode
-cp ../skia_data/image_decode_seed_corpus.zip $OUT/image_decode_seed_corpus.zip
+mv out/Fuzz/path_deserialize $OUT/path_deserialize
+mv ../skia_data/path_deserialize_seed_corpus.zip $OUT/path_deserialize_seed_corpus.zip
-cp out/Fuzz/animated_image_decode $OUT/animated_image_decode
-cp ../skia_data/animated_image_decode_seed_corpus.zip $OUT/animated_image_decode_seed_corpus.zip
-
-cp out/Fuzz/image_filter_deserialize $OUT/image_filter_deserialize
-cp ../skia_data/image_filter_deserialize_seed_corpus.zip $OUT/image_filter_deserialize_seed_corpus.zip
+mv out/Fuzz/animated_image_decode $OUT/animated_image_decode
+mv ../skia_data/animated_image_decode_seed_corpus.zip $OUT/animated_image_decode_seed_corpus.zip
# Only create the width version of image_filter_deserialize if building with
# libfuzzer, since it depends on a libfuzzer specific flag.
@@ -165,87 +157,101 @@ if [ "$FUZZING_ENGINE" == "libfuzzer" ]
then
# Use the same binary as image_filter_deserialize.
cp out/Fuzz/image_filter_deserialize $OUT/image_filter_deserialize_width
- cp ../skia_data/image_filter_deserialize_width.options $OUT/image_filter_deserialize_width.options
+ mv ../skia_data/image_filter_deserialize_width.options $OUT/image_filter_deserialize_width.options
# Use the same seed corpus as image_filter_deserialize.
cp ../skia_data/image_filter_deserialize_seed_corpus.zip $OUT/image_filter_deserialize_width_seed_corpus.zip
fi
-cp out/Fuzz/api_draw_functions $OUT/api_draw_functions
-cp ../skia_data/api_draw_functions_seed_corpus.zip $OUT/api_draw_functions_seed_corpus.zip
+mv out/Fuzz/image_filter_deserialize $OUT/image_filter_deserialize
+mv ../skia_data/image_filter_deserialize_seed_corpus.zip $OUT/image_filter_deserialize_seed_corpus.zip
+
+mv out/Fuzz/api_draw_functions $OUT/api_draw_functions
+mv ../skia_data/api_draw_functions_seed_corpus.zip $OUT/api_draw_functions_seed_corpus.zip
-cp out/Fuzz/api_gradients $OUT/api_gradients
-cp ../skia_data/api_gradients_seed_corpus.zip $OUT/api_gradients_seed_corpus.zip
+mv out/Fuzz/api_gradients $OUT/api_gradients
+mv ../skia_data/api_gradients_seed_corpus.zip $OUT/api_gradients_seed_corpus.zip
-cp out/Fuzz/api_path_measure $OUT/api_path_measure
-cp ../skia_data/api_path_measure_seed_corpus.zip $OUT/api_path_measure_seed_corpus.zip
+mv out/Fuzz/api_path_measure $OUT/api_path_measure
+mv ../skia_data/api_path_measure_seed_corpus.zip $OUT/api_path_measure_seed_corpus.zip
-cp out/Fuzz/api_pathop $OUT/api_pathop
-cp ../skia_data/api_pathop_seed_corpus.zip $OUT/api_pathop_seed_corpus.zip
+mv out/Fuzz/api_pathop $OUT/api_pathop
+mv ../skia_data/api_pathop_seed_corpus.zip $OUT/api_pathop_seed_corpus.zip
-cp out/Fuzz/png_encoder $OUT/png_encoder
+# These 3 use the same corpus.
+mv out/Fuzz/png_encoder $OUT/png_encoder
cp ../skia_data/encoder_seed_corpus.zip $OUT/png_encoder_seed_corpus.zip
-cp out/Fuzz/jpeg_encoder $OUT/jpeg_encoder
+mv out/Fuzz/jpeg_encoder $OUT/jpeg_encoder
cp ../skia_data/encoder_seed_corpus.zip $OUT/jpeg_encoder_seed_corpus.zip
-cp out/Fuzz/webp_encoder $OUT/webp_encoder
-cp ../skia_data/encoder_seed_corpus.zip $OUT/webp_encoder_seed_corpus.zip
+mv out/Fuzz/webp_encoder $OUT/webp_encoder
+mv ../skia_data/encoder_seed_corpus.zip $OUT/webp_encoder_seed_corpus.zip
-cp out/Fuzz/skottie_json $OUT/skottie_json
-cp ../skia_data/skottie_json_seed_corpus.zip $OUT/skottie_json_seed_corpus.zip
+mv out/Fuzz/skottie_json $OUT/skottie_json
+mv ../skia_data/skottie_json_seed_corpus.zip $OUT/skottie_json_seed_corpus.zip
-cp out/Fuzz/skjson $OUT/skjson
-cp ../skia_data/json.dict $OUT/skjson.dict
-cp ../skia_data/skjson_seed_corpus.zip $OUT/skjson_seed_corpus.zip
+mv out/Fuzz/skjson $OUT/skjson
+mv ../skia_data/json.dict $OUT/skjson.dict
+mv ../skia_data/skjson_seed_corpus.zip $OUT/skjson_seed_corpus.zip
-cp out/Fuzz/api_mock_gpu_canvas $OUT/api_mock_gpu_canvas
+# These 4 use the same canvas_seed_corpus.
+mv out/Fuzz/api_mock_gpu_canvas $OUT/api_mock_gpu_canvas
cp ../skia_data/canvas_seed_corpus.zip $OUT/api_mock_gpu_canvas_seed_corpus.zip
-cp out/Fuzz/api_raster_n32_canvas $OUT/api_raster_n32_canvas
+mv out/Fuzz/api_raster_n32_canvas $OUT/api_raster_n32_canvas
cp ../skia_data/canvas_seed_corpus.zip $OUT/api_raster_n32_canvas_seed_corpus.zip
-cp out/Fuzz/api_image_filter $OUT/api_image_filter
-cp ../skia_data/api_image_filter_seed_corpus.zip $OUT/api_image_filter_seed_corpus.zip
+mv out/Fuzz/api_svg_canvas $OUT/api_svg_canvas
+cp ../skia_data/canvas_seed_corpus.zip $OUT/api_svg_canvas_seed_corpus.zip
-cp out/Fuzz/api_null_canvas $OUT/api_null_canvas
-cp ../skia_data/canvas_seed_corpus.zip $OUT/api_null_canvas_seed_corpus.zip
+mv out/Fuzz/api_null_canvas $OUT/api_null_canvas
+mv ../skia_data/canvas_seed_corpus.zip $OUT/api_null_canvas_seed_corpus.zip
-cp out/Fuzz/api_polyutils $OUT/api_polyutils
-cp ../skia_data/api_polyutils_seed_corpus.zip $OUT/api_polyutils_seed_corpus.zip
+mv out/Fuzz/api_image_filter $OUT/api_image_filter
+mv ../skia_data/api_image_filter_seed_corpus.zip $OUT/api_image_filter_seed_corpus.zip
-# These 2 can use the same corpus as the (non animated) image_decode.
-cp out/Fuzz/android_codec $OUT/android_codec
+mv out/Fuzz/api_polyutils $OUT/api_polyutils
+mv ../skia_data/api_polyutils_seed_corpus.zip $OUT/api_polyutils_seed_corpus.zip
+
+# These 3 use the same corpus.
+mv out/Fuzz/image_decode $OUT/image_decode
+cp ../skia_data/image_decode_seed_corpus.zip $OUT/image_decode_seed_corpus.zip
+
+mv out/Fuzz/android_codec $OUT/android_codec
cp ../skia_data/image_decode_seed_corpus.zip $OUT/android_codec_seed_corpus.zip.
-cp out/Fuzz/image_decode_incremental $OUT/image_decode_incremental
-cp ../skia_data/image_decode_seed_corpus.zip $OUT/image_decode_incremental_seed_corpus.zip
+mv out/Fuzz/image_decode_incremental $OUT/image_decode_incremental
+mv ../skia_data/image_decode_seed_corpus.zip $OUT/image_decode_incremental_seed_corpus.zip
-cp out/Fuzz/sksl2glsl $OUT/sksl2glsl
+# These 4 use the same sksl_seed_corpus.
+mv out/Fuzz/sksl2glsl $OUT/sksl2glsl
cp ../skia_data/sksl_seed_corpus.zip $OUT/sksl2glsl_seed_corpus.zip
-cp out/Fuzz/sksl2spirv $OUT/sksl2spirv
+mv out/Fuzz/sksl2spirv $OUT/sksl2spirv
cp ../skia_data/sksl_seed_corpus.zip $OUT/sksl2spirv_seed_corpus.zip
-cp out/Fuzz/sksl2metal $OUT/sksl2metal
+mv out/Fuzz/sksl2metal $OUT/sksl2metal
cp ../skia_data/sksl_seed_corpus.zip $OUT/sksl2metal_seed_corpus.zip
-cp out/Fuzz/sksl2pipeline $OUT/sksl2pipeline
-cp ../skia_data/sksl_seed_corpus.zip $OUT/sksl2pipeline_seed_corpus.zip
+mv out/Fuzz/sksl2pipeline $OUT/sksl2pipeline
+mv ../skia_data/sksl_seed_corpus.zip $OUT/sksl2pipeline_seed_corpus.zip
-cp out/Fuzz/skdescriptor_deserialize $OUT/skdescriptor_deserialize
+mv out/Fuzz/skdescriptor_deserialize $OUT/skdescriptor_deserialize
-cp out/Fuzz/svg_dom $OUT/svg_dom
-cp ../skia_data/svg_dom_seed_corpus.zip $OUT/svg_dom_seed_corpus.zip
+mv out/Fuzz/svg_dom $OUT/svg_dom
+mv ../skia_data/svg_dom_seed_corpus.zip $OUT/svg_dom_seed_corpus.zip
-cp out/Fuzz/api_svg_canvas $OUT/api_svg_canvas
-cp ../skia_data/canvas_seed_corpus.zip $OUT/api_svg_canvas_seed_corpus.zip
-cp out/Fuzz/skruntimeeffect $OUT/skruntimeeffect
-cp ../skia_data/sksl_with_256_padding_seed_corpus.zip $OUT/skruntimeeffect_seed_corpus.zip
+mv out/Fuzz/skruntimeeffect $OUT/skruntimeeffect
+mv ../skia_data/sksl_with_256_padding_seed_corpus.zip $OUT/skruntimeeffect_seed_corpus.zip
+
+mv out/Fuzz/api_create_ddl $OUT/api_create_ddl
+
+mv out/Fuzz/api_ddl_threading $OUT/api_ddl_threading
-cp out/Fuzz/api_create_ddl $OUT/api_create_ddl
+mv out/Fuzz/skp $OUT/skp
+mv ../skia_data/skp_seed_corpus.zip $OUT/skp_seed_corpus.zip
-cp out/Fuzz/skp $OUT/skp
-cp ../skia_data/skp_seed_corpus.zip $OUT/skp_seed_corpus.zip
+mv out/Fuzz/api_skparagraph $OUT/api_skparagraph
-cp out/Fuzz/api_skparagraph $OUT/api_skparagraph
+mv out/Fuzz/api_regionop $OUT/api_regionop
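Review bot: The `cp`→`mv` switch makes the shared-corpus stanzas order-dependent: for `canvas_seed_corpus.zip`, `image_decode_seed_corpus.zip`, `sksl_seed_corpus.zip`, `encoder_seed_corpus.zip` and `image_filter_deserialize_seed_corpus.zip` every consumer but the last uses `cp` and the last uses `mv`, so reordering any of these lines later silently loses a seed corpus (or fails the build, depending on the shebang outside this hunk). The new comments should say so, e.g. `# These 4 use the same canvas_seed_corpus; the last consumer moves it, keep it last.`. While here, the context line `cp ../skia_data/image_decode_seed_corpus.zip $OUT/android_codec_seed_corpus.zip.` has a trailing dot in the destination, so android_codec's corpus does not match the `<target>_seed_corpus.zip` naming the infrastructure looks for. The libfuzzer-only `if` block at the top of this hunk begins in the hunk header.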
diff --git a/projects/snappy/project.yaml b/projects/snappy/project.yaml
index da83622ff..6e5338a44 100644
--- a/projects/snappy/project.yaml
+++ b/projects/snappy/project.yaml
@@ -3,8 +3,9 @@ language: c++
primary_contact: "costan@google.com"
auto_ccs:
- "Adam@adalogics.com"
-sanitizers:
- - address
fuzzing_engines:
- libfuzzer
+ - afl
+sanitizers:
+ - address
main_repo: 'https://github.com/google/snappy'
diff --git a/projects/sound-open-firmware/project.yaml b/projects/sound-open-firmware/project.yaml
index dbef99ac5..4065def34 100644
--- a/projects/sound-open-firmware/project.yaml
+++ b/projects/sound-open-firmware/project.yaml
@@ -3,7 +3,4 @@ primary_contact: "cujomalainey@chromium.org"
language: c
auto_ccs:
- "ranjani.sridharan@intel.corp-partner.google.com"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
main_repo: "https://github.com/thesofproject/sof"
diff --git a/projects/spidermonkey-ufi/Dockerfile b/projects/spidermonkey-ufi/Dockerfile
index bf95bdfa7..25e4d2d60 100644
--- a/projects/spidermonkey-ufi/Dockerfile
+++ b/projects/spidermonkey-ufi/Dockerfile
@@ -19,7 +19,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
autoconf2.13 \
python \
libc++1 \
- libc++abi1
+ libc++abi1 \
+ m4
+
+# This wrapper of cargo seems to interfere with our build system.
+RUN rm -f /usr/local/bin/cargo
+
RUN git clone --depth=1 https://github.com/mozilla/gecko-dev mozilla-central
WORKDIR mozilla-central/js/src/
COPY build.sh target.c $SRC/
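Review bot: `RUN rm -f /usr/local/bin/cargo` deletes base-builder's cargo wrapper (infra/base-images/base-builder/cargo in this same commit) for the whole image, but the comment `# This wrapper of cargo seems to interfere with our build system.` records neither the failure that was observed nor what the wrapper would otherwise have contributed to the Rust parts of the build. The identical line and comment are added in projects/spidermonkey/Dockerfile. Expanding the comment, for example `# base-builder installs a cargo wrapper in /usr/local/bin; mach bootstrap fails with it (<ERROR_PLACEHOLDER>), so use the upstream cargo binary directly.`, lets a future reviewer judge whether the wrapper can be restored.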
diff --git a/projects/spidermonkey-ufi/build.sh b/projects/spidermonkey-ufi/build.sh
index 31c5b9535..9f703305c 100755
--- a/projects/spidermonkey-ufi/build.sh
+++ b/projects/spidermonkey-ufi/build.sh
@@ -23,7 +23,7 @@ FUZZ_TARGETS=(
# Install dependencies.
export SHELL=/bin/bash
-../../mach bootstrap --no-interactive --application-choice browser
+../../mach --no-interactive bootstrap --application-choice browser
autoconf2.13
diff --git a/projects/spidermonkey/Dockerfile b/projects/spidermonkey/Dockerfile
index 91c8332aa..9c74dce54 100644
--- a/projects/spidermonkey/Dockerfile
+++ b/projects/spidermonkey/Dockerfile
@@ -19,9 +19,13 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
autoconf2.13 \
libc++1 \
libc++abi1 \
+ m4 \
yasm \
python
+# This wrapper of cargo seems to interfere with our build system.
+RUN rm -f /usr/local/bin/cargo
+
RUN git clone --depth=1 https://github.com/mozilla/gecko-dev mozilla-central
WORKDIR mozilla-central/js/src/
COPY build.sh $SRC/
diff --git a/projects/spidermonkey/build.sh b/projects/spidermonkey/build.sh
index d5f34b80f..bf2e03bfc 100755
--- a/projects/spidermonkey/build.sh
+++ b/projects/spidermonkey/build.sh
@@ -17,7 +17,7 @@
# Install dependencies.
export SHELL=/bin/bash
-../../mach bootstrap --no-interactive --application-choice browser
+../../mach --no-interactive bootstrap --application-choice browser
autoconf2.13
diff --git a/projects/spotify-json/Dockerfile b/projects/spotify-json/Dockerfile
new file mode 100755
index 000000000..b39e5f998
--- /dev/null
+++ b/projects/spotify-json/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone https://github.com/spotify/spotify-json
+
+WORKDIR $SRC/spotify-json
+COPY build.sh $SRC/
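Review bot: Both `projects/spotify-json/Dockerfile` and `projects/spotify-json/project.yaml` are added with `new file mode 100755`, but neither is a script; they should be `100644` like the corresponding files under `projects/runc` in this diff. `RUN git clone https://github.com/spotify/spotify-json` also omits `--depth 1` (as does projects/rustls/Dockerfile), so the image carries the full history for no benefit. `git update-index --chmod=-x` on the two files and `RUN git clone --depth 1 https://github.com/spotify/spotify-json` would align it with the other new projects.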
diff --git a/projects/spotify-json/build.sh b/projects/spotify-json/build.sh
new file mode 100755
index 000000000..9d1506168
--- /dev/null
+++ b/projects/spotify-json/build.sh
@@ -0,0 +1,24 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+mkdir build && cd build
+cmake -DSPOTIFY_JSON_BUILD_TESTS=OFF ../
+make
+
+$CXX $CXXFLAGS $LIB_FUZZING_ENGINE ../fuzzers//fuzz_decode.cpp \
+ -I../include -I../vendor/double-conversion \
+ ./libspotify-json.a ./vendor/double-conversion/libdouble-conversion.a -lpthread -o $OUT/fuzz_decode
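Review bot: `../fuzzers//fuzz_decode.cpp` carries a doubled slash, harmless to the shell but an obvious typo; `../fuzzers/fuzz_decode.cpp`. `make` runs single-threaded while every other build script in this commit uses `make -j$(nproc)`. Since `cmake` is invoked without explicit compiler settings, the build relies on cmake reading `CC`/`CXX`/`CFLAGS`/`CXXFLAGS` from the environment to pick up the sanitizer flags, which is worth a one-line comment above the cmake call so nobody adds `-DCMAKE_C_COMPILER=gcc` later.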
diff --git a/projects/spotify-json/project.yaml b/projects/spotify-json/project.yaml
new file mode 100755
index 000000000..134dd78bf
--- /dev/null
+++ b/projects/spotify-json/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://github.com/spotify/spotify-json"
+main_repo: 'https://github.com/spotify/spotify-json'
+primary_contact: "johanl@spotify.com"
+language: c++
+auto_ccs:
+ - "david@adalogics.com"
diff --git a/projects/sudoers/build.sh b/projects/sudoers/build.sh
index 635739454..905450cb4 100755
--- a/projects/sudoers/build.sh
+++ b/projects/sudoers/build.sh
@@ -18,67 +18,22 @@
# Debugging
env
-# Move ASAN-specific flags into ASAN_CFLAGS and ASAN_LDFLAGS
-# That way they don't affect configure but will get used when building.
+# Some of the sanitizer flags cause issues with configure tests.
+# Pull them out of CFLAGS and pass them to configure instead.
if [ $SANITIZER == "coverage" ]; then
- export ASAN_CFLAGS="$COVERAGE_FLAGS"
- export ASAN_LDFLAGS="$COVERAGE_FLAGS"
CFLAGS="`echo \"$CFLAGS\" | sed \"s/ $COVERAGE_FLAGS//\"`"
+ sanitizer_opts="$COVERAGE_FLAGS"
else
- export ASAN_CFLAGS="$SANITIZER_FLAGS"
- export ASAN_LDFLAGS="$SANITIZER_FLAGS"
CFLAGS="`echo \"$CFLAGS\" | sed \"s/ $SANITIZER_FLAGS//\"`"
+ sanitizer_opts="$SANITIZER_FLAGS"
fi
-
-# Build sudo with static libs for simpler fuzzing
-./configure --enable-static-sudoers --enable-static --disable-shared-libutil \
- --disable-leaks --enable-warnings --enable-werror
-make -j$(nproc)
-
-# Fuzz I/O log JSON parser
-cd lib/iolog
-$CC $CFLAGS $ASAN_CFLAGS -c -I../../include -I../.. -I. \
- regress/fuzz/fuzz_iolog_json.c
-$CXX $CXXFLAGS $LIB_FUZZING_ENGINE -o $OUT/fuzz_iolog_json \
- fuzz_iolog_json.o .libs/libsudo_iolog.a \
- ../eventlog/.libs/libsudo_eventlog.a ../util/.libs/libsudo_util.a
-
-# Corpus for fuzzing I/O log JSON parser
-mkdir $WORK/corpus
-for f in `find regress/iolog_json -name '*.in'`; do
- cp $f $WORK/corpus/`sha1sum $f | cut -d' ' -f1`
-done
-zip -j $OUT/fuzz_iolog_json_seed_corpus.zip $WORK/corpus/*
-rm -rf $WORK/corpus
-
-# Fuzz sudoers parser
-cd ../../plugins/sudoers
-$CC $CFLAGS $ASAN_CFLAGS -c -I../../include -I../.. -I. \
- regress/fuzz/fuzz_sudoers.c
-$CXX $CXXFLAGS $LIB_FUZZING_ENGINE -o $OUT/fuzz_sudoers \
- fuzz_sudoers.o locale.o stubs.o sudo_printf.o \
- .libs/libparsesudoers.a ../../lib/util/.libs/libsudo_util.a
-
-# Corpus for fuzzing sudoers parser
-mkdir $WORK/corpus
-for f in sudoers `find regress/sudoers -name '*.in'`; do
- cp $f $WORK/corpus/`sha1sum $f | cut -d' ' -f1`
-done
-zip -j $OUT/fuzz_sudoers_seed_corpus.zip $WORK/corpus/*
-rm -rf $WORK/corpus
-
-# Fuzz sudoers LDIF parser (used by cvtsudoers)
-cd ../../plugins/sudoers
-$CC $CFLAGS $ASAN_CFLAGS -c -I../../include -I../.. -I. \
- regress/fuzz/fuzz_sudoers_ldif.c
-$CXX $CXXFLAGS $LIB_FUZZING_ENGINE -o $OUT/fuzz_sudoers_ldif \
- fuzz_sudoers_ldif.o parse_ldif.o ldap_util.o fmtsudoers.o locale.o stubs.o \
- sudo_printf.o .libs/libparsesudoers.a ../../lib/util/.libs/libsudo_util.a
-
-# Corpus for fuzzing sudoers LDIF parser
-mkdir $WORK/corpus
-for f in `find regress/sudoers -name '*.ldif.ok' \! -size 0`; do
- cp $f $WORK/corpus/`sha1sum $f | cut -d' ' -f1`
-done
-zip -j $OUT/fuzz_sudoers_ldif_seed_corpus.zip $WORK/corpus/*
-rm -rf $WORK/corpus
+# This is already added by --enable-fuzzer
+CFLAGS="`echo \"$CFLAGS\" | sed \"s/ -fsanitize=fuzzer-no-link//\"`"
+
+# Build sudo with static libs and enable fuzzing targets.
+# All fuzz targets are integrated into the build process.
+./configure --disable-shared --disable-shared-libutil --enable-static-sudoers \
+ --enable-sanitizer="$sanitizer_opts" --enable-fuzzer \
+ --enable-fuzzer-engine="$LIB_FUZZING_ENGINE" --enable-fuzzer-linker="$CXX" \
+ --enable-warnings --enable-werror
+make -j$(nproc) && make FUZZ_DESTDIR=$OUT install-fuzzer
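Review bot: `make -j$(nproc) && make FUZZ_DESTDIR=$OUT install-fuzzer` on the last line relies on a failed `make` being the script's final status; under `set -e` a non-final command in an `&&` list does not abort the script, so if a line is ever appended after it a failed build would carry on. Two plain lines, `make -j$(nproc)` and `make FUZZ_DESTDIR="$OUT" install-fuzzer`, keep errexit effective. The sed-based stripping is extended with `-fsanitize=fuzzer-no-link` but CXXFLAGS is left untouched; if `--enable-fuzzer-linker="$CXX"` links with CXXFLAGS the duplicated flag is probably harmless, but a sentence in the comment saying why only CFLAGS needs cleaning would settle it. The shebang and `set` options are outside this hunk.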
diff --git a/projects/suricata/Dockerfile b/projects/suricata/Dockerfile
index 40352073f..257e7fb04 100644
--- a/projects/suricata/Dockerfile
+++ b/projects/suricata/Dockerfile
@@ -15,13 +15,14 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN apt-get update && apt-get install -y build-essential autoconf automake libtool make pkg-config python flex bison zlib1g-dev libpcre3-dev
+RUN apt-get update && apt-get install -y build-essential autoconf automake libtool make pkg-config python flex bison zlib1g-dev libpcre3-dev libpcre2-dev cmake tshark
#TODO libmagic, liblzma, pcre and other optional libraries
ADD https://www.tcpdump.org/release/libpcap-1.9.1.tar.gz libpcap-1.9.1.tar.gz
ADD http://www.digip.org/jansson/releases/jansson-2.12.tar.gz jansson-2.12.tar.gz
RUN git clone --depth=1 https://github.com/yaml/libyaml
ADD https://github.com/lz4/lz4/archive/v1.9.2.tar.gz lz4-1.9.2.tar.gz
+RUN git clone --depth=1 https://github.com/catenacyber/fuzzpcap
ADD https://rules.emergingthreats.net/open/suricata/emerging.rules.zip emerging.rules.zip
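Review bot: The new `RUN git clone --depth=1 https://github.com/catenacyber/fuzzpcap` pulls the unpinned tip of a personal repository into the build image, while the dependencies fetched a few lines earlier are pinned by release tarball (libpcap 1.9.1, jansson 2.12, lz4 1.9.2). A build break, or a change in the FPC seed format this tool produces, then cannot be tied to a fuzzpcap revision. Pinning it, e.g. `RUN git clone https://github.com/catenacyber/fuzzpcap && git -C fuzzpcap checkout <FUZZPCAP_COMMIT>` with a known-good commit as the placeholder, keeps the image reproducible. A short comment naming why `tshark` is now installed (presumably for `tcptofpc.py`, used in build.sh) would also help the next person trimming this package list.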
diff --git a/projects/suricata/build.sh b/projects/suricata/build.sh
index d0e152d8b..18f228047 100755
--- a/projects/suricata/build.sh
+++ b/projects/suricata/build.sh
@@ -37,6 +37,13 @@ make -j$(nproc)
make install
cd ..
+cd fuzzpcap
+mkdir build
+cd build
+cmake ..
+make install
+cd ../..
+
cd libyaml
./bootstrap
./configure --disable-shared
@@ -52,8 +59,12 @@ mv libhtp suricata/
cd suricata
sh autogen.sh
#run configure with right options
+if [ "$SANITIZER" = "address" ]
+then
+ export RUSTFLAGS="$RUSTFLAGS -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=4 -Cllvm-args=-sanitizer-coverage-trace-compares -Cllvm-args=-sanitizer-coverage-inline-8bit-counters -Cllvm-args=-sanitizer-coverage-trace-geps -Cllvm-args=-sanitizer-coverage-prune-blocks=0 -Cllvm-args=-sanitizer-coverage-pc-table -Clink-dead-code -Cllvm-args=-sanitizer-coverage-stack-depth"
+fi
./src/tests/fuzz/oss-fuzz-configure.sh
-make
+make -j$(nproc)
cp src/fuzz_* $OUT/
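Review bot: The sancov instrumentation added to `RUSTFLAGS` is applied only when `$SANITIZER` is `address`, so any other sanitizer build presumably compiles the Rust parts of suricata without coverage instrumentation and the fuzzer gets no feedback from that code. If that is deliberate (for instance because the extra passes do not work with another sanitizer), a comment on the `if` line such as `# sancov passes for Rust code; only enabled for the ASan build` would stop a later reader from "fixing" it; if not, the condition could be dropped or widened. The single very long `export RUSTFLAGS=...` line would also read better split with `\` continuations, one `-Cllvm-args` per line.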
@@ -90,3 +101,13 @@ cat $t/*.rules > corpus/$i || true; echo -ne '\0' >> corpus/$i; cat $t/*.pcap >>
done
set -x
zip -q -r $OUT/fuzz_sigpcap_seed_corpus.zip corpus
+rm -Rf corpus
+mkdir corpus
+set +x
+ls | grep -v corpus | while read t; do
+cat $t/*.rules > corpus/$i || true; echo -ne '\0' >> corpus/$i; fpc_bin $t/*.pcap >> corpus/$i || rm corpus/$i; i=$((i+1));
+echo -ne '\0' >> corpus/$i; python3 $SRC/fuzzpcap/tcptofpc.py $t/*.pcap >> corpus/$i || rm corpus/$i; i=$((i+1));
+done
+set -x
+zip -q -r $OUT/fuzz_sigpcap_aware_seed_corpus.zip corpus
+echo "\"FPC0\"" > $OUT/fuzz_sigpcap_aware.dict
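Review bot: The two corpus entries written per directory in the new loop are inconsistent: the first line starts with `cat $t/*.rules > corpus/$i || true` before the NUL separator and the `fpc_bin` output, but the second starts directly with `echo -ne '\0' >> corpus/$i`, so every `tcptofpc.py` seed carries an empty rules section. If that is the intended shape for fuzz_sigpcap_aware a comment should say so; otherwise the line needs `cat $t/*.rules > corpus/$i || true;` prepended, matching the line above. `$i` is initialised before this hunk and simply continues counting from the earlier loop, which is worth a one-line comment since the seed files are named by it. `|| rm corpus/$i` also discards a seed whenever conversion fails without a trace in the build log; an `echo "skipping $t" >&2` in that branch would make a broken converter visible.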
diff --git a/projects/systemd/Dockerfile b/projects/systemd/Dockerfile
index ee351edf6..0705c568a 100644
--- a/projects/systemd/Dockerfile
+++ b/projects/systemd/Dockerfile
@@ -19,7 +19,7 @@ RUN apt-get update &&\
apt-get install -y gperf m4 gettext python3-pip \
libcap-dev libmount-dev libkmod-dev \
pkg-config wget &&\
- pip3 install meson ninja
+ pip3 install meson==0.56.2 ninja
RUN git clone --depth 1 https://github.com/systemd/systemd systemd
WORKDIR systemd
COPY build.sh $SRC/
diff --git a/projects/syzkaller/Dockerfile b/projects/syzkaller/Dockerfile
index 142313f35..fdef5b4be 100644
--- a/projects/syzkaller/Dockerfile
+++ b/projects/syzkaller/Dockerfile
@@ -16,11 +16,7 @@
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get -u -d github.com/google/syzkaller/prog
+RUN git clone --depth 1 https://github.com/google/syzkaller/
-# Dependency for one of the fuzz targets.
-# Note: this should not be necessary because this package is in syzkaller/vendor.
-RUN go get github.com/ianlancetaylor/demangle
-
-WORKDIR /root/go/src/github.com/google/syzkaller
+WORKDIR $SRC/syzkaller
COPY build.sh $SRC/
diff --git a/projects/syzkaller/build.sh b/projects/syzkaller/build.sh
index e47096bb8..0e98093f0 100755
--- a/projects/syzkaller/build.sh
+++ b/projects/syzkaller/build.sh
@@ -18,6 +18,9 @@
make descriptions
+
+go mod tidy && go mod vendor
+
compile_go_fuzzer github.com/google/syzkaller/pkg/compiler Fuzz compiler_fuzzer
compile_go_fuzzer github.com/google/syzkaller/prog/test FuzzDeserialize prog_deserialize_fuzzer
compile_go_fuzzer github.com/google/syzkaller/prog/test FuzzParseLog prog_parselog_fuzzer
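Review bot: `go mod tidy && go mod vendor` rewrites go.mod/go.sum and the vendor tree at build time, so the fuzzers may be linked against dependency versions that differ from what upstream committed, and the build now depends on module-proxy access even if the repository ships a vendor directory. If the aim is only to guarantee a vendor directory exists, `go mod vendor` alone does that; if `tidy` is needed to pull in a fuzz-only import, a comment naming that import would explain the step. The Dockerfile hunk above dropped the comment that the demangle dependency lives in syzkaller/vendor, so this is now the only place to record that reasoning.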
diff --git a/projects/tarantool/Dockerfile b/projects/tarantool/Dockerfile
new file mode 100644
index 000000000..7a40b0f6b
--- /dev/null
+++ b/projects/tarantool/Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y \
+ build-essential cmake make coreutils sed \
+ autoconf automake libtool zlib1g-dev \
+ libreadline-dev libncurses5-dev libssl-dev \
+ libunwind-dev libicu-dev luajit
+RUN git clone https://github.com/tarantool/tarantool
+WORKDIR tarantool
+RUN git submodule update --init --recursive
+COPY build.sh $SRC/
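Review bot: `RUN git clone https://github.com/tarantool/tarantool` followed by `RUN git submodule update --init --recursive` fetches full history for the main repository and every submodule, unlike the `--depth 1` clones used by the other projects in this commit, which makes the image build slower and larger with no benefit to the fuzzers. `RUN git clone --depth 1 --recurse-submodules --shallow-submodules https://github.com/tarantool/tarantool` performs both steps shallowly in a single layer, and the separate submodule `RUN` can then go.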
diff --git a/projects/tarantool/build.sh b/projects/tarantool/build.sh
new file mode 100755
index 000000000..940d88a2c
--- /dev/null
+++ b/projects/tarantool/build.sh
@@ -0,0 +1,62 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+case $SANITIZER in
+ address) SANITIZERS_ARGS="-DENABLE_ASAN=ON" ;;
+ undefined) SANITIZERS_ARGS="-DENABLE_UB_SANITIZER=ON" ;;
+ *) SANITIZERS_ARGS="" ;;
+esac
+
+: ${LD:="${CXX}"}
+: ${LDFLAGS:="${CXXFLAGS}"} # to make sure we link with sanitizer runtime
+
+cmake_args=(
+ # Specific to Tarantool
+ -DENABLE_FUZZER=ON
+ -DOSS_FUZZ=ON
+ $SANITIZERS_ARGS
+
+ # C compiler
+ -DCMAKE_C_COMPILER="${CC}"
+ -DCMAKE_C_FLAGS="${CFLAGS}"
+
+ # C++ compiler
+ -DCMAKE_CXX_COMPILER="${CXX}"
+ -DCMAKE_CXX_FLAGS="${CXXFLAGS}"
+
+ # Linker
+ -DCMAKE_LINKER="${LD}"
+ -DCMAKE_EXE_LINKER_FLAGS="${LDFLAGS}"
+ -DCMAKE_MODULE_LINKER_FLAGS="${LDFLAGS}"
+ -DCMAKE_SHARED_LINKER_FLAGS="${LDFLAGS}"
+)
+
+# Build the project and fuzzers.
+[[ -e build ]] && rm -rf build
+cmake "${cmake_args[@]}" -S . -B build
+make -j$(nproc) VERBOSE=1 -C build fuzzers
+
+# Archive and copy to $OUT seed corpus if the build succeeded.
+for f in $(ls build/test/fuzz/*_fuzzer);
+do
+ name=$(basename $f);
+ module=$(echo $name | sed 's/_fuzzer//')
+ corpus_dir="test/static/corpus/$module"
+ echo "Copying for $module";
+ cp $f $OUT/
+ [[ -e $corpus_dir ]] && zip -j $OUT/"$module"_fuzzer_seed_corpus.zip $corpus_dir/*
+done
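Review bot: The last command the script executes is `[[ -e $corpus_dir ]] && zip ...` inside the `for` loop, so when the final fuzzer has no `test/static/corpus/<module>` directory the loop — and with it the script — ends with the non-zero status of that test, and the build is reported as failed even though every fuzzer was copied. Writing it as `if [[ -e "$corpus_dir" ]]; then zip -j "$OUT/${module}_fuzzer_seed_corpus.zip" "$corpus_dir"/*; fi` keeps the exit status clean. The header `for f in $(ls build/test/fuzz/*_fuzzer);` parses `ls` output; `for f in build/test/fuzz/*_fuzzer; do` iterates the same files without the word-splitting hazard, and quoting `$f`, `$OUT` and `$corpus_dir` would match the `set -u` discipline the `#!/bin/bash -eu` shebang already asks for.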
diff --git a/projects/tarantool/project.yaml b/projects/tarantool/project.yaml
new file mode 100644
index 000000000..c757a53ca
--- /dev/null
+++ b/projects/tarantool/project.yaml
@@ -0,0 +1,16 @@
+homepage: "https://www.tarantool.io/en/"
+language: c
+builds_per_day: 4
+primary_contact: "kirill.yukhin@gmail.com"
+auto_ccs:
+ - "estetus@gmail.com"
+ - "totktonada.ru@gmail.com"
+fuzzing_engines:
+ - libfuzzer
+ - honggfuzz
+sanitizers:
+ - address
+ - undefined
+architectures:
+ - x86_64
+main_repo: "https://github.com/tarantool/tarantool"
diff --git a/projects/teleport/Dockerfile b/projects/teleport/Dockerfile
index bd0658129..8ffafb3a0 100644
--- a/projects/teleport/Dockerfile
+++ b/projects/teleport/Dockerfile
@@ -15,5 +15,6 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/gravitational/teleport.git
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/teleport
diff --git a/projects/teleport/build.sh b/projects/teleport/build.sh
index f5d464e85..260d47952 100644
--- a/projects/teleport/build.sh
+++ b/projects/teleport/build.sh
@@ -15,10 +15,7 @@
#
################################################################################
-
-mkdir -p $GOPATH/src/github.com/gravitational
-cd $GOPATH/src/github.com/gravitational
-git clone https://github.com/gravitational/teleport.git
+make update-vendor
compile_go_fuzzer github.com/gravitational/teleport/lib/fuzz FuzzParseProxyJump utils_fuzz gofuzz
compile_go_fuzzer github.com/gravitational/teleport/lib/fuzz FuzzNewExpression parse_fuzz gofuzz
diff --git a/projects/tensorflow/build.sh b/projects/tensorflow/build.sh
index 8f793951d..b59e4a58b 100755
--- a/projects/tensorflow/build.sh
+++ b/projects/tensorflow/build.sh
@@ -47,8 +47,8 @@ fi
# Determine all fuzz targets. To control what gets fuzzed with OSSFuzz, all
# supported fuzzers are in `//tensorflow/security/fuzzing`.
-# Ignore the identity and AttrValues fuzzer in opensource.
-declare -r FUZZERS=$(bazel query 'kind(cc_.*, tests(//tensorflow/security/fuzzing/...))' | grep -v identity | grep -v AttrValues | grep -v bfloat16)
+# Ignore fuzzers tagged with `no_oss` in opensource.
+declare -r FUZZERS=$(bazel query 'kind(cc_.*, tests(//tensorflow/security/fuzzing/...)) - attr(tags, no_oss, kind(cc_.*, tests(//tensorflow/security/fuzzing/...)))')
# Build the fuzzer targets.
# Pass in `--config=libc++` to link against libc++.
@@ -92,7 +92,11 @@ then
${RSYNC_CMD} ./bazel-out/k8-opt/bin/tensorflow/core/protobuf ${REMAP_PATH}
# Sync external dependencies. We don't need to include `bazel-tensorflow`.
+ # Also, remove `external/org_tensorflow` which is a copy of the entire source
+ # code that Bazel creates. Not removing this would cause `rsync` to expand a
+ # symlink that ends up pointing to itself!
pushd bazel-tensorflow
+ [[ -e external/org_tensorflow ]] && unlink external/org_tensorflow
${RSYNC_CMD} external/ ${REMAP_PATH}
popd
fi
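Review bot: `[[ -e external/org_tensorflow ]] && unlink external/org_tensorflow` tests the link's target rather than the link itself: `-e` follows symlinks, so a dangling or self-referential `org_tensorflow` link (the comment above describes it as ending up pointing to itself) makes the test false and `unlink` never runs, which is exactly the case the guard exists for. `[[ -L external/org_tensorflow ]] && unlink external/org_tensorflow` checks for the symlink regardless of where it points. The enclosing `if ... then` block begins before this hunk.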
diff --git a/projects/tesseract-ocr/project.yaml b/projects/tesseract-ocr/project.yaml
index 8e22d667c..522ba2b52 100644
--- a/projects/tesseract-ocr/project.yaml
+++ b/projects/tesseract-ocr/project.yaml
@@ -1,7 +1,4 @@
homepage: "https://github.com/tesseract-ocr/tesseract"
language: c++
primary_contact: "stjoweil@googlemail.com"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
main_repo: 'https://github.com/tesseract-ocr/tesseract'
diff --git a/projects/thrift/Dockerfile b/projects/thrift/Dockerfile
new file mode 100644
index 000000000..040188316
--- /dev/null
+++ b/projects/thrift/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y libssl-dev pkg-config autoconf automake libtool bison flex libboost-all-dev
+RUN git clone --depth 1 https://github.com/apache/thrift
+WORKDIR $SRC/thrift
+COPY build.sh $SRC/
diff --git a/projects/thrift/build.sh b/projects/thrift/build.sh
new file mode 100755
index 000000000..8194063b6
--- /dev/null
+++ b/projects/thrift/build.sh
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build project
+export ASAN_OPTIONS=detect_leaks=0
+
+./bootstrap.sh
+# rust fails compilation with clippy warnings
+./configure --with-rs=no
+make -j$(nproc)
+make install
+
+cd lib/go/test/fuzz
+thrift -r --gen go ../../../../tutorial/tutorial.thrift
+(cd ./gen-go/shared && go mod init shared)
+(cd ./gen-go/tutorial && go mod init tutorial)
+go mod tidy || true
+compile_go_fuzzer . Fuzz fuzz_go_tutorial
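Review bot: `export ASAN_OPTIONS=detect_leaks=0` does not affect the fuzzers at run time (OSS-Fuzz takes runtime options from a `<fuzzer>.options` file, not from the build environment), so its purpose here is presumably to keep the sanitizer-instrumented `thrift` compiler run by `thrift -r --gen go ...` from aborting the build on leak reports — and the `# build project` comment above it does not say so. Suggest replacing that comment with `# The instrumented thrift compiler is run below to generate Go code; don't let its leak reports fail the build.`. `go mod tidy || true` swallows every failure, including a missing or unfetchable module; if one specific harmless error is expected, naming it in a comment beside the `|| true` separates that from a real breakage.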
diff --git a/projects/thrift/project.yaml b/projects/thrift/project.yaml
new file mode 100644
index 000000000..586da66b7
--- /dev/null
+++ b/projects/thrift/project.yaml
@@ -0,0 +1,11 @@
+homepage: "https://thrift.apache.org/"
+language: c++
+primary_contact: "jensg@apache.org"
+auto_ccs :
+- "p.antoine@catenacyber.fr"
+
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+main_repo: 'https://github.com/apache/thrift'
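Review bot: `auto_ccs :` has a space before the colon and its sequence item is flush-left while `fuzzing_engines` and `sanitizers` indent theirs; both forms parse, but yamllint's `colons` and `indentation` rules flag them and the other new project.yaml files in this commit write `auto_ccs:` with indented items. The same `auto_ccs :` appears in the new w3m project.yaml, and tinygltf's project.yaml mixes an indented `auto_ccs` item with flush-left `fuzzing_engines`/`sanitizers` items. `auto_ccs:` followed by `  - "p.antoine@catenacyber.fr"` matches the rest of this file.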
diff --git a/projects/tidb/Dockerfile b/projects/tidb/Dockerfile
index b06a2b5e8..5c7d0fd3b 100644
--- a/projects/tidb/Dockerfile
+++ b/projects/tidb/Dockerfile
@@ -17,4 +17,4 @@
FROM gcr.io/oss-fuzz-base/base-builder
RUN git clone --depth 1 https://github.com/pingcap/tidb
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/tidb
diff --git a/projects/tidb/build.sh b/projects/tidb/build.sh
index ee6fbd35d..c11028f24 100755
--- a/projects/tidb/build.sh
+++ b/projects/tidb/build.sh
@@ -18,9 +18,7 @@
# Insert empty main function
sed -i '23 i\func main(){}'\\n $SRC/tidb/plugin/conn_ip_example/conn_ip_example.go
-mkdir $GOPATH/src/github.com/pingcap
-mv $SRC/tidb $GOPATH/src/github.com/pingcap/
-cd $GOPATH/src/github.com/pingcap/tidb && go get ./...
+go get ./...
compile_go_fuzzer github.com/pingcap/tidb/types FuzzMarshalJSON fuzzMarshalJSON
compile_go_fuzzer github.com/pingcap/tidb/types FuzzNewBitLiteral fuzzNewBitLiteral
diff --git a/projects/tinygltf/Dockerfile b/projects/tinygltf/Dockerfile
new file mode 100644
index 000000000..218baeb05
--- /dev/null
+++ b/projects/tinygltf/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN pip3 install meson ninja
+RUN git clone --depth 1 https://github.com/syoyo/tinygltf.git
+WORKDIR $SRC/tinygltf
+COPY build.sh $SRC/
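Review bot: `RUN pip3 install meson ninja` installs whatever meson is current when the image is built, while the systemd Dockerfile hunk earlier in this commit pins `meson==0.56.2`, presumably because a newer release broke a build. Unpinned build tools make the build non-reproducible and let an upstream tool release break fuzzing with no change on either side; pinning here as well, e.g. `RUN pip3 install meson==0.56.2 ninja` (or another known-good version), keeps the two projects consistent. A short comment giving the reason for the pin would help whoever bumps it later.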
diff --git a/projects/tinygltf/build.sh b/projects/tinygltf/build.sh
new file mode 100755
index 000000000..7c5429403
--- /dev/null
+++ b/projects/tinygltf/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build project
+cd tests/fuzzer/
+meson build
+cd build
+ninja -j$(nproc)
+cp fuzz_gltf $OUT/
diff --git a/projects/tinygltf/project.yaml b/projects/tinygltf/project.yaml
new file mode 100644
index 000000000..1b148734f
--- /dev/null
+++ b/projects/tinygltf/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/syoyo/tinygltf"
+language: c++
+primary_contact: "syoyo@lighttransport.com"
+auto_ccs:
+ - "p.antoine@catenacyber.fr"
+fuzzing_engines:
+- libfuzzer
+sanitizers:
+- address
+main_repo: 'https://github.com/syoyo/tinygltf.git'
diff --git a/projects/tpm2-tss/Dockerfile b/projects/tpm2-tss/Dockerfile
index 47c6c44fd..9f74c7a14 100644
--- a/projects/tpm2-tss/Dockerfile
+++ b/projects/tpm2-tss/Dockerfile
@@ -50,7 +50,8 @@ RUN apt-get update && \
python3-pip \
libsqlite3-dev \
python-cryptography \
- python3-cryptography
+ python3-cryptography \
+ acl
RUN pip3 install cpp-coveralls
diff --git a/projects/tpm2-tss/project.yaml b/projects/tpm2-tss/project.yaml
index 65b8e3c1f..04af6fe9d 100644
--- a/projects/tpm2-tss/project.yaml
+++ b/projects/tpm2-tss/project.yaml
@@ -5,6 +5,7 @@ auto_ccs:
- "andreas.fuchs@sit.fraunhofer.de"
- "john.s.andersen@intel.com"
- "william.c.roberts@intel.com"
+ - "tstruk@gmail.com"
sanitizers:
- address
- memory
diff --git a/projects/ujson/Dockerfile b/projects/ujson/Dockerfile
index f044df681..81550c687 100644
--- a/projects/ujson/Dockerfile
+++ b/projects/ujson/Dockerfile
@@ -25,4 +25,4 @@ RUN git clone \
WORKDIR ultrajson
-COPY build.sh json_differential_fuzzer.py ujson_fuzzer.py $SRC/
+COPY build.sh json_differential_fuzzer.py ujson_fuzzer.py hypothesis_structured_fuzzer.py $SRC/
diff --git a/projects/unbound/build.sh b/projects/unbound/build.sh
index cd539d8e1..697e457b6 100755
--- a/projects/unbound/build.sh
+++ b/projects/unbound/build.sh
@@ -39,7 +39,7 @@ OBJECTS_TO_LINK="dns.o infra.o rrset.o dname.o \
rbtree.o regional.o rtt.o dnstree.o lookup3.o lruhash.o slabhash.o \
tcp_conn_limit.o timehist.o tube.o winsock_event.o autotrust.o val_anchor.o \
validator.o val_kcache.o val_kentry.o val_neg.o val_nsec3.o val_nsec.o \
- val_secalgo.o val_sigcrypt.o val_utils.o dns64.o cachedb.o redis.o authzone.o \
+ val_secalgo.o val_sigcrypt.o val_utils.o dns64.o authzone.o \
respip.o netevent.o listen_dnsport.o outside_network.o ub_event.o keyraw.o \
sbuffer.o wire2str.o parse.o parseutil.o rrdef.o str2wire.o libunbound.o \
libworker.o context.o rpz.o"
diff --git a/projects/unrar/build.sh b/projects/unrar/build.sh
index d597942c2..94696828a 100644
--- a/projects/unrar/build.sh
+++ b/projects/unrar/build.sh
@@ -19,6 +19,10 @@ UNRAR_DEFINES="-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -DRAR_SMP -DRARDLL -DS
UNRAR_WNOS="-Wno-logical-op-parentheses -Wno-switch -Wno-dangling-else"
UNRAR_SRC_DIR="$SRC/unrar"
+# See: https://crbug.com/oss-fuzz/19333#c3
+CFLAGS="$CFLAGS -fno-sanitize=enum"
+CXXFLAGS="$CXXFLAGS -fno-sanitize=enum"
+
# build 'lib'. This builds libunrar.a and libunrar.so
# -fPIC is required for successful compilation.
make CXX=$CXX CXXFLAGS="$CXXFLAGS -fPIC $UNRAR_DEFINES $UNRAR_WNOS" \
diff --git a/projects/usbguard/project.yaml b/projects/usbguard/project.yaml
index ae1a007bf..a372cd3a6 100644
--- a/projects/usbguard/project.yaml
+++ b/projects/usbguard/project.yaml
@@ -1,9 +1,12 @@
homepage: "https://usbguard.github.io/"
language: c++
-primary_contact: "dkopecek@redhat.com"
+primary_contact: "rsroka@redhat.com"
sanitizers:
- address
- undefined
- memory
auto_ccs:
+ - "alakatos@redhat.com"
- "allenwebb@google.com"
+ - "zfridric@redhat.com"
+main_repo: "https://github.com/USBGuard/usbguard"
diff --git a/projects/utf8proc/project.yaml b/projects/utf8proc/project.yaml
index 8bad63fdd..c35bcea9a 100644
--- a/projects/utf8proc/project.yaml
+++ b/projects/utf8proc/project.yaml
@@ -6,9 +6,6 @@ auto_ccs:
sanitizers:
- address
- memory
- - undefined
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
+ - undefined
main_repo: 'https://github.com/JuliaStrings/utf8proc'
diff --git a/projects/vitess/Dockerfile b/projects/vitess/Dockerfile
index 8c242c023..8f066c8ba 100644
--- a/projects/vitess/Dockerfile
+++ b/projects/vitess/Dockerfile
@@ -15,13 +15,6 @@
################################################################################
FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/vitessio/vitess \
- vitess.io/vitess/go/bytes2 \
- vitess.io/vitess/go/sqltypes \
- vitess.io/vitess/go/vt/log \
- vitess.io/vitess/go/vt/proto/query \
- vitess.io/vitess/go/vt/proto/vtrpc \
- vitess.io/vitess/go/vt/vterrors \
- vitess.io/vitess/go/vt/vtgate/evalengine
+RUN git clone --depth 1 https://github.com/vitessio/vitess
COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/vitess
diff --git a/projects/vitess/build.sh b/projects/vitess/build.sh
index d8e9780e5..8a085f41d 100755
--- a/projects/vitess/build.sh
+++ b/projects/vitess/build.sh
@@ -15,4 +15,5 @@
#
################################################################################
-compile_go_fuzzer github.com/vitessio/vitess/go/vt/sqlparser Fuzz fuzz
+chmod +x $SRC/vitess/go/test/fuzzing/oss_fuzz_build.sh
+$SRC/vitess/go/test/fuzzing/oss_fuzz_build.sh
diff --git a/projects/vitess/project.yaml b/projects/vitess/project.yaml
index 6d20f6468..82d05297d 100644
--- a/projects/vitess/project.yaml
+++ b/projects/vitess/project.yaml
@@ -2,6 +2,10 @@ homepage: "https://github.com/vitessio/vitess"
primary_contact: "andres@planetscale.com"
auto_ccs :
- "adam@adalogics.com"
+ - "team-ps-vitess@planetscale.com"
+ - "manan@planetscale.com"
+ - "harshit@planetscale.com"
+ - "florent@planetscale.com"
language: go
fuzzing_engines:
- libfuzzer
diff --git a/projects/w3m/Dockerfile b/projects/w3m/Dockerfile
new file mode 100755
index 000000000..810634464
--- /dev/null
+++ b/projects/w3m/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y libgc-dev
+RUN git clone https://github.com/tats/w3m
+
+WORKDIR $SRC
+COPY build.sh $SRC/
diff --git a/projects/w3m/build.sh b/projects/w3m/build.sh
new file mode 100755
index 000000000..eccb30ccd
--- /dev/null
+++ b/projects/w3m/build.sh
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+#export CFLAGS="${CFLAGS} -"
+#export CXXFLAGS="${CXXFLAGS} -ltinfo"
+
+cd w3m
+./configure
+
+make myctype.o
+make Str.o
+make libwc
+
+cd libwc
+$CC $CFLAGS -c ../fuzz/fuzz-conv.c -o fuzz_conv.o -I../ -I./
+static_libgc=($(find /usr/lib -name "libgc.a"))
+$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_conv.o -o $OUT/fuzz_conv \
+ -I./libwc -DUSE_UNICODE -I. -I./.. -DHAVE_CONFIG_H ../Str.o ../myctype.o libwc.a ${static_libgc}
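Review bot: The two commented-out `#export CFLAGS="${CFLAGS} -"` / `#export CXXFLAGS="${CXXFLAGS} -ltinfo"` lines at the top of this new script are leftovers (a `-` with no flag name, and a `-ltinfo` that nothing below uses) and should be removed before the file lands; if a link fix is still pending, a one-line TODO stating what is missing is clearer. `static_libgc=($(find /usr/lib -name "libgc.a"))` followed by `${static_libgc}` uses only the first match, and with `set -u` an empty result fails with an "unbound variable" message that does not mention libgc; a guard such as `[[ ${#static_libgc[@]} -eq 1 ]] || { echo "expected exactly one libgc.a" >&2; exit 1; }` gives a clear failure. `cd w3m` also relies on the Dockerfile's `WORKDIR $SRC` rather than `WORKDIR $SRC/w3m` as the other projects in this commit do.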
diff --git a/projects/w3m/project.yaml b/projects/w3m/project.yaml
new file mode 100755
index 000000000..86409e7ed
--- /dev/null
+++ b/projects/w3m/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://tracker.debian.org/pkg/w3m"
+primary_contact: "tats@debian.org"
+language: c
+auto_ccs :
+ - "david@adalogics.com"
+main_repo: 'https://github.com/tats/w3m'
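Review bot: The file header records `new file mode 100755` for this project.yaml, and the w3m Dockerfile above is added with the same mode; neither is a script, and the other new project.yaml and Dockerfile files in this commit use 100644. The executable bit is easy to carry over from a working copy and is worth clearing with `chmod -x` before merging so it is not copied as a template. `auto_ccs :` also carries a stray space before the colon, as in the thrift project.yaml.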
diff --git a/projects/wasmtime/build.sh b/projects/wasmtime/build.sh
index d302851aa..80423e376 100755
--- a/projects/wasmtime/build.sh
+++ b/projects/wasmtime/build.sh
@@ -26,6 +26,13 @@ build() {
shift
PROJECT_DIR=$SRC/$project
+ # ensure we get absolute paths for the coverage report
+ cd $PROJECT_DIR
+ crate_src_abspath=`cargo metadata --no-deps --format-version 1 | jq -r '.workspace_root'`
+ while read i; do
+ export RUSTFLAGS="$RUSTFLAGS --remap-path-prefix $i=$crate_src_abspath/$i"
+ done <<< "$(find . -name "*.rs" | cut -d/ -f2 | uniq)"
+
cd $PROJECT_DIR/fuzz && cargo fuzz build -O --debug-assertions "$@"
FUZZ_TARGET_OUTPUT_DIR=$PROJECT_DIR/target/x86_64-unknown-linux-gnu/release
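Review bot: The new loop appends to the exported `RUSTFLAGS` inside `build()`, and the hunk below calls `build` three times (wasmtime, wasm-tools, regalloc.rs), so the second and third builds inherit the first project's `--remap-path-prefix` entries and add their own; a directory name shared by two projects (such as `src`) then maps to two different absolute paths and the recorded coverage paths may depend on build order. Saving `RUSTFLAGS` before the loop and restoring it at the end of `build()`, or assembling the flags in a local variable passed only to the `cargo fuzz build` invocation, keeps each project's remappings to itself. `find . -name "*.rs" | cut -d/ -f2 | uniq` should use `sort -u` instead of `uniq`, since `find` output is not sorted and `uniq` only removes adjacent duplicates. `build()` starts before this hunk.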
@@ -50,10 +57,7 @@ build() {
}
# Build with peepmatic in order to enable the related fuzz targets.
-build wasmtime "" "" --features peepmatic-fuzzing
-
-# Build the differential fuzzer with the new x86-64 backend as well.
-build wasmtime diff-newbe- differential_wasmi --features experimental_x64
+build wasmtime "" "" --features "peepmatic-fuzzing experimental_x64"
build wasm-tools wasm-tools- ""
build regalloc.rs regalloc- bt bt
diff --git a/projects/wasmtime/project.yaml b/projects/wasmtime/project.yaml
index e18ebf7b4..01c7f4607 100644
--- a/projects/wasmtime/project.yaml
+++ b/projects/wasmtime/project.yaml
@@ -6,6 +6,7 @@ auto_ccs:
- "till@tillschneidereit.net"
- "ydelendik@mozilla.com"
- "cfallin@gmail.com"
+ - "andrew.s.brown2@gmail.com"
sanitizers:
- address
fuzzing_engines:
diff --git a/projects/wireshark/build.sh b/projects/wireshark/build.sh
index de41e0709..bdb34eb52 100755
--- a/projects/wireshark/build.sh
+++ b/projects/wireshark/build.sh
@@ -15,12 +15,6 @@
#
################################################################################
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
WIRESHARK_BUILD_PATH="$WORK/build"
mkdir -p "$WIRESHARK_BUILD_PATH"
diff --git a/projects/wolfssl/Dockerfile b/projects/wolfssl/Dockerfile
index 39742cc7e..963f5e0e3 100644
--- a/projects/wolfssl/Dockerfile
+++ b/projects/wolfssl/Dockerfile
@@ -23,6 +23,7 @@ RUN git clone --depth 1 https://github.com/guidovranken/fuzzing-headers.git
RUN git clone --depth 1 https://github.com/guidovranken/wolf-ssl-ssh-fuzzers
RUN git clone --depth 1 https://github.com/guidovranken/cryptofuzz
RUN git clone --depth 1 https://github.com/randombit/botan.git
+RUN git clone --depth 1 https://github.com/google/wycheproof.git
RUN wget https://dl.bintray.com/boostorg/release/1.74.0/source/boost_1_74_0.tar.bz2
RUN git clone https://github.com/wolfssl/oss-fuzz-targets --depth 1 $SRC/fuzz-targets
diff --git a/projects/wolfssl/build.sh b/projects/wolfssl/build.sh
index 850ef2c1a..70db45387 100755
--- a/projects/wolfssl/build.sh
+++ b/projects/wolfssl/build.sh
@@ -114,6 +114,55 @@ then
unset WOLFCRYPT_LIBWOLFSSL_A_PATH
unset WOLFCRYPT_INCLUDE_PATH
+ # Build sp-math-all 8bit fuzzer
+ cp -R $SRC/cryptofuzz/ $SRC/cryptofuzz-sp-math-all-8bit/
+ cp -R $SRC/wolfssl/ $SRC/wolfssl-sp-math-all-8bit/
+ cd $SRC/wolfssl-sp-math-all-8bit/
+ autoreconf -ivf
+ CFLAGS="$CFLAGS -DHAVE_AES_ECB -DWOLFSSL_DES_ECB -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3 -DHAVE_ECC_BRAINPOOL -DHAVE_ECC_KOBLITZ -DWOLFSSL_ECDSA_SET_K -DWOLFSSL_ECDSA_SET_K_ONE_LOOP -DSP_WORD_SIZE=8"
+ ./configure $WOLFCRYPT_CONFIGURE_PARAMS --enable-sp-math-all
+ make -j$(nproc)
+ export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_NO_OPENSSL -DCRYPTOFUZZ_WOLFCRYPT -DCRYPTOFUZZ_BOTAN"
+ export WOLFCRYPT_LIBWOLFSSL_A_PATH="$SRC/wolfssl-sp-math-all-8bit/src/.libs/libwolfssl.a"
+ export WOLFCRYPT_INCLUDE_PATH="$SRC/wolfssl-sp-math-all-8bit/"
+ cd $SRC/cryptofuzz-sp-math-all-8bit/modules/wolfcrypt
+ make -j$(nproc)
+ cd $SRC/cryptofuzz-sp-math-all-8bit/modules/botan
+ make -j$(nproc)
+ cd $SRC/cryptofuzz-sp-math-all-8bit/
+ LIBFUZZER_LINK="$LIB_FUZZING_ENGINE" make -B -j$(nproc)
+ cp cryptofuzz $OUT/cryptofuzz-sp-math-all-8bit
+ CFLAGS="$OLD_CFLAGS"
+ CXXFLAGS="$OLD_CXXFLAGS"
+ unset WOLFCRYPT_LIBWOLFSSL_A_PATH
+ unset WOLFCRYPT_INCLUDE_PATH
+
+ # Build sp-math fuzzer
+ cp -R $SRC/cryptofuzz/ $SRC/cryptofuzz-sp-math/
+ cp -R $SRC/wolfssl/ $SRC/wolfssl-sp-math/
+ cd $SRC/wolfssl-sp-math/
+ autoreconf -ivf
+ # -DHAVE_ECC_BRAINPOOL and -DHAVE_ECC_KOBLITZ are lacking from the CFLAGS; these are not supported by SP math
+ CFLAGS="$CFLAGS -DHAVE_AES_ECB -DWOLFSSL_DES_ECB -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3 -DWOLFSSL_ECDSA_SET_K -DWOLFSSL_ECDSA_SET_K_ONE_LOOP"
+ # SP math does not support custom curves, so remove that flag
+ export WOLFCRYPT_CONFIGURE_PARAMS_SP_MATH=${WOLFCRYPT_CONFIGURE_PARAMS//"--enable-ecccustcurves"/}
+ ./configure $WOLFCRYPT_CONFIGURE_PARAMS_SP_MATH --enable-sp --enable-sp-math
+ make -j$(nproc)
+ export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_NO_OPENSSL -DCRYPTOFUZZ_WOLFCRYPT -DCRYPTOFUZZ_BOTAN"
+ export WOLFCRYPT_LIBWOLFSSL_A_PATH="$SRC/wolfssl-sp-math/src/.libs/libwolfssl.a"
+ export WOLFCRYPT_INCLUDE_PATH="$SRC/wolfssl-sp-math/"
+ cd $SRC/cryptofuzz-sp-math/modules/wolfcrypt
+ make -j$(nproc)
+ cd $SRC/cryptofuzz-sp-math/modules/botan
+ make -j$(nproc)
+ cd $SRC/cryptofuzz-sp-math/
+ LIBFUZZER_LINK="$LIB_FUZZING_ENGINE" make -B -j$(nproc)
+ cp cryptofuzz $OUT/cryptofuzz-sp-math
+ CFLAGS="$OLD_CFLAGS"
+ CXXFLAGS="$OLD_CXXFLAGS"
+ unset WOLFCRYPT_LIBWOLFSSL_A_PATH
+ unset WOLFCRYPT_INCLUDE_PATH
+
# Build disable-fastmath fuzzer
cp -R $SRC/cryptofuzz/ $SRC/cryptofuzz-disable-fastmath/
cp -R $SRC/wolfssl/ $SRC/wolfssl-disable-fastmath/
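Review bot: The two new blocks (`# Build sp-math-all 8bit fuzzer`, `# Build sp-math fuzzer`) are near-verbatim copies of the surrounding variant blocks, differing only in the directory suffix, the extra `CFLAGS` defines and the `./configure` arguments, so every future fix to the sequence (the `OLD_CFLAGS` restore, the `unset` pair) has to be applied in at least four places. A helper taking the suffix, the extra defines and the configure parameters, defined near the top of the script, would reduce each variant to one call and keep the restore/unset steps in a single spot; a sketch follows, with the sp-math call showing where the `--enable-ecccustcurves` removal goes. `export WOLFCRYPT_CONFIGURE_PARAMS_SP_MATH=...` is read only on the following line, so it needs no `export`. The enclosing `if ... then` block starts before this hunk.
```shell
# Build one wolfCrypt/cryptofuzz variant.
#   $1   = name suffix (binary is copied to $OUT/cryptofuzz-$1)
#   $2   = extra -D defines appended to CFLAGS for the wolfssl build
#   $3.. = ./configure arguments
build_cryptofuzz_variant() {
  local suffix="$1" extra_cflags="$2"
  shift 2
  cp -R $SRC/cryptofuzz/ $SRC/cryptofuzz-$suffix/
  cp -R $SRC/wolfssl/ $SRC/wolfssl-$suffix/
  cd $SRC/wolfssl-$suffix/
  autoreconf -ivf
  CFLAGS="$CFLAGS $extra_cflags"
  ./configure "$@"
  make -j$(nproc)
  export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_NO_OPENSSL -DCRYPTOFUZZ_WOLFCRYPT -DCRYPTOFUZZ_BOTAN"
  export WOLFCRYPT_LIBWOLFSSL_A_PATH="$SRC/wolfssl-$suffix/src/.libs/libwolfssl.a"
  export WOLFCRYPT_INCLUDE_PATH="$SRC/wolfssl-$suffix/"
  cd $SRC/cryptofuzz-$suffix/modules/wolfcrypt
  make -j$(nproc)
  cd $SRC/cryptofuzz-$suffix/modules/botan
  make -j$(nproc)
  cd $SRC/cryptofuzz-$suffix/
  LIBFUZZER_LINK="$LIB_FUZZING_ENGINE" make -B -j$(nproc)
  cp cryptofuzz $OUT/cryptofuzz-$suffix
  CFLAGS="$OLD_CFLAGS"
  CXXFLAGS="$OLD_CXXFLAGS"
  unset WOLFCRYPT_LIBWOLFSSL_A_PATH
  unset WOLFCRYPT_INCLUDE_PATH
}

# … unchanged: earlier variant blocks …
build_cryptofuzz_variant sp-math-all-8bit \
  "-DHAVE_AES_ECB -DWOLFSSL_DES_ECB -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3 -DHAVE_ECC_BRAINPOOL -DHAVE_ECC_KOBLITZ -DWOLFSSL_ECDSA_SET_K -DWOLFSSL_ECDSA_SET_K_ONE_LOOP -DSP_WORD_SIZE=8" \
  $WOLFCRYPT_CONFIGURE_PARAMS --enable-sp-math-all
# SP math supports neither custom curves nor the Brainpool/Koblitz defines.
build_cryptofuzz_variant sp-math \
  "-DHAVE_AES_ECB -DWOLFSSL_DES_ECB -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3 -DWOLFSSL_ECDSA_SET_K -DWOLFSSL_ECDSA_SET_K_ONE_LOOP" \
  ${WOLFCRYPT_CONFIGURE_PARAMS//"--enable-ecccustcurves"/} --enable-sp --enable-sp-math
```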
@@ -137,6 +186,17 @@ then
unset WOLFCRYPT_LIBWOLFSSL_A_PATH
unset WOLFCRYPT_INCLUDE_PATH
+ # Convert Wycheproof test vectors to Cryptofuzz corpus format
+ mkdir $SRC/corpus-cryptofuzz-wycheproof/
+ find $SRC/wycheproof/testvectors/ -type f -name 'ecdsa_*' -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-wycheproof={},$SRC/corpus-cryptofuzz-wycheproof/ \;
+ # Pack it
+ zip -j $SRC/cryptofuzz_wycheproof_seed_corpus.zip $SRC/corpus-cryptofuzz-wycheproof/*
+ # Use it as the seed corpus for each Cryptofuzz-based fuzzer
+ cp $SRC/cryptofuzz_wycheproof_seed_corpus.zip $OUT/cryptofuzz-sp-math-all_seed_corpus.zip
+ cp $SRC/cryptofuzz_wycheproof_seed_corpus.zip $OUT/cryptofuzz-sp-math-all-8bit_seed_corpus.zip
+ cp $SRC/cryptofuzz_wycheproof_seed_corpus.zip $OUT/cryptofuzz-sp-math_seed_corpus.zip
+ cp $SRC/cryptofuzz_wycheproof_seed_corpus.zip $OUT/cryptofuzz-disable-fastmath_seed_corpus.zip
+
# Build SSL/SSH fuzzers
NEW_SRC=$SRC/wolf-ssl-ssh-fuzzers/oss-fuzz/projects/wolf-ssl-ssh/
cp -R $SRC/wolfssl/ $NEW_SRC
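Review bot: `find ... -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-wycheproof={},... \;` discards the converter's exit status — with the `\;` form GNU find does not fold a failing `-exec` into its own status — so a crash or sanitizer report while converting one vector file leaves a silently partial seed corpus and `set -e` never fires. A `while read -r f; do ... "$f" ...; done < <(find ... -print)` loop over the same files would make such a failure stop the build. The four `cp ... _seed_corpus.zip` lines hard-code the variant names and must be kept in step with the build blocks above; copying in a loop over a single list of variant names (or over the `$OUT/cryptofuzz-*` binaries already produced) avoids one drifting from the other. The enclosing `if ... then` block starts before this hunk.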
diff --git a/projects/wuffs/build.sh b/projects/wuffs/build.sh
index d51af38cf..b8d4f5366 100755
--- a/projects/wuffs/build.sh
+++ b/projects/wuffs/build.sh
@@ -26,7 +26,7 @@ for f in fuzz/c/std/*_fuzzer.c; do
# Make the "gzip_fuzzer" binary. First compile the (C) Wuffs code, then link
# the (C++) fuzzing library.
- $CC $CFLAGS -c -std=c99 $f -o $WORK/${b}_fuzzer.o
+ $CC $CFLAGS -c $f -o $WORK/${b}_fuzzer.o
$CXX $CXXFLAGS $WORK/${b}_fuzzer.o -o $OUT/${b}_fuzzer $LIB_FUZZING_ENGINE
# Make the optional "gzip_fuzzer_seed_corpus.zip" archive. This means
diff --git a/projects/ygot/Dockerfile b/projects/ygot/Dockerfile
new file mode 100644
index 000000000..b592c307b
--- /dev/null
+++ b/projects/ygot/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/openconfig/ygot
+
+COPY build.sh $SRC/
+COPY fuzz.go $SRC/ygot/exampleoc/
+WORKDIR $SRC/ygot
diff --git a/projects/ygot/build.sh b/projects/ygot/build.sh
new file mode 100755
index 000000000..3a34ffc5d
--- /dev/null
+++ b/projects/ygot/build.sh
@@ -0,0 +1,18 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+compile_go_fuzzer github.com/openconfig/ygot/exampleoc Fuzz fuzz_oc_unmarshall gofuzz
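Review bot: The fuzzer target name `fuzz_oc_unmarshall` has a doubled `l`; since the target name becomes the fuzzer's identity in ClusterFuzz (crash history, coverage, seed corpus and dictionary file names all key off it), it is worth correcting to `fuzz_oc_unmarshal` before the first build rather than renaming later. The line would read `compile_go_fuzzer github.com/openconfig/ygot/exampleoc Fuzz fuzz_oc_unmarshal gofuzz`.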
diff --git a/projects/ygot/fuzz.go b/projects/ygot/fuzz.go
new file mode 100644
index 000000000..c9a08826e
--- /dev/null
+++ b/projects/ygot/fuzz.go
@@ -0,0 +1,12 @@
+// +build gofuzz
+
+package exampleoc
+
+func Fuzz(data []byte) int {
+ nd := &Device{}
+ err := Unmarshal([]byte(data), nd)
+ if err != nil {
+ return 0
+ }
+ return 1
+}
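Review bot: The `[]byte(data)` conversion in the `Unmarshal` call is a no-op, since `data` already has type `[]byte`; `err := Unmarshal(data, nd)` reads more clearly. The exported function also has no doc comment; something like `// Fuzz feeds arbitrary bytes to exampleoc.Unmarshal and reports 1 when they decode into a Device, 0 otherwise.` would document the return convention the engine relies on. If the generated `Device` type carries a validation method (the generated code is not in this diff, so confirm), calling it on the successfully unmarshalled value would let the harness exercise more than the decoder.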
diff --git a/projects/ygot/project.yaml b/projects/ygot/project.yaml
new file mode 100644
index 000000000..bd4ef7acf
--- /dev/null
+++ b/projects/ygot/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/openconfig/ygot"
+primary_contact: "ygot-maintainers@google.com"
+auto_ccs:
+ - "p.antoine@catenacyber.fr"
+language: go
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+main_repo: 'https://github.com/openconfig/ygot'
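Review bot: Quoting style is mixed within this new file: `homepage` and the contact entries use double quotes while `main_repo` uses single quotes, and `main_repo` repeats the `homepage` value. Pick one quoting style for the file, e.g. `main_repo: "https://github.com/openconfig/ygot"`, so the two URL fields read consistently. The `auto_ccs` entry appears with a single-space indent under its key; check that the file uses the same two-space sequence indentation as the other project.yaml files, since a rendered diff can hide this.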
diff --git a/projects/zeek/build.sh b/projects/zeek/build.sh
index 5e12504a0..996fe9c12 100644
--- a/projects/zeek/build.sh
+++ b/projects/zeek/build.sh
@@ -25,6 +25,7 @@ CFLAGS="${CFLAGS} -pthread" CXXFLAGS="${CXXFLAGS} -pthread" \
--disable-auxtools \
--disable-broker-tests
+
cd build
ninja install
diff --git a/projects/zeek/project.yaml b/projects/zeek/project.yaml
index 3cd5de3b8..b0239dab7 100644
--- a/projects/zeek/project.yaml
+++ b/projects/zeek/project.yaml
@@ -10,9 +10,7 @@ auto_ccs:
- "justin@corelight.com"
- "vern@corelight.com"
- "vlad@es.net"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
+ - "dominik.charousset@corelight.com"
sanitizers:
- address
main_repo: 'https://github.com/zeek/zeek'
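Review bot: Deleting the `fuzzing_engines` block does more than tidy the file: with the key absent, OSS-Fuzz falls back to its default engine set, which (if I recall the infra default correctly) includes AFL in addition to libFuzzer and honggfuzz, so this commit silently enables an engine the project had not opted into while the visible intent is only to add an auto_cc. If that broadening is intended, a comment or commit-message line saying so would help; if not, the two removed lines `fuzzing_engines:` / `  - libfuzzer` / `  - honggfuzz` should be restored alongside the new `auto_ccs` entry.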
diff --git a/projects/zlib-ng/build.sh b/projects/zlib-ng/build.sh
index cb225ec36..606c5af89 100755
--- a/projects/zlib-ng/build.sh
+++ b/projects/zlib-ng/build.sh
@@ -15,11 +15,11 @@
#
################################################################################
-export LDSHARED=$CXX
+export LDSHARED=lld
export LDFLAGS="$CFLAGS -stdlib=libc++"
+
./configure
-sed -i "/^LDSHARED=.*/s#=.*#=$CXX#" Makefile
sed -i 's/$(CC) $(LDFLAGS)/$(CXX) $(LDFLAGS)/g' Makefile
make -j$(nproc) clean
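Review bot: `export LDSHARED=lld` names a bare linker where the previous value was the compiler driver, and the `sed` that used to force `LDSHARED` back to `$CXX` in the Makefile is removed, so the shared object is now linked without whatever `$CXX` would add (sanitizer runtime, default libraries, `-Wl,` flag translation). Whether that matters depends on whether `configure` appends driver-style flags to `LDSHARED` and on whether the fuzzers link the shared library at all, neither of which is visible here. A comment above the export stating why `lld` is used and that the fuzz targets link statically (if that is the case) would keep the next maintainer from re-deriving this, e.g. `# Link the shared library with lld directly; fuzzers link the static archive, so sanitizer runtimes are not needed here.`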
diff --git a/projects/zlib-ng/project.yaml b/projects/zlib-ng/project.yaml
index d4b41cec8..688f359a9 100644
--- a/projects/zlib-ng/project.yaml
+++ b/projects/zlib-ng/project.yaml
@@ -1,4 +1,4 @@
-homepage: "https://github.com/Dead2/zlib-ng"
+homepage: "https://github.com/zlib-ng/zlib-ng"
language: c++
primary_contact: "zlib-ng@circlestorm.org"
auto_ccs: