author | Elliott Hughes <enh@google.com> | 2021-04-02 19:51:01 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-04-02 19:51:01 +0000 |
commit | 75c8dcf71ca8652f671b4ca5fea780a558c86e08 (patch) | |
tree | 328e6c9629b196cec1de3a94ee804d9fee3a0524 /projects | |
parent | 378a8d19d33a5a62afbbe33b7f7b87b67db47236 (diff) | |
parent | 235e96b2f8ab4e43316158a2e6fa69e75a219e23 (diff) | |
download | oss-fuzz-android12-qpr3-s1-release.tar.gz |
Upgrade oss-fuzz to 947169dc86572e121c3e138f366a9f39ac6266ae am: f3764d0712 am: 1117028736 am: 235e96b2f8
android-12.1.0_r9 android-12.1.0_r8 android-12.1.0_r7 android-12.1.0_r26 android-12.1.0_r25 android-12.1.0_r24 android-12.1.0_r23 android-12.1.0_r22 android-12.1.0_r21 android-12.1.0_r20 android-12.1.0_r19 android-12.1.0_r18 android-12.1.0_r17 android-12.1.0_r16 android-12.1.0_r15 android-12.1.0_r14 android-12.1.0_r13 android-12.1.0_r12 android-12.1.0_r11 android-12.1.0_r10 android-12.0.0_r32 android-12.0.0_r29 android-12.0.0_r28 android-12.0.0_r27 android-12.0.0_r26 android-12.0.0_r21 android-12.0.0_r20 android-12.0.0_r19 android-12.0.0_r18 android-12.0.0_r16 android12L-dev android12L-d2-s8-release android12L-d2-s7-release android12L-d2-s6-release android12L-d2-s5-release android12L-d2-s4-release android12L-d2-s3-release android12L-d2-s2-release android12L-d2-s1-release android12L-d2-release android12-qpr3-s7-release android12-qpr3-s6-release android12-qpr3-s5-release android12-qpr3-s4-release android12-qpr3-s3-release android12-qpr3-s2-release android12-qpr3-s1-release android12-qpr3-release android12-qpr1-release android12-qpr1-d-s3-release android12-qpr1-d-s2-release android12-qpr1-d-s1-release android12-qpr1-d-release android12-dev
Original change: https://android-review.googlesource.com/c/platform/external/oss-fuzz/+/1662261
Change-Id: Ib7b7a79b38e1261c1d5fb4ccb1a5dfd106588996
Diffstat (limited to 'projects')
325 files changed, 4381 insertions, 822 deletions
diff --git a/projects/bad_example/build.sh b/projects/bad_example/build.sh index eb08bd6ef..88a7caad2 100755 --- a/projects/bad_example/build.sh +++ b/projects/bad_example/build.sh @@ -22,7 +22,7 @@ $CXX $CXXFLAGS -std=c++11 -I. -DINTENTIONAL_STARTUP_CRASH \ $LIB_FUZZING_ENGINE ./libz.a -# The latest two examples won't for for coverage build, bail out. +# The latest two examples won't work for coverage build, bail out. if [[ $SANITIZER = *coverage* ]]; then exit 0 fi diff --git a/projects/bazel-rules-fuzzing-test/build.sh b/projects/bazel-rules-fuzzing-test/build.sh index 07b2a737f..056e16b3d 100644 --- a/projects/bazel-rules-fuzzing-test/build.sh +++ b/projects/bazel-rules-fuzzing-test/build.sh 
@@ -17,36 +17,6 @@ ################################################################################ # This is an example build script for projects using the rules_fuzzing library -# for Bazel. Use it as a starting point for your own integration. +# for Bazel. -# An easy way to build all the relevant fuzz tests for a project is to use a -# "bazel query" command. Here, we are collecting all fuzz test targets (which -# are tagged with "fuzz-test" by default). Here we also have a basic opt-out -# mechanism through the "no-oss-fuzz" tag. You can use additional filtering -# logic in your own integrations. -declare -r QUERY=' - let all_fuzz_tests = attr(tags, "fuzz-test", "//...") in - $all_fuzz_tests - attr(tags, "no-oss-fuzz", $all_fuzz_tests) -' - -# The fuzzing rules provide a special `<name>_oss_fuzz` target that creates a -# TAR archive with all the fuzz test artifacts (binary, corpus, dictionary, -# etc.) using the layout expected by OSS-Fuzz. We derive the OSS-Fuzz package -# targets from the fuzz test names using the "sed" command below. -declare -r PACKAGE_SUFFIX="_oss_fuzz" -declare -r OSS_FUZZ_TESTS="$(bazel query "${QUERY}" | sed "s/$/${PACKAGE_SUFFIX}/")" - -# We now build all the OSS-Fuzz packages using the compiler toolchain provided -# by OSS-Fuzz through $CC and $CXX. The `--config=oss-fuzz` flag takes care of -# using the correct instrumentation and fuzzing engine derived from the OSS-Fuzz -# environment. -bazel build -c opt --config=oss-fuzz --linkopt=-lc++ \ - --action_env=CC="${CC}" --action_env=CXX="${CXX}" \ - ${OSS_FUZZ_TESTS[*]} - -# Finally, we extract the contents of the OSS-Fuzz packages directly into the -# $OUT/ directory. Recall that the packages already contain all the artifacts in -# the format expected by OSS-Fuzz. -for oss_fuzz_archive in $(find bazel-bin/ -name "*${PACKAGE_SUFFIX}.tar"); do - tar -xvf "${oss_fuzz_archive}" -C "${OUT}" -done +bazel_build_fuzz_tests 
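Review bot: The header comment kept above the call still presents this file as an example build script, yet nothing now says what `bazel_build_fuzz_tests` is or where it comes from, and the removed paragraphs were the only place the `no-oss-fuzz` opt-out tag was documented. A one-line comment before the call would keep the example useful, e.g. `# bazel_build_fuzz_tests (helper from the builder environment) builds every target tagged "fuzz-test" minus "no-oss-fuzz" and extracts the *_oss_fuzz archives into $OUT`. That wording presumes the helper reproduces the inline query/build/untar sequence it replaces; confirm against the helper's definition, which is not in this diff, before committing the comment.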
diff --git a/projects/bignum-fuzzer/Dockerfile b/projects/bignum-fuzzer/Dockerfile index ba08d04f8..6b7483642 100644 --- a/projects/bignum-fuzzer/Dockerfile +++ b/projects/bignum-fuzzer/Dockerfile @@ -16,11 +16,8 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y software-properties-common python-software-properties wget curl sudo mercurial autoconf bison texinfo libboost-all-dev cmake -RUN add-apt-repository -y ppa:gophers/archive && apt-get update && apt-get install -y golang-1.9-go -RUN ln -s /usr/lib/go-1.9/bin/go /usr/bin/go RUN wget https://www.bytereef.org/software/mpdecimal/releases/mpdecimal-2.5.0.tar.gz -RUN git clone --recursive https://github.com/golang/go RUN git clone --depth 1 https://github.com/guidovranken/bignum-fuzzer RUN git clone --depth 1 https://github.com/openssl/openssl RUN hg clone https://gmplib.org/repo/gmp/ libgmp/ diff --git a/projects/bignum-fuzzer/build.sh b/projects/bignum-fuzzer/build.sh index 699c3fa4e..8c29baff4 100755 --- a/projects/bignum-fuzzer/build.sh +++ b/projects/bignum-fuzzer/build.sh @@ -15,17 +15,6 @@ # ################################################################################ -# Compile latest Go -cd go/src -./make.bash -cd $SRC - -# Remove previous Go install (used for bootstrapping) -apt-get remove golang-1.9-go -y -rm /usr/bin/go - -export PATH=`realpath $SRC/go/bin`:$PATH - # Install Rust nightly #curl https://sh.rustup.rs -sSf | sh -s -- -y #source $HOME/.cargo/env diff --git a/projects/bind9/project.yaml b/projects/bind9/project.yaml index ef26dfed5..82ff413fa 100644 --- a/projects/bind9/project.yaml +++ b/projects/bind9/project.yaml @@ -2,6 +2,7 @@ homepage: "https://gitlab.isc.org/isc-projects/bind9" language: c primary_contact: "bind9-dev@isc.org" auto_ccs: + - "artem@isc.org" - "dfronza@isc.org" - "each@isc.org" - "marka@isc.org" 
@@ -9,7 +10,7 @@ auto_ccs: - "michal@isc.org" - "mnowak@isc.org" - "ondrej@isc.org" - - "wpk@isc.org" + - "pspacek@isc.org" sanitizers: - address - memory: diff --git a/projects/botan/build.sh b/projects/botan/build.sh index 0a3d53426..b88e78599 100755 --- a/projects/botan/build.sh +++ b/projects/botan/build.sh @@ -22,7 +22,7 @@ ln -s $SRC/fuzzer_corpus . ./configure.py --cc-bin=$CXX --cc-abi-flags="$CXXFLAGS" \ --disable-shared --disable-modules=locking_allocator \ --unsafe-fuzzer-mode --build-fuzzers=libfuzzer \ - --with-fuzzer-lib='FuzzingEngine' + --without-os-features=getrandom,getentropy --with-fuzzer-lib='FuzzingEngine' make -j$(nproc) libs make -j$(nproc) fuzzers diff --git a/projects/bs4/project.yaml b/projects/bs4/project.yaml index b541b62e5..2081650db 100644 --- a/projects/bs4/project.yaml +++ b/projects/bs4/project.yaml @@ -1,7 +1,7 @@ homepage: "https://www.crummy.com/software/BeautifulSoup/" main_repo: "https://code.launchpad.net/~leonardr/beautifulsoup/bs4" language: python -primary_contact: "leonardr@segfault.org" +primary_contact: "leonard.richardson@gmail.com" auto_ccs: - "jvoisin@google.com" - "ipudney@google.com" diff --git a/projects/c-blosc2/build.sh b/projects/c-blosc2/build.sh index 973f2cf50..afe771dae 100755 --- a/projects/c-blosc2/build.sh +++ b/projects/c-blosc2/build.sh @@ -16,6 +16,8 @@ ################################################################################ # Build project +export LDSHARED=lld + cmake . -DCMAKE_C_FLAGS="$CFLAGS" -DCMAKE_CXX_FLAGS="$CXXFLAGS" -DBUILD_FUZZERS=ON make clean make -j$(nproc) diff --git a/projects/cairo/project.yaml b/projects/cairo/project.yaml index 568d47334..9a078ded9 100644 --- a/projects/cairo/project.yaml +++ b/projects/cairo/project.yaml 
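Review bot: The new `--without-os-features=getrandom,getentropy` on the `./configure.py` line has no comment explaining why those two OS features are disabled for the fuzz build, so the next person touching the configure line has no way to tell whether it is still needed. Add a why-comment above the invocation, e.g. `# Disable getrandom/getentropy: <reason>`, stating the actual motivation (a failing build, or a syscall the fuzzing environment does not provide) rather than leaving it to be guessed.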
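Review bot: `export LDSHARED=lld` is added without a comment, and within the visible hunk nothing consumes it: the build runs plain `cmake`/`make`, which do not read `LDSHARED` (that variable is a distutils/setuptools convention), and `lld` named bare is the linker itself rather than a compiler driver, so whatever does pick it up will link without the `$CC`/`$CXX` sanitizer flags. If the intent is to force lld for the CMake build, the conventional route is `-DCMAKE_EXE_LINKER_FLAGS="-fuse-ld=lld"` on the cmake line (or the `LDFLAGS` env var); otherwise a comment naming the consumer is needed. Only this hunk is visible, so the consumer may sit later in the script.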
@@ -1,9 +1,14 @@ homepage: https://gitlab.freedesktop.org/cairo/cairo language: c primary_contact: security-tps@google.com +auto_ccs: + - "psychon@znc.in" sanitizers: - address - undefined - +vendor_ccs: + - "jkew@mozilla.com" + - "jmuizelaar@mozilla.com" + - "twsmith@mozilla.com" view_restrictions: none main_repo: 'https://gitlab.freedesktop.org/cairo/cairo.git' diff --git a/projects/capnproto/Dockerfile b/projects/capnproto/Dockerfile new file mode 100644 index 000000000..dffaa4580 --- /dev/null +++ b/projects/capnproto/Dockerfile @@ -0,0 +1,21 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder +RUN apt-get update && apt-get install -y cmake zlib1g-dev +RUN git clone --depth 1 https://github.com/capnproto/capnproto +WORKDIR $SRC/capnproto +COPY build.sh $SRC/ diff --git a/projects/capnproto/build.sh b/projects/capnproto/build.sh new file mode 100755 index 000000000..176418d05 --- /dev/null +++ b/projects/capnproto/build.sh 
@@ -0,0 +1,23 @@ +#!/bin/bash -eu +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# build project +mkdir build +cd build +cmake -DBUILD_SHARED_LIBS=OFF .. +make -j$(nproc) +cp c++/src/capnp/*fuzzer* $OUT/ diff --git a/projects/capnproto/project.yaml b/projects/capnproto/project.yaml new file mode 100644 index 000000000..e8cffba08 --- /dev/null +++ b/projects/capnproto/project.yaml @@ -0,0 +1,8 @@ +homepage: "https://capnproto.org" +language: c++ +primary_contact: "security@sandstorm.io" +auto_ccs: + - "p.antoine@catenacyber.fr" +sanitizers: + - address +main_repo: 'https://github.com/capnproto/capnproto' diff --git a/projects/capstone/build.sh b/projects/capstone/build.sh index 35720ea09..b0da12355 100755 --- a/projects/capstone/build.sh +++ b/projects/capstone/build.sh @@ -32,6 +32,7 @@ do sed -i -e 's/#print/print/' capstone/__init__.py ( export CFLAGS="" + export AFL_NOOPT=1 python setup.py install ) cd $SRC/capstone$branch/suite diff --git a/projects/cascadia/Dockerfile b/projects/cascadia/Dockerfile index 7c6f58d87..094b5e10e 100644 --- a/projects/cascadia/Dockerfile +++ b/projects/cascadia/Dockerfile 
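Review bot: `export AFL_NOOPT=1` is added inside the subshell that runs `python setup.py install` without a comment saying what it is for. AFL_NOOPT is read by the AFL++ compiler wrapper and makes it act as a pass-through compiler with no instrumentation, so the intent is presumably to keep the Python-bindings build from being instrumented (or from failing when afl-cc is `$CC`); a line such as `# AFL_NOOPT=1: afl-cc acts as a plain compiler here, the Python bindings need no instrumentation` would record that. Confirm the variable is honoured by the AFL build the base image ships.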
@@ -15,7 +15,7 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get github.com/andybalholm/cascadia +RUN git clone https://github.com/andybalholm/cascadia COPY build.sh $SRC/ -WORKDIR $SRC/ +WORKDIR $SRC/cascadia diff --git a/projects/cctz/Dockerfile b/projects/cctz/Dockerfile new file mode 100644 index 000000000..7882330f5 --- /dev/null +++ b/projects/cctz/Dockerfile @@ -0,0 +1,24 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder +RUN apt-get update && apt-get install -y make autoconf libgtest-dev +RUN git clone --depth 1 https://github.com/google/cctz +WORKDIR $SRC/cctz + +COPY build.sh $SRC/ +COPY fuzz_* $SRC/ + diff --git a/projects/cctz/build.sh b/projects/cctz/build.sh new file mode 100755 index 000000000..b83b4f52a --- /dev/null +++ b/projects/cctz/build.sh 
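Review bot: The `apt-get install -y make autoconf libgtest-dev` line in the new cctz Dockerfile installs packages this project does not appear to use: the companion build.sh configures with cmake and `-DBUILD_TESTING=OFF`, so neither autoconf nor gtest is exercised, and make is presumably already in the base image (the capnproto Dockerfile in this commit installs only `cmake zlib1g-dev` and its build.sh still runs `make`). Trimming the line to what the build needs keeps the image smaller and the dependency list honest; if a later step relies on autoconf or gtest it should be visible here. The cascadia hunk on the same line clones without the `--depth 1` used by the other clones in this commit.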
@@ -0,0 +1,22 @@ +# Copyright 2020 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +mkdir build && cd build +cmake -DBUILD_TESTING=OFF ../ +make + +# Compile fuzzers +cp $SRC/fuzz* . +$CXX $CXXFLAGS $LIB_FUZZING_ENGINE ./fuzz_cctz.cc ./libcctz.a -I../include/ -o $OUT/fuzz_cctz diff --git a/projects/cctz/fuzz_cctz.cc b/projects/cctz/fuzz_cctz.cc new file mode 100644 index 000000000..2096152ff --- /dev/null +++ b/projects/cctz/fuzz_cctz.cc 
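Review bot: The link line places `$LIB_FUZZING_ENGINE` before the source file and `./libcctz.a`, and `make` runs single-threaded, whereas the other build scripts in this commit use `make -j$(nproc)` and the usual OSS-Fuzz layout puts the engine library last so archive resolution does not depend on the driver. Suggested: `make -j$(nproc)` and `$CXX $CXXFLAGS -I../include/ ./fuzz_cctz.cc ./libcctz.a $LIB_FUZZING_ENGINE -o $OUT/fuzz_cctz`. This file also lacks the `#!/bin/bash -eu` first line that the capnproto, cel-cpp and cosign build scripts in this commit start with; the compile wrapper presumably runs it under bash with those flags anyway, but the header keeps the scripts uniform.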
@@ -0,0 +1,47 @@ +/* Copyright 2020 Google LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +#include <fuzzer/FuzzedDataProvider.h> + +#include <iostream> +#include <string> + +#include "cctz/civil_time.h" +#include "cctz/time_zone.h" + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + FuzzedDataProvider fuzzed_data(data, size); + + cctz::time_zone lax; + std::string tz = fuzzed_data.ConsumeRandomLengthString(); + if (load_time_zone(tz, &lax)) { + std::chrono::system_clock::time_point tp; + std::string date_format = fuzzed_data.ConsumeRandomLengthString(); + std::string parse_format = fuzzed_data.ConsumeRandomLengthString(); + cctz::parse(parse_format, date_format, lax, &tp); + + const auto t1 = cctz::convert(cctz::civil_second( + fuzzed_data.ConsumeIntegral<uint32_t>(), + fuzzed_data.ConsumeIntegral<uint32_t>(), + fuzzed_data.ConsumeIntegral<uint32_t>(), + fuzzed_data.ConsumeIntegral<uint32_t>(), + fuzzed_data.ConsumeIntegral<uint32_t>(), + fuzzed_data.ConsumeIntegral<uint32_t>()), lax); + std::string format = fuzzed_data.ConsumeRandomLengthString(); + cctz::format(format, t1, lax); + } + + return 0; +} diff --git a/projects/cctz/project.yaml b/projects/cctz/project.yaml new file mode 100644 index 000000000..58562e613 --- /dev/null +++ b/projects/cctz/project.yaml @@ -0,0 +1,3 @@ +homepage: "https://github.com/google/cctz" +language: c++ +primary_contact: "david@adalogics.com" 
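Review bot: Every fuzzed operation sits behind `if (load_time_zone(tz, &lax))`, so when no tzdata is present in the runtime image, or the random name does not match an installed zone (the common case), the input is discarded and parse/convert/format are never reached; consider falling back to `cctz::utc_time_zone()` when loading fails, and qualify the call as `cctz::load_time_zone` like the other calls rather than relying on ADL. The variable named `date_format` is the string being parsed (`cctz::parse` takes the format first, then the input), so `date_input` would read correctly. `<iostream>` is included but unused, while `uint8_t`, `size_t` and `std::chrono::system_clock::time_point` are used without `<cstdint>`, `<cstddef>` and `<chrono>` and arrive only transitively through the cctz headers.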
diff --git a/projects/cel-cpp/.bazelrc b/projects/cel-cpp/.bazelrc new file mode 100644 index 000000000..f55fb55ae --- /dev/null +++ b/projects/cel-cpp/.bazelrc @@ -0,0 +1,23 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# Force the use of Clang for C++ builds. +build --action_env=CC=clang +build --action_env=CXX=clang++ + +build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine=@rules_fuzzing_oss_fuzz//:oss_fuzz_engine +build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_instrumentation=oss-fuzz +build:oss-fuzz --@rules_fuzzing//fuzzing:cc_engine_sanitizer=none diff --git a/projects/cel-cpp/BUILD b/projects/cel-cpp/BUILD new file mode 100644 index 000000000..6fdd77387 --- /dev/null +++ b/projects/cel-cpp/BUILD 
@@ -0,0 +1,23 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +load("@rules_fuzzing//fuzzing:cc_defs.bzl", "cc_fuzz_test") + +cc_fuzz_test( + name = "fuzz_parse", + deps = ["//parser"], + srcs = ["fuzz_parse.cc"], +) diff --git a/projects/cel-cpp/Dockerfile b/projects/cel-cpp/Dockerfile new file mode 100644 index 000000000..6c4b67eef --- /dev/null +++ b/projects/cel-cpp/Dockerfile 
@@ -0,0 +1,27 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder + +RUN git clone --depth 1 https://github.com/google/cel-cpp/ +COPY build.sh $SRC/ +RUN mkdir $SRC/cel-cpp/fuzz/ +COPY BUILD fuzz*.cc $SRC/cel-cpp/fuzz/ +COPY WORKSPACE .bazelrc $SRC/ +RUN cat WORKSPACE >> $SRC/cel-cpp/WORKSPACE +RUN cat .bazelrc >> $SRC/cel-cpp/.bazelrc +RUN echo "4.0.0" > $SRC/cel-cpp/.bazelversion +WORKDIR $SRC/cel-cpp diff --git a/projects/cel-cpp/WORKSPACE b/projects/cel-cpp/WORKSPACE new file mode 100644 index 000000000..bc59fa04a --- /dev/null +++ b/projects/cel-cpp/WORKSPACE 
@@ -0,0 +1,41 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive") + +http_archive( + name = "fuzzing_rules_python", + url = "https://github.com/bazelbuild/rules_python/releases/download/0.1.0/rules_python-0.1.0.tar.gz", + sha256 = "b6d46438523a3ec0f3cead544190ee13223a52f6a6765a29eae7b7cc24cc83a0", +) + +http_archive( + name = "rules_fuzzing", + sha256 = "a5734cb42b1b69395c57e0bbd32ade394d5c3d6afbfe782b24816a96da24660d", + strip_prefix = "rules_fuzzing-0.1.1", + urls = ["https://github.com/bazelbuild/rules_fuzzing/archive/v0.1.1.zip"], + repo_mapping = { + "@rules_python": "@fuzzing_rules_python", + }, +) + +load("@rules_fuzzing//fuzzing:repositories.bzl", "rules_fuzzing_dependencies") + +rules_fuzzing_dependencies() + +load("@rules_fuzzing//fuzzing:init.bzl", "rules_fuzzing_init") + +rules_fuzzing_init() diff --git a/projects/cel-cpp/build.sh b/projects/cel-cpp/build.sh new file mode 100755 index 000000000..5a6315a35 --- /dev/null +++ b/projects/cel-cpp/build.sh 
@@ -0,0 +1,32 @@ +#!/bin/bash -eu +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +declare -r QUERY=' + let all_fuzz_tests = attr(tags, "fuzz-test", "//...") in + $all_fuzz_tests - attr(tags, "no-oss-fuzz", $all_fuzz_tests) +' + +declare -r PACKAGE_SUFFIX="_oss_fuzz" +declare -r OSS_FUZZ_TESTS="$(bazel query "${QUERY}" | sed "s/$/${PACKAGE_SUFFIX}/")" + +bazel build -c opt --config=oss-fuzz --linkopt=-lc++ \ + --action_env=CC="${CC}" --action_env=CXX="${CXX}" \ + ${OSS_FUZZ_TESTS[*]} + +for oss_fuzz_archive in $(find bazel-bin/ -name "*${PACKAGE_SUFFIX}.tar"); do + tar -xvf "${oss_fuzz_archive}" -C "${OUT}" +done diff --git a/projects/cel-cpp/fuzz_parse.cc b/projects/cel-cpp/fuzz_parse.cc new file mode 100644 index 000000000..f4755d319 --- /dev/null +++ b/projects/cel-cpp/fuzz_parse.cc 
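Review bot: This script re-inlines the query/build/untar sequence that the same commit removes from projects/bazel-rules-fuzzing-test/build.sh in favour of the `bazel_build_fuzz_tests` helper; the body from `declare -r QUERY='` to `done` could be a single `bazel_build_fuzz_tests` line, which also removes the duplicated maintenance. As written, `${OSS_FUZZ_TESTS[*]}` applies array syntax to a scalar string and works only because the unquoted expansion is word-split, and `for oss_fuzz_archive in $(find ...)` would break on archive paths containing whitespace. If the project needs bazel flags beyond what the helper passes, a comment saying so would justify keeping the inline version.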
@@ -0,0 +1,34 @@ +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// + +#include <string> + +#include "parser/parser.h" + +#define MAX_RECURSION 0x100 + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + std::string str (reinterpret_cast<const char*>(data), size); + try { + auto parse_status = google::api::expr::parser::Parse(str, "fuzzinput", MAX_RECURSION); + if (!parse_status.ok()) { + parse_status.status().message(); + } + } catch (const std::exception& e) { + return 0; + } + return 0; +} diff --git a/projects/cel-cpp/project.yaml b/projects/cel-cpp/project.yaml new file mode 100644 index 000000000..ad4bf90e3 --- /dev/null +++ b/projects/cel-cpp/project.yaml @@ -0,0 +1,11 @@ +homepage: "https://opensource.google/projects/cel" +language: c++ +primary_contact: "kyessenov@gmail.com" +auto_ccs : +- "tswadell@google.com" +- "p.antoine@catenacyber.fr" + +sanitizers: +- address +- memory +main_repo: 'https://github.com/google/cel-cpp' diff --git a/projects/cilium/Dockerfile b/projects/cilium/Dockerfile new file mode 100644 index 000000000..89f2f0016 --- /dev/null +++ b/projects/cilium/Dockerfile 
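Review bot: `parse_status.status().message();` on the error path fetches the message and discards it, so the whole `if (!parse_status.ok())` block is a no-op and can be dropped (or the message logged, if that was the intent). `MAX_RECURSION` could be a `constexpr int` rather than a macro, and `uint8_t`/`size_t` are used without `<cstdint>`/`<cstddef>`; `catch (const std::exception& e)` never uses `e`, so `catch (const std::exception&)` avoids an unused-variable warning.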
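Review bot: `auto_ccs :` carries a space before the colon and its list items (`- "tswadell@google.com"`) are unindented, unlike every other project.yaml in this commit (`auto_ccs:` followed by indented `  - "..."`). Both forms parse, but matching the surrounding files keeps the project metadata uniform and greppable: `auto_ccs:` with two-space indented entries.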
@@ -0,0 +1,26 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder +RUN apt-get update && apt-get install -y wget +RUN wget https://raw.githubusercontent.com/google/AFL/master/dictionaries/json.dict -O $OUT/fuzz.dict + +RUN git clone --depth 1 https://github.com/dvyukov/go-fuzz-corpus +RUN zip $OUT/fuzz_seed_corpus.zip go-fuzz-corpus/json/corpus/* + +RUN git clone https://github.com/cilium/cilium/ cilium +RUN cp $SRC/cilium/test/fuzzing/oss-fuzz-build.sh $SRC/build.sh +WORKDIR $SRC/cilium diff --git a/projects/civetweb/build.sh b/projects/civetweb/build.sh index cd2caeefe..413dd5aec 100755 --- a/projects/civetweb/build.sh +++ b/projects/civetweb/build.sh @@ -19,4 +19,4 @@ export LDFLAGS="${LIB_FUZZING_ENGINE} ${CFLAGS}" chmod +x ./fuzztest/build.sh ./fuzztest/build.sh -mv civetweb_fuzz3 $OUT/ +mv civetweb_fuzz* $OUT/ diff --git a/projects/clamav/Dockerfile b/projects/clamav/Dockerfile index c38ae9144..0d4cc0338 100644 --- a/projects/clamav/Dockerfile +++ b/projects/clamav/Dockerfile 
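Review bot: The `wget ... -O $OUT/fuzz.dict` and `zip $OUT/fuzz_seed_corpus.zip ...` steps write build artifacts into `$OUT` during the image build; as far as I can tell the OSS-Fuzz flow bind-mounts `$OUT` from the host when build.sh runs, so files placed there at image-build time would be hidden by the mount and never reach the output, which is why the other projects stage such files under `$SRC` and copy them from build.sh. Since build.sh here is copied from the cilium repo (`test/fuzzing/oss-fuzz-build.sh`) and is not in the diff, I cannot confirm whether it re-creates them; if not, move these two steps into the build. `git clone https://github.com/cilium/cilium/ cilium` also lacks the `--depth 1` used elsewhere in the commit.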
@@ -17,9 +17,20 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y \ flex bison \ - automake autoconf pkg-config m4 libtool \ - libssl-dev \ - libcurl4-openssl-dev + python3-dev \ + pkg-config + +# +# Build static libs for dependencies +# +RUN python3 -m pip install mussels +RUN git clone --depth 1 https://github.com/Cisco-Talos/clamav-mussels-cookbook.git + +RUN mkdir /mussels +RUN cd ${SRC}/clamav-mussels-cookbook && \ + msl build clamav_deps -t host-static -w /mussels/work -i /mussels/install + +# Collect clamav source & fuzz corpus RUN git clone --depth 1 https://github.com/Cisco-Talos/clamav-devel.git RUN git clone --depth 1 https://github.com/Cisco-Talos/clamav-fuzz-corpus.git diff --git a/projects/clamav/build.sh b/projects/clamav/build.sh index 0ab07e086..1f7e902ed 100755 --- a/projects/clamav/build.sh +++ b/projects/clamav/build.sh @@ -16,6 +16,7 @@ ################################################################################ set -ex +export GIT_DISCOVERY_ACROSS_FILESYSTEM=1 # # Build the library. 
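Review bot: `python3 -m pip install mussels` fetches an unpinned build tool from PyPI at image-build time and the `--depth 1` clone of clamav-mussels-cookbook pulls the recipe set at whatever HEAD is, and that tool then builds every static dependency (OpenSSL, json-c, pcre2, libxml2, bzip2, zlib) the fuzzers link against; a pin such as `pip install mussels==<version>` plus a fixed cookbook revision would make the dependency build reproducible and keep a broken upstream release from silently taking the project offline. The image installs `python3-dev` but relies on pip already being present; worth confirming the base image provides it, or adding `python3-pip` to the apt line.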
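Review bot: `export GIT_DISCOVERY_ACROSS_FILESYSTEM=1` is added right after `set -ex` with no comment; it changes git's behaviour for every later command in the script and the reader cannot tell which step needs repository discovery to cross a mount boundary (presumably a CMake step reading version info from git while building under `${WORK}`). A one-line why-comment would pin that down, e.g. `# Let git locate the source repo from the out-of-tree build dir under ${WORK} — TODO confirm which step needs this`.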
@@ -24,37 +25,33 @@ rm -rf ${WORK}/build mkdir -p ${WORK}/build cd ${WORK}/build -if [ -f "${SRC}/clamav-devel/autogen.sh" ] -then - /bin/chmod +x ${SRC}/clamav-devel/autogen.sh - ${SRC}/clamav-devel/autogen.sh -fi - -# Remove ltdl so clamav build doesn't detect it and add it as a dependency. -apt remove -y libtool libltdl-dev libltdl7 - # # Run ./configure # -ac_cv_c_mmap_anonymous=no \ - ${SRC}/clamav-devel/configure \ - --disable-mempool \ - --enable-fuzz=yes \ - --with-libjson=no \ - --with-pcre=no \ - --enable-static=yes \ - --enable-shared=no \ - --disable-llvm \ - --host=x86_64-unknown-linux-gnu - -# Build libclamav -make clean -make -j"$(nproc)" +export CLAMAV_DEPENDENCIES=/mussels/install +cmake ${SRC}/clamav-devel \ + -DENABLE_FUZZ=ON \ + -DHAVE_MMAP=OFF \ + -DJSONC_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include/json-c" \ + -DJSONC_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libjson-c.a" \ + -DENABLE_JSON_SHARED=OFF \ + -DBZIP2_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include" \ + -DBZIP2_LIBRARY_RELEASE="$CLAMAV_DEPENDENCIES/lib/libbz2_static.a" \ + -DOPENSSL_ROOT_DIR="$CLAMAV_DEPENDENCIES" \ + -DOPENSSL_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include" \ + -DOPENSSL_CRYPTO_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libcrypto.a" \ + -DOPENSSL_SSL_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libssl.a" \ + -DZLIB_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libssl.a" \ + -DLIBXML2_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include" \ + -DLIBXML2_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libxml2.a" \ + -DPCRE2_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include" \ + -DPCRE2_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libpcre2-8.a" \ + -DZLIB_INCLUDE_DIR="$CLAMAV_DEPENDENCIES/include" \ + -DZLIB_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libz.a" \ + -DCMAKE_INSTALL_PREFIX="install" -# -# Build the fuzz targets. -# -make -j"$(nproc)" fuzz-all +# Build libclamav and the fuzz targets +make -j4 cp ./fuzz/clamav_* ${OUT}/. # diff --git a/projects/clamav/project.yaml b/projects/clamav/project.yaml index d2c3f238f..1f8f5d702 100644 --- a/projects/clamav/project.yaml 
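Review bot: `-DZLIB_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libssl.a"` appears in the middle of the cmake invocation, pointing the zlib variable at the OpenSSL archive; the correct `-DZLIB_LIBRARY="$CLAMAV_DEPENDENCIES/lib/libz.a"` is passed later and wins only because the last `-D` for a cache variable takes effect, so the build works by accident. Delete the earlier libssl.a line so the intent is not masked. `make -j4` also hard-codes the job count where the removed line used `-j"$(nproc)"`; unless the mussels-built dependencies make that unsafe here, `make -j"$(nproc)"` keeps the parallelism of the build host.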
+++ b/projects/clamav/project.yaml @@ -6,4 +6,7 @@ auto_ccs: sanitizers: - address - undefined +fuzzing_engines: + - libfuzzer + - afl main_repo: 'https://github.com/Cisco-Talos/clamav-devel.git' diff --git a/projects/clib/project.yaml b/projects/clib/project.yaml index 1dad0da2d..bc5871351 100644 --- a/projects/clib/project.yaml +++ b/projects/clib/project.yaml @@ -4,11 +4,4 @@ primary_contact: "joseph.werle@gmail.com" auto_ccs: - "Adam@adalogics.com" - "isty001@gmail.com" -fuzzing_engines: - - libfuzzer - - honggfuzz -sanitizers: - - address - - undefined - - memory main_repo: 'https://github.com/clibs/clib' diff --git a/projects/cosign/Dockerfile b/projects/cosign/Dockerfile new file mode 100644 index 000000000..f0282dd16 --- /dev/null +++ b/projects/cosign/Dockerfile @@ -0,0 +1,21 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder +RUN git clone --depth 1 https://github.com/sigstore/cosign + +COPY build.sh $SRC/ +WORKDIR $SRC/cosign diff --git a/projects/cosign/build.sh b/projects/cosign/build.sh new file mode 100755 index 000000000..87d865d2c --- /dev/null +++ b/projects/cosign/build.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash -eu +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + + +compile_go_fuzzer github.com/sigstore/cosign/test FuzzGetPassword fuzz_getPassword gofuzz diff --git a/projects/cosign/project.yaml b/projects/cosign/project.yaml new file mode 100644 index 000000000..dc5735fca --- /dev/null +++ b/projects/cosign/project.yaml @@ -0,0 +1,8 @@ +homepage: https://sigstore.dev/ +language: go +primary_contact: "priyawadhwa@google.com" +main_repo: "https://github.com/sigstore/cosign" +fuzzing_engines: + - libfuzzer +sanitizers: + - address diff --git a/projects/cryptofuzz/Dockerfile b/projects/cryptofuzz/Dockerfile index fb668f2b8..7ed5d425b 100644 --- a/projects/cryptofuzz/Dockerfile +++ b/projects/cryptofuzz/Dockerfile 
@@ -23,14 +23,9 @@ RUN apt-get update && \ apt-get update && \ apt-get install -y software-properties-common python-software-properties make autoconf automake libtool build-essential cmake mercurial gyp ninja-build zlib1g-dev libsqlite3-dev bison flex texinfo -# BoringSSL needs Go to build -RUN add-apt-repository -y ppa:gophers/archive && apt-get update && apt-get install -y golang-1.9-go -RUN ln -s /usr/lib/go-1.9/bin/go /usr/bin/go - RUN git clone --depth 1 https://github.com/guidovranken/cryptofuzz RUN git clone --depth 1 https://github.com/guidovranken/cryptofuzz-corpora RUN git clone --depth 1 https://github.com/openssl/openssl - RUN git clone --depth 1 https://boringssl.googlesource.com/boringssl RUN git clone --depth 1 https://github.com/libressl-portable/portable libressl RUN cd $SRC/libressl && ./update.sh @@ -39,7 +34,6 @@ RUN git clone --depth 1 git://git.gnupg.org/libgcrypt.git RUN wget https://gnupg.org/ftp/gcrypt/libgpg-error/libgpg-error-1.36.tar.bz2 RUN git clone --depth 1 -b oss-fuzz https://github.com/project-everest/hacl-star evercrypt RUN git clone --depth 1 https://github.com/google/cityhash.git -RUN git clone --depth 1 https://github.com/golang/go RUN git clone --depth 1 https://github.com/randombit/botan.git RUN git clone --depth 1 https://github.com/wolfSSL/wolfssl.git RUN git clone --depth 1 https://github.com/ARMmbed/mbedtls.git diff --git a/projects/cryptofuzz/build.sh b/projects/cryptofuzz/build.sh index e363114e2..9aa3c948b 100755 --- a/projects/cryptofuzz/build.sh +++ b/projects/cryptofuzz/build.sh @@ -18,6 +18,8 @@ # TODO(metzman): Switch this to LIB_FUZZING_ENGINE when it works. # https://github.com/google/oss-fuzz/issues/2336 +export GO111MODULE=off + # Compile xxd $CC $SRC/xxd.c -o /usr/bin/xxd 
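Review bot: `export GO111MODULE=off` puts the rest of build.sh into GOPATH mode, so the `go get golang.org/x/crypto/...` calls that follow in the next hunk fetch whatever the module's default branch currently holds, with no go.sum checksum to verify against; two builds of the same OSS-Fuzz revision can therefore compile different x/crypto code. That is presumably accepted as the price of dropping the locally built Go toolchain, but it should be recorded next to the export so nobody reads it as an oversight: `# GOPATH mode: the go get calls below pull unpinned HEAD of x/crypto with no go.sum verification`. If reproducibility of the Go side ever matters, moving to module mode with pinned `@<version>` requirements is the fix. The script continues outside this hunk.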
@@ -40,24 +42,6 @@ export INCLUDE_PATH_FLAGS="" cd $SRC/cryptofuzz python gen_repository.py -if [[ $CFLAGS = *-m32* ]] -then - export GOARCH=386 - export CGO_ENABLED=1 -fi - -export GO111MODULE=off -cd $SRC/go/src -./make.bash -export GOROOT=$(realpath $SRC/go) -export GOPATH=$GOROOT/packages -mkdir $GOPATH -export PATH=$GOROOT/bin:$PATH -export PATH=$GOROOT/packages/bin:$PATH - -apt-get remove golang-1.9-go -y -rm /usr/bin/go - go get golang.org/x/crypto/blake2b go get golang.org/x/crypto/blake2s go get golang.org/x/crypto/md4 @@ -671,3 +655,4 @@ cp $SRC/cryptofuzz/cryptofuzz $OUT/cryptofuzz-boringssl-noasm cp $SRC/cryptofuzz/cryptofuzz-dict.txt $OUT/cryptofuzz-boringssl-noasm.dict # Copy seed corpus cp $SRC/cryptofuzz-corpora/boringssl_latest.zip $OUT/cryptofuzz-boringssl-noasm_seed_corpus.zip + diff --git a/projects/cryptofuzz/project.yaml b/projects/cryptofuzz/project.yaml index 659a309e5..59c3ac43e 100644 --- a/projects/cryptofuzz/project.yaml +++ b/projects/cryptofuzz/project.yaml @@ -23,11 +23,8 @@ auto_ccs: - "david@wolfssl.com" - "kaleb@wolfssl.com" - "jacob@wolfssl.com" - - "jjones@mozilla.com" - "sledru@mozilla.com" - - "kjacobs@mozilla.com" - "bbeurdouche@mozilla.com" - - "tvandermerwe@mozilla.com" - "matthias.st.pierre@gmail.com" - "kaleb.himes@gmail.com" - "polubelovam@gmail.com" diff --git a/projects/dart/Dockerfile b/projects/dart/Dockerfile new file mode 100644 index 000000000..d60afcba6 --- /dev/null +++ b/projects/dart/Dockerfile 
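Review bot: The removed block also carried the `GOARCH=386` / `CGO_ENABLED=1` export that was applied when `$CFLAGS` contained `-m32`, and nothing in the new code replaces it, so if an i386 build is still configured for cryptofuzz the Go packages fetched and compiled by the `go get` lines below now target the host architecture while the C/C++ side is built 32-bit. If i386 is no longer built for this project the removal is fine, but the hunk should say so; otherwise keep a one-line guard ahead of the `go get` calls: `if [[ $CFLAGS = *-m32* ]]; then export GOARCH=386 CGO_ENABLED=1; fi`. I cannot see the project's architecture list from here, so treat this as a question for the author. The enclosing script continues well past this hunk.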
@@ -0,0 +1,25 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt install -y g++-multilib git python curl
+
+RUN git clone --depth 1 https://chromium.googlesource.com/chromium/tools/depot_tools.git
+ENV PATH="${SRC}/depot_tools:${PATH}"
+RUN mkdir dart-sdk && cd dart-sdk && fetch dart
+COPY build.sh $SRC
+COPY patch.diff $SRC
+WORKDIR $SRC/dart-sdk/sdk
diff --git a/projects/dart/build.sh b/projects/dart/build.sh
new file mode 100755
index 000000000..520b2756c
--- /dev/null
+++ b/projects/dart/build.sh
@@ -0,0 +1,21 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build project
+git apply ../../patch.diff
+./tools/build.py --no-goma -j$(nproc) -m debug -a x64 --sanitizer=asan dart_libfuzzer
+cp out/DebugASANX64/*fuzzer $OUT/
diff --git a/projects/dart/patch.diff b/projects/dart/patch.diff
new file mode 100644
index 000000000..18729d5cb
--- /dev/null
+++ b/projects/dart/patch.diff
@@ -0,0 +1,13 @@
+diff --git a/runtime/bin/BUILD.gn b/runtime/bin/BUILD.gn
+index 1bc82252087..68e983b4902 100644
+--- a/runtime/bin/BUILD.gn
++++ b/runtime/bin/BUILD.gn
+@@ -1084,6 +1084,8 @@ if (defined(is_linux) && is_linux && defined(is_asan) && is_asan &&
+ extra_sources = [
+ "../vm/libfuzzer/dart_libfuzzer.cc",
+ "builtin.cc",
++ "dartdev_isolate.cc",
++ "dartdev_isolate.h",
+ "dfe.cc",
+ "dfe.h",
+ ]
diff --git a/projects/dart/project.yaml b/projects/dart/project.yaml
new file mode 100644
index 000000000..155fe23dd
--- /dev/null
+++ b/projects/dart/project.yaml
@@ -0,0 +1,9 @@
+homepage: "https://dart.dev"
+language: c++
+primary_contact: "scheglov@google.com"
+auto_ccs :
+- "p.antoine@catenacyber.fr"
+
+sanitizers:
+- address
+main_repo: 'https://github.com/dart-lang/sdk.git'
diff --git a/projects/dragonfly/Dockerfile b/projects/dragonfly/Dockerfile
index 2d04a8f8f..46870a6db 100644
--- a/projects/dragonfly/Dockerfile
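Review bot: `./tools/build.py ... --sanitizer=asan` together with `cp out/DebugASANX64/*fuzzer $OUT/` hard-codes ASan and x64 and ignores the `$SANITIZER`, `$ARCHITECTURE`, `$CFLAGS` and `$LIB_FUZZING_ENGINE` that OSS-Fuzz hands every build.sh; that matches project.yaml listing only `address` today, but adding `undefined` or `memory` to the yaml later would silently ship ASan binaries under the other sanitizer's name. A one-line guard makes the assumption explicit and fails loudly instead: `[ "$SANITIZER" = "address" ] || { echo "dart: only ASan builds are supported" >&2; exit 1; }`. `git apply ../../patch.diff` also relies on the Dockerfile's WORKDIR being exactly two levels below `$SRC`; `git apply $SRC/patch.diff` is the spelling that survives a WORKDIR change.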
+++ b/projects/dragonfly/Dockerfile @@ -30,4 +30,4 @@ RUN go get github.com/go-openapi/swag \ github.com/willf/bitset RUN git clone https://github.com/dragonflyoss/Dragonfly COPY build.sh $SRC/ -WORKDIR $SRC/ +WORKDIR $SRC/Dragonfly diff --git a/projects/dragonfly/build.sh b/projects/dragonfly/build.sh index 6095149cc..6487785ea 100755 --- a/projects/dragonfly/build.sh +++ b/projects/dragonfly/build.sh @@ -15,8 +15,5 @@ # ################################################################################ -mkdir $GOPATH/src/github.com/dragonflyoss -cp -r $SRC/Dragonfly $GOPATH/src/github.com/dragonflyoss/ - compile_go_fuzzer github.com/dragonflyoss/Dragonfly/dfget/core/uploader FuzzParseParams uploader_fuzz compile_go_fuzzer github.com/dragonflyoss/Dragonfly/supernode/daemon/mgr/cdn Fuzz cdn_fuzz diff --git a/projects/dropbear/Dockerfile b/projects/dropbear/Dockerfile index 0b4ba302f..f2c235486 100644 --- a/projects/dropbear/Dockerfile +++ b/projects/dropbear/Dockerfile @@ -1,4 +1,4 @@ -# Copyright 2016 Google Inc. +# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,8 +16,8 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y libz-dev autoconf mercurial -RUN hg clone https://hg.ucc.asn.au/dropbear dropbear -RUN hg clone https://hg.ucc.asn.au/dropbear-fuzzcorpus dropbear/corpus +RUN hg clone https://hg.ucc.asn.au/dropbear-fuzzcorpus dropbear-corpus +RUN git clone https://github.com/mkj/dropbear dropbear WORKDIR dropbear COPY build.sh *.options $SRC/ diff --git a/projects/dropbear/build.sh b/projects/dropbear/build.sh index e3a6daec5..973211069 100644 --- a/projects/dropbear/build.sh +++ b/projects/dropbear/build.sh 
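Review bot: `RUN git clone https://github.com/mkj/dropbear dropbear` pulls the full history while every other new clone in this change uses `--depth 1`; the fuzz build only needs the tip, so a shallow clone keeps the image build faster and smaller: `RUN git clone --depth 1 https://github.com/mkj/dropbear dropbear`. Moving the corpus out of the source tree into `dropbear-corpus` is a good change because it no longer depends on the upstream checkout leaving that directory untouched.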
@@ -1,5 +1,5 @@ #!/bin/bash -# Copyright 2016 Google Inc. +# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,9 +27,9 @@ make -j$(nproc) fuzz-targets FUZZLIB=$LIB_FUZZING_ENGINE TARGETS="$(make list-fuzz-targets)" -make -C $SRC/dropbear/corpus +make -C $SRC/dropbear-corpus cp -v $TARGETS $OUT/ cp -v *.options $OUT/ -cp -v $SRC/dropbear/corpus/*.zip $OUT/ -cp -v $SRC/dropbear/corpus/*.dict $OUT/ +cp -v $SRC/dropbear-corpus/*.zip $OUT/ +cp -v $SRC/dropbear-corpus/*.dict $OUT/ diff --git a/projects/dropbear/project.yaml b/projects/dropbear/project.yaml index 3c10e86e2..78ee9009f 100644 --- a/projects/dropbear/project.yaml +++ b/projects/dropbear/project.yaml @@ -1,11 +1,5 @@ homepage: "https://matt.ucc.asn.au/dropbear/dropbear.html" language: c++ primary_contact: "matt@ucc.asn.au" -sanitizers: - - address - - undefined - - memory -fuzzing_engines: - - libfuzzer - - honggfuzz builds_per_day: 4 +main_repo: "https://github.com/mkj/dropbear" diff --git a/projects/ecc-diff-fuzzer/build.sh b/projects/ecc-diff-fuzzer/build.sh index 2fb442187..9b951cae8 100755 --- a/projects/ecc-diff-fuzzer/build.sh +++ b/projects/ecc-diff-fuzzer/build.sh 
@@ -93,13 +93,14 @@ cd libecc #botan ( cd botan -#help it find libstdc++ -cp /usr/lib/x86_64-linux-gnu/libstdc++.so.6 /usr/lib/x86_64-linux-gnu/libstdc++.so -export LDFLAGS=$CXXFLAGS if [ "$ARCHITECTURE" = 'i386' ]; then - ./configure.py --disable-shared-library --cpu x86_32 + ./configure.py --cc-bin=$CXX --cc-abi-flags="$CXXFLAGS" \ + --disable-shared --disable-modules=locking_allocator --disable-shared-library \ + --without-os-features=getrandom,getentropy --cpu x86_32 else - ./configure.py --disable-shared-library + ./configure.py --cc-bin=$CXX --cc-abi-flags="$CXXFLAGS" \ + --disable-shared --disable-modules=locking_allocator --disable-shared-library \ + --without-os-features=getrandom,getentropy fi make -j$(nproc) make install diff --git a/projects/envoy/project.yaml b/projects/envoy/project.yaml index da1a49c69..5fae1498a 100644 --- a/projects/envoy/project.yaml +++ b/projects/envoy/project.yaml @@ -14,6 +14,9 @@ auto_ccs: - "avd@google.com" - "skerner@google.com" - "rdsmith@google.com" - - "chaoqinli16@gmail.com" + - "chaoqinli@google.com" + - "yanjunxiang@google.com" + - "arquebus@appspot.gserviceaccount.com" + - "david@adalogics.com" coverage_extra_args: -ignore-filename-regex=.*\.cache.*envoy_deps_cache.* main_repo: 'https://github.com/envoyproxy/envoy.git' diff --git a/projects/fast-dds/Dockerfile b/projects/fast-dds/Dockerfile new file mode 100644 index 000000000..df5782e63 --- /dev/null +++ b/projects/fast-dds/Dockerfile 
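Review bot: The two `./configure.py` invocations in the i386 and default branches differ only in `--cpu x86_32`, so the long option list is duplicated and will drift the next time a flag is added to one branch but not the other. Building the option list in a bash array keeps a single copy and makes the architecture-specific part stand out. The flags also deserve a why-comment, since `--without-os-features=getrandom,getentropy` and `--disable-modules=locking_allocator` look like they are there to keep the target deterministic and free of mlock/allocator interference under the sanitizers rather than for any functional reason — TODO confirm with the author. The enclosing `( cd botan ... )` subshell starts before this hunk.
```shell
# Flags shared by both architectures; the OS feature / module exclusions are
# for deterministic, sanitizer-friendly fuzzing builds (TODO: confirm intent).
BOTAN_CONFIGURE_FLAGS=(
  --cc-bin="$CXX" --cc-abi-flags="$CXXFLAGS"
  --disable-shared --disable-modules=locking_allocator --disable-shared-library
  --without-os-features=getrandom,getentropy
)
if [ "$ARCHITECTURE" = 'i386' ]; then
  BOTAN_CONFIGURE_FLAGS+=(--cpu x86_32)
fi
./configure.py "${BOTAN_CONFIGURE_FLAGS[@]}"
# … unchanged: make -j$(nproc) / make install …
```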
@@ -0,0 +1,26 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt install -y autoconf automake
+RUN git clone --depth 1 https://github.com/leethomason/tinyxml2
+RUN git clone --depth 1 https://github.com/chriskohlhoff/asio/
+RUN git clone --depth 1 https://github.com/eProsima/Fast-CDR.git
+RUN git clone --depth 1 https://github.com/eProsima/foonathan_memory_vendor.git
+RUN git clone --depth 1 https://github.com/eProsima/Fast-DDS.git
+COPY patch.diff $SRC
+COPY build.sh $SRC
+WORKDIR $SRC/Fast-DDS
diff --git a/projects/fast-dds/build.sh b/projects/fast-dds/build.sh
new file mode 100755
index 000000000..6831dffe3
--- /dev/null
+++ b/projects/fast-dds/build.sh
@@ -0,0 +1,53 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+
+(
+cd ../tinyxml2
+make -j$(nproc) all
+cp libtinyxml2.a /usr/local/lib/
+cp *.h /usr/local/include/
+)
+
+(
+cd ../asio/asio
+sh autogen.sh
+./configure
+make -j$(nproc) install
+)
+
+(
+cd ..
+mkdir Fast-CDR/build && cd Fast-CDR/build
+cmake .. -DBUILD_SHARED_LIBS=OFF
+cmake --build . --target install
+)
+
+(
+cd ..
+cd foonathan_memory_vendor
+mkdir build && cd build
+cmake .. -DBUILD_SHARED_LIBS=OFF
+cmake --build . --target install
+)
+
+# build project
+git apply ../patch.diff
+mkdir build && cd build
+cmake .. -DBUILD_SHARED_LIBS=OFF
+make -j $(nproc)
+cp src/cpp/fuzz* $OUT/
diff --git a/projects/fast-dds/patch.diff b/projects/fast-dds/patch.diff
new file mode 100644
index 000000000..e4f0ba2ed
--- /dev/null
+++ b/projects/fast-dds/patch.diff
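Review bot: The tinyxml2 step runs `make -j$(nproc) all` without passing `CXX`/`CXXFLAGS`, so whether `libtinyxml2.a` gets the sanitizer and coverage flags OSS-Fuzz places in `$CXXFLAGS` depends entirely on tinyxml2's Makefile reading them from the environment, which I cannot verify from here. An uninstrumented static library linked into the fuzzer would hide memory errors in the XML parsing path from ASan/UBSan and from coverage, so passing them explicitly is cheap insurance: `make -j$(nproc) CXX="$CXX" CXXFLAGS="$CXXFLAGS" all`. The same question applies to asio's bare `./configure` (less important if asio is consumed header-only), while the cmake configures should pick `CC`/`CXX`/`CXXFLAGS` up from the environment on a fresh build tree.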
@@ -0,0 +1,74 @@ +diff --git a/src/cpp/CMakeLists.txt b/src/cpp/CMakeLists.txt +index b7fb777..615e955 100644 +--- a/src/cpp/CMakeLists.txt ++++ b/src/cpp/CMakeLists.txt +@@ -484,6 +484,11 @@ elseif(NOT EPROSIMA_INSTALLER) + endif() + endif() + ++if(DEFINED ENV{LIB_FUZZING_ENGINE}) ++ add_executable(fuzz_processCDRMsg rtps/messages/fuzz_processCDRMsg.cpp) ++ target_link_libraries(fuzz_processCDRMsg ${PROJECT_NAME} $ENV{LIB_FUZZING_ENGINE}) ++endif() ++ + ############################################################################### + # Packaging + ############################################################################### +diff --git a/src/cpp/rtps/messages/MessageReceiver.cpp b/src/cpp/rtps/messages/MessageReceiver.cpp +index 962ca9b..0e82082 100644 +--- a/src/cpp/rtps/messages/MessageReceiver.cpp ++++ b/src/cpp/rtps/messages/MessageReceiver.cpp +@@ -324,7 +324,11 @@ void MessageReceiver::processCDRMsg( + + reset(); + ++#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ++ GuidPrefix_t participantGuidPrefix; ++#else + GuidPrefix_t participantGuidPrefix = participant_->getGuid().guidPrefix; ++#endif + dest_guid_prefix_ = participantGuidPrefix; + + msg->pos = 0; //Start reading at 0 +@@ -513,7 +517,9 @@ void MessageReceiver::processCDRMsg( + submessage->pos = next_msg_pos; + } + ++#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + participant_->assert_remote_participant_liveliness(source_guid_prefix_); ++#endif + } + + bool MessageReceiver::checkRTPSHeader( +diff --git a/src/cpp/rtps/messages/fuzz_processCDRMsg.cpp b/src/cpp/rtps/messages/fuzz_processCDRMsg.cpp +new file mode 100644 +index 0000000..6a71817 +--- /dev/null ++++ b/src/cpp/rtps/messages/fuzz_processCDRMsg.cpp +@@ -0,0 +1,26 @@ ++#include <stdio.h> ++#include <stdlib.h> ++#include <stdint.h> ++#include <stdarg.h> ++#include <string.h> ++ ++#include <fastrtps/rtps/messages/MessageReceiver.h> ++#include <fastdds/rtps/attributes/RTPSParticipantAttributes.h> ++ ++extern "C" int LLVMFuzzerTestOneInput(const 
uint8_t *data, size_t size) { ++ const eprosima::fastrtps::rtps::Locator_t remoteLocator; ++ eprosima::fastrtps::rtps::MessageReceiver* rcv = new eprosima::fastrtps::rtps::MessageReceiver(NULL, 4096); ++ ++ eprosima::fastrtps::rtps::CDRMessage_t msg(0); ++ msg.wraps = true; ++ msg.buffer = const_cast<eprosima::fastrtps::rtps::octet*>(data); ++ msg.length = size; ++ msg.max_size = size; ++ msg.reserved_size = size; ++ ++ // TODO: Should we unlock in case UnregisterReceiver is called from callback ? ++ rcv->processCDRMsg(remoteLocator, &msg); ++ delete rcv; ++ return 0; ++} ++ diff --git a/projects/fast-dds/project.yaml b/projects/fast-dds/project.yaml new file mode 100644 index 000000000..970e0b10d --- /dev/null +++ b/projects/fast-dds/project.yaml @@ -0,0 +1,9 @@ +homepage: "https://www.eprosima.com/" +language: c++ +primary_contact: "miguelcompany@eprosima.com" +auto_ccs: +- "p.antoine@catenacyber.fr" +sanitizers: +- address +- undefined +main_repo: 'https://github.com/eProsima/Fast-DDS.git' diff --git a/projects/fasthttp/Dockerfile b/projects/fasthttp/Dockerfile index 690459875..368470692 100644 --- a/projects/fasthttp/Dockerfile +++ b/projects/fasthttp/Dockerfile @@ -15,7 +15,7 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get github.com/valyala/fasthttp +RUN git clone --depth 1 https://github.com/valyala/fasthttp COPY build.sh $SRC/ -WORKDIR $SRC/ +WORKDIR $SRC/fasthttp diff --git a/projects/fasthttp/build.sh b/projects/fasthttp/build.sh index 02fe85a71..59aec49a1 100755 --- a/projects/fasthttp/build.sh +++ b/projects/fasthttp/build.sh @@ -18,7 +18,7 @@ -ls $GOPATH/src/github.com/valyala/fasthttp/fuzzit | while read target +ls fuzzit/ | while read target do compile_go_fuzzer github.com/valyala/fasthttp/fuzzit/$target Fuzz fuzz_$target gofuzz done diff --git a/projects/fastjson/Dockerfile b/projects/fastjson/Dockerfile index 7da61ee49..9c196148d 100644 
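Review bot: The harness in `fuzz_processCDRMsg.cpp` hands libFuzzer's input to the receiver through `const_cast<eprosima::fastrtps::rtps::octet*>(data)` with `msg.wraps = true`, so if `processCDRMsg` ever writes into `msg->buffer` (an in-place byte-order fix-up, for instance) it mutates the fuzzer's own input, which breaks the `LLVMFuzzerTestOneInput` contract and makes crashes harder to reproduce; copying into an owned buffer first (`std::vector<eprosima::fastrtps::rtps::octet> buf(data, data + size); msg.buffer = buf.data();`) removes the question. I cannot tell from the visible lines whether the receiver writes to the buffer, so treat this as a question for the author. The receiver is also built with a null participant (`MessageReceiver(NULL, 4096)`) and only the two `participant_` uses shown in the hunk are fenced by `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`; any other dereference of `participant_` reachable from `processCDRMsg` will report as a null-pointer crash that is a harness artefact rather than a Fast-DDS bug, which is worth a comment in the harness. The body of `MessageReceiver::processCDRMsg` starts and ends outside the patch lines shown here.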
--- a/projects/fastjson/Dockerfile +++ b/projects/fastjson/Dockerfile @@ -15,7 +15,7 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get github.com/valyala/fastjson +RUN git clone --depth 1 https://github.com/valyala/fastjson COPY build.sh $SRC/ -WORKDIR $SRC/ +WORKDIR $SRC/fastjson diff --git a/projects/fastjson2/Dockerfile b/projects/fastjson2/Dockerfile new file mode 100644 index 000000000..e8c9f4ec8 --- /dev/null +++ b/projects/fastjson2/Dockerfile @@ -0,0 +1,31 @@ + +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder +RUN apt-get update && apt-get install -y maven + +RUN git clone --depth 1 https://github.com/google/fuzzing && \ + cat fuzzing/dictionaries/json.dict > $SRC/JsonFuzzer.dict + +RUN git clone --depth 1 https://github.com/dvyukov/go-fuzz-corpus && \ + zip -q $SRC/JsonFuzzer_seed_corpus.zip go-fuzz-corpus/json/corpus/* + +RUN git clone --depth 1 https://github.com/alibaba/fastjson + +COPY build.sh $SRC/ +COPY JsonFuzzer.java $SRC/ +WORKDIR $SRC/fastjson diff --git a/projects/fastjson2/JsonFuzzer.java b/projects/fastjson2/JsonFuzzer.java new file mode 100644 index 000000000..9ac5caba5 --- /dev/null +++ b/projects/fastjson2/JsonFuzzer.java 
@@ -0,0 +1,28 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.JSONException;
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+public class JsonFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ try {
+ JSON.parse(data.consumeRemainingAsString());
+ } catch (JSONException ignored) {
+ }
+ }
+}
diff --git a/projects/fastjson2/build.sh b/projects/fastjson2/build.sh
new file mode 100644
index 000000000..121c3249a
--- /dev/null
+++ b/projects/fastjson2/build.sh
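Review bot: `catch (JSONException ignored)` is the only exception the harness tolerates, which is the right choice for a fuzz target — anything else `JSON.parse` throws is a finding — but the intent is not written down, and the obvious way to quiet a noisy run is to widen it to `Exception`, which would hide exactly the bugs this target exists to find. A comment on the catch prevents that: `// Only the documented parse failure is expected; any other Throwable is a bug and must surface to Jazzer.` A one-line class comment stating that the whole input is fed as a single document via `consumeRemainingAsString()` would complete the documentation.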
@@ -0,0 +1,51 @@
+#!/bin/bash -eu
+# Copyright 2021 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Copy seed corpus and dictionary.
+mv $SRC/{*.zip,*.dict} $OUT
+
+mvn package -Dmaven.test.skip=true -Djdk.version=15
+CURRENT_VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+ -Dexpression=project.version -q -DforceStdout)
+cp "target/fastjson-$CURRENT_VERSION.jar" $OUT/fastjson.jar
+
+PROJECT_JARS="fastjson.jar"
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API.
+BUILD_CLASSPATH=$(echo $PROJECT_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $PROJECT_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ # Create an execution wrapper that executes Jazzer with the correct arguments.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
diff --git a/projects/fastjson2/project.yaml b/projects/fastjson2/project.yaml
new file mode 100644
index 000000000..3fcba92ad
--- /dev/null
+++ b/projects/fastjson2/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/alibaba/fastjson"
+language: jvm
+primary_contact: "shaojin.wensj@alibaba-inc.com"
+auto_ccs:
+ - "meumertzheim@code-intelligence.com"
+fuzzing_engines:
+ - libfuzzer
+main_repo: "https://github.com/alibaba/fastjson"
+sanitizers:
+ - address
diff --git a/projects/firefox/Dockerfile b/projects/firefox/Dockerfile
index 18543d582..1d19ca82e 100644
--- a/projects/firefox/Dockerfile
+++ b/projects/firefox/Dockerfile
@@ -19,13 +19,18 @@ RUN add-apt-repository -y ppa:ubuntu-toolchain-r/test
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
 gawk \
 libstdc++6 \
+ m4 \
 python \
 software-properties-common
+
+# This wrapper of cargo seems to interfere with our build system.
+RUN rm -f /usr/local/bin/cargo
+
 RUN git clone --depth 1 https://github.com/mozilla/gecko-dev mozilla-central
 RUN git clone --depth 1 https://github.com/mozillasecurity/fuzzdata
 WORKDIR mozilla-central
 # Install OS dependencies.
 # Will be re-run in build.sh to install missing dependencies.
 ENV SHELL /bin/bash
-RUN ./mach bootstrap --no-interactive --application-choice browser
+RUN ./mach --no-interactive bootstrap --application-choice browser
 COPY build.sh target.c *.options mozconfig.* $SRC/
diff --git a/projects/firefox/build.sh b/projects/firefox/build.sh
index a41b99bc8..8788e190e 100755
--- a/projects/firefox/build.sh
+++ b/projects/firefox/build.sh
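Review bot: `for fuzzer in $(find $SRC -name '*Fuzzer.java')` walks every tree under `$SRC`, including the cloned fastjson, fuzzing and go-fuzz-corpus repositories, yet the following `cp $SRC/$fuzzer_basename.class $OUT/` assumes each match lives directly in `$SRC` (javac without `-d` writes the .class next to its source). Should any of those clones ever contain a `*Fuzzer.java`, the loop compiles it against this project's classpath and then fails on the copy, or ships a stray class under a wrapper that does not belong to it. Restricting the search to the harnesses this project copies in avoids both: `for fuzzer in $(find $SRC -maxdepth 1 -name '*Fuzzer.java'); do`. Cosmetically, the header reads `Copyright 2021 Google Inc.` while the sibling new files in this change use `Google LLC`.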
@@ -42,9 +42,22 @@ FUZZ_TARGETS=( export MOZ_OBJDIR=$WORK/obj-fuzz export MOZCONFIG=$SRC/mozconfig.$SANITIZER +# Without this, a host tool used during Rust part of the build will fail +export ASAN_OPTIONS="detect_leaks=0" + # Install remaining dependencies. export SHELL=/bin/bash -./mach bootstrap --no-interactive --application-choice browser + +# Firefox might not be buildable on the latest Rust Nightly, so we should try +# to use the same version that we use in our CI. +RUST_NIGHTLY_VERSION=$(sed -n 's/^.*--channel.*\(nightly-[0-9-]*\).*$/\1/p' \ + $SRC/mozilla-central/taskcluster/ci/toolchain/rust.yml +) + +rustup toolchain install ${RUST_NIGHTLY_VERSION} +rustup default ${RUST_NIGHTLY_VERSION}-x86_64-unknown-linux-gnu + +./mach --no-interactive bootstrap --application-choice browser # Skip patches for now rm tools/fuzzing/libfuzzer/patches/*.patch diff --git a/projects/firefox/mozconfig.address b/projects/firefox/mozconfig.address index c9eb33d0b..0bc2c36c4 100644 --- a/projects/firefox/mozconfig.address +++ b/projects/firefox/mozconfig.address @@ -1,4 +1,7 @@ . $SRC/mozconfig.coverage ac_add_options --enable-address-sanitizer -mk_add_options CFLAGS= CXXFLAGS= + +# Don't use standard CFLAGS/CXXFLAGS provided by oss-fuzz +export CFLAGS="" +export CXXFLAGS="" diff --git a/projects/fluent-bit/project.yaml b/projects/fluent-bit/project.yaml index f68179d25..aca7cccc6 100755 --- a/projects/fluent-bit/project.yaml +++ b/projects/fluent-bit/project.yaml @@ -1,9 +1,6 @@ homepage: "https://github.com/fluent/fluent-bit" primary_contact: "edsiper@gmail.com" language: c++ -fuzzing_engines: - - libfuzzer - - honggfuzz auto_ccs: - "david@adalogics.com" - "wppttt@amazon.com" diff --git a/projects/freeimage/Dockerfile b/projects/freeimage/Dockerfile index 86ab661ac..3133e71a3 100644 --- a/projects/freeimage/Dockerfile +++ b/projects/freeimage/Dockerfile 
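Review bot: `RUST_NIGHTLY_VERSION=$(sed -n 's/^.*--channel.*\(nightly-[0-9-]*\).*$/\1/p' ...rust.yml)` yields an empty string as soon as the `--channel nightly-YYYY-MM-DD` pattern moves or is reworded in rust.yml, and the subsequent `rustup toolchain install ""` / `rustup default -x86_64-unknown-linux-gnu` would then presumably fail with a toolchain-name error that does not point at the real cause. A guard directly after the assignment makes the failure self-explanatory: `[ -n "$RUST_NIGHTLY_VERSION" ] || { echo "could not derive the Rust nightly version from rust.yml" >&2; exit 1; }`. `export ASAN_OPTIONS="detect_leaks=0"` is also left set for the remainder of the script, not just the Rust host-tool step the comment describes; if that scope is intended the comment should say so, otherwise prefix only the affected command. The script continues outside this hunk in both directions.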
@@ -16,10 +16,7 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y make autoconf automake libtool wget -# This downloads the latest version at the time of writing. There does not -# appear to be a head version of FreeImage. -RUN wget https://downloads.sourceforge.net/freeimage/FreeImage3180.zip -RUN unzip FreeImage3180.zip -WORKDIR $SRC +RUN svn checkout https://svn.code.sf.net/p/freeimage/svn/ freeimage-svn +WORKDIR $SRC/freeimage-svn/FreeImage/trunk/ COPY build.sh $SRC/ COPY load_from_memory_fuzzer.cc $SRC/ diff --git a/projects/freeimage/build.sh b/projects/freeimage/build.sh index a418bd0a3..707440eb2 100755 --- a/projects/freeimage/build.sh +++ b/projects/freeimage/build.sh @@ -15,15 +15,13 @@ # ################################################################################ -pushd FreeImage - # b44ExpLogTable.cpp only contains a definition of main(). sed -i 's/Source\/OpenEXR\/IlmImf\/b44ExpLogTable.cpp//' Makefile.srcs make LIBRARIES=-lc++ -j$(nproc) -popd +INSTALL_DIR="$PWD/Dist" -INSTALL_DIR=$SRC/FreeImage/Dist +cd $SRC $CXX $CXXFLAGS -I${INSTALL_DIR}/ $LIB_FUZZING_ENGINE \ load_from_memory_fuzzer.cc ${INSTALL_DIR}/libfreeimage.a \ diff --git a/projects/ghostscript/Dockerfile b/projects/ghostscript/Dockerfile index 942d8c347..c21bb87d3 100644 --- a/projects/ghostscript/Dockerfile +++ b/projects/ghostscript/Dockerfile @@ -20,8 +20,9 @@ RUN apt-get update && apt-get install -y autoconf zlibc libtool liblcms2-dev lib RUN git clone --branch branch-2.2 --single-branch --depth 1 https://github.com/apple/cups.git cups RUN git clone --branch VER-2-10-1 --single-branch --depth 1 https://git.savannah.gnu.org/git/freetype/freetype2.git freetype RUN git clone --single-branch --depth 1 git://git.ghostscript.com/ghostpdl.git ghostpdl - RUN mkdir ghostpdl/fuzz -COPY gstoraster_fuzzer.cc ghostpdl/fuzz +WORKDIR ghostpdl + +COPY gstoraster_fuzzer.cc $SRC/ COPY build.sh $SRC/ 
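Review bot: `RUN svn checkout https://svn.code.sf.net/p/freeimage/svn/ freeimage-svn` checks out the repository root, which presumably includes every branch and tag, while the build only ever enters `FreeImage/trunk`; checking out just that subtree keeps the image build shorter and smaller: `RUN svn checkout https://svn.code.sf.net/p/freeimage/svn/FreeImage/trunk freeimage-svn` paired with `WORKDIR $SRC/freeimage-svn`. The change also moves from a fixed 3.18.0 release archive to an unpinned trunk checkout, which is the normal OSS-Fuzz posture, but the removed comment explaining the source choice should be replaced rather than dropped, e.g. `# Track SVN trunk (the upstream development line) instead of the fixed 3.18.0 release archive.`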
diff --git a/projects/ghostscript/build.sh b/projects/ghostscript/build.sh index 07ae5ee70..b74772f13 100755 --- a/projects/ghostscript/build.sh +++ b/projects/ghostscript/build.sh @@ -16,7 +16,7 @@ ################################################################################ # Build CUPS -pushd cups +pushd $SRC/cups # Fix bad line sed -i '2110s/\(\s\)f->value/\1(int)f->value/' cups/ppd-cache.c @@ -29,13 +29,12 @@ make -C filter libs install-libs install -m755 cups-config "$WORK"/cups-config popd -cd ghostpdl rm -rf cups/libs || die rm -rf freetype || die rm -rf libpng || die rm -rf zlib || die -mv ../freetype freetype +mv $SRC/freetype freetype CUPSCONFIG="$WORK/cups-config" CUPS_CFLAGS=$($CUPSCONFIG --cflags) @@ -51,7 +50,7 @@ CPPFLAGS="${CPPFLAGS:-} $CUPS_CFLAGS -DPACIFY_VALGRIND" ./autogen.sh \ make -j$(nproc) libgs $CXX $CXXFLAGS $CUPS_LDFLAGS -std=c++11 -I. \ - fuzz/gstoraster_fuzzer.cc \ + $SRC/gstoraster_fuzzer.cc \ -o "$OUT/gstoraster_fuzzer" \ -Wl,-rpath='$ORIGIN' \ $CUPS_LIBS \ diff --git a/projects/ghostscript/gstoraster_fuzzer.cc b/projects/ghostscript/gstoraster_fuzzer.cc index 412352c32..897e99a66 100644 --- a/projects/ghostscript/gstoraster_fuzzer.cc +++ b/projects/ghostscript/gstoraster_fuzzer.cc @@ -42,7 +42,7 @@ static int gs_stdin(void *inst, char *buf, int len) return to_copy; } -static int gs_stdout(void *inst, const char *buf, int len) +static int gs_stdnull(void *inst, const char *buf, int len) { /* Just discard everything. */ return len; @@ -69,7 +69,7 @@ static int gs_to_raster_fuzz(const unsigned char *buf, size_t size) "-dBATCH", "-dNOINTERPOLATE", "-dNOMEDIAATTRS", - "-sstdout=%stderr", + "-sstdout=%%stderr", "-sOutputFile=/dev/null", "-sDEVICE=cups", "-_", 
@@ -86,7 +86,7 @@ static int gs_to_raster_fuzz(const unsigned char *buf, size_t size) return ret; } - gsapi_set_stdio(gs, gs_stdin, gs_stdout, NULL /* stderr */); + gsapi_set_stdio(gs, gs_stdin, gs_stdnull, gs_stdnull); ret = gsapi_set_arg_encoding(gs, GS_ARG_ENCODING_UTF8); if (ret < 0) { fprintf(stderr, "gsapi_set_arg_encoding: error %d\n", ret); diff --git a/projects/git/build.sh b/projects/git/build.sh index 0a39a9719..8770a831c 100755 --- a/projects/git/build.sh +++ b/projects/git/build.sh @@ -34,7 +34,7 @@ done zip -j $OUT/fuzz-pack-headers_seed_corpus.zip .git/objects/pack/*.pack.trimmed # build commit-graph corpus -./git commit-graph write +ASAN_OPTIONS=detect_leaks=0 ./git commit-graph write zip -j $OUT/fuzz-commit-graph_seed_corpus .git/objects/info/commit-graph # Mute stderr diff --git a/projects/gitea/Dockerfile b/projects/gitea/Dockerfile index 91f9464de..940312337 100644 --- a/projects/gitea/Dockerfile +++ b/projects/gitea/Dockerfile @@ -17,4 +17,4 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN git clone https://github.com/go-gitea/gitea COPY build.sh $SRC/ -WORKDIR $SRC/ +WORKDIR $SRC/gitea diff --git a/projects/gitea/build.sh b/projects/gitea/build.sh index 4110a4d66..a031afb4c 100644 --- a/projects/gitea/build.sh +++ b/projects/gitea/build.sh @@ -15,9 +15,5 @@ # ################################################################################ -mkdir $GOPATH/src/code.gitea.io -mv $SRC/gitea $GOPATH/src/code.gitea.io/ -cd $GOPATH/src/code.gitea.io/gitea && go get ./... - compile_go_fuzzer code.gitea.io/gitea/tools FuzzMarkdownRenderRaw fuzz_markdown_render_raw gofuzz compile_go_fuzzer code.gitea.io/gitea/tools FuzzMarkupPostProcess fuzz_markup_post_process gofuzz diff --git a/projects/gitea/project.yaml b/projects/gitea/project.yaml index 183460bb0..8fcd31f7f 100644 --- a/projects/gitea/project.yaml +++ b/projects/gitea/project.yaml 
@@ -1,7 +1,14 @@ homepage: "https://github.com/go-gitea/gitea" -primary_contact: "admin@gitea.io" +primary_contact: "security@gitea.io" auto_ccs : - "adam@adalogics.com" + - "xiaolunwen@gmail.com" + - "lauris@nix.lv" + - "techknowlogick@gitea.io" + - "sapk@sapk.fr" + - "zeripath@gmail.com" + - "john.olheiser@gmail.com" + - "6543@obermui.de" language: go fuzzing_engines: - libfuzzer diff --git a/projects/go-json-iterator/Dockerfile b/projects/go-json-iterator/Dockerfile index 3d6a90c56..5d4cf02f3 100644 --- a/projects/go-json-iterator/Dockerfile +++ b/projects/go-json-iterator/Dockerfile @@ -15,7 +15,8 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get github.com/json-iterator/go +RUN git clone https://github.com/json-iterator/go json-iterator -COPY fuzz_json.go $GOPATH/src/github.com/json-iterator/go/ +COPY fuzz_json.go $SRC/json-iterator/ COPY build.sh $SRC/ +WORKDIR $SRC/json-iterator/ diff --git a/projects/go-redis/Dockerfile b/projects/go-redis/Dockerfile index 3bdaf63ad..b0ad17734 100644 --- a/projects/go-redis/Dockerfile +++ b/projects/go-redis/Dockerfile @@ -15,7 +15,7 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get github.com/go-redis/redis +RUN git clone https://github.com/go-redis/redis redis COPY build.sh $SRC/ -WORKDIR $SRC +WORKDIR $SRC/redis diff --git a/projects/go-redis/build.sh b/projects/go-redis/build.sh index b130c457e..e297cd37c 100644 --- a/projects/go-redis/build.sh +++ b/projects/go-redis/build.sh @@ -12,5 +12,6 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - -compile_go_fuzzer github.com/go-redis/redis/fuzz Fuzz fuzz gofuzz + +#github.com/go-redis/redis/fuzz is not a module, so needs local build +compile_go_fuzzer ./fuzz Fuzz fuzz gofuzz 
diff --git a/projects/go-sftp/Dockerfile b/projects/go-sftp/Dockerfile
new file mode 100644
index 000000000..0269d8ee4
--- /dev/null
+++ b/projects/go-sftp/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/pkg/sftp
+
+COPY build.sh $SRC/
+WORKDIR $SRC/sftp
diff --git a/projects/go-sftp/build.sh b/projects/go-sftp/build.sh
new file mode 100755
index 000000000..0e8460fc8
--- /dev/null
+++ b/projects/go-sftp/build.sh
@@ -0,0 +1,18 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+compile_go_fuzzer . Fuzz fuzz_sftp
diff --git a/projects/go-sftp/project.yaml b/projects/go-sftp/project.yaml
new file mode 100644
index 000000000..5f0d4e9e4
--- /dev/null
+++ b/projects/go-sftp/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/pkg/sftp"
+primary_contact: "nicola.murino@gmail.com"
+auto_ccs:
+ - "p.antoine@catenacyber.fr"
+language: go
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+main_repo: 'https://github.com/pkg/sftp'
diff --git a/projects/go-snappy/Dockerfile b/projects/go-snappy/Dockerfile
new file mode 100644
index 000000000..d6d08afd0
--- /dev/null
+++ b/projects/go-snappy/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/golang/snappy
+
+COPY build.sh $SRC/
+COPY fuzz.go $SRC/snappy
+WORKDIR $SRC/snappy
diff --git a/projects/go-snappy/build.sh b/projects/go-snappy/build.sh
new file mode 100755
index 000000000..805eefb7a
--- /dev/null
+++ b/projects/go-snappy/build.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+compile_go_fuzzer . FuzzRoundTrip fuzz_roundtrip gofuzz
+compile_go_fuzzer . FuzzDecode fuzz_decode gofuzz
diff --git a/projects/go-snappy/fuzz.go b/projects/go-snappy/fuzz.go
new file mode 100644
index 000000000..6722fd02d
--- /dev/null
+++ b/projects/go-snappy/fuzz.go
@@ -0,0 +1,33 @@
+// +build gofuzz
+
+package snappy
+
+import (
+ "bytes"
+)
+
+func FuzzRoundTrip(data []byte) int {
+ if len(data) > 1234567 {
+ return 0
+ }
+ encoded := Encode(nil, data)
+ decoded, err := Decode(nil, encoded)
+ if err != nil {
+ panic("Error decoding snappy-encoded")
+ }
+ if !bytes.Equal(data, decoded) {
+ panic("Different result on roundtrip encode/decode")
+ }
+ return 1
+}
+
+func FuzzDecode(data []byte) int {
+ if n, _ := DecodedLen(data); n > 1234567 {
+ return 0
+ }
+ _, err := Decode(nil, data)
+ if err != nil {
+ return 0
+ }
+ return 1
+}
diff --git a/projects/go-snappy/project.yaml b/projects/go-snappy/project.yaml
new file mode 100644
index 000000000..8a732ccb3
--- /dev/null
+++ b/projects/go-snappy/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/golang/snappy"
+primary_contact: "nigeltao@golang.org"
+auto_ccs:
+ - "p.antoine@catenacyber.fr"
+language: go
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+main_repo: 'https://github.com/golang/snappy'
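Review bot: `panic("Error decoding snappy-encoded")` in FuzzRoundTrip throws the decoder's error away, so a crash report will not say why a buffer that `Encode` just produced failed to decode; `panic(err)` keeps that message at no cost. The 1234567 cap is repeated in both functions with no explanation, and a package-level `const maxFuzzInput = 1234567` with a one-line comment that it bounds the allocation done by `Encode` and `Decode` makes the limit self-documenting. In FuzzDecode the error from `DecodedLen` is discarded; that is presumably fine because `Decode` reports the same malformed header, but a short comment saying so would save the next reader a check.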
diff --git a/projects/go-sqlite3/Dockerfile b/projects/go-sqlite3/Dockerfile index e948b558b..f1b10e165 100644 --- a/projects/go-sqlite3/Dockerfile +++ b/projects/go-sqlite3/Dockerfile @@ -15,9 +15,7 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -# TODO use upstream repo -# RUN go get -t github.com/mattn/go-sqlite3 -RUN git clone --branch fuzz --depth 1 http://github.com/catenacyber/go-sqlite3 $GOPATH/src/github.com/mattn/go-sqlite3 +RUN git clone --depth 1 http://github.com/mattn/go-sqlite3 $GOPATH/src/github.com/mattn/go-sqlite3 -COPY build.sh fuzz*.go $SRC/ +COPY build.sh $SRC/ WORKDIR $SRC/ diff --git a/projects/golang/project.yaml b/projects/golang/project.yaml index e665a71f5..ed1e86329 100644 --- a/projects/golang/project.yaml +++ b/projects/golang/project.yaml @@ -3,6 +3,7 @@ primary_contact: "golang-fuzz@googlegroups.com" auto_ccs: - "mmoroz@chromium.org" - "josharian@gmail.com" + - "emmanuel@orijtech.com" language: go sanitizers: - address diff --git a/projects/gpac/Dockerfile b/projects/gpac/Dockerfile new file mode 100755 index 000000000..cf7fc8043 --- /dev/null +++ b/projects/gpac/Dockerfile 
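Review bot: The new clone line fetches the tree every fuzzer binary is built from over plain `http://github.com/mattn/go-sqlite3`, so the first request is unauthenticated and can be intercepted or kept off TLS before GitHub's redirect happens; use `RUN git clone --depth 1 https://github.com/mattn/go-sqlite3 $GOPATH/src/github.com/mattn/go-sqlite3`. The scheme was inherited from the removed catenacyber line, but this rewrite is the moment to drop it, and every other clone in this change already uses https.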
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y build-essential pkg-config libz-dev
+RUN git clone https://github.com/gpac/gpac
+
+WORKDIR $SRC
+COPY build.sh $SRC/
+COPY fuzz_parse.c $SRC/
diff --git a/projects/gpac/build.sh b/projects/gpac/build.sh
new file mode 100755
index 000000000..904f5f234
--- /dev/null
+++ b/projects/gpac/build.sh
@@ -0,0 +1,25 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd gpac
+./configure --static-build --extra-cflags="${CFLAGS}" --extra-ldflags="${CFLAGS}"
+make
+cp $SRC/fuzz_parse.c .
+
+$CC $CFLAGS $LIB_FUZZING_ENGINE fuzz_parse.c -o $OUT/fuzz_parse \
+ -I./include -I./ ./bin/gcc/libgpac_static.a \
+ -lm -lz -lpthread -DGPAC_HAVE_CONFIG_H
diff --git a/projects/gpac/fuzz_parse.c b/projects/gpac/fuzz_parse.c
new file mode 100644
index 000000000..b7c9ac9a6
--- /dev/null
+++ b/projects/gpac/fuzz_parse.c
@@ -0,0 +1,36 @@
+/* Copyright 2021 Google LLC
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+#include <stdio.h>
+#include <unistd.h>
+
+#include <gpac/internal/isomedia_dev.h>
+#include <gpac/constants.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ char filename[256];
+ sprintf(filename, "/tmp/libfuzzer.%d", getpid());
+
+ FILE *fp = fopen(filename, "wb");
+ if (!fp) {
+ return 0;
+ }
+ fwrite(data, size, 1, fp);
+ fclose(fp);
+
+ GF_ISOFile *movie = NULL;
+ movie = gf_isom_open_file(filename, GF_ISOM_OPEN_READ_DUMP, NULL);
+ if (movie != NULL) {
+ gf_isom_close(movie);
+ }
+ unlink(filename);
+ return 0;
+}
diff --git a/projects/gpac/project.yaml b/projects/gpac/project.yaml
new file mode 100755
index 000000000..1229d1260
--- /dev/null
+++ b/projects/gpac/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://gpac.wp.imt.fr/"
+main_repo: "https://github.com/gpac/gpac"
+primary_contact: "project.gpac@gmail.com"
+language: c
+auto_ccs:
+ - "david@adalogics.com"
diff --git a/projects/graphicsmagick/Dockerfile b/projects/graphicsmagick/Dockerfile
index 29f49fd68..97f3a561d 100644
--- a/projects/graphicsmagick/Dockerfile
+++ b/projects/graphicsmagick/Dockerfile
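Review bot: The scratch path `/tmp/libfuzzer.<pid>` is predictable and `fopen(..., "wb")` follows symlinks, so anything else that can write /tmp could plant a link and have the harness truncate an arbitrary file; `fwrite`'s return value is also ignored, so a short write silently feeds GPAC a truncated input and any finding is then hard to reproduce from the corpus. `mkstemp` creates the file with O_EXCL under an unpredictable name and returns a descriptor to wrap with `fdopen`, and checking the write count turns an I/O problem into an early return instead of a bogus test case; this needs `<stdlib.h>` for `mkstemp`. The existing behaviour of still calling `gf_isom_open_file` for `size == 0` is kept below.
```c
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  /* mkstemp: O_EXCL under a random name, so a planted symlink cannot redirect the write. */
  char filename[] = "/tmp/libfuzzer.XXXXXX";
  int fd = mkstemp(filename);
  if (fd < 0) {
    return 0;
  }
  FILE *fp = fdopen(fd, "wb");
  if (!fp) {
    close(fd);
    unlink(filename);
    return 0;
  }
  /* A short write would hand GPAC a truncated input; treat it as a harness failure. */
  if (fwrite(data, 1, size, fp) != size || fclose(fp) != 0) {
    unlink(filename);
    return 0;
  }
  /* … unchanged: gf_isom_open_file / gf_isom_close / unlink / return … */
```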
@@ -16,9 +16,9 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y mercurial automake autopoint cmake libtool nasm pkg-config po4a -RUN hg clone --time -b default http://hg.code.sf.net/p/graphicsmagick/code graphicsmagick || \ - hg clone --time -b default http://hg.code.sf.net/p/graphicsmagick/code graphicsmagick || \ - hg clone --time -b default http://hg.code.sf.net/p/graphicsmagick/code graphicsmagick +RUN hg clone --time -b default https://hg.osdn.net/view/graphicsmagick/GM graphicsmagick || \ + hg clone --time -b default https://hg.osdn.net/view/graphicsmagick/GM graphicsmagick || \ + hg clone --time -b default https://hg.osdn.net/view/graphicsmagick/GM graphicsmagick RUN git clone --depth 1 https://gitlab.com/libtiff/libtiff RUN git clone --depth 1 https://github.com/webmproject/libwebp @@ -31,6 +31,8 @@ RUN git clone --depth 1 https://github.com/pnggroup/libpng RUN git clone --depth 1 https://github.com/mm2/Little-CMS RUN git clone https://git.ghostscript.com/ghostpdl.git RUN git clone --depth 1 https://gitlab.com/federicomenaquintero/bzip2.git +RUN git clone --depth 1 https://github.com/jasper-software/jasper +RUN git clone --depth 1 https://gitlab.gnome.org/GNOME/libxml2.git WORKDIR graphicsmagick COPY build.sh $SRC/ diff --git a/projects/grok/Dockerfile b/projects/grok/Dockerfile index c8ea8f838..9551e85a3 100644 --- a/projects/grok/Dockerfile +++ b/projects/grok/Dockerfile @@ -15,9 +15,8 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN apt-get update && apt-get install -y wget RUN git clone --depth 1 https://github.com/GrokImageCompression/grok.git grok -RUN git clone --depth 1 https://github.com/GrokImageCompression/grok-test-data.git grok/data +RUN git clone --depth 1 https://github.com/GrokImageCompression/grok-test-data.git grok-data WORKDIR grok COPY build.sh $SRC/ 
diff --git a/projects/grpc-gateway/Dockerfile b/projects/grpc-gateway/Dockerfile index 51997231a..9a7cad2f3 100644 --- a/projects/grpc-gateway/Dockerfile +++ b/projects/grpc-gateway/Dockerfile @@ -18,4 +18,4 @@ FROM gcr.io/oss-fuzz-base/base-builder ENV GO111MODULE on RUN git clone https://github.com/grpc-ecosystem/grpc-gateway COPY build.sh $SRC/ -WORKDIR $SRC/ +WORKDIR $SRC/grpc-gateway diff --git a/projects/grpc-gateway/build.sh b/projects/grpc-gateway/build.sh index 386002444..19c4ac5f6 100755 --- a/projects/grpc-gateway/build.sh +++ b/projects/grpc-gateway/build.sh @@ -15,13 +15,10 @@ # ################################################################################ -mkdir $GOPATH/src/github.com/grpc-ecosystem -mv $SRC/grpc-gateway $GOPATH/src/github.com/grpc-ecosystem/ -cd $GOPATH/src/github.com/grpc-ecosystem/grpc-gateway && go get ./... - if [ "$SANITIZER" = "coverage" ] then - compile_go_fuzzer github.com/grpc-ecosystem/grpc-gateway/internal/httprule Fuzz fuzz gofuzz + go get github.com/grpc-ecosystem/grpc-gateway/... + compile_go_fuzzer github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule Fuzz fuzz gofuzz else compile_go_fuzzer github.com/grpc-ecosystem/grpc-gateway/v2/internal/httprule Fuzz fuzz gofuzz fi diff --git a/projects/grpc/Dockerfile b/projects/grpc/Dockerfile index 69f44b2f0..6d2a31074 100644 --- a/projects/grpc/Dockerfile +++ b/projects/grpc/Dockerfile @@ -14,9 +14,7 @@ # ################################################################################ -# TODO(https://github.com/google/oss-fuzz/issues/3093): Stop specifying the -# image SHA once the bug is fixed. -FROM gcr.io/oss-fuzz-base/base-builder@sha256:276813aef0ce5972db43c0230f96162003994fa742fb1b2f4e66c67498575c65 +FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y software-properties-common python-software-properties RUN add-apt-repository ppa:webupd8team/java 
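Review bot: In the coverage branch, `go get github.com/grpc-ecosystem/grpc-gateway/...` names the v1 module path while the very next line compiles the fuzzer from `github.com/grpc-ecosystem/grpc-gateway/v2/...`, so as far as I can tell it fetches an unrelated major version over the network, unpinned, on every coverage build rather than resolving anything the v2 target needs. Both branches now run the identical `compile_go_fuzzer` line, so the `if` can collapse to that single call; if the coverage toolchain genuinely needs the module graph materialised first, `go mod download` in the checkout does it from go.sum without pulling a different module. If a specific coverage failure motivated the `go get`, a one-line comment naming it would stop the next person from deleting it.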
@@ -27,7 +25,8 @@ RUN apt-get update && apt-get -y install \ make \ curl \ autoconf \ - libtool + libtool \ + rsync # Install dependencies diff --git a/projects/grpc/build.sh b/projects/grpc/build.sh index 85831535a..fc82bac30 100755 --- a/projects/grpc/build.sh +++ b/projects/grpc/build.sh @@ -24,7 +24,7 @@ readonly FUZZER_DICTIONARIES=( readonly FUZZER_TARGETS=( test/core/json:json_fuzzer - test/core/client_channel:uri_fuzzer_test + test/core/uri:uri_fuzzer_test test/core/http:request_fuzzer test/core/http:response_fuzzer test/core/nanopb:fuzzer_response @@ -129,7 +129,7 @@ cp ${SRC}/grpc/tools/fuzzer/options/*.options "${OUT}/" # We don't have a consistent naming convention between fuzzer files and corpus # directories so we resort to hard coding zipping corpuses zip "${OUT}/json_fuzzer_seed_corpus.zip" test/core/json/corpus/* -zip "${OUT}/uri_fuzzer_test_seed_corpus.zip" test/core/client_channel/uri_corpus/* +zip "${OUT}/uri_fuzzer_test_seed_corpus.zip" test/core/uri/uri_corpus/* zip "${OUT}/request_fuzzer_seed_corpus.zip" test/core/http/request_corpus/* zip "${OUT}/response_fuzzer_seed_corpus.zip" test/core/http/response_corpus/* zip "${OUT}/fuzzer_response_seed_corpus.zip" test/core/nanopb/corpus_response/* diff --git a/projects/hiredis/Dockerfile b/projects/hiredis/Dockerfile index 616330f49..3f96259eb 100644 --- a/projects/hiredis/Dockerfile +++ b/projects/hiredis/Dockerfile @@ -1,4 +1,4 @@ -# Copyright 2018 Google Inc. +# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/projects/hiredis/build.sh b/projects/hiredis/build.sh index 9159e8d18..72888bedc 100755 --- a/projects/hiredis/build.sh +++ b/projects/hiredis/build.sh 
@@ -1,5 +1,5 @@
 #!/bin/bash -eu
-# Copyright 2020 Google Inc.
+# Copyright 2021 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
diff --git a/projects/hiredis/project.yaml b/projects/hiredis/project.yaml
index 9264b769a..b863fe848 100755
--- a/projects/hiredis/project.yaml
+++ b/projects/hiredis/project.yaml
@@ -1,9 +1,6 @@
 homepage: "https://github.com/redis/hiredis"
 primary_contact: "michael.grunder@gmail.com"
 language: c
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
 auto_ccs:
 - "Adam@adalogics.com"
 main_repo: "https://github.com/redis/hiredis"
diff --git a/projects/httparse/Dockerfile b/projects/httparse/Dockerfile
new file mode 100644
index 000000000..cffcc9f12
--- /dev/null
+++ b/projects/httparse/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN git clone https://github.com/seanmonstar/httparse
+WORKDIR $SRC
+
+COPY build.sh $SRC/
diff --git a/projects/httparse/build.sh b/projects/httparse/build.sh
new file mode 100755
index 000000000..c4fdec2ed
--- /dev/null
+++ b/projects/httparse/build.sh
@@ -0,0 +1,22 @@ +#!/bin/bash -eu +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +cd $SRC/httparse +cargo fuzz build -O +cp fuzz/target/x86_64-unknown-linux-gnu/release/parse_request $OUT/ +cp fuzz/target/x86_64-unknown-linux-gnu/release/parse_headers $OUT/ +cp fuzz/target/x86_64-unknown-linux-gnu/release/parse_chunk_size $OUT/ diff --git a/projects/httparse/project.yaml b/projects/httparse/project.yaml new file mode 100644 index 000000000..43bfec406 --- /dev/null +++ b/projects/httparse/project.yaml @@ -0,0 +1,10 @@ +homepage: "https://github.com/seanmonstar/httparse" +main_repo: "https://github.com/seanmonstar/httparse" +primary_contact: "seanmonstar@gmail.com" +sanitizers: + - address +fuzzing_engines: + - libfuzzer +language: rust +auto_ccs: + - "david@adalogics.com" diff --git a/projects/hugo/Dockerfile b/projects/hugo/Dockerfile index d78e24964..bfba1a283 100644 --- a/projects/hugo/Dockerfile +++ b/projects/hugo/Dockerfile @@ -16,7 +16,6 @@ FROM gcr.io/oss-fuzz-base/base-builder -ENV GO111MODULE on RUN git clone https://github.com/gohugoio/hugo -COPY build.sh $SRC/ -WORKDIR $SRC/ +COPY build.sh fuzz.go $SRC/ +WORKDIR $SRC/hugo diff --git a/projects/hugo/build.sh b/projects/hugo/build.sh index 23f6c8173..c1950ca1e 100755 --- a/projects/hugo/build.sh +++ b/projects/hugo/build.sh 
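Review bot: `cargo fuzz build -O` builds with release optimizations, and as far as I recall cargo-fuzz only keeps Rust's debug assertions and integer overflow checks in an optimized build when `--debug-assertions` (`-a`) is also passed, so an arithmetic overflow in the parser would wrap silently instead of aborting and being reported; `cargo fuzz build -O -a` keeps those checks while still producing a fast binary. The three hard-coded `fuzz/target/x86_64-unknown-linux-gnu/release/` paths are the usual oss-fuzz pattern, but a short comment that the triple must match the base image would explain why the build breaks if the toolchain ever changes.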
@@ -15,8 +15,6 @@ # ################################################################################ -mkdir $GOPATH/src/github.com/gohugoio -mv $SRC/hugo $GOPATH/src/github.com/gohugoio/ -cd $GOPATH/src/github.com/gohugoio/hugo +mv $SRC/fuzz.go $SRC/hugo/tpl/transform/ compile_go_fuzzer github.com/gohugoio/hugo/tpl/transform FuzzMarkdownify fuzzmarkdownify diff --git a/projects/hugo/fuzz.go b/projects/hugo/fuzz.go new file mode 100644 index 000000000..7a22e6d50 --- /dev/null +++ b/projects/hugo/fuzz.go 
@@ -0,0 +1,61 @@ +// +build gofuzz + +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package transform + +import ( + "github.com/gohugoio/hugo/common/loggers" + "github.com/gohugoio/hugo/config" + "github.com/gohugoio/hugo/deps" + "github.com/gohugoio/hugo/helpers" + "github.com/gohugoio/hugo/hugofs" + "github.com/gohugoio/hugo/langs" + "github.com/spf13/afero" + "github.com/spf13/viper" +) + +func newFuzzDeps(cfg config.Provider) *deps.Deps { + cfg.Set("contentDir", "content") + cfg.Set("i18nDir", "i18n") + + l := langs.NewLanguage("en", cfg) + + cs, _ := helpers.NewContentSpec(l, loggers.NewErrorLogger(), afero.NewMemMapFs()) + + return &deps.Deps{ + Cfg: cfg, + Fs: hugofs.NewMem(l), + ContentSpec: cs, + } +} + +func FuzzMarkdownify(data []byte) int { + v := viper.New() + v.Set("contentDir", "content") + ns := New(newFuzzDeps(v)) + + for _, test := range []struct { + s interface{} + }{ + {string(data)}, + } { + _, err := ns.Markdownify(test.s) + if err != nil { + return 0 + } + } + return 1 +} diff --git a/projects/ibmswtpm2/no_writes.patch b/projects/ibmswtpm2/no_writes.patch index a9be0dccf..ca8d7c699 100644 --- a/projects/ibmswtpm2/no_writes.patch +++ b/projects/ibmswtpm2/no_writes.patch @@ -84,12 +84,10 @@ diff --git a/makefile b/makefile index cc3e410..c10ba5a 100644 --- a/makefile 
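Review bot: `cs, _ := helpers.NewContentSpec(...)` in newFuzzDeps discards the error, so if the spec cannot be built the target continues with a nil ContentSpec and any later nil dereference inside Markdownify would be filed as a hugo bug rather than a harness bug; `cs, err := helpers.NewContentSpec(l, loggers.NewErrorLogger(), afero.NewMemMapFs())` followed by `if err != nil { panic(err) }` keeps that distinction. The viper config, language and deps are rebuilt on every input, which is pure setup cost on the hot path; if `Namespace` keeps no per-call state (I cannot tell from here) creating `ns` once in a package-level `var` would make the loop noticeably faster. The one-element `for _, test := range []struct{...}` loop wraps a single call and reads more clearly as a plain `_, err := ns.Markdownify(string(data))`.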
+++ b/makefile -@@ -40,16 +40,19 @@ +@@ -40,16 +40,16 @@ - CC = /usr/bin/gcc -+CC = clang -+CXX = clang++ +-CC = /usr/bin/gcc -CCFLAGS = -Wall \ +CCFLAGS = $(CFLAGS) -Wall \ diff --git a/projects/image-png/Dockerfile b/projects/image-png/Dockerfile new file mode 100644 index 000000000..cb953de6d --- /dev/null +++ b/projects/image-png/Dockerfile @@ -0,0 +1,23 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +FROM gcr.io/oss-fuzz-base/base-builder +RUN apt-get update && apt-get install -y make autoconf automake libtool curl cmake python llvm-dev libclang-dev clang + +RUN git clone https://github.com/image-rs/image-png +WORKDIR $SRC + +COPY build.sh $SRC/ +COPY buf_independent.rs $SRC/image-png/fuzz/fuzz_targets/buf_independent.rs diff --git a/projects/image-png/buf_independent.rs b/projects/image-png/buf_independent.rs new file mode 100644 index 000000000..f4a1f312c --- /dev/null +++ b/projects/image-png/buf_independent.rs 
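Review bot: The `apt-get install ... llvm-dev libclang-dev clang` line installs a second, distro-packaged clang beside the pinned toolchain the base-builder image already provides; unless the crate pulls in a bindgen-style build script that needs libclang (nothing in this change shows one), those packages only add doubt about which compiler produced the binaries and should be trimmed to what the build actually uses. `git clone https://github.com/image-rs/image-png` also lacks the `--depth 1` used by the other new projects in this change; a shallow clone is enough for an image that builds from HEAD.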
@@ -0,0 +1,74 @@
+#![no_main]
+extern crate libfuzzer_sys;
+use libfuzzer_sys::fuzz_target;
+extern crate png;
+
+use std::io::{BufRead, Read, Result};
+
+/// A reader that reads at most `n` bytes.
+struct SmalBuf<R: BufRead> {
+ inner: R,
+ cap: usize,
+}
+
+impl<R: BufRead> SmalBuf<R> {
+ fn new(inner: R, cap: usize) -> Self {
+ SmalBuf { inner, cap }
+ }
+}
+
+impl<R: BufRead> Read for SmalBuf<R> {
+ fn read(&mut self, buf: &mut [u8]) -> Result<usize> {
+ let len = buf.len().min(self.cap);
+ self.inner.read(&mut buf[..len])
+ }
+}
+
+impl<R: BufRead> BufRead for SmalBuf<R> {
+ fn fill_buf(&mut self) -> Result<&[u8]> {
+ let buf = self.inner.fill_buf()?;
+ let len = buf.len().min(self.cap);
+ Ok(&buf[..len])
+ }
+
+ fn consume(&mut self, amt: usize) {
+ assert!(amt <= self.cap);
+ self.inner.consume(amt)
+ }
+}
+
+fuzz_target!(|data: &[u8]| {
+ // Small limits, we don't need them hopefully.
+ let limits = png::Limits { bytes: 1 << 16 };
+
+ let reference = png::Decoder::new_with_limits(data, limits);
+ let smal = png::Decoder::new_with_limits(SmalBuf::new(data, 1), limits);
+
+ let _ = png_compare(reference, smal);
+});
+
+#[inline(always)]
+fn png_compare<R: BufRead, S: BufRead>(reference: png::Decoder<R>, smal: png::Decoder<S>)
+ -> std::result::Result<png::OutputInfo, ()>
+{
+ let mut smal = Some(smal);
+ let (info, mut reference) = reference.read_info().map_err(|_| {
+ assert!(smal.take().unwrap().read_info().is_err());
+ })?;
+
+ let (sinfo, mut smal) = smal.take().unwrap().read_info().expect("Deviation");
+ assert_eq!(info, sinfo);
+
+ if info.buffer_size() > 5_000_000 {
+ return Err(());
+ }
+
+ let mut ref_data = vec![0; info.buffer_size()];
+ let mut smal_data = vec![0; info.buffer_size()];
+
+ let _rref = reference.next_frame(&mut ref_data);
+ let _rsmal = smal.next_frame(&mut smal_data);
+
+ assert_eq!(smal_data, ref_data);
+ return Ok(info);
+}
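Review bot: `png_compare` compares the two output buffers but discards `_rref` and `_rsmal`, so the very divergence this harness exists to catch, one decoder failing in `next_frame` while the other succeeds, passes as long as the buffers happen to match (for example when both are still zero-filled after an early error); add `assert_eq!(rref.is_ok(), rsmal.is_ok(), "next_frame deviation");` after the two calls and drop the leading underscores now that the results are used. The `read_info` error branch only asserts that the small-buffer decoder fails too, which is the right direction, but a one-line comment saying the error values are intentionally not compared would keep a reader from filing it as an omission. `#[inline(always)]` on a function called once from the closure does nothing useful here.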
diff --git a/projects/image-png/build.sh b/projects/image-png/build.sh
new file mode 100755
index 000000000..c8b7f4913
--- /dev/null
+++ b/projects/image-png/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC
+cd image-png
+cargo fuzz build -O
+cp fuzz/target/x86_64-unknown-linux-gnu/release/decode $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/buf_independent $OUT/
diff --git a/projects/image-png/project.yaml b/projects/image-png/project.yaml
new file mode 100644
index 000000000..aa86d3a34
--- /dev/null
+++ b/projects/image-png/project.yaml
@@ -0,0 +1,11 @@
+homepage: "https://docs.rs/image/0.23.14/image"
+main_repo: "https://github.com/image-rs/image-png"
+primary_contact: "andreas.molzer@gmx.de"
+sanitizers:
+ - address
+fuzzing_engines:
+ - libfuzzer
+language: rust
+auto_ccs:
+ - "fintelia@gmail.com"
+ - "david@adalogics.com"
diff --git a/projects/imageio/Dockerfile b/projects/imageio/Dockerfile
new file mode 100644
index 000000000..87c1811d5
--- /dev/null
+++ b/projects/imageio/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone https://github.com/imageio/imageio
+
+COPY build.sh $SRC/
+WORKDIR $SRC/imageio
diff --git a/projects/imageio/build.sh b/projects/imageio/build.sh
new file mode 100644
index 000000000..aeef84ec7
--- /dev/null
+++ b/projects/imageio/build.sh
@@ -0,0 +1,33 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+python3 setup.py build install
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find . -name 'fuzz_*.py'); do
+ fuzzer_basename=$(basename -s .py $fuzzer)
+ fuzzer_package=${fuzzer_basename}.pkg
+ pyinstaller --distpath $OUT --onefile --name $fuzzer_package $fuzzer
+
+ # Create execution wrapper.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+ASAN_OPTIONS=\$ASAN_OPTIONS:symbolize=1:external_symbolizer_path=\$this_dir/llvm-symbolizer:detect_leaks=0 \
+\$this_dir/$fuzzer_package \$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
diff --git a/projects/imageio/project.yaml b/projects/imageio/project.yaml
new file mode 100644
index 000000000..73389b5ed
--- /dev/null
+++ b/projects/imageio/project.yaml
@@ -0,0 +1,11 @@
+homepage: "https://imageio.github.io"
+language: python
+primary_contact: "almar.klein@gmail.com"
+auto_ccs:
+ - "david@adalogics.com"
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+ - undefined
+main_repo: 'https://github.com/imageio/imageio'
diff --git a/projects/ipfs/Dockerfile b/projects/ipfs/Dockerfile
index 29590e08d..aee4c4ce1 100644
--- a/projects/ipfs/Dockerfile
+++ b/projects/ipfs/Dockerfile
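Review bot: In the generated wrapper, `\$this_dir/$fuzzer_package \$@` expands the runner's arguments unquoted, so a corpus directory or `-dict=` path containing a space is split into several arguments before it reaches the PyInstaller binary; `\$this_dir/$fuzzer_package \"\$@\"` passes them through intact, and the `this_dir=\$(dirname \"\$0\")` line above already quotes for exactly that reason. `for fuzzer in $(find . -name 'fuzz_*.py')` has the same word-splitting problem on the build side and, since it runs after `setup.py build`, may also match copies of the same scripts under `build/` (I cannot see the repo layout), which would package a target twice under the same `--name`; `find . -path ./build -prune -o -name 'fuzz_*.py' -print` or a `find ... | while read -r fuzzer` loop avoids both. `ASAN_OPTIONS=\$ASAN_OPTIONS:...` yields a leading `:` when the variable is unset, which the runtime tolerates, so that part is cosmetic.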
@@ -15,7 +15,7 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get -t github.com/ipfs/go-datastore +RUN git clone --depth 1 https://github.com/ipfs/go-datastore COPY build.sh $SRC/ -WORKDIR $SRC/ +WORKDIR $SRC/go-datastore diff --git a/projects/ipfs/build.sh b/projects/ipfs/build.sh index d7509e7da..e1d577c44 100755 --- a/projects/ipfs/build.sh +++ b/projects/ipfs/build.sh @@ -15,7 +15,7 @@ # ################################################################################ -cd $GOPATH/src/github.com/ipfs/go-datastore/fuzz +cd fuzz function compile_ds_fuzzer { fuzzer=$1 diff --git a/projects/istio/Dockerfile b/projects/istio/Dockerfile index d9a9aca3c..4ba44e2a5 100644 --- a/projects/istio/Dockerfile +++ b/projects/istio/Dockerfile @@ -15,6 +15,6 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get github.com/istio/istio/pilot/pkg/config/kube/crd/... +RUN git clone https://github.com/istio/istio COPY build.sh $SRC/ -WORKDIR $SRC/ +WORKDIR $SRC/istio diff --git a/projects/istio/build.sh b/projects/istio/build.sh index 7eeee16c6..cb148e828 100644 --- a/projects/istio/build.sh +++ b/projects/istio/build.sh @@ -16,5 +16,5 @@ ################################################################################ -compile_go_fuzzer istio.io/istio/tests/fuzz FuzzParseInputs fuzz_parse_inputs -compile_go_fuzzer istio.io/istio/tests/fuzz FuzzParseAndBuildSchema fuzz_parse_and_build_schema +compile_go_fuzzer ./tests/fuzz FuzzParseInputs fuzz_parse_inputs +compile_go_fuzzer ./tests/fuzz FuzzParseAndBuildSchema fuzz_parse_and_build_schema diff --git a/projects/istio/project.yaml b/projects/istio/project.yaml index f48db7db7..f877df67c 100644 --- a/projects/istio/project.yaml +++ b/projects/istio/project.yaml 
@@ -3,7 +3,8 @@ primary_contact: "istio-security-vulnerability-reports@googlegroups.com"
 auto_ccs :
 - "adam@adalogics.com"
 - "howardjohn@google.com"
- - "fpesce@google.com"
+ - "kconner@redhat.com"
+ - "bavery@redhat.com"
 language: go
 fuzzing_engines:
 - libfuzzer
diff --git a/projects/jackson-core/Dockerfile b/projects/jackson-core/Dockerfile
new file mode 100644
index 000000000..1ff785046
--- /dev/null
+++ b/projects/jackson-core/Dockerfile
@@ -0,0 +1,35 @@
+
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y maven
+
+RUN git clone --depth 1 https://github.com/google/fuzzing
+RUN cat fuzzing/dictionaries/json.dict > $SRC/JsonFuzzer.dict
+
+RUN git clone --depth 1 https://github.com/dvyukov/go-fuzz-corpus && \
+ zip -j $SRC/JsonFuzzer_seed_corpus.zip go-fuzz-corpus/json/corpus/*
+
+ENV JACKSON_BRANCH=2.13
+
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-core
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-databind
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-annotations
+
+COPY build.sh $SRC/
+COPY JsonFuzzer.java $SRC/
+WORKDIR $SRC/
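Review bot: The new jackson-core Dockerfile begins with an empty line before the copyright header, unlike every other Dockerfile added in this commit; it should be dropped. `RUN cat fuzzing/dictionaries/json.dict > $SRC/JsonFuzzer.dict` copies a single file through a shell redirect, where `RUN cp fuzzing/dictionaries/json.dict $SRC/JsonFuzzer.dict` states the intent directly. A one-line comment above the `ENV JACKSON_BRANCH=2.13` line noting that all three FasterXML repositories must be checked out from the same branch for the jars to be compatible would explain why the value is shared.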
diff --git a/projects/jackson-core/JsonFuzzer.java b/projects/jackson-core/JsonFuzzer.java
new file mode 100644
index 000000000..05c0bb365
--- /dev/null
+++ b/projects/jackson-core/JsonFuzzer.java
@@ -0,0 +1,44 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import java.io.IOException;
+
+public class JsonFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ ObjectMapper mapper = new ObjectMapper();
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.ALLOW_COMMENTS);
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.ALLOW_SINGLE_QUOTES);
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES);
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.ALLOW_YAML_COMMENTS);
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.IGNORE_UNDEFINED);
+ if (data.consumeBoolean())
+ mapper.enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);
+
+ try {
+ mapper.readTree(data.consumeRemainingAsBytes());
+ } catch (IOException ignored) {
+ }
+ }
+}
diff --git a/projects/jackson-core/build.sh b/projects/jackson-core/build.sh
new file mode 100644
index 000000000..5cbf19c20
--- /dev/null
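Review bot: The empty `catch (IOException ignored)` carries no comment saying why exactly that type is swallowed, which a reader unfamiliar with Jackson or Jazzer needs: malformed input fails with `JsonProcessingException`, a subclass of `IOException`, and that is expected, whereas any other exception escaping `readTree` is reported by Jazzer as a finding. A comment on the catch such as `// Malformed input is expected to fail with JsonProcessingException (an IOException); anything else escaping readTree is a bug worth reporting.` would document that contract. The identical catch blocks in CborFuzzer (L80) and SmileFuzzer (L82) deserve the same comment, and a class-level comment explaining that the leading `consumeBoolean()` calls toggle parser features before the remaining bytes are parsed would make the feature-selection block self-explanatory.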
+++ b/projects/jackson-core/build.sh 
@@ -0,0 +1,57 @@
+#!/bin/bash -eu
+# Copyright 2021 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Copy seed corpus and dictionary.
+mv $SRC/{*.zip,*.dict} $OUT
+
+MAVEN_ARGS="-P!java14+ -Dmaven.test.skip=true -Djavac.src.version=15 -Djavac.target.version=15"
+
+DEPENDENCIES="jackson-core jackson-databind jackson-annotations"
+for dependency in $DEPENDENCIES; do
+ cd $SRC/$dependency
+ mvn package $MAVEN_ARGS
+ current_version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+ -Dexpression=project.version -q -DforceStdout)
+ cp "target/$dependency-$current_version.jar" $OUT/$dependency.jar
+done
+
+ALL_JARS=$(echo $DEPENDENCIES | xargs printf -- "%s.jar ")
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API.
+BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ # Create an execution wrapper that executes Jazzer with the correct arguments.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
diff --git a/projects/jackson-core/project.yaml b/projects/jackson-core/project.yaml
new file mode 100644
index 000000000..90c85c585
--- /dev/null
+++ b/projects/jackson-core/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/FasterXML/jackson-core"
+language: jvm
+primary_contact: "tatu@fasterxml.com"
+auto_ccs:
+ - "meumertzheim@code-intelligence.com"
+fuzzing_engines:
+ - libfuzzer
+main_repo: "https://github.com/FasterXML/jackson-core"
+sanitizers:
+ - address
diff --git a/projects/jackson-dataformats-binary/CborFuzzer.java b/projects/jackson-dataformats-binary/CborFuzzer.java
new file mode 100644
index 000000000..e0f9a488c
--- /dev/null
+++ b/projects/jackson-dataformats-binary/CborFuzzer.java
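Review bot: `for fuzzer in $(find $SRC -name '*Fuzzer.java')` descends into the cloned jackson-core, jackson-databind and jackson-annotations trees under `$SRC`, yet the loop compiles each match in place and then runs `cp $SRC/$fuzzer_basename.class $OUT/`, so a `*Fuzzer.java` anywhere inside those repositories would make the copy fail or silently ship a stale class from `$SRC`. Limiting the search to the directory the fuzzer sources are copied into, `find $SRC -maxdepth 1 -name '*Fuzzer.java'`, matches the assumption the `cp` line already makes. The jackson-dataformats-binary build.sh (L84) has the same loop with four cloned repositories under `$SRC`.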
@@ -0,0 +1,29 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.cbor.databind.CBORMapper;
+import java.io.IOException;
+
+public class CborFuzzer {
+ public static void fuzzerTestOneInput(byte[] input) {
+ ObjectMapper mapper = new CBORMapper();
+ try {
+ mapper.readTree(input);
+ } catch (IOException ignored) {
+ }
+ }
+}
diff --git a/projects/jackson-dataformats-binary/Dockerfile b/projects/jackson-dataformats-binary/Dockerfile
new file mode 100644
index 000000000..0e4ea8213
--- /dev/null
+++ b/projects/jackson-dataformats-binary/Dockerfile
@@ -0,0 +1,29 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y maven
+
+ENV JACKSON_BRANCH=2.13
+
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-dataformats-binary
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-databind
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-core
+RUN git clone --depth 1 --branch=$JACKSON_BRANCH https://github.com/FasterXML/jackson-annotations
+
+COPY build.sh $SRC/
+COPY CborFuzzer.java SmileFuzzer.java $SRC/
+WORKDIR $SRC/
diff --git a/projects/jackson-dataformats-binary/SmileFuzzer.java b/projects/jackson-dataformats-binary/SmileFuzzer.java
new file mode 100644
index 000000000..1d179fefc
--- /dev/null
+++ b/projects/jackson-dataformats-binary/SmileFuzzer.java
@@ -0,0 +1,29 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.smile.databind.SmileMapper;
+import java.io.IOException;
+
+public class SmileFuzzer {
+ public static void fuzzerTestOneInput(byte[] input) {
+ ObjectMapper mapper = new SmileMapper();
+ try {
+ mapper.readTree(input);
+ } catch (IOException ignored) {
+ }
+ }
+}
diff --git a/projects/jackson-dataformats-binary/build.sh b/projects/jackson-dataformats-binary/build.sh
new file mode 100644
index 000000000..3c3c0afe6
--- /dev/null
+++ b/projects/jackson-dataformats-binary/build.sh
@@ -0,0 +1,66 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+MAVEN_ARGS="-P!java14+ -Dmaven.test.skip=true -Djavac.src.version=15 -Djavac.target.version=15"
+
+cd $SRC/jackson-dataformats-binary
+mvn package $MAVEN_ARGS
+CURRENT_VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+ -Dexpression=project.version -q -DforceStdout)
+DATAFORMAT_PREFIX=jackson-dataformat
+cp "cbor/target/$DATAFORMAT_PREFIX-cbor-$CURRENT_VERSION.jar" $OUT/$DATAFORMAT_PREFIX-cbor.jar
+cp "smile/target/$DATAFORMAT_PREFIX-smile-$CURRENT_VERSION.jar" $OUT/$DATAFORMAT_PREFIX-smile.jar
+
+PROJECT_JARS="$DATAFORMAT_PREFIX-cbor.jar $DATAFORMAT_PREFIX-smile.jar"
+
+DEPENDENCIES="jackson-core jackson-databind jackson-annotations"
+for dependency in $DEPENDENCIES; do
+ cd $SRC/$dependency
+ mvn package $MAVEN_ARGS
+ current_version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+ -Dexpression=project.version -q -DforceStdout)
+ cp "target/$dependency-$current_version.jar" $OUT/$dependency.jar
+done
+
+FUZZER_JARS=$(echo $DEPENDENCIES | xargs printf -- "%s.jar ")
+
+ALL_JARS="$PROJECT_JARS $FUZZER_JARS"
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API.
+BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ # Create an execution wrapper that executes Jazzer with the correct arguments.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
diff --git a/projects/jackson-dataformats-binary/project.yaml b/projects/jackson-dataformats-binary/project.yaml
new file mode 100644
index 000000000..c556ccea9
--- /dev/null
+++ b/projects/jackson-dataformats-binary/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/FasterXML/jackson-dataformats-binary"
+language: jvm
+primary_contact: "tatu@fasterxml.com"
+auto_ccs:
+ - "meumertzheim@code-intelligence.com"
+fuzzing_engines:
+ - libfuzzer
+main_repo: "https://github.com/FasterXML/jackson-dataformats-binary"
+sanitizers:
+ - address
diff --git a/projects/java-example/Dockerfile b/projects/java-example/Dockerfile
new file mode 100644
index 000000000..316e9a888
--- /dev/null
+++ b/projects/java-example/Dockerfile
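Review bot: `CURRENT_VERSION` near the top of the script (L83) and `current_version` inside the dependency loop hold the same kind of value under two naming conventions, so a reader may take the lower-case one for a differently scoped or differently sourced variable; either use one name for both or add a comment on the loop variable saying it is the per-dependency version, distinct from the dataformats version captured above. The `mvn package` of jackson-dataformats-binary on L83 builds every module of that multi-module project even though only the `cbor` and `smile` jars are copied to `$OUT`; if the module directories match the Maven module ids, which I have not checked against the pom, `mvn package $MAVEN_ARGS -pl cbor,smile -am` would confine the build to what is used.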
@@ -0,0 +1,24 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+
+COPY build.sh $SRC/
+
+COPY ExampleFuzzerNative.h ExampleFuzzerNative.cpp $SRC/
+COPY ExampleFuzzer.java ExampleValueProfileFuzzer.java ExampleFuzzerNative.java default.options $SRC/
+
+WORKDIR $SRC/
diff --git a/projects/java-example/ExampleFuzzer.java b/projects/java-example/ExampleFuzzer.java
new file mode 100644
index 000000000..4dde09adc
--- /dev/null
+++ b/projects/java-example/ExampleFuzzer.java
@@ -0,0 +1,33 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import java.security.SecureRandom;
+
+public class ExampleFuzzer {
+ public static void fuzzerInitialize() {
+ // Optional initialization to be run before the first call to fuzzerTestOneInput.
+ }
+
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ String input = data.consumeRemainingAsString();
+ long random = 123123132;
+ if (input.startsWith("magicstring" + random) && input.length() > 30
+ && input.charAt(25) == 'C') {
+ throw new IllegalStateException("Not reached");
+ }
+ }
+}
diff --git a/projects/java-example/ExampleFuzzerNative.cpp b/projects/java-example/ExampleFuzzerNative.cpp
new file mode 100644
index 000000000..7ae0de80d
--- /dev/null
+++ b/projects/java-example/ExampleFuzzerNative.cpp
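Review bot: `import java.security.SecureRandom;` is never used, and the local called `random` holds the fixed constant `123123132`, which contradicts its name; since the point of this example is a hard-coded value the fuzzer has to discover, `long magic = 123123132;` together with removing the import would read as intended. As this is an example other projects will copy, a comment above the `if` saying that the condition is deliberately hard to satisfy without coverage feedback, and that the exception is the expected "crash", would make the intent explicit.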
@@ -0,0 +1,38 @@ +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// + +#include "ExampleFuzzerNative.h" + +#include <string> + +// simple function containing a crash that requires coverage and string compare +// instrumentation for the fuzzer to find +void parseInternal(const std::string &input) { + if (input[0] == 'a' && input[1] == 'b' && input[5] == 'c') { + if (input.find("secret_in_native_library") != std::string::npos) { + // BOOM + *(char *)1 = 2; + } + } +} + +JNIEXPORT jboolean JNICALL Java_ExampleFuzzerNative_parse( + JNIEnv *env, jobject o, jstring bytes) { + const char *input(env->GetStringUTFChars(bytes, nullptr)); + parseInternal(input); + env->ReleaseStringUTFChars(bytes, input); + return false; +} diff --git a/projects/java-example/ExampleFuzzerNative.h b/projects/java-example/ExampleFuzzerNative.h new file mode 100644 index 000000000..7c9b8a5a3 --- /dev/null +++ b/projects/java-example/ExampleFuzzerNative.h 
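Review bot: `Java_ExampleFuzzerNative_parse` builds a `std::string` from the result of `GetStringUTFChars` without checking for `nullptr`, which JNI returns when the copy cannot be allocated; `if (input == nullptr) return false;` before the call keeps the only crash in this example the intentional one in `parseInternal`. `parseInternal` indexes `input[5]` with no length check, so a string shorter than six characters is undefined behaviour; the Java caller on L89 only passes strings longer than 10 characters, so a guard such as `if (input.size() < 6) return;` records that assumption where it matters. The Java declaration is `static native`, for which the second JNI argument is a `jclass`; the `jobject` here and in the generated header (L88) works at the ABI level but suggests the header predates the method being made static.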
@@ -0,0 +1,37 @@ +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// + +/* DO NOT EDIT THIS FILE - it is machine generated */ +#include <jni.h> +/* Header for class ExampleFuzzerNative */ + +#ifndef _Included_ExampleFuzzerNative +#define _Included_ExampleFuzzerNative +#ifdef __cplusplus +extern "C" { +#endif +/* + * Class: ExampleFuzzerNative + * Method: parse + * Signature: (Ljava/lang/String;)Z + */ +JNIEXPORT jboolean JNICALL +Java_ExampleFuzzerNative_parse(JNIEnv *, jobject, jstring); + +#ifdef __cplusplus +} +#endif +#endif diff --git a/projects/java-example/ExampleFuzzerNative.java b/projects/java-example/ExampleFuzzerNative.java new file mode 100644 index 000000000..daf75fa39 --- /dev/null +++ b/projects/java-example/ExampleFuzzerNative.java 
@@ -0,0 +1,34 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+public class ExampleFuzzerNative {
+ static {
+ System.loadLibrary("native");
+ }
+
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ int val = data.consumeInt();
+ String stringData = data.consumeRemainingAsString();
+ if (val == 17759716 && stringData.length() > 10 && stringData.contains("jazzer")) {
+ // call native function which contains a crash
+ parse(stringData);
+ }
+ }
+
+ private static native boolean parse(String bytes);
+}
diff --git a/projects/java-example/ExampleValueProfileFuzzer.java b/projects/java-example/ExampleValueProfileFuzzer.java
new file mode 100644
index 000000000..22b4ce510
--- /dev/null
+++ b/projects/java-example/ExampleValueProfileFuzzer.java
@@ -0,0 +1,52 @@ +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// + +import com.code_intelligence.jazzer.api.FuzzedDataProvider; +import java.util.Base64; + +public class ExampleValueProfileFuzzer { + private static String base64(byte[] input) { + return Base64.getEncoder().encodeToString(input); + } + + private static long insecureEncrypt(long input) { + long key = 0xefe4eb93215cb6b0L; + return input ^ key; + } + + public static void fuzzerTestOneInput(FuzzedDataProvider data) { + // Without -use_value_profile=1, the fuzzer gets stuck here as there is no direct correspondence + // between the input bytes and the compared string. With value profile, the fuzzer can guess the + // expected input byte by byte, which takes linear rather than exponential time. + if (base64(data.consumeBytes(6)).equals("SmF6emVy")) { + long[] plaintextBlocks = data.consumeLongs(2); + if (plaintextBlocks.length != 2) + return; + if (insecureEncrypt(plaintextBlocks[0]) == 0x9fc48ee64d3dc090L) { + // Without --fake_pcs (enabled by default with -use_value_profile=1), the fuzzer would get + // stuck here as the value profile information for long comparisons would not be able to + // distinguish between this comparison and the one above. 
+ if (insecureEncrypt(plaintextBlocks[1]) == 0x888a82ff483ad9c2L) { + mustNeverBeCalled(); + } + } + } + } + + private static void mustNeverBeCalled() { + throw new IllegalStateException("mustNeverBeCalled has been called"); + } +} diff --git a/projects/java-example/build.sh b/projects/java-example/build.sh new file mode 100755 index 000000000..63f4c95f9 --- /dev/null +++ b/projects/java-example/build.sh 
@@ -0,0 +1,52 @@
+#!/bin/bash -eu
+# Copyright 2021 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Build native library.
+JVM_INCLUDES="-I$JAVA_HOME/include -I$JAVA_HOME/include/linux"
+$CXX $CXXFLAGS $JVM_INCLUDES -fPIC -shared \
+ ExampleFuzzerNative.cpp -o $OUT/libnative.so
+
+BUILD_CLASSPATH=$JAZZER_API_PATH
+
+# All class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java' -or -name '*FuzzerNative.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ if [[ $fuzzer_basename == *FuzzerNative ]]; then
+ driver=jazzer_driver_asan
+ else
+ driver=jazzer_driver
+ fi
+
+ cp default.options $OUT/"$fuzzer_basename".options
+ # Create execution wrapper.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+ASAN_OPTIONS=\$ASAN_OPTIONS:symbolize=1:external_symbolizer_path=\$this_dir/llvm-symbolizer:detect_leaks=0 \
+\$this_dir/$driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
diff --git a/projects/java-example/default.options b/projects/java-example/default.options
new file mode 100644
index 000000000..59318037a
--- /dev/null
+++ b/projects/java-example/default.options
@@ -0,0 +1,3 @@
+[asan]
+handle_segv=1
+allow_user_segv_handler=1
diff --git a/projects/java-example/project.yaml b/projects/java-example/project.yaml
new file mode 100644
index 000000000..e71c40577
--- /dev/null
+++ b/projects/java-example/project.yaml
@@ -0,0 +1,8 @@
+homepage: "https://github.com/CodeIntelligenceTesting/jazzer"
+language: jvm
+primary_contact: "meumertzheim@code-intelligence.com"
+fuzzing_engines:
+ - libfuzzer
+main_repo: "https://github.com/CodeIntelligenceTesting/jazzer"
+sanitizers:
+ - address
diff --git a/projects/jbig2dec/jbig2_fuzzer.cc b/projects/jbig2dec/jbig2_fuzzer.cc
index b0a168939..4b94f2c7d 100644
--- a/projects/jbig2dec/jbig2_fuzzer.cc
+++ b/projects/jbig2dec/jbig2_fuzzer.cc
@@ -23,108 +23,104 @@ #include "jbig2.h" -#define ALIGNMENT 16 -#define MBYTE (1024 * 1024) +#define ALIGNMENT ((size_t) 16) +#define KBYTE ((size_t) 1024) +#define MBYTE (1024 * KBYTE) #define GBYTE (1024 * MBYTE) #define MAX_ALLOCATION (1 * GBYTE) -static uint64_t total = 0; -static uint64_t peak = 0; +static size_t used; -static void *jbig2_alloc(Jbig2Allocator *allocator, size_t size) +static void *jbig2_fuzzer_reached_limit(size_t oldsize, size_t size) { - void *ptr; + if (oldsize == 0) + fprintf(stderr, "limit: %zu Mbyte used: %zu Mbyte allocation: %zu: limit reached\n", MAX_ALLOCATION / MBYTE, used / MBYTE, size); + else + fprintf(stderr, "limit: %zu Mbyte used: %zu Mbyte reallocation: %zu -> %zu: limit reached\n", MAX_ALLOCATION / MBYTE, used / MBYTE, oldsize, size); + fflush(0); + return NULL; +} + +static void *jbig2_fuzzer_alloc(Jbig2Allocator *allocator, size_t size) +{ + char *ptr = NULL; if (size == 0) return NULL; - if (size > MAX_ALLOCATION - ALIGNMENT - total) + if (size > SIZE_MAX - ALIGNMENT) return NULL; + if (size + ALIGNMENT > MAX_ALLOCATION - used) + return jbig2_fuzzer_reached_limit(0, size + ALIGNMENT); - ptr = malloc(size + ALIGNMENT); + ptr = (char *) malloc(size + ALIGNMENT); if (ptr == NULL) return NULL; memcpy(ptr, &size, sizeof(size)); - total += size + ALIGNMENT; - - if (peak == 0 || total / MBYTE > peak / MBYTE) { - peak = total; - fprintf(stderr, "memory: limit: %u Mbyte peak usage: %u Mbyte\n", MAX_ALLOCATION, peak); - } + used += size + ALIGNMENT; - return (unsigned char *) ptr + ALIGNMENT; + return ptr + ALIGNMENT; } -static void jbig2_free(Jbig2Allocator *allocator, void *p) +static void jbig2_fuzzer_free(Jbig2Allocator *allocator, void *ptr) { - int size; + size_t size; - if (p == NULL) + if (ptr == NULL) + return; + if (ptr < (void *) ALIGNMENT) return; - memcpy(&size, (unsigned char *) p - ALIGNMENT, sizeof(size)); - total -= size + ALIGNMENT; - free((unsigned char *) p - ALIGNMENT); + ptr = (char *) ptr - ALIGNMENT; + 
memcpy(&size, ptr, sizeof(size)); + + used -= size + ALIGNMENT; + free(ptr); } -static void *jbig2_realloc(Jbig2Allocator *allocator, void *p, size_t size) +static void *jbig2_fuzzer_realloc(Jbig2Allocator *allocator, void *old, size_t size) { - unsigned char *oldp = p ? (unsigned char *) p - ALIGNMENT : NULL; + size_t oldsize; + char *ptr; - if (size > SIZE_MAX - ALIGNMENT) + if (old == NULL) + return jbig2_fuzzer_alloc(allocator, size); + if (old < (void *) ALIGNMENT) return NULL; - if (oldp == NULL) - { - if (size == 0) - return NULL; - if (size > MAX_ALLOCATION - ALIGNMENT - total) - return NULL; - - p = malloc(size + ALIGNMENT); - if (p == NULL) - return NULL; + if (size == 0) { + jbig2_fuzzer_free(allocator, old); + return NULL; } - else - { - int oldsize; - memcpy(&oldsize, oldp, sizeof(oldsize)); - - if (size == 0) - { - total -= oldsize + ALIGNMENT; - free(oldp); - return NULL; - } - - if (size > MAX_ALLOCATION - total + oldsize) - return NULL; + if (size > SIZE_MAX - ALIGNMENT) + return NULL; - p = realloc(oldp, size + ALIGNMENT); - if (p == NULL) - return NULL; + old = (char *) old - ALIGNMENT; + memcpy(&oldsize, old, sizeof(oldsize)); - total -= oldsize + ALIGNMENT; - } + if (size + ALIGNMENT > MAX_ALLOCATION - used + oldsize + ALIGNMENT) + return jbig2_fuzzer_reached_limit(oldsize + ALIGNMENT, size + ALIGNMENT); - memcpy(p, &size, sizeof(size)); - total += size + ALIGNMENT; + ptr = (char *) realloc(old, size + ALIGNMENT); + if (ptr == NULL) + return NULL; - if (peak == 0 || total / MBYTE > peak / MBYTE) { - peak = total; - fprintf(stderr, "memory: limit: %u Mbyte peak usage: %u Mbyte\n", MAX_ALLOCATION, peak); - } + used -= oldsize + ALIGNMENT; + memcpy(ptr, &size, sizeof(size)); + used += size + ALIGNMENT; - return (unsigned char *) p + ALIGNMENT; + return ptr + ALIGNMENT; } extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { Jbig2Allocator allocator; Jbig2Ctx *ctx = NULL; - allocator.alloc = jbig2_alloc; - allocator.free = 
jbig2_free; - allocator.realloc = jbig2_realloc; + used = 0; + + allocator.alloc = jbig2_fuzzer_alloc; + allocator.free = jbig2_fuzzer_free; + allocator.realloc = jbig2_fuzzer_realloc; ctx = jbig2_ctx_new(&allocator, (Jbig2Options) 0, NULL, NULL, NULL); if (jbig2_data_in(ctx, data, size) == 0) @@ -144,7 +140,5 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { } jbig2_ctx_free(ctx); - fprintf(stderr, "memory: limit: %u Mbyte peak usage: %u Mbyte\n", MAX_ALLOCATION, peak); - return 0; } diff --git a/projects/json-sanitizer/DenylistFuzzer.java b/projects/json-sanitizer/DenylistFuzzer.java new file mode 100644 index 000000000..4e73cfcb7 --- /dev/null +++ b/projects/json-sanitizer/DenylistFuzzer.java 
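Review bot: The guards `ptr < (void *) ALIGNMENT` in `jbig2_fuzzer_free` and `old < (void *) ALIGNMENT` in `jbig2_fuzzer_realloc` compare a pointer against an integer cast to a pointer, which C++ leaves unspecified and compilers commonly warn about; `(uintptr_t) ptr < ALIGNMENT` states the intent, an address too small to carry the size header, portably and needs only `<stdint.h>`, which the `SIZE_MAX` use in the same hunk suggests is already available. The block layout is not explained anywhere, so a comment above `jbig2_fuzzer_alloc` such as `// Every block is prefixed by ALIGNMENT bytes holding its requested size_t size, so free/realloc can keep the running total in `used` exact.` would help the next reader. `jbig2_fuzzer_reached_limit` prints `size` and `oldsize` in bytes beside figures already divided by `MBYTE`, so the message mixes units; either divide those too or label them as bytes in the format string.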
@@ -0,0 +1,49 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium;
+import com.google.json.JsonSanitizer;
+
+public class DenylistFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ String input = data.consumeRemainingAsString();
+ String output;
+ try {
+ output = JsonSanitizer.sanitize(input, 10);
+ } catch (ArrayIndexOutOfBoundsException e) {
+ // ArrayIndexOutOfBoundsException is expected if nesting depth is
+ // exceeded.
+ return;
+ }
+
+ // Check for forbidden substrings. As these would enable Cross-Site
+ // Scripting, treat every finding as a high severity vulnerability.
+ assert !output.contains("</script")
+ : new FuzzerSecurityIssueHigh("Output contains </script");
+ assert !output.contains("]]>")
+ : new FuzzerSecurityIssueHigh("Output contains ]]>");
+
+ // Check for more forbidden substrings. As these would not directly enable
+ // Cross-Site Scripting in general, but may impact script execution on the
+ // embedding page, treat each finding as a medium severity vulnerability.
+ assert !output.contains("<script")
+ : new FuzzerSecurityIssueMedium("Output contains <script");
+ assert !output.contains("<!--")
+ : new FuzzerSecurityIssueMedium("Output contains <!--");
+ }
+}
diff --git a/projects/json-sanitizer/Dockerfile b/projects/json-sanitizer/Dockerfile
new file mode 100644
index 000000000..f36a13622
--- /dev/null
+++ b/projects/json-sanitizer/Dockerfile
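Review bot: The four `output.contains(...)` assertions are case-sensitive, but HTML tag names are not, so an output containing `</SCRIPT` or `<Script` would pass every check here yet still close or open a script block when the JSON is embedded in a page. Match against a lower-cased copy, e.g. `String lower = output.toLowerCase(Locale.ROOT);` and then `lower.contains("</script")` / `lower.contains("<script")`, keeping the `]]>` and `<!--` checks as they are (they contain no letters); `java.util.Locale` needs importing. If JsonSanitizer is correct the assertions never fire either way, but the oracle should not be weaker than the attack it models.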
@@ -0,0 +1,39 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN apt-get update && apt-get install -y maven
+
+RUN git clone --depth 1 https://github.com/google/fuzzing
+RUN cat fuzzing/dictionaries/json.dict \
+ fuzzing/dictionaries/html.dict \
+ fuzzing/dictionaries/xml.dict \
+ > $SRC/DenylistFuzzer.dict
+RUN cp fuzzing/dictionaries/json.dict $SRC/IdempotenceFuzzer.dict
+RUN cp fuzzing/dictionaries/json.dict $SRC/ValidJsonFuzzer.dict
+
+RUN git clone --depth 1 https://github.com/dvyukov/go-fuzz-corpus && \
+ zip -q $SRC/DenylistFuzzer_seed_corpus.zip go-fuzz-corpus/json/corpus/* && \
+ zip -q $SRC/IdempotenceFuzzer_seed_corpus.zip go-fuzz-corpus/json/corpus/* && \
+ zip -q $SRC/ValidJsonFuzzer_seed_corpus.zip go-fuzz-corpus/json/corpus/*
+
+RUN git clone --depth 1 https://github.com/OWASP/json-sanitizer
+COPY build.sh $SRC/
+
+COPY DenylistFuzzer.java IdempotenceFuzzer.java ValidJsonFuzzer.java $SRC/
+
+WORKDIR $SRC/json-sanitizer
diff --git a/projects/json-sanitizer/IdempotenceFuzzer.java b/projects/json-sanitizer/IdempotenceFuzzer.java
new file mode 100644
index 000000000..a42c91af9
--- /dev/null
+++ b/projects/json-sanitizer/IdempotenceFuzzer.java
@@ -0,0 +1,38 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+import com.google.json.JsonSanitizer;
+
+public class IdempotenceFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ String input = data.consumeRemainingAsString();
+ String output;
+ try {
+ output = JsonSanitizer.sanitize(input, 10);
+ } catch (ArrayIndexOutOfBoundsException e) {
+ // ArrayIndexOutOfBoundsException is expected if nesting depth is
+ // exceeded.
+ return;
+ }
+
+ // Ensure that sanitizing twice does not give different output
+ // (idempotence). Since failure to be idempotent is not a security issue in
+ // itself, fail with a regular AssertionError.
+ assert JsonSanitizer.sanitize(output).equals(output) : "Not idempotent";
+ }
+}
diff --git a/projects/json-sanitizer/ValidJsonFuzzer.java b/projects/json-sanitizer/ValidJsonFuzzer.java
new file mode 100644
index 000000000..c8fbe0386
--- /dev/null
+++ b/projects/json-sanitizer/ValidJsonFuzzer.java
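Review bot: The idempotence assertion re-sanitizes with the single-argument `JsonSanitizer.sanitize(output)`, while the first pass used `sanitize(input, 10)`, so what is actually tested is that the default-depth sanitizer leaves depth-10 output unchanged, not that one function is a fixed point of itself. Use the same overload on both sides, `assert JsonSanitizer.sanitize(output, 10).equals(output) : "Not idempotent";`. If the second call can also raise `ArrayIndexOutOfBoundsException` (I cannot tell from the library) it belongs inside the same try/catch so an expected depth rejection is not reported as a finding.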
@@ -0,0 +1,47 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow;
+
+import com.google.gson.Gson;
+import com.google.gson.JsonElement;
+import com.google.json.JsonSanitizer;
+
+public class ValidJsonFuzzer {
+ private static Gson gson = new Gson();
+
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ String input = data.consumeRemainingAsString();
+ String output;
+ try {
+ output = JsonSanitizer.sanitize(input, 10);
+ } catch (ArrayIndexOutOfBoundsException e) {
+ // ArrayIndexOutOfBoundsException is expected if nesting depth is
+ // exceeded.
+ return;
+ }
+
+ // Check that the output is valid JSON. Invalid JSON may crash other parts
+ // of the application that trust the output of the sanitizer.
+ try {
+ Gson gson = new Gson();
+ gson.fromJson(output, JsonElement.class);
+ } catch (Exception e) {
+ throw new FuzzerSecurityIssueLow("Output is invalid JSON", e);
+ }
+ }
+}
diff --git a/projects/json-sanitizer/build.sh b/projects/json-sanitizer/build.sh
new file mode 100755
index 000000000..64df5e5c5
--- /dev/null
+++ b/projects/json-sanitizer/build.sh
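Review bot: The local `Gson gson = new Gson();` inside the try block shadows the `private static Gson gson` field declared at the top of the class, so the static instance is dead and a new parser is constructed for every input; drop the local declaration and call `gson.fromJson(output, JsonElement.class)` on the field. `catch (Exception e)` is also broader than the oracle needs: any runtime exception Gson throws is reported as "invalid JSON" at low severity, which could mask an unrelated bug, so `catch (JsonParseException e)` (the parent of Gson's syntax and IO exceptions) is the narrower choice. As far as I recall, `Gson.fromJson` parses leniently (unquoted names, single-quoted strings are accepted), so this check is weaker than strict RFC 8259 validity; a `JsonReader` with `setLenient(false)` would tighten it — worth confirming against the gson 2.8.6 pinned in build.sh.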
@@ -0,0 +1,60 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Move seed corpus and dictionary.
+mv $SRC/{*.zip,*.dict} $OUT
+
+# Build the json-sanitizer jar.
+CURRENT_VERSION=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+-Dexpression=project.version -q -DforceStdout)
+mvn package
+cp "target/json-sanitizer-$CURRENT_VERSION.jar" $OUT/json-sanitizer.jar
+
+# The jar files containing the project (separated by spaces).
+PROJECT_JARS=json-sanitizer.jar
+
+# Get the fuzzer dependencies (gson).
+mvn dependency:copy -Dartifact=com.google.code.gson:gson:2.8.6 -DoutputDirectory=$OUT/
+
+# The jar files containing further dependencies of the fuzz targets (separated
+# by spaces).
+FUZZER_JARS=gson-2.8.6.jar
+
+# Build fuzzers in $OUT.
+ALL_JARS="$PROJECT_JARS $FUZZER_JARS"
+BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All jars and class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):.:\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ # Create execution wrapper.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
diff --git a/projects/json-sanitizer/project.yaml b/projects/json-sanitizer/project.yaml
new file mode 100644
index 000000000..028335f91
--- /dev/null
+++ b/projects/json-sanitizer/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/OWASP/json-sanitizer"
+language: jvm
+primary_contact: "mikesamuel@gmail.com"
+auto_ccs:
+ - "meumertzheim@code-intelligence.com"
+fuzzing_engines:
+ - libfuzzer
+main_repo: "https://github.com/OWASP/json-sanitizer"
+sanitizers:
+ - address
diff --git a/projects/json5format/Dockerfile b/projects/json5format/Dockerfile
new file mode 100644
index 000000000..c0117a59e
--- /dev/null
+++ b/projects/json5format/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+FROM gcr.io/oss-fuzz-base/base-builder
+
+RUN git clone --depth 1 https://github.com/google/json5format
+WORKDIR $SRC
+
+COPY build.sh $SRC/
diff --git a/projects/json5format/build.sh b/projects/json5format/build.sh
new file mode 100755
index 000000000..c722bdb01
--- /dev/null
+++ b/projects/json5format/build.sh
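Review bot: `find $SRC -name '*Fuzzer.java'` recurses into the cloned `json-sanitizer`, `fuzzing` and `go-fuzz-corpus` checkouts, so any upstream file matching that pattern would be compiled as a fuzzer and then break `cp $SRC/$fuzzer_basename.class $OUT/`, which assumes the source sat directly in `$SRC`; `find $SRC -maxdepth 1 -name '*Fuzzer.java'` limits it to the three files the Dockerfile COPYs. In the generated wrapper the trailing `\$@` is unquoted, so an argument containing whitespace (a corpus path, a `-dict=` value) is word-split before it reaches jazzer_driver; write it as `\"\$@\"`. The `-Dartifact=...gson:2.8.6` pin and `FUZZER_JARS=gson-2.8.6.jar` have to be bumped together — a comment saying so next to `FUZZER_JARS` would prevent a silent classpath mismatch later.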
@@ -0,0 +1,20 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC/json5format
+cargo fuzz build -O
+cp ./fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_parse $OUT/fuzz_parse
diff --git a/projects/json5format/project.yaml b/projects/json5format/project.yaml
new file mode 100644
index 000000000..e73905ebe
--- /dev/null
+++ b/projects/json5format/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://crates.io/crates/json5format"
+main_repo: "https://github.com/google/json5format"
+primary_contact: "richkadel@google.com"
+sanitizers:
+ - address
+fuzzing_engines:
+ - libfuzzer
+language: rust
+auto_ccs:
+ - "david@adalogics.com"
diff --git a/projects/jsonparser/Dockerfile b/projects/jsonparser/Dockerfile
index 17f6cd199..a5d91faf6 100644
--- a/projects/jsonparser/Dockerfile
+++ b/projects/jsonparser/Dockerfile
@@ -15,7 +15,7 @@
 ################################################################################
 FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/buger/jsonparser
+RUN git clone --depth 1 https://github.com/buger/jsonparser
 COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/jsonparser
diff --git a/projects/jsonparser/build.sh b/projects/jsonparser/build.sh
index fda6e8d97..3b576e11f 100755
--- a/projects/jsonparser/build.sh
+++ b/projects/jsonparser/build.sh
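Review bot: `cargo fuzz build -O` builds in release mode with debug assertions and integer-overflow checks switched off, so an arithmetic overflow in the json5 parser wraps silently and the fuzzer never sees it; `cargo fuzz build -O --debug-assertions` (short form `-a`) keeps those checks while staying optimised. The `cp` source path hard-codes `x86_64-unknown-linux-gnu/release`, which matches the oss-fuzz builder today but fails in a non-obvious way if the target triple changes; a one-line comment naming that assumption would make it explicit.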
@@ -15,4 +15,4 @@
 #
 ################################################################################
-$GOPATH/src/github.com/buger/jsonparser/oss-fuzz-build.sh
+./oss-fuzz-build.sh
diff --git a/projects/jsonschema/Dockerfile b/projects/jsonschema/Dockerfile
new file mode 100644
index 000000000..ffec717b1
--- /dev/null
+++ b/projects/jsonschema/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN pip3 install hypothesis
+
+RUN git clone --depth=1 https://github.com/Julian/jsonschema
+WORKDIR $SRC/jsonschema
+
+COPY build.sh $SRC/
diff --git a/projects/jsonschema/build.sh b/projects/jsonschema/build.sh
new file mode 100644
index 000000000..71d4ad600
--- /dev/null
+++ b/projects/jsonschema/build.sh
@@ -0,0 +1,34 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+pip3 install .
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+ fuzzer_basename=$(basename -s .py $fuzzer)
+ fuzzer_package=${fuzzer_basename}.pkg
+ pyinstaller --distpath $OUT --onefile --name $fuzzer_package $fuzzer
+
+ # Create execution wrapper.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_PRELOAD=\$this_dir/sanitizer_with_fuzzer.so \
+ASAN_OPTIONS=\$ASAN_OPTIONS:symbolize=1:external_symbolizer_path=\$this_dir/llvm-symbolizer:detect_leaks=0 \
+\$this_dir/$fuzzer_package \$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
diff --git a/projects/jsonschema/project.yaml b/projects/jsonschema/project.yaml
new file mode 100644
index 000000000..d7ac42bc4
--- /dev/null
+++ b/projects/jsonschema/project.yaml
@@ -0,0 +1,11 @@
+homepage: "https://github.com/Julian/jsonschema"
+language: python
+primary_contact: "Julian+Security@GrayVines.com"
+auto_ccs:
+ - "david@adalogics.com"
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+ - undefined
+main_repo: 'https://github.com/Julian/jsonschema'
diff --git a/projects/kamailio/Dockerfile b/projects/kamailio/Dockerfile
new file mode 100755
index 000000000..5b67deea8
--- /dev/null
+++ b/projects/kamailio/Dockerfile
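Review bot: The generated wrapper ends with an unquoted `\$@`, so any argument containing whitespace is word-split before it reaches the PyInstaller binary; write it as `\"\$@\"`. `find $SRC -name 'fuzz_*.py'` walks all of `$SRC`, which presumably is how the targets inside the jsonschema checkout are found, but it would also turn any helper module named `fuzz_*.py` into a fuzzer; if the targets live in one directory, pointing `find` at that directory avoids building a non-target by accident. PyInstaller bundles only statically importable modules, so if a target reaches `hypothesis` (installed in the Dockerfile) through anything dynamic a `--hidden-import hypothesis` is needed — I cannot see the targets from here.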
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y bison flex
+RUN git clone https://github.com/kamailio/kamailio
+
+WORKDIR $SRC
+COPY build.sh $SRC/
diff --git a/projects/kamailio/build.sh b/projects/kamailio/build.sh
new file mode 100755
index 000000000..2b7c3735b
--- /dev/null
+++ b/projects/kamailio/build.sh
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC/kamailio
+
+export CC_OPT="${CFLAGS}"
+export LD_EXTRA_OPTS="${CFLAGS}"
+
+sed -i 's/int main(/int main2(/g' ./src/main.c
+
+make || true
+cd src
+mkdir objects && find . -name "*.o" -exec cp {} ./objects/ \;
+ar -r libkamilio.a ./objects/*.o
+cd ../
+$CC $CFLAGS $LIB_FUZZING_ENGINE ./misc/fuzz/fuzz_uri.c -o $OUT/fuzz_uri \
+ -DFAST_LOCK -D__CPU_i386 ./src/libkamilio.a \
+ -I./src/ -I./src/core/parser -ldl -lresolv -lm
diff --git a/projects/kamailio/project.yaml b/projects/kamailio/project.yaml
new file mode 100755
index 000000000..46020a0c6
--- /dev/null
+++ b/projects/kamailio/project.yaml
@@ -0,0 +1,7 @@
+homepage: "www.kamailio.org"
+main_repo: "https://github.com/kamailio/kamailio"
+primary_contact: "ossfuzz@kamailio.org"
+language: c
+auto_ccs:
+ - "miconda@gmail.com"
+ - "david@adalogics.com"
diff --git a/projects/kimageformats/Dockerfile b/projects/kimageformats/Dockerfile
index e3e04567c..4acc31c91 100644
--- a/projects/kimageformats/Dockerfile
+++ b/projects/kimageformats/Dockerfile
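Review bot: `make || true` hides a failed kamailio build: whatever objects happen to exist are swept into `libkamilio.a`, and the link either fails later with a confusing undefined-symbol error or, worse, succeeds against a partial library that no longer matches the headers the fuzzer is compiled against. Build just the targets the fuzzer needs, or let the failure surface and fix its cause; at minimum verify that the objects the link depends on exist before the `ar` step. `find . -name "*.o" -exec cp {} ./objects/ \;` also flattens the tree, so two objects with the same basename in different directories overwrite each other silently — linking the object list directly, or comparing the number found with the number copied, would catch that. `-D__CPU_i386` on an x86_64 builder looks inconsistent with however the library itself was configured; the fast-lock inline assembly that macro selects should be the same on both sides, so worth confirming.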
@@ -22,8 +22,10 @@ RUN git clone --depth 1 https://invent.kde.org/frameworks/extra-cmake-modules.gi RUN git clone --depth 1 --branch=5.15 git://code.qt.io/qt/qtbase.git RUN git clone --depth 1 https://invent.kde.org/frameworks/karchive.git RUN git clone --depth 1 https://invent.kde.org/frameworks/kimageformats.git -RUN git clone --depth 1 -b v2.0.1 https://aomedia.googlesource.com/aom -RUN git clone --depth 1 -b v0.8.4 https://github.com/AOMediaCodec/libavif.git +RUN git clone --depth 1 -b v2.0.2 https://aomedia.googlesource.com/aom +RUN git clone --depth 1 -b v0.9.0 https://github.com/AOMediaCodec/libavif.git +RUN git clone --depth 1 https://github.com/strukturag/libde265.git +RUN git clone --depth 1 https://github.com/strukturag/libheif.git COPY build.sh $SRC COPY kimgio_fuzzer.cc $SRC WORKDIR kimageformats diff --git a/projects/kimageformats/build.sh b/projects/kimageformats/build.sh index 3cec92133..0ffa60bbb 100644 --- a/projects/kimageformats/build.sh +++ b/projects/kimageformats/build.sh @@ -56,6 +56,7 @@ cd build.libavif extra_libaom_flags='-DAOM_MAX_ALLOCABLE_MEMORY=536870912 -DDO_RANGE_CHECK_CLAMP=1' cmake -DBUILD_SHARED_LIBS=0 -DENABLE_DOCS=0 -DENABLE_EXAMPLES=0 -DENABLE_TESTDATA=0 -DENABLE_TESTS=0 -DENABLE_TOOLS=0 -DCONFIG_PIC=1 -DAOM_TARGET_CPU=generic -DCONFIG_SIZE_LIMIT=1 -DDECODE_HEIGHT_LIMIT=12288 -DDECODE_WIDTH_LIMIT=12288 -DAOM_EXTRA_C_FLAGS="${extra_libaom_flags}" -DAOM_EXTRA_CXX_FLAGS="${extra_libaom_flags}" .. make -j$(nproc) +make install -j$(nproc) cd $SRC ln -s "$SRC/aom" "$SRC/libavif/ext/" 
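Review bot: libde265 and libheif are cloned from their default branches with no tag, while aom and libavif on the lines directly above were just re-pinned to `v2.0.2` and `v0.9.0`; a breaking change in either new dependency (libheif's CMake options, or the `heif_limits.h` constants that build.sh patches with `sed`) will take the fuzzer down without any change in this repo. Pinning both to a release tag as the two lines above do keeps the build reproducible; if tracking HEAD is intentional to get coverage of unreleased code, a comment saying so would help the next person who has to bisect a build break.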
@@ -66,9 +67,27 @@ CFLAGS="$CFLAGS -fPIC" cmake -DBUILD_SHARED_LIBS=OFF -DAVIF_ENABLE_WERROR=OFF -D make -j$(nproc) cd $SRC +cd libde265 +cmake -DBUILD_SHARED_LIBS=OFF -DDISABLE_SSE=ON . +make -j$(nproc) +make install -j$(nproc) + +cd $SRC +cd libheif +#Reduce max width and height to avoid allocating too much memory +sed -i "s/static const int MAX_IMAGE_WIDTH = 32768;/static const int MAX_IMAGE_WIDTH = 8192;/g" libheif/heif_limits.h +sed -i "s/static const int MAX_IMAGE_HEIGHT = 32768;/static const int MAX_IMAGE_HEIGHT = 8192;/g" libheif/heif_limits.h +mkdir build +cd build +cmake -DBUILD_SHARED_LIBS=OFF -DWITH_AOM=ON -DWITH_DAV1D=OFF -DWITH_EXAMPLES=OFF -DWITH_LIBDE265=ON -DWITH_RAV1E=OFF -DWITH_X265=OFF .. +make -j$(nproc) +make install -j$(nproc) + +cd $SRC cd kimageformats HANDLER_TYPES="ANIHandler ani QAVIFHandler avif + HEIFHandler heif KraHandler kra OraHandler ora PCXHandler pcx 
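Review bot: The two `sed -i` edits that lower `MAX_IMAGE_WIDTH`/`MAX_IMAGE_HEIGHT` in `libheif/heif_limits.h` match nothing and succeed silently if upstream renames the constants or changes the value from 32768 — the fuzzer would then run with the original limit and the excessive allocations the comment is trying to avoid would come back as OOM noise. Guard each edit, e.g. `grep -q 'MAX_IMAGE_WIDTH = 32768;' libheif/heif_limits.h` before the `sed` (if the script runs under `-e`, as oss-fuzz build scripts normally do, a miss then fails the build), or pass the limits through a CMake definition if libheif exposes one. Because libheif is cloned unpinned in the Dockerfile this is a drift risk rather than a hypothetical.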
@@ -84,7 +103,7 @@ echo "$HANDLER_TYPES" | while read class format; do fuzz_target_name=kimgio_${format}_fuzzer $SRC/qtbase/bin/moc $SRC/kimageformats/src/imageformats/$format.cpp -o $format.moc - $CXX $CXXFLAGS -fPIC -DHANDLER=$class -std=c++14 $SRC/kimgio_fuzzer.cc $SRC/kimageformats/src/imageformats/$format.cpp -o $OUT/$fuzz_target_name -I $SRC/qtbase/include/QtCore/ -I $SRC/qtbase/include/ -I $SRC/qtbase/include//QtGui -I $SRC/kimageformats/src/imageformats/ -I $SRC/karchive/src/ -I $SRC/qtbase/mkspecs/linux-clang-libc++/ -I $SRC/libavif/include/ -I . -L $SRC/qtbase/lib $SRC/libavif/build/libavif.a $SRC/aom/build.libavif/libaom.a -lQt5Gui -lQt5Core -lqtlibpng -lqtharfbuzz -lm -lqtpcre2 -ldl -lpthread $LIB_FUZZING_ENGINE /usr/local/lib/libzip.a /usr/local/lib/libz.a -lKF5Archive /usr/local/lib/libz.a + $CXX $CXXFLAGS -fPIC -DHANDLER=$class -std=c++14 $SRC/kimgio_fuzzer.cc $SRC/kimageformats/src/imageformats/$format.cpp -o $OUT/$fuzz_target_name -I $SRC/qtbase/include/QtCore/ -I $SRC/qtbase/include/ -I $SRC/qtbase/include//QtGui -I $SRC/kimageformats/src/imageformats/ -I $SRC/karchive/src/ -I $SRC/qtbase/mkspecs/linux-clang-libc++/ -I $SRC/libavif/include/ -I . -L $SRC/qtbase/lib $SRC/libavif/build/libavif.a /usr/local/lib/libheif.a /usr/local/lib/liblibde265.a $SRC/aom/build.libavif/libaom.a -lQt5Gui -lQt5Core -lqtlibpng -lqtharfbuzz -lm -lqtpcre2 -ldl -lpthread $LIB_FUZZING_ENGINE /usr/local/lib/libzip.a /usr/local/lib/libz.a -lKF5Archive /usr/local/lib/libz.a find . -name "*.${format}" | zip -q $OUT/${fuzz_target_name}_seed_corpus.zip -@ ) diff --git a/projects/kimageformats/kimgio_fuzzer.cc b/projects/kimageformats/kimgio_fuzzer.cc index c37bb2216..5fe9cc6b5 100644 --- a/projects/kimageformats/kimgio_fuzzer.cc +++ b/projects/kimageformats/kimgio_fuzzer.cc 
@@ -20,7 +20,7 @@ Usage: python infra/helper.py build_image kimageformats python infra/helper.py build_fuzzers --sanitizer undefined|address|memory kimageformats - python infra/helper.py run_fuzzer kimageformats kimgio_[ani|avif|kra|ora|pcx|pic|psd|ras|rgb|tga|xcf]_fuzzer + python infra/helper.py run_fuzzer kimageformats kimgio_[ani|avif|heif|kra|ora|pcx|pic|psd|ras|rgb|tga|xcf]_fuzzer */ @@ -30,6 +30,7 @@ #include "ani_p.h" #include "avif_p.h" +#include "heif_p.h" #include "kra.h" #include "ora.h" #include "pcx_p.h" diff --git a/projects/kubernetes/Dockerfile b/projects/kubernetes/Dockerfile index 697bf0255..e4ebed882 100644 --- a/projects/kubernetes/Dockerfile +++ b/projects/kubernetes/Dockerfile @@ -20,7 +20,7 @@ RUN go get github.com/ianlancetaylor/demangle RUN git clone --depth 1 https://github.com/kubernetes/kubernetes.git RUN git clone --depth 1 https://github.com/google/AFL RUN git clone --depth 1 https://github.com/dvyukov/go-fuzz-corpus -RUN go get k8s.io/kops +RUN git clone --depth 1 https://github.com/kubernetes/kops WORKDIR $SRC/ COPY build.sh $SRC/ diff --git a/projects/kubernetes/build.sh b/projects/kubernetes/build.sh index 38ae4406e..d3d756f4e 100755 --- a/projects/kubernetes/build.sh +++ b/projects/kubernetes/build.sh @@ -21,11 +21,13 @@ set -o errexit set -x # Compile kOps fuzzers -$GOPATH/src/k8s.io/kops/tests/fuzz/build.sh - +( +cd kops +./tests/fuzz/build.sh +) # Compile Kubernetes fuzzers -mv $SRC/kubernetes $GOPATH/src/k8s.io/ +cd $SRC/kubernetes function compile_fuzzer { local pkg=$1 diff --git a/projects/libavif/avif_decode_seed_corpus.zip b/projects/libavif/avif_decode_seed_corpus.zip Binary files differindex eb04c208a..90c67bb18 100644 --- a/projects/libavif/avif_decode_seed_corpus.zip +++ b/projects/libavif/avif_decode_seed_corpus.zip diff --git a/projects/libavif/build.sh b/projects/libavif/build.sh index a981fa250..130709fb9 100755 --- a/projects/libavif/build.sh +++ b/projects/libavif/build.sh 
@@ -15,12 +15,6 @@ # ################################################################################ -# afl++ CMPLOG test: -test "$FUZZING_ENGINE" = "afl" && { - export AFL_LLVM_CMPLOG=1 - touch $OUT/afl_cmplog.txt -} - # build dav1d cd ext && bash dav1d.cmd && cd .. diff --git a/projects/libcacard/build.sh b/projects/libcacard/build.sh index 9c0c974de..719502e90 100755 --- a/projects/libcacard/build.sh +++ b/projects/libcacard/build.sh @@ -15,12 +15,6 @@ # ################################################################################ -# afl++ CMPLOG test: -test "$FUZZING_ENGINE" = "afl" && { - export AFL_LLVM_CMPLOG=1 - touch $OUT/afl_cmplog.txt -} - # Workaround for fixing AFL++ build, discarded for others. # See https://github.com/google/oss-fuzz/issues/4280#issuecomment-773977943 export AFL_LLVM_INSTRUMENT=CLASSIC,NGRAM-4 diff --git a/projects/libfido2/Dockerfile b/projects/libfido2/Dockerfile index b288499e1..e7d8a6a61 100644 --- a/projects/libfido2/Dockerfile +++ b/projects/libfido2/Dockerfile @@ -17,10 +17,11 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y make autoconf automake libtool RUN apt-get install -y cmake libudev-dev pkg-config chrpath -RUN git clone --branch v0.7.0 https://github.com/PJK/libcbor +RUN git clone --branch v0.8.0 https://github.com/PJK/libcbor RUN git clone --branch OpenSSL_1_1_1-stable https://github.com/openssl/openssl +RUN git clone --branch v1.2.11 https://github.com/madler/zlib RUN git clone https://github.com/Yubico/libfido2 # CIFuzz will replace the libfido directory so put the corpus outside -ADD https://ambientworks.net/libfido2/corpus.tgz corpus.tgz +ADD https://storage.googleapis.com/yubico-libfido2/corpus.tgz corpus.tgz WORKDIR libfido2 COPY build.sh $SRC/ diff --git a/projects/libfido2/build.sh b/projects/libfido2/build.sh index 8e0793220..6c680e242 100755 --- a/projects/libfido2/build.sh +++ b/projects/libfido2/build.sh 
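Review bot: `ADD https://storage.googleapis.com/yubico-libfido2/corpus.tgz corpus.tgz` fetches an unpinned tarball with no checksum, and build.sh later unpacks it with `tar xzf` and `cd`s into the resulting directories; the content only seeds the fuzzers, so the exposure is limited to the build, but whoever controls that bucket can change what the build does without a reviewable diff here. Pinning a digest (`ADD --checksum=sha256:...` where the builder's BuildKit supports it, or a `sha256sum -c` line in build.sh before the `tar`) makes the build reproducible. The libcbor and zlib clones are pinned to release tags, which is the right pattern.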
@@ -20,7 +20,8 @@ cd ${SRC}/libcbor patch -l -p0 < ${SRC}/libfido2/fuzz/README mkdir build && cd build -cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=${WORK} -DSANITIZE=OFF .. +cmake -DBUILD_SHARED_LIBS=ON -DCMAKE_BUILD_TYPE=Debug \ + -DCMAKE_INSTALL_PREFIX=${WORK} -DSANITIZE=OFF .. make -j$(nproc) VERBOSE=1 make install @@ -36,6 +37,12 @@ fi make -j$(nproc) LDCMD="${CXX} ${CXXFLAGS}" make install_sw +# Build zlib, taken from oss-fuzz/projects/zlib.sh +cd ${SRC}/zlib +./configure --prefix=${WORK} +make -j$(nproc) all +make install + # Building libfido2 with ${LIB_FUZZING_ENGINE} and chosen sanitizer cd ${SRC}/libfido2 mkdir build && cd build @@ -62,8 +69,11 @@ done # Prepare seed corpora tar xzf ${SRC}/corpus.tgz -(set -e ; cd fuzz_assert/corpus ; zip -r ${OUT}/fuzz_assert_seed_corpus.zip .) -(set -e ; cd fuzz_bio/corpus ; zip -r ${OUT}/fuzz_bio_seed_corpus.zip .) -(set -e ; cd fuzz_cred/corpus ; zip -r ${OUT}/fuzz_cred_seed_corpus.zip .) -(set -e ; cd fuzz_credman/corpus ; zip -r ${OUT}/fuzz_credman_seed_corpus.zip .) -(set -e ; cd fuzz_mgmt/corpus ; zip -r ${OUT}/fuzz_mgmt_seed_corpus.zip .) +(set -e ; cd fuzz_assert/corpus ; zip -r ${OUT}/fuzz_assert_seed_corpus.zip .) +(set -e ; cd fuzz_bio/corpus ; zip -r ${OUT}/fuzz_bio_seed_corpus.zip .) +(set -e ; cd fuzz_cred/corpus ; zip -r ${OUT}/fuzz_cred_seed_corpus.zip .) +(set -e ; cd fuzz_credman/corpus ; zip -r ${OUT}/fuzz_credman_seed_corpus.zip .) +(set -e ; cd fuzz_hid/corpus ; zip -r ${OUT}/fuzz_hid_seed_corpus.zip .) +(set -e ; cd fuzz_largeblob/corpus ; zip -r ${OUT}/fuzz_largeblob_seed_corpus.zip .) +(set -e ; cd fuzz_mgmt/corpus ; zip -r ${OUT}/fuzz_mgmt_seed_corpus.zip .) +(set -e ; cd fuzz_netlink/corpus ; zip -r ${OUT}/fuzz_netlink_seed_corpus.zip .) diff --git a/projects/libiec61850/Dockerfile b/projects/libiec61850/Dockerfile new file mode 100755 index 000000000..17b63d358 --- /dev/null +++ b/projects/libiec61850/Dockerfile 
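Review bot: `-DBUILD_SHARED_LIBS=ON` switches libcbor from a static to a shared build installed under `${WORK}`, so every fuzz target now needs `libcbor.so*` at run time, and `${WORK}` does not exist on the runner; unless a step outside this hunk copies the library into `${OUT}` and rewrites the rpath (the Dockerfile installs `chrpath`, which suggests it does), the binaries would fail to load. A comment next to this line naming that dependency, e.g. `# shared libcbor: copied into $OUT and rpath-fixed below`, would save the next reader the search. The enclosing script continues outside the hunk.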
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone https://github.com/mz-automation/libiec61850
+
+WORKDIR $SRC
+COPY build.sh $SRC/
+COPY fuzz_decode.options $SRC/fuzz_decode.options
diff --git a/projects/libiec61850/build.sh b/projects/libiec61850/build.sh
new file mode 100755
index 000000000..848797320
--- /dev/null
+++ b/projects/libiec61850/build.sh
@@ -0,0 +1,28 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd libiec61850
+mkdir build && cd build
+cmake ../
+make
+
+$CC $CFLAGS $LIB_FUZZING_ENGINE ../fuzz/fuzz_mms_decode.c -o $OUT/fuzz_mms_decode ./src/libiec61850.a \
+ -I../src/iec61850/inc -I../src/mms/inc -I../src/common/inc \
+ -I../hal/inc -I../src/logging ./hal/libhal.a
+
+# Copy over the options file
+cp $SRC/fuzz_decode.options $OUT/fuzz_decode.options
diff --git a/projects/libiec61850/fuzz_decode.options b/projects/libiec61850/fuzz_decode.options
new file mode 100644
index 000000000..f9d09656c
--- /dev/null
+++ b/projects/libiec61850/fuzz_decode.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+detect_leaks=0
diff --git a/projects/libiec61850/project.yaml b/projects/libiec61850/project.yaml
new file mode 100755
index 000000000..fe265beb8
--- /dev/null
+++ b/projects/libiec61850/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://github.com/mz-automation/libiec61850"
+primary_contact: "support@mz-automation.de"
+auto_ccs:
+ - "david@adalogics.com"
+language: c
+main_repo: 'https://github.com/mz-automation/libiec61850'
diff --git a/projects/libjpeg-turbo/Dockerfile b/projects/libjpeg-turbo/Dockerfile
index 329be457d..40c8f49f6 100644
--- a/projects/libjpeg-turbo/Dockerfile
+++ b/projects/libjpeg-turbo/Dockerfile
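Review bot: The options file is copied to `$OUT/fuzz_decode.options`, but the only fuzzer built is `$OUT/fuzz_mms_decode`; options files are matched to a target by name (`<fuzzer>.options`), so `detect_leaks=0` will never apply to fuzz_mms_decode and every leak will be reported as a crash. Change the last line to `cp $SRC/fuzz_decode.options $OUT/fuzz_mms_decode.options` (or rename the file in the Dockerfile so the names agree). `cmake ../` relies on `CC`/`CFLAGS` from the environment to instrument the library, which works in the oss-fuzz image; passing `-DCMAKE_C_FLAGS="$CFLAGS"` explicitly would make that dependency visible and survive a cache re-run.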
@@ -15,7 +15,7 @@
 ################################################################################
 FROM gcr.io/oss-fuzz-base/base-builder
-RUN apt-get update && apt-get install -y make autoconf automake libtool nasm curl cmake
+RUN apt-get update && apt-get install -y make autoconf automake libtool yasm curl cmake
 RUN git clone --depth 1 https://github.com/libjpeg-turbo/libjpeg-turbo
 RUN mkdir afl-testcases
diff --git a/projects/liblouis/Dockerfile b/projects/liblouis/Dockerfile
new file mode 100644
index 000000000..40a17c099
--- /dev/null
+++ b/projects/liblouis/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make autoconf automake libtool \
+ pkg-config zlib1g-dev pciutils-dev libpci-dev
+RUN git clone --depth 1 https://github.com/liblouis/liblouis
+WORKDIR liblouis
+COPY build.sh $SRC/
diff --git a/projects/liblouis/build.sh b/projects/liblouis/build.sh
new file mode 100755
index 000000000..fda807cd0
--- /dev/null
+++ b/projects/liblouis/build.sh
@@ -0,0 +1,18 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+$SRC/liblouis/tests/fuzzing/build.sh
diff --git a/projects/liblouis/project.yaml b/projects/liblouis/project.yaml
new file mode 100644
index 000000000..e7aa041bb
--- /dev/null
+++ b/projects/liblouis/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/liblouis/liblouis"
+main_repo: "https://github.com/liblouis/liblouis"
+language: c
+primary_contact: "christian.egli@sbs.ch"
+auto_ccs:
+ - "Adam@adalogics.com"
+sanitizers:
+ - address
+ - undefined
+ - memory
diff --git a/projects/libphonenumber/project.yaml b/projects/libphonenumber/project.yaml
index 765732421..4ab9602ca 100644
--- a/projects/libphonenumber/project.yaml
+++ b/projects/libphonenumber/project.yaml
@@ -3,9 +3,6 @@ primary_contact: "penmetsaa@google.com"
 language: c++
 auto_ccs:
 - "david@adalogics.com"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
 sanitizers:
 - address
 main_repo: 'https://github.com/google/libphonenumber'
diff --git a/projects/libredwg/Dockerfile b/projects/libredwg/Dockerfile
new file mode 100755
index 000000000..93695c368
--- /dev/null
+++ b/projects/libredwg/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y autoconf libtool texinfo
+RUN git clone https://github.com/LibreDWG/libredwg
+
+WORKDIR $SRC
+COPY build.sh $SRC/
+COPY llvmfuzz.options $SRC/
diff --git a/projects/libredwg/build.sh b/projects/libredwg/build.sh
new file mode 100755
index 000000000..7737e4d6b
--- /dev/null
+++ b/projects/libredwg/build.sh
@@ -0,0 +1,27 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd libredwg
+sh ./autogen.sh
+# enable-release to skip unstable preR13. bindings are not fuzzed.
+./configure --disable-shared --disable-bindings --enable-release
+make
+
+$CC $CFLAGS $LIB_FUZZING_ENGINE examples/llvmfuzz.c -o $OUT/llvmfuzz \
+ src/.libs/libredwg.a -I./include -I./src
+
+cp $SRC/llvmfuzz.options $OUT/llvmfuzz.options
diff --git a/projects/libredwg/llvmfuzz.options b/projects/libredwg/llvmfuzz.options
new file mode 100644
index 000000000..f9d09656c
--- /dev/null
+++ b/projects/libredwg/llvmfuzz.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+detect_leaks=0
diff --git a/projects/libredwg/project.yaml b/projects/libredwg/project.yaml
new file mode 100755
index 000000000..a9e5d4477
--- /dev/null
+++ b/projects/libredwg/project.yaml
@@ -0,0 +1,9 @@
+homepage: "https://github.com/LibreDWG/libredwg"
+primary_contact: "reini.urban@gmail.com"
+language: c
+auto_ccs :
+ - "david@adalogics.com"
+fuzzing_engines:
+ - libfuzzer
+ - honggfuzz
+main_repo: 'https://github.com/LibreDWG/libredwg'
diff --git a/projects/libreoffice/project.yaml b/projects/libreoffice/project.yaml
index fdbb462d2..bcf9a4fe6 100644
--- a/projects/libreoffice/project.yaml
+++ b/projects/libreoffice/project.yaml
@@ -4,4 +4,6 @@ primary_contact: "caolanm@redhat.com"
 auto_ccs:
 - "officesecurity@lists.freedesktop.org"
 - "damjan.jov@gmail.com"
+ - "noelgrandin@gmail.com"
 - "sbergman@redhat.com"
+main_repo: 'https://git.libreoffice.org/core'
diff --git a/projects/libsodium/fake_random.h b/projects/libsodium/fake_random.h
index 36d8d89ba..9519b0ce2 100644
--- a/projects/libsodium/fake_random.h
+++ b/projects/libsodium/fake_random.h
@@ -1,3 +1,17 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 #ifndef FAKE_RANDOM_H_
 #define FAKE_RANDOM_H_
@@ -43,7 +57,7 @@ setup_fake_random(const unsigned char * seed, const size_t seed_size) {
 int fake_random_set = randombytes_set_implementation(&fake_random);
 assert(fake_random_set == 0);
-assert(randombytes_implementation_name() == "fake_random");
+assert(strcmp(randombytes_implementation_name(), "fake_random") == 0);
 int initialized = sodium_init();
 assert(initialized >= 0);
 }
diff --git a/projects/libsodium/project.yaml b/projects/libsodium/project.yaml
index dcbfdcc80..40b137461 100644
--- a/projects/libsodium/project.yaml
+++ b/projects/libsodium/project.yaml
@@ -1,6 +1,6 @@
 homepage: "https://libsodium.org"
 language: c++
-primary_contact: "ossfuzzz+sodium@gmail.com"
+primary_contact: "ossfuzzz@gmail.com"
 auto_ccs:
 - "chriswwolfe@gmail.com"
 architectures:
diff --git a/projects/libsodium/secret_key_auth_fuzzer.cc b/projects/libsodium/secret_key_auth_fuzzer.cc
index 32bb5fe83..ce46781f4 100644
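Review bot: The replacement of the pointer comparison with `strcmp(randombytes_implementation_name(), "fake_random") == 0` in setup_fake_random is the right fix, but neither hunk of fake_random.h adds `#include <string.h>`; unless the header already includes it higher up, or gets it transitively through sodium.h (which should not be relied on), the file now depends on an include it does not declare. Add `#include <string.h>` alongside the header's other includes. The body of setup_fake_random starts before this hunk, so its remaining statements are not visible here.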
--- a/projects/libsodium/secret_key_auth_fuzzer.cc +++ b/projects/libsodium/secret_key_auth_fuzzer.cc @@ -1,4 +1,19 @@ +// Copyright 2018 Google Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + #include <assert.h> +#include <stdlib.h> #include <sodium.h> #include "fake_random.h" @@ -16,6 +31,8 @@ extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { crypto_auth_keygen(key); crypto_auth(mac, data, size, key); - crypto_auth_verify(mac, data, size, key); + int err = crypto_auth_verify(mac, data, size, key); + assert(err == 0); + return 0; } diff --git a/projects/libsodium/secretbox_easy_fuzzer.cc b/projects/libsodium/secretbox_easy_fuzzer.cc index 4e25bcc7a..a37c88b6b 100644 --- a/projects/libsodium/secretbox_easy_fuzzer.cc +++ b/projects/libsodium/secretbox_easy_fuzzer.cc 
@@ -1,4 +1,19 @@
+// Copyright 2018 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 #include <assert.h>
+#include <stdlib.h>
 #include <sodium.h>
 #include "fake_random.h"
@@ -17,12 +32,16 @@ extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) {
 randombytes_buf(nonce, sizeof nonce);
 size_t ciphertext_len = crypto_secretbox_MACBYTES + size;
-unsigned char ciphertext[ciphertext_len];
+unsigned char *ciphertext = (unsigned char *) malloc(ciphertext_len);
 crypto_secretbox_easy(ciphertext, data, size, nonce, key);
-unsigned char decrypted[size];
-crypto_secretbox_open_easy(decrypted, ciphertext, ciphertext_len, nonce, key);
+unsigned char *decrypted = (unsigned char *) malloc(size);
+int err = crypto_secretbox_open_easy(decrypted, ciphertext, ciphertext_len, nonce, key);
+assert(err == 0);
+
+free((void *) ciphertext);
+free((void *) decrypted);
 return 0;
 }
diff --git a/projects/libucl/Dockerfile b/projects/libucl/Dockerfile
index 0babaa2c5..7824ad6bd 100644
--- a/projects/libucl/Dockerfile
+++ b/projects/libucl/Dockerfile
@@ -1,4 +1,4 @@
-# Copyright 2020 Google Inc.
+# Copyright 2021 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -21,3 +21,4 @@ RUN git clone https://github.com/vstakhov/libucl
 WORKDIR $SRC
 COPY build.sh $SRC/
+COPY ucl_add_string_fuzzer.options $SRC/ucl_add_string_fuzzer.options
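Review bot: Neither `malloc` result in the second hunk of secretbox_easy_fuzzer.cc is checked before use: `ciphertext` is handed to crypto_secretbox_easy and `decrypted` to crypto_secretbox_open_easy even when allocation failed, and `malloc(size)` with a zero-length input may legitimately return NULL, so an allocation failure or an empty input turns into a NULL-dereference report that has nothing to do with libsodium. Guard each allocation before it is used, e.g. `if (ciphertext == NULL) return 0;` after the first and `if (decrypted == NULL) { free(ciphertext); return 0; }` after the second. The `(void *)` casts on the `free` calls are unnecessary in C++ and can be dropped. LLVMFuzzerTestOneInput begins before this hunk (the key and nonce setup is outside the visible lines).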
diff --git a/projects/libucl/build.sh b/projects/libucl/build.sh
index d5cce4187..e5589dd48 100644
--- a/projects/libucl/build.sh
+++ b/projects/libucl/build.sh
@@ -1,4 +1,4 @@
-# Copyright 2020 Google Inc.
+# Copyright 2021 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,10 +14,12 @@
 #
 ################################################################################
-export ASAN_OPTIONS=detect_leaks=0
+cp $SRC/ucl_add_string_fuzzer.options $OUT/
 cd libucl
 ./autogen.sh && ./configure
 make
-$CC tests/fuzzers/ucl_add_string_fuzzer.c -DHAVE_CONFIG_H -I./src -I./include src/.libs/libucl.a -I./ $CFLAGS $LIB_FUZZING_ENGINE -o $OUT/ucl_add_string_fuzzer
+$CC $CFLAGS $LIB_FUZZING_ENGINE tests/fuzzers/ucl_add_string_fuzzer.c \
+ -DHAVE_CONFIG_H -I./src -I./include src/.libs/libucl.a -I./ \
+ -o $OUT/ucl_add_string_fuzzer
diff --git a/projects/libucl/project.yaml b/projects/libucl/project.yaml
index 14bead564..8a5dd2024 100644
--- a/projects/libucl/project.yaml
+++ b/projects/libucl/project.yaml
@@ -3,7 +3,4 @@ primary_contact: "vsevolod@highsecure.ru"
 auto_ccs:
 - "adam@adalogics.com"
 language: c
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
 main_repo: 'https://github.com/vstakhov/libucl'
diff --git a/projects/libucl/ucl_add_string_fuzzer.options b/projects/libucl/ucl_add_string_fuzzer.options
new file mode 100644
index 000000000..f9d09656c
--- /dev/null
+++ b/projects/libucl/ucl_add_string_fuzzer.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+detect_leaks=0
diff --git a/projects/libvips/Dockerfile b/projects/libvips/Dockerfile
index 258e222a4..e792dff45 100644
--- a/projects/libvips/Dockerfile
+++ b/projects/libvips/Dockerfile
@@ -25,6 +25,7 @@ RUN apt-get update && apt-get install -y \
 libfftw3-dev \
 libexpat1-dev \
 libffi-dev \
+ libselinux1-dev \
 glib2.0-dev
 RUN mkdir afl-testcases
 RUN curl https://lcamtuf.coredump.cx/afl/demo/afl_testcases.tgz | tar xzC afl-testcases
diff --git a/projects/libvips/build.sh b/projects/libvips/build.sh
index e170f3714..21505d6ed 100755
--- a/projects/libvips/build.sh
+++ b/projects/libvips/build.sh
@@ -169,6 +169,7 @@ for fuzzer in fuzz/*_fuzzer.cc; do
 $LIB_FUZZING_ENGINE \
 -Wl,-Bstatic \
 -lfftw3 -lgmodule-2.0 -lgio-2.0 -lgobject-2.0 -lffi -lglib-2.0 -lpcre -lexpat \
+ -lresolv -lsepol -lselinux \
 -Wl,-Bdynamic -pthread
 ln -sf "seed_corpus.zip" "$OUT/${target}_seed_corpus.zip"
 done
diff --git a/projects/libxml2/build.sh b/projects/libxml2/build.sh
index 7485bc27d..4240ba7f9 100755
--- a/projects/libxml2/build.sh
+++ b/projects/libxml2/build.sh
@@ -16,12 +16,6 @@
 #
 ################################################################################
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
 if [ "$SANITIZER" = undefined ]; then
 export CFLAGS="$CFLAGS -fsanitize=unsigned-integer-overflow -fno-sanitize-recover=unsigned-integer-overflow"
 export CXXFLAGS="$CXXFLAGS -fsanitize=unsigned-integer-overflow -fno-sanitize-recover=unsigned-integer-overflow"
diff --git a/projects/libyal/Dockerfile b/projects/libyal/Dockerfile
index 9338fdcd9..c255806e9 100644
--- a/projects/libyal/Dockerfile
+++ b/projects/libyal/Dockerfile
@@ -36,6 +36,7 @@ RUN git clone --depth 1 https://github.com/libyal/libmdmp.git libmdmp
 RUN git clone --depth 1 https://github.com/libyal/libmsiecf.git libmsiecf
 RUN git clone --depth 1 https://github.com/libyal/libnk2.git libnk2
 RUN git clone --depth 1 https://github.com/libyal/libolecf.git libolecf
+RUN git clone --depth 1 https://github.com/libyal/libpff.git libpff
 RUN git clone --depth 1 https://github.com/libyal/libregf.git libregf
 RUN git clone --depth 1 https://github.com/libyal/libscca.git libscca
@@ -52,8 +53,9 @@ RUN git clone --depth 1 https://github.com/libyal/libvslvm.git libvslvm
 RUN git clone --depth 1 https://github.com/libyal/libvsmbr.git libvsmbr
 RUN git clone --depth 1 https://github.com/libyal/libewf.git libewf
-RUN git clone --depth 1 https://github.com/libyal/libsmraw.git libsmraw
+RUN git clone --depth 1 https://github.com/libyal/libmodi.git libmodi
 RUN git clone --depth 1 https://github.com/libyal/libqcow.git libqcow
+RUN git clone --depth 1 https://github.com/libyal/libsmraw.git libsmraw
 RUN git clone --depth 1 https://github.com/libyal/libvhdi.git libvhdi
 RUN git clone --depth 1 https://github.com/libyal/libvmdk.git libvmdk
diff --git a/projects/libyang/Dockerfile b/projects/libyang/Dockerfile
new file mode 100755
index 000000000..c1c5f75c1
--- /dev/null
+++ b/projects/libyang/Dockerfile
@@ -0,0 +1,29 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y autoconf automake libtool subversion
+RUN git clone https://github.com/CESNET/libyang
+
+RUN svn co svn://vcs.exim.org/pcre2/code/trunk pcre2 && \
+ cd pcre2 && \
+ ./autogen.sh && \
+ ./configure && \
+ make && \
+ make install
+
+WORKDIR $SRC
+COPY build.sh $SRC/
diff --git a/projects/libyang/build.sh b/projects/libyang/build.sh
new file mode 100755
index 000000000..cb5857dd8
--- /dev/null
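Review bot: The PCRE2 dependency in the new libyang Dockerfile is fetched with `svn co svn://vcs.exim.org/pcre2/code/trunk pcre2`, i.e. an unpinned trunk over the unauthenticated, unencrypted svn:// protocol, and the result is then `make install`ed into the builder image; anything that alters that checkout in transit or upstream silently changes the library libyang is linked and fuzzed against, and the build is not reproducible from one day to the next. Prefer an https source pinned to a release tag (or a release tarball checked against a known digest), and consider pinning the libyang clone as well, since the build.sh in this commit checks out a moving branch. The hunk is the complete file, so no other fetch step is hidden outside it.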
+++ b/projects/libyang/build.sh
@@ -0,0 +1,31 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd libyang
+git checkout libyang2
+
+sed -i 's/add_subdirectory/#add_subdirectory/g' ./tools/CMakeLists.txt
+mkdir build && cd build
+cmake ../ -DENABLE_STATIC=ON
+make
+
+static_pcre=($(find /src/pcre2 -name "libpcre2-8.a"))
+
+for fuzzer in lyd_parse_mem_json lyd_parse_mem_xml lys_parse_mem; do
+ $CC $CFLAGS $LIB_FUZZING_ENGINE ../tests/fuzz/${fuzzer}.c -o $OUT/${fuzzer} \
+ ./libyang.a -I../src -I./src -I./compat ${static_pcre}
+done
diff --git a/projects/libyang/project.yaml b/projects/libyang/project.yaml
new file mode 100755
index 000000000..aac772c7b
--- /dev/null
+++ b/projects/libyang/project.yaml
@@ -0,0 +1,12 @@
+homepage: "https://github.com/CESNET/libyang"
+main_repo: 'https://github.com/CESNET/libyang'
+primary_contact: "mvasko@cesnet.cz"
+language: c
+auto_ccs:
+ - "mv6606@gmail.com"
+ - "david@adalogics.com"
+ - "warband.times@gmail.com"
+ - "juraj.vijtiuk@sartura.hr"
+sanitizers:
+ - address
+ - memory
diff --git a/projects/libzmq/project.yaml b/projects/libzmq/project.yaml
index b6e29cfcc..a7b946567 100644
--- a/projects/libzmq/project.yaml
+++ b/projects/libzmq/project.yaml
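Review bot: `static_pcre=($(find /src/pcre2 -name "libpcre2-8.a"))` hard-codes `/src` where the rest of the script (and the Dockerfile) use `$SRC`, and when `find` matches nothing the array is empty, so the link line runs without the pcre2 archive and fails with an unrelated undefined-symbol error — or, under the script's `-u`, may abort on the empty-array expansion depending on the bash version. Resolve the path under `$SRC` and fail early with a clear message, e.g. `static_pcre=$(find "$SRC/pcre2" -name libpcre2-8.a | head -n 1)` followed by `test -n "$static_pcre" || { echo "libpcre2-8.a not found"; exit 1; }`. The `sed` that comments out every `add_subdirectory` in tools/CMakeLists.txt would also deserve a one-line comment saying why the tools are skipped, since it is not obvious from the command.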
@@ -5,13 +5,6 @@ auto_ccs:
 - "luca.boccassi@gmail.com"
 - "somdoron@gmail.com"
 - "simon.giesecke@gmail.com"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
-sanitizers:
- - address
- - memory
- - undefined
 architectures:
 - x86_64
 - i386
diff --git a/projects/lighttpd/Dockerfile b/projects/lighttpd/Dockerfile
new file mode 100755
index 000000000..e27d80404
--- /dev/null
+++ b/projects/lighttpd/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y libz-dev libtool pkg-config autoconf
+RUN git clone https://github.com/lighttpd/lighttpd1.4
+
+WORKDIR $SRC/lighttpd1.4
+COPY build.sh $SRC/
+COPY fuzz_* $SRC/
diff --git a/projects/lighttpd/build.sh b/projects/lighttpd/build.sh
new file mode 100755
index 000000000..5cd286a7b
--- /dev/null
+++ b/projects/lighttpd/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+./autogen.sh
+./configure --without-pcre --enable-static
+make
+cd src
+$CC $CFLAGS -c $SRC/fuzz_burl.c -I. -I../include
+$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_burl.o burl.o buffer.o base64.o -o $OUT/fuzz_burl
diff --git a/projects/lighttpd/fuzz_burl.c b/projects/lighttpd/fuzz_burl.c
new file mode 100644
index 000000000..5ba1e1c02
--- /dev/null
+++ b/projects/lighttpd/fuzz_burl.c
@@ -0,0 +1,56 @@
+/* Copyright 2021 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "burl.h"
+#include "buffer.h"
+
+void run_burl_normalize (buffer *psrc, buffer *ptmp,
+ int flags, int line, const char *in,
+ size_t in_len) {
+ int qs;
+ buffer_copy_string_len(psrc, in, in_len);
+ qs = burl_normalize(psrc, ptmp, flags);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ if (size <= 4) {
+ return 0;
+ }
+ int flags = ((int*)data)[0];
+ data += 4;
+ size -= 4;
+ char *new_str = (char *)malloc(size+1);
+ if (new_str == NULL){
+ return 0;
+ }
+ memcpy(new_str, data, size);
+ new_str[size] = '\0';
+
+ /* main fuzzer entrypoint for library */
+ buffer *psrc = buffer_init();
+ buffer *ptmp = buffer_init();
+ run_burl_normalize(psrc, ptmp, flags, __LINE__, new_str, size);
+ buffer_urldecode_path(psrc);
+
+ buffer_free(psrc);
+ buffer_free(ptmp);
+ free(new_str);
+ return 0;
+}
diff --git a/projects/lighttpd/project.yaml b/projects/lighttpd/project.yaml
new file mode 100755
index 000000000..9a4b44246
--- /dev/null
+++ b/projects/lighttpd/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://www.lighttpd.net/"
+primary_contact: "lighttpd.fuzz@gmail.com"
+language: c
+auto_ccs :
+ - "david@adalogics.com"
+main_repo: "https://github.com/lighttpd/lighttpd1.4"
diff --git a/projects/loki/Dockerfile b/projects/loki/Dockerfile
index d7ed8f851..2340618ec 100644
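Review bot: `int flags = ((int*)data)[0];` in LLVMFuzzerTestOneInput reads a 4-byte int through the `uint8_t*` input buffer, which is neither guaranteed to be suitably aligned nor allowed under strict aliasing; the UBSan configuration OSS-Fuzz typically builds with includes an alignment check, so this line can produce reports that have nothing to do with burl. Replace it with `int flags; memcpy(&flags, data, sizeof flags);` and use `sizeof flags` for the two adjustments that currently subtract the literal 4. In run_burl_normalize, `qs` is assigned but never read and `line` is never used, which will warn under -Wall; drop them or cast to `(void)`. The NUL-terminated copy into `new_str` is also unnecessary since `buffer_copy_string_len` takes an explicit length, so the fuzzer could pass `data` and `size` directly.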
--- a/projects/loki/Dockerfile
+++ b/projects/loki/Dockerfile
@@ -15,6 +15,6 @@
 ################################################################################
 FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/grafana/loki/pkg/logql/...
+RUN git clone --depth 1 https://github.com/grafana/loki/
 COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/loki
diff --git a/projects/loki/project.yaml b/projects/loki/project.yaml
index 69cf3d9e9..5b7528628 100644
--- a/projects/loki/project.yaml
+++ b/projects/loki/project.yaml
@@ -4,6 +4,7 @@ auto_ccs :
 - "adam@adalogics.com"
 - "edward.welch@grafana.com"
 - "michel.hollands@grafana.com"
+ - "loki@grafana.com"
 language: go
 fuzzing_engines:
 - libfuzzer
diff --git a/projects/lotus/Dockerfile b/projects/lotus/Dockerfile
index 1a4b2df6a..08dccff6a 100644
--- a/projects/lotus/Dockerfile
+++ b/projects/lotus/Dockerfile
@@ -17,7 +17,7 @@
 FROM gcr.io/oss-fuzz-base/base-builder
 RUN apt-get update && apt-get install -y mesa-opencl-icd ocl-icd-opencl-dev gcc \
 git bzr jq pkg-config curl clang build-essential hwloc libhwloc-dev
-RUN git clone --depth 1 https://github.com/filecoin-project/lotus $GOPATH/src/github.com/filecoin-project/lotus
-RUN git clone --depth 1 https://github.com/filecoin-project/fuzzing-lotus $GOPATH/src/github.com/filecoin-project/fuzzing-lotus
+RUN git clone --depth 1 https://github.com/filecoin-project/lotus
+RUN git clone --depth 1 https://github.com/filecoin-project/fuzzing-lotus
 COPY build.sh $SRC/
-WORKDIR $GOPATH/src/github.com/filecoin-project/lotus
+WORKDIR $SRC/lotus
diff --git a/projects/lotus/build.sh b/projects/lotus/build.sh
index 2d4cf9e6c..64603099b 100644
--- a/projects/lotus/build.sh
+++ b/projects/lotus/build.sh
@@ -17,8 +17,31 @@
 make
-compile_go_fuzzer github.com/filecoin-project/lotus/chain/types FuzzMessage fuzz_message gofuzz
+# Not all fuzzers can be compiled with --sanitizer=coverage.
+# The specific issue is that gofuzz.NewFromGofuzz is not supported when compiling with coverage.
+# The current status of the coverage build is that we do not break it for the fuzzers that cannot be compiled.
+#The reason that we don't break the build script is to create coverage reports for the fuzzers that compile.
+if [[ $SANITIZER = *coverage* ]]; then
+ compile_go_fuzzer github.com/filecoin-project/lotus/chain/types FuzzMessage fuzz_message gofuzz
+ mkdir fuzzing
+ cp ../fuzzing-lotus/fuzz/fuzz.go fuzzing/
+ compile_go_fuzzer github.com/filecoin-project/lotus/fuzzing FuzzBlockMsg fuzz_block_msg || true
+ compile_go_fuzzer github.com/filecoin-project/lotus/fuzzing FuzzBlockMsgStructural fuzz_block_msg_structural || true
+ compile_go_fuzzer github.com/filecoin-project/lotus/fuzzing FuzzBlockHeader fuzz_block_header || true
+ compile_go_fuzzer github.com/filecoin-project/lotus/fuzzing FuzzNodesForHeight fuzz_nodes_for_height || true
+ exit 0
+fi
+
+compile_go_fuzzer ./chain/types FuzzMessage fuzz_message gofuzz
+
+
+# Fuzzers from fuzzing-lotus
+cd ../fuzzing-lotus/fuzz
+rm -Rf libfuzzer
+go mod init github.com/filecoin-project/fuzzing-lotus/fuzz
+
 compile_go_fuzzer github.com/filecoin-project/fuzzing-lotus/fuzz FuzzBlockMsg fuzz_block_msg
 compile_go_fuzzer github.com/filecoin-project/fuzzing-lotus/fuzz FuzzBlockMsgStructural fuzz_block_msg_structural
 compile_go_fuzzer github.com/filecoin-project/fuzzing-lotus/fuzz FuzzBlockHeader fuzz_block_header
 compile_go_fuzzer github.com/filecoin-project/fuzzing-lotus/fuzz FuzzNodesForHeight fuzz_nodes_for_height
+exit 0
diff --git a/projects/lua/project.yaml b/projects/lua/project.yaml
index 36fc31a5d..9a4b0dd3a 100644
--- a/projects/lua/project.yaml
+++ b/projects/lua/project.yaml
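Review bot: The four `|| true` lines in the coverage branch discard the exit status of compile_go_fuzzer, so a fuzzer that stops compiling for any reason — not only the gofuzz.NewFromGofuzz limitation the comment describes — silently drops out of the coverage report with nothing in the build log. Replacing each `|| true` with something like `|| echo "skipping fuzz_block_msg: not supported on coverage builds"` keeps the build green while making the skip visible, and `mkdir -p fuzzing` would let the branch rerun in an existing tree. The fourth comment line is missing the space after `#` that its siblings have (`# The reason ...`).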
@@ -2,6 +2,6 @@ homepage: "https://github.com/lua/lua"
 language: c
 primary_contact: "roberto@inf.puc-rio.br"
 auto_ccs:
- - "fuzz@llua.org"
+ - "fuzz@lua.org"
 - "david@adalogics.com"
 main_repo: 'https://github.com/lua/lua'
diff --git a/projects/lxc/Dockerfile b/projects/lxc/Dockerfile
new file mode 100644
index 000000000..375c22485
--- /dev/null
+++ b/projects/lxc/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && \
+ apt-get install -y pkgconf make libtool automake autoconf
+RUN git clone --depth 1 https://github.com/lxc/lxc
+WORKDIR lxc
+COPY build.sh $SRC/
diff --git a/projects/lxc/build.sh b/projects/lxc/build.sh
new file mode 100755
index 000000000..1f18a7ec0
--- /dev/null
+++ b/projects/lxc/build.sh
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+src/tests/oss-fuzz.sh
diff --git a/projects/lxc/project.yaml b/projects/lxc/project.yaml
new file mode 100644
index 000000000..f19d3563a
--- /dev/null
+++ b/projects/lxc/project.yaml
@@ -0,0 +1,12 @@
+homepage: "https://github.com/lxc/lxc"
+language: c
+primary_contact: "christian@brauner.io"
+builds_per_day: 4
+sanitizers:
+ - address
+ - undefined
+ - memory
+auto_ccs:
+ - stgraber@stgraber.org
+ - evverx@gmail.com
+main_repo: "https://github.com/lxc/lxc"
diff --git a/projects/md4c/Dockerfile b/projects/md4c/Dockerfile
new file mode 100755
index 000000000..65ebbff18
--- /dev/null
+++ b/projects/md4c/Dockerfile
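Review bot: The shebang of the new lxc build.sh is `#!/bin/bash -e` while every other build.sh added in this commit uses `#!/bin/bash -eu`; if leaving out `-u` is deliberate because the delegated `src/tests/oss-fuzz.sh` references unset variables, a one-line comment saying so would stop the next person from "fixing" it. The relative `src/tests/oss-fuzz.sh` also depends on the Dockerfile's `WORKDIR lxc`; `$SRC/lxc/src/tests/oss-fuzz.sh` would make the script self-contained, matching how the liblouis and miniz scripts in this commit call their in-tree helpers.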
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make cmake
+RUN git clone https://github.com/mity/md4c
+
+WORKDIR $SRC/md4c
+COPY build.sh $SRC/
diff --git a/projects/md4c/build.sh b/projects/md4c/build.sh
new file mode 100755
index 000000000..51d8a805a
--- /dev/null
+++ b/projects/md4c/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+mkdir build && cd build
+cmake ../ -DBUILD_SHARED_LIBS=OFF
+make
+$CC $CFLAGS $LIB_FUZZING_ENGINE ../test/fuzzers/fuzz-mdhtml.c -o $OUT/fuzz-mdhtml \
+ -I../src ./src/libmd4c-html.a ./src/libmd4c.a
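Review bot: The final link `$CC $CFLAGS $LIB_FUZZING_ENGINE ../test/fuzzers/fuzz-mdhtml.c -o $OUT/fuzz-mdhtml ...` uses the C driver for a binary that pulls in `$LIB_FUZZING_ENGINE`, which for libFuzzer is C++ code; unless the image's `$CC` links the C++ runtime on its own, this fails with unresolved `std::` symbols at link time, and the usual form is `$CXX $CXXFLAGS` for the link step even when the harness source is C. `make` with no `-j$(nproc)` is slower than the other build scripts in this change but not wrong. A short comment on why `-DBUILD_SHARED_LIBS=OFF` is set (the harness links the static `.a` files two lines below) would help the next reader.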
diff --git a/projects/md4c/project.yaml b/projects/md4c/project.yaml new file mode 100755 index 000000000..33e881e00 --- /dev/null +++ b/projects/md4c/project.yaml @@ -0,0 +1,6 @@ +homepage: "https://github.com/mity/md4c" +main_repo: "https://github.com/mity/md4c" +primary_contact: "mity@morous.org" +language: c +auto_ccs: + - "david@adalogics.com" diff --git a/projects/minify/Dockerfile b/projects/minify/Dockerfile index 025632d8f..3f3516ae5 100644 --- a/projects/minify/Dockerfile +++ b/projects/minify/Dockerfile @@ -15,6 +15,7 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get -u github.com/tdewolff/minify +RUN git clone --depth 1 https://github.com/tdewolff/minify +RUN git clone --depth 1 https://github.com/tdewolff/parse COPY build.sh $SRC/ WORKDIR $SRC/ diff --git a/projects/minify/build.sh b/projects/minify/build.sh index 65d728c80..1c031678a 100755 --- a/projects/minify/build.sh +++ b/projects/minify/build.sh @@ -14,4 +14,4 @@ # limitations under the License. # ################################################################################ -$GOPATH/src/github.com/tdewolff/minify/tests/oss-fuzz-build.sh +./minify/tests/oss-fuzz-build.sh diff --git a/projects/miniz/build.sh b/projects/miniz/build.sh index 9e7a489fc..e116a393c 100755 --- a/projects/miniz/build.sh +++ b/projects/miniz/build.sh @@ -17,3 +17,4 @@ # Run the OSS-Fuzz script in the project $SRC/miniz/tests/ossfuzz.sh + diff --git a/projects/muparser/project.yaml b/projects/muparser/project.yaml index 219093a95..e6be1c1aa 100644 --- a/projects/muparser/project.yaml +++ b/projects/muparser/project.yaml @@ -3,8 +3,6 @@ language: c++ primary_contact: "equinox.ib@googlemail.com" auto_ccs: - "zhichengcai@google.com" -fuzzing_engines: - - libfuzzer sanitizers: - address - undefined diff --git a/projects/mupdf/pdf_fuzzer.cc b/projects/mupdf/pdf_fuzzer.cc index fd8ad7faf..3e3f1fbb6 100644 --- a/projects/mupdf/pdf_fuzzer.cc 
+++ b/projects/mupdf/pdf_fuzzer.cc 
@@ -23,96 +23,115 @@ #include <mupdf/fitz.h> -#define ALIGNMENT 16 -#define MAX_ALLOCATION (1024 * 1024 * 1024) +#define ALIGNMENT ((size_t) 16) +#define KBYTE ((size_t) 1024) +#define MBYTE (1024 * KBYTE) +#define GBYTE (1024 * MBYTE) +#define MAX_ALLOCATION (1 * GBYTE) -static uint64_t total = 0; +static size_t used; -static void * -fz_malloc_ossfuzz(void *opaque, size_t size) +static void *fz_limit_reached_ossfuzz(size_t oldsize, size_t size) { - char *ptr = NULL; + if (oldsize == 0) + fprintf(stderr, "limit: %zu Mbyte used: %zu Mbyte allocation: %zu: limit reached\n", MAX_ALLOCATION / MBYTE, used / MBYTE, size); + else + fprintf(stderr, "limit: %zu Mbyte used: %zu Mbyte reallocation: %zu -> %zu: limit reached\n", MAX_ALLOCATION / MBYTE, used / MBYTE, oldsize, size); + fflush(0); + return NULL; +} - if (size == 0) - return NULL; - if (size > SIZE_MAX - ALIGNMENT) - return NULL; +static void *fz_malloc_ossfuzz(void *opaque, size_t size) +{ + char *ptr = NULL; - if (size > MAX_ALLOCATION - ALIGNMENT - total) - return NULL; + if (size == 0) + return NULL; + if (size > SIZE_MAX - ALIGNMENT) + return NULL; + if (size + ALIGNMENT > MAX_ALLOCATION - used) + return fz_limit_reached_ossfuzz(0, size + ALIGNMENT); - ptr = (char *) malloc(size + ALIGNMENT); - if (ptr == NULL) - return NULL; + ptr = (char *) malloc(size + ALIGNMENT); + if (ptr == NULL) + return NULL; - memcpy(ptr, &size, sizeof(size)); - total += size + ALIGNMENT; + memcpy(ptr, &size, sizeof(size)); + used += size + ALIGNMENT; - return ptr + ALIGNMENT; + return ptr + ALIGNMENT; } -static void -fz_free_ossfuzz(void *opaque, void *ptr) +static void fz_free_ossfuzz(void *opaque, void *ptr) { - size_t size; + size_t size; - if (ptr == NULL) - return; + if (ptr == NULL) + return; + if (ptr < (void *) ALIGNMENT) + return; - ptr = ((char *) ptr) - ALIGNMENT; + ptr = (char *) ptr - ALIGNMENT; + memcpy(&size, ptr, sizeof(size)); - memcpy(&size, ptr, sizeof(size)); - total -= size - ALIGNMENT; - free(ptr); + used -= 
size + ALIGNMENT; + free(ptr); } -static void * -fz_realloc_ossfuzz(void *opaque, void *old, size_t size) +static void *fz_realloc_ossfuzz(void *opaque, void *old, size_t size) { - size_t oldsize; - char *ptr; - - if (old == NULL) - return fz_malloc_ossfuzz(opaque, size); - if (size == 0) - { - fz_free_ossfuzz(opaque, old); - return NULL; - } - if (size > SIZE_MAX - ALIGNMENT) - return NULL; - - old = ((char *) old) - ALIGNMENT; - memcpy(&oldsize, old, sizeof(oldsize)); - - if (size > MAX_ALLOCATION - total + oldsize) - return NULL; - - ptr = (char *) realloc(old, size + ALIGNMENT); - if (ptr == NULL) - return NULL; - - total -= oldsize + ALIGNMENT; - memcpy(ptr, &size, sizeof(size)); - total += size + ALIGNMENT; - - return ptr + ALIGNMENT; + size_t oldsize; + char *ptr; + + if (old == NULL) + return fz_malloc_ossfuzz(opaque, size); + if (old < (void *) ALIGNMENT) + return NULL; + + if (size == 0) { + fz_free_ossfuzz(opaque, old); + return NULL; + } + if (size > SIZE_MAX - ALIGNMENT) + return NULL; + + old = (char *) old - ALIGNMENT; + memcpy(&oldsize, old, sizeof(oldsize)); + + if (size + ALIGNMENT > MAX_ALLOCATION - used + oldsize + ALIGNMENT) + return fz_limit_reached_ossfuzz(oldsize + ALIGNMENT, size + ALIGNMENT); + + ptr = (char *) realloc(old, size + ALIGNMENT); + if (ptr == NULL) + return NULL; + + used -= oldsize + ALIGNMENT; + memcpy(ptr, &size, sizeof(size)); + used += size + ALIGNMENT; + + return ptr + ALIGNMENT; } static fz_alloc_context fz_alloc_ossfuzz = { - NULL, - fz_malloc_ossfuzz, - fz_realloc_ossfuzz, - fz_free_ossfuzz + NULL, + fz_malloc_ossfuzz, + fz_realloc_ossfuzz, + fz_free_ossfuzz }; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - fz_context *ctx = fz_new_context(&fz_alloc_ossfuzz, nullptr, FZ_STORE_DEFAULT); + fz_context *ctx; + fz_stream *stream; + fz_document *doc; + fz_pixmap *pix; + + used = 0; - fz_stream *stream = NULL; - fz_document *doc = NULL; - fz_pixmap *pix = NULL; + ctx = 
fz_new_context(&fz_alloc_ossfuzz, nullptr, FZ_STORE_DEFAULT); + stream = NULL; + doc = NULL; + pix = NULL; fz_var(stream); fz_var(doc); diff --git a/projects/nats/Dockerfile b/projects/nats/Dockerfile index 9667bd710..a9dbcf4cf 100644 --- a/projects/nats/Dockerfile +++ b/projects/nats/Dockerfile @@ -15,6 +15,6 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get github.com/nats-io/nats-server +RUN git clone --depth 1 https://github.com/nats-io/nats-server COPY build.sh $SRC/ -WORKDIR $SRC/ +WORKDIR $SRC/nats-server diff --git a/projects/nats/build.sh b/projects/nats/build.sh index 25089d54f..2235a6e4b 100755 --- a/projects/nats/build.sh +++ b/projects/nats/build.sh @@ -17,6 +17,6 @@ -compile_go_fuzzer github.com/nats-io/nats-server/conf Fuzz fuzz_conf -compile_go_fuzzer github.com/nats-io/nats-server/server FuzzClient fuzz_client +compile_go_fuzzer ./conf Fuzz fuzz_conf +compile_go_fuzzer ./server FuzzClient fuzz_client diff --git a/projects/nom/Dockerfile b/projects/nom/Dockerfile new file mode 100644 index 000000000..167550e33 --- /dev/null +++ b/projects/nom/Dockerfile @@ -0,0 +1,21 @@ +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +FROM gcr.io/oss-fuzz-base/base-builder + +RUN git clone --depth 1 https://github.com/Geal/nom/ +WORKDIR $SRC + +COPY build.sh $SRC/ 
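Review bot: The new guards `if (ptr < (void *) ALIGNMENT)` in fz_free_ossfuzz and `if (old < (void *) ALIGNMENT)` in fz_realloc_ossfuzz compare a pointer against an integer cast to `void *`, which is an unspecified relational comparison in C++ and reads like a typo to the next maintainer; `if ((uintptr_t) ptr < ALIGNMENT)` states the intent (reject values too small to have a 16-byte header in front of them) and needs only `<cstdint>`, which the existing `uint64_t`/`SIZE_MAX` uses suggest is already included — confirm. Nothing in the hunk says why such values reach the allocator callbacks, so a one-line comment on each guard would help. The accounting fix itself (`used -= size + ALIGNMENT;`, replacing the old `total -= size - ALIGNMENT`) looks right, and `used = 0;` at the start of LLVMFuzzerTestOneInput keeps the 1 GB cap per input rather than per process. LLVMFuzzerTestOneInput continues past the end of the hunk.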
diff --git a/projects/nom/build.sh b/projects/nom/build.sh
new file mode 100755
index 000000000..8567ddc5d
--- /dev/null
+++ b/projects/nom/build.sh
@@ -0,0 +1,20 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC/nom
+cargo fuzz build -O
+cp fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_arithmetic $OUT/
diff --git a/projects/nom/project.yaml b/projects/nom/project.yaml
new file mode 100644
index 000000000..9c2f7d840
--- /dev/null
+++ b/projects/nom/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/Geal/nom"
+main_repo: "https://github.com/Geal/nom"
+primary_contact: "geo.couprie@gmail.com"
+sanitizers:
+ - address
+fuzzing_engines:
+ - libfuzzer
+language: rust
+auto_ccs:
+ - "david@adalogics.com"
diff --git a/projects/openbabel/Dockerfile b/projects/openbabel/Dockerfile
new file mode 100644
index 000000000..766293ae2
--- /dev/null
+++ b/projects/openbabel/Dockerfile
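Review bot: `cp fuzz/target/x86_64-unknown-linux-gnu/release/fuzz_arithmetic $OUT/` ships exactly one hard-coded target, so any fuzz target added to nom's `fuzz/fuzz_targets` later is built by `cargo fuzz build -O` and then silently left out of `$OUT`. Iterating over the targets cargo-fuzz knows about, `for t in $(cargo fuzz list); do cp fuzz/target/x86_64-unknown-linux-gnu/release/$t $OUT/; done`, ships whatever was built and still fails loudly on a missing binary. `cargo fuzz build -O` also drops the debug assertions and overflow checks a non-optimised cargo-fuzz build keeps; if those are wanted in the fuzzers, `cargo fuzz build -O --debug-assertions` retains them at release optimisation.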
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt install -y cmake
+RUN git clone --depth 1 https://github.com/openbabel/openbabel.git
+COPY build.sh $SRC
+WORKDIR $SRC/openbabel
diff --git a/projects/openbabel/build.sh b/projects/openbabel/build.sh
new file mode 100755
index 000000000..5a1b5477f
--- /dev/null
+++ b/projects/openbabel/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+
+# build project
+mkdir build && cd build
+cmake .. -DBUILD_SHARED=OFF -DBUILD_MIXED=ON
+make -j $(nproc)
+cp bin/fuzz* $OUT/
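Review bot: `RUN apt-get update && apt install -y cmake` uses `apt` where every other Dockerfile in this change uses `apt-get`; `apt` warns that its CLI is not stable for scripted use, so `apt-get install -y cmake` is the consistent form. `COPY build.sh $SRC` without a trailing slash lands the file inside `$SRC` only because that directory already exists in the base image; `COPY build.sh $SRC/` states the intent and matches the other new Dockerfiles here.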
diff --git a/projects/openbabel/project.yaml b/projects/openbabel/project.yaml new file mode 100644 index 000000000..e7437df5d --- /dev/null +++ b/projects/openbabel/project.yaml @@ -0,0 +1,10 @@ +homepage: "https://openbabel.org" +language: c++ +primary_contact: "geoff.hutchison@gmail.com" +auto_ccs : +- "p.antoine@catenacyber.fr" + +sanitizers: +- address +- undefined +main_repo: 'https://github.com/openbabel/openbabel.git' diff --git a/projects/openexr/build.sh b/projects/openexr/build.sh index a0bcfc24a..80a2e49a6 100755 --- a/projects/openexr/build.sh +++ b/projects/openexr/build.sh @@ -38,9 +38,8 @@ INCLUDES=( LIBS=( "$WORK/src/lib/OpenEXRUtil/libOpenEXRUtil.a" "$WORK/src/lib/OpenEXR/libOpenEXR.a" - "$WORK/src/lib/Iex/libIex.a" - "$WORK/src/lib/IexMath/libIexMath.a" "$WORK/src/lib/IlmThread/libIlmThread.a" + "$WORK/src/lib/Iex/libIex.a" "$WORK/_deps/imath-build/src/Imath/libImath*.a" ) diff --git a/projects/openjpeg/build.sh b/projects/openjpeg/build.sh index cd96cf787..1bc2da047 100755 --- a/projects/openjpeg/build.sh +++ b/projects/openjpeg/build.sh @@ -17,7 +17,7 @@ mkdir build cd build -cmake .. +cmake -DCMAKE_BUILD_TYPE=Release .. make clean -s make -j$(nproc) -s cd .. diff --git a/projects/opensc/project.yaml b/projects/opensc/project.yaml index 250052f2d..79d794ecb 100644 --- a/projects/opensc/project.yaml +++ b/projects/opensc/project.yaml @@ -8,7 +8,4 @@ auto_ccs: - "andreas.schwier@cardcontact.de" - "deengert@gmail.com" - "jakuje@gmail.com" -fuzzing_engines: - - libfuzzer - - honggfuzz main_repo: 'https://github.com/OpenSC/OpenSC' diff --git a/projects/openssh/build.sh b/projects/openssh/build.sh index 83c7f0f7d..49d138154 100755 --- a/projects/openssh/build.sh +++ b/projects/openssh/build.sh 
@@ -16,8 +16,10 @@
 ################################################################################
 
 # Enable null cipher
-mv cipher.c _cipher.c
-sed 's/#define CFLAG_INTERNAL.*/#define CFLAG_INTERNAL 0/' _cipher.c > cipher.c
+sed -i 's/#define CFLAG_INTERNAL.*/#define CFLAG_INTERNAL 0/' cipher.c
+
+# Turn off agent unlock password failure delays
+sed -i 's|\(usleep.*\)|// \1|' ssh-agent.c
 
 # Build project
 autoreconf
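Review bot: The rewrite `sed -i 's|\(usleep.*\)|// \1|' ssh-agent.c` comments out everything from `usleep` to the end of any matching line, so if a call shares a line with an `if`/`else` or is followed by another statement, the next statement becomes the conditional body instead of the delay simply disappearing; and when upstream moves or renames the call the pattern matches nothing, sed still exits 0, and the unlock-failure delay silently stays in the agent_fuzz build. Anchoring the pattern to a line holding only the call, `sed -i 's|^\([[:space:]]*\)usleep(.*);|\1/* usleep removed for fuzzing */|' ssh-agent.c`, and checking it took with `grep -q 'usleep removed for fuzzing' ssh-agent.c`, makes both failure modes loud. The same check-after-sed applies to the `CFLAG_INTERNAL` rewrite of cipher.c just above it.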
@@ -32,37 +34,48 @@ make -j$(nproc) all EXTRA_CFLAGS="-DCIPHER_NONE_AVAIL=1" STATIC_CRYPTO="-Wl,-Bstatic -lcrypto -Wl,-Bdynamic" -COMMON=ssh-sk-null.o +SK_NULL=ssh-sk-null.o +SK_DUMMY=sk-dummy.o -$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \ - regress/misc/fuzz-harness/ssh-sk-null.cc -c -o ssh-sk-null.o +$CC $CFLAGS $EXTRA_CFLAGS -I. -g -c \ + regress/misc/fuzz-harness/ssh-sk-null.cc -o ssh-sk-null.o +$CC $CFLAGS $EXTRA_CFLAGS -I. -g -c \ + -DSK_DUMMY_INTEGRATE=1 regress/misc/sk-dummy/sk-dummy.c -o sk-dummy.o $CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \ regress/misc/fuzz-harness/pubkey_fuzz.cc -o $OUT/pubkey_fuzz \ - -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO $LIB_FUZZING_ENGINE + -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO $LIB_FUZZING_ENGINE $CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \ regress/misc/fuzz-harness/privkey_fuzz.cc -o $OUT/privkey_fuzz \ - -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO $LIB_FUZZING_ENGINE + -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO $LIB_FUZZING_ENGINE $CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \ regress/misc/fuzz-harness/sig_fuzz.cc -o $OUT/sig_fuzz \ - -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO $LIB_FUZZING_ENGINE + -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO $LIB_FUZZING_ENGINE $CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \ regress/misc/fuzz-harness/authopt_fuzz.cc -o $OUT/authopt_fuzz \ - auth-options.o -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO \ + auth-options.o -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO \ $LIB_FUZZING_ENGINE $CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \ regress/misc/fuzz-harness/sshsig_fuzz.cc -o $OUT/sshsig_fuzz \ - sshsig.o -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO \ + sshsig.o -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO \ $LIB_FUZZING_ENGINE $CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. 
-Lopenbsd-compat -g \ regress/misc/fuzz-harness/sshsigopt_fuzz.cc -o $OUT/sshsigopt_fuzz \ - sshsig.o -lssh -lopenbsd-compat $COMMON $STATIC_CRYPTO \ + sshsig.o -lssh -lopenbsd-compat $SK_NULL $STATIC_CRYPTO \ $LIB_FUZZING_ENGINE $CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \ regress/misc/fuzz-harness/kex_fuzz.cc -o $OUT/kex_fuzz \ - -lssh -lopenbsd-compat -lz $COMMON $STATIC_CRYPTO \ + -lssh -lopenbsd-compat -lz $SK_NULL $STATIC_CRYPTO \ $LIB_FUZZING_ENGINE +$CC $CFLAGS $EXTRA_CFLAGS -I. -g -c \ + regress/misc/fuzz-harness/agent_fuzz_helper.c -o agent_fuzz_helper.o +$CC $CFLAGS $EXTRA_CFLAGS -I. -g -c -DENABLE_SK_INTERNAL=1 ssh-sk.c -o ssh-sk.o +$CXX $CXXFLAGS -std=c++11 $EXTRA_CFLAGS -I. -L. -Lopenbsd-compat -g \ + regress/misc/fuzz-harness/agent_fuzz.cc -o $OUT/agent_fuzz \ + $SK_DUMMY agent_fuzz_helper.o ssh-sk.o -lssh -lopenbsd-compat -lz \ + $STATIC_CRYPTO $LIB_FUZZING_ENGINE + # Prepare seed corpora CASES="$SRC/openssh-fuzz-cases" (set -e ; cd ${CASES}/key ; zip -r $OUT/pubkey_fuzz_seed_corpus.zip .) @@ -72,3 +85,4 @@ CASES="$SRC/openssh-fuzz-cases" (set -e ; cd ${CASES}/sshsig ; zip -r $OUT/sshsig_fuzz_seed_corpus.zip .) (set -e ; cd ${CASES}/sshsigopt ; zip -r $OUT/sshsigopt_fuzz_seed_corpus.zip .) (set -e ; cd ${CASES}/kex ; zip -r $OUT/kex_fuzz_seed_corpus.zip .) +(set -e ; cd ${CASES}/agent ; zip -r $OUT/agent_fuzz_seed_corpus.zip .) diff --git a/projects/openssl/build.sh b/projects/openssl/build.sh index 0832c6ad0..14768c973 100755 --- a/projects/openssl/build.sh +++ b/projects/openssl/build.sh @@ -15,12 +15,6 @@ # ################################################################################ -# afl++ CMPLOG test: -test "$FUZZING_ENGINE" = "afl" && { - export AFL_LLVM_CMPLOG=1 - touch $OUT/afl_cmplog.txt -} - CONFIGURE_FLAGS="" if [[ $CFLAGS = *sanitize=memory* ]] then diff --git a/projects/openthread/Dockerfile b/projects/openthread/Dockerfile index e54e7e780..4ef0e6e46 100644 --- a/projects/openthread/Dockerfile 
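Review bot: `regress/misc/fuzz-harness/ssh-sk-null.cc` is now compiled with `$CC $CFLAGS` in place of the previous `$CXX $CXXFLAGS -std=c++11`; clang still treats the `.cc` file as C++ by extension, but it is built without whatever `$CXXFLAGS` adds beyond `$CFLAGS` (typically `-stdlib=libc++` in the base-builder image), so the object may target a different C++ runtime than the harnesses it is linked into, and the `-std=c++11` requirement the old line expressed is gone. Keeping `$CXX $CXXFLAGS -std=c++11 ... -c` for that one file, as the harness links below still do, avoids the mismatch; the new `sk-dummy.c`, `agent_fuzz_helper.c` and `ssh-sk.c` objects are plain C and are fine with `$CC`. If ssh-sk-null.cc uses nothing from the C++ standard library this is only cosmetic, but the inconsistency deserves a comment either way.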
+++ b/projects/openthread/Dockerfile @@ -16,7 +16,7 @@ FROM gcr.io/oss-fuzz-base/base-builder -RUN apt-get update && apt-get install -y make autoconf automake libtool +RUN apt-get update && apt-get install -y cmake ninja-build RUN git clone --depth 1 https://github.com/openthread/openthread WORKDIR openthread diff --git a/projects/openthread/build.sh b/projects/openthread/build.sh index 3cd785182..019508454 100755 --- a/projects/openthread/build.sh +++ b/projects/openthread/build.sh 
@@ -15,53 +15,4 @@ # ################################################################################ -./bootstrap - -export CPPFLAGS=" \ - -DOPENTHREAD_CONFIG_BORDER_AGENT_ENABLE=1 \ - -DOPENTHREAD_CONFIG_BORDER_ROUTER_ENABLE=1 \ - -DOPENTHREAD_CONFIG_CHANNEL_MANAGER_ENABLE=1 \ - -DOPENTHREAD_CONFIG_CHANNEL_MONITOR_ENABLE=1 \ - -DOPENTHREAD_CONFIG_CHILD_SUPERVISION_ENABLE=1 \ - -DOPENTHREAD_CONFIG_COAP_API_ENABLE=1 \ - -DOPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE=1 \ - -DOPENTHREAD_CONFIG_COMMISSIONER_ENABLE=1 \ - -DOPENTHREAD_CONFIG_DHCP6_CLIENT_ENABLE=1 \ - -DOPENTHREAD_CONFIG_DHCP6_SERVER_ENABLE=1 \ - -DOPENTHREAD_CONFIG_DIAG_ENABLE=1 \ - -DOPENTHREAD_CONFIG_DNS_CLIENT_ENABLE=1 \ - -DOPENTHREAD_CONFIG_ECDSA_ENABLE=1 \ - -DOPENTHREAD_CONFIG_LEGACY_ENABLE=1 \ - -DOPENTHREAD_CONFIG_JAM_DETECTION_ENABLE=1 \ - -DOPENTHREAD_CONFIG_JOINER_ENABLE=1 \ - -DOPENTHREAD_CONFIG_LINK_RAW_ENABLE=1 \ - -DOPENTHREAD_CONFIG_MAC_FILTER_ENABLE=1 \ - -DOPENTHREAD_CONFIG_NCP_UART_ENABLE=1 \ - -DOPENTHREAD_CONFIG_REFERENCE_DEVICE_ENABLE=1 \ - -DOPENTHREAD_CONFIG_SNTP_CLIENT_ENABLE=1 \ - -DOPENTHREAD_CONFIG_TMF_NETDATA_SERVICE_ENABLE=1 \ - -DOPENTHREAD_CONFIG_TMF_NETWORK_DIAG_MTD_ENABLE=1 \ - -DOPENTHREAD_CONFIG_UDP_FORWARD_ENABLE=1" - -./configure \ - --enable-fuzz-targets \ - --enable-cli \ - --enable-ftd \ - --enable-joiner \ - --enable-ncp \ - --disable-docs - -make -j$(nproc) - -find . -name '*-fuzzer' -exec cp -v '{}' $OUT ';' -find . -name '*-fuzzer.dict' -exec cp -v '{}' $OUT ';' -find . -name '*-fuzzer.options' -exec cp -v '{}' $OUT ';' - -fuzzers=$(find tests/fuzz -name "*-fuzzer") -for f in $fuzzers; do - fuzzer=$(basename $f -fuzzer) - - if [ -d "tests/fuzz/corpora/${fuzzer}" ]; then - zip -j $OUT/$(basename $f)_seed_corpus.zip tests/fuzz/corpora/${fuzzer}/* - fi -done +bash tests/fuzz/oss-fuzz-build diff --git a/projects/openthread/project.yaml b/projects/openthread/project.yaml index f10bdfc61..c772d3b3c 100644 --- a/projects/openthread/project.yaml 
+++ b/projects/openthread/project.yaml
@@ -5,7 +5,6 @@ fuzzing_engines:
 - libfuzzer
 - afl
 - honggfuzz
- - dataflow
 sanitizers:
 - address
 - undefined
diff --git a/projects/osquery/project.yaml b/projects/osquery/project.yaml
index efe3528d2..d0944c1f8 100644
--- a/projects/osquery/project.yaml
+++ b/projects/osquery/project.yaml
@@ -15,4 +15,5 @@ sanitizers:
 - address
 fuzzing_engines:
 - libfuzzer
+ - afl
 main_repo: 'https://github.com/osquery/osquery'
diff --git a/projects/p11-kit/Dockerfile b/projects/p11-kit/Dockerfile
new file mode 100644
index 000000000..5ae785811
--- /dev/null
+++ b/projects/p11-kit/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make autoconf automake libtool pkg-config libtasn1-6-dev libffi-dev
+RUN echo deb http://archive.ubuntu.com/ubuntu/ bionic main >> /etc/apt/sources.list
+RUN apt-get update && apt-get install -y -t bionic gettext autopoint
+RUN git clone --depth 1 https://github.com/p11-glue/p11-kit.git p11-kit
+WORKDIR p11-kit
+COPY build.sh $SRC/
diff --git a/projects/p11-kit/build.sh b/projects/p11-kit/build.sh
new file mode 100755
index 000000000..c15f9d58c
--- /dev/null
+++ b/projects/p11-kit/build.sh
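Review bot: Appending `deb http://archive.ubuntu.com/ubuntu/ bionic main` to the base image's sources and installing with `-t bionic` mixes packages from a different Ubuntu release into the builder; `-t` only sets the default release for the packages named, so `gettext`/`autopoint` can still pull their dependencies from bionic (libc6 is the usual one), which changes the toolchain every project built from this image relies on. If the base release's gettext is unusable, an `/etc/apt/preferences.d` pin that limits bionic to those two packages, or building gettext from a checksummed release tarball, keeps the change to the two packages named; either way a comment on the `RUN echo` line saying why bionic is needed belongs there. The base image's own release is not visible here, so confirm what `apt-cache policy gettext libc6` resolves to after the change.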
@@ -0,0 +1,25 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+./autogen.sh
+make -j$(nproc) oss-fuzz
+
+cd fuzz
+for dir in *.in; do
+ fuzzer=$(basename $dir .in)_fuzzer
+ zip -rj "$OUT/${fuzzer}_seed_corpus.zip" "${dir}/"
+done
diff --git a/projects/p11-kit/project.yaml b/projects/p11-kit/project.yaml
new file mode 100644
index 000000000..55139b84a
--- /dev/null
+++ b/projects/p11-kit/project.yaml
@@ -0,0 +1,4 @@
+homepage: https://p11-glue.github.io/p11-glue/p11-kit.html
+main_repo: https://github.com/p11-glue/p11-kit
+language: c
+primary_contact: "daiki.ueno@gmail.com"
diff --git a/projects/pcl/Dockerfile b/projects/pcl/Dockerfile
new file mode 100644
index 000000000..740a3b350
--- /dev/null
+++ b/projects/pcl/Dockerfile
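Review bot: `for dir in *.in; do` runs under `#!/bin/bash -eu` with no `nullglob`, so if `fuzz/` holds no `*.in` directories the loop iterates once over the literal string `*.in` and `zip -rj ... "*.in/"` fails the build with an unrelated-looking error. `shopt -s nullglob` before the loop, or `[ -d "$dir" ] || continue` as its first statement, makes the no-corpus case explicit. Quoting `$dir` in `$(basename "$dir" .in)` would match the quoting already used on the `zip` line.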
@@ -0,0 +1,45 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make cmake autoconf \
+ automake libtool gettext pkg-config build-essential \
+ mercurial wget libeigen3-dev libflann-dev python python-dev
+
+# VTK deps
+RUN apt-get update && apt-get install -y \
+ libavcodec-dev libavformat-dev libavutil-dev libboost-dev \
+ libdouble-conversion-dev libeigen3-dev libexpat1-dev \
+ libfontconfig-dev libfreetype6-dev libgdal-dev libglew-dev \
+ libhdf5-dev libjpeg-dev libjsoncpp-dev liblz4-dev liblzma-dev \
+ libnetcdf-dev libnetcdf-cxx-legacy-dev libogg-dev libpng-dev \
+ libpython3-dev libqt5opengl5-dev libqt5x11extras5-dev libsqlite3-dev \
+ libswscale-dev libtheora-dev libtiff-dev libxml2-dev libxt-dev \
+ qtbase5-dev qttools5-dev zlib1g-dev
+
+# Install and build boost from source so we can have it use libc++
+RUN wget https://sourceforge.net/projects/boost/files/boost/1.70.0/boost_1_70_0.tar.gz && \
+ tar xzf boost_1_70_0.tar.gz && \
+ cd boost_1_70_0 && \
+ ./bootstrap.sh --with-toolset=clang && \
+ ./b2 clean && \
+ ./b2 toolset=clang cxxflags="-stdlib=libc++" linkflags="-stdlib=libc++" -j$(nproc) install && \
+ cd .. && \
+ rm -rf boost_1_70_0]
+
+RUN git clone --depth 1 https://github.com/PointCloudLibrary/pcl
+COPY build.sh $SRC/
+WORKDIR $SRC/
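Review bot: `rm -rf boost_1_70_0]` carries a stray `]`, so it removes a name that does not exist (which `-f` accepts silently) and the extracted Boost tree stays in the image; the intended line is `rm -rf boost_1_70_0`. The tarball is also fetched with `wget` and unpacked with no integrity check, so the build root of every pcl fuzzer depends on whatever the mirror serves that day; inserting `echo "<EXPECTED_SHA256_PLACEHOLDER>  boost_1_70_0.tar.gz" | sha256sum -c - && \` between the `wget` and the `tar xzf` lines, with the digest taken from the Boost release page, pins it.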
diff --git a/projects/pcl/build.sh b/projects/pcl/build.sh new file mode 100755 index 000000000..c08aeac0f --- /dev/null +++ b/projects/pcl/build.sh @@ -0,0 +1,19 @@ +#!/bin/bash -eu +# Copyright 2021 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +chmod +x $SRC/pcl/test/fuzz/build.sh +$SRC/pcl/test/fuzz/build.sh diff --git a/projects/pcl/project.yaml b/projects/pcl/project.yaml index 83d05068b..fdb4cb1c5 100644 --- a/projects/pcl/project.yaml +++ b/projects/pcl/project.yaml @@ -1,6 +1,9 @@ -help_url: "https://github.com/pointcloudlibrary/pcl" +main_repo: "https://github.com/pointcloudlibrary/pcl" homepage: "http://pointclouds.org" language: c++ primary_contact: "kunal.tyagi.3.1994@gmail.com" auto_ccs: - "tyagi.kunal@live.com" + - "larshg@gmail.com" + - "markus95.vieth@gmail.com" + - "k.koide.aist@gmail.com" diff --git a/projects/pillow/Dockerfile b/projects/pillow/Dockerfile index 3f5a1176b..ab9089553 100644 --- a/projects/pillow/Dockerfile +++ b/projects/pillow/Dockerfile @@ -54,12 +54,10 @@ RUN cd Pillow && depends/install_extra_test_images.sh COPY build.sh $SRC/ -# pillow runtime dependencies +# pillow optional runtime dependencies RUN apt-get install -y \ - libfribidi-dev \ - libharfbuzz-dev \ - python3-tk \ - tcl8.6-dev \ - tk8.6-dev + python3-tk \ + tcl8.6-dev \ + tk8.6-dev WORKDIR $SRC/Pillow 
diff --git a/projects/pillow/build.sh b/projects/pillow/build.sh index c0f791dac..e7dac3463 100644 --- a/projects/pillow/build.sh +++ b/projects/pillow/build.sh @@ -17,27 +17,22 @@ python3 setup.py build --build-base=/tmp/build install -bp="$(find /tmp/build -name '_imaging.o')" -BUILD_DIR="${bp/_imaging.o/}" -if [ -d "$BUILD_DIR" ]; then - find $BUILD_DIR -name _imagingmath.o -delete - find $BUILD_DIR -name _imagingtk.o -delete - find $BUILD_DIR -name _imagingmorph.o -delete -fi; - -# Relink with fuzzing engine -TS="$(find /usr/local/lib/python3.* -name '_imaging.*.so')" -$CXX -pthread -shared $CXXFLAGS $LIB_FUZZING_ENGINE ${BUILD_DIR}/*.o ${BUILD_DIR}/libImaging/*.o \ - -L/usr/local/lib -L/lib/x86_64-linux-gnu -L/usr/lib/x86_64-linux-gnu \ - -L/usr/lib/x86_64-linux-gnu/libfakeroot -L/usr/lib -L/lib -L/usr/local/lib \ - -ljpeg -lz -lxcb -lfreetype -lopenjp2 -ltiff -llcms2 -lwebp -lwebpmux -lwebpdemux \ - -o ${TS} -stdlib=libc++ - # Build fuzzers in $OUT. for fuzzer in $(find $SRC -name 'fuzz_*.py'); do fuzzer_basename=$(basename -s .py $fuzzer) fuzzer_package=${fuzzer_basename}.pkg - pyinstaller --distpath $OUT --onefile --name $fuzzer_package $fuzzer + pyinstaller \ + --add-binary /usr/local/lib/libjpeg.so.9:. \ + --add-binary /usr/local/lib/libfreetype.so.6:. \ + --add-binary /usr/local/lib/liblcms2.so.2:. \ + --add-binary /usr/local/lib/libopenjp2.so.7:. \ + --add-binary /usr/local/lib/libpng16.so.16:. \ + --add-binary /usr/local/lib/libtiff.so.5:. \ + --add-binary /usr/local/lib/libwebp.so.7:. \ + --add-binary /usr/local/lib/libwebpdemux.so.2:. \ + --add-binary /usr/local/lib/libwebpmux.so.3:. \ + --add-binary /usr/local/lib/libxcb.so.1:. \ + --distpath $OUT --onefile --name $fuzzer_package $fuzzer # Create execution wrapper. echo "#!/bin/sh diff --git a/projects/pillow/fuzz_pillow.py b/projects/pillow/fuzz_pillow.py deleted file mode 100644 index d501811b3..000000000 --- a/projects/pillow/fuzz_pillow.py +++ /dev/null 
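Review bot: The `--add-binary` list pins exact sonames (`/usr/local/lib/libjpeg.so.9`, `libtiff.so.5`, `libwebp.so.7`, …) that come from the from-source builds in the Dockerfile, which this hunk does not show; when one of those libraries is bumped the Dockerfile changes but this list does not, and pyinstaller then fails on a missing file with no hint of where the name came from. A comment above the call, `# sonames must match the library versions built in Dockerfile; update both together`, or deriving the list from `ldd` on the built `_imaging*.so`, keeps the two in step. The `for fuzzer in` loop starts in the hunk and its `echo "#!/bin/sh` wrapper continues past it.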
@@ -1,44 +0,0 @@ -#!/usr/bin/python3 - -# Copyright 2020 Google LLC -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import atheris_no_libfuzzer as atheris -import sys -import os -import io -import warnings -from PIL import Image, ImageFile, ImageFilter - -def TestOneInput(data): - try: - with Image.open(io.BytesIO(data)) as im: - im.rotate(45) - im.filter(ImageFilter.DETAIL) - im.save(io.BytesIO(), "BMP") - except Exception: - # We're catching all exceptions because Pillow's exceptions are - # directly inheriting from Exception. - return - return - -def main(): - ImageFile.LOAD_TRUNCATED_IMAGES = True - warnings.filterwarnings("ignore") - atheris.Setup(sys.argv, TestOneInput, enable_python_coverage=True) - atheris.Fuzz() - -if __name__ == "__main__": - main() - diff --git a/projects/poppler/Dockerfile b/projects/poppler/Dockerfile index 6ceb73996..c1b0355cf 100644 --- a/projects/poppler/Dockerfile +++ b/projects/poppler/Dockerfile @@ -15,7 +15,7 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN apt-get update && apt-get install -y wget autoconf automake libtool pkg-config cmake gperf +RUN apt-get update && apt-get install -y wget autoconf automake libtool pkg-config gperf RUN pip3 install meson ninja RUN git clone --depth 1 https://github.com/madler/zlib.git diff --git a/projects/poppler/build.sh b/projects/poppler/build.sh index 4f2893054..23692dd5b 100755 --- a/projects/poppler/build.sh 
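Review bot: Removing `cmake` from the poppler apt-get line leaves no record of which cmake the build now relies on — presumably the one shipped by the base-builder image, but the hunk does not say. A comment on the RUN line, `# cmake is provided by the base image; do not install the apt one`, would stop the next maintainer from re-adding the package and silently switching versions.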
+++ b/projects/poppler/build.sh @@ -166,7 +166,7 @@ fuzzers=$(find $SRC/poppler/cpp/tests/fuzzing/ -name "*_fuzzer.cc") for f in $fuzzers; do fuzzer_name=$(basename $f .cc) - $CXX $CXXFLAGS -std=c++11 -I$SRC/poppler/cpp \ + $CXX $CXXFLAGS -std=c++11 -I$SRC/poppler/cpp -I$SRC/poppler/build/cpp \ $BUILD_CFLAGS \ $f -o $OUT/$fuzzer_name \ $PREDEPS_LDFLAGS \ @@ -213,7 +213,7 @@ for f in $fuzzers; do fuzzer_name=$(basename $f .cc) $CXX $CXXFLAGS -std=c++11 -fPIC \ - -I$SRC/poppler/qt5/src \ + -I$SRC/poppler/qt5/src -I$SRC/poppler/build/qt5/src \ $BUILD_CFLAGS \ $f -o $OUT/$fuzzer_name \ $PREDEPS_LDFLAGS \ diff --git a/projects/postgresql/add_fuzzers.diff b/projects/postgresql/add_fuzzers.diff index 2d3ce7b3b..86b106c22 100644 --- a/projects/postgresql/add_fuzzers.diff +++ b/projects/postgresql/add_fuzzers.diff @@ -1,26 +1,25 @@ diff --git a/src/backend/tcop/postgres.c b/src/backend/tcop/postgres.c -index c9424f167c..aa2897ec63 100644 +index cb5a96117f..c9b4880085 100644 --- a/src/backend/tcop/postgres.c +++ b/src/backend/tcop/postgres.c -@@ -101,6 +101,10 @@ int max_stack_depth = 100; +@@ -102,6 +102,9 @@ int max_stack_depth = 100; /* wait N seconds to allow attach from a debugger */ int PostAuthDelay = 0; +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +bool fuzzer_first_run = true; +#endif -+ /* ---------------- -@@ -505,11 +509,14 @@ static int - ReadCommand(StringInfo inBuf) +@@ -507,10 +510,15 @@ ReadCommand(StringInfo inBuf) { int result; -- + +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -+ result = SocketBackend(inBuf); ++ result = SocketBackend(inBuf); +#else ++ if (whereToSendOutput == DestRemote) result = SocketBackend(inBuf); else 
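Review bot: In the regenerated inner hunk for ReadCommand, `if (whereToSendOutput == DestRemote)` now appears as an added line after `#else`, while the old patch's context copy of that same conditional is not visible as removed anywhere in this view; if the upstream function still carries the line, the `#else` branch would contain the conditional twice, which compiles (the dangling `else` binds to the inner `if`) but is confusing, so the regenerated patch is worth a read against the upstream ReadCommand. Because add_fuzzers.diff is hand-maintained against a moving upstream (both `index` lines changed), a comment in the project's build.sh or README recording the upstream commit it was regenerated against would make the next rebase far easier. The `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` guard is retained, which is what keeps the unconditional `SocketBackend` path out of production builds.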
@@ -29,34 +28,35 @@ index c9424f167c..aa2897ec63 100644 return result; } -@@ -3784,6 +3791,10 @@ PostgresMain(int argc, char *argv[], - volatile bool send_ready_for_query = true; - bool disable_idle_in_transaction_timeout = false; +@@ -3846,6 +3854,11 @@ PostgresMain(int argc, char *argv[], + bool idle_in_transaction_timeout_enabled = false; + bool idle_session_timeout_enabled = false; +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -+ if(fuzzer_first_run) -+ { ++ if(fuzzer_first_run) ++ { +#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */ ++ /* Initialize startup process environment if necessary. */ if (!IsUnderPostmaster) InitStandaloneProcess(argv[0]); -@@ -4151,6 +4162,11 @@ PostgresMain(int argc, char *argv[], +@@ -4207,6 +4220,11 @@ PostgresMain(int argc, char *argv[], if (!ignore_till_sync) send_ready_for_query = true; /* initially, or after error */ +#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -+ fuzzer_first_run=false; -+ } ++ fuzzer_first_run=false; ++ } +#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */ + /* * Non-error queries loop here. */ diff --git a/src/backend/utils/error/elog.c b/src/backend/utils/error/elog.c -index d0b368530e..02a3e9066e 100644 +index 80c2672461..c16e0423c5 100644 --- a/src/backend/utils/error/elog.c +++ b/src/backend/utils/error/elog.c -@@ -513,7 +513,9 @@ errfinish(const char *filename, int lineno, const char *funcname) +@@ -600,7 +600,9 @@ errfinish(const char *filename, int lineno, const char *funcname) pq_endcopyout(true); /* Emit the message to the right places */ diff --git a/projects/postgresql/fuzzer/simple_query_fuzzer.c b/projects/postgresql/fuzzer/simple_query_fuzzer.c index 3ba6b50ed..29c13623e 100644 --- a/projects/postgresql/fuzzer/simple_query_fuzzer.c +++ b/projects/postgresql/fuzzer/simple_query_fuzzer.c 
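Review bot: The brace opened by `if(fuzzer_first_run) {` inside the first `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` block in PostgresMain is only closed by the `}` in the second `#ifdef` block several hundred lines later, so the function's brace balance depends on the two preprocessor blocks being edited together. A comment at the opening, `/* closed below, after send_ready_for_query is set; keep both #ifdef blocks in sync */`, would flag that. `fuzzer_first_run` itself gets no comment at its definition in the first hunk — presumably it makes the startup path run once per process and lets later iterations re-enter the query loop directly, but that should be stated where it is declared rather than inferred. The patched PostgresMain body starts and ends outside these hunks.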
@@ -46,7 +46,7 @@ exec_simple_query(const char *query_string) StartTransactionCommand(); oldcontext = MemoryContextSwitchTo(MessageContext); - parsetree_list = raw_parser(query_string); + parsetree_list = raw_parser(query_string, RAW_PARSE_TYPE_NAME); MemoryContextSwitchTo(oldcontext); use_implicit_block = (list_length(parsetree_list) > 1); diff --git a/projects/postgresql/project.yaml b/projects/postgresql/project.yaml index 9517c603f..5cc7a3ff3 100644 --- a/projects/postgresql/project.yaml +++ b/projects/postgresql/project.yaml @@ -1,4 +1,5 @@ homepage: "https://postgresql.org" +main_repo: "https://git.postgresql.org/git/postgresql" primary_contact: "sfrost@snowman.net" language: c auto_ccs: @@ -8,5 +9,6 @@ auto_ccs: fuzzing_engines: - libfuzzer - honggfuzz + - afl sanitizers: - address diff --git a/projects/proj4/Dockerfile b/projects/proj4/Dockerfile index 8d9790698..da7263a0c 100644 --- a/projects/proj4/Dockerfile +++ b/projects/proj4/Dockerfile @@ -16,7 +16,7 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && \ - apt-get install -y make autoconf automake libtool g++ sqlite3 pkg-config + apt-get install -y make autoconf automake libtool g++ sqlite3 pkg-config wget RUN git clone --depth 1 https://github.com/OSGeo/proj proj diff --git a/projects/prometheus/Dockerfile b/projects/prometheus/Dockerfile index d856df0cc..7e22750f9 100644 --- a/projects/prometheus/Dockerfile +++ b/projects/prometheus/Dockerfile @@ -15,7 +15,8 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get github.com/prometheus/prometheus/cmd/... +ENV GO111MODULE=on +RUN git clone https://github.com/prometheus/prometheus $GOPATH/src/github.com/prometheus/prometheus COPY build.sh $SRC/ -RUN mkdir $SRC/prometheus/ -WORKDIR $SRC/prometheus/ +# Required to avoid 'working directory is not part of a module' error. +WORKDIR $GOPATH/src/github.com/prometheus/prometheus 
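Review bot: `raw_parser(query_string, RAW_PARSE_TYPE_NAME)` asks the grammar to parse a type name, not a SQL statement, so a fuzzer that otherwise mirrors exec_simple_query will have almost every input rejected by the parser before it reaches transaction handling or execution; the mode upstream's pg_parse_query uses for exec_simple_query is `RAW_PARSE_DEFAULT`, i.e. `parsetree_list = raw_parser(query_string, RAW_PARSE_DEFAULT);`. Unless narrowing the target to type names is deliberate, this shrinks coverage silently rather than failing the build, which is the worse failure mode for a fuzzer. The enclosing exec_simple_query body starts and ends outside the hunk.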
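Review bot: `git clone https://github.com/prometheus/prometheus` has neither `--depth 1` nor a ref, so the full history is pulled into the image on every build, unlike the other Dockerfiles in this series; `RUN git clone --depth 1 https://github.com/prometheus/prometheus $GOPATH/src/github.com/prometheus/prometheus` matches them. With `ENV GO111MODULE=on` the module versions that get fuzzed are now fixed solely by the go.mod in that checkout, which is fine for a continuous fuzzer but worth a short comment next to the `ENV` line so the switch from `go get` is understood.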
diff --git a/projects/protobuf-c/Dockerfile b/projects/protobuf-c/Dockerfile index e0f854aee..c4407cc05 100644 --- a/projects/protobuf-c/Dockerfile +++ b/projects/protobuf-c/Dockerfile @@ -16,9 +16,9 @@ FROM gcr.io/oss-fuzz-base/base-builder MAINTAINER guidovranken@gmail.com -RUN apt-get update && apt-get install -y make autoconf automake libtool +RUN apt-get update && apt-get install -y make autoconf automake libtool pkg-config RUN git clone --depth 1 --recursive https://github.com/protocolbuffers/protobuf.git -RUN git clone --depth 1 https://github.com/protobuf-c/protobuf-c.git +RUN git clone --depth 1 https://github.com/protobuf-c/protobuf-c.git -b next RUN git clone --depth 1 https://github.com/guidovranken/fuzzing-headers.git RUN git clone --depth 1 https://github.com/guidovranken/protobuf-c-fuzzers.git COPY build.sh $SRC/ diff --git a/projects/protobuf-c/build.sh b/projects/protobuf-c/build.sh index f0aabdccf..8eda36a39 100755 --- a/projects/protobuf-c/build.sh +++ b/projects/protobuf-c/build.sh @@ -27,6 +27,11 @@ then export CXXFLAGS="$CXXFLAGS -DMSAN" fi +if [[ $SANITIZER = coverage ]] +then + export CXXFLAGS="$CXXFLAGS -fno-use-cxa-atexit" +fi + mkdir $SRC/protobuf-install/ cd $SRC/protobuf/ ./autogen.sh @@ -38,7 +43,8 @@ export PROTOC="$SRC/protobuf-install/bin/protoc" cd $SRC/protobuf-c/ ./autogen.sh -protobuf_LIBS="-L/$SRC/protobuf-install/lib -lprotobuf" protobuf_CFLAGS="-I $SRC/protobuf-install/include/" ./configure --enable-static=yes --enable-shared=false +./configure --enable-static=yes --enable-shared=false PKG_CONFIG_PATH=$SRC/protobuf-install/lib/pkgconfig + make -j$(nproc) cd $SRC/fuzzing-headers/ diff --git a/projects/protobuf-c/project.yaml b/projects/protobuf-c/project.yaml index 6ba2998df..9103f1bce 100644 --- a/projects/protobuf-c/project.yaml +++ b/projects/protobuf-c/project.yaml 
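Review bot: The new coverage branch exports `-fno-use-cxa-atexit` with no explanation, and the reason is not recoverable from the hunk; a one-line comment above the `if`, naming the symptom it works around in coverage builds, would keep it from being removed as an unexplained flag later. The test form `[[ $SANITIZER = coverage ]]` matches the MSAN check just above it, which is good; the same applies to the second hunk's `PKG_CONFIG_PATH=…` argument to `./configure`, where a comment saying it replaces the old explicit `protobuf_LIBS`/`protobuf_CFLAGS` would help.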
@@ -1,6 +1,8 @@ homepage: "https://github.com/protobuf-c/protobuf-c" language: c primary_contact: "guidovranken@gmail.com" +auto_ccs: + - "ilya.lipnitskiy@gmail.com" sanitizers: - address - memory @@ -8,3 +10,4 @@ architectures: - x86_64 - i386 main_repo: 'https://github.com/protobuf-c/protobuf-c.git' +coverage_extra_args: -ignore-filename-regex=.*/protobuf-install/.* diff --git a/projects/qemu/Dockerfile b/projects/qemu/Dockerfile index baf4d470e..779fc39a4 100644 --- a/projects/qemu/Dockerfile +++ b/projects/qemu/Dockerfile @@ -16,7 +16,8 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y make autoconf automake libtool \ - libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev patchelf wget + libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev patchelf wget \ + libattr1 libattr1-dev libcap-ng-dev # Ninja in the apt repos is too old. Get it directly from github RUN wget https://github.com/ninja-build/ninja/releases/latest/download/ninja-linux.zip \ && unzip ninja-linux.zip \ diff --git a/projects/qemu/project.yaml b/projects/qemu/project.yaml index 87a372101..09748302c 100644 --- a/projects/qemu/project.yaml +++ b/projects/qemu/project.yaml @@ -12,7 +12,6 @@ sanitizers: - undefined fuzzing_engines: - libfuzzer - - honggfuzz architectures: - x86_64 main_repo: 'https://git.qemu.org/git/qemu.git' diff --git a/projects/qt/Dockerfile b/projects/qt/Dockerfile index db47bedff..4d5e91df2 100644 --- a/projects/qt/Dockerfile +++ b/projects/qt/Dockerfile 
@@ -15,7 +15,11 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN apt-get update && apt-get install -y ninja-build +RUN apt-get update && apt-get install -y ninja-build libc6-dev:i386 +RUN git clone --depth 1 https://github.com/AFLplusplus/AFLplusplus.git myaflplusplus && \ + cp -r myaflplusplus/dictionaries afldictionaries && \ + cp -r myaflplusplus/testcases afltestcases && \ + rm -rf myaflplusplus RUN git clone --branch dev --depth 1 --shallow-submodules \ --recurse-submodules=qtbase \ --recurse-submodules=qtsvg \ diff --git a/projects/qt/project.yaml b/projects/qt/project.yaml index d76402977..941006709 100644 --- a/projects/qt/project.yaml +++ b/projects/qt/project.yaml @@ -5,4 +5,5 @@ auto_ccs: - "shawn.t.rutledge@gmail.com" architectures: - x86_64 + - i386 main_repo: 'git://code.qt.io/qt/qt5.git' diff --git a/projects/quic-go/Dockerfile b/projects/quic-go/Dockerfile index f9889e3fc..9ee792c23 100644 --- a/projects/quic-go/Dockerfile +++ b/projects/quic-go/Dockerfile @@ -16,12 +16,12 @@ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get -u -d github.com/marten-seemann/qpack/ && \ - cd /root/go/src/github.com/marten-seemann/qpack && \ +RUN git clone --depth 1 https://github.com/marten-seemann/qpack/ && \ + cd qpack && \ go build -RUN go get -u -d github.com/lucas-clemente/quic-go/ && \ - cd /root/go/src/github.com/lucas-clemente/quic-go && \ +RUN git clone --depth 1 https://github.com/lucas-clemente/quic-go/ && \ + cd quic-go && \ go build COPY build.sh . diff --git a/projects/quic-go/build.sh b/projects/quic-go/build.sh index 6be3fae66..4ed3b62d0 100644 --- a/projects/quic-go/build.sh +++ b/projects/quic-go/build.sh 
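Review bot: The AFL++ checkout that supplies `afldictionaries` and `afltestcases` is cloned from the default branch with no tag or commit, so the seed material baked into the image changes between builds and nothing records which version a given fuzzing run used; pinning with `--branch <tag-placeholder>` or at least noting the expected version in a comment would make the image reproducible. `libc6-dev:i386` also presupposes that the i386 architecture is already enabled for apt in the base image — if base-builder does not do that, the install needs `dpkg --add-architecture i386 && apt-get update` first; worth confirming rather than relying on the build happening to pass.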
@@ -17,11 +17,14 @@ set -ex - - +( +cd qpack # Fuzz qpack compile_go_fuzzer github.com/marten-seemann/qpack/fuzzing Fuzz qpack_fuzzer +) +( +cd quic-go # Fuzz quic-go compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/frames Fuzz frame_fuzzer compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/header Fuzz header_fuzzer @@ -29,13 +32,18 @@ compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/transportparameters compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/tokens Fuzz token_fuzzer compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/handshake Fuzz handshake_fuzzer +if [ $SANITIZER == "coverage" ]; then + # no need for corpuses if coverage + exit 0 +fi # generate seed corpora -go generate $GOPATH/src/github.com/lucas-clemente/quic-go/fuzzing/... +go generate ./fuzzing/... -zip --quiet -r $OUT/header_fuzzer_seed_corpus.zip $GOPATH/src/github.com/lucas-clemente/quic-go/fuzzing/header/corpus -zip --quiet -r $OUT/frame_fuzzer_seed_corpus.zip $GOPATH/src/github.com/lucas-clemente/quic-go/fuzzing/frames/corpus -zip --quiet -r $OUT/transportparameter_fuzzer_seed_corpus.zip $GOPATH/src/github.com/lucas-clemente/quic-go/fuzzing/transportparameters/corpus -zip --quiet -r $OUT/handshake_fuzzer_seed_corpus.zip $GOPATH/src/github.com/lucas-clemente/quic-go/fuzzing/handshake/corpus +zip --quiet -r $OUT/header_fuzzer_seed_corpus.zip fuzzing/header/corpus +zip --quiet -r $OUT/frame_fuzzer_seed_corpus.zip fuzzing/frames/corpus +zip --quiet -r $OUT/transportparameter_fuzzer_seed_corpus.zip fuzzing/transportparameters/corpus +zip --quiet -r $OUT/handshake_fuzzer_seed_corpus.zip fuzzing/handshake/corpus +) # for debugging ls -al $OUT diff --git a/projects/radon/Dockerfile b/projects/radon/Dockerfile index 9dbcd125d..fe4c6ca5d 100644 --- a/projects/radon/Dockerfile +++ b/projects/radon/Dockerfile 
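Review bot: The `exit 0` added in the coverage check runs inside the `( cd quic-go … )` subshell, so it ends only the subshell: the zip lines after it are skipped, as intended, but the script continues to `ls -al $OUT` and reads as though the whole build stops there. A comment, `# exits the subshell only; the seed-corpus zips below are skipped`, or guarding the zips with `if [ "$SANITIZER" != "coverage" ]; then … fi` would make that explicit. `$SANITIZER` should also be quoted in the test, `if [ "$SANITIZER" == "coverage" ]; then`, since an empty unquoted operand makes `[` fail with a syntax error under `set -e` rather than taking the non-coverage path.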
@@ -15,6 +15,6 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN go get github.com/radondb/radon/src/fuzz/sqlparser +RUN git clone --depth 1 https://github.com/radondb/radon COPY build.sh $SRC/ -WORKDIR $SRC/ +WORKDIR $SRC/radon diff --git a/projects/radon/build.sh b/projects/radon/build.sh index 8bbc04a9c..ffc97895e 100644 --- a/projects/radon/build.sh +++ b/projects/radon/build.sh @@ -16,4 +16,6 @@ ################################################################################ -compile_go_fuzzer github.com/radondb/radon/src/fuzz/sqlparser Fuzz fuzz +cd ./src/fuzz/sqlparser +go mod init github.com/radondb/radon/src/fuzz/sqlparser +compile_go_fuzzer . Fuzz fuzz diff --git a/projects/relic/build.sh b/projects/relic/build.sh index feda5d7c8..552b14fc6 100755 --- a/projects/relic/build.sh +++ b/projects/relic/build.sh @@ -33,7 +33,13 @@ export CXXFLAGS="$CXXFLAGS -D_LIBCPP_ENABLE_CXX17_REMOVED_AUTO_PTR" cd $SRC/relic/ mkdir build/ cd build/ -cmake .. -DCOMP="$CFLAGS" -DQUIET=on -DRAND=CALL -DSHLIB=off -DSTBIN=off -DTESTS=0 -DBENCH=0 -DALLOC=DYNAMIC +if [[ $CFLAGS = *-m32* ]] +then + export RELIC_ARCH="X86" +else + export RELIC_ARCH="X64" +fi +cmake .. -DCOMP="$CFLAGS" -DQUIET=on -DRAND=CALL -DSHLIB=off -DSTBIN=off -DTESTS=0 -DBENCH=0 -DALLOC=DYNAMIC -DARCH=$RELIC_ARCH make -j$(nproc) cd ../.. export RELIC_PATH=$(realpath relic) @@ -49,7 +55,7 @@ else fi make -j$(nproc) -export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_BOTAN" +export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_BOTAN -DCRYPTOFUZZ_BOTAN_IS_ORACLE" export LIBBOTAN_A_PATH="$SRC/botan/libbotan-3.a" export BOTAN_INCLUDE_PATH="$SRC/botan/build/include" 
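Review bot: `go mod init github.com/radondb/radon/src/fuzz/sqlparser` creates a fresh go.mod with no go.sum, so every dependency of the sqlparser fuzzer is resolved to whatever the module proxy returns at build time with no checksum pinning; if the radon checkout later ships its own go.mod at that path, the command fails instead. A comment stating why a synthetic module is needed here, plus `go mod tidy` after the init so the resolved versions are at least written down, would make the build reproducible enough to diagnose. `cd ./src/fuzz/sqlparser` also assumes the working directory is the radon checkout, which the Dockerfile hunk above sets via `WORKDIR $SRC/radon`.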
@@ -59,9 +65,10 @@ python gen_repository.py rm extra_options.h echo -n '"' >>extra_options.h echo -n '--force-module=relic ' >>extra_options.h -echo -n '--operations=BignumCalc,ECC_PrivateToPublic,ECDSA_Sign,ECDSA_Verify ' >>extra_options.h +echo -n '--operations=BignumCalc,ECC_PrivateToPublic,ECC_ValidatePubkey,ECDSA_Sign,ECDSA_Verify,Digest,HMAC,KDF_X963 ' >>extra_options.h echo -n '--curves=secp256k1,secp256r1 ' >>extra_options.h -echo -n '--digests=NULL ' >>extra_options.h +echo -n '--digests=NULL,SHA224,SHA256,SHA384,SHA512,BLAKE2S160,BLAKE2S256 ' >>extra_options.h +echo -n '--calcops=Abs,Add,Bit,ClearBit,Cmp,CmpAbs,Div,ExpMod,GCD,InvMod,IsEven,IsOdd,IsZero,Jacobi,LCM,LShift1,Mod,Mul,Neg,NumBits,RShift,SetBit,Sqr,Sqrt,Sub ' >>extra_options.h echo -n '"' >>extra_options.h cd modules/relic/ make -B -j$(nproc) diff --git a/projects/relic/project.yaml b/projects/relic/project.yaml index 823b4f934..98fb04fce 100644 --- a/projects/relic/project.yaml +++ b/projects/relic/project.yaml @@ -10,3 +10,4 @@ sanitizers: - memory architectures: - x86_64 + - i386 diff --git a/projects/rnp/build.sh b/projects/rnp/build.sh index 7e0833ce0..1bfd8aa5f 100755 --- a/projects/rnp/build.sh +++ b/projects/rnp/build.sh @@ -60,6 +60,6 @@ for f in $FUZZERS; do done mkdir -p "${OUT}/lib" -cp src/lib/librnp-0.so.0 "${OUT}/lib/" +cp src/lib/librnp.so.0 "${OUT}/lib/" cp /usr/lib/libbotan-2.so.16 "${OUT}/lib/" cp /lib/x86_64-linux-gnu/libjson-c.so.2 "${OUT}/lib/" diff --git a/projects/runc/Dockerfile b/projects/runc/Dockerfile new file mode 100644 index 000000000..78616e91e --- /dev/null +++ b/projects/runc/Dockerfile 
@@ -0,0 +1,20 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/opencontainers/runc
+COPY build.sh $SRC/
+WORKDIR $SRC/runc
diff --git a/projects/runc/build.sh b/projects/runc/build.sh
new file mode 100644
index 000000000..4f0b084d1
--- /dev/null
+++ b/projects/runc/build.sh
@@ -0,0 +1,18 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+$SRC/runc/tests/fuzzing/oss_fuzz_build.sh
diff --git a/projects/runc/project.yaml b/projects/runc/project.yaml
new file mode 100644
index 000000000..fc387c82b
--- /dev/null
+++ b/projects/runc/project.yaml
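Review bot: The runc build.sh executes `$SRC/runc/tests/fuzzing/oss_fuzz_build.sh` directly, so the build depends on the upstream file carrying the executable bit (the pcl build.sh in this same change does a `chmod +x` first for exactly that reason); `bash "$SRC/runc/tests/fuzzing/oss_fuzz_build.sh"` removes the mode dependency and quotes the path consistently with `-u` in the shebang. A comment naming where the real build logic lives, `# Fuzzer build is maintained upstream in tests/fuzzing/`, would help whoever debugs a failure here.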
@@ -0,0 +1,16 @@
+homepage: "https://github.com/opencontainers/runc"
+main_repo: "https://github.com/opencontainers/runc"
+primary_contact: "cyphar@cyphar.com"
+auto_ccs:
+ - "adam@adalogics.com"
+ - "michael@docker.com"
+ - "mpatel@redhat.com"
+ - "dqminh89@gmail.com"
+ - "h.huangqiang@huawei.com"
+ - "akihiro.suda.cz@hco.ntt.co.jp"
+ - "kolyshkin@gmail.com"
+language: go
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
diff --git a/projects/rustls/Dockerfile b/projects/rustls/Dockerfile
new file mode 100644
index 000000000..7406a474b
--- /dev/null
+++ b/projects/rustls/Dockerfile
@@ -0,0 +1,25 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y make autoconf automake libtool curl cmake python llvm-dev libclang-dev clang
+
+RUN git clone https://github.com/ctz/rustls
+
+WORKDIR $SRC
+
+COPY build.sh $SRC/
+COPY persist.rs $SRC/rustls/fuzz/fuzzers/persist.rs
diff --git a/projects/rustls/build.sh b/projects/rustls/build.sh
new file mode 100755
index 000000000..d00359e98
--- /dev/null
+++ b/projects/rustls/build.sh
@@ -0,0 +1,25 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd $SRC/rustls
+cargo fuzz build -O
+cp fuzz/target/x86_64-unknown-linux-gnu/release/client $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/deframer $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/fragment $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/hsjoiner $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/message $OUT/
+cp fuzz/target/x86_64-unknown-linux-gnu/release/server $OUT/
diff --git a/projects/rustls/persist.rs b/projects/rustls/persist.rs
new file mode 100644
index 000000000..186cd9af6
--- /dev/null
+++ b/projects/rustls/persist.rs
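Review bot: The Dockerfile copies `persist.rs` into `fuzz/fuzzers/`, but nothing in build.sh copies a `persist` binary to `$OUT`, so that target is either built and then dropped (if upstream's fuzz/Cargo.toml declares it) or ignored silently (if it does not) — either way the added fuzzer never runs. The six `cp` lines also hard-code both the target list and the target triple; a loop, `for f in client deframer fragment hsjoiner message persist server; do cp "fuzz/target/x86_64-unknown-linux-gnu/release/$f" "$OUT/"; done`, keeps the list in one place and fails loudly under `-e` if `persist` was not built. Quoting `$SRC` and `$OUT` on the `cd` and `cp` lines would match the `-u` already in the shebang.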
@@ -0,0 +1,30 @@ +// Copyright 2021 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +//limitations under the License. +// +//################################################################################ +#![no_main] +#[macro_use] extern crate libfuzzer_sys; +extern crate rustls; + +use rustls::internal::msgs::persist; +use rustls::internal::msgs::codec::{Reader, Codec}; + +fn try_type<T>(data: &[u8]) where T: Codec { + let mut rdr = Reader::init(data); + T::read(&mut rdr); +} + +fuzz_target!(|data: &[u8]| { + try_type::<persist::ServerSessionValue>(data); +}); diff --git a/projects/rustls/project.yaml b/projects/rustls/project.yaml new file mode 100644 index 000000000..73e4f27d6 --- /dev/null +++ b/projects/rustls/project.yaml @@ -0,0 +1,10 @@ +homepage: "https://github.com/ctz/rustls" +main_repo: "https://github.com/ctz/rustls" +primary_contact: "jpixton@gmail.com" +sanitizers: + - address +fuzzing_engines: + - libfuzzer +language: rust +auto_ccs: + - "david@adalogics.com" diff --git a/projects/serenity/project.yaml b/projects/serenity/project.yaml index b781d18a1..70acba02c 100644 --- a/projects/serenity/project.yaml +++ b/projects/serenity/project.yaml @@ -8,6 +8,7 @@ auto_ccs: - "luke.wilde@live.co.uk" - "bugaevc@serenityos.org" - "b.gianfo@gmail.com" + - "idan.horowitz@gmail.com" - "~awesomekling/serenityos-dev@lists.sr.ht" # Bug reports are public by default: diff --git a/projects/skia/build.sh b/projects/skia/build.sh index a8b111d42..0f6d73fb4 100644 
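Review bot: `try_type` discards the value returned by `T::read(&mut rdr)`, which is correct for a decode-must-not-panic target but reads like an accidental unused result; `let _ = T::read(&mut rdr); // a panic is the only finding; the decoded value is not needed` states the intent and silences the eventual unused-result lint. A module doc comment naming what is exercised, `//! Fuzzes decoding of rustls's persisted session values via the Codec trait.`, would help, and the license banner's `//limitations` and `//####…` lines look like a shell header pasted without the space after `//`.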
--- a/projects/skia/build.sh +++ b/projects/skia/build.sh @@ -15,12 +15,6 @@ # ################################################################################ -# afl++ CMPLOG test: -test "$FUZZING_ENGINE" = "afl" && { - export AFL_LLVM_CMPLOG=1 - touch $OUT/afl_cmplog.txt -} - # Build SwiftShader pushd third_party/externals/swiftshader/ export SWIFTSHADER_INCLUDE_PATH=$PWD/include @@ -44,13 +38,15 @@ elif [ $SANITIZER == "undefined" ]; then CMAKE_SANITIZER="SWIFTSHADER_UBSAN_DISABLED" elif [ $SANITIZER == "coverage" ]; then CMAKE_SANITIZER="SWIFTSHADER_EMIT_COVERAGE" +elif [ $SANITIZER == "thread" ]; then + CMAKE_SANITIZER="SWIFTSHADER_UBSAN_DISABLED" else exit 1 fi CFLAGS= CXXFLAGS="-stdlib=libc++" cmake .. -GNinja -DCMAKE_MAKE_PROGRAM="$SRC/depot_tools/ninja" -D$CMAKE_SANITIZER=1 $SRC/depot_tools/ninja libGLESv2 libEGL -cp libGLESv2.so libEGL.so $OUT +mv libGLESv2.so libEGL.so $OUT export SWIFTSHADER_LIB_PATH=$OUT popd @@ -104,6 +100,7 @@ $SRC/depot_tools/ninja -C out/Fuzz \ android_codec \ animated_image_decode \ api_create_ddl \ + api_ddl_threading \ api_draw_functions \ api_gradients \ api_image_filter \ @@ -113,6 +110,7 @@ $SRC/depot_tools/ninja -C out/Fuzz \ api_pathop \ api_polyutils \ api_raster_n32_canvas \ + api_regionop \ api_skparagraph \ api_svg_canvas \ image_decode \ 
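Review bot: The new `thread` branch sets `SWIFTSHADER_UBSAN_DISABLED`, the same CMake define the `undefined` branch uses, so under the thread sanitizer SwiftShader is configured exactly as for UBSan rather than with any TSan-specific setting; if that is intended (no thread-specific option exists, or the library is not interesting under TSan), a comment on the line, `# no TSan-specific option; build SwiftShader as for UBSan`, would stop the next reader from treating it as a copy-paste error. The `@@ -44` hunk sits inside an `if/elif` chain whose start is outside this hunk.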
@@ -139,25 +137,19 @@ $SRC/depot_tools/ninja -C out/Fuzz \ rm -rf $OUT/data mkdir $OUT/data -cp out/Fuzz/region_deserialize $OUT/region_deserialize +mv out/Fuzz/region_deserialize $OUT/region_deserialize -cp out/Fuzz/region_set_path $OUT/region_set_path -cp ../skia_data/region_set_path_seed_corpus.zip $OUT/region_set_path_seed_corpus.zip +mv out/Fuzz/region_set_path $OUT/region_set_path +mv ../skia_data/region_set_path_seed_corpus.zip $OUT/region_set_path_seed_corpus.zip -cp out/Fuzz/textblob_deserialize $OUT/textblob_deserialize -cp ../skia_data/textblob_deserialize_seed_corpus.zip $OUT/textblob_deserialize_seed_corpus.zip +mv out/Fuzz/textblob_deserialize $OUT/textblob_deserialize +mv ../skia_data/textblob_deserialize_seed_corpus.zip $OUT/textblob_deserialize_seed_corpus.zip -cp out/Fuzz/path_deserialize $OUT/path_deserialize -cp ../skia_data/path_deserialize_seed_corpus.zip $OUT/path_deserialize_seed_corpus.zip - -cp out/Fuzz/image_decode $OUT/image_decode -cp ../skia_data/image_decode_seed_corpus.zip $OUT/image_decode_seed_corpus.zip +mv out/Fuzz/path_deserialize $OUT/path_deserialize +mv ../skia_data/path_deserialize_seed_corpus.zip $OUT/path_deserialize_seed_corpus.zip -cp out/Fuzz/animated_image_decode $OUT/animated_image_decode -cp ../skia_data/animated_image_decode_seed_corpus.zip $OUT/animated_image_decode_seed_corpus.zip - -cp out/Fuzz/image_filter_deserialize $OUT/image_filter_deserialize -cp ../skia_data/image_filter_deserialize_seed_corpus.zip $OUT/image_filter_deserialize_seed_corpus.zip +mv out/Fuzz/animated_image_decode $OUT/animated_image_decode +mv ../skia_data/animated_image_decode_seed_corpus.zip $OUT/animated_image_decode_seed_corpus.zip # Only create the width version of image_filter_deserialize if building with # libfuzzer, since it depends on a libfuzzer specific flag. 
@@ -165,87 +157,101 @@ if [ "$FUZZING_ENGINE" == "libfuzzer" ] then # Use the same binary as image_filter_deserialize. cp out/Fuzz/image_filter_deserialize $OUT/image_filter_deserialize_width - cp ../skia_data/image_filter_deserialize_width.options $OUT/image_filter_deserialize_width.options + mv ../skia_data/image_filter_deserialize_width.options $OUT/image_filter_deserialize_width.options # Use the same seed corpus as image_filter_deserialize. cp ../skia_data/image_filter_deserialize_seed_corpus.zip $OUT/image_filter_deserialize_width_seed_corpus.zip fi -cp out/Fuzz/api_draw_functions $OUT/api_draw_functions -cp ../skia_data/api_draw_functions_seed_corpus.zip $OUT/api_draw_functions_seed_corpus.zip +mv out/Fuzz/image_filter_deserialize $OUT/image_filter_deserialize +mv ../skia_data/image_filter_deserialize_seed_corpus.zip $OUT/image_filter_deserialize_seed_corpus.zip + +mv out/Fuzz/api_draw_functions $OUT/api_draw_functions +mv ../skia_data/api_draw_functions_seed_corpus.zip $OUT/api_draw_functions_seed_corpus.zip -cp out/Fuzz/api_gradients $OUT/api_gradients -cp ../skia_data/api_gradients_seed_corpus.zip $OUT/api_gradients_seed_corpus.zip +mv out/Fuzz/api_gradients $OUT/api_gradients +mv ../skia_data/api_gradients_seed_corpus.zip $OUT/api_gradients_seed_corpus.zip -cp out/Fuzz/api_path_measure $OUT/api_path_measure -cp ../skia_data/api_path_measure_seed_corpus.zip $OUT/api_path_measure_seed_corpus.zip +mv out/Fuzz/api_path_measure $OUT/api_path_measure +mv ../skia_data/api_path_measure_seed_corpus.zip $OUT/api_path_measure_seed_corpus.zip -cp out/Fuzz/api_pathop $OUT/api_pathop -cp ../skia_data/api_pathop_seed_corpus.zip $OUT/api_pathop_seed_corpus.zip +mv out/Fuzz/api_pathop $OUT/api_pathop +mv ../skia_data/api_pathop_seed_corpus.zip $OUT/api_pathop_seed_corpus.zip -cp out/Fuzz/png_encoder $OUT/png_encoder +# These 3 use the same corpus. 
+mv out/Fuzz/png_encoder $OUT/png_encoder cp ../skia_data/encoder_seed_corpus.zip $OUT/png_encoder_seed_corpus.zip -cp out/Fuzz/jpeg_encoder $OUT/jpeg_encoder +mv out/Fuzz/jpeg_encoder $OUT/jpeg_encoder cp ../skia_data/encoder_seed_corpus.zip $OUT/jpeg_encoder_seed_corpus.zip -cp out/Fuzz/webp_encoder $OUT/webp_encoder -cp ../skia_data/encoder_seed_corpus.zip $OUT/webp_encoder_seed_corpus.zip +mv out/Fuzz/webp_encoder $OUT/webp_encoder +mv ../skia_data/encoder_seed_corpus.zip $OUT/webp_encoder_seed_corpus.zip -cp out/Fuzz/skottie_json $OUT/skottie_json -cp ../skia_data/skottie_json_seed_corpus.zip $OUT/skottie_json_seed_corpus.zip +mv out/Fuzz/skottie_json $OUT/skottie_json +mv ../skia_data/skottie_json_seed_corpus.zip $OUT/skottie_json_seed_corpus.zip -cp out/Fuzz/skjson $OUT/skjson -cp ../skia_data/json.dict $OUT/skjson.dict -cp ../skia_data/skjson_seed_corpus.zip $OUT/skjson_seed_corpus.zip +mv out/Fuzz/skjson $OUT/skjson +mv ../skia_data/json.dict $OUT/skjson.dict +mv ../skia_data/skjson_seed_corpus.zip $OUT/skjson_seed_corpus.zip -cp out/Fuzz/api_mock_gpu_canvas $OUT/api_mock_gpu_canvas +# These 4 use the same canvas_seed_corpus. 
+mv out/Fuzz/api_mock_gpu_canvas $OUT/api_mock_gpu_canvas cp ../skia_data/canvas_seed_corpus.zip $OUT/api_mock_gpu_canvas_seed_corpus.zip -cp out/Fuzz/api_raster_n32_canvas $OUT/api_raster_n32_canvas +mv out/Fuzz/api_raster_n32_canvas $OUT/api_raster_n32_canvas cp ../skia_data/canvas_seed_corpus.zip $OUT/api_raster_n32_canvas_seed_corpus.zip -cp out/Fuzz/api_image_filter $OUT/api_image_filter -cp ../skia_data/api_image_filter_seed_corpus.zip $OUT/api_image_filter_seed_corpus.zip +mv out/Fuzz/api_svg_canvas $OUT/api_svg_canvas +cp ../skia_data/canvas_seed_corpus.zip $OUT/api_svg_canvas_seed_corpus.zip -cp out/Fuzz/api_null_canvas $OUT/api_null_canvas -cp ../skia_data/canvas_seed_corpus.zip $OUT/api_null_canvas_seed_corpus.zip +mv out/Fuzz/api_null_canvas $OUT/api_null_canvas +mv ../skia_data/canvas_seed_corpus.zip $OUT/api_null_canvas_seed_corpus.zip -cp out/Fuzz/api_polyutils $OUT/api_polyutils -cp ../skia_data/api_polyutils_seed_corpus.zip $OUT/api_polyutils_seed_corpus.zip +mv out/Fuzz/api_image_filter $OUT/api_image_filter +mv ../skia_data/api_image_filter_seed_corpus.zip $OUT/api_image_filter_seed_corpus.zip -# These 2 can use the same corpus as the (non animated) image_decode. -cp out/Fuzz/android_codec $OUT/android_codec +mv out/Fuzz/api_polyutils $OUT/api_polyutils +mv ../skia_data/api_polyutils_seed_corpus.zip $OUT/api_polyutils_seed_corpus.zip + +# These 3 use the same corpus. +mv out/Fuzz/image_decode $OUT/image_decode +cp ../skia_data/image_decode_seed_corpus.zip $OUT/image_decode_seed_corpus.zip + +mv out/Fuzz/android_codec $OUT/android_codec cp ../skia_data/image_decode_seed_corpus.zip $OUT/android_codec_seed_corpus.zip. 
-cp out/Fuzz/image_decode_incremental $OUT/image_decode_incremental
-cp ../skia_data/image_decode_seed_corpus.zip $OUT/image_decode_incremental_seed_corpus.zip
+mv out/Fuzz/image_decode_incremental $OUT/image_decode_incremental
+mv ../skia_data/image_decode_seed_corpus.zip $OUT/image_decode_incremental_seed_corpus.zip
-cp out/Fuzz/sksl2glsl $OUT/sksl2glsl
+# These 4 use the same sksl_seed_corpus.
+mv out/Fuzz/sksl2glsl $OUT/sksl2glsl
 cp ../skia_data/sksl_seed_corpus.zip $OUT/sksl2glsl_seed_corpus.zip
-cp out/Fuzz/sksl2spirv $OUT/sksl2spirv
+mv out/Fuzz/sksl2spirv $OUT/sksl2spirv
 cp ../skia_data/sksl_seed_corpus.zip $OUT/sksl2spirv_seed_corpus.zip
-cp out/Fuzz/sksl2metal $OUT/sksl2metal
+mv out/Fuzz/sksl2metal $OUT/sksl2metal
 cp ../skia_data/sksl_seed_corpus.zip $OUT/sksl2metal_seed_corpus.zip
-cp out/Fuzz/sksl2pipeline $OUT/sksl2pipeline
-cp ../skia_data/sksl_seed_corpus.zip $OUT/sksl2pipeline_seed_corpus.zip
+mv out/Fuzz/sksl2pipeline $OUT/sksl2pipeline
+mv ../skia_data/sksl_seed_corpus.zip $OUT/sksl2pipeline_seed_corpus.zip
-cp out/Fuzz/skdescriptor_deserialize $OUT/skdescriptor_deserialize
+mv out/Fuzz/skdescriptor_deserialize $OUT/skdescriptor_deserialize
-cp out/Fuzz/svg_dom $OUT/svg_dom
-cp ../skia_data/svg_dom_seed_corpus.zip $OUT/svg_dom_seed_corpus.zip
+mv out/Fuzz/svg_dom $OUT/svg_dom
+mv ../skia_data/svg_dom_seed_corpus.zip $OUT/svg_dom_seed_corpus.zip
-cp out/Fuzz/api_svg_canvas $OUT/api_svg_canvas
-cp ../skia_data/canvas_seed_corpus.zip $OUT/api_svg_canvas_seed_corpus.zip
-cp out/Fuzz/skruntimeeffect $OUT/skruntimeeffect
-cp ../skia_data/sksl_with_256_padding_seed_corpus.zip $OUT/skruntimeeffect_seed_corpus.zip
+mv out/Fuzz/skruntimeeffect $OUT/skruntimeeffect
+mv ../skia_data/sksl_with_256_padding_seed_corpus.zip $OUT/skruntimeeffect_seed_corpus.zip
+
+mv out/Fuzz/api_create_ddl $OUT/api_create_ddl
+
+mv out/Fuzz/api_ddl_threading $OUT/api_ddl_threading
-cp out/Fuzz/api_create_ddl $OUT/api_create_ddl
+mv out/Fuzz/skp $OUT/skp
+mv ../skia_data/skp_seed_corpus.zip $OUT/skp_seed_corpus.zip
-cp out/Fuzz/skp $OUT/skp
-cp ../skia_data/skp_seed_corpus.zip $OUT/skp_seed_corpus.zip
+mv out/Fuzz/api_skparagraph $OUT/api_skparagraph
-cp out/Fuzz/api_skparagraph $OUT/api_skparagraph
+mv out/Fuzz/api_regionop $OUT/api_regionop
diff --git a/projects/snappy/project.yaml b/projects/snappy/project.yaml
index da83622ff..6e5338a44 100644
--- a/projects/snappy/project.yaml
+++ b/projects/snappy/project.yaml
@@ -3,8 +3,9 @@ language: c++
 primary_contact: "costan@google.com"
 auto_ccs:
 - "Adam@adalogics.com"
-sanitizers:
- - address
 fuzzing_engines:
 - libfuzzer
+ - afl
+sanitizers:
+ - address
 main_repo: 'https://github.com/google/snappy'
diff --git a/projects/sound-open-firmware/project.yaml b/projects/sound-open-firmware/project.yaml
index dbef99ac5..4065def34 100644
--- a/projects/sound-open-firmware/project.yaml
+++ b/projects/sound-open-firmware/project.yaml
@@ -3,7 +3,4 @@ primary_contact: "cujomalainey@chromium.org"
 language: c
 auto_ccs:
 - "ranjani.sridharan@intel.corp-partner.google.com"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
 main_repo: "https://github.com/thesofproject/sof"
diff --git a/projects/spidermonkey-ufi/Dockerfile b/projects/spidermonkey-ufi/Dockerfile
index bf95bdfa7..25e4d2d60 100644
--- a/projects/spidermonkey-ufi/Dockerfile
+++ b/projects/spidermonkey-ufi/Dockerfile
@@ -19,7 +19,12 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 autoconf2.13 \
 python \
 libc++1 \
- libc++abi1
+ libc++abi1 \
+ m4
+
+# This wrapper of cargo seems to interfere with our build system.
+RUN rm -f /usr/local/bin/cargo
+
 RUN git clone --depth=1 https://github.com/mozilla/gecko-dev mozilla-central
 WORKDIR mozilla-central/js/src/
 COPY build.sh target.c $SRC/
diff --git a/projects/spidermonkey-ufi/build.sh b/projects/spidermonkey-ufi/build.sh
index 31c5b9535..9f703305c 100755
--- a/projects/spidermonkey-ufi/build.sh
+++ b/projects/spidermonkey-ufi/build.sh
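Review bot: `RUN rm -f /usr/local/bin/cargo` deletes a file the base image ships without recording what it does or what is lost; in base-builder that path is, as far as I know, a wrapper that injects the sanitizer and coverage flags into Rust builds, so the Rust parts of SpiderMonkey are presumably compiled uninstrumented once it is gone. The comment should state that trade-off instead of "seems to interfere", e.g. `# base-builder's cargo wrapper (which adds sanitizer flags to Rust builds) breaks the mach build; Rust code is therefore built uninstrumented.`, and ideally name the failure it works around so the removal can be revisited.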
@@ -23,7 +23,7 @@ FUZZ_TARGETS=(
 # Install dependencies.
 export SHELL=/bin/bash
-../../mach bootstrap --no-interactive --application-choice browser
+../../mach --no-interactive bootstrap --application-choice browser
 autoconf2.13
diff --git a/projects/spidermonkey/Dockerfile b/projects/spidermonkey/Dockerfile
index 91c8332aa..9c74dce54 100644
--- a/projects/spidermonkey/Dockerfile
+++ b/projects/spidermonkey/Dockerfile
@@ -19,9 +19,13 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
 autoconf2.13 \
 libc++1 \
 libc++abi1 \
+ m4 \
 yasm \
 python
+
+# This wrapper of cargo seems to interfere with our build system.
+RUN rm -f /usr/local/bin/cargo
+
 RUN git clone --depth=1 https://github.com/mozilla/gecko-dev mozilla-central
 WORKDIR mozilla-central/js/src/
 COPY build.sh $SRC/
diff --git a/projects/spidermonkey/build.sh b/projects/spidermonkey/build.sh
index d5f34b80f..bf2e03bfc 100755
--- a/projects/spidermonkey/build.sh
+++ b/projects/spidermonkey/build.sh
@@ -17,7 +17,7 @@
 # Install dependencies.
 export SHELL=/bin/bash
-../../mach bootstrap --no-interactive --application-choice browser
+../../mach --no-interactive bootstrap --application-choice browser
 autoconf2.13
diff --git a/projects/spotify-json/Dockerfile b/projects/spotify-json/Dockerfile
new file mode 100755
index 000000000..b39e5f998
--- /dev/null
+++ b/projects/spotify-json/Dockerfile
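Review bot: The same `RUN rm -f /usr/local/bin/cargo` as in the spidermonkey-ufi image is added here with a comment that says the wrapper "seems to interfere" but not what the wrapper is for; if it is base-builder's cargo wrapper that applies the sanitizer/coverage flags to Rust code, deleting it silently drops instrumentation for the Rust parts of the engine. Say so in the comment, e.g. `# Remove base-builder's cargo wrapper (it breaks mach); Rust code is built without the sanitizer flags it would inject.`, so both Dockerfiles carry the same rationale when one of them is revisited.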
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone https://github.com/spotify/spotify-json
+
+WORKDIR $SRC/spotify-json
+COPY build.sh $SRC/
diff --git a/projects/spotify-json/build.sh b/projects/spotify-json/build.sh
new file mode 100755
index 000000000..9d1506168
--- /dev/null
+++ b/projects/spotify-json/build.sh
@@ -0,0 +1,24 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+mkdir build && cd build
+cmake -DSPOTIFY_JSON_BUILD_TESTS=OFF ../
+make
+
+$CXX $CXXFLAGS $LIB_FUZZING_ENGINE ../fuzzers//fuzz_decode.cpp \
+ -I../include -I../vendor/double-conversion \
+ ./libspotify-json.a ./vendor/double-conversion/libdouble-conversion.a -lpthread -o $OUT/fuzz_decode
diff --git a/projects/spotify-json/project.yaml b/projects/spotify-json/project.yaml
new file mode 100755
index 000000000..134dd78bf
--- /dev/null
+++ b/projects/spotify-json/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://github.com/spotify/spotify-json"
+main_repo: 'https://github.com/spotify/spotify-json'
+primary_contact: "johanl@spotify.com"
+language: c++
+auto_ccs:
+ - "david@adalogics.com"
diff --git a/projects/sudoers/build.sh b/projects/sudoers/build.sh
index 635739454..905450cb4 100755
--- a/projects/sudoers/build.sh
+++ b/projects/sudoers/build.sh
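Review bot: The source path `../fuzzers//fuzz_decode.cpp` has a doubled slash; the compiler does not mind, but it reads like a typo and will be carried verbatim into debug info and symbolized stack traces, so `../fuzzers/fuzz_decode.cpp`. `make` builds the library single-threaded while every other build.sh in this change uses `make -j$(nproc)`. A small robustness point: under `-eu` the script aborts if `build/` already exists from a previous run in the same container, so `mkdir -p build && cd build` makes it re-runnable.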
@@ -18,67 +18,22 @@
 # Debugging env
 env
-# Move ASAN-specific flags into ASAN_CFLAGS and ASAN_LDFLAGS
-# That way they don't affect configure but will get used when building.
+# Some of the sanitizer flags cause issues with configure tests.
+# Pull them out of CFLAGS and pass them to configure instead.
 if [ $SANITIZER == "coverage" ]; then
- export ASAN_CFLAGS="$COVERAGE_FLAGS"
- export ASAN_LDFLAGS="$COVERAGE_FLAGS"
 CFLAGS="`echo \"$CFLAGS\" | sed \"s/ $COVERAGE_FLAGS//\"`"
+ sanitizer_opts="$COVERAGE_FLAGS"
 else
- export ASAN_CFLAGS="$SANITIZER_FLAGS"
- export ASAN_LDFLAGS="$SANITIZER_FLAGS"
 CFLAGS="`echo \"$CFLAGS\" | sed \"s/ $SANITIZER_FLAGS//\"`"
+ sanitizer_opts="$SANITIZER_FLAGS"
 fi
-
-# Build sudo with static libs for simpler fuzzing
-./configure --enable-static-sudoers --enable-static --disable-shared-libutil \
- --disable-leaks --enable-warnings --enable-werror
-make -j$(nproc)
-
-# Fuzz I/O log JSON parser
-cd lib/iolog
-$CC $CFLAGS $ASAN_CFLAGS -c -I../../include -I../.. -I. \
- regress/fuzz/fuzz_iolog_json.c
-$CXX $CXXFLAGS $LIB_FUZZING_ENGINE -o $OUT/fuzz_iolog_json \
- fuzz_iolog_json.o .libs/libsudo_iolog.a \
- ../eventlog/.libs/libsudo_eventlog.a ../util/.libs/libsudo_util.a
-
-# Corpus for fuzzing I/O log JSON parser
-mkdir $WORK/corpus
-for f in `find regress/iolog_json -name '*.in'`; do
- cp $f $WORK/corpus/`sha1sum $f | cut -d' ' -f1`
-done
-zip -j $OUT/fuzz_iolog_json_seed_corpus.zip $WORK/corpus/*
-rm -rf $WORK/corpus
-
-# Fuzz sudoers parser
-cd ../../plugins/sudoers
-$CC $CFLAGS $ASAN_CFLAGS -c -I../../include -I../.. -I. \
- regress/fuzz/fuzz_sudoers.c
-$CXX $CXXFLAGS $LIB_FUZZING_ENGINE -o $OUT/fuzz_sudoers \
- fuzz_sudoers.o locale.o stubs.o sudo_printf.o \
- .libs/libparsesudoers.a ../../lib/util/.libs/libsudo_util.a
-
-# Corpus for fuzzing sudoers parser
-mkdir $WORK/corpus
-for f in sudoers `find regress/sudoers -name '*.in'`; do
- cp $f $WORK/corpus/`sha1sum $f | cut -d' ' -f1`
-done
-zip -j $OUT/fuzz_sudoers_seed_corpus.zip $WORK/corpus/*
-rm -rf $WORK/corpus
-
-# Fuzz sudoers LDIF parser (used by cvtsudoers)
-cd ../../plugins/sudoers
-$CC $CFLAGS $ASAN_CFLAGS -c -I../../include -I../.. -I. \
- regress/fuzz/fuzz_sudoers_ldif.c
-$CXX $CXXFLAGS $LIB_FUZZING_ENGINE -o $OUT/fuzz_sudoers_ldif \
- fuzz_sudoers_ldif.o parse_ldif.o ldap_util.o fmtsudoers.o locale.o stubs.o \
- sudo_printf.o .libs/libparsesudoers.a ../../lib/util/.libs/libsudo_util.a
-
-# Corpus for fuzzing sudoers LDIF parser
-mkdir $WORK/corpus
-for f in `find regress/sudoers -name '*.ldif.ok' \! -size 0`; do
- cp $f $WORK/corpus/`sha1sum $f | cut -d' ' -f1`
-done
-zip -j $OUT/fuzz_sudoers_ldif_seed_corpus.zip $WORK/corpus/*
-rm -rf $WORK/corpus
+# This is already added by --enable-fuzzer
+CFLAGS="`echo \"$CFLAGS\" | sed \"s/ -fsanitize=fuzzer-no-link//\"`"
+
+# Build sudo with static libs and enable fuzzing targets.
+# All fuzz targets are integrated into the build process.
+./configure --disable-shared --disable-shared-libutil --enable-static-sudoers \
+ --enable-sanitizer="$sanitizer_opts" --enable-fuzzer \
+ --enable-fuzzer-engine="$LIB_FUZZING_ENGINE" --enable-fuzzer-linker="$CXX" \
+ --enable-warnings --enable-werror
+make -j$(nproc) && make FUZZ_DESTDIR=$OUT install-fuzzer
diff --git a/projects/suricata/Dockerfile b/projects/suricata/Dockerfile
index 40352073f..257e7fb04 100644
--- a/projects/suricata/Dockerfile
+++ b/projects/suricata/Dockerfile
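Review bot: The three seed corpora the old script zipped from `regress/iolog_json`, `regress/sudoers` and the `*.ldif.ok` files are no longer produced here, and nothing in the hunk shows `make FUZZ_DESTDIR=$OUT install-fuzzer` installing them; if sudo's `install-fuzzer` target now ships the corpora (and any dictionaries), the comment above `./configure` should say so, e.g. `# install-fuzzer installs the fuzz targets and their seed corpora into $OUT.`, otherwise the targets silently lose their seeds. A second point: each `sed "s/ $X//"` assumes the flag string occurs exactly once with a leading space; when it does not match (a SANITIZER value whose flags were never in CFLAGS) the strip is a silent no-op and the same flags reach configure twice, once through CFLAGS and once through `--enable-sanitizer`, which is exactly the situation the new comment says breaks the configure tests.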
@@ -15,13 +15,14 @@
 ################################################################################
 FROM gcr.io/oss-fuzz-base/base-builder
-RUN apt-get update && apt-get install -y build-essential autoconf automake libtool make pkg-config python flex bison zlib1g-dev libpcre3-dev
+RUN apt-get update && apt-get install -y build-essential autoconf automake libtool make pkg-config python flex bison zlib1g-dev libpcre3-dev libpcre2-dev cmake tshark
 #TODO libmagic, liblzma, pcre and other optional libraries
 ADD https://www.tcpdump.org/release/libpcap-1.9.1.tar.gz libpcap-1.9.1.tar.gz
 ADD http://www.digip.org/jansson/releases/jansson-2.12.tar.gz jansson-2.12.tar.gz
 RUN git clone --depth=1 https://github.com/yaml/libyaml
 ADD https://github.com/lz4/lz4/archive/v1.9.2.tar.gz lz4-1.9.2.tar.gz
+RUN git clone --depth=1 https://github.com/catenacyber/fuzzpcap
 ADD https://rules.emergingthreats.net/open/suricata/emerging.rules.zip emerging.rules.zip
diff --git a/projects/suricata/build.sh b/projects/suricata/build.sh
index d0e152d8b..18f228047 100755
--- a/projects/suricata/build.sh
+++ b/projects/suricata/build.sh
@@ -37,6 +37,13 @@ make -j$(nproc)
 make install
 cd ..
+cd fuzzpcap
+mkdir build
+cd build
+cmake ..
+make install
+cd ../..
+
 cd libyaml
 ./bootstrap
 ./configure --disable-shared
@@ -52,8 +59,12 @@ mv libhtp suricata/
 cd suricata
 sh autogen.sh
 #run configure with right options
+if [ "$SANITIZER" = "address" ]
+then
+ export RUSTFLAGS="$RUSTFLAGS -Cpasses=sancov -Cllvm-args=-sanitizer-coverage-level=4 -Cllvm-args=-sanitizer-coverage-trace-compares -Cllvm-args=-sanitizer-coverage-inline-8bit-counters -Cllvm-args=-sanitizer-coverage-trace-geps -Cllvm-args=-sanitizer-coverage-prune-blocks=0 -Cllvm-args=-sanitizer-coverage-pc-table -Clink-dead-code -Cllvm-args=-sanitizer-coverage-stack-depth"
+fi
 ./src/tests/fuzz/oss-fuzz-configure.sh
-make
+make -j$(nproc)
 cp src/fuzz_* $OUT/
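Review bot: `export RUSTFLAGS="$RUSTFLAGS -Cpasses=sancov ..."` expands `RUSTFLAGS` unconditionally; if the image does not already export it and this script runs under `set -u` like the other build.sh files in this change, the build aborts right before configure, so `"${RUSTFLAGS:-} -Cpasses=sancov ..."` is the safe form. The sancov flags are also applied only when `$SANITIZER` is `address`, so under any other sanitizer the Rust parsers get no coverage feedback and libFuzzer explores them blind; if that is deliberate, a comment such as `# Rust coverage instrumentation is only wired up for ASan builds; other sanitizer builds fuzz the Rust code without feedback.` will stop someone from "fixing" it later. The configure sequence this sits in continues outside the hunk.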
@@ -90,3 +101,13 @@ cat $t/*.rules > corpus/$i || true; echo -ne '\0' >> corpus/$i; cat $t/*.pcap >>
 done
 set -x
 zip -q -r $OUT/fuzz_sigpcap_seed_corpus.zip corpus
+rm -Rf corpus
+mkdir corpus
+set +x
+ls | grep -v corpus | while read t; do
+cat $t/*.rules > corpus/$i || true; echo -ne '\0' >> corpus/$i; fpc_bin $t/*.pcap >> corpus/$i || rm corpus/$i; i=$((i+1));
+echo -ne '\0' >> corpus/$i; python3 $SRC/fuzzpcap/tcptofpc.py $t/*.pcap >> corpus/$i || rm corpus/$i; i=$((i+1));
+done
+set -x
+zip -q -r $OUT/fuzz_sigpcap_aware_seed_corpus.zip corpus
+echo "\"FPC0\"" > $OUT/fuzz_sigpcap_aware.dict
diff --git a/projects/systemd/Dockerfile b/projects/systemd/Dockerfile
index ee351edf6..0705c568a 100644
--- a/projects/systemd/Dockerfile
+++ b/projects/systemd/Dockerfile
@@ -19,7 +19,7 @@ RUN apt-get update &&\
 apt-get install -y gperf m4 gettext python3-pip \
 libcap-dev libmount-dev libkmod-dev \
 pkg-config wget &&\
- pip3 install meson ninja
+ pip3 install meson==0.56.2 ninja
 RUN git clone --depth 1 https://github.com/systemd/systemd systemd
 WORKDIR systemd
 COPY build.sh $SRC/
diff --git a/projects/syzkaller/Dockerfile b/projects/syzkaller/Dockerfile
index 142313f35..fdef5b4be 100644
--- a/projects/syzkaller/Dockerfile
+++ b/projects/syzkaller/Dockerfile
@@ -16,11 +16,7 @@
 FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get -u -d github.com/google/syzkaller/prog
+RUN git clone --depth 1 https://github.com/google/syzkaller/
-# Dependency for one of the fuzz targets.
-# Note: this should not be necessary because this package is in syzkaller/vendor.
-RUN go get github.com/ianlancetaylor/demangle
-
-WORKDIR /root/go/src/github.com/google/syzkaller
+WORKDIR $SRC/syzkaller
 COPY build.sh $SRC/
diff --git a/projects/syzkaller/build.sh b/projects/syzkaller/build.sh
index e47096bb8..0e98093f0 100755
--- a/projects/syzkaller/build.sh
+++ b/projects/syzkaller/build.sh
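Review bot: The second corpus entry written in the new loop body starts with a bare NUL byte followed by the `tcptofpc.py` output and has no `$t/*.rules` prefix, whereas the entry just before it (and the loop above this hunk) writes `rules\0payload`; if fuzz_sigpcap_aware parses the same layout, that entry carries an empty rule set. If that is deliberate (a no-rules variant of each capture), a one-line comment saying so would keep it from being "fixed"; otherwise prepend the rules the same way: `cat $t/*.rules > corpus/$i || true; echo -ne '\0' >> corpus/$i; python3 $SRC/fuzzpcap/tcptofpc.py $t/*.pcap >> corpus/$i || rm corpus/$i; i=$((i+1));`. Note also that `|| rm corpus/$i` discards the partial file but `i` is still advanced, which is fine since names need not be contiguous.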
@@ -18,6 +18,9 @@ make descriptions
+
+go mod tidy && go mod vendor
+
 compile_go_fuzzer github.com/google/syzkaller/pkg/compiler Fuzz compiler_fuzzer
 compile_go_fuzzer github.com/google/syzkaller/prog/test FuzzDeserialize prog_deserialize_fuzzer
 compile_go_fuzzer github.com/google/syzkaller/prog/test FuzzParseLog prog_parselog_fuzzer
diff --git a/projects/tarantool/Dockerfile b/projects/tarantool/Dockerfile
new file mode 100644
index 000000000..7a40b0f6b
--- /dev/null
+++ b/projects/tarantool/Dockerfile
@@ -0,0 +1,26 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y \
+ build-essential cmake make coreutils sed \
+ autoconf automake libtool zlib1g-dev \
+ libreadline-dev libncurses5-dev libssl-dev \
+ libunwind-dev libicu-dev luajit
+RUN git clone https://github.com/tarantool/tarantool
+WORKDIR tarantool
+RUN git submodule update --init --recursive
+COPY build.sh $SRC/
diff --git a/projects/tarantool/build.sh b/projects/tarantool/build.sh
new file mode 100755
index 000000000..940d88a2c
--- /dev/null
+++ b/projects/tarantool/build.sh
@@ -0,0 +1,62 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+case $SANITIZER in
+ address) SANITIZERS_ARGS="-DENABLE_ASAN=ON" ;;
+ undefined) SANITIZERS_ARGS="-DENABLE_UB_SANITIZER=ON" ;;
+ *) SANITIZERS_ARGS="" ;;
+esac
+
+: ${LD:="${CXX}"}
+: ${LDFLAGS:="${CXXFLAGS}"} # to make sure we link with sanitizer runtime
+
+cmake_args=(
+ # Specific to Tarantool
+ -DENABLE_FUZZER=ON
+ -DOSS_FUZZ=ON
+ $SANITIZERS_ARGS
+
+ # C compiler
+ -DCMAKE_C_COMPILER="${CC}"
+ -DCMAKE_C_FLAGS="${CFLAGS}"
+
+ # C++ compiler
+ -DCMAKE_CXX_COMPILER="${CXX}"
+ -DCMAKE_CXX_FLAGS="${CXXFLAGS}"
+
+ # Linker
+ -DCMAKE_LINKER="${LD}"
+ -DCMAKE_EXE_LINKER_FLAGS="${LDFLAGS}"
+ -DCMAKE_MODULE_LINKER_FLAGS="${LDFLAGS}"
+ -DCMAKE_SHARED_LINKER_FLAGS="${LDFLAGS}"
+)
+
+# Build the project and fuzzers.
+[[ -e build ]] && rm -rf build
+cmake "${cmake_args[@]}" -S . -B build
+make -j$(nproc) VERBOSE=1 -C build fuzzers
+
+# Archive and copy to $OUT seed corpus if the build succeeded.
+for f in $(ls build/test/fuzz/*_fuzzer);
+do
+ name=$(basename $f);
+ module=$(echo $name | sed 's/_fuzzer//')
+ corpus_dir="test/static/corpus/$module"
+ echo "Copying for $module";
+ cp $f $OUT/
+ [[ -e $corpus_dir ]] && zip -j $OUT/"$module"_fuzzer_seed_corpus.zip $corpus_dir/*
+done
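Review bot: The script's exit status is that of the last command in the `for` loop, `[[ -e $corpus_dir ]] && zip ...`, which returns 1 whenever the last fuzzer has no corpus directory; `bash -eu` does not abort on a failed left-hand side of `&&`, but build.sh then exits non-zero and the build is reported as failed after every fuzzer was already copied to `$OUT`. Write it as `if [[ -d "$corpus_dir" ]]; then zip -j "$OUT/${module}_fuzzer_seed_corpus.zip" "$corpus_dir"/*; fi`. Two smaller points in the same loop: `for f in $(ls build/test/fuzz/*_fuzzer)` should be the plain glob `for f in build/test/fuzz/*_fuzzer` (no `ls`, no word splitting), and `cp $f $OUT/` and `basename $f` want their arguments quoted.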
diff --git a/projects/tarantool/project.yaml b/projects/tarantool/project.yaml
new file mode 100644
index 000000000..c757a53ca
--- /dev/null
+++ b/projects/tarantool/project.yaml
@@ -0,0 +1,16 @@
+homepage: "https://www.tarantool.io/en/"
+language: c
+builds_per_day: 4
+primary_contact: "kirill.yukhin@gmail.com"
+auto_ccs:
+ - "estetus@gmail.com"
+ - "totktonada.ru@gmail.com"
+fuzzing_engines:
+ - libfuzzer
+ - honggfuzz
+sanitizers:
+ - address
+ - undefined
+architectures:
+ - x86_64
+main_repo: "https://github.com/tarantool/tarantool"
diff --git a/projects/teleport/Dockerfile b/projects/teleport/Dockerfile
index bd0658129..8ffafb3a0 100644
--- a/projects/teleport/Dockerfile
+++ b/projects/teleport/Dockerfile
@@ -15,5 +15,6 @@
 ################################################################################
 FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/gravitational/teleport.git
 COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/teleport
diff --git a/projects/teleport/build.sh b/projects/teleport/build.sh
index f5d464e85..260d47952 100644
--- a/projects/teleport/build.sh
+++ b/projects/teleport/build.sh
@@ -15,10 +15,7 @@
 #
 ################################################################################
-
-mkdir -p $GOPATH/src/github.com/gravitational
-cd $GOPATH/src/github.com/gravitational
-git clone https://github.com/gravitational/teleport.git
+make update-vendor
 compile_go_fuzzer github.com/gravitational/teleport/lib/fuzz FuzzParseProxyJump utils_fuzz gofuzz
 compile_go_fuzzer github.com/gravitational/teleport/lib/fuzz FuzzNewExpression parse_fuzz gofuzz
diff --git a/projects/tensorflow/build.sh b/projects/tensorflow/build.sh
index 8f793951d..b59e4a58b 100755
--- a/projects/tensorflow/build.sh
+++ b/projects/tensorflow/build.sh
@@ -47,8 +47,8 @@ fi
 # Determine all fuzz targets. To control what gets fuzzed with OSSFuzz, all
 # supported fuzzers are in `//tensorflow/security/fuzzing`.
-# Ignore the identity and AttrValues fuzzer in opensource.
-declare -r FUZZERS=$(bazel query 'kind(cc_.*, tests(//tensorflow/security/fuzzing/...))' | grep -v identity | grep -v AttrValues | grep -v bfloat16)
+# Ignore fuzzers tagged with `no_oss` in opensource.
+declare -r FUZZERS=$(bazel query 'kind(cc_.*, tests(//tensorflow/security/fuzzing/...)) - attr(tags, no_oss, kind(cc_.*, tests(//tensorflow/security/fuzzing/...)))')
 # Build the fuzzer targets.
 # Pass in `--config=libc++` to link against libc++.
@@ -92,7 +92,11 @@ then
 ${RSYNC_CMD} ./bazel-out/k8-opt/bin/tensorflow/core/protobuf ${REMAP_PATH}
 # Sync external dependencies. We don't need to include `bazel-tensorflow`.
+ # Also, remove `external/org_tensorflow` which is a copy of the entire source
+ # code that Bazel creates. Not removing this would cause `rsync` to expand a
+ # symlink that ends up pointing to itself!
 pushd bazel-tensorflow
+ [[ -e external/org_tensorflow ]] && unlink external/org_tensorflow
 ${RSYNC_CMD} external/ ${REMAP_PATH}
 popd
 fi
diff --git a/projects/tesseract-ocr/project.yaml b/projects/tesseract-ocr/project.yaml
index 8e22d667c..522ba2b52 100644
--- a/projects/tesseract-ocr/project.yaml
+++ b/projects/tesseract-ocr/project.yaml
@@ -1,7 +1,4 @@
 homepage: "https://github.com/tesseract-ocr/tesseract"
 language: c++
 primary_contact: "stjoweil@googlemail.com"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
 main_repo: 'https://github.com/tesseract-ocr/tesseract'
diff --git a/projects/thrift/Dockerfile b/projects/thrift/Dockerfile
new file mode 100644
index 000000000..040188316
--- /dev/null
+++ b/projects/thrift/Dockerfile
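Review bot: `[[ -e external/org_tensorflow ]]` tests the link target rather than the link: `-e` follows the symlink, so if it ever dangles or loops the test is false and the very link the comment warns about is left in place for rsync to chase. Since the intent is to drop a symlink, test for one: `[[ -L external/org_tensorflow ]] && unlink external/org_tensorflow`. The `if`/`then` block this hunk sits in starts outside the hunk.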
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y libssl-dev pkg-config autoconf automake libtool bison flex libboost-all-dev
+RUN git clone --depth 1 https://github.com/apache/thrift
+WORKDIR $SRC/thrift
+COPY build.sh $SRC/
diff --git a/projects/thrift/build.sh b/projects/thrift/build.sh
new file mode 100755
index 000000000..8194063b6
--- /dev/null
+++ b/projects/thrift/build.sh
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build project
+export ASAN_OPTIONS=detect_leaks=0
+
+./bootstrap.sh
+# rust fails compilation with clippy warnings
+./configure --with-rs=no
+make -j$(nproc)
+make install
+
+cd lib/go/test/fuzz
+thrift -r --gen go ../../../../tutorial/tutorial.thrift
+(cd ./gen-go/shared && go mod init shared)
+(cd ./gen-go/tutorial && go mod init tutorial)
+go mod tidy || true
+compile_go_fuzzer . Fuzz fuzz_go_tutorial
diff --git a/projects/thrift/project.yaml b/projects/thrift/project.yaml
new file mode 100644
index 000000000..586da66b7
--- /dev/null
+++ b/projects/thrift/project.yaml
@@ -0,0 +1,11 @@
+homepage: "https://thrift.apache.org/"
+language: c++
+primary_contact: "jensg@apache.org"
+auto_ccs :
+- "p.antoine@catenacyber.fr"
+
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+main_repo: 'https://github.com/apache/thrift'
diff --git a/projects/tidb/Dockerfile b/projects/tidb/Dockerfile
index b06a2b5e8..5c7d0fd3b 100644
--- a/projects/tidb/Dockerfile
+++ b/projects/tidb/Dockerfile
@@ -17,4 +17,4 @@
 FROM gcr.io/oss-fuzz-base/base-builder
 RUN git clone --depth 1 https://github.com/pingcap/tidb
 COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/tidb
diff --git a/projects/tidb/build.sh b/projects/tidb/build.sh
index ee6fbd35d..c11028f24 100755
--- a/projects/tidb/build.sh
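Review bot: `export ASAN_OPTIONS=detect_leaks=0` only affects processes run during this build (presumably the freshly built, sanitizer-instrumented `thrift` compiler invoked further down), not the fuzz target on the fuzzing infrastructure, and without a comment it reads as if leak detection were being disabled for the fuzzer; something like `# The thrift compiler built above is sanitizer-instrumented; don't let its own leaks abort code generation.` would settle that. Likewise `go mod tidy || true` hides a real failure: if tidy is expected to fail here (the two freshly `go mod init`-ed modules have nothing to resolve), state that reason in a comment, otherwise drop the `|| true` so a broken module setup fails loudly here rather than inside compile_go_fuzzer.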
+++ b/projects/tidb/build.sh
@@ -18,9 +18,7 @@
 # Insert empty main function
 sed -i '23 i\func main(){}'\\n $SRC/tidb/plugin/conn_ip_example/conn_ip_example.go
-mkdir $GOPATH/src/github.com/pingcap
-mv $SRC/tidb $GOPATH/src/github.com/pingcap/
-cd $GOPATH/src/github.com/pingcap/tidb && go get ./...
+go get ./...
 compile_go_fuzzer github.com/pingcap/tidb/types FuzzMarshalJSON fuzzMarshalJSON
 compile_go_fuzzer github.com/pingcap/tidb/types FuzzNewBitLiteral fuzzNewBitLiteral
diff --git a/projects/tinygltf/Dockerfile b/projects/tinygltf/Dockerfile
new file mode 100644
index 000000000..218baeb05
--- /dev/null
+++ b/projects/tinygltf/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN pip3 install meson ninja
+RUN git clone --depth 1 https://github.com/syoyo/tinygltf.git
+WORKDIR $SRC/tinygltf
+COPY build.sh $SRC/
diff --git a/projects/tinygltf/build.sh b/projects/tinygltf/build.sh
new file mode 100755
index 000000000..7c5429403
--- /dev/null
+++ b/projects/tinygltf/build.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build project
+cd tests/fuzzer/
+meson build
+cd build
+ninja -j$(nproc)
+cp fuzz_gltf $OUT/
diff --git a/projects/tinygltf/project.yaml b/projects/tinygltf/project.yaml
new file mode 100644
index 000000000..1b148734f
--- /dev/null
+++ b/projects/tinygltf/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/syoyo/tinygltf"
+language: c++
+primary_contact: "syoyo@lighttransport.com"
+auto_ccs:
+ - "p.antoine@catenacyber.fr"
+fuzzing_engines:
+- libfuzzer
+sanitizers:
+- address
+main_repo: 'https://github.com/syoyo/tinygltf.git'
diff --git a/projects/tpm2-tss/Dockerfile b/projects/tpm2-tss/Dockerfile
index 47c6c44fd..9f74c7a14 100644
--- a/projects/tpm2-tss/Dockerfile
+++ b/projects/tpm2-tss/Dockerfile
@@ -50,7 +50,8 @@ RUN apt-get update && \
 python3-pip \
 libsqlite3-dev \
 python-cryptography \
- python3-cryptography
+ python3-cryptography \
+ acl
 RUN pip3 install cpp-coveralls
diff --git a/projects/tpm2-tss/project.yaml b/projects/tpm2-tss/project.yaml
index 65b8e3c1f..04af6fe9d 100644
--- a/projects/tpm2-tss/project.yaml
+++ b/projects/tpm2-tss/project.yaml
@@ -5,6 +5,7 @@ auto_ccs:
 - "andreas.fuchs@sit.fraunhofer.de"
 - "john.s.andersen@intel.com"
 - "william.c.roberts@intel.com"
+ - "tstruk@gmail.com"
 sanitizers:
 - address
 - memory
diff --git a/projects/ujson/Dockerfile b/projects/ujson/Dockerfile
index f044df681..81550c687 100644
--- a/projects/ujson/Dockerfile
+++ b/projects/ujson/Dockerfile
@@ -25,4 +25,4 @@ RUN git clone \
 WORKDIR ultrajson
-COPY build.sh json_differential_fuzzer.py ujson_fuzzer.py $SRC/
+COPY build.sh json_differential_fuzzer.py ujson_fuzzer.py hypothesis_structured_fuzzer.py $SRC/
diff --git a/projects/unbound/build.sh b/projects/unbound/build.sh
index cd539d8e1..697e457b6 100755
--- a/projects/unbound/build.sh
+++ b/projects/unbound/build.sh
@@ -39,7 +39,7 @@ OBJECTS_TO_LINK="dns.o infra.o rrset.o dname.o \
 rbtree.o regional.o rtt.o dnstree.o lookup3.o lruhash.o slabhash.o \
 tcp_conn_limit.o timehist.o tube.o winsock_event.o autotrust.o val_anchor.o \
 validator.o val_kcache.o val_kentry.o val_neg.o val_nsec3.o val_nsec.o \
- val_secalgo.o val_sigcrypt.o val_utils.o dns64.o cachedb.o redis.o authzone.o \
+ val_secalgo.o val_sigcrypt.o val_utils.o dns64.o authzone.o \
 respip.o netevent.o listen_dnsport.o outside_network.o ub_event.o keyraw.o \
 sbuffer.o wire2str.o parse.o parseutil.o rrdef.o str2wire.o libunbound.o \
 libworker.o context.o rpz.o"
diff --git a/projects/unrar/build.sh b/projects/unrar/build.sh
index d597942c2..94696828a 100644
--- a/projects/unrar/build.sh
+++ b/projects/unrar/build.sh
@@ -19,6 +19,10 @@ UNRAR_DEFINES="-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -DRAR_SMP -DRARDLL -DS
 UNRAR_WNOS="-Wno-logical-op-parentheses -Wno-switch -Wno-dangling-else"
 UNRAR_SRC_DIR="$SRC/unrar"
+# See: https://crbug.com/oss-fuzz/19333#c3
+CFLAGS="$CFLAGS -fno-sanitize=enum"
+CXXFLAGS="$CXXFLAGS -fno-sanitize=enum"
+
 # build 'lib'. This builds libunrar.a and libunrar.so
 # -fPIC is required for successful compilation.
 make CXX=$CXX CXXFLAGS="$CXXFLAGS -fPIC $UNRAR_DEFINES $UNRAR_WNOS" \
diff --git a/projects/usbguard/project.yaml b/projects/usbguard/project.yaml
index ae1a007bf..a372cd3a6 100644
--- a/projects/usbguard/project.yaml
+++ b/projects/usbguard/project.yaml
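Review bot: `-fno-sanitize=enum` is appended to both `CFLAGS` and `CXXFLAGS`, but the `make CXX=$CXX CXXFLAGS=...` invocation that follows only passes `CXXFLAGS`; unless something later in the script compiles with `$CC $CFLAGS`, the `CFLAGS` line is dead and hints at a C build that does not exist. More importantly the comment is only a bug link: a one-line summary of what 19333#c3 found and why disabling this single UBSan check (rather than fixing the code) is the chosen answer belongs next to it, e.g. `# UBSan's enum check fires on values unrar deliberately stores in enums (crbug.com/oss-fuzz/19333#c3); disable only that check and keep the rest of UBSan.` with the wording adjusted to what the bug actually concluded. The rest of the script is outside the hunk.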
@@ -1,9 +1,12 @@
 homepage: "https://usbguard.github.io/"
 language: c++
-primary_contact: "dkopecek@redhat.com"
+primary_contact: "rsroka@redhat.com"
 sanitizers:
 - address
 - undefined
 - memory
 auto_ccs:
+ - "alakatos@redhat.com"
 - "allenwebb@google.com"
+ - "zfridric@redhat.com"
+main_repo: "https://github.com/USBGuard/usbguard"
diff --git a/projects/utf8proc/project.yaml b/projects/utf8proc/project.yaml
index 8bad63fdd..c35bcea9a 100644
--- a/projects/utf8proc/project.yaml
+++ b/projects/utf8proc/project.yaml
@@ -6,9 +6,6 @@ auto_ccs:
 sanitizers:
 - address
 - memory
- - undefined
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
+ - undefined
 main_repo: 'https://github.com/JuliaStrings/utf8proc'
diff --git a/projects/vitess/Dockerfile b/projects/vitess/Dockerfile
index 8c242c023..8f066c8ba 100644
--- a/projects/vitess/Dockerfile
+++ b/projects/vitess/Dockerfile
@@ -15,13 +15,6 @@
 ################################################################################
 FROM gcr.io/oss-fuzz-base/base-builder
-RUN go get github.com/vitessio/vitess \
- vitess.io/vitess/go/bytes2 \
- vitess.io/vitess/go/sqltypes \
- vitess.io/vitess/go/vt/log \
- vitess.io/vitess/go/vt/proto/query \
- vitess.io/vitess/go/vt/proto/vtrpc \
- vitess.io/vitess/go/vt/vterrors \
- vitess.io/vitess/go/vt/vtgate/evalengine
+RUN git clone --depth 1 https://github.com/vitessio/vitess
 COPY build.sh $SRC/
-WORKDIR $SRC/
+WORKDIR $SRC/vitess
diff --git a/projects/vitess/build.sh b/projects/vitess/build.sh
index d8e9780e5..8a085f41d 100755
--- a/projects/vitess/build.sh
+++ b/projects/vitess/build.sh
@@ -15,4 +15,5 @@
 #
 ################################################################################
-compile_go_fuzzer github.com/vitessio/vitess/go/vt/sqlparser Fuzz fuzz
+chmod +x $SRC/vitess/go/test/fuzzing/oss_fuzz_build.sh
+$SRC/vitess/go/test/fuzzing/oss_fuzz_build.sh
diff --git a/projects/vitess/project.yaml b/projects/vitess/project.yaml
index 6d20f6468..82d05297d 100644
--- a/projects/vitess/project.yaml
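Review bot: In the vitess build.sh hunk, `chmod +x` followed by a direct invocation can be a single `bash $SRC/vitess/go/test/fuzzing/oss_fuzz_build.sh`, which neither modifies the checkout nor depends on the upstream file's mode bit. More substantively, the set of fuzz targets and the steps that compile them now live in the vitess repository (the Dockerfile section above switches to `git clone --depth 1` of its default branch), so they are no longer reviewable from this project directory; a comment such as `# Fuzz targets are defined and built by vitess' own oss_fuzz_build.sh` would record that for whoever next edits project.yaml's engine or sanitizer lists.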
+++ b/projects/vitess/project.yaml
@@ -2,6 +2,10 @@ homepage: "https://github.com/vitessio/vitess"
 primary_contact: "andres@planetscale.com"
 auto_ccs :
 - "adam@adalogics.com"
+ - "team-ps-vitess@planetscale.com"
+ - "manan@planetscale.com"
+ - "harshit@planetscale.com"
+ - "florent@planetscale.com"
 language: go
 fuzzing_engines:
 - libfuzzer
diff --git a/projects/w3m/Dockerfile b/projects/w3m/Dockerfile
new file mode 100755
index 000000000..810634464
--- /dev/null
+++ b/projects/w3m/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y libgc-dev
+RUN git clone https://github.com/tats/w3m
+
+WORKDIR $SRC
+COPY build.sh $SRC/
diff --git a/projects/w3m/build.sh b/projects/w3m/build.sh
new file mode 100755
index 000000000..eccb30ccd
--- /dev/null
+++ b/projects/w3m/build.sh
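Review bot: The w3m Dockerfile is committed with `new file mode 100755`, and the w3m project.yaml in the next section carries the same executable bit; neither file is executed, so both should be added as 100644 and only build.sh kept executable. The `RUN git clone https://github.com/tats/w3m` line also omits `--depth 1`, unlike the other clones in this commit (vitess, wycheproof, ygot), which pulls the full history into the builder image for no benefit to the build.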
@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+#export CFLAGS="${CFLAGS} -"
+#export CXXFLAGS="${CXXFLAGS} -ltinfo"
+
+cd w3m
+./configure
+
+make myctype.o
+make Str.o
+make libwc
+
+cd libwc
+$CC $CFLAGS -c ../fuzz/fuzz-conv.c -o fuzz_conv.o -I../ -I./
+static_libgc=($(find /usr/lib -name "libgc.a"))
+$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_conv.o -o $OUT/fuzz_conv \
+ -I./libwc -DUSE_UNICODE -I. -I./.. -DHAVE_CONFIG_H ../Str.o ../myctype.o libwc.a ${static_libgc}
diff --git a/projects/w3m/project.yaml b/projects/w3m/project.yaml
new file mode 100755
index 000000000..86409e7ed
--- /dev/null
+++ b/projects/w3m/project.yaml
@@ -0,0 +1,6 @@
+homepage: "https://tracker.debian.org/pkg/w3m"
+primary_contact: "tats@debian.org"
+language: c
+auto_ccs :
+ - "david@adalogics.com"
+main_repo: 'https://github.com/tats/w3m'
diff --git a/projects/wasmtime/build.sh b/projects/wasmtime/build.sh
index d302851aa..80423e376 100755
--- a/projects/wasmtime/build.sh
+++ b/projects/wasmtime/build.sh
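Review bot: The two commented-out `#export CFLAGS`/`#export CXXFLAGS` lines in the new w3m build.sh are dead code (the first is an unfinished `-` flag) and should be dropped rather than left for the next reader to guess at. `static_libgc=($(find /usr/lib -name "libgc.a"))` links every match `find` returns and, when it returns nothing, either trips this script's `-u` (older bash treats an empty array as unbound) or lets the link proceed without libgc and fail on undefined references; `static_libgc=$(find /usr/lib -name libgc.a -print -quit)` followed by `test -n "$static_libgc"` pins one archive and fails with a clear cause when the package is missing. The `-I` and `-D` options on the final `$CXX` link line have no effect at link time, since only `fuzz_conv.o` and the archives are inputs, and can go.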
@@ -26,6 +26,13 @@ build() {
 shift
 PROJECT_DIR=$SRC/$project
+ # ensure we get absolute paths for the coverage report
+ cd $PROJECT_DIR
+ crate_src_abspath=`cargo metadata --no-deps --format-version 1 | jq -r '.workspace_root'`
+ while read i; do
+ export RUSTFLAGS="$RUSTFLAGS --remap-path-prefix $i=$crate_src_abspath/$i"
+ done <<< "$(find . -name "*.rs" | cut -d/ -f2 | uniq)"
+
 cd $PROJECT_DIR/fuzz && cargo fuzz build -O --debug-assertions "$@"
 FUZZ_TARGET_OUTPUT_DIR=$PROJECT_DIR/target/x86_64-unknown-linux-gnu/release
@@ -50,10 +57,7 @@ build() {
 }
 # Build with peepmatic in order to enable the related fuzz targets.
-build wasmtime "" "" --features peepmatic-fuzzing
-
-# Build the differential fuzzer with the new x86-64 backend as well.
-build wasmtime diff-newbe- differential_wasmi --features experimental_x64
+build wasmtime "" "" --features "peepmatic-fuzzing experimental_x64"
 build wasm-tools wasm-tools- ""
 build regalloc.rs regalloc- bt bt
diff --git a/projects/wasmtime/project.yaml b/projects/wasmtime/project.yaml
index e18ebf7b4..01c7f4607 100644
--- a/projects/wasmtime/project.yaml
+++ b/projects/wasmtime/project.yaml
@@ -6,6 +6,7 @@ auto_ccs:
 - "till@tillschneidereit.net"
 - "ydelendik@mozilla.com"
 - "cfallin@gmail.com"
+ - "andrew.s.brown2@gmail.com"
 sanitizers:
 - address
 fuzzing_engines:
diff --git a/projects/wireshark/build.sh b/projects/wireshark/build.sh
index de41e0709..bdb34eb52 100755
--- a/projects/wireshark/build.sh
+++ b/projects/wireshark/build.sh
@@ -15,12 +15,6 @@
 #
 ################################################################################
-# afl++ CMPLOG test:
-test "$FUZZING_ENGINE" = "afl" && {
- export AFL_LLVM_CMPLOG=1
- touch $OUT/afl_cmplog.txt
-}
-
 WIRESHARK_BUILD_PATH="$WORK/build"
 mkdir -p "$WIRESHARK_BUILD_PATH"
diff --git a/projects/wolfssl/Dockerfile b/projects/wolfssl/Dockerfile
index 39742cc7e..963f5e0e3 100644
--- a/projects/wolfssl/Dockerfile
+++ b/projects/wolfssl/Dockerfile
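Review bot: In the first wasmtime build.sh hunk, `export RUSTFLAGS="$RUSTFLAGS --remap-path-prefix ..."` appends to an exported variable that is never reset, and the second hunk shows `build` being called three times (wasmtime, wasm-tools, regalloc.rs), so each project's remap entries leak into the next project's build, where a prefix such as `src` may point coverage paths at the wrong checkout; save the incoming value once at script top (outside this hunk) and compose `RUSTFLAGS` from it on every call. If the script runs under `-u`, `$RUSTFLAGS` also aborts the first iteration whenever the variable is absent from the environment, which `${RUSTFLAGS:-}` avoids. `uniq` only removes adjacent duplicates and `find` output is unsorted, so `sort -u` is what was meant, and `$(...)` is preferable to backticks for `crate_src_abspath`. `build()` begins before this hunk and ends in the second one.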
@@ -23,6 +23,7 @@ RUN git clone --depth 1 https://github.com/guidovranken/fuzzing-headers.git
 RUN git clone --depth 1 https://github.com/guidovranken/wolf-ssl-ssh-fuzzers
 RUN git clone --depth 1 https://github.com/guidovranken/cryptofuzz
 RUN git clone --depth 1 https://github.com/randombit/botan.git
+RUN git clone --depth 1 https://github.com/google/wycheproof.git
 RUN wget https://dl.bintray.com/boostorg/release/1.74.0/source/boost_1_74_0.tar.bz2
 RUN git clone https://github.com/wolfssl/oss-fuzz-targets --depth 1 $SRC/fuzz-targets
diff --git a/projects/wolfssl/build.sh b/projects/wolfssl/build.sh
index 850ef2c1a..70db45387 100755
--- a/projects/wolfssl/build.sh
+++ b/projects/wolfssl/build.sh
@@ -114,6 +114,55 @@ then
 unset WOLFCRYPT_LIBWOLFSSL_A_PATH
 unset WOLFCRYPT_INCLUDE_PATH
+ # Build sp-math-all 8bit fuzzer
+ cp -R $SRC/cryptofuzz/ $SRC/cryptofuzz-sp-math-all-8bit/
+ cp -R $SRC/wolfssl/ $SRC/wolfssl-sp-math-all-8bit/
+ cd $SRC/wolfssl-sp-math-all-8bit/
+ autoreconf -ivf
+ CFLAGS="$CFLAGS -DHAVE_AES_ECB -DWOLFSSL_DES_ECB -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3 -DHAVE_ECC_BRAINPOOL -DHAVE_ECC_KOBLITZ -DWOLFSSL_ECDSA_SET_K -DWOLFSSL_ECDSA_SET_K_ONE_LOOP -DSP_WORD_SIZE=8"
+ ./configure $WOLFCRYPT_CONFIGURE_PARAMS --enable-sp-math-all
+ make -j$(nproc)
+ export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_NO_OPENSSL -DCRYPTOFUZZ_WOLFCRYPT -DCRYPTOFUZZ_BOTAN"
+ export WOLFCRYPT_LIBWOLFSSL_A_PATH="$SRC/wolfssl-sp-math-all-8bit/src/.libs/libwolfssl.a"
+ export WOLFCRYPT_INCLUDE_PATH="$SRC/wolfssl-sp-math-all-8bit/"
+ cd $SRC/cryptofuzz-sp-math-all-8bit/modules/wolfcrypt
+ make -j$(nproc)
+ cd $SRC/cryptofuzz-sp-math-all-8bit/modules/botan
+ make -j$(nproc)
+ cd $SRC/cryptofuzz-sp-math-all-8bit/
+ LIBFUZZER_LINK="$LIB_FUZZING_ENGINE" make -B -j$(nproc)
+ cp cryptofuzz $OUT/cryptofuzz-sp-math-all-8bit
+ CFLAGS="$OLD_CFLAGS"
+ CXXFLAGS="$OLD_CXXFLAGS"
+ unset WOLFCRYPT_LIBWOLFSSL_A_PATH
+ unset WOLFCRYPT_INCLUDE_PATH
+
+ # Build sp-math fuzzer
+ cp -R $SRC/cryptofuzz/ $SRC/cryptofuzz-sp-math/
+ cp -R $SRC/wolfssl/ $SRC/wolfssl-sp-math/
+ cd $SRC/wolfssl-sp-math/
+ autoreconf -ivf
+ # -DHAVE_ECC_BRAINPOOL and -DHAVE_ECC_KOBLITZ are lacking from the CFLAGS; these are not supported by SP math
+ CFLAGS="$CFLAGS -DHAVE_AES_ECB -DWOLFSSL_DES_ECB -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3 -DWOLFSSL_ECDSA_SET_K -DWOLFSSL_ECDSA_SET_K_ONE_LOOP"
+ # SP math does not support custom curves, so remove that flag
+ export WOLFCRYPT_CONFIGURE_PARAMS_SP_MATH=${WOLFCRYPT_CONFIGURE_PARAMS//"--enable-ecccustcurves"/}
+ ./configure $WOLFCRYPT_CONFIGURE_PARAMS_SP_MATH --enable-sp --enable-sp-math
+ make -j$(nproc)
+ export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_NO_OPENSSL -DCRYPTOFUZZ_WOLFCRYPT -DCRYPTOFUZZ_BOTAN"
+ export WOLFCRYPT_LIBWOLFSSL_A_PATH="$SRC/wolfssl-sp-math/src/.libs/libwolfssl.a"
+ export WOLFCRYPT_INCLUDE_PATH="$SRC/wolfssl-sp-math/"
+ cd $SRC/cryptofuzz-sp-math/modules/wolfcrypt
+ make -j$(nproc)
+ cd $SRC/cryptofuzz-sp-math/modules/botan
+ make -j$(nproc)
+ cd $SRC/cryptofuzz-sp-math/
+ LIBFUZZER_LINK="$LIB_FUZZING_ENGINE" make -B -j$(nproc)
+ cp cryptofuzz $OUT/cryptofuzz-sp-math
+ CFLAGS="$OLD_CFLAGS"
+ CXXFLAGS="$OLD_CXXFLAGS"
+ unset WOLFCRYPT_LIBWOLFSSL_A_PATH
+ unset WOLFCRYPT_INCLUDE_PATH
+
 # Build disable-fastmath fuzzer
 cp -R $SRC/cryptofuzz/ $SRC/cryptofuzz-disable-fastmath/
 cp -R $SRC/wolfssl/ $SRC/wolfssl-disable-fastmath/
@@ -137,6 +186,17 @@ then
 unset WOLFCRYPT_LIBWOLFSSL_A_PATH
 unset WOLFCRYPT_INCLUDE_PATH
+ # Convert Wycheproof test vectors to Cryptofuzz corpus format
+ mkdir $SRC/corpus-cryptofuzz-wycheproof/
+ find $SRC/wycheproof/testvectors/ -type f -name 'ecdsa_*' -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-wycheproof={},$SRC/corpus-cryptofuzz-wycheproof/ \;
+ # Pack it
+ zip -j $SRC/cryptofuzz_wycheproof_seed_corpus.zip $SRC/corpus-cryptofuzz-wycheproof/*
+ # Use it as the seed corpus for each Cryptofuzz-based fuzzer
+ cp $SRC/cryptofuzz_wycheproof_seed_corpus.zip $OUT/cryptofuzz-sp-math-all_seed_corpus.zip
+ cp $SRC/cryptofuzz_wycheproof_seed_corpus.zip $OUT/cryptofuzz-sp-math-all-8bit_seed_corpus.zip
+ cp $SRC/cryptofuzz_wycheproof_seed_corpus.zip $OUT/cryptofuzz-sp-math_seed_corpus.zip
+ cp $SRC/cryptofuzz_wycheproof_seed_corpus.zip $OUT/cryptofuzz-disable-fastmath_seed_corpus.zip
+
 # Build SSL/SSH fuzzers
 NEW_SRC=$SRC/wolf-ssl-ssh-fuzzers/oss-fuzz/projects/wolf-ssl-ssh/
 cp -R $SRC/wolfssl/ $NEW_SRC
diff --git a/projects/wuffs/build.sh b/projects/wuffs/build.sh
index d51af38cf..b8d4f5366 100755
--- a/projects/wuffs/build.sh
+++ b/projects/wuffs/build.sh
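Review bot: In the second wolfssl build.sh hunk, `find ... -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-wycheproof={},... \;` discards the exit status of every conversion (`find` returns 0 regardless), so a converter that rejects some vector files yields a silently smaller seed corpus even though the script appears to be a fail-fast one; `find $SRC/wycheproof/testvectors/ -type f -name 'ecdsa_*' -print0 | xargs -0 -I{} $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-wycheproof={},$SRC/corpus-cryptofuzz-wycheproof/` surfaces any failure as a non-zero pipeline status. The corpus is then copied for four binaries, one of which (`cryptofuzz-sp-math-all`) is not built in either hunk; if it is produced above, a comment listing the variants the `cp` block must cover would keep that list in step when variants are added. In the first hunk the sp-math-all-8bit and sp-math blocks are near-verbatim copies of each other and of the disable-fastmath block that follows, differing only in the name suffix, the extra `CFLAGS` defines and the `./configure` options; a shell function taking those three as arguments would make each variant a one-liner. Both hunks sit inside the `then` branch that opens above the first one.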
@@ -26,7 +26,7 @@ for f in fuzz/c/std/*_fuzzer.c; do
 # Make the "gzip_fuzzer" binary. First compile the (C) Wuffs code, then link
 # the (C++) fuzzing library.
- $CC $CFLAGS -c -std=c99 $f -o $WORK/${b}_fuzzer.o
+ $CC $CFLAGS -c $f -o $WORK/${b}_fuzzer.o
 $CXX $CXXFLAGS $WORK/${b}_fuzzer.o -o $OUT/${b}_fuzzer $LIB_FUZZING_ENGINE
 # Make the optional "gzip_fuzzer_seed_corpus.zip" archive. This means
diff --git a/projects/ygot/Dockerfile b/projects/ygot/Dockerfile
new file mode 100644
index 000000000..b592c307b
--- /dev/null
+++ b/projects/ygot/Dockerfile
@@ -0,0 +1,22 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN git clone --depth 1 https://github.com/openconfig/ygot
+
+COPY build.sh $SRC/
+COPY fuzz.go $SRC/ygot/exampleoc/
+WORKDIR $SRC/ygot
diff --git a/projects/ygot/build.sh b/projects/ygot/build.sh
new file mode 100755
index 000000000..3a34ffc5d
--- /dev/null
+++ b/projects/ygot/build.sh
@@ -0,0 +1,18 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+compile_go_fuzzer github.com/openconfig/ygot/exampleoc Fuzz fuzz_oc_unmarshall gofuzz
diff --git a/projects/ygot/fuzz.go b/projects/ygot/fuzz.go
new file mode 100644
index 000000000..c9a08826e
--- /dev/null
+++ b/projects/ygot/fuzz.go
@@ -0,0 +1,12 @@
+// +build gofuzz
+
+package exampleoc
+
+func Fuzz(data []byte) int {
+ nd := &Device{}
+ err := Unmarshal([]byte(data), nd)
+ if err != nil {
+ return 0
+ }
+ return 1
+}
diff --git a/projects/ygot/project.yaml b/projects/ygot/project.yaml
new file mode 100644
index 000000000..bd4ef7acf
--- /dev/null
+++ b/projects/ygot/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://github.com/openconfig/ygot"
+primary_contact: "ygot-maintainers@google.com"
+auto_ccs:
+ - "p.antoine@catenacyber.fr"
+language: go
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+main_repo: 'https://github.com/openconfig/ygot'
diff --git a/projects/zeek/build.sh b/projects/zeek/build.sh
index 5e12504a0..996fe9c12 100644
--- a/projects/zeek/build.sh
+++ b/projects/zeek/build.sh
@@ -25,6 +25,7 @@ CFLAGS="${CFLAGS} -pthread" CXXFLAGS="${CXXFLAGS} -pthread" \
 --disable-auxtools \
 --disable-broker-tests
+
 cd build
 ninja install
diff --git a/projects/zeek/project.yaml b/projects/zeek/project.yaml
index 3cd5de3b8..b0239dab7 100644
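Review bot: In the new ygot fuzz.go, `Unmarshal([]byte(data), nd)` converts a `[]byte` parameter to `[]byte`; `err := Unmarshal(data, nd)` is the same call without the no-op conversion. Returning 1 only when unmarshalling succeeds is the usual go-fuzz convention for steering the corpus, but the function has no doc comment, and one line stating what it exercises would make the harness self-describing for the people on auto_ccs: `// Fuzz feeds arbitrary bytes to Unmarshal into a fresh Device; built only under the gofuzz tag.`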
--- a/projects/zeek/project.yaml
+++ b/projects/zeek/project.yaml
@@ -10,9 +10,7 @@ auto_ccs:
 - "justin@corelight.com"
 - "vern@corelight.com"
 - "vlad@es.net"
-fuzzing_engines:
- - libfuzzer
- - honggfuzz
+ - "dominik.charousset@corelight.com"
 sanitizers:
 - address
 main_repo: 'https://github.com/zeek/zeek'
diff --git a/projects/zlib-ng/build.sh b/projects/zlib-ng/build.sh
index cb225ec36..606c5af89 100755
--- a/projects/zlib-ng/build.sh
+++ b/projects/zlib-ng/build.sh
@@ -15,11 +15,11 @@
 #
 ################################################################################
-export LDSHARED=$CXX
+export LDSHARED=lld
 export LDFLAGS="$CFLAGS -stdlib=libc++"
+
 ./configure
-sed -i "/^LDSHARED=.*/s#=.*#=$CXX#" Makefile
 sed -i 's/$(CC) $(LDFLAGS)/$(CXX) $(LDFLAGS)/g' Makefile
 make -j$(nproc) clean
diff --git a/projects/zlib-ng/project.yaml b/projects/zlib-ng/project.yaml
index d4b41cec8..688f359a9 100644
--- a/projects/zlib-ng/project.yaml
+++ b/projects/zlib-ng/project.yaml
@@ -1,4 +1,4 @@
-homepage: "https://github.com/Dead2/zlib-ng"
+homepage: "https://github.com/zlib-ng/zlib-ng"
 language: c++
 primary_contact: "zlib-ng@circlestorm.org"
 auto_ccs: |
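Review bot: In the zlib-ng build.sh hunk, `export LDSHARED=lld` names lld's generic driver, which on Linux expects to be invoked as `ld.lld` and does not accept compiler-driver options such as the `-stdlib=libc++` that `LDFLAGS` carries on the next line; whether this ever bites depends on whether zlib-ng's configure links the shared library with `$(LDSHARED) $(LDFLAGS)` in this build, which is not visible here. Since the same hunk removes the `sed` that used to force `LDSHARED=$CXX` back into the Makefile, the reason the linker is now `lld` rather than `$CXX` is lost; a one-line comment above the export stating that reason (for instance, if only the static archive feeds the fuzzers and the shared-object link is unused) would stop the next reader from reverting it.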