authorCalder Kitagawa <ckitagawa@chromium.org>2018-05-25 19:49:43 +0000
committerEdward Lesmes <ehmaldonado@google.com>2021-07-23 22:41:30 +0000
commit75569ad9940020e9730359c52bad857be7690025 (patch)
treeefe0253fa585f04a18a2b0a2f0b8b31ca538e314 /fuzzers
parent984b1815afc913c3021ce6a83a1fafd9da61c802 (diff)
downloadzucchini-75569ad9940020e9730359c52bad857be7690025.tar.gz
[Zucchini] ZTF Gen Fuzzer
This is part of a series of Fuzzers to be added to Zucchini for security review. This tests the full patch generation logic exercising the patch writer and gen process. It covers ~44% of code in 100000 runs. The remaining code is split between ZTF Apply Fuzzer (~30%) and the aggregate of DEX Disassembly (not in launch scope), patch serialization (trusted input), and other testing/debugging/error handling code which isn't triggered. With the supplied seed corpus the fuzzer reaches approximately 4000 execs/s. The file format for the seed is a FilePair proto of a ZTF base file and a ZTF updated file as used in Raw Gen. Also fix bug where wrong fuzzer was running for apply. Bug: 835341 Change-Id: Ib99dd70ba01820b874d72fecb2b543ea7082f649 Reviewed-on: https://chromium-review.googlesource.com/1072229 Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org> Reviewed-by: Samuel Huang <huangs@chromium.org> Reviewed-by: Max Moroz <mmoroz@chromium.org> Reviewed-by: Greg Thompson <grt@chromium.org> Cr-Commit-Position: refs/heads/master@{#561978} NOKEYCHECK=True GitOrigin-RevId: 8b5e3a4b59cfc86fc888726e29dea5d9cb1c1a09
Diffstat (limited to 'fuzzers')
-rw-r--r--fuzzers/BUILD.gn18
-rw-r--r--fuzzers/testdata/raw_or_ztf_gen_fuzzer/seed_proto.bin (renamed from fuzzers/testdata/raw_gen_fuzzer/seed_proto.bin)0
-rw-r--r--fuzzers/ztf_gen_fuzzer.cc59
3 files changed, 75 insertions, 2 deletions
diff --git a/fuzzers/BUILD.gn b/fuzzers/BUILD.gn
index 7afe6db..e11efc4 100644
--- a/fuzzers/BUILD.gn
+++ b/fuzzers/BUILD.gn
@@ -72,7 +72,7 @@ if (current_toolchain == host_toolchain && !is_win) {
fuzzer_test("zucchini_raw_apply_fuzzer") {
sources = [
- "raw_gen_fuzzer.cc",
+ "raw_apply_fuzzer.cc",
]
deps = [
":zucchini_file_pair_proto",
@@ -95,6 +95,20 @@ if (current_toolchain == host_toolchain && !is_win) {
"//components/zucchini:zucchini_lib",
"//third_party/libprotobuf-mutator",
]
- seed_corpus = "testdata/raw_gen_fuzzer"
+ seed_corpus = "testdata/raw_or_ztf_gen_fuzzer"
+ }
+
+ # ZTF Gen Fuzzer:
+ fuzzer_test("zucchini_ztf_gen_fuzzer") {
+ sources = [
+ "ztf_gen_fuzzer.cc",
+ ]
+ deps = [
+ ":zucchini_file_pair_proto",
+ "//base",
+ "//components/zucchini:zucchini_lib",
+ "//third_party/libprotobuf-mutator",
+ ]
+ seed_corpus = "testdata/raw_or_ztf_gen_fuzzer"
}
}
diff --git a/fuzzers/testdata/raw_gen_fuzzer/seed_proto.bin b/fuzzers/testdata/raw_or_ztf_gen_fuzzer/seed_proto.bin
index 5939c72..5939c72 100644
--- a/fuzzers/testdata/raw_gen_fuzzer/seed_proto.bin
+++ b/fuzzers/testdata/raw_or_ztf_gen_fuzzer/seed_proto.bin
diff --git a/fuzzers/ztf_gen_fuzzer.cc b/fuzzers/ztf_gen_fuzzer.cc
new file mode 100644
index 0000000..413d841
--- /dev/null
+++ b/fuzzers/ztf_gen_fuzzer.cc
@@ -0,0 +1,59 @@
+// Copyright 2018 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stdint.h>
+
+#include <iostream>
+
+#include "base/environment.h"
+#include "base/logging.h"
+#include "components/zucchini/buffer_view.h"
+#include "components/zucchini/fuzzers/file_pair.pb.h"
+#include "components/zucchini/patch_writer.h"
+#include "components/zucchini/zucchini_gen.h"
+#include "testing/libfuzzer/proto/lpm_interface.h"
+
+namespace {
+
+constexpr int kMinImageSize = 16;
+constexpr int kMaxImageSize = 1024;
+
+} // namespace
+
+struct Environment {
+ Environment() {
+ logging::SetMinLogLevel(logging::LOG_FATAL); // Disable console spamming.
+ }
+};
+
+Environment* env = new Environment();
+
+DEFINE_BINARY_PROTO_FUZZER(const zucchini::fuzzers::FilePair& file_pair) {
+ // Dump code for debugging.
+ if (base::Environment::Create()->HasVar("LPM_DUMP_NATIVE_INPUT")) {
+ std::cout << "Old File: " << file_pair.old_file() << std::endl
+ << "New File: " << file_pair.new_or_patch_file() << std::endl;
+ }
+
+ // Prepare data. These are originally Zucchini Text Format (ZTF) files but may
+ // in relatively unlikely circumstances mutate into other formats.
+ zucchini::ConstBufferView old_image(
+ reinterpret_cast<const uint8_t*>(file_pair.old_file().data()),
+ file_pair.old_file().size());
+ zucchini::ConstBufferView new_image(
+ reinterpret_cast<const uint8_t*>(file_pair.new_or_patch_file().data()),
+ file_pair.new_or_patch_file().size());
+
+ // Restrict image sizes to speed up fuzzing.
+ if (old_image.size() < kMinImageSize || old_image.size() > kMaxImageSize ||
+ new_image.size() < kMinImageSize || new_image.size() > kMaxImageSize) {
+ return;
+ }
+
+ // Generate a patch writer.
+ zucchini::EnsemblePatchWriter patch_writer(old_image, new_image);
+
+ // Fuzz Target.
+ zucchini::GenerateEnsemble(old_image, new_image, &patch_writer);
+}