author | Calder Kitagawa <ckitagawa@chromium.org> | 2018-05-31 16:18:01 +0000 |
---|---|---|
committer | Edward Lesmes <ehmaldonado@google.com> | 2021-07-23 22:47:12 +0000 |
commit | 16f8ef6432c0b1f3c668921aa120be7a4b16a701 (patch) | |
tree | c88ad4421bad3f8ed413137ec18d6e16ba512079 /fuzzers | |
parent | e0dd84f01629380625e5cf7d454d26343a46eaeb (diff) | |
download | zucchini-16f8ef6432c0b1f3c668921aa120be7a4b16a701.tar.gz |
[Zucchini]: Write fuzz generated patches
As discussed in the tracking bug, this covers buffer_sink and
patch_writer for fuzzing by serializing the generated patch data into a
buffer. Locally this increased fuzzing coverage by ~2%. exec/s for ZTF
files is still > 1500, which is sufficient for ClusterFuzz performance.
Eventually fuzzing should be added for:
- imposed_ensemble_matcher
- disassembler_dex
but this is out of scope for Windows Launch.
It may also be worth adding an apply seed for a tiny Windows binary.
Chromium doesn't contain one small enough so we may need to make a
custom test binary to patch (likely Hello World or similar).
Bug: 835341
Change-Id: Id7208f30b09cd7443287cfe10f8ef1fcda6327d1
Reviewed-on: https://chromium-review.googlesource.com/1076949
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#563266}
NOKEYCHECK=True
GitOrigin-RevId: 49613c27bcd84170395588a6d93fc009eb988658
Diffstat (limited to 'fuzzers')
-rw-r--r-- | fuzzers/raw_gen_fuzzer.cc | 19
-rw-r--r-- | fuzzers/ztf_gen_fuzzer.cc | 17
2 files changed, 31 insertions, 5 deletions
diff --git a/fuzzers/raw_gen_fuzzer.cc b/fuzzers/raw_gen_fuzzer.cc index 176412d..b27042e 100644 --- a/fuzzers/raw_gen_fuzzer.cc +++ b/fuzzers/raw_gen_fuzzer.cc @@ -5,9 +5,11 @@ #include <stdint.h> #include <iostream> +#include <memory> #include "base/environment.h" #include "base/logging.h" +#include "components/zucchini/buffer_sink.h" #include "components/zucchini/buffer_view.h" #include "components/zucchini/fuzzers/file_pair.pb.h" #include "components/zucchini/patch_writer.h" @@ -16,14 +18,14 @@ namespace { -constexpr int kMinImageSize = 16; -constexpr int kMaxImageSize = 1024; +constexpr size_t kMinImageSize = 16; +constexpr size_t kMaxImageSize = 1024; } // namespace struct Environment { Environment() { - logging::SetMinLogLevel(3); // Disable console spamming. + logging::SetMinLogLevel(logging::LOG_FATAL); // Disable console spamming. } }; @@ -55,4 +57,15 @@ DEFINE_BINARY_PROTO_FUZZER(const zucchini::fuzzers::FilePair& file_pair) { // Fuzz Target. zucchini::GenerateRaw(old_image, new_image, &patch_writer); + + // Check that the patch size is sane. Crash the fuzzer if this isn't the case + // as it is a failure in Zucchini's patch performance that is worth + // investigating. + size_t patch_size = patch_writer.SerializedSize(); + CHECK_LE(patch_size, kMaxImageSize * 2); + + // Write to buffer to avoid IO. + std::unique_ptr<uint8_t[]> patch_data(new uint8_t[patch_size]); + zucchini::BufferSink patch(patch_data.get(), patch_size); + patch_writer.SerializeInto(patch); } diff --git a/fuzzers/ztf_gen_fuzzer.cc b/fuzzers/ztf_gen_fuzzer.cc index 413d841..76ae44f 100644 --- a/fuzzers/ztf_gen_fuzzer.cc +++ b/fuzzers/ztf_gen_fuzzer.cc @@ -5,9 +5,11 @@ #include <stdint.h> #include <iostream> +#include <memory> #include "base/environment.h" #include "base/logging.h" +#include "components/zucchini/buffer_sink.h" #include "components/zucchini/buffer_view.h" #include "components/zucchini/fuzzers/file_pair.pb.h" #include "components/zucchini/patch_writer.h" 
@@ -16,8 +18,8 @@ namespace { -constexpr int kMinImageSize = 16; -constexpr int kMaxImageSize = 1024; +constexpr size_t kMinImageSize = 16; +constexpr size_t kMaxImageSize = 1024; } // namespace @@ -56,4 +58,15 @@ DEFINE_BINARY_PROTO_FUZZER(const zucchini::fuzzers::FilePair& file_pair) { // Fuzz Target. zucchini::GenerateEnsemble(old_image, new_image, &patch_writer); + + // Check that the patch size is sane. Crash the fuzzer if this isn't the case + // as it is a failure in Zucchini's patch performance that is worth + // investigating. + size_t patch_size = patch_writer.SerializedSize(); + CHECK_LE(patch_size, kMaxImageSize * 2); + + // Write to buffer to avoid IO. + std::unique_ptr<uint8_t[]> patch_data(new uint8_t[patch_size]); + zucchini::BufferSink patch(patch_data.get(), patch_size); + patch_writer.SerializeInto(patch); } |
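Review bot: In the raw_gen_fuzzer.cc hunk at `@@ -55,4 +57,15 @@`, no check follows `patch_writer.SerializeInto(patch);`. The sink is sized exactly from `patch_writer.SerializedSize()`, so a disagreement between the advertised size and the bytes actually written would pass unnoticed; asserting on the outcome of the serialization (for example with a CHECK, as is already done for the size bound two lines above) would make such a mismatch a fuzzer-visible failure, which is the stated intent of the "sane" size check. Two smaller points in the same hunk: `std::make_unique<uint8_t[]>(patch_size)` is the idiomatic form now that `<memory>` is included, and the `kMaxImageSize * 2` bound is a heuristic that deserves a sentence in the comment explaining why a patch larger than twice the maximum input image counts as a regression.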
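Review bot: The ztf_gen_fuzzer.cc hunk at `@@ -56,4 +58,15 @@` repeats the eleven lines added to raw_gen_fuzzer.cc verbatim (size check, `unique_ptr` allocation, `BufferSink` construction, `SerializeInto`, and the same two comments); only the preceding generator call differs (`GenerateEnsemble` versus `GenerateRaw`). A small shared helper taking the `PatchWriter` and the size bound would keep the two targets from drifting when either the bound or the post-serialization checks change.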