path: root/fuzzers/testdata
Age  Commit message  Author
2021-07-25  [Zucchini] imposed_ensemble_matcher Fuzzer  Calder Kitagawa

Adds a fuzzer for the ImposedEnsembleMatcher. This achieves between 5000 and 10000 exec/s. At 10000 runs this covers 96% of the imposed_ensemble_matcher and 50% of the io_utils (another file lacking coverage). Uncovered lines in io_utils are attributed to debug tools. The missing lines in imposed_ensemble_matcher are error cases which haven't been hit yet.

The seed uses duplicated back-to-back copies of old.ztf and new.ztf.

Bug: 835341
Change-Id: I742ca6f4c409c9a9ec4a335da2b50fd8d4d6ed6f
Reviewed-on: https://chromium-review.googlesource.com/1117572
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572201}
NOKEYCHECK=True
GitOrigin-RevId: f7b526674131a74a43ba13394f1c4819cac9c2d2
2021-07-23  [Zucchini] ZTF Apply Fuzzer  Calder Kitagawa

This is part of a series of Fuzzers to be added to Zucchini for security review. This tests the full patch application logic exercising the patch reader and apply process. It covers ~33% of code in 1000000 runs. The bulk of the remaining code (~40%) is covered by ZTF Gen Fuzzer, with the remainder (~30%) being for DEX Disassembly (not in launch scope), patch serialization (trusted input), and other testing/debugging/error handling code which isn't triggered.

This already found a couple of bugs fixed in https://chromium-review.googlesource.com/c/chromium/src/+/1072272

With the supplied seed corpus the fuzzer reaches approximately 12000 execs/s.

The file format for the seed is a FilePair proto of a ZTF base file and a patch file as used in Raw Apply. This reuses the same generator and fuzzer as Raw Apply as the type of application is encoded in the patch itself.

Bug: 835341
Change-Id: I00f28c768a6e1c7b8c5e95979b279d64785ef515
Reviewed-on: https://chromium-review.googlesource.com/1072231
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#562260}
NOKEYCHECK=True
GitOrigin-RevId: 7206487ebd05fd4f30226ec59b730bb41c5013f2
2021-07-23  [Zucchini] ZTF Gen Fuzzer  Calder Kitagawa

This is part of a series of Fuzzers to be added to Zucchini for security review. This tests the full patch generation logic exercising the patch writer and gen process. It covers ~44% of code in 100000 runs. The remaining code is split between ZTF Apply Fuzzer (~30%) and the aggregate of DEX Disassembly (not in launch scope), patch serialization (trusted input), and other testing/debugging/error handling code which isn't triggered.

With the supplied seed corpus the fuzzer reaches approximately 4000 execs/s.

The file format for the seed is a FilePair proto of a ZTF base file and a ZTF updated file as used in Raw Gen.

Also fix bug where wrong fuzzer was running for apply.

Bug: 835341
Change-Id: Ib99dd70ba01820b874d72fecb2b543ea7082f649
Reviewed-on: https://chromium-review.googlesource.com/1072229
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561978}
NOKEYCHECK=True
GitOrigin-RevId: 8b5e3a4b59cfc86fc888726e29dea5d9cb1c1a09
2021-07-23  [Zucchini] (raw) Gen Fuzzer  Calder Kitagawa

This is part of a series of Fuzzers to be added to Zucchini for security review. This tests the raw data patch generation logic exercising the patch writer and gen process. It only covers ~20% of code in 100000 executions as the bulk of the remaining code is associated with the much more complex and expensive to fuzz reference related code.

With the supplied seed corpus the fuzzer reaches approximately 5000 execs/s.

There were no bug/stability issues found in raw gen.

The file format for the seed is a FilePair proto as used in raw Apply; however, it is static so doesn't need regeneration. The files within the FilePair seed are ZTF (Zucchini Text Format) files based on the code that will be landed in:
https://chromium-review.googlesource.com/c/chromium/src/+/1056147

This way the source files can be reused in the ZTF gen and apply fuzzers which will be used to more efficiently fuzz the reference handling code in Zucchini.

Remaining Security Review Fuzzers (For Windows Launch)
- ZTF Gen
- ZTF Apply
(ZTF = Zucchini text format)

Note that suffix array while originally discussed is already implicitly fuzzed by this fuzzer and as such shouldn't require a standalone fuzzer.

Other remaining fuzzers (Not shipped so non-blocking of Windows Launch)
- Disassembler DEX
- Disassembler ELF (when merged from Trunk)

To create the seed file pair run the following from components/zucchini/fuzzers/

    ./create_seed_file_pair.py ../../../out/Release/protoc \
        testdata/old.ztxt testdata/new.ztxt testdata/seed_proto.bin

Note: you need to first build protoc in out/Release/

Bug: 835341
Change-Id: I1bf5c2a4251093bbf5bfc92904afc376a2832dbd
Reviewed-on: https://chromium-review.googlesource.com/1062412
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559676}
NOKEYCHECK=True
GitOrigin-RevId: 133fb1221e6c293dc43ff438567b2834b2e5c798
2021-07-23  Reland "[Zucchini] (raw) Apply fuzzer"  Calder Kitagawa

This is a reland of f4a598ff5adfe27f8153bd36984ee9cb549f99e9

Windows cannot resolve #!/usr/bin/env python depending on how it is configured. To fix this, explicitly use python in the subprocess call. Interestingly, the Tryjobs didn't catch this and only the official build waterfall does...

Original change's description:
> [Zucchini] (raw) Apply fuzzer
>
> This is part of a series of Fuzzers to be added to Zucchini for
> security review. This tests the raw data patch application logic
> exercising the patch reader and apply process. It only covers ~20%
> of code in 100000 executions as the bulk of the remaining code is
> associated with the much more complex and expensive to fuzz reference
> related code.
>
> With the supplied seed corpus the fuzzer reaches approximately 11000
> execs/s.
>
> This found a couple bugs which are fixed in:
> https://chromium-review.googlesource.com/c/chromium/src/+/1028575
>
>
> Bug: 835341
> Change-Id: Idc1d862bfaa6eb6313f39e10536f4750c05ab863
> Reviewed-on: https://chromium-review.googlesource.com/1028570
> Commit-Queue: Calder Kitagawa <ckitagawa@google.com>
> Reviewed-by: Samuel Huang <huangs@chromium.org>
> Reviewed-by: Greg Thompson <grt@chromium.org>
> Reviewed-by: Max Moroz <mmoroz@chromium.org>
> Reviewed-by: Jonathan Metzman <metzman@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#557185}

Bug: 835341
Change-Id: I24e94dd0c2035d84c84636f0a0a30756ae7f0c36
Reviewed-on: https://chromium-review.googlesource.com/1052567
Commit-Queue: Calder Kitagawa <ckitagawa@google.com>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557286}
NOKEYCHECK=True
GitOrigin-RevId: 8e7c08d3d11c61d08ad05d3ebc283aa2d6bf7c91
2021-07-23  Revert "[Zucchini] (raw) Apply fuzzer"  vitaliii

This reverts commit f4a598ff5adfe27f8153bd36984ee9cb549f99e9.

Reason for revert: Does not compile on Win 64, see
https://ci.chromium.org/buildbot/chromium/Win%20x64/22249

Original change's description:
> [Zucchini] (raw) Apply fuzzer
>
> This is part of a series of Fuzzers to be added to Zucchini for
> security review. This tests the raw data patch application logic
> exercising the patch reader and apply process. It only covers ~20%
> of code in 100000 executions as the bulk of the remaining code is
> associated with the much more complex and expensive to fuzz reference
> related code.
>
> With the supplied seed corpus the fuzzer reaches approximately 11000
> execs/s.
>
> This found a couple bugs which are fixed in:
> https://chromium-review.googlesource.com/c/chromium/src/+/1028575
>
>
> Bug: 835341
> Change-Id: Idc1d862bfaa6eb6313f39e10536f4750c05ab863
> Reviewed-on: https://chromium-review.googlesource.com/1028570
> Commit-Queue: Calder Kitagawa <ckitagawa@google.com>
> Reviewed-by: Samuel Huang <huangs@chromium.org>
> Reviewed-by: Greg Thompson <grt@chromium.org>
> Reviewed-by: Max Moroz <mmoroz@chromium.org>
> Reviewed-by: Jonathan Metzman <metzman@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#557185}

TBR=huangs@chromium.org,mmoroz@chromium.org,grt@chromium.org,metzman@chromium.org,ckitagawa@google.com

Change-Id: Ia1790a01d3f31f25b243ce6e4ec5b52e423e3f6e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 835341
Reviewed-on: https://chromium-review.googlesource.com/1052287
Reviewed-by: vitaliii <vitaliii@chromium.org>
Commit-Queue: vitaliii <vitaliii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557196}
NOKEYCHECK=True
GitOrigin-RevId: 0101ff77e665851a5fab50b19427cbb5cdb54954
2021-07-23  [Zucchini] (raw) Apply fuzzer  Calder Kitagawa

This is part of a series of Fuzzers to be added to Zucchini for security review. This tests the raw data patch application logic exercising the patch reader and apply process. It only covers ~20% of code in 100000 executions as the bulk of the remaining code is associated with the much more complex and expensive to fuzz reference related code.

With the supplied seed corpus the fuzzer reaches approximately 11000 execs/s.

This found a couple of bugs which are fixed in:
https://chromium-review.googlesource.com/c/chromium/src/+/1028575

Bug: 835341
Change-Id: Idc1d862bfaa6eb6313f39e10536f4750c05ab863
Reviewed-on: https://chromium-review.googlesource.com/1028570
Commit-Queue: Calder Kitagawa <ckitagawa@google.com>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Jonathan Metzman <metzman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557185}
NOKEYCHECK=True
GitOrigin-RevId: f4a598ff5adfe27f8153bd36984ee9cb549f99e9
2021-07-23  [Zucchini] Restructure fuzzer directory  Calder Kitagawa

More fuzzers need to be added to Zucchini for launch, including adding support for protobuf based fuzzers. To facilitate this, a new fuzzers/ subdirectory will help to separate Zucchini from its fuzz related infrastructure.

Bug: 835341
Change-Id: Ib18bfe9bb0b0050e94fa7bdca22fb99c735d9141
Reviewed-on: https://chromium-review.googlesource.com/1026475
Reviewed-by: Samuel Huang <huangs@chromium.org>
Commit-Queue: Calder Kitagawa <ckitagawa@google.com>
Cr-Commit-Position: refs/heads/master@{#553254}
NOKEYCHECK=True
GitOrigin-RevId: 4725b4fbb75b0f4b2dda8f56e644ca6ef546cd0e