path: root/fuzzers
Age | Commit message | Author
2021-10-28 | [Zucchini]: Add patch version. | Etienne Pierre-doray

This is a breaking change to zucchini patch format: Zucchini 1.0, see changelog. Add major/minor patch-wide version, and element version. Also add VerifyPatch() API and command line option to verify patch compatibility.

Design: go/zucchini-versions

Bug: 1231882
Change-Id: I19f1fbe2ee866c23f0814ffe6a912fb72812edbc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3140224
Commit-Queue: Etienne Pierre-Doray <etiennep@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Reviewed-by: Calder Kitagawa <ckitagawa@chromium.org>
Cr-Commit-Position: refs/heads/main@{#936096}
NOKEYCHECK=True
GitOrigin-RevId: 559d77a9741428a48add017d389d104e431e6de7
2021-07-25 | build: Convert components/zucchini/fuzzers/BUILD.gn to py3 | Nico Weber

Bug: 1205597
Change-Id: I19c9513db7587d843a4cc8edc9b7267992f65a2c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2897540
Auto-Submit: Nico Weber <thakis@chromium.org>
Commit-Queue: Etienne Pierre-Doray <etiennep@chromium.org>
Reviewed-by: Etienne Pierre-Doray <etiennep@chromium.org>
Cr-Commit-Position: refs/heads/master@{#883586}
NOKEYCHECK=True
GitOrigin-RevId: 27cc62076c62d78f6d67edaa93453aebd667d130
2021-07-25 | components: Replace base::Optional and friends with absl counterparts | Anton Bikineev

This replaces:
- base::Optional -> absl::optional
- include "base/optional.h" -> include "third_party/abseil-cpp/absl/types/optional.h"
- base::nullopt -> absl::nullopt
- base::make_optional -> absl::make_optional

Bug: 1202909
Change-Id: If697b7bf69b199c1796f873eedca3359cdb48c64
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2897151
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Owners-Override: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Cr-Commit-Position: refs/heads/master@{#883296}
NOKEYCHECK=True
GitOrigin-RevId: 1156b5f891de178171e71b9221a96bef1ced3d3b
2021-07-25 | Change actions to python2_actions as needed. | Dirk Pranke

As a prelude to starting to move the build fully over to Python 3, this CL changes all of the GN `action` and `action_foreach` targets that appear to require Python 2 over to `python2_action` and `python2_action_foreach`.

This CL by itself should produce no functional change since we'll still be using Python 2 by default, and the new templates are passthroughs in that config.

To start using Python3, you can run `gn gen --script-executable=python3 //out/Default` on Unix; on Python3 you need to point to an actual python3.exe and not the python3.bat wrapper in depot_tools; once we can roll GN forward to a version that contains https://gn-review.googlesource.com/c/gn/+/10560 (which will hopefully happen in the next day or two), that won't be necessary.

The Fuchsia build will not work until http://fxrev.dev/446479 lands and is rolled in.

No-Presubmit: true
Bug: 1112471
AX-Relnotes: n/a
Change-Id: I891155502e0940a8075cf26d675f54b803d91242
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2510878
Reviewed-by: Scott Violet <sky@chromium.org>
Reviewed-by: Bruce Dawson <brucedawson@chromium.org>
Reviewed-by: Mark Mentovai <mark@chromium.org>
Reviewed-by: Andrew Grieve <agrieve@chromium.org>
Commit-Queue: Dirk Pranke <dpranke@google.com>
Cr-Commit-Position: refs/heads/master@{#824216}
NOKEYCHECK=True
GitOrigin-RevId: ca35ab2022b017562b9ad3d12fea3f149d18cf87
2021-07-25 | Reformat all gn files in /components/zucchini. | Nico Weber

`gn format` recently changed its formatting behavior for deps, source, and a few other elements when they are assigned (with =) single-element lists to be consistent with the formatting of updates (with +=) with single-element. Now that we've rolled in a GN binary with the change, reformat all files so that people don't get presubmit warnings due to this.

This CL was uploaded by git cl split.

R=wfh@chromium.org

Bug: 1041419
Change-Id: Iabb4b3262df63e346520bce93cc00ce6538f76fb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1997802
Auto-Submit: Nico Weber <thakis@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Commit-Queue: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#730667}
NOKEYCHECK=True
GitOrigin-RevId: 5366f1719d82185483bbc3fe35725653d384e1ea
2021-07-25 | [Zucchini] Add ELF fuzzer | ckitagawa

This CL introduces a fuzzer for the ELF disassemblers in Zucchini. I have already uploaded some corpus files to the clusterfuzz-corpus Google Storage bucket.

Achieves ~700 exec/s locally. This is on-par with the DEX and Win32 disassemblers as it requires a largish representative file to serve as a test. (Recommendation is ~1000 exec/s).

Brings up coverage of ELF related code from 0-30% to 80-100%

I expect this will find quite a few crashes early on but should stabilize within a couple of weeks; est. 1-2 bugfixes per day based on how DEX and Win32 went. Mostly checked_casts and bounds issues.

Bug: 1013641
Change-Id: I205135547cad2a95e59f99d7f040c13d72c45b59
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1856624
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Etienne Pierre-Doray <etiennep@chromium.org>
Cr-Commit-Position: refs/heads/master@{#705245}
NOKEYCHECK=True
GitOrigin-RevId: b00aaabae0e86b84d0007f76f7736fe2db397aaf
2021-07-25 | [Zucchini] Remove imposed_ensemble_matcher_fuzzer size check | Calder Kitagawa

This check isn't very helpful. It only finds pathological but valid situations. Typically, the resulting patch is very compressible and this only checks the uncompressed size, which is inflated due to having many headers for ZTF and Raw regions.

Bug: 860845
Change-Id: I5747e787a1c9888c4ef70d8449572517669f39cd
Reviewed-on: https://chromium-review.googlesource.com/1128810
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#573372}
NOKEYCHECK=True
GitOrigin-RevId: 71ac85257f083f1d3ceded06f1d66992e033d389
2021-07-25 | [Zucchini] Increase disassembler_win32_fuzzer coverage | Calder Kitagawa

This increases coverage by writing back the read references to the image. In doing so we ensure the output is either valid or handled gracefully if it is bad. This increases coverage to 88% on the Win32 related codepaths. The fuzzer still performs at ~1000 exec/s on non-debug builds.

In doing so I also majorly refactored this fuzzer so it is simpler and consistent with the disassembler_dex_fuzzer.

Bug: 835341
Change-Id: Ie88f04a21a9cc86045357307956ce76d0c4854e2
Reviewed-on: https://chromium-review.googlesource.com/1126483
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572839}
NOKEYCHECK=True
GitOrigin-RevId: 4b61560a53200a2231605d17b1144cd3ccd6731d
2021-07-25 | [Zucchini] Fix image not being resized in fuzzer | Calder Kitagawa

The |mutable_image| should have been resized to match |disassembler_dex|'s size. This caused a check failure in fuzzing.

Bug: 860127
Change-Id: If168d4b62b5d3a8cfdef37cc23a38682c1b7d48e
Reviewed-on: https://chromium-review.googlesource.com/1126322
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572782}
NOKEYCHECK=True
GitOrigin-RevId: 3458b23c4dcf642e3ec7dc333949f550330d6a7a
2021-07-25 | Avoid modifying non-out directory files on zucchini fuzzer | tzik

generate_fuzzer_data.py writes a patch file to its test_data directory that is in the source tree rather than out directory. This moves the write target to gen/ in the out directory.

Change-Id: Ic02743ded5823385c1eb6817704311e115c00832
Reviewed-on: https://chromium-review.googlesource.com/1097043
Commit-Queue: Taiju Tsuiki <tzik@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572708}
NOKEYCHECK=True
GitOrigin-RevId: 0a16ceb9ccea6192911777ab53b8cabf3e992406
2021-07-25 | [Zucchini] Fix patch size check in fuzzer | Calder Kitagawa

The fuzzer found another pathological case of repeated ZTF regions that causes the patch size check to be violated due to a large number of headers. The solution should be to increase this upper bound or remove it entirely. I've gone with the former but if it continues to cause trouble it might be worth removing as it only finds pathological cases so far.

Bug: 860070
Change-Id: I276b51bc909ad0da46d9954aee9c98e03dc1973e
Reviewed-on: https://chromium-review.googlesource.com/1126164
Reviewed-by: Samuel Huang <huangs@chromium.org>
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572581}
NOKEYCHECK=True
GitOrigin-RevId: f45c2a25b3b9b774db04db8d4393727e6a6186f4
2021-07-25 | [Zucchini] Add disassembler_dex Fuzzer | Calder Kitagawa

Adds a fuzzer for disassembly of DEX files. This achieves ~7500 exec/s and covers 97% of files of interest in 10000 runs. The bulk of the uncovered code is writers which require a patch file and this is more complex and expensive to fuzz so like the Windows Disassembler we will hold off on fuzzing this for now.

The source seed for fuzzing is the WebAPK shell app and is uploaded to the Fuzzing GCS bucket as it is on the larger side. See: zucchini_disassembler_dex_fuzzer_static

Bug: 835341
Change-Id: I40651286b571964b719ca61074d5e35934e88189
Reviewed-on: https://chromium-review.googlesource.com/1117123
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572203}
NOKEYCHECK=True
GitOrigin-RevId: c2a778621cbcd812e2687269ba3f10132a31df12
2021-07-25 | [Zucchini] imposed_ensemble_matcher Fuzzer | Calder Kitagawa

Adds a fuzzer for the ImposedEnsembleMatcher. This achieves between 5000 and 10000 exec/s. At 10000 runs this covers 96% of the imposed_ensemble_matcher and 50% of the io_utils (another file lacking coverage). Uncovered lines in io_utils are attributed to debug tools. The missing lines in imposed_ensemble_matcher are error cases which haven't been hit yet.

The seed uses duplicated back to back copies of old.ztf and new.ztf.

Bug: 835341
Change-Id: I742ca6f4c409c9a9ec4a335da2b50fd8d4d6ed6f
Reviewed-on: https://chromium-review.googlesource.com/1117572
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572201}
NOKEYCHECK=True
GitOrigin-RevId: f7b526674131a74a43ba13394f1c4819cac9c2d2
2021-07-25 | [Zucchini] Refactor Zucchini-gen in zucchini_io layer. | Samuel Huang

This CL moves Zucchini-gen invocation code from zucchini_commands.cc (in target zucchini) to zucchini_integration.cc (in target zucchini_io) to clean up layering in Zucchini API, i.e.:
- zucchini_lib: Operates on buffers only.
- zucchini_io: Adds files interface, uses memory-mapped I/O.
- zucchini: Stand-alone executable that parses command-line arguments.

Other changes:
- Rename zucchini_lib functions (zucchini.h), to dedup names and emphasize that these functions operate on buffers:
  - GenerateEnsemble() -> GenerateBuffer(),
  - GenerateEnsembleWithImposedMatches() -> GenerateBufferImposed(),
  - GenerateRaw() -> GenerateBufferRaw(),
  - Apply() -> ApplyBuffer().
  These renames only affect Zucchini and various tests.
- Variable renames and parameter reordering in zucchini_integration.cc.
- Remove '-dd' param in help text of Zucchini-detect (was never ported from Trunk, and has been recently deleted there as well).
- Replace all base::File&& with base::File.
- Miscellaneous cleanup for header include.
- Update README.md.

Change-Id: I835b80d4d3d7b291fa822a7a89dab225bf9171e9
Reviewed-on: https://chromium-review.googlesource.com/1105625
Reviewed-by: Samuel Huang <huangs@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Commit-Queue: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569274}
NOKEYCHECK=True
GitOrigin-RevId: 9f0f325d6e2595deb8d50c77e0464946f3bf1ec1
2021-07-23 | [Zucchini]: Disable CHECK for ZTF Gen Fuzzer patch size | Calder Kitagawa

The fuzzer is really smart; it discovered the worst case patch scenario of alternating 16 byte regions of ZTF and Raw regions. This resulted in a 310 B testcase (17 B source file) generating a 2.5 ~kB patch (uncompressed) (470 B compressed). This is the absolute worst case behavior which requires an intentionally badly designed archive/input. In reality this would never occur with valid binaries.

It is good to know that this case exists but there isn't much that can be done to prevent it in Zucchini so we can just disable this check.

Two solutions to this could be:
1. Make Zucchini smart enough to try multiple patches, compare the compressed size and choose the best option.
2. Ignore it and in infra compare:
   - Compressed ensemble patch
   - Compressed raw patch
   - Compressed image
   Then just ship the smallest.

Option 1 adds a lot of complexity. Ideally, Zucchini should remain naive with regards to generating compressed patches so that the infra can choose the preferred compression and keep Zucchini fast.

The case for making the infra smarter is compelling and probably the solution to pursue. However, because we have control over the input binaries and this case will realistically not occur it isn't a priority.

Bug: 848503
Change-Id: Ic505db49fd89f12dbd1eb5b100a59832f6054b2e
Reviewed-on: https://chromium-review.googlesource.com/1082008
Reviewed-by: Samuel Huang <huangs@chromium.org>
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Cr-Commit-Position: refs/heads/master@{#563662}
NOKEYCHECK=True
GitOrigin-RevId: 54bf0d1da91c3db9a3682b840f7c76faa93c0072
2021-07-23 | [Zucchini]: Write fuzz generated patches | Calder Kitagawa

As discussed in the tracking bug this covers buffer_sink and patch_writer for fuzzing by serializing the generated patch data into a buffer. Locally this increased fuzzing coverage by ~2%. exec/s for ZTF files is still > 1500 which is sufficient for ClusterFuzz performance.

Eventually fuzzing should be added for:
- imposed_ensemble_matcher
- disassembler_dex
But is out of scope for Windows Launch.

It may also be worth adding an apply seed for a tiny Windows binary. Chromium doesn't contain one small enough so we may need to make a custom test binary to patch (likely Hello World or similar).

Bug: 835341
Change-Id: Id7208f30b09cd7443287cfe10f8ef1fcda6327d1
Reviewed-on: https://chromium-review.googlesource.com/1076949
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#563266}
NOKEYCHECK=True
GitOrigin-RevId: 49613c27bcd84170395588a6d93fc009eb988658
2021-07-23 | [Zucchini] ZTF Apply Fuzzer | Calder Kitagawa

This is part of a series of Fuzzers to be added to Zucchini for security review. This tests the full patch application logic exercising the patch reader and apply process. It covers ~33% of code in 1000000 runs. The bulk of remaining code ~40% is covered by ZTF Gen Fuzzer. With the remainder (~30%) being for DEX Disassembly (not in launch scope), patch serialization (trusted input), and other testing/debugging/error handling code which isn't triggered.

This already found a couple bugs fixed in https://chromium-review.googlesource.com/c/chromium/src/+/1072272

With the supplied seed corpus the fuzzer reaches approximately 12000 execs/s.

The file format for the seed is a FilePair proto of a ZTF base file and a patch file as used in Raw Apply. This reuses the same generator and fuzzer as Raw Apply as the type of application is encoded in the patch itself.

Bug: 835341
Change-Id: I00f28c768a6e1c7b8c5e95979b279d64785ef515
Reviewed-on: https://chromium-review.googlesource.com/1072231
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#562260}
NOKEYCHECK=True
GitOrigin-RevId: 7206487ebd05fd4f30226ec59b730bb41c5013f2
2021-07-23 | [Zucchini] ZTF Gen Fuzzer | Calder Kitagawa

This is part of a series of Fuzzers to be added to Zucchini for security review. This tests the full patch generation logic exercising the patch writer and gen process. It covers ~44% of code in 100000 runs. The remaining code is split between ZTF Apply Fuzzer (~30%) and the aggregate of DEX Disassembly (not in launch scope), patch serialization (trusted input), and other testing/debugging/error handling code which isn't triggered.

With the supplied seed corpus the fuzzer reaches approximately 4000 execs/s.

The file format for the seed is a FilePair proto of a ZTF base file and a ZTF updated file as used in Raw Gen.

Also fix bug where wrong fuzzer was running for apply.

Bug: 835341
Change-Id: Ib99dd70ba01820b874d72fecb2b543ea7082f649
Reviewed-on: https://chromium-review.googlesource.com/1072229
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561978}
NOKEYCHECK=True
GitOrigin-RevId: 8b5e3a4b59cfc86fc888726e29dea5d9cb1c1a09
2021-07-23 | [Zucchini] Disable FilePair related fuzzers on Windows | Calder Kitagawa

zucchini_raw_apply_seed is failing on ToTWinCFI this disables building the target on Windows. A first attempt at a fix failed so until a better method of diagnosing the problem is determined we will disable it as it wasn't used by ClusterFuzz anyway (Linux only).

Bug: 844826
Change-Id: I47820432ddb94334006ee727120a242684152b97
Reviewed-on: https://chromium-review.googlesource.com/1072506
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561641}
NOKEYCHECK=True
GitOrigin-RevId: 77d87185250262afe6e43367fd2d95aef5eb186e
2021-07-23 | [Zucchini] Fix ToTWinCFI | Calder Kitagawa

This is an attempted fix for ToTWinCFI. Looks like sys.executable logic isn't working well on some Python configurations so directly using sys.executable.

If this doesn't fix ToTCFI I'll revert the previous change until I can determine what is happening: https://chromium.googlesource.com/chromium/src/+/8e7c08d3d11c61d08ad05d3ebc283aa2d6bf7c91

Thanks to thakis@ for solution suggestion.

Bug: 844826
Change-Id: Ie1cb36fe19401e954cb84bc905cd95c9eefa1622
Reviewed-on: https://chromium-review.googlesource.com/1072159
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561567}
NOKEYCHECK=True
GitOrigin-RevId: ee3c0b0a933b9d9466620186bfeff8f62ea0af5f
2021-07-23 | [Zucchini] (raw) Gen Fuzzer | Calder Kitagawa

This is part of a series of Fuzzers to be added to Zucchini for security review. This tests the raw data patch generation logic exercising the patch writer and gen process. It only covers ~20% of code in 100000 executions as the bulk of the remaining code is associated with the much more complex and expensive to fuzz reference related code.

With the supplied seed corpus the fuzzer reaches approximately 5000 execs/s.

There were no bug/stability issues found in raw gen.

The file format for the seed is a FilePair proto as used in raw Apply; however, it is static so doesn't need regeneration. The files within the FilePair seed are ZTF (Zucchini Text Format) files based on the code that will be landed in: https://chromium-review.googlesource.com/c/chromium/src/+/1056147

This way the source files can be reused in the ZTF gen and apply fuzzers which will be used to more efficiently fuzz the reference handling code in Zucchini.

Remaining Security Review Fuzzers (For Windows Launch)
- ZTF Gen
- ZTF Apply
(ZTF = Zucchini text format)

Note that suffix array while originally discussed is already implicitly fuzzed by this fuzzer and as such shouldn't require a standalone fuzzer.

Other remaining fuzzers (Not shipped so non-blocking of Windows Launch)
- Disassembler DEX
- Disassembler ELF (when merged from Trunk)

To create the seed file pair run the following from components/zucchini/fuzzers/

    ./create_seed_file_pair.py ../../../out/Release/protoc \
        testdata/old.ztxt testdata/new.ztxt testdata/seed_proto.bin

Note: you need to first build protoc in out/Release/

Bug: 835341
Change-Id: I1bf5c2a4251093bbf5bfc92904afc376a2832dbd
Reviewed-on: https://chromium-review.googlesource.com/1062412
Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559676}
NOKEYCHECK=True
GitOrigin-RevId: 133fb1221e6c293dc43ff438567b2834b2e5c798
2021-07-23 | Reland "[Zucchini] (raw) Apply fuzzer" | Calder Kitagawa

This is a reland of f4a598ff5adfe27f8153bd36984ee9cb549f99e9

Windows cannot resolve #!/usr/bin/env python depending on how it is configured. To fix this explicitly use python in the subprocess call. Interestingly, the Tryjobs didn't catch this and only the official build waterfall does...

Original change's description:
> [Zucchini] (raw) Apply fuzzer
>
> This is part of a series of Fuzzers to be added to Zucchini for
> security review. This tests the raw data patch application logic
> exercising the patch reader and apply process. It only covers ~20%
> of code in 100000 executions as the bulk of the remaining code is
> associated with the much more complex and expensive to fuzz reference
> related code.
>
> With the supplied seed corpus the fuzzer reaches approximately 11000
> execs/s.
>
> This found a couple bugs which are fixed in:
> https://chromium-review.googlesource.com/c/chromium/src/+/1028575
>
>
> Bug: 835341
> Change-Id: Idc1d862bfaa6eb6313f39e10536f4750c05ab863
> Reviewed-on: https://chromium-review.googlesource.com/1028570
> Commit-Queue: Calder Kitagawa <ckitagawa@google.com>
> Reviewed-by: Samuel Huang <huangs@chromium.org>
> Reviewed-by: Greg Thompson <grt@chromium.org>
> Reviewed-by: Max Moroz <mmoroz@chromium.org>
> Reviewed-by: Jonathan Metzman <metzman@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#557185}

Bug: 835341
Change-Id: I24e94dd0c2035d84c84636f0a0a30756ae7f0c36
Reviewed-on: https://chromium-review.googlesource.com/1052567
Commit-Queue: Calder Kitagawa <ckitagawa@google.com>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557286}
NOKEYCHECK=True
GitOrigin-RevId: 8e7c08d3d11c61d08ad05d3ebc283aa2d6bf7c91
2021-07-23 | Revert "[Zucchini] (raw) Apply fuzzer" | vitaliii

This reverts commit f4a598ff5adfe27f8153bd36984ee9cb549f99e9.

Reason for revert: Does not compile on Win 64, see https://ci.chromium.org/buildbot/chromium/Win%20x64/22249

Original change's description:
> [Zucchini] (raw) Apply fuzzer
>
> This is part of a series of Fuzzers to be added to Zucchini for
> security review. This tests the raw data patch application logic
> exercising the patch reader and apply process. It only covers ~20%
> of code in 100000 executions as the bulk of the remaining code is
> associated with the much more complex and expensive to fuzz reference
> related code.
>
> With the supplied seed corpus the fuzzer reaches approximately 11000
> execs/s.
>
> This found a couple bugs which are fixed in:
> https://chromium-review.googlesource.com/c/chromium/src/+/1028575
>
>
> Bug: 835341
> Change-Id: Idc1d862bfaa6eb6313f39e10536f4750c05ab863
> Reviewed-on: https://chromium-review.googlesource.com/1028570
> Commit-Queue: Calder Kitagawa <ckitagawa@google.com>
> Reviewed-by: Samuel Huang <huangs@chromium.org>
> Reviewed-by: Greg Thompson <grt@chromium.org>
> Reviewed-by: Max Moroz <mmoroz@chromium.org>
> Reviewed-by: Jonathan Metzman <metzman@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#557185}

TBR=huangs@chromium.org,mmoroz@chromium.org,grt@chromium.org,metzman@chromium.org,ckitagawa@google.com

Change-Id: Ia1790a01d3f31f25b243ce6e4ec5b52e423e3f6e
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 835341
Reviewed-on: https://chromium-review.googlesource.com/1052287
Reviewed-by: vitaliii <vitaliii@chromium.org>
Commit-Queue: vitaliii <vitaliii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557196}
NOKEYCHECK=True
GitOrigin-RevId: 0101ff77e665851a5fab50b19427cbb5cdb54954
2021-07-23 | [Zucchini] (raw) Apply fuzzer | Calder Kitagawa

This is part of a series of Fuzzers to be added to Zucchini for security review. This tests the raw data patch application logic exercising the patch reader and apply process. It only covers ~20% of code in 100000 executions as the bulk of the remaining code is associated with the much more complex and expensive to fuzz reference related code.

With the supplied seed corpus the fuzzer reaches approximately 11000 execs/s.

This found a couple bugs which are fixed in: https://chromium-review.googlesource.com/c/chromium/src/+/1028575

Bug: 835341
Change-Id: Idc1d862bfaa6eb6313f39e10536f4750c05ab863
Reviewed-on: https://chromium-review.googlesource.com/1028570
Commit-Queue: Calder Kitagawa <ckitagawa@google.com>
Reviewed-by: Samuel Huang <huangs@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Reviewed-by: Max Moroz <mmoroz@chromium.org>
Reviewed-by: Jonathan Metzman <metzman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557185}
NOKEYCHECK=True
GitOrigin-RevId: f4a598ff5adfe27f8153bd36984ee9cb549f99e9
2021-07-23 | [Zucchini] Restructure fuzzer directory | Calder Kitagawa

More fuzzers need to be added to Zucchini for launch including adding support for protobuf based fuzzers. To facilitate this a new fuzzers/ subdirectory will help to separate Zucchini from its fuzz related infrastructure.

Bug: 835341
Change-Id: Ib18bfe9bb0b0050e94fa7bdca22fb99c735d9141
Reviewed-on: https://chromium-review.googlesource.com/1026475
Reviewed-by: Samuel Huang <huangs@chromium.org>
Commit-Queue: Calder Kitagawa <ckitagawa@google.com>
Cr-Commit-Position: refs/heads/master@{#553254}
NOKEYCHECK=True
GitOrigin-RevId: 4725b4fbb75b0f4b2dda8f56e644ca6ef546cd0e