From a9a730fd742fb775afea2f091ad5d55a73e68edf Mon Sep 17 00:00:00 2001 
From: Benoit Blanchon Date: Thu, 7 Jun 2018 10:36:57 +0200 Subject: [PATCH] Added MessagePack fuzzing --- fuzzing/Makefile | 11 ++++--- fuzzing/fuzzer.cpp | 27 ---------------- fuzzing/{my_corpus => json_corpus}/.gitignore | 0 fuzzing/json_fuzzer.cpp | 11 +++++++ .../Comments.json | 0 .../EmptyArray.json | 0 .../EmptyObject.json | 0 .../ExcessiveNesting.json | 0 .../Numbers.json | 0 .../OpenWeatherMap.json | 0 .../Strings.json | 0 .../WeatherUnderground.json | 0 fuzzing/msgpack_corpus/.gitignore | 2 ++ fuzzing/msgpack_fuzzer.cpp | 11 +++++++ fuzzing/msgpack_seed_corpus/array16 | Bin 0 -> 15 bytes fuzzing/msgpack_seed_corpus/array32 | Bin 0 -> 15 bytes fuzzing/msgpack_seed_corpus/false | 1 + fuzzing/msgpack_seed_corpus/fixarray | 1 + fuzzing/msgpack_seed_corpus/fixint_negative | 1 + fuzzing/msgpack_seed_corpus/fixint_positive | 1 + fuzzing/msgpack_seed_corpus/fixmap | 1 + fuzzing/msgpack_seed_corpus/fixstr | 1 + fuzzing/msgpack_seed_corpus/float32 | 1 + fuzzing/msgpack_seed_corpus/float64 | 1 + fuzzing/msgpack_seed_corpus/int16 | 1 + fuzzing/msgpack_seed_corpus/int32 | 1 + fuzzing/msgpack_seed_corpus/int64 | 1 + fuzzing/msgpack_seed_corpus/int8 | 1 + fuzzing/msgpack_seed_corpus/map16 | Bin 0 -> 19 bytes fuzzing/msgpack_seed_corpus/map32 | Bin 0 -> 23 bytes fuzzing/msgpack_seed_corpus/nil | 1 + fuzzing/msgpack_seed_corpus/str16 | Bin 0 -> 8 bytes fuzzing/msgpack_seed_corpus/str32 | Bin 0 -> 10 bytes fuzzing/msgpack_seed_corpus/str8 | 1 + fuzzing/msgpack_seed_corpus/true | 1 + fuzzing/msgpack_seed_corpus/uint16 | 1 + fuzzing/msgpack_seed_corpus/uint32 | 1 + fuzzing/msgpack_seed_corpus/uint64 | 1 + fuzzing/msgpack_seed_corpus/uint8 | 1 + scripts/oss-fuzz/Vagrantfile | 11 ++++--- scripts/travis/fuzz.sh | 30 +++++++++++------- 41 files changed, 74 insertions(+), 48 deletions(-) delete mode 100644 fuzzing/fuzzer.cpp rename fuzzing/{my_corpus => json_corpus}/.gitignore (100%) create mode 100644 fuzzing/json_fuzzer.cpp rename fuzzing/{seed_corpus => 
json_seed_corpus}/Comments.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/EmptyArray.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/EmptyObject.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/ExcessiveNesting.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/Numbers.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/OpenWeatherMap.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/Strings.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/WeatherUnderground.json (100%) create mode 100644 fuzzing/msgpack_corpus/.gitignore create mode 100644 fuzzing/msgpack_fuzzer.cpp create mode 100644 fuzzing/msgpack_seed_corpus/array16 create mode 100644 fuzzing/msgpack_seed_corpus/array32 create mode 100644 fuzzing/msgpack_seed_corpus/false create mode 100644 fuzzing/msgpack_seed_corpus/fixarray create mode 100644 fuzzing/msgpack_seed_corpus/fixint_negative create mode 100644 fuzzing/msgpack_seed_corpus/fixint_positive create mode 100644 fuzzing/msgpack_seed_corpus/fixmap create mode 100644 fuzzing/msgpack_seed_corpus/fixstr create mode 100644 fuzzing/msgpack_seed_corpus/float32 create mode 100644 fuzzing/msgpack_seed_corpus/float64 create mode 100644 fuzzing/msgpack_seed_corpus/int16 create mode 100644 fuzzing/msgpack_seed_corpus/int32 create mode 100644 fuzzing/msgpack_seed_corpus/int64 create mode 100644 fuzzing/msgpack_seed_corpus/int8 create mode 100644 fuzzing/msgpack_seed_corpus/map16 create mode 100644 fuzzing/msgpack_seed_corpus/map32 create mode 100644 fuzzing/msgpack_seed_corpus/nil create mode 100644 fuzzing/msgpack_seed_corpus/str16 create mode 100644 fuzzing/msgpack_seed_corpus/str32 create mode 100644 fuzzing/msgpack_seed_corpus/str8 create mode 100644 fuzzing/msgpack_seed_corpus/true create mode 100644 fuzzing/msgpack_seed_corpus/uint16 create mode 100644 fuzzing/msgpack_seed_corpus/uint32 create mode 100644 fuzzing/msgpack_seed_corpus/uint64 create mode 100644 
fuzzing/msgpack_seed_corpus/uint8
diff --git a/fuzzing/Makefile b/fuzzing/Makefile
index f3ed397f..0f2aaabf 100644
--- a/fuzzing/Makefile
+++ b/fuzzing/Makefile
@@ -5,15 +5,18 @@ CXXFLAGS += -I../src
 all: \
 $(OUT)/json_fuzzer \
 $(OUT)/json_fuzzer_seed_corpus.zip \
- $(OUT)/json_fuzzer.options
+ $(OUT)/json_fuzzer.options \
+ $(OUT)/msgpack_fuzzer \
+ $(OUT)/msgpack_fuzzer_seed_corpus.zip \
+ $(OUT)/msgpack_fuzzer.options
-$(OUT)/json_fuzzer: fuzzer.cpp $(shell find ../src -type f)
+$(OUT)/%_fuzzer: %_fuzzer.cpp $(shell find ../src -type f)
 $(CXX) $(CXXFLAGS) $< -o$@ $(LIB_FUZZING_ENGINE)
-$(OUT)/json_fuzzer_seed_corpus.zip: seed_corpus/*
+$(OUT)/%_fuzzer_seed_corpus.zip: %_seed_corpus/*
 zip -j $@ $?
-$(OUT)/json_fuzzer.options:
+$(OUT)/%_fuzzer.options:
 @echo "[libfuzzer]" > $@
 @echo "max_len = 256" >> $@
 @echo "timeout = 10" >> $@
diff --git a/fuzzing/fuzzer.cpp b/fuzzing/fuzzer.cpp
deleted file mode 100644
index 8ceacaf4..00000000
--- a/fuzzing/fuzzer.cpp
+++ /dev/null
@@ -1,27 +0,0 @@
-#include
-
-class memstream : public std::istream {
- struct membuf : std::streambuf {
- membuf(const uint8_t *p, size_t l) {
- setg((char *)p, (char *)p, (char *)p + l);
- }
- };
- membuf _buffer;
-
- public:
- memstream(const uint8_t *p, size_t l)
- : std::istream(&_buffer), _buffer(p, l) {
- rdbuf(&_buffer);
- }
-};
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- DynamicJsonDocument doc;
- memstream json(data, size);
- DeserializationError error = deserializeJson(doc, json);
- if (error == DeserializationError::Ok) {
- JsonVariant variant = doc.as();
- variant.as(); // <- serialize to JSON
- }
- return 0;
-}
diff --git a/fuzzing/my_corpus/.gitignore b/fuzzing/json_corpus/.gitignore
similarity index 100%
rename from fuzzing/my_corpus/.gitignore
rename to fuzzing/json_corpus/.gitignore
diff --git a/fuzzing/json_fuzzer.cpp b/fuzzing/json_fuzzer.cpp
new file mode 100644
index 00000000..bd44def6
--- /dev/null
+++ b/fuzzing/json_fuzzer.cpp
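Review bot: The `zip -j $@ $?` recipe in the new `%_fuzzer_seed_corpus.zip` pattern rule passes only the prerequisites newer than the target, so on an incremental build a seed file that was removed or renamed stays in an already-existing archive and keeps seeding the fuzzer; `rm -f $@ && zip -j $@ $^` rebuilds the archive from the directory's current contents. The `%_fuzzer.options` rule has no prerequisites, so editing `max_len` or `timeout` in the recipe does not regenerate an options file that already exists in `$(OUT)`; listing the Makefile itself, `$(OUT)/%_fuzzer.options: Makefile`, fixes that. Both targets now share `max_len = 256`; a comment next to that value recording why the bound is acceptable for the MessagePack target (it caps how large a length-prefixed array16/map16/str16 payload the fuzzer can ever build) would save the next reader from guessing.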
@@ -0,0 +1,11 @@
+#include
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ DynamicJsonDocument doc;
+ DeserializationError error = deserializeJson(doc, data, size);
+ if (!error) {
+ std::string json;
+ serializeJson(doc, json);
+ }
+ return 0;
+}
diff --git a/fuzzing/seed_corpus/Comments.json b/fuzzing/json_seed_corpus/Comments.json
similarity index 100%
rename from fuzzing/seed_corpus/Comments.json
rename to fuzzing/json_seed_corpus/Comments.json
diff --git a/fuzzing/seed_corpus/EmptyArray.json b/fuzzing/json_seed_corpus/EmptyArray.json
similarity index 100%
rename from fuzzing/seed_corpus/EmptyArray.json
rename to fuzzing/json_seed_corpus/EmptyArray.json
diff --git a/fuzzing/seed_corpus/EmptyObject.json b/fuzzing/json_seed_corpus/EmptyObject.json
similarity index 100%
rename from fuzzing/seed_corpus/EmptyObject.json
rename to fuzzing/json_seed_corpus/EmptyObject.json
diff --git a/fuzzing/seed_corpus/ExcessiveNesting.json b/fuzzing/json_seed_corpus/ExcessiveNesting.json
similarity index 100%
rename from fuzzing/seed_corpus/ExcessiveNesting.json
rename to fuzzing/json_seed_corpus/ExcessiveNesting.json
diff --git a/fuzzing/seed_corpus/Numbers.json b/fuzzing/json_seed_corpus/Numbers.json
similarity index 100%
rename from fuzzing/seed_corpus/Numbers.json
rename to fuzzing/json_seed_corpus/Numbers.json
diff --git a/fuzzing/seed_corpus/OpenWeatherMap.json b/fuzzing/json_seed_corpus/OpenWeatherMap.json
similarity index 100%
rename from fuzzing/seed_corpus/OpenWeatherMap.json
rename to fuzzing/json_seed_corpus/OpenWeatherMap.json
diff --git a/fuzzing/seed_corpus/Strings.json b/fuzzing/json_seed_corpus/Strings.json
similarity index 100%
rename from fuzzing/seed_corpus/Strings.json
rename to fuzzing/json_seed_corpus/Strings.json
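Review bot: The new harness discards the result of `serializeJson`, so a document that deserialized without error but cannot be re-serialized, or re-serializes to text that `deserializeJson` then rejects, goes unreported — only memory errors caught by the sanitizer surface. Feeding `json` back through `deserializeJson` into a second `DynamicJsonDocument` and calling `abort()` when that second parse returns an error turns the round trip into a checked property for a modest cost in throughput. The same applies to `msgpack_fuzzer.cpp`, with `serializeMsgPack` and `deserializeMsgPack` in place of the JSON pair.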
diff --git a/fuzzing/seed_corpus/WeatherUnderground.json b/fuzzing/json_seed_corpus/WeatherUnderground.json
similarity index 100%
rename from fuzzing/seed_corpus/WeatherUnderground.json
rename to fuzzing/json_seed_corpus/WeatherUnderground.json
diff --git a/fuzzing/msgpack_corpus/.gitignore b/fuzzing/msgpack_corpus/.gitignore
new file mode 100644
index 00000000..d6b7ef32
--- /dev/null
+++ b/fuzzing/msgpack_corpus/.gitignore
@@ -0,0 +1,2 @@
+*
+!.gitignore
diff --git a/fuzzing/msgpack_fuzzer.cpp b/fuzzing/msgpack_fuzzer.cpp
new file mode 100644
index 00000000..ef7a648e
--- /dev/null
+++ b/fuzzing/msgpack_fuzzer.cpp
@@ -0,0 +1,11 @@
+#include
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ DynamicJsonDocument doc;
+ DeserializationError error = deserializeMsgPack(doc, data, size);
+ if (!error) {
+ std::string json;
+ serializeMsgPack(doc, json);
+ }
+ return 0;
+}
diff --git a/fuzzing/msgpack_seed_corpus/array16 b/fuzzing/msgpack_seed_corpus/array16
new file mode 100644
index 0000000000000000000000000000000000000000..714ba99e70cbed2056b4e4b04c86bb1a2ff7311b
GIT binary patch literal 15 Wcmcb^z_c_YH76&3X?cE8P6_}q=LTf} literal 0 HcmV?d00001
diff --git a/fuzzing/msgpack_seed_corpus/array32 b/fuzzing/msgpack_seed_corpus/array32
new file mode 100644
index 0000000000000000000000000000000000000000..6e3ed7b1b81742fbb90a4135004b55a9a45a5769
GIT binary patch literal 15 Vcmcc1z`($C3P>=Va`5> $HOME/.profile echo "export CC='clang'" >> $HOME/.profile
diff --git a/scripts/travis/fuzz.sh b/scripts/travis/fuzz.sh
index 5c5fb6d8..1b2dac28 100755
--- a/scripts/travis/fuzz.sh
+++ b/scripts/travis/fuzz.sh
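Review bot: After a successful `deserializeMsgPack` the harness only runs `serializeMsgPack`, so the JSON writer never sees documents built from MessagePack input; adding `serializeJson(doc, json);` beside it is a one-line change that exercises the JSON string escaper with string contents that arrived without passing through the JSON parser's own rules, a path the JSON fuzzer cannot reach. The new `msgpack_seed_corpus` has one file per scalar and container type but, unlike the JSON corpus with its `ExcessiveNesting.json`, no deeply nested sample; a nested fixarray/fixmap seed would steer the fuzzer toward the decoder's nesting-depth path much sooner. The output buffer is still named `json` although it now holds MessagePack bytes; `out` would read better.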
@@ -1,20 +1,26 @@ #!/bin/bash -eux ROOT_DIR=$(dirname $0)/../../ -INCLUDE_DIR=$ROOT_DIR/src/ -FUZZING_DIR=$ROOT_DIR/fuzzing/ -JSON_CORPUS_DIR=$FUZZING_DIR/my_corpus -JSON_SEED_CORPUS_DIR=$FUZZING_DIR/seed_corpus - -CXX="clang++-$CLANG" +INCLUDE_DIR=${ROOT_DIR}/src/ +FUZZING_DIR=${ROOT_DIR}/fuzzing/ CXXFLAGS="-g -fprofile-instr-generate -fcoverage-mapping -fsanitize=address,fuzzer" -$CXX $CXXFLAGS -o json_fuzzer -I$INCLUDE_DIR $FUZZING_DIR/fuzzer.cpp +fuzz() { + NAME="$1" + FUZZER="${NAME}_fuzzer" + FUZZER_CPP="${FUZZING_DIR}/${NAME}_fuzzer.cpp" + CORPUS_DIR="${FUZZING_DIR}/${NAME}_corpus" + SEED_CORPUS_DIR="${FUZZING_DIR}/${NAME}_seed_corpus" -export ASAN_OPTIONS="detect_leaks=0" -export LLVM_PROFILE_FILE="json_fuzzer.profraw" -./json_fuzzer "$JSON_CORPUS_DIR" "$JSON_SEED_CORPUS_DIR" -max_total_time=60 + clang++-${CLANG} ${CXXFLAGS} -o ${FUZZER} -I$INCLUDE_DIR ${FUZZER_CPP} -llvm-profdata-$CLANG merge -sparse json_fuzzer.profraw -o json_fuzzer.profdata + export ASAN_OPTIONS="detect_leaks=0" + export LLVM_PROFILE_FILE="${FUZZER}.profraw" + ./${FUZZER} "$CORPUS_DIR" "$SEED_CORPUS_DIR" -max_total_time=30 -llvm-cov-$CLANG report ./json_fuzzer -instr-profile=json_fuzzer.profdata + llvm-profdata-${CLANG} merge -sparse ${LLVM_PROFILE_FILE} -o ${FUZZER}.profdata + llvm-cov-${CLANG} report ./${FUZZER} -instr-profile=${FUZZER}.profdata +} + +fuzz json +fuzz msgpack
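Review bot: The variables assigned inside the new `fuzz()` (`NAME`, `FUZZER`, `FUZZER_CPP`, `CORPUS_DIR`, `SEED_CORPUS_DIR`) are not declared `local`, so each call overwrites script-global state and the two `export`s inside the function persist across calls; `local NAME="$1"` and the same for the other four keeps the function self-contained. The compile line mixes quoting styles: `-I$INCLUDE_DIR` and `${FUZZER_CPP}` are expanded unquoted while the corpus directories on the run line are quoted, so a checkout path containing a space would break the build step but not the run step; `-I"${INCLUDE_DIR}" "${FUZZER_CPP}"` makes the two lines consistent. `ASAN_OPTIONS="detect_leaks=0"` is carried over from the old script; if leak reports from the deserializers are meant to be out of scope, a one-line comment saying so would stop the next reader from re-enabling it by accident.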