Unverified Commit 64138b70 by Patrick Steinhardt Committed by GitHub

Merge pull request #4728 from pks-t/pks/fuzzers

Fuzzers
parents 0cf75467 835d6043
......@@ -31,3 +31,5 @@ msvc/Release/
.*.swp
tags
mkmf.log
*.profdata
*.profraw
......@@ -38,33 +38,36 @@ INCLUDE(EnableWarnings)
# Build options
#
OPTION( SONAME "Set the (SO)VERSION of the target" ON )
OPTION( BUILD_SHARED_LIBS "Build Shared Library (OFF for Static)" ON )
OPTION( THREADSAFE "Build libgit2 as threadsafe" ON )
OPTION( BUILD_CLAR "Build Tests using the Clar suite" ON )
OPTION( BUILD_EXAMPLES "Build library usage example apps" OFF )
OPTION( TAGS "Generate tags" OFF )
OPTION( PROFILE "Generate profiling information" OFF )
OPTION( ENABLE_TRACE "Enables tracing support" OFF )
OPTION( LIBGIT2_FILENAME "Name of the produced binary" OFF )
SET(SHA1_BACKEND "CollisionDetection" CACHE STRING "Backend to use for SHA1. One of Generic, OpenSSL, Win32, CommonCrypto, mbedTLS, CollisionDetection. ")
OPTION( USE_SSH "Link with libssh to enable SSH support" ON )
OPTION( USE_HTTPS "Enable HTTPS support. Can be set to a specific backend" ON )
OPTION( USE_GSSAPI "Link with libgssapi for SPNEGO auth" OFF )
OPTION( VALGRIND "Configure build for valgrind" OFF )
OPTION( CURL "Use curl for HTTP if available" ON)
OPTION( USE_EXT_HTTP_PARSER "Use system HTTP_Parser if available" ON)
OPTION( DEBUG_POOL "Enable debug pool allocator" OFF )
OPTION( ENABLE_WERROR "Enable compilation with -Werror" OFF )
OPTION( USE_BUNDLED_ZLIB "Use the bundled version of zlib" OFF )
OPTION(SONAME "Set the (SO)VERSION of the target" ON)
OPTION(BUILD_SHARED_LIBS "Build Shared Library (OFF for Static)" ON)
OPTION(THREADSAFE "Build libgit2 as threadsafe" ON)
OPTION(BUILD_CLAR "Build Tests using the Clar suite" ON)
OPTION(BUILD_EXAMPLES "Build library usage example apps" OFF)
OPTION(BUILD_FUZZERS "Build the fuzz targets" OFF)
OPTION(TAGS "Generate tags" OFF)
OPTION(PROFILE "Generate profiling information" OFF)
OPTION(ENABLE_TRACE "Enables tracing support" OFF)
OPTION(LIBGIT2_FILENAME "Name of the produced binary" OFF)
SET(SHA1_BACKEND "CollisionDetection" CACHE STRING
"Backend to use for SHA1. One of Generic, OpenSSL, Win32, CommonCrypto, mbedTLS, CollisionDetection.")
OPTION(USE_SSH "Link with libssh to enable SSH support" ON)
OPTION(USE_HTTPS "Enable HTTPS support. Can be set to a specific backend" ON)
OPTION(USE_GSSAPI "Link with libgssapi for SPNEGO auth" OFF)
OPTION(USE_STANDALONE_FUZZERS "Enable standalone fuzzers (compatible with gcc)" OFF)
OPTION(VALGRIND "Configure build for valgrind" OFF)
OPTION(CURL "Use curl for HTTP if available" ON)
OPTION(USE_EXT_HTTP_PARSER "Use system HTTP_Parser if available" ON)
OPTION(DEBUG_POOL "Enable debug pool allocator" OFF)
OPTION(ENABLE_WERROR "Enable compilation with -Werror" OFF)
OPTION(USE_BUNDLED_ZLIB "Use the bundled version of zlib" OFF)
IF (UNIX AND NOT APPLE)
OPTION( ENABLE_REPRODUCIBLE_BUILDS "Enable reproducible builds" OFF )
OPTION(ENABLE_REPRODUCIBLE_BUILDS "Enable reproducible builds" OFF)
ENDIF()
IF (APPLE)
OPTION( USE_ICONV "Link with and use iconv library" ON )
OPTION(USE_ICONV "Link with and use iconv library" ON)
ENDIF()
IF(MSVC)
......@@ -74,22 +77,22 @@ IF(MSVC)
#
# If you are writing a CLR program and want to link to libgit2, you'll want
# to turn this on by invoking CMake with the "-DSTDCALL=ON" argument.
OPTION( STDCALL "Build libgit2 with the __stdcall convention" OFF )
OPTION(STDCALL "Build libgit2 with the __stdcall convention" OFF)
# This option must match the settings used in your program, in particular if you
# are linking statically
OPTION( STATIC_CRT "Link the static CRT libraries" ON )
OPTION(STATIC_CRT "Link the static CRT libraries" ON)
# If you want to embed a copy of libssh2 into libgit2, pass a
# path to libssh2
OPTION( EMBED_SSH_PATH "Path to libssh2 to embed (Windows)" OFF )
OPTION(EMBED_SSH_PATH "Path to libssh2 to embed (Windows)" OFF)
ENDIF()
IF(WIN32)
# By default, libgit2 is built with WinHTTP. To use the built-in
# HTTP transport, invoke CMake with the "-DWINHTTP=OFF" argument.
OPTION( WINHTTP "Use Win32 WinHTTP routines" ON )
OPTION(WINHTTP "Use Win32 WinHTTP routines" ON)
ENDIF()
IF(MSVC)
......@@ -245,6 +248,14 @@ ELSE()
# that uses CMAKE_CONFIGURATION_TYPES and not CMAKE_BUILD_TYPE
ENDIF()
IF(BUILD_FUZZERS AND NOT USE_STANDALONE_FUZZERS)
# The actual sanitizer link target will be added when linking the fuzz
# targets.
SET(CMAKE_REQUIRED_FLAGS "-fsanitize=fuzzer-no-link")
ADD_C_FLAG(-fsanitize=fuzzer-no-link)
UNSET(CMAKE_REQUIRED_FLAGS)
ENDIF ()
ADD_SUBDIRECTORY(src)
# Tests
......@@ -282,6 +293,18 @@ IF (BUILD_EXAMPLES)
ADD_SUBDIRECTORY(examples)
ENDIF ()
IF(BUILD_FUZZERS)
IF(NOT USE_STANDALONE_FUZZERS)
IF(BUILD_EXAMPLES)
MESSAGE(FATAL_ERROR "Cannot build the fuzzer targets and the examples together")
ENDIF()
IF(BUILD_CLAR)
MESSAGE(FATAL_ERROR "Cannot build the fuzzer targets and the tests together")
ENDIF()
ENDIF()
ADD_SUBDIRECTORY(fuzzers)
ENDIF()
IF(CMAKE_VERSION VERSION_GREATER 3)
FEATURE_SUMMARY(WHAT ENABLED_FEATURES DESCRIPTION "Enabled features:")
FEATURE_SUMMARY(WHAT DISABLED_FEATURES DESCRIPTION "Disabled features:")
......
......@@ -29,7 +29,7 @@ echo "## Configuring build environment"
echo "##############################################################################"
echo cmake ${SOURCE_DIR} -DBUILD_EXAMPLES=ON ${CMAKE_OPTIONS}
cmake ${SOURCE_DIR} -DBUILD_EXAMPLES=ON ${CMAKE_OPTIONS}
cmake ${SOURCE_DIR} -DBUILD_EXAMPLES=ON -DBUILD_FUZZERS=ON -DUSE_STANDALONE_FUZZERS=ON ${CMAKE_OPTIONS}
echo ""
echo "##############################################################################"
......
......@@ -184,6 +184,17 @@ if [ -z "$SKIP_SSH_TESTS" ]; then
unset GITTEST_REMOTE_SSH_FINGERPRINT
fi
if [ -z "$SKIP_FUZZERS" ]; then
echo ""
echo "##############################################################################"
echo "## Running fuzzers"
echo "##############################################################################"
for fuzzer in fuzzers/*_fuzzer; do
"${fuzzer}" "${SOURCE_DIR}/fuzzers/corpora/$(basename "${fuzzer%_fuzzer}")" || die $?
done
fi
echo "Success."
cleanup
exit 0
......@@ -5,6 +5,18 @@
INCLUDE(CheckCCompilerFlag)
MACRO(ADD_C_FLAG _FLAG)
STRING(TOUPPER ${_FLAG} UPCASE)
STRING(REGEX REPLACE "^-" "" UPCASE_PRETTY ${UPCASE})
CHECK_C_COMPILER_FLAG(${_FLAG} IS_${UPCASE_PRETTY}_SUPPORTED)
IF(IS_${UPCASE_PRETTY}_SUPPORTED)
SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${_FLAG}")
ELSE()
MESSAGE(FATAL_ERROR "Required flag ${_FLAG} is not supported")
ENDIF()
ENDMACRO()
MACRO(ADD_C_FLAG_IF_SUPPORTED _FLAG)
STRING(TOUPPER ${_FLAG} UPCASE)
STRING(REGEX REPLACE "^-" "" UPCASE_PRETTY ${UPCASE})
......
# Fuzzing
libgit2 is currently using [libFuzzer](https://libfuzzer.info) to perform
automated fuzz testing. libFuzzer only works with clang.
## Prerequisites** for building fuzz targets:
1. All the prerequisites for [building libgit2](https://github.com/libgit2/libgit2).
2. A recent version of clang. 6.0 is preferred. [pre-build Debian/Ubuntu
packages](https://github.com/libgit2/libgit2)
## Build
1. Create a build directory beneath the libgit2 source directory, and change
into it: `mkdir build && cd build`
2. Choose one sanitizers to add. The currently supported sanitizers are
[`address`](https://clang.llvm.org/docs/AddressSanitizer.html),
[`undefined`](https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html),
and [`leak`/`address,leak`](https://clang.llvm.org/docs/LeakSanitizer.html).
3. Create the cmake build environment and configure the build with the
sanitizer chosen: `CC=/usr/bin/clang-6.0 CFLAGS="-fsanitize=address" cmake
-DBUILD_CLAR=OFF -DBUILD_FUZZERS=ON -DCMAKE_BUILD_TYPE=RelWithDebInfo ..`.
Note that building the fuzzer targets is incompatible with the
tests and examples.
4. Build libgit2: `cmake --build .`
5. Exit the cmake build environment: `cd ..`
## Run the fuzz targets
1. `ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolize-6.0
LSAN_OPTIONS=allocator_may_return_null=1
ASAN_OPTIONS=allocator_may_return_null=1 ./build/fuzz/fuzz_packfile_raw
fuzz/corpora/fuzz_packfile_raw/`
The `LSAN_OPTIONS` and `ASAN_OPTIONS` are there to allow `malloc(3)` to return
`NULL`. The `LLVM_PROFILE_FILE` is there to override the path where libFuzzer
will write the coverage report.
## Get coverage
In order to get coverage information, you need to add the "-fcoverage-mapping"
and "-fprofile-instr-generate CFLAGS, and then run the fuzz target with
`-runs=0`. That will produce a file called `default.profraw` (this behavior can
be overridden by setting the `LLVM_PROFILE_FILE="yourfile.profraw"` environment
variable).
1. `llvm-profdata-6.0 merge -sparse default.profraw -o
fuzz_packfile_raw.profdata` transforms the data from a sparse representation
into a format that can be used by the other tools.
2. `llvm-cov-6.0 report ./build/fuzz/fuzz_packfile_raw
-instr-profile=fuzz_packfile_raw.profdata` shows a high-level per-file
coverage report.
3. `llvm-cov-6.0 show ./build/fuzz/fuzz_packfile_raw
-instr-profile=fuzz_packfile_raw.profdata [source file]` shows a line-by-line
coverage analysis of all the codebase (or a single source file).
## Standalone mode
In order to ensure that there are no regresions, each fuzzer target can be run
in a standalone mode. This can be done by passing `-DUSE_STANDALONE_FUZZERS=ON`.
This makes it compatible with gcc. This does not use the fuzzing engine, but
just invokes every file in the chosen corpus.
In order to get full coverage, though, you might want to also enable one of the
sanitizers. You might need a recent version of clang to get full support.
## References
* [libFuzzer](https://llvm.org/docs/LibFuzzer.html) documentation.
* [Source-based Code
Coverage](https://clang.llvm.org/docs/SourceBasedCodeCoverage.html).
LINK_DIRECTORIES(${LIBGIT2_LIBDIRS})
INCLUDE_DIRECTORIES(${LIBGIT2_INCLUDES})
IF(BUILD_FUZZERS AND NOT USE_STANDALONE_FUZZERS)
ADD_C_FLAG(-fsanitize=fuzzer)
ENDIF ()
FILE(GLOB SRC_FUZZ RELATIVE ${CMAKE_CURRENT_SOURCE_DIR} *_fuzzer.c)
FOREACH(fuzz_target_src ${SRC_FUZZ})
STRING(REPLACE ".c" "" fuzz_target_name ${fuzz_target_src})
SET(${fuzz_target_name}_SOURCES ${fuzz_target_src} ${LIBGIT2_OBJECTS})
IF(USE_STANDALONE_FUZZERS)
LIST(APPEND ${fuzz_target_name}_SOURCES "standalone_driver.c")
ENDIF()
ADD_EXECUTABLE(${fuzz_target_name} ${${fuzz_target_name}_SOURCES})
SET_TARGET_PROPERTIES(${fuzz_target_name} PROPERTIES C_STANDARD 90)
TARGET_LINK_LIBRARIES(${fuzz_target_name} ${LIBGIT2_LIBS})
ENDFOREACH()
/*
* libgit2 raw packfile fuzz target.
*
* Copyright (C) the libgit2 contributors. All rights reserved.
*
* This file is part of libgit2, distributed under the GNU GPL v2 with
* a Linking Exception. For full terms see the included COPYING file.
*/
#include <string.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include "git2.h"
#include "git2/sys/transport.h"
#define UNUSED(x) (void)(x)
struct fuzzer_buffer {
const unsigned char *data;
size_t size;
};
struct fuzzer_stream {
git_smart_subtransport_stream base;
const unsigned char *readp;
const unsigned char *endp;
};
struct fuzzer_subtransport {
git_smart_subtransport base;
git_transport *owner;
struct fuzzer_buffer data;
};
static git_repository *repo;
static int fuzzer_stream_read(git_smart_subtransport_stream *stream,
char *buffer,
size_t buf_size,
size_t *bytes_read)
{
struct fuzzer_stream *fs = (struct fuzzer_stream *) stream;
size_t avail = fs->endp - fs->readp;
*bytes_read = (buf_size > avail) ? avail : buf_size;
memcpy(buffer, fs->readp, *bytes_read);
fs->readp += *bytes_read;
return 0;
}
static int fuzzer_stream_write(git_smart_subtransport_stream *stream,
const char *buffer, size_t len)
{
UNUSED(stream);
UNUSED(buffer);
UNUSED(len);
return 0;
}
static void fuzzer_stream_free(git_smart_subtransport_stream *stream)
{
free(stream);
}
static int fuzzer_stream_new(
struct fuzzer_stream **out,
const struct fuzzer_buffer *data)
{
struct fuzzer_stream *stream = malloc(sizeof(*stream));
if (!stream)
return -1;
stream->readp = data->data;
stream->endp = data->data + data->size;
stream->base.read = fuzzer_stream_read;
stream->base.write = fuzzer_stream_write;
stream->base.free = fuzzer_stream_free;
*out = stream;
return 0;
}
static int fuzzer_subtransport_action(
git_smart_subtransport_stream **out,
git_smart_subtransport *transport,
const char *url,
git_smart_service_t action)
{
struct fuzzer_subtransport *ft = (struct fuzzer_subtransport *) transport;
UNUSED(url);
UNUSED(action);
return fuzzer_stream_new((struct fuzzer_stream **) out, &ft->data);
}
static int fuzzer_subtransport_close(git_smart_subtransport *transport)
{
UNUSED(transport);
return 0;
}
static void fuzzer_subtransport_free(git_smart_subtransport *transport)
{
free(transport);
}
static int fuzzer_subtransport_new(
struct fuzzer_subtransport **out,
git_transport *owner,
const struct fuzzer_buffer *data)
{
struct fuzzer_subtransport *sub = malloc(sizeof(*sub));
if (!sub)
return -1;
sub->owner = owner;
sub->data.data = data->data;
sub->data.size = data->size;
sub->base.action = fuzzer_subtransport_action;
sub->base.close = fuzzer_subtransport_close;
sub->base.free = fuzzer_subtransport_free;
*out = sub;
return 0;
}
int fuzzer_subtransport_cb(
git_smart_subtransport **out,
git_transport *owner,
void *payload)
{
struct fuzzer_buffer *buf = (struct fuzzer_buffer *) payload;
struct fuzzer_subtransport *sub;
if (fuzzer_subtransport_new(&sub, owner, buf) < 0)
return -1;
*out = &sub->base;
return 0;
}
int fuzzer_transport_cb(git_transport **out, git_remote *owner, void *param)
{
git_smart_subtransport_definition def = {
fuzzer_subtransport_cb,
1,
param
};
return git_transport_smart(out, owner, &def);
}
void fuzzer_git_abort(const char *op)
{
const git_error *err = giterr_last();
fprintf(stderr, "unexpected libgit error: %s: %s\n",
op, err ? err->message : "<none>");
abort();
}
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
char tmp[] = "/tmp/git2.XXXXXX";
UNUSED(argc);
UNUSED(argv);
if (git_libgit2_init() < 0)
abort();
if (git_libgit2_opts(GIT_OPT_SET_PACK_MAX_OBJECTS, 10000000) < 0)
abort();
if (mkdtemp(tmp) != tmp)
abort();
if (git_repository_init(&repo, tmp, 1) < 0)
fuzzer_git_abort("git_repository_init");
return 0;
}
int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size)
{
struct fuzzer_buffer buffer = { data, size };
git_remote_callbacks callbacks = GIT_REMOTE_CALLBACKS_INIT;
git_remote *remote;
if (git_remote_create_anonymous(&remote, repo, "fuzzer://remote-url") < 0)
fuzzer_git_abort("git_remote_create");
callbacks.transport = fuzzer_transport_cb;
callbacks.payload = &buffer;
if (git_remote_connect(remote, GIT_DIRECTION_FETCH,
&callbacks, NULL, NULL) < 0)
goto out;
git_remote_download(remote, NULL, NULL);
out:
git_remote_free(remote);
return 0;
}
/*
* libgit2 packfile fuzzer target.
*
* Copyright (C) the libgit2 contributors. All rights reserved.
*
* This file is part of libgit2, distributed under the GNU GPL v2 with
* a Linking Exception. For full terms see the included COPYING file.
*/
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <limits.h>
#include <unistd.h>
#include "git2.h"
#include "git2/sys/mempack.h"
#define UNUSED(x) (void)(x)
static git_odb *odb = NULL;
static git_odb_backend *mempack = NULL;
/* Arbitrary object to seed the ODB. */
static const unsigned char base_obj[] = { 07, 076 };
static const unsigned int base_obj_len = 2;
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
UNUSED(argc);
UNUSED(argv);
if (git_libgit2_init() < 0) {
fprintf(stderr, "Failed to initialize libgit2\n");
abort();
}
if (git_libgit2_opts(GIT_OPT_SET_PACK_MAX_OBJECTS, 10000000) < 0) {
fprintf(stderr, "Failed to limit maximum pack object count\n");
abort();
}
if (git_odb_new(&odb) < 0) {
fprintf(stderr, "Failed to create the odb\n");
abort();
}
if (git_mempack_new(&mempack) < 0) {
fprintf(stderr, "Failed to create the mempack\n");
abort();
}
if (git_odb_add_backend(odb, mempack, 999) < 0) {
fprintf(stderr, "Failed to add the mempack\n");
abort();
}
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
git_indexer *indexer = NULL;
git_transfer_progress stats = {0, 0};
bool append_hash = false;
git_oid id;
char hash[GIT_OID_HEXSZ + 1] = {0};
char path[PATH_MAX];
if (size == 0)
return 0;
if (!odb || !mempack) {
fprintf(stderr, "Global state not initialized\n");
abort();
}
git_mempack_reset(mempack);
if (git_odb_write(&id, odb, base_obj, base_obj_len, GIT_OBJ_BLOB) < 0) {
fprintf(stderr, "Failed to add an object to the odb\n");
abort();
}
if (git_indexer_new(&indexer, ".", 0, odb, NULL, NULL) < 0) {
fprintf(stderr, "Failed to create the indexer: %s\n",
giterr_last()->message);
abort();
}
/*
* If the first byte in the stream has the high bit set, append the
* SHA1 hash so that the packfile is somewhat valid.
*/
append_hash = *data & 0x80;
++data;
--size;
if (git_indexer_append(indexer, data, size, &stats) < 0)
goto cleanup;
if (append_hash) {
git_oid oid;
if (git_odb_hash(&oid, data, size, GIT_OBJ_BLOB) < 0) {
fprintf(stderr, "Failed to compute the SHA1 hash\n");
abort();
}
if (git_indexer_append(indexer, &oid, sizeof(oid), &stats) < 0) {
goto cleanup;
}
}
if (git_indexer_commit(indexer, &stats) < 0)
goto cleanup;
/*
* We made it! We managed to produce a valid packfile.
* Let's clean it up.
*/
git_oid_fmt(hash, git_indexer_hash(indexer));
printf("Generated packfile %s\n", hash);
snprintf(path, sizeof(path), "pack-%s.idx", hash);
unlink(path);
snprintf(path, sizeof(path), "pack-%s.pack", hash);
unlink(path);
cleanup:
git_mempack_reset(mempack);
git_indexer_free(indexer);
return 0;
}
/*
* Copyright (C) the libgit2 contributors. All rights reserved.
*
* This file is part of libgit2, distributed under the GNU GPL v2 with
* a Linking Exception. For full terms see the included COPYING file.
*/
#include <assert.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include "fileops.h"
#include "path.h"
extern int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size);
extern int LLVMFuzzerInitialize(int *argc, char ***argv);
static int run_one_file(const char *filename)
{
git_buf buf = GIT_BUF_INIT;
int error = 0;
if (git_futils_readbuffer(&buf, filename) < 0) {
fprintf(stderr, "Failed to read %s: %m\n", filename);
error = -1;
goto exit;
}
LLVMFuzzerTestOneInput((const unsigned char *)buf.ptr, buf.size);
exit:
git_buf_dispose(&buf);
return error;
}
int main(int argc, char **argv)
{
git_vector corpus_files = GIT_VECTOR_INIT;
char *filename = NULL;
unsigned i = 0;
int error = 0;
if (argc != 2) {
fprintf(stderr, "Usage: %s <corpus directory>\n", argv[0]);
error = -1;
goto exit;
}
fprintf(stderr, "Running %s against %s\n", argv[0], argv[1]);
LLVMFuzzerInitialize(&argc, &argv);
if (git_path_dirload(&corpus_files, argv[1], 0, 0x0) < 0) {
fprintf(stderr, "Failed to scan corpus directory: %m\n");
error = -1;
goto exit;
}
git_vector_foreach(&corpus_files, i, filename) {
fprintf(stderr, "\tRunning %s...\n", filename);
if (run_one_file(filename) < 0) {
error = -1;
goto exit;
}
}
fprintf(stderr, "Done %d runs\n", i);
exit:
git_vector_free_deep(&corpus_files);
return error;
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment