
Add fuzzing application for gcoap #13898

Merged: 6 commits, May 30, 2020

Conversation


@nmeum nmeum commented Apr 18, 2020

Contribution description

Based on #13157, this PR adds a fuzzing application for the gcoap module. Since its initial implementation in 2019, the gcoap module has switched to using sock_async_event. For this reason, this PR also includes an implementation of a fuzzing termination condition for sock_async_event. After the callback has been invoked, the code checks if the previous packet returned by gnrc_sock_recv was the fuzzing packet; if so, the fuzzing application is terminated.

Testing procedure

One function tested extensively by this fuzzing application is coap_parse(). As such, this fuzzing application would have been capable of finding #10753. To test this, remove the following code from the coap_parse() function:

```c
if (option_count >= CONFIG_NANOCOAP_NOPTS_MAX) {
    DEBUG("nanocoap: max nr of options exceeded\n");
    return -ENOMEM;
}
```

Afterwards run:

```
$ make -C fuzzing/gcoap all-asan
$ make -C fuzzing/gcoap fuzz
```

AFL should discover a crash in the modified code branch within a few minutes.

Issues/PRs references
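To make the removed bounds check concrete, here is an added example (not RIOT's nanocoap code) of a minimal CoAP option parser shaped like coap_parse(): EXAMPLE_NOPTS_MAX stands in for CONFIG_NANOCOAP_NOPTS_MAX, and the function and packet names are hypothetical. It returns -ENOMEM at exactly the point the testing procedure above deletes, so a message carrying more options than the table holds is rejected instead of overrunning it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for CONFIG_NANOCOAP_NOPTS_MAX; the value is an assumption, not RIOT's default. */
#define EXAMPLE_NOPTS_MAX 4
/* One parsed option: absolute number (running sum of deltas), value length, pointer to value. */
typedef struct { uint16_t number, len; const uint8_t *val; } example_opt_t;
/* Decode a delta/length nibble plus its 1- or 2-byte extension (RFC 7252 section 3.1);
 * advances *pos past the extension, returns -1 when truncated or when the nibble is 15. */
static int decode_field(const uint8_t **pos, const uint8_t *end, unsigned nibble)
{
    if (nibble < 13) return (int)nibble;
    if (nibble == 13 && end - *pos >= 1) return 13 + *(*pos)++;
    if (nibble == 14 && end - *pos >= 2) {
        int v = 269 + (((*pos)[0] << 8) | (*pos)[1]);
        *pos += 2;
        return v;
    }
    return -1;
}
/* Parse the options of a CoAP message into opts[] (room for EXAMPLE_NOPTS_MAX entries).
 * Returns the option count, -EBADMSG on malformed input, -ENOMEM on too many options. */
int example_parse_options(const uint8_t *buf, size_t len, example_opt_t *opts)
{
    if (len < 4 || (buf[0] & 0x0f) > 8 || 4 + (buf[0] & 0x0f) > len) return -EBADMSG;
    const uint8_t *pos = buf + 4 + (buf[0] & 0x0f), *end = buf + len;  /* skip header + token */
    unsigned count = 0, number = 0;
    while (pos < end && *pos != 0xff) {                  /* 0xFF is the payload marker */
        uint8_t hdr = *pos++;
        int delta = decode_field(&pos, end, hdr >> 4);
        int olen = decode_field(&pos, end, hdr & 0x0f);
        if (delta < 0 || olen < 0 || end - pos < olen) return -EBADMSG;
        /* The check the PR's testing procedure deletes: without it the store below writes
         * past opts[] as soon as a message carries more than EXAMPLE_NOPTS_MAX options. */
        if (count >= EXAMPLE_NOPTS_MAX) return -ENOMEM;
        number += delta;
        opts[count++] = (example_opt_t){ (uint16_t)number, (uint16_t)olen, pos };
        pos += olen;
    }
    return (int)count;
}
int example_count_options(const uint8_t *buf, size_t len)   /* validate-only wrapper */
{
    example_opt_t opts[EXAMPLE_NOPTS_MAX];
    return example_parse_options(buf, len, opts);
}

/* Constructed messages: 4-byte header (ver 1, CON, tkl 0, GET, id 0x1234), then options. */
static const uint8_t example_pkt_ok[]    = { 0x40, 0x01, 0x12, 0x34, 0x10, 0x20, 0xd0, 0x05 };
static const uint8_t example_pkt_flood[] = { 0x40, 0x01, 0x12, 0x34, 0x10, 0x10, 0x10, 0x10, 0x10 };
```

The flood message has five one-byte options against a four-entry table, which is the shape of input AFL finds once the check is gone; with the check present it is rejected cleanly.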

@benpicco benpicco added Area: CoAP Area: Constrained Application Protocol implementations Area: security Area: Security-related libraries and subsystems Type: enhancement The issue suggests enhanceable parts / The PR enhances parts of the codebase / documentation labels Apr 18, 2020
@benpicco benpicco requested review from bergzand and kb2ma April 18, 2020 12:09
@benpicco benpicco added the CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR label Apr 18, 2020

@benpicco benpicco left a comment


Looks good!
I like how having more examples will make it easier to write new fuzz tests.

Please add a comment to the sock inserts so they keep doing the right thing should those parts get refactored.

sys/net/sock/async/event/sock_async_event.c
sys/net/gnrc/sock/gnrc_sock.c
sys/net/gnrc/sock/gnrc_sock.c (outdated)
@benpicco
Contributor

This is unrelated but I've noticed make -j fuzz will only ever use one core.
Is this a limitation of afl? To me it seems such a task would lend itself well to parallelization.

@nmeum
Member Author

nmeum commented Apr 22, 2020

> This is unrelated but I've noticed make -j fuzz will only ever use one core.

AFL has its own parallel fuzzing setup. See:

@benpicco
Contributor

@nmeum ping 😉

@nmeum
Member Author

nmeum commented May 26, 2020

> @nmeum ping 😉

Sorry, been very busy with other things lately. Pushed a few additional commits.


@benpicco benpicco left a comment


looks good to me

@nmeum
Member Author

nmeum commented May 27, 2020

Having thought about this further, commit 7d1cf1d is probably not needed since MODULE_SOCK_ASYNC_EVENT will also cause MODULE_GNRC_SOCK to be defined for fuzzing applications anyhow.

@benpicco
Contributor

Well feel free to drop it then 😉

@benpicco benpicco merged commit 5055a1e into RIOT-OS:master May 30, 2020
@miri64 miri64 added this to the Release 2020.07 milestone Jun 24, 2020