This repository has been archived by the owner on Nov 1, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 199
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
libfuzzer library integration tests (#681)
- Loading branch information
Showing
15 changed files
with
401 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
CC=clang | ||
CFLAGS=-fsanitize=address,fuzzer -fPIC -O0 -ggdb3 | ||
|
||
.PHONY: all clean test | ||
|
||
all: libbad.so fuzz.exe | ||
|
||
fuzz.exe: main.o | ||
$(CC) $(CFLAGS) -o $@ $< | ||
|
||
libbad.so: bad.o | ||
$(CC) -shared -o $@ $< | ||
|
||
test: all | ||
LD_LIBRARY_PATH=. ./fuzz.exe | ||
|
||
clean: | ||
rm -rf fuzz.exe *.o *.so crash-* |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
#include <stdint.h> | ||
#include <stdlib.h> | ||
|
||
int func(const uint8_t *data, size_t len) { | ||
int cnt = 0; | ||
|
||
if (len < 4) { | ||
return 0; | ||
} | ||
|
||
if (data[0] == 'x') { cnt++; } | ||
if (data[1] == 'y') { cnt++; } | ||
if (data[2] == 'z') { cnt++; } | ||
|
||
if (cnt >= 3) { | ||
switch (data[3]) { | ||
case '0': { | ||
// segv | ||
int *p = NULL; *p = 123; | ||
break; | ||
} | ||
case '1': { | ||
// stack-buffer-underflow | ||
int* p = &cnt - 32; for (int i = 0; i < 32; i++) { *(p + i) = 0; } | ||
break; | ||
} | ||
case '2': { | ||
// stack-buffer-overflow | ||
int* p = &cnt + 32; for (int i = 0; i < 32; i++) { *(p - i) = 0; } | ||
break; | ||
} | ||
case '3': { | ||
// bad-free | ||
int *p = &cnt; free(p); | ||
break; | ||
} | ||
case '4': { | ||
// double-free | ||
int* p = malloc(sizeof(int)); free(p); free(p); | ||
break; | ||
} | ||
case '5': { | ||
// heap-use-after-free | ||
int* p = malloc(sizeof(int)); free(p); *p = 123; | ||
break; | ||
} | ||
case '6': { | ||
// heap-buffer-overflow | ||
int* p = malloc(8 * sizeof(int)); for (int i = 0; i < 32; i++) { *(p + i) = 0; } | ||
break; | ||
} | ||
case '7': { | ||
// fpe | ||
int x = 0; int y = 123 / x; | ||
break; | ||
} | ||
} | ||
} | ||
|
||
return 0; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
#ifndef BAD_H | ||
#define BAD_H | ||
|
||
int func(const uint8_t *data, size_t len); | ||
|
||
#endif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
#include <assert.h> | ||
#include <dlfcn.h> | ||
#include <stdint.h> | ||
#include <stdio.h> | ||
#include <stdlib.h> | ||
|
||
int (*fuzz_func)(const uint8_t *data, size_t size); | ||
|
||
int LLVMFuzzerInitialize(int *argc, char ***argv) | ||
{ | ||
printf("initialize\n"); | ||
void *handle; | ||
int (*b)(void); | ||
char *error; | ||
|
||
handle = dlopen("libbad.so", RTLD_LAZY); | ||
if (!handle) | ||
{ | ||
printf("can't open %s", dlerror()); | ||
return 1; | ||
} | ||
fuzz_func = (int (*)(const uint8_t *data, size_t size))dlsym(handle, "func"); | ||
error = dlerror(); | ||
if (error != NULL) | ||
{ | ||
printf("%s\n", error); | ||
exit(EXIT_FAILURE); | ||
} | ||
return 0; | ||
} | ||
|
||
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) | ||
{ | ||
assert(fuzz_func != NULL); | ||
return fuzz_func(data, size); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
good |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
CC=clang | ||
|
||
.PHONY: all clean test | ||
|
||
all: fuzz.exe | ||
|
||
CFLAGS=-fsanitize=address,fuzzer -fPIC -O0 -ggdb3 | ||
|
||
fuzz.exe: main.o libbad1.so libbad2.so | ||
$(CC) $(CFLAGS) -o $@ $< -lbad1 -lbad2 -L. | ||
|
||
libbad1.so: bad1.o | ||
$(CC) -fsanitize=address -shared -o $@ $< | ||
|
||
libbad2.so: bad2.o | ||
$(CC) -fsanitize=address -shared -o $@ $< | ||
|
||
test: all | ||
LD_LIBRARY_PATH=. ./fuzz.exe | ||
|
||
clean: | ||
rm -rf fuzz.exe *.o *.so *.dll crash-* *.lib *.exp *.pdb |
23 changes: 23 additions & 0 deletions
23
src/integration-tests/libfuzzer-linked-library/Makefile.windows
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
CC=clang | ||
|
||
.PHONY: all clean test | ||
|
||
all: fuzz.exe | ||
|
||
CFLAGS=-g3 -fsanitize=address,fuzzer | ||
|
||
fuzz.exe: main.o bad1.dll bad2.dll | ||
$(CC) $(CFLAGS) main.o -o fuzz.exe -L. -lbad1 -lbad2 | ||
|
||
bad1.dll: bad1.o | ||
$(CC) $(CFLAGS) -shared -o bad1.dll bad1.o | ||
|
||
bad2.dll: bad2.o | ||
$(CC) $(CFLAGS) -shared -o bad2.dll bad2.o | ||
|
||
|
||
test: all | ||
LD_LIBRARY_PATH=. ./fuzz.exe | ||
|
||
clean: | ||
rm -f *.dll *.exe *.exp *.pdb *.o *.lib |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
#include <stdint.h> | ||
#include <stdlib.h> | ||
|
||
#if defined(_WIN32) | ||
#define LIBRARY_API __declspec(dllexport) | ||
#else | ||
#define LIBRARY_API | ||
#endif | ||
|
||
int LIBRARY_API func1(const uint8_t *data, size_t len) { | ||
int cnt = 0; | ||
|
||
if (len < 4) { | ||
return 0; | ||
} | ||
|
||
if (data[0] == 'x') { cnt++; } | ||
if (data[1] == 'y') { cnt++; } | ||
if (data[2] == 'z') { cnt++; } | ||
|
||
if (cnt >= 3) { | ||
switch (data[3]) { | ||
case '0': { | ||
// segv | ||
int *p = NULL; *p = 123; | ||
break; | ||
} | ||
case '1': { | ||
// stack-buffer-underflow | ||
int* p = &cnt - 32; for (int i = 0; i < 32; i++) { *(p + i) = 0; } | ||
break; | ||
} | ||
case '2': { | ||
// stack-buffer-overflow | ||
int* p = &cnt + 32; for (int i = 0; i < 32; i++) { *(p - i) = 0; } | ||
break; | ||
} | ||
case '3': { | ||
// bad-free | ||
int *p = &cnt; free(p); | ||
break; | ||
} | ||
case '4': { | ||
// double-free | ||
int* p = malloc(sizeof(int)); free(p); free(p); | ||
break; | ||
} | ||
case '5': { | ||
// heap-use-after-free | ||
int* p = malloc(sizeof(int)); free(p); *p = 123; | ||
break; | ||
} | ||
case '6': { | ||
// heap-buffer-overflow | ||
int* p = malloc(8 * sizeof(int)); for (int i = 0; i < 32; i++) { *(p + i) = 0; } | ||
break; | ||
} | ||
case '7': { | ||
// fpe | ||
int x = 0; int y = 123 / x; | ||
break; | ||
} | ||
} | ||
} | ||
|
||
return 0; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
// Copyright (c) Microsoft Corporation. All rights reserved. | ||
// Licensed under the MIT License. | ||
|
||
#ifndef BAD1_H | ||
#define BAD1_H | ||
|
||
int func1(const uint8_t *data, size_t len); | ||
|
||
#endif |
Oops, something went wrong.