From e24681211ce8a71583b5233084bd1290c3c7e872 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Wed, 28 Jun 2023 16:52:22 -0400
Subject: [PATCH] Add libFuzzer support to the .sbat parser.
shim takes several forms of input from several sources that are not necessarily trustworthy. As such, we need to take measures to validate that we don't have unacceptable results from bad inputs. One such measure is "fuzzing" the inputs which parse untrusted data by running them with randomized or partially randomized input. This change adds such testing using clang's "libFuzzer" to our parser for ".sbat" sections. I've run it for about half an hour and so far it found one memory leak, but no other errors.
Signed-off-by: Peter Jones
---
 fuzz-sbat.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 include/fuzz.mk | 2 ++
 2 files changed, 48 insertions(+)
 create mode 100644 fuzz-sbat.c
diff --git a/fuzz-sbat.c b/fuzz-sbat.c
new file mode 100644
index 000000000..74d313bb8
--- /dev/null
+++ b/fuzz-sbat.c
@@ -0,0 +1,46 @@
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+/*
+ * fuzz-sbat-section.c - fuzz our .sbat parsing code
+ * Copyright Peter Jones
+ */
+
+#ifndef SHIM_UNIT_TEST
+#define SHIM_UNIT_TEST
+#endif
+#include "shim.h"
+
+#include
+
+list_t sbat_var;
+
+BOOLEAN
+secure_mode() {
+ return 1;
+}
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ uint8_t *data_copy;
+ EFI_STATUS status = 0;
+ size_t n = 0;
+ struct sbat_section_entry **entries = NULL;
+
+ if (size < 1)
+ return 0;
+
+ data_copy = malloc(size+1);
+ if (!data_copy)
+ return -1;
+
+ memcpy(data_copy, data, size);
+ data_copy[size] = 0;
+ status = parse_sbat_section(data_copy, size, &n, &entries);
+ cleanup_sbat_section_entries(n, entries);
+
+ free(data_copy);
+
+ return 0;
+}
+
+// vim:fenc=utf-8:tw=75:noet
diff --git a/include/fuzz.mk b/include/fuzz.mk
index 5289c6af3..f35df415c 100644
--- a/include/fuzz.mk
+++ b/include/fuzz.mk
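Review bot: `status` at `status = parse_sbat_section(data_copy, size, &n, &entries);` is written and never read, so the harness builds with an unused-but-set warning and cannot distinguish a parse failure from success. If parse_sbat_section already releases its partial results on its error path (its body is not part of this patch), the unconditional `cleanup_sbat_section_entries(n, entries);` that follows would free them a second time; the tighter form is `if (!EFI_ERROR(status)) cleanup_sbat_section_entries(n, entries);`, or at least `(void)status;` once ownership on the error path has been confirmed. Because `data_copy[size] = 0;` always hands the parser a NUL-terminated buffer, the harness never exercises an unterminated section of exactly `size` bytes, which is presumably how the section arrives from a PE image, so reads that run past `size` are not observable here; a comment such as `/* terminator added so strlen-style walks stay in bounds; over-reads past size are not observable in this harness */` would make that trade-off explicit, or a second pass over a copy without the terminator could cover it. The `secure_mode()` stub should be declared `secure_mode(void)`, and the header comment still names the file `fuzz-sbat-section.c` rather than `fuzz-sbat.c`.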
@@ -69,6 +69,8 @@ libefi-test.a : -f $(TOPDIR)/gnu-efi/Makefile \ clean +fuzz-sbat_FILES = csv.c lib/variables.c lib/guid.c sbat_var.S mock-variables.c +fuzz-sbat :: CFLAGS+=-DHAVE_GET_VARIABLE -DHAVE_GET_VARIABLE_ATTR -DHAVE_SHIM_LOCK_GUID fuzzers := $(patsubst %.c,%,$(wildcard fuzz-*.c))