From 063fcbd54e133cc14f30a92aa242a72ce542dc9d Mon Sep 17 00:00:00 2001
From: Marco Elver
Date: Thu, 13 Jun 2019 06:52:15 +0200
Subject: [PATCH] [hostap] Switch to new fuzz targets (#2499)
---
 projects/hostap/Dockerfile | 1 -
 projects/hostap/build.sh | 150 ++++-------------------------
 projects/hostap/libfuzzer_entry.c | 56 -----------
 3 files changed, 18 insertions(+), 189 deletions(-)
 delete mode 100644 projects/hostap/libfuzzer_entry.c
diff --git a/projects/hostap/Dockerfile b/projects/hostap/Dockerfile
index 20ae162bd..5d38a06e5 100644
--- a/projects/hostap/Dockerfile
+++ b/projects/hostap/Dockerfile
@@ -20,4 +20,3 @@ RUN apt-get update && apt-get install -y make autoconf automake libtool g++
 RUN git clone --depth 1 git://w1.fi/srv/git/hostap.git hostap
 WORKDIR hostap
 COPY build.sh $SRC/
-COPY libfuzzer_entry.c $SRC/hostap/tests/
diff --git a/projects/hostap/build.sh b/projects/hostap/build.sh
index 1e06f0a5d..881146cb7 100755
--- a/projects/hostap/build.sh
+++ b/projects/hostap/build.sh
@@ -17,146 +17,32 @@ cd 'tests'
-# Make seed corpora
-(
- # Need clean environment for building test-tls used to create seed corpus.
- unset CC
- unset CXX
- unset CFLAGS
- unset CXXFLAGS
- unset LDFLAGS
-
- make clean
- make test-tls
-
- for x in client server; do
- ./test-tls $x write "${WORK}/test-tls-${x}.msg"
- (cd "$WORK" && zip "${OUT}/test-tls-${x}-read_seed_corpus.zip" test-tls-${x}.msg)
- done
-
- (
- cd p2p-fuzzer
- zip "${OUT}/p2p-fuzzer-proberesp_seed_corpus.zip" proberesp*.dat
- zip "${OUT}/p2p-fuzzer-action_seed_corpus.zip" go*.dat inv*.dat p2ps*.dat
- )
-
- (cd eapol-fuzzer && zip "${OUT}/eapol-fuzzer_seed_corpus.zip" *.dat)
- (cd ap-mgmt-fuzzer && zip "${OUT}/ap-mgmt-fuzzer_seed_corpus.zip" multi.dat)
- (cd wnm-fuzzer && zip "${OUT}/wnm-fuzzer_seed_corpus.zip" *.dat)
-
- echo '{"a":[[]],"b":1,"c":"q","d":{"e":[{}]}}' > "${WORK}/test.json"
- (cd "$WORK" && zip "${OUT}/test-json_seed_corpus.zip" *.json)
-
- # TODO: test-x509
-)
-
-
-make clean
 export LDO=$CXX
 export LDFLAGS="$CXXFLAGS $LIB_FUZZING_ENGINE"
-export CFLAGS="$CFLAGS -DTEST_LIBFUZZER -DCONFIG_NO_STDOUT_DEBUG"
+export CFLAGS="$CFLAGS -MMD"
-# libFuzzer native targets (enabled via TEST_LIBFUZZER) ------------------
+# Specific to hostap's rules.include: set empty, as we directly set required
+# sanitizer flags in CFLAGS and LDFLAGS (above).
+export FUZZ_FLAGS=
-for target in json x509; do
- make test-${target} TEST_FUZZ=y
- mv -v "test-${target}" "${OUT}/"
-done
-
-# AFL compatible targets --------------------------------------------------
-
-patch_afl_fuzzer() {
+for target in fuzzing/*; do
+ [[ -d "$target" ]] || continue
 (
- printf '#include
-char* get_fuzzer_input(const char*, size_t*);
-void free_fuzzer_input(void*);
-#define os_readfile get_fuzzer_input
-#define os_free free_fuzzer_input
-'
- cat "$1"
- ) > "${1}_"
- mv "${1}_" "$1"
-}
+ cd "$target"
+ make clean
-print_ignore_leaks_options() {
- cat < "${OUT}/wnm-fuzzer.options"
-)
-
-# The below Makefiles do not honor OBJS.
-recompile_libfuzzer_entry() {
- rm -vf "libfuzzer_entry.o"
- $CC $CFLAGS -c -o "libfuzzer_entry.o" "libfuzzer_entry.c"
-}
-
-# test-tls variants
-(
- export LDFLAGS="$LDFLAGS libfuzzer_entry.o"
- make clean
-
- # test-tls uses fopen to open the input file.
- sed -i '1i\
-#define fopen fopen_fuzzer_input
-' "test-tls.c"
-
- CFLAGS="$CFLAGS -DEXTRA_ARGS=\"server\",\"read\"," \
- recompile_libfuzzer_entry
- make test-tls TEST_FUZZ=y
- mv -v "test-tls" "${OUT}/test-tls-server-read"
-
- CFLAGS="$CFLAGS -DEXTRA_ARGS=\"client\",\"read\"," \
- recompile_libfuzzer_entry
- make test-tls TEST_FUZZ=y
- mv -v "test-tls" "${OUT}/test-tls-client-read"
-)
-
-(
- export LDFLAGS="$LDFLAGS ../libfuzzer_entry.o"
-
- # eapol-fuzzer
- patch_afl_fuzzer "eapol-fuzzer/eapol-fuzzer.c"
- make -C "eapol-fuzzer" clean
- recompile_libfuzzer_entry
- make -C "eapol-fuzzer"
- mv -v "eapol-fuzzer/eapol-fuzzer" "${OUT}/"
-
- # p2p-fuzzer variants
- patch_afl_fuzzer "p2p-fuzzer/p2p-fuzzer.c"
- make -C "p2p-fuzzer" clean
- CFLAGS="$CFLAGS -DEXTRA_ARGS=\"action\"," \
- recompile_libfuzzer_entry
- make -C "p2p-fuzzer"
- mv -v "p2p-fuzzer/p2p-fuzzer" "${OUT}/p2p-fuzzer-action"
- CFLAGS="$CFLAGS -DEXTRA_ARGS=\"proberesp\"," \
- recompile_libfuzzer_entry
- make -C "p2p-fuzzer"
- mv -v "p2p-fuzzer/p2p-fuzzer" "${OUT}/p2p-fuzzer-proberesp"
-)
+ if [[ -d 'corpus' ]]; then
+ (cd 'corpus' && zip "${OUT}/${target##*/}_seed_corpus.zip" *)
+ fi
+ )
+done
 # Copy required data.
 cp -a "hwsim" "${OUT}/"
-
diff --git a/projects/hostap/libfuzzer_entry.c b/projects/hostap/libfuzzer_entry.c
deleted file mode 100644
index 47a6bf8ae..000000000
--- a/projects/hostap/libfuzzer_entry.c
+++ /dev/null
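Review bot: `for target in fuzzing/*` iterates the literal pattern when the glob matches nothing, and the `[[ -d "$target" ]] || continue` guard then turns a missing or renamed `fuzzing/` directory into a build that succeeds with no fuzzers in `$OUT`; `shopt -s nullglob` before the loop, plus a post-loop check that at least one target was built, would make that failure loud. In the corpus step an empty `corpus` directory leaves `*` unexpanded, so `zip` exits non-zero on the unmatched name and, if the script runs under `set -e` (its header is outside the hunk), aborts the whole build; `if [[ -d 'corpus' && -n "$(ls -A corpus)" ]]; then` avoids that, and `zip -r` is needed if a corpus ever contains subdirectories. The old script also wrote a leak-ignoring options file via `print_ignore_leaks_options` to `"${OUT}/wnm-fuzzer.options"`; the middle of the new loop body is not legible in this copy of the hunk, so whether per-target `.options` files are still emitted should be confirmed, because if they are not, leaks in that target will now be reported as crashes rather than suppressed.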
@@ -1,56 +0,0 @@
-#define _GNU_SOURCE
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#ifndef EXTRA_ARGS
-#define EXTRA_ARGS
-#endif
-
-#define DUMMY_FILE_NAME "/invalid/path/do/not/use"
-
-static size_t input_size = 0;
-static char* input_data = NULL;
-static int use_count = 0;
-
-int fuzzer_main(int argc, char *argv[]);
-
-char* get_fuzzer_input(const char* fname, size_t *size) {
- assert(!strcmp(fname, DUMMY_FILE_NAME));
- *size = input_size;
- ++use_count;
- return input_data;
-}
-
-void free_fuzzer_input(char* ptr) {
- assert(ptr == input_data);
-}
-
-FILE* fopen_fuzzer_input(const char* fname, const char* mode) {
- assert(!strcmp(fname, DUMMY_FILE_NAME));
- ++use_count;
- return fmemopen(input_data, input_size, mode);
-}
-
-// Entry point for libFuzzer fuzzer, that wraps main of a fuzzer compatible with
-// AFL (where input is passed via a file).
-//
-// TODO: Ideally, should add native libFuzzer entry to project's fuzzer, as this
-// approach has noticable performance implications.
-int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- char* argv[] = {"fuzzer", EXTRA_ARGS DUMMY_FILE_NAME};
- input_size = size;
- input_data = (char*) data;
-
- fuzzer_main(sizeof(argv) / sizeof(char*), argv);
-
- if (use_count == 0) {
- printf("ERROR: input not used!\n");
- }
- return 0;
-}