From 3d325bf20f0b09961b6c7de34aa4da0d16cfa67d Mon Sep 17 00:00:00 2001 
From: Max Moroz
Date: Tue, 11 Oct 2016 11:42:13 +0200
Subject: [PATCH] [WIP] Add libnss build and 15 fuzzers from crrev.com/1677803002. (#12)

* Add libnss build and 15 fuzzers from crrev.com/1677803002.
* Added missing $LDFLAGS and used /out/*.a.
* Another attempt to link statically. The best one so far.
* Manually linking with nspr/Linux*/pr/src/misc/prlog2.o.
* Cleanup nss/buil.sh script and disable 2 of 15 nss fuzzers for now.
* Fix comments.
---
nss/Dockerfile | 23 +++++++
nss/Jenkinsfile | 25 ++++++++
nss/build.sh | 71 +++++++++++++++++++++
nss/fuzzers/asn1_algorithmid_fuzzer.cc | 19 ++++++
nss/fuzzers/asn1_any_fuzzer.cc | 18 ++++++
nss/fuzzers/asn1_bitstring_fuzzer.cc | 18 ++++++
nss/fuzzers/asn1_bmpstring_fuzzer.cc | 18 ++++++
nss/fuzzers/asn1_boolean_fuzzer.cc | 18 ++++++
nss/fuzzers/asn1_fuzzer_template.h | 45 +++++++++++++
nss/fuzzers/asn1_generalizedtime_fuzzer.cc | 18 ++++++
nss/fuzzers/asn1_ia5string_fuzzer.cc | 18 ++++++
nss/fuzzers/asn1_integer_fuzzer.cc | 18 ++++++
nss/fuzzers/asn1_null_fuzzer.cc | 18 ++++++
nss/fuzzers/asn1_objectid_fuzzer.cc | 18 ++++++
nss/fuzzers/asn1_octetstring_fuzzer.cc | 18 ++++++
nss/fuzzers/asn1_utctime_fuzzer.cc | 18 ++++++
nss/fuzzers/asn1_utf8string_fuzzer.cc | 18 ++++++
nss/fuzzers/cert_certificate_fuzzer.cc | 19 ++++++
nss/fuzzers/seckey_privatekeyinfo_fuzzer.cc | 19 ++++++
19 files changed, 437 insertions(+)
create mode 100644 nss/Dockerfile
create mode 100644 nss/Jenkinsfile
create mode 100755 nss/build.sh
create mode 100644 nss/fuzzers/asn1_algorithmid_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_any_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_bitstring_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_bmpstring_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_boolean_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_fuzzer_template.h
create mode 100644 nss/fuzzers/asn1_generalizedtime_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_ia5string_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_integer_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_null_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_objectid_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_octetstring_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_utctime_fuzzer.cc
create mode 100644 nss/fuzzers/asn1_utf8string_fuzzer.cc
create mode 100644 nss/fuzzers/cert_certificate_fuzzer.cc
create mode 100644 nss/fuzzers/seckey_privatekeyinfo_fuzzer.cc
diff --git a/nss/Dockerfile b/nss/Dockerfile
new file mode 100644
index 000000000..5cf55e00a
--- /dev/null
+++ b/nss/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mmoroz@chromium.org
+RUN apt-get install -y make autoconf automake libtool mercurial zlib1g-dev
+
+COPY build.sh /src/
+
+ENV LD_LIBRARY_PATH "$LD_LIBRARY_PATH:/out"
diff --git a/nss/Jenkinsfile b/nss/Jenkinsfile
new file mode 100644
index 000000000..e8baf4bb7
--- /dev/null
+++ b/nss/Jenkinsfile
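Review bot: The `RUN apt-get install -y ...` line runs without a preceding `apt-get update`, so it depends on the package index baked into `ossfuzz/base-libfuzzer` still matching the mirrors at build time; if the base image does not guarantee that, the install fails on a stale index. Suggest `RUN apt-get update && apt-get install -y make autoconf automake libtool mercurial zlib1g-dev`. The `ENV LD_LIBRARY_PATH "$LD_LIBRARY_PATH:/out"` line also looks unnecessary given the commit message says the fuzzers are now linked statically against the `.a` archives; if so, dropping it avoids suggesting that shared libraries are loaded from /out at runtime.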
@@ -0,0 +1,25 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+def libfuzzerBuild = fileLoader.fromGit('infra/libfuzzer-pipeline.groovy',
+ 'https://github.com/google/oss-fuzz.git',
+ 'master', null, '')
+
+libfuzzerBuild {
+ // We can't use git. We need to use mercurial (hg) and checkout 2 repos.
+ // build.sh does the checkout with hg. The below is just a dummy.
+ git = "https://github.com/google/oss-fuzz"
+}
diff --git a/nss/build.sh b/nss/build.sh
new file mode 100755
index 000000000..446488f3a
--- /dev/null
+++ b/nss/build.sh
@@ -0,0 +1,71 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd /src/nss
+
+# Check out the code using mercurial.
+rm -rf nspr
+rm -rf nss
+hg clone https://hg.mozilla.org/projects/nspr
+hg clone https://hg.mozilla.org/projects/nss
+
+# Build the library.
+mkdir -p /work/nss
+cp -u -r /src/nss/* /work/nss/
+cd /work/nss/nss
+make BUILD_OPT=1 USE_64=1 NSS_DISABLE_GTESTS=1 CC="$CC $CFLAGS" \
+ CXX="$CXX $CXXFLAGS" LD="$CC $CFLAGS" ZDEFS_FLAG= clean nss_build_all
+cd ..
+
+# Copy libraries and some objects to /work/nss/lib.
+mkdir -p /work/nss/lib
+cp dist/Linux*/lib/*.a /work/nss/lib
+cp nspr/Linux*/pr/src/misc/prlog2.o /work/nss/lib
+
+# Copy includes to /work/nss/include.
+mkdir -p /work/nss/include
+cp -rL dist/Linux*/include/* /work/nss/include
+cp -rL dist/{public,private}/nss/* /work/nss/include
+
+
+# Build the fuzzers.
+FUZZERS="asn1_algorithmid_fuzzer \
+ asn1_any_fuzzer \
+ asn1_bitstring_fuzzer \
+ asn1_bmpstring_fuzzer \
+ asn1_boolean_fuzzer \
+ asn1_generalizedtime_fuzzer \
+ asn1_ia5string_fuzzer \
+ asn1_integer_fuzzer \
+ asn1_null_fuzzer \
+ asn1_objectid_fuzzer \
+ asn1_octetstring_fuzzer \
+ asn1_utctime_fuzzer \
+ asn1_utf8string_fuzzer"
+
+# The following fuzzers are currently disabled due to linking issues:
+# cert_certificate_fuzzer, seckey_privatekeyinfo_fuzzer
+
+
+for fuzzer in $FUZZERS; do
+ $CXX $CXXFLAGS -std=c++11 /src/oss-fuzz/nss/fuzzers/$fuzzer.cc \
+ -I/work/nss/include \
+ /work/libfuzzer/*.o \
+ /work/nss/lib/libnss.a /work/nss/lib/libnssutil.a \
+ /work/nss/lib/libnspr4.a /work/nss/lib/libplc4.a /work/nss/lib/libplds4.a \
+ /work/nss/lib/prlog2.o -o /out/$fuzzer $LDFLAGS
+done
diff --git a/nss/fuzzers/asn1_algorithmid_fuzzer.cc b/nss/fuzzers/asn1_algorithmid_fuzzer.cc
new file mode 100644
index 000000000..ec2441841
--- /dev/null
+++ b/nss/fuzzers/asn1_algorithmid_fuzzer.cc
@@ -0,0 +1,19 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_any_fuzzer.cc b/nss/fuzzers/asn1_any_fuzzer.cc
new file mode 100644
index 000000000..06a0c090f
--- /dev/null
+++ b/nss/fuzzers/asn1_any_fuzzer.cc
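Review bot: The two `hg clone https://hg.mozilla.org/projects/...` lines in the checkout section pull whatever the tip of nspr and nss is at build time, so two runs of this script can build different code and an upstream breakage shows up as a fuzzer build failure with no local change to bisect. Pinning the revision, e.g. `hg clone -r <PINNED_REV> https://hg.mozilla.org/projects/nss`, makes the build reproducible and turns each upstream bump into a reviewed change. The compile loop at the end also reads sources from `/src/oss-fuzz/nss/fuzzers/$fuzzer.cc` while the Dockerfile only copies build.sh into `/src/`, so the script presumably relies on the pipeline checking out oss-fuzz at that path; a comment stating that expectation, such as `# Fuzzer sources are read from the oss-fuzz checkout the pipeline places at /src/oss-fuzz.`, would save the next maintainer from discovering it through a failed build.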
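Review bot: The two back-to-back `NSSFuzzOneInput(...)` calls in LLVMFuzzerTestOneInput pass the same template and the same input, and nothing in the file says what distinguishes them (the template arguments are not visible in this rendering, so presumably each instantiates a different decoder). A one-line comment above the pair naming which decoder each call exercises would spare the reader a trip into asn1_fuzzer_template.h. The same applies to every other fuzzer in this commit, from asn1_any_fuzzer.cc through seckey_privatekeyinfo_fuzzer.cc, which repeat the identical pattern.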
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_AnyTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_AnyTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_bitstring_fuzzer.cc b/nss/fuzzers/asn1_bitstring_fuzzer.cc
new file mode 100644
index 000000000..26543c103
--- /dev/null
+++ b/nss/fuzzers/asn1_bitstring_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_BitStringTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_BitStringTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_bmpstring_fuzzer.cc b/nss/fuzzers/asn1_bmpstring_fuzzer.cc
new file mode 100644
index 000000000..a37764091
--- /dev/null
+++ b/nss/fuzzers/asn1_bmpstring_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_BMPStringTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_BMPStringTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_boolean_fuzzer.cc b/nss/fuzzers/asn1_boolean_fuzzer.cc
new file mode 100644
index 000000000..6e178ee02
--- /dev/null
+++ b/nss/fuzzers/asn1_boolean_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_BooleanTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_BooleanTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_fuzzer_template.h b/nss/fuzzers/asn1_fuzzer_template.h
new file mode 100644
index 000000000..416b707ec
--- /dev/null
+++ b/nss/fuzzers/asn1_fuzzer_template.h
@@ -0,0 +1,45 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef ASN1_FUZZER_TEMPLATE_H_
+#define ASN1_FUZZER_TEMPLATE_H_
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+template
+void NSSFuzzOneInput(const SEC_ASN1Template* the_template,
+ const uint8_t* data,
+ size_t size) {
+ DestinationType* destination = new DestinationType();
+ memset(destination, 0, sizeof(DestinationType));
+
+ PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (!arena) {
+ delete destination;
+ return;
+ }
+
+ SECItem source;
+ source.type = siBuffer;
+ source.data = static_cast(const_cast(data));
+ source.len = static_cast(size);
+
+ DecodeFunction(arena, destination, the_template, &source);
+
+ PORT_FreeArena(arena, PR_FALSE);
+ delete destination;
+}
+
+#endif // ASN1_FUZZER_TEMPLATE_H_
diff --git a/nss/fuzzers/asn1_generalizedtime_fuzzer.cc b/nss/fuzzers/asn1_generalizedtime_fuzzer.cc
new file mode 100644
index 000000000..1faf586f3
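Review bot: The `memset(destination, 0, sizeof(DestinationType))` immediately after `new DestinationType()` in NSSFuzzOneInput is redundant: the empty parentheses value-initialize the object, which already zero-fills a plain C struct such as the NSS types this template is instantiated with, so the line can go. The `const_cast` that feeds `data` into `source.data` hands libFuzzer's input buffer to NSS as writable, and libFuzzer requires that buffer to remain unmodified; a comment recording that the cast exists only because SECItem has no const variant and that the decoder is expected not to write through it, e.g. `// SECItem is non-const; the decoder must treat source.data as read-only.`, makes that contract reviewable. The result of `DecodeFunction(...)` is dropped, which is fine for a fuzzer but worth saying: `// Return value intentionally ignored; the aim is only to exercise the decoder.`.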
--- /dev/null
+++ b/nss/fuzzers/asn1_generalizedtime_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_ia5string_fuzzer.cc b/nss/fuzzers/asn1_ia5string_fuzzer.cc
new file mode 100644
index 000000000..2a33255a8
--- /dev/null
+++ b/nss/fuzzers/asn1_ia5string_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_IA5StringTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_IA5StringTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_integer_fuzzer.cc b/nss/fuzzers/asn1_integer_fuzzer.cc
new file mode 100644
index 000000000..4e08fec0c
--- /dev/null
+++ b/nss/fuzzers/asn1_integer_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_IntegerTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_IntegerTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_null_fuzzer.cc b/nss/fuzzers/asn1_null_fuzzer.cc
new file mode 100644
index 000000000..4af7afb7e
--- /dev/null
+++ b/nss/fuzzers/asn1_null_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_NullTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_NullTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_objectid_fuzzer.cc b/nss/fuzzers/asn1_objectid_fuzzer.cc
new file mode 100644
index 000000000..bdc8288b1
--- /dev/null
+++ b/nss/fuzzers/asn1_objectid_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_ObjectIDTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_ObjectIDTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_octetstring_fuzzer.cc b/nss/fuzzers/asn1_octetstring_fuzzer.cc
new file mode 100644
index 000000000..71b25776e
--- /dev/null
+++ b/nss/fuzzers/asn1_octetstring_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_OctetStringTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_OctetStringTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_utctime_fuzzer.cc b/nss/fuzzers/asn1_utctime_fuzzer.cc
new file mode 100644
index 000000000..604e26098
--- /dev/null
+++ b/nss/fuzzers/asn1_utctime_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_UTCTimeTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_UTCTimeTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/asn1_utf8string_fuzzer.cc b/nss/fuzzers/asn1_utf8string_fuzzer.cc
new file mode 100644
index 000000000..f4a3a6ac2
--- /dev/null
+++ b/nss/fuzzers/asn1_utf8string_fuzzer.cc
@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_UTF8StringTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SEC_UTF8StringTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/cert_certificate_fuzzer.cc b/nss/fuzzers/cert_certificate_fuzzer.cc
new file mode 100644
index 000000000..ce1efc732
--- /dev/null
+++ b/nss/fuzzers/cert_certificate_fuzzer.cc
@@ -0,0 +1,19 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(CERT_CertificateTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(CERT_CertificateTemplate), data, size);
+
+ return 0;
+}
diff --git a/nss/fuzzers/seckey_privatekeyinfo_fuzzer.cc b/nss/fuzzers/seckey_privatekeyinfo_fuzzer.cc
new file mode 100644
index 000000000..a6dd802e9
--- /dev/null
+++ b/nss/fuzzers/seckey_privatekeyinfo_fuzzer.cc
@@ -0,0 +1,19 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include
+#include
+#include
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SECKEY_PrivateKeyInfoTemplate), data, size);
+ NSSFuzzOneInput(
+ SEC_ASN1_GET(SECKEY_PrivateKeyInfoTemplate), data, size);
+
+ return 0;
+}
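Review bot: cert_certificate_fuzzer.cc, and seckey_privatekeyinfo_fuzzer.cc in the next hunk, are added here but left out of the FUZZERS list in build.sh with only a remark that they have linking issues, so nothing in either source file tells a reader that it is not built. A header comment such as `// NOTE: not yet built; see the disabled-fuzzers comment in nss/build.sh.` keeps the two places in sync, and the build.sh remark could in turn name the unresolved symbols so the follow-up that re-enables them is actionable.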