From 75f19e2cac0f3d22d808e134a522d1c44e48e771 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Wed, 24 Aug 2022 23:56:42 +0100 Subject: [PATCH] golang: add fuzzer (#8351) Signed-off-by: AdamKorcz Signed-off-by: AdamKorcz --- projects/golang/Dockerfile | 3 ++ projects/golang/build.sh | 7 ++++ projects/golang/fuzz_h2c.options | 3 ++ projects/golang/h2c_fuzzer.go | 58 ++++++++++++++++++++++++++++++++ 4 files changed, 71 insertions(+) create mode 100644 projects/golang/fuzz_h2c.options create mode 100644 projects/golang/h2c_fuzzer.go diff --git a/projects/golang/Dockerfile b/projects/golang/Dockerfile index a688cf563..86da2bf62 100644 --- a/projects/golang/Dockerfile +++ b/projects/golang/Dockerfile @@ -18,6 +18,7 @@ FROM gcr.io/oss-fuzz-base/base-builder-go RUN git clone --depth 1 https://github.com/dvyukov/go-fuzz-corpus golang RUN git clone --depth 1 https://github.com/golang/go +RUN git clone --depth 1 https://github.com/golang/net COPY build.sh text_fuzzer.go \ math_big_fuzzer.go \ fuzz_tar_reader.go \ @@ -28,6 +29,8 @@ COPY build.sh text_fuzzer.go \ x509_fuzzer.go \ ecdsa_fuzzer.go \ aes_fuzzer.go \ + h2c_fuzzer.go \ + fuzz_h2c.options \ elf_fuzzer.go $SRC/ WORKDIR $SRC/golang diff --git a/projects/golang/build.sh b/projects/golang/build.sh index fc7407c0b..c62d5423a 100755 --- a/projects/golang/build.sh +++ b/projects/golang/build.sh @@ -93,6 +93,13 @@ compile_native_go_fuzzer tarPackage FuzzReader fuzz_std_lib_tar_reader cd $SRC && git clone https://github.com/AdamKorcz/instrumentation cd instrumentation go run main.go $SRC/go/src/archive/tar +go run main.go $SRC/net + +cp $SRC/h2c_fuzzer.go $SRC/net/http2/h2c/ +cd $SRC/net/http2/h2c +go mod tidy -e -go=1.16 && go mod tidy -e -go=1.17 +compile_go_fuzzer . FuzzH2c fuzz_h2c +mv $SRC/fuzz_h2c.options $OUT/ cd $SRC/go/src/archive/tar cp $SRC/fuzz_tar_reader.go ./ diff --git a/projects/golang/fuzz_h2c.options b/projects/golang/fuzz_h2c.options new file mode 100644 index 000000000..793fee7fe --- /dev/null +++ b/projects/golang/fuzz_h2c.options @@ -0,0 +1,3 @@ +[libfuzzer] +max_len = 1600000 +len_control = 0 \ No newline at end of file diff --git a/projects/golang/h2c_fuzzer.go b/projects/golang/h2c_fuzzer.go new file mode 100644 index 000000000..2ffe1e28a --- /dev/null +++ b/projects/golang/h2c_fuzzer.go @@ -0,0 +1,58 @@ +// Copyright 2022 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +package h2c + +import ( + "bytes" + "fmt" + "github.com/argoproj/argo-events/eventsources/common/webhook" + "golang.org/x/net/http2" + "io" + "net/http" + + fuzz "github.com/AdaLogics/go-fuzz-headers" +) + +func FuzzH2c(data []byte) int { + if len(data) < 10 { + return 0 + } + if len(data)%2 != 0 { + return 0 + } + data1 := data[:len(data)/10] + data2 := data[(len(data)/10)+1:] + f1 := fuzz.NewConsumer(data1) + headerMap := make(map[string][]string) + err := f1.FuzzMap(&headerMap) + if err != nil { + return 0 + } + handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + fmt.Fprint(w, "Hello world") + }) + h2s := &http2.Server{ + // ... + } + h := NewHandler(handler, h2s) + w := &webhook.FakeHttpWriter{} + r := &http.Request{ + Body: io.NopCloser(bytes.NewReader(data2)), + } + r.Header = headerMap + h.ServeHTTP(w, r) + return 1 +}