From 80d39ec418fda8ea9ee6e3e91d7d9341affaf421 Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Wed, 28 Apr 2021 11:26:56 +0200
Subject: [PATCH] Changes to build test corpus for Sleuthkit fuzz targets (#5682)

---
 projects/sleuthkit/Dockerfile | 2 +-
 projects/sleuthkit/build.sh | 12 ++-
 projects/sleuthkit/buildcorpus.sh | 79 +++++++++++++++++++
 ...fuzzer.cc => sleuthkit_fls_apfs_fuzzer.cc} | 2 +-
 4 files changed, 89 insertions(+), 6 deletions(-)
 create mode 100755 projects/sleuthkit/buildcorpus.sh
 rename projects/sleuthkit/{sleuthkit_apfs_fuzzer.cc => sleuthkit_fls_apfs_fuzzer.cc} (96%)

diff --git a/projects/sleuthkit/Dockerfile b/projects/sleuthkit/Dockerfile
index cf04b56ab..a13087ffe 100644
--- a/projects/sleuthkit/Dockerfile
+++ b/projects/sleuthkit/Dockerfile
@@ -18,4 +18,4 @@ FROM gcr.io/oss-fuzz-base/base-builder
 RUN apt-get update && apt-get install -y make autoconf automake libtool
 RUN git clone --depth 1 https://github.com/sleuthkit/sleuthkit sleuthkit
 WORKDIR sleuthkit
-COPY build.sh sleuthkit_mem_img.h *_fuzzer.cc $SRC/
+COPY build.sh buildcorpus.sh sleuthkit_mem_img.h *_fuzzer.cc $SRC/
diff --git a/projects/sleuthkit/build.sh b/projects/sleuthkit/build.sh
index add1fba8b..2443ffaab 100755
--- a/projects/sleuthkit/build.sh
+++ b/projects/sleuthkit/build.sh
@@ -18,6 +18,8 @@
 export CFLAGS="$CFLAGS -Wno-error=non-c-typedef-for-linkage"
 export CXXFLAGS="$CXXFLAGS -Wno-error=non-c-typedef-for-linkage"
+${SRC}/buildcorpus.sh
+
 ./bootstrap
 ./configure --enable-static --disable-shared --disable-java --without-afflib --without-libewf --without-libvhdi --without-libvmdk
 make -j$(nproc)
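Review bot: `${SRC}/buildcorpus.sh` is invoked bare, so its exit status propagates to build.sh, which (like buildcorpus.sh's own `#!/bin/bash -eu`) presumably runs under `-e`; any transient failure fetching the third-party test images then aborts the entire fuzzer build instead of merely leaving targets without a seed corpus. If that is not intended, `${SRC}/buildcorpus.sh || echo "WARNING: seed corpus not built"` keeps the targets buildable while still surfacing the problem in the log. A one-line comment such as `# Download test images and zip them into per-target seed corpora` above the call would also help, since the script name does not say where its output goes. The rest of build.sh is outside this hunk.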
@@ -37,16 +39,18 @@ declare -A TSK_VS_TYPES=(
  ["sun"]="TSK_VS_TYPE_SUN"
 )
+# The fls APFS fuzz target has a seperate source file since it uses the libtsk
+# pool layer.
+$CXX $CXXFLAGS -std=c++14 -I.. -I. -Itsk \
+ $SRC/sleuthkit_fls_apfs_fuzzer.cc -o $OUT/sleuthkit_fls_apfs_fuzzer \
+ $LIB_FUZZING_ENGINE $SRC/sleuthkit/tsk/.libs/libtsk.a
+
 for type in ${!TSK_FS_TYPES[@]}; do
 $CXX $CXXFLAGS -std=c++14 -I.. -I. -Itsk -DFSTYPE=${TSK_FS_TYPES[$type]} \
 $SRC/sleuthkit_fls_fuzzer.cc -o $OUT/sleuthkit_fls_${type}_fuzzer \
 $LIB_FUZZING_ENGINE $SRC/sleuthkit/tsk/.libs/libtsk.a
 done
-$CXX $CXXFLAGS -std=c++14 -I.. -I. -Itsk \
- $SRC/sleuthkit_apfs_fuzzer.cc -o $OUT/sleuthkit_apfs_${type}_fuzzer \
- $LIB_FUZZING_ENGINE $SRC/sleuthkit/tsk/.libs/libtsk.a
-
 for type in ${!TSK_VS_TYPES[@]}; do
 $CXX $CXXFLAGS -std=c++14 -I.. -I. -Itsk -DVSTYPE=${TSK_VS_TYPES[$type]} \
 $SRC/sleuthkit_mmls_fuzzer.cc -o $OUT/sleuthkit_mmls_${type}_fuzzer \
diff --git a/projects/sleuthkit/buildcorpus.sh b/projects/sleuthkit/buildcorpus.sh
new file mode 100755
index 000000000..f30461a81
--- /dev/null
+++ b/projects/sleuthkit/buildcorpus.sh
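Review bot: The new comment on the first added line has a typo, `seperate`; it should read `# The fls APFS fuzz target has a separate source file since it uses the libtsk`. The comment could also name that file, since the `for` loop below builds from `sleuthkit_fls_fuzzer.cc` while this block uses `sleuthkit_fls_apfs_fuzzer.cc`, e.g. `# pool layer (see sleuthkit_fls_apfs_fuzzer.cc).` as its second line.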
@@ -0,0 +1,79 @@
+#!/bin/bash -eu
+#
+# Script to downloads test data and build the corpus
+#
+# Copyright 2021 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Test data provided by:
+#
+# The Fuzzing Project: https://fuzzing-project.org/resources.html
+# As CC0 1.0 Universal (CC0 1.0) Public Domain Dedication
+# https://creativecommons.org/publicdomain/zero/1.0/
+#
+# The dfVFS project: https://github.com/log2timeline/dfvfs
+# As Apache 2 https://github.com/log2timeline/dfvfs/blob/main/LICENSE
+OUT="."
+
+# Files to use for fls fuzz targets
+declare -A FLS_TEST_FILES=(
+ ["apfs"]="https://github.com/log2timeline/dfvfs/blob/main/test_data/apfs.raw?raw=true"
+ ["ext"]="https://files.fuzzing-project.org/filesystems/ext2.img"
+ ["fat"]="https://files.fuzzing-project.org/filesystems/exfat.img https://files.fuzzing-project.org/filesystems/fat12.img https://files.fuzzing-project.org/filesystems/fat16.img https://files.fuzzing-project.org/filesystems/fat32.img"
+ ["hfs"]="https://files.fuzzing-project.org/filesystems/hfsplus.img"
+ ["iso9660"]="https://files.fuzzing-project.org/discimages/iso9660.iso"
+ ["ntfs"]="https://files.fuzzing-project.org/filesystems/ntfs.img"
+)
+
+# Files to use for mmls fuzz targets
+declare -A MMLS_TEST_FILES=(
+ ["dos"]="https://files.fuzzing-project.org/discimages/partition-dos"
+ ["gpt"]="https://files.fuzzing-project.org/discimages/partition-gpt"
+ ["mac"]="https://files.fuzzing-project.org/discimages/partition-mac"
+)
+
+
+for type in ${!FLS_TEST_FILES[@]}; do
+ fuzz_target="sleuthkit_fls_${type}_fuzzer"
+
+ mkdir -p "test_data/${fuzz_target}"
+
+ IFS=" "; for url in ${FLS_TEST_FILES[$type]}; do
+ filename=$( echo ${url} | sed 's/?[^?]*$//' )
+ filename=$( basename $(unknown) )
+
+ curl -L -o "test_data/${fuzz_target}/$(unknown)" "${url}"
+ done
+
+ (cd "test_data/${fuzz_target}" && zip ${OUT}/${fuzz_target}_seed_corpus.zip *)
+done
+
+
+for type in ${!MMLS_TEST_FILES[@]}; do
+ fuzz_target="sleuthkit_mmls_${type}_fuzzer"
+
+ mkdir -p "test_data/${fuzz_target}"
+
+ IFS=" "; for url in ${MMLS_TEST_FILES[$type]}; do
+ filename=$( echo ${url} | sed 's/?[^?]*$//' )
+ filename=$( basename $(unknown) )
+
+ curl -L -o "test_data/${fuzz_target}/$(unknown)" "${url}"
+ done
+
+ (cd "test_data/${fuzz_target}" && zip ${OUT}/${fuzz_target}_seed_corpus.zip *)
+done
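Review bot: `OUT="."` on the first non-comment line replaces the `$OUT` that the OSS-Fuzz environment exports, so the `zip ${OUT}/${fuzz_target}_seed_corpus.zip` calls at the end of both loops write the archives into the working directory (the sleuthkit checkout, given the Dockerfile's WORKDIR) rather than next to the fuzzers where `*_seed_corpus.zip` files are picked up; unless build.sh copies them afterwards outside this patch, the corpora will not ship, and `OUT="${OUT:-.}"` would keep the local-run default without clobbering the exported value. The `curl -L -o … "${url}"` lines in both loops lack `-f`/`--fail`, so an HTTP error page is saved as a seed file and silently zipped, and nothing pins the downloaded images by checksum, so the corpus can change between builds with no change to this repository; `curl -L -f -o "test_data/${fuzz_target}/${filename}" "${url}"` at least makes a failed download fail the script. The `$(unknown)` token in the `basename` and `curl -o` lines appears to be a rendering artifact where the `filename` variable assigned just above was intended; worth confirming against the committed file. Finally, the header comment `# Script to downloads test data and build the corpus` should read `# Script to download test data and build the corpus`.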
diff --git a/projects/sleuthkit/sleuthkit_apfs_fuzzer.cc b/projects/sleuthkit/sleuthkit_fls_apfs_fuzzer.cc
similarity index 96%
rename from projects/sleuthkit/sleuthkit_apfs_fuzzer.cc
rename to projects/sleuthkit/sleuthkit_fls_apfs_fuzzer.cc
index a55b0db87..5c0f40272 100644
--- a/projects/sleuthkit/sleuthkit_apfs_fuzzer.cc
+++ b/projects/sleuthkit/sleuthkit_fls_apfs_fuzzer.cc
@@ -36,7 +36,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 goto out_img;
 }
 // Pool start block is APFS container specific and is hard coded for now
-pool_img = pool->get_img_info(pool, (TSK_DADDR_T) 103);
+pool_img = pool->get_img_info(pool, (TSK_DADDR_T) 106);
 if (pool_img == nullptr) {
 goto out_pool;