From 9ba905cdfce1e6e29e11d7166dfcda6c1988e028 Mon Sep 17 00:00:00 2001
From: Catena cyber <35799796+catenacyber@users.noreply.github.com>
Date: Mon, 9 Jan 2023 17:02:41 +0100
Subject: [PATCH] Differential fuzzing for libhtp-rs (#9359)

We are transitioning from libhtp C to libhtp in rust So, here is the update of the project to fuzz the coming rust version, and also do differential fuzzing between them to check that they have the same behavior...
---
 projects/libhtp/Dockerfile | 4 +++-
 projects/libhtp/build.sh | 27 +++++++++++++++++++++++++--
 projects/libhtp/multiple.txt | 11 +++++++++++
 projects/libhtp/project.yaml | 7 ++++---
 4 files changed, 43 insertions(+), 6 deletions(-)
 create mode 100755 projects/libhtp/multiple.txt
diff --git a/projects/libhtp/Dockerfile b/projects/libhtp/Dockerfile
index cb44a8fec..498efa286 100644
--- a/projects/libhtp/Dockerfile
+++ b/projects/libhtp/Dockerfile
@@ -14,8 +14,10 @@
 #
 ################################################################################
-FROM gcr.io/oss-fuzz-base/base-builder
+FROM gcr.io/oss-fuzz-base/base-builder-rust
 RUN apt-get update && apt-get install -y make autoconf automake libtool zlib1g-dev liblzma-dev
 RUN git clone --depth 1 https://github.com/OISF/libhtp.git libhtp
+RUN git clone --depth 1 https://github.com/cccs-rtmorti/libhtp-rs.git libhtp-rs
 WORKDIR $SRC
 COPY build.sh $SRC/
+COPY multiple.txt $SRC/
diff --git a/projects/libhtp/build.sh b/projects/libhtp/build.sh
index 0d32cf62d..ac062e6c1 100755
--- a/projects/libhtp/build.sh
+++ b/projects/libhtp/build.sh
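Review bot: The added `RUN git clone --depth 1 https://github.com/cccs-rtmorti/libhtp-rs.git libhtp-rs` fetches the Rust implementation from a personal GitHub account, while the C library on the line above comes from the OISF organization, and nothing in the Dockerfile records whether that fork is the intended upstream; every future build will track whatever is pushed there, unpinned. A comment above the clone, e.g. `# libhtp-rs is developed in this fork for now; main_repo in project.yaml still points at the C repository`, would let a later maintainer verify the source of the second input to the differential fuzzer, and the clone should move to the organization repository once one exists so both inputs are under the same owner.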
@@ -16,14 +16,37 @@
 ################################################################################
 # build project
+(
+cd libhtp-rs
+export CARGO_BUILD_TARGET="x86_64-unknown-linux-gnu"
+cargo fuzz build -O
+cargo fuzz list | while read i; do
+ # debug for coverage build
+ cp fuzz/target/x86_64-unknown-linux-gnu/release/$i $OUT/ || cp fuzz/target/x86_64-unknown-linux-gnu/debug/$i $OUT/
+done
+if [ "$SANITIZER" = "address" ]
+then
+ export RUSTFLAGS="$RUSTFLAGS -Cpasses=sancov-module -Cllvm-args=-sanitizer-coverage-level=4 -Cllvm-args=-sanitizer-coverage-trace-compares -Cllvm-args=-sanitizer-coverage-inline-8bit-counters -Cllvm-args=-sanitizer-coverage-trace-geps -Cllvm-args=-sanitizer-coverage-prune-blocks=0 -Cllvm-args=-sanitizer-coverage-pc-table -Clink-dead-code -Cllvm-args=-sanitizer-coverage-stack-depth"
+fi
+cat $SRC/multiple.txt | while read i; do
+ git grep $i | cut -d: -f1 | uniq | xargs sed -i -e s/$i/"$i"_rs/;
+done
+cargo build
+cp ./target/x86_64-unknown-linux-gnu/debug/libhtp.a ../libhtp-rs.a
+)
+
 cd libhtp
 sh autogen.sh
 ./configure
-make
+make -j$(nproc)
 $CC $CFLAGS -I. -c test/fuzz/fuzz_htp.c -o fuzz_htp.o
 $CC $CFLAGS -I. -c test/test.c -o test.o
-$CXX $CXXFLAGS fuzz_htp.o test.o -o $OUT/fuzz_htp ./htp/.libs/libhtp.a $LIB_FUZZING_ENGINE -lz -llzma
+$CXX $CXXFLAGS fuzz_htp.o test.o -o $OUT/fuzz_htp_c ./htp/.libs/libhtp.a $LIB_FUZZING_ENGINE -lz -llzma
+
+$CC $CFLAGS -I. -c test/fuzz/fuzz_diff.c -o fuzz_diff.o
+$CXX $CXXFLAGS fuzz_diff.o test.o -o $OUT/fuzz_diff ./htp/.libs/libhtp.a ../libhtp-rs.a $LIB_FUZZING_ENGINE -lz -llzma
 # builds corpus
 zip -r $OUT/fuzz_htp_seed_corpus.zip test/files/*.t
+zip -r $OUT/fuzz_diff_seed_corpus.zip test/files/*.t
diff --git a/projects/libhtp/multiple.txt b/projects/libhtp/multiple.txt
new file mode 100755
index 000000000..63c258df4
--- /dev/null
+++ b/projects/libhtp/multiple.txt
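Review bot: The symbol-rename loop (`cat $SRC/multiple.txt | while read i; do git grep $i | cut -d: -f1 | uniq | xargs sed -i -e s/$i/"$i"_rs/; done`) rewrites only the first occurrence per line because the `s///` has no `g` flag, so a line that references the same symbol twice keeps the second one under its C name; that would most likely surface as an unresolved name in the following `cargo build` rather than being caught here, and inside a string or comment it would pass silently. The list entries are also expanded unquoted both as the `git grep` pattern and inside the sed script, and `read` is used without `-r`, so any future entry with regex metacharacters or a backslash is mangled before sed sees it; the same unquoted `$i`/`$OUT` appear in the `cargo fuzz list` copy loop above. Because `htp_connp_` in the list is deliberately a prefix, a trailing word-boundary anchor cannot be applied uniformly, so the safe minimum is quoting, `-r`, `git grep -l` (dropping the `cut | uniq` stage) and the `g` flag, plus a comment stating that the entries are plain identifiers renamed with an `_rs` suffix so the C and Rust archives can be linked into one `fuzz_diff` binary.

```sh
# … unchanged: cargo fuzz build / copy loop / RUSTFLAGS block …
# Entries are plain identifiers (htp_connp_ is a deliberate prefix); each is
# renamed with an _rs suffix so libhtp.a and libhtp-rs.a can be linked together.
while IFS= read -r sym; do
  [ -n "$sym" ] || continue
  git grep -l -F -e "$sym" | xargs -r sed -i -e "s/$sym/${sym}_rs/g"
done < "$SRC/multiple.txt"
# … unchanged: cargo build and archive copy …
```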
@@ -0,0 +1,11 @@
+bstr_alloc
+bstr_free
+bstr_cmp_c
+bstr_dup_c
+bstr_util_strdup_to_c
+bstr_len
+bstr_ptr
+htp_connp_
+htp_tx_destroy
+htp_tx_set_user_data
+htp_tx_register_response_body_data
diff --git a/projects/libhtp/project.yaml b/projects/libhtp/project.yaml
index 753887a28..151f8cef8 100644
--- a/projects/libhtp/project.yaml
+++ b/projects/libhtp/project.yaml
@@ -1,5 +1,5 @@
 homepage: "https://github.com/OISF/libhtp"
-language: c++
+language: rust
 primary_contact: "vjulien@openinfosecfoundation.org"
 auto_ccs :
 - "p.antoine@catenacyber.fr"
@@ -9,5 +9,6 @@ sanitizers:
 - address
 # Disabled MSAN because of https://github.com/google/oss-fuzz/issues/6294
 # - memory
-- undefined
-main_repo: 'https://github.com/OISF/libhtp.git'
\ No newline at end of file
+fuzzing_engines:
+ - libfuzzer
+main_repo: 'https://github.com/OISF/libhtp.git'
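Review bot: The new word list is created executable (`new file mode 100755` in the file header, `create mode 100755` in the diffstat) although build.sh only reads it, so the mode should be 100644. The file cannot carry a header comment because build.sh feeds every line to `git grep` and `sed`, which means the meaning of the entries — and in particular that `htp_connp_` is a prefix while the others are presumably whole symbol names — needs to be documented in build.sh next to the loop that consumes it.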
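Review bot: Removing `- undefined` from `sanitizers:` drops UBSan coverage for the C library, which this commit still builds and ships as `fuzz_htp_c`, and unlike the `# - memory` line just above it there is no comment recording why. If the removal is forced by the Rust side of the build, a comment in the style of the existing one, e.g. `# undefined disabled: <reason or issue link placeholder>`, keeps the decision reviewable; otherwise `undefined` should stay so the C target keeps the bug-class coverage it had. Switching `language: c++` to `language: rust` in the first hunk also changes the toolchain defaults OSS-Fuzz applies to a project that now contains both C and Rust targets, which is worth confirming against the C target's sanitizer flags.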