The main changes are:
- improvements to code injection sink analyser
- output of data about all functions into summary.json. This is useful
for e.g. comparing reports and making historical analysis.
Signed-off-by: David Korczynski <david@adalogics.com>
Update Centipede to [its latest commit
eb91dd2](eb91dd2157),
which added some new features and fixed runtime bugs found in recent
FuzzBench experiments.
When a corpus zip file is unzipped the destination folder is set to be
the directory corresponding to the filepath of the zip file but without
".zip" in the name. This is achieved by `for f in /corpus/*.zip; do
unzip -q $f -d ${f%%.*}` where `f%%.*` substitutes the path of `f` based
on the first occurrence of ".". This causes some issues with fuzztest
fuzzers where a fuzzer name always has a "." in it, e.g.
`escaping_test@EscapingTest.EscapingAStringNeverTriggersUndefinedBehavior`
Substituting the name in this way causes issues for some coverage builds
e.g.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53479
This changes it to substitute based on the last occurrence of ".", i.e.
just cutting off the ".zip".
Alternatively, we could substitute over
e.g. ".zip", however, this may cause some issues as a fuzztest fuzzer
may have ".zip" in the name.
Signed-off-by: David Korczynski <david@adalogics.com>
We can make this public if we want.
You can observe the logs in real time by clicking on "details" of trial
build, getting `$BUILD_ID` and then doing
`gsutil cat gs://oss-fuzz-trialbuild-logs/log-$BUILD_ID.txt`
Those directories aren't empty usually so `rmdir` fails with
```
INFO:fuzz_introspector.json_report:Finish handling sections that need json output
INFO:__main__:Ending fuzz introspector report generation
INFO:__main__:Ending fuzz introspector post-processing
Traceback (most recent call last):
File "/home/vagrant/oss-fuzz-2/./infra/helper.py", line 1513, in <module>
sys.exit(main())
File "/home/vagrant/oss-fuzz-2/./infra/helper.py", line 192, in main
result = introspector(args)
File "/home/vagrant/oss-fuzz-2/./infra/helper.py", line 1243, in introspector
os.rmdir(introspector_dst)
OSError: [Errno 39] Directory not empty: '/home/vagrant/oss-fuzz-2/build/out/dbus-broker/introspector-report'
```
It should make it possible to run `introspector` a few times in a row
when for example fuzz targets are changed locally between subsequent
runs.
It's a follow-up to https://github.com/google/oss-fuzz/pull/9243.
Make it possible to do a full run of introspector locally. This will
make it a lot easier for users to integrate it into the fuzzer building
workflow.
To trigger, just run: `python3 infra/helper.py introspector PROJ_NAME`
Other example commands:
`python3 infra/helper.py introspector --public-corpora PROJ_NAME` : will
download the latest public corpus for project PROJ_NAME and use that
when collecting coverage
`python3 infra/helper.py introspector --seconds=X PROJ_NAME`: will run
the fuzzers for X seconds for corpus collection
`python3 infra/helper.py introspector PROJ_NAME LOCAL_PATH` will do the
introspector run using the LOCAL_PATH as source code folder (for testing
modifications)
Ref: https://github.com/ossf/fuzz-introspector/issues/587
Signed-off-by: David Korczynski <david@adalogics.com>
by passing the "o" option to unzip to prevent it from asking whether
files should be overwritten or not when it's run a few times in a row.
It's a follow-up to 7556698dbc
Closes https://github.com/google/oss-fuzz/issues/9234
@DavidKorczynski could you take a look?
This is a follow-up to https://github.com/google/oss-fuzz/pull/9167 --
the change should also be applied in the build functions that are
responsible for downloading the corpus.
Signed-off-by: David Korczynski <david@adalogics.com>
Fix multiple bugs with shell detection:
1. We weren't correctly extracting the argument to be passed to
readlink. We needed to take the null terminator into account, as we
extract this string from memory.
2. readlink does **not** null terminate the output. Fix this.
3. `binary_name.compare(0, 2, "sh")` for detecting if the binary is "sh"
was too liberal, and included "shell_injection_poc_fuzzer" because the
prefix matched.
Also reduce some very noisy debug logging.
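Added example (not SystemSan's own code) showing the two fixes from points 2 and 3 in isolation: `readlink(2)` output is NUL-terminated explicitly, and the binary name is compared exactly against a short list of shell names instead of with a two-character prefix compare. The symlink path under `/tmp` and the shell list are assumptions for the demo; extracting the readlink argument from the tracee's memory (point 1) is not reproduced here.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Resolve a symlink into a NUL-terminated buffer. readlink(2) does NOT
 * NUL-terminate, so one byte is reserved and the terminator written by hand. */
int resolve_link(const char *linkpath, char *buf, size_t bufsz) {
  if (bufsz == 0) return -1;
  ssize_t n = readlink(linkpath, buf, bufsz - 1);
  if (n < 0) return -1;
  buf[n] = '\0';
  return 0;
}

/* Exact-match shell detection on the basename. A prefix compare such as
 * compare(0, 2, "sh") also matches "shell_injection_poc_fuzzer". */
int is_shell_binary(const char *path) {
  static const char *const shells[] = {"sh", "bash", "dash", "zsh"}; /* assumed list */
  const char *base = strrchr(path, '/');
  base = base ? base + 1 : path;
  for (size_t i = 0; i < sizeof shells / sizeof shells[0]; i++)
    if (strcmp(base, shells[i]) == 0) return 1;
  return 0;
}

/* Demo: create a constructed symlink pointing at `target` (the target need not
 * exist), resolve it the way /proc/<pid>/exe would be resolved, and report
 * whether the resolved binary is a shell. Returns 1/0, or -1 on error. */
int link_points_at_shell(const char *target) {
  const char *link = "/tmp/systemsan_example_link"; /* constructed path */
  char resolved[4096];
  unlink(link); /* ignore failure: the link may not exist yet */
  if (symlink(target, link) != 0) return -1;
  int rc = resolve_link(link, resolved, sizeof resolved);
  unlink(link);
  if (rc != 0) return -1;
  return is_shell_binary(resolved);
}

int main(void) {
  printf("/bin/sh -> %d\n", link_points_at_shell("/bin/sh"));
  printf("/out/shell_injection_poc_fuzzer -> %d\n",
         link_points_at_shell("/out/shell_injection_poc_fuzzer"));
  return 0;
}
```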
Similar to #8972, reproducing seems to assume architecture and doesn't
allow specifying a target. This PR adds the `--architecture` flag to the
reproduce command, allowing reproduction in the target platform.
Tested by running `build_fuzzers` and then `reproduce` with defaults.
Now using `--architecture aarch64` works to reproduce.
The corpus URL generated for fuzztest fuzzers is invalid due to the use
of `@` and `.` characters in the fuzzer names.
The current URL created is e.g.
`gs://fuzztest-raksha-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/fuzztest-raksha_value_test@NumberTest.RoundTripNumberThroughDatalogString/`
whereas the correct URL is
`gs://fuzztest-raksha-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/fuzztest-raksha_value_test-NumberTest-RoundTripNumberThroughDatalogString/`.
Signed-off-by: David Korczynski <david@adalogics.com>
cc @oliverchang @Alan32Liu after #9100 and #8448
After compiling locally, I can see that
`./SystemSan ./target_dns -dict=vuln.dict`
crashes in a few seconds with
```
===BUG DETECTED: Arbitrary domain name resolution===
===Domain resolved: .f.z===
===DNS request type: 0, class: 256===
==315== ERROR: libFuzzer: deadly signal
#0 0x539131 in __sanitizer_print_stack_trace /src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x457c48 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x43c923 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:233:3
#3 0x7fa57940041f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1441f) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
#4 0x7fa5793ff7db in send (/lib/x86_64-linux-gnu/libpthread.so.0+0x137db) (BuildId: 7b4536f41cdaa5888408e82d0836e33dcf436466)
#5 0x503ba4 in __interceptor_send /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:6802:17
#6 0x7fa578abf462 (/lib/x86_64-linux-gnu/libresolv.so.2+0xb462) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
#7 0x7fa578abbc43 in __res_context_query (/lib/x86_64-linux-gnu/libresolv.so.2+0x7c43) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
#8 0x7fa578abc8ed in __res_context_search (/lib/x86_64-linux-gnu/libresolv.so.2+0x88ed) (BuildId: 4519041bde5b859c55798ac0745b0b6199cb7d94)
#9 0x7fa578ad2cc1 (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2cc1) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
#10 0x7fa578ad2e8b in _nss_dns_gethostbyname3_r (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2e8b) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
#11 0x7fa578ad2f41 in _nss_dns_gethostbyname2_r (/lib/x86_64-linux-gnu/libnss_dns.so.2+0x2f41) (BuildId: 3fac4ec397ba8e8938fe298f103113f315465130)
#12 0x7fa5792fdc9d in gethostbyname2_r (/lib/x86_64-linux-gnu/libc.so.6+0x130c9d) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#13 0x7fa5792d179e (/lib/x86_64-linux-gnu/libc.so.6+0x10479e) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#14 0x7fa5792d2f58 in getaddrinfo (/lib/x86_64-linux-gnu/libc.so.6+0x105f58) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#15 0x4d93ac in getaddrinfo /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:2667:13
#16 0x56c8d9 in LLVMFuzzerTestOneInput /out/SystemSan/target_dns.cpp:35:11
#17 0x43dec3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#18 0x43d6aa in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#19 0x43ed79 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:19
#20 0x43fa45 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:895:5
#21 0x42edaf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#22 0x458402 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#23 0x7fa5791f1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#24 0x41f7ed in _start (/out/SystemSan/target_dns+0x41f7ed)
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 2 CrossOver-ManualDict- DE: "f.z"-; base unit: ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4
0x66,0x2e,0x7a,
f.z
artifact_prefix='./'; Test unit written to ./crash-926813b2d6adde373f96a10594a5314951588384
Base64: Zi56
```
You can also try
```
echo -n f.z > toto
./SystemSan ./target_dns toto
```
Co-authored-by: Oliver Chang <oliverchang@users.noreply.github.com>
Co-authored-by: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>