oss-fuzz/projects/mysql-server/targets/fuzz_mysqld.cc

//#include <stdint.h>
//#include <stdlib.h>
//#include <stdio.h>
//#include <string>
//#include <iostream>
//#include <mysql.h>
//#include <mysql/client_plugin.h>
//#include <mysqld_error.h>
#include "sql/sql_class.h"
#include "sql/protocol_classic.h"
#include "sql/conn_handler/channel_info.h"
#include "sql/conn_handler/connection_handler.h"
#include "sql/conn_handler/connection_handler_manager.h"
#include "sql/conn_handler/init_net_server_extension.h"
#include "sql/conn_handler/connection_handler_impl.h"
#include "sql/mysqld.h"
#include "sql/set_var.h"
#include "sql/rpl_handler.h"
#include "sql/log.h"
#include "sql/opt_costconstantcache.h"
#include "sql/sql_plugin.h"
#include "sql/sql_thd_internal_api.h"
#include "sql/mysqld_thd_manager.h"
#include "mysql/psi/mysql_socket.h"
#include "violite.h"
#include "util_fuzz.h"
#include <stdlib.h>
#include <libgen.h>

using namespace std;
FILE *logfile = NULL;
extern int mysqld_main(int argc, char **argv);
char *filepath = NULL;

extern "C" int LLVMFuzzerInitialize(const int* argc, char*** argv) {
    filepath = dirname(strdup((*argv)[0]));
    return 0;
}

class Channel_info_fuzz : public Channel_info {
    bool m_is_admin_conn;

    protected:
    virtual Vio *create_and_init_vio() const {
        Vio *vio = vio_new(0, VIO_TYPE_FUZZ, VIO_LOCALHOST);
        return vio;
    }

    public:
    Channel_info_fuzz(bool is_admin_conn) : m_is_admin_conn(is_admin_conn) {}

    virtual THD *create_thd() {
        Vio *vio_tmp = create_and_init_vio();
        if (vio_tmp == NULL) return NULL;

        THD *thd = new (std::nothrow) THD();
        if (thd == NULL) {
            vio_delete(vio_tmp);
            return NULL;
        }
        thd->get_protocol_classic()->init_net(vio_tmp);
        thd->set_admin_connection(m_is_admin_conn);
        init_net_server_extension(thd);
        return thd;
    }

    virtual bool is_admin_connection() const { return m_is_admin_conn; }
};

static void try_connection(Channel_info *channel_info) {
    if (my_thread_init()) {
        channel_info->send_error_and_close_channel(ER_OUT_OF_RESOURCES, 0, false);
        return;
    }

    THD *thd = channel_info->create_thd();
    if (thd == NULL) {
        channel_info->send_error_and_close_channel(ER_OUT_OF_RESOURCES, 0, false);
        return;
    }

    thd->set_new_thread_id();

    /*
     handle_one_connection() is normally the only way a thread would
     start and would always be on the very high end of the stack ,
     therefore, the thread stack always starts at the address of the
     first local variable of handle_one_connection, which is thd. We
     need to know the start of the stack so that we could check for
     stack overruns.
     */
    thd_set_thread_stack(thd, (char *)&thd);
    thd->store_globals();

    mysql_thread_set_psi_id(thd->thread_id());
    mysql_socket_set_thread_owner(
                                  thd->get_protocol_classic()->get_vio()->mysql_socket);

    Global_THD_manager *thd_manager = Global_THD_manager::get_instance();
    thd_manager->add_thd(thd);

    if (!thd_prepare_connection(thd)) {
        //authentication bypass
        abort();
    }
    delete channel_info;
    close_connection(thd, 0, false, false);
    thd->release_resources();
    thd_manager->remove_thd(thd);
    delete thd;
}


#define MAX_SIZE 256

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if (Size < 1) {
        return 0;
    }
    if (logfile == NULL) {
        my_progname = "fuzz_mysqld";
        /* first init was run with
         * mysqld --user=root --initialize-insecure --log-error-verbosity=5 --datadir=/out/mysql/data/ --basedir=/out/mysql/
         */
        utilfuzz_rmrf("/tmp/mysqld");
        char command[MAX_SIZE];
        char argbase[MAX_SIZE];
        char arginitfile[MAX_SIZE];
        snprintf(command, MAX_SIZE-1, "%s/mysql/data", filepath);
        utilfuzz_cpr(command, "/tmp/mysqld");

        snprintf(argbase, MAX_SIZE-1, "--basedir=%s/mysql/", filepath);
        snprintf(arginitfile, MAX_SIZE-1, "--init-file=%s/init.sql", filepath);
        char *fakeargv[] = {const_cast<char *>("fuzz_mysqld"),
            const_cast<char *>("--user=root"),
            const_cast<char *>("--secure-file-priv=NULL"),
            const_cast<char *>("--log-error-verbosity=5"),
            const_cast<char *>("--explicit_defaults_for_timestamp"),
            //we should adapt vio_fuzz to give a socket to openssl in order to support ssl
            const_cast<char *>("--skip-ssl"),
            const_cast<char *>("--mysqlx=0"),
            const_cast<char *>("--event-scheduler=DISABLED"),
            const_cast<char *>("--performance_schema=OFF"),
            const_cast<char *>("--thread_stack=1048576"),
            const_cast<char *>("--datadir=/tmp/mysqld/"),
            const_cast<char *>("--port=3303"),
            const_cast<char *>("--socket=/tmp/mysqld.sock"),
            const_cast<char *>(argbase),
            const_cast<char *>(arginitfile),
            0};
        int fakeargc = 15;
        mysqld_main(fakeargc, fakeargv);
        //terminate_compress_gtid_table_thread();

        logfile = fopen("/dev/null", "w");
    }
    // The fuzzing takes place on network data received from client
    sock_initfuzz(Data,Size-1);

    Channel_info_fuzz *channel_info = new (std::nothrow) Channel_info_fuzz(Data[Size-1] & 0x80);
    try_connection(channel_info);

    return 0;
}