mirror of https://github.com/google/oss-fuzz.git
854 lines
25 KiB
Python
Executable File
854 lines
25 KiB
Python
Executable File
#!/usr/bin/env python
|
|
# Copyright 2016 Google Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
################################################################################
|
|
|
|
from __future__ import print_function
|
|
from multiprocessing.dummy import Pool as ThreadPool
|
|
import argparse
|
|
import datetime
|
|
import errno
|
|
import multiprocessing
|
|
import os
|
|
import pipes
|
|
import re
|
|
import subprocess
|
|
import sys
|
|
import tempfile
|
|
import templates
|
|
|
|
OSSFUZZ_DIR = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
|
|
BUILD_DIR = os.path.join(OSSFUZZ_DIR, 'build')
|
|
|
|
BASE_IMAGES = [
|
|
'gcr.io/oss-fuzz-base/base-image',
|
|
'gcr.io/oss-fuzz-base/base-clang',
|
|
'gcr.io/oss-fuzz-base/base-builder',
|
|
'gcr.io/oss-fuzz-base/base-runner',
|
|
'gcr.io/oss-fuzz-base/base-runner-debug',
|
|
'gcr.io/oss-fuzz-base/base-msan-builder',
|
|
'gcr.io/oss-fuzz-base/msan-builder',
|
|
]
|
|
|
|
VALID_PROJECT_NAME_REGEX = re.compile(r'^[a-zA-Z0-9_-]+$')
|
|
MAX_PROJECT_NAME_LENGTH = 26
|
|
|
|
if sys.version_info[0] >= 3:
|
|
raw_input = input
|
|
|
|
CORPUS_URL_FORMAT = (
|
|
'gs://{project_name}-corpus.clusterfuzz-external.appspot.com/libFuzzer/'
|
|
'{fuzz_target}/')
|
|
CORPUS_BACKUP_URL_FORMAT = (
|
|
'gs://{project_name}-backup.clusterfuzz-external.appspot.com/corpus/'
|
|
'libFuzzer/{fuzz_target}/')
|
|
|
|
|
|
def main():
|
|
os.chdir(OSSFUZZ_DIR)
|
|
if not os.path.exists(BUILD_DIR):
|
|
os.mkdir(BUILD_DIR)
|
|
|
|
parser = argparse.ArgumentParser('helper.py', description='oss-fuzz helpers')
|
|
subparsers = parser.add_subparsers(dest='command')
|
|
|
|
generate_parser = subparsers.add_parser(
|
|
'generate', help='Generate files for new project.')
|
|
generate_parser.add_argument('project_name')
|
|
|
|
build_image_parser = subparsers.add_parser(
|
|
'build_image', help='Build an image.')
|
|
build_image_parser.add_argument('project_name')
|
|
build_image_parser.add_argument('--pull', action='store_true',
|
|
help='Pull latest base image.')
|
|
build_image_parser.add_argument('--no-pull', action='store_true',
|
|
help='Do not pull latest base image.')
|
|
|
|
build_fuzzers_parser = subparsers.add_parser(
|
|
'build_fuzzers', help='Build fuzzers for a project.')
|
|
_add_engine_args(build_fuzzers_parser)
|
|
_add_sanitizer_args(build_fuzzers_parser)
|
|
_add_environment_args(build_fuzzers_parser)
|
|
build_fuzzers_parser.add_argument('project_name')
|
|
build_fuzzers_parser.add_argument('source_path', help='path of local source',
|
|
nargs='?')
|
|
build_fuzzers_parser.add_argument('--clean', dest='clean',
|
|
action='store_true',
|
|
help='clean existing artifacts.')
|
|
build_fuzzers_parser.add_argument('--no-clean', dest='clean',
|
|
action='store_false',
|
|
help='do not clean existing artifacts '
|
|
'(default).')
|
|
build_fuzzers_parser.set_defaults(clean=False)
|
|
|
|
check_build_parser = subparsers.add_parser(
|
|
'check_build', help='Checks that fuzzers execute without errors.')
|
|
_add_engine_args(check_build_parser)
|
|
_add_sanitizer_args(check_build_parser)
|
|
_add_environment_args(check_build_parser)
|
|
check_build_parser.add_argument('project_name', help='name of the project')
|
|
check_build_parser.add_argument('fuzzer_name', help='name of the fuzzer',
|
|
nargs='?')
|
|
|
|
run_fuzzer_parser = subparsers.add_parser(
|
|
'run_fuzzer', help='Run a fuzzer.')
|
|
_add_engine_args(run_fuzzer_parser)
|
|
_add_environment_args(run_fuzzer_parser)
|
|
run_fuzzer_parser.add_argument('project_name', help='name of the project')
|
|
run_fuzzer_parser.add_argument('fuzzer_name', help='name of the fuzzer')
|
|
run_fuzzer_parser.add_argument('fuzzer_args', help='arguments to pass to the fuzzer',
|
|
nargs=argparse.REMAINDER)
|
|
|
|
coverage_parser = subparsers.add_parser(
|
|
'coverage', help='Run a fuzzer for a while and generate coverage.')
|
|
coverage_parser.add_argument('--run_time', default=60,
|
|
help='time in seconds to run fuzzer')
|
|
coverage_parser.add_argument('project_name', help='name of the project')
|
|
coverage_parser.add_argument('fuzzer_name', help='name of the fuzzer')
|
|
coverage_parser.add_argument('fuzzer_args', help='arguments to pass to the fuzzer',
|
|
nargs=argparse.REMAINDER)
|
|
|
|
profile_parser = subparsers.add_parser(
|
|
'profile', help='Generate code coverage report for the project.')
|
|
profile_parser.add_argument('--no-corpus-download', action='store_true',
|
|
help='do not download corpus backup from OSS-Fuzz; '
|
|
'use corpus located in build/corpus/<project>/<fuzz_target>/')
|
|
profile_parser.add_argument('--port', default='8008', help='specify port for '
|
|
'a local HTTP server rendering coverage report')
|
|
profile_parser.add_argument('--fuzz-target', help='specify name of a fuzz '
|
|
'target to be run for generating coverage report')
|
|
profile_parser.add_argument('--corpus-dir', help='specify location of corpus '
|
|
'to be used (requires --fuzz-target argument)')
|
|
profile_parser.add_argument('project_name', help='name of the project')
|
|
profile_parser.add_argument('extra_args', help='additional arguments to '
|
|
'pass to llvm-cov utility.', nargs='*')
|
|
|
|
reproduce_parser = subparsers.add_parser(
|
|
'reproduce', help='Reproduce a crash.')
|
|
reproduce_parser.add_argument('--valgrind', action='store_true',
|
|
help='run with valgrind')
|
|
reproduce_parser.add_argument('project_name', help='name of the project')
|
|
reproduce_parser.add_argument('fuzzer_name', help='name of the fuzzer')
|
|
reproduce_parser.add_argument('testcase_path', help='path of local testcase')
|
|
reproduce_parser.add_argument('fuzzer_args', help='arguments to pass to the fuzzer',
|
|
nargs=argparse.REMAINDER)
|
|
_add_environment_args(reproduce_parser)
|
|
|
|
shell_parser = subparsers.add_parser(
|
|
'shell', help='Run /bin/bash in an image.')
|
|
shell_parser.add_argument('project_name', help='name of the project')
|
|
_add_engine_args(shell_parser)
|
|
_add_sanitizer_args(shell_parser)
|
|
_add_environment_args(shell_parser)
|
|
|
|
pull_images_parser = subparsers.add_parser('pull_images',
|
|
help='Pull base images.')
|
|
|
|
args = parser.parse_args()
|
|
if args.command == 'generate':
|
|
return generate(args)
|
|
elif args.command == 'build_image':
|
|
return build_image(args)
|
|
elif args.command == 'build_fuzzers':
|
|
return build_fuzzers(args)
|
|
elif args.command == 'check_build':
|
|
return check_build(args)
|
|
elif args.command == 'run_fuzzer':
|
|
return run_fuzzer(args)
|
|
elif args.command == 'coverage':
|
|
return coverage(args)
|
|
elif args.command == 'profile':
|
|
return profile(args)
|
|
elif args.command == 'reproduce':
|
|
return reproduce(args)
|
|
elif args.command == 'shell':
|
|
return shell(args)
|
|
elif args.command == 'pull_images':
|
|
return pull_images(args)
|
|
|
|
return 0
|
|
|
|
|
|
def _is_base_image(image_name):
|
|
"""Checks if the image name is a base image."""
|
|
return os.path.exists(os.path.join('infra', 'base-images', image_name))
|
|
|
|
|
|
def _check_project_exists(project_name):
|
|
"""Checks if a project exists."""
|
|
if not os.path.exists(_get_project_dir(project_name)):
|
|
print(project_name, 'does not exist', file=sys.stderr)
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
def _check_fuzzer_exists(project_name, fuzzer_name):
|
|
"""Checks if a fuzzer exists."""
|
|
command = ['docker', 'run', '--rm']
|
|
command.extend(['-v', '%s:/out' % _get_output_dir(project_name)])
|
|
command.append('ubuntu:16.04')
|
|
|
|
command.extend(['/bin/bash', '-c', 'test -f /out/%s' % fuzzer_name])
|
|
|
|
try:
|
|
subprocess.check_call(command)
|
|
except subprocess.CalledProcessError:
|
|
print(fuzzer_name,
|
|
'does not seem to exist. Please run build_fuzzers first.',
|
|
file=sys.stderr)
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
def _get_absolute_path(path):
|
|
"""Returns absolute path with user expansion."""
|
|
return os.path.abspath(os.path.expanduser(path))
|
|
|
|
|
|
def _get_command_string(command):
|
|
"""Returns a shell escaped command string."""
|
|
return ' '.join(pipes.quote(part) for part in command)
|
|
|
|
|
|
def _get_project_dir(project_name):
|
|
"""Returns path to the project."""
|
|
return os.path.join(OSSFUZZ_DIR, 'projects', project_name)
|
|
|
|
|
|
def _get_dockerfile_path(project_name):
|
|
"""Returns path to the project Dockerfile."""
|
|
return os.path.join(_get_project_dir(project_name), 'Dockerfile')
|
|
|
|
|
|
def _get_corpus_dir(project_name=''):
|
|
"""Returns path to /corpus directory for the given project (if specified)."""
|
|
return os.path.join(BUILD_DIR, 'corpus', project_name)
|
|
|
|
|
|
def _get_output_dir(project_name=''):
|
|
"""Returns path to /out directory for the given project (if specified)."""
|
|
return os.path.join(BUILD_DIR, 'out', project_name)
|
|
|
|
|
|
def _get_work_dir(project_name=''):
|
|
"""Returns path to /work directory for the given project (if specified)."""
|
|
return os.path.join(BUILD_DIR, 'work', project_name)
|
|
|
|
|
|
def _add_engine_args(parser):
|
|
"""Add common engine args."""
|
|
parser.add_argument('--engine', default='libfuzzer',
|
|
choices=['libfuzzer', 'afl', 'honggfuzz', 'none'])
|
|
|
|
|
|
def _add_sanitizer_args(parser):
|
|
"""Add common sanitizer args."""
|
|
parser.add_argument('--sanitizer', default='address',
|
|
choices=['address', 'memory', 'undefined', 'coverage', 'profile'])
|
|
|
|
|
|
def _add_environment_args(parser):
|
|
"""Add common environment args."""
|
|
parser.add_argument('-e', action='append',
|
|
help="set environment variable e.g. VAR=value")
|
|
|
|
|
|
def _build_image(image_name, no_cache=False, pull=False):
|
|
"""Build image."""
|
|
|
|
is_base_image = _is_base_image(image_name)
|
|
if is_base_image:
|
|
image_project = 'oss-fuzz-base'
|
|
dockerfile_dir = os.path.join('infra', 'base-images', image_name)
|
|
else:
|
|
image_project = 'oss-fuzz'
|
|
if not _check_project_exists(image_name):
|
|
return False
|
|
|
|
dockerfile_dir = os.path.join('projects', image_name)
|
|
|
|
build_args = []
|
|
if no_cache:
|
|
build_args.append('--no-cache')
|
|
|
|
build_args += ['-t', 'gcr.io/%s/%s' % (image_project, image_name), dockerfile_dir]
|
|
|
|
return docker_build(build_args, pull=pull)
|
|
|
|
|
|
def _env_to_docker_args(env_list):
|
|
"""Turn envirnoment variable list into docker arguments."""
|
|
return sum([['-e', v] for v in env_list], [])
|
|
|
|
|
|
def _workdir_from_dockerfile(project_name):
|
|
"""Parse WORKDIR from the Dockerfile for the given project."""
|
|
WORKDIR_REGEX = re.compile(r'\s*WORKDIR\s*([^\s]+)')
|
|
dockerfile_path = _get_dockerfile_path(project_name)
|
|
|
|
with open(dockerfile_path) as f:
|
|
lines = f.readlines()
|
|
|
|
for line in reversed(lines): # reversed to get last WORKDIR.
|
|
match = re.match(WORKDIR_REGEX, line)
|
|
if match:
|
|
workdir = match.group(1)
|
|
workdir = workdir.replace('$SRC', '/src')
|
|
|
|
if not os.path.isabs(workdir):
|
|
workdir = os.path.join('/src', workdir)
|
|
|
|
return os.path.normpath(workdir)
|
|
|
|
return os.path.join('/src', project_name)
|
|
|
|
|
|
def docker_run(run_args, print_output=True):
|
|
"""Call `docker run`."""
|
|
command = ['docker', 'run', '--rm', '-i', '--privileged']
|
|
command.extend(run_args)
|
|
|
|
print('Running:', _get_command_string(command))
|
|
stdout = None
|
|
if not print_output:
|
|
stdout = open(os.devnull, 'w')
|
|
|
|
try:
|
|
subprocess.check_call(command, stdout=stdout, stderr=subprocess.STDOUT)
|
|
except subprocess.CalledProcessError as e:
|
|
return e.returncode
|
|
|
|
return 0
|
|
|
|
|
|
def docker_build(build_args, pull=False):
|
|
"""Call `docker build`."""
|
|
command = ['docker', 'build']
|
|
if pull:
|
|
command.append('--pull')
|
|
|
|
command.extend(build_args)
|
|
print('Running:', _get_command_string(command))
|
|
|
|
try:
|
|
subprocess.check_call(command)
|
|
except subprocess.CalledProcessError:
|
|
print('docker build failed.', file=sys.stderr)
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
def docker_pull(image, pull=False):
|
|
"""Call `docker pull`."""
|
|
command = ['docker', 'pull', image]
|
|
print('Running:', _get_command_string(command))
|
|
|
|
try:
|
|
subprocess.check_call(command)
|
|
except subprocess.CalledProcessError:
|
|
print('docker pull failed.', file=sys.stderr)
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
def build_image(args):
|
|
"""Build docker image."""
|
|
if args.pull and args.no_pull:
|
|
print('Incompatible arguments --pull and --no-pull.')
|
|
return 1
|
|
|
|
if args.pull:
|
|
pull = True
|
|
elif args.no_pull:
|
|
pull = False
|
|
else:
|
|
y_or_n = raw_input('Pull latest base images (compiler/runtime)? (y/N): ')
|
|
pull = y_or_n.lower() == 'y'
|
|
|
|
if pull:
|
|
print('Pulling latest base images...')
|
|
else:
|
|
print('Using cached base images...')
|
|
|
|
# If build_image is called explicitly, don't use cache.
|
|
if _build_image(args.project_name, no_cache=True, pull=pull):
|
|
return 0
|
|
|
|
return 1
|
|
|
|
|
|
def build_fuzzers(args):
|
|
"""Build fuzzers."""
|
|
project_name = args.project_name
|
|
if not _build_image(args.project_name):
|
|
return 1
|
|
|
|
project_out_dir = _get_output_dir(project_name)
|
|
if args.clean:
|
|
print('Cleaning existing build artifacts.')
|
|
|
|
# Clean old and possibly conflicting artifacts in project's out directory.
|
|
docker_run([
|
|
'-v', '%s:/out' % project_out_dir,
|
|
'-t', 'gcr.io/oss-fuzz/%s' % project_name,
|
|
'/bin/bash', '-c', 'rm -rf /out/*'
|
|
])
|
|
else:
|
|
print('Keeping existing build artifacts as-is (if any).')
|
|
|
|
env = [
|
|
'FUZZING_ENGINE=' + args.engine,
|
|
'SANITIZER=' + args.sanitizer
|
|
]
|
|
if args.e:
|
|
env += args.e
|
|
|
|
project_work_dir = _get_work_dir(project_name)
|
|
|
|
# Copy instrumented libraries.
|
|
if args.sanitizer == 'memory':
|
|
docker_run([
|
|
'-v', '%s:/work' % project_work_dir,
|
|
'gcr.io/oss-fuzz-base/msan-builder',
|
|
'bash', '-c', 'cp -r /msan /work'])
|
|
env.append('MSAN_LIBS_PATH=' + '/work/msan')
|
|
|
|
command = (
|
|
['docker', 'run', '--rm', '-i', '--cap-add', 'SYS_PTRACE'] +
|
|
_env_to_docker_args(env))
|
|
if args.source_path:
|
|
workdir = _workdir_from_dockerfile(args.project_name)
|
|
if workdir == '/src':
|
|
print('Cannot use local checkout with "WORKDIR /src".', file=sys.stderr)
|
|
return 1
|
|
|
|
command += [
|
|
'-v',
|
|
'%s:%s' % (_get_absolute_path(args.source_path), workdir),
|
|
]
|
|
command += [
|
|
'-v', '%s:/out' % project_out_dir,
|
|
'-v', '%s:/work' % project_work_dir,
|
|
'-t', 'gcr.io/oss-fuzz/%s' % project_name
|
|
]
|
|
|
|
print('Running:', _get_command_string(command))
|
|
|
|
try:
|
|
subprocess.check_call(command)
|
|
except subprocess.CalledProcessError:
|
|
print('Fuzzers build failed.', file=sys.stderr)
|
|
return 1
|
|
|
|
# Patch MSan builds to use instrumented shared libraries.
|
|
if args.sanitizer == 'memory':
|
|
docker_run([
|
|
'-v', '%s:/out' % project_out_dir,
|
|
'-v', '%s:/work' % project_work_dir
|
|
] + _env_to_docker_args(env) + [
|
|
'gcr.io/oss-fuzz-base/base-msan-builder',
|
|
'patch_build.py', '/out'
|
|
])
|
|
|
|
return 0
|
|
|
|
|
|
def check_build(args):
|
|
"""Checks that fuzzers in the container execute without errors."""
|
|
if not _check_project_exists(args.project_name):
|
|
return 1
|
|
|
|
if (args.fuzzer_name and
|
|
not _check_fuzzer_exists(args.project_name, args.fuzzer_name)):
|
|
return 1
|
|
|
|
env = [
|
|
'FUZZING_ENGINE=' + args.engine,
|
|
'SANITIZER=' + args.sanitizer
|
|
]
|
|
if args.e:
|
|
env += args.e
|
|
|
|
run_args = _env_to_docker_args(env) + [
|
|
'-v', '%s:/out' % _get_output_dir(args.project_name),
|
|
'-t', 'gcr.io/oss-fuzz-base/base-runner'
|
|
]
|
|
|
|
if args.fuzzer_name:
|
|
run_args += [
|
|
'bad_build_check',
|
|
os.path.join('/out', args.fuzzer_name)
|
|
]
|
|
else:
|
|
run_args.append('test_all')
|
|
|
|
exit_code = docker_run(run_args)
|
|
if exit_code == 0:
|
|
print('Check build passed.')
|
|
else:
|
|
print('Check build failed.')
|
|
|
|
return exit_code
|
|
|
|
|
|
def _get_fuzz_targets(project_name):
|
|
"""Return names of fuzz targest build in the project's /out directory."""
|
|
fuzz_targets = []
|
|
for name in os.listdir(_get_output_dir(project_name)):
|
|
path = os.path.join(_get_output_dir(project_name), name)
|
|
if os.path.isfile(path) and os.access(path, os.X_OK):
|
|
fuzz_targets.append(name)
|
|
|
|
return fuzz_targets
|
|
|
|
|
|
def _get_latest_corpus(project_name, fuzz_target, base_corpus_dir):
|
|
"""Download the latest corpus for the given fuzz target."""
|
|
corpus_dir = os.path.join(base_corpus_dir, fuzz_target)
|
|
if not os.path.exists(corpus_dir):
|
|
os.makedirs(corpus_dir)
|
|
|
|
if not fuzz_target.startswith(project_name):
|
|
fuzz_target = '%s_%s' % (project_name, fuzz_target)
|
|
|
|
corpus_backup_url = CORPUS_BACKUP_URL_FORMAT.format(project_name=project_name,
|
|
fuzz_target=fuzz_target)
|
|
command = [
|
|
'gsutil',
|
|
'ls',
|
|
corpus_backup_url
|
|
]
|
|
|
|
corpus_listing = subprocess.Popen(
|
|
command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
output, error = corpus_listing.communicate()
|
|
|
|
# Some fuzz targets (e.g. new ones) may not have corpus yet, just skip those.
|
|
if corpus_listing.returncode:
|
|
print('WARNING: corpus for {0} not found:\n{1}'.format(fuzz_target, error),
|
|
file=sys.stderr)
|
|
return
|
|
|
|
if output:
|
|
latest_backup_url = output.splitlines()[-1]
|
|
archive_path = corpus_dir + '.zip'
|
|
command = [
|
|
'gsutil',
|
|
'-q',
|
|
'cp',
|
|
latest_backup_url,
|
|
archive_path
|
|
]
|
|
subprocess.check_call(command)
|
|
|
|
command = [
|
|
'unzip',
|
|
'-q',
|
|
'-o',
|
|
archive_path,
|
|
'-d',
|
|
corpus_dir
|
|
]
|
|
subprocess.check_call(command)
|
|
os.remove(archive_path)
|
|
else:
|
|
# Sync the working corpus copy if a minimized backup is not available.
|
|
corpus_url = CORPUS_URL_FORMAT.format(project_name=project_name,
|
|
fuzz_target=fuzz_target)
|
|
command = [
|
|
'gsutil',
|
|
'-m',
|
|
'-q',
|
|
'rsync',
|
|
'-R',
|
|
corpus_url,
|
|
corpus_dir
|
|
]
|
|
subprocess.check_call(command)
|
|
|
|
|
|
def download_corpus(args):
|
|
"""Download most recent corpus from GCS for the given project."""
|
|
try:
|
|
with open(os.devnull, 'w') as stdout:
|
|
subprocess.check_call(['gsutil', '--version'], stdout=stdout)
|
|
except OSError:
|
|
print('ERROR: gsutil not found. Please install it from '
|
|
'https://cloud.google.com/storage/docs/gsutil_install',
|
|
file=sys.stderr)
|
|
return False
|
|
|
|
if args.fuzz_target:
|
|
fuzz_targets = [args.fuzz_target]
|
|
else:
|
|
fuzz_targets = _get_fuzz_targets(args.project_name)
|
|
|
|
corpus_dir = _get_corpus_dir(args.project_name)
|
|
if not os.path.exists(corpus_dir):
|
|
os.makedirs(corpus_dir)
|
|
|
|
def _download_for_single_target(fuzz_target):
|
|
try:
|
|
_get_latest_corpus(args.project_name, fuzz_target, corpus_dir)
|
|
return True
|
|
except Exception as e:
|
|
print('ERROR: corpus download for %s failed: %s' % (fuzz_target, str(e)),
|
|
file=sys.stderr)
|
|
return False
|
|
|
|
print('Downloading corpus for %s project' % args.project_name)
|
|
thread_pool = ThreadPool(multiprocessing.cpu_count())
|
|
return all(thread_pool.map(_download_for_single_target, fuzz_targets))
|
|
|
|
|
|
def profile(args):
|
|
"""Generate code coverage using clang source based code coverage."""
|
|
if args.corpus_dir and not args.fuzz_target:
|
|
print('ERROR: --corpus-dir requires specifying a particular fuzz target '
|
|
'using --fuzz-target',
|
|
file=sys.stderr)
|
|
return 1
|
|
|
|
if not _check_project_exists(args.project_name):
|
|
return 1
|
|
|
|
if not args.no_corpus_download and not args.corpus_dir:
|
|
if not download_corpus(args):
|
|
return 1
|
|
|
|
env = [
|
|
'FUZZING_ENGINE=libfuzzer',
|
|
'PROJECT=%s' % args.project_name,
|
|
'SANITIZER=profile',
|
|
'HTTP_PORT=%s' % args.port,
|
|
'COVERAGE_EXTRA_ARGS=%s' % ' '.join(args.extra_args),
|
|
]
|
|
|
|
run_args = _env_to_docker_args(env)
|
|
|
|
if args.corpus_dir:
|
|
if not os.path.exists(args.corpus_dir):
|
|
print('ERROR: the path provided in --corpus-dir argument does not exist',
|
|
file=sys.stderr)
|
|
return 1
|
|
corpus_dir = os.path.realpath(args.corpus_dir)
|
|
run_args.extend(['-v', '%s:/corpus/%s' % (corpus_dir, args.fuzz_target)])
|
|
else:
|
|
run_args.extend(['-v', '%s:/corpus' % _get_corpus_dir(args.project_name)])
|
|
|
|
run_args.extend([
|
|
'-v', '%s:/out' % _get_output_dir(args.project_name),
|
|
'-p', '%s:%s' % (args.port, args.port),
|
|
'-t', 'gcr.io/oss-fuzz-base/base-runner',
|
|
])
|
|
|
|
run_args.append('coverage')
|
|
if args.fuzz_target:
|
|
run_args.append(args.fuzz_target)
|
|
|
|
exit_code = docker_run(run_args)
|
|
if exit_code == 0:
|
|
print('Successfully generated clang code coverage report.')
|
|
else:
|
|
print('Failed to generate clang code coverage report.')
|
|
|
|
return exit_code
|
|
|
|
|
|
def run_fuzzer(args):
|
|
"""Runs a fuzzer in the container."""
|
|
if not _check_project_exists(args.project_name):
|
|
return 1
|
|
|
|
if not _check_fuzzer_exists(args.project_name, args.fuzzer_name):
|
|
return 1
|
|
|
|
env = ['FUZZING_ENGINE=' + args.engine]
|
|
if args.e:
|
|
env += args.e
|
|
|
|
run_args = _env_to_docker_args(env) + [
|
|
'-v', '%s:/out' % _get_output_dir(args.project_name),
|
|
'-t', 'gcr.io/oss-fuzz-base/base-runner',
|
|
'run_fuzzer',
|
|
args.fuzzer_name,
|
|
] + args.fuzzer_args
|
|
|
|
return docker_run(run_args)
|
|
|
|
|
|
def coverage(args):
|
|
"""Runs a fuzzer in the container."""
|
|
if not _check_project_exists(args.project_name):
|
|
return 1
|
|
|
|
if not _check_fuzzer_exists(args.project_name, args.fuzzer_name):
|
|
return 1
|
|
|
|
temp_dir = tempfile.mkdtemp()
|
|
|
|
run_args = [
|
|
'-e', 'FUZZING_ENGINE=libfuzzer',
|
|
'-e', 'ASAN_OPTIONS=coverage_dir=/cov',
|
|
'-e', 'MSAN_OPTIONS=coverage_dir=/cov',
|
|
'-e', 'UBSAN_OPTIONS=coverage_dir=/cov',
|
|
'-v', '%s:/out' % _get_output_dir(args.project_name),
|
|
'-v', '%s:/cov' % temp_dir,
|
|
'-w', '/cov',
|
|
'-t', 'gcr.io/oss-fuzz-base/base-runner',
|
|
'run_fuzzer',
|
|
args.fuzzer_name,
|
|
'-dump_coverage=1',
|
|
'-max_total_time=%s' % args.run_time
|
|
] + args.fuzzer_args
|
|
|
|
print('This may take a while (running your fuzzer for %s seconds)...' %
|
|
args.run_time)
|
|
docker_run(run_args, print_output=False)
|
|
|
|
run_args = [
|
|
'-v', '%s:/out' % _get_output_dir(args.project_name),
|
|
'-v', '%s:/cov' % temp_dir,
|
|
'-w', '/cov',
|
|
'-p', '8001:8001',
|
|
'-t', 'gcr.io/oss-fuzz/%s' % args.project_name,
|
|
'coverage_report', '/out/%s' % args.fuzzer_name,
|
|
]
|
|
|
|
docker_run(run_args)
|
|
|
|
|
|
def reproduce(args):
|
|
"""Reproduces a testcase in the container."""
|
|
if not _check_project_exists(args.project_name):
|
|
return 1
|
|
|
|
if not _check_fuzzer_exists(args.project_name, args.fuzzer_name):
|
|
return 1
|
|
|
|
debugger = ''
|
|
env = []
|
|
image_name = 'base-runner'
|
|
|
|
if args.valgrind:
|
|
debugger = 'valgrind --tool=memcheck --track-origins=yes --leak-check=full'
|
|
|
|
if debugger:
|
|
image_name = 'base-runner-debug'
|
|
env += ['DEBUGGER=' + debugger]
|
|
|
|
if args.e:
|
|
env += args.e
|
|
|
|
run_args = _env_to_docker_args(env) + [
|
|
'-v', '%s:/out' % _get_output_dir(args.project_name),
|
|
'-v', '%s:/testcase' % _get_absolute_path(args.testcase_path),
|
|
'-t', 'gcr.io/oss-fuzz-base/%s' % image_name,
|
|
'reproduce',
|
|
args.fuzzer_name,
|
|
'-runs=100',
|
|
] + args.fuzzer_args
|
|
|
|
return docker_run(run_args)
|
|
|
|
|
|
def generate(args):
|
|
"""Generate empty project files."""
|
|
if len(args.project_name) > MAX_PROJECT_NAME_LENGTH:
|
|
print('Project name needs to be less than or equal to %d characters.' %
|
|
MAX_PROJECT_NAME_LENGTH, file=sys.stderr)
|
|
return 1
|
|
|
|
if not VALID_PROJECT_NAME_REGEX.match(args.project_name):
|
|
print('Invalid project name.', file=sys.stderr)
|
|
return 1
|
|
|
|
dir = os.path.join('projects', args.project_name)
|
|
|
|
try:
|
|
os.mkdir(dir)
|
|
except OSError as e:
|
|
if e.errno != errno.EEXIST:
|
|
raise
|
|
print(dir, 'already exists.', file=sys.stderr)
|
|
return 1
|
|
|
|
print('Writing new files to', dir)
|
|
|
|
template_args = {
|
|
'project_name': args.project_name,
|
|
'year': datetime.datetime.now().year
|
|
}
|
|
with open(os.path.join(dir, 'project.yaml'), 'w') as f:
|
|
f.write(templates.PROJECT_YAML_TEMPLATE % template_args)
|
|
|
|
with open(os.path.join(dir, 'Dockerfile'), 'w') as f:
|
|
f.write(templates.DOCKER_TEMPLATE % template_args)
|
|
|
|
build_sh_path = os.path.join(dir, 'build.sh')
|
|
with open(build_sh_path, 'w') as f:
|
|
f.write(templates.BUILD_TEMPLATE % template_args)
|
|
|
|
os.chmod(build_sh_path, 0o755)
|
|
return 0
|
|
|
|
|
|
def shell(args):
|
|
"""Runs a shell within a docker image."""
|
|
if not _build_image(args.project_name):
|
|
return 1
|
|
|
|
env = [
|
|
'FUZZING_ENGINE=' + args.engine,
|
|
'SANITIZER=' + args.sanitizer
|
|
]
|
|
|
|
if args.e:
|
|
env += args.e
|
|
|
|
if _is_base_image(args.project_name):
|
|
image_project = 'oss-fuzz-base'
|
|
out_dir = _get_output_dir()
|
|
else:
|
|
image_project = 'oss-fuzz'
|
|
out_dir = _get_output_dir(args.project_name)
|
|
|
|
run_args = _env_to_docker_args(env) + [
|
|
'-v', '%s:/out' % out_dir,
|
|
'-v', '%s:/work' % _get_work_dir(args.project_name),
|
|
'-t', 'gcr.io/%s/%s' % (image_project, args.project_name),
|
|
'/bin/bash'
|
|
]
|
|
|
|
docker_run(run_args)
|
|
return 0
|
|
|
|
|
|
def pull_images(args):
|
|
"""Pull base images."""
|
|
for base_image in BASE_IMAGES:
|
|
if not docker_pull(base_image):
|
|
return 1
|
|
|
|
return 0
|
|
|
|
|
|
if __name__ == '__main__':
|
|
sys.exit(main())
|