oss-fuzz/infra/base-images/base-runner/bad_build_check

247 lines
8.6 KiB
Bash
Executable File

#!/bin/bash -u
# Copyright 2017 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################
# A minimal number of runs to test fuzz target with a non-empty input.
MIN_NUMBER_OF_RUNS=4
# The "example" target has 73 with ASan, 65 with UBSan, and 6648 with MSan.
# Real world targets have greater values (arduinojson: 407, zlib: 664).
# Mercurial's bdiff_fuzzer has 116 PCs when built with ASan.
THRESHOLD_FOR_NUMBER_OF_EDGES=100
# Threshold values for different sanitizers used by instrumentation checks.
ASAN_CALLS_THRESHOLD_FOR_ASAN_BUILD=1000
ASAN_CALLS_THRESHOLD_FOR_NON_ASAN_BUILD=0
MSAN_CALLS_THRESHOLD_FOR_MSAN_BUILD=1000
MSAN_CALLS_THRESHOLD_FOR_NON_MSAN_BUILD=0
# Usually, a non UBSan build (e.g. ASan) has 165 calls to UBSan runtime. The
# majority of targets built with UBSan have 200+ UBSan calls, but there are
# some very small targets that may have < 200 UBSan calls even in a UBSan build.
# Use the threshold value of 170 (slightly > 165) for UBSan build.
UBSAN_CALLS_THRESHOLD_FOR_UBSAN_BUILD=170
# It would be risky to use the threshold value close to 165 for non UBSan build,
# as UBSan runtime may change any time and thus we could have different number
# of calls to UBSan runtime even in ASan build. With that, we use the threshold
# value of 200 that would detect unnecessary UBSan instrumentation in the vast
# majority of targets, except of a handful very small ones, which would not be
# a big concern either way as the overhead for them would not be significant.
UBSAN_CALLS_THRESHOLD_FOR_NON_UBSAN_BUILD=200
# Verify that the given fuzz target has proper coverage instrumentation.
function check_instrumentation {
local FUZZER=$1
local FUZZER_NAME=$(basename $FUZZER)
local FUZZER_OUTPUT="/tmp/$FUZZER_NAME.output"
local CHECK_FAILED=0
if [[ "$FUZZING_ENGINE" == libfuzzer ]]; then
# Store fuzz target's output into a temp file to be used for further checks.
$FUZZER -runs=$MIN_NUMBER_OF_RUNS &>$FUZZER_OUTPUT
CHECK_FAILED=$(egrep "ERROR: no interesting inputs were found. Is the code instrumented" -c $FUZZER_OUTPUT)
if (( $CHECK_FAILED > 0 )); then
echo "BAD BUILD: $FUZZER does not seem to have coverage instrumentation."
# Bail out as the further check does not make any sense, there are 0 PCs.
return
fi
local NUMBER_OF_EDGES=$(grep -Po "INFO: Loaded [[:digit:]]+ module.*\(.*(counters|guards)\):[[:space:]]+\K[[:digit:]]+" $FUZZER_OUTPUT)
# If a fuzz target fails to start, grep won't find anything, so bail out early to let check_startup_crash deal with it.
[[ -z "$NUMBER_OF_EDGES" ]] && return
if (( $NUMBER_OF_EDGES < $THRESHOLD_FOR_NUMBER_OF_EDGES )); then
echo "BAD BUILD: $FUZZER seems to have only partial coverage instrumentation."
fi
elif [[ "$FUZZING_ENGINE" == afl ]]; then
AFL_NO_UI=1 SKIP_SEED_CORPUS=1 timeout --preserve-status -s INT 20s run_fuzzer $FUZZER_NAME &>$FUZZER_OUTPUT
CHECK_FAILED=$(egrep "No instrumentation detected" -c $FUZZER_OUTPUT)
if (( $CHECK_FAILED > 0 )); then
echo "BAD BUILD: $FUZZER does not seem to have coverage instrumentation."
fi
return
else
# TODO: add checks for other fuzzing engines if possible.
return
fi
}
# Verify that the given fuzz target has been built properly and works.
function check_startup_crash {
local FUZZER=$1
local FUZZER_NAME=$(basename $FUZZER)
local FUZZER_OUTPUT="/tmp/$FUZZER_NAME.output"
local CHECK_PASSED=0
if [[ "$FUZZING_ENGINE" = libfuzzer ]]; then
$FUZZER -runs=$MIN_NUMBER_OF_RUNS &>$FUZZER_OUTPUT
CHECK_PASSED=$(egrep "Done $MIN_NUMBER_OF_RUNS runs" -c $FUZZER_OUTPUT)
elif [[ "$FUZZING_ENGINE" = afl ]]; then
AFL_NO_UI=1 SKIP_SEED_CORPUS=1 timeout --preserve-status -s INT 20s run_fuzzer $FUZZER_NAME &>$FUZZER_OUTPUT
if [ $(egrep "target binary (crashed|terminated)" -c $FUZZER_OUTPUT) -eq 0 ]; then
CHECK_PASSED=1
fi
else
# TODO: add checks for another fuzzing engines if possible.
CHECK_PASSED=1
fi
if [ "$CHECK_PASSED" -eq "0" ]; then
echo "BAD BUILD: $FUZZER seems to have either startup crash or exit:"
cat $FUZZER_OUTPUT
fi
}
# Mixed sanitizers check for ASan build.
function check_asan_build {
local FUZZER=$1
local ASAN_CALLS=$2
local MSAN_CALLS=$3
local UBSAN_CALLS=$4
# Perform all the checks for more detailed error message.
if (( $ASAN_CALLS < $ASAN_CALLS_THRESHOLD_FOR_ASAN_BUILD )); then
echo "BAD BUILD: $FUZZER does not seem to be compiled with ASan."
fi
if (( $MSAN_CALLS > $MSAN_CALLS_THRESHOLD_FOR_NON_MSAN_BUILD )); then
echo "BAD BUILD: ASan build of $FUZZER seems to be compiled with MSan."
fi
if (( $UBSAN_CALLS > $UBSAN_CALLS_THRESHOLD_FOR_NON_UBSAN_BUILD )); then
echo "BAD BUILD: ASan build of $FUZZER seems to be compiled with UBSan."
fi
}
# Mixed sanitizers check for MSan build.
function check_msan_build {
local FUZZER=$1
local ASAN_CALLS=$2
local MSAN_CALLS=$3
local UBSAN_CALLS=$4
# Perform all the checks for more detailed error message.
if (( $ASAN_CALLS > $ASAN_CALLS_THRESHOLD_FOR_NON_ASAN_BUILD )); then
echo "BAD BUILD: MSan build of $FUZZER seems to be compiled with ASan."
fi
if (( $MSAN_CALLS < $MSAN_CALLS_THRESHOLD_FOR_MSAN_BUILD )); then
echo "BAD BUILD: $FUZZER does not seem to be compiled with MSan."
fi
if (( $UBSAN_CALLS > $UBSAN_CALLS_THRESHOLD_FOR_NON_UBSAN_BUILD )); then
echo "BAD BUILD: MSan build of $FUZZER seems to be compiled with UBSan."
fi
}
# Mixed sanitizers check for UBSan build.
function check_ubsan_build {
local FUZZER=$1
local ASAN_CALLS=$2
local MSAN_CALLS=$3
local UBSAN_CALLS=$4
if [[ "$FUZZING_ENGINE" != libfuzzer ]]; then
# Ignore UBSan checks for fuzzing engines other than libFuzzer because:
# A) we (probably) are not going to use those with UBSan
# B) such builds show indistinguishable number of calls to UBSan
return
fi
# Perform all the checks for more detailed error message.
if (( $ASAN_CALLS > $ASAN_CALLS_THRESHOLD_FOR_NON_ASAN_BUILD )); then
echo "BAD BUILD: UBSan build of $FUZZER seems to be compiled with ASan."
fi
if (( $MSAN_CALLS > $MSAN_CALLS_THRESHOLD_FOR_NON_MSAN_BUILD )); then
echo "BAD BUILD: UBSan build of $FUZZER seems to be compiled with MSan."
fi
if (( $UBSAN_CALLS < $UBSAN_CALLS_THRESHOLD_FOR_UBSAN_BUILD )); then
echo "BAD BUILD: $FUZZER does not seem to be compiled with UBSan."
fi
}
# Verify that the given fuzz target is compiled with correct sanitizer.
function check_mixed_sanitizers {
local FUZZER=$1
local ASAN_CALLS=$(objdump -dC $FUZZER | egrep "callq\s+[0-9a-f]+\s+<__asan" -c)
local MSAN_CALLS=$(objdump -dC $FUZZER | egrep "callq\s+[0-9a-f]+\s+<__msan" -c)
local UBSAN_CALLS=$(objdump -dC $FUZZER | egrep "callq\s+[0-9a-f]+\s+<__ubsan" -c)
if [[ "$SANITIZER" = address ]]; then
check_asan_build $FUZZER $ASAN_CALLS $MSAN_CALLS $UBSAN_CALLS
elif [[ "$SANITIZER" = memory ]]; then
check_msan_build $FUZZER $ASAN_CALLS $MSAN_CALLS $UBSAN_CALLS
elif [[ "$SANITIZER" = undefined ]]; then
check_ubsan_build $FUZZER $ASAN_CALLS $MSAN_CALLS $UBSAN_CALLS
fi
}
# Verify that the given fuzz target doesn't crash on the seed corpus.
function check_seed_corpus {
local FUZZER=$1
local FUZZER_NAME="$(basename $FUZZER)"
local FUZZER_OUTPUT="/tmp/$FUZZER_NAME.output"
if [[ "$FUZZING_ENGINE" != libfuzzer ]]; then
return
fi
# Set up common fuzzing arguments, otherwise "run_fuzzer" errors out.
if [ -z "$FUZZER_ARGS" ]; then
export FUZZER_ARGS="-rss_limit_mb=2048 -timeout=25"
fi
bash -c "run_fuzzer $FUZZER_NAME -runs=0" &> $FUZZER_OUTPUT
# Don't output anything if fuzz target hasn't crashed.
if [ $? -ne 0 ]; then
echo "BAD BUILD: $FUZZER has a crashing input in its seed corpus:"
cat $FUZZER_OUTPUT
fi
}
function main {
local FUZZER=$1
check_instrumentation $FUZZER
check_mixed_sanitizers $FUZZER
check_startup_crash $FUZZER
# TODO: re-enable after introducing bug auto-filing for bad builds.
# check_seed_corpus $FUZZER
}
if [ $# -ne 1 ]; then
echo "Usage: $0 <fuzz_target_binary>"
exit 1
fi
# Fuzz target path.
FUZZER=$1
main $FUZZER