mirror of https://github.com/google/oss-fuzz.git
406 lines
12 KiB
Python
Executable File
406 lines
12 KiB
Python
Executable File
#!/usr/bin/env python
|
|
# Copyright 2016 Google Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
################################################################################
|
|
|
|
from __future__ import print_function
|
|
import argparse
|
|
import errno
|
|
import os
|
|
import pipes
|
|
import re
|
|
import shutil
|
|
import string
|
|
import subprocess
|
|
import sys
|
|
import tempfile
|
|
import templates
|
|
import time
|
|
|
|
OSSFUZZ_DIR = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
|
|
BUILD_DIR = os.path.join(OSSFUZZ_DIR, 'build')
|
|
|
|
GLOBAL_ARGS = None
|
|
|
|
def main():
|
|
os.chdir(OSSFUZZ_DIR)
|
|
if not os.path.exists(BUILD_DIR):
|
|
os.mkdir(BUILD_DIR)
|
|
|
|
parser = argparse.ArgumentParser('helper.py', description='oss-fuzz helpers')
|
|
parser.add_argument(
|
|
'--nopull', default=False, action='store_const', const=True,
|
|
help='do not specify --pull while building an image')
|
|
parser.add_argument(
|
|
'command',
|
|
help='One of: generate, build_image, build_fuzzers, run_fuzzer, coverage, reproduce, shell',
|
|
nargs=argparse.REMAINDER)
|
|
global GLOBAL_ARGS
|
|
GLOBAL_ARGS = args = parser.parse_args()
|
|
|
|
if not args.command:
|
|
parser.print_help()
|
|
return 1
|
|
|
|
if args.command[0] == 'generate':
|
|
return generate(args.command[1:])
|
|
elif args.command[0] == 'build_image':
|
|
return build_image(args.command[1:])
|
|
elif args.command[0] == 'build_fuzzers':
|
|
return build_fuzzers(args.command[1:])
|
|
elif args.command[0] == 'run_fuzzer':
|
|
return run_fuzzer(args.command[1:])
|
|
elif args.command[0] == 'coverage':
|
|
return coverage(args.command[1:])
|
|
elif args.command[0] == 'reproduce':
|
|
return reproduce(args.command[1:])
|
|
elif args.command[0] == 'shell':
|
|
return shell(args.command[1:])
|
|
else:
|
|
print('Unrecognised command!', file=sys.stderr)
|
|
return 1
|
|
|
|
return 0
|
|
|
|
|
|
def _is_base_image(image_name):
|
|
"""Checks if the image name is a base image."""
|
|
return os.path.exists(os.path.join('infra', 'base-images', image_name))
|
|
|
|
|
|
def _check_project_exists(project_name):
|
|
"""Checks if a project exists."""
|
|
if not os.path.exists(os.path.join(OSSFUZZ_DIR, 'projects', project_name)):
|
|
print(project_name, 'does not exist', file=sys.stderr)
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
def _check_fuzzer_exists(project_name, fuzzer_name):
|
|
"""Checks if a fuzzer exists."""
|
|
command = ['docker', 'run', '--rm']
|
|
command.extend(['-v', '%s:/out' % os.path.join(BUILD_DIR, 'out', project_name)])
|
|
command.append('ubuntu:16.04')
|
|
|
|
command.extend(['/bin/bash', '-c', 'test -f /out/%s' % fuzzer_name])
|
|
|
|
try:
|
|
subprocess.check_call(command)
|
|
except subprocess.CalledProcessError:
|
|
print(fuzzer_name,
|
|
'does not seem to exist. Please run build_fuzzers first.',
|
|
file=sys.stderr)
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
def _get_absolute_path(path):
|
|
"""Returns absolute path with user expansion."""
|
|
return os.path.abspath(os.path.expanduser(path))
|
|
|
|
|
|
def _get_command_string(command):
|
|
"""Returns a shell escaped command string."""
|
|
return ' '.join(pipes.quote(part) for part in command)
|
|
|
|
|
|
def _add_engine_args(parser):
|
|
"""Add common engine args."""
|
|
parser.add_argument('--engine', default='libfuzzer',
|
|
choices=['libfuzzer', 'afl'])
|
|
|
|
|
|
def _add_sanitizer_args(parser):
|
|
"""Add common sanitizer args."""
|
|
parser.add_argument('--sanitizer', default='address',
|
|
choices=['address', 'memory', 'undefined'])
|
|
|
|
|
|
def _build_image(image_name):
|
|
"""Build image."""
|
|
|
|
if _is_base_image(image_name):
|
|
dockerfile_dir = os.path.join('infra', 'base-images', image_name)
|
|
else:
|
|
if not _check_project_exists(image_name):
|
|
return False
|
|
|
|
dockerfile_dir = os.path.join('projects', image_name)
|
|
|
|
|
|
build_args = []
|
|
if not GLOBAL_ARGS.nopull:
|
|
build_args += ['--pull']
|
|
build_args += ['-t', 'ossfuzz/%s' % image_name, dockerfile_dir ]
|
|
|
|
command = [ 'docker', 'build' ] + build_args
|
|
print('Running:', _get_command_string(command))
|
|
|
|
try:
|
|
subprocess.check_call(command)
|
|
except subprocess.CalledProcessError:
|
|
print('docker build failed.', file=sys.stderr)
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
def build_image(build_args):
|
|
"""Build docker image."""
|
|
parser = argparse.ArgumentParser('helper.py build_image')
|
|
parser.add_argument('project_name')
|
|
args = parser.parse_args(build_args)
|
|
|
|
if _build_image(args.project_name):
|
|
return 0
|
|
|
|
return 1
|
|
|
|
|
|
def build_fuzzers(build_args):
|
|
"""Build fuzzers."""
|
|
parser = argparse.ArgumentParser('helper.py build_fuzzers')
|
|
_add_engine_args(parser)
|
|
_add_sanitizer_args(parser)
|
|
parser.add_argument('-e', action='append', help="set environment variable e.g. VAR=value")
|
|
parser.add_argument('project_name')
|
|
parser.add_argument('source_path', help='path of local source',
|
|
nargs='?')
|
|
args = parser.parse_args(build_args)
|
|
project_name = args.project_name
|
|
|
|
if not _build_image(args.project_name):
|
|
return 1
|
|
|
|
env = [
|
|
'BUILD_UID=%d' % os.getuid(),
|
|
'FUZZING_ENGINE=' + args.engine,
|
|
'SANITIZER=' + args.sanitizer
|
|
]
|
|
|
|
if args.e:
|
|
env += args.e
|
|
|
|
command = (
|
|
['docker', 'run', '--rm', '-i', '--cap-add', 'SYS_PTRACE'] +
|
|
sum([['-e', v] for v in env], [])
|
|
)
|
|
if args.source_path:
|
|
command += [
|
|
'-v',
|
|
'%s:/src/%s' % (_get_absolute_path(args.source_path), args.project_name)
|
|
]
|
|
command += [
|
|
'-v', '%s:/out' % os.path.join(BUILD_DIR, 'out', project_name),
|
|
'-v', '%s:/work' % os.path.join(BUILD_DIR, 'work', project_name),
|
|
'-t', 'ossfuzz/%s' % project_name
|
|
]
|
|
|
|
print('Running:', _get_command_string(command))
|
|
|
|
try:
|
|
subprocess.check_call(command)
|
|
except subprocess.CalledProcessError:
|
|
print('fuzzers build failed.', file=sys.stderr)
|
|
return 1
|
|
|
|
return 0
|
|
|
|
|
|
def run_fuzzer(run_args):
|
|
"""Runs a fuzzer in the container."""
|
|
parser = argparse.ArgumentParser('helper.py run_fuzzer')
|
|
_add_engine_args(parser)
|
|
|
|
parser.add_argument('project_name', help='name of the project')
|
|
parser.add_argument('fuzzer_name', help='name of the fuzzer')
|
|
parser.add_argument('fuzzer_args', help='arguments to pass to the fuzzer',
|
|
nargs=argparse.REMAINDER)
|
|
args = parser.parse_args(run_args)
|
|
|
|
if not _check_project_exists(args.project_name):
|
|
return 1
|
|
|
|
if not _check_fuzzer_exists(args.project_name, args.fuzzer_name):
|
|
return 1
|
|
|
|
if not _build_image('base-runner'):
|
|
return 1
|
|
|
|
env = ['FUZZING_ENGINE=' + args.engine]
|
|
|
|
command = [
|
|
'docker', 'run', '--rm', '-i', '--cap-add', 'SYS_PTRACE',
|
|
] + sum([['-e', v] for v in env], []) + [
|
|
'-v', '%s:/out' % os.path.join(BUILD_DIR, 'out', args.project_name),
|
|
'-t', 'ossfuzz/base-runner',
|
|
'run_fuzzer',
|
|
args.fuzzer_name,
|
|
] + args.fuzzer_args
|
|
|
|
print('Running:', _get_command_string(command))
|
|
pipe = subprocess.Popen(command)
|
|
pipe.communicate()
|
|
|
|
|
|
def coverage(run_args):
|
|
"""Runs a fuzzer in the container."""
|
|
parser = argparse.ArgumentParser('helper.py coverage')
|
|
parser.add_argument('--run_time', default=60,
|
|
help='time in seconds to run fuzzer')
|
|
parser.add_argument('project_name', help='name of the project')
|
|
parser.add_argument('fuzzer_name', help='name of the fuzzer')
|
|
parser.add_argument('fuzzer_args', help='arguments to pass to the fuzzer',
|
|
nargs=argparse.REMAINDER)
|
|
args = parser.parse_args(run_args)
|
|
|
|
if not _check_project_exists(args.project_name):
|
|
return 1
|
|
|
|
if not _check_fuzzer_exists(args.project_name, args.fuzzer_name):
|
|
return 1
|
|
|
|
if not _build_image('base-runner'):
|
|
return 1
|
|
|
|
temp_dir = tempfile.mkdtemp()
|
|
|
|
command = [
|
|
'docker', 'run', '--rm', '-i', '--cap-add', 'SYS_PTRACE',
|
|
'-v', '%s:/out' % os.path.join(BUILD_DIR, 'out', args.project_name),
|
|
'-v', '%s:/cov' % temp_dir,
|
|
'-w', '/cov',
|
|
'-t', 'ossfuzz/base-runner',
|
|
'/out/%s' % args.fuzzer_name,
|
|
'-dump_coverage=1',
|
|
'-max_total_time=%s' % args.run_time
|
|
] + args.fuzzer_args
|
|
|
|
print('Running:', _get_command_string(command))
|
|
print('This may take a while (running your fuzzer for %d seconds)...' %
|
|
args.run_time)
|
|
with open(os.devnull, 'w') as f:
|
|
pipe = subprocess.Popen(command, stdout=f, stderr=subprocess.STDOUT)
|
|
pipe.communicate()
|
|
|
|
command = [
|
|
'docker', 'run', '--rm', '-i', '--cap-add', 'SYS_PTRACE',
|
|
'-v', '%s:/out' % os.path.join(BUILD_DIR, 'out', args.project_name),
|
|
'-v', '%s:/cov' % temp_dir,
|
|
'-w', '/cov',
|
|
'-p', '8001:8001',
|
|
'-t', 'ossfuzz/%s' % args.project_name,
|
|
'coverage_report', '/out/%s' % args.fuzzer_name,
|
|
]
|
|
|
|
print('Running:', _get_command_string(command))
|
|
pipe = subprocess.Popen(command)
|
|
pipe.communicate()
|
|
|
|
|
|
def reproduce(run_args):
|
|
"""Reproduces a testcase in the container."""
|
|
parser = argparse.ArgumentParser('helper.py reproduce')
|
|
parser.add_argument('project_name', help='name of the project')
|
|
parser.add_argument('fuzzer_name', help='name of the fuzzer')
|
|
parser.add_argument('testcase_path', help='path of local testcase')
|
|
parser.add_argument('fuzzer_args', help='arguments to pass to the fuzzer',
|
|
nargs=argparse.REMAINDER)
|
|
args = parser.parse_args(run_args)
|
|
|
|
if not _check_project_exists(args.project_name):
|
|
return 1
|
|
|
|
if not _check_fuzzer_exists(args.project_name, args.fuzzer_name):
|
|
return 1
|
|
|
|
if not _build_image('base-runner'):
|
|
return 1
|
|
|
|
command = [
|
|
'docker', 'run', '--rm', '-i', '--cap-add', 'SYS_PTRACE',
|
|
'-v', '%s:/out' % os.path.join(BUILD_DIR, 'out', args.project_name),
|
|
'-v', '%s:/testcase' % _get_absolute_path(args.testcase_path),
|
|
'-t', 'ossfuzz/base-runner',
|
|
'reproduce',
|
|
args.fuzzer_name,
|
|
'-runs=100',
|
|
] + args.fuzzer_args
|
|
|
|
print('Running:', _get_command_string(command))
|
|
pipe = subprocess.Popen(command)
|
|
pipe.communicate()
|
|
|
|
|
|
def generate(generate_args):
|
|
"""Generate empty project files."""
|
|
parser = argparse.ArgumentParser('helper.py generate')
|
|
parser.add_argument('project_name')
|
|
args = parser.parse_args(generate_args)
|
|
dir = os.path.join('projects', args.project_name)
|
|
|
|
try:
|
|
os.mkdir(dir)
|
|
except OSError as e:
|
|
if e.errno != errno.EEXIST:
|
|
raise
|
|
print(dir, 'already exists.', file=sys.stderr)
|
|
return 1
|
|
|
|
print('Writing new files to', dir)
|
|
|
|
template_args = {
|
|
'project_name' : args.project_name
|
|
}
|
|
with open(os.path.join(dir, 'project.yaml'), 'w') as f:
|
|
f.write(templates.PROJECT_YAML_TEMPLATE % template_args)
|
|
|
|
with open(os.path.join(dir, 'Dockerfile'), 'w') as f:
|
|
f.write(templates.DOCKER_TEMPLATE % template_args)
|
|
|
|
build_sh_path = os.path.join(dir, 'build.sh')
|
|
with open(build_sh_path, 'w') as f:
|
|
f.write(templates.BUILD_TEMPLATE % template_args)
|
|
|
|
os.chmod(build_sh_path, 0o755)
|
|
return 0
|
|
|
|
|
|
def shell(shell_args):
|
|
"""Runs a shell within a docker image."""
|
|
parser = argparse.ArgumentParser('helper.py shell')
|
|
parser.add_argument('project_name', help='name of the project')
|
|
args = parser.parse_args(shell_args)
|
|
|
|
if not _build_image(args.project_name):
|
|
return 1
|
|
|
|
command = [
|
|
'docker', 'run', '--rm', '-i', '--cap-add', 'SYS_PTRACE',
|
|
'-v', '%s:/out' % os.path.join(BUILD_DIR, 'out', args.project_name),
|
|
'-v', '%s:/work' % os.path.join(BUILD_DIR, 'work', args.project_name),
|
|
'-t', 'ossfuzz/%s' % args.project_name,
|
|
'/bin/bash'
|
|
]
|
|
print('Running:', _get_command_string(command))
|
|
pipe = subprocess.Popen(command)
|
|
pipe.communicate()
|
|
|
|
|
|
if __name__ == '__main__':
|
|
sys.exit(main())
|