Add support for building fuzzers using american fuzzy lop

Builds fuzzers using http://lcamtuf.coredump.cx/afl/
This commit is contained in:
Mark Haines 2016-05-23 17:32:24 +01:00
parent aacf115468
commit f47aabd094
6 changed files with 227 additions and 3 deletions

View file

@ -4,8 +4,11 @@ BUILD_DIR := build
RELEASE_OPTIMIZE_FLAGS ?= -g -O3 RELEASE_OPTIMIZE_FLAGS ?= -g -O3
DEBUG_OPTIMIZE_FLAGS ?= -g -O0 DEBUG_OPTIMIZE_FLAGS ?= -g -O0
JS_OPTIMIZE_FLAGS ?= -O3 JS_OPTIMIZE_FLAGS ?= -O3
FUZZING_OPTIMIZE_FLAGS ?= -O3
CC = gcc CC = gcc
EMCC = emcc EMCC = emcc
AFL_CC = afl_gcc
AFL_CXX = afl-g++
RELEASE_TARGET := $(BUILD_DIR)/libolm.so RELEASE_TARGET := $(BUILD_DIR)/libolm.so
DEBUG_TARGET := $(BUILD_DIR)/libolm_debug.so DEBUG_TARGET := $(BUILD_DIR)/libolm_debug.so
JS_TARGET := javascript/olm.js JS_TARGET := javascript/olm.js
@ -17,6 +20,10 @@ PUBLIC_HEADERS := include/olm/olm.hh
SOURCES := $(wildcard src/*.cpp) $(wildcard src/*.c) SOURCES := $(wildcard src/*.cpp) $(wildcard src/*.c)
RELEASE_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/release/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES)))) RELEASE_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/release/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES))))
DEBUG_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/debug/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES)))) DEBUG_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/debug/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES))))
FUZZER_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/fuzzers/objects/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES))))
FUZZER_SOURCES := $(wildcard fuzzers/fuzz_*.cpp) $(wildcard fuzzers/fuzz_*.c)
FUZZER_BINARIES := $(patsubst fuzzers/%,$(BUILD_DIR)/fuzzers/%,$(patsubst %.c,%,$(patsubst %.cpp,%,$(FUZZER_SOURCES))))
FUZZER_DEBUG_BINARIES := $(patsubst $(BUILD_DIR)/fuzzers/fuzz_%,$(BUILD_DIR)/fuzzers/debug_%,$(FUZZER_BINARIES))
TEST_SOURCES := $(wildcard tests/test_*.cpp) $(wildcard tests/test_*.c) TEST_SOURCES := $(wildcard tests/test_*.cpp) $(wildcard tests/test_*.c)
TEST_BINARIES := $(patsubst tests/%,$(BUILD_DIR)/tests/%,$(patsubst %.c,%,$(patsubst %.cpp,%,$(TEST_SOURCES)))) TEST_BINARIES := $(patsubst tests/%,$(BUILD_DIR)/tests/%,$(patsubst %.c,%,$(patsubst %.cpp,%,$(TEST_SOURCES))))
JS_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/javascript/%,$(patsubst %.c,%.js.bc,$(patsubst %.cpp,%.js.bc,$(SOURCES)))) JS_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/javascript/%,$(patsubst %.c,%.js.bc,$(patsubst %.cpp,%.js.bc,$(SOURCES))))
@ -37,6 +44,11 @@ EMCC.c = $(EMCC) $(CFLAGS) $(CPPFLAGS) -c
EMCC.cc = $(EMCC) $(CXXFLAGS) $(CPPFLAGS) -c EMCC.cc = $(EMCC) $(CXXFLAGS) $(CPPFLAGS) -c
EMCC_LINK = $(EMCC) $(LDFLAGS) $(EMCCFLAGS) EMCC_LINK = $(EMCC) $(LDFLAGS) $(EMCCFLAGS)
AFL.c = $(AFL_CC) $(CFLAGS) $(CPPFLAGS) -c
AFL.cc = $(AFL_CXX) $(CXXFLAGS) $(CPPFLAGS) -c
AFL_LINK.c = $(AFL_CC) $(LDFLAGS) $(CFLAGS) $(CPPFLAGS)
AFL_LINK.cc = $(AFL_CXX) $(LDFLAGS) $(CXXFLAGS) $(CPPFLAGS)
# generate .d files when compiling # generate .d files when compiling
CPPFLAGS += -MMD CPPFLAGS += -MMD
@ -53,6 +65,13 @@ $(DEBUG_TARGET): LDFLAGS += $(DEBUG_OPTIMIZE_FLAGS)
$(TEST_BINARIES): CPPFLAGS += -Itests/include $(TEST_BINARIES): CPPFLAGS += -Itests/include
$(TEST_BINARIES): LDFLAGS += $(TEST_OPTIMIZE_FLAGS) -L$(BUILD_DIR) $(TEST_BINARIES): LDFLAGS += $(TEST_OPTIMIZE_FLAGS) -L$(BUILD_DIR)
$(FUZZER_OBJECTS): CFLAGS += $(FUZZER_OPTIMIZE_FLAGS)
$(FUZZER_OBJECTS): CXXFLAGS += $(FUZZER_OPTIMIZE_FLAGS)
$(FUZZER_BINARIES): CPPFLAGS += -Ifuzzers/include
$(FUZZER_BINARIES): LDFLAGS += $(FUZZER_OPTIMIZE_FLAGS) -L$(BUILD_DIR)
$(FUZZER_DEBUG_BINARIES): CPPFLAGS += -Ifuzzers/include
$(FUZZER_DEBUG_BINARIES): LDFLAGS += $(DEBUG_OPTIMIZE_FLAGS)
$(JS_OBJECTS): CFLAGS += $(JS_OPTIMIZE_FLAGS) $(JS_OBJECTS): CFLAGS += $(JS_OPTIMIZE_FLAGS)
$(JS_OBJECTS): CXXFLAGS += $(JS_OPTIMIZE_FLAGS) $(JS_OBJECTS): CXXFLAGS += $(JS_OPTIMIZE_FLAGS)
$(JS_TARGET): LDFLAGS += $(JS_OPTIMIZE_FLAGS) $(JS_TARGET): LDFLAGS += $(JS_OPTIMIZE_FLAGS)
@ -65,9 +84,11 @@ lib: $(RELEASE_TARGET)
# Make sure that the build directory exists. # Make sure that the build directory exists.
# We can't check the build directory into git because it is empty. # We can't check the build directory into git because it is empty.
makedirs: makedirs:
mkdir -p $(BUILD_DIR)/release $(BUILD_DIR)/debug $(BUILD_DIR)/javascript $(BUILD_DIR)/tests mkdir -p $(BUILD_DIR)/release $(BUILD_DIR)/debug $(BUILD_DIR)/javascript\
$(BUILD_DIR)/tests $(BUILD_DIR)/fuzzers/objects
.PHONY: makedirs .PHONY: makedirs
$(RELEASE_TARGET): $(RELEASE_OBJECTS) $(RELEASE_TARGET): $(RELEASE_OBJECTS)
$(CXX) $(LDFLAGS) --shared -fPIC \ $(CXX) $(LDFLAGS) --shared -fPIC \
-Wl,--version-script,version_script.ver \ -Wl,--version-script,version_script.ver \
@ -81,7 +102,6 @@ $(DEBUG_TARGET): $(DEBUG_OBJECTS)
-Wl,--version-script,version_script.ver \ -Wl,--version-script,version_script.ver \
$(OUTPUT_OPTION) $(DEBUG_OBJECTS) $(OUTPUT_OPTION) $(DEBUG_OBJECTS)
js: $(JS_TARGET) js: $(JS_TARGET)
.PHONY: js .PHONY: js
@ -98,6 +118,9 @@ clean:;
$(JS_OBJECTS) $(JS_OBJECTS:.bc=.d) $(JS_TARGET) \ $(JS_OBJECTS) $(JS_OBJECTS:.bc=.d) $(JS_TARGET) \
$(JS_EXPORTED_FUNCTIONS)\ $(JS_EXPORTED_FUNCTIONS)\
$(RELEASE_TARGET) $(DEBUG_TARGET)\ $(RELEASE_TARGET) $(DEBUG_TARGET)\
$(FUZZER_OBJECTS) $(FUZZER_OBJECTS:.o=.d)\
$(FUZZER_BINARIES) $(FUZZER_BINARIES:=.d)\
$(FUZZER_DEBUG_BINARIES) $(FUZZER_DEBUG_BINARIES:=.d)\
build_tests: $(TEST_BINARIES) build_tests: $(TEST_BINARIES)
@ -107,6 +130,9 @@ test: build_tests
$$i || exit $$?; \ $$i || exit $$?; \
done done
fuzzers: $(FUZZER_BINARIES) $(FUZZER_DEBUG_BINARIES)
.PHONY: fuzzers
$(JS_EXPORTED_FUNCTIONS): $(PUBLIC_HEADERS) $(JS_EXPORTED_FUNCTIONS): $(PUBLIC_HEADERS)
perl -MJSON -ne '/(olm_[^( ]*)\(/ && push @f, "_$$1"; END { print encode_json \@f }' $^ > $@.tmp perl -MJSON -ne '/(olm_[^( ]*)\(/ && push @f, "_$$1"; END { print encode_json \@f }' $^ > $@.tmp
mv $@.tmp $@ mv $@.tmp $@
@ -139,6 +165,23 @@ $(BUILD_DIR)/tests/%: tests/%.c $(DEBUG_OBJECTS)
$(BUILD_DIR)/tests/%: tests/%.cpp $(DEBUG_OBJECTS) $(BUILD_DIR)/tests/%: tests/%.cpp $(DEBUG_OBJECTS)
$(LINK.cc) $< $(DEBUG_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@ $(LINK.cc) $< $(DEBUG_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
$(BUILD_DIR)/fuzzers/objects/%.o: src/%.c | makedirs
$(AFL.c) $(OUTPUT_OPTION) $<
$(BUILD_DIR)/fuzzers/objects/%.o: src/%.cpp | makedirs
$(AFL.cc) $(OUTPUT_OPTION) $<
$(BUILD_DIR)/fuzzers/fuzz_%: fuzzers/fuzz_%.c $(FUZZER_OBJECTS)
$(AFL_LINK.c) $< $(FUZZER_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
$(BUILD_DIR)/fuzzers/fuzz_%: fuzzers/fuzz_%.cpp $(FUZZER_OBJECTS)
$(AFL_LINK.cc) $< $(FUZZER_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
$(BUILD_DIR)/fuzzers/debug_%: fuzzers/fuzz_%.c $(DEBUG_OBJECTS)
$(LINK.c) $< $(DEBUG_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
$(BUILD_DIR)/fuzzers/debug_%: fuzzers/fuzz_%.cpp $(DEBUG_OBJECTS)
$(LINK.cc) $< $(DEBUG_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
### dependencies ### dependencies
@ -146,3 +189,6 @@ $(BUILD_DIR)/tests/%: tests/%.cpp $(DEBUG_OBJECTS)
-include $(DEBUG_OBJECTS:.o=.d) -include $(DEBUG_OBJECTS:.o=.d)
-include $(JS_OBJECTS:.bc=.d) -include $(JS_OBJECTS:.bc=.d)
-include $(TEST_BINARIES:=.d) -include $(TEST_BINARIES:=.d)
-include $(FUZZER_OBJECTS:.o=.d)
-include $(FUZZER_BINARIES:=.d)
-include $(FUZZER_DEBUG_BINARIES:=.d)

View file

@ -0,0 +1,14 @@
#include "olm/message.hh"
#include "fuzzing.hh"
int main(int argc, const char *argv[]) {
int message_fd = STDIN_FILENO;
uint8_t * message_buffer;
ssize_t message_length = check_errno(
"Error reading message file", read_file(message_fd, &message_buffer)
);
olm::MessageReader * reader = new olm::MessageReader;
decode_message(*reader, message_buffer, message_length, 8);
free(message_buffer);
delete reader;
}

64
fuzzers/fuzz_decrypt.cpp Normal file
View file

@ -0,0 +1,64 @@
#include "olm/olm.hh"
#include "fuzzing.hh"
int main(int argc, const char *argv[]) {
size_t ignored;
if (argc <= 3) {
const char * message = "Usage: decrypt: <session_key> <session_file>"
" <message_type>\n";
ignored = write(STDERR_FILENO, message, strlen(message));
exit(3);
}
const char * key = argv[1];
size_t key_length = strlen(key);
int session_fd = check_errno(
"Error opening session file", open(argv[2], O_RDONLY)
);
int message_type = atoi(argv[3]);
uint8_t *session_buffer;
ssize_t session_length = check_errno(
"Error reading session file", read_file(session_fd, &session_buffer)
);
int message_fd = STDIN_FILENO;
uint8_t * message_buffer;
ssize_t message_length = check_errno(
"Error reading message file", read_file(message_fd, &message_buffer)
);
uint8_t * tmp_buffer = (uint8_t *) malloc(message_length);
memcpy(tmp_buffer, message_buffer, message_length);
uint8_t session_memory[olm_session_size()];
OlmSession * session = olm_session(session_memory);
check_session(session, "Error unpickling session", olm_unpickle_session(
session, key, key_length, session_buffer, session_length
));
size_t max_length = check_session(
session,
"Error getting plaintext length",
olm_decrypt_max_plaintext_length(
session, message_type, tmp_buffer, message_length
)
);
uint8_t plaintext[max_length];
size_t length = check_session(
session, "Error decrypting message", olm_decrypt(
session, message_type,
message_buffer, message_length,
plaintext, max_length
)
);
ignored = write(STDOUT_FILENO, plaintext, length);
ignored = write(STDOUT_FILENO, "\n", 1);
}

View file

@ -0,0 +1,14 @@
#include "olm/account.hh"
#include "fuzzing.hh"
int main(int argc, const char *argv[]) {
int pickle_fd = STDIN_FILENO;
uint8_t * pickle_buffer;
ssize_t pickle_length = check_errno(
"Error reading pickle file", read_file(pickle_fd, &pickle_buffer)
);
olm::Account * account = new olm::Account;
unpickle(pickle_buffer, pickle_buffer + pickle_length, *account);
free(pickle_buffer);
delete account;
}

View file

@ -0,0 +1,14 @@
#include "olm/session.hh"
#include "fuzzing.hh"
int main(int argc, const char *argv[]) {
int pickle_fd = STDIN_FILENO;
uint8_t * pickle_buffer;
ssize_t pickle_length = check_errno(
"Error reading pickle file", read_file(pickle_fd, &pickle_buffer)
);
olm::Session * session = new olm::Session;
unpickle(pickle_buffer, pickle_buffer + pickle_length, *session);
free(pickle_buffer);
delete session;
}

View file

@ -0,0 +1,72 @@
#include "olm/olm.hh"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
ssize_t read_file(
int fd,
uint8_t **buffer
) {
size_t buffer_size = 4096;
uint8_t * current_buffer = (uint8_t *) malloc(buffer_size);
if (current_buffer == NULL) return -1;
size_t buffer_pos = 0;
while (1) {
ssize_t count = read(
fd, current_buffer + buffer_pos, buffer_size - buffer_pos
);
if (count < 0) break;
if (count == 0) {
uint8_t * return_buffer = (uint8_t *) realloc(current_buffer, buffer_pos);
if (return_buffer == NULL) break;
*buffer = return_buffer;
return buffer_pos;
}
buffer_pos += count;
if (buffer_pos == buffer_size) {
buffer_size *= 2;
uint8_t * new_buffer = (uint8_t *) realloc(current_buffer, buffer_size);
if (new_buffer == NULL) break;
current_buffer = new_buffer;
}
}
free(current_buffer);
return -1;
}
template<typename T>
T check_errno(
const char * message,
T value
) {
if (value == T(-1)) {
perror(message);
exit(1);
}
return value;
}
size_t check_session(
OlmSession * session,
const char * message,
size_t value
) {
if (value == olm_error()) {
const char * olm_message = olm_session_last_error(session);
ssize_t ignored;
ignored = write(STDERR_FILENO, message, strlen(message));
ignored = write(STDERR_FILENO, ": ", 2);
ignored = write(STDERR_FILENO, olm_message, strlen(olm_message));
ignored = write(STDERR_FILENO, "\n", 1);
exit(2);
return ignored;
}
return value;
}