fuzzing: Add uri_parser setup #19057
Conversation
@@ -14,6 +14,7 @@ CFLAGS += -ggdb # Make ASAN output more useful error messages | |||
CFLAGS += -D_FORTIFY_SOURCE=2 # Compiler hardening | |||
|
|||
# Various utilitiy modules | |||
USEMODULE += gnrc_ipv6 |
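Review bot: the added `USEMODULE += gnrc_ipv6` line sits under a comment reading "Various utilitiy modules" (typo for "utility"), and nothing in the Makefile says why a URI parser harness pulls in an IPv6 stack. Since the discussion says this is only needed because sys/fuzzing currently requires gnrc_ipv6 for every harness type, a comment stating that (and pointing at the planned sys/fuzzing refactoring) would tell future maintainers when the line can be dropped.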
This change was done due to gnrc_ipv6 being mandatory (for all harness types) at the moment because sys/fuzzing/ needs refactoring. :)
f2335a4 to 61cf1cb
Apart from the minor inline comments I created above this looks good to me 👍
I also prefer this over #18802.
Great work! 🤗
@@ -904,7 +904,7 @@ include $(RIOTMAKE)/tests/tests.inc.mk | |||
.PHONY: fuzz | |||
fuzz: | |||
env FLASHFILE="$(FLASHFILE)" PORT="$(PORT)" TERMFLAGS="$(TERMFLAGS)" \ | |||
"$(RIOTBASE)"/dist/tools/fuzzing/afl.sh $(AFL_FLAGS) | |||
"$(RIOTBASE)"/dist/tools/fuzzing/afl.sh $(FLAGS_FOR_AFL) |
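Review bot: renaming `AFL_FLAGS` to `FLAGS_FOR_AFL` in the `fuzz` target silently drops any flags a user still passes under the old name. Consider a transition line before the target, for instance `FLAGS_FOR_AFL ?= $(AFL_FLAGS)` or a `$(warning ...)` when `AFL_FLAGS` is set, and make sure the documentation update the reviewers mention covers the new variable name.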
Could you elaborate why renaming the environment variable is necessary?
Sure!
If you try to compile using AFL++ (instead of the old AFL) you will encounter this warning:
[!] WARNING: Mistyped AFL environment variable: AFL_FLAGS=
"make" -C RIOT/core/lib
Did you mean AFL_AS?
Did you mean AFL_CC?
This was introduced in Version ++3.10c of AFL++:
printing suggestions for mistyped AFL_ env variables
Check the changelog of AFL++ here.
I am aware that RIOT's fuzzing documentation states to use the old AFL 2.52b, where this warning isn't present. However, AFL is no longer maintained. Though, we should move on towards AFL++. So far all my fuzzing with AFL++ is without issues and the backwards compatibility is nice, this warning being the only issue.
Edit:
Just realised: This can be turned off by setting AFL_IGNORE_UNKNOWN_ENVS.
I believe changing our name is the better approach as this way we still get hints if we do have a typo in some of the AFL envs.
Moving to AFL++ is definitely a good idea! Maybe it also makes sense to update the documentation in this regard. However, I also wouldn't mind doing that in a separate merge request.
    uri_parser_process(&uri_res, input_buf, input_len);

    exit(EXIT_SUCCESS);
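Review bot: the return value of `uri_parser_process` is discarded before `exit(EXIT_SUCCESS)`. For a crash-oriented harness under ASAN that is acceptable, but checking the result lets the harness tell a rejected input from a parsed one, and a follow-up assertion that every parsed field lies inside `input_buf` would also catch out-of-range results that never trigger a sanitizer report.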
For the uri_parser you might also be able to just use NATIVE_AUTO_EXIT, but explicitly calling exit is of course also fine.
Why would one prefer one over the other?
sys/fuzzing/fuzzing.c (outdated)
uint8_t *
fuzzing_read_bytes(int fd, size_t *size)
{
    uint8_t *buffer = NULL;
    ssize_t r;
    size_t csiz, rsiz;

    csiz = 0;
    rsiz = FUZZING_BSIZE;
    if ((buffer = realloc(buffer, rsiz)) == NULL) {
        return NULL;
    }

    while ((r = read(fd, &(buffer[csiz]), rsiz)) > 0) {
        assert((size_t)r <= rsiz);

        csiz += r;
        rsiz -= r;

        if (rsiz == 0) {
            if ((buffer = realloc(buffer, csiz + FUZZING_BSTEP)) == NULL) {
                return NULL;
            }
            rsiz += FUZZING_BSTEP;
        }
    }
    if (r == -1) {
        return NULL;
    }

    /* shrink packet to actual size */
    if ((buffer = realloc(buffer, csiz)) == NULL) {
        return NULL;
    }

    *size = csiz;
    return buffer;
}
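Review bot: every `realloc` in `fuzzing_read_bytes` assigns its result straight back to `buffer`, so on a failed grow or shrink, and on the `r == -1` path, the only pointer to the existing block is overwritten or abandoned and the partially read input leaks. Use a temporary (`uint8_t *tmp = realloc(buffer, ...)`, then `free(buffer)` when `tmp` is NULL). Separately, the final shrink calls `realloc(buffer, 0)` when the input was empty; that is implementation-defined, and glibc frees the block and returns NULL, so an empty stdin is reported as a read error rather than a zero-length buffer. Skip the shrink when `csiz == 0`, and a failed shrink need not return NULL at all since the larger block is still valid.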
It might be worthwhile to refactor fuzzing_read_packet using this new function so we don't need to maintain two functions which read all input from stdin in the fuzzing module.
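The "one reader for all input" idea above, written out as an added example that is not RIOT's sys/fuzzing code: a read-to-EOF helper with the error handling a fuzzing harness needs (no leaked block when `realloc` fails, no `realloc(p, 0)` for empty input, `EINTR` retried), plus a round-trip check through a temporary file so the growth path can be exercised offline. The names `read_all_bytes`, `FUZZ_BSIZE` and `FUZZ_BSTEP`, the block sizes, and the test data are all assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <assert.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed sizes; small on purpose so the growth path runs in the test. */
#define FUZZ_BSIZE 64   /* initial allocation */
#define FUZZ_BSTEP 64   /* growth step */

/* Read fd until EOF. On success returns a heap buffer holding *size bytes
 * (never NULL, even for empty input); on error returns NULL with errno set,
 * and nothing allocated here is leaked. */
uint8_t *read_all_bytes(int fd, size_t *size)
{
    size_t cap = FUZZ_BSIZE, len = 0;
    uint8_t *buf = malloc(cap);
    if (buf == NULL) {
        return NULL;
    }
    for (;;) {
        if (len == cap) {
            /* grow through a temporary so buf can still be freed on failure */
            uint8_t *tmp = realloc(buf, cap + FUZZ_BSTEP);
            if (tmp == NULL) {
                free(buf);
                return NULL;
            }
            buf = tmp;
            cap += FUZZ_BSTEP;
        }
        ssize_t r = read(fd, buf + len, cap - len);
        if (r == 0) {
            break;              /* EOF */
        }
        if (r < 0) {
            if (errno == EINTR) {
                continue;       /* interrupted by a signal, just retry */
            }
            free(buf);
            return NULL;
        }
        len += (size_t)r;
    }
    /* shrink to fit; realloc(p, 0) is implementation-defined, so never call it */
    if (len > 0) {
        uint8_t *tmp = realloc(buf, len);
        if (tmp != NULL) {
            buf = tmp;          /* a failed shrink is harmless: keep the larger block */
        }
    }
    *size = len;
    return buf;
}

/* Test helper: push constructed bytes through a temporary file and read them
 * back with read_all_bytes; returns 1 when the round trip reproduced the input. */
int roundtrip_ok(const uint8_t *data, size_t n)
{
    FILE *f = tmpfile();
    if (f == NULL) {
        return 0;
    }
    if (n > 0 && fwrite(data, 1, n, f) != n) {
        fclose(f);
        return 0;
    }
    rewind(f);                  /* flushes the write buffer and seeks to offset 0 */
    size_t got = (size_t)-1;
    uint8_t *buf = read_all_bytes(fileno(f), &got);
    fclose(f);
    int ok = buf != NULL && got == n && (n == 0 || memcmp(buf, data, n) == 0);
    free(buf);
    return ok;
}

/* Constructed 200-byte input: crosses the 64-byte initial block twice. */
int roundtrip_large_ok(void)
{
    uint8_t data[200];
    for (size_t i = 0; i < sizeof data; i++) {
        data[i] = (uint8_t)(i * 7);
    }
    return roundtrip_ok(data, sizeof data);
}

/* Stand-alone use: read the whole of stdin, as a harness would. */
int main(void)
{
    size_t n;
    uint8_t *in = read_all_bytes(STDIN_FILENO, &n);
    if (in == NULL) {
        perror("read_all_bytes");
        return EXIT_FAILURE;
    }
    printf("read %zu bytes\n", n);
    free(in);
    return EXIT_SUCCESS;
}
```

A harness built on this helper hands `in`/`n` to the parser under test and frees the buffer afterwards; because the empty-input case returns a real allocation, the parser's zero-length path gets fuzzed too instead of being mistaken for a read error.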
I updated the PR accordingly. Please review the change :)
I think in an ideal world fuzzing_read_bytes would write directly to the pktbuf instead of requiring the memcpy, but since this is executed on native only anyhow I believe this to be good enough 👍
61cf1cb to 82f44c5
LGTM! 🎉
@nmeum are you sure you don't want to have maintainer capabilities? 😉
proxy-ACK
bors merge
Build succeeded:
Hello!
Contribution description
This PR is a replacement for PR #18802
In this contribution: AFL_FLAGS is renamed to FLAGS_FOR_AFL because AFL is always complaining that AFL_FLAGS is not a valid env var for it. While this is not a bug nor an issue, I found it to be annoying. (needs squashing after review)
Testing procedure
Go to fuzzing/uri_parser and run make all-asan and make fuzz to get some action going. Also mildly interesting:
./dist/tools/compile_test/compile_like_murdock.py -b native -a fuzzing/uri_parser
Issues/PRs references
The original PR #18802 is replaced because the generic input reader is present in both PRs but this PoC harness is much simpler.