Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fuzzing: Add uri_parser setup #19057

Merged
merged 3 commits into from
Jan 16, 2023
Merged

fuzzing: Add uri_parser setup #19057

merged 3 commits into from
Jan 16, 2023

Conversation

Teufelchen1
Copy link
Contributor

Hello!

Contribution description

This PR is a replacement for PR #18802

In this contribution:

  • The variable AFL_FLAGS is renamed to FLAGS_FOR_AFL because AFL is always complaining that AFL_FLAGS is not a valid env var for it. While this is not a bug nor an issue, I found it to be annoying.
  • A generic input reader is added to simplify building a test harness
  • The usage of this reader is demonstrated by adding a harness for fuzzing the uri_parser

(needs squashing after review)

Testing procedure

Go to fuzzing/uri_parser and run make all-asan and make fuzz to get some action going.
Also mildly interesting: ./dist/tools/compile_test/compile_like_murdock.py -b native -a fuzzing/uri_parser

Issues/PRs references

The original PR #18802 is replaced because the generic input reader is present in both PRs but this PoC harness is much simpler.

@Teufelchen1 Teufelchen1 requested a review from jia200x as a code owner December 15, 2022 14:34
@github-actions github-actions bot added Area: build system Area: Build system Area: doc Area: Documentation Area: sys Area: System Area: tests Area: tests and testing framework labels Dec 15, 2022
@@ -14,6 +14,7 @@ CFLAGS += -ggdb # Make ASAN output more useful error messages
CFLAGS += -D_FORTIFY_SOURCE=2 # Compiler hardening

# Various utilitiy modules
USEMODULE += gnrc_ipv6
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change was done due to gnrc_ipv6 being mandatory (for all harness types) at the moment because sys/fuzzing/ needs refactoring. :)

Copy link
Member

@nmeum nmeum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apart from the minor inline comments I created above this looks good to me 👍

I also prefer this over #18802.

Great work! 🤗

@@ -904,7 +904,7 @@ include $(RIOTMAKE)/tests/tests.inc.mk
.PHONY: fuzz
fuzz:
env FLASHFILE="$(FLASHFILE)" PORT="$(PORT)" TERMFLAGS="$(TERMFLAGS)" \
"$(RIOTBASE)"/dist/tools/fuzzing/afl.sh $(AFL_FLAGS)
"$(RIOTBASE)"/dist/tools/fuzzing/afl.sh $(FLAGS_FOR_AFL)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you elaborate why renaming the environment variable is necessary?

Copy link
Contributor Author

@Teufelchen1 Teufelchen1 Dec 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure!

If you try to compile using AFL++ (instead of the old AFL) you will encounter this warning:

[!] WARNING: Mistyped AFL environment variable: AFL_FLAGS=
"make" -C RIOT/core/lib
Did you mean AFL_AS?
Did you mean AFL_CC?

This was introduced in Version ++3.10c of AFL++:
printing suggestions for mistyped AFL_ env variables
Check the changelog of AFL++ here.

I am aware that RIOTs fuzzing documentation states to use the old AFL 2.52b - where this warning isn't present. However, AFL is no longer maintained. Tho, we should move on towards AFL++. So far all my fuzzing with AFL++ is without issues and the backwards compatibility is nice. This warning being the only issue.

Edit:
Just realised: This can be turned of by setting AFL_IGNORE_UNKNOWN_ENVS.
I believe changing our name is the better approach as this way we still get hints if we do have typo in some of the AFL envs.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moving to AFL++ is definitely a good idea! Maybe it also makes sense to update the documentation in this regard. However, I also wouldn't mind doing that in a separate merge request.


uri_parser_process(&uri_res, input_buf, input_len);

exit(EXIT_SUCCESS);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the uri_parser you might also be able to just use NATIVE_AUTO_EXIT but explicitly calling exit is of cause also fine.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would one prefer one over the other?

Comment on lines 93 to 112
uint8_t *
fuzzing_read_bytes(int fd, size_t *size)
{
uint8_t *buffer = NULL;
ssize_t r;
size_t csiz, rsiz;

csiz = 0;
rsiz = FUZZING_BSIZE;
if ((buffer = realloc(buffer, rsiz)) == NULL) {
return NULL;
}

while ((r = read(fd, &(buffer[csiz]), rsiz)) > 0) {
assert((size_t)r <= rsiz);

csiz += r;
rsiz -= r;

if (rsiz == 0) {
if ((buffer = realloc(buffer, csiz + FUZZING_BSTEP)) == NULL) {
return NULL;
}
rsiz += FUZZING_BSTEP;
}
}
if (r == -1) {
return NULL;
}

/* shrink packet to actual size */
if ((buffer = realloc(buffer, csiz)) == NULL) {
return NULL;
}

*size = csiz;
return buffer;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be worthwhile to refactor fuzzing_read_packet using this new function so we don't need to maintain two functions which read all input from stdin in the fuzzing module.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated the PR accordingly. Please review the change :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think in an ideal word fuzzing_read_bytes would write directly to the pktbuf instead of requiring the memcpy but since this is execute on native only anyhow I believe this to be good enough 👍

Copy link
Member

@nmeum nmeum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 🎉

Copy link
Contributor

@benpicco benpicco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nmeum are you sure you don't want to have maintainer capabilities? 😉

proxy-ACK

@benpicco benpicco added the CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR label Jan 15, 2023
@riot-ci
Copy link

riot-ci commented Jan 15, 2023

Murdock results

✔️ PASSED

82f44c5 fuzzing: Add uri_parser fuzzer setup

Success Failures Total Runtime
6782 0 6782 14m:03s

Artifacts

@benpicco
Copy link
Contributor

bors merge

@bors
Copy link
Contributor

bors bot commented Jan 16, 2023

Build succeeded:

@bors bors bot merged commit 6fb340d into RIOT-OS:master Jan 16, 2023
@jia200x jia200x added this to the Release 2023.04 milestone Apr 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area: build system Area: Build system Area: doc Area: Documentation Area: sys Area: System Area: tests Area: tests and testing framework CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants