From a9a730fd742fb775afea2f091ad5d55a73e68edf Mon Sep 17 00:00:00 2001 
From: Benoit Blanchon Date: Thu, 7 Jun 2018 10:36:57 +0200 Subject: [PATCH] Added MessagePack fuzzing --- fuzzing/Makefile | 11 ++++--- fuzzing/fuzzer.cpp | 27 ---------------- fuzzing/{my_corpus => json_corpus}/.gitignore | 0 fuzzing/json_fuzzer.cpp | 11 +++++++ .../Comments.json | 0 .../EmptyArray.json | 0 .../EmptyObject.json | 0 .../ExcessiveNesting.json | 0 .../Numbers.json | 0 .../OpenWeatherMap.json | 0 .../Strings.json | 0 .../WeatherUnderground.json | 0 fuzzing/msgpack_corpus/.gitignore | 2 ++ fuzzing/msgpack_fuzzer.cpp | 11 +++++++ fuzzing/msgpack_seed_corpus/array16 | Bin 0 -> 15 bytes fuzzing/msgpack_seed_corpus/array32 | Bin 0 -> 15 bytes fuzzing/msgpack_seed_corpus/false | 1 + fuzzing/msgpack_seed_corpus/fixarray | 1 + fuzzing/msgpack_seed_corpus/fixint_negative | 1 + fuzzing/msgpack_seed_corpus/fixint_positive | 1 + fuzzing/msgpack_seed_corpus/fixmap | 1 + fuzzing/msgpack_seed_corpus/fixstr | 1 + fuzzing/msgpack_seed_corpus/float32 | 1 + fuzzing/msgpack_seed_corpus/float64 | 1 + fuzzing/msgpack_seed_corpus/int16 | 1 + fuzzing/msgpack_seed_corpus/int32 | 1 + fuzzing/msgpack_seed_corpus/int64 | 1 + fuzzing/msgpack_seed_corpus/int8 | 1 + fuzzing/msgpack_seed_corpus/map16 | Bin 0 -> 19 bytes fuzzing/msgpack_seed_corpus/map32 | Bin 0 -> 23 bytes fuzzing/msgpack_seed_corpus/nil | 1 + fuzzing/msgpack_seed_corpus/str16 | Bin 0 -> 8 bytes fuzzing/msgpack_seed_corpus/str32 | Bin 0 -> 10 bytes fuzzing/msgpack_seed_corpus/str8 | 1 + fuzzing/msgpack_seed_corpus/true | 1 + fuzzing/msgpack_seed_corpus/uint16 | 1 + fuzzing/msgpack_seed_corpus/uint32 | 1 + fuzzing/msgpack_seed_corpus/uint64 | 1 + fuzzing/msgpack_seed_corpus/uint8 | 1 + scripts/oss-fuzz/Vagrantfile | 11 ++++--- scripts/travis/fuzz.sh | 30 +++++++++++------- 41 files changed, 74 insertions(+), 48 deletions(-) delete mode 100644 fuzzing/fuzzer.cpp rename fuzzing/{my_corpus => json_corpus}/.gitignore (100%) create mode 100644 fuzzing/json_fuzzer.cpp rename fuzzing/{seed_corpus => 
json_seed_corpus}/Comments.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/EmptyArray.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/EmptyObject.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/ExcessiveNesting.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/Numbers.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/OpenWeatherMap.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/Strings.json (100%) rename fuzzing/{seed_corpus => json_seed_corpus}/WeatherUnderground.json (100%) create mode 100644 fuzzing/msgpack_corpus/.gitignore create mode 100644 fuzzing/msgpack_fuzzer.cpp create mode 100644 fuzzing/msgpack_seed_corpus/array16 create mode 100644 fuzzing/msgpack_seed_corpus/array32 create mode 100644 fuzzing/msgpack_seed_corpus/false create mode 100644 fuzzing/msgpack_seed_corpus/fixarray create mode 100644 fuzzing/msgpack_seed_corpus/fixint_negative create mode 100644 fuzzing/msgpack_seed_corpus/fixint_positive create mode 100644 fuzzing/msgpack_seed_corpus/fixmap create mode 100644 fuzzing/msgpack_seed_corpus/fixstr create mode 100644 fuzzing/msgpack_seed_corpus/float32 create mode 100644 fuzzing/msgpack_seed_corpus/float64 create mode 100644 fuzzing/msgpack_seed_corpus/int16 create mode 100644 fuzzing/msgpack_seed_corpus/int32 create mode 100644 fuzzing/msgpack_seed_corpus/int64 create mode 100644 fuzzing/msgpack_seed_corpus/int8 create mode 100644 fuzzing/msgpack_seed_corpus/map16 create mode 100644 fuzzing/msgpack_seed_corpus/map32 create mode 100644 fuzzing/msgpack_seed_corpus/nil create mode 100644 fuzzing/msgpack_seed_corpus/str16 create mode 100644 fuzzing/msgpack_seed_corpus/str32 create mode 100644 fuzzing/msgpack_seed_corpus/str8 create mode 100644 fuzzing/msgpack_seed_corpus/true create mode 100644 fuzzing/msgpack_seed_corpus/uint16 create mode 100644 fuzzing/msgpack_seed_corpus/uint32 create mode 100644 fuzzing/msgpack_seed_corpus/uint64 create mode 100644 
fuzzing/msgpack_seed_corpus/uint8
diff --git a/fuzzing/Makefile b/fuzzing/Makefile
index f3ed397f..0f2aaabf 100644
--- a/fuzzing/Makefile
+++ b/fuzzing/Makefile
@@ -5,15 +5,18 @@ CXXFLAGS += -I../src
 all: \
 $(OUT)/json_fuzzer \
 $(OUT)/json_fuzzer_seed_corpus.zip \
- $(OUT)/json_fuzzer.options
+ $(OUT)/json_fuzzer.options \
+ $(OUT)/msgpack_fuzzer \
+ $(OUT)/msgpack_fuzzer_seed_corpus.zip \
+ $(OUT)/msgpack_fuzzer.options
-$(OUT)/json_fuzzer: fuzzer.cpp $(shell find ../src -type f)
+$(OUT)/%_fuzzer: %_fuzzer.cpp $(shell find ../src -type f)
 $(CXX) $(CXXFLAGS) $< -o$@ $(LIB_FUZZING_ENGINE)
-$(OUT)/json_fuzzer_seed_corpus.zip: seed_corpus/*
+$(OUT)/%_fuzzer_seed_corpus.zip: %_seed_corpus/*
 zip -j $@ $?
-$(OUT)/json_fuzzer.options:
+$(OUT)/%_fuzzer.options:
 @echo "[libfuzzer]" > $@
 @echo "max_len = 256" >> $@
 @echo "timeout = 10" >> $@
diff --git a/fuzzing/fuzzer.cpp b/fuzzing/fuzzer.cpp
deleted file mode 100644
index 8ceacaf4..00000000
--- a/fuzzing/fuzzer.cpp
+++ /dev/null
@@ -1,27 +0,0 @@
-#include 
-
-class memstream : public std::istream {
- struct membuf : std::streambuf {
- membuf(const uint8_t *p, size_t l) {
- setg((char *)p, (char *)p, (char *)p + l);
- }
- };
- membuf _buffer;
-
- public:
- memstream(const uint8_t *p, size_t l)
- : std::istream(&_buffer), _buffer(p, l) {
- rdbuf(&_buffer);
- }
-};
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- DynamicJsonDocument doc;
- memstream json(data, size);
- DeserializationError error = deserializeJson(doc, json);
- if (error == DeserializationError::Ok) {
- JsonVariant variant = doc.as();
- variant.as(); // <- serialize to JSON
- }
- return 0;
-}
diff --git a/fuzzing/my_corpus/.gitignore b/fuzzing/json_corpus/.gitignore
similarity index 100%
rename from fuzzing/my_corpus/.gitignore
rename to fuzzing/json_corpus/.gitignore
diff --git a/fuzzing/json_fuzzer.cpp b/fuzzing/json_fuzzer.cpp
new file mode 100644
index 00000000..bd44def6
--- /dev/null
+++ b/fuzzing/json_fuzzer.cpp
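Review bot: The new `$(OUT)/%_fuzzer.options` pattern rule has no prerequisites, so once a `json_fuzzer.options` or `msgpack_fuzzer.options` file exists it is never regenerated, and a later edit to the `max_len`/`timeout` values written by the recipe is silently ignored by incremental builds; listing the Makefile itself, `$(OUT)/%_fuzzer.options: Makefile`, keeps the generated options in step with the recipe. The three pattern rules also encode an implicit naming contract — `<name>_fuzzer.cpp`, `<name>_seed_corpus/` and the `$(OUT)/<name>_fuzzer*` targets must share one prefix, and each new harness still has to be listed by hand in `all:` — which is worth a comment above `all:`, e.g. `# To add a fuzzer NAME: create NAME_fuzzer.cpp and NAME_seed_corpus/, then list its three targets here`. The blank lines between the recipes appear to have been lost in rendering, so the hunk reads as fewer lines than its header declares.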
@@ -0,0 +1,11 @@
+#include 
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ DynamicJsonDocument doc;
+ DeserializationError error = deserializeJson(doc, data, size);
+ if (!error) {
+ std::string json;
+ serializeJson(doc, json);
+ }
+ return 0;
+}
diff --git a/fuzzing/seed_corpus/Comments.json b/fuzzing/json_seed_corpus/Comments.json
similarity index 100%
rename from fuzzing/seed_corpus/Comments.json
rename to fuzzing/json_seed_corpus/Comments.json
diff --git a/fuzzing/seed_corpus/EmptyArray.json b/fuzzing/json_seed_corpus/EmptyArray.json
similarity index 100%
rename from fuzzing/seed_corpus/EmptyArray.json
rename to fuzzing/json_seed_corpus/EmptyArray.json
diff --git a/fuzzing/seed_corpus/EmptyObject.json b/fuzzing/json_seed_corpus/EmptyObject.json
similarity index 100%
rename from fuzzing/seed_corpus/EmptyObject.json
rename to fuzzing/json_seed_corpus/EmptyObject.json
diff --git a/fuzzing/seed_corpus/ExcessiveNesting.json b/fuzzing/json_seed_corpus/ExcessiveNesting.json
similarity index 100%
rename from fuzzing/seed_corpus/ExcessiveNesting.json
rename to fuzzing/json_seed_corpus/ExcessiveNesting.json
diff --git a/fuzzing/seed_corpus/Numbers.json b/fuzzing/json_seed_corpus/Numbers.json
similarity index 100%
rename from fuzzing/seed_corpus/Numbers.json
rename to fuzzing/json_seed_corpus/Numbers.json
diff --git a/fuzzing/seed_corpus/OpenWeatherMap.json b/fuzzing/json_seed_corpus/OpenWeatherMap.json
similarity index 100%
rename from fuzzing/seed_corpus/OpenWeatherMap.json
rename to fuzzing/json_seed_corpus/OpenWeatherMap.json
diff --git a/fuzzing/seed_corpus/Strings.json b/fuzzing/json_seed_corpus/Strings.json
similarity index 100%
rename from fuzzing/seed_corpus/Strings.json
rename to fuzzing/json_seed_corpus/Strings.json
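Review bot: The harness's only oracle is a sanitizer report — `serializeJson(doc, json)` runs and its output is thrown away — so a serializer that emits text the parser itself rejects (an escaping mistake on a string that was accepted on input, say) is never detected even though the fuzzer has the evidence in hand. Feeding the output back in is a cheap round-trip check: after `serializeJson(doc, json);` add `DynamicJsonDocument doc2;` and `if (deserializeJson(doc2, json)) __builtin_trap();`, relying on the same boolean conversion of `DeserializationError` that the `if (!error)` test already uses; if a reparse can legitimately fail on capacity, compare against that specific error code instead of trapping on any failure. The same gap exists in the MsgPack harness added in `fuzzing/msgpack_fuzzer.cpp`. A one-line header comment, `// libFuzzer entry point: any input accepted by deserializeJson must serialize back without a sanitizer finding`, would state what the harness actually asserts, since the file currently has no documentation at all.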
diff --git a/fuzzing/seed_corpus/WeatherUnderground.json b/fuzzing/json_seed_corpus/WeatherUnderground.json similarity index 100% rename from fuzzing/seed_corpus/WeatherUnderground.json rename to fuzzing/json_seed_corpus/WeatherUnderground.json diff --git a/fuzzing/msgpack_corpus/.gitignore b/fuzzing/msgpack_corpus/.gitignore new file mode 100644 index 00000000..d6b7ef32 --- /dev/null +++ b/fuzzing/msgpack_corpus/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore diff --git a/fuzzing/msgpack_fuzzer.cpp b/fuzzing/msgpack_fuzzer.cpp new file mode 100644 index 00000000..ef7a648e --- /dev/null +++ b/fuzzing/msgpack_fuzzer.cpp @@ -0,0 +1,11 @@ +#include + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + DynamicJsonDocument doc; + DeserializationError error = deserializeMsgPack(doc, data, size); + if (!error) { + std::string json; + serializeMsgPack(doc, json); + } + return 0; +} diff --git a/fuzzing/msgpack_seed_corpus/array16 b/fuzzing/msgpack_seed_corpus/array16 new file mode 100644 index 0000000000000000000000000000000000000000..714ba99e70cbed2056b4e4b04c86bb1a2ff7311b GIT binary patch literal 15 Wcmcb^z_c_YH76&3X?cE8P6_}q=LTf} literal 0 HcmV?d00001 diff --git a/fuzzing/msgpack_seed_corpus/array32 b/fuzzing/msgpack_seed_corpus/array32 new file mode 100644 index 0000000000000000000000000000000000000000..6e3ed7b1b81742fbb90a4135004b55a9a45a5769 GIT binary patch literal 15 Wcmcc1z`($Cih+TF;go~N*TVoEa|E;i literal 0 HcmV?d00001 diff --git a/fuzzing/msgpack_seed_corpus/false b/fuzzing/msgpack_seed_corpus/false new file mode 100644 index 00000000..52771883 --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/false @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/fixarray b/fuzzing/msgpack_seed_corpus/fixarray new file mode 100644 index 00000000..95d54b19 --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/fixarray @@ -0,0 +1 @@ +’¥hello¥world \ No newline at end of file 
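Review bot: In `fuzzing/msgpack_fuzzer.cpp` the output buffer is still named `json` although it receives `serializeMsgPack(doc, json)`, i.e. binary MessagePack rather than JSON text — the file is a copy of the JSON harness and the name was not updated with the calls. Renaming it, `std::string packed;` and `serializeMsgPack(doc, packed);`, stops a reader from assuming the round trip goes through JSON. A header comment saying that the harness parses arbitrary bytes as MessagePack and re-encodes the document on success would also help, as nothing else in the file says which format is under test.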
diff --git a/fuzzing/msgpack_seed_corpus/fixint_negative b/fuzzing/msgpack_seed_corpus/fixint_negative new file mode 100644 index 00000000..eda5949c --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/fixint_negative @@ -0,0 +1 @@ +à \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/fixint_positive b/fuzzing/msgpack_seed_corpus/fixint_positive new file mode 100644 index 00000000..16e0e90d --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/fixint_positive @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/fixmap b/fuzzing/msgpack_seed_corpus/fixmap new file mode 100644 index 00000000..df26118e --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/fixmap @@ -0,0 +1 @@ +‚£one£two \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/fixstr b/fuzzing/msgpack_seed_corpus/fixstr new file mode 100644 index 00000000..2ff7b3f3 --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/fixstr @@ -0,0 +1 @@ +«hello world \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/float32 b/fuzzing/msgpack_seed_corpus/float32 new file mode 100644 index 00000000..a574220c --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/float32 @@ -0,0 +1 @@ +Ê@Hõà \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/float64 b/fuzzing/msgpack_seed_corpus/float64 new file mode 100644 index 00000000..36088bcd --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/float64 @@ -0,0 +1 @@ +Ë@ !ÊÀƒo \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/int16 b/fuzzing/msgpack_seed_corpus/int16 new file mode 100644 index 00000000..9ffc705e --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/int16 @@ -0,0 +1 @@ +ÑÏÇ \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/int32 b/fuzzing/msgpack_seed_corpus/int32 new file mode 100644 index 00000000..d735e217 --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/int32 @@ -0,0 +1 @@ +Ò¶iý. \ No newline at end of file 
diff --git a/fuzzing/msgpack_seed_corpus/int64 b/fuzzing/msgpack_seed_corpus/int64 new file mode 100644 index 00000000..9d2cd3b9 --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/int64 @@ -0,0 +1 @@ +Ó4Vxš¼Þð \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/int8 b/fuzzing/msgpack_seed_corpus/int8 new file mode 100644 index 00000000..ae2ca9cc --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/int8 @@ -0,0 +1 @@ +Ðÿ \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/map16 b/fuzzing/msgpack_seed_corpus/map16 new file mode 100644 index 0000000000000000000000000000000000000000..836a71874d8589ae75e86df552072b827dfba076 GIT binary patch literal 19 acmcb|z_id~X+~;JPX5C1rRDiWIVk{8tO!T| literal 0 HcmV?d00001 diff --git a/fuzzing/msgpack_seed_corpus/map32 b/fuzzing/msgpack_seed_corpus/map32 new file mode 100644 index 0000000000000000000000000000000000000000..97ab162ebd1c24c6e106b7d5e419b60310614858 GIT binary patch literal 23 fcmcc5z`($?q$;&2{}clQ1H+<%%u@~?Uk?KSSVstz literal 0 HcmV?d00001 diff --git a/fuzzing/msgpack_seed_corpus/nil b/fuzzing/msgpack_seed_corpus/nil new file mode 100644 index 00000000..e7754cae --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/nil @@ -0,0 +1 @@ +À \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/str16 b/fuzzing/msgpack_seed_corpus/str16 new file mode 100644 index 0000000000000000000000000000000000000000..91c1396de2ddcc3c568f2fa0ec82ba781cbfbfb3 GIT binary patch literal 8 Pcmcb`z?zYolamhs4IKjX literal 0 HcmV?d00001 diff --git a/fuzzing/msgpack_seed_corpus/str32 b/fuzzing/msgpack_seed_corpus/str32 new file mode 100644 index 0000000000000000000000000000000000000000..50cac52adc687845ddc2a8060c8ed15d6034f638 GIT binary patch literal 10 Rcmcc3z`($ok(!f}4*(9`0`&j@ literal 0 HcmV?d00001 diff --git a/fuzzing/msgpack_seed_corpus/str8 b/fuzzing/msgpack_seed_corpus/str8 new file mode 100644 index 00000000..ff5a2c0e --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/str8 
@@ -0,0 +1 @@ +Ùhello \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/true b/fuzzing/msgpack_seed_corpus/true new file mode 100644 index 00000000..6b10f958 --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/true @@ -0,0 +1 @@ +à \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/uint16 b/fuzzing/msgpack_seed_corpus/uint16 new file mode 100644 index 00000000..7f4c2e82 --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/uint16 @@ -0,0 +1 @@ +Í09 \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/uint32 b/fuzzing/msgpack_seed_corpus/uint32 new file mode 100644 index 00000000..864826fb --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/uint32 @@ -0,0 +1 @@ +Î4Vx \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/uint64 b/fuzzing/msgpack_seed_corpus/uint64 new file mode 100644 index 00000000..20ede759 --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/uint64 @@ -0,0 +1 @@ +Ï4Vxš¼Þð \ No newline at end of file diff --git a/fuzzing/msgpack_seed_corpus/uint8 b/fuzzing/msgpack_seed_corpus/uint8 new file mode 100644 index 00000000..6a961207 --- /dev/null +++ b/fuzzing/msgpack_seed_corpus/uint8 @@ -0,0 +1 @@ +Ìÿ \ No newline at end of file diff --git a/scripts/oss-fuzz/Vagrantfile b/scripts/oss-fuzz/Vagrantfile index 252c191c..85d0733f 100644 --- a/scripts/oss-fuzz/Vagrantfile +++ b/scripts/oss-fuzz/Vagrantfile @@ -2,11 +2,16 @@ Vagrant.configure(2) do |config| config.vm.box = "ubuntu/xenial64" - config.vm.synced_folder "E:\\Git\\Arduino\\libraries\\ArduinoJson", "/host/ArduinoJson" + config.vm.synced_folder "../..", "/host/ArduinoJson" config.vm.synced_folder "E:\\Git\\oss-fuzz", "/host/oss-fuzz" config.vm.network "forwarded_port", guest: 8001, host: 8001 + config.vm.provider "virtualbox" do |v| + v.memory = 2048 + v.cpus = 2 + end + config.vm.provision "shell", privileged: false, inline: <<-SHELL set -x 
@@ -18,10 +23,6 @@ Vagrant.configure(2) do |config|
 git clone https://github.com/google/fuzzer-test-suite.git FTS
 ./FTS/tutorial/install-deps.sh # Get deps
 ./FTS/tutorial/install-clang.sh # Get fresh clang binaries
- # Get libFuzzer sources and build it
- svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
- Fuzzer/build.sh
- sudo mv libFuzzer.a /usr/local/lib/
 echo "export PROJECT_NAME='arduinojson'" >> $HOME/.profile
 echo "export CC='clang'" >> $HOME/.profile
diff --git a/scripts/travis/fuzz.sh b/scripts/travis/fuzz.sh
index 5c5fb6d8..1b2dac28 100755
--- a/scripts/travis/fuzz.sh
+++ b/scripts/travis/fuzz.sh
@@ -1,20 +1,26 @@
 #!/bin/bash -eux
 ROOT_DIR=$(dirname $0)/../../
-INCLUDE_DIR=$ROOT_DIR/src/
-FUZZING_DIR=$ROOT_DIR/fuzzing/
-JSON_CORPUS_DIR=$FUZZING_DIR/my_corpus
-JSON_SEED_CORPUS_DIR=$FUZZING_DIR/seed_corpus
-
-CXX="clang++-$CLANG"
+INCLUDE_DIR=${ROOT_DIR}/src/
+FUZZING_DIR=${ROOT_DIR}/fuzzing/
 CXXFLAGS="-g -fprofile-instr-generate -fcoverage-mapping -fsanitize=address,fuzzer"
-$CXX $CXXFLAGS -o json_fuzzer -I$INCLUDE_DIR $FUZZING_DIR/fuzzer.cpp
+fuzz() {
+ NAME="$1"
+ FUZZER="${NAME}_fuzzer"
+ FUZZER_CPP="${FUZZING_DIR}/${NAME}_fuzzer.cpp"
+ CORPUS_DIR="${FUZZING_DIR}/${NAME}_corpus"
+ SEED_CORPUS_DIR="${FUZZING_DIR}/${NAME}_seed_corpus"
-export ASAN_OPTIONS="detect_leaks=0"
-export LLVM_PROFILE_FILE="json_fuzzer.profraw"
-./json_fuzzer "$JSON_CORPUS_DIR" "$JSON_SEED_CORPUS_DIR" -max_total_time=60
+ clang++-${CLANG} ${CXXFLAGS} -o ${FUZZER} -I$INCLUDE_DIR ${FUZZER_CPP}
-llvm-profdata-$CLANG merge -sparse json_fuzzer.profraw -o json_fuzzer.profdata
+ export ASAN_OPTIONS="detect_leaks=0"
+ export LLVM_PROFILE_FILE="${FUZZER}.profraw"
+ ./${FUZZER} "$CORPUS_DIR" "$SEED_CORPUS_DIR" -max_total_time=30
-llvm-cov-$CLANG report ./json_fuzzer -instr-profile=json_fuzzer.profdata
+ llvm-profdata-${CLANG} merge -sparse ${LLVM_PROFILE_FILE} -o ${FUZZER}.profdata
+ llvm-cov-${CLANG} report ./${FUZZER} -instr-profile=${FUZZER}.profdata
+}
+
+fuzz json
+fuzz msgpack
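Review bot: `export ASAN_OPTIONS="detect_leaks=0"` inside the new `fuzz()` function switches LeakSanitizer off for both harnesses, so memory that `deserializeJson`/`deserializeMsgPack` allocate and fail to release on an error path is never reported; if this was carried over to silence a known false positive it deserves a comment, `# LSan disabled: <reason>`, otherwise it should go so that leaks count as findings. Since the MsgPack harness decodes multi-byte integers and floats straight from fuzzer-controlled bytes, adding `undefined` to `-fsanitize=address,fuzzer` would also surface misaligned loads, out-of-range shifts and signed overflow that ASan does not check. The function's variables (`NAME`, `FUZZER`, `CORPUS_DIR`, …) are not declared `local` and `${FUZZER}` / `-I$INCLUDE_DIR` are unquoted; harmless with the two fixed names passed today, but `local NAME="$1"` and quoting keep the helper safe if it is reused with other arguments. The per-fuzzer budget also drops from 60 to 30 seconds, which the commit message does not mention.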