
elfutils: add and expand library fuzzers #7395

Merged
merged 5 commits into from
Mar 16, 2022
Merged
15 changes: 12 additions & 3 deletions projects/elfutils/build.sh
Expand Up @@ -93,11 +93,20 @@ $CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz-dwfl-core.o \
$CC $CFLAGS \
-D_GNU_SOURCE -DHAVE_CONFIG_H \
-I. -I./lib -I./libelf -I./libebl -I./libdw -I./libdwelf -I./libdwfl -I./libasm \
-c "$SRC/fuzz-elf-get-sections.c" -o fuzz-elf-get-sections.o
$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz-elf-get-sections.o \
-c "$SRC/fuzz-libelf.c" -o fuzz-libelf.o
$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz-libelf.o \
./libasm/libasm.a ./libebl/libebl.a ./backends/libebl_backends.a ./libcpu/libcpu.a \
./libdw/libdw.a ./libelf/libelf.a ./lib/libeu.a -l:libz.a \
-o "$OUT/fuzz-elf-get-sections"
-o "$OUT/fuzz-libelf"

$CC $CFLAGS \
-D_GNU_SOURCE -DHAVE_CONFIG_H \
-I. -I./lib -I./libelf -I./libebl -I./libdw -I./libdwelf -I./libdwfl -I./libasm \
-c "$SRC/fuzz-libdwfl.c" -o fuzz-libdwfl.o
$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz-libdwfl.o \
./libasm/libasm.a ./libebl/libebl.a ./backends/libebl_backends.a ./libcpu/libcpu.a \
Contributor


I wonder why it's linked against these libraries? I opened #7412 where I dropped them but if it's intentional it would be great if there was a comment or something like that. Thanks!

Collaborator Author


The intentions were to expand with further fuzzers shortly so the idea was to include all the relevant elfutils libraries and then shrink the build set up to a loop instead of many individual calls to $CXX -- in this event it would be easier to link in all static libraries so as to add a new fuzzer you simply add the fuzzer name. Similar to what we did for the net-snmp library https://github.com/net-snmp/net-snmp/blob/8e14effb6626bbf5bc344ec17fdf0354b5b9a90d/testing/fuzzing/build-fuzz-tests.sh#L7-L20

Contributor


Got it. Thanks! I'll go ahead and close that PR then.

I think as long as issues like #7357 aren't triggered it should be possible to link all the fuzz targets with the common set of the libraries.

Collaborator Author


Yep, sounds good and thanks for pointing #7357 out.

./libdw/libdw.a ./libelf/libelf.a ./lib/libeu.a -l:libz.a \
-o "$OUT/fuzz-libdwfl"

# Corpus
cp "$SRC/fuzz-dwfl-core_seed_corpus.zip" "$OUT"
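Review bot: The new `fuzz-libdwfl` target (and the renamed `fuzz-libelf`) is built without a seed corpus, while the `# Corpus` line at the end of the hunk still copies only `fuzz-dwfl-core_seed_corpus.zip`. All three targets read ELF files, so the existing archive can presumably be reused for the new ones, e.g. `cp "$SRC/fuzz-dwfl-core_seed_corpus.zip" "$OUT/fuzz-libdwfl_seed_corpus.zip"` (and likewise for `fuzz-libelf`), which is worth confirming against the seed contents. Without seeds the new targets start from empty input and take noticeably longer to reach the section- and DWARF-parsing paths they are meant to cover.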
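--- a/projects/elfutils/fuzz-libdwfl.c
+++ b/projects/elfutils/fuzz-libdwfl.c
@@ -0,0 +1,53 @@
+/* Copyright 2022 Google LLC
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <fcntl.h>
+#include <gelf.h>
+#include <inttypes.h>
+#include <libelf.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include "libdwfl.h"
+
+static const char *debuginfo_path = "";
+static const Dwfl_Callbacks cb = {
+NULL,
+dwfl_standard_find_debuginfo,
+NULL,
+(char **)&debuginfo_path,
+};
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+char filename[256];
+sprintf(filename, "/tmp/libfuzzer.%d", getpid());
+FILE *fp = fopen(filename, "wb");
+if (!fp) {
+return 0;
+}
+fwrite(data, size, 1, fp);
+fclose(fp);
+
+Dwarf_Addr bias = 0;
+Dwfl *dwfl = dwfl_begin(&cb);
+dwfl_report_begin(dwfl);
+
+Dwfl_Module *mod = dwfl_report_offline(dwfl, filename, filename, -1);
+Dwarf *res = dwfl_module_getdwarf(mod, &bias);
+
+dwfl_end (dwfl);
+unlink(filename);
+return 0;
+}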
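Review bot: `dwfl_begin(&cb)` can return NULL, and the next line passes the result straight to `dwfl_report_begin(dwfl)` without a check; add `if (dwfl == NULL) { unlink(filename); return 0; }` right after the `dwfl_begin` call, and consider guarding `mod` the same way before `dwfl_module_getdwarf` even though libdwfl appears to tolerate a NULL module there. The `fwrite` result is unchecked, so a short write silently fuzzes a truncated file, and `res` is assigned but never read, which `-Wunused-variable` will flag — `(void)dwfl_module_getdwarf(mod, &bias);` keeps the intent without the warning. The fixed `/tmp/libfuzzer.<pid>` name is predictable in a shared tmp directory; `mkstemp` would give a unique file plus an fd that could be handed to `dwfl_report_offline` instead of `-1`, though whether libdwfl then takes ownership of that fd should be confirmed against the elfutils documentation. The same write-to-/tmp prologue is repeated in the `LLVMFuzzerTestOneInput` of the third file in this PR and would benefit from the same changes.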
Expand Up @@ -10,7 +10,6 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

/* Inspired by the elfgetzdata.c test */
#include <fcntl.h>
#include <gelf.h>
#include <inttypes.h>
Expand All @@ -21,17 +20,8 @@ limitations under the License.
#include <sys/types.h>
#include <unistd.h>

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
char filename[256];
sprintf(filename, "/tmp/libfuzzer.%d", getpid());
FILE *fp = fopen(filename, "wb");
if (!fp) {
return 0;
}
fwrite(data, size, 1, fp);
fclose(fp);

// Main fuzz entrypoint in objdump.c
void fuzz_logic_one(char *filename, int compression_type) {
(void)elf_version(EV_CURRENT);
int fd = open(filename, O_RDONLY);
Elf *elf = elf_begin(fd, ELF_C_READ, NULL);
Expand All @@ -50,7 +40,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
// so it resembles the test code.
// Compress and get data of the section
if ((shdr->sh_flags & SHF_COMPRESSED) != 0) {
if (elf_compress(scn, 0, 0) >= 0) {
if (elf_compress(scn, compression_type, 0) >= 0) {
elf_getdata(scn, NULL);
}
} else if (name != NULL) {
Expand All @@ -63,8 +53,38 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
}
elf_end(elf);
}
close(fd);
}

void fuzz_logic_twice(char *filename, int open_flags, Elf_Cmd cmd) {
(void)elf_version(EV_CURRENT);
int fd = open(filename, open_flags);
Elf *elf = elf_begin(fd, cmd, NULL);
if (elf != NULL) {
size_t elf_size = 0;
elf_rawfile(elf, &elf_size);
elf_end(elf);
}
close(fd);
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
char filename[256];
sprintf(filename, "/tmp/libfuzzer.%d", getpid());
FILE *fp = fopen(filename, "wb");
if (!fp) {
return 0;
}
fwrite(data, size, 1, fp);
fclose(fp);

fuzz_logic_one(filename, 0);
fuzz_logic_one(filename, 1);
fuzz_logic_twice(filename, O_RDONLY, ELF_C_READ);
fuzz_logic_twice(filename, O_RDONLY | O_WRONLY, ELF_C_RDWR);
fuzz_logic_twice(filename, O_RDONLY, ELF_C_READ_MMAP);
fuzz_logic_twice(filename, O_RDONLY | O_WRONLY, ELF_C_RDWR_MMAP);

unlink(filename);
return 0;
}
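Review bot: `O_RDONLY | O_WRONLY` in the two `fuzz_logic_twice` calls for `ELF_C_RDWR` and `ELF_C_RDWR_MMAP` evaluates to plain `O_WRONLY`, because `O_RDONLY` is 0 on POSIX, so the file is opened write-only and libelf's read or mmap of it should fail, leaving those two calls exercising only the error path; `O_RDWR` is presumably what was meant: `fuzz_logic_twice(filename, O_RDWR, ELF_C_RDWR);` and `fuzz_logic_twice(filename, O_RDWR, ELF_C_RDWR_MMAP);`. Neither helper checks the `open` result, so a failed open hands `-1` to `elf_begin` and then to `close`; an `if (fd < 0) return;` guard in each keeps the target on the path it intends to test. `fuzz_logic_one` and `fuzz_logic_twice` are used only in this file and should be `static`, otherwise `-Wmissing-prototypes` will warn. `fuzz_logic_one` starts in an earlier hunk, so only its closing lines are visible here.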