[elfutils] create tmpfiles properly (#7408)

Now fuzz-libdwfl and fuzz-libelf can be run a few times in a row with files triggering crashes. It's another follow-up to #7395 and #7393.
google · Sep 18, 2022 · 730ee7b · 730ee7b
1 parent 9c8bf5c
commit 730ee7b
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 22 deletions.
diff --git a/projects/elfutils/build.sh b/projects/elfutils/build.sh
@@ -32,7 +32,8 @@
 #  $ cd oss-fuzz/projects/elfutils
 #  $ git clone git://sourceware.org/git/elfutils.git
 #  $ ./build.sh
-#  $ unzip -d CORPUS fuzz-dwfl-core_seed_corpus.zip
+#  $ wget -O fuzz-dwfl-core-corpus.zip "https://storage.googleapis.com/elfutils-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/elfutils_fuzz-dwfl-core/public.zip"
+#  $ unzip -d CORPUS fuzz-dwfl-core-corpus.zip
 #  $ ./out/fuzz-dwfl-core CORPUS/
 
 set -eux
@@ -113,6 +114,11 @@ zlib=zlib/libz.a
 # and so on. Also since a lot of bug reports coming out of the blue aren't exactly helpful
 # fuzz targets should probably be added one at a time to make it easier to keep track
 # of them.
+CFLAGS+=" -Werror -Wall -Wextra"
+CXXFLAGS+=" -Werror -Wall -Wextra"
+
+# fuzz-dwfl-core is kind of a systemd fuzz target in the sense that it resembles the
+# code systemd uses to parse coredumps. Please ping @evverx if it's changed.
 $CC $CFLAGS \
 	-D_GNU_SOURCE -DHAVE_CONFIG_H \
 	-I. -I./lib -I./libelf -I./libebl -I./libdw -I./libdwelf -I./libdwfl -I./libasm \
@@ -138,6 +144,3 @@ $CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz-libdwfl.o \
 	./libasm/libasm.a ./libebl/libebl.a ./backends/libebl_backends.a ./libcpu/libcpu.a \
   ./libdw/libdw.a ./libelf/libelf.a ./lib/libeu.a "$zlib" \
 	-o "$OUT/fuzz-libdwfl"
-
-# Corpus
-cp "$SRC/fuzz-dwfl-core_seed_corpus.zip" "$OUT"
diff --git a/projects/elfutils/fuzz-dwfl-core.c b/projects/elfutils/fuzz-dwfl-core.c
@@ -38,7 +38,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 	assert(fd >= 0);
 
 	n = write(fd, data, size);
-	assert(n == size);
+	assert(n == (ssize_t) size);
 
 	offset = lseek(fd, 0, SEEK_SET);
 	assert(offset == 0);

diff --git a/projects/elfutils/fuzz-dwfl-core_seed_corpus.zip b/projects/elfutils/fuzz-dwfl-core_seed_corpus.zip
diff --git a/projects/elfutils/fuzz-libdwfl.c b/projects/elfutils/fuzz-libdwfl.c
@@ -10,16 +10,19 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+#include <assert.h>
 #include <fcntl.h>
 #include <gelf.h>
 #include <inttypes.h>
 #include <libelf.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
 #include "libdwfl.h"
+#include "system.h"
 
 static const char *debuginfo_path = "";
 static const Dwfl_Callbacks cb  = {
@@ -31,21 +34,24 @@ static const Dwfl_Callbacks cb  = {
 
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-  char filename[256];
-  sprintf(filename, "/tmp/libfuzzer.%d", getpid());
-  FILE *fp = fopen(filename, "wb");
-  if (!fp) {
-    return 0;
-  }
-  fwrite(data, size, 1, fp);
-  fclose(fp);
+  char filename[] = "/tmp/fuzz-libdwfl.XXXXXX";
+  int fd;
+  ssize_t n;
+
+  fd = mkstemp(filename);
+  assert(fd >= 0);
+
+  n = write_retry(fd, data, size);
+  assert(n == (ssize_t) size);
+
+  close(fd);
 
   Dwarf_Addr bias = 0;
   Dwfl *dwfl = dwfl_begin(&cb);
   dwfl_report_begin(dwfl);
 
   Dwfl_Module *mod = dwfl_report_offline(dwfl, filename, filename, -1);
-  Dwarf *res = dwfl_module_getdwarf(mod, &bias);
+  dwfl_module_getdwarf(mod, &bias);
 
   dwfl_end (dwfl);
   unlink(filename);

diff --git a/projects/elfutils/fuzz-libelf.c b/projects/elfutils/fuzz-libelf.c
@@ -10,15 +10,18 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+#include <assert.h>
 #include <fcntl.h>
 #include <gelf.h>
 #include <inttypes.h>
 #include <libelf.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <unistd.h>
+#include "system.h"
 
 
 void fuzz_logic_one(char *filename, int compression_type) {
@@ -69,14 +72,17 @@ void fuzz_logic_twice(char *filename, int open_flags, Elf_Cmd cmd) {
 }
 
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
-  char filename[256];
-  sprintf(filename, "/tmp/libfuzzer.%d", getpid());
-  FILE *fp = fopen(filename, "wb");
-  if (!fp) {
-    return 0;
-  }
-  fwrite(data, size, 1, fp);
-  fclose(fp);
+  char filename[] = "/tmp/fuzz-libelf.XXXXXX";
+  int fd;
+  ssize_t n;
+
+  fd = mkstemp(filename);
+  assert(fd >= 0);
+
+  n = write_retry(fd, data, size);
+  assert(n == (ssize_t) size);
+
+  close(fd);
 
   fuzz_logic_one(filename, 0);
   fuzz_logic_one(filename, 1);