
Nalloc sanitizer: to test allocations failures #10701

Open
wants to merge 1 commit into
base: master

Conversation

catenacyber
Contributor

#9902 but as a sanitizer instead of a fuzzing engine

cc @oliverchang @alan32liu

Is this less costly than a fuzzing engine?

@github-actions

catenacyber is a new contributor to projects/fluent-bit. The PR must be approved by known contributors before it can be merged. The past contributors are: jonathanmetzman, DavidKorczynski, leonardo-albertovich, patrick-stephens, oliverchang, devtty1er, edsiper
catenacyber is a new contributor to projects/flac. The PR must be approved by known contributors before it can be merged. The past contributors are: ktmf01, Alan32Liu, jonathanmetzman, guidovranken, oliverchang, Dor1s, rjotwani, sylvestre, posidron (unverified)
catenacyber is either the primary contact or is in the CCs list of projects/ndpi.
catenacyber has previously contributed to projects/ndpi. The previous PR was #4773
catenacyber is a new contributor to projects/libwebp. The PR must be approved by known contributors before it can be merged. The past contributors are: jzern, jonathanmetzman, inferno-chromium, devtty1er, Dor1s, tysmith (unverified), posidron (unverified), johannkoenig (unverified), YannisGuyon (unverified), pdknsk (unverified), vrabaud (unverified)
catenacyber is a new contributor to projects/systemd. The PR must be approved by known contributors before it can be merged. The past contributors are: evverx, Alan32Liu, jonathanmetzman, keszybz, bluca, oliverchang, devtty1er, Dor1s
catenacyber is either the primary contact or is in the CCs list of projects/suricata.
catenacyber has previously contributed to projects/suricata. The previous PR was #10042
catenacyber is a new contributor to projects/libpng. The PR must be approved by known contributors before it can be merged. The past contributors are: Alan32Liu, tysmith, jonathanmetzman, thealberto, inferno-chromium, devtty1er, Dor1s, oliverchang, glennrp (unverified), kcc (unverified), ssbr (unverified), mikea (unverified), kcwu (unverified)

@@ -72,6 +72,8 @@ ENV SANITIZER_FLAGS_thread "-fsanitize=thread"

ENV SANITIZER_FLAGS_introspector "-O0 -flto -fno-inline-functions -fuse-ld=gold -Wno-unused-command-line-argument"

ENV SANITIZER_FLAGS_nalloc "-DLLVMFuzzerTestOneInput=NaloFuzzerTestOneInput -DLLVMFuzzerInitialize=NaloFuzzerInitialize $SANITIZER_FLAGS_address"
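Review bot: the -D rename of LLVMFuzzerTestOneInput and LLVMFuzzerInitialize only applies to translation units compiled with these flags, so a project whose build script compiles its harness without $CFLAGS (or links a prebuilt harness) keeps the original symbol and either the nalloc hook never runs or the link fails with two definitions of LLVMFuzzerTestOneInput; a comment on this line stating that precondition, or a build-time check that NaloFuzzerTestOneInput is present in the produced binary, would make such failures diagnosable. The renamed symbols also use the prefix Nalo while the sanitizer is named nalloc; worth confirming the hook library exports exactly NaloFuzzerTestOneInput and NaloFuzzerInitialize so the two cannot drift apart, and noting that appending $SANITIZER_FLAGS_address makes every nalloc build an ASan build by design.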
Contributor Author


This is the magic trick

Renaming LLVMFuzzerTestOneInput by macro in order to hook before it

@@ -30,5 +30,6 @@ fi
export RUN_FUZZER_MODE="interactive"
export FUZZING_ENGINE="libfuzzer"
export SKIP_SEED_CORPUS="1"
export FUZZ_REPRODUCE_VERBOSE="1"
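Review bot: FUZZ_REPRODUCE_VERBOSE="1" is exported unconditionally next to the other reproduce-mode settings, but nothing in the script says which component consumes it; a one-line comment above the export naming nalloc as the reader (and what extra output it enables) would save the next maintainer a grep, and it would be worth confirming that the variable is only set in this reproduce path so batch fuzzing runs stay quiet as intended.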
Contributor Author


This is used by nalloc to be verbose about allocation failures when reproducing (it stays quiet during batch fuzzing)
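As an added illustration (not code from this PR, from oss-fuzz or from the nallocfuzz project) of the trick described in the two review comments above: the -D flag renames the project's LLVMFuzzerTestOneInput to NaloFuzzerTestOneInput, which frees that symbol for a hook that runs the target under injected allocation failures and reads FUZZ_REPRODUCE_VERBOSE to decide whether to report them. Everything except those two symbol names and the environment variable is hypothetical: tracked_malloc/tracked_free stand in for the allocator interposition the real sanitizer performs, nalloc_sweep is this example's own deterministic fail-the-k-th-allocation strategy, and parse_record is a constructed target with an OOM-path leak beside a corrected harness.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- hook side (stand-in for the nalloc runtime; names are hypothetical) ----
 * The real sanitizer interposes the process allocator; this example routes the
 * target's allocations through tracked_malloc/tracked_free so it stays portable. */
static long fail_at = -1;   /* index of the allocation to fail, -1 = never  */
static long alloc_count;    /* allocations requested in the current run     */
static long live_blocks;    /* blocks allocated but not yet freed           */
static int  verbose;        /* set from FUZZ_REPRODUCE_VERBOSE              */

void *tracked_malloc(size_t n) {
    long idx = alloc_count++;
    if (idx == fail_at) {
        if (verbose) fprintf(stderr, "nalloc: failing allocation #%ld\n", idx);
        return NULL;
    }
    void *p = malloc(n);
    if (p) live_blocks++;
    return p;
}

void tracked_free(void *p) {
    if (p) { live_blocks--; free(p); }
}

/* ---- project side, compiled with -DLLVMFuzzerTestOneInput=NaloFuzzerTestOneInput.
 * The #define below is exactly what that flag in the Dockerfile hunk does. ---- */
#define LLVMFuzzerTestOneInput NaloFuzzerTestOneInput

struct record { char *key; char *val; };

/* Constructed target: parses "key=value". Every allocation is NULL-checked,
 * but the second failure path forgets to release key, an OOM-path leak that
 * an allocation-failure sweep reaches and ordinary fuzzing never does. */
static int parse_record(const uint8_t *data, size_t size, struct record *r) {
    const uint8_t *eq = size ? memchr(data, '=', size) : NULL;
    if (!eq) return -1;
    size_t klen = (size_t)(eq - data), vlen = size - klen - 1;
    r->key = tracked_malloc(klen + 1);
    if (!r->key) return -1;
    memcpy(r->key, data, klen); r->key[klen] = '\0';
    r->val = tracked_malloc(vlen + 1);
    if (!r->val) return -1;            /* BUG: r->key is leaked here */
    memcpy(r->val, eq + 1, vlen); r->val[vlen] = '\0';
    return 0;
}

/* The project's harness: because of the macro this defines NaloFuzzerTestOneInput. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    struct record r = {0, 0};
    if (parse_record(data, size, &r) == 0) {
        tracked_free(r.key);
        tracked_free(r.val);
    }
    return 0;
}
#undef LLVMFuzzerTestOneInput

/* Corrected harness for comparison: releases whatever was allocated even on failure. */
int leak_free_target(const uint8_t *data, size_t size) {
    struct record r = {0, 0};
    parse_record(data, size, &r);      /* on failure r.key may still be set */
    tracked_free(r.key);
    tracked_free(r.val);
    return 0;
}

/* ---- hook entry point ----
 * Sweep strategy (this example's own choice): run the target once to count its
 * allocations, then once per allocation index with that allocation failing.
 * Returns how many failure points left blocks live, i.e. leaked on the OOM path. */
long nalloc_sweep(int (*target)(const uint8_t *, size_t), const uint8_t *data, size_t size) {
    fail_at = -1; alloc_count = 0; live_blocks = 0;
    target(data, size);
    long total = alloc_count, leaky = 0;
    for (long k = 0; k < total; k++) {
        fail_at = k; alloc_count = 0; live_blocks = 0;
        target(data, size);
        if (live_blocks != 0) {
            leaky++;
            if (verbose)
                fprintf(stderr, "nalloc: %ld block(s) leaked when allocation #%ld failed\n",
                        live_blocks, k);
        }
    }
    fail_at = -1;
    return leaky;
}

/* The symbol libFuzzer actually links against: it wraps the renamed target. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    verbose = getenv("FUZZ_REPRODUCE_VERBOSE") != NULL;   /* quiet unless reproducing */
    nalloc_sweep(NaloFuzzerTestOneInput, data, size);
    return 0;
}

int main(void) {
    const char *sample = "name=value";   /* constructed sample input */
    verbose = 1;
    printf("buggy harness: %ld leaky failure point(s)\n",
           nalloc_sweep(NaloFuzzerTestOneInput, (const uint8_t *)sample, strlen(sample)));
    printf("fixed harness: %ld leaky failure point(s)\n",
           nalloc_sweep(leak_free_target, (const uint8_t *)sample, strlen(sample)));
    return 0;
}
```

With the sample input the buggy harness reports one leaky failure point (the second allocation) and the corrected harness none; an input without '=' makes no allocations, so the sweep has nothing to fail.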

@IvanNardi
Contributor

@catenacyber , sorry for the silly question, but I am not able to test it locally (with nDPI). I have done:

  • checkout this PR
  • remove all the docker images
  • python3 infra/helper.py build_image ndpi
  • python3 infra/helper.py build_fuzzers --sanitizer nalloc ndpi
  • python3 infra/helper.py run_fuzzer --sanitizer nalloc --architecture x86_64 ndpi fuzz_ndpi_reader

It seems that the nalloc stuff is never compiled...
What am I doing wrong?

@catenacyber
Contributor Author

@IvanNardi you have to run python3 infra/helper.py build_image --no-pull base-builder first

@catenacyber
Contributor Author

And you also have to run python3 infra/helper.py build_image --no-pull ndpi so that you use the local just-built base-builder (and not the oss-fuzz master one)

@IvanNardi
Contributor

Now it works! Thank you very much! Astonishing work...

@catenacyber
Contributor Author

catenacyber commented Sep 7, 2023

Friendly ping @oliverchang

Could we get this new "sanitizer" to test when allocations fail?

In addition to the projects listed here (see previous PR), there is also icu, cf. unicode-org/icu#2567, where a double free was found by nallocfuzz and is now fixed (and also curl, cf. curl/curl@22eb989).

@jzern
Contributor

jzern commented Sep 8, 2023

The fuzzing engine version in #9902 has been helpful in securing libwebp and libvpx. It will be used in validating similar work in libaom.

@catenacyber
Contributor Author

Friendly ping @oliverchang

Could we get this new "sanitizer" to test when memory allocations fail?

cc @jonathanmetzman @alan32liu
