fuzzing: extend fuzzing coverage

Try fuzzing some functions which write to file/file descriptor; to avoid slowing the fuzzer, close its stdout
ntop · Oct 9, 2023 · d76d9a1 · d76d9a1
1 parent 86115a8
commit d76d9a1
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 4 deletions.
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am
@@ -626,6 +626,7 @@ distdir:
 		-o -name '*.am' \
 		-o -name '*.h' \
 		-o -name '*.cpp' \
+		-o -name '*.options' \
 		-o -name 'ipv4_addresses.txt' \
 		-o -name 'bd_param.txt' \
 		-o -name 'splt_param.txt' \

diff --git a/fuzz/fuzz_config.cpp b/fuzz/fuzz_config.cpp
@@ -172,7 +172,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   ndpi_get_ndpi_num_custom_protocols(ndpi_info_mod);
   ndpi_get_ndpi_num_supported_protocols(ndpi_info_mod);
 
-  ndpi_self_check_host_match(stderr);
+  ndpi_self_check_host_match(stdout);
+
+  ndpi_dump_protocols(ndpi_info_mod, stdout);
+  ndpi_generate_options(fuzzed_data.ConsumeIntegralInRange(0, 4), stdout);
+  ndpi_dump_risks_score(stdout);
 
   /* Basic code to try testing this "config" */
   bool_value = fuzzed_data.ConsumeBool();

diff --git a/fuzz/fuzz_config.options b/fuzz/fuzz_config.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+close_fd_mask=1
diff --git a/fuzz/fuzz_gcrypt_gcm.cpp b/fuzz/fuzz_gcrypt_gcm.cpp
@@ -20,14 +20,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   int key_len, rc_e, rc_d;
   mbedtls_cipher_id_t cipher;
   unsigned char *tag;
-  int iv_len, tag_len, input_length;
+  int iv_len, tag_len, input_length, force_auth_tag_error;
 
   /* No real memory allocations involved */
 
   if(fuzzed_data.remaining_bytes() < 1 + 4 + 512 / 8 +
 				     1 + 64 + /* iv */
 				     1 + /* tag_len */
 				     1 + 64 + /* input */
+				     1 + /* force_auth_tag_error */
 				     1 /* useless data: to be able to add the check with assert */)
     return -1;
 
@@ -55,6 +56,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   output = (unsigned char *)malloc(input_length);
   decrypted = (unsigned char *)malloc(input_length);
 
+  force_auth_tag_error = fuzzed_data.ConsumeBool();
+
   cipher = static_cast<mbedtls_cipher_id_t>(fuzzed_data.ConsumeIntegralInRange(0, (int)MBEDTLS_CIPHER_ID_CHACHA20));
 
   assert(fuzzed_data.remaining_bytes() > 0);
@@ -74,15 +77,23 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 				     output,
 				     tag_len, tag);
     if(rc_e == 0) {
+      if(force_auth_tag_error && tag_len > 0 && tag[0] != 0) {
+        tag[0] = 0;
+      } else {
+        force_auth_tag_error = 0;
+      }
+
       rc_d = mbedtls_gcm_auth_decrypt(gcm_d_ctx,
 				      input.size(),
 				      iv.data(), iv.size(),
 				      NULL, 0, /* TODO */
 				      tag, tag_len,
 				      output,
 				      decrypted);
-      if (rc_d == 0)
+      if(rc_d == 0)
         assert(memcmp(input.data(), decrypted, input.size()) == 0);
+      if(force_auth_tag_error)
+        assert(rc_d == MBEDTLS_ERR_GCM_AUTH_FAILED);
     }
   }
 

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -8777,6 +8777,7 @@ void ndpi_generate_options(u_int opt, FILE *options_out) {
 
   if (!options_out) return;
   ndpi_str = ndpi_init_detection_module(ndpi_no_prefs);
+  if (!ndpi_str) return;
 
   NDPI_BITMASK_SET_ALL(all);
   ndpi_set_protocol_detection_bitmask2(ndpi_str, &all);
@@ -8819,6 +8820,8 @@ void ndpi_generate_options(u_int opt, FILE *options_out) {
     fprintf(options_out, "%s\n", "WARNING: option -a out of range");
     break;
   }
+
+  ndpi_exit_detection_module(ndpi_str);
 }
 
 /* ****************************************************** */
@@ -9701,7 +9704,6 @@ static int ndpi_is_vowel(char c) {
   case 'y': // Not a real vowel...
   case 'x': // Not a real vowel...
     return(1);
-    break;
 
   default:
     return(0);

diff --git a/src/lib/third_party/src/gcrypt/aes.c b/src/lib/third_party/src/gcrypt/aes.c
@@ -191,7 +191,13 @@ int mbedtls_aes_setkey_enc( mbedtls_aes_context *ctx, const unsigned char *key,
     if( aes_init_done == 0 )
     {
         aes_gen_tables();
+
+        /* Allow to test both aesni and not aesni data path when fuzzing.
+           We can call aes_gen_tables() at every iteration without any issues
+           (performances asides) */
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         aes_init_done = 1;
+#endif
     }
 
     ctx->rk = RK = ctx->buf;

diff --git a/tests/ossfuzz.sh b/tests/ossfuzz.sh
@@ -51,6 +51,8 @@ ls fuzz/fuzz* | grep -v "\." | while read i; do cp $i $OUT/; done
 cp fuzz/*.dict $OUT/
 # Copy seed corpus
 cp fuzz/*.zip $OUT/
+# Copy options
+cp fuzz/*.options $OUT/
 # Copy configuration files
 cp example/protos.txt $OUT/
 cp example/categories.txt $OUT/