[tor-commits] [tor/master] Fuzzing: Add an initial fuzzing tool, for descriptors.

nickm at torproject.org nickm at torproject.org
Mon Jan 30 13:45:47 UTC 2017


commit b96c70d668f96550401057834bb9caafb5d0e412
Author: Nick Mathewson <nickm at torproject.org>
Date:   Tue Dec 13 19:15:26 2016 -0500

    Fuzzing: Add an initial fuzzing tool, for descriptors.
    
    This will need some refactoring and mocking.
---
 Makefile.am                     |  1 +
 src/include.am                  |  2 +-
 src/test/fuzz/fuzz_descriptor.c | 26 +++++++++++++++++++++
 src/test/fuzz/fuzzing.h         |  7 ++++++
 src/test/fuzz/fuzzing_common.c  | 52 +++++++++++++++++++++++++++++++++++++++++
 src/test/fuzz/include.am        | 48 +++++++++++++++++++++++++++++++++++++
 6 files changed, 135 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index b6e4e53..2e853d4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -9,6 +9,7 @@ noinst_LIBRARIES=
 EXTRA_DIST=
 noinst_HEADERS=
 bin_PROGRAMS=
+EXTRA_PROGRAMS=
 CLEANFILES=
 TESTS=
 noinst_PROGRAMS=
diff --git a/src/include.am b/src/include.am
index c468af3..d12684e 100644
--- a/src/include.am
+++ b/src/include.am
@@ -6,4 +6,4 @@ include src/test/include.am
 include src/tools/include.am
 include src/win32/include.am
 include src/config/include.am
-
+include src/test/fuzz/include.am
diff --git a/src/test/fuzz/fuzz_descriptor.c b/src/test/fuzz/fuzz_descriptor.c
new file mode 100644
index 0000000..1364bf4
--- /dev/null
+++ b/src/test/fuzz/fuzz_descriptor.c
@@ -0,0 +1,26 @@
+
+#include "or.h"
+#include "routerparse.h"
+#include "routerlist.h"
+#include "fuzzing.h"
+
+int
+fuzz_init(void)
+{
+  ed25519_init();
+  return 0;
+}
+
+int
+fuzz_main(const uint8_t *data, size_t sz)
+{
+  routerinfo_t *ri;
+  const char *str = (const char*) data;
+  ri = router_parse_entry_from_string((const char *)str,
+                                      str+sz,
+                                      0, 0, 0, NULL);
+  if (ri)
+    routerinfo_free(ri);
+  return 0;
+}
+
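Review bot: fuzz_main passes `data` straight to router_parse_entry_from_string as a C string (lines 68–71), but under libFuzzer the buffer is not NUL-terminated and only `sz` bytes are valid; if the parser or the tokenizer beneath it ever scans for a terminator instead of stopping at `str+sz`, the harness itself will generate out-of-bounds reads that look like parser bugs. Copying the input into a NUL-terminated buffer first, e.g. `char *copy = tor_memdup_nulterm(data, sz);` before the call and `tor_free(copy);` after it (assuming that helper is reachable through or.h), gives both entry points the same guarantee. The second `(const char *)` cast on line 69 is redundant, since `str` already has that type. A one-line contract above fuzz_main, `/* data: raw fuzzer input of sz bytes, not guaranteed NUL-terminated. */`, would make the assumption explicit for future harnesses.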
diff --git a/src/test/fuzz/fuzzing.h b/src/test/fuzz/fuzzing.h
new file mode 100644
index 0000000..fbd54da
--- /dev/null
+++ b/src/test/fuzz/fuzzing.h
@@ -0,0 +1,7 @@
+#ifndef FUZZING_H
+#define FUZZING_H
+
+int fuzz_init(void);
+int fuzz_main(const uint8_t *data, size_t sz);
+
+#endif /* FUZZING_H */
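Review bot: The header uses `uint8_t` and `size_t` (line 87) without including anything, so it is not self-contained and compiles only because fuzz_descriptor.c pulls in or.h and fuzzing_common.c pulls in torint.h first. Adding `#include "torint.h"` (or `<stdint.h>` plus `<stddef.h>`) right after the guard fixes that. The two prototypes also carry no contract; comments such as `/* One-time setup for the harness; returns <0 on failure, in which case the caller aborts. */` on fuzz_init and `/* Run one input: data holds sz bytes and may not be NUL-terminated. */` on fuzz_main would tell harness authors what they may rely on.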
diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c
new file mode 100644
index 0000000..51d519b
--- /dev/null
+++ b/src/test/fuzz/fuzzing_common.c
@@ -0,0 +1,52 @@
+#include "orconfig.h"
+#include "torint.h"
+#include "util.h"
+#include "torlog.h"
+#include "backtrace.h"
+#include "fuzzing.h"
+
+extern const char tor_git_revision[];
+const char tor_git_revision[] = "";
+
+#define MAX_FUZZ_SIZE (128*1024)
+
+#ifdef LLVM_FUZZ
+int
+LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  static int initialized = 0;
+  if (!initialized) {
+    if (fuzz_init() < 0)
+      abort();
+  }
+
+  return fuzz_main(Data, Size);
+}
+
+#else /* Not LLVM_FUZZ, so AFL. */
+
+int
+main(int argc, char **argv)
+{
+  size_t size;
+  char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size);
+
+  tor_threads_init();
+  init_logging(1);
+
+  if (argc > 1 && !strcmp(argv[1], "--info")) {
+    log_severity_list_t sev;
+    set_log_severity_config(LOG_INFO, LOG_ERR, &sev);
+    add_stream_log(&sev, "stdout", 1);
+    configure_backtrace_handler(NULL);
+  }
+
+  tor_assert(input);
+  if (fuzz_init() < 0)
+    abort();
+  fuzz_main((const uint8_t*)input, size);
+  tor_free(input);
+  return 0;
+}
+
+#endif
+
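Review bot: `initialized` in LLVMFuzzerTestOneInput (lines 111–115) is never set, so fuzz_init() — and with it ed25519_init() — runs again on every input; add `initialized = 1;` inside the `if (!initialized)` branch after the check succeeds. The libFuzzer path also skips the `tor_threads_init()` and `init_logging(1)` calls the AFL main performs (lines 128–129), so any log call reached from the code under test behaves differently depending on which entry point was built; presumably that setup belongs inside the same one-time branch. Separately, the AFL main reads stdin through read_file_to_str_until_eof, which I assume hands back a NUL-terminated buffer, whereas libFuzzer's `Data` is not, so fuzz_main receives a weaker guarantee in one build than the other. The return value of fuzz_main is discarded on line 141 but propagated on line 117; either is fine, but a comment saying what the value means would remove the ambiguity.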
diff --git a/src/test/fuzz/include.am b/src/test/fuzz/include.am
new file mode 100644
index 0000000..323798f
--- /dev/null
+++ b/src/test/fuzz/include.am
@@ -0,0 +1,48 @@
+
+FUZZING_CPPFLAGS = \
+	$(src_test_AM_CPPFLAGS) $(TEST_CPPFLAGS)
+FUZZING_CFLAGS = \
+	$(AM_CFLAGS) $(TEST_CFLAGS)
+FUZZING_LDFLAG = \
+	@TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ @TOR_LDFLAGS_libevent@
+FUZZING_LIBS = \
+	src/or/libtor-testing.a \
+	src/common/libor-crypto-testing.a \
+	$(LIBKECCAK_TINY) \
+	$(LIBDONNA) \
+	src/common/libor-testing.a \
+	src/common/libor-ctime-testing.a \
+	src/common/libor-event-testing.a \
+	src/trunnel/libor-trunnel-testing.a \
+	@TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ \
+	@TOR_LIBEVENT_LIBS@ \
+	@TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ \
+	@TOR_SYSTEMD_LIBS@
+
+
+noinst_HEADERS += \
+	src/test/fuzz/fuzzing_boilerplate.h
+
+src_test_fuzz_fuzz_descriptor_SOURCES = \
+	src/test/fuzz/fuzzing_common.c \
+	src/test/fuzz/fuzz_descriptor.c
+src_test_fuzz_fuzz_descriptor_CPPFLAGS = $(FUZZING_CPPFLAGS)
+src_test_fuzz_fuzz_descriptor_CFLAGS = $(FUZZING_CFLAGS)
+src_test_fuzz_fuzz_descriptor_LDFLAGS = $(FUZZING_LDFLAG)
+src_test_fuzz_fuzz_descriptor_LDADD = $(FUZZING_LIBS)
+
+src_test_fuzz_fuzz_http_SOURCES = \
+	src/test/fuzz/fuzzing_common.c \
+	src/test/fuzz/fuzz_http.c
+src_test_fuzz_fuzz_http_CPPFLAGS = $(FUZZING_CPPFLAGS)
+src_test_fuzz_fuzz_http_CFLAGS = $(FUZZING_CFLAGS)
+src_test_fuzz_fuzz_http_LDFLAGS = $(FUZZING_LDFLAG)
+src_test_fuzz_fuzz_http_LDADD = $(FUZZING_LIBS)
+
+FUZZERS = \
+	src/test/fuzz/fuzz-descriptor \
+	src/test/fuzz/fuzz-http
+
+# The fuzzers aren't built by default right now. That should change.
+EXTRA_PROGRAMS += $(FUZZERS)
+fuzzers: $(FUZZERS)
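Review bot: `noinst_HEADERS` on line 177 lists `src/test/fuzz/fuzzing_boilerplate.h`, but the header this commit adds is `src/test/fuzz/fuzzing.h` (see the diffstat), so `make dist`/`distcheck` will fail on a missing file; it should read `src/test/fuzz/fuzzing.h`. Likewise lines 187–193 define a `fuzz-http` program built from `src/test/fuzz/fuzz_http.c`, which is not part of this commit, so `make fuzzers` cannot build `$(FUZZERS)` as written — either drop that target until fuzz_http.c lands or include the file. Nothing here defines `LLVM_FUZZ` or links against libFuzzer, so only the AFL `main` variant of fuzzing_common.c is reachable from this Makefile; a comment above `FUZZERS` noting that libFuzzer builds need `-DLLVM_FUZZ` in CPPFLAGS and a libFuzzer link step would save the next person a search. `FUZZING_LDFLAG` is singular while every neighbouring variable is plural; `FUZZING_LDFLAGS` reads more consistently.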




