Add my fuzzing work to what was started by catenacyber

Author: fenner

.gitignore

@@ -38,3 +38,9 @@ netdissect.dir/
 tcpdump.dir/
 tcpdump.sln
 .vs/
+fuzz/corpus/
+fuzz/bgp_print_fuzzer
+fuzz/ether_print_fuzzer
+fuzz/ip6_print_fuzzer
+fuzz/ip_print_fuzzer
+fuzz/fuzz_pcap

fuzz/CMakeLists.txt

@@ -1,2 +1,10 @@
 add_executable(fuzz_pcap onefile.c fuzz_pcap.c)
 target_link_libraries(fuzz_pcap netdissect ${TCPDUMP_LINK_LIBRARIES})
+add_executable(bgp_print_fuzzer fuzzmain.c common.c bgp_print_fuzzer.c)
+add_executable(ip_print_fuzzer fuzzmain.c common.c ip_print_fuzzer.c)
+add_executable(ip6_print_fuzzer fuzzmain.c common.c ip6_print_fuzzer.c)
+add_executable(ether_print_fuzzer fuzzmain.c common.c ether_print_fuzzer.c)
+target_link_libraries(bgp_print_fuzzer netdissect ${TCPDUMP_LINK_LIBRARIES})
+target_link_libraries(ip_print_fuzzer netdissect ${TCPDUMP_LINK_LIBRARIES})
+target_link_libraries(ip6_print_fuzzer netdissect ${TCPDUMP_LINK_LIBRARIES})
+target_link_libraries(ether_print_fuzzer netdissect ${TCPDUMP_LINK_LIBRARIES})

fuzz/README.md

@@ -0,0 +1,122 @@
+# The oss-fuzz infrastructure #
+
+# How we use it #
+
+For fuzzing purposes, we use _vsprintf_ to format the output to a
+static buffer.  This is because during the
+fuzzing process, we sometimes get *EINTR* if writing to stdout.
+However, in order to replicate a crash, it can help to see what the
+printer was doing before it crashed, so if you set the environment
+variable *TCPDUMP_PRINT* to any value before running the replicator,
+the printer will print to stdout.  If you set the environment
+variable *REPLICATE_TRUNCATE* to any value before running the
+replicator, the code will try the given packet and all prefixes
+(to try to find additional related truncated-packet problems).
+
+# Reproducing a crash using an example #
+
+The binaries that we build in this directory can take a data file
+as generated by the fuzzing infrastructure and run it through the
+same function.  If you don't understand the output from the
+sanitizer that oss-fuzz provides, you can run again using valgrind:
+
+    ~/src/tcpdump/fuzzing @us157.sjc> TCPDUMP_PRINT=1 valgrind ./ether_print_fuzzer ../../oss-fuzz/build/out/tcpdump/crash-20aa211fc54fda2cca155539d1d5189990e6bd4e
+    ==2963== Memcheck, a memory error detector
+    ==2963== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
+    ==2963== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
+    ==2963== Command: ./ether_print_fuzzer ../../oss-fuzz/build/out/tcpdump/crash-20aa211fc54fda2cca155539d1d5189990e6bd4e
+    ==2963== 
+    StandaloneFuzzTargetMain: running 1 inputs
+    Running: ../../oss-fuzz/build/out/tcpdump/crash-20aa211fc54fda2cca155539d1d5189990e6bd4e
+    ==2963== Invalid read of size 1
+    ==2963==    at 0x454E26: rpl_dio_printopt (print-icmp6.c:665)
+    ==2963==    by 0x456C7F: rpl_dio_print (print-icmp6.c:714)
+    ==2963==    by 0x456C7F: rpl_print (print-icmp6.c:839)
+    ==2963==    by 0x456C7F: icmp6_print (print-icmp6.c:1148)
+    ==2963==    by 0x4103EB: ip6_print (print-ip6.c:351)
+    ==2963==    by 0x40C599: ethertype_print (print-ether.c:370)
+    ==2963==    by 0x40CCCD: ether_print (print-ether.c:237)
+    ==2963==    by 0x403AAF: LLVMFuzzerTestOneInput (in /home/fenner/src/tcpdump/fuzzing/ether_print_fuzzer)
+    ==2963==    by 0x403D75: main (in /home/fenner/src/tcpdump/fuzzing/ether_print_fuzzer)
+    ==2963==  Address 0x5d24b1c is 0 bytes after a block of size 156 alloc'd
+    ==2963==    at 0x4C2AC36: malloc (vg_replace_malloc.c:299)
+    ==2963==    by 0x403D12: main (in /home/fenner/src/tcpdump/fuzzing/ether_print_fuzzer)
+    ==2963== 
+    Done:    ../../oss-fuzz/build/out/tcpdump/crash-20aa211fc54fda2cca155539d1d5189990e6bd4e: (156 bytes)
+    IP6 truncated-ip6 - 4962 bytes missing!(class 0x10, hlim 58, next-header ICMPv6 (58) payload length: 14906) 793a:3a3a:3a3a:28ab:ab00:: > ce:dada:dada:dada:dada:dada:dada:9b9b: ICMP6, RPL, (CLR)DODAG Information Object [dagid:4ff:ffff:ffff:fffe:a08:d5:dada:8e61,seq:5,instance:255,rank:65344,mop:mop4,prf:4] opt:subopt:113 len:2  opt:destprefix len:7  opt:subopt:52 len:54  opt:subopt:255 len:4  opt:subopt:7 len:2  opt:pad0 opt:pad0==2963== 
+
+and, of course, when the bug is fixed you can validate it using the
+same sequence.
+
+# Reproducing a crash inside the oss-fuzz infrastructure #
+
+    ~/src/oss-fuzz @us157.sjc> python infra/helper.py reproduce -e TCPDUMP_PRINT=1 tcpdump ether_print_fuzzer build/out/tcpdump/crash-20aa211fc54fda2cca155539d1d5189990e6bd4e
+
+# Turning the example into a pcap #
+
+Of course, the tcpdump regression tests use pcap files as input.
+When the oss-fuzz framework creates a replication example, it is
+the raw data that the specific fuzzer accepts (see below).  The
+script `corpus/corpus2pcap` converts an example into a pcap, using
+a heuristic as to what type of packet it is.  (E.g., if it starts
+with 16 0xff's, then it's a BGP packet; if it starts with 0x45 then
+it is an IPv4 packet).  If it guesses wrong, there is a `--type`
+argument to tell it what the type of the input is.
+
+# When fixing a bug found by this infrastructure #
+
+Remember to assign credit to "OSS-Fuzz"
+
+# ip\_print\_fuzzer #
+
+## Input ##
+
+The ip\_print\_fuzzer takes an IPv4 packet as input.
+
+## Corpus ##
+
+The `pcap2corpus` run extracts all IPv4 packets from tests/\*.pcap
+into the ip\_print\_fuzzer\_seed\_corpus.zip
+
+# ip6\_print\_fuzzer #
+
+## Input ##
+
+The ip6\_print\_fuzzer takes an IPv6 packet as input.
+
+## Corpus ##
+
+The `pcap2corpus` run extracts all IPv6 packets from tests/\*.pcap
+into the ip6\_print\_fuzzer\_seed\_corpus.zip
+
+# bgp\_print\_fuzzer #
+
+## Input ##
+
+The bgp\_print\_fuzzer takes a BGP message, starting with marker,
+as input.
+
+## Corpus ##
+
+The `pcap2corpus` run extracts all BGP TCP payloads from tests/\*.pcap
+into the bgp\_print\_fuzzer\_seed\_corpus.zip
+
+TODO: It would be nice to also extract individual messages split at the
+marker, to allow TCP payloads with multiple BGP messages to be parsed
+as individual BGP messages.
+
+TODO: write a tool that takes MRT dump in and outputs every BGP message
+to an individual file
+
+# ether\_print\_fuzzer #
+
+## Input ##
+
+The ether\_print\_fuzzer takes an Ethernet packet, starting with
+14-byte header, as input.
+
+## Corpus ##
+
+The `pcap2corpus` run extracts all Ethernet packets that do not match
+a more-specific type above into the ether\_print\_fuzzer\_seed\_corpus.zip
+

fuzz/bgp_print_fuzzer.c

@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2019
+ *      Arista Networks, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   1. Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *   2. Redistributions in binary form must reproduce the above copyright
+ *      notice, this list of conditions and the following disclaimer in
+ *      the documentation and/or other materials provided with the
+ *      distribution.
+ *   3. The names of the authors may not be used to endorse or promote
+ *      products derived from this software without specific prior
+ *      written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include "common.h"
+
+extern netdissect_options *ndo;
+
+int bgp_print_fuzz(const uint8_t *data, size_t size) {
+    int fakelen = 10000;
+
+    ndo->ndo_snapend = data + size;
+    if (fakelen < size) {
+        fakelen = size;
+    }
+    bgp_print(ndo, data, fakelen);
+    return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+    fuzz_common(bgp_print_fuzz, data, size);
+    return 0;
+}

fuzz/build.sh

@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# Use $OUT as a signal that we're being run inside the oss-fuzz
+# build_fuzzers target.  See
+# https://github.com/google/oss-fuzz/blob/master/docs/new_project_guide.md
+# for the assumptions about the enviroment.
+if [ -z "$OUT" ]
+then
+    echo "This script is only used when building the fuzz targets"
+    echo "inside the oss-fuzz image."
+    exit 1
+fi
+
+# First, the pcap fuzzer.
+$CC $CFLAGS -I.. -I. -c ../fuzz/fuzz_pcap.c -o fuzz_pcap.o
+$CXX $CXXFLAGS fuzz_pcap.o -o $OUT/fuzz_pcap libnetdissect.a \
+    $SRC/libpcap/build/libpcap.a $LIB_FUZZING_ENGINE
+
+zip -r fuzz_pcap_seed_corpus.zip ../tests/*.pcap
+cp fuzz_pcap_seed_corpus.zip $OUT/
+
+# Then, the individual per-printer fuzzers
+$CC $CFLAGS -I.. -I. -c ../fuzz/common.c -o common.o
+
+for p in ip ip6 ether bgp
+do
+    $CC $CFLAGS -I.. -I. -c ../fuzz/${p}_print_fuzzer.c -o ${p}_print_fuzzer.o
+    $CXX $CXXFLAGS ${p}_print_fuzzer.o common.o -o $OUT/${p}_print_fuzzer \
+        libnetdissect.a $SRC/libpcap/build/libpcap.a $LIB_FUZZING_ENGINE
+done
+
+# Build the per-printer corpus from the tests
+cd $WORK
+mkdir corpus
+cd corpus
+$SRC/tcpdump/fuzz/corpus/pcap2corpus $SRC/tcpdump/tests/*.pcap
+for d in *
+do
+    zip -r $OUT/${d}_print_fuzzer_seed_corpus.zip $d/*
+done
+
+# Copy options
+cp $SRC/tcpdump/fuzz/*.options $OUT/

fuzz/common.c

@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2019
+ *      Arista Networks, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   1. Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *   2. Redistributions in binary form must reproduce the above copyright
+ *      notice, this list of conditions and the following disclaimer in
+ *      the documentation and/or other materials provided with the
+ *      distribution.
+ *   3. The names of the authors may not be used to endorse or promote
+ *      products derived from this software without specific prior
+ *      written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "common.h"
+#include "netdissect-alloc.h"
+
+netdissect_options *ndo;
+
+/*
+ * When fuzzing, we end up sometimes getting EINTR from printf,
+ * so instead, we sprintf (to make sure that we format the args)
+ * and then discard that string.
+ */
+static int
+ndo_mysprintf(netdissect_options *ndo, const char *fmt, ...)
+{
+    va_list args;
+    int ret;
+    char buf[1000];
+
+    va_start(args, fmt);
+    ret = vsnprintf(buf, sizeof(buf), fmt, args);
+    va_end(args);
+
+    return (ret);
+}
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+    ndo = calloc(1, sizeof(netdissect_options));
+    ndo_set_function_pointers(ndo);
+    if (!getenv("TCPDUMP_PRINT")) {
+        /* If we're replicating, we do want to print so it's easier to
+         * see where the failure is, but if we're fuzzing, we want to
+         * just use sprintf to avoid the EINTR */
+        ndo->ndo_printf = ndo_mysprintf;
+    }
+    ndo->program_name = "fuzztcpdump";
+    ndo->ndo_nflag = 1;      // don't try to look up addresses
+    ndo->ndo_vflag = 2;      // decode as much as we can
+    return 0;
+}
+
+void
+fuzz_common(int (*fuzzfunc)(const uint8_t *, size_t), const uint8_t *data, size_t size) {
+    /*
+     * longjmp-based truncation: if the infrastructure detects
+     * truncation, it longjmps to here.
+     */
+    if (setjmp(ndo->ndo_truncated) == 0) {
+	fuzzfunc(data, size);
+    } else {
+	ND_PRINT(" [|%s]", ndo->ndo_protocol);
+	return;
+    }
+    if (getenv("REPLICATE_TRUNCATE")) {
+	size_t i;
+	uint8_t *data2;
+	printf("original size %u\n", (unsigned)size);
+	for (i = size - 1; i > 1; i--) {
+	    printf("trying again with size %u\n", (unsigned)i);
+	    data2 = malloc(i);
+	    memcpy(data2, data, i);
+	    fuzzfunc(data2, i);
+	    free(data2);
+	}
+    }
+    /*
+     * If the printer allocated any memory, free it.
+     */
+    nd_free_all(ndo);
+}

fuzz/common.h

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2019
+ *      Arista Networks, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   1. Redistributions of source code must retain the above copyright
+ *      notice, this list of conditions and the following disclaimer.
+ *   2. Redistributions in binary form must reproduce the above copyright
+ *      notice, this list of conditions and the following disclaimer in
+ *      the documentation and/or other materials provided with the
+ *      distribution.
+ *   3. The names of the authors may not be used to endorse or promote
+ *      products derived from this software without specific prior
+ *      written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#ifndef FUZZ_COMMON_H
+#define FUZZ_COMMON_H
+
+#include "config.h"
+#include "netdissect-stdinc.h"
+#include "netdissect.h"
+#include "print.h"
+
+void
+fuzz_common(int (*fuzzfunc)(const uint8_t *, size_t), const uint8_t *, size_t);
+
+
+#endif