add LoadLibrary integration test (#689)

This commit is contained in:
bmc-msft
2021-03-19 09:46:26 -04:00
committed by GitHub
parent 3d226391fd
commit 2417c37a60
7 changed files with 145 additions and 0 deletions


@ -435,6 +435,12 @@ jobs:
cp fuzz.exe,fuzz.pdb,bad1.dll,bad1.pdb,bad2.dll,bad2.pdb,seeds ../artifacts/windows-libfuzzer-linked-library -Recurse cp fuzz.exe,fuzz.pdb,bad1.dll,bad1.pdb,bad2.dll,bad2.pdb,seeds ../artifacts/windows-libfuzzer-linked-library -Recurse
cd ../ cd ../
mkdir artifacts/windows-libfuzzer-load-library
cd libfuzzer-load-library
make
cp fuzz.exe,fuzz.pdb,bad.dll,bad.pdb,seeds ../artifacts/windows-libfuzzer-load-library -Recurse
cd ../
mkdir artifacts/windows-trivial-crash-asan mkdir artifacts/windows-trivial-crash-asan
cd trivial-crash cd trivial-crash
make clean make clean
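Review bot: The new `cp` line copies `fuzz.pdb` and `bad.pdb`, but the Makefile added in this commit builds with `-fsanitize=address,fuzzer -O0` and no `-g`, so whether those .pdb files exist depends on the toolchain defaults on this runner; if they are absent PowerShell's `cp` errors and the job stops at this line. If the `libfuzzer-linked-library` build just above uses the same flags this is presumably already known to work; otherwise add `-g` to CFLAGS or drop the two .pdb entries. A `# bad.dll must stay next to fuzz.exe: main.c loads it by bare name at run time` comment above the `cp` would also record why the DLL travels with the executable, since nothing else in the commit states it. The step's `run:` block starts above the hunk.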


@ -178,6 +178,18 @@ TARGETS: Dict[str, Integration] = {
}, },
use_setup=True, use_setup=True,
), ),
"windows-libfuzzer-load-library": Integration(
template=TemplateType.libfuzzer,
os=OS.windows,
target_exe="fuzz.exe",
inputs="seeds",
wait_for_files={
ContainerType.inputs: 2,
ContainerType.unique_reports: 1,
ContainerType.coverage: 1,
},
use_setup=True,
),
"windows-trivial-crash": Integration( "windows-trivial-crash": Integration(
template=TemplateType.radamsa, template=TemplateType.radamsa,
os=OS.windows, os=OS.windows,
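Review bot: The new entry depends on `bad.dll` being shipped in the setup container beside `fuzz.exe` — main.c resolves it at run time with LoadLibrary by bare name — but nothing in the dictionary records that, so a later edit to `use_setup` or to the setup directory contents would only fail once the fuzzer starts. A one-line comment above `use_setup=True`, e.g. `# bad.dll is loaded by name at run time; it must ship in setup alongside fuzz.exe`, captures the requirement where it is consumed. The `wait_for_files` counts match the neighbouring libfuzzer entries as far as the hunk shows; the enclosing `TARGETS` dict starts before the hunk.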


@ -0,0 +1,15 @@
CC=clang
CFLAGS=-fsanitize=address,fuzzer -O0
.PHONY: all clean
all: fuzz.exe
fuzz.exe: main.o bad.dll
$(CC) $(CFLAGS) -o $@ $<
bad.dll: bad.o
$(CC) $(CFLAGS) -shared -o $@ $<
clean:
rm -rf fuzz.exe *.o *.dll crash-* *.pdb *.exp *.lib
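Review bot: `bad.dll` is linked with the same `$(CFLAGS)` as the executable, so `-fsanitize=fuzzer` presumably pulls the libFuzzer runtime (including its `main`) into the shared library as well; clang's flag for code that should be coverage-instrumented but not linked against libFuzzer is `-fsanitize=fuzzer-no-link`, e.g. `$(CC) -fsanitize=address,fuzzer-no-link -O0 -shared -o $@ $<` on the `bad.dll` rule. The `main.o bad.dll` prerequisite list on `fuzz.exe` is also easy to misread: only `$<` (main.o) is passed to the linker, and the DLL is listed purely so `make all` builds it, because main.c opens it with LoadLibrary at run time — a `# bad.dll is not linked in; listed only so it gets built` comment would save the next reader a trip. Both object files come from the built-in `%.o: %.c` rule, so `bad.h` is not a dependency of anything here.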


@ -0,0 +1,64 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
#include <stdint.h>
#include <stdlib.h>
__declspec(dllexport) int func(const uint8_t *data, size_t len) {
int cnt = 0;
if (len < 4) {
return 0;
}
if (data[0] == 'x') { cnt++; }
if (data[1] == 'y') { cnt++; }
if (data[2] == 'z') { cnt++; }
if (cnt >= 3) {
switch (data[3]) {
case '0': {
// segv
int *p = NULL; *p = 123;
break;
}
case '1': {
// stack-buffer-underflow
int* p = &cnt - 32; for (int i = 0; i < 32; i++) { *(p + i) = 0; }
break;
}
case '2': {
// stack-buffer-overflow
int* p = &cnt + 32; for (int i = 0; i < 32; i++) { *(p - i) = 0; }
break;
}
case '3': {
// bad-free
int *p = &cnt; free(p);
break;
}
case '4': {
// double-free
int* p = malloc(sizeof(int)); free(p); free(p);
break;
}
case '5': {
// heap-use-after-free
int* p = malloc(sizeof(int)); free(p); *p = 123;
break;
}
case '6': {
// heap-buffer-overflow
int* p = malloc(8 * sizeof(int)); for (int i = 0; i < 32; i++) { *(p + i) = 0; }
break;
}
case '7': {
// fpe
int x = 0; int y = 123 / x;
break;
}
}
}
return 0;
}
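Review bot: Nothing documents the input grammar that drives this DLL, and that grammar is the whole point of the test target: a header comment such as `// Input grammar: bytes 0-2 must be "xyz"; byte 3 ('0'..'7') selects which memory fault to raise. Anything else returns 0 with no side effects.` above `func` makes the eight cases readable at a glance. The file does not include `bad.h`, so the prototype there is never checked against this definition (see the note on that header). In case '7', `y` is assigned and never read, so at anything above the Makefile's -O0 the division could be folded away; `volatile int x = 0;` keeps the trap regardless of flags.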


@ -0,0 +1,9 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
#ifndef BAD_H
#define BAD_H
int func(const uint8_t *data, size_t len);
#endif
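Review bot: The prototype uses `uint8_t` and `size_t` but the header includes neither `<stdint.h>` nor `<stddef.h>`, so any translation unit that includes `bad.h` before those headers fails to compile; add `#include <stddef.h>` and `#include <stdint.h>` before the declaration. The declaration also lacks the `__declspec(dllexport)` that the definition in bad.c carries, so including this header from bad.c would presumably draw clang's dll-attribute-on-redeclaration warning; the usual shape is a `BAD_API` macro that expands to `dllexport` when building the DLL and `dllimport` otherwise. As committed, no file includes the header, so none of this is exercised yet.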


@ -0,0 +1,38 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License.
#include <windows.h>
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
int (*fuzz_func)(const uint8_t *data, size_t size);
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
HINSTANCE handle;
printf("initialize\n");
handle = LoadLibrary(TEXT("bad.dll"));
if (!handle)
{
printf("can't open dll\n");
exit(EXIT_FAILURE);
}
fuzz_func = (int (*)(const uint8_t *data, size_t size))GetProcAddress(handle, "func");
if (fuzz_func == NULL) {
printf("unable to load fuzz func\n");
exit(EXIT_FAILURE);
}
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
assert(fuzz_func != NULL);
return fuzz_func(data, size);
}
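Review bot: `LoadLibrary(TEXT("bad.dll"))` resolves the DLL through the default search order rather than from a known location, so the test works only because the workflow copies `bad.dll` beside `fuzz.exe`, and a same-named DLL found earlier in the search path would be loaded silently; `LoadLibraryEx(TEXT("bad.dll"), NULL, LOAD_LIBRARY_SEARCH_APPLICATION_DIR)` pins the lookup to the executable's directory. The two failure messages go to stdout with no error code, while libFuzzer's own output is on stderr; `fprintf(stderr, "can't open dll: %lu\n", GetLastError());` (and likewise after `GetProcAddress`) tells a missing `bad.dll` apart from a DLL whose own imports, such as the sanitizer runtime, failed to resolve. A short comment on `fuzz_func` saying it is populated by `LLVMFuzzerInitialize` and only read afterwards would explain the `assert` in `LLVMFuzzerTestOneInput`.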


@ -0,0 +1 @@
good