libfuzzer library integration tests (#681)

2025-06-16 20:08:09 +00:00 · 2021-03-17 16:18:10 -04:00
parent 4b07fdc455
commit f41f110af8
15 changed files with 401 additions and 0 deletions
--- a/src/integration-tests/libfuzzer-linked-library/Makefile
+++ b/src/integration-tests/libfuzzer-linked-library/Makefile
@ -0,0 +1,22 @@
+CC=clang
+
+.PHONY: all clean test
+
+all: fuzz.exe
+
+CFLAGS=-fsanitize=address,fuzzer -fPIC -O0 -ggdb3
+
+fuzz.exe: main.o libbad1.so libbad2.so
+	$(CC) $(CFLAGS) -o $@ $< -lbad1 -lbad2 -L.
+
+libbad1.so: bad1.o
+	$(CC) -fsanitize=address -shared -o $@ $<
+	
+libbad2.so: bad2.o
+	$(CC) -fsanitize=address -shared -o $@ $<
+
+test: all
+	LD_LIBRARY_PATH=. ./fuzz.exe
+
+clean:
+	rm -rf fuzz.exe *.o *.so *.dll crash-* *.lib *.exp *.pdb
--- a/src/integration-tests/libfuzzer-linked-library/Makefile.windows
+++ b/src/integration-tests/libfuzzer-linked-library/Makefile.windows
@ -0,0 +1,23 @@
+CC=clang
+
+.PHONY: all clean test
+
+all: fuzz.exe
+
+CFLAGS=-g3 -fsanitize=address,fuzzer
+
+fuzz.exe: main.o bad1.dll bad2.dll
+	$(CC) $(CFLAGS) main.o -o fuzz.exe -L. -lbad1 -lbad2
+
+bad1.dll: bad1.o
+	$(CC) $(CFLAGS) -shared -o bad1.dll bad1.o
+
+bad2.dll: bad2.o
+	$(CC) $(CFLAGS) -shared -o bad2.dll bad2.o
+
+
+test: all
+	LD_LIBRARY_PATH=. ./fuzz.exe
+
+clean:
+	rm -f *.dll *.exe *.exp *.pdb *.o *.lib
--- a/src/integration-tests/libfuzzer-linked-library/bad1.c
+++ b/src/integration-tests/libfuzzer-linked-library/bad1.c
@ -0,0 +1,70 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#if defined(_WIN32)
+  #define LIBRARY_API __declspec(dllexport)
+#else
+  #define LIBRARY_API
+#endif
+
+int LIBRARY_API func1(const uint8_t *data, size_t len) {
+  int cnt = 0;
+
+  if (len < 4) {
+    return 0;
+  }
+
+  if (data[0] == 'x') { cnt++; }
+  if (data[1] == 'y') { cnt++; }
+  if (data[2] == 'z') { cnt++; }
+
+  if (cnt >= 3) {
+    switch (data[3]) {
+      case '0': {
+        // segv
+        int *p = NULL; *p = 123;
+        break;
+      }
+      case '1': {
+        // stack-buffer-underflow
+        int* p = &cnt - 32; for (int i = 0; i < 32; i++) { *(p + i) = 0; }
+        break;
+      }
+      case '2': {
+        // stack-buffer-overflow 
+        int* p = &cnt + 32; for (int i = 0; i < 32; i++) { *(p - i) = 0; }
+        break;
+      }
+      case '3': {
+        // bad-free
+        int *p = &cnt; free(p);
+        break;
+      }
+      case '4': {
+        // double-free
+        int* p = malloc(sizeof(int)); free(p); free(p);
+        break;
+      }
+      case '5': {
+        // heap-use-after-free
+        int* p = malloc(sizeof(int)); free(p); *p = 123;
+        break;
+      }
+      case '6': {
+        // heap-buffer-overflow
+        int* p = malloc(8 * sizeof(int)); for (int i = 0; i < 32; i++) { *(p + i) = 0; }
+        break;
+      }
+      case '7': {
+        // fpe
+        int x = 0; int y = 123 / x;
+        break;
+      }
+    }
+  }
+
+  return 0;
+}
--- a/src/integration-tests/libfuzzer-linked-library/bad1.h
+++ b/src/integration-tests/libfuzzer-linked-library/bad1.h
@ -0,0 +1,9 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef BAD1_H
+#define BAD1_H
+
+int func1(const uint8_t *data, size_t len);
+
+#endif
--- a/src/integration-tests/libfuzzer-linked-library/bad2.c
+++ b/src/integration-tests/libfuzzer-linked-library/bad2.c
@ -0,0 +1,70 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#if defined(_WIN32)
+  #define LIBRARY_API __declspec(dllexport)
+#else
+  #define LIBRARY_API
+#endif
+
+int LIBRARY_API func2(const uint8_t *data, size_t len) {
+  int cnt = 0;
+
+  if (len < 4) {
+    return 0;
+  }
+
+  if (data[0] == 'a') { cnt++; }
+  if (data[1] == 'b') { cnt++; }
+  if (data[2] == 'c') { cnt++; }
+
+  if (cnt >= 3) {
+    switch (data[3]) {
+      case '0': {
+        // segv
+        int *p = NULL; *p = 123;
+        break;
+      }
+      case '1': {
+        // stack-buffer-underflow
+        int* p = &cnt - 32; for (int i = 0; i < 32; i++) { *(p + i) = 0; }
+        break;
+      }
+      case '2': {
+        // stack-buffer-overflow 
+        int* p = &cnt + 32; for (int i = 0; i < 32; i++) { *(p - i) = 0; }
+        break;
+      }
+      case '3': {
+        // bad-free
+        int *p = &cnt; free(p);
+        break;
+      }
+      case '4': {
+        // double-free
+        int* p = malloc(sizeof(int)); free(p); free(p);
+        break;
+      }
+      case '5': {
+        // heap-use-after-free
+        int* p = malloc(sizeof(int)); free(p); *p = 123;
+        break;
+      }
+      case '6': {
+        // heap-buffer-overflow
+        int* p = malloc(8 * sizeof(int)); for (int i = 0; i < 32; i++) { *(p + i) = 0; }
+        break;
+      }
+      case '7': {
+        // fpe
+        int x = 0; int y = 123 / x;
+        break;
+      }
+    }
+  }
+
+  return 0;
+}
--- a/src/integration-tests/libfuzzer-linked-library/bad2.h
+++ b/src/integration-tests/libfuzzer-linked-library/bad2.h
@ -0,0 +1,9 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#ifndef BAD2_H
+#define BAD2_H
+
+int func2(const uint8_t *data, size_t len);
+
+#endif
--- a/src/integration-tests/libfuzzer-linked-library/main.c
+++ b/src/integration-tests/libfuzzer-linked-library/main.c
@ -0,0 +1,14 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <stdint.h>
+#include <stdlib.h>
+
+#include "bad1.h"
+#include "bad2.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+     func1(data, size);
+     func2(data, size);
+     return 0;
+}
--- a/src/integration-tests/libfuzzer-linked-library/seeds/good.txt
+++ b/src/integration-tests/libfuzzer-linked-library/seeds/good.txt
@ -0,0 +1 @@
+good