Changeset 77564 in vbox for trunk/src/VBox/Runtime/common

Timestamp:

Mar 5, 2019 10:30:33 AM (6 years ago)

Author:

vboxsync

Message:

Runtime/fuzz: Add libFuzzer compatible wrapper to be able to evaluate our fuzzer against others

Location:

trunk/src/VBox/Runtime/common/fuzz

Files:

• fuzz.cpp (modified) (5 diffs)
• fuzzclientcmd.cpp (modified) (11 diffs)

trunk/src/VBox/Runtime/common/fuzz/fuzz.cpp

@@ -368 +368 @@
 static DECLCALLBACK(int) rtFuzzCtxMutatorByteReplacePrep(PRTFUZZCTXINT pThis, uint64_t offStart, PRTFUZZMUTATION pMutationParent,
                                                          PPRTFUZZMUTATION ppMutation);
+static DECLCALLBACK(int) rtFuzzCtxMutatorByteInsertPrep(PRTFUZZCTXINT pThis, uint64_t offStart, PRTFUZZMUTATION pMutationParent,
+                                                        PPRTFUZZMUTATION ppMutation);
 static DECLCALLBACK(int) rtFuzzCtxMutatorByteSequenceInsertAppendPrep(PRTFUZZCTXINT pThis, uint64_t offStart, PRTFUZZMUTATION pMutationParent,
                                                                       PPRTFUZZMUTATION ppMutation);
@@ -381 +383 @@
 static DECLCALLBACK(int) rtFuzzCtxMutatorByteReplaceExec(PRTFUZZCTXINT pThis, PCRTFUZZMUTATION pMutation, const void *pvMutation,
                                                          uint8_t *pbBuf, size_t cbBuf);
+static DECLCALLBACK(int) rtFuzzCtxMutatorByteInsertExec(PRTFUZZCTXINT pThis, PCRTFUZZMUTATION pMutation, const void *pvMutation,
+                                                        uint8_t *pbBuf, size_t cbBuf);
 static DECLCALLBACK(int) rtFuzzCtxMutatorByteSequenceInsertAppendExec(PRTFUZZCTXINT pThis, PCRTFUZZMUTATION pMutation, const void *pvMutation,
                                                                       uint8_t *pbBuf, size_t cbBuf);
@@ -425 +429 @@
 static RTFUZZMUTATOR const g_aMutators[] =
 {
-    /* pszId         pszDesc                                          uMutator     fFlags                      pfnPrep                                       pfnExec                                       pfnExport                                       pfnImport */
+    /* pszId         pszDesc                                          uMutator     fFlags                      pfnPrep                                       pfnExec                                       pfnExport                      pfnImport */
     { "BitFlip",     "Flips a single bit in the input",               0,           RTFUZZMUTATOR_F_DEFAULT,    rtFuzzCtxMutatorBitFlipPrep,                  rtFuzzCtxMutatorBitFlipExec,                  rtFuzzCtxMutatorExportDefault, rtFuzzCtxMutatorImportDefault },
     { "ByteReplace", "Replaces a single byte in the input",           1,           RTFUZZMUTATOR_F_DEFAULT,    rtFuzzCtxMutatorByteReplacePrep,              rtFuzzCtxMutatorByteReplaceExec,              rtFuzzCtxMutatorExportDefault, rtFuzzCtxMutatorImportDefault },
-    { "ByteSeqIns",  "Inserts a byte sequence in the input",          2,           RTFUZZMUTATOR_F_DEFAULT,    rtFuzzCtxMutatorByteSequenceInsertAppendPrep, rtFuzzCtxMutatorByteSequenceInsertAppendExec, rtFuzzCtxMutatorExportDefault, rtFuzzCtxMutatorImportDefault },
-    { "ByteSeqApp",  "Appends a byte sequence to the input",          3,           RTFUZZMUTATOR_F_END_OF_BUF, rtFuzzCtxMutatorByteSequenceInsertAppendPrep, rtFuzzCtxMutatorByteSequenceInsertAppendExec, rtFuzzCtxMutatorExportDefault, rtFuzzCtxMutatorImportDefault },
-    { "ByteDelete",  "Deletes a single byte sequence from the input", 4,           RTFUZZMUTATOR_F_DEFAULT,    rtFuzzCtxMutatorByteDeletePrep,               rtFuzzCtxMutatorByteDeleteExec,               NULL,                          NULL                          },
-    { "ByteSeqDel",  "Deletes a byte sequence from the input",        5,           RTFUZZMUTATOR_F_DEFAULT,    rtFuzzCtxMutatorByteSequenceDeletePrep,       rtFuzzCtxMutatorByteSequenceDeleteExec,       NULL,                          NULL                          }
+    { "ByteInsert",  "Inserts a single byte sequence into the input", 2,           RTFUZZMUTATOR_F_DEFAULT,    rtFuzzCtxMutatorByteInsertPrep,               rtFuzzCtxMutatorByteInsertExec,               rtFuzzCtxMutatorExportDefault, rtFuzzCtxMutatorImportDefault },
+    { "ByteSeqIns",  "Inserts a byte sequence in the input",          3,           RTFUZZMUTATOR_F_DEFAULT,    rtFuzzCtxMutatorByteSequenceInsertAppendPrep, rtFuzzCtxMutatorByteSequenceInsertAppendExec, rtFuzzCtxMutatorExportDefault, rtFuzzCtxMutatorImportDefault },
+    { "ByteSeqApp",  "Appends a byte sequence to the input",          4,           RTFUZZMUTATOR_F_END_OF_BUF, rtFuzzCtxMutatorByteSequenceInsertAppendPrep, rtFuzzCtxMutatorByteSequenceInsertAppendExec, rtFuzzCtxMutatorExportDefault, rtFuzzCtxMutatorImportDefault },
+    { "ByteDelete",  "Deletes a single byte sequence from the input", 5,           RTFUZZMUTATOR_F_DEFAULT,    rtFuzzCtxMutatorByteDeletePrep,               rtFuzzCtxMutatorByteDeleteExec,               NULL,                          NULL                          },
+    { "ByteSeqDel",  "Deletes a byte sequence from the input",        6,           RTFUZZMUTATOR_F_DEFAULT,    rtFuzzCtxMutatorByteSequenceDeletePrep,       rtFuzzCtxMutatorByteSequenceDeleteExec,       NULL,                          NULL                          }
 };
 
@@ -705 +710 @@
     uint8_t bReplace = *(uint8_t *)pvMutation;
     *pbBuf = bReplace;
+    return VINF_SUCCESS;
+}
+
+
+/**
+ * Mutator callback - inserts a single byte into the input.
+ */
+static DECLCALLBACK(int) rtFuzzCtxMutatorByteInsertPrep(PRTFUZZCTXINT pThis, uint64_t offStart, PRTFUZZMUTATION pMutationParent,
+                                                        PPRTFUZZMUTATION ppMutation)
+{
+    int rc = VINF_SUCCESS;
+    uint8_t *pbInsert = 0;
+    if (pMutationParent->cbInput < pThis->cbInputMax)
+    {
+        PRTFUZZMUTATION pMutation = rtFuzzMutationCreate(pThis, offStart, pMutationParent, 1 /*cbAdditional*/, (void **)&pbInsert);
+        if (RT_LIKELY(pMutation))
+        {
+            pMutation->cbInput = pMutationParent->cbInput + 1;
+            RTRandAdvBytes(pThis->hRand, pbInsert, 1);
+            *ppMutation = pMutation;
+        }
+        else
+            rc = VERR_NO_MEMORY;
+    }
+
+    return rc;
+}
+
+
+static DECLCALLBACK(int) rtFuzzCtxMutatorByteInsertExec(PRTFUZZCTXINT pThis, PCRTFUZZMUTATION pMutation, const void *pvMutation,
+                                                        uint8_t *pbBuf, size_t cbBuf)
+{
+    RT_NOREF(pThis, pMutation, pvMutation);
+
+    /* Just move the residual data one byte to the back. */
+    memmove(pbBuf + 1, pbBuf, cbBuf);
+    *pbBuf = *(uint8_t *)pvMutation;
     return VINF_SUCCESS;
 }
@@ -794 +836 @@
 {
     int rc = VINF_SUCCESS;
-    if (pMutationParent->cbInput > 1)
+    if (pMutationParent->cbInput > offStart)
     {
         size_t cbInputMutated = (size_t)RTRandAdvU64Ex(pThis->hRand, offStart, pMutationParent->cbInput - 1);

trunk/src/VBox/Runtime/common/fuzz/fuzzclientcmd.cpp

@@ -35 +35 @@
 #include <iprt/buildconfig.h>
 #include <iprt/errcore.h>
+#include <iprt/file.h>
 #include <iprt/getopt.h>
+#include <iprt/ldr.h>
 #include <iprt/mem.h>
 #include <iprt/message.h>
@@ -44 +46 @@
 
 
+
+typedef DECLCALLBACK(int) FNLLVMFUZZERTESTONEINPUT(const uint8_t *pbData, size_t cbData);
+typedef FNLLVMFUZZERTESTONEINPUT *PFNLLVMFUZZERTESTONEINPUT;
+
+
 /**
  * Fuzzing client command state.
@@ -50 +57 @@
 {
     /** Our own fuzzing context containing all the data. */
-    RTFUZZCTX               hFuzzCtx;
+    RTFUZZCTX                 hFuzzCtx;
     /** Consumption callback. */
-    PFNFUZZCLIENTCONSUME    pfnConsume;
+    PFNFUZZCLIENTCONSUME      pfnConsume;
     /** Opaque user data to pass to the consumption callback. */
-    void                    *pvUser;
+    void                      *pvUser;
+    /** The LLVM libFuzzer compatible entry point if configured */
+    PFNLLVMFUZZERTESTONEINPUT pfnLlvmFuzzerTestOneInput;
+    /** The selected input channel. */
+    RTFUZZOBSINPUTCHAN        enmInputChan;
     /** Standard input VFS handle. */
-    RTVFSIOSTREAM           hVfsStdIn;
+    RTVFSIOSTREAM             hVfsStdIn;
     /** Standard output VFS handle. */
-    RTVFSIOSTREAM           hVfsStdOut;
+    RTVFSIOSTREAM             hVfsStdOut;
 } RTFUZZCMDCLIENT;
 /** Pointer to a fuzzing client command state. */
 typedef RTFUZZCMDCLIENT *PRTFUZZCMDCLIENT;
+
+
+
+/**
+ * Runs the appropriate consumption callback with the provided data.
+ *
+ * @returns Status code, 0 for success.
+ * @param   pThis               The fuzzing client command state.
+ * @param   pvData              The data to consume.
+ * @param   cbData              Size of the data in bytes.
+ */
+static int rtFuzzCmdClientConsume(PRTFUZZCMDCLIENT pThis, const void *pvData, size_t cbData)
+{
+    if (pThis->pfnLlvmFuzzerTestOneInput)
+        return pThis->pfnLlvmFuzzerTestOneInput((const uint8_t *)pvData, cbData);
+    else
+        return pThis->pfnConsume(pvData, cbData, pThis->pvUser);
+}
 
 
@@ -89 +118 @@
             {
                 char bResp = '.';
-                int rc2 = pThis->pfnConsume(pv, cb, pThis->pvUser);
+                int rc2 = rtFuzzCmdClientConsume(pThis, pv, cb);
                 if (RT_SUCCESS(rc2))
                 {
@@ -153 +182 @@
 
 
+/**
+ * Run a single iteration of the fuzzing client and return.
+ *
+ * @returns Process exit status.
+ * @param   pThis               The fuzzing client command state.
+ */
+static RTEXITCODE rtFuzzCmdClientRunFile(PRTFUZZCMDCLIENT pThis, const char *pszFilename)
+{
+    void *pv = NULL;
+    size_t cbFile = 0;
+    int rc = RTFileReadAll(pszFilename, &pv, &cbFile);
+    if (RT_SUCCESS(rc))
+    {
+        rtFuzzCmdClientConsume(pThis, pv, cbFile);
+        RTFileReadAllFree(pv, cbFile);
+        return RTEXITCODE_SUCCESS;
+    }
+
+    return RTEXITCODE_FAILURE;
+}
+
+
 RTR3DECL(RTEXITCODE) RTFuzzCmdFuzzingClient(unsigned cArgs, char **papszArgs, PFNFUZZCLIENTCONSUME pfnConsume, void *pvUser)
 {
@@ -162 +213 @@
         { "--help",                            'h', RTGETOPT_REQ_NOTHING },
         { "--version",                         'V', RTGETOPT_REQ_NOTHING },
+        { "--llvm-input",                      'l', RTGETOPT_REQ_STRING  },
+        { "--file",                            'f', RTGETOPT_REQ_STRING  },
     };
 
@@ -172 +225 @@
         /* Option variables:  */
         RTFUZZCMDCLIENT This;
-
-        This.pfnConsume = pfnConsume;
-        This.pvUser     = pvUser;
+        RTLDRMOD hLlvmMod = NIL_RTLDRMOD;
+        const char *pszFilename = NULL;
+
+        This.pfnConsume   = pfnConsume;
+        This.pvUser       = pvUser;
+        This.enmInputChan = RTFUZZOBSINPUTCHAN_FUZZING_AWARE_CLIENT;
 
         /* Argument parsing loop. */
         bool fContinue = true;
+        bool fExit = false;
         do
         {
@@ -188 +245 @@
                     break;
 
+                case 'f':
+                {
+                    pszFilename = ValueUnion.psz;
+                    This.enmInputChan = RTFUZZOBSINPUTCHAN_FILE;
+                    break;
+                }
+
+                case 'l':
+                {
+                    /*
+                     * Load the indicated library and try to resolve LLVMFuzzerTestOneInput,
+                     * which will act as the input callback.
+                     */
+                    rc = RTLdrLoad(ValueUnion.psz, &hLlvmMod);
+                    if (RT_SUCCESS(rc))
+                    {
+                        rc = RTLdrGetSymbol(hLlvmMod, "LLVMFuzzerTestOneInput", (void **)&This.pfnLlvmFuzzerTestOneInput);
+                        if (RT_FAILURE(rc))
+                            rcExit = RTMsgErrorExit(RTEXITCODE_FAILURE, "Failed to query '%s' from '%s': %Rrc",
+                                                    "LLVMFuzzerTestOneInput",
+                                                    ValueUnion.psz,
+                                                    rc);
+                    }
+                    break;
+                }
+
                 case 'h':
                     RTPrintf("Usage: to be written\nOption dump:\n");
@@ -193 +276 @@
                         RTPrintf(" -%c,%s\n", s_aOptions[i].iShort, s_aOptions[i].pszLong);
                     fContinue = false;
+                    fExit = true;
                     break;
 
@@ -198 +282 @@
                     RTPrintf("%sr%d\n", RTBldCfgVersion(), RTBldCfgRevision());
                     fContinue = false;
+                    fExit = true;
                     break;
 
@@ -207 +292 @@
         } while (fContinue);
 
-        if (rcExit == RTEXITCODE_SUCCESS)
-            rcExit = rtFuzzCmdClientRun(&This);
+        if (   rcExit == RTEXITCODE_SUCCESS
+            && !fExit)
+        {
+            switch (This.enmInputChan)
+            {
+                case RTFUZZOBSINPUTCHAN_FUZZING_AWARE_CLIENT:
+                    rcExit = rtFuzzCmdClientRun(&This);
+                    break;
+                case RTFUZZOBSINPUTCHAN_FILE:
+                    rcExit = rtFuzzCmdClientRunFile(&This, pszFilename);
+                    break;
+                default:
+                    rcExit = RTMsgErrorExit(RTEXITCODE_SYNTAX, "Input channel unknown/not implemented yet");
+            }
+        }
+
+        if (hLlvmMod != NIL_RTLDRMOD)
+            RTLdrClose(hLlvmMod);
     }
     else