fuzz: find bugs when parsing uapi input

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
This commit is contained in:
Jason A. Donenfeld 2019-12-27 14:57:09 +01:00
parent cde6f312e4
commit 2d000809dd
3 changed files with 64 additions and 3 deletions

1
src/fuzz/.gitignore vendored
View file

@ -1 +1,2 @@
config
uapi

View file

@ -2,15 +2,19 @@
#
# Copyright (C) 2018-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
all: config
all: config uapi
CFLAGS ?= -O3 -march=native -g
CFLAGS += -fsanitize=fuzzer -std=gnu11 -idirafter ../uapi
CC := clang
config: config.c ../config.c ../encoding.c
clang $(CFLAGS) -o $@ $<
$(CC) $(CFLAGS) -o $@ $<
uapi: uapi.c ../ipc.c ../curve25519.c ../encoding.c
$(CC) $(CFLAGS) -o $@ $<
clean:
rm -f config
rm -f config uapi
.PHONY: all clean

56
src/fuzz/uapi.c Normal file
View file

@ -0,0 +1,56 @@
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2018-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
*/
#include <stdio.h>
#include <sys/stat.h>
static FILE *hacked_userspace_interface_file(const char *iface);
#define stat(a, b) ({ return hacked_userspace_interface_file(iface); 0; })
#define RUNSTATEDIR "/var/empty"
#undef __linux__
#include "../ipc.c"
#include "../curve25519.c"
#include "../encoding.c"
#include <stdint.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
const char *__asan_default_options()
{
return "verbosity=1";
}
union hackiface {
char ifname[IFNAMSIZ];
struct {
const uint8_t *data;
size_t len;
};
};
static FILE *hacked_userspace_interface_file(const char *iface)
{
union hackiface *hack = (union hackiface *)iface;
FILE *f = fmemopen(NULL, hack->len + 7, "r+");
fseek(f, 7, SEEK_SET);
fwrite(hack->data, hack->len, 1, f);
fseek(f, 0, SEEK_SET);
memcpy(hack->ifname, "hack", 5);
return f;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t len)
{
union hackiface hack = {
.data = data,
.len = len
};
struct wgdevice *dev = NULL;
userspace_get_device(&dev, (const char *)&hack);
free_wgdevice(dev);
return 0;
}