Add fuzz targets
Fuzzing is something that's good to do for a general purpose library and
can find bugs relatively quickly.
Enable fuzzing with libfuzzer (selected only because it was the easiest
to set up) and enable fuzz targets for 3 of our buffer-based interfaces.
Change-Id: I695a3a60ba09bea92cd462566bf2c46337eabd4b
Signed-off-by: Ed Tanous <etanous@nvidia.com>
diff --git a/base64.c b/base64.c
index 38ea0ab..5ed39c6 100644
--- a/base64.c
+++ b/base64.c
@@ -20,6 +20,10 @@
const UINT8 *src_end;
const UINT8 *in_pos;
+ if (len <= 0) {
+ return NULL;
+ }
+
if (!out_len) {
return NULL;
}
diff --git a/cper-parse.c b/cper-parse.c
index 8898089..f293fd1 100644
--- a/cper-parse.c
+++ b/cper-parse.c
@@ -374,9 +374,27 @@
//If validation bits indicate it exists, add FRU text.
if ((section_descriptor->SecValidMask & 0x2) >> 1) {
- json_object_object_add(
- section_descriptor_ir, "fruText",
- json_object_new_string(section_descriptor->FruString));
+ int fru_text_len = 0;
+ for (;
+ fru_text_len < (int)sizeof(section_descriptor->FruString);
+ fru_text_len++) {
+ char c = section_descriptor->FruString[fru_text_len];
+ if (c < 0) {
+ //printf("Fru text contains non-ASCII character\n");
+ fru_text_len = -1;
+ break;
+ }
+ if (c == '\0') {
+ break;
+ }
+ }
+ if (fru_text_len >= 0) {
+ json_object_object_add(
+ section_descriptor_ir, "fruText",
+ json_object_new_string_len(
+ section_descriptor->FruString,
+ fru_text_len));
+ }
}
//Section severity.
@@ -432,7 +450,7 @@
descriptor->SectionLength,
&encoded_len);
if (encoded == NULL) {
- printf("Failed to allocate encode output buffer. \n");
+ //printf("Failed to allocate encode output buffer. \n");
} else {
section_ir = json_object_new_object();
json_object_object_add(section_ir, "data",
@@ -451,7 +469,11 @@
json_object *cper_buf_single_section_to_ir(const unsigned char *cper_buf,
size_t size)
{
- json_object *ir = json_object_new_object();
+ const unsigned char *cper_end;
+ const unsigned char *section_begin;
+ json_object *ir;
+
+ cper_end = cper_buf + size;
//Read the section descriptor out.
EFI_ERROR_SECTION_DESCRIPTOR *section_descriptor;
@@ -459,16 +481,18 @@
printf("Failed to read section descriptor for CPER single section\n");
return NULL;
}
+
+ ir = json_object_new_object();
section_descriptor = (EFI_ERROR_SECTION_DESCRIPTOR *)cper_buf;
//Convert the section descriptor to IR.
json_object *section_descriptor_ir =
cper_section_descriptor_to_ir(section_descriptor);
json_object_object_add(ir, "sectionDescriptor", section_descriptor_ir);
+ section_begin = cper_buf + section_descriptor->SectionOffset;
- if (section_descriptor->SectionOffset +
- section_descriptor->SectionLength >
- size) {
- printf("Invalid CPER file: Invalid section descriptor (section offset + length > size).\n");
+ if (section_begin + section_descriptor->SectionLength >= cper_end) {
+ json_object_put(ir);
+ //printf("Invalid CPER file: Invalid section descriptor (section offset + length > size).\n");
return NULL;
}
@@ -495,6 +519,7 @@
if (fread(§ion_descriptor, sizeof(EFI_ERROR_SECTION_DESCRIPTOR), 1,
cper_section_file) != 1) {
printf("Failed to read section descriptor for CPER single section (fread() returned an unexpected value).\n");
+ json_object_put(ir);
return NULL;
}
@@ -515,6 +540,7 @@
printf("Section read failed: Could not read %u bytes from global offset %d.\n",
section_descriptor.SectionLength,
section_descriptor.SectionOffset);
+ json_object_put(ir);
free(section);
return NULL;
}
diff --git a/include/libcper/BaseTypes.h b/include/libcper/BaseTypes.h
index d1a123f..3bc013a 100644
--- a/include/libcper/BaseTypes.h
+++ b/include/libcper/BaseTypes.h
@@ -15,6 +15,9 @@
extern "C" {
#endif
+#include <stdint.h>
+#include <limits.h>
+
///
/// 8-byte unsigned value
///
diff --git a/ir-parse.c b/ir-parse.c
index 2cb8de0..34cc085 100644
--- a/ir-parse.c
+++ b/ir-parse.c
@@ -37,6 +37,10 @@
//Create the CPER section descriptors.
json_object *section_descriptors =
json_object_object_get(ir, "sectionDescriptors");
+ if (section_descriptors == NULL) {
+ printf("Invalid CPER file: No section descriptors.\n");
+ return;
+ }
int amt_descriptors = json_object_array_length(section_descriptors);
EFI_ERROR_SECTION_DESCRIPTOR *descriptors[amt_descriptors];
for (int i = 0; i < amt_descriptors; i++) {
@@ -52,6 +56,10 @@
//Run through each section in turn.
json_object *sections = json_object_object_get(ir, "sections");
+ if (sections == NULL) {
+ printf("Invalid CPER file: No sections.\n");
+ return;
+ }
int amt_sections = json_object_array_length(sections);
if (amt_sections == amt_descriptors) {
for (int i = 0; i < amt_sections; i++) {
diff --git a/meson.build b/meson.build
index 4936a76..7f805eb 100644
--- a/meson.build
+++ b/meson.build
@@ -30,7 +30,7 @@
project_description = 'libcper library'
-section_sources = files(
+libcper_parse_sources = files(
'sections/cper-section-ampere.c',
'sections/cper-section-arm.c',
'sections/cper-section-ccix-per.c',
@@ -83,7 +83,7 @@
json_c_dep = json_c.get_variable('json_c_dep')
endif
-libcper_parse_sources = files(
+libcper_parse_sources += files(
'base64.c',
'common-utils.c',
'cper-parse.c',
@@ -99,7 +99,6 @@
libcper_parse = library(
'cper-parse',
libcper_parse_sources,
- section_sources,
edk_sources,
version: meson.project_version(),
include_directories: libcper_include_dir,
diff --git a/meson.options b/meson.options
index f22076c..9cda0c4 100644
--- a/meson.options
+++ b/meson.options
@@ -1,3 +1,9 @@
+option(
+ 'fuzz',
+ type: 'feature',
+ value: 'enabled',
+ description: 'Build fuzz targets',
+)
option('tests', type: 'feature', value: 'enabled', description: 'Build tests')
option('utility', type: 'feature', value: 'enabled', description: 'Utility')
option(
diff --git a/tests/fuzz_cper_buf_to_ir.cpp b/tests/fuzz_cper_buf_to_ir.cpp
new file mode 100644
index 0000000..586c2ba
--- /dev/null
+++ b/tests/fuzz_cper_buf_to_ir.cpp
@@ -0,0 +1,11 @@
+#include "libcper/cper-parse.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ json_object *ir = cper_buf_to_ir(data, size);
+ if (ir != NULL) {
+ json_object_put(ir);
+ }
+
+ return 0;
+}
diff --git a/tests/meson.build b/tests/meson.build
index 81060a2..6a4d16c 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -59,3 +59,39 @@
],
)
test('test-cper-tests', cper_tests)
+cxx = meson.get_compiler('cpp')
+if (cxx.get_id() == 'clang') and get_option('fuzz').allowed()
+ fuzz_args = [
+ '-fsanitize=fuzzer,address,leak',
+ '-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION',
+ ]
+
+ foreach fuzzer_test : ['fuzz_cper_buf_to_ir']
+ fuzz_exe = executable(
+ fuzzer_test,
+ [fuzzer_test + '.cpp'] + libcper_parse_sources + edk_sources,
+ implicit_include_directories: false,
+ include_directories: include_directories(test_include_dirs),
+ cpp_args: fuzz_args,
+ c_args: fuzz_args,
+ link_args: fuzz_args,
+ dependencies: [
+ json_c_dep,
+ gtest,
+ gmock,
+ nlohmann_json_dep,
+ valijson_dep,
+ ],
+ )
+ test(
+ fuzzer_test,
+ fuzz_exe,
+ args: [
+ '-max_total_time=10',
+ '-max_len=131072',
+ '-error_exitcode=1',
+ '-timeout_exitcode=2',
+ ],
+ )
+ endforeach
+endif