From a8675c3fa35d291df8be937afdaee78ebd8593fc Mon Sep 17 00:00:00 2001
From: davkor
Date: Wed, 27 May 2020 13:22:45 +0100
Subject: [PATCH 1/6] Updated the haproxy fuzzers to build again.
---
 projects/haproxy/build.sh | 14 ++++++++------
 projects/haproxy/fuzz_hpack_decode.c | 1 -
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/projects/haproxy/build.sh b/projects/haproxy/build.sh
index 7dc4d4e97ed4..7b41b81286a5 100755
--- a/projects/haproxy/build.sh
+++ b/projects/haproxy/build.sh
@@ -13,7 +13,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-################################################################################
 export ORIG_CFLAGS=${CFLAGS}
 cd haproxy
@@ -24,20 +23,23 @@ sed 's/CFLAGS = $(ARCH_FLAGS) $(CPU_CFLAGS) $(DEBUG_CFLAGS) $(SPEC_CFLAGS)/CFLAG
 sed 's/LDFLAGS = $(ARCH_FLAGS) -g/LDFLAGS = $(ARCH_FLAGS) -g ${CXXFLAGS}/g' -i Makefile
 make TARGET=generic
-cd contrib/hpack
-cp /src/fuzz_hpack_decode.c .
-$CC $CFLAGS -g -I../../include -I../../ebtree -fwrapv -fno-strict-aliasing -c fuzz_hpack_decode.c -o fuzz_hpack_decode.o
-$CXX $CXXFLAGS $LIB_FUZZING_ENGINE ./fuzz_hpack_decode.o -o $OUT/fuzz_hpack_decode
-
 # Make a copy of the main file since it has many global functions we need to declare
 # We dont want the main function but we need the rest of the stuff in haproxy.c
 cd /src/haproxy
 sed 's/int main(int argc/int main2(int argc/g' -i ./src/haproxy.c
+sed 's/dladdr(main,/dladdr(main2,/g' -i ./src/standard.c
+sed 's/(void*)main/(void*)main2/g' -i ./src/standard.c
+
 $CC $CFLAGS -Iinclude -Iebtree -g -DUSE_POLL -DUSE_TPROXY -DCONFIG_HAPROXY_VERSION=\"\" -DCONFIG_HAPROXY_DATE=\"\" -c -o ./src/haproxy.o ./src/haproxy.c
 ar cr libetree.a ./ebtree/*.o
 ar cr libhaproxy.a ./src/*.o
+cp $SRC/fuzz_hpack_decode.c .
+$CC $CFLAGS -Iinclude -Iebtree -g -DUSE_POLL -DUSE_TPROXY -DCONFIG_HAPROXY_VERSION=\"\" -DCONFIG_HAPROXY_DATE=\"\" -c fuzz_hpack_decode.c -o fuzz_hpack_decode.o
+$CXX -g $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_hpack_decode.o libhaproxy.a libetree.a -o $OUT/fuzz_hpack_decode
+
 # Now compile more fuzzers
 cp $SRC/fuzz_cfg_parser.c .
 $CC $CFLAGS -Iinclude -Iebtree -g -DUSE_POLL -DUSE_TPROXY -DCONFIG_HAPROXY_VERSION=\"\" -DCONFIG_HAPROXY_DATE=\"\" -c -o fuzz_cfg_parser.o fuzz_cfg_parser.c
 $CXX -g $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_cfg_parser.o libhaproxy.a libetree.a -o $OUT/fuzz_cfg_parser
+################################################################################
diff --git a/projects/haproxy/fuzz_hpack_decode.c b/projects/haproxy/fuzz_hpack_decode.c
index 563f91b0df7e..d87bf0197d29 100644
--- a/projects/haproxy/fuzz_hpack_decode.c
+++ b/projects/haproxy/fuzz_hpack_decode.c
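Review bot: The second added sed, `sed 's/(void*)main/(void*)main2/g' -i ./src/standard.c`, cannot match a literal `(void*)main`: in sed's basic regex the unescaped `*` quantifies the preceding `d`, so the pattern matches `(void)main` or `(voiddd)main` but never the text containing the asterisk. If standard.c does contain `(void*)main` (that file is not visible here), the reference is left as `main` and, because haproxy's own `main` has just been renamed to `main2` on the line above, it would presumably bind to whichever `main` the fuzzing engine links in rather than fail loudly. Escape the asterisk: `sed 's/(void\*)main/(void*)main2/g' -i ./src/standard.c`. All three seds share the silent-no-op failure mode if upstream rewords those lines, so a guard such as `grep -q 'int main2(int argc' ./src/haproxy.c` after the rename would turn a stale pattern into a build error instead of a mis-linked binary.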
@@ -36,7 +36,6 @@
 uint8_t buf[MAX_RQ_SIZE];
 char trash_buf[MAX_RQ_SIZE];
 char tmp_buf[MAX_RQ_SIZE];
-struct buffer trash = { .area = trash_buf, .data = 0, .size = sizeof(trash_buf) };
 struct buffer tmp = { .area = tmp_buf, .data = 0, .size = sizeof(tmp_buf) };
From ede6c9ec7beb6654468231878863ab7e39a90427 Mon Sep 17 00:00:00 2001
From: davkor
Date: Wed, 27 May 2020 13:49:20 +0100
Subject: [PATCH 2/6] The frame decoder needs additional updates since we need to call init_h2 to initialise a memory pool. Disabling this for now as this is a larger change in the code base and will fix up in the coming week.
---
 projects/haproxy/build.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/projects/haproxy/build.sh b/projects/haproxy/build.sh
index 7b41b81286a5..cbc3398c2fb1 100755
--- a/projects/haproxy/build.sh
+++ b/projects/haproxy/build.sh
@@ -34,9 +34,11 @@ $CC $CFLAGS -Iinclude -Iebtree -g -DUSE_POLL -DUSE_TPROXY -DCONFIG_HAPROXY_VERS
 ar cr libetree.a ./ebtree/*.o
 ar cr libhaproxy.a ./src/*.o
-cp $SRC/fuzz_hpack_decode.c .
-$CC $CFLAGS -Iinclude -Iebtree -g -DUSE_POLL -DUSE_TPROXY -DCONFIG_HAPROXY_VERSION=\"\" -DCONFIG_HAPROXY_DATE=\"\" -c fuzz_hpack_decode.c -o fuzz_hpack_decode.o
-$CXX -g $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_hpack_decode.o libhaproxy.a libetree.a -o $OUT/fuzz_hpack_decode
+# Disable this for now as updates in haproxy requires
+# significant changes in the fuzzer.
+#cp $SRC/fuzz_hpack_decode.c .
+#$CC $CFLAGS -Iinclude -Iebtree -g -DUSE_POLL -DUSE_TPROXY -DCONFIG_HAPROXY_VERSION=\"\" -DCONFIG_HAPROXY_DATE=\"\" -c fuzz_hpack_decode.c -o fuzz_hpack_decode.o
+#$CXX -g $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_hpack_decode.o libhaproxy.a libetree.a -o fuzz_hpack_decode
 # Now compile more fuzzers
 cp $SRC/fuzz_cfg_parser.c .
From 1b05aa7eb3c8093ba25554f1c2a625dcbacb3300 Mon Sep 17 00:00:00 2001
From: davkor
Date: Wed, 27 May 2020 15:29:33 +0100
Subject: [PATCH 3/6] Fixed hpack decode.
---
 projects/haproxy/build.sh | 8 +++-----
 projects/haproxy/fuzz_hpack_decode.c | 23 ++++++++++++++++++-----
 2 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/projects/haproxy/build.sh b/projects/haproxy/build.sh
index cbc3398c2fb1..7b41b81286a5 100755
--- a/projects/haproxy/build.sh
+++ b/projects/haproxy/build.sh
@@ -34,11 +34,9 @@ $CC $CFLAGS -Iinclude -Iebtree -g -DUSE_POLL -DUSE_TPROXY -DCONFIG_HAPROXY_VERS
 ar cr libetree.a ./ebtree/*.o
 ar cr libhaproxy.a ./src/*.o
-# Disable this for now as updates in haproxy requires
-# significant changes in the fuzzer.
-#cp $SRC/fuzz_hpack_decode.c .
-#$CC $CFLAGS -Iinclude -Iebtree -g -DUSE_POLL -DUSE_TPROXY -DCONFIG_HAPROXY_VERSION=\"\" -DCONFIG_HAPROXY_DATE=\"\" -c fuzz_hpack_decode.c -o fuzz_hpack_decode.o
-#$CXX -g $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_hpack_decode.o libhaproxy.a libetree.a -o fuzz_hpack_decode
+cp $SRC/fuzz_hpack_decode.c .
+$CC $CFLAGS -Iinclude -Iebtree -g -DUSE_POLL -DUSE_TPROXY -DCONFIG_HAPROXY_VERSION=\"\" -DCONFIG_HAPROXY_DATE=\"\" -c fuzz_hpack_decode.c -o fuzz_hpack_decode.o
+$CXX -g $CXXFLAGS $LIB_FUZZING_ENGINE fuzz_hpack_decode.o libhaproxy.a libetree.a -o $OUT/fuzz_hpack_decode
 # Now compile more fuzzers
 cp $SRC/fuzz_cfg_parser.c .
diff --git a/projects/haproxy/fuzz_hpack_decode.c b/projects/haproxy/fuzz_hpack_decode.c
index d87bf0197d29..455897331cb3 100644
--- a/projects/haproxy/fuzz_hpack_decode.c
+++ b/projects/haproxy/fuzz_hpack_decode.c
@@ -23,9 +23,11 @@
 #include
 #include
 #include
+
 #include
 #include
 #include
+#define HPACK_STANDALONE
 #define MAX_RQ_SIZE 65536
 #define MAX_HDR_NUM 1000
@@ -39,6 +41,9 @@ char tmp_buf[MAX_RQ_SIZE];
 struct buffer tmp = { .area = tmp_buf, .data = 0, .size = sizeof(tmp_buf) };
+
+
+
 /* Empty function we dont need - we just need a callback */
 void debug_hexdump(FILE *out, const char *pfx, const char *buf,
 unsigned int baseaddr, int len)
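Review bot: `+#define HPACK_STANDALONE` is inserted after all six `#include` lines, so it cannot affect anything those headers conditionally declare; if the hpack headers key on this macro (the name strongly suggests so, but the headers are not visible here) the define must precede the includes to have any effect. The macro is also only defined for this translation unit — `build.sh` compiles `libhaproxy.a` without it — so whatever `hpack_dht_alloc()` does on the library side is unchanged by it, and a one-line comment stating which side of the standalone/pool split this fuzzer expects would save the next reader the same investigation, e.g. `/* Must come before the hpack headers: selects their standalone (non-pool) declarations. */`.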
@@ -53,21 +58,29 @@ void debug_hexdump(FILE *out, const char *pfx, const char *buf,
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size){
 char *new_str = (char *)malloc(size+1);
 struct hpack_dht *dht;
+ struct pool_head pool;
 int dht_size = 4096;
 if (new_str == NULL){
 return 0;
 }
 memcpy(new_str, data, size);
 new_str[size] = '\0';
- struct http_hdr list[MAX_HDR_NUM];
+ struct http_hdr list[MAX_HDR_NUM];
+
+ //dht = hpack_dht_alloc(dht_size);
+
+ pool.size = dht_size;
+ pool_head_hpack_tbl = &pool;
+ dht = hpack_dht_alloc();
- dht = hpack_dht_alloc(dht_size);
- hpack_decode_frame(dht, new_str, size, list,sizeof(list)/sizeof(list[0]), &tmp);
 if (dht != NULL) {
- free(dht);
+ hpack_decode_frame(dht, new_str, size, list,sizeof(list)/sizeof(list[0]), &tmp);
+ if (dht != NULL)
+ {
+ free(dht);
+ }
 }
-
 free(new_str);
 return 0;
 }
From 8201c3465db7e14b33a4f3973503bd928774a95d Mon Sep 17 00:00:00 2001
From: davkor
Date: Wed, 27 May 2020 15:51:08 +0100
Subject: [PATCH 4/6] Updated the yaml since we dont want memory sanitizer.
---
 projects/haproxy/project.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/projects/haproxy/project.yaml b/projects/haproxy/project.yaml
index 2b66c5988276..f1400c295670 100755
--- a/projects/haproxy/project.yaml
+++ b/projects/haproxy/project.yaml
@@ -1,9 +1,9 @@
 homepage: "https://github.com/haproxy/haproxy"
-primary_contact: "fuzzing@haproxy.org"
+primary_contact: "adam@adalogics.com"
 language: c++
 auto_ccs:
 - "david@adalogics.com"
- - "adam@adalogics.com"
+ - "timwolla@googlemail.com"
+ - "willy@1wt.eu"
 sanitizers:
 - address
- - memory
From d1763ab2d49628736398f17101768d9212f7bde0 Mon Sep 17 00:00:00 2001
From: Abhishek Arya
Date: Mon, 1 Jun 2020 07:18:17 -0700
Subject: [PATCH 5/6] Remove unneeded spaces.
---
 projects/haproxy/fuzz_hpack_decode.c | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/projects/haproxy/fuzz_hpack_decode.c b/projects/haproxy/fuzz_hpack_decode.c
index 455897331cb3..32c0b3ec458a 100644
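Review bot: `struct pool_head pool;` is an uninitialised automatic of which only `.size` is assigned before `pool_head_hpack_tbl = &pool;` hands its address to `hpack_dht_alloc()`; any other field the allocator reads (the pool implementation is not visible in this hunk) is stack garbage, and a pointer to that dead frame stays in the global after the function returns. Declaring it `static struct pool_head pool = {0};` zeroes every field and removes the dangling global; this matters more than usual because the `memory` sanitizer, which would catch such a read, is dropped from project.yaml later in this series. The nested `if (dht != NULL)` sits inside `if (dht != NULL) {` and is dead, so it can simply go. Releasing the table with `free(dht)` assumes `hpack_dht_alloc()` used plain `malloc`; if haproxy exposes a matching `hpack_dht_free()`, using it keeps allocation and release paired whichever pool path the linked library takes.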
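Review bot: Removing `- memory` from `sanitizers:` drops the only build that detects reads of uninitialised memory, which is exactly the bug class a fuzzer passing a partially initialised `struct pool_head` into the library would exhibit, and the commit message gives no reason beyond not wanting it. If the cause is an MSan-uninstrumented dependency producing false positives (the usual reason for opting out), record it next to the list, e.g. `# memory sanitizer disabled: <dependency> is not MSan-instrumented and reports false positives`, so it can be re-enabled once that is resolved rather than silently forgotten.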
--- a/projects/haproxy/fuzz_hpack_decode.c
+++ b/projects/haproxy/fuzz_hpack_decode.c
@@ -40,10 +40,6 @@ char tmp_buf[MAX_RQ_SIZE];
 struct buffer tmp = { .area = tmp_buf, .data = 0, .size = sizeof(tmp_buf) };
-
-
-
-
 /* Empty function we dont need - we just need a callback */
 void debug_hexdump(FILE *out, const char *pfx, const char *buf,
 unsigned int baseaddr, int len)
@@ -67,8 +63,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size){
 new_str[size] = '\0';
 struct http_hdr list[MAX_HDR_NUM];
- //dht = hpack_dht_alloc(dht_size);
-
 pool.size = dht_size;
 pool_head_hpack_tbl = &pool;
 dht = hpack_dht_alloc();
From 69060c2d8b9cc468f75b4dcecbf67f9a4a9c5c4a Mon Sep 17 00:00:00 2001
From: davkor
Date: Wed, 3 Jun 2020 18:07:03 +0100
Subject: [PATCH 6/6] Minor fix in hpack fuzzer.
---
 projects/haproxy/fuzz_hpack_decode.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/projects/haproxy/fuzz_hpack_decode.c b/projects/haproxy/fuzz_hpack_decode.c
index 32c0b3ec458a..45a7b775e259 100644
--- a/projects/haproxy/fuzz_hpack_decode.c
+++ b/projects/haproxy/fuzz_hpack_decode.c
@@ -15,6 +15,9 @@
 * #
 * ################################################################################
 * */
+
+#define HPACK_STANDALONE
+
 #include
 #include
 #include
@@ -27,7 +30,6 @@
 #include
 #include
 #include
-#define HPACK_STANDALONE
 #define MAX_RQ_SIZE 65536
 #define MAX_HDR_NUM 1000
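Review bot: The relocated `+#define HPACK_STANDALONE` now sits bare between the license banner and the `#include` lines with nothing saying why it was moved or that it must stay above them, so the next cleanup pass can undo the fix this commit makes. Add a comment such as `/* Must precede the hpack headers: they expose their standalone (non-pool) declarations only under this macro. */`, hedged to whatever the headers actually do since they are not visible here. It is also worth noting in that comment that the macro is defined for this translation unit only — `build.sh` builds `libhaproxy.a` without it — so the library-side `hpack_dht_alloc()` this fuzzer links against is unaffected, if that asymmetry is intentional.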