From 9bd361ca323637b047ecfdf5de3c8cfbf64698d6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
Date: Sat, 3 Oct 2020 01:53:53 +0200
Subject: [PATCH] tests: add libFuzzer based fuzzing
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine.

LibFuzzer is linked with the library under test, and feeds fuzzed inputs
to the library via a specific fuzzing entrypoint (aka "target
function"); the fuzzer then tracks which areas of the code are reached,
and generates mutations on the corpus of input data in order to maximize
the code coverage.

So lets use libFuzzer to fuzz uci_import for the start.

Ref: https://llvm.org/docs/LibFuzzer.html
Signed-off-by: Petr Å tetiar <ynezz@true.cz>
---
 tests/CMakeLists.txt                          |   4 +
 tests/fuzz/CMakeLists.txt                     |  18 ++
 .../231ee80a172b8e1749b9d91867989d88e4faf7bb  | Bin 0 -> 15 bytes
 .../26a6253fc1eb695b61a2fc7640ee4c03c19e438e  | Bin 0 -> 9 bytes
 .../29a6e206439d792afba5e8e9c1fdf55e65a1145d  | Bin 0 -> 4 bytes
 .../51045ac5401085f5727c6d3c1cac5f8cc32a2927  |   1 +
 .../845dcf3f15f3c28235e6be148a690e7f03b07f65  | Bin 0 -> 22 bytes
 .../bb589d0621e5472f470fa3425a234c74b1e202e8  |   1 +
 .../ea387894a296772f96706df8b999a52d9334c746  | Bin 0 -> 5 bytes
 ...d:000000,sig:11,src:000001,op:flip1,pos:24 | Bin 0 -> 44 bytes
 ...sig:11,src:000022,op:arith8,pos:42,val:+26 | Bin 0 -> 43 bytes
 tests/fuzz/dict/uci.dict                      |  18 ++
 tests/fuzz/inputs/dhcp                        |  49 +++++
 tests/fuzz/inputs/firewall                    | 208 ++++++++++++++++++
 tests/fuzz/test-fuzz.c                        |  60 +++++
 15 files changed, 359 insertions(+)
 create mode 100644 tests/fuzz/CMakeLists.txt
 create mode 100644 tests/fuzz/corpus/231ee80a172b8e1749b9d91867989d88e4faf7bb
 create mode 100644 tests/fuzz/corpus/26a6253fc1eb695b61a2fc7640ee4c03c19e438e
 create mode 100644 tests/fuzz/corpus/29a6e206439d792afba5e8e9c1fdf55e65a1145d
 create mode 100644 tests/fuzz/corpus/51045ac5401085f5727c6d3c1cac5f8cc32a2927
 create mode 100644 tests/fuzz/corpus/845dcf3f15f3c28235e6be148a690e7f03b07f65
 create mode 100644 tests/fuzz/corpus/bb589d0621e5472f470fa3425a234c74b1e202e8
 create mode 100644 tests/fuzz/corpus/ea387894a296772f96706df8b999a52d9334c746
 create mode 100644 tests/fuzz/corpus/id:000000,sig:11,src:000001,op:flip1,pos:24
 create mode 100644 tests/fuzz/corpus/id:000008,sig:11,src:000022,op:arith8,pos:42,val:+26
 create mode 100644 tests/fuzz/dict/uci.dict
 create mode 100644 tests/fuzz/inputs/dhcp
 create mode 100644 tests/fuzz/inputs/firewall
 create mode 100644 tests/fuzz/test-fuzz.c

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 872ed6d..6f31b93 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -1,2 +1,6 @@
 ADD_SUBDIRECTORY(cram)
 ADD_SUBDIRECTORY(shunit2)
+
+IF(CMAKE_C_COMPILER_ID STREQUAL "Clang")
+  ADD_SUBDIRECTORY(fuzz)
+ENDIF()
diff --git a/tests/fuzz/CMakeLists.txt b/tests/fuzz/CMakeLists.txt
new file mode 100644
index 0000000..1533c46
--- /dev/null
+++ b/tests/fuzz/CMakeLists.txt
@@ -0,0 +1,18 @@
+FILE(GLOB test_cases "test-*.c")
+
+MACRO(ADD_FUZZER_TEST name)
+  ADD_EXECUTABLE(${name} ${name}.c)
+  TARGET_COMPILE_OPTIONS(${name} PRIVATE -g -O1 -fno-omit-frame-pointer -fsanitize=fuzzer,address,leak,undefined)
+  TARGET_INCLUDE_DIRECTORIES(${name} PRIVATE ${PROJECT_SOURCE_DIR})
+  TARGET_LINK_OPTIONS(${name} PRIVATE -stdlib=libc++ -fsanitize=fuzzer,address,leak,undefined)
+  TARGET_LINK_LIBRARIES(${name} uci)
+  ADD_TEST(
+    NAME ${name}
+	COMMAND ${name} -max_len=256 -timeout=10 -max_total_time=300 -dict=${CMAKE_CURRENT_SOURCE_DIR}/dict/uci.dict ${CMAKE_CURRENT_SOURCE_DIR}/corpus
+  )
+ENDMACRO(ADD_FUZZER_TEST)
+
+FOREACH(test_case ${test_cases})
+  GET_FILENAME_COMPONENT(test_case ${test_case} NAME_WE)
+  ADD_FUZZER_TEST(${test_case})
+ENDFOREACH(test_case)
diff --git a/tests/fuzz/corpus/231ee80a172b8e1749b9d91867989d88e4faf7bb b/tests/fuzz/corpus/231ee80a172b8e1749b9d91867989d88e4faf7bb
new file mode 100644
index 0000000000000000000000000000000000000000..9c17457fb85abbcc5b28d861981937b3b2dc0fb2
GIT binary patch
literal 15
Wcmd;N;9}t7WN<9t?B<Q(QU(AEWC8*J

literal 0
HcmV?d00001

diff --git a/tests/fuzz/corpus/26a6253fc1eb695b61a2fc7640ee4c03c19e438e b/tests/fuzz/corpus/26a6253fc1eb695b61a2fc7640ee4c03c19e438e
new file mode 100644
index 0000000000000000000000000000000000000000..4e71cf69915767a7092e79800fabf341a74fbce3
GIT binary patch
literal 9
Qcmd;N;9}t7WN=gl00El-ivR!s

literal 0
HcmV?d00001

diff --git a/tests/fuzz/corpus/29a6e206439d792afba5e8e9c1fdf55e65a1145d b/tests/fuzz/corpus/29a6e206439d792afba5e8e9c1fdf55e65a1145d
new file mode 100644
index 0000000000000000000000000000000000000000..f065bd7508aa513425a67a22a7e39e3e5fbfea4c
GIT binary patch
literal 4
LcmZSJVo(ME07U>U

literal 0
HcmV?d00001

diff --git a/tests/fuzz/corpus/51045ac5401085f5727c6d3c1cac5f8cc32a2927 b/tests/fuzz/corpus/51045ac5401085f5727c6d3c1cac5f8cc32a2927
new file mode 100644
index 0000000..f47ebca
--- /dev/null
+++ b/tests/fuzz/corpus/51045ac5401085f5727c6d3c1cac5f8cc32a2927
@@ -0,0 +1 @@
+ #
\ No newline at end of file
diff --git a/tests/fuzz/corpus/845dcf3f15f3c28235e6be148a690e7f03b07f65 b/tests/fuzz/corpus/845dcf3f15f3c28235e6be148a690e7f03b07f65
new file mode 100644
index 0000000000000000000000000000000000000000..cf5c1b00e262ac0b3fcf9c8c7ae43099d4f8488e
GIT binary patch
literal 22
Tcmd;N;NnC=1)K)FF<i<33s(W3

literal 0
HcmV?d00001

diff --git a/tests/fuzz/corpus/bb589d0621e5472f470fa3425a234c74b1e202e8 b/tests/fuzz/corpus/bb589d0621e5472f470fa3425a234c74b1e202e8
new file mode 100644
index 0000000..ad2823b
--- /dev/null
+++ b/tests/fuzz/corpus/bb589d0621e5472f470fa3425a234c74b1e202e8
@@ -0,0 +1 @@
+'
\ No newline at end of file
diff --git a/tests/fuzz/corpus/ea387894a296772f96706df8b999a52d9334c746 b/tests/fuzz/corpus/ea387894a296772f96706df8b999a52d9334c746
new file mode 100644
index 0000000000000000000000000000000000000000..2a72a978d4f0beaee9eb9d174e591243272d7413
GIT binary patch
literal 5
Mcmd;N;9^h)0046UHvj+t

literal 0
HcmV?d00001

diff --git a/tests/fuzz/corpus/id:000000,sig:11,src:000001,op:flip1,pos:24 b/tests/fuzz/corpus/id:000000,sig:11,src:000001,op:flip1,pos:24
new file mode 100644
index 0000000000000000000000000000000000000000..3f4e40d09a685f9641cc1e1ebea1f264ab1080dc
GIT binary patch
literal 44
dcmXS5;NoQ9GQdCz3|t@y2rA$-;Emzp1OQDZ1AG7g

literal 0
HcmV?d00001

diff --git a/tests/fuzz/corpus/id:000008,sig:11,src:000022,op:arith8,pos:42,val:+26 b/tests/fuzz/corpus/id:000008,sig:11,src:000022,op:arith8,pos:42,val:+26
new file mode 100644
index 0000000000000000000000000000000000000000..20bc48d514b1ad3d25ee34221f2de2586c77c205
GIT binary patch
literal 43
Tcmd;N;Nm2N3OEgTW4M$79Et)Y

literal 0
HcmV?d00001

diff --git a/tests/fuzz/dict/uci.dict b/tests/fuzz/dict/uci.dict
new file mode 100644
index 0000000..73c86ec
--- /dev/null
+++ b/tests/fuzz/dict/uci.dict
@@ -0,0 +1,18 @@
+"c"
+"config"
+"p"
+"package"
+"o"
+"option"
+"l"
+"list"
+"'"
+"\""
+" "
+"\x00"
+"\x0a"
+"\x0d"
+"\x09"
+"#"
+";"
+"\\"
diff --git a/tests/fuzz/inputs/dhcp b/tests/fuzz/inputs/dhcp
new file mode 100644
index 0000000..2bc0d31
--- /dev/null
+++ b/tests/fuzz/inputs/dhcp
@@ -0,0 +1,49 @@
+
+config dnsmasq
+	option domainneeded '1'
+	option boguspriv '1'
+	option filterwin2k '0'
+	option localise_queries '1'
+	option rebind_protection '1'
+	option rebind_localhost '1'
+	option local '/lan/'
+	option domain 'lan'
+	option expandhosts '1'
+	option nonegcache '0'
+	option authoritative '1'
+	option readethers '1'
+	option leasefile '/tmp/dhcp.leases'
+	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+	option nonwildcard '1'
+	option localservice '1'
+
+config dhcp 'lan'
+	option interface 'lan'
+	option start '100'
+	option limit '150'
+	option leasetime '12h'
+	option dhcpv6 'server'
+	option ra 'server'
+	option ra_slaac '1'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
+
+config dhcp 'wan'
+	option interface 'wan'
+	option ignore '1'
+
+config odhcpd 'odhcpd'
+	option maindhcp '0'
+	option leasefile '/tmp/hosts/odhcpd'
+	option leasetrigger '/usr/sbin/odhcpd-update'
+	option loglevel '4'
+
+config host
+        option name 'foo'
+        option ip '192.168.1.90'
+        option mac '20:de:ad:be:ef:99'
+
+config host
+        option name 'moo-ap01'
+        option ip '192.168.1.2'
+        option mac '00:dd:8d:f7:e6:6f'
diff --git a/tests/fuzz/inputs/firewall b/tests/fuzz/inputs/firewall
new file mode 100644
index 0000000..5e22f98
--- /dev/null
+++ b/tests/fuzz/inputs/firewall
@@ -0,0 +1,208 @@
+config defaults
+	option syn_flood	1
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
+
+config zone
+	option name		lan
+	list   network		'lan'
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		ACCEPT
+
+config zone
+	option name		wan
+	list   network		'wan'
+	list   network		'wan6'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq		1
+	option mtu_fix		1
+
+config forwarding
+	option src		lan
+	option dest		wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option name		Allow-DHCP-Renew
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+# Allow IPv4 ping
+config rule
+	option name		Allow-Ping
+	option src		wan
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IGMP
+	option src		wan
+	option proto		igmp
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+	option name		Allow-DHCPv6
+	option src		wan
+	option proto		udp
+	option src_ip		fc00::/6
+	option dest_ip		fc00::/6
+	option dest_port	546
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-MLD
+	option src		wan
+	option proto		icmp
+	option src_ip		fe80::/10
+	list icmp_type		'130/0'
+	list icmp_type		'131/0'
+	list icmp_type		'132/0'
+	list icmp_type		'143/0'
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Input
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	list icmp_type		router-advertisement
+	list icmp_type		neighbour-advertisement
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Forward
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IPSec-ESP
+	option src		wan
+	option dest		lan
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ISAKMP
+	option src		wan
+	option dest		lan
+	option dest_port	500
+	option proto		udp
+	option target		ACCEPT
+
+# allow interoperability with traceroute classic
+# note that traceroute uses a fixed port range, and depends on getting
+# back ICMP Unreachables.  if we're operating in DROP mode, it won't
+# work so we explicitly REJECT packets on these ports.
+config rule
+	option name		Support-UDP-Traceroute
+	option src		wan
+	option dest_port	33434:33689
+	option proto		udp
+	option family		ipv4
+	option target		REJECT
+	option enabled		false
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT
+
+# block a specific mac on wan
+#config rule
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#	option src		lan
+#	option proto	ICMP
+#	option target	DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80
+#	option proto		tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT
+
+#config redirect
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
diff --git a/tests/fuzz/test-fuzz.c b/tests/fuzz/test-fuzz.c
new file mode 100644
index 0000000..9946a57
--- /dev/null
+++ b/tests/fuzz/test-fuzz.c
@@ -0,0 +1,60 @@
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <string.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <unistd.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include "uci.h"
+
+static void fuzz_uci_import(const uint8_t *input, size_t size)
+{
+	int r;
+	int fd;
+	FILE *fs = NULL;
+	struct uci_context *ctx = NULL;
+	struct uci_package *package = NULL;
+
+	fd = open("/dev/shm", O_TMPFILE | O_RDWR, S_IRUSR | S_IWUSR);
+	if (fd < 0) {
+		perror("unable to create temp file");
+		exit(-1);
+	}
+
+	r = write(fd, input, size);
+	if (r < 0) {
+		perror("unable to write()");
+		exit(-1);
+	}
+
+	fs = fdopen(fd, "r");
+	if (fs == NULL) {
+		perror("unable to fdopen()");
+		exit(-1);
+	}
+
+	fseek(fs, 0L, SEEK_SET);
+
+	ctx = uci_alloc_context();
+	if (ctx == NULL) {
+		perror("unable to uci_alloc_context()");
+		exit(-1);
+	}
+
+	uci_import(ctx, fs, NULL, &package, false);
+	uci_free_context(ctx);
+	close(fd);
+	fclose(fs);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *input, size_t size)
+{
+	fuzz_uci_import(input, size);
+	return 0;
+}
-- 
2.30.2