diff fuzz/fuzz-sshpacketmutator.c @ 1765:b688c884dad7

Fix fuzz-sshpacketmutator to work
author Matt Johnston <matt@ucc.asn.au>
date Mon, 26 Oct 2020 22:52:07 +0800
parents 2406a9987810
children b14e0a19bcbe
line wrap: on
line diff
--- a/fuzz/fuzz-sshpacketmutator.c	Mon Oct 26 22:51:44 2020 +0800
+++ b/fuzz/fuzz-sshpacketmutator.c	Mon Oct 26 22:52:07 2020 +0800
@@ -1,4 +1,5 @@
 #include "fuzz.h"
+#include "dbutil.h"
 
 size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize);
 
@@ -11,7 +12,7 @@
         buf_incrpos(inp, version - inp->data);
         unsigned char* newline = memchr(&inp->data[inp->pos], '\n', inp->len - inp->pos);
         if (newline) {
-            buf_incrpos(inp, newline - &inp->data[inp->pos]);
+            buf_incrpos(inp, newline - &inp->data[inp->pos]+1);
         } else {
             /* Give up on any version string */
             buf_setpos(inp, 0);
@@ -32,8 +33,11 @@
         }
 
         /* Read packet */
+        //printf("at %d\n", inp->pos);
+        //printhex("lenget", buf_getptr(inp, 48), 48);
         unsigned int packet_len = buf_getint(inp);
-        if (packet_len <= RECV_MAX_PACKET_LEN) {
+        // printf("len %u\n", packet_len);
+        if (packet_len > RECV_MAX_PACKET_LEN-4) {
             /* Bad length, try skipping a single byte */
             buf_decrpos(inp, 3);
             continue;
@@ -45,11 +49,11 @@
         buf_putint(new_packet, packet_len);
         buf_putbytes(new_packet, buf_getptr(inp, packet_len), packet_len);
         buf_incrpos(inp, packet_len);
+        // printf("incr pos %d to %d\n", packet_len, inp->pos);
 
         out_packets[*num_out_packets] = new_packet;
         (*num_out_packets)++;
     }
-
 }
 
 /* Mutate in-place */
@@ -76,22 +80,51 @@
 
 size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size,
               size_t MaxSize, unsigned int Seed) {
-    int i;
+
+    /* Avoid some allocations */
+    /* XXX perhaps this complication isn't worthwhile */
+    static buffer buf_oup, buf_alloc_packetA, buf_alloc_packetB;
+    static buffer *oup = &buf_oup; 
+    static buffer *alloc_packetA = &buf_alloc_packetA;
+    static buffer *alloc_packetB = &buf_alloc_packetB;
+    static int once = 1;
+    if (once) {
+        once = 0;
+        // malloc doesn't get intercepted by epoch deallocator
+        oup->size = MAX_OUT_SIZE;
+        alloc_packetA->size = RECV_MAX_PACKET_LEN;
+        alloc_packetB->size = RECV_MAX_PACKET_LEN;
+        oup->data = malloc(oup->size);
+        alloc_packetA->data = malloc(alloc_packetA->size);
+        alloc_packetB->data = malloc(alloc_packetB->size);
+    } 
+    alloc_packetA->pos = 0;
+    alloc_packetA->len = 0;
+    alloc_packetB->pos = 0;
+    alloc_packetB->len = 0;
+    oup->pos = 0;
+    oup->len = 0;
+
+    unsigned int i;
     unsigned short randstate[3] = {0,0,0};
     memcpy(randstate, &Seed, sizeof(Seed));
 
+    // printhex("mutator input", Data, Size);
+    #if 0
     /* 1% chance straight llvm mutate */
     if (nrand48(randstate) % 100 == 0) {
         return LLVMFuzzerMutate(Data, Size, MaxSize);
     }
+    #endif
 
     buffer inp_buf = {.data = Data, .size = Size, .len = Size, .pos = 0};
     buffer *inp = &inp_buf;
 
     /* Parse packets */
-    buffer* packets[MAX_FUZZ_PACKETS] = {0};
+    buffer* packets[MAX_FUZZ_PACKETS];
     unsigned int num_packets = MAX_FUZZ_PACKETS;
     fuzz_get_packets(inp, packets, &num_packets);
+    // printf("%d packets\n", num_packets);
 
     if (num_packets == 0) {
         // gotta do something
@@ -100,7 +133,6 @@
     }
 
     /* Start output */
-    buffer *oup = buf_new(MAX_OUT_SIZE);
     /* Put a new banner to output */
     buf_putbytes(oup, FIXED_VERSION, strlen(FIXED_VERSION));
 
@@ -108,42 +140,46 @@
     for (i = 0; i < num_packets+1; i++) {
         // These are pointers to output
         buffer *out_packetA = NULL, *out_packetB = NULL;
-        // These need to be freed
-        buffer *alloc_packetA = NULL, *alloc_packetB = NULL;
+        alloc_packetA->pos = 0;
+        alloc_packetA->len = 0;
+        alloc_packetB->pos = 0;
+        alloc_packetB->len = 0;
 
         /* 5% chance each */
         const int optA = nrand48(randstate) % 20;
-        const int other = nrand48(randstate) % num_packets;
         if (optA == 0) {
             /* Copy another */
-            out_packetA = packets[nrand48(randstate) % num_packets];
+            unsigned int other = nrand48(randstate) % num_packets;
+            out_packetA = packets[other];
+            // printf("%d copy another %d\n", i, other);
         }
         if (optA == 1) {
             /* Mutate another */
-            alloc_packetA = buf_new(RECV_MAX_PACKET_LEN);
-            buffer *from = packets[nrand48(randstate) % num_packets];
+            unsigned int other = nrand48(randstate) % num_packets;
+            buffer *from = packets[other];
             buf_putbytes(alloc_packetA, from->data, from->len);
             out_packetA = alloc_packetA;
             buf_llvm_mutate(out_packetA);
+            // printf("%d mutate another %d\n", i, other);
         }
 
-        /* 10% chance each of mutate or drop */
         if (i < num_packets) {
             int optB = nrand48(randstate) % 10;
-            if (optB == 0) {
-                /* Copy as-is */
-                out_packetB = packets[i];
-            } 
             if (optB == 1) {
+                /* 10% chance of drop */
                 /* Drop it */
-            } 
-            if (optB == 2) {
-                /* Mutate it */
-                alloc_packetB = buf_new(RECV_MAX_PACKET_LEN);
+                // printf("%d drop\n", i);
+            } else if (optB <= 6) {
+                /* Mutate it, 50% chance */
+                // printf("%d mutate\n", i);
                 buffer *from = packets[nrand48(randstate) % num_packets];
                 buf_putbytes(alloc_packetB, from->data, from->len);
                 out_packetB = alloc_packetB;
                 buf_llvm_mutate(out_packetB);
+            } else {
+                /* Copy as-is */
+                out_packetB = packets[i];
+                // printf("%d as-is\n", i);
             } 
         }
 
@@ -153,14 +189,6 @@
         if (out_packetB && oup->len + out_packetB->len <= oup->size) {
             buf_putbytes(oup, out_packetB->data, out_packetB->len);
         }
-        if (alloc_packetA) {
-            buf_free(alloc_packetA);
-            alloc_packetA = NULL;
-        }
-        if (alloc_packetB) {
-            buf_free(alloc_packetB);
-            alloc_packetB = NULL;
-        }
     }
 
     for (i = 0; i < num_packets; i++) {
@@ -169,7 +197,8 @@
 
     size_t ret_len = MIN(MaxSize, oup->len);
     memcpy(Data, oup->data, ret_len);
-    buf_free(oup);
+    // printhex("mutator done", Data, ret_len);
     return ret_len;
 }
 
+