# HG changeset patch
# User Matt Johnston
# Date 1603004934 -28800
# Node ID 6e71440b1e47dc1eac997bdffee4031fd834722e
# Parent d1b279aa5ed1dd5dad43c9c2760aed5c778f99bc
Add fuzzer-client_nomaths, fix client fuzzer
diff -r d1b279aa5ed1 -r 6e71440b1e47 Makefile.in
--- a/Makefile.in Sun Oct 18 12:17:39 2020 +0800
+++ b/Makefile.in Sun Oct 18 15:08:54 2020 +0800
@@ -269,7 +269,7 @@
 # list of fuzz targets
 FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey fuzzer-verify fuzzer-preauth_nomaths \
- fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client
+ fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client fuzzer-client_nomaths
 FUZZER_OPTIONS = $(addsuffix .options, $(FUZZ_TARGETS))
@@ -311,6 +311,9 @@
 fuzzer-client: fuzzer-client.o fuzz-harness.o
 $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
+fuzzer-client_nomaths: fuzzer-client_nomaths.o fuzz-harness.o
+ $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
+
 fuzzer-%.options: Makefile
 echo "[libfuzzer]" > $@
 echo "max_len = 50000" >> $@
diff -r d1b279aa5ed1 -r 6e71440b1e47 cli-kex.c
--- a/cli-kex.c Sun Oct 18 12:17:39 2020 +0800
+++ b/cli-kex.c Sun Oct 18 15:08:54 2020 +0800
@@ -46,6 +46,13 @@
 TRACE(("send_msg_kexdh_init()"))
 CHECKCLEARTOWRITE();
+
+#if DROPBEAR_FUZZ
+ if (fuzz.fuzzing && fuzz.skip_kexmaths) {
+ return;
+ }
+#endif
+
 buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT);
 switch (ses.newkeys->algo_kex->mode) {
 #if DROPBEAR_NORMAL_DH
@@ -98,6 +105,12 @@
 unsigned char* keyblob = NULL;
 TRACE(("enter recv_msg_kexdh_reply"))
+
+#if DROPBEAR_FUZZ
+ if (fuzz.fuzzing && fuzz.skip_kexmaths) {
+ return;
+ }
+#endif
 if (cli_ses.kex_state != KEXDH_INIT_SENT) {
 dropbear_exit("Received out-of-order kexdhreply");
diff -r d1b279aa5ed1 -r 6e71440b1e47 cli-session.c
--- a/cli-session.c Sun Oct 18 12:17:39 2020 +0800
+++ b/cli-session.c Sun Oct 18 15:08:54 2020 +0800
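Review bot: The new `fuzzer-client_nomaths` rule in the second Makefile.in hunk repeats the `fuzzer-client` link recipe verbatim, so the `$(FUZZLIB)`/`@CRYPTLIB@` link line now has to be kept in sync by hand across targets. A static pattern rule over the client targets, e.g. `fuzzer-client fuzzer-client_nomaths: %: %.o fuzz-harness.o` followed by the one shared `$(CXX) ... @CRYPTLIB@` recipe, removes the duplicate. Whether the other entries in `FUZZ_TARGETS` link with exactly the same line is not visible in this hunk, so the pattern may need to stay limited to the two client targets.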
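Review bot: In `recv_msg_kexdh_reply` (second cli-kex.c hunk) the new fuzz guard returns before the `cli_ses.kex_state != KEXDH_INIT_SENT` check, so the out-of-order-reply rejection is never exercised in nomaths mode; moving the `#if DROPBEAR_FUZZ` block to just after that `dropbear_exit` keeps the state-machine check under fuzz coverage while still skipping the arithmetic. The matching guard in `send_msg_kexdh_init` (first hunk) returns after `CHECKCLEARTOWRITE()` with nothing written to `ses.writepayload`, which is fine only if the caller, outside this hunk, still advances `cli_ses.kex_state` on its own — worth confirming. Both guards are undocumented; a one-line comment such as `/* Fuzzing only: skip the DH/ECDH exchange when fuzz.skip_kexmaths is set */` above each `#if` would explain why a KEX handler returns early. Both functions begin before and continue past their hunks.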
@@ -352,6 +352,11 @@
 (void)fcntl(cli_ses.stdoutcopy, F_SETFL, cli_ses.stdoutflags);
 (void)fcntl(cli_ses.stderrcopy, F_SETFL, cli_ses.stderrflags);
+ /* Don't leak */
+ m_close(cli_ses.stdincopy);
+ m_close(cli_ses.stdoutcopy);
+ m_close(cli_ses.stderrcopy);
+
 cli_tty_cleanup();
 if (cli_ses.server_sig_algs) {
 buf_free(cli_ses.server_sig_algs);
@@ -430,17 +435,18 @@
 /* Do the cleanup first, since then the terminal will be reset */
 session_cleanup();
- /* Avoid printing onwards from terminal cruft */
- fprintf(stderr, "\n");
-
- dropbear_log(LOG_INFO, "%s", fullmsg);
-
+
 #if DROPBEAR_FUZZ
 if (fuzz.do_jmp) {
 longjmp(fuzz.jmp, 1);
 }
 #endif
+ /* Avoid printing onwards from terminal cruft */
+ fprintf(stderr, "\n");
+
+ dropbear_log(LOG_INFO, "%s", fullmsg);
+
 exit(exitcode);
 }
diff -r d1b279aa5ed1 -r 6e71440b1e47 fuzz-common.c
--- a/fuzz-common.c Sun Oct 18 12:17:39 2020 +0800
+++ b/fuzz-common.c Sun Oct 18 15:08:54 2020 +0800
@@ -37,6 +37,7 @@
 memset(&ses, 0x0, sizeof(ses));
 memset(&svr_ses, 0x0, sizeof(svr_ses));
+ memset(&cli_ses, 0x0, sizeof(cli_ses));
 wrapfd_setup(fuzz.input);
 fuzz_seed();
@@ -64,6 +65,7 @@
 _dropbear_exit = svr_dropbear_exit;
 char *argv[] = {
+ "dropbear",
 "-E",
 };
@@ -80,6 +82,7 @@
 _dropbear_log = cli_dropbear_log;
 char *argv[] = {
+ "dbclient",
 "-y",
 "localhost",
 };
@@ -168,7 +171,7 @@
 if (ret_errfd) {
 *ret_errfd = wrapfd_new();
 }
- ret_pid = 999;
+ *ret_pid = 999;
 return DROPBEAR_SUCCESS;
 }
diff -r d1b279aa5ed1 -r 6e71440b1e47 fuzzer-client_nomaths.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/fuzzer-client_nomaths.c Sun Oct 18 15:08:54 2020 +0800
@@ -0,0 +1,6 @@
+#include "fuzz.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ return fuzz_run_client(Data, Size, 1);
+}
+
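Review bot: The three new `m_close()` calls leave `cli_ses.stdincopy`, `stdoutcopy` and `stderrcopy` holding the numbers of descriptors that are now closed, and the new `memset(&cli_ses, 0x0, ...)` in the first fuzz-common.c hunk initialises those same fields to 0, which is a live descriptor (stdin), not "unset". If this cleanup can run before the copies are created, or run a second time, the closes land on fd 0 or on whatever has since reused the number rather than on the saved copies; where the copies are filled in is outside this hunk. Writing -1 into each field right after its close, e.g. `cli_ses.stdincopy = -1;`, and initialising the three fields to -1 in the fuzz setup makes the cleanup idempotent, assuming `m_close()` treats -1 as a no-op — to be confirmed. The enclosing cleanup function begins before and ends after this hunk.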
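Review bot: After the reorder in the second cli-session.c hunk, `longjmp(fuzz.jmp, 1)` now runs before `fprintf` and `dropbear_log`, so whenever `fuzz.do_jmp` is set the exit reason held in `fullmsg` is never emitted anywhere; that is presumably deliberate (keeping harness output quiet), but nothing in the code says so. A comment above the `#if DROPBEAR_FUZZ` block, `/* Under the fuzz harness, return to the driver before any output; fullmsg is discarded. */`, records the intent for whoever later wonders why fuzz-found exits are silent. The enclosing function begins outside the hunk.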
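Review bot: `*ret_pid = 999` fixes the earlier store to the pointer itself, but it hands callers a plausible live pid; if any client teardown path signals or waits on the proxy-command pid (not visible in this diff), a fuzz run could deliver a signal to an unrelated process 999 on the host. If such a path exists it should be skipped when `fuzz.fuzzing` is set rather than relying on the sentinel never colliding with a real pid, and a comment on this line, `/* fake pid: nothing may kill()/waitpid() it under the fuzz harness */`, would record that constraint. The hunk also guards `ret_errfd` with `if (ret_errfd)` but dereferences `ret_pid` unconditionally; an `if (ret_pid)` around the store would be consistent with the line above it. The enclosing function begins outside the hunk.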
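Review bot: The bare `1` in `fuzz_run_client(Data, Size, 1)` is the only thing distinguishing this harness from fuzzer-client, and nothing names it; a comment on that line, `/* third arg selects fuzz.skip_kexmaths: skip the DH/ECDH computation */`, or a named constant exported from fuzz.h, would make the intent visible without reading fuzz-common.c. That the argument maps to `fuzz.skip_kexmaths` is inferred from the cli-kex.c hunks and the commit title, since the declaration of `fuzz_run_client` is not in this diff.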