changeset 1742:6e71440b1e47 fuzz

Add fuzzer-client_nomaths, fix client fuzzer
author Matt Johnston <matt@ucc.asn.au>
date Sun, 18 Oct 2020 15:08:54 +0800
parents d1b279aa5ed1
children 7d8462677355
files Makefile.in cli-kex.c cli-session.c fuzz-common.c fuzzer-client_nomaths.c
diffstat 5 files changed, 38 insertions(+), 7 deletions(-) [+]
--- a/Makefile.in	Sun Oct 18 12:17:39 2020 +0800
+++ b/Makefile.in	Sun Oct 18 15:08:54 2020 +0800
@@ -269,7 +269,7 @@
 
 # list of fuzz targets
 FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey fuzzer-verify fuzzer-preauth_nomaths \
-	fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client
+	fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client fuzzer-client_nomaths
 
 FUZZER_OPTIONS = $(addsuffix .options, $(FUZZ_TARGETS))
 
@@ -311,6 +311,9 @@
 fuzzer-client: fuzzer-client.o fuzz-harness.o
 	$(CXX) $(CXXFLAGS) [email protected] $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
 
+fuzzer-client_nomaths: fuzzer-client_nomaths.o fuzz-harness.o
+	$(CXX) $(CXXFLAGS) [email protected] $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
+
 fuzzer-%.options: Makefile
 	echo "[libfuzzer]"               > $@
 	echo "max_len = 50000"          >> $@
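Review bot: The new fuzzer-client_nomaths link rule repeats the fuzzer-client recipe verbatim, and every other name in FUZZ_TARGETS presumably has the same copy outside the hunk, so any change to the link flags has to be made once per fuzzer. A static pattern rule over the existing list, `$(FUZZ_TARGETS): %: %.o fuzz-harness.o` with the single shared recipe, would replace the per-target rules. The `[email protected]` token in both recipes looks like a page rendering artefact of `$@.o` rather than the real source, so I have not treated it as a defect.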
--- a/cli-kex.c	Sun Oct 18 12:17:39 2020 +0800
+++ b/cli-kex.c	Sun Oct 18 15:08:54 2020 +0800
@@ -46,6 +46,13 @@
 	TRACE(("send_msg_kexdh_init()"))	
 
 	CHECKCLEARTOWRITE();
+
+#if DROPBEAR_FUZZ
+	if (fuzz.fuzzing && fuzz.skip_kexmaths) {
+		return;
+	}
+#endif
+
 	buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT);
 	switch (ses.newkeys->algo_kex->mode) {
 #if DROPBEAR_NORMAL_DH
@@ -98,6 +105,12 @@
 	unsigned char* keyblob = NULL;
 
 	TRACE(("enter recv_msg_kexdh_reply"))
+	
+#if DROPBEAR_FUZZ
+	if (fuzz.fuzzing && fuzz.skip_kexmaths) {
+		return;
+	}
+#endif
 
 	if (cli_ses.kex_state != KEXDH_INIT_SENT) {
 		dropbear_exit("Received out-of-order kexdhreply");
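Review bot: The skip returns before the `cli_ses.kex_state != KEXDH_INIT_SENT` check, so the nomaths target never exercises the out-of-order KEXDH_REPLY path even though that check involves no DH/ECDH arithmetic. Unless that is intentional, placing the `#if DROPBEAR_FUZZ` block after the `dropbear_exit("Received out-of-order kexdhreply")` check keeps the ordering check under fuzzing while still skipping the maths. The added blank line before the block contains a stray tab and should be empty. The remainder of recv_msg_kexdh_reply, and any key-exchange state it advances, is outside the hunk, so whether the early return leaves the session unable to finish kex is inferred rather than visible.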
--- a/cli-session.c	Sun Oct 18 12:17:39 2020 +0800
+++ b/cli-session.c	Sun Oct 18 15:08:54 2020 +0800
@@ -352,6 +352,11 @@
 	(void)fcntl(cli_ses.stdoutcopy, F_SETFL, cli_ses.stdoutflags);
 	(void)fcntl(cli_ses.stderrcopy, F_SETFL, cli_ses.stderrflags);
 
+	/* Don't leak */
+	m_close(cli_ses.stdincopy);
+	m_close(cli_ses.stdoutcopy);
+	m_close(cli_ses.stderrcopy);
+
 	cli_tty_cleanup();
 	if (cli_ses.server_sig_algs) {
 		buf_free(cli_ses.server_sig_algs);
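Review bot: The three m_close() calls leave cli_ses.stdincopy, stdoutcopy and stderrcopy holding already-closed descriptor numbers, so a second pass through cli_session_cleanup, or a cleanup that runs before the dup() calls populate them (neither is visible in the hunk), would close a descriptor that is no longer ours; with the fuzz harness zeroing cli_ses that number would be 0, the process's real stdin. Resetting each field after the close, `cli_ses.stdincopy = -1;` and likewise for the other two, makes a repeat harmless if m_close() follows the usual pattern of ignoring -1. Where cli_session_cleanup is called from, and whether it can run twice, is outside the hunk.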
@@ -430,17 +435,18 @@
 
 	/* Do the cleanup first, since then the terminal will be reset */
 	session_cleanup();
-	/* Avoid printing onwards from terminal cruft */
-	fprintf(stderr, "\n");
-
-	dropbear_log(LOG_INFO, "%s", fullmsg);
-
+	
 #if DROPBEAR_FUZZ
     if (fuzz.do_jmp) {
         longjmp(fuzz.jmp, 1);
     }
 #endif
 
+	/* Avoid printing onwards from terminal cruft */
+	fprintf(stderr, "\n");
+
+	dropbear_log(LOG_INFO, "%s", fullmsg);
+
 	exit(exitcode);
 }
 
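Review bot: After the reorder the fuzzing longjmp runs before the exit message is logged, so fullmsg is silently discarded in fuzz builds; that looks deliberate but the intent should be stated on the `#if DROPBEAR_FUZZ` block, e.g. `/* fuzzing: return to the harness before logging, the exit reason is expected noise */`. The added line above that block is a whitespace-only line containing a tab and should be empty. The start of cli_dropbear_exit, where fullmsg is built, is outside the hunk.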
--- a/fuzz-common.c	Sun Oct 18 12:17:39 2020 +0800
+++ b/fuzz-common.c	Sun Oct 18 15:08:54 2020 +0800
@@ -37,6 +37,7 @@
 
     memset(&ses, 0x0, sizeof(ses));
     memset(&svr_ses, 0x0, sizeof(svr_ses));
+    memset(&cli_ses, 0x0, sizeof(cli_ses));
     wrapfd_setup(fuzz.input);
 
     fuzz_seed();
@@ -64,6 +65,7 @@
     _dropbear_exit = svr_dropbear_exit;
 
     char *argv[] = { 
+		"dropbear",
         "-E", 
     };
 
@@ -80,6 +82,7 @@
 	_dropbear_log = cli_dropbear_log;
 
     char *argv[] = { 
+		"dbclient",
 		"-y",
         "localhost",
     };
@@ -168,7 +171,7 @@
     if (ret_errfd) {
         *ret_errfd = wrapfd_new();
     }
-    ret_pid = 999;
+    *ret_pid = 999;
     return DROPBEAR_SUCCESS;
 }
 
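Review bot: `*ret_pid = 999;` dereferences ret_pid unconditionally while ret_errfd two lines above is null-checked before being written, so the stub treats its two out-parameters differently; if the real spawn_command permits a NULL ret_pid, mirror it with `if (ret_pid) { *ret_pid = 999; }`. The literal 999 is a stand-in pid with no explanation; `/* fake pid: no child is spawned under fuzzing */` would do. The stub's signature and the start of its body are outside the hunk.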
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/fuzzer-client_nomaths.c	Sun Oct 18 15:08:54 2020 +0800
@@ -0,0 +1,6 @@
+#include "fuzz.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+	return fuzz_run_client(Data, Size, 1);
+}
+
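Review bot: The bare `1` passed as the third argument to fuzz_run_client is unexplained; the target name suggests it selects skip_kexmaths, so a comment such as `/* third argument: skip_kexmaths, run the client with the DH/ECDH computation skipped */` would make the difference from fuzzer-client clear (assuming fuzzer-client passes 0, which is not in this diff). The file also ends with an added blank line.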