Mercurial > dropbear
changeset 1771:af9ed0815818
Use SSH packet mutator for preauth too
Get rid of separate client mutator.
Have 0.1% chance of llvm random mutation
Add comments
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Thu, 29 Oct 2020 22:41:37 +0800 |
| parents | 66b29b054896 |
| children | 0cc85b4a4abb |
| files | Makefile.in fuzz/fuzz-sshpacketmutator.c fuzz/fuzzer-client_mutator.c fuzz/fuzzer-client_mutator_nomaths.c |
| diffstat | 4 files changed, 30 insertions(+), 27 deletions(-) [+] |
line wrap: on
line diff
--- a/Makefile.in Thu Oct 29 22:14:38 2020 +0800 +++ b/Makefile.in Thu Oct 29 22:41:37 2020 +0800 @@ -269,8 +269,7 @@ # list of fuzz targets FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey fuzzer-verify fuzzer-preauth_nomaths \ - fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client fuzzer-client_nomaths \ - fuzzer-client_mutator fuzzer-client_mutator_nomaths + fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client fuzzer-client_nomaths FUZZER_OPTIONS = $(addsuffix .options, $(FUZZ_TARGETS)) FUZZ_OBJS = $(addprefix fuzz/,$(addsuffix .o,$(FUZZ_TARGETS))) \ @@ -293,8 +292,10 @@ $(FUZZ_TARGETS): $(FUZZ_OBJS) $(allobjs) $(LIBTOM_DEPS) $(CXX) $(CXXFLAGS) fuzz/[email protected] $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) -lcrypt -# fuzzers that use the custom mutator -fuzzer-client_mutator fuzzer-client_mutator_nomaths: allobjs += fuzz/fuzz-sshpacketmutator.o +# fuzzers that use the custom mutator - these expect a SSH network stream +MUTATOR_FUZZERS=fuzzer-client fuzzer-client_nomaths \ + fuzzer-preauth fuzzer-preauth_nomaths +$(MUTATOR_FUZZERS): allobjs += fuzz/fuzz-sshpacketmutator.o fuzzer-%.options: Makefile echo "[libfuzzer]" > $@
--- a/fuzz/fuzz-sshpacketmutator.c Thu Oct 29 22:14:38 2020 +0800 +++ b/fuzz/fuzz-sshpacketmutator.c Thu Oct 29 22:41:37 2020 +0800 @@ -1,8 +1,28 @@ +/* A mutator/crossover for SSH protocol streams. + Attempts to mutate each SSH packet individually, keeping + lengths intact. + It will prepend a SSH-2.0-dbfuzz\r\n version string. + + Linking this file to a binary will make libfuzzer pick up the custom mutator. + + Care is taken to avoid memory allocation which would otherwise + slow exec/s substantially */ + #include "fuzz.h" #include "dbutil.h" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize); +static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n"; +static const size_t MAX_FUZZ_PACKETS = 500; +/* XXX This might need tuning */ +static const size_t MAX_OUT_SIZE = 50000; + +/* Splits packets from an input stream buffer "inp". +The initial SSH version identifier is discarded. +If packets are not recognised it will increment until an uint32 of valid +packet length is found. */ + /* out_packets an array of num_out_packets*buffer, each of size RECV_MAX_PACKET_LEN */ static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *num_out_packets) { /* Skip any existing banner. Format is @@ -52,8 +72,8 @@ } } -/* Mutate in-place */ -void buf_llvm_mutate(buffer *buf) { +/* Mutate a packet buffer in-place */ +static void buf_llvm_mutate(buffer *buf) { /* Position it after packet_length and padding_length */ const unsigned int offset = 5; if (buf->len < offset) { @@ -69,11 +89,6 @@ } -static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n"; -static const size_t MAX_FUZZ_PACKETS = 500; -/* XXX This might need tuning */ -static const size_t MAX_OUT_SIZE = 50000; - /* Persistent buffers to avoid constant allocations */ static buffer *oup; static buffer *alloc_packetA; @@ -111,12 +126,11 @@ memcpy(randstate, &Seed, sizeof(Seed)); // printhex("mutator input", Data, Size); - #if 0 - /* 1% chance straight llvm mutate */ - if (nrand48(randstate) % 100 == 0) { + + /* 0.1% chance straight llvm mutate */ + if (nrand48(randstate) % 1000 == 0) { return LLVMFuzzerMutate(Data, Size, MaxSize); } - #endif buffer inp_buf = {.data = Data, .size = Size, .len = Size, .pos = 0}; buffer *inp = &inp_buf;