add cifuzz bazel example project

simonresch · simonresch · commit 75e18d4ca6fe · 2024-09-18T12:01:46.000+02:00
diff --git a/.bazelrc b/.bazelrc
@@ -0,0 +1 @@
+coverage --java_runtime_version=remotejdk_11
diff --git a/.bazelversion b/.bazelversion
@@ -0,0 +1 @@
+7.3.1
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,2 @@
+/.cifuzz-*/
+/bazel-*
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,6 @@
+/bazel-*
+*_inputs
+.*_cifuzz_corpus/
+/.cifuzz-*/
+/.ijwb/
+/.clwb/
diff --git a/BUILD.bazel b/BUILD.bazel
@@ -0,0 +1,7 @@
+load("@rules_cc//cc:defs.bzl", "cc_binary")
+
+cc_binary(
+    name = "main",
+    srcs = ["main.cpp"],
+    deps = ["//src:explore_me"],
+)
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,23 @@
+FROM ubuntu:22.04
+
+WORKDIR /work
+
+# curl needed to download cifuzz and bazelisk
+# git needed by bazel to clone external repositories
+# python3 needed by rules_fuzzing to prepare the corpus direcotry
+# lcov needed by cifuzz to parse coverage reports
+RUN apt update && apt install -y curl git python3 lcov
+
+# Install bazelisk
+RUN curl https://github.com/bazelbuild/bazelisk/releases/download/v1.21.0/bazelisk-linux-amd64 -L -o /usr/bin/bazel && chmod +x /usr/bin/bazel
+
+# Install latest version of cifuzz
+ARG CIFUZZ_DOWNLOAD_TOKEN
+RUN sh -c "$(curl -fsSL https://downloads.code-intelligence.com/assets/install-cifuzz.sh)" $CIFUZZ_DOWNLOAD_TOKEN && rm cifuzz_installer
+
+# Copy example project
+COPY . .
+
+# Build the project to populate the bazel cache
+# Warning: This will take some time and produce a large docker image.
+RUN bazel build //...
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -0,0 +1,45 @@
+## Chromium sysroot
+http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+# This sysroot is used by github.com/vsco/bazel-toolchains.
+http_archive(
+    name = "org_chromium_sysroot_linux_x64",
+    build_file_content = """
+filegroup(
+  name = "sysroot",
+  srcs = glob(["*/**"]),
+  visibility = ["//visibility:public"],
+)
+""",
+    sha256 = "84656a6df544ecef62169cfe3ab6e41bb4346a62d3ba2a045dc5a0a2ecea94a3",
+    urls = ["https://commondatastorage.googleapis.com/chrome-linux-sysroot/toolchain/2202c161310ffde63729f29d27fe7bb24a0bc540/debian_stretch_amd64_sysroot.tar.xz"],
+)
+
+## LLVM toolchain
+bazel_dep(name = "toolchains_llvm", version = "v1.1.2")
+git_override(
+  module_name = "toolchains_llvm",
+  commit = "1cd9e36e498983f061aa239e18043cfd26c7ac28",
+  remote = "https://github.com/bazel-contrib/toolchains_llvm",
+)
+
+llvm = use_extension("@toolchains_llvm//toolchain/extensions:llvm.bzl", "llvm")
+llvm.toolchain(
+    name = "llvm_toolchain",
+    llvm_version = "15.0.6",
+)
+
+llvm.sysroot(
+    name = "llvm_toolchain",
+    label = "@org_chromium_sysroot_linux_x64//:sysroot",
+    targets = ["linux-x86_64"],
+)
+
+use_repo(llvm, "llvm_toolchain")
+
+register_toolchains("@llvm_toolchain//:all")
+
+## Fuzzing rules
+bazel_dep(name = "rules_fuzzing", version = "0.5.2")
+non_module_dependencies = use_extension("@rules_fuzzing//fuzzing/private:extensions.bzl", "non_module_dependencies")
+use_repo(non_module_dependencies, "rules_fuzzing_oss_fuzz")
diff --git a/MODULE.bazel.lock b/MODULE.bazel.lock
diff --git a/README.md b/README.md
@@ -0,0 +1,115 @@
+# cifuzz bazel example
+
+This is a simple bazel based project, already configured with
+**cifuzz**. It should quickly produce a finding, but slow enough to
+see the progress of the fuzzer.
+
+To start make sure you installed **cifuzz** according to the
+main [README](../../README.md).
+
+You can start the fuzzing with
+
+```bash
+cifuzz run //src:explore_me_fuzz_test
+```
+
+## Create regression test
+
+After you have discovered a finding, you may want to include this as
+part of a regression test. To replay findings from the
+`src/explore_me_fuzz_test_inputs` directory:
+
+```bash
+bazel test --config=cifuzz-replay //src:explore_me_fuzz_test --test_output=streamed
+```
+
+Note that this requires these lines in your `.bazelrc`:
+
+```bash
+# Replay cifuzz findings (C/C++ only)
+build:cifuzz-replay --@rules_fuzzing//fuzzing:cc_engine_sanitizer=asan-ubsan
+build:cifuzz-replay --compilation_mode=opt
+build:cifuzz-replay --copt=-g
+build:cifuzz-replay --copt=-U_FORTIFY_SOURCE
+build:cifuzz-replay --test_env=UBSAN_OPTIONS=halt_on_error=1
+```
+
+## C++ Toolchain
+
+This project uses
+[toolchains_llvm](https://github.com/bazel-contrib/toolchains_llvm) to configure
+the cc toolchain used by bazel to compile fuzz tests. To ensure hermetic
+builds a [chromium sysroot](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/linux/sysroot.md)
+is used.
+
+The toolchain can be tested using the provided `Dockerfile` which installs
+minimal dependencies to run this example project. Note, that no compiler and no
+C++ library headers are installed since they are provided with the cc toolchain.
+
+Start by building the docker image
+
+```
+export CIFUZZ_DOWNLOAD_TOKEN=<download token from https://downloads.code-intelligence.com>
+docker build --tag bazel-example --build-arg CIFUZZ_DOWNLOAD_TOKEN .
+```
+
+Warning: Don't push this docker image to a public repository since it could leak
+         your personal download token. This image is intended for local
+         experimentation.
+Warning: This docker image can become quite large because it populates the bazel
+         cache with all dependencies and the hermetic toolchain.
+
+Run the docker image
+
+```
+docker run --rm -it bazel-example
+```
+
+Inside the docker image you need to set `CC` and `CXX` to the toolchain clang
+compiler. This can be done with the `set_env.sh` script:
+
+```
+$ source set_env.sh
+$ $CC --version
+clang version 15.0.6
+Target: x86_64-unknown-linux-gnu
+Thread model: posix
+InstalledDir: /root/.cache/bazel/_bazel_root/1e0bb3bee2d09d2e4ad3523530d3b40c/execroot/_main/external/toolchains_llvm~~llvm~llvm_toolchain_llvm/bin
+```
+
+Now you can run cifuzz commands on the example project. For `cifuzz run` and
+`cifuzz coverage` you should get output similar to this:
+
+```
+$ cifuzz run
+🚀 Running //src:explore_me_fuzz_test_bin...
+ ✅  Building... Done.
+Log can be found here:
+    /work/.cifuzz-build/logs/build-src_explore_me_fuzz_test.log
+ ✅  Initializing... Done.
+Fuzz testing will be performed for 10m. Use '--max-fuzzing-duration' to change the duration.
+ ✅  Testing code...
+34 Unique Test Cases and 2 Findings detected in 0s.
+
+CRITICAL
+  💥 NEW [quirky_okapi] heap_buffer_overflow in exploreMe (src/explore_me.cpp:18:11)
+LOW
+  💥 NEW [stoic_jay] undefined behavior in exploreMe (src/explore_me.cpp:13:11)
+```
+
+```
+$ cifuzz coverage --format lcov
+ ✅  Building //src:explore_me_fuzz_test_bin... Done.
+ ✅  Generating lcov report for //src:explore_me_fuzz_test_bin... Done.
+ ✅  Creating coverage report... Done.
+
+                        File | Functions Hit/Found |  Lines Hit/Found | Branches Hit/Found
+          src/explore_me.cpp |      1 / 1 (100.0%) | 15 / 15 (100.0%) |     8 / 8 (100.0%)
+src/explore_me_fuzz_test.cpp |      2 / 2 (100.0%) |   8 / 8 (100.0%) |     0 / 0 (100.0%)
+                             |                     |                  |
+                             | Functions Hit/Found |  Lines Hit/Found | Branches Hit/Found
+                       Total |      3 / 3 (100.0%) | 23 / 23 (100.0%) |     8 / 8 (100.0%)
+
+LCOV report can be found here:
+    --src:explore_me_fuzz_test_bin.lcov.info
+```
diff --git a/WORKSPACE b/WORKSPACE
@@ -0,0 +1,9 @@
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+http_archive(
+    name = "cifuzz",
+    sha256 = "1e01292189b0524d1f6114e0717d107474c289f78cbe7513e79fcaff8f0dee90",
+    strip_prefix = "cifuzz-bazel-1.0.0",
+    urls = ["https://github.com/CodeIntelligenceTesting/cifuzz-bazel/archive/refs/tags/v1.0.0.zip"],
+)
+
diff --git a/cifuzz.yaml b/cifuzz.yaml
@@ -0,0 +1,35 @@
+## Configuration for a CI Fuzz project
+## Generated on 2023-04-04
+
+## The build system used to build this project. If not set, cifuzz tries
+## to detect the build system automatically.
+## Valid values: "bazel", "cmake", "other".
+#build-system: cmake
+
+## If the build system type is "other", this command is used by
+## `cifuzz run` to build the fuzz test.
+#build-command: "make my_fuzz_test"
+
+## Directories containing sample inputs for the code under test.
+## See https://llvm.org/docs/LibFuzzer.html#corpus
+#seed-corpus-dirs:
+# - path/to/seed-corpus
+
+## A file containing input language keywords or other interesting byte
+## sequences.
+## See https://llvm.org/docs/LibFuzzer.html#dictionaries
+#dict: path/to/dictionary.dct
+
+## Command-line arguments to pass to libFuzzer.
+## See https://llvm.org/docs/LibFuzzer.html#options
+#engine-args:
+# - -rss_limit_mb=4096
+
+## Maximum time to run fuzz tests. The default is to run indefinitely.
+#timeout: 30m
+
+## Set to true to print output of the `cifuzz run` command as JSON.
+#print-json: true
+
+## Set to true to disable desktop notifications
+#no-notifications: true
diff --git a/main.cpp b/main.cpp
@@ -0,0 +1,9 @@
+#include "src/explore_me.h"
+
+int main() {
+  exploreMe(1, 1, "A");
+  exploreMe(2147483647, 1, "A");
+  exploreMe(2147483647, 2147483647, "A");
+  exploreMe(2000000000, 2000000123, "A");
+  exploreMe(2000000000, 2000000123, "FUZZ");
+}
diff --git a/set_env.sh b/set_env.sh
@@ -0,0 +1,2 @@
+export CC=$(bazel info execution_root)/external/toolchains_llvm~~llvm~llvm_toolchain_llvm/bin/clang
+export CXX="$CC++"
diff --git a/src/BUILD.bazel b/src/BUILD.bazel
@@ -0,0 +1,26 @@
+load("@rules_fuzzing//fuzzing:cc_defs.bzl", "cc_fuzz_test")
+
+cc_library(
+    name = "explore_me",
+    srcs = ["explore_me.cpp"],
+    hdrs = ["explore_me.h"],
+    visibility = ["//visibility:public"],
+)
+
+cc_fuzz_test(
+    name = "explore_me_fuzz_test",
+    srcs = [
+        "explore_me_fuzz_test.cpp",
+    ],
+    corpus = glob(
+        ["explore_me_fuzz_test_inputs/**"],
+        allow_empty = True,
+    ) + select({
+        "@cifuzz//:collect_coverage": glob([".explore_me_fuzz_test_cifuzz_corpus/**"], allow_empty = True),
+        "//conditions:default": [],
+    }),
+    deps = [
+        ":explore_me",
+        "@cifuzz",
+    ],
+)
diff --git a/src/explore_me.cpp b/src/explore_me.cpp
@@ -0,0 +1,24 @@
+#include "explore_me.h"
+#include <cstdio>
+#include <cstring>
+using namespace std;
+
+// just a function with multiple paths that can be discoverd by a fuzzer
+void exploreMe(int a, int b, string c) {
+  if (a >= 20000) {
+    if (b >= 2000000) {
+      if (b - a < 100000) {
+        // Trigger the undefined behavior sanitizer
+        int n = 23;
+        n <<= 32;
+
+        if (c == "FUZZING") {
+          // Trigger a heap buffer overflow
+          char *s = (char *)malloc(1);
+          strcpy(s, "too long");
+          printf("%s\n", s);
+        }
+      }
+    }
+  }
+}
diff --git a/src/explore_me.h b/src/explore_me.h
@@ -0,0 +1,4 @@
+#include <string>
+using namespace std;
+
+void exploreMe(int a, int b, string c);
diff --git a/src/explore_me_fuzz_test.cpp b/src/explore_me_fuzz_test.cpp
@@ -0,0 +1,20 @@
+#include "src/explore_me.h"
+#include <cstdio>
+#include <cifuzz/cifuzz.h>
+#include <fuzzer/FuzzedDataProvider.h>
+
+FUZZ_TEST_SETUP() {}
+
+FUZZ_TEST(const uint8_t *data, size_t size) {
+
+  // As the function we want to fuzz expect two integers and one string we
+  // have to convert/cast the given input data into the expected variables/data
+  // types
+  FuzzedDataProvider fuzzed_data(data, size);
+  int a = fuzzed_data.ConsumeIntegral<int>();
+
+  int b = fuzzed_data.ConsumeIntegral<int>();
+  std::string c = fuzzed_data.ConsumeRandomLengthString();
+
+  exploreMe(a, b, c);
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+coverage --java_runtime_version=remotejdk_11`