new bug benchmarks

google · Jul 4, 2023 · a92bbc6 · a92bbc6
1 parent ce1be78
commit a92bbc6
Show file tree

Hide file tree

Showing 39 changed files with 1,356 additions and 7 deletions.
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -17,20 +17,26 @@ jobs:
       fail-fast: false
       matrix:
         benchmark:
+          - assimp_assimp_fuzzer_4d451f
           - bloaty_fuzz_target
           - bloaty_fuzz_target_52948c
           - curl_curl_fuzzer_http
+          - file_magic_fuzzer_2d5f85
           - freetype2_ftfuzzer
+          - grok_grk_decompress_fuzzer_9cd001
           - harfbuzz_hb-shape-fuzzer
           - harfbuzz_hb-shape-fuzzer_17863b
           - jsoncpp_jsoncpp_fuzzer
           - lcms_cms_transform_fuzzer
+          - lcms_cms_transform_all_fuzzer_97d37d
+          - libaom_av1_dec_fuzzer_6e1848
           - libjpeg-turbo_libjpeg_turbo_fuzzer
           - libpcap_fuzz_both
           - libpng_libpng_read_fuzzer
           - libxml2_xml
           - libxml2_xml_e85b9b
           - libxslt_xpath
+          - libxslt_xpath_93407f
           - mbedtls_fuzz_dtlsclient
           - mbedtls_fuzz_dtlsclient_7c6b0e
           - openh264_decoder_fuzzer
@@ -40,6 +46,7 @@ jobs:
           - proj4_proj_crs_to_crs_fuzzer
           - re2_fuzzer
           - sqlite3_ossfuzz
+          - sqlite3_ossfuzz_228a52
           - stb_stbi_read_fuzzer
           - systemd_fuzz-link-parser
           - vorbis_decode_fuzzer

diff --git a/benchmarks/assimp_assimp_fuzzer_4d451f/Dockerfile b/benchmarks/assimp_assimp_fuzzer_4d451f/Dockerfile
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+
+RUN apt-get update && apt-get install -y cmake ninja-build
+RUN git clone --recursive https://github.com/assimp/assimp.git
+WORKDIR assimp
+COPY build.sh $SRC/
+
diff --git a/benchmarks/assimp_assimp_fuzzer_4d451f/benchmark.yaml b/benchmarks/assimp_assimp_fuzzer_4d451f/benchmark.yaml
@@ -0,0 +1,5 @@
+# 4515118433566720
+commit: 4D451FE437195025CB933C69670AACF4F92968B3
+fuzz_target: assimp_fuzzer
+project: assimp
+type: bug
diff --git a/benchmarks/assimp_assimp_fuzzer_4d451f/build.sh b/benchmarks/assimp_assimp_fuzzer_4d451f/build.sh
@@ -0,0 +1,27 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# generate build env and build assimp
+cmake CMakeLists.txt -G "Ninja" -DBUILD_SHARED_LIBS=OFF -DASSIMP_BUILD_ZLIB=ON \
+                                -DASSIMP_BUILD_TESTS=OFF -DASSIMP_BUILD_ASSIMP_TOOLS=OFF \
+                                -DASSIMP_BUILD_SAMPLES=OFF
+cmake --build .
+
+# Build the fuzzer
+$CXX $CXXFLAGS $LIB_FUZZING_ENGINE -std=c++11 -I$SRC/assimp/include \
+		fuzz/assimp_fuzzer.cc -o $OUT/assimp_fuzzer  \
+		./lib/libassimp.a ./contrib/zlib/libzlibstatic.a
diff --git a/benchmarks/file_magic_fuzzer_2d5f85/Dockerfile b/benchmarks/file_magic_fuzzer_2d5f85/Dockerfile
@@ -0,0 +1,32 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+
+RUN apt-get update && apt install -y make autoconf automake libtool shtool
+RUN apt-get update && apt install -y libbz2-dev      liblzma-dev      zlib1g-dev      libzstd-dev      liblz4-dev
+RUN apt-get update && apt install -y libbz2-dev:i386 liblzma-dev:i386 zlib1g-dev:i386 libzstd-dev:i386 liblz4-dev:i386 
+RUN git clone https://github.com/file/file.git
+
+# Supplement file's existing test files
+RUN git clone https://github.com/DavidKorczynski/binary-samples.git && \
+    git -C binary-samples checkout 50f4f6ad752e982f26fab167665e763b6877c942
+RUN git clone https://github.com/corkami/pocs && \
+    git -C pocs checkout 127008ce71f27a722cb0e6fdcc3b161cae1f8d13
+
+
+WORKDIR file
+COPY build.sh fuzzer_temp_file.h magic_fuzzer.cc magic_fuzzer_loaddb.cc magic_fuzzer_fd.cc $SRC/
diff --git a/benchmarks/file_magic_fuzzer_2d5f85/README.md b/benchmarks/file_magic_fuzzer_2d5f85/README.md
@@ -0,0 +1,29 @@
+# file v5.35
+
+Modified the source `magic_fuzzer.cc` to exercise the functionality that exposes
+these four CVEs (use `magic_file` versus `magic_buffer`).  These bugs are related, 
+but not easily found within 24hr fuzzing. 
+
+- bug benchmark
+- 4 known bugs with POCs
+
+## CVE-2019-8904
+- [bug report](https://bugs.astron.com/view.php?id=62)
+- [POC input](https://bugs.astron.com/file_download.php?file_id=40&type=bug)
+- [patch](https://github.com/file/file/commit/94b7501f48e134e77716e7ebefc73d6bbe72ba55)
+  Avoid non-nul-terminated string read.
+
+## CVE-2019-8905
+- [bug report](https://bugs.astron.com/view.php?id=63)
+- [POC input](https://bugs.astron.com/file_download.php?file_id=41&type=bug)
+- [patch](https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b)
+  limit size of file_printable.
+
+## CVE-2019-8906
+- [bug report](https://bugs.astron.com/view.php?id=64)
+- [POC input](https://bugs.astron.com/file_download.php?file_id=42&type=bug)
+
+## CVE-2019-8907
+- [bug report](https://bugs.astron.com/view.php?id=65)
+- [POC input](https://bugs.astron.com/file_download.php?file_id=43&type=bug)
+
diff --git a/benchmarks/file_magic_fuzzer_2d5f85/benchmark.yaml b/benchmarks/file_magic_fuzzer_2d5f85/benchmark.yaml
@@ -0,0 +1,11 @@
+# 4575106269839360
+commit: 2D5F85874BF3C9C4841C08D18E97E0FE16BAE19F
+commit_date: 2022-09-16T16:52:35+0000
+fuzz_target: magic_fuzzer
+project: file
+type: bug
+unsupported_fuzzers:
+  - aflcc
+  - klee
+  - lafintel
+  - honggfuzz
diff --git a/benchmarks/file_magic_fuzzer_2d5f85/build.sh b/benchmarks/file_magic_fuzzer_2d5f85/build.sh
@@ -0,0 +1,37 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+autoreconf -i
+./configure --enable-static --enable-fsect-man5
+make V=1 all
+
+$CXX $CXXFLAGS -std=c++11 -Isrc/ \
+     $SRC/magic_fuzzer.cc -o $OUT/magic_fuzzer \
+     $LIB_FUZZING_ENGINE ./src/.libs/libmagic.a -l:libz.a -l:liblz4.a -l:libbz2.a -l:liblzma.a -l:libzstd.a
+$CXX $CXXFLAGS -std=c++11 -Isrc/ \
+     $SRC/magic_fuzzer_loaddb.cc -o $OUT/magic_fuzzer_loaddb \
+     $LIB_FUZZING_ENGINE ./src/.libs/libmagic.a -l:libz.a -l:liblz4.a -l:libbz2.a -l:liblzma.a -l:libzstd.a
+$CXX $CXXFLAGS -std=c++11 -Isrc/ \
+     $SRC/magic_fuzzer_fd.cc -o $OUT/magic_fuzzer_fd \
+     $LIB_FUZZING_ENGINE ./src/.libs/libmagic.a -l:libz.a -l:liblz4.a -l:libbz2.a -l:liblzma.a -l:libzstd.a
+
+cp ./magic/magic.mgc $OUT/
+
+mkdir pocs_all
+find $SRC/pocs/ -type f -print0 | xargs -0 -I % mv -f % ./pocs_all
+
+zip -j $OUT/magic_fuzzer_seed_corpus.zip ./tests/*.testfile $SRC/binary-samples/{elf,pe}-* $SRC/pocs_all
diff --git a/benchmarks/file_magic_fuzzer_2d5f85/fuzzer_temp_file.h b/benchmarks/file_magic_fuzzer_2d5f85/fuzzer_temp_file.h
@@ -0,0 +1,81 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Adapter utility from fuzzer input to a temporary file, for fuzzing APIs that
+// require a file instead of an input buffer.
+
+#ifndef FUZZER_TEMP_FILE_H_
+#define FUZZER_TEMP_FILE_H_
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+// Pure-C interface for creating and cleaning up temporary files.
+
+static char* fuzzer_get_tmpfile(const uint8_t* data, size_t size) {
+    char* filename_buffer = strdup("/tmp/generate_temporary_file.XXXXXX");
+    if (!filename_buffer) {
+        perror("Failed to allocate file name buffer.");
+        abort();
+    }
+    const int file_descriptor = mkstemp(filename_buffer);
+    if (file_descriptor < 0) {
+        perror("Failed to make temporary file.");
+        abort();
+    }
+    FILE* file = fdopen(file_descriptor, "wb");
+    if (!file) {
+        perror("Failed to open file descriptor.");
+        close(file_descriptor);
+        abort();
+    }
+    const size_t bytes_written = fwrite(data, sizeof(uint8_t), size, file);
+    if (bytes_written < size) {
+        close(file_descriptor);
+        fprintf(stderr, "Failed to write all bytes to file (%zu out of %zu)",
+                bytes_written, size);
+        abort();
+    }
+    fclose(file);
+    return filename_buffer;
+}
+
+static void fuzzer_release_tmpfile(char* filename) {
+    if (unlink(filename) != 0) {
+        perror("WARNING: Failed to delete temporary file.");
+    }
+    free(filename);
+}
+
+// C++ RAII object for creating temporary files.
+
+#ifdef __cplusplus
+class FuzzerTemporaryFile {
+    public:
+        FuzzerTemporaryFile(const uint8_t* data, size_t size)
+            : filename_(fuzzer_get_tmpfile(data, size)) {}
+
+        ~FuzzerTemporaryFile() { fuzzer_release_tmpfile(filename_); }
+
+        const char* filename() const { return filename_; }
+
+    private:
+        char* filename_;
+};
+#endif
+
+#endif  // FUZZER_TEMP_FILE_H_
diff --git a/benchmarks/file_magic_fuzzer_2d5f85/magic_fuzzer.cc b/benchmarks/file_magic_fuzzer_2d5f85/magic_fuzzer.cc
@@ -0,0 +1,54 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <libgen.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string>
+
+#include <magic.h>
+
+struct Environment {
+  Environment(std::string data_dir) {
+    magic = magic_open(MAGIC_COMPRESS|MAGIC_CONTINUE|MAGIC_NO_COMPRESS_FORK);
+    std::string magic_path = data_dir + "/magic";
+    if (magic_load(magic, magic_path.c_str())) {
+      fprintf(stderr, "error loading magic file: %s\n", magic_error(magic));
+      exit(1);
+    }
+  }
+
+  magic_t magic;
+};
+
+static Environment* env;
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
+  char* exe_path = (*argv)[0];
+  // dirname() can modify its argument.
+  char* exe_path_copy = strdup(exe_path);
+  char* dir = dirname(exe_path_copy);
+  env = new Environment(dir);
+  free(exe_path_copy);
+  return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size < 1)
+    return 0;
+  magic_buffer(env->magic, data, size);
+  return 0;
+}