1 parent
ce1be78
commit a92bbc6
Showing
39 changed files
with
1,356 additions
and
7 deletions.
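--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,23 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+
+RUN apt-get update && apt-get install -y cmake ninja-build
+RUN git clone --recursive https://github.com/assimp/assimp.git
+WORKDIR assimp
+COPY build.sh $SRC/
+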
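Review bot: The `RUN git clone --recursive https://github.com/assimp/assimp.git` line pins nothing, so the image builds whatever assimp HEAD is at build time, while the benchmark metadata added in this commit names a specific commit (`4D451FE437195025CB933C69670AACF4F92968B3`); unless the harness itself checks out that commit after the clone, which is not visible here, the reproduction is not deterministic and a later upstream fix silently removes the target bug. Consider adding `RUN git -C assimp checkout 4D451FE437195025CB933C69670AACF4F92968B3 && git -C assimp submodule update --init --recursive` after the clone, or documenting in the Dockerfile where the checkout happens. The same unpinned `git clone https://github.com/file/file.git` appears in the second Dockerfile, where the two auxiliary sample repositories are pinned to a SHA but `file` itself is not.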
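--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,5 @@
+# 4515118433566720
+commit: 4D451FE437195025CB933C69670AACF4F92968B3
+fuzz_target: assimp_fuzzer
+project: assimp
+type: bug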
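Review bot: This assimp entry has no `commit_date`, while the `file` entry added in the same commit records `commit_date: 2022-09-16T16:52:35+0000` next to its `commit:`; if the benchmark tooling uses that date to pick a toolchain or base-image era, the two entries will be handled differently. Suggest adding `commit_date: <date of commit 4D451FE4…, not shown on page>` here for parity, or dropping it from the other entry if it is unused.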
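--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -0,0 +1,27 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# generate build env and build assimp
+cmake CMakeLists.txt -G "Ninja" -DBUILD_SHARED_LIBS=OFF -DASSIMP_BUILD_ZLIB=ON \
+-DASSIMP_BUILD_TESTS=OFF -DASSIMP_BUILD_ASSIMP_TOOLS=OFF \
+-DASSIMP_BUILD_SAMPLES=OFF
+cmake --build .
+
+# Build the fuzzer
+$CXX $CXXFLAGS $LIB_FUZZING_ENGINE -std=c++11 -I$SRC/assimp/include \
+fuzz/assimp_fuzzer.cc -o $OUT/assimp_fuzzer \
+./lib/libassimp.a ./contrib/zlib/libzlibstatic.a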
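--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-4
@@ -0,0 +1,32 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+
+RUN apt-get update && apt install -y make autoconf automake libtool shtool
+RUN apt-get update && apt install -y libbz2-dev liblzma-dev zlib1g-dev libzstd-dev liblz4-dev
+RUN apt-get update && apt install -y libbz2-dev:i386 liblzma-dev:i386 zlib1g-dev:i386 libzstd-dev:i386 liblz4-dev:i386
+RUN git clone https://github.com/file/file.git
+
+# Supplement file's existing test files
+RUN git clone https://github.com/DavidKorczynski/binary-samples.git && \
+git -C binary-samples checkout 50f4f6ad752e982f26fab167665e763b6877c942
+RUN git clone https://github.com/corkami/pocs && \
+git -C pocs checkout 127008ce71f27a722cb0e6fdcc3b161cae1f8d13
+
+
+WORKDIR file
+COPY build.sh fuzzer_temp_file.h magic_fuzzer.cc magic_fuzzer_loaddb.cc magic_fuzzer_fd.cc $SRC/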
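Review bot: The three `RUN apt-get update && apt install -y …` lines use `apt` rather than `apt-get`; `apt` is intended for interactive use and its output is not stable for scripts, and each line re-runs `apt-get update` and adds a layer. The conventional form is one `RUN apt-get update && apt-get install -y make autoconf automake libtool shtool libbz2-dev liblzma-dev zlib1g-dev libzstd-dev liblz4-dev libbz2-dev:i386 liblzma-dev:i386 zlib1g-dev:i386 libzstd-dev:i386 liblz4-dev:i386`. The `:i386` packages only resolve if the i386 foreign architecture is already enabled in the base image (`dpkg --add-architecture i386` is not run here); I assume the base-builder image does this, but it is worth confirming, since a failure on that line breaks the whole image rather than only the i386 build configuration.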
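--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-5
@@ -0,0 +1,29 @@
+# file v5.35
+
+Modified the source `magic_fuzzer.cc` to exercise the functionality that exposes
+these four CVEs (use `magic_file` versus `magic_buffer`). These bugs are related,
+but not easily found within 24hr fuzzing.
+
+- bug benchmark
+- 4 known bugs with POCs
+
+## CVE-2019-8904
+- [bug report](https://bugs.astron.com/view.php?id=62)
+- [POC input](https://bugs.astron.com/file_download.php?file_id=40&type=bug)
+- [patch](https://github.com/file/file/commit/94b7501f48e134e77716e7ebefc73d6bbe72ba55)
+Avoid non-nul-terminated string read.
+
+## CVE-2019-8905
+- [bug report](https://bugs.astron.com/view.php?id=63)
+- [POC input](https://bugs.astron.com/file_download.php?file_id=41&type=bug)
+- [patch](https://github.com/file/file/commit/d65781527c8134a1202b2649695d48d5701ac60b)
+limit size of file_printable.
+
+## CVE-2019-8906
+- [bug report](https://bugs.astron.com/view.php?id=64)
+- [POC input](https://bugs.astron.com/file_download.php?file_id=42&type=bug)
+
+## CVE-2019-8907
+- [bug report](https://bugs.astron.com/view.php?id=65)
+- [POC input](https://bugs.astron.com/file_download.php?file_id=43&type=bug)
+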
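--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-6
@@ -0,0 +1,11 @@
+# 4575106269839360
+commit: 2D5F85874BF3C9C4841C08D18E97E0FE16BAE19F
+commit_date: 2022-09-16T16:52:35+0000
+fuzz_target: magic_fuzzer
+project: file
+type: bug
+unsupported_fuzzers:
+- aflcc
+- klee
+- lafintel
+- honggfuzz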
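--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-7
@@ -0,0 +1,37 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+autoreconf -i
+./configure --enable-static --enable-fsect-man5
+make V=1 all
+
+$CXX $CXXFLAGS -std=c++11 -Isrc/ \
+$SRC/magic_fuzzer.cc -o $OUT/magic_fuzzer \
+$LIB_FUZZING_ENGINE ./src/.libs/libmagic.a -l:libz.a -l:liblz4.a -l:libbz2.a -l:liblzma.a -l:libzstd.a
+$CXX $CXXFLAGS -std=c++11 -Isrc/ \
+$SRC/magic_fuzzer_loaddb.cc -o $OUT/magic_fuzzer_loaddb \
+$LIB_FUZZING_ENGINE ./src/.libs/libmagic.a -l:libz.a -l:liblz4.a -l:libbz2.a -l:liblzma.a -l:libzstd.a
+$CXX $CXXFLAGS -std=c++11 -Isrc/ \
+$SRC/magic_fuzzer_fd.cc -o $OUT/magic_fuzzer_fd \
+$LIB_FUZZING_ENGINE ./src/.libs/libmagic.a -l:libz.a -l:liblz4.a -l:libbz2.a -l:liblzma.a -l:libzstd.a
+
+cp ./magic/magic.mgc $OUT/
+
+mkdir pocs_all
+find $SRC/pocs/ -type f -print0 | xargs -0 -I % mv -f % ./pocs_all
+
+zip -j $OUT/magic_fuzzer_seed_corpus.zip ./tests/*.testfile $SRC/binary-samples/{elf,pe}-* $SRC/pocs_all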
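Review bot: The `find $SRC/pocs/ -type f -print0 | xargs -0 -I % mv -f % ./pocs_all` line flattens every file of the pocs checkout into one directory, so any two samples that share a basename in different subdirectories silently overwrite each other and never reach the seed corpus; `zip -j` on the last line flattens the remaining inputs the same way. If the corpus is meant to carry every sample, derive a unique name from the relative path instead, e.g. `find $SRC/pocs/ -type f -print0 | while IFS= read -r -d '' f; do cp "$f" "./pocs_all/$(printf '%s' "${f#$SRC/pocs/}" | tr / _)"; done`. Separately, `cp ./magic/magic.mgc $OUT/` puts the database next to the binaries while the harness loads `<dir>/magic`; I believe libmagic resolves the `.mgc` suffix itself, but a one-line comment stating that dependency would save the next reader a trip into libmagic.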
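--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-8
@@ -0,0 +1,81 @@
+// Copyright 2022 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Adapter utility from fuzzer input to a temporary file, for fuzzing APIs that
+// require a file instead of an input buffer.
+
+#ifndef FUZZER_TEMP_FILE_H_
+#define FUZZER_TEMP_FILE_H_
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+// Pure-C interface for creating and cleaning up temporary files.
+
+static char* fuzzer_get_tmpfile(const uint8_t* data, size_t size) {
+char* filename_buffer = strdup("/tmp/generate_temporary_file.XXXXXX");
+if (!filename_buffer) {
+perror("Failed to allocate file name buffer.");
+abort();
+}
+const int file_descriptor = mkstemp(filename_buffer);
+if (file_descriptor < 0) {
+perror("Failed to make temporary file.");
+abort();
+}
+FILE* file = fdopen(file_descriptor, "wb");
+if (!file) {
+perror("Failed to open file descriptor.");
+close(file_descriptor);
+abort();
+}
+const size_t bytes_written = fwrite(data, sizeof(uint8_t), size, file);
+if (bytes_written < size) {
+close(file_descriptor);
+fprintf(stderr, "Failed to write all bytes to file (%zu out of %zu)",
+bytes_written, size);
+abort();
+}
+fclose(file);
+return filename_buffer;
+}
+
+static void fuzzer_release_tmpfile(char* filename) {
+if (unlink(filename) != 0) {
+perror("WARNING: Failed to delete temporary file.");
+}
+free(filename);
+}
+
+// C++ RAII object for creating temporary files.
+
+#ifdef __cplusplus
+class FuzzerTemporaryFile {
+public:
+FuzzerTemporaryFile(const uint8_t* data, size_t size)
+: filename_(fuzzer_get_tmpfile(data, size)) {}
+
+~FuzzerTemporaryFile() { fuzzer_release_tmpfile(filename_); }
+
+const char* filename() const { return filename_; }
+
+private:
+char* filename_;
+};
+#endif
+
+#endif // FUZZER_TEMP_FILE_H_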
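Review bot: `fclose(file)` at the end of fuzzer_get_tmpfile is unchecked, yet it is the call that flushes stdio's buffer to the descriptor, so a write error that only surfaces at flush time (ENOSPC, EIO) returns a path to a truncated or empty file and the fuzz target then runs on input that does not match what the engine generated; the `bytes_written < size` check just above only catches errors that surface before the flush. Change it to `if (fclose(file) != 0) { perror("Failed to close temporary file."); abort(); }` to match the abort-on-failure policy the rest of the function follows. On the `fwrite` failure path, `close(file_descriptor)` is called while `file` still owns that descriptor; since `abort()` follows it is harmless, but `fclose(file)` is the matching call and avoids a reader wondering whether the stream is leaked.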
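--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-9
@@ -0,0 +1,54 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <libgen.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string>
+
+#include <magic.h>
+
+struct Environment {
+Environment(std::string data_dir) {
+magic = magic_open(MAGIC_COMPRESS|MAGIC_CONTINUE|MAGIC_NO_COMPRESS_FORK);
+std::string magic_path = data_dir + "/magic";
+if (magic_load(magic, magic_path.c_str())) {
+fprintf(stderr, "error loading magic file: %s\n", magic_error(magic));
+exit(1);
+}
+}
+
+magic_t magic;
+};
+
+static Environment* env;
+
+extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
+char* exe_path = (*argv)[0];
+// dirname() can modify its argument.
+char* exe_path_copy = strdup(exe_path);
+char* dir = dirname(exe_path_copy);
+env = new Environment(dir);
+free(exe_path_copy);
+return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+if (size < 1)
+return 0;
+magic_buffer(env->magic, data, size);
+return 0;
+}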
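Review bot: The `magic_open(...)` result in the Environment constructor is never checked before `magic_load(magic, …)` and `magic_error(magic)` are called on it, so an allocation failure is reported as a database-load failure with whatever `magic_error` returns for a NULL handle in this libmagic version; add `if (!magic) { fprintf(stderr, "magic_open failed\n"); exit(1); }` right after the call so the message names the real fault. `strdup` in LLVMFuzzerInitialize is declared in `<string.h>`, which this file does not include (it appears to rely on a transitive include through `<string>`), and its result is passed to `dirname` without a NULL check. Separately, the README in this commit says `magic_fuzzer.cc` was changed to call `magic_file` rather than `magic_buffer` so the four listed CVEs become reachable, but the harness here still calls `magic_buffer(env->magic, data, size)`; the file path is not shown on this page, so if this is the `magic_fuzzer.cc` named as `fuzz_target` in the benchmark metadata, the target would not exercise the code path the README describes.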