From 915cd234e0fd80747e82302ffef9bea63a80276b Mon Sep 17 00:00:00 2001
From: Addison Crump
Date: Fri, 20 Sep 2024 01:12:12 +0200
Subject: [PATCH] Fixup libafl_fuzzbench-based fuzzers (#2032)
Fixes #2019.
---
 .github/workflows/benchmarks.yml | 1 +
 .../mruby_mruby_fuzzer_8c8bbd/Dockerfile | 24 ++++
 .../mruby_mruby_fuzzer_8c8bbd/benchmark.yaml | 6 +
 benchmarks/mruby_mruby_fuzzer_8c8bbd/build.sh | 44 ++++++++
 .../mruby_mruby_fuzzer_8c8bbd/mruby.dict | 105 ++++++++++++++++++
 .../mruby_mruby_fuzzer_8c8bbd/mruby_fuzzer.c | 18 +++
 fuzzers/gramatron/builder.Dockerfile | 6 +-
 fuzzers/gramatron/fuzzer.yaml | 2 +-
 fuzzers/grimoire/builder.Dockerfile | 6 +-
 fuzzers/grimoire/fuzzer.yaml | 2 +-
 fuzzers/nautilus/builder.Dockerfile | 6 +-
 fuzzers/nautilus/fuzzer.yaml | 2 +-
 fuzzers/nautilus/runner.Dockerfile | 2 +
 fuzzers/token_level/builder.Dockerfile | 6 +-
 fuzzers/token_level/fuzzer.yaml | 2 +-
 fuzzers/token_level/runner.Dockerfile | 2 +
 16 files changed, 218 insertions(+), 16 deletions(-)
 create mode 100644 benchmarks/mruby_mruby_fuzzer_8c8bbd/Dockerfile
 create mode 100644 benchmarks/mruby_mruby_fuzzer_8c8bbd/benchmark.yaml
 create mode 100755 benchmarks/mruby_mruby_fuzzer_8c8bbd/build.sh
 create mode 100644 benchmarks/mruby_mruby_fuzzer_8c8bbd/mruby.dict
 create mode 100644 benchmarks/mruby_mruby_fuzzer_8c8bbd/mruby_fuzzer.c
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index e2dd99db7..93185329a 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -33,6 +33,7 @@ jobs:
 - libxslt_xpath
 - mbedtls_fuzz_dtlsclient
 - mbedtls_fuzz_dtlsclient_7c6b0e
+ - mruby_mruby_fuzzer_8c8bbd
 - openh264_decoder_fuzzer
 - openssl_x509
 - openthread_ot-ip6-send-fuzzer
diff --git a/benchmarks/mruby_mruby_fuzzer_8c8bbd/Dockerfile b/benchmarks/mruby_mruby_fuzzer_8c8bbd/Dockerfile
new file mode 100644
index 000000000..e1c07b611
--- /dev/null
+++ b/benchmarks/mruby_mruby_fuzzer_8c8bbd/Dockerfile
@@ -0,0 +1,24 @@
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder@sha256:87ca1e9e19235e731fac8de8d1892ebe8d55caf18e7aa131346fc582a2034fdd
+RUN apt-get update && apt-get install -y build-essential ruby bison ninja-build \
+ cmake zlib1g-dev libbz2-dev liblzma-dev
+RUN git clone \
+ https://github.com/mruby/mruby
+RUN git clone --depth 1 https://github.com/bshastry/mruby_seeds.git mruby_seeds
+WORKDIR mruby
+COPY build.sh *.c *.options *.dict $SRC/
diff --git a/benchmarks/mruby_mruby_fuzzer_8c8bbd/benchmark.yaml b/benchmarks/mruby_mruby_fuzzer_8c8bbd/benchmark.yaml
new file mode 100644
index 000000000..3be8ab87e
--- /dev/null
+++ b/benchmarks/mruby_mruby_fuzzer_8c8bbd/benchmark.yaml
@@ -0,0 +1,6 @@
+commit: 8c8bbd94dce3b3eabcf72c674e690516c075b0ee
+commit_date: 2023-02-03T04:41:10+0000
+fuzz_target: mruby_fuzzer
+project: mruby
+type: bug
+unsupported_fuzzers:
diff --git a/benchmarks/mruby_mruby_fuzzer_8c8bbd/build.sh b/benchmarks/mruby_mruby_fuzzer_8c8bbd/build.sh
new file mode 100755
index 000000000..f984cc040
--- /dev/null
+++ b/benchmarks/mruby_mruby_fuzzer_8c8bbd/build.sh
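Review bot: The `RUN git clone` of https://github.com/mruby/mruby checks out whatever mruby HEAD is at build time, while benchmark.yaml in this same commit records commit 8c8bbd94dce3b3eabcf72c674e690516c075b0ee; unless the benchmark tooling performs that checkout itself (not visible here), the image does not build the revision its name promises and is not reproducible. Appending `&& cd mruby && git checkout 8c8bbd94dce3b3eabcf72c674e690516c075b0ee` to that RUN pins it; the `--depth 1` clone of mruby_seeds is unpinned in the same way. The apt-get line pulls in recommended packages and leaves /var/lib/apt/lists in the layer, which `--no-install-recommends` and a trailing `rm -rf /var/lib/apt/lists/*` in the same RUN would avoid. `WORKDIR mruby` is a relative path that resolves against whatever working directory the base image sets; `WORKDIR $SRC/mruby` states the intent explicitly.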
@@ -0,0 +1,44 @@
+#!/bin/bash -eu
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Instrument mruby
+(
+cd $SRC/mruby
+export LD=$CC
+export LDFLAGS="$CFLAGS -fPIE"
+
+# No you cannot overwrite CC/CXX, otherwise afl++, libafl, etc. wont work!
+#LD=/usr/local/bin/clang CC=/usr/local/bin/clang CXX=/usr/local/bin/clang++ rake -m || true
+rake -m || true
+
+test -f $SRC/mruby/build/host/lib/libmruby.a
+
+# build fuzzers
+FUZZ_TARGET=$SRC/mruby_fuzzer.c
+name=$(basename $FUZZ_TARGET .c)
+$CC -c $CFLAGS -Iinclude \
+ ${FUZZ_TARGET} -o $OUT/${name}.o
+$CXX $CXXFLAGS $OUT/${name}.o $LIB_FUZZING_ENGINE -lm \
+ $SRC/mruby/build/host/lib/libmruby.a -o $OUT/${name}
+rm -f $OUT/${name}.o
+)
+
+# dict
+cp $SRC/mruby.dict $OUT/mruby_fuzzer.dict
+
+# seeds
+zip -rq $OUT/mruby_fuzzer_seed_corpus $SRC/mruby_seeds
diff --git a/benchmarks/mruby_mruby_fuzzer_8c8bbd/mruby.dict b/benchmarks/mruby_mruby_fuzzer_8c8bbd/mruby.dict
new file mode 100644
index 000000000..a332d3505
--- /dev/null
+++ b/benchmarks/mruby_mruby_fuzzer_8c8bbd/mruby.dict
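Review bot: `rake -m || true` in the instrumentation subshell discards every rake failure and nothing records why that is acceptable; the `test -f $SRC/mruby/build/host/lib/libmruby.a` that follows is the only thing standing between a broken mruby build and a silently empty benchmark. A comment above it such as `# rake may fail on targets this benchmark does not need; only libmruby.a is required, checked below` would document the intent, if that is indeed the reason. Every `$SRC`, `$OUT` and `$FUZZ_TARGET` expansion in the script is unquoted; quoting them (for example `"$OUT/${name}.o"`) costs nothing and keeps `bash -eu` from word-splitting paths that contain spaces.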
@@ -0,0 +1,105 @@
+keyword___ENCODING__="__ENCODING__"
+keyword___FILE__="__FILE__"
+keyword___LINE__="__LINE__"
+keyword_BEGIN="BEGIN"
+keyword_END="END"
+keyword_alias="alias"
+keyword_and="and"
+keyword_begin="begin"
+keyword_break="break"
+keyword_case="case"
+keyword_class="class"
+keyword_def="def"
+keyword_do="do"
+keyword_else="else"
+keyword_elsif="elsif"
+keyword_end="end"
+keyword_ensure="ensure"
+keyword_false="false"
+keyword_for="for"
+keyword_if="if"
+keyword_in="in"
+keyword_module="module"
+keyword_next="next"
+keyword_nil="nil"
+keyword_not="not"
+keyword_or="or"
+keyword_redo="redo"
+keyword_rescue="rescue"
+keyword_retry="retry"
+keyword_return="return"
+keyword_self="self"
+keyword_super="super"
+keyword_then="then"
+keyword_true="true"
+keyword_undef="undef"
+keyword_unless="unless"
+keyword_until="until"
+keyword_when="when"
+keyword_while="while"
+keyword_yield="yield"
+
+operator_a=" !"
+operator_b=" ~"
+operator_c=" +"
+operator_d=" -"
+operator_e=" []"
+operator_f=" []="
+operator_g=" *"
+operator_h=" /"
+operator_i=" %"
+operator_j=" +-"
+operator_k=" >>"
+operator_l=" <<"
+operator_m=" &"
+operator_n=" ^"
+operator_o=" |"
+operator_p=" <="
+operator_q=" <>"
+operator_r=" >="
+operator_s=" <=>"
+operator_t=" =="
+operator_u=" ==="
+operator_v=" !="
+operator_w=" =~"
+operator_x=" !~"
+operator_y=" &&"
+operator_z=" ||"
+operator_aa=" .."
+operator_ab=" ..."
+operator_ac=" ?"
+operator_ad=" :"
+operator_ae=" ="
+operator_af=" %="
+operator_ag=" /="
+operator_ah=" -="
+operator_ai=" +="
+operator_aj=" |="
+operator_ak=" &="
+operator_al=" >>="
+operator_am=" <<="
+operator_an=" *="
+operator_ao=" &&="
+operator_ap=" ||="
+operator_aq=" **="
+operator_ar=" ^="
+operator_as=" not"
+operator_at=" or"
+operator_au=" and"
+operator_av=" if"
+operator_aw=" unless"
+operator_ax=" while"
+operator_ay=" until"
+operator_az=" begin"
+operator_ba=" end"
+
+snippet_1eq1=" 1=1"
+snippet_dollar=" $1"
+snippet_at=" @a"
+snippet_symbol=" :a"
+snippet_array=" [1,2]"
+snippet_block=" 1.times{|x| x}"
+snippet_multi=" 1*1"
+
+string_single_q=" 'a'"
+string_dbl_q=" \"a\""
diff --git a/benchmarks/mruby_mruby_fuzzer_8c8bbd/mruby_fuzzer.c b/benchmarks/mruby_mruby_fuzzer_8c8bbd/mruby_fuzzer.c
new file mode 100644
index 000000000..9d3d44a5b
--- /dev/null
+++ b/benchmarks/mruby_mruby_fuzzer_8c8bbd/mruby_fuzzer.c
@@ -0,0 +1,18 @@
+#include
+#include
+#include
+#include
+
+int LLVMFuzzerTestOneInput(uint8_t *Data, size_t size) {
+ if (size < 1) {
+ return 0;
+ }
+ char *code = malloc(size+1);
+ memcpy(code, Data, size);
+ code[size] = '\0';
+ mrb_state *mrb = mrb_open();
+ mrb_load_string(mrb, code);
+ mrb_close(mrb);
+ free(code);
+ return 0;
+}
diff --git a/fuzzers/gramatron/builder.Dockerfile b/fuzzers/gramatron/builder.Dockerfile
index f1890e47c..3ad5056f8 100644
--- a/fuzzers/gramatron/builder.Dockerfile
+++ b/fuzzers/gramatron/builder.Dockerfile
@@ -17,7 +17,7 @@ FROM $parent_image
 # Install libstdc++ to use llvm_mode.
 RUN apt-get update && \
- apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
+ apt-get install -y wget libstdc++-10-dev libtool-bin automake flex bison \
 libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
 apt-utils apt-transport-https ca-certificates joe curl \
 python3-dev gzip
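Review bot: `char *code = malloc(size+1);` is dereferenced by the `memcpy` on the next line without a NULL check; under libFuzzer's malloc limit a failed allocation then surfaces as a null write inside the harness rather than as a finding in mruby, so add `if (!code) return 0;` right after the allocation. `mrb_open()` can likewise return NULL on allocation failure and its result goes straight into `mrb_load_string`; `if (!mrb) { free(code); return 0; }` keeps such harness crashes out of crash triage. The entry point is declared as `int LLVMFuzzerTestOneInput(uint8_t *Data, size_t size)`, whereas the libFuzzer convention is `const uint8_t *Data`, which also documents that the input buffer is never modified. The four `#include` lines show no header names in this rendering, so the includes could not be checked.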
@@ -32,14 +32,14 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
 # Download libafl
 RUN git clone https://github.com/AFLplusplus/libafl_fuzzbench /libafl_fuzzbench && \
 cd /libafl_fuzzbench && \
- git checkout db32b7b8c1c0065a0cec2129b4dfe3897d1b9a4b && \
+ git checkout b7fc9fd143daff0190fd623ed3a8b9fbc64cc00c && \
 git submodule update --init
 # Compile libafl
 RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \
 export CC=clang && export CXX=clang++ && \
 export LIBAFL_EDGES_MAP_SIZE=2621440 && \
- PATH="$PATH:/root/.cargo/bin/" cargo build --release
+ PATH="/root/.cargo/bin:$PATH" cargo build --release -p gramatron
 RUN wget https://gist.githubusercontent.com/andreafioraldi/e5f60d68c98b31665a274207cfd05541/raw/4da351a321f1408df566a9cf2ce7cde6eeab3904/empty_fuzzer_lib.c -O /empty_fuzzer_lib.c && \
 clang -c /empty_fuzzer_lib.c && \
diff --git a/fuzzers/gramatron/fuzzer.yaml b/fuzzers/gramatron/fuzzer.yaml
index de283f07d..4a6f1fef2 100644
--- a/fuzzers/gramatron/fuzzer.yaml
+++ b/fuzzers/gramatron/fuzzer.yaml
@@ -1,4 +1,4 @@
 allowed_benchmarks:
 - quickjs_eval-2020-01-05
 - php_php-fuzz-execute
- - mruby-2018-05-23
+ - mruby_mruby_fuzzer_8c8bbd
diff --git a/fuzzers/grimoire/builder.Dockerfile b/fuzzers/grimoire/builder.Dockerfile
index f1890e47c..eff47a170 100644
--- a/fuzzers/grimoire/builder.Dockerfile
+++ b/fuzzers/grimoire/builder.Dockerfile
@@ -17,7 +17,7 @@ FROM $parent_image
 # Install libstdc++ to use llvm_mode.
 RUN apt-get update && \
- apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
+ apt-get install -y wget libstdc++-10-dev libtool-bin automake flex bison \
 libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
 apt-utils apt-transport-https ca-certificates joe curl \
 python3-dev gzip
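Review bot: The rewritten `cargo build --release -p gramatron` line does not pass `--locked`, so if Cargo.lock at the pinned libafl_fuzzbench commit b7fc9fd143daff0190fd623ed3a8b9fbc64cc00c is missing or out of date, cargo re-resolves dependency versions at build time and two builds of the same pinned commit can pull different crates. `PATH="/root/.cargo/bin:$PATH" cargo build --release --locked -p gramatron` makes the lockfile authoritative and fails loudly instead of silently drifting. The same line is changed identically in the grimoire, nautilus and token_level builder.Dockerfile hunks. The final `RUN wget` command in this hunk continues past the hunk's end.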
@@ -32,14 +32,14 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
 # Download libafl
 RUN git clone https://github.com/AFLplusplus/libafl_fuzzbench /libafl_fuzzbench && \
 cd /libafl_fuzzbench && \
- git checkout db32b7b8c1c0065a0cec2129b4dfe3897d1b9a4b && \
+ git checkout b7fc9fd143daff0190fd623ed3a8b9fbc64cc00c && \
 git submodule update --init
 # Compile libafl
 RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \
 export CC=clang && export CXX=clang++ && \
 export LIBAFL_EDGES_MAP_SIZE=2621440 && \
- PATH="$PATH:/root/.cargo/bin/" cargo build --release
+ PATH="/root/.cargo/bin:$PATH" cargo build --release -p grimoire
 RUN wget https://gist.githubusercontent.com/andreafioraldi/e5f60d68c98b31665a274207cfd05541/raw/4da351a321f1408df566a9cf2ce7cde6eeab3904/empty_fuzzer_lib.c -O /empty_fuzzer_lib.c && \
 clang -c /empty_fuzzer_lib.c && \
diff --git a/fuzzers/grimoire/fuzzer.yaml b/fuzzers/grimoire/fuzzer.yaml
index de283f07d..4a6f1fef2 100644
--- a/fuzzers/grimoire/fuzzer.yaml
+++ b/fuzzers/grimoire/fuzzer.yaml
@@ -1,4 +1,4 @@
 allowed_benchmarks:
 - quickjs_eval-2020-01-05
 - php_php-fuzz-execute
- - mruby-2018-05-23
+ - mruby_mruby_fuzzer_8c8bbd
diff --git a/fuzzers/nautilus/builder.Dockerfile b/fuzzers/nautilus/builder.Dockerfile
index f1890e47c..80234194a 100644
--- a/fuzzers/nautilus/builder.Dockerfile
+++ b/fuzzers/nautilus/builder.Dockerfile
@@ -17,7 +17,7 @@ FROM $parent_image
 # Install libstdc++ to use llvm_mode.
 RUN apt-get update && \
- apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
+ apt-get install -y wget libstdc++-10-dev libtool-bin automake flex bison \
 libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
 apt-utils apt-transport-https ca-certificates joe curl \
 python3-dev gzip
@@ -32,14 +32,14 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
 # Download libafl
 RUN git clone https://github.com/AFLplusplus/libafl_fuzzbench /libafl_fuzzbench && \
 cd /libafl_fuzzbench && \
- git checkout db32b7b8c1c0065a0cec2129b4dfe3897d1b9a4b && \
+ git checkout b7fc9fd143daff0190fd623ed3a8b9fbc64cc00c && \
 git submodule update --init
 # Compile libafl
 RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \
 export CC=clang && export CXX=clang++ && \
 export LIBAFL_EDGES_MAP_SIZE=2621440 && \
- PATH="$PATH:/root/.cargo/bin/" cargo build --release
+ PATH="/root/.cargo/bin:$PATH" cargo build --release -p nautilus
 RUN wget https://gist.githubusercontent.com/andreafioraldi/e5f60d68c98b31665a274207cfd05541/raw/4da351a321f1408df566a9cf2ce7cde6eeab3904/empty_fuzzer_lib.c -O /empty_fuzzer_lib.c && \
 clang -c /empty_fuzzer_lib.c && \
diff --git a/fuzzers/nautilus/fuzzer.yaml b/fuzzers/nautilus/fuzzer.yaml
index de283f07d..4a6f1fef2 100644
--- a/fuzzers/nautilus/fuzzer.yaml
+++ b/fuzzers/nautilus/fuzzer.yaml
@@ -1,4 +1,4 @@
 allowed_benchmarks:
 - quickjs_eval-2020-01-05
 - php_php-fuzz-execute
- - mruby-2018-05-23
+ - mruby_mruby_fuzzer_8c8bbd
diff --git a/fuzzers/nautilus/runner.Dockerfile b/fuzzers/nautilus/runner.Dockerfile
index 7aa1da8e4..e64e00904 100644
--- a/fuzzers/nautilus/runner.Dockerfile
+++ b/fuzzers/nautilus/runner.Dockerfile
@@ -14,6 +14,8 @@ FROM gcr.io/fuzzbench/base-image
+RUN apt update && apt -y install libexpat1-dev zlib1g-dev
+
 # This makes interactive docker runs painless:
 ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
 #ENV AFL_MAP_SIZE=2621440
diff --git a/fuzzers/token_level/builder.Dockerfile b/fuzzers/token_level/builder.Dockerfile
index f1890e47c..00b6fcfd3 100644
--- a/fuzzers/token_level/builder.Dockerfile
+++ b/fuzzers/token_level/builder.Dockerfile
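Review bot: `RUN apt update && apt -y install libexpat1-dev zlib1g-dev` in the nautilus runner.Dockerfile hunk uses the interactive `apt` front end, which is not meant for scripts, and installs development packages plus their recommends into the runner image while leaving the package lists in the layer. If the fuzzer binary only needs the shared objects at run time — which is what a runner image normally provides, but confirm against what the nautilus build actually links — `RUN apt-get update && apt-get install -y --no-install-recommends libexpat1 zlib1g && rm -rf /var/lib/apt/lists/*` installs just the runtime libraries and keeps the layer small. The identical line is added in fuzzers/token_level/runner.Dockerfile.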
@@ -17,7 +17,7 @@ FROM $parent_image
 # Install libstdc++ to use llvm_mode.
 RUN apt-get update && \
- apt-get install -y wget libstdc++-5-dev libtool-bin automake flex bison \
+ apt-get install -y wget libstdc++-10-dev libtool-bin automake flex bison \
 libglib2.0-dev libpixman-1-dev python3-setuptools unzip \
 apt-utils apt-transport-https ca-certificates joe curl \
 python3-dev gzip
@@ -32,14 +32,14 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /rustup.sh && \
 # Download libafl
 RUN git clone https://github.com/AFLplusplus/libafl_fuzzbench /libafl_fuzzbench && \
 cd /libafl_fuzzbench && \
- git checkout db32b7b8c1c0065a0cec2129b4dfe3897d1b9a4b && \
+ git checkout b7fc9fd143daff0190fd623ed3a8b9fbc64cc00c && \
 git submodule update --init
 # Compile libafl
 RUN cd /libafl_fuzzbench/ && unset CFLAGS && unset CXXFLAGS && \
 export CC=clang && export CXX=clang++ && \
 export LIBAFL_EDGES_MAP_SIZE=2621440 && \
- PATH="$PATH:/root/.cargo/bin/" cargo build --release
+ PATH="/root/.cargo/bin:$PATH" cargo build --release -p token_level
 RUN wget https://gist.githubusercontent.com/andreafioraldi/e5f60d68c98b31665a274207cfd05541/raw/4da351a321f1408df566a9cf2ce7cde6eeab3904/empty_fuzzer_lib.c -O /empty_fuzzer_lib.c && \
 clang -c /empty_fuzzer_lib.c && \
diff --git a/fuzzers/token_level/fuzzer.yaml b/fuzzers/token_level/fuzzer.yaml
index de283f07d..4a6f1fef2 100644
--- a/fuzzers/token_level/fuzzer.yaml
+++ b/fuzzers/token_level/fuzzer.yaml
@@ -1,4 +1,4 @@
 allowed_benchmarks:
 - quickjs_eval-2020-01-05
 - php_php-fuzz-execute
- - mruby-2018-05-23
+ - mruby_mruby_fuzzer_8c8bbd
diff --git a/fuzzers/token_level/runner.Dockerfile b/fuzzers/token_level/runner.Dockerfile
index 7aa1da8e4..e64e00904 100644
--- a/fuzzers/token_level/runner.Dockerfile
+++ b/fuzzers/token_level/runner.Dockerfile
@@ -14,6 +14,8 @@ FROM gcr.io/fuzzbench/base-image
+RUN apt update && apt -y install libexpat1-dev zlib1g-dev
+
 # This makes interactive docker runs painless:
 ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
 #ENV AFL_MAP_SIZE=2621440