1
0
mirror of https://github.com/samba-team/samba.git synced 2025-02-28 01:58:17 +03:00

7 Commits

Author SHA1 Message Date
Douglas Bagnall
0cb833b32c fuzz: fix multiple comment headers
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-05 04:16:34 +00:00
Douglas Bagnall
e0dd4d0ac0 fuzz: add a LLVMFuzzerInitialize() to all fuzzers
To compile the AFL binaries, we need every fuzzer to have a consistent
set of functions. Some fuzzers require the initialize function, so all
the rest must have an empty one.

AFL binaires are handy for testing the fuzz results in a less magical
environment than libfuzzer/honggfuzz give you.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-03-16 17:09:32 +00:00
Gary Lockyer
2ba2ce40f9 fuzzing: ndr set global_max_recursion.
Set global_max_recursion to 128, to ensure the fuzzer does not trip the
ASAN maximum stack depth which seems to be about 256?

Credit to OSS-Fuzz

REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19820
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-02-27 01:02:32 +00:00
Andrew Bartlett
66d12eb98a lib/fuzzing: Initialise st buffer in fuzz_ndr_X
An NDR pull of a function will fill in either the in. or out.
elements of this structure, but never both.

However, some structures have size_is() in the out. that reference
the in. elements.  This is the reason for the --context-file option
in ndrdump.

We have a special handler in the fuzzing case embedded in the
pidl-generated output to cope with this, by filling in pointers
for elements declared [ref,in] but it relies on the in-side
(at least) of the buffer being zeroed.

So zero the buffer before we start.  Sadly this means things
like valgrind can not find a use of uninitialised data, but that
is a price we have to pay.

Credit to OSS-Fuzz

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2019-12-18 06:39:26 +00:00
Andrew Bartlett
e6fc8e79ae lib/fuzzing: Split up automatically build fuzzers into TYPE_{IN,OUT,STRUCT}
The advise is that a fuzz target should be as small as possible
so we split this up.  Splitting up by function would build too
many fuzzers, but this should help a little.

See for example:
https://github.com/google/fuzzing/blob/master/docs/good-fuzz-target.md#large-apis

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@samba.org>
2019-12-11 02:55:32 +00:00
Andrew Bartlett
a9a8bcf731 lib/fuzzer: Allow building a fuzz binary for just one interface
This helps direct the fuzzer at a particular function that we are concerned about.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2019-12-10 07:50:28 +00:00
Douglas Bagnall
7b265830ad lib/fuzzing: add fuzz_ndr_X
This NDR fuzzer links with each "interface" in the IDL files to
create avsingle binary.  This tries to matches what the fuzzing
engines desire.

It started as a copy of ndrdump but very little of that remains
in place.

The fancy build rules try to avoid needing a lof of boilerplate
in the wscript_build files and ensure new fuzzers are generated
and run when new IDL is added automatically.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2019-12-10 07:50:28 +00:00