
Fuzz FuzzedDataProviderImpl #834

Merged: 4 commits into main from FUZZ-767-fuzz-fuzzeddataprovider, Sep 6, 2023

Conversation

br-lewis (Contributor)

This adds a very large fuzz test for the FuzzedDataProviderImpl and modifies building fuzzed_data_provider.cpp to make it possible for the normal and shaded FuzzedDataProvider to at least load properly by duplicating the selffuzz symbols into fuzzed_data_provider.cpp manually.

I also removed the segfault fix I did just to make sure our tooling can catch it again.
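As an added illustration, not the fuzz test this PR contributes: a Jazzer fuzz target that drives the public FuzzedDataProvider interface (which FuzzedDataProviderImpl backs) and turns the documented contract of the consume* methods into checks, so a wrong return value, or a crash in the native code behind it, surfaces as a finding. The class name is hypothetical; the FuzzedDataProvider methods used are the ones from com.code_intelligence.jazzer.api.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;

// Hypothetical class name; any class with this static entry point is a Jazzer fuzz target.
public class FuzzedDataProviderContractFuzzer {
  private static void check(boolean ok, String what) {
    // A contract violation becomes an uncaught exception, which Jazzer reports as a finding.
    if (!ok) throw new IllegalStateException("FuzzedDataProvider contract violated: " + what);
  }

  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    int before = data.remainingBytes();
    check(before >= 0, "remainingBytes() must not be negative");

    // Ranged integers: normalise two arbitrary ints into [lo, hi] and require the result to land
    // inside, including degenerate (lo == hi), sign-straddling and full-width ranges.
    int lo = data.consumeInt();
    int hi = data.consumeInt();
    if (lo > hi) { int tmp = lo; lo = hi; hi = tmp; }
    int v = data.consumeInt(lo, hi);
    check(v >= lo && v <= hi, "consumeInt(min, max) outside [min, max]");
    data.consumeLong(Long.MIN_VALUE, Long.MAX_VALUE); // widest possible range: must not throw

    // Bounded buffers and strings: never longer than asked for, never longer than what was left.
    int max = data.consumeInt(0, 64);
    int available = data.remainingBytes();
    byte[] bytes = data.consumeBytes(max);
    check(bytes.length <= max && bytes.length <= available, "consumeBytes over-delivered");
    String s = data.consumeString(max);
    check(s.length() <= max, "consumeString longer than maxLength");
    String ascii = data.consumeAsciiString(max);
    check(ascii.length() <= max, "consumeAsciiString longer than maxLength");
    for (int i = 0; i < ascii.length(); i++) {
      check(ascii.charAt(i) < 128, "consumeAsciiString produced a non-ASCII char");
    }

    // Floating point: probabilities stay in [0, 1] (a NaN fails this comparison as well) and
    // "regular" doubles are finite.
    float p = data.consumeProbabilityFloat();
    check(p >= 0.0f && p <= 1.0f, "consumeProbabilityFloat outside [0, 1]");
    double d = data.consumeRegularDouble();
    check(!Double.isNaN(d) && !Double.isInfinite(d), "consumeRegularDouble not finite");

    // Consumption only ever shrinks the input, and draining it leaves exactly nothing.
    check(data.remainingBytes() <= before, "remainingBytes() grew");
    data.consumeRemainingAsBytes();
    check(data.remainingBytes() == 0, "remainingBytes() nonzero after consumeRemainingAsBytes");
  }
}
```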

@br-lewis br-lewis force-pushed the FUZZ-767-fuzz-fuzzeddataprovider branch from e5640aa to 9324161 Compare August 28, 2023 14:56
ci-fuzz-check bot commented Aug 29, 2023

2 open findings detected. The final number may be higher than displayed as the scan progresses in the background. For more information, check the Code Intelligence Documentation.


@br-lewis br-lewis requested review from a team and fmeum August 31, 2023 13:38
fmeum (Contributor) commented Sep 1, 2023

We shouldn't include this in the current PR, but I found the following patch to work locally in cifuzz. I do get coverage feedback from the native methods backing FuzzedDataProvider with it. I also tried this out with UBSan, but that fails with an obscure error that is probably a bootstrapping problem.

It runs with --asan and -fsanitize=address, but didn't find a planted use-after-free directly. This could be interesting to look into more.

diff --git a/.github/workflows/fuzzing-featured.yaml b/.github/workflows/fuzzing-featured.yaml
index a5680d5b..6c8c9fb8 100644
--- a/.github/workflows/fuzzing-featured.yaml
+++ b/.github/workflows/fuzzing-featured.yaml
@@ -57,7 +57,10 @@ jobs:
         shell: bash
       - id: build-jazzer
         name: Build Jazzer deps
-        run: cd $CHECKOUT_DIR && bazel build //deploy:jazzer-junit-project //deploy:jazzer-project //deploy:jazzer-api-project //selffuzz:jazzer_selffuzz //selffuzz:jazzer_api_selffuzz
+        run: |
+          cd $CHECKOUT_DIR
+          bazel build //deploy:jazzer-junit-project //deploy:jazzer-project //deploy:jazzer-api-project 
+          bazel build --fsanitize=fuzzer-no-link //selffuzz:jazzer_selffuzz //selffuzz:jazzer_api_selffuzz
 
       - id: build-fuzzers
         name: Build Fuzzers
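Review bot: `--fsanitize=fuzzer-no-link` on the second `bazel build` line is not a Bazel command-line option and will be rejected as unrecognized, which would fail this step before anything is built; the matching hunk in fuzzing.yaml passes it as `--copt=-fsanitize=fuzzer-no-link`, which is the form that actually forwards the flag to the compiler, and both workflows should use that spelling. The `//deploy:jazzer-api-project ` line also ends in a trailing space.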
diff --git a/.github/workflows/fuzzing.yaml b/.github/workflows/fuzzing.yaml
index 13a8ef5c..10306606 100644
--- a/.github/workflows/fuzzing.yaml
+++ b/.github/workflows/fuzzing.yaml
@@ -49,7 +49,10 @@ jobs:
         shell: bash
       - id: build-jazzer
         name: Build Jazzer deps
-        run: cd $CHECKOUT_DIR && bazel build //deploy:jazzer-junit-project //deploy:jazzer-project //deploy:jazzer-api-project //selffuzz:jazzer_selffuzz //selffuzz:jazzer_api_selffuzz
+        run: |
+          cd $CHECKOUT_DIR
+          bazel build //deploy:jazzer-junit-project //deploy:jazzer-project //deploy:jazzer-api-project 
+          bazel build --copt=-fsanitize=fuzzer-no-link //selffuzz:jazzer_selffuzz //selffuzz:jazzer_api_selffuzz
 
       - id: build-fuzzers
         name: Build Fuzzers
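Review bot: `--copt=-fsanitize=fuzzer-no-link` is a global copt, so it instruments every C/C++ target compiled into `//selffuzz:jazzer_selffuzz` and `//selffuzz:jazzer_api_selffuzz`, not only fuzzed_data_provider.cpp, and because it changes the build configuration any native dependency shared with the `//deploy:*` targets is built twice; a short comment above the split saying that only the selffuzz targets are meant to carry libFuzzer coverage instrumentation would make the intent clear to the next reader. The `//deploy:jazzer-api-project ` line also ends in a trailing space.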
diff --git a/selffuzz/cifuzz.yaml b/selffuzz/cifuzz.yaml
index 95f3af76..b4f61d55 100644
--- a/selffuzz/cifuzz.yaml
+++ b/selffuzz/cifuzz.yaml
@@ -38,6 +38,7 @@
 ## See https://llvm.org/docs/LibFuzzer.html#options
 engine-args:
  - --experimental_mutator
+ - --native
 
 ## Maximum time to run fuzz tests. The default is to run indefinitely.
 #timeout: 30m
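Review bot: `--native` is a Jazzer driver option, not a libFuzzer option, so adding it under the `## See https://llvm.org/docs/LibFuzzer.html#options` comment without explanation is misleading; a comment line noting that it tells Jazzer to expect natively instrumented libraries, and that it only does something when the selffuzz targets are built with `-fsanitize=fuzzer-no-link` as in the workflow hunks above, would tie the three files of this patch together.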

fmeum (Contributor) commented Sep 5, 2023

Looks good, thanks! I can't approve again as that results in a 500 from GitHub, just assume I did.

@br-lewis br-lewis force-pushed the FUZZ-767-fuzz-fuzzeddataprovider branch from e74e98d to 95b2212 Compare September 6, 2023 12:07
@br-lewis br-lewis enabled auto-merge (rebase) September 6, 2023 13:12
@br-lewis br-lewis merged commit ed7e7b2 into main Sep 6, 2023
12 checks passed
@br-lewis br-lewis deleted the FUZZ-767-fuzz-fuzzeddataprovider branch September 6, 2023 13:39