diff --git a/.github/workflows/presubmit.yml b/.github/workflows/presubmit.yml index 5ae93faee533..a31b13a7a6d9 100644 --- a/.github/workflows/presubmit.yml +++ b/.github/workflows/presubmit.yml @@ -29,6 +29,10 @@ jobs: uses: actions/setup-python@v3 with: python-version: 3.8 + cache: pip + cache-dependency-path: | + infra/ci/requirements.txt + infra/build/functions/requirements.txt - name: Install dependencies run: | diff --git a/.github/workflows/project_tests.yml b/.github/workflows/project_tests.yml index 0b2e31cdef96..d4aa0429f118 100644 --- a/.github/workflows/project_tests.yml +++ b/.github/workflows/project_tests.yml @@ -23,6 +23,7 @@ jobs: - memory - undefined - coverage + - none architecture: - x86_64 include: @@ -73,6 +74,9 @@ jobs: uses: actions/setup-python@v3 with: python-version: 3.8 + cache: pip + cache-dependency-path: | + infra/ci/requirements.txt - name: Install dependencies run: | diff --git a/README.md b/README.md index 7eb5a6297f48..8b4cdb4f2944 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ execution environment and reporting tool. [ClusterFuzz]: https://github.com/google/clusterfuzz [ClusterFuzzLite]: https://google.github.io/clusterfuzzlite/ -Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other languages +Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Java/JVM, and JavaScript code. Other languages supported by [LLVM] may work too. OSS-Fuzz supports fuzzing x86_64 and i386 builds. 
@@ -47,11 +47,11 @@ Read our [detailed documentation] to learn how to use OSS-Fuzz. [detailed documentation]: https://google.github.io/oss-fuzz ## Trophies -As of July 2022, OSS-Fuzz has found over [40,500] bugs in [650] open source -projects. +As of February 2023, OSS-Fuzz has helped identify and fix over [8,900] vulnerabilities and [28,000] bugs across [850] projects. -[40,500]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=-status%3AWontFix%2CDuplicate%20-component%3AInfra&can=1 -[650]: https://github.com/google/oss-fuzz/tree/master/projects +[8,900]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=status%3AFixed%2CVerified%20Type%3DBug-Security&can=1 +[28,000]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=status%3AFixed%2CVerified%20Type%3DBug&can=1 +[850]: https://github.com/google/oss-fuzz/tree/master/projects ## Blog posts * 2016-12-01 - [Announcing OSS-Fuzz: Continuous fuzzing for open source software] 
@@ -59,9 +59,17 @@ projects. * 2018-11-06 - [A New Chapter for OSS-Fuzz] * 2020-10-09 - [Fuzzing internships for Open Source Software] * 2020-12-07 - [Improving open source security during the Google summer internship program] +* 2021-03-10 - [Fuzzing Java in OSS-Fuzz] +* 2021-12-16 - [Improving OSS-Fuzz and Jazzer to catch Log4Shell] +* 2022-09-08 - [Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically] +* 2023-02-01 - [Taking the next step: OSS-Fuzz in 2023] [Announcing OSS-Fuzz: Continuous fuzzing for open source software]: https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html [OSS-Fuzz: Five months later, and rewarding projects]: https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html [A New Chapter for OSS-Fuzz]: https://security.googleblog.com/2018/11/a-new-chapter-for-oss-fuzz.html [Fuzzing internships for Open Source Software]: https://security.googleblog.com/2020/10/fuzzing-internships-for-open-source.html [Improving open source security during the Google summer internship program]: https://security.googleblog.com/2020/12/improving-open-source-security-during.html +[Fuzzing Java in OSS-Fuzz]: https://security.googleblog.com/2021/03/fuzzing-java-in-oss-fuzz.html +[Improving OSS-Fuzz and Jazzer to catch Log4Shell]: https://security.googleblog.com/2021/12/improving-oss-fuzz-and-jazzer-to-catch.html +[Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically]: https://security.googleblog.com/2022/09/fuzzing-beyond-memory-corruption.html +[Taking the next step: OSS-Fuzz in 2023]: https://security.googleblog.com/2023/02/taking-next-step-oss-fuzz-in-2023.html diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock index 88febdd5c3fc..3a2a37b33f6f 100644 --- a/docs/Gemfile.lock +++ b/docs/Gemfile.lock 
@@ -1,12 +1,12 @@ GEM remote: https://rubygems.org/ specs: - activesupport (6.0.5.1) + activesupport (6.1.7.1) concurrent-ruby (~> 1.0, >= 1.0.2) - i18n (>= 0.7, < 2) - minitest (~> 5.1) - tzinfo (~> 1.1) - zeitwerk (~> 2.2, >= 2.2.2) + i18n (>= 1.6, < 2) + minitest (>= 5.1) + tzinfo (~> 2.0) + zeitwerk (~> 2.3) addressable (2.8.0) public_suffix (>= 2.0.2, < 5.0) coffee-script (2.4.1) @@ -14,8 +14,8 @@ GEM execjs coffee-script-source (1.11.1) colorator (1.1.0) - commonmarker (0.23.6) - concurrent-ruby (1.1.10) + commonmarker (0.23.7) + concurrent-ruby (1.2.0) dnsruby (1.61.9) simpleidn (~> 0.1) em-websocket (0.5.3) @@ -210,7 +210,7 @@ GEM jekyll (>= 3.5, < 5.0) jekyll-feed (~> 0.9) jekyll-seo-tag (~> 2.1) - minitest (5.16.2) + minitest (5.17.0) nokogiri (1.13.10-x86_64-linux) racc (~> 1.4) octokit (4.25.1) @@ -250,7 +250,7 @@ GEM unf_ext (0.0.8.2) unicode-display_width (1.8.0) webrick (1.7.0) - zeitwerk (2.6.0) + zeitwerk (2.6.6) PLATFORMS x86_64-linux diff --git a/docs/README.md b/docs/README.md index af2bc4b318ff..3ac9b680f016 100644 --- a/docs/README.md +++ b/docs/README.md @@ -15,5 +15,5 @@ $ bundle exec jekyll serve ``` ## Theme documentation -We are using the [just the docs](https://pmarsceill.github.io/just-the-docs/) +We are using the [just the docs](https://just-the-docs.github.io/just-the-docs/) theme. diff --git a/docs/advanced-topics/fuzz_introspector.md b/docs/advanced-topics/fuzz_introspector.md new file mode 100644 index 000000000000..4c6d1440a15c --- /dev/null +++ b/docs/advanced-topics/fuzz_introspector.md 
@@ -0,0 +1,119 @@ +--- +layout: default +title: Fuzz Introspector +parent: Advanced topics +nav_order: 2 +permalink: /advanced-topics/fuzz-introspector/ +--- + +# Fuzz Introspector +{: .no_toc} + +For projects written in C/C++, Python and Java you can generate Fuzz +Introspector reports to help guide the development of your fuzzing suite. +These reports help to extract details about the fuzzing setup of your +project with the goal of making it easier to improve the fuzzing set up. +The Fuzz Introspector reports are generated automatically and uploaded +to the cloud like code coverage reports, and you can also generate them +locally using the OSS-Fuzz helper script. + + +- TOC +{:toc} +--- + +## Fuzz Introspector overview + +As soon as your project is run with ClusterFuzz (<1 day), you can view the Fuzz +Introspector report for your project. +[Fuzz Introspector](https://github.com/ossf/fuzz-introspector) helps you +understand your fuzzers' performance and identify any potential blockers. +It provides individual and aggregated fuzzer reachability and coverage reports. +You can monitor each fuzzer's static reachability potential and compare it +against dynamic coverage and identify any potential bottlenecks. +Fuzz Introspector can offer suggestions on increasing coverage by adding new +fuzz targets or modify existing ones. +Fuzz Introspector reports can be viewed from the [OSS-Fuzz +homepage](https://oss-fuzz.com/) or through this +[index](http://oss-fuzz-introspector.storage.googleapis.com/index.html). + +- [Fuzz Introspector documentation](https://fuzz-introspector.readthedocs.io/en/latest/) +- [Fuzz Introspector source code](https://github.com/ossf/fuzz-introspector) +- [OSS-Fuzz Fuzz Introspector reports](http://oss-fuzz-introspector.storage.googleapis.com/index.html) + + +## Tutorials and guides + +The reports generated can be a lot to digest when first viewing them. 
The +[Fuzz Introspector documentation](https://fuzz-introspector.readthedocs.io/en/latest/) +provides various user guides and tutorials rooted in OSS-Fuzz projects, which is +a useful reference on how to make use of the reports. + +For ideas on how to use Fuzz Introspector, see [user guides](https://fuzz-introspector.readthedocs.io/en/latest/user-guides/index.html) which includes sections e.g. +- [Quickly extract overview of a given project](https://fuzz-introspector.readthedocs.io/en/latest/user-guides/quick-overview.html) +- [Get ideas for new fuzz targets](https://fuzz-introspector.readthedocs.io/en/latest/user-guides/get-ideas-for-new-targets.html) +- [Comparing introspector reports](https://fuzz-introspector.readthedocs.io/en/latest/user-guides/comparing-introspector-reports.html) + +## Run Fuzz Introspector locally + +To generate a Fuzz Introspector report locally use `infra/helper.py` and the +`introspector` command. Fuzz Introspector relies on code coverage to +analyze a given project, and this means we need to extract code coverage in the +Fuzz Introspector process. We can do this in two ways. First, by running the fuzzers +for a given amount of time, and, second, by generating code coverage using the public +corpus available from OSS-Fuzz. + + +### Generate reports by running fuzzers for X seconds + +The following command will generate a Fuzz Introspector report for the `libdwarf` project +and will extract code coverage based on a corpus created from running the fuzzers for 30 +seconds. 
+ +```bash +$ python3 infra/helper.py introspector libdwarf --seconds=30 +``` + +If the above command was succesful, you should see output along the lines of: + +```bash +INFO:root:To browse the report, run: python3 -m http.server 8008 --directory /home/my_user/oss-fuzz/build/out/libdwarf/introspector-report/inspector and navigate to localhost:8008/fuzz_report.html in your browser +``` +The above output gives you directions on how to start a simple webserver using +`python3 -m http.server`, which you can use to view the Fuzz Introspector report. + +### Generate reports by using public corpora + +The following command will generate a Fuzz Introspector report for the `libdwarf` project +and will extract code coverage based on a corpus created from running the fuzzers for 30 +seconds. + +```bash +$ python3 infra/helper.py introspector libdwarf --public-corpora +``` + +Assuming the above command is succesful you can view the report using `python3 -m http.server` +following the example described above. + + +## Differences in build tooling + +There are some differences in build environment for Fuzz Introspector builds +in comparison to e.g. ASAN or code coverage builds. The reason is that +Fuzz Introspector relies on certain compile-time tools to do its analysis. +This compile time tooling differs between languages, namely: +- For C/C++, Fuzz Introspector relies on [LLVM LTO](https://llvm.org/docs/LinkTimeOptimization.html) and [LLVM Gold](https://llvm.org/docs/GoldPlugin.html) +- For Python, Fuzz Introspector relies on a modified [PyCG](https://github.com/vitsalis/PyCG) +- For Java, Fuzz Introspector relies on [Soot](https://soot-oss.github.io/soot/) + +The consequence of this is your project must be compatible with these projects. +PyCG and Soot have not shown to be a blocker for many projects, however, experience +has shown that sometimes a project's build needs modification in order to compile +with LLVM LTO. 
The easiest way to test if your project works with LLVM is checking +whether your project can compile with the flags `-flto -fuse-ld=gold` and using +the gold linker. OSS-Fuzz automatically sets these flags and linker options when +using `infra/helper.py` to build your project with `--sanitizer=introspector`, e.g. + +```bash +python3 infra/helper.py build_fuzzers --sanitizer=introspector PROJ_NAME +``` diff --git a/docs/getting-started/integration_rewards.md b/docs/getting-started/integration_rewards.md index 3eac573862a1..be1fcc9e2edd 100644 --- a/docs/getting-started/integration_rewards.md +++ b/docs/getting-started/integration_rewards.md 
@@ -8,24 +8,8 @@ permalink: /getting-started/integration-rewards/ # Integration rewards -We encourage you to apply for integration rewards (up to **$20,000**) once your project -is successfully integrated with OSS-Fuzz. Please see the details in our blog post -[here](https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html). +We encourage you to apply for integration rewards (up to **$30,000**) once your project +is successfully integrated with OSS-Fuzz. Please see the full details +[here](https://bughunters.google.com/about/rules/5097259337383936/oss-fuzz-reward-program-rules). -Rewards are based on the quality of integration with OSS-Fuzz, which is evaluated using -the following criteria: -* Upstream integration of the fuzz targets and build support. -* Performance of the fuzz targets and code coverage achieved with fuzzing. -* Regression testing in the upstream repository using fuzz targets and OSS-Fuzz corpora. - Enabling [CIFuzz](https://google.github.io/oss-fuzz/getting-started/continuous-integration/) - is the easiest way to address this. -* Discretion bonus to recognize outstanding work. - -For each of the points above, the OSS-Fuzz rewards panel first sets up a cap of up to $5,000. -Then, the panel decides the actual reward amount (ranging from $0 up to the cap) for each -criteria, depending on how well the criteria is satisfied. - -The highest cap values ($5,000) are awarded only to projects of a critical importance for the -global infrastructure and/or widely used products, devices, or services. - -To submit your application for a reward, please fill out [this form](https://docs.google.com/forms/d/e/1FAIpQLSd5TlIXAiWRmbsHtPDR-8aDYKAZVgkJ5tcn6Dh-ym79r4iUxA/viewform) after reading the [blog post](https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html). +To submit your application for a reward, please fill out [this form](https://goo.gle/oss-fuzz-submission). 
diff --git a/docs/getting-started/new-project-guide/javascript_lang.md b/docs/getting-started/new-project-guide/javascript_lang.md new file mode 100644 index 000000000000..3f6895fbf2d9 --- /dev/null +++ b/docs/getting-started/new-project-guide/javascript_lang.md 
@@ -0,0 +1,140 @@ +--- +layout: default +title: Integrating a JavaScript project +parent: Setting up a new project +grand_parent: Getting started +nav_order: 4 +permalink: /getting-started/new-project-guide/javascript-lang/ +--- + +# Integrating a JavaScript project +{: .no_toc} + +- TOC +{:toc} +--- + +The process of integrating a project written in JavaScript for Node.js +with OSS-Fuzz is very similar to the general +[Setting up a new project]({{ site.baseurl }}/getting-started/new-project-guide/) +process. The key specifics of integrating a JavaScript project are outlined below. + +## Jazzer.js + +JavaScript fuzzing in OSS-Fuzz is powered by +[Jazzer.js](https://github.com/CodeIntelligenceTesting/jazzer.js), which is +installed during the build step. As Jazzer.js operates directly on the JavaScript +source code level, it can be applied to any project written in a language that +can be transpiled into JavaScript such as TypeScript. More information on how Jazzer.js +fuzz targets look like can be found in its +[README's Usage section](https://github.com/CodeIntelligenceTesting/jazzer.js#usage). + +## Project files + +### Example project + +We recommend viewing +[javascript-example](https://github.com/google/oss-fuzz/tree/master/projects/javascript-example) +as an example of a simple JavaScript fuzzing project. We also recommend having a look at +[typescript-example](https://github.com/google/oss-fuzz/tree/master/projects/typescript-example) +as an example of how to fuzz TypeScript projects. This example also demonstrates how to use +Jazzer.js fuzzed data provider. + +### project.yaml + +The `language` attribute must be specified as follows: + +```yaml +language: javascript +``` + +The only supported fuzzing engine is libFuzzer (`libfuzzer`). So far, native sanitizers such as +AddressSanitizer (`address`) and UndefinedBehaviorSanitizer (`undefined`) are not supported. 
+They would only be needed for projects that have native addons, which is a rather infrequent +use case for JavaScript projects. If you have a project where you need ASan or UBSan, please +create open an issue on [Jazzer.js GitHub repo](https://github.com/CodeIntelligenceTesting/jazzer.js). None (`none`) is the default sanitizer for +JavaScript projects, so setting it up in `project.yaml` is optional. + +```yaml +fuzzing_engines: + - libfuzzer +sanitizers: + - none +``` + +### Dockerfile + +The Dockerfile should start by `FROM gcr.io/oss-fuzz-base/base-builder-javascript` + +The OSS-Fuzz base Docker images already come with Node.js 19 and `npm` pre-installed. +Apart from that, you should usually not need to do more than to clone the +project, set a `WORKDIR`, and copy any necessary files, or install any +project-specific dependencies here as you normally would. + +### Fuzzers + +In the simplest case, every fuzzer consists of a single JavaScript file that exports +a function named `fuzz` taking a single argument of type [Buffer](https://nodejs.org/api/buffer.html). +An example fuzz target could thus be a file `fuzz_string_compare.js` with contents: + +```javascript +/** + * @param { Buffer } data + */ +module.exports.fuzz = function (data) { + const s = data.toString(); + if (s.length !== 16) { + return; + } + if ( + s.slice(0, 8) === "Awesome " && + s.slice(8, 15) === "Fuzzing" && + s[15] === "!" + ) { + throw Error("Welcome to Awesome Fuzzing!"); + } +}; +``` + +### build.sh + +The OSS-Fuzz base docker image for JavaScript comes with the [`compile_javascript_fuzzer` script](https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/compile_javascript_fuzzer) preinstalled. In `build.sh`, you should install dependencies for your project, and if necessary compile the code into JavaScript. Then, you can use the script to build the fuzzers. 
The script ensures that [@Jazzer.js/core](https://www.npmjs.com/package/@jazzer.js/core) is installed so that its CLI can be used to execute your fuzz tests. It also generates a wrapper script that can be used as a drop-in replacement for libFuzzer. This means that the generated script accepts the same command line flags for libFuzzer. Under the hood these flags are simply forwarded to the libFuzzer native addon used by Jazzer.js. + +A usage example from the javascript-example project is + +```shell +compile_javascript_fuzzer example fuzz_string_compare.js --sync +``` + +Arguments are: +* relative path of the project in the $SRC directory +* relative path to the fuzz test inside the project +* remaining arguments are forwarded to the [Jazzer.js CLI](https://github.com/CodeIntelligenceTesting/jazzer.js/blob/main/docs/fuzz-targets.md#running-the-fuzz-target) + +The [javascript-example](https://github.com/google/oss-fuzz/blob/master/projects/javascript-example/build.sh) +project contains an example of a `build.sh` for JavaScript projects. + +## FuzzedDataProvider + +Jazzer.js provides a `FuzzedDataProvider` that can simplify the task of creating a +fuzz target by translating the raw input bytes received from the fuzzer into +useful primitive JavaScript types. Its functionality is similar to +`FuzzedDataProviders` available in other languages, such as +[Java](https://codeintelligencetesting.github.io/jazzer-docs/jazzer-api/com/code_intelligence/jazzer/api/FuzzedDataProvider.html) and +[C++](https://github.com/google/fuzzing/blob/master/docs/split-inputs.md). + +A fuzz target using the `FuzzedDataProvider` would look as follows: + +```javascript +const { FuzzedDataProvider } = require("@jazzer.js/core"); + +/** + * @param { Buffer } fuzzerInputData + */ +module.exports.fuzz = function (fuzzerInputData) { + const data = new FuzzedDataProvider(fuzzerInputData); + const i = data.consumeIntegral(4); + const s = data.consumeRemainingAsString(); + exploreMe(i, s); +}; +``` 
diff --git a/docs/index.md b/docs/index.md index 56ab007246fa..d3ba114f195c 100644 --- a/docs/index.md +++ b/docs/index.md @@ -60,9 +60,8 @@ other resources are listed on the [useful links] page. [useful links]: {{ site.baseurl }}/reference/useful-links/#tutorials ## Trophies -As of June 2021, OSS-Fuzz has found over [30,000] bugs in [500] open source -projects. - -[30,000]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=-status%3AWontFix%2CDuplicate%20-component%3AInfra&can=1 -[500]: https://github.com/google/oss-fuzz/tree/master/projects +As of February 2023, OSS-Fuzz has helped identify and fix over [8,900] vulnerabilities and [28,000] bugs across [850] projects. +[8,900]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=status%3AFixed%2CVerified%20Type%3DBug-Security&can=1 +[28,000]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=status%3AFixed%2CVerified%20Type%3DBug&can=1 +[850]: https://github.com/google/oss-fuzz/tree/master/projects diff --git a/docs/reference/useful_links.md b/docs/reference/useful_links.md index 3e39ba36a550..3075868c015c 100644 --- a/docs/reference/useful_links.md +++ b/docs/reference/useful_links.md 
@@ -35,6 +35,10 @@ parent: Reference ([Security](https://security.googleblog.com/2018/11/a-new-chapter-for-oss-fuzz.html)) * 2020-10-09 - [Fuzzing internships for Open Source Software](https://security.googleblog.com/2020/10/fuzzing-internships-for-open-source.html) * 2020-12-07 - [Improving open source security during the Google summer internship program](https://security.googleblog.com/2020/12/improving-open-source-security-during.html) +* 2021-03-10 - [Fuzzing Java in OSS-Fuzz](https://security.googleblog.com/2021/03/fuzzing-java-in-oss-fuzz.html) +* 2021-12-16 - [Improving OSS-Fuzz and Jazzer to catch Log4Shell](https://security.googleblog.com/2021/12/improving-oss-fuzz-and-jazzer-to-catch.html) +* 2022-09-08 - [Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically](https://security.googleblog.com/2022/09/fuzzing-beyond-memory-corruption.html) +* 2023-02-01 - [Taking the next step: OSS-Fuzz in 2023](https://security.googleblog.com/2023/02/taking-next-step-oss-fuzz-in-2023.html) ## Tutorials @@ -44,4 +48,4 @@ parent: Reference * [Structure-Aware Fuzzing with libFuzzer](https://github.com/google/fuzzer-test-suite/blob/master/tutorial/structure-aware-fuzzing.md) * [Chromium Fuzzing Page](https://chromium.googlesource.com/chromium/src/testing/libfuzzer/) * [Chromium Efficient Fuzzing Guide](https://chromium.googlesource.com/chromium/src/testing/libfuzzer/+/HEAD/efficient_fuzzing.md) -* [ClusterFuzz documentation](https://google.github.io/clusterfuzz/) +* [ClusterFuzz documentation](https://google.github.io/clusterfuzz/) \ No newline at end of file diff --git a/infra/base-images/base-builder/Dockerfile b/infra/base-images/base-builder/Dockerfile index a00a6f24bfd1..eabeb55c9f0c 100644 --- a/infra/base-images/base-builder/Dockerfile +++ b/infra/base-images/base-builder/Dockerfile 
@@ -143,13 +143,14 @@ RUN precompile_centipede
 COPY cargo compile compile_afl compile_libfuzzer compile_honggfuzz \
 compile_centipede \
 compile_go_fuzzer \
+ compile_javascript_fuzzer \
 compile_native_go_fuzzer \
 compile_python_fuzzer \
 compile_fuzztests.sh \
 python_coverage_helper.py \
 debug_afl srcmap \
 write_labels.py bazel_build_fuzz_tests \
- # Go, java, and swift installation scripts.
+ # Go, JavaScript, Java, Python, Rust, and Swift installation scripts.
 install_go.sh \
 install_javascript.sh \
 install_java.sh \
diff --git a/infra/base-images/base-builder/compile b/infra/base-images/base-builder/compile
index f30da3f5c3d4..5144f4cc9326 100755
--- a/infra/base-images/base-builder/compile
+++ b/infra/base-images/base-builder/compile
@@ -37,6 +37,21 @@ if [ "$FUZZING_LANGUAGE" = "jvm" ]; then
 fi
 fi
+if [ "$FUZZING_LANGUAGE" = "javascript" ]; then
+ if [ "$FUZZING_ENGINE" != "libfuzzer" ]; then
+ echo "ERROR: JavaScript projects can be fuzzed with libFuzzer engine only."
+ exit 1
+ fi
+ if [ "$SANITIZER" != "coverage" ] && [ "$SANITIZER" != "none" ]; then
+ echo "ERROR: JavaScript projects cannot be fuzzed with sanitizers."
+ exit 1
+ fi
+ if [ "$ARCHITECTURE" != "x86_64" ]; then
+ echo "ERROR: JavaScript projects can be fuzzed on x86_64 architecture only."
+ exit 1
+ fi
+fi
+
 if [ "$FUZZING_LANGUAGE" = "python" ]; then
 if [ "$FUZZING_ENGINE" != "libfuzzer" ]; then
 echo "ERROR: Python projects can be fuzzed with libFuzzer engine only."
diff --git a/infra/base-images/base-builder/compile_javascript_fuzzer b/infra/base-images/base-builder/compile_javascript_fuzzer
new file mode 100755
index 000000000000..42b47fc3c275
--- /dev/null
+++ b/infra/base-images/base-builder/compile_javascript_fuzzer
@@ -0,0 +1,42 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+project=$1
+# Path the fuzz target source file relative to the project's root.
+fuzz_target=$2
+# Arguments to pass to Jazzer.js
+jazzerjs_args=${@:3}
+
+# Copy source code into the $OUT directory and install Jazzer.js into the project.
+if [ ! -d $OUT/$project ]; then
+ pushd $SRC/$project
+ npm install @jazzer.js/core
+ popd
+ cp -r $SRC/$project $OUT/$project
+fi
+
+fuzzer_basename=$(basename -s .js $fuzz_target)
+fuzzer_dir=$(dirname $fuzz_target)
+
+# Create an execution wrapper that executes Jazzer.js with the correct arguments.
+echo "#!/bin/bash
+# LLVMFuzzerTestOneInput so that the wrapper script is recognized as a fuzz target for 'check_build'.
+this_dir=\$(dirname \"\$0\")
+cd $project/$fuzzer_dir
+\$this_dir/$project/node_modules/.bin/jazzer $fuzzer_basename $jazzerjs_args -- \$@" > $OUT/$fuzzer_basename
+
+chmod +x $OUT/$fuzzer_basename
diff --git a/infra/base-images/base-builder/install_javascript.sh b/infra/base-images/base-builder/install_javascript.sh
index c8d06c832725..ab2784721f1d 100755
--- a/infra/base-images/base-builder/install_javascript.sh
+++ b/infra/base-images/base-builder/install_javascript.sh
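Review bot: `npm install @jazzer.js/core` inside the `if [ ! -d $OUT/$project ]` block installs whatever version the registry serves at build time, with no version pin (unless the project's own package.json already declares it), so the fuzzing engine baked into every JavaScript build is not reproducible and a bad or compromised release would be picked up silently; pin it (`npm install @jazzer.js/core@<PINNED_VERSION>`, kept next to the Node.js version in the base image) or ship a lockfile and use `npm ci`. The generated wrapper also forwards the fuzzer arguments as bare `\$@` and changes directory with `cd $project/$fuzzer_dir`, which is relative to the caller's working directory rather than to the wrapper's own location, so an argument containing whitespace is split and invoking the wrapper from anywhere but `$OUT` cannot find the target; `this_dir=\$(cd \"\$(dirname \"\$0\")\" && pwd)`, `cd \"\$this_dir/$project/$fuzzer_dir\"` and `-- \"\$@\"` would fix both. The unquoted `$OUT/$project`, `$SRC/$project` and `$fuzz_target` expansions in the rest of the script have the same word-splitting problem for paths with spaces.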
@@ -14,3 +14,9 @@
 # limitations under the License.
 #
 ################################################################################
+# Install Node.js v19.x
+curl -fsSL https://deb.nodesource.com/setup_19.x | bash -
+apt-get update && apt-get install -y nodejs
+
+# Install latest versions of npm
+npm install --global npm
diff --git a/infra/base-images/base-clang/Dockerfile b/infra/base-images/base-clang/Dockerfile
index 6cc06bee539a..39dd2859a111 100644
--- a/infra/base-images/base-clang/Dockerfile
+++ b/infra/base-images/base-clang/Dockerfile
@@ -36,7 +36,7 @@ RUN apt-get update && apt-get install -y wget sudo && \
 RUN apt-get update && apt-get install -y git && \
 git clone https://github.com/ossf/fuzz-introspector.git fuzz-introspector && \
 cd fuzz-introspector && \
- git checkout 9794553953de288e24795b39aabead57bf22c0d7 && \
+ git checkout 6b21f6396192f9c01f81d9e6c61ddfe1b36b288b && \
 git submodule init && \
 git submodule update && \
 apt-get autoremove --purge -y git && \
diff --git a/infra/base-images/base-clang/checkout_build_install_llvm.sh b/infra/base-images/base-clang/checkout_build_install_llvm.sh
index 2b403cfd9b8d..65f0ea554e3e 100755
--- a/infra/base-images/base-clang/checkout_build_install_llvm.sh
+++ b/infra/base-images/base-clang/checkout_build_install_llvm.sh
@@ -129,7 +129,7 @@ cp -rf /fuzz-introspector/frontends/llvm/lib/Transforms/FuzzIntrospector ./llvm/
 # LLVM currently does not support dynamically loading LTO passes. Thus, we
 # hardcode it into Clang instead. Ref: https://reviews.llvm.org/D77704
-/fuzz-introspector/sed_cmds.sh
+/fuzz-introspector/frontends/llvm/patch-llvm.sh
 cd $OLD_WORKING_DIR
 mkdir -p $WORK/llvm-stage2 $WORK/llvm-stage1
diff --git a/infra/base-images/base-image/Dockerfile b/infra/base-images/base-image/Dockerfile
index 6badb8847d6a..3e0ad0fd02c6 100644
--- a/infra/base-images/base-image/Dockerfile
+++ b/infra/base-images/base-image/Dockerfile
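Review bot: `curl -fsSL https://deb.nodesource.com/setup_19.x | bash -` runs an unpinned remote script as root inside the base-builder image and `npm install --global npm` then replaces npm with whatever is current on the registry, so the toolchain every JavaScript project is built with is decided by two third parties at image-build time with no integrity check; the new infra/base-images/base-runner/install_javascript.sh repeats the same curl-pipe-bash pattern. This tree already verifies downloads elsewhere (the jacoco jars in base-runner/Dockerfile are checked with `shasum --check`), so the same standard should apply here: fetch a specific Node.js release tarball and verify it against its published SHASUMS256 entry (`<EXPECTED_SHA256_PLACEHOLDER>`), or at minimum save the setup script to a file, check its digest before running it, and pin npm with `npm install --global npm@<PINNED_VERSION>`. Node.js 19 is also an odd-numbered, short-lived release line, so this will need re-pinning soon; an LTS line would reduce that churn.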
@@ -21,9 +21,12 @@ ARG parent_image=ubuntu:20.04 FROM $parent_image ENV DEBIAN_FRONTEND noninteractive +# Install tzadata to match ClusterFuzz +# (https://github.com/google/oss-fuzz/issues/9280). + RUN apt-get update && \ apt-get upgrade -y && \ - apt-get install -y libc6-dev binutils libgcc-9-dev && \ + apt-get install -y libc6-dev binutils libgcc-9-dev tzdata && \ apt-get autoremove -y ENV OUT=/out diff --git a/infra/base-images/base-runner/Dockerfile b/infra/base-images/base-runner/Dockerfile index bc034e198728..963d524b22f9 100755 --- a/infra/base-images/base-runner/Dockerfile +++ b/infra/base-images/base-runner/Dockerfile @@ -82,6 +82,9 @@ RUN wget https://repo1.maven.org/maven2/org/jacoco/org.jacoco.cli/0.8.7/org.jaco echo "37df187b76888101ecd745282e9cd1ad4ea508d6 /opt/jacoco-agent.jar" | shasum --check && \ echo "c1814e7bba5fd8786224b09b43c84fd6156db690 /opt/jacoco-cli.jar" | shasum --check +COPY install_javascript.sh / +RUN /install_javascript.sh && rm /install_javascript.sh + # Do this last to make developing these files easier/faster due to caching. COPY bad_build_check \ coverage \ diff --git a/infra/base-images/base-runner/bad_build_check b/infra/base-images/base-runner/bad_build_check index 542b386ad666..3ee7a0416c26 100755 --- a/infra/base-images/base-runner/bad_build_check +++ b/infra/base-images/base-runner/bad_build_check @@ -122,7 +122,7 @@ function check_engine { # binaries if they are from trial build and production build. # TODO(Dongge): Support run test with sanitized binaries for trial and # production build. - timeout --preserve-status -s INT 20s run_fuzzer $FUZZER_NAME &>$FUZZER_OUTPUT + SKIP_SEED_CORPUS=1 timeout --preserve-status -s INT 20s run_fuzzer $FUZZER_NAME &>$FUZZER_OUTPUT CHECK_PASSED=$(egrep "\[0] begin-fuzz: ft: 0 cov: 0" -c $FUZZER_OUTPUT) if (( $CHECK_PASSED == 0 )); then echo "BAD BUILD: fuzzing $FUZZER with centipede failed." 
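Review bot: The new comment spells the package `tzadata` while the `RUN` line installs `tzdata`, and the blank line inserted between the comment and the `RUN` detaches the explanation from the instruction it justifies; drop the blank line and write `# Install tzdata to match ClusterFuzz` above the `RUN apt-get update && \` line. The issue link on the second comment line is useful and should stay.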
@@ -315,6 +315,13 @@ function check_mixed_sanitizers { return 0 fi + if [ "${FUZZING_LANGUAGE:-}" = "javascript" ]; then + # Jazzer.js currently does not support using sanitizers with native Node.js addons. + # This is not relevant anyways since supporting this will be done by preloading + # the sanitizers in the wrapper script starting Jazzer.js. + return 0 + fi + if [ "${FUZZING_LANGUAGE:-}" = "python" ]; then # Sanitizer runtime is loaded via LD_PRELOAD, so this check does not apply. return 0 @@ -402,6 +409,12 @@ function check_architecture { return 0; fi + if [ "${FUZZING_LANGUAGE:-}" = "javascript" ]; then + # Jazzer.js fuzzers are wrapper scripts that start the fuzz target with + # the Jazzer.js CLI. + return 0; + fi + if [ "${FUZZING_LANGUAGE:-}" = "python" ]; then FUZZER=${FUZZER}.pkg fi diff --git a/infra/base-images/base-runner/coverage b/infra/base-images/base-runner/coverage index b2a736f3cb0e..1e6b1b33b3f2 100755 --- a/infra/base-images/base-runner/coverage +++ b/infra/base-images/base-runner/coverage @@ -380,6 +380,7 @@ elif [[ $FUZZING_LANGUAGE == "jvm" ]]; then # automated analysis. cp $jacoco_merged_exec $REPORT_PLATFORM_DIR/jacoco.exec cp $xml_report $REPORT_PLATFORM_DIR/jacoco.xml + cp $xml_report $TEXTCOV_REPORT_DIR/jacoco.xml # Write llvm-cov summary file. jacoco_report_converter.py $xml_report $SUMMARY_FILE diff --git a/infra/base-images/base-runner/install_javascript.sh b/infra/base-images/base-runner/install_javascript.sh new file mode 100755 index 000000000000..7985df71a691 --- /dev/null +++ b/infra/base-images/base-runner/install_javascript.sh 
@@ -0,0 +1,21 @@
+#!/bin/bash -eux
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+# Install Node.js v19.x.
+apt-get update && apt-get install -y curl
+
+curl -fsSL https://deb.nodesource.com/setup_19.x | bash -
+apt-get update && apt-get install -y nodejs
diff --git a/infra/base-images/base-runner/run_fuzzer b/infra/base-images/base-runner/run_fuzzer
index fadda953da5b..b089dbeb56bc 100755
--- a/infra/base-images/base-runner/run_fuzzer
+++ b/infra/base-images/base-runner/run_fuzzer
@@ -86,6 +86,9 @@ rm -rf $FUZZER_OUT && mkdir -p $FUZZER_OUT
 SEED_CORPUS="${FUZZER}_seed_corpus.zip"
+# TODO: Investigate why this code block is skipped
+# by all default fuzzers in bad_build_check.
+# They all set SKIP_SEED_CORPUS=1.
 if [ -f $SEED_CORPUS ] && [ -z ${SKIP_SEED_CORPUS:-} ]; then
 echo "Using seed corpus: $SEED_CORPUS"
 unzip -o -d ${CORPUS_DIR}/ $SEED_CORPUS > /dev/null
diff --git a/infra/build/build_status/fuzz_introspector_page_gen.py b/infra/build/build_status/fuzz_introspector_page_gen.py
new file mode 100644
index 000000000000..e72bf6bbfe22
--- /dev/null
+++ b/infra/build/build_status/fuzz_introspector_page_gen.py
@@ -0,0 +1,306 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +"""Logic to create Fuzz Introspector overview page.""" +import json + +from urllib.request import urlopen +from bs4 import BeautifulSoup + +TABLE_HEAD = """ + + + + + + + + +""" + +TABLE_END = """ +
+ Project Report + + Fuzz target count + + Code statically reached + + Code covered at runtime +
""" + +FUZZ_INTROSPECTOR_HTML_TOP = """ + + + + + + + + +
+
+
+ Fuzzer introspection of OSS-Fuzz projects +
+
+ For issues and ideas: + + https://github.com/ossf/fuzz-introspector/issues + +
+
+
+
+
+ Fuzz Introspector documentation:https://fuzz-introspector.readthedocs.io/en/latest/ +
+ Fuzz Introspector repository:https://github.com/ossf/fuzz-introspector +
+
""" + +FUZZ_INTROSPECTOR_HTML_BOTTOM = """
+
+ + +""" + + +def refine_percentage_string(percentage_string): + """Shortens a srting to 4 characters and prepends zeros if necessary. + We need to prepend the zero to make sorting in the final table accurrate. + """ + percentage_string = percentage_string.replace("%", "") + if len(percentage_string.split(".")[0]) == 1: + percentage_string = "0" + percentage_string + + if len(percentage_string) > 5: + percentage_string = percentage_string[:5] + + # Check if the percentage is withing range of [0.0 : 100.0] + # Some old reports from 2022 have deprecated data, which we do not want to + # display. + float_val = float(percentage_string) + if float_val < 0.0 or float_val > 100.0: + # Raise exception to make the code display '-' elements. + raise Exception('Out of range numbers') + + return percentage_string + "%" + + +def fetch_fuzz_introspector_summary(report_url): + """Given a URL to an introspector report, returns a dictionary with data + from the report. This includes, fuzzer count, reachability and code + coverage. + """ + # Extract json summary file. + summary_url = report_url.replace('fuzz_report.html', 'summary.json') + response = urlopen(summary_url) + json_data = json.loads(response.read()) + + # 1) Extract fuzzer count. This corresponds to all but two elements at the + # top level of the dictionary. + fuzzer_count = len(json_data) - 2 + + # 2) Extract reachability count. + reached_stats = "0.0%" + if 'MergedProjectProfile' in json_data: + if 'stats' in json_data['MergedProjectProfile']: + merged_profile = json_data['MergedProjectProfile'] + reached_stats = merged_profile['stats']['reached-complexity-percentage'] + + reached_stats = refine_percentage_string(str(reached_stats)) + + # Extract code coverage stats. + # Momentarily, we will get this from the HTML page because it's not yet + # in the summary.json. This will change in the near future, but in the + # spirit of time we keep it like this for now. 
+ fuzz_report_html = urlopen(report_url).read() + soup = BeautifulSoup(fuzz_report_html, 'html.parser') + target_divs = soup.findAll('text', {'class': 'percentage'}) + + # The code coverage is the third instance of this text class. + raw_code_coverage = target_divs[2].string.strip() + code_coverage = refine_percentage_string(raw_code_coverage) + + return { + 'fuzzer_count': fuzzer_count, + 'project_complexity_reached': reached_stats, + 'code_coverage': code_coverage + } + + +def get_fuzzer_introspector_project_summary(report_url): + """Return dictionary containing summary of fuzz introspector project.""" + try: + results_dict = fetch_fuzz_introspector_summary(report_url) + except Exception: # pylint: disable=broad-except + results_dict = { + 'fuzzer_count': '-', + 'project_complexity_reached': '-', + 'code_coverage': '-' + } + return results_dict + + +def get_fuzz_introspector_row(project, report_url): + """Creates a single row in the Fuzz Introspector HTML table.""" + project_summary = get_fuzzer_introspector_project_summary(report_url) + return ("" + f"{project}" + f"{project_summary['fuzzer_count']}" + f"{project_summary['project_complexity_reached']}" + f"{project_summary['code_coverage']}" + "\n") + + +def create_introspector_overview_table(fuzz_introspector_index): + """Creates a HTML table with Fuzz Introspector summary for each project.""" + all_rows = "" + for project_name in fuzz_introspector_index: + report_url = fuzz_introspector_index[project_name] + all_rows += get_fuzz_introspector_row(project_name, report_url) + return TABLE_HEAD + all_rows + TABLE_END + + +def get_fuzz_introspector_html_page(fuzz_introspector_index): + """Creates a HTML page as a string displaying Fuzz Introspector overview.""" + html_table = create_introspector_overview_table(fuzz_introspector_index) + return (FUZZ_INTROSPECTOR_HTML_TOP + html_table + + FUZZ_INTROSPECTOR_HTML_BOTTOM) 
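Review bot: Both `urlopen(summary_url)` and `urlopen(report_url)` in `fetch_fuzz_introspector_summary` are called without a timeout and without closing the response, and `create_introspector_overview_table` walks every project sequentially, so one stalled fetch blocks the whole index generation. Use `with urlopen(summary_url, timeout=30) as response: json_data = json.loads(response.read())` and the same pattern for the HTML fetch. In `get_fuzz_introspector_row` the project name and summary values are interpolated into HTML markup unescaped; the percentage strings pass through `float()` in `refine_percentage_string` and are effectively sanitized, but `project` is not, so wrapping the interpolated values in `html.escape(...)` (stdlib `html`) would make the page safe regardless of where the index keys come from.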
diff --git a/infra/build/build_status/update_build_status.py b/infra/build/build_status/update_build_status.py index d10e8edca099..ac6e56265db3 100644 --- a/infra/build/build_status/update_build_status.py +++ b/infra/build/build_status/update_build_status.py @@ -29,9 +29,8 @@ import build_and_run_coverage import build_lib import build_project -from datastore_entities import BuildsHistory -from datastore_entities import LastSuccessfulBuild -from datastore_entities import Project +import datastore_entities +import fuzz_introspector_page_gen BADGE_DIR = 'badge_images' BADGE_IMAGE_TYPES = {'svg': 'image/svg+xml', 'png': 'image/png'} @@ -41,6 +40,7 @@ STATUS_BUCKET = 'oss-fuzz-build-logs' INTROSPECTOR_BUCKET = 'oss-fuzz-introspector' INTROSPECTOR_BUCKET_URL = 'https://storage.googleapis.com/oss-fuzz-introspector' +INTROSPECTOR_DOC_URL = 'https://fuzz-introspector.readthedocs.io/en/latest/' INTROSPECTOR_INDEX_JSON = 'build_status.json' INTROSPECTOR_INDEX_HTML = 'index.html' @@ -48,13 +48,6 @@ COVERAGE_STATUS_FILENAME = 'status-coverage.json' INTROSPECTOR_STATUS_FILENAME = 'status-introspector.json' -HTML_PREFIX_STRING = ('\n\n' - '\t
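Review bot: `INTROSPECTOR_DOC_URL` is added next to the other bucket constants but no visible hunk reads it, while the same URL is hard-coded again inside `FUZZ_INTROSPECTOR_HTML_TOP` in the new page generator module. Either pass the constant into `fuzz_introspector_page_gen.get_fuzz_introspector_html_page(...)` so there is a single source of truth, or drop it here; as it stands the two copies can drift. If it is referenced from a part of the file outside this diff, a short comment such as `# Linked from the generated introspector index page.` would make that clear.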

' - 'Index of Fuzz-Introspector reports for OSS-Fuzz projects' - '

\n' - '\t\n\t\n') -HTML_SUFFIX_STRING = '\t\n\t\n' - # pylint: disable=invalid-name _client = None @@ -103,7 +96,7 @@ def key_func(project): def update_last_successful_build(project, build_tag): """Update last successful build.""" - last_successful_build = ndb.Key(LastSuccessfulBuild, + last_successful_build = ndb.Key(datastore_entities.LastSuccessfulBuild, project['name'] + '-' + build_tag).get() if not last_successful_build and 'last_successful_build' not in project: return @@ -120,7 +113,7 @@ def update_last_successful_build(project, build_tag): last_successful_build.finish_time = project['last_successful_build'][ 'finish_time'] else: - last_successful_build = LastSuccessfulBuild( + last_successful_build = datastore_entities.LastSuccessfulBuild( id=project['name'] + '-' + build_tag, project=project['name'], build_id=project['last_successful_build']['build_id'], @@ -224,8 +217,9 @@ def process_project(project_build): with concurrent.futures.ThreadPoolExecutor(max_workers=8) as executor: futures = [] - for project_build in BuildsHistory.query( - BuildsHistory.build_tag == build_tag).order('project'): + for project_build in datastore_entities.BuildsHistory.query( + datastore_entities.BuildsHistory.build_tag == build_tag).order( + 'project'): futures.append(executor.submit(process_project, project_build)) for future in concurrent.futures.as_completed(futures): @@ -306,7 +300,7 @@ def update_badges(): with concurrent.futures.ThreadPoolExecutor(max_workers=32) as executor: futures = [] - for project in Project.query(): + for project in datastore_entities.Project.query(): if project.name not in project_build_statuses: continue # Certain projects (e.g. JVM and Python) do not have any coverage 
@@ -336,17 +330,6 @@ def upload_index(json_index, html_string): html_blob.upload_from_string(html_string, content_type='text/html') -def generate_html_string(content): - """Generate html body for introspector index""" - html_body = HTML_PREFIX_STRING - for project in sorted(content.keys()): - url = content[project] - html_body += f'\t
  • {project}
  • \n' - - html_body += HTML_SUFFIX_STRING - return html_body - - def generate_introspector_index(): """Generate index.html for successful Fuzz Introspector projects""" status_bucket = get_storage_client().get_bucket(STATUS_BUCKET) @@ -371,7 +354,8 @@ def generate_introspector_index(): build_date, 'fuzz_report.html') - html_string = generate_html_string(introspector_index) + html_string = fuzz_introspector_page_gen.get_fuzz_introspector_html_page( + introspector_index) upload_index(introspector_index, html_string) diff --git a/infra/build/build_status/update_build_status_test.py b/infra/build/build_status/update_build_status_test.py index 24a32f676f67..d91611f2b750 100644 --- a/infra/build/build_status/update_build_status_test.py +++ b/infra/build/build_status/update_build_status_test.py @@ -18,15 +18,13 @@ import sys import unittest from unittest import mock -from unittest.mock import MagicMock from google.cloud import ndb sys.path.append(os.path.dirname(__file__)) # pylint: disable=wrong-import-position -from datastore_entities import BuildsHistory -from datastore_entities import LastSuccessfulBuild +import datastore_entities import test_utils import update_build_status 
@@ -162,17 +160,18 @@ def test_update_last_successful_build_new(self): expected_build_id = '1' self.assertEqual( expected_build_id, - ndb.Key(LastSuccessfulBuild, 'test-project-fuzzing').get().build_id) + ndb.Key(datastore_entities.LastSuccessfulBuild, + 'test-project-fuzzing').get().build_id) def test_update_last_successful_build_datastore(self): """When last successful build is only available in datastore.""" with ndb.Client().context(): project = {'name': 'test-project'} - LastSuccessfulBuild(id='test-project-fuzzing', - build_tag='fuzzing', - project='test-project', - build_id='1', - finish_time='test_time').put() + datastore_entities.LastSuccessfulBuild(id='test-project-fuzzing', + build_tag='fuzzing', + project='test-project', + build_id='1', + finish_time='test_time').put() update_build_status.update_last_successful_build(project, 'fuzzing') expected_project = { @@ -194,17 +193,18 @@ def test_update_last_successful_build(self): 'finish_time': 'test_time' } } - LastSuccessfulBuild(id='test-project-fuzzing', - build_tag='fuzzing', - project='test-project', - build_id='1', - finish_time='test_time').put() + datastore_entities.LastSuccessfulBuild(id='test-project-fuzzing', + build_tag='fuzzing', + project='test-project', + build_id='1', + finish_time='test_time').put() update_build_status.update_last_successful_build(project, 'fuzzing') expected_build_id = '2' self.assertEqual( expected_build_id, - ndb.Key(LastSuccessfulBuild, 'test-project-fuzzing').get().build_id) + ndb.Key(datastore_entities.LastSuccessfulBuild, + 'test-project-fuzzing').get().build_id) @classmethod def tearDownClass(cls): 
@@ -232,24 +232,24 @@ def test_update_build_status(self, mock_upload_log, mock_cloud_build, mock_google_auth): """Testing update build status as a whole.""" del self, mock_cloud_build, mock_google_auth - update_build_status.upload_status = MagicMock() + update_build_status.upload_status = mock.MagicMock() mock_upload_log.return_value = True status_filename = 'status.json' with ndb.Client().context(): - BuildsHistory(id='test-project-1-fuzzing', - build_tag='fuzzing', - project='test-project-1', - build_ids=['1']).put() - - BuildsHistory(id='test-project-2-fuzzing', - build_tag='fuzzing', - project='test-project-2', - build_ids=['2']).put() - - BuildsHistory(id='test-project-3-fuzzing', - build_tag='fuzzing', - project='test-project-3', - build_ids=['3']).put() + datastore_entities.BuildsHistory(id='test-project-1-fuzzing', + build_tag='fuzzing', + project='test-project-1', + build_ids=['1']).put() + + datastore_entities.BuildsHistory(id='test-project-2-fuzzing', + build_tag='fuzzing', + project='test-project-2', + build_ids=['2']).put() + + datastore_entities.BuildsHistory(id='test-project-3-fuzzing', + build_tag='fuzzing', + project='test-project-3', + build_ids=['3']).put() builds = [{ 'build_id': '1', diff --git a/infra/build/functions/build_and_run_coverage.py b/infra/build/functions/build_and_run_coverage.py index 1eefad01e0f9..cc6fa3a17074 100755 --- a/infra/build/functions/build_and_run_coverage.py +++ b/infra/build/functions/build_and_run_coverage.py @@ -45,7 +45,7 @@ 'c', 'c++', 'go', 'jvm', 'rust', 'swift', 'python' ] -LANGUAGES_WITH_INTROSPECTOR_SUPPORT = ['c', 'c++', 'python'] +LANGUAGES_WITH_INTROSPECTOR_SUPPORT = ['c', 'c++', 'python', 'jvm'] class Bucket: # pylint: disable=too-few-public-methods @@ -56,7 +56,6 @@ def __init__(self, project, date, platform, testing): self.bucket_name = self.BUCKET_NAME if testing: self.bucket_name += '-testing' - self.date = date self.project = project self.html_report_url = ( 
@@ -173,9 +172,9 @@ def get_build_steps( # pylint: disable=too-many-locals, too-many-arguments }) # TODO(navidem): - # Currently python coverage does not produce per_target reports. + # Currently python and jvm coverage does not produce per_target reports. # Skipping python for now to avoid breakage. - if (project.fuzzing_language != 'python' and + if (project.fuzzing_language not in ['python', 'jvm'] and project.fuzzing_language in LANGUAGES_WITH_INTROSPECTOR_SUPPORT): build_steps.append(build_lib.gsutil_rm_rf_step(upload_report_by_target_url)) build_steps.append({ diff --git a/infra/build/functions/build_lib.py b/infra/build/functions/build_lib.py index 311ab74d857f..c22d8dc3158c 100644 --- a/infra/build/functions/build_lib.py +++ b/infra/build/functions/build_lib.py @@ -25,9 +25,9 @@ from googleapiclient.discovery import build as cloud_build import googleapiclient.discovery -from google.api_core.client_options import ClientOptions +import google.api_core.client_options import google.auth -from oauth2client.service_account import ServiceAccountCredentials +from oauth2client import service_account as service_account_lib import requests import yaml @@ -87,7 +87,7 @@ 'GCB_BUILDPOOL_NAME', 'projects/oss-fuzz/locations/us-central1/' 'workerPools/buildpool') -US_CENTRAL_CLIENT_OPTIONS = ClientOptions( +US_CENTRAL_CLIENT_OPTIONS = google.api_core.client_options.ClientOptions( api_endpoint='https://us-central1-cloudbuild.googleapis.com/') DOCKER_TOOL_IMAGE = 'gcr.io/cloud-builders/docker' 
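Review bot: The TODO comment above the per-target report step was only half updated: the first line now says "python and jvm coverage does not produce per_target reports" but the next line still reads "Skipping python for now to avoid breakage", which no longer matches the `not in ['python', 'jvm']` condition below it. Suggested wording: `# Currently python and jvm coverage do not produce per_target reports.` followed by `# Skip those languages for now to avoid breakage.`. Consider also lifting the list into a named constant next to `LANGUAGES_WITH_INTROSPECTOR_SUPPORT`, e.g. `LANGUAGES_WITHOUT_PER_TARGET_REPORTS = ['python', 'jvm']`, so the next language addition is a one-line change. The enclosing `get_build_steps` starts and ends outside this hunk.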
@@ -169,8 +169,9 @@ def get_signed_url(path, method='PUT', content_type=''): service_account_path = os.environ.get('GOOGLE_APPLICATION_CREDENTIALS') if service_account_path: - creds = ServiceAccountCredentials.from_json_keyfile_name( - os.environ['GOOGLE_APPLICATION_CREDENTIALS']) + creds = ( + service_account_lib.ServiceAccountCredentials.from_json_keyfile_name( + os.environ['GOOGLE_APPLICATION_CREDENTIALS'])) client_id = creds.service_account_email signature = base64.b64encode(creds.sign_blob(blob)[1]) else: diff --git a/infra/build/functions/project_sync_test.py b/infra/build/functions/project_sync_test.py index 288a81d13ef9..b3af63e91521 100644 --- a/infra/build/functions/project_sync_test.py +++ b/infra/build/functions/project_sync_test.py @@ -25,10 +25,8 @@ sys.path.append(os.path.dirname(__file__)) # pylint: disable=wrong-import-position -from datastore_entities import Project -from project_sync import get_projects -from project_sync import ProjectMetadata -from project_sync import sync_projects +import datastore_entities +import project_sync import test_utils # pylint: disable=no-member 
@@ -122,22 +120,22 @@ def test_sync_projects_update(self): cloud_scheduler_client = CloudSchedulerClient() with ndb.Client().context(): - Project(name='test1', - schedule='0 8 * * *', - project_yaml_contents='', - dockerfile_contents='').put() - Project(name='test2', - schedule='0 9 * * *', - project_yaml_contents='', - dockerfile_contents='').put() + datastore_entities.Project(name='test1', + schedule='0 8 * * *', + project_yaml_contents='', + dockerfile_contents='').put() + datastore_entities.Project(name='test2', + schedule='0 9 * * *', + project_yaml_contents='', + dockerfile_contents='').put() projects = { - 'test1': ProjectMetadata('0 8 * * *', '', ''), - 'test2': ProjectMetadata('0 7 * * *', '', '') + 'test1': project_sync.ProjectMetadata('0 8 * * *', '', ''), + 'test2': project_sync.ProjectMetadata('0 7 * * *', '', '') } - sync_projects(cloud_scheduler_client, projects) + project_sync.sync_projects(cloud_scheduler_client, projects) - projects_query = Project.query() + projects_query = datastore_entities.Project.query() self.assertEqual({ 'test1': '0 8 * * *', 'test2': '0 7 * * *' @@ -148,18 +146,18 @@ def test_sync_projects_create(self): cloud_scheduler_client = CloudSchedulerClient() with ndb.Client().context(): - Project(name='test1', - schedule='0 8 * * *', - project_yaml_contents='', - dockerfile_contents='').put() + datastore_entities.Project(name='test1', + schedule='0 8 * * *', + project_yaml_contents='', + dockerfile_contents='').put() projects = { - 'test1': ProjectMetadata('0 8 * * *', '', ''), - 'test2': ProjectMetadata('0 7 * * *', '', '') + 'test1': project_sync.ProjectMetadata('0 8 * * *', '', ''), + 'test2': project_sync.ProjectMetadata('0 7 * * *', '', '') } - sync_projects(cloud_scheduler_client, projects) + project_sync.sync_projects(cloud_scheduler_client, projects) - projects_query = Project.query() + projects_query = datastore_entities.Project.query() self.assertEqual({ 'test1': '0 8 * * *', 'test2': '0 7 * * *' 
@@ -235,19 +233,19 @@ def test_sync_projects_delete(self): cloud_scheduler_client = CloudSchedulerClient() with ndb.Client().context(): - Project(name='test1', - schedule='0 8 * * *', - project_yaml_contents='', - dockerfile_contents='').put() - Project(name='test2', - schedule='0 9 * * *', - project_yaml_contents='', - dockerfile_contents='').put() - - projects = {'test1': ProjectMetadata('0 8 * * *', '', '')} - sync_projects(cloud_scheduler_client, projects) - - projects_query = Project.query() + datastore_entities.Project(name='test1', + schedule='0 8 * * *', + project_yaml_contents='', + dockerfile_contents='').put() + datastore_entities.Project(name='test2', + schedule='0 9 * * *', + project_yaml_contents='', + dockerfile_contents='').put() + + projects = {'test1': project_sync.ProjectMetadata('0 8 * * *', '', '')} + project_sync.sync_projects(cloud_scheduler_client, projects) + + projects_query = datastore_entities.Project.query() self.assertEqual( {'test1': '0 8 * * *'}, {project.name: project.schedule for project in projects_query}) @@ -269,13 +267,13 @@ def test_get_projects_yaml(self): repo.contents[1].contents[1].set_yaml_contents(b'builds_per_day: 3') self.assertEqual( - get_projects(repo), { + project_sync.get_projects(repo), { 'test0': - ProjectMetadata('0 6,18 * * *', 'builds_per_day: 2', - 'name: test'), + project_sync.ProjectMetadata('0 6,18 * * *', + 'builds_per_day: 2', 'name: test'), 'test1': - ProjectMetadata('0 6,14,22 * * *', 'builds_per_day: 3', - 'name: test') + project_sync.ProjectMetadata('0 6,14,22 * * *', + 'builds_per_day: 3', 'name: test') }) def test_get_projects_no_docker_file(self): 
@@ -290,8 +288,11 @@ def test_get_projects_no_docker_file(self): ]) self.assertEqual( - get_projects(repo), - {'test0': ProjectMetadata('0 6 * * *', 'name: test', 'name: test')}) + project_sync.get_projects(repo), { + 'test0': + project_sync.ProjectMetadata('0 6 * * *', 'name: test', + 'name: test') + }) def test_get_projects_invalid_project_name(self): """Testing get_projects() with invalid project name""" @@ -308,8 +309,11 @@ def test_get_projects_invalid_project_name(self): ]) self.assertEqual( - get_projects(repo), - {'test0': ProjectMetadata('0 6 * * *', 'name: test', 'name: test')}) + project_sync.get_projects(repo), { + 'test0': + project_sync.ProjectMetadata('0 6 * * *', 'name: test', + 'name: test') + }) def test_get_projects_non_directory_type_project(self): """Testing get_projects() when a file in projects/ is not of type 'dir'.""" @@ -323,8 +327,11 @@ def test_get_projects_non_directory_type_project(self): ]) self.assertEqual( - get_projects(repo), - {'test0': ProjectMetadata('0 6 * * *', 'name: test', 'name: test')}) + project_sync.get_projects(repo), { + 'test0': + project_sync.ProjectMetadata('0 6 * * *', 'name: test', + 'name: test') + }) def test_invalid_yaml_format(self): """Testing invalid yaml schedule parameter argument.""" @@ -338,7 +345,7 @@ def test_invalid_yaml_format(self): repo.contents[0].contents[1].set_yaml_contents( b'builds_per_day: some-string') - self.assertEqual(get_projects(repo), {}) + self.assertEqual(project_sync.get_projects(repo), {}) def test_yaml_out_of_range(self): """Testing invalid yaml schedule parameter argument.""" @@ -351,7 +358,7 @@ def test_yaml_out_of_range(self): ]) repo.contents[0].contents[1].set_yaml_contents(b'builds_per_day: 5') - self.assertEqual(get_projects(repo), {}) + self.assertEqual(project_sync.get_projects(repo), {}) @classmethod def tearDownClass(cls): diff --git a/infra/build/functions/request_build.py b/infra/build/functions/request_build.py index b4574f616613..2b113dacaea9 100644 
--- a/infra/build/functions/request_build.py +++ b/infra/build/functions/request_build.py @@ -21,8 +21,7 @@ import yaml import build_project -from datastore_entities import BuildsHistory -from datastore_entities import Project +import datastore_entities BASE_PROJECT = 'oss-fuzz-base' MAX_BUILD_HISTORY_LENGTH = 64 @@ -31,14 +30,16 @@ def update_build_history(project_name, build_id, build_tag): """Update build history of project.""" - project_key = ndb.Key(BuildsHistory, project_name + '-' + build_tag) + project_key = ndb.Key(datastore_entities.BuildsHistory, + project_name + '-' + build_tag) project = project_key.get() if not project: - project = BuildsHistory(id=project_name + '-' + build_tag, - build_tag=build_tag, - project=project_name, - build_ids=[]) + project = datastore_entities.BuildsHistory(id=project_name + '-' + + build_tag, + build_tag=build_tag, + project=project_name, + build_ids=[]) if len(project.build_ids) >= MAX_BUILD_HISTORY_LENGTH: project.build_ids.pop(0) @@ -49,7 +50,8 @@ def update_build_history(project_name, build_id, build_tag): def get_project_data(project_name): """Retrieve project metadata from datastore.""" - query = Project.query(Project.name == project_name) + query = datastore_entities.Project.query( + datastore_entities.Project.name == project_name) project = query.get() if not project: raise RuntimeError( diff --git a/infra/build/functions/requirements.txt b/infra/build/functions/requirements.txt index fc660a2bdfaf..f002433983ca 100644 --- a/infra/build/functions/requirements.txt +++ b/infra/build/functions/requirements.txt @@ -29,3 +29,4 @@ google-api-python-client==1.9.3 oauth2client==4.1.3 python-dateutil==2.8.1 protobuf==3.20.2 +beautifulsoup4==4.11.1 diff --git a/infra/cifuzz/fuzz_target.py b/infra/cifuzz/fuzz_target.py index 5a5ca51898fd..345852f2d91e 100644 --- a/infra/cifuzz/fuzz_target.py +++ b/infra/cifuzz/fuzz_target.py 
@@ -193,7 +193,7 @@ def fuzz(self, batch=False): result = engine_impl.fuzz(self.target_path, options, artifacts_dir, self.duration) - print(result.logs) + print(f'Fuzzing logs:\n{result.logs}') if not result.crashes: # Libfuzzer max time was reached. @@ -201,6 +201,11 @@ def fuzz(self, batch=False): self.target_name) return FuzzResult(None, None, self.latest_corpus_path) + if result.timed_out: + logging.info('Not reporting crash in %s because process timed out.', + self.target_name) + return FuzzResult(None, None, self.latest_corpus_path) + # Only report first crash. crash = result.crashes[0] logging.info('Fuzzer: %s. Detected bug.', self.target_name) diff --git a/infra/experimental/SystemSan/inspect_dns.cpp b/infra/experimental/SystemSan/inspect_dns.cpp index 8f08e3a3f7c3..030446345096 100644 --- a/infra/experimental/SystemSan/inspect_dns.cpp +++ b/infra/experimental/SystemSan/inspect_dns.cpp @@ -108,6 +108,7 @@ struct DnsRequest parse_dns_request(std::vector data, size_t offset) while(offset < data.size()) { uint8_t rlen = uint8_t(data[offset]); if (rlen == 0) { + offset++; break; } r.nb_levels++; diff --git a/infra/helper.py b/infra/helper.py index dc9d23033386..8dbf9c7a2c28 100755 --- a/infra/helper.py +++ b/infra/helper.py @@ -172,7 +172,10 @@ def main(): # pylint: disable=too-many-branches,too-many-return-statements # We have different default values for `sanitizer` depending on the `engine`. # Some commands do not have `sanitizer` argument, so `hasattr` is necessary. if hasattr(args, 'sanitizer') and not args.sanitizer: - args.sanitizer = constants.DEFAULT_SANITIZER + if args.project.language == 'javascript': + args.sanitizer = 'none' + else: + args.sanitizer = constants.DEFAULT_SANITIZER if args.command == 'generate': result = generate(args) diff --git a/infra/presubmit.py b/infra/presubmit.py index 82a985cd3dc4..753d2fc76013 100755 --- a/infra/presubmit.py +++ b/infra/presubmit.py 
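Review bot: The new `result.timed_out` branch in `fuzz` discards every crash the engine recorded and only logs at INFO, so a genuine crash that happens to land near the CI deadline disappears from the run output without any visible warning. Log at WARNING and include what is being dropped, `logging.warning('Discarding %d crash(es) in %s: fuzzing process timed out.', len(result.crashes), self.target_name)`, so a maintainer reading the job log can tell that a finding was suppressed rather than absent. If `timed_out` in the engine result also covers libFuzzer's own `-timeout` findings (hangs), those would be silently dropped too, which is worth confirming against the engine implementation before relying on this. The enclosing `fuzz` method starts and ends outside this hunk.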
@@ -66,7 +66,7 @@ def _check_one_lib_fuzzing_engine(build_sh_file): def check_lib_fuzzing_engine(paths): """Calls _check_one_lib_fuzzing_engine on each path in |paths|. Returns True if the result of every call is True.""" - return all([_check_one_lib_fuzzing_engine(path) for path in paths]) + return all(_check_one_lib_fuzzing_engine(path) for path in paths) class ProjectYamlChecker: @@ -222,10 +222,30 @@ def check_project_yaml(paths): return all([_check_one_project_yaml(path) for path in paths]) +def _check_one_seed_corpus(path): + """Returns False and prints error if |path| is a seed corpus.""" + if os.path.dirname(os.path.dirname(path)) != 'projects': + return True + + if os.path.splitext(path)[1] == 'zip': + print('Don\'t commit seed corpora into the ClusterFuzz repo,' + 'they bloat it forever.') + return False + + return True + + +def check_seed_corpus(paths): + """Calls _check_one_seed_corpus on each path in |paths|. Returns True if the + result of every call is True.""" + return all([_check_one_seed_corpus(path) for path in paths]) + + def do_checks(changed_files): """Runs all presubmit checks. Returns False if any fails.""" checks = [ - check_license, yapf, lint, check_project_yaml, check_lib_fuzzing_engine + check_license, yapf, lint, check_project_yaml, check_lib_fuzzing_engine, + check_seed_corpus ] # Use a list comprehension here and in other cases where we use all() so that # we don't quit early on failure. This is more user-friendly since the more diff --git a/projects/abseil-cpp/BUILD b/projects/abseil-cpp/BUILD index d40194ed5f48..f91e3624239f 100644 --- a/projects/abseil-cpp/BUILD +++ b/projects/abseil-cpp/BUILD @@ -24,7 +24,8 @@ cc_binary( name = "string_utilities_fuzzer", deps = [ "@com_google_absl//absl/strings", - "@com_google_absl//absl/strings:cord" + "@com_google_absl//absl/strings:cord", + "@com_google_absl//absl/strings:str_format" ], srcs = ["string_utilities_fuzzer.cc"], -) \ No newline at end of file +) 
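Review bot: Changing `check_lib_fuzzing_engine` from `all([...])` to a generator makes `all()` stop at the first failing path, so only the first offending build.sh has its error printed; the comment in `do_checks` later in this diff states that the list comprehension is used deliberately so checks do not quit early. Keep `return all([_check_one_lib_fuzzing_engine(path) for path in paths])`, and if a lint rule prompted the change, silence it locally with `# pylint: disable=use-a-generator` as the sibling checks do implicitly.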
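Review bot: `os.path.splitext(path)[1]` returns the extension with its leading dot (`'.zip'`), so the comparison against `'zip'` in `_check_one_seed_corpus` can never be true and the new presubmit check will never reject anything. Compare against `'.zip'`, or more specifically `path.endswith('_seed_corpus.zip')` if only seed corpora are meant. The error message also lacks a space between the concatenated literals (`'repo,' 'they'` prints as `repo,they`) and refers to the ClusterFuzz repo although this is the OSS-Fuzz presubmit: `print("Don't commit seed corpora into the OSS-Fuzz repo, they bloat it forever.")`. Note the grandparent check only matches files directly under `projects/<name>/`, so a corpus placed one directory deeper is not caught; if that is intentional a comment saying so would help.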
diff --git a/projects/angus-mail/ASCIIUtilityFuzzer.java b/projects/angus-mail/ASCIIUtilityFuzzer.java index 815f53c0130a..478a98d7d4e5 100644 --- a/projects/angus-mail/ASCIIUtilityFuzzer.java +++ b/projects/angus-mail/ASCIIUtilityFuzzer.java @@ -17,9 +17,10 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider; -import com.sun.mail.util.ASCIIUtility; import java.lang.NumberFormatException; +import org.eclipse.angus.mail.util.ASCIIUtility; + public class ASCIIUtilityFuzzer { public static void fuzzerTestOneInput(FuzzedDataProvider data) { byte[] input = data.consumeRemainingAsBytes(); diff --git a/projects/angus-mail/BASE64EncoderStreamFuzzer.java b/projects/angus-mail/BASE64EncoderStreamFuzzer.java index 7f066510c73e..352ccdff8a7b 100644 --- a/projects/angus-mail/BASE64EncoderStreamFuzzer.java +++ b/projects/angus-mail/BASE64EncoderStreamFuzzer.java @@ -16,11 +16,13 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider; -import com.sun.mail.util.BASE64EncoderStream; import java.lang.NumberFormatException; import java.io.ByteArrayOutputStream; import java.io.IOException; +import org.eclipse.angus.mail.util.BASE64EncoderStream; +import org.eclipse.angus.mail.util.ASCIIUtility; + public class BASE64EncoderStreamFuzzer { public static void fuzzerTestOneInput(FuzzedDataProvider data) { ByteArrayOutputStream baos = new ByteArrayOutputStream(); diff --git a/projects/apache-axis2/Dockerfile b/projects/apache-axis2/Dockerfile new file mode 100644 index 000000000000..b3ea2acaf9af --- /dev/null +++ b/projects/apache-axis2/Dockerfile 
@@ -0,0 +1,53 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder-jvm + +# +# install maven configuration, which is also used by gradles's publishToMavenLocal +# +ADD maven-settings.xml ${SRC}/ +RUN apt-get install -y xmlstarlet +RUN mkdir -p ~/.m2 && \ + xmlstarlet ed \ + -u "settings/localRepository" -v "${OUT}/m2/repository" \ + < ${SRC}/maven-settings.xml > ~/.m2/settings.xml + +# +# install maven and gradle +# +RUN curl -L https://downloads.apache.org/maven/maven-3/3.8.7/binaries/apache-maven-3.8.7-bin.zip -o maven.zip && \ + unzip maven.zip -d $SRC/maven-3.8.7 && \ + rm -rf maven.zip + +ENV MVN $SRC/maven-3.8.7/apache-maven-3.8.7/bin/mvn + +RUN curl -L https://services.gradle.org/distributions/gradle-7.6-bin.zip -o gradle.zip && \ + unzip gradle.zip -d $SRC/gradle && \ + rm -rf gradle.zip + +ENV GRADLE $SRC/gradle/gradle-7.6/bin/gradle + +ENV LIBRARY_NAME axis-axis2-java-core +WORKDIR ${SRC} +# +# clone repository +# +RUN git clone https://github.com/apache/axis-axis2-java-core.git ${LIBRARY_NAME} + +ADD build.sh ${SRC}/ +ADD ${LIBRARY_NAME}-fuzzer ${SRC}/${LIBRARY_NAME}-fuzzer/ +WORKDIR ${SRC}/${LIBRARY_NAME} \ No newline at end of file 
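Review bot: The Maven and Gradle archives are fetched with `curl -L ... -o maven.zip` and unpacked with no checksum verification, so the toolchain that builds the fuzz target is trusted purely on the TLS connection; Apache publishes a `.sha512` next to the binary and Gradle a `.sha256`, so add `echo "<sha512>  maven.zip" | sha512sum -c -` (and the sha256 equivalent for gradle.zip) before the `unzip`. Use `curl -fL` as well, otherwise an HTTP error page is saved as the zip and the failure only surfaces as a confusing `unzip` error. `RUN apt-get install -y xmlstarlet` has no preceding `apt-get update`; it presumably works because the base image keeps its package lists, but that is worth confirming. The copyright header says 2022 for a file created in 2023.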
diff --git a/projects/apache-axis2/axis-axis2-java-core-fuzzer/pom.xml b/projects/apache-axis2/axis-axis2-java-core-fuzzer/pom.xml new file mode 100644 index 000000000000..509125df5786 --- /dev/null +++ b/projects/apache-axis2/axis-axis2-java-core-fuzzer/pom.xml @@ -0,0 +1,93 @@ + + 4.0.0 + + ossfuzz + axis-axis2-java-core-fuzzer + ${fuzzedLibaryVersion} + jar + + + 15 + 15 + UTF-8 + 1.8.2 + ossfuzz.HttpInterfaceFuzzer + + + + + + + + com.code-intelligence + jazzer-api + 0.12.0 + + + org.apache.axis2 + axis2-adb + ${fuzzedLibaryVersion} + + + org.apache.axis2 + axis2-kernel + ${fuzzedLibaryVersion} + + + org.apache.axis2 + axis2-jaxws + ${fuzzedLibaryVersion} + + + org.apache.axis2 + axis2-transport-http + ${fuzzedLibaryVersion} + + + org.apache.axis2 + axis2-transport-local + ${fuzzedLibaryVersion} + + + + + + + org.apache.maven.plugins + maven-shade-plugin + 3.3.0 + + + + *:* + + META-INF/*.SF + META-INF/*.DSA + META-INF/*.RSA + + + + + + + package + + shade + + + + + + + \ No newline at end of file diff --git a/projects/apache-axis2/axis-axis2-java-core-fuzzer/src/main/java/org/apache/axis2/HttpInterfaceFuzzer.java b/projects/apache-axis2/axis-axis2-java-core-fuzzer/src/main/java/org/apache/axis2/HttpInterfaceFuzzer.java new file mode 100644 index 000000000000..ae4075d2674f --- /dev/null +++ b/projects/apache-axis2/axis-axis2-java-core-fuzzer/src/main/java/org/apache/axis2/HttpInterfaceFuzzer.java 
@@ -0,0 +1,64 @@ +package org.apache.axis2; + +import com.code_intelligence.jazzer.api.FuzzedDataProvider; + +import java.io.DataOutputStream; +import java.io.IOException; +import java.net.*; +import org.apache.http.client.utils.URIBuilder; +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.http.HttpResponse; + +import org.apache.axis2.kernel.SimpleAxis2Server; + + +public class HttpInterfaceFuzzer extends SimpleAxis2Server { + + private FuzzedDataProvider fuzzedDataProvider; + + public HttpInterfaceFuzzer(FuzzedDataProvider fuzzedDataProvider) throws Exception { + super(null, null); + this.fuzzedDataProvider = fuzzedDataProvider; + + deployService("samples.quickstart.service.pojo.StockQuoteService"); + } + + void test() { + try{ + start(); + + var client = HttpClient.newHttpClient(); + URI uri = new URI("http://localhost:6060/axis2/services/StockQuoteService/" + fuzzedDataProvider.consumeRemainingAsString()); + var request = HttpRequest.newBuilder(uri) + .GET() + .build(); + var reponse = client.send(request, HttpResponse.BodyHandlers.ofString()); + } catch (MalformedURLException e) { + + } catch (IOException e) { + + } catch (URISyntaxException e) { + + } catch (InterruptedException e) { + + } + + try { + stop(); + } catch (Exception ex) { + + } + + + } + + public static void fuzzerTestOneInput(FuzzedDataProvider fuzzedDataProvider) throws Exception { + + HttpInterfaceFuzzer fixture = new HttpInterfaceFuzzer(fuzzedDataProvider); + fixture.test(); + + fixture = null; + Thread.sleep(100); // good old way to get sockets closed. + } +} \ No newline at end of file diff --git a/projects/apache-axis2/axis-axis2-java-core-fuzzer/src/main/java/samples/quickstart/service/pojo/StockQuoteService.java b/projects/apache-axis2/axis-axis2-java-core-fuzzer/src/main/java/samples/quickstart/service/pojo/StockQuoteService.java new file mode 100644 index 000000000000..345252444aad --- /dev/null 
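Review bot: In `test()` the fuzzer-supplied string is concatenated into the single-argument `new URI(...)`, which rejects any unescaped reserved or non-ASCII character with `URISyntaxException`; that exception is swallowed, so most inputs never reach the server and the fuzzer mostly exercises URI parsing rather than Axis2 — the multi-argument constructor percent-encodes the path, `URI uri = new URI("http", null, "localhost", 6060, "/axis2/services/StockQuoteService/" + fuzzedDataProvider.consumeRemainingAsString(), null, null);` (or the already-imported `URIBuilder`). The four empty catch blocks also hide an `IOException` from `client.send`, which includes the server failing to come up on the fixed port 6060, so a run would continue silently with no coverage; a comment naming the exceptions that are expected, and at least logging the rest, would make that visible. `stop()` belongs in a `finally` so a throw from `start()` or `send` still releases the port, and the unused `DataOutputStream`/`java.net.*` imports and the misspelled, unused local `reponse` can go. Starting and stopping a full server per input plus the `Thread.sleep(100)` in `fuzzerTestOneInput` caps throughput at a few executions per second; Jazzer's static `fuzzerInitialize()` hook would let the server start once and `test()` reuse it.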
+++ b/projects/apache-axis2/axis-axis2-java-core-fuzzer/src/main/java/samples/quickstart/service/pojo/StockQuoteService.java @@ -0,0 +1,49 @@ +/* + * from https://github.com/apache/axis-axis2-java-core/blob/d8237fd1058354874a3e4c2f07da780a27bcf3ff/modules/samples/quickstart/src/samples/quickstart/service/pojo/StockQuoteService.java + */ + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package samples.quickstart.service.pojo; + +import java.util.HashMap; + +public class StockQuoteService { + private HashMap map = new HashMap(); + + void printMap(HashMap map) { + for (Object name: map.keySet()) { + String key = name.toString(); + String value = map.get(name).toString(); + System.out.println(key + "=" + value); + } + } + + public double getPrice(String symbol) { + Double price = (Double) map.get(symbol); + if(price != null){ + return price.doubleValue(); + } + return 42.00; + } + + public void update(String symbol, double price) { + map.put(symbol, new Double(price)); + } +} diff --git a/projects/apache-axis2/build.sh b/projects/apache-axis2/build.sh new file mode 100644 index 000000000000..7c1389bff8c8 --- /dev/null +++ b/projects/apache-axis2/build.sh 
@@ -0,0 +1,80 @@ +#!/bin/bash -eu +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +MVN_FLAGS="-DskipTests" +ALL_JARS="" + +# Install the build servers' jazzer-api into the maven repository. +pushd "/tmp" + ${MVN} install:install-file -Dfile=${JAZZER_API_PATH} \ + -DgroupId="com.code-intelligence" \ + -DartifactId="jazzer-api" \ + -Dversion="0.12.0" \ + -Dpackaging=jar +popd + +pushd "${SRC}/${LIBRARY_NAME}" + ${MVN} install ${MVN_FLAGS} + CURRENT_VERSION=$(${MVN} org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) +popd + +pushd "${SRC}/${LIBRARY_NAME}-fuzzer" + ${MVN} package -DfuzzedLibaryVersion="${CURRENT_VERSION}" ${MVN_FLAGS} + install -v target/${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar ${OUT}/${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar + ALL_JARS="${ALL_JARS} ${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar" +popd + + + +# The classpath at build-time includes the project jars in $OUT as well as the +# Jazzer API. +BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH + +# All .jar and .class files lie in the same directory as the fuzzer at runtime. 
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir + +MVN_FUZZERS_PREFIX="src/main/java" + +for fuzzer in $(find ${SRC} -name '*Fuzzer.java'); do + # Find our fuzzer inside the maven structure + stripped_path=$(echo ${fuzzer} | sed \ + -e 's|^.*src/main/java/\(.*\).java$|\1|' \ + -e 's|^.*src/test/java/\(.*\).java$|\1|' \ + ); + # The .java suffix was stripped by sed. + if (echo ${stripped_path} | grep ".java$"); then + continue; + fi + + fuzzer_basename=$(basename -s .java $fuzzer) + fuzzer_classname=$(echo ${stripped_path} | sed 's|/|.|g'); + + # Create an execution wrapper that executes Jazzer with the correct arguments. + + echo "#!/bin/sh +# LLVMFuzzerTestOneInput Magic String required for infra/base-images/base-runner/test_all.py. DO NOT REMOVE + + +this_dir=\$(dirname \"\$0\") +LD_LIBRARY_PATH=\"\$JVM_LD_LIBRARY_PATH\":\$this_dir \ +\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \ +--cp=${RUNTIME_CLASSPATH} \ +--target_class=${fuzzer_classname} \ +--jvm_args=\"-Xmx2048m\" \ +\$@" > $OUT/${fuzzer_basename} + chmod u+x $OUT/${fuzzer_basename} +done \ No newline at end of file diff --git a/projects/apache-axis2/maven-settings.xml b/projects/apache-axis2/maven-settings.xml new file mode 100644 index 000000000000..4359e57ec065 --- /dev/null +++ b/projects/apache-axis2/maven-settings.xml @@ -0,0 +1,3 @@ + + ${user.home}/.m2/repository + \ No newline at end of file diff --git a/projects/apache-axis2/project.yaml b/projects/apache-axis2/project.yaml new file mode 100644 index 000000000000..6ff366a653e3 --- /dev/null +++ b/projects/apache-axis2/project.yaml 
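Review bot: `for fuzzer in $(find ${SRC} -name '*Fuzzer.java')` walks all of `$SRC`, including the freshly cloned library checkout, so any `*Fuzzer.java` upstream happens to contain would also get a run wrapper pointing at a class that is not on the shaded classpath; `find "${SRC}/${LIBRARY_NAME}-fuzzer" -name '*Fuzzer.java'` limits it to this project's own targets. The loop variable and `$OUT` are unquoted throughout (`basename -s .java $fuzzer`, `> $OUT/${fuzzer_basename}`), which works for the paths used here but `"${fuzzer}"`/`"${OUT}"` would match the strictness the `-eu` shebang asks for. `ALL_JARS` only ever holds the fuzzer jar, and `BUILD_CLASSPATH` computed from it appears unused in the rest of the script, so either it is dead or a comment should say what consumes it.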
@@ -0,0 +1,15 @@
+homepage: "https://axis.apache.org/axis2/java/core/"
+language: jvm
+main_repo: "https://github.com/apache/axis-axis2-java-core.git"
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+vendor_ccs:
+ - "wagner@code-intelligence.com"
+ - "yakdan@code-intelligence.com"
+ - "glendowne@code-intelligence.com"
+ - "patrice.salathe@code-intelligence.com"
+ - "hlin@code-intelligence.com"
+ - "schaich@code-intelligence.com"
+ - "bug-disclosure@code-intelligence.com"
diff --git a/projects/babel/Dockerfile b/projects/babel/Dockerfile
new file mode 100644
index 000000000000..564af13e9201
--- /dev/null
+++ b/projects/babel/Dockerfile
@@ -0,0 +1,19 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN pip3 install --upgrade pip && pip3 install cython
+RUN git clone https://github.com/python-babel/babel babel
+COPY *.sh *py $SRC/
+WORKDIR $SRC/babel
diff --git a/projects/babel/build.sh b/projects/babel/build.sh
new file mode 100644
index 000000000000..dd11fafc62bb
--- /dev/null
+++ b/projects/babel/build.sh
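Review bot: The first line `#!/usr/bin/python3` is a shebang carried over from a Python template; Docker treats it as a comment, so it is harmless, but it is misleading in a Dockerfile and should be dropped — the same line heads the bz2file Dockerfile later in this commit. `COPY *.sh *py $SRC/` only works because `*py` happens to match `fuzz_lexer.py`; `*.py` states the intent. `pip3 install cython` is not obviously needed by a pure-Python project; if babel's build does not require it, that layer can go.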
@@ -0,0 +1,21 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+pip3 install .
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+ compile_python_fuzzer $fuzzer
+done
diff --git a/projects/babel/fuzz_lexer.py b/projects/babel/fuzz_lexer.py
new file mode 100644
index 000000000000..2c76652c5905
--- /dev/null
+++ b/projects/babel/fuzz_lexer.py
@@ -0,0 +1,43 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import sys
+import atheris
+
+from babel.messages.jslexer import tokenize
+import babel
+
+
+def TestOneInput(data):
+ fdp = atheris.FuzzedDataProvider(data)
+ try:
+ l1 = list(tokenize(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)))
+ except (
+ babel.messages.pofile.PoFileError,
+ babel.core.UnknownLocaleError,
+ babel.messages.catalog.TranslationError,
+ babel.numbers.UnknownCurrencyError,
+ babel.plural.RuleError
+ ):
+ pass
+
+
+def main():
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/projects/babel/fuzz_profile.py b/projects/babel/fuzz_profile.py
new file mode 100644
index 000000000000..4d679bd86142
--- /dev/null
+++ b/projects/babel/fuzz_profile.py
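Review bot: The `except (...)` tuple in `TestOneInput` is only evaluated when `tokenize` raises, and it names submodules (`babel.messages.pofile`, `babel.messages.catalog`, `babel.numbers`, `babel.plural`, `babel.core`) this file never imports; if any of them has not been loaded as a side effect of `from babel.messages.jslexer import tokenize`, the handler itself fails with `AttributeError` and masks the original exception in the crash report. Importing the exception classes at module level (`from babel.messages.pofile import PoFileError`, and so on) makes the tuple a plain name lookup; the same pattern is in fuzz_profile.py in this commit. Most of these types also look unrelated to a JavaScript lexer — keeping only the exceptions `tokenize` can actually raise stops the handler from hiding genuine bugs. `l1` is assigned but never used.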
@@ -0,0 +1,42 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import sys
+import atheris
+
+from babel.messages.pofile import read_po
+import babel
+
+
+def TestOneInput(data):
+ fdp = atheris.FuzzedDataProvider(data)
+ try:
+ read_po(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize))
+ except (
+ babel.messages.pofile.PoFileError,
+ babel.core.UnknownLocaleError,
+ babel.messages.catalog.TranslationError,
+ babel.plural.RuleError
+ ):
+ pass
+
+
+def main():
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/projects/babel/project.yaml b/projects/babel/project.yaml
new file mode 100644
index 000000000000..d1324386ad80
--- /dev/null
+++ b/projects/babel/project.yaml
@@ -0,0 +1,10 @@
+homepage: https://github.com/python-babel/babel
+main_repo: https://github.com/python-babel/babel
+language: python
+fuzzing_engines:
+- libfuzzer
+sanitizers:
+- address
+- undefined
+vendor_ccs:
+- david@adalogics.com
diff --git a/projects/bind9/build.sh b/projects/bind9/build.sh
index 5b9c2a528622..1d53eb42ef69 100644
--- a/projects/bind9/build.sh
+++ b/projects/bind9/build.sh
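Review bot: `read_po` is handed the raw string from `ConsumeUnicodeNoSurrogates`, but babel's `read_po` takes a file-like object and iterates it line by line; iterating a `str` yields single characters, so each input is most likely parsed as a run of one-character lines rather than as a PO file, and the fuzzer barely touches the parser's real logic. Wrapping the input, `read_po(io.StringIO(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)))` with `import io` added, feeds it proper lines. A short comment on what the expected-exception list is for would also help, since the tuple mixes parser errors with locale and plural-rule errors.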
@@ -23,7 +23,7 @@ autoreconf -fi LIBISC_CFLAGS="-Ilib/isc/unix/include -Ilib/isc/pthreads/include -Ilib/isc/include" LIBDNS_CFLAGS="-Ilib/dns/include" -LIBISC_LIBS="lib/isc/.libs/libisc.a -Wl,-Bstatic -lssl -lcrypto -luv -lnghttp2 -Wl,-Bdynamic" +LIBISC_LIBS="lib/isc/.libs/libisc.a -Wl,-Bstatic -Wl,-u,isc__initialize,-u,isc__shutdown -lssl -lcrypto -luv -lnghttp2 -Wl,-Bdynamic" LIBDNS_LIBS="lib/dns/.libs/libdns.a -Wl,-Bstatic -lcrypto -Wl,-Bdynamic" # dns_name_fromwire needs old.c/old.h code to be linked in diff --git a/projects/binutils/build.sh b/projects/binutils/build.sh index a91db402e6ec..a57225276cbe 100755 --- a/projects/binutils/build.sh +++ b/projects/binutils/build.sh @@ -42,7 +42,7 @@ mkdir fuzz cp ../fuzz_*.c fuzz/ cd fuzz -LIBS="../opcodes/libopcodes.a ../libctf/.libs/libctf.a ../bfd/libbfd.a ../zlib/libz.a ../libsframe/.libs/libsframe.a ../libiberty/libiberty.a" +LIBS="../opcodes/libopcodes.a ../libctf/.libs/libctf.a ../bfd/.libs/libbfd.a ../zlib/libz.a ../libsframe/.libs/libsframe.a ../libiberty/libiberty.a" for i in fuzz_disassemble fuzz_bfd fuzz_bfd_ext; do $CC $CFLAGS -I ../include -I ../bfd -I ../opcodes -c $i.c -o $i.o $CXX $CXXFLAGS $i.o -o $OUT/$i $LIB_FUZZING_ENGINE -Wl,--start-group ${LIBS} -Wl,--end-group diff --git a/projects/bitcoin-core/build.sh b/projects/bitcoin-core/build.sh index 4eb86ff1d4e2..3975d2312f46 100755 --- a/projects/bitcoin-core/build.sh +++ b/projects/bitcoin-core/build.sh @@ -29,7 +29,7 @@ fi ( cd depends sed -i --regexp-extended '/.*rm -rf .*extract_dir.*/d' ./funcs.mk # Keep extracted source - make HOST=$BUILD_TRIPLET NO_QT=1 NO_BDB=1 NO_ZMQ=1 NO_UPNP=1 NO_NATPMP=1 libevent_cflags="${CFLAGS}" sqlite_cflags="${CFLAGS}" -j$(nproc) + make HOST=$BUILD_TRIPLET NO_QT=1 NO_BDB=1 NO_ZMQ=1 NO_UPNP=1 NO_NATPMP=1 -j$(nproc) # DEBUG=1 is temporarily disabled due to libc++ bugs ) diff --git a/projects/bitcoin-core/project.yaml b/projects/bitcoin-core/project.yaml index 15ae7ded9c3c..271796070642 100644 
--- a/projects/bitcoin-core/project.yaml +++ b/projects/bitcoin-core/project.yaml @@ -4,11 +4,9 @@ language: c++ primary_contact: "macro.fuzzing.uxuga@aleeas.com" auto_ccs: - "fanquake@gmail.com" - - "john@johnnewbery.com" - "jonas@chaincode.com" - "laanwj@gmail.com" - "pieter@chaincode.com" - - "thomas.j.bitcoin@protonmail.com" sanitizers: - address - undefined diff --git a/projects/boringssl/project.yaml b/projects/boringssl/project.yaml index ab49fcb97edd..046c43924856 100644 --- a/projects/boringssl/project.yaml +++ b/projects/boringssl/project.yaml @@ -2,6 +2,7 @@ homepage: "https://boringssl.googlesource.com/boringssl/" language: c++ primary_contact: "agl@google.com" auto_ccs: + - "bbe@google.com" - "davidben@google.com" - "svaldez@google.com" sanitizers: diff --git a/projects/bottleneck/Dockerfile b/projects/bottleneck/Dockerfile index 38496d27305d..f552a5843998 100644 --- a/projects/bottleneck/Dockerfile +++ b/projects/bottleneck/Dockerfile @@ -16,11 +16,7 @@ FROM gcr.io/oss-fuzz-base/base-builder-python RUN apt-get update && apt-get install -y make autoconf automake libtool -RUN pip3 install --upgrade pip && pip3 install cython -RUN git clone https://github.com/numpy/numpy && cd numpy && git submodule update --init -RUN cd $SRC/numpy && \ - pip3 install . && \ - python3 setup.py install +RUN pip3 install --upgrade pip && pip3 install cython numpy RUN git clone --depth 1 https://github.com/pydata/bottleneck WORKDIR bottleneck COPY build.sh *.py $SRC/ diff --git a/projects/bz2file/Dockerfile b/projects/bz2file/Dockerfile new file mode 100644 index 000000000000..beddeb8b39df --- /dev/null +++ b/projects/bz2file/Dockerfile 
@@ -0,0 +1,19 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN pip3 install --upgrade pip
+RUN git clone https://github.com/nvawda/bz2file bz2file
+COPY *.sh *py $SRC/
+WORKDIR $SRC/bz2file
diff --git a/projects/bz2file/build.sh b/projects/bz2file/build.sh
new file mode 100644
index 000000000000..d0b48f4eb816
--- /dev/null
+++ b/projects/bz2file/build.sh
@@ -0,0 +1,21 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+pip3 install .
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+ compile_python_fuzzer $fuzzer
+done
\ No newline at end of file
diff --git a/projects/bz2file/fuzz_bz2file.py b/projects/bz2file/fuzz_bz2file.py
new file mode 100644
index 000000000000..ab27d955be51
--- /dev/null
+++ b/projects/bz2file/fuzz_bz2file.py @@ -0,0 +1,42 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +import sys +import atheris + +import bz2file + + +def TestOneInput(data): + fdp = atheris.FuzzedDataProvider(data) + bzfile_path = '/tmp/random_file.txt' + with open(bzfile_path, 'wb') as f: + f.write(fdp.ConsumeBytes(sys.maxsize)) + + try: + with bz2file.open(bzfile_path) as target_file: + target_file.seek(fdp.ConsumeIntInRange(-1, 100)) + target_file.read(size=fdp.ConsumeIntInRange(-1, 100)) + except (ValueError,EOFError,OSError): + pass + + +def main(): + atheris.instrument_all() + atheris.Setup(sys.argv, TestOneInput) + atheris.Fuzz() + + +if __name__ == "__main__": + main() diff --git a/projects/bz2file/project.yaml b/projects/bz2file/project.yaml new file mode 100644 index 000000000000..a1465db95234 --- /dev/null +++ b/projects/bz2file/project.yaml @@ -0,0 +1,10 @@ +homepage: https://github.com/nvawda/bz2file +main_repo: https://github.com/nvawda/bz2file +language: python +fuzzing_engines: +- libfuzzer +sanitizers: +- address +- undefined +vendor_ccs: +- david@adalogics.com diff --git a/projects/c-ares/build.sh b/projects/c-ares/build.sh index 2d68ee7e141f..b339262b2026 100755 --- a/projects/c-ares/build.sh +++ b/projects/c-ares/build.sh @@ -17,7 +17,7 @@ # Build the project. ./buildconf -./configure --enable-debug +./configure --enable-debug --disable-tests make clean make -j$(nproc) V=1 all 
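Review bot: Every iteration writes the input to the fixed path `/tmp/random_file.txt`; under libFuzzer's `-jobs`/`-fork` modes several worker processes share that path and can read each other's half-written data, which produces crashes that do not reproduce from the saved input. `bz2file.open` also accepts an existing file object, so the disk round-trip is avoidable: `with bz2file.open(io.BytesIO(fdp.ConsumeBytes(sys.maxsize))) as target_file:` with `import io` added, or at least a per-process `tempfile.NamedTemporaryFile`. Passing `-1` through `seek(...)` and `read(size=...)` looks deliberate, to reach the library's argument validation; a one-line comment saying so would stop the next reader from "fixing" the range.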
diff --git a/projects/c-blosc/build.sh b/projects/c-blosc/build.sh index 4b1a5a6d332b..496c07fb627b 100755 --- a/projects/c-blosc/build.sh +++ b/projects/c-blosc/build.sh @@ -16,7 +16,9 @@ ################################################################################ # Build project -cmake . -DCMAKE_C_FLAGS="$CFLAGS" -DCMAKE_CXX_FLAGS="$CXXFLAGS" -DBUILD_FUZZERS=ON +cmake . -DCMAKE_C_FLAGS="$CFLAGS" -DCMAKE_CXX_FLAGS="$CXXFLAGS" \ + -DBUILD_FUZZERS=ON -DBUILD_TESTS=OFF -DBUILD_BENCHMARKS=OFF \ + -DBUILD_EXAMPLES=OFF -DBUILD_STATIC=ON -DBUILD_SHARED=OFF make clean make -j$(nproc) @@ -26,4 +28,4 @@ zip -j $OUT/decompress_fuzzer_seed_corpus.zip compat/*.cdata # Copy the fuzzer executables, zip-ed corpora, and dictionary files to $OUT find . -name '*_fuzzer' -exec cp -v '{}' $OUT ';' find . -name '*_fuzzer.dict' -exec cp -v '{}' $OUT ';' -find . -name '*_fuzzer_seed_corpus.zip' -exec cp -v '{}' $OUT ';' \ No newline at end of file +find . -name '*_fuzzer_seed_corpus.zip' -exec cp -v '{}' $OUT ';' diff --git a/projects/c-blosc2/build.sh b/projects/c-blosc2/build.sh index afe771daec3d..00c1050624ad 100755 --- a/projects/c-blosc2/build.sh +++ b/projects/c-blosc2/build.sh @@ -18,7 +18,9 @@ # Build project export LDSHARED=lld -cmake . -DCMAKE_C_FLAGS="$CFLAGS" -DCMAKE_CXX_FLAGS="$CXXFLAGS" -DBUILD_FUZZERS=ON +cmake . -DCMAKE_C_FLAGS="$CFLAGS" -DCMAKE_CXX_FLAGS="$CXXFLAGS" \ + -DBUILD_FUZZERS=ON -DBUILD_TESTS=OFF -DBUILD_BENCHMARKS=OFF \ + -DBUILD_EXAMPLES=OFF -DBUILD_STATIC=ON -DBUILD_SHARED=OFF make clean make -j$(nproc) diff --git a/projects/cgif/Dockerfile b/projects/cgif/Dockerfile new file mode 100644 index 000000000000..47221e16ba0d --- /dev/null +++ b/projects/cgif/Dockerfile 
@@ -0,0 +1,22 @@
+# Copyright 2023 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get install -y python3-pip zip
+RUN pip3 install meson ninja
+RUN git clone --depth 1 https://github.com/dloebl/cgif.git
+WORKDIR cgif
+COPY build.sh $SRC/
diff --git a/projects/cgif/build.sh b/projects/cgif/build.sh
new file mode 100644
index 000000000000..c20f15513652
--- /dev/null
+++ b/projects/cgif/build.sh
@@ -0,0 +1,29 @@
+#!/bin/bash -eu
+# Copyright 2023 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# build and install cgif
+meson setup -Dfuzzer=true --prefix=$WORK --libdir=lib --default-library=static build
+meson install -C build
+# run tests:
+# This is going to generate the seed corpus from all the tests
+meson test -C build
+
+cp "build/fuzz/cgif_fuzzer_seed_corpus.zip" $OUT/.
+
+# build cgif's fuzz target
+$CXX $CXXFLAGS -o "$OUT/cgif_fuzzer" -I"$WORK/include" \
+ $LIB_FUZZING_ENGINE fuzz/cgif_fuzzer.c "$WORK/lib/libcgif.a"
diff --git a/projects/cgif/project.yaml b/projects/cgif/project.yaml
new file mode 100644
index 000000000000..6d48d8f62351
--- /dev/null
+++ b/projects/cgif/project.yaml
@@ -0,0 +1,13 @@
+homepage: "https://github.com/dloebl/cgif"
+language: c
+primary_contact: "dloebl.2000@gmail.com"
+auto_ccs:
+ - "matthias.loebl@rwth-aachen.de"
+sanitizers:
+- address
+- undefined
+- memory
+architectures:
+ - x86_64
+ - i386
+main_repo: "https://github.com/dloebl/cgif.git"
diff --git a/projects/cmark/Dockerfile b/projects/cmark/Dockerfile
index 99d811250fa0..a03212977c84 100644
--- a/projects/cmark/Dockerfile
+++ b/projects/cmark/Dockerfile
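Review bot: `fuzz/cgif_fuzzer.c` is a C source compiled straight by `$CXX $CXXFLAGS`, so the target is built as C++ with the C++ flag set rather than as the C that upstream compiles and tests; the usual OSS-Fuzz shape is `$CC $CFLAGS -I"$WORK/include" -c fuzz/cgif_fuzzer.c -o cgif_fuzzer.o` followed by a `$CXX $CXXFLAGS cgif_fuzzer.o ... $LIB_FUZZING_ENGINE` link. `meson test -C build` is run only to produce the seed corpus, as the comment says, but with `-eu` a failing upstream test aborts the whole fuzzer build; if that coupling is intended a comment should say so, otherwise the corpus generation could be decoupled from the test result.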
@@ -15,7 +15,7 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN apt-get update && apt-get install -y make cmake +RUN apt-get update && apt-get install -y make cmake python3 RUN git clone --depth 1 https://github.com/commonmark/cmark.git cmark WORKDIR cmark COPY build.sh *.dict *.options $SRC/ diff --git a/projects/cmark/build.sh b/projects/cmark/build.sh index 627fa6c43f0f..b3e4ba696e75 100755 --- a/projects/cmark/build.sh +++ b/projects/cmark/build.sh @@ -17,22 +17,14 @@ make -j$(nproc) cmake_build -$CC $CFLAGS -Isrc -Ibuild/src -c $SRC/cmark/test/cmark-fuzz.c -o cmark_fuzzer.o +$CC $CFLAGS -Isrc -Ibuild/src -c test/cmark-fuzz.c -o cmark_fuzzer.o $CXX $CXXFLAGS $LIB_FUZZING_ENGINE cmark_fuzzer.o build/src/libcmark.a -o $OUT/cmark_fuzzer cp $SRC/*.options $OUT/ -cp $SRC/cmark/test/fuzzing_dictionary $OUT/cmark.dict +cp test/fuzzing_dictionary $OUT/cmark.dict mkdir -p corpus -cp $SRC/cmark/test/afl_test_cases/* corpus - -git clone --depth 1 https://github.com/michelf/mdtest.git mdtest -find mdtest/*.mdtest -type f -name '*.text' | while read in_file -do - # Genreate unique name for each input... - out_file=$(sha1sum "$in_file" | cut -c 1-32) - # ... and prepend a four-byte 'options' header - printf "\0\0\0\0" > "corpus/$out_file" - cat "$in_file" >> "corpus/$out_file" -done +python3 test/spec_tests.py --fuzz-corpus corpus --spec test/spec.txt +python3 test/spec_tests.py --fuzz-corpus corpus --spec test/regression.txt +python3 test/spec_tests.py --fuzz-corpus corpus --spec test/smart_punct.txt zip -j $OUT/cmark_fuzzer_seed_corpus.zip corpus/* diff --git a/projects/cras/build.sh b/projects/cras/build.sh index de1a48235a76..8049e845c6d2 100755 --- a/projects/cras/build.sh +++ b/projects/cras/build.sh 
@@ -22,29 +22,48 @@ # Expects /src/cras to contain a cras checkout. cd ${SRC}/adhd/cras -./git_prepare.sh -mkdir -p ${WORK}/build && cd ${WORK}/build + export CARGO_BUILD_TARGET="x86_64-unknown-linux-gnu" -CFLAGS="${CFLAGS}" ${SRC}/adhd/cras/configure --enable-fuzzer --disable-featured -make -C src common/cras_dbus_bindings.h -make -C src -j$(nproc) cras -cp ${WORK}/build/src/server/rust/target/${CARGO_BUILD_TARGET}/release/libcras_rust.a /usr/local/lib - -CRAS_FUZZERS="rclient_message cras_hfp_slc cras_fl_media_fuzzer" - -for fuzzer in ${CRAS_FUZZERS}; -do -$CXX $CXXFLAGS $FUZZER_LDFLAGS \ - ${SRC}/adhd/cras/src/fuzz/${fuzzer}.cc -o ${OUT}/${fuzzer} \ - -D HAVE_FUZZER=1 \ - -I ${SRC}/adhd/cras/src/server \ - -I ${SRC}/adhd/cras/src/common \ - $(pkg-config --cflags dbus-1) \ - ${WORK}/build/src/.libs/libcrasserver.a \ - -lcras_rust -lpthread -lrt -ludev -ldl -lm -lsystemd \ - $LIB_FUZZING_ENGINE \ - -Wl,-Bstatic -liniparser -lasound -lspeexdsp -ldbus-1 -lsbc -Wl,-Bdynamic -done +cargo build --release --manifest-path=src/server/rust/Cargo.toml --target-dir=${WORK}/cargo_out +cp ${WORK}/cargo_out/${CARGO_BUILD_TARGET}/release/libcras_rust.a /usr/local/lib + +# Set bazel options. 
+# See also: +# https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/bazel_build_fuzz_tests +# https://github.com/bazelbuild/rules_fuzzing/blob/master/fuzzing/private/oss_fuzz/repository.bzl +bazel_opts=( + "--verbose_failures" + "--curses=no" + "--spawn_strategy=standalone" + "--action_env=CC=${CC}" + "--action_env=CXX=${CXX}" + "--action_env=BAZEL_CONLYOPTS=${CFLAGS// /:}" + "--action_env=BAZEL_CXXOPTS=${CXXFLAGS// /:}" + "--action_env=BAZEL_LINKOPTS=${CXXFLAGS// /:}" + "-c" "opt" + "--cxxopt=-stdlib=libc++" + "--linkopt=-lc++" + "--//:fuzzer" + "--//:system_cras_rust" +) +if [[ "$SANITIZER" == "undefined" ]]; then + bazel_opts+=("--linkopt=-fsanitize-link-c++-runtime") +fi + +# Statlic linking hacks +export OSS_FUZZ_STATIC_PKG_CONFIG_DEPS=1 +bazel_opts+=("--linkopt=-lsystemd") + +# Print inferred @fuzz_engine +bazel cquery "${bazel_opts[@]}" --output=build @fuzz_engine//:fuzz_engine + +bazel run "${bazel_opts[@]}" //dist -- ${WORK}/build + +# Preserve historical names +mv ${WORK}/build/fuzzer/cras_rclient_message_fuzzer ${OUT}/rclient_message +mv ${WORK}/build/fuzzer/cras_hfp_slc_fuzzer ${OUT}/cras_hfp_slc + +mv ${WORK}/build/fuzzer/* ${OUT}/ zip -j ${OUT}/rclient_message_corpus.zip ${SRC}/adhd/cras/src/fuzz/corpus/* cp "${SRC}/adhd/cras/src/fuzz/cras_hfp_slc.dict" "${OUT}/cras_hfp_slc.dict" diff --git a/projects/croaring/build.sh b/projects/croaring/build.sh index 8fd0f7071553..dbcca4533ade 100755 --- a/projects/croaring/build.sh +++ b/projects/croaring/build.sh @@ -16,7 +16,7 @@ ################################################################################ mkdir build-dir && cd build-dir -cmake .. +cmake -DENABLE_ROARING_TESTS=OFF .. make -j$(nproc) 
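Review bot: The comment `# Statlic linking hacks` has a typo (`Static`) and does not say what the hack works around; `OSS_FUZZ_STATIC_PKG_CONFIG_DEPS=1` together with `--linkopt=-lsystemd` suggests systemd is not resolved by the Bazel toolchain's pkg-config handling, and a sentence saying that would spare the next maintainer the archaeology. The final `mv ${WORK}/build/fuzzer/* ${OUT}/` and the two rename lines above it are unquoted; `"${WORK}"`/`"${OUT}"` costs nothing. `libcras_rust.a` is produced by a plain `cargo build --release` and then linked into sanitizer-instrumented fuzzers, so the Rust side is presumably uninstrumented — a comment next to the `cp ... /usr/local/lib` line stating that limitation would keep it from being read as an oversight.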
@@ -27,4 +27,4 @@ $CC $CFLAGS $LIB_FUZZING_ENGINE fuzzer.o \ -o $OUT/croaring_fuzzer $SRC/croaring/build-dir/src/libroaring.a zip $OUT/croaring_fuzzer_seed_corpus.zip $SRC/croaring/tests/testdata/*bin -cp $SRC/croaring/tests/testdata/*bin $OUT/ \ No newline at end of file +cp $SRC/croaring/tests/testdata/*bin $OUT/ diff --git a/projects/crossplane/Dockerfile b/projects/crossplane/Dockerfile index 4068bb84c2ff..c6c0e7c967ea 100644 --- a/projects/crossplane/Dockerfile +++ b/projects/crossplane/Dockerfile @@ -15,7 +15,6 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder-go -RUN git clone --depth 1 https://github.com/crossplane/crossplane -RUN git clone --depth 1 https://github.com/cncf/cncf-fuzzing +RUN git clone --depth 1 https://github.com/crossplane/crossplane $SRC/crossplane COPY build.sh $SRC/ WORKDIR $SRC/crossplane diff --git a/projects/crossplane/build.sh b/projects/crossplane/build.sh index 5ac52ac61cb6..7048d83625a9 100644 --- a/projects/crossplane/build.sh +++ b/projects/crossplane/build.sh @@ -15,4 +15,4 @@ # ################################################################################ -$SRC/cncf-fuzzing/projects/crossplane/build.sh +$SRC/crossplane/test/fuzz/oss_fuzz_build.sh diff --git a/projects/crossplane/project.yaml b/projects/crossplane/project.yaml index 9e74eade22fa..e021e3713b17 100644 --- a/projects/crossplane/project.yaml +++ b/projects/crossplane/project.yaml @@ -5,6 +5,7 @@ auto_ccs : - "me@muvaf.com" - "nicc@rk0n.org" - "alper.oss.fuzz@gmail.com" + - "p.scorsolini@gmail.com" vendor_ccs : - "adam@adalogics.com" language: go diff --git a/projects/cryptofuzz/Dockerfile b/projects/cryptofuzz/Dockerfile index 0a792f61d5c3..88c6072ea90e 100644 --- a/projects/cryptofuzz/Dockerfile +++ b/projects/cryptofuzz/Dockerfile 
@@ -46,7 +46,6 @@ RUN git clone --depth 1 https://github.com/indutny/bn.js.git RUN git clone --depth 1 https://github.com/MikeMcl/bignumber.js.git RUN git clone --depth 1 https://github.com/guidovranken/libfuzzer-js.git RUN git clone --depth 1 https://github.com/brix/crypto-js.git -RUN git clone --depth 1 https://github.com/LoupVaillant/Monocypher.git RUN git clone --depth 1 https://github.com/trezor/trezor-firmware.git RUN git clone --depth 1 https://github.com/Cyan4973/xxHash.git RUN git clone --depth 1 https://github.com/paulmillr/noble-ed25519.git diff --git a/projects/cryptofuzz/build.sh b/projects/cryptofuzz/build.sh index e937f70d8101..d8956cc3d17e 100755 --- a/projects/cryptofuzz/build.sh +++ b/projects/cryptofuzz/build.sh @@ -142,17 +142,6 @@ then make -B fi -# Compile Monocypher -cd $SRC/Monocypher/ -make CC="$CC" CFLAGS="$CFLAGS" -export LIBMONOCYPHER_A_PATH=$(realpath lib/libmonocypher.a) -export MONOCYPHER_INCLUDE_PATH=$(realpath src/) -export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_MONOCYPHER" - -# Compile Cryptofuzz monocypher module -cd $SRC/cryptofuzz/modules/monocypher -make -B - # Rename blake2b_* functions to avoid symbol collisions with other libraries cd $SRC/trezor-firmware/crypto sed -i "s/\ /etc/apt/sources.list.d/networkradius-extras.list +RUN apt-get install -y gnupg +RUN apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys BE18FC5A41382202 +RUN apt-get update +RUN apt-get install -y libtalloc-dev libkqueue-dev libunwind-dev # OpenSSL 1.1 ARG OPENSSL_VERSION=1.1.1g @@ -33,5 +37,5 @@ ENV OPENSSL_ROOT_DIR=/usr/local/openssl-${OPENSSL_VERSION} RUN git clone --depth 1 https://github.com/FreeRADIUS/freeradius-server.git COPY build.sh $SRC -COPY patch.diff $SRC +# COPY patch.diff $SRC WORKDIR $SRC/freeradius-server diff --git a/projects/freeradius/build.sh b/projects/freeradius/build.sh index 209a0075d310..45d188195314 100755 --- a/projects/freeradius/build.sh +++ b/projects/freeradius/build.sh 
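Review bot: `# COPY patch.diff $SRC` is commented out rather than removed while patch.diff itself is deleted in this commit, so the line is dead; the same applies to the commented `# git apply --ignore-whitespace $SRC/patch.diff` in the freeradius build.sh hunk that follows. Commented-out commands tend to be resurrected later without the context of why they were disabled; if the patch may come back, a one-line comment naming the upstream change that made it unnecessary is more useful than the old command. Separately, the earlier hunk in this Dockerfile (whose start is cut off in this view) fetches the third-party repository key with `apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys BE18FC5A41382202`, i.e. by short key ID over an unauthenticated keyserver; shipping the key over https, checking its full fingerprint and scoping it to the repo with `signed-by=` would make the added package source verifiable.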
@@ -24,7 +24,7 @@ function copy_lib mkdir -p $OUT/lib -git apply --ignore-whitespace $SRC/patch.diff +# git apply --ignore-whitespace $SRC/patch.diff # build project ./configure --enable-fuzzer --enable-coverage --enable-address-sanitizer # make tries to compile regular programs as fuzz targets diff --git a/projects/freeradius/patch.diff b/projects/freeradius/patch.diff deleted file mode 100644 index 5436820d808f..000000000000 --- a/projects/freeradius/patch.diff +++ /dev/null 
@@ -1,64 +0,0 @@ -diff --git a/configure.ac b/configure.ac -index 56e9600..ad488e8 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -21,7 +21,7 @@ dnl # - dnl ############################################################# - - AC_PREREQ([2.59]) --export CFLAGS LIBS LDFLAGS CPPFLAGS -+#export CFLAGS LIBS LDFLAGS CPPFLAGS - - AC_INIT([freeradius],[$]Id[$],[http://bugs.freeradius.org],,[http://www.freeradius.org]) - AC_CONFIG_SRCDIR([src/bin/radiusd.c]) -@@ -185,7 +185,7 @@ dnl # -g3 so nice things like macro values are included. Other arguments are - dnl # added later when we know what compiler were using. - dnl # - if test "x$developer" = "xyes"; then -- : ${CFLAGS=-g3} -+ : ${CFLAGS="$CFLAGS -g3"} - fi - - dnl # - -diff --git a/src/bin/fuzzer.c b/src/bin/fuzzer.c -index 9c2eb50..82d6fd6 100644 ---- a/src/bin/fuzzer.c -+++ b/src/bin/fuzzer.c -@@ -125,7 +125,21 @@ int LLVMFuzzerInitialize(int *argc, char ***argv) - } - } - -- if (!dict_dir) dict_dir = DICTDIR; -+ int free_dict = 0; -+ int free_lib = 0; -+ if (!dict_dir) { -+ dict_dir = malloc(strlen((*argv)[0]) + 1); -+ memcpy(dict_dir, (*argv)[0], strlen((*argv)[0]) + 1); -+ snprintf(strrchr(dict_dir, '/'), 6, "/dict"); -+ free_dict = 1; -+ } -+ if (!lib_dir) { -+ lib_dir = malloc(strlen((*argv)[0]) + 1); -+ memcpy(lib_dir, (*argv)[0], strlen((*argv)[0]) + 1); -+ snprintf(strrchr(lib_dir, '/'), 5, "/lib"); -+ setenv("FR_LIBRARY_PATH", lib_dir, 1); -+ free_lib = 1; -+ } - - /* - * When jobs=N is specified the fuzzer spawns worker processes via -@@ -182,6 +196,13 @@ int LLVMFuzzerInitialize(int *argc, char ***argv) - - init = true; - -+ if (free_lib) { -+ free(lib_dir); -+ } -+ if (free_dict) { -+ free(dict_dir); -+ } -+ - return 1; - } - diff --git a/projects/gitoxide/Dockerfile b/projects/gitoxide/Dockerfile new file mode 100644 index 000000000000..30be15ad4c2f --- /dev/null +++ b/projects/gitoxide/Dockerfile 
@@ -0,0 +1,21 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-rust
+RUN git clone --depth 1 https://github.com/Byron/gitoxide.git gitoxide
+WORKDIR gitoxide
+RUN rustup component add rust-src
+COPY build.sh $SRC/
diff --git a/projects/gitoxide/build.sh b/projects/gitoxide/build.sh
new file mode 100755
index 000000000000..4addbe6a294d
--- /dev/null
+++ b/projects/gitoxide/build.sh
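Review bot: `WORKDIR gitoxide` and the clone target `gitoxide` are relative paths, so they land in `$SRC/gitoxide` only because the base image's working directory happens to be `$SRC`; the other project Dockerfiles on this page (crossplane, httpx) spell the location out, and `git clone --depth 1 https://github.com/Byron/gitoxide.git $SRC/gitoxide` with `WORKDIR $SRC/gitoxide` would match them and survive a change of the base image's default directory.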
@@ -0,0 +1,34 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+set -eox pipefail
+
+FUZZ_CRATE_DIRS=$(find . -type d -name fuzz -exec dirname $(readlink -f {}) \;)
+
+for CRATE_DIR in ${FUZZ_CRATE_DIRS[@]};
+do
+ echo "Building crate: $CRATE_DIR"
+ cd $CRATE_DIR
+ cargo +nightly fuzz build -O --debug-assertions
+ FUZZ_TARGET_OUTPUT_DIR=fuzz/target/x86_64-unknown-linux-gnu/release
+ for f in fuzz/fuzz_targets/*.rs
+ do
+ FUZZ_TARGET_NAME=$(basename ${f%.*})
+ CRATE_NAME=$(basename $CRATE_DIR)
+ cp $FUZZ_TARGET_OUTPUT_DIR/$FUZZ_TARGET_NAME $OUT/$CRATE_NAME-$FUZZ_TARGET_NAME
+ done
+done
diff --git a/projects/gitoxide/project.yaml b/projects/gitoxide/project.yaml
new file mode 100644
index 000000000000..a798c37742cc
--- /dev/null
+++ b/projects/gitoxide/project.yaml
@@ -0,0 +1,11 @@
+homepage: "https://crates.io/crates/gitoxide"
+language: rust
+primary_contact: "byronimo@gmail.com"
+auto_ccs:
+ - "nathaniel.brough@gmail.com"
+main_repo: "https://github.com/Byron/gitoxide"
+file_github_issue: true
+sanitizers:
+ - address
+fuzzing_engines:
+ - libfuzzer
diff --git a/projects/glib/project.yaml b/projects/glib/project.yaml
index 0df3abed7494..2671548d2057 100644
--- a/projects/glib/project.yaml
+++ b/projects/glib/project.yaml
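Review bot: `FUZZ_CRATE_DIRS=$(find . -type d -name fuzz -exec dirname $(readlink -f {}) \;)` expands the inner `$(readlink -f {})` before find runs, so find receives a literal path ending in `{}` and the line appears to work only because GNU find substitutes `{}` inside that argument; `find . -type d -name fuzz -exec dirname {} \;` with `readlink -f` applied to `$CRATE_DIR` inside the loop states the intent directly. The copy loop assumes every binary is named after its `fuzz/fuzz_targets/*.rs` file; a crate whose fuzz `Cargo.toml` gives a `[[bin]]` a different name makes the `cp` fail and, under `-e`, abort the whole build, so that assumption deserves a comment next to the inner `for`. `set -eox pipefail` also switches on `-x` tracing for the entire build log, which looks unintended next to the `echo "Building crate: $CRATE_DIR"` progress line.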
@@ -7,6 +7,7 @@ auto_ccs: - iain@orangesquash.org.uk - slomo@coaxion.net - trevi55@gmail.com +- mcatanza@redhat.com sanitizers: - address - undefined diff --git a/projects/gson/Dockerfile b/projects/gson/Dockerfile index 51d96a90007a..611265446e3f 100644 --- a/projects/gson/Dockerfile +++ b/projects/gson/Dockerfile @@ -15,7 +15,7 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder-jvm -RUN apt-get update && apt-get install -y make autoconf automake libtool wget +RUN apt-get update && apt-get install -y make autoconf automake libtool wget openjdk-17-jdk RUN curl -L https://downloads.apache.org/maven/maven-3/3.8.7/binaries/apache-maven-3.8.7-bin.zip -o maven.zip && \ unzip maven.zip -d $SRC/maven && \ diff --git a/projects/gson/build.sh b/projects/gson/build.sh index 1bf765cdb5b6..46fa7b924c22 100755 --- a/projects/gson/build.sh +++ b/projects/gson/build.sh @@ -15,6 +15,10 @@ # ################################################################################ +export JAVA_HOME="$OUT/open-jdk-17" +mkdir -p $JAVA_HOME +rsync -aL --exclude=*.zip "/usr/lib/jvm/java-17-openjdk-amd64/" "$JAVA_HOME" + # Skip ProGuard because it is only needed for tests (which are skipped as well) and # because it would fail since `jmods` JDK folder is removed from this Docker image MAVEN_ARGS="-DskipTests -Dproguard.skip" @@ -42,7 +46,8 @@ if [[ \"\$@\" =~ (^| )-runs=[0-9]+($| ) ]]; then else mem_settings='-Xmx2048m:-Xss1024k' fi -LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \ +JAVA_HOME=\"\$this_dir/open-jdk-17/\" \ +LD_LIBRARY_PATH=\"\$this_dir/open-jdk-17/lib/server\":\$this_dir \ \$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \ --cp=$RUNTIME_CLASSPATH \ --target_class=$fuzzer_basename \ diff --git a/projects/hdf5/build.sh b/projects/hdf5/build.sh index 95bb2e7df51b..4ad5937bd134 100755 --- a/projects/hdf5/build.sh +++ b/projects/hdf5/build.sh 
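Review bot: `rsync -aL --exclude=*.zip "/usr/lib/jvm/java-17-openjdk-amd64/" "$JAVA_HOME"` leaves the `*.zip` pattern unquoted, so the shell may expand it against the working directory before rsync sees it; `--exclude='*.zip'` is the safe form. The source directory is architecture-specific and the name `open-jdk-17` is repeated by hand in the wrapper of the second hunk (`\$this_dir/open-jdk-17/`), so a short comment explaining why a private JDK copy is shipped in `$OUT`, plus one variable for the directory name used in both hunks, would keep the two from drifting apart.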
@@ -24,9 +24,10 @@ cd build-dir cmake -G "Unix Makefiles" \ -DCMAKE_BUILD_TYPE:STRING=Release \ -DBUILD_SHARED_LIBS:BOOL=OFF \ - -DBUILD_TESTING:BOOL=ON \ - -DHDF5_BUILD_TOOLS:BOOL=ON \ + -DBUILD_TESTING:BOOL=OFF \ -DCMAKE_VERBOSE_MAKEFILES:BOOL=ON \ + -DHDF5_BUILD_EXAMPLES:BOOL=OFF \ + -DHDF5_BUILD_TOOLS:BOOL=OFF \ -DHDF5_ENABLE_SANITIZERS:BOOL=ON \ -DHDF5_ENABLE_Z_LIB_SUPPORT:BOOL=ON \ .. @@ -36,6 +37,5 @@ cmake --build . --verbose --config Release -j$(nproc) cd $SRC/hdf5 $CC $CXXFLAGS $LIB_FUZZING_ENGINE -std=c99 \ - -I/src/hdf5/tools/lib -I/src/hdf5/src -I/src/hdf5/build-dir/src \ - -I./tools/src/h5repack -I./src/H5FDsubfiling/ \ + -I/src/hdf5/src -I/src/hdf5/build-dir/src -I./src/H5FDsubfiling/ \ $SRC/h5_read_fuzzer.c ./build-dir/bin/libhdf5.a -lz -o $OUT/h5_read_fuzzer diff --git a/projects/hermes/Dockerfile b/projects/hermes/Dockerfile index fc1c029b3eed..5afbe11fa179 100644 --- a/projects/hermes/Dockerfile +++ b/projects/hermes/Dockerfile 
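Review bot: The rewritten include line mixes the literal prefix `/src/hdf5` with `$SRC` on the same command (`-I/src/hdf5/src -I/src/hdf5/build-dir/src … $SRC/h5_read_fuzzer.c`), so a build with a different `$SRC` would compile the harness against headers from the wrong tree; `-I$SRC/hdf5/src -I$SRC/hdf5/build-dir/src` keeps everything relative to one root. The `-I./src/H5FDsubfiling/` entry depends on the `cd $SRC/hdf5` above the hunk, which is fine but reads inconsistently beside the absolute ones.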
@@ -17,16 +17,39 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && \ apt-get install -y make autoconf automake libtool wget \ - python zip libreadline-dev libatomic-ops-dev + python3 zip libreadline-dev libatomic-ops-dev + +# Building ninja requires PEP 517. +RUN pip3 install "pip>=22.3.1" RUN pip3 install meson ninja RUN ln -s /usr/local/bin/ninja /usr/bin/ninja +# Add JS dictionaries +RUN git clone --depth 1 https://github.com/chromium/chromium && \ + cat chromium/testing/libfuzzer/fuzzers/dicts/javascript_parser_proto.dict > $SRC/hermes.dict && \ + cat chromium/testing/libfuzzer/fuzzers/dicts/generated/javascript.dict >> $SRC/hermes.dict + RUN wget https://github.com/unicode-org/icu/archive/refs/tags/cldr/2021-08-25.tar.gz && \ tar xzvf ./2021-08-25.tar.gz && \ mv ./icu-cldr-2021-08-25/icu4c $SRC/icu RUN git clone https://github.com/facebook/hermes.git + +# Add tests from project directory as seed corpus. +RUN find hermes/test -iname '*.js' | zip -@ -q $SRC/hermes_seed_corpus.zip + +# Add tests from test262 as seed corpus +RUN git clone --depth 1 https://github.com/tc39/test262 && \ + find test262/test -iname '*.js' | zip -@ -q $SRC/hermes_seed_corpus.zip + +# Add V8 PoCs as seed corpus. +COPY filter-corpus.py $SRC/ +RUN git clone --depth 1 https://github.com/Zon8Research/v8-vulnerabilities && \ + python filter-corpus.py && \ + find v8-vulnerabilities/pocs -iname '*.js' | zip -@ -q $SRC/hermes_seed_corpus.zip +RUN rm $SRC/filter-corpus.py + WORKDIR $SRC COPY build.sh $SRC/ # This is to fix Fuzz Introspector build by using LLVM old pass manager diff --git a/projects/hermes/build.sh b/projects/hermes/build.sh index 14f75342c0b7..34cc4f22965d 100755 --- a/projects/hermes/build.sh +++ b/projects/hermes/build.sh 
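Review bot: The apt line now installs `python3` instead of `python`, yet the new corpus step runs `python filter-corpus.py`; unless the base image provides a `python` binary that step fails, so `python3 $SRC/filter-corpus.py` is the safe spelling. Cloning all of `chromium` with `--depth 1` to obtain two dictionary files is very heavy for an image build; fetching only `testing/libfuzzer/fuzzers/dicts/javascript_parser_proto.dict` and `testing/libfuzzer/fuzzers/dicts/generated/javascript.dict` (sparse checkout, or retrieving the two files directly from the same repository) yields the same `$SRC/hermes.dict`. None of the added clones are pinned to a commit, so the dictionary, test262 and v8-vulnerabilities inputs change silently between builds; a comment saying that floating seed sources are intentional would help the next reader.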
@@ -15,6 +15,12 @@ # ################################################################################ +# Copy seed corpora +mv $SRC/hermes_seed_corpus.zip $OUT + +# Copy dictionary file +mv $SRC/hermes.dict $OUT + # build ICU for linking statically. cd $SRC/icu/source ./configure --disable-shared --enable-static --disable-layoutex \ diff --git a/projects/hermes/filter-corpus.py b/projects/hermes/filter-corpus.py new file mode 100644 index 000000000000..294004a8efbc --- /dev/null +++ b/projects/hermes/filter-corpus.py 
@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+from pathlib import Path
+import re
+
+excluded_CVEs_or_CRBugs = [
+ 'CR410030',
+ 'CR445267',
+]
+
+keywords_to_exclude = [
+ 'WebAssembly',
+ 'Worker',
+]
+
+# v8 runtime functions regex - https://chromium.googlesource.com/v8/v8/+/refs/heads/main/src/runtime/runtime.h
+v8_runtime_function_pattern = r"%\w+\("
+
+if __name__ == '__main__':
+ v8_pocs_dir = Path('./v8-vulnerabilities/pocs')
+ v8_pocs = [x for x in v8_pocs_dir.glob('**/*.js') if v8_pocs_dir.is_dir()]
+ for poc in v8_pocs:
+ try:
+ # Exclude specific CVEs or CR bugs
+ if any(f"{id}.js" in str(poc) for id in excluded_CVEs_or_CRBugs):
+ print(f"Removed: {poc}")
+ poc.unlink()
+ continue
+
+ poc_code = poc.open().read()
+
+ # Exclude JIT bugs and other bugs using v8 runtime functions
+ if re.search(v8_runtime_function_pattern, poc_code):
+ print(f"Removed: {poc}")
+ poc.unlink()
+ continue
+
+ # Exclude bugs with features Hermes does not support
+ for keyword in keywords_to_exclude:
+ if keyword in poc_code:
+ print(f"Removed: {poc}")
+ poc.unlink()
+ break
+
+ except UnicodeDecodeError:
+ # The PoC was likely generated by a fuzzer mutating at the byte level which we can exclude from the corpus
+ pass
diff --git a/projects/hermes/project.yaml b/projects/hermes/project.yaml
index 4e0c2e982a7c..5b8b25b076ac 100644
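Review bot: The `except UnicodeDecodeError` branch keeps the PoC although its comment says byte-level fuzzer outputs are something "we can exclude from the corpus"; as written the file stays on disk and is zipped into the seed corpus by the following `find … | zip` step in the Dockerfile. Either the comment should say the file is kept, or the branch should `print(f"Removed: {poc}")` and `poc.unlink()` like the other exclusions. `poc_code = poc.open().read()` also leaves the handle to the garbage collector and decodes with the locale encoding, so whether a PoC is excluded depends on the build environment; `poc_code = poc.read_text(encoding='utf-8')` closes the file and fixes the decoding. Minor: `id` in the `any(...)` generator shadows the builtin, and the `if v8_pocs_dir.is_dir()` guard inside the comprehension is re-evaluated per element while `glob` on a missing directory already yields nothing.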
--- a/projects/hermes/project.yaml +++ b/projects/hermes/project.yaml @@ -8,11 +8,14 @@ auto_ccs: - "avp@fb.com" - "jsx@fb.com" - "luigiconiglio@fb.com" + - "edq@fb.com" vendor_ccs: - "oss-fuzz@fb.com" fuzzing_engines: - libfuzzer - afl + - honggfuzz + - centipede sanitizers: - address - undefined diff --git a/projects/hiredis/build.sh b/projects/hiredis/build.sh index 72888bedc225..66c479da5e39 100755 --- a/projects/hiredis/build.sh +++ b/projects/hiredis/build.sh @@ -15,7 +15,7 @@ # ################################################################################ -make USE_SSL=0 +make USE_SSL=0 static mv fuzzing/format_command_fuzzer.c . $CC $CFLAGS -std=c99 -pedantic -c -O3 -fPIC \ diff --git a/projects/html5lib-python/Dockerfile b/projects/html5lib-python/Dockerfile new file mode 100644 index 000000000000..78ad236096c9 --- /dev/null +++ b/projects/html5lib-python/Dockerfile @@ -0,0 +1,18 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM gcr.io/oss-fuzz-base/base-builder-python +RUN git clone https://github.com/html5lib/html5lib-python html5lib-python +COPY *.sh *py $SRC/ +WORKDIR $SRC/html5lib-python diff --git a/projects/html5lib-python/build.sh b/projects/html5lib-python/build.sh new file mode 100644 index 000000000000..0f26fbc3c229 --- /dev/null +++ b/projects/html5lib-python/build.sh 
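Review bot: The first line `#!/usr/bin/python3` is a Python shebang in a Dockerfile; Docker reads it as a comment, but it signals a copy-paste from a Python template and should be removed here and in projects/httpx/Dockerfile, which carries the same line. `COPY *.sh *py $SRC/` relies on the `*py` glob, where `*.py` matches the intent and avoids copying any other file whose name ends in `py`. The `git clone` also lacks `--depth 1` unlike the other new projects on this page; a shallow clone is all a build image needs.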
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+pip3 install .
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+ compile_python_fuzzer $fuzzer
+done
diff --git a/projects/html5lib-python/fuzz_parse.py b/projects/html5lib-python/fuzz_parse.py
new file mode 100644
index 000000000000..47a0008c4543
--- /dev/null
+++ b/projects/html5lib-python/fuzz_parse.py
@@ -0,0 +1,32 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import sys
+import atheris
+import html5lib
+
+
+def TestOneInput(data):
+ fdp = atheris.FuzzedDataProvider(data)
+ html5lib.parse(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize))
+
+
+def main():
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
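Review bot: `for fuzzer in $(find $SRC -name 'fuzz_*.py')` walks all of `$SRC`, including the freshly cloned upstream checkout, so any `fuzz_*.py` the upstream project ever ships would be compiled as an OSS-Fuzz target too; `for fuzzer in $SRC/fuzz_*.py` limits the loop to the harnesses copied in by the Dockerfile. The identical loop is in projects/httpx/build.sh.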
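Review bot: `TestOneInput` spends the whole input on one `html5lib.parse` call with default options, so the fragment parser and the alternative tree builders are never reached; drawing one small value from `fdp` before the text and dispatching between `html5lib.parse` and `html5lib.parseFragment` on it would cover more of the parser at no cost. Letting every exception propagate is the right choice for a parser that is documented not to raise, but that intent is worth a one-line comment above the call, e.g. `# html5lib is expected to accept any input; any exception is a finding.`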
diff --git a/projects/html5lib-python/project.yaml b/projects/html5lib-python/project.yaml new file mode 100644 index 000000000000..2754585f4627 --- /dev/null +++ b/projects/html5lib-python/project.yaml @@ -0,0 +1,10 @@ +homepage: https://github.com/html5lib/html5lib-python +main_repo: https://github.com/html5lib/html5lib-python +language: python +fuzzing_engines: +- libfuzzer +sanitizers: +- address +- undefined +vendor_ccs: +- david@adalogics.com diff --git a/projects/htmlunit/patch-disable-pgp.diff b/projects/htmlunit/patch-disable-pgp.diff index a9ea61e1f429..2660b9b036bd 100644 --- a/projects/htmlunit/patch-disable-pgp.diff +++ b/projects/htmlunit/patch-disable-pgp.diff @@ -20,7 +20,7 @@ index 03c5306e90..9d1466b531 100644 check @@ -253,6 +254,7 @@ - 1.16.0 + 1.17.0 + none diff --git a/projects/http-parser/build.sh b/projects/http-parser/build.sh index dcd2ac2e6137..97fb22f40792 100755 --- a/projects/http-parser/build.sh +++ b/projects/http-parser/build.sh @@ -16,7 +16,7 @@ ################################################################################ cd http-parser -make +make http_parser.o $CC $CFLAGS -I. -DHTTP_PARSER_STRICT=0 -Wall -Wextra -Werror -c fuzzers/fuzz_parser.c -o fuzz_parser.o $CXX $CXXFLAGS $LIB_FUZZING_ENGINE -Wall -Wextra -Werror http_parser.o fuzz_parser.o -o $OUT/fuzz_parser diff --git a/projects/httpx/Dockerfile b/projects/httpx/Dockerfile new file mode 100644 index 000000000000..bfad04f4bd70 --- /dev/null +++ b/projects/httpx/Dockerfile 
@@ -0,0 +1,18 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN git clone https://github.com/encode/httpx httpx
+COPY *.sh *py $SRC/
+WORKDIR $SRC/httpx
diff --git a/projects/httpx/build.sh b/projects/httpx/build.sh
new file mode 100644
index 000000000000..0f26fbc3c229
--- /dev/null
+++ b/projects/httpx/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+pip3 install .
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+ compile_python_fuzzer $fuzzer
+done
diff --git a/projects/httpx/fuzz_api.py b/projects/httpx/fuzz_api.py
new file mode 100644
index 000000000000..cc2db4afda65
--- /dev/null
+++ b/projects/httpx/fuzz_api.py
@@ -0,0 +1,70 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import sys
+import atheris
+import httpx
+import time
+import socket
+import threading
+
+
+fuzzed_input = b""
+
+# somehow ugly as fuzzing cannot be run in parallel
+def SetFuzzedInput(input_bytes):
+ global fuzzed_input
+ fuzzed_input = input_bytes
+
+class ServerThread(threading.Thread):
+ def __init__(self):
+ self.s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ self.s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+ self.s.bind(("127.0.0.1", 8001))
+ self.s.listen(1)
+
+ threading.Thread.__init__(self)
+
+ def run(self):
+ global fuzzed_input
+ conn, addr = self.s.accept()
+ conn.recv(1024)
+ conn.send(fuzzed_input)
+ time.sleep(0.005)
+ conn.close()
+ self.s.shutdown(1)
+ self.s.close()
+ time.sleep(0.01)
+
+
+def TestOneInput(data):
+ t1 = ServerThread()
+ # Launch threads
+ t1.start()
+ SetFuzzedInput(data)
+ try:
+ httpx.get('http://127.0.0.1:8001/')
+ except httpx.RemoteProtocolError:
+ pass
+ t1.join()
+
+
+def main():
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/projects/httpx/fuzz_decoders.py b/projects/httpx/fuzz_decoders.py
new file mode 100644
index 000000000000..f3c08799a045
--- /dev/null
+++ b/projects/httpx/fuzz_decoders.py
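Review bot: `ServerThread.__init__` binds the fixed port 8001, which is what the "cannot be run in parallel" comment refers to and why a second fuzzer worker on the same host fails at `bind`; binding port 0 and reading back the assigned port removes the constraint — `self.s.bind(("127.0.0.1", 0))`, `self.port = self.s.getsockname()[1]`, and `httpx.get(f'http://127.0.0.1:{t1.port}/')` in `TestOneInput`. Only `httpx.RemoteProtocolError` is caught, but a fuzzed response can raise other httpx errors (for example `httpx.DecodingError` when the fuzzed headers declare a content encoding the body does not satisfy), and any such exception skips `t1.join()` and leaves the server thread and its listening socket behind; catching the documented base class `httpx.HTTPError` and moving `t1.join()` into a `finally` keeps the harness stable. `conn.send(fuzzed_input)` may transmit only part of a large input where `conn.sendall` is intended, and the two `time.sleep` calls cap throughput at well under a hundred executions per second.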
@@ -0,0 +1,41 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import sys
+import atheris
+import httpx
+from httpx._decoders import ByteChunker, LineDecoder, TextChunker, TextDecoder
+
+
+def TestOneInput(data):
+ fdp = atheris.FuzzedDataProvider(data)
+
+ ByteChunker(chunk_size=fdp.ConsumeIntInRange(1, 100)).decode(
+ fdp.ConsumeBytes(sys.maxsize)
+ )
+ LineDecoder().decode(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize))
+ TextChunker(chunk_size=fdp.ConsumeIntInRange(1, 100)).decode(
+ fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)
+ )
+ TextDecoder().decode(fdp.ConsumeBytes(sys.maxsize))
+
+
+def main():
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/projects/httpx/fuzz_url.py b/projects/httpx/fuzz_url.py
new file mode 100644
index 000000000000..e0e95b7932a2
--- /dev/null
+++ b/projects/httpx/fuzz_url.py
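Review bot: `ByteChunker(...).decode(fdp.ConsumeBytes(sys.maxsize))` drains the remaining input, so `LineDecoder`, `TextChunker` and `TextDecoder` below it only ever receive an empty string or `b""` (and a `chunk_size` of 1, the range minimum); three of the four decoders are effectively untested. Give each call a bounded slice — `fdp.ConsumeBytes(fdp.ConsumeIntInRange(0, 4096))`, and the same with `ConsumeUnicodeNoSurrogates` — or reserve `sys.maxsize` for the last decoder only. Each decoder also exposes a `flush()` for the end-of-stream path that the harness never reaches; calling it after `decode` exercises the buffered-tail handling. The harness imports the private module `httpx._decoders`, so an upstream rename breaks the build; a comment naming the httpx version it was written against, and the unused `import httpx`, are worth a look.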
@@ -0,0 +1,35 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import sys
+import atheris
+import httpx
+
+
+def TestOneInput(data):
+ fdp = atheris.FuzzedDataProvider(data)
+ try:
+ httpx._urlparse.urlparse(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize))
+ except httpx._exceptions.InvalidURL:
+ pass
+
+
+def main():
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/projects/httpx/project.yaml b/projects/httpx/project.yaml
new file mode 100644
index 000000000000..5f5f44015b55
--- /dev/null
+++ b/projects/httpx/project.yaml
@@ -0,0 +1,10 @@
+homepage: https://github.com/encode/httpx
+main_repo: https://github.com/encode/httpx
+language: python
+fuzzing_engines:
+- libfuzzer
+sanitizers:
+- address
+- undefined
+vendor_ccs:
+- david@adalogics.com
diff --git a/projects/imageio/build.sh b/projects/imageio/build.sh
index 8bf0fe5ab2db..b0a4116dbbd3 100644
--- a/projects/imageio/build.sh
+++ b/projects/imageio/build.sh
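Review bot: The harness calls the private `httpx._urlparse.urlparse` and catches the private `httpx._exceptions.InvalidURL`, while the public `httpx.URL(...)` constructor and `httpx.InvalidURL` reach the same parser; using the public names keeps the target compiling across httpx refactors. If the lower-level function is deliberately chosen for coverage, a comment saying so — and catching the public `httpx.InvalidURL`, which is the same class — would make that intent clear.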
@@ -19,15 +19,5 @@ python3 setup.py build install # Build fuzzers in $OUT. for fuzzer in $(find . -name 'fuzz_*.py'); do - fuzzer_basename=$(basename -s .py $fuzzer) - fuzzer_package=${fuzzer_basename}.pkg - pyinstaller --distpath $OUT --onefile --name $fuzzer_package $fuzzer - - # Create execution wrapper. - echo "#!/bin/sh -# LLVMFuzzerTestOneInput for fuzzer detection. -this_dir=\$(dirname \"\$0\") -ASAN_OPTIONS=\$ASAN_OPTIONS:symbolize=1:external_symbolizer_path=\$this_dir/llvm-symbolizer:detect_leaks=0 \ -\$this_dir/$fuzzer_package \$@" > $OUT/$fuzzer_basename - chmod +x $OUT/$fuzzer_basename + compile_python_fuzzer $fuzzer done diff --git a/projects/itext7/.gitignore b/projects/itext7/.gitignore new file mode 100644 index 000000000000..2a6c4585fde6 --- /dev/null +++ b/projects/itext7/.gitignore @@ -0,0 +1,4 @@ +project-parent/itext7 +project-parent/fuzz-targets/target +project-parent/fuzz-targets/src/test/resources +project-parent/fuzz-targets/pom.xml.versionsBackup \ No newline at end of file diff --git a/projects/itext7/Dockerfile b/projects/itext7/Dockerfile new file mode 100644 index 000000000000..8658e5c91b14 --- /dev/null +++ b/projects/itext7/Dockerfile 
@@ -0,0 +1,37 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-jvm
+
+RUN curl -L https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.zip -o maven.zip && \
+ unzip maven.zip -d $SRC/maven && \
+ rm -rf maven.zip
+
+ENV MVN $SRC/maven/apache-maven-3.6.3/bin/mvn
+
+RUN git clone --depth 1 https://github.com/google/fuzzing
+RUN cp fuzzing/dictionaries/pdf.dict $SRC/PdfFuzzer.dict
+
+RUN git clone --depth 1 https://github.com/strongcourage/fuzzing-corpus.git && \
+ zip -q -r -j $SRC/PdfFuzzer_seed_corpus.zip fuzzing-corpus/pdf/*
+
+COPY project-parent $SRC/project-parent/
+
+RUN rm -rf $SRC/project-parent/itext7
+RUN git clone --depth 1 https://github.com/itext/itext7 $SRC/project-parent/itext7
+
+COPY build.sh $SRC/
+WORKDIR $SRC/
\ No newline at end of file
diff --git a/projects/itext7/build.sh b/projects/itext7/build.sh
new file mode 100755
index 000000000000..08dd8bd8ba6b
--- /dev/null
+++ b/projects/itext7/build.sh
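Review bot: `curl -L https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.zip -o maven.zip` is unzipped with no integrity check, so the build tool is trusted on the download URL alone; verifying the archive against the published SHA-512 (`sha512sum -c`) before `unzip` closes that gap, and since the gson Dockerfile in this same commit pulls Maven 3.8.7, one version for both would be consistent. The header reads `Copyright 2021 Google LLC` while the other files added by this commit say 2023. The dictionary and seed corpus come from unpinned `--depth 1` clones of third-party repositories, which is acceptable for seeds but deserves a comment since their content ends up in `$OUT`.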
@@ -0,0 +1,82 @@
+#!/bin/bash -eu
+# Copyright 2021 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+PROJECT=itext7
+PROJECT_GROUP_ID=com.itextpdf
+PROJECT_ARTIFACT_ID=kernel
+MAIN_REPOSITORY=https://github.com/itext/itext7
+
+function set_project_version_in_fuzz_targets_dependency {
+ PROJECT_VERSION=$(cd $PROJECT && $MVN org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
+ # set dependency project version in fuzz-targets
+ (cd fuzz-targets && $MVN versions:use-dep-version -Dincludes=$PROJECT_GROUP_ID:$PROJECT_ARTIFACT_ID -DdepVersion=$PROJECT_VERSION -DforceVersion=true)
+}
+
+cd project-parent
+
+# LOCAL_DEV env variable need to be set in local development env
+if [[ -v LOCAL_DEV ]]; then
+ MVN=mvn
+
+ # checkout latest project version
+ git -C $PROJECT pull || git clone $MAIN_REPOSITORY $PROJECT
+
+ set_project_version_in_fuzz_targets_dependency
+
+ #install
+ mvn -pl $PROJECT install -DskipTests
+ mvn -pl $PROJECT/kernel install -DskipTests #only build kernel subproject (root is useless)
+ mvn -pl fuzz-targets install
+
+else
+ # Move seed corpus and dictionary.
+ mv $SRC/{*.zip,*.dict} $OUT
+
+ set_project_version_in_fuzz_targets_dependency
+
+ #install
+ $MVN -pl $PROJECT install -DskipTests -Dmaven.repo.local=$OUT/m2
+ $MVN -pl $PROJECT/kernel install -DskipTests -Dmaven.repo.local=$OUT/m2
+ $MVN -pl fuzz-targets install -Dmaven.repo.local=$OUT/m2
+
+ # build classpath
+ $MVN -pl fuzz-targets dependency:build-classpath -Dmdep.outputFile=cp.txt -Dmaven.repo.local=$OUT/m2
+ cp -r $SRC/project-parent/fuzz-targets/target/test-classes/ $OUT/test-classes
+ # RUNTIME_CLASSPATH="$(cat fuzz-targets/cp.txt):$OUT/test-classes"
+ RUNTIME_CLASSPATH_ABSOLUTE="$(cat fuzz-targets/cp.txt):$OUT/test-classes"
+ RUNTIME_CLASSPATH_RELATIVE=$(echo $RUNTIME_CLASSPATH_ABSOLUTE | sed "s|$OUT|.|g")
+
+ for fuzzer in $(find $SRC/project-parent -name '*Fuzzer.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+
+ # Create an execution wrapper for every fuzztarget
+ echo "#!/bin/bash
+ # LLVMFuzzerTestOneInput comment for fuzzer detection by infrastructure.
+ if [[ \"\$@\" =~ (^| )-runs=[0-9]+($| ) ]]; then
+ mem_settings='-Xmx1900m -Xss900k'
+ else
+ mem_settings='-Xmx2048m -Xss1024k'
+ fi
+ java -cp $RUNTIME_CLASSPATH_RELATIVE \
+ \$mem_settings \
+ com.code_intelligence.jazzer.Jazzer \
+ --target_class=com.example.$fuzzer_basename \
+ \$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+ done
+
+fi
\ No newline at end of file
diff --git a/projects/itext7/project-parent/fuzz-targets/pom.xml b/projects/itext7/project-parent/fuzz-targets/pom.xml
new file mode 100644
index 000000000000..323c9a4731dc
--- /dev/null
+++ b/projects/itext7/project-parent/fuzz-targets/pom.xml
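Review bot: The generated wrapper passes `-cp $RUNTIME_CLASSPATH_RELATIVE`, whose entries begin with `./` after the `sed "s|$OUT|.|g"` rewrite, but it never changes into its own directory, so it only works when invoked from `$OUT`; the gson wrapper in this same commit resolves paths through `this_dir`, and adding `cd \"\$(dirname \"\$0\")\"` before the `java` line (or prefixing each classpath entry with `\$this_dir`) makes the wrapper location-independent. `# RUNTIME_CLASSPATH="$(cat fuzz-targets/cp.txt):$OUT/test-classes"` is commented-out code and should go, and the trailing `\$@` in the `java` line is unquoted, so an argument containing spaces is split. The `Copyright 2021 Google Inc.` header also differs from the 2023 headers of the other new files in this commit.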
@@ -0,0 +1,55 @@ + + + + 4.0.0 + com.fuzzer + fuzz-targets + 0.0.1-SNAPSHOT + fuzz + fuzz + + + 11 + 11 + 11 + + + + + + com.code-intelligence + jazzer-junit + 0.13.0 + + + + org.junit.jupiter + junit-jupiter-engine + 5.9.0 + test + + + + com.itextpdf + kernel + 8.0.0-SNAPSHOT + + + + + + + + maven-surefire-plugin + 2.22.2 + + + + + ${project.basedir}/src/test/resources + + + + + \ No newline at end of file diff --git a/projects/itext7/project-parent/fuzz-targets/src/test/java/com/example/PdfFuzzer.java b/projects/itext7/project-parent/fuzz-targets/src/test/java/com/example/PdfFuzzer.java new file mode 100644 index 000000000000..fdc3fd5efb38 --- /dev/null +++ b/projects/itext7/project-parent/fuzz-targets/src/test/java/com/example/PdfFuzzer.java 
@@ -0,0 +1,44 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+package com.example;
+
+import java.io.*;
+import java.nio.charset.StandardCharsets;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+import com.itextpdf.kernel.pdf.PdfReader;
+import com.itextpdf.kernel.pdf.PdfDocument;
+import com.itextpdf.io.exceptions.*;
+
+public class PdfFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ try {
+ InputStream stream = new ByteArrayInputStream(data.consumeRemainingAsString().getBytes(StandardCharsets.UTF_8));
+ PdfReader reader = new PdfReader(stream);
+ PdfDocument pdfDoc = new PdfDocument(reader);
+ }
+
+ /*
+ Catching multiple exceptions and errors in order to allow fuzzing to continue to the most intresting findings.
+ As of this commit, libfuzzer is triggering com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow in local testing.
+ Once that issue is addressed, further testing can be performed by a removing some of these caught exceptions
+ and errors. In particular, the java.lang.AssertionError may be a bug that should be addressed.
+ */
+ catch (java.io.IOException | com.itextpdf.io.exceptions.IOException | com.itextpdf.kernel.exceptions.PdfException
+ | java.lang.AssertionError | java.lang.ClassCastException | java.lang.StringIndexOutOfBoundsException e) { }
+ }
+}
\ No newline at end of file
diff --git a/projects/itext7/project-parent/fuzz-targets/src/test/resources/junit-platform.properties b/projects/itext7/project-parent/fuzz-targets/src/test/resources/junit-platform.properties
new file mode 100644
index 000000000000..2ee55286ae2e
--- /dev/null
+++ b/projects/itext7/project-parent/fuzz-targets/src/test/resources/junit-platform.properties
@@ -0,0 +1 @@
+jazzer.instrument=com.example.**,com.other.package.**,org.jsoup.**
\ No newline at end of file
diff --git a/projects/itext7/project-parent/pom.xml b/projects/itext7/project-parent/pom.xml
new file mode 100644
index 000000000000..d2db36e90bb5
--- /dev/null
+++ b/projects/itext7/project-parent/pom.xml
@@ -0,0 +1,16 @@
+ + + 4.0.0 + + com.fuzzer + project-parent + 0.1.0 + pom + + + itext7 + fuzz-targets + + +
\ No newline at end of file
diff --git a/projects/itext7/project.yaml b/projects/itext7/project.yaml
new file mode 100644
index 000000000000..68d5d08024a2
--- /dev/null
+++ b/projects/itext7/project.yaml
@@ -0,0 +1,10 @@
+homepage: "https://itextpdf.com/products/itext-7"
+language: jvm
+fuzzing_engines:
+ - libfuzzer
+main_repo: "https://github.com/itext/itext7"
+sanitizers:
+ - address
+vendor_ccs:
+ - "bug-disclosure@code-intelligence.com"
+ - "michael.nothhard@code-intelligence.com"
\ No newline at end of file
diff --git a/projects/javascript-example/Dockerfile b/projects/javascript-example/Dockerfile
new file mode 100644
index 000000000000..85c00ed94662
--- /dev/null
+++ b/projects/javascript-example/Dockerfile
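Review bot: The `PdfDocument` (and the `PdfReader` behind it) created in the try block of `fuzzerTestOneInput` is never closed, so every iteration leaks the reader and whatever it has buffered until GC catches up; use try-with-resources, `try (PdfReader reader = new PdfReader(stream); PdfDocument pdfDoc = new PdfDocument(reader)) { }`. On the line before, the input is round-tripped through `consumeRemainingAsString().getBytes(StandardCharsets.UTF_8)`, and `getBytes` always yields valid UTF-8, so byte sequences that are not valid UTF-8 (common in a binary format like PDF) can never reach the parser; `data.consumeRemainingAsBytes()` feeds the fuzzer's bytes through unchanged. Catching `AssertionError`, `ClassCastException` and `StringIndexOutOfBoundsException` hides exactly the findings a parser fuzzer exists to surface, as the comment itself acknowledges; it would be better to file and track those as known issues and narrow the catch to the documented `IOException`/`PdfException` types.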
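Review bot: The `jazzer.instrument` value lists `com.other.package.**` and `org.jsoup.**`, which look copied from another project's template, while the library actually under test, `com.itextpdf.**`, is not listed, so in the JUnit/jazzer-junit mode this file configures the iText classes presumably receive no coverage instrumentation. Suggested line: `jazzer.instrument=com.example.**,com.itextpdf.**`. The OSS-Fuzz wrapper generated by build.sh in this commit launches Jazzer directly without an instrumentation filter, so the production run is likely unaffected, but the stale patterns should still go.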
@@ -0,0 +1,30 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder-javascript + +COPY build.sh $SRC/ + +# For real projects, you would clone your repo in the next step. +RUN mkdir -p $SRC/example + +# Ideally, you have already configured fuzz tests in your repo so that they +# run (in Jazzer.js regression mode) as part of unit testing. Keeping the fuzz +# tests in sync with the source code ensures that they are adjusted continue +# to work after code changes. Here, we copy them into the example project directory. +COPY fuzz_string_compare.js fuzz_promise.js fuzz_value_profiling.js package.json $SRC/example/ + +WORKDIR $SRC/example diff --git a/projects/javascript-example/build.sh b/projects/javascript-example/build.sh new file mode 100755 index 000000000000..4247e18694b9 --- /dev/null +++ b/projects/javascript-example/build.sh 
@@ -0,0 +1,24 @@ +#!/bin/bash -eu +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +# Install dependencies. +npm install + +# Build Fuzzers. +compile_javascript_fuzzer example fuzz_promise.js +compile_javascript_fuzzer example fuzz_string_compare.js --sync +compile_javascript_fuzzer example fuzz_value_profiling.js --sync diff --git a/projects/javascript-example/fuzz_promise.js b/projects/javascript-example/fuzz_promise.js new file mode 100644 index 000000000000..2b76e07f0fc3 --- /dev/null +++ b/projects/javascript-example/fuzz_promise.js 
@@ -0,0 +1,51 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// + +let lastInvocationCount = 0; +let invocationCount = lastInvocationCount + 1; + +/** + * @param { Buffer } data + */ +module.exports.fuzz = function (data) { + return new Promise((resolve, reject) => { + if (data.length < 3) { + resolve(invocationCount++); + return; + } + setTimeout(() => { + let one = data.readInt8(0); + let two = data.readInt8(1); + let three = data.readInt8(2); + if (one + two + three === 42) { + reject( + new Error( + `${one} + ${two} + ${three} = 42 (invocation ${invocationCount})` + ) + ); + } else { + resolve(invocationCount++); + } + }, 10); + }).then((value) => { + if (value !== lastInvocationCount + 1) { + throw new Error( + `Invalid invocation order, received ${value} but last invocation was ${lastInvocationCount}.` + ); + } + lastInvocationCount = value; + }); +}; diff --git a/projects/javascript-example/fuzz_string_compare.js b/projects/javascript-example/fuzz_string_compare.js new file mode 100644 index 000000000000..16806bce8a70 --- /dev/null +++ b/projects/javascript-example/fuzz_string_compare.js 
@@ -0,0 +1,32 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// + +/** + * @param { Buffer } data + */ +module.exports.fuzz = function (data) { + const s = data.toString(); + if (s.length !== 16) { + return; + } + if ( + s.slice(0, 8) === "Awesome " && + s.slice(8, 15) === "Fuzzing" && + s[15] === "!" + ) { + throw Error("Welcome to Awesome Fuzzing!"); + } +}; diff --git a/projects/javascript-example/fuzz_value_profiling.js b/projects/javascript-example/fuzz_value_profiling.js new file mode 100644 index 000000000000..36204441f818 --- /dev/null +++ b/projects/javascript-example/fuzz_value_profiling.js 
@@ -0,0 +1,39 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// + +/** + * @param {number} n + */ +function encrypt(n) { + return n ^ 0x11223344; +} + +/** + * @param { Buffer } data + */ +module.exports.fuzz = function (data) { + if (data.length < 16) { + return; + } + if ( + encrypt(data.readInt32BE(0)) === 0x50555637 && + encrypt(data.readInt32BE(4)) === 0x7e4f5664 && + encrypt(data.readInt32BE(8)) === 0x5757493e && + encrypt(data.readInt32BE(12)) === 0x784c5465 + ) { + throw Error("XOR with a constant is not a secure encryption method ;-)"); + } +}; diff --git a/projects/javascript-example/package.json b/projects/javascript-example/package.json new file mode 100644 index 000000000000..0960f7de43a5 --- /dev/null +++ b/projects/javascript-example/package.json @@ -0,0 +1,5 @@ +{ + "name": "jazzerjs-examples", + "version": "1.0.0", + "description": "Examples of fuzz tests for Jazzer.js" +} diff --git a/projects/javascript-example/project.yaml b/projects/javascript-example/project.yaml new file mode 100644 index 000000000000..521c0030aacd --- /dev/null +++ b/projects/javascript-example/project.yaml 
@@ -0,0 +1,12 @@ +homepage: https://github.com/CodeIntelligenceTesting/jazzer.js +language: javascript +main_repo: https://github.com/CodeIntelligenceTesting/jazzer.js +fuzzing_engines: +- libfuzzer +sanitizers: +- none +vendor_ccs: +- yakdan@code-intelligence.com +- norbert.schneider@code-intelligence.com +- peter.samarin@code-intelligence.com +- christopher.krah@code-intelligence.com diff --git a/projects/jaxrpc-api/0001-support-new-jdk.patch b/projects/jaxrpc-api/0001-support-new-jdk.patch new file mode 100644 index 000000000000..b711965ccdb3 --- /dev/null +++ b/projects/jaxrpc-api/0001-support-new-jdk.patch @@ -0,0 +1,12 @@ +diff --git a/jaxrpc-ri/pom.xml b/jaxrpc-ri/pom.xml +--- a/jaxrpc-ri/pom.xml ++++ b/jaxrpc-ri/pom.xml +@@ -49,6 +49,8 @@ + 1.2.16 + 1.4.2 + 1.9.13 ++ 1.8 ++ 1.8 + + ${maven.multiModuleProjectDirectory}/.. + diff --git a/projects/jaxrpc-api/0002-avoid-ConcurrentModificationException.patch b/projects/jaxrpc-api/0002-avoid-ConcurrentModificationException.patch new file mode 100644 index 000000000000..37c38251efa9 --- /dev/null +++ b/projects/jaxrpc-api/0002-avoid-ConcurrentModificationException.patch @@ -0,0 +1,12 @@ +diff --git a/jaxrpc-ri/pom.xml b/jaxrpc-ri/pom.xml +--- a/jaxrpc-ri/pom.xml ++++ b/jaxrpc-ri/pom.xml +@@ -147,7 +149,7 @@ + + org.apache.felix + maven-bundle-plugin +- 4.2.1 ++ 5.1.8 + + + <_removeheaders>Bnd-LastModified,Build-Jdk,Built-By,Include-Resource diff --git a/projects/jaxrpc-api/Dockerfile b/projects/jaxrpc-api/Dockerfile new file mode 100644 index 000000000000..688d220d7049 --- /dev/null +++ b/projects/jaxrpc-api/Dockerfile 
@@ -0,0 +1,59 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder-jvm + +# +# install maven configuration, which is also used by gradles's publishToMavenLocal +# +ADD maven-settings.xml ${SRC}/ +RUN apt-get install -y xmlstarlet +RUN mkdir -p ~/.m2 && \ + xmlstarlet ed \ + -u "settings/localRepository" -v "${OUT}/m2/repository" \ + < ${SRC}/maven-settings.xml > ~/.m2/settings.xml + +# +# install maven and gradle +# +RUN curl -L https://downloads.apache.org/maven/maven-3/3.8.7/binaries/apache-maven-3.8.7-bin.zip -o maven.zip && \ + unzip maven.zip -d $SRC/maven-3.8.7 && \ + rm -rf maven.zip + +ENV MVN $SRC/maven-3.8.7/apache-maven-3.8.7/bin/mvn + +RUN curl -L https://services.gradle.org/distributions/gradle-7.6-bin.zip -o gradle.zip && \ + unzip gradle.zip -d $SRC/gradle && \ + rm -rf gradle.zip + +ENV GRADLE $SRC/gradle/gradle-7.6/bin/gradle + +ENV LIBRARY_NAME jaxrpc-api +WORKDIR ${SRC} +# +# clone repository +# +RUN git clone https://github.com/eclipse-ee4j/jax-rpc-ri.git ${LIBRARY_NAME} + +# +# apply fixes +# +ADD *.patch ${SRC}/ +RUN cd ${SRC}/${LIBRARY_NAME} && (for i in ${SRC}/*.patch; do tr -d '\015' < $i | git apply -v; done ) + +ADD build.sh ${SRC}/ +ADD ${LIBRARY_NAME}-fuzzer ${SRC}/${LIBRARY_NAME}-fuzzer/ +WORKDIR ${SRC}/${LIBRARY_NAME} \ No newline at end of file 
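Review bot: The Maven and Gradle archives are downloaded with `curl -L` and unzipped without any integrity check, so a compromised mirror or a hijacked redirect would place an arbitrary build tool into the build container; record the expected digest and verify it between the download and the `unzip`, e.g. `echo '<EXPECTED_SHA512>  maven.zip' | sha512sum -c -` (the same pattern appears in projects/jstl-api/Dockerfile). Gradle is installed and exported as `GRADLE`, but the accompanying build.sh only ever calls `${MVN}`, so those three lines appear to be dead weight unless something outside this commit uses them. In the patch loop, `(for i in ${SRC}/*.patch; do tr -d '\015' < $i | git apply -v; done)` returns the status of the last pipeline only, so a failure applying the first patch is masked when the second one applies cleanly; `... | git apply -v || exit 1; done` makes the RUN step fail as intended.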
diff --git a/projects/jaxrpc-api/build.sh b/projects/jaxrpc-api/build.sh new file mode 100644 index 000000000000..6f1649025cf3 --- /dev/null +++ b/projects/jaxrpc-api/build.sh 
@@ -0,0 +1,82 @@ +#!/bin/bash -eu +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +SRC_SUBDIR="jaxrpc-ri" +MVN_FLAGS="-Djavac.src.version=15 -Djavac.target.version=15 -DskipTests" +ALL_JARS="" + +# Install the build servers' jazzer-api into the maven repository. +pushd "/tmp" + ${MVN} install:install-file -Dfile=${JAZZER_API_PATH} \ + -DgroupId="com.code-intelligence" \ + -DartifactId="jazzer-api" \ + -Dversion="0.14.0" \ + -Dpackaging=jar +popd + +pushd "${SRC}/${LIBRARY_NAME}/${SRC_SUBDIR}" + ${MVN} install ${MVN_FLAGS} + CURRENT_VERSION=$(${MVN} org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) +popd + +pushd "${SRC}/${LIBRARY_NAME}-fuzzer" + ${MVN} package -DfuzzedLibaryVersion="${CURRENT_VERSION}" ${MVN_FLAGS} + install -v target/${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar ${OUT}/${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar + ALL_JARS="${ALL_JARS} ${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar" +popd + + + +# The classpath at build-time includes the project jars in $OUT as well as the +# Jazzer API. +BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH + +# All .jar and .class files lie in the same directory as the fuzzer at runtime. 
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir + +MVN_FUZZERS_PREFIX="src/main/java" + +for fuzzer in $(find ${SRC} -name '*Fuzzer.java'); do + # Find our fuzzer inside the maven structure + stripped_path=$(echo ${fuzzer} | sed \ + -e 's|^.*src/main/java/\(.*\).java$|\1|' \ + -e 's|^.*src/test/java/\(.*\).java$|\1|' \ + ); + # The .java suffix was stripped by sed. + if (echo ${stripped_path} | grep ".java$"); then + continue; + fi + + fuzzer_basename=$(basename -s .java $fuzzer) + fuzzer_classname=$(echo ${stripped_path} | sed 's|/|.|g'); + + # Create an execution wrapper that executes Jazzer with the correct arguments. + + echo "#!/bin/sh +# LLVMFuzzerTestOneInput Magic String required for infra/base-images/base-runner/test_all.py. DO NOT REMOVE + + +this_dir=\$(dirname \"\$0\") +LD_LIBRARY_PATH=\"\$JVM_LD_LIBRARY_PATH\":\$this_dir \ +\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \ +--cp=${RUNTIME_CLASSPATH} \ +--target_class=${fuzzer_classname} \ +--jvm_args=\"-Xmx2048m\" \ +--instrumentation_includes=\"com.sun.xml.rpc.**\" +\$@" > $OUT/${fuzzer_basename} + chmod u+x $OUT/${fuzzer_basename} +done \ No newline at end of file diff --git a/projects/jaxrpc-api/jaxrpc-api-fuzzer/pom.xml b/projects/jaxrpc-api/jaxrpc-api-fuzzer/pom.xml new file mode 100644 index 000000000000..068fc0ba8368 --- /dev/null +++ b/projects/jaxrpc-api/jaxrpc-api-fuzzer/pom.xml 
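Review bot: In the generated wrapper, the line `--instrumentation_includes=\"com.sun.xml.rpc.**\"` has no trailing backslash, unlike the `--jvm_args` line above it, so the following `\$@` becomes a separate shell command instead of the arguments to `jazzer_driver`: the corpus directory and any `-runs=`/`-max_total_time=` options the infrastructure passes never reach Jazzer, and the wrapper then tries to execute them as a command. End that line like the others: `--instrumentation_includes=\"com.sun.xml.rpc.**\" \`. Separately, `BUILD_CLASSPATH` and `MVN_FUZZERS_PREFIX` are assigned but never read (the same two unused variables appear in projects/jstl-api/build.sh); dropping them, or adding a comment stating what they are reserved for, would make the script's intent clearer.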
@@ -0,0 +1,78 @@ + + 4.0.0 + + ossfuzz + jaxrpc-api-fuzzer + ${fuzzedLibaryVersion} + jar + + + 15 + 15 + UTF-8 + 1.8.2 + com.sun.xml.rpc.processor.modeler.rmi.SOAPSimpleTypeCreatorFuzzer + + + + + + + + com.code-intelligence + jazzer-api + 0.14.0 + + + com.sun.xml.rpc + jaxrpc-spi + ${fuzzedLibaryVersion} + + + com.sun.xml.rpc + jaxrpc-impl + ${fuzzedLibaryVersion} + + + + + + + org.apache.maven.plugins + maven-shade-plugin + 3.3.0 + + + + *:* + + META-INF/*.SF + META-INF/*.DSA + META-INF/*.RSA + + + + + + + package + + shade + + + + + + + \ No newline at end of file diff --git a/projects/jaxrpc-api/jaxrpc-api-fuzzer/src/main/java/com/sun/xml/rpc/processor/modeler/rmi/SOAPSimpleTypeCreatorFuzzer.java b/projects/jaxrpc-api/jaxrpc-api-fuzzer/src/main/java/com/sun/xml/rpc/processor/modeler/rmi/SOAPSimpleTypeCreatorFuzzer.java new file mode 100644 index 000000000000..c78f936facc4 --- /dev/null +++ b/projects/jaxrpc-api/jaxrpc-api-fuzzer/src/main/java/com/sun/xml/rpc/processor/modeler/rmi/SOAPSimpleTypeCreatorFuzzer.java @@ -0,0 +1,32 @@ +package com.sun.xml.rpc.processor.modeler.rmi; + +import com.sun.xml.rpc.util.JAXRPCClassFactory; + +import com.code_intelligence.jazzer.api.FuzzedDataProvider; + + +public class SOAPSimpleTypeCreatorFuzzer { + + private FuzzedDataProvider fuzzedDataProvider; + + public SOAPSimpleTypeCreatorFuzzer(FuzzedDataProvider fuzzedDataProvider) throws Exception { + this.fuzzedDataProvider = fuzzedDataProvider; + } + + void test() { + String data = fuzzedDataProvider.consumeRemainingAsString(); + + JAXRPCClassFactory factory = JAXRPCClassFactory.newInstance(); + + try { + factory.createSOAPSimpleTypeCreator().getJavaSimpleType(data); + } catch (Exception e) { + } + } + + public static void fuzzerTestOneInput(FuzzedDataProvider fuzzedDataProvider) throws Exception { + + SOAPSimpleTypeCreatorFuzzer fixture = new SOAPSimpleTypeCreatorFuzzer(fuzzedDataProvider); + fixture.test(); + } +} \ No newline at end of file 
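Review bot: `catch (Exception e) {}` in `test()` swallows every unchecked exception, so a `NullPointerException`, `IllegalStateException` or `ClassCastException` thrown from `getJavaSimpleType` is indistinguishable from a clean run and this target can only ever report `Error`s and sanitizer findings. Catch only the exception types the API documents for malformed input and let the rest propagate, following the `JspException`/`IllegalArgumentException` split that ParserFuzzer in this same commit uses; if the legitimate set is unknown, start narrow with `catch (IllegalArgumentException e)` and widen deliberately as triage shows expected failures. The constructor declares `throws Exception` although it only assigns a field, and `fuzzerTestOneInput` inherits the clause for no reason; both can be dropped. A one-line comment above the catch stating why each caught type is expected would document the decision for whoever triages crashes later.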
diff --git a/projects/jaxrpc-api/maven-settings.xml b/projects/jaxrpc-api/maven-settings.xml new file mode 100644 index 000000000000..4359e57ec065 --- /dev/null +++ b/projects/jaxrpc-api/maven-settings.xml @@ -0,0 +1,3 @@ + + ${user.home}/.m2/repository + \ No newline at end of file diff --git a/projects/jaxrpc-api/project.yaml b/projects/jaxrpc-api/project.yaml new file mode 100644 index 000000000000..0725dec0ed5a --- /dev/null +++ b/projects/jaxrpc-api/project.yaml @@ -0,0 +1,15 @@ +homepage: "https://github.com/eclipse-ee4j/jax-rpc-ri" +language: jvm +main_repo: "https://github.com/eclipse-ee4j/jax-rpc-ri.git" +fuzzing_engines: + - libfuzzer +sanitizers: + - address +vendor_ccs: + - "wagner@code-intelligence.com" + - "yakdan@code-intelligence.com" + - "glendowne@code-intelligence.com" + - "patrice.salathe@code-intelligence.com" + - "hlin@code-intelligence.com" + - "schaich@code-intelligence.com" + - "bug-disclosure@code-intelligence.com" diff --git a/projects/jedi/Dockerfile b/projects/jedi/Dockerfile new file mode 100644 index 000000000000..ceab01b31558 --- /dev/null +++ b/projects/jedi/Dockerfile @@ -0,0 +1,19 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM gcr.io/oss-fuzz-base/base-builder-python +RUN pip3 install --upgrade pip +RUN git clone --recurse-submodules https://github.com/davidhalter/jedi jedi +COPY *.sh *py $SRC/ +WORKDIR $SRC/jedi 
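Review bot: The first line of the jedi Dockerfile is `#!/usr/bin/python3`, which Docker treats as a plain comment (a shebang has no meaning in a Dockerfile) and which suggests the header was copied from the Python fuzzer source; drop it so the file opens with the license header like the other Dockerfiles in this commit. The same stray line appears in projects/jupyter-nbconvert/Dockerfile.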
diff --git a/projects/all.sh b/projects/jedi/build.sh old mode 100755 new mode 100644 similarity index 62% rename from projects/all.sh rename to projects/jedi/build.sh index 1942953c0f47..ea9c67f1f1f1 --- a/projects/all.sh +++ b/projects/jedi/build.sh @@ -1,6 +1,5 @@ #!/bin/bash -eu -# -# Copyright 2016 Google Inc. +# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,21 +15,9 @@ # ################################################################################ -for project in projects/*; do - if [[ -f $project ]]; then continue; fi - echo "@ Building $project" - docker build -t gcr.io/oss-fuzz/$project $project/ - - # Execute command ($1) if any - case ${1-} in - "") - ;; - compile) - docker run --rm -ti gcr.io/oss-fuzz/$project $@ - ;; - *) - echo $"Usage: $0 {|compile}" - exit 1 - esac +python3 setup.py install +# Build fuzzers in $OUT. +for fuzzer in $(find $SRC -name 'fuzz_*.py'); do + compile_python_fuzzer $fuzzer done diff --git a/projects/jedi/fuzz_script.py b/projects/jedi/fuzz_script.py new file mode 100644 index 000000000000..ca4b3ecd0e35 --- /dev/null +++ b/projects/jedi/fuzz_script.py 
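Review bot: This file is recorded as a rename of `projects/all.sh` (similarity 62%) with the mode changed from 100755 to 100644, so the commit also removes `projects/all.sh`; if that removal is intended it deserves a line in the commit description, and if not, `all.sh` should be restored. The new build.sh is not executable, unlike `projects/javascript-example/build.sh` (`new file mode 100755`) in the same commit; as far as I know the OSS-Fuzz builder runs `build.sh` through bash, so this is presumably only an inconsistency, but `chmod +x` keeps the scripts uniform. `python3 setup.py install` is deprecated in favour of `pip3 install .`, which projects/jupyter-nbconvert/build.sh in this commit already uses.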
@@ -0,0 +1,33 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +import sys +import atheris + +import jedi + + +def TestOneInput(data): + fdp = atheris.FuzzedDataProvider(data) + jedi.Script(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)) + + +def main(): + atheris.instrument_all() + atheris.Setup(sys.argv, TestOneInput) + atheris.Fuzz() + + +if __name__ == "__main__": + main() diff --git a/projects/jedi/project.yaml b/projects/jedi/project.yaml new file mode 100644 index 000000000000..ba840eb7800a --- /dev/null +++ b/projects/jedi/project.yaml @@ -0,0 +1,10 @@ +homepage: https://github.com/davidhalter/jedi +main_repo: https://github.com/davidhalter/jedi +language: python +fuzzing_engines: +- libfuzzer +sanitizers: +- address +- undefined +vendor_ccs: +- david@adalogics.com diff --git a/projects/jstl-api/0001-support-new-jdk.patch b/projects/jstl-api/0001-support-new-jdk.patch new file mode 100644 index 000000000000..b711965ccdb3 --- /dev/null +++ b/projects/jstl-api/0001-support-new-jdk.patch @@ -0,0 +1,12 @@ +diff --git a/jaxrpc-ri/pom.xml b/jaxrpc-ri/pom.xml +--- a/jaxrpc-ri/pom.xml ++++ b/jaxrpc-ri/pom.xml +@@ -49,6 +49,8 @@ + 1.2.16 + 1.4.2 + 1.9.13 ++ 1.8 ++ 1.8 + + ${maven.multiModuleProjectDirectory}/.. + diff --git a/projects/jstl-api/0002-avoid-ConcurrentModificationException.patch b/projects/jstl-api/0002-avoid-ConcurrentModificationException.patch new file mode 100644 index 000000000000..37c38251efa9 
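Review bot: `TestOneInput` constructs `jedi.Script(...)` and discards the result, so the harness only exercises whatever work the constructor does (presumably parsing); the analysis entry points such as `complete()`, `infer()` or `get_names()` are never reached. If parsing-only is the intent, a comment saying so would help the next reader; otherwise keep the instance and call one of those methods, for example `jedi.Script(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)).complete()`, as a minimal extension.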
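Review bot: `projects/jstl-api/0001-support-new-jdk.patch` is a byte-identical copy of the jaxrpc-api patch (same blob id b711965ccdb3) and edits `jaxrpc-ri/pom.xml`, a path belonging to the jaxrpc-ri project rather than jstl-api; the jstl-api Dockerfile in this commit also never `ADD`s or `git apply`s any patch. Both this file and `0002-avoid-ConcurrentModificationException.patch` (blob 37c38251efa9, likewise identical to the jaxrpc-api copy) therefore appear to be dead files and should be removed from projects/jstl-api/.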
--- /dev/null +++ b/projects/jstl-api/0002-avoid-ConcurrentModificationException.patch @@ -0,0 +1,12 @@ +diff --git a/jaxrpc-ri/pom.xml b/jaxrpc-ri/pom.xml +--- a/jaxrpc-ri/pom.xml ++++ b/jaxrpc-ri/pom.xml +@@ -147,7 +149,7 @@ + + org.apache.felix + maven-bundle-plugin +- 4.2.1 ++ 5.1.8 + + + <_removeheaders>Bnd-LastModified,Build-Jdk,Built-By,Include-Resource diff --git a/projects/jstl-api/Dockerfile b/projects/jstl-api/Dockerfile new file mode 100644 index 000000000000..008a5090b818 --- /dev/null +++ b/projects/jstl-api/Dockerfile 
@@ -0,0 +1,49 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +FROM gcr.io/oss-fuzz-base/base-builder-jvm + +# Install maven configuration, which is also used by gradles's publishToMavenLocal. + +ADD maven-settings.xml ${SRC}/ +RUN apt-get install -y xmlstarlet +RUN mkdir -p ~/.m2 && \ + xmlstarlet ed \ + -u "settings/localRepository" -v "${OUT}/m2/repository" \ + < ${SRC}/maven-settings.xml > ~/.m2/settings.xml + + +# install maven and gradle + +RUN curl -L https://downloads.apache.org/maven/maven-3/3.8.7/binaries/apache-maven-3.8.7-bin.zip -o maven.zip && \ + unzip maven.zip -d $SRC/maven-3.8.7 && \ + rm -rf maven.zip + +ENV MVN $SRC/maven-3.8.7/apache-maven-3.8.7/bin/mvn + +RUN curl -L https://services.gradle.org/distributions/gradle-7.6-bin.zip -o gradle.zip && \ + unzip gradle.zip -d $SRC/gradle && \ + rm -rf gradle.zip + +ENV GRADLE $SRC/gradle/gradle-7.6/bin/gradle + +ENV LIBRARY_NAME jstl-api +WORKDIR ${SRC} +RUN git clone https://github.com/eclipse-ee4j/jstl-api.git ${LIBRARY_NAME} + +ADD build.sh ${SRC}/ +ADD ${LIBRARY_NAME}-fuzzer ${SRC}/${LIBRARY_NAME}-fuzzer/ +WORKDIR ${SRC}/${LIBRARY_NAME} \ No newline at end of file diff --git a/projects/jstl-api/build.sh b/projects/jstl-api/build.sh new file mode 100644 index 000000000000..499da559cf9c --- /dev/null +++ b/projects/jstl-api/build.sh 
@@ -0,0 +1,92 @@ +#!/bin/bash -eu +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + +SRC_SUBDIR="" +MVN_FLAGS="-Djavac.src.version=15 -Djavac.target.version=15 -DskipTests" +ALL_JARS="" + +# Install the build servers' jazzer-api into the maven repository. +pushd "/tmp" + ${MVN} install:install-file -Dfile=${JAZZER_API_PATH} \ + -DgroupId="com.code-intelligence" \ + -DartifactId="jazzer-api" \ + -Dversion="0.14.0" \ + -Dpackaging=jar +popd + +pushd "${SRC}/${LIBRARY_NAME}/${SRC_SUBDIR}" + ${MVN} install ${MVN_FLAGS} + CURRENT_VERSION=$(${MVN} org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) +popd + +#this package uses multiple versions [...] 
+pushd "${SRC}/${LIBRARY_NAME}/api" + CURRENT_VERSION_API=$(${MVN} org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) +popd +pushd "${SRC}/${LIBRARY_NAME}/impl" + CURRENT_VERSION_IMPL=$(${MVN} org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout) +popd + +pushd "${SRC}/${LIBRARY_NAME}-fuzzer" + ${MVN} package -DfuzzedLibaryVersion="${CURRENT_VERSION}" \ + -DapiVersion="${CURRENT_VERSION_API}" \ + -DimplVersion="${CURRENT_VERSION_IMPL}" \ + ${MVN_FLAGS} + install -v target/${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar ${OUT}/${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar + ALL_JARS="${ALL_JARS} ${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar" +popd + + + +# The classpath at build-time includes the project jars in $OUT as well as the +# Jazzer API. +BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH + +# All .jar and .class files lie in the same directory as the fuzzer at runtime. +RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir + +MVN_FUZZERS_PREFIX="src/main/java" + +for fuzzer in $(find ${SRC} -name '*Fuzzer.java'); do + # Find our fuzzer inside the maven structure + stripped_path=$(echo ${fuzzer} | sed \ + -e 's|^.*src/main/java/\(.*\).java$|\1|' \ + -e 's|^.*src/test/java/\(.*\).java$|\1|' \ + ); + # The .java suffix was stripped by sed. + if (echo ${stripped_path} | grep ".java$"); then + continue; + fi + + fuzzer_basename=$(basename -s .java $fuzzer) + fuzzer_classname=$(echo ${stripped_path} | sed 's|/|.|g'); + + # Create an execution wrapper that executes Jazzer with the correct arguments. + + echo "#!/bin/sh +# LLVMFuzzerTestOneInput Magic String required for infra/base-images/base-runner/test_all.py. 
DO NOT REMOVE + + +this_dir=\$(dirname \"\$0\") +LD_LIBRARY_PATH=\"\$JVM_LD_LIBRARY_PATH\":\$this_dir \ +\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \ +--cp=${RUNTIME_CLASSPATH} \ +--target_class=${fuzzer_classname} \ +--jvm_args=\"-Xmx2048m\" \ +\$@" > $OUT/${fuzzer_basename} + chmod u+x $OUT/${fuzzer_basename} +done \ No newline at end of file diff --git a/projects/jstl-api/jstl-api-fuzzer/pom.xml b/projects/jstl-api/jstl-api-fuzzer/pom.xml new file mode 100644 index 000000000000..939589ddc355 --- /dev/null +++ b/projects/jstl-api/jstl-api-fuzzer/pom.xml @@ -0,0 +1,95 @@ + + 4.0.0 + + ossfuzz + jstl-api-fuzzer + ${fuzzedLibaryVersion} + jar + + + 15 + 15 + UTF-8 + 3.0.0 + com.sun.xml.rpc.processor.modeler.rmi.SOAPSimpleTypeCreatorFuzzer + + + + + + + + com.code-intelligence + jazzer-api + 0.14.0 + + + jakarta.servlet.jsp.jstl + jakarta.servlet.jsp.jstl-api + ${apiVersion} + + + org.glassfish.web + jakarta.servlet.jsp.jstl + ${implVersion} + + + + + jakarta.servlet + jakarta.servlet-api + 6.0.0 + + + jakarta.servlet.jsp + jakarta.servlet.jsp-api + 3.1.0 + + + jakarta.el + jakarta.el-api + 5.0.0 + + + + + + + org.apache.maven.plugins + maven-shade-plugin + 3.3.0 + + + + *:* + + META-INF/*.SF + META-INF/*.DSA + META-INF/*.RSA + + + + + + + package + + shade + + + + + + + \ No newline at end of file diff --git a/projects/jstl-api/jstl-api-fuzzer/src/main/java/jakarta/servlet/jsp/ParserFuzzer.java b/projects/jstl-api/jstl-api-fuzzer/src/main/java/jakarta/servlet/jsp/ParserFuzzer.java new file mode 100644 index 000000000000..310065c1d541 --- /dev/null +++ b/projects/jstl-api/jstl-api-fuzzer/src/main/java/jakarta/servlet/jsp/ParserFuzzer.java 
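Review bot: The property holding the fuzzer class name in this pom is `com.sun.xml.rpc.processor.modeler.rmi.SOAPSimpleTypeCreatorFuzzer`, which is the jaxrpc-api fuzzer; the only fuzzer in this module is `jakarta.servlet.jsp.ParserFuzzer`. The element name is not legible in this view, so I cannot tell whether anything consumes the value (build.sh discovers fuzzers with `find`, not through the pom), but a reference to a class that is not on this module's classpath should either be corrected to `jakarta.servlet.jsp.ParserFuzzer` or removed.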
@@ -0,0 +1,31 @@ +package jakarta.servlet.jsp; + +import org.apache.taglibs.standard.lang.jstl.Evaluator; + +import com.code_intelligence.jazzer.api.FuzzedDataProvider; + + +public class ParserFuzzer { + + private FuzzedDataProvider fuzzedDataProvider; + + public ParserFuzzer(FuzzedDataProvider fuzzedDataProvider) throws Exception { + this.fuzzedDataProvider = fuzzedDataProvider; + } + + void test() { + try { + String result = Evaluator.parseAndRender(fuzzedDataProvider.consumeRemainingAsString()); + } catch (JspException ex) { + /* documented, ignore */ + } catch (IllegalArgumentException ex) { + /* general purpose, ignore */ + } + } + + public static void fuzzerTestOneInput(FuzzedDataProvider fuzzedDataProvider) throws Exception { + + ParserFuzzer fixture = new ParserFuzzer(fuzzedDataProvider); + fixture.test(); + } +} \ No newline at end of file diff --git a/projects/jstl-api/maven-settings.xml b/projects/jstl-api/maven-settings.xml new file mode 100644 index 000000000000..4359e57ec065 --- /dev/null +++ b/projects/jstl-api/maven-settings.xml @@ -0,0 +1,3 @@ + + ${user.home}/.m2/repository + \ No newline at end of file diff --git a/projects/jstl-api/project.yaml b/projects/jstl-api/project.yaml new file mode 100644 index 000000000000..323d62c74016 --- /dev/null +++ b/projects/jstl-api/project.yaml @@ -0,0 +1,15 @@ +homepage: "https://github.com/eclipse-ee4j/jstl-api" +language: jvm +main_repo: "https://github.com/eclipse-ee4j/jstl-api.git" +fuzzing_engines: + - libfuzzer +sanitizers: + - address +vendor_ccs: + - "wagner@code-intelligence.com" + - "yakdan@code-intelligence.com" + - "glendowne@code-intelligence.com" + - "patrice.salathe@code-intelligence.com" + - "hlin@code-intelligence.com" + - "schaich@code-intelligence.com" + - "bug-disclosure@code-intelligence.com" diff --git a/projects/jupyter-nbconvert/Dockerfile b/projects/jupyter-nbconvert/Dockerfile new file mode 100644 index 000000000000..66eaccc99a67 --- /dev/null 
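Review bot: The constructor is declared `throws Exception` but its body only assigns a field, and that clause is what forces `fuzzerTestOneInput` to declare `throws Exception` too; drop both. `String result` in `test()` is never read, so `Evaluator.parseAndRender(...)` can be a bare statement, and `fuzzedDataProvider` can be `private final` since it is only set in the constructor. The `IllegalArgumentException` catch is labelled "general purpose", which for a fuzz target means any IAE the evaluator throws on a malformed expression is hidden; a comment stating that IAE is part of `parseAndRender`'s expected behaviour for bad input, or narrowing the catch to the documented `JspException` only, would make that choice reviewable.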
+++ b/projects/jupyter-nbconvert/Dockerfile @@ -0,0 +1,18 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM gcr.io/oss-fuzz-base/base-builder-python +RUN git clone https://github.com/jupyter/nbconvert nbconvert +COPY *.sh *py $SRC/ +WORKDIR $SRC/nbconvert diff --git a/projects/jupyter-nbconvert/build.sh b/projects/jupyter-nbconvert/build.sh new file mode 100644 index 000000000000..0f26fbc3c229 --- /dev/null +++ b/projects/jupyter-nbconvert/build.sh @@ -0,0 +1,22 @@ +#!/bin/bash -eu +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +pip3 install . + +# Build fuzzers in $OUT. +for fuzzer in $(find $SRC -name 'fuzz_*.py'); do + compile_python_fuzzer $fuzzer +done 
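Review bot: `#!/usr/bin/python3` as the first line of a Dockerfile is a copy-paste artefact: Docker reads it as a comment, so it is harmless but misleading, and the same line heads the new markdown-it-py and mdurl Dockerfiles further down. `COPY *.sh *py $SRC/` presumably means `*.py`; the `*py` glob also matches any name that merely ends in those two letters. The clone is neither pinned nor depth-limited while the other Dockerfiles in this change use `--depth 1`; `RUN git clone --depth 1 https://github.com/jupyter/nbconvert nbconvert` keeps the image builds consistent and smaller.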
diff --git a/projects/jupyter-nbconvert/fuzz_markdown_converter.py b/projects/jupyter-nbconvert/fuzz_markdown_converter.py new file mode 100644 index 000000000000..292410118ac4 --- /dev/null +++ b/projects/jupyter-nbconvert/fuzz_markdown_converter.py @@ -0,0 +1,34 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +import sys +import atheris +import nbconvert + + +def TestOneInput(data): + fdp = atheris.FuzzedDataProvider(data) + nbconvert.filters.markdown_mistune.markdown2html_mistune( + fdp.ConsumeUnicodeNoSurrogates(sys.maxsize) + ) + + +def main(): + atheris.instrument_all() + atheris.Setup(sys.argv, TestOneInput) + atheris.Fuzz() + + +if __name__ == "__main__": + main() diff --git a/projects/jupyter-nbconvert/project.yaml b/projects/jupyter-nbconvert/project.yaml new file mode 100644 index 000000000000..59e4dfa5f532 --- /dev/null +++ b/projects/jupyter-nbconvert/project.yaml @@ -0,0 +1,10 @@ +homepage: https://github.com/jupyter/nbconvert +language: python +main_repo: https://github.com/jupyter/nbconvert +fuzzing_engines: +- libfuzzer +sanitizers: +- address +- undefined +vendor_ccs: +- david@adalogics.com diff --git a/projects/karchive/Dockerfile b/projects/karchive/Dockerfile index d6c65e0f5a7f..98cd7ca78e6f 100644 --- a/projects/karchive/Dockerfile +++ b/projects/karchive/Dockerfile 
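Review bot: `nbconvert.filters.markdown_mistune.markdown2html_mistune` is reached by attribute access on the top-level package after a bare `import nbconvert`; that only works if the package's `__init__` eagerly imports the `filters.markdown_mistune` submodule, which I cannot verify from here and which an upstream refactor could change without notice. `from nbconvert.filters.markdown_mistune import markdown2html_mistune` makes the dependency explicit and fails at import time instead of on the first fuzz iteration. The harness catches nothing, so every exception the renderer raises is reported as a crash; if some exception types are documented behaviour for malformed Markdown, a comment saying the crash-on-anything policy is deliberate would help triage.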
@@ -21,8 +21,8 @@ RUN git clone --depth 1 https://github.com/nih-at/libzip.git RUN wget https://sourceware.org/pub/bzip2/bzip2-1.0.8.tar.gz RUN git clone https://git.tukaani.org/xz.git RUN git clone --depth 1 --branch=5.15 git://code.qt.io/qt/qtbase.git -RUN git clone --depth 1 https://invent.kde.org/frameworks/extra-cmake-modules.git -RUN git clone --depth 1 https://invent.kde.org/frameworks/karchive.git +RUN git clone --depth 1 -b kf5 https://invent.kde.org/frameworks/extra-cmake-modules.git +RUN git clone --depth 1 -b kf5 https://invent.kde.org/frameworks/karchive.git COPY build.sh $SRC COPY karchive_fuzzer.cc $SRC WORKDIR karchive diff --git a/projects/kcodecs/Dockerfile b/projects/kcodecs/Dockerfile index 1c563cf0d04f..d7de53a70251 100644 --- a/projects/kcodecs/Dockerfile +++ b/projects/kcodecs/Dockerfile @@ -18,8 +18,8 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get install --yes cmake RUN curl -L http://ftp.gnu.org/pub/gnu/gperf/gperf-3.1.tar.gz -O RUN git clone --depth 1 --branch=5.15 git://code.qt.io/qt/qtbase.git -RUN git clone --depth 1 https://invent.kde.org/frameworks/kcodecs.git -RUN git clone --depth 1 https://invent.kde.org/frameworks/extra-cmake-modules.git +RUN git clone --depth 1 -b kf5 https://invent.kde.org/frameworks/kcodecs.git +RUN git clone --depth 1 -b kf5 https://invent.kde.org/frameworks/extra-cmake-modules.git RUN git clone --depth 1 https://gitlab.freedesktop.org/uchardet/uchardet.git COPY build.sh $SRC COPY kcodecs_fuzzer.cc $SRC diff --git a/projects/kimageformats/Dockerfile b/projects/kimageformats/Dockerfile index 5c569bf576ed..e88cb0b74340 100644 --- a/projects/kimageformats/Dockerfile +++ b/projects/kimageformats/Dockerfile 
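Review bot: The `-b kf5` pins are fine, but the context line directly above them still clones qtbase over `git://code.qt.io/qt/qtbase.git`, an unauthenticated transport with no integrity protection, while every other build input in the file is fetched over HTTPS; the same line appears in the kcodecs hunk below and in the kimageformats Dockerfile hunk. If code.qt.io serves the repository over HTTPS, `RUN git clone --depth 1 --branch=5.15 https://code.qt.io/qt/qtbase.git` closes that gap with no other change. Pinning to a branch rather than a commit is the OSS-Fuzz norm for fuzzing the current tree, so nothing to change there.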
@@ -18,15 +18,15 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install --yes cmake autoconf libtool pkg-config RUN git clone --depth 1 https://github.com/madler/zlib.git RUN git clone --depth 1 https://github.com/nih-at/libzip.git -RUN git clone --depth 1 https://invent.kde.org/frameworks/extra-cmake-modules.git +RUN git clone --depth 1 -b kf5 https://invent.kde.org/frameworks/extra-cmake-modules.git RUN git clone --depth 1 --branch=5.15 git://code.qt.io/qt/qtbase.git -RUN git clone --depth 1 https://invent.kde.org/frameworks/karchive.git -RUN git clone --depth 1 https://invent.kde.org/frameworks/kimageformats.git +RUN git clone --depth 1 -b kf5 https://invent.kde.org/frameworks/karchive.git +RUN git clone --depth 1 -b kf5 https://invent.kde.org/frameworks/kimageformats.git RUN git clone --depth 1 -b v3.5.0 https://aomedia.googlesource.com/aom RUN git clone --depth 1 -b v0.11.1 https://github.com/AOMediaCodec/libavif.git RUN git clone --depth 1 https://github.com/strukturag/libde265.git RUN git clone --depth 1 https://github.com/strukturag/libheif.git -RUN git clone --depth=1 --branch v0.7.x --recursive https://github.com/libjxl/libjxl.git +RUN git clone --depth=1 --branch v0.8.x --recursive https://github.com/libjxl/libjxl.git RUN git clone --depth 1 https://github.com/LibRaw/LibRaw COPY build.sh $SRC COPY kimgio_fuzzer.cc $SRC diff --git a/projects/kimageformats/build.sh b/projects/kimageformats/build.sh index 731178cf0d3b..62a6712aa567 100644 --- a/projects/kimageformats/build.sh +++ b/projects/kimageformats/build.sh 
@@ -101,7 +101,7 @@ cd $SRC cd libjxl mkdir build cd build -CXXFLAGS="$CXXFLAGS -DHWY_COMPILE_ONLY_SCALAR" cmake -DBUILD_SHARED_LIBS=OFF -DBUILD_TESTING=OFF -DJPEGXL_BUNDLE_SKCMS=ON -DJPEGXL_ENABLE_BENCHMARK=OFF -DJPEGXL_ENABLE_DOXYGEN=OFF -DJPEGXL_ENABLE_EXAMPLES=OFF -DJPEGXL_ENABLE_JNI=OFF -DJPEGXL_ENABLE_MANPAGES=OFF -DJPEGXL_ENABLE_OPENEXR=OFF -DJPEGXL_ENABLE_PLUGINS=OFF -DJPEGXL_ENABLE_SJPEG=OFF -DJPEGXL_ENABLE_SKCMS=ON -DJPEGXL_ENABLE_TCMALLOC=OFF -DJPEGXL_ENABLE_TOOLS=OFF .. +CXXFLAGS="$CXXFLAGS -DHWY_COMPILE_ONLY_SCALAR" cmake -DBUILD_SHARED_LIBS=OFF -DBUILD_TESTING=OFF -DJPEGXL_BUNDLE_SKCMS=ON -DJPEGXL_ENABLE_BENCHMARK=OFF -DJPEGXL_ENABLE_DOXYGEN=OFF -DJPEGXL_ENABLE_EXAMPLES=OFF -DJPEGXL_ENABLE_JNI=OFF -DJPEGXL_ENABLE_JPEGLI_LIBJPEG=OFF -DJPEGXL_ENABLE_MANPAGES=OFF -DJPEGXL_ENABLE_OPENEXR=OFF -DJPEGXL_ENABLE_PLUGINS=OFF -DJPEGXL_ENABLE_SJPEG=OFF -DJPEGXL_ENABLE_SKCMS=ON -DJPEGXL_ENABLE_TCMALLOC=OFF -DJPEGXL_ENABLE_TOOLS=OFF .. make -j$(nproc) jxl-static jxl_threads-static cd $SRC diff --git a/projects/libaom/build.sh b/projects/libaom/build.sh index 590b45ac5978..53c87ebfccc8 100755 --- a/projects/libaom/build.sh +++ b/projects/libaom/build.sh @@ -46,7 +46,7 @@ cmake $SRC/aom -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS_RELEASE='-O3 -g' \ -DCMAKE_CXX_FLAGS_RELEASE='-O3 -g' -DCONFIG_PIC=1 -DCONFIG_LOWBITDEPTH=1 \ -DCONFIG_AV1_ENCODER=0 -DENABLE_EXAMPLES=0 -DENABLE_DOCS=0 -DENABLE_TESTS=0 \ -DCONFIG_SIZE_LIMIT=1 -DDECODE_HEIGHT_LIMIT=12288 -DDECODE_WIDTH_LIMIT=12288 \ - -DAOM_EXTRA_C_FLAGS="${extra_c_flags}" \ + -DAOM_EXTRA_C_FLAGS="${extra_c_flags}" -DENABLE_TOOLS=0 \ -DAOM_EXTRA_CXX_FLAGS="${extra_c_flags}" ${extra_cmake_flags} make -j$(nproc) popd diff --git a/projects/libarchive/libarchive_fuzzer.cc b/projects/libarchive/libarchive_fuzzer.cc index 40eac29f409c..c7f3ec70dfe0 100644 --- a/projects/libarchive/libarchive_fuzzer.cc +++ b/projects/libarchive/libarchive_fuzzer.cc 
@@ -33,7 +33,11 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { return 0; } - archive_read_open_memory(a, buf, len); + if (ARCHIVE_OK != archive_read_open_memory(a, buf, len)) { + archive_read_free(a); + return 0; + } + archive_read_add_passphrase(a, "secret"); while(1) { diff --git a/projects/libavc/Dockerfile b/projects/libavc/Dockerfile index 9998c2430db9..c492381d7484 100644 --- a/projects/libavc/Dockerfile +++ b/projects/libavc/Dockerfile @@ -16,7 +16,7 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y wget cmake -RUN git clone https://android.googlesource.com/platform/external/libavc +RUN git clone https://github.com/ittiam-systems/libavc.git ADD https://storage.googleapis.com/android_media/external/libavc/fuzzer/avc_dec_fuzzer_seed_corpus.zip $SRC/ COPY build.sh $SRC/ WORKDIR libavc diff --git a/projects/libavc/project.yaml b/projects/libavc/project.yaml index e8a3e79016ac..21aa7cc538fd 100644 --- a/projects/libavc/project.yaml +++ b/projects/libavc/project.yaml @@ -1,4 +1,4 @@ -homepage: "https://android.googlesource.com/platform/external/libavc/" +homepage: "https://github.com/ittiam-systems/libavc" language: c++ primary_contact: "harish.mahendrakar@ittiam.com" sanitizers: @@ -23,4 +23,4 @@ vendor_ccs: architectures: - x86_64 - i386 -main_repo: 'https://android.googlesource.com/platform/external/libavc' +main_repo: 'https://github.com/ittiam-systems/libavc.git' diff --git a/projects/libecc/Dockerfile b/projects/libecc/Dockerfile index f211ac6a01bc..491b8ff39f4b 100644 --- a/projects/libecc/Dockerfile +++ b/projects/libecc/Dockerfile 
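Review bot: The new early exit frees `a` and returns, which is the right cleanup for a failed open, but nothing records why a rejected archive is not itself a finding; a comment above the `if`, `// Not a bug: the input is not a readable archive. Free and let the fuzzer move on.`, keeps a later reader from "fixing" the silent return. `archive_read_add_passphrase(a, "secret")` on the following line still discards its status, consistent with the pre-existing style but worth a glance now that the call before it is checked. `LLVMFuzzerTestOneInput` starts before and continues after this hunk, so the cleanup on the `while(1)` loop's own exit paths cannot be checked here.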
@@ -18,7 +18,7 @@ # Please fix failure and upgrade. FROM gcr.io/oss-fuzz-base/base-builder@sha256:111d6b9d3a52bd3392602c71dc8936c628607a7a9bc86d381db7586f9b1e840f RUN apt-get update && apt-get install -y make autoconf automake libtool wget python bison flex texinfo lzip -RUN git clone https://github.com/ANSSI-FR/libecc.git +RUN git clone --depth 1 --branch cryptofuzz https://github.com/libecc/libecc.git RUN git clone --depth 1 https://github.com/randombit/botan.git RUN git clone https://github.com/wolfssl/wolfssl RUN git clone --depth 1 https://github.com/guidovranken/cryptofuzz diff --git a/projects/libecc/build.sh b/projects/libecc/build.sh index 7b85ef988b1b..e37b8a7bfc19 100755 --- a/projects/libecc/build.sh +++ b/projects/libecc/build.sh @@ -28,7 +28,6 @@ cp -R boost/ /usr/include/ # Build libecc cd $SRC/libecc -git checkout cryptofuzz export CFLAGS="$CFLAGS -DUSE_CRYPTOFUZZ" make -j$(nproc) build/libsign.a export LIBECC_PATH=$(realpath .) diff --git a/projects/libfido2/build.sh b/projects/libfido2/build.sh index 401614562e07..1e2412a9615f 100755 --- a/projects/libfido2/build.sh +++ b/projects/libfido2/build.sh @@ -46,7 +46,8 @@ make install # Building libfido2 with ${LIB_FUZZING_ENGINE} and chosen sanitizer cd ${SRC}/libfido2 mkdir build && cd build -cmake -DFUZZ=1 -DFUZZ_LDFLAGS=${LIB_FUZZING_ENGINE} \ +cmake -DFUZZ=1 -DFUZZ_LDFLAGS="${LIB_FUZZING_ENGINE}" \ + -DFUZZ_LINKER_LANGUAGE=CXX \ -DPKG_CONFIG_USE_CMAKE_PREFIX_PATH=1 \ -DCMAKE_PREFIX_PATH=${WORK} \ -DCMAKE_INSTALL_PREFIX=${WORK} \ diff --git a/projects/libfido2/project.yaml b/projects/libfido2/project.yaml index adf557bbc555..62b44e56f245 100644 --- a/projects/libfido2/project.yaml +++ b/projects/libfido2/project.yaml @@ -13,4 +13,7 @@ sanitizers: - memory fuzzing_engines: - libfuzzer + - afl + - centipede + - honggfuzz main_repo: 'https://github.com/Yubico/libfido2' diff --git a/projects/libgit2/build.sh b/projects/libgit2/build.sh index 9e72ca70e633..e9a89944be36 100755 
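Review bot: The hunk quotes `"${LIB_FUZZING_ENGINE}"` but leaves `-DCMAKE_PREFIX_PATH=${WORK}` and `-DCMAKE_INSTALL_PREFIX=${WORK}` on the next lines unquoted, so the invocation is now inconsistent about word-splitting protection; quoting those as `"${WORK}"` finishes the job. `-DFUZZ_LINKER_LANGUAGE=CXX` is presumably what lets the afl, centipede and honggfuzz engines added in project.yaml link against a C++ engine library, and a one-line comment above it saying so would tie the two changes together for the next reader.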
--- a/projects/libgit2/build.sh +++ b/projects/libgit2/build.sh @@ -31,8 +31,11 @@ for fuzzer in ../fuzzers/*_fuzzer.c do fuzzer_name=$(basename "${fuzzer%.c}") - $CC $CFLAGS -c -I./src -I../src/libgit2 -I../src/util -I../include \ + $CC $CFLAGS -c \ + -I./src -I./src/util -I./include/ -I./include/git2 \ + -I../src/libgit2 -I../src/util -I../include \ "$fuzzer" -o "$WORK/$fuzzer_name.o" + $CXX $CXXFLAGS -std=c++11 -o "$OUT/$fuzzer_name" \ $LIB_FUZZING_ENGINE "$WORK/$fuzzer_name.o" "$WORK/lib/libgit2.a" diff --git a/projects/libhevc/Dockerfile b/projects/libhevc/Dockerfile index d483313b27c5..93e0a0c4493b 100644 --- a/projects/libhevc/Dockerfile +++ b/projects/libhevc/Dockerfile @@ -16,7 +16,7 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y wget cmake -RUN git clone https://android.googlesource.com/platform/external/libhevc +RUN git clone https://github.com/ittiam-systems/libhevc.git ADD https://storage.googleapis.com/android_media/external/libhevc/fuzzer/hevc_dec_fuzzer_seed_corpus.zip $SRC/ COPY build.sh $SRC/ WORKDIR libhevc diff --git a/projects/libhevc/project.yaml b/projects/libhevc/project.yaml index 47842353f685..c817ef0298ec 100644 --- a/projects/libhevc/project.yaml +++ b/projects/libhevc/project.yaml @@ -1,4 +1,4 @@ -homepage: "https://android.googlesource.com/platform/external/libhevc/" +homepage: "https://github.com/ittiam-systems/libhevc" language: c++ primary_contact: "harish.mahendrakar@ittiam.com" sanitizers: @@ -23,4 +23,4 @@ vendor_ccs: architectures: - x86_64 - i386 -main_repo: 'https://android.googlesource.com/platform/external/libhevc' +main_repo: 'https://github.com/ittiam-systems/libhevc.git' diff --git a/projects/libhtp/project.yaml b/projects/libhtp/project.yaml index 151f8cef8207..ef5d3942e1eb 100644 --- a/projects/libhtp/project.yaml +++ b/projects/libhtp/project.yaml 
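Review bot: The new include list mixes `-I./include/` with a trailing slash against `-I./src` and `-I./include/git2` without one, and putting `./include/git2` itself on the search path lets headers resolve against two roots at once; if the fuzzers only need `<git2.h>` and its subheaders, `-I./include` alone is the conventional form. Whether `./src`, `./include` and `../src/libgit2` all resolve as intended depends on the working directory set before the hunk, which is outside it, so that should be confirmed against the lines above. The added blank line between the compile and link commands is fine.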
@@ -4,6 +4,7 @@ primary_contact: "vjulien@openinfosecfoundation.org" auto_ccs : - "p.antoine@catenacyber.fr" - "jish@openinfosecfoundation.org " +- "todd.mortimer@gmail.com" sanitizers: - address diff --git a/projects/libjpeg-turbo/Dockerfile b/projects/libjpeg-turbo/Dockerfile index 2e31ee31299d..dc5f1d24df40 100644 --- a/projects/libjpeg-turbo/Dockerfile +++ b/projects/libjpeg-turbo/Dockerfile @@ -1,5 +1,5 @@ # Copyright 2016 Google Inc. -# Copyright 2022 D. R. Commander +# Copyright 2022-2023 D. R. Commander # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,9 +17,10 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y make yasm cmake -RUN git clone --depth 1 https://github.com/libjpeg-turbo/libjpeg-turbo libjpeg-turbo.main -RUN git clone --depth 1 https://github.com/libjpeg-turbo/libjpeg-turbo -b 2.0.x libjpeg-turbo.2.0.x -RUN git clone --depth 1 https://github.com/libjpeg-turbo/libjpeg-turbo -b dev libjpeg-turbo.dev || /bin/true +RUN git clone --depth 1 https://github.com/libjpeg-turbo/fuzz && \ + cat fuzz/branches.txt | while read branch; do \ + git clone --depth 1 https://github.com/libjpeg-turbo/libjpeg-turbo -b $branch libjpeg-turbo.$branch; \ + done RUN git clone --depth 1 https://github.com/libjpeg-turbo/seed-corpora RUN cd seed-corpora && zip -r ../decompress_fuzzer_seed_corpus.zip afl-testcases/jpeg* bugs/decompress* $SRC/libjpeg-turbo/testimages/*.jpg diff --git a/projects/libjpeg-turbo/build.sh b/projects/libjpeg-turbo/build.sh index c547fe6941b2..b3ae06f30a2b 100644 --- a/projects/libjpeg-turbo/build.sh +++ b/projects/libjpeg-turbo/build.sh @@ -1,4 +1,4 @@ -# Copyright 2022 D. R. Commander +# Copyright 2022-2023 D. R. Commander # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
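Review bot: The context line right above the new entry, `- "jish@openinfosecfoundation.org "`, carries a trailing space inside the quotes, so that address is stored with a space that a mailer or the project.yaml validation may reject; since this hunk already touches the list, trimming it to `- "jish@openinfosecfoundation.org"` is a safe drive-by fix. The new `todd.mortimer@gmail.com` line itself is fine.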
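Review bot: In the new loop a failing `git clone` for any branch other than the last one is silently ignored: under `/bin/sh -c` the `while` is the tail of a pipeline and its status is that of the final iteration, so the image still builds with a branch missing, which reintroduces the old `|| /bin/true` tolerance for every branch rather than only for `dev`. If that tolerance is intended, say so in a comment; if not, `git clone ... || exit 1` inside the loop makes a missing branch fail the build. `read branch` should be `read -r branch` with `"$branch"` quoted, here and in the matching loop in build.sh's second hunk, so a stray backslash or space in `branches.txt` is not reinterpreted. Which trees get fuzzed is now decided at image build time by the HEAD of the separate `libjpeg-turbo/fuzz` repository, which is reasonable but worth a comment next to the clone.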
@@ -17,10 +17,7 @@ set -e set -u -for branch in main 2.0.x dev; do - if [ "$branch" = "dev" -a ! -d libjpeg-turbo.$branch ]; then - continue - fi +cat fuzz/branches.txt | while read branch; do pushd libjpeg-turbo.$branch if [ "$branch" = "main" ]; then sh fuzz/build.sh diff --git a/projects/libmpeg2/Dockerfile b/projects/libmpeg2/Dockerfile index 9d823a126ac6..716b262f41ac 100644 --- a/projects/libmpeg2/Dockerfile +++ b/projects/libmpeg2/Dockerfile @@ -16,7 +16,7 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y wget cmake -RUN git clone https://android.googlesource.com/platform/external/libmpeg2 +RUN git clone https://github.com/ittiam-systems/libmpeg2.git ADD https://storage.googleapis.com/android_media/external/libmpeg2/fuzzer/mpeg2_dec_fuzzer_seed_corpus.zip $SRC/ COPY build.sh $SRC/ WORKDIR libmpeg2 diff --git a/projects/libmpeg2/project.yaml b/projects/libmpeg2/project.yaml index 281a80d5a20f..675152e16b5d 100644 --- a/projects/libmpeg2/project.yaml +++ b/projects/libmpeg2/project.yaml @@ -1,4 +1,4 @@ -homepage: "https://android.googlesource.com/platform/external/libmpeg2/" +homepage: "https://github.com/ittiam-systems/libmpeg2" language: c++ primary_contact: "harish.mahendrakar@ittiam.com" sanitizers: @@ -23,4 +23,4 @@ vendor_ccs: architectures: - x86_64 - i386 -main_repo: 'https://android.googlesource.com/platform/external/libmpeg2' +main_repo: 'https://github.com/ittiam-systems/libmpeg2.git' diff --git a/projects/libvips/build.sh b/projects/libvips/build.sh index f74ab3f1ee08..a1532ce69ba7 100755 --- a/projects/libvips/build.sh +++ b/projects/libvips/build.sh 
@@ -223,8 +223,8 @@ for fuzzer in fuzz/*_fuzzer.cc; do -I/usr/include/glib-2.0 \ -I/usr/lib/x86_64-linux-gnu/glib-2.0/include \ $LDFLAGS \ - -lvips -lexif -llcms2 -ljpeg -lpng -lspng -lz \ - -ltiff -lwebpmux -lwebpdemux -lwebp -lsharpyuv -lheif -laom \ + -lvips -lexif -llcms2 -ltiff -ljpeg -lpng -lspng -lz \ + -lwebpmux -lwebpdemux -lwebp -lsharpyuv -lheif -laom \ -limagequant -lcgif -lpdfium \ $LIB_FUZZING_ENGINE \ -Wl,-Bstatic \ diff --git a/projects/libvnc/project.yaml b/projects/libvnc/project.yaml index 473bbfbeb5e7..14182e5b44c0 100644 --- a/projects/libvnc/project.yaml +++ b/projects/libvnc/project.yaml @@ -3,4 +3,6 @@ language: c++ primary_contact: "dontmind@sdf.org" auto_ccs: - "p.antoine@catenacyber.fr" + - "info@christianbeier.net" + - "christian.cb.beier@gmail.com" main_repo: 'https://github.com/LibVNC/libvncserver.git' diff --git a/projects/markdown-it-py/Dockerfile b/projects/markdown-it-py/Dockerfile new file mode 100644 index 000000000000..815ac9e049da --- /dev/null +++ b/projects/markdown-it-py/Dockerfile @@ -0,0 +1,18 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM gcr.io/oss-fuzz-base/base-builder-python +RUN git clone https://github.com/executablebooks/markdown-it-py markdown-it-py +COPY *.sh *py $SRC/ +WORKDIR $SRC/markdown-it-py diff --git a/projects/markdown-it-py/build.sh b/projects/markdown-it-py/build.sh new file mode 100644 index 000000000000..0629bee585f0 --- /dev/null 
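Review bot: The reorder moves `-ltiff` ahead of `-ljpeg` and `-lz`, which reads as a link-order fix (the `-Wl,-Bstatic` section that follows suggests static archives, which are resolved left to right), but nothing in the file records that the order matters, so the next tidy-up will undo it. A comment on the line, `# -ltiff must precede -ljpeg/-lz: libtiff references their symbols and static archives resolve left to right`, protects the fix; hedge it if the exact dependency is different from what I assume. The `for fuzzer` loop starts before the hunk, so the rest of the invocation is not visible here.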
+++ b/projects/markdown-it-py/build.sh @@ -0,0 +1,22 @@ +#!/bin/bash -eu +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +pip3 install . + +# Build fuzzers in $OUT. +for fuzzer in $(find $SRC -name 'fuzz_*.py'); do + compile_python_fuzzer $fuzzer +done \ No newline at end of file diff --git a/projects/markdown-it-py/fuzz_markdown.py b/projects/markdown-it-py/fuzz_markdown.py new file mode 100644 index 000000000000..1ffcf78ff6bd --- /dev/null +++ b/projects/markdown-it-py/fuzz_markdown.py 
@@ -0,0 +1,35 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +import sys +import atheris +from markdown_it import MarkdownIt + + +def TestOneInput(data): + fdp = atheris.FuzzedDataProvider(data) + md = MarkdownIt() + raw_markdown = fdp.ConsumeUnicodeNoSurrogates(sys.maxsize) + md.parse(raw_markdown) + md.render(raw_markdown) + + +def main(): + atheris.instrument_all() + atheris.Setup(sys.argv, TestOneInput) + atheris.Fuzz() + + +if __name__ == "__main__": + main() diff --git a/projects/markdown-it-py/project.yaml b/projects/markdown-it-py/project.yaml new file mode 100644 index 000000000000..c944bab81a3f --- /dev/null +++ b/projects/markdown-it-py/project.yaml @@ -0,0 +1,10 @@ +homepage: https://github.com/executablebooks/markdown-it-py +main_repo: https://github.com/executablebooks/markdown-it-py +language: python +fuzzing_engines: +- libfuzzer +sanitizers: +- address +- undefined +vendor_ccs: +- david@adalogics.com diff --git a/projects/markupsafe/build.sh b/projects/markupsafe/build.sh index e0949506a752..95f3540d8099 100644 --- a/projects/markupsafe/build.sh +++ b/projects/markupsafe/build.sh @@ -15,8 +15,7 @@ # ################################################################################ -# Build native code with sanitizers -python3 setup.py install +pip3 install . # Build fuzzers in $OUT. for fuzzer in $(find $SRC -name 'fuzz_*.py'); do 
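Review bot: `md.parse(raw_markdown)` followed by `md.render(raw_markdown)` parses each input twice, since `render` tokenises the text again before rendering (as markdown-it's API does, if I read it right), so half of each iteration's work is discarded. Either drop the explicit `parse`, or keep it and feed its tokens to the renderer, `tokens = md.parse(raw_markdown)` then `md.renderer.render(tokens, md.options, {})`, so both layers are still exercised without the duplicate pass. Constructing `MarkdownIt()` inside `TestOneInput` also pays rule and plugin setup on every input; hoisting it to module scope is safe if the instance carries no state between calls, which is worth confirming before doing it.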
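Review bot: The hunk drops the `# Build native code with sanitizers` comment together with the `setup.py install` line, yet that intent is still the reason this project needs its own install step: the optional C speedups extension is what the sanitizers instrument. Keeping a one-line comment above `pip3 install .`, e.g. `# Install from source so the native extension is compiled with the sanitizer CFLAGS`, preserves that context. Whether `pip3 install .` passes `$CFLAGS` through its build environment is worth a check in the build log, since the fuzzer loop below assumes the extension was built with instrumentation.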
diff --git a/projects/mdurl/Dockerfile b/projects/mdurl/Dockerfile new file mode 100644 index 000000000000..89ba704e693a --- /dev/null +++ b/projects/mdurl/Dockerfile @@ -0,0 +1,18 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM gcr.io/oss-fuzz-base/base-builder-python +RUN git clone https://github.com/executablebooks/mdurl mdurl +COPY *.sh *py $SRC/ +WORKDIR $SRC/mdurl diff --git a/projects/mdurl/build.sh b/projects/mdurl/build.sh new file mode 100644 index 000000000000..0f26fbc3c229 --- /dev/null +++ b/projects/mdurl/build.sh @@ -0,0 +1,22 @@ +#!/bin/bash -eu +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +pip3 install . + +# Build fuzzers in $OUT. +for fuzzer in $(find $SRC -name 'fuzz_*.py'); do + compile_python_fuzzer $fuzzer +done 
diff --git a/projects/mdurl/fuzz_mdurl.py b/projects/mdurl/fuzz_mdurl.py new file mode 100644 index 000000000000..7da76fd95610 --- /dev/null +++ b/projects/mdurl/fuzz_mdurl.py @@ -0,0 +1,34 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +import sys +import atheris +import mdurl + + +def TestOneInput(data): + fdp = atheris.FuzzedDataProvider(data) + mdurl.parse(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)) + mdurl.decode(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)) + mdurl.encode(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)) + + +def main(): + atheris.instrument_all() + atheris.Setup(sys.argv, TestOneInput) + atheris.Fuzz() + + +if __name__ == "__main__": + main() diff --git a/projects/mdurl/project.yaml b/projects/mdurl/project.yaml new file mode 100644 index 000000000000..eb8d370e3933 --- /dev/null +++ b/projects/mdurl/project.yaml @@ -0,0 +1,10 @@ +homepage: https://github.com/executablebooks/mdurl +main_repo: https://github.com/executablebooks/mdurl +language: python +fuzzing_engines: +- libfuzzer +sanitizers: +- address +- undefined +vendor_ccs: +- david@adalogics.com diff --git a/projects/mosquitto/Dockerfile b/projects/mosquitto/Dockerfile new file mode 100644 index 000000000000..70a601e0a3a6 --- /dev/null +++ b/projects/mosquitto/Dockerfile 
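Review bot: Only the first call receives any data: `fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)` drains the remaining input, so `mdurl.decode` and `mdurl.encode` are always called with the empty string and are effectively not fuzzed. Consume once, `s = fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)`, and pass `s` to all three calls; if distinct inputs per API are wanted, give each call a bounded length instead of `sys.maxsize` so the later ones still see bytes.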
@@ -0,0 +1,26 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+
+# Main repo
+RUN git clone --depth 1 -b develop https://github.com/eclipse/mosquitto ${SRC}/mosquitto
+
+# Get dependencies
+RUN $SRC/mosquitto/fuzzing/scripts/oss-fuzz-dependencies.sh
+
+WORKDIR $SRC/mosquitto
+COPY build.sh $SRC/
diff --git a/projects/mosquitto/build.sh b/projects/mosquitto/build.sh
new file mode 100644
index 000000000000..e28e71902c4a
--- /dev/null
+++ b/projects/mosquitto/build.sh
@@ -0,0 +1,19 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Run build script from the mosquitto repo
+./fuzzing/scripts/oss-fuzz-build.sh
diff --git a/projects/mosquitto/project.yaml b/projects/mosquitto/project.yaml new file mode 100644 index 000000000000..0ac5430ed8c4 --- /dev/null +++ b/projects/mosquitto/project.yaml @@ -0,0 +1,12 @@ +homepage: "https://mosquitto.org/" +language: c +primary_contact: "roger@atchoo.org" +auto_ccs: + - "security@eclipse.org" + - "rogerlight@gmail.com" +sanitizers: + - address + - memory: + experimental: True + - undefined +main_repo: 'https://github.com/eclipse/mosquitto' diff --git a/projects/mp4parse-rust/project.yaml b/projects/mp4parse-rust/project.yaml index eee731e029a6..3eabf467b0db 100644 --- a/projects/mp4parse-rust/project.yaml +++ b/projects/mp4parse-rust/project.yaml @@ -6,7 +6,6 @@ fuzzing_engines: - libfuzzer language: rust vendor_ccs: -- "bvandyk@mozilla.com" -- "jbauman@mozilla.com" +- "media-alerts@mozilla.com" - "twsmith@mozilla.com" main_repo: 'https://github.com/mozilla/mp4parse-rust' diff --git a/projects/muduo/build.sh b/projects/muduo/build.sh index 023146ec743f..bf0aa0077075 100755 --- a/projects/muduo/build.sh +++ b/projects/muduo/build.sh @@ -17,7 +17,7 @@ sed -i '34 a $ENV{CXXFLAGS}' CMakeLists.txt mkdir -p build-dir && cd build-dir -cmake -DCMAKE_BUILD_TYPE="release" \ +cmake -DCMAKE_BUILD_TYPE="release" -DMUDUO_BUILD_EXAMPLES=OFF \ .. make -j$(nproc) diff --git a/projects/ndpi/Dockerfile b/projects/ndpi/Dockerfile index 6ec83f691443..142212e9d0a3 100644 --- a/projects/ndpi/Dockerfile +++ b/projects/ndpi/Dockerfile @@ -16,7 +16,6 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y make autoconf automake autogen pkg-config libtool flex bison cmake libnuma-dev libpcre2-dev -RUN git clone --depth 1 https://github.com/json-c/json-c.git json-c RUN git clone --depth 1 https://github.com/ntop/nDPI.git ndpi ADD https://www.tcpdump.org/release/libpcap-1.9.1.tar.gz libpcap-1.9.1.tar.gz COPY build.sh $SRC/ diff --git a/projects/ndpi/build.sh b/projects/ndpi/build.sh index 90f29ec2b1d4..b00960be9b1a 100755 
--- a/projects/ndpi/build.sh +++ b/projects/ndpi/build.sh @@ -32,13 +32,6 @@ make -j$(nproc) make install cd .. -cd json-c -mkdir build -cd build -cmake -DBUILD_SHARED_LIBS=OFF .. -make install -cd ../.. - if [[ "$SANITIZER" != "memory" ]]; then #Re-enable code instrumentation export CFLAGS="${CFLAGS_SAVE}" @@ -54,6 +47,8 @@ LDFLAGS="-lpcap" ./autogen.sh --enable-fuzztargets --with-only-libndpi make -j$(nproc) # Copy fuzzers ls fuzz/fuzz* | grep -v "\." | while read i; do cp $i $OUT/; done +# Copy dictionaries +cp fuzz/*.dict $OUT/ # Copy seed corpus cp fuzz/*.zip $OUT/ # Copy configuration files diff --git a/projects/ndpi/project.yaml b/projects/ndpi/project.yaml index 0c213cfa225e..8aef20b8395e 100644 --- a/projects/ndpi/project.yaml +++ b/projects/ndpi/project.yaml @@ -8,6 +8,7 @@ fuzzing_engines: - libfuzzer - afl - honggfuzz + - centipede sanitizers: - address - undefined diff --git a/projects/netcdf/Dockerfile b/projects/netcdf/Dockerfile index 41f0aca6f3d0..bb603efc41fc 100644 --- a/projects/netcdf/Dockerfile +++ b/projects/netcdf/Dockerfile @@ -15,7 +15,7 @@ ################################################################################ FROM gcr.io/oss-fuzz-base/base-builder -RUN apt-get update && apt-get install -y cmake m4 zlib1g-dev +RUN apt-get update && apt-get install -y cmake m4 zlib1g-dev libcurlpp-dev libcurl4-openssl-dev RUN git clone --depth 1 https://github.com/Unidata/netcdf-c COPY build.sh $SRC WORKDIR $SRC/netcdf-c diff --git a/projects/netty/project.yaml b/projects/netty/project.yaml index 04b7b29520e0..abb6beba0969 100644 --- a/projects/netty/project.yaml +++ b/projects/netty/project.yaml @@ -4,6 +4,7 @@ main_repo: "https://github.com/netty/netty.git" primary_contact: "mr.chrisvest@gmail.com" auto_ccs: - "norman_maurer@apple.com" + - "t@motd.kr" fuzzing_engines: - libfuzzer sanitizers: diff --git a/projects/notary/project.yaml b/projects/notary/project.yaml index 9c615a2ab9d3..fa9843bf6f57 100644 --- a/projects/notary/project.yaml 
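Review bot: The added `cp fuzz/*.dict $OUT/` in the second hunk turns a missing optional input into a build failure: when no `.dict` file exists the unmatched glob is passed to cp literally, cp fails, and the script presumably stops there (its shebang and any `set -e` are outside the hunk). Dictionaries are an optional aid, so guard the copy, `if compgen -G "fuzz/*.dict" > /dev/null; then cp fuzz/*.dict $OUT/; fi`, or enable `shopt -s nullglob` ahead of the copy block. The pre-existing `cp fuzz/*.zip $OUT/` on the next line has the same exposure and could be guarded the same way.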
+++ b/projects/notary/project.yaml @@ -3,9 +3,11 @@ main_repo: "https://github.com/notaryproject" primary_contact: "yizha1@microsoft.com" auto_ccs : - "vaninrao@amazon.com" - - "hbandi@gmail.com" + - "priteshbandi@gmail.com" - "shizh@microsoft.com" - "justin.cormack@docker.com" + - "toddysm@gmail.com" + - "notarycncf@gmail.com" vendor_ccs : - "Adam@adalogics.com" - "David@adalogics.com" diff --git a/projects/paramiko/fuzz_packetizer.py b/projects/paramiko/fuzz_packetizer.py index f684d2b6503a..ae203d186ace 100644 --- a/projects/paramiko/fuzz_packetizer.py +++ b/projects/paramiko/fuzz_packetizer.py @@ -24,7 +24,7 @@ from cryptography.hazmat.primitives.ciphers import algorithms, Cipher, modes from paramiko import Message, Packetizer -from paramiko.common import byte_chr, zero_byte, asbytes +from paramiko.common import byte_chr, zero_byte # Extract path of fuzzer so we can include loop.py if getattr(sys, 'frozen', False): diff --git a/projects/parso/Dockerfile b/projects/parso/Dockerfile new file mode 100644 index 000000000000..a598a9f15f41 --- /dev/null +++ b/projects/parso/Dockerfile @@ -0,0 +1,18 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM gcr.io/oss-fuzz-base/base-builder-python +RUN git clone https://github.com/davidhalter/parso parso +COPY *.sh *py $SRC/ +WORKDIR $SRC/parso diff --git a/projects/parso/build.sh b/projects/parso/build.sh new file mode 100644 index 000000000000..bc99fef7b7d9 --- /dev/null 
+++ b/projects/parso/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+pip3 install .
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name '*_fuzz.py'); do
+ compile_python_fuzzer $fuzzer
+done
diff --git a/projects/parso/parso_fuzz.py b/projects/parso/parso_fuzz.py
new file mode 100644
index 000000000000..029c906ad5c7
--- /dev/null
+++ b/projects/parso/parso_fuzz.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import sys
+import atheris
+import parso
+
+
+def TestOneInput(data):
+ fdp = atheris.FuzzedDataProvider(data)
+ try:
+ parso.parse(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize))
+ except RecursionError:
+ # Not interesting
+ pass
+
+
+def main():
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/projects/parso/project.yaml b/projects/parso/project.yaml
new file mode 100644
index 000000000000..c6233f6fd757
--- /dev/null
+++ b/projects/parso/project.yaml
@@ -0,0 +1,10 @@
+fuzzing_engines:
+- libfuzzer
+homepage: https://github.com/davidhalter/parso
+language: python
+main_repo: https://github.com/davidhalter/parso
+sanitizers:
+- address
+- undefined
+vendor_ccs:
+- david@adalogics.com
diff --git a/projects/pendulum/Dockerfile b/projects/pendulum/Dockerfile
new file mode 100644
index 000000000000..eb243c83eda1
--- /dev/null
+++ b/projects/pendulum/Dockerfile
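Review bot: The `except RecursionError` branch in `TestOneInput` is explained only by `# Not interesting`, which does not tell a reader triaging results why a parser of untrusted input running out of stack is being discarded; that is the difference between a documented limitation and a silently suppressed resource-exhaustion signal. Say what is being suppressed and why, for example `# Deeply nested input can exhaust the interpreter stack; treated as a known limitation so other bugs surface` (adjust if the real reason differs, it is not visible here). Both function bodies are complete within the hunk.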
@@ -0,0 +1,19 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN pip3 install --upgrade pip tzdata
+RUN git clone https://github.com/sdispater/pendulum pendulum
+COPY *.sh *py $SRC/
+WORKDIR $SRC/pendulum
diff --git a/projects/pendulum/build.sh b/projects/pendulum/build.sh
new file mode 100644
index 000000000000..66382c64a700
--- /dev/null
+++ b/projects/pendulum/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+pip3 install .
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+ compile_python_fuzzer $fuzzer --hidden-import=tzdata
+done
diff --git a/projects/pendulum/fuzz_parse.py b/projects/pendulum/fuzz_parse.py
new file mode 100644
index 000000000000..a919c08c4e8b
--- /dev/null
+++ b/projects/pendulum/fuzz_parse.py
@@ -0,0 +1,41 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import sys
+import atheris
+
+import pendulum
+
+
+def TestOneInput(data):
+ if len(data) == 0:
+ return
+ fdp = atheris.FuzzedDataProvider(data)
+ try:
+ pendulum.parse(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize))
+ except pendulum.parsing.exceptions.ParserError:
+ pass
+ except ValueError:
+ # Runs into this quickly
+ pass
+
+
+def main():
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/projects/pendulum/project.yaml b/projects/pendulum/project.yaml
new file mode 100644
index 000000000000..41c988c0e7f6
--- /dev/null
+++ b/projects/pendulum/project.yaml
@@ -0,0 +1,10 @@
+fuzzing_engines:
+- libfuzzer
+homepage: https://github.com/sdispater/pendulum
+language: python
+main_repo: https://github.com/sdispater/pendulum
+sanitizers:
+- address
+- undefined
+vendor_ccs:
+- david@adalogics.com
diff --git a/projects/pyjson5/Dockerfile b/projects/pyjson5/Dockerfile
new file mode 100644
index 000000000000..5d66a5a4c6fd
--- /dev/null
+++ b/projects/pyjson5/Dockerfile
@@ -0,0 +1,18 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN git clone https://github.com/dpranke/pyjson5 pyjson5
+COPY *.sh *py $SRC/
+WORKDIR $SRC/pyjson5
diff --git a/projects/pyjson5/build.sh b/projects/pyjson5/build.sh
new file mode 100644
index 000000000000..0629bee585f0
--- /dev/null
+++ b/projects/pyjson5/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+pip3 install .
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+ compile_python_fuzzer $fuzzer
+done
\ No newline at end of file
diff --git a/projects/pyjson5/fuzz_json.py b/projects/pyjson5/fuzz_json.py
new file mode 100644
index 000000000000..b3aec57f96f5
--- /dev/null
+++ b/projects/pyjson5/fuzz_json.py
@@ -0,0 +1,37 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import sys
+import atheris
+import json5
+
+
+def TestOneInput(data):
+ fdp = atheris.FuzzedDataProvider(data)
+ try:
+ json5.loads(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize))
+ except (ValueError, TypeError, RecursionError) as e:
+ # ValueError and TypeError are raised by the function
+ # RecursionError is not interesting.
+ pass
+
+
+def main():
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/projects/pyjson5/project.yaml b/projects/pyjson5/project.yaml
new file mode 100644
index 000000000000..0ff0f50db271
--- /dev/null
+++ b/projects/pyjson5/project.yaml
@@ -0,0 +1,10 @@
+homepage: https://github.com/dpranke/pyjson5
+main_repo: https://github.com/dpranke/pyjson5
+language: python
+fuzzing_engines:
+- libfuzzer
+sanitizers:
+- address
+- undefined
+vendor_ccs:
+- david@adalogics.com
diff --git a/projects/python-email-validator/Dockerfile b/projects/python-email-validator/Dockerfile
index 9dde6f84c809..51d7e8fe3b9b 100644
--- a/projects/python-email-validator/Dockerfile
+++ b/projects/python-email-validator/Dockerfile
@@ -16,6 +16,7 @@ FROM gcr.io/oss-fuzz-base/base-builder-python RUN apt-get update && apt-get install -y make autoconf automake libtool -RUN git clone --depth 1 https://github.com/JoshData/python-email-validator python-email-validator +RUN git clone --depth 1 https://github.com/JoshData/python-email-validator python-email-validator +RUN git clone --depth 1 https://github.com/manunio/fuzz-corpus fuzz-corpus WORKDIR python-email-validator COPY build.sh *.py $SRC/ diff --git a/projects/python-email-validator/build.sh b/projects/python-email-validator/build.sh index 34bff4d7a108..ba8ceb8d8177 100755 --- a/projects/python-email-validator/build.sh +++ b/projects/python-email-validator/build.sh @@ -15,6 +15,8 @@ # ################################################################################ +zip -r $OUT/fuzz_validator_seed_corpus.zip $SRC/fuzz-corpus/python-email-validator + pip3 install . for fuzzer in $(find $SRC -name 'fuzz_*.py');do compile_python_fuzzer $fuzzer diff --git a/projects/python-email-validator/fuzz_validator.py b/projects/python-email-validator/fuzz_validator.py index dd6e7230cc86..e31dc807262e 100644 --- a/projects/python-email-validator/fuzz_validator.py +++ b/projects/python-email-validator/fuzz_validator.py @@ -21,17 +21,17 @@ def TestOneInput(data): - try: - validate_email(data) - except (EmailSyntaxError, EmailUndeliverableError): - pass + try: + validate_email(data) + except (EmailSyntaxError, EmailUndeliverableError): + pass def main(): - atheris.Setup(sys.argv, TestOneInput, enable_python_coverage=True) - atheris.instrument_all() - atheris.Fuzz() + atheris.Setup(sys.argv, TestOneInput, enable_python_coverage=True) + atheris.instrument_all() + atheris.Fuzz() if __name__ == "__main__": - main() + main() diff --git a/projects/python-fastjsonschema/Dockerfile b/projects/python-fastjsonschema/Dockerfile new file mode 100644 index 000000000000..c8d08dfa5488 --- /dev/null +++ b/projects/python-fastjsonschema/Dockerfile 
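Review bot: The seed corpus is now sourced from `https://github.com/manunio/fuzz-corpus`, a repository outside the project's control that the Dockerfile clones unpinned; the build breaks if that repository moves or is deleted, and its contents can change silently between builds, so checking out a fixed revision after the clone (a `git checkout` of a specific commit) would make the corpus reproducible. In build.sh, `zip -r $OUT/fuzz_validator_seed_corpus.zip $SRC/fuzz-corpus/python-email-validator` records the full absolute directory path inside the archive; zipping from inside the directory, `(cd $SRC/fuzz-corpus/python-email-validator && zip -r $OUT/fuzz_validator_seed_corpus.zip .)`, keeps the archive flat and independent of `$SRC`. The fuzz_validator.py hunk is a whitespace-only reindent.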
@@ -0,0 +1,18 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN git clone https://github.com/horejsek/python-fastjsonschema python-fastjsonschema
+COPY *.sh *py $SRC/
+WORKDIR $SRC/python-fastjsonschema
diff --git a/projects/python-fastjsonschema/build.sh b/projects/python-fastjsonschema/build.sh
new file mode 100644
index 000000000000..0f26fbc3c229
--- /dev/null
+++ b/projects/python-fastjsonschema/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+pip3 install .
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+ compile_python_fuzzer $fuzzer
+done
diff --git a/projects/python-fastjsonschema/fuzz_compile.py b/projects/python-fastjsonschema/fuzz_compile.py
new file mode 100644
index 000000000000..78576db7383c
--- /dev/null
+++ b/projects/python-fastjsonschema/fuzz_compile.py
@@ -0,0 +1,42 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import sys
+import atheris
+import fastjsonschema
+
+
+def TestOneInput(data):
+ fdp = atheris.FuzzedDataProvider(data)
+
+ # Create a random dictionary
+ try:
+ json_dict = json.loads(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize))
+ except:
+ return
+ if not isinstance(json_dict, dict):
+ return
+
+ # Ensure we can compile it
+ fastjsonschema.compile(json_dict)
+
+
+def main():
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/projects/python-fastjsonschema/project.yaml b/projects/python-fastjsonschema/project.yaml
new file mode 100644
index 000000000000..9e1f442f2538
--- /dev/null
+++ b/projects/python-fastjsonschema/project.yaml
@@ -0,0 +1,10 @@
+homepage: https://github.com/horejsek/python-fastjsonschema
+main_repo: https://github.com/horejsek/python-fastjsonschema
+language: python
+fuzzing_engines:
+- libfuzzer
+sanitizers:
+- address
+- undefined
+vendor_ccs:
+- david@adalogics.com
diff --git a/projects/qpdf/build.sh b/projects/qpdf/build.sh
index 91f867bd91bd..d216814936be 100755
--- a/projects/qpdf/build.sh
+++ b/projects/qpdf/build.sh
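Review bot: `json.loads` in `TestOneInput` is used but `json` is never imported (the file imports only `sys`, `atheris` and `fastjsonschema`), and the bare `except:` directly below swallows the resulting NameError, so every input returns early and `fastjsonschema.compile` is never reached — the harness runs but tests nothing. Add `import json` and narrow the handler to the decode failure it is meant to absorb, `except json.JSONDecodeError:`, so other errors are no longer hidden. Whether `fastjsonschema.compile` raises its own exception type on malformed schema dictionaries is not visible here; if it does and that is expected, catch that type explicitly rather than widening the except again.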
@@ -24,7 +24,7 @@ popd # libjpeg-turbo pushd $SRC/libjpeg-turbo -cmake . -DCMAKE_INSTALL_PREFIX="$WORK" -DENABLE_STATIC:bool=on +cmake . -DCMAKE_INSTALL_PREFIX="$WORK" -DENABLE_STATIC=1 -DENABLE_SHARED=0 -DCMAKE_POSITION_INDEPENDENT_CODE=1 make -j$(nproc) make install popd diff --git a/projects/quic-go/Dockerfile b/projects/quic-go/Dockerfile index ebc07a080857..11cfc239a74f 100644 --- a/projects/quic-go/Dockerfile +++ b/projects/quic-go/Dockerfile @@ -20,7 +20,7 @@ RUN git clone --depth 1 https://github.com/quic-go/qpack/ && \ cd qpack && \ go build -RUN git clone --depth 1 https://github.com/lucas-clemente/quic-go/ && \ +RUN git clone --depth 1 https://github.com/quic-go/quic-go/ && \ cd quic-go && \ go build diff --git a/projects/quic-go/build.sh b/projects/quic-go/build.sh index f0dc211733b7..f6a864351692 100644 --- a/projects/quic-go/build.sh +++ b/projects/quic-go/build.sh @@ -26,11 +26,11 @@ compile_go_fuzzer github.com/quic-go/qpack/fuzzing Fuzz qpack_fuzzer ( cd quic-go # Fuzz quic-go -compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/frames Fuzz frame_fuzzer -compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/header Fuzz header_fuzzer -compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/transportparameters Fuzz transportparameter_fuzzer -compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/tokens Fuzz token_fuzzer -compile_go_fuzzer github.com/lucas-clemente/quic-go/fuzzing/handshake Fuzz handshake_fuzzer +compile_go_fuzzer github.com/quic-go/quic-go/fuzzing/frames Fuzz frame_fuzzer +compile_go_fuzzer github.com/quic-go/quic-go/fuzzing/header Fuzz header_fuzzer +compile_go_fuzzer github.com/quic-go/quic-go/fuzzing/transportparameters Fuzz transportparameter_fuzzer +compile_go_fuzzer github.com/quic-go/quic-go/fuzzing/tokens Fuzz token_fuzzer +compile_go_fuzzer github.com/quic-go/quic-go/fuzzing/handshake Fuzz handshake_fuzzer if [ $SANITIZER == "coverage" ]; then # no need for corpuses if coverage 
diff --git a/projects/quic-go/project.yaml b/projects/quic-go/project.yaml index 445b3d2f2064..d629077b3d6a 100644 --- a/projects/quic-go/project.yaml +++ b/projects/quic-go/project.yaml @@ -1,8 +1,8 @@ -homepage: "https://github.com/lucas-clemente/quic-go" +homepage: "https://github.com/quic-go/quic-go" primary_contact: "martenseemann@gmail.com" language: go fuzzing_engines: - libfuzzer sanitizers: - address -main_repo: 'https://github.com/lucas-clemente/quic-go' +main_repo: 'https://github.com/quic-go/quic-go' diff --git a/projects/rekor/project.yaml b/projects/rekor/project.yaml index 86db84b27b33..7fc6ac544e9f 100644 --- a/projects/rekor/project.yaml +++ b/projects/rekor/project.yaml @@ -3,7 +3,7 @@ main_repo: "https://github.com/sigstore/rekor" primary_contact: "bcallaway@sigstore.dev" auto_ccs: - naveensrinivasan@protonmail.com - - dlorenc@sigstore.dev + - dlorenc@protonmail.com - lhinds@sigstore.dev - hblauzvern@sigstore.dev - asraa@sigstore.dev diff --git a/projects/rich/Dockerfile b/projects/rich/Dockerfile new file mode 100644 index 000000000000..7aac05e2c61e --- /dev/null +++ b/projects/rich/Dockerfile @@ -0,0 +1,19 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM gcr.io/oss-fuzz-base/base-builder-python +RUN pip3 install --upgrade pip +RUN git clone https://github.com/Textualize/rich rich +COPY *.sh *py $SRC/ +WORKDIR $SRC/rich 
diff --git a/projects/rich/build.sh b/projects/rich/build.sh
new file mode 100644
index 000000000000..0f26fbc3c229
--- /dev/null
+++ b/projects/rich/build.sh
@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+pip3 install .
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+ compile_python_fuzzer $fuzzer
+done
diff --git a/projects/rich/fuzz_markdown.py b/projects/rich/fuzz_markdown.py
new file mode 100644
index 000000000000..f127b7d8786a
--- /dev/null
+++ b/projects/rich/fuzz_markdown.py
@@ -0,0 +1,38 @@
+#!/usr/bin/python3
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+import io
+import sys
+import atheris
+
+from rich.console import Console
+from rich.markdown import Markdown
+
+
+def TestOneInput(data):
+ fdp = atheris.FuzzedDataProvider(data)
+ markdown = Markdown(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize))
+ if markdown.parsed:
+ console = Console(width=80, file=io.StringIO(), color_system="truecolor")
+ console.print(markdown)
+
+
+def main():
+ atheris.instrument_all()
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/projects/rich/project.yaml b/projects/rich/project.yaml
new file mode 100644
index 000000000000..d5fe81f0f07a
--- /dev/null
+++ b/projects/rich/project.yaml
@@ -0,0 +1,10 @@
+homepage: https://github.com/Textualize/rich
+main_repo: https://github.com/Textualize/rich
+language: python
+fuzzing_engines:
+- libfuzzer
+sanitizers:
+- address
+- undefined
+vendor_ccs:
+- david@adalogics.com
diff --git a/projects/rustls/build.sh b/projects/rustls/build.sh
index 3e05fe4d0230..7d44aa48e9d8 100755
--- a/projects/rustls/build.sh
+++ b/projects/rustls/build.sh
@@ -25,13 +25,14 @@ fi cd $SRC/rustls cargo fuzz build -O -cp fuzz/target/x86_64-unknown-linux-gnu/release/client $OUT/ -cp fuzz/target/x86_64-unknown-linux-gnu/release/deframer $OUT/ -cp fuzz/target/x86_64-unknown-linux-gnu/release/fragment $OUT/ -cp fuzz/target/x86_64-unknown-linux-gnu/release/hsjoiner $OUT/ -cp fuzz/target/x86_64-unknown-linux-gnu/release/message $OUT/ -if [ "$SANITIZER" != "coverage" ] +for f in $SRC/rustls/fuzz/fuzzers/*.rs +do + FUZZ_TARGET=$(basename ${f%.*}) + cp fuzz/target/x86_64-unknown-linux-gnu/release/${FUZZ_TARGET} $OUT/ +done + +if [ "$SANITIZER" == "coverage" ] then - cp fuzz/target/x86_64-unknown-linux-gnu/release/server $OUT/ - cp fuzz/target/x86_64-unknown-linux-gnu/release/persist $OUT/ + rm $OUT/server + rm $OUT/persist fi diff --git a/projects/sigstore/project.yaml b/projects/sigstore/project.yaml index 331a6b266ccc..e1c9c7756cd4 100644 --- a/projects/sigstore/project.yaml +++ b/projects/sigstore/project.yaml @@ -3,7 +3,7 @@ main_repo: "https://github.com/sigstore/sigstore" primary_contact: "bcallaway@sigstore.dev" auto_ccs: - naveensrinivasan@protonmail.com - - dlorenc@sigstore.dev + - dlorenc@protonmail.com - lhinds@sigstore.dev - hblauzvern@sigstore.dev - asraa@sigstore.dev diff --git a/projects/skia/Dockerfile b/projects/skia/Dockerfile index 9ba30a1176f4..d572fdffa395 100644 --- a/projects/skia/Dockerfile +++ b/projects/skia/Dockerfile @@ -28,6 +28,8 @@ RUN git clone https://skia.googlesource.com/skia.git --depth 1 WORKDIR skia RUN python3 bin/sync +RUN python3 bin/fetch-gn +RUN python3 bin/fetch-ninja # Make a directory for fuzzing artifacts that won't be clobbered by CIFuzz. RUN mkdir $SRC/skia_data diff --git a/projects/skia/build.sh b/projects/skia/build.sh index 8a1bdd9d1428..4b781730c5bd 100644 --- a/projects/skia/build.sh +++ b/projects/skia/build.sh 
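Review bot: The coverage branch removes `$OUT/server` and `$OUT/persist` with a plain `rm`; if upstream renames or drops either fuzz target, the copy loop above never produces the file and the coverage build then fails on the `rm` itself (assuming the script runs with `-e`, its shebang is outside the hunk). `rm -f $OUT/server $OUT/persist` keeps the intent without tying the build to those two names existing. The new loop also assumes every `fuzz/fuzzers/*.rs` file maps to a built binary of the same name; a comment stating that assumption, e.g. `# every .rs in fuzz/fuzzers is a fuzz target; helper modules there would break this copy`, would warn whoever adds a shared module to that directory.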
@@ -46,10 +46,10 @@ else fi # These deprecated warnings get quite noisy and mask other issues. CFLAGS= CXXFLAGS="-stdlib=libc++ -Wno-deprecated-declarations" cmake .. -GNinja \ - -DCMAKE_MAKE_PROGRAM="$SRC/depot_tools/ninja" -D$CMAKE_SANITIZER=1 -DSWIFTSHADER_WARNINGS_AS_ERRORS=FALSE + -DCMAKE_MAKE_PROGRAM="$SRC/skia/third_party/ninja/ninja" -D$CMAKE_SANITIZER=1 -DSWIFTSHADER_WARNINGS_AS_ERRORS=FALSE # Swiftshader only supports Vulkan, so we will build our fuzzers with Vulkan too. -$SRC/depot_tools/ninja libvk_swiftshader.so +$SRC/skia/third_party/ninja/ninja libvk_swiftshader.so mv libvk_swiftshader.so $OUT export SWIFTSHADER_LIB_PATH=$OUT @@ -70,8 +70,6 @@ export CFLAGS_ARR=`echo $CFLAGS | sed -e "s/\s/\",\"/g"` export CXXFLAGS_ARR=`echo $CXXFLAGS | sed -e "s/\s/\",\"/g"` export LDFLAGS_ARR=`echo $LDFLAGS | sed -e "s/\s/\",\"/g"` -$SRC/skia/bin/fetch-gn - # Avoid OOMs on the CI due to lower memory constraints LIMITED_LINK_POOL="link_pool_depth=1" @@ -115,7 +113,7 @@ $SRC/skia/bin/gn gen out/FuzzDebug\ extra_cflags_cc=["-DSK_DEBUG","'"$CXXFLAGS_ARR"'"] extra_ldflags=["'"$LDFLAGS_ARR"'"]' -$SRC/depot_tools/ninja -C out/Fuzz \ +$SRC/skia/third_party/ninja/ninja -C out/Fuzz \ android_codec \ animated_image_decode \ api_create_ddl \ @@ -150,7 +148,8 @@ $SRC/depot_tools/ninja -C out/Fuzz \ textblob_deserialize \ webp_encoder -$SRC/depot_tools/ninja -C out/FuzzDebug \ +$SRC/skia/third_party/ninja/ninja -C out/FuzzDebug \ + cubic_quad_roots \ skmeshspecification \ skruntimeeffect \ sksl2glsl \ @@ -294,3 +293,6 @@ mv out/Fuzz/api_triangulation $OUT/api_triangulation mv out/Fuzz/colrv1 $OUT/colrv1 mv ../skia_data/colrv1_seed_corpus.zip $OUT/colrv1_seed_corpus.zip + +# This just takes 4 floats - no seed corpus necessary +mv out/FuzzDebug/cubic_quad_roots $OUT/cubic_quad_roots diff --git a/projects/skia/project.yaml b/projects/skia/project.yaml index 90283a08b844..bc7b6c6c76de 100644 --- a/projects/skia/project.yaml +++ b/projects/skia/project.yaml 
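Review bot: The path `$SRC/skia/third_party/ninja/ninja` is now spelled out four times across these hunks (cmake `-DCMAKE_MAKE_PROGRAM`, the swiftshader build, and both `-C out/...` invocations); a single `NINJA="$SRC/skia/third_party/ninja/ninja"` near the top with `"$NINJA"` at each call site makes the next relocation a one-line change and keeps the value quoted. The new `cubic_quad_roots` target is built under `out/FuzzDebug` and moved at the end; its comment could say that as well, e.g. `# cubic_quad_roots is a FuzzDebug-only target that takes 4 floats - no seed corpus necessary`, so a reader of the `mv` block knows which build directory to look in.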
@@ -13,6 +13,7 @@ auto_ccs: - "fuzz@skia.org" - "armansito@google.com" - "drott@chromium.org" + - "jvanverth@google.com" vendor_ccs: - "lsalzman@mozilla.com" - "twsmith@mozilla.com" diff --git a/projects/snakeyaml/DefaultYamlFuzzer.java b/projects/snakeyaml/DefaultYamlFuzzer.java index c33240ec7bfb..a27f27ae72d0 100644 --- a/projects/snakeyaml/DefaultYamlFuzzer.java +++ b/projects/snakeyaml/DefaultYamlFuzzer.java @@ -16,6 +16,7 @@ import com.code_intelligence.jazzer.api.FuzzedDataProvider; +import org.yaml.snakeyaml.LoaderOptions; import org.yaml.snakeyaml.Yaml; import org.yaml.snakeyaml.constructor.SafeConstructor; import org.yaml.snakeyaml.error.YAMLException; @@ -23,7 +24,7 @@ public class DefaultYamlFuzzer { public static void fuzzerTestOneInput(FuzzedDataProvider data) { try{ - Yaml yaml = new Yaml(new SafeConstructor()); + Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions())); yaml.load(data.consumeRemainingAsString()); } catch (YAMLException | IllegalArgumentException e){ diff --git a/projects/spirv-tools/Dockerfile b/projects/spirv-tools/Dockerfile index 9ef1e805e987..5fd0d337b79a 100644 --- a/projects/spirv-tools/Dockerfile +++ b/projects/spirv-tools/Dockerfile @@ -16,6 +16,6 @@ FROM gcr.io/oss-fuzz-base/base-builder RUN apt-get update && apt-get install -y make autoconf automake libtool ninja-build -RUN git clone --depth 1 https://github.com/KhronosGroup/SPIRV-Tools.git spirv-tools +RUN git clone --filter=tree:0 https://github.com/KhronosGroup/SPIRV-Tools.git spirv-tools WORKDIR spirv-tools COPY build.sh $SRC/ diff --git a/projects/spring-boot-actuator/SanitizerFuzzer.java b/projects/spring-boot-actuator/SanitizerFuzzer.java index 706dbca03311..0fe8a14e3f56 100644 --- a/projects/spring-boot-actuator/SanitizerFuzzer.java +++ b/projects/spring-boot-actuator/SanitizerFuzzer.java 
@@ -1,5 +1,6 @@
 import com.code_intelligence.jazzer.api.FuzzedDataProvider;
 import com.code_intelligence.jazzer.api.FuzzerSecurityIssueMedium;
+import org.springframework.boot.actuate.endpoint.SanitizableData;
 import org.springframework.boot.actuate.endpoint.Sanitizer;
 public class SanitizerFuzzer {
@@ -12,8 +13,7 @@ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
 }
 Sanitizer sanitizer = new Sanitizer();
- sanitizer.keysToSanitize(key);
- String result = (String) sanitizer.sanitize(key, value);
+ String result = (String) sanitizer.sanitize(new SanitizableData(null, key, value), false);
 if (!result.equals("******")) {
 throw new FuzzerSecurityIssueMedium("Value not sanitized. key: " + key + " value:" + value + " result:" + result);
 }
diff --git a/projects/spring-boot/build.sh b/projects/spring-boot/build.sh
index 143dbea451cc..6086547788c1 100755
--- a/projects/spring-boot/build.sh
+++ b/projects/spring-boot/build.sh
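Review bot: `new Sanitizer()` is built with no sanitizing functions and `sanitize(..., false)` passes `showUnsanitizedValues=false`; if, as I read the Spring Boot 3 API, that path masks every non-null value regardless of key, then the `"******"` check is now always satisfied and the key-matching behaviour the old `keysToSanitize(key)` exercised is no longer tested — please confirm against the `Sanitizer` this target is compiled against. If so, construct the sanitizer with a `SanitizingFunction` that matches `key` (e.g. `new Sanitizer(List.of(d -> d.getKey().equals(key) ? d.withSanitizedValue() : d))`) so a non-masked result can still raise the `FuzzerSecurityIssueMedium`. A null `value` would make `result` null and `result.equals` throw an NPE; the guard lines at the top of `fuzzerTestOneInput` are outside this hunk, so I cannot see whether that case is excluded.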
@@ -31,7 +31,7 @@ CURRENT_VERSION=$(./gradlew properties --no-daemon --console=plain | sed -nr "s/
 cp "spring-boot-project/spring-boot/build/libs/spring-boot-$CURRENT_VERSION.jar" "$OUT/spring-boot.jar"
 cp "spring-boot-project/spring-boot-tools/spring-boot-loader/build/libs/spring-boot-loader-$CURRENT_VERSION.jar" "$OUT/spring-boot-loader.jar"
 cp "spring-boot-project/spring-boot-starters/spring-boot-starter-web/build/libs/spring-boot-starter-web-$CURRENT_VERSION.jar" "$OUT/spring-boot-starter-web.jar"
-cp "spring-boot-project/spring-boot-tools/spring-boot-configuration-processor/build/libs/spring-boot-configuration-processor-3.0.0-SNAPSHOT.jar" "$OUT/spring-boot-configure-processor.jar"
+cp "spring-boot-project/spring-boot-tools/spring-boot-configuration-processor/build/libs/spring-boot-configuration-processor-$CURRENT_VERSION.jar" "$OUT/spring-boot-configure-processor.jar"
 cp "spring-boot-project/spring-boot-actuator-autoconfigure/build/libs/spring-boot-actuator-autoconfigure-$CURRENT_VERSION.jar" "$OUT/spring-boot-actuator-autoconfigure.jar"
 cp "spring-boot-project/spring-boot-autoconfigure/build/libs/spring-boot-autoconfigure-$CURRENT_VERSION.jar" "$OUT/spring-boot-autoconfigure.jar"
diff --git a/projects/spring-cloud-sleuth-brave/Dockerfile b/projects/spring-cloud-sleuth-brave/Dockerfile
new file mode 100644
index 000000000000..0a3b7fc5707e
--- /dev/null
+++ b/projects/spring-cloud-sleuth-brave/Dockerfile
@@ -0,0 +1,27 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+FROM gcr.io/oss-fuzz-base/base-builder-jvm
+RUN apt update && apt install -y openjdk-17-jdk
+RUN git clone --depth 1 https://github.com/google/fuzzing
+RUN git clone --depth 1 https://github.com/spring-cloud/spring-cloud-sleuth.git
+COPY build.sh $SRC/
+COPY *Fuzzer.java $SRC/
+WORKDIR $SRC/spring-cloud-sleuth
\ No newline at end of file
diff --git a/projects/spring-cloud-sleuth-brave/W3CPropagationFuzzer.java b/projects/spring-cloud-sleuth-brave/W3CPropagationFuzzer.java
new file mode 100644
index 000000000000..0ce691fb0d24
--- /dev/null
+++ b/projects/spring-cloud-sleuth-brave/W3CPropagationFuzzer.java
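Review bot: `RUN git clone --depth 1 https://github.com/google/fuzzing` is never referenced by this project's build.sh in the same commit (no dictionary or corpus is taken from `$SRC/fuzzing`), so it only adds an unused clone and network fetch to every image build; drop it or wire in whatever it was meant to supply. `apt` warns that it has no stable CLI for scripts; `RUN apt-get update && apt-get install -y openjdk-17-jdk` is the conventional Dockerfile form. The file also ends without a trailing newline.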
@@ -0,0 +1,40 @@ +// Copyright 2022 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +//////////////////////////////////////////////////////////////////////////////// +package org.springframework.cloud.sleuth.brave.bridge; + +import java.lang.reflect.*; +import com.code_intelligence.jazzer.api.FuzzedDataProvider; + +public class W3CPropagationFuzzer { + static Method extractContextFromTraceParent_Method; + + public static void fuzzerInitialize() { + // expose a private method "extractContextFromTraceParent" of the class W3CPropagation + try { + extractContextFromTraceParent_Method = W3CPropagation.class.getDeclaredMethod("extractContextFromTraceParent", String.class); + extractContextFromTraceParent_Method.setAccessible(true); + } catch (NoSuchMethodException e) { + } catch (ExceptionInInitializerError e) {} + } + + public static void fuzzerTestOneInput(FuzzedDataProvider data) { + String content = data.consumeRemainingAsString(); + try { + extractContextFromTraceParent_Method.invoke(W3CPropagation.class, content); + } catch (IllegalAccessException e) { + } catch (InvocationTargetException e) {} + } +} diff --git a/projects/spring-cloud-sleuth-brave/build.sh b/projects/spring-cloud-sleuth-brave/build.sh new file mode 100755 index 000000000000..415dde6cc46d --- /dev/null +++ b/projects/spring-cloud-sleuth-brave/build.sh 
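Review bot: `catch (InvocationTargetException e) {}` swallows every exception the private `extractContextFromTraceParent` throws, so a parsing bug on a malformed traceparent (index or number-format errors, say) never reaches Jazzer and the target cannot report anything; unwrap the cause and rethrow it, narrowing only to whatever exception the method is documented to throw for bad input, which is not visible here. `catch (NoSuchMethodException e) {}` in `fuzzerInitialize` leaves the `Method` null, so every later `invoke` fails with a NullPointerException whose trace points at the fuzzer rather than at the missing method; fail fast with an `IllegalStateException` instead. `invoke(W3CPropagation.class, content)` passes the class as receiver, which is ignored for a static method, so `null` states the intent more plainly. Rewritten methods:
```java
public static void fuzzerInitialize() {
    try {
        extractContextFromTraceParent_Method = W3CPropagation.class.getDeclaredMethod("extractContextFromTraceParent", String.class);
        extractContextFromTraceParent_Method.setAccessible(true);
    } catch (NoSuchMethodException e) {
        // Fail at startup rather than NPE on every input with a misleading trace.
        throw new IllegalStateException("W3CPropagation.extractContextFromTraceParent not found", e);
    }
}

public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    String content = data.consumeRemainingAsString();
    try {
        extractContextFromTraceParent_Method.invoke(null, content);
    } catch (IllegalAccessException e) {
        throw new IllegalStateException(e);
    } catch (InvocationTargetException e) {
        // Surface bugs in the target instead of hiding every exception it throws;
        // narrow this to the exception documented for malformed input, if any.
        Throwable cause = e.getCause();
        if (cause instanceof RuntimeException) {
            throw (RuntimeException) cause;
        }
        if (cause instanceof Error) {
            throw (Error) cause;
        }
    }
}
```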
@@ -0,0 +1,70 @@ +#!/bin/bash -eu +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +MVNW=./mvnw + +sed -i "s/1.6<\/java.version>/1.7<\/java.version>/g" pom.xml + +export JAVA_HOME="$OUT/open-jdk-17" +mkdir -p $JAVA_HOME +rsync -aL --exclude=*.zip "/usr/lib/jvm/java-17-openjdk-amd64/" "$JAVA_HOME" + +JVM_LD_LIBRARY_PATH="${JAVA_HOME}/lib/server" + +MAVEN_ARGS="-Dmaven.test.skip=true -Dmaven.repo.local=$WORK/m2" + +# comment out logging from W3CPropagation.java +sed -i "s|logger\.info|\/\/logger\.info|g" spring-cloud-sleuth-brave/src/main/java/org/springframework/cloud/sleuth/brave/bridge/W3CPropagation.java + +# Build the target jar. +${MVNW} clean package org.apache.maven.plugins:maven-shade-plugin:3.2.4:shade $MAVEN_ARGS + +# Is this some old maven version that used to be more verbose? It prints too much, but we only need the last line of the output containing the version +CURRENT_VERSION=$(${MVNW} -Dexec.executable="echo" -Dexec.args='${project.version}' --non-recursive exec:exec -q -DforceStdout | tail -1) + +cp "spring-cloud-sleuth-brave/target/spring-cloud-sleuth-brave-$CURRENT_VERSION.jar" $OUT/spring-sleuth-brave.jar + +# The jar files containing the project (separated by spaces). +PROJECT_JARS=spring-sleuth-brave.jar + +# Get the fuzzer dependencies (gson). 
+${MVNW} dependency:copy -Dartifact=com.google.code.gson:gson:2.8.6 -DoutputDirectory=$OUT/ + +# The jar files containing further dependencies of the fuzz targets (separated +# by spaces). +FUZZER_JARS=gson-2.8.6.jar +ALL_JARS="$PROJECT_JARS $FUZZER_JARS" +BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH +RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):.:\$this_dir +mkdir -p $OUT/org/springframework/cloud/sleuth/brave/bridge +for fuzzer in $(find $SRC -name '*Fuzzer.java'); do + fuzzer_basename=$(basename -s .java $fuzzer) + javac -cp $BUILD_CLASSPATH --release 15 $fuzzer + cp $SRC/$fuzzer_basename.class $OUT/org/springframework/cloud/sleuth/brave/bridge/ + + # Create execution wrapper. + echo "#!/bin/sh +# LLVMFuzzerTestOneInput for fuzzer detection. +this_dir=\$(dirname \"\$0\") +JAVA_HOME=\"\$this_dir/open-jdk-17/\" \ +LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \ +\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \ +--cp=$RUNTIME_CLASSPATH \ +--target_class=org.springframework.cloud.sleuth.brave.bridge.$fuzzer_basename \ +--jvm_args=\"-Xmx2048m\" \ +\$@" > $OUT/$fuzzer_basename + chmod +x $OUT/$fuzzer_basename +done diff --git a/projects/spring-cloud-sleuth-brave/project.yaml b/projects/spring-cloud-sleuth-brave/project.yaml new file mode 100644 index 000000000000..09d73b56af1c --- /dev/null +++ b/projects/spring-cloud-sleuth-brave/project.yaml @@ -0,0 +1,16 @@ +homepage: "https://spring.io/projects/spring-cloud-sleuth" +language: jvm +main_repo: "https://github.com/spring-cloud/spring-cloud-sleuth" +primary_contact: "" +fuzzing_engines: + - libfuzzer +sanitizers: + - address +vendor_ccs: + - "wagner@code-intelligence.com" + - "yakdan@code-intelligence.com" + - "glendowne@code-intelligence.com" + - "patrice.salathe@code-intelligence.com" + - "hlin@code-intelligence.com" + - "jacek.trossen@code-intelligence.com" + - "peter.samarin@code-intelligence.com" 
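Review bot: The wrapper hardcodes `LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\"`, which expands at build time to the absolute `$OUT/open-jdk-17/lib/server`, while `JAVA_HOME` on the line above is resolved relative to `\$this_dir`; if the fuzzer directory is relocated (local reproduction, a different runner mount) libjvm is not found even though the JDK was copied alongside. Use `LD_LIBRARY_PATH=\"\$this_dir/open-jdk-17/lib/server\":\$this_dir \` in the wrapper and the absolute `JVM_LD_LIBRARY_PATH` variable becomes unnecessary. `find $SRC -name '*Fuzzer.java'` will also match files nested in the cloned repositories, but `cp $SRC/$fuzzer_basename.class` assumes the source sits directly in `$SRC`; `find $SRC -maxdepth 1 -name '*Fuzzer.java'` matches the copy step. The `sed` that comments out `logger.info` modifies the code under test, so a comment stating why (log volume, I assume) belongs next to it.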
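Review bot: `primary_contact: ""` leaves the project with no upstream maintainer to receive findings, so only the `vendor_ccs` addresses at code-intelligence.com are notified of bugs in spring-cloud-sleuth. OSS-Fuzz disclosure assumes a maintainer contact, so either fill in an upstream address or document that the upstream project agreed to this setup. Also confirm the project.yaml presubmit check accepts an empty string here rather than rejecting the file.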
diff --git a/projects/spring-framework/add-shadow-oxm.diff b/projects/spring-framework/add-shadow-oxm.diff new file mode 100644 index 000000000000..0fb18da4956a --- /dev/null +++ b/projects/spring-framework/add-shadow-oxm.diff @@ -0,0 +1,20 @@ +--- a/spring-oxm/spring-oxm.gradle ++++ b/spring-oxm/spring-oxm.gradle +@@ -2,6 +2,8 @@ plugins { + id "org.unbroken-dome.xjc" + } + ++apply plugin: "com.github.johnrengelman.shadow" ++ + description = "Spring Object/XML Marshalling" + + xjc { +@@ -19,7 +21,7 @@ dependencies { + api(project(":spring-core")) + optional("jakarta.xml.bind:jakarta.xml.bind-api") + optional("jakarta.activation:jakarta.activation-api") +- optional("com.thoughtworks.xstream:xstream") ++ implementation("com.thoughtworks.xstream:xstream") + testImplementation(project(":spring-context")) + testImplementation(testFixtures(project(":spring-core"))) + testImplementation("org.codehaus.jettison:jettison") { diff --git a/projects/spring-framework/build.sh b/projects/spring-framework/build.sh index f2fe802edf45..c486331580d1 100755 --- a/projects/spring-framework/build.sh +++ b/projects/spring-framework/build.sh 
@@ -33,18 +33,19 @@ function install_shadowJar {
 fi
 }
-install_shadowJar spring-context;
-install_shadowJar spring-core;
-install_shadowJar spring-jdbc;
-install_shadowJar spring-orm;
-install_shadowJar spring-web;
-install_shadowJar spring-webmvc;
-install_shadowJar spring-test;
-install_shadowJar spring-tx;
-install_shadowJar spring-messaging;
-install_shadowJar spring-jms;
-install_shadowJar spring-webflux;
-install_shadowJar spring-websocket;
+install_shadowJar spring-context
+install_shadowJar spring-core
+install_shadowJar spring-jdbc
+install_shadowJar spring-orm
+install_shadowJar spring-web
+install_shadowJar spring-webmvc
+install_shadowJar spring-test
+install_shadowJar spring-tx
+install_shadowJar spring-messaging
+install_shadowJar spring-jms
+install_shadowJar spring-webflux
+install_shadowJar spring-websocket
+install_shadowJar spring-oxm
 ALL_JARS=$(find $OUT -name "spring*.jar" -printf "%f ")
@@ -102,6 +103,7 @@ create_fuzz_targets spring-jdbc
 create_fuzz_targets spring-messaging
 create_fuzz_targets spring-jms
 create_fuzz_targets spring-webflux
-create_fuzz_targets spring-websocket "\$this_dir/spring-websocket.jar:\$this_dir" # Overwrite class path to avoid logging to stdout
+create_fuzz_targets spring-oxm
+create_fuzz_targets spring-websocket "\$this_dir/spring-websocket.jar:\$this_dir"; # Overwrite class path to avoid logging to stdout
 cp $SRC/spring-jdbc/*.xml $OUT/spring-jdbc/
diff --git a/projects/spring-framework/spring-oxm/XStreamMarshallerFuzzer.java b/projects/spring-framework/spring-oxm/XStreamMarshallerFuzzer.java
new file mode 100644
index 000000000000..9380b5f1149b
--- /dev/null
+++ b/projects/spring-framework/spring-oxm/XStreamMarshallerFuzzer.java
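Review bot: The first hunk strips the trailing `;` from every `install_shadowJar` call, but the second hunk adds one to the `create_fuzz_targets spring-websocket "...";` line, reversing the same cleanup within one commit and making that line differ from its neighbours. Drop it: `create_fuzz_targets spring-websocket "\$this_dir/spring-websocket.jar:\$this_dir" # Overwrite class path to avoid logging to stdout`. Since `spring-oxm` only produces a shadow jar because of the `add-shadow-oxm.diff` added in this commit, a comment next to `install_shadowJar spring-oxm` pointing at that patch would save the next reader a search.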
@@ -0,0 +1,101 @@ +// Copyright 2023 Google LLC +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +import com.code_intelligence.jazzer.api.FuzzedDataProvider; +import com.thoughtworks.xstream.XStreamException; +import com.thoughtworks.xstream.io.StreamException; +import org.junit.platform.commons.logging.LoggerFactory; +import org.springframework.oxm.xstream.XStreamMarshaller; + +import javax.xml.transform.stream.StreamResult; +import javax.xml.transform.stream.StreamSource; +import java.io.*; +import java.util.*; + +public class XStreamMarshallerFuzzer { + public static Class[] classes = { DummyClass.class, Integer.class, String.class, Byte.class, List.class, Map.class, + TreeMap.class, BitSet.class, TimeZone.class, Date.class, Calendar.class, Locale.class }; + + private static final PrintStream noopStream = new PrintStream(new OutputStream() { + @Override + public void write(int b) {} + }); + + public static void fuzzerInitialize() { + System.setErr(noopStream); + System.setOut(noopStream); + } + + public static void fuzzerTestOneInput(FuzzedDataProvider data) { + XStreamMarshaller marshaller = new XStreamMarshaller(); + + HashMap aliases = new HashMap<>(); + for (int i = 0; i < data.consumeInt(0, 100); i++) { + aliases.put(data.consumeString(100), data.pickValue(classes)); + } + + if (data.consumeBoolean()) { + marshaller.setAliases(aliases); + } + + if (data.consumeBoolean()) { + marshaller.supports(data.pickValue(classes)); + } + + if 
(data.consumeBoolean()) { + marshaller.setEncoding(data.consumeString(100)); + } + + byte[] buffer = data.consumeBytes(1000); + Writer writer = new StringWriter(); + Reader reader = new StringReader(writer.toString()); + + // Marshal & unmarshal + try { + marshaller.marshal(buffer, new StreamResult(writer)); + marshaller.unmarshal(new StreamSource(reader)); + } catch (IOException | StreamException e) {} + } + + public static class DummyClass { + public TreeMap _treeMap; + public List _arrayList; + public Set _hashSet; + public Map _hashMap; + public List _asList = Arrays.asList(1, 2, 3); + public int[] _intArray; + public long[] _longArray; + public short[] _shortArray; + public float[] _floatArray; + public double[] _doubleArray; + public byte[] _byteArray; + public char[] _charArray; + public String[] _stringArray; + public BitSet _bitSet; + public Date _date; + public TimeZone _timeZone; + public Calendar _calendar; + public Locale _locale; + public Integer[] _integerArray; + public boolean _boolean; + public char _char; + public byte _byte; + public short _short; + public int _int; + public float _float; + + public void foo(String dummy) {} + } +} \ No newline at end of file diff --git a/projects/suricata/build.sh b/projects/suricata/build.sh index 6d0b51063e0b..556e900e09ab 100755 --- a/projects/suricata/build.sh +++ b/projects/suricata/build.sh @@ -25,6 +25,9 @@ then make -j$(nproc) all make -j$(nproc) install ) + # Temporary workaround for https://github.com/rust-lang/rust/issues/107149 + # until oss-fuzz clang is up to rustc clang (15.0.6). + export RUSTFLAGS="$RUSTFLAGS -Zsanitizer-memory-track-origins -Cllvm-args=-msan-eager-checks=0" fi ( 
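Review bot: `Reader reader = new StringReader(writer.toString())` is constructed before `marshaller.marshal(...)` has written anything into `writer`, so `unmarshal` always parses an empty string and the round-trip half of this target is dead. Create the reader after marshalling: `marshaller.marshal(buffer, new StreamResult(writer));` followed by `marshaller.unmarshal(new StreamSource(new StringReader(writer.toString())));`. Since XStream deserialisation of attacker-controlled XML is the real security surface of this marshaller, a second path that unmarshals `data.consumeRemainingAsString()` directly, with `marshaller.setSupportedClasses(classes)` so only the expected types are permitted and anything other than an `XStreamException` treated as a finding, would be more valuable than the round trip. `import org.junit.platform.commons.logging.LoggerFactory;` is unused and drags a test-framework class into the fuzzer's classpath, and `data.consumeInt(0, 100)` in the `for` condition re-reads the bound on every iteration — hoist it into a local.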
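Review bot: `export RUSTFLAGS="$RUSTFLAGS -Zsanitizer-memory-track-origins -Cllvm-args=-msan-eager-checks=0"` expands `RUSTFLAGS` unconditionally; if this script runs with `set -u` (OSS-Fuzz build scripts usually start with `#!/bin/bash -eu`, the shebang is outside this hunk) and the base image does not pre-set the variable for this configuration, the expansion aborts the build. `export RUSTFLAGS="${RUSTFLAGS:-} -Zsanitizer-memory-track-origins -Cllvm-args=-msan-eager-checks=0"` is safe either way. The enclosing `if` starts outside the hunk, so the sanitizer condition guarding this block is not visible; the comment could also note that `-Z` flags require a nightly toolchain, so the workaround silently stops applying if the image ever switches to stable.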
@@ -99,7 +102,7 @@ sh autogen.sh ./src/tests/fuzz/oss-fuzz-configure.sh make -j$(nproc) -./src/suricata --list-app-layer-protos | tail -n +2 | while read i; do cp src/fuzz_applayerparserparse $OUT/fuzz_applayerparserparse_$i$branch; done +./src/suricata --list-app-layer-protos | tail -n +2 | while read i; do cp src/fuzz_applayerparserparse $OUT/fuzz_applayerparserparse"$branch"_$i; done ( cd src @@ -108,7 +111,7 @@ ls fuzz_* | while read i; do cp $i $OUT/$i$branch; done # dictionaries ./src/suricata --list-keywords | grep "\- " | sed 's/- //' | awk '{print "\""$0"\""}' > $OUT/fuzz_siginit$branch.dict -echo \"SMB\" > $OUT/fuzz_applayerparserparse_smb$branch.dict +echo \"SMB\" > $OUT/fuzz_applayerparserparse"$branch"_smb.dict echo "\"FPC0\"" > $OUT/fuzz_sigpcap_aware$branch.dict echo "\"FPC0\"" > $OUT/fuzz_predefpcap_aware$branch.dict diff --git a/projects/tensorflow/build.sh b/projects/tensorflow/build.sh index 8c30235c09d1..8ef9165c58fe 100755 --- a/projects/tensorflow/build.sh +++ b/projects/tensorflow/build.sh @@ -95,6 +95,9 @@ else export FUZZTEST_EXTRA_ARGS="${FUZZTEST_EXTRA_ARGS} --local_ram_resources=HOST_RAM*1.0 --local_cpu_resources=HOST_CPUS*.5 --strip=never" fi +# Do not sync bazel-out to /out/ for coverage builds, as this is done +# at the end of this script instead. +export FUZZTEST_DO_SYNC="no" compile_fuzztests.sh # In the CI we bail out after having compiled the first set of fuzzers. This is 
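Review bot: `export FUZZTEST_DO_SYNC="no"` is placed after the `fi`, so it applies to every build, while the comment above it reads `# Do not sync bazel-out to /out/ for coverage builds`; either the comment should say the sync is disabled unconditionally, or the export belongs inside the coverage branch (the `if`/`else` it follows starts outside this hunk, so I cannot tell which was intended). If the former, `# Never let compile_fuzztests.sh sync bazel-out to $OUT; the coverage build syncs the sources it needs itself at the end of this script.` states it. `FUZZTEST_DO_SYNC` is consumed by `compile_fuzztests.sh`, which is not in this diff, so naming where it is read would help.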
@@ -182,13 +185,18 @@ then declare -r REMAP_PATH=${OUT}/proc/self/cwd/ mkdir -p ${REMAP_PATH} + # Synchronize the folder bazel-BAZEL_OUT_PROJECT. + declare -r RSYNC_FILTER_ARGS=("--include" "*.h" "--include" "*.cc" "--include" \ + "*.hpp" "--include" "*.cpp" "--include" "*.c" "--include" "*/" "--include" "*.inc" \ + "--exclude" "*") + # Sync existing code. - ${RSYNC_CMD} tensorflow/ ${REMAP_PATH} + ${RSYNC_CMD} "${RSYNC_FILTER_ARGS[@]}" tensorflow/ ${REMAP_PATH} # Sync generated proto files. - ${RSYNC_CMD} ./bazel-out/k8-opt/bin/tensorflow/ ${REMAP_PATH} - ${RSYNC_CMD} ./bazel-out/k8-opt/bin/external/ ${REMAP_PATH} - ${RSYNC_CMD} ./bazel-out/k8-opt/bin/third_party/ ${REMAP_PATH} + ${RSYNC_CMD} "${RSYNC_FILTER_ARGS[@]}" ./bazel-out/k8-opt/bin/tensorflow/ ${REMAP_PATH} + ${RSYNC_CMD} "${RSYNC_FILTER_ARGS[@]}" ./bazel-out/k8-opt/bin/external/ ${REMAP_PATH} + ${RSYNC_CMD} "${RSYNC_FILTER_ARGS[@]}" ./bazel-out/k8-opt/bin/third_party/ ${REMAP_PATH} # Sync external dependencies. We don't need to include `bazel-tensorflow`. # Also, remove `external/org_tensorflow` which is a copy of the entire source diff --git a/projects/tensorflow/fuzz_patch.patch b/projects/tensorflow/fuzz_patch.patch index b89164cdf5b7..cba32a7647ee 100644 --- a/projects/tensorflow/fuzz_patch.patch +++ b/projects/tensorflow/fuzz_patch.patch @@ -1,35 +1,31 @@ diff --git a/tensorflow/security/fuzzing/cc/BUILD b/tensorflow/security/fuzzing/cc/BUILD -index 8f49e6503d0..d10a688b6d8 100644 +index c32a54ab..621d6f8c 100644 --- a/tensorflow/security/fuzzing/cc/BUILD 
+++ b/tensorflow/security/fuzzing/cc/BUILD -@@ -17,12 +17,11 @@ package( - tf_cc_test( +@@ -8,19 +8,24 @@ load( + "//tensorflow/security/fuzzing:tf_fuzzing.bzl", + "tf_cc_fuzz_test", + ) ++load( ++ "//tensorflow:tensorflow.bzl", ++ "tf_cc_test", ++) + + package( + # copybara:uncomment default_applicable_licenses = ["//tensorflow:license"], + licenses = ["notice"], + ) + +-tf_cc_fuzz_test( ++tf_cc_test( name = "status_fuzz", srcs = ["status_fuzz.cc"], - tags = ["no_oss"], deps = [ - ":fuzz_helpers", + ":fuzz_domains", "//tensorflow/core/platform:status", - "@com_google_fuzztest//fuzztest", -- "@com_google_googletest//:gtest_main", -+ "@com_google_fuzztest//fuzztest:fuzztest_gtest_main", ++ "@com_google_fuzztest//fuzztest", ++ "@com_google_fuzztest//fuzztest:fuzztest_gtest_main", ], ) -diff --git a/tensorflow/workspace2.bzl b/tensorflow/workspace2.bzl -index 0236c258bf5..55e4b394a63 100644 ---- a/tensorflow/workspace2.bzl -+++ b/tensorflow/workspace2.bzl -@@ -479,9 +479,9 @@ def _tf_repositories(): - - tf_http_archive( - name = "com_google_fuzztest", -- sha256 = "3fe79ede8e860ba7331987b2c1f84d3eeaf5bea00fd76398d6ff0006635586c6", -- strip_prefix = "fuzztest-6d79ceb1dc2398e02a39efc23ce40d68baa16a42", -- urls = tf_mirror_urls("https://github.com/google/fuzztest/archive/6d79ceb1dc2398e02a39efc23ce40d68baa16a42.zip"), -+ sha256 = "0867fae7dce74a62d92b0811b0f735e35f9ea3ba8426a3cb7958ff7b158bed53", -+ strip_prefix = "fuzztest-0fdfd1aa286054cbf42bbf93006404caa2b827b8", -+ urls = tf_mirror_urls("https://github.com/google/fuzztest/archive/0fdfd1aa286054cbf42bbf93006404caa2b827b8.zip"), - ) - - tf_http_archive( diff --git a/projects/tinycss2/Dockerfile b/projects/tinycss2/Dockerfile new file mode 100644 index 000000000000..d3c771bc2083 --- /dev/null +++ b/projects/tinycss2/Dockerfile 
@@ -0,0 +1,18 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM gcr.io/oss-fuzz-base/base-builder-python +RUN git clone https://github.com/Kozea/tinycss2/ tinycss2 +COPY *.sh *py $SRC/ +WORKDIR $SRC/tinycss2 diff --git a/projects/tinycss2/build.sh b/projects/tinycss2/build.sh new file mode 100644 index 000000000000..0f26fbc3c229 --- /dev/null +++ b/projects/tinycss2/build.sh @@ -0,0 +1,22 @@ +#!/bin/bash -eu +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +pip3 install . + +# Build fuzzers in $OUT. +for fuzzer in $(find $SRC -name 'fuzz_*.py'); do + compile_python_fuzzer $fuzzer +done diff --git a/projects/tinycss2/fuzz_parse.py b/projects/tinycss2/fuzz_parse.py new file mode 100644 index 000000000000..e356376202ff --- /dev/null +++ b/projects/tinycss2/fuzz_parse.py 
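Review bot: The first line `#!/usr/bin/python3` is a Python shebang pasted into a Dockerfile; Docker treats it as a comment, but it misleads readers and file-type tooling, and the same line appears in the tomlkit Dockerfile added in this commit. Delete it so the file starts with `# Copyright 2023 Google LLC`. `RUN git clone https://github.com/Kozea/tinycss2/ tinycss2` is a full-history clone where sibling projects use `--depth 1`; fine if intentional, otherwise add the flag.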
@@ -0,0 +1,35 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +import sys +import atheris +import tinycss2 + + +def TestOneInput(data): + fdp = atheris.FuzzedDataProvider(data) + + tinycss2.parse_component_value_list( + fdp.ConsumeUnicodeNoSurrogates(sys.maxsize) + ) + + +def main(): + atheris.instrument_all() + atheris.Setup(sys.argv, TestOneInput) + atheris.Fuzz() + + +if __name__ == "__main__": + main() diff --git a/projects/tinycss2/project.yaml b/projects/tinycss2/project.yaml new file mode 100644 index 000000000000..48bfc0652e52 --- /dev/null +++ b/projects/tinycss2/project.yaml @@ -0,0 +1,10 @@ +homepage: https://github.com/Kozea/tinycss2/ +main_repo: https://github.com/Kozea/tinycss2/ +language: python +fuzzing_engines: +- libfuzzer +sanitizers: +- address +- undefined +vendor_ccs: +- david@adalogics.com diff --git a/projects/tinyusb/build.sh b/projects/tinyusb/build.sh index 93f0945735d5..ccb910507801 100755 --- a/projects/tinyusb/build.sh +++ b/projects/tinyusb/build.sh @@ -22,5 +22,9 @@ do make -C $h get-deps make -C $h all cp $h/_build/$(basename $h) $OUT/ + corpus=$h/$(basename $h)_seed_corpus.zip + if test -f $corpus; then + cp $corpus $OUT/ + fi done diff --git a/projects/tinyusb/project.yaml b/projects/tinyusb/project.yaml index 73386bf8d416..9768f86959aa 100644 --- a/projects/tinyusb/project.yaml +++ b/projects/tinyusb/project.yaml 
@@ -5,7 +5,18 @@ main_repo: "https://github.com/hathach/tinyusb.git" primary_contact: "tinyusb.org@gmail.com" auto_ccs: - "nathaniel.brough@gmail.com" + sanitizers: - address - undefined - memory + +fuzzing_engines: + - libfuzzer + - afl + - honggfuzz + - centipede + +architectures: +- x86_64 +- aarch64 diff --git a/projects/tinyxml2/build.sh b/projects/tinyxml2/build.sh index 0c43f40ce282..a3b4272a631d 100644 --- a/projects/tinyxml2/build.sh +++ b/projects/tinyxml2/build.sh @@ -14,6 +14,10 @@ # limitations under the License. # ################################################################################ + +# Make sure OSS-Fuzz's CXXFLAGS are propagated into the build +sed -i 's/CXXFLAGS =/#CXXFLAGS/g' Makefile + make -j$(nproc) clean make -j$(nproc) all diff --git a/projects/tomlkit/Dockerfile b/projects/tomlkit/Dockerfile new file mode 100644 index 000000000000..13af5f23c7ac --- /dev/null +++ b/projects/tomlkit/Dockerfile @@ -0,0 +1,18 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +FROM gcr.io/oss-fuzz-base/base-builder-python +RUN git clone https://github.com/sdispater/tomlkit tomlkit +COPY *.sh *py $SRC/ +WORKDIR $SRC/tomlkit diff --git a/projects/tomlkit/build.sh b/projects/tomlkit/build.sh new file mode 100644 index 000000000000..0f26fbc3c229 --- /dev/null +++ b/projects/tomlkit/build.sh 
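Review bot: `sed -i 's/CXXFLAGS =/#CXXFLAGS/g' Makefile` patches the project's Makefile, which drops whatever flags upstream assigned there (not visible here) and silently matches nothing if the assignment is spelled `CXXFLAGS=` or `CXXFLAGS :=`, in which case the sanitizer flags are still not propagated and nothing fails at this line. A command-line variable overrides a Makefile assignment without editing the file: `make -j$(nproc) CXXFLAGS="$CXXFLAGS" all`. If upstream's own flags are needed, append them to `$CXXFLAGS` in that override rather than losing them.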
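Review bot: The first line `#!/usr/bin/python3` is a Python shebang pasted into a Dockerfile; it is harmless to Docker but misleading, and the tinycss2 Dockerfile in this commit carries the same residue. Delete it so the file starts with `# Copyright 2023 Google LLC`. `RUN git clone https://github.com/sdispater/tomlkit tomlkit` omits the `--depth 1` sibling projects use; add it unless full history is needed.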
@@ -0,0 +1,22 @@ +#!/bin/bash -eu +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +pip3 install . + +# Build fuzzers in $OUT. +for fuzzer in $(find $SRC -name 'fuzz_*.py'); do + compile_python_fuzzer $fuzzer +done diff --git a/projects/tomlkit/fuzz_parser.py b/projects/tomlkit/fuzz_parser.py new file mode 100644 index 000000000000..53ed3d370655 --- /dev/null +++ b/projects/tomlkit/fuzz_parser.py 
@@ -0,0 +1,40 @@ +#!/usr/bin/python3 +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +import sys +import atheris +import tomlkit + + +def TestOneInput(data): + fdp = atheris.FuzzedDataProvider(data) + parser = tomlkit.parser.Parser(fdp.ConsumeUnicodeNoSurrogates(sys.maxsize)) + try: + parser.parse() + except ( + tomlkit.exceptions.TOMLKitError, + RecursionError + ): + # Recursion errors are not interesting + pass + + +def main(): + atheris.instrument_all() + atheris.Setup(sys.argv, TestOneInput) + atheris.Fuzz() + + +if __name__ == "__main__": + main() diff --git a/projects/tomlkit/project.yaml b/projects/tomlkit/project.yaml new file mode 100644 index 000000000000..8c48a298fa85 --- /dev/null +++ b/projects/tomlkit/project.yaml @@ -0,0 +1,10 @@ +homepage: https://github.com/sdispater/tomlkit +main_repo: https://github.com/sdispater/tomlkit +language: python +fuzzing_engines: +- libfuzzer +sanitizers: +- address +- undefined +vendor_ccs: +- david@adalogics.com diff --git a/projects/trafficserver/fuzzer/FuzzEsi.cc b/projects/trafficserver/fuzzer/FuzzEsi.cc index 9b00500b76b8..4a91abd4f6ce 100644 --- a/projects/trafficserver/fuzzer/FuzzEsi.cc +++ b/projects/trafficserver/fuzzer/FuzzEsi.cc @@ -15,6 +15,7 @@ limitations under the License. #include #include "EsiParser.h" +#include "Utils.h" using std::string; using namespace EsiLib; 
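Review bot: `tomlkit.parser.Parser` and `tomlkit.exceptions.TOMLKitError` are reached through the top-level `import tomlkit`, which only works as long as the package's `__init__` happens to import those submodules; `from tomlkit.parser import Parser` and `from tomlkit.exceptions import TOMLKitError` make the dependency explicit and survive a package refactor. Suppressing `RecursionError` under `# Recursion errors are not interesting` hides a stack-exhaustion denial of service on deeply nested input, which is a real finding for a parser of untrusted TOML; if it is suppressed by agreement with upstream, say so in the comment, otherwise let it surface. I cannot tell from the hunk whether the parser recurses, so this is a question for the maintainers rather than a defect.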
@@ -42,6 +43,7 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
 return 0;
 }
+ Utils::init(&Debug, &Error);
 EsiParser parser("parser_test", &Debug, &Error);
 bool ret;
diff --git a/projects/typescript-example/Dockerfile b/projects/typescript-example/Dockerfile
new file mode 100644
index 000000000000..41c64d1cbb22
--- /dev/null
+++ b/projects/typescript-example/Dockerfile
@@ -0,0 +1,30 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-javascript
+
+COPY build.sh $SRC/
+
+# For real projects, you would clone your repo in the next step.
+RUN mkdir -p $SRC/example
+
+# Ideally, you have already configured fuzz tests in your repo so that they
+# run (in Jazzer.js regression mode) as part of unit testing. Keeping the fuzz
+# tests in sync with the source code ensures that they are adjusted continue
+# to work after code changes. Here, we copy them into the example project directory.
+COPY fuzz_explore_me.ts target.ts package.json tsconfig.json $SRC/example/
+
+WORKDIR $SRC/example
diff --git a/projects/typescript-example/build.sh b/projects/typescript-example/build.sh
new file mode 100755
index 000000000000..c1b364125ab1
--- /dev/null
+++ b/projects/typescript-example/build.sh
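Review bot: `Utils::init(&Debug, &Error)` now runs on every input, because it sits inside LLVMFuzzerTestOneInput, whose body starts and ends outside this hunk; if it installs process-wide debug/error callbacks once, a `static bool initialized` guard around the call or moving it to `LLVMFuzzerInitialize` would avoid re-registering per iteration and keep setup cost out of the fuzzing loop. What `Utils::init` actually does is not visible from `Utils.h` here, so this is worth confirming against that header before changing it.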
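Review bot: The comment above the second `COPY` reads `ensures that they are adjusted continue to work after code changes`, which is missing a word; `ensures that they are adjusted and continue to work after code changes` reads as intended.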
@@ -0,0 +1,29 @@
+#!/bin/bash -eu
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Install dependencies.
+npm install
+
+# Install Jazzer.js before building the code since use the fuzzed data provider
+# in the fuzz test
+npm install --save-dev @jazzer.js/core
+
+# Compile TypeScript code.
+npm run build
+
+# Build Fuzzers.
+compile_javascript_fuzzer example dist/fuzz_explore_me.js --sync
diff --git a/projects/typescript-example/fuzz_explore_me.ts b/projects/typescript-example/fuzz_explore_me.ts
new file mode 100644
index 000000000000..6aa468dcdaa4
--- /dev/null
+++ b/projects/typescript-example/fuzz_explore_me.ts
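Review bot: `npm install --save-dev @jazzer.js/core` resolves to whatever the registry serves at build time, with no version pin, no lockfile and no `npm ci`, so the fuzzer build is not reproducible and a bad or hijacked release of that package would flow straight into the build image; pinning it (`npm install --save-dev @jazzer.js/core@<PINNED_VERSION>`, placeholder) or committing a `package-lock.json` and switching both installs to `npm ci` fixes this. The same applies to the caret ranges `^18.11.18` and `^4.7.4` in `package.json` on the next hunk, which let `@types/node` and `typescript` drift on every image rebuild. The comment `since use the fuzzed data provider` is also missing a word — `since we use the fuzzed data provider`.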
@@ -0,0 +1,27 @@
+// Copyright 2023 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+///////////////////////////////////////////////////////////////////////////////
+
+import { FuzzedDataProvider } from "@jazzer.js/core"
+import { exploreMe } from "./target";
+
+export function fuzz(data: Buffer) {
+ const fdp = new FuzzedDataProvider(data)
+ exploreMe(
+ fdp.consumeIntegral(4),
+ fdp.consumeIntegral(4),
+ fdp.consumeRemainingAsString()
+ )
+}
diff --git a/projects/typescript-example/package.json b/projects/typescript-example/package.json
new file mode 100644
index 000000000000..6299588a6b73
--- /dev/null
+++ b/projects/typescript-example/package.json
@@ -0,0 +1,12 @@
+{
+ "name": "jazzerjs-typescript-example",
+ "version": "1.0.0",
+ "description": "An example how to fuzz TypeScript projects with Jazzer.js",
+ "scripts": {
+ "build": "tsc"
+ },
+ "devDependencies": {
+ "@types/node": "^18.11.18",
+ "typescript": "^4.7.4"
+ }
+}
diff --git a/projects/typescript-example/project.yaml b/projects/typescript-example/project.yaml
new file mode 100644
index 000000000000..521c0030aacd
--- /dev/null
+++ b/projects/typescript-example/project.yaml
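Review bot: The file is inconsistent about semicolons — `import { FuzzedDataProvider } from "@jazzer.js/core"` and `const fdp = new FuzzedDataProvider(data)` have none while the second import has one; it compiles under `"strict": true`, but since this is the template people copy, picking one convention (adding `;` to those two statements) keeps it clean. A one-line doc comment on `fuzz` stating that the two `consumeIntegral(4)` calls feed the numeric parameters of `exploreMe` and `consumeRemainingAsString()` the string would also help readers using it as a starting point.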
@@ -0,0 +1,12 @@
+homepage: https://github.com/CodeIntelligenceTesting/jazzer.js
+language: javascript
+main_repo: https://github.com/CodeIntelligenceTesting/jazzer.js
+fuzzing_engines:
+- libfuzzer
+sanitizers:
+- none
+vendor_ccs:
+- yakdan@code-intelligence.com
+- norbert.schneider@code-intelligence.com
+- peter.samarin@code-intelligence.com
+- christopher.krah@code-intelligence.com
diff --git a/projects/typescript-example/target.ts b/projects/typescript-example/target.ts
new file mode 100644
index 000000000000..1a366a5f667b
--- /dev/null
+++ b/projects/typescript-example/target.ts
@@ -0,0 +1,8 @@
+export function exploreMe(a: number, b: number, c: string ) {
+ if (a > 2000 &&
+ b > 20000 &&
+ b - a < 10000
+ && c === "Hello World!") {
+ throw Error("Crash!")
+ }
+}
\ No newline at end of file
diff --git a/projects/typescript-example/tsconfig.json b/projects/typescript-example/tsconfig.json
new file mode 100644
index 000000000000..dcbfa352ffc8
--- /dev/null
+++ b/projects/typescript-example/tsconfig.json
@@ -0,0 +1,18 @@
+{
+ "compilerOptions": {
+ "target": "ES2022",
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "allowJs": true,
+ "checkJs": true,
+ "rootDir": ".",
+ "outDir": "./dist",
+ "esModuleInterop": true,
+ "forceConsistentCasingInFileNames": true,
+ "strict": true,
+ "skipLibCheck": true,
+ "declaration": true,
+ "composite": true,
+ "sourceMap": true
+ }
+}
diff --git a/projects/wolfmqtt/Dockerfile b/projects/wolfmqtt/Dockerfile
index 8f4948654712..68e3e08880d5 100644
--- a/projects/wolfmqtt/Dockerfile
+++ b/projects/wolfmqtt/Dockerfile
@@ -15,7 +15,7 @@
 ################################################################################
 FROM gcr.io/oss-fuzz-base/base-builder
-RUN apt-get update && apt-get install -y make autoconf automake libtool
+RUN apt-get update && apt-get install -y make autoconf automake libtool bsdmainutils
 RUN git clone --depth 1 https://github.com/wolfSSL/wolfssl.git
 RUN git clone --depth 1 https://github.com/wolfSSL/wolfMQTT.git wolfmqtt
 RUN git clone --depth 1 https://github.com/guidovranken/wolfmqtt-fuzzers.git
diff --git a/projects/wolfssl/Dockerfile b/projects/wolfssl/Dockerfile
index a08f99746858..2cf71fb068c9 100644
--- a/projects/wolfssl/Dockerfile
+++ b/projects/wolfssl/Dockerfile
@@ -18,7 +18,7 @@
 # Please fix failure and upgrade.
 FROM gcr.io/oss-fuzz-base/base-builder@sha256:111d6b9d3a52bd3392602c71dc8936c628607a7a9bc86d381db7586f9b1e840f
-RUN apt-get update && apt-get install -y make autoconf automake libtool zip wget python
+RUN apt-get update && apt-get install -y make autoconf automake libtool zip wget python bsdmainutils
 RUN git clone https://github.com/wolfssl/wolfssl --depth 1 $SRC/wolfssl
 RUN git clone --depth 1 https://github.com/wolfSSL/wolfssh.git
 RUN git clone --depth 1 https://github.com/guidovranken/fuzzing-headers.git
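Review bot: Nothing in the hunk records why `bsdmainutils` is now required, and the same package is added to `projects/wolfssl/Dockerfile` in the next hunk with the same silence; a trailing comment naming the tool the build scripts call from it (`# bsdmainutils: provides <TOOL>`, placeholder) would spare the next maintainer a search, which matters because that package has been reorganised in newer distribution releases and the install line is the first thing to break when the base image moves.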
@@ -47,7 +47,6 @@ RUN gsutil cp gs://num-bigint-backup.clusterfuzz-external.appspot.com/corpus/lib
 RUN gsutil cp gs://wolfssl-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/wolfssl_cryptofuzz-sp-math-all/public.zip $SRC/corpus_wolfssl_sp-math-all.zip
 RUN gsutil cp gs://wolfssl-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/wolfssl_cryptofuzz-sp-math-all-8bit/public.zip $SRC/corpus_wolfssl_sp-math-all-8bit.zip
 RUN gsutil cp gs://wolfssl-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/wolfssl_cryptofuzz-sp-math/public.zip $SRC/corpus_wolfssl_sp-math.zip
-RUN gsutil cp gs://wolfssl-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/wolfssl_cryptofuzz-disable-fastmath/public.zip $SRC/corpus_wolfssl_disable-fastmath.zip
 # Botan corpora, which require a special import procedure
 RUN gsutil cp gs://botan-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/botan_ecc_p256/public.zip $SRC/corpus_botan_ecc_p256.zip
diff --git a/projects/wolfssl/build.sh b/projects/wolfssl/build.sh
index 8472a5f31288..db95adaceb54 100755
--- a/projects/wolfssl/build.sh
+++ b/projects/wolfssl/build.sh
@@ -17,7 +17,8 @@ if [[ $CFLAGS != *sanitize=dataflow* ]]
 then
- WOLFCRYPT_CONFIGURE_PARAMS="--enable-static --enable-md2 --enable-md4 --enable-ripemd --enable-blake2 --enable-blake2s --enable-pwdbased --enable-scrypt --enable-hkdf --enable-cmac --enable-arc4 --enable-camellia --enable-aesccm --enable-aesctr --enable-xts --enable-des3 --enable-x963kdf --enable-harden --enable-aescfb --enable-aesofb --enable-aeskeywrap --enable-aessiv --enable-keygen --enable-curve25519 --enable-curve448 --enable-shake256 --disable-crypttests --disable-examples --enable-compkey --enable-ed448 --enable-ed25519 --enable-ecccustcurves --enable-xchacha --enable-cryptocb --enable-eccencrypt --enable-aesgcm-stream --enable-smallstack --enable-ed25519-stream --enable-ed448-stream --enable-aesgcm-stream --enable-shake128 --enable-siphash"
+ cd $SRC/wolfssl/
+ WOLFCRYPT_CONFIGURE_PARAMS="--enable-static --enable-md2 --enable-md4 --enable-ripemd --enable-blake2 --enable-blake2s --enable-pwdbased --enable-scrypt --enable-hkdf --enable-cmac --enable-arc4 --enable-camellia --enable-aesccm --enable-aesctr --enable-xts --enable-des3 --enable-x963kdf --enable-harden --enable-aescfb --enable-aesofb --enable-aeskeywrap --enable-aessiv --enable-keygen --enable-curve25519 --enable-curve448 --enable-shake256 --disable-crypttests --disable-examples --enable-compkey --enable-ed448 --enable-ed25519 --enable-ecccustcurves --enable-xchacha --enable-cryptocb --enable-eccencrypt --enable-aesgcm-stream --enable-smallstack --enable-ed25519-stream --enable-ed448-stream --enable-aesgcm-stream --enable-shake128 --enable-siphash --enable-eccsi --with-eccminsz=0"
 if [[ $CFLAGS = *sanitize=memory* ]]
 then
 WOLFCRYPT_CONFIGURE_PARAMS="$WOLFCRYPT_CONFIGURE_PARAMS --disable-asm"
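Review bot: `--with-eccminsz=0` removes the minimum ECC key size, which is the right knob for letting cryptofuzz reach small-curve code paths but makes this configure line unsafe to lift into a production build; a comment such as `# fuzzing only: eccminsz=0 lets cryptofuzz exercise curves below the hardened default` beside the assignment would record that intent. The added `cd $SRC/wolfssl/` is unquoted like the rest of the script, and its purpose is not visible in this hunk since the following commands use absolute paths; the enclosing `if` block starts and ends outside the hunk.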
@@ -31,7 +32,18 @@ then
 CFLAGS="" CXXFLAGS="" ./b2 headers
 cp -R boost/ /usr/include/
+ # Build Botan
 export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_BOTAN_IS_ORACLE"
+ cd $SRC/botan
+ if [[ $CFLAGS != *-m32* ]]
+ then
+ ./configure.py --cc-bin=$CXX --cc-abi-flags="$CXXFLAGS" --disable-shared --disable-modules=locking_allocator --build-targets=static --without-documentation
+ else
+ ./configure.py --cpu=x86_32 --cc-bin=$CXX --cc-abi-flags="$CXXFLAGS" --disable-shared --disable-modules=locking_allocator --build-targets=static --without-documentation
+ fi
+ make -j$(nproc)
+ export LIBBOTAN_A_PATH="$SRC/botan/libbotan-3.a"
+ export BOTAN_INCLUDE_PATH="$SRC/botan/build/include"
 OLD_CFLAGS="$CFLAGS"
 OLD_CXXFLAGS="$CXXFLAGS"
@@ -92,21 +104,12 @@ then
 echo -n 'ECIES_Decrypt,' >>extra_options.h
 echo -n 'ECC_Point_Add,' >>extra_options.h
 echo -n 'ECC_Point_Mul,' >>extra_options.h
- echo -n 'ECDH_Derive ' >>extra_options.h
+ echo -n 'ECC_Point_Dbl,' >>extra_options.h
+ echo -n 'ECDH_Derive,' >>extra_options.h
+ echo -n 'ECCSI_Sign,' >>extra_options.h
+ echo -n 'ECCSI_Verify ' >>extra_options.h
 echo -n '"' >>extra_options.h
- # Build Botan
- cd $SRC/botan
- if [[ $CFLAGS != *-m32* ]]
- then
- ./configure.py --cc-bin=$CXX --cc-abi-flags="$CXXFLAGS" --disable-shared --disable-modules=locking_allocator --build-targets=static --without-documentation
- else
- ./configure.py --cpu=x86_32 --cc-bin=$CXX --cc-abi-flags="$CXXFLAGS" --disable-shared --disable-modules=locking_allocator --build-targets=static --without-documentation
- fi
- make -j$(nproc)
- export LIBBOTAN_A_PATH="$SRC/botan/libbotan-3.a"
- export BOTAN_INCLUDE_PATH="$SRC/botan/build/include"
-
 # Build normal math fuzzer
 cp -R $SRC/cryptofuzz/ $SRC/cryptofuzz-normal-math/
 cp -R $SRC/wolfssl/ $SRC/wolfssl-normal-math/
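Review bot: The relocated Botan build runs `./configure.py --cc-bin=$CXX --cc-abi-flags="$CXXFLAGS"` immediately after `export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_BOTAN_IS_ORACLE"`, so a cryptofuzz-specific define is baked into Botan's own compile flags; that was already the case at the old position, but moving the block is the moment to either place it before that export or state in the `# Build Botan` comment that sharing the define is intentional. In the third hunk, the new `ECCSI_Sign`/`ECCSI_Verify` entries only resolve because the first hunk adds `--enable-eccsi` to `WOLFCRYPT_CONFIGURE_PARAMS`; a comment on those echo lines tying the operation list to that configure flag would keep the two from drifting apart. The enclosing `if`/`then` block starts and ends outside both hunks.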
@@ -219,24 +222,24 @@ then
 unset WOLFCRYPT_LIBWOLFSSL_A_PATH
 unset WOLFCRYPT_INCLUDE_PATH
- # Build disable-fastmath fuzzer
- cp -R $SRC/cryptofuzz/ $SRC/cryptofuzz-disable-fastmath/
- cp -R $SRC/wolfssl/ $SRC/wolfssl-disable-fastmath/
- cd $SRC/wolfssl-disable-fastmath/
+ # Build fastmath fuzzer
+ cp -R $SRC/cryptofuzz/ $SRC/cryptofuzz-fastmath/
+ cp -R $SRC/wolfssl/ $SRC/wolfssl-fastmath/
+ cd $SRC/wolfssl-fastmath/
 autoreconf -ivf
 CFLAGS="$CFLAGS -DHAVE_AES_ECB -DWOLFSSL_DES_ECB -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3 -DHAVE_ECC_BRAINPOOL -DHAVE_ECC_KOBLITZ -DWOLFSSL_ECDSA_SET_K -DWOLFSSL_ECDSA_SET_K_ONE_LOOP"
- ./configure $WOLFCRYPT_CONFIGURE_PARAMS --disable-fastmath
+ ./configure $WOLFCRYPT_CONFIGURE_PARAMS --enable-fastmath
 make -j$(nproc)
 export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_NO_OPENSSL -DCRYPTOFUZZ_WOLFCRYPT -DCRYPTOFUZZ_BOTAN"
- export WOLFCRYPT_LIBWOLFSSL_A_PATH="$SRC/wolfssl-disable-fastmath/src/.libs/libwolfssl.a"
- export WOLFCRYPT_INCLUDE_PATH="$SRC/wolfssl-disable-fastmath/"
- cd $SRC/cryptofuzz-disable-fastmath/modules/wolfcrypt
+ export WOLFCRYPT_LIBWOLFSSL_A_PATH="$SRC/wolfssl-fastmath/src/.libs/libwolfssl.a"
+ export WOLFCRYPT_INCLUDE_PATH="$SRC/wolfssl-fastmath/"
+ cd $SRC/cryptofuzz-fastmath/modules/wolfcrypt
 make -j$(nproc)
- cd $SRC/cryptofuzz-disable-fastmath/modules/botan
+ cd $SRC/cryptofuzz-fastmath/modules/botan
 make -j$(nproc)
- cd $SRC/cryptofuzz-disable-fastmath/
+ cd $SRC/cryptofuzz-fastmath/
 LIBFUZZER_LINK="$LIB_FUZZING_ENGINE" make -B -j$(nproc)
- cp cryptofuzz $OUT/cryptofuzz-disable-fastmath
+ cp cryptofuzz $OUT/cryptofuzz-fastmath
 CFLAGS="$OLD_CFLAGS"
 CXXFLAGS="$OLD_CXXFLAGS"
 unset WOLFCRYPT_LIBWOLFSSL_A_PATH
@@ -245,51 +248,53 @@ then
 mkdir $SRC/cryptofuzz-seed-corpus/
 # Convert Wycheproof test vectors to Cryptofuzz corpus format
- find $SRC/wycheproof/testvectors/ -type f -name 'ecdsa_*' -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-wycheproof={},$SRC/cryptofuzz-seed-corpus/ \;
- find $SRC/wycheproof/testvectors/ -type f -name 'ecdh_*' -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-wycheproof={},$SRC/cryptofuzz-seed-corpus/ \;
+ find $SRC/wycheproof/testvectors/ -type f -name 'ecdsa_*' -exec $SRC/cryptofuzz-fastmath/cryptofuzz --from-wycheproof={},$SRC/cryptofuzz-seed-corpus/ \;
+ find $SRC/wycheproof/testvectors/ -type f -name 'ecdh_*' -exec $SRC/cryptofuzz-fastmath/cryptofuzz --from-wycheproof={},$SRC/cryptofuzz-seed-corpus/ \;
 # Unpack corpora from other projects
- unzip -n $SRC/corpus_bearssl.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_nettle.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_libecc.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_relic.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_cryptofuzz-openssl.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_cryptofuzz-boringssl.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_cryptofuzz-nss.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_bitcoin-core-w2-p2.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_bitcoin-core-w15-p4.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_bitcoin-core-w20-p8.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_num-bigint.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_wolfssl_sp-math-all.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_wolfssl_sp-math-all-8bit.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_wolfssl_sp-math.zip -d $SRC/cryptofuzz_seed_corpus/
- unzip -n $SRC/corpus_wolfssl_disable-fastmath.zip -d $SRC/cryptofuzz_seed_corpus/
+ unzip -n $SRC/corpus_bearssl.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_nettle.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_libecc.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_relic.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_cryptofuzz-openssl.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_cryptofuzz-boringssl.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_cryptofuzz-nss.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_bitcoin-core-w2-p2.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_bitcoin-core-w15-p4.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_bitcoin-core-w20-p8.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_num-bigint.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_wolfssl_sp-math-all.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_wolfssl_sp-math-all-8bit.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
+ unzip -n $SRC/corpus_wolfssl_sp-math.zip -d $SRC/cryptofuzz_seed_corpus/ >/dev/null
 # Import Botan corpora
 mkdir $SRC/botan-p256-corpus/
- unzip $SRC/corpus_botan_ecc_p256.zip -d $SRC/botan-p256-corpus/
- find $SRC/botan-p256-corpus/ -type f -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-botan={},$SRC/cryptofuzz-seed-corpus/,secp256r1 \;
+ unzip $SRC/corpus_botan_ecc_p256.zip -d $SRC/botan-p256-corpus/ >/dev/null
+ find $SRC/botan-p256-corpus/ -type f -exec $SRC/cryptofuzz-fastmath/cryptofuzz --from-botan={},$SRC/cryptofuzz-seed-corpus/,secp256r1 \;
 mkdir $SRC/botan-p384-corpus/
- unzip $SRC/corpus_botan_ecc_p384.z<br>ip -d $SRC/botan-p384-corpus/
- find $SRC/botan-p384-corpus/ -type f -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-botan={},$SRC/cryptofuzz-seed-corpus/,secp384r1 \;
+ unzip $SRC/corpus_botan_ecc_p384.zip -d $SRC/botan-p384-corpus/ >/dev/null
+ find $SRC/botan-p384-corpus/ -type f -exec $SRC/cryptofuzz-fastmath/cryptofuzz --from-botan={},$SRC/cryptofuzz-seed-corpus/,secp384r1 \;
 mkdir $SRC/botan-p521-corpus/
- unzip $SRC/corpus_botan_ecc_p521.zip -d $SRC/botan-p521-corpus/
- find $SRC/botan-p521-corpus/ -type f -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-botan={},$SRC/cryptofuzz-seed-corpus/,secp521r1 \;
+ unzip $SRC/corpus_botan_ecc_p521.zip -d $SRC/botan-p521-corpus/ >/dev/null
+ find $SRC/botan-p521-corpus/ -type f -exec $SRC/cryptofuzz-fastmath/cryptofuzz --from-botan={},$SRC/cryptofuzz-seed-corpus/,secp521r1 \;
 mkdir $SRC/botan-bp256-corpus/
- unzip $SRC/corpus_botan_ecc_bp256.zip -d $SRC/botan-bp256-corpus/
- find $SRC/botan-bp256-corpus/ -type f -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-botan={},$SRC/cryptofuzz-seed-corpus/,brainpool256r1 \;
+ unzip $SRC/corpus_botan_ecc_bp256.zip -d $SRC/botan-bp256-corpus/ >/dev/null
+ find $SRC/botan-bp256-corpus/ -type f -exec $SRC/cryptofuzz-fastmath/cryptofuzz --from-botan={},$SRC/cryptofuzz-seed-corpus/,brainpool256r1 \;
 # Import OpenSSL/LibreSSL corpora
 mkdir $SRC/openssl-expmod-corpus/
- unzip $SRC/corpus_openssl_expmod.zip -d $SRC/openssl-expmod-corpus/
- find $SRC/openssl-expmod-corpus/ -type f -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-openssl-expmod={},$SRC/cryptofuzz-seed-corpus/ \;
+ unzip $SRC/corpus_openssl_expmod.zip -d $SRC/openssl-expmod-corpus/ >/dev/null
+ find $SRC/openssl-expmod-corpus/ -type f -exec $SRC/cryptofuzz-fastmath/cryptofuzz --from-openssl-expmod={},$SRC/cryptofuzz-seed-corpus/ \;
 mkdir $SRC/libressl-expmod-corpus/
- unzip $SRC/corpus_libressl_expmod.zip -d $SRC/libressl-expmod-corpus/
- find $SRC/libressl-expmod-corpus/ -type f -exec $SRC/cryptofuzz-disable-fastmath/cryptofuzz --from-openssl-expmod={},$SRC/cryptofuzz-seed-corpus/ \;
+ unzip $SRC/corpus_libressl_expmod.zip -d $SRC/libressl-expmod-corpus/ >/dev/null
+ find $SRC/libressl-expmod-corpus/ -type f -exec $SRC/cryptofuzz-fastmath/cryptofuzz --from-openssl-expmod={},$SRC/cryptofuzz-seed-corpus/ \;
+
+ # Write Cryptofuzz built-in tests
+ $SRC/cryptofuzz-fastmath/cryptofuzz --from-builtin-tests=$SRC/cryptofuzz-seed-corpus/
 # Pack it
 cd $SRC/cryptofuzz_seed_corpus
@@ -300,7 +305,7 @@ then
 cp $SRC/cryptofuzz_seed_corpus.zip $OUT/cryptofuzz-sp-math-all_seed_corpus.zip
 cp $SRC/cryptofuzz_seed_corpus.zip $OUT/cryptofuzz-sp-math-all-8bit_seed_corpus.zip
 cp $SRC/cryptofuzz_seed_corpus.zip $OUT/cryptofuzz-sp-math_seed_corpus.zip
- cp $SRC/cryptofuzz_seed_corpus.zip $OUT/cryptofuzz-disable-fastmath_seed_corpus.zip
+ cp $SRC/cryptofuzz_seed_corpus.zip $OUT/cryptofuzz-fastmath_seed_corpus.zip
 # Remove files that are no longer needed to prevent running out of disk space
 rm -rf $SRC/botan-p256-corpus/
diff --git a/projects/xnio-api/0001-avoid-ConcurrentModificationException.patch b/projects/xnio-api/0001-avoid-ConcurrentModificationException.patch
new file mode 100644
index 000000000000..3ee5393f8066
--- /dev/null
+++ b/projects/xnio-api/0001-avoid-ConcurrentModificationException.patch
@@ -0,0 +1,24 @@ +diff --git a/api/pom.xml b/api/pom.xml +index 5d29ee4d..b72b3395 100644 +--- a/api/pom.xml ++++ b/api/pom.xml +@@ -194,6 +194,7 @@ + + org.apache.felix + maven-bundle-plugin ++ 5.1.8 + + + org.xnio.Version +diff --git a/nio-impl/pom.xml b/nio-impl/pom.xml +index 2f229929..f3e6c388 100644 +--- a/nio-impl/pom.xml ++++ b/nio-impl/pom.xml +@@ -176,6 +176,7 @@ + + org.apache.felix + maven-bundle-plugin ++ 5.1.8 + + + org.xnio.Version
diff --git a/projects/xnio-api/Dockerfile b/projects/xnio-api/Dockerfile
new file mode 100644
index 000000000000..d07f50d7f75e
--- /dev/null
+++ b/projects/xnio-api/Dockerfile
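Review bot: The new `$SRC/cryptofuzz-fastmath/cryptofuzz --from-builtin-tests=$SRC/cryptofuzz-seed-corpus/` writes into the hyphenated directory created by `mkdir $SRC/cryptofuzz-seed-corpus/` at the top of the hunk, while every `unzip -n ... -d $SRC/cryptofuzz_seed_corpus/` fills the underscored one and `# Pack it` does `cd $SRC/cryptofuzz_seed_corpus`; unless cryptofuzz itself writes elsewhere, the built-in tests and the Wycheproof/Botan/expmod conversions never reach the packed seed corpus. That mismatch predates this change, but the added line repeats it, so it is worth confirming which directory is intended and settling on one name. The enclosing `if`/`then` block starts and ends outside the hunk.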
@@ -0,0 +1,59 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-jvm
+
+#
+# install maven configuration, which is also used by gradles's publishToMavenLocal
+#
+ADD maven-settings.xml ${SRC}/
+RUN apt-get install -y xmlstarlet
+RUN mkdir -p ~/.m2 && \
+ xmlstarlet ed \
+ -u "settings/localRepository" -v "${OUT}/m2/repository" \
+ < ${SRC}/maven-settings.xml > ~/.m2/settings.xml
+
+#
+# install maven and gradle
+#
+RUN curl -L https://downloads.apache.org/maven/maven-3/3.8.7/binaries/apache-maven-3.8.7-bin.zip -o maven.zip && \
+ unzip maven.zip -d $SRC/maven-3.8.7 && \
+ rm -rf maven.zip
+
+ENV MVN $SRC/maven-3.8.7/apache-maven-3.8.7/bin/mvn
+
+RUN curl -L https://services.gradle.org/distributions/gradle-7.6-bin.zip -o gradle.zip && \
+ unzip gradle.zip -d $SRC/gradle && \
+ rm -rf gradle.zip
+
+ENV GRADLE $SRC/gradle/gradle-7.6/bin/gradle
+
+ENV LIBRARY_NAME xnio
+WORKDIR ${SRC}
+#
+# clone repository
+#
+RUN git clone https://github.com/xnio/xnio ${LIBRARY_NAME}
+
+#
+# apply fixes
+#
+ADD *.patch ${SRC}/
+RUN cd ${SRC}/${LIBRARY_NAME} && (for i in ${SRC}/*.patch; do tr -d '\015' < $i | git apply -v; done )
+
+ADD build.sh ${SRC}/
+ADD ${LIBRARY_NAME}-fuzzer ${SRC}/${LIBRARY_NAME}-fuzzer/
+WORKDIR ${SRC}/${LIBRARY_NAME}
\ No newline at end of file
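Review bot: Both toolchain archives (`apache-maven-3.8.7-bin.zip` and `gradle-7.6-bin.zip`) are fetched with `curl -L` and unzipped with no checksum or signature check, so a compromised mirror or redirect would land directly in the build image; an `echo "<EXPECTED_SHA256>  maven.zip" | sha256sum -c -` (placeholder digest) before each `unzip` makes the fetch tamper-evident. `RUN apt-get install -y xmlstarlet` runs without a preceding `apt-get update`, which only works if the base image ships usable package lists. In `(for i in ${SRC}/*.patch; do tr -d '\015' < $i | git apply -v; done )` only the last iteration's status reaches `RUN`, so once a second patch is added a failed `git apply` earlier in the loop would not fail the build; `git apply -v || exit 1` inside the body closes that gap.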
diff --git a/projects/xnio-api/build.sh b/projects/xnio-api/build.sh
new file mode 100644
index 000000000000..fd02c8efa194
--- /dev/null
+++ b/projects/xnio-api/build.sh
@@ -0,0 +1,81 @@
+#!/bin/bash -eu
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+SRC_SUBDIR=""
+MVN_FLAGS="-Djavac.src.version=15 -Djavac.target.version=15 -DskipTests"
+ALL_JARS=""
+
+# Install the build servers' jazzer-api into the maven repository.
+pushd "/tmp"
+ ${MVN} install:install-file -Dfile=${JAZZER_API_PATH} \
+ -DgroupId="com.code-intelligence" \
+ -DartifactId="jazzer-api" \
+ -Dversion="0.14.0" \
+ -Dpackaging=jar
+popd
+
+pushd "${SRC}/${LIBRARY_NAME}/${SRC_SUBDIR}"
+ ${MVN} install ${MVN_FLAGS}
+ CURRENT_VERSION=$(${MVN} org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout)
+popd
+
+pushd "${SRC}/${LIBRARY_NAME}-fuzzer"
+ ${MVN} package -DfuzzedLibaryVersion="${CURRENT_VERSION}" ${MVN_FLAGS}
+ install -v target/${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar ${OUT}/${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar
+ ALL_JARS="${ALL_JARS} ${LIBRARY_NAME}-fuzzer-${CURRENT_VERSION}.jar"
+popd
+
+
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API.
+BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+MVN_FUZZERS_PREFIX="src/main/java"
+
+for fuzzer in $(find ${SRC} -name '*Fuzzer.java'); do
+ # Find our fuzzer inside the maven structure
+ stripped_path=$(echo ${fuzzer} | sed \
+ -e 's|^.*src/main/java/\(.*\).java$|\1|' \
+ -e 's|^.*src/test/java/\(.*\).java$|\1|' \
+ );
+ # The .java suffix was stripped by sed.
+ if (echo ${stripped_path} | grep ".java$"); then
+ continue;
+ fi
+
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ fuzzer_classname=$(echo ${stripped_path} | sed 's|/|.|g');
+
+ # Create an execution wrapper that executes Jazzer with the correct arguments.
+
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput Magic String required for infra/base-images/base-runner/test_all.py. DO NOT REMOVE
+
+
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"\$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=${RUNTIME_CLASSPATH} \
+--target_class=${fuzzer_classname} \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/${fuzzer_basename}
+ chmod u+x $OUT/${fuzzer_basename}
+done
\ No newline at end of file
diff --git a/projects/xnio-api/maven-settings.xml b/projects/xnio-api/maven-settings.xml
new file mode 100644
index 000000000000..4359e57ec065
--- /dev/null
+++ b/projects/xnio-api/maven-settings.xml
@@ -0,0 +1,3 @@ + + ${user.home}/.m2/repository + \ No newline at end of file
diff --git a/projects/xnio-api/project.yaml b/projects/xnio-api/project.yaml
new file mode 100644
index 000000000000..0725dec0ed5a
--- /dev/null
+++ b/projects/xnio-api/project.yaml
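Review bot: `for fuzzer in $(find ${SRC} -name '*Fuzzer.java')` walks all of `$SRC`, including the cloned xnio tree, so any upstream source whose name ends in `Fuzzer.java` would get a launcher pointing at a class that is not in `ALL_JARS`; searching `"${SRC}/${LIBRARY_NAME}-fuzzer"` instead matches what is actually packaged. `-Dversion="0.14.0"` hard-codes the jazzer-api version while the jar itself comes from `${JAZZER_API_PATH}` on the base image, so the two can silently diverge; a comment stating that this value must track the `jazzer-api` version in `xnio-fuzzer/pom.xml` would at least make the coupling visible. `MVN_FUZZERS_PREFIX="src/main/java"` is assigned and never read, and the `grep ".java$"` test prints its match to stdout on every hit; `grep -q` keeps the build log clean.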
@@ -0,0 +1,15 @@
+homepage: "https://github.com/eclipse-ee4j/jax-rpc-ri"
+language: jvm
+main_repo: "https://github.com/eclipse-ee4j/jax-rpc-ri.git"
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+vendor_ccs:
+ - "wagner@code-intelligence.com"
+ - "yakdan@code-intelligence.com"
+ - "glendowne@code-intelligence.com"
+ - "patrice.salathe@code-intelligence.com"
+ - "hlin@code-intelligence.com"
+ - "schaich@code-intelligence.com"
+ - "bug-disclosure@code-intelligence.com"
diff --git a/projects/xnio-api/xnio-fuzzer/pom.xml b/projects/xnio-api/xnio-fuzzer/pom.xml
new file mode 100644
index 000000000000..9327f5911df4
--- /dev/null
+++ b/projects/xnio-api/xnio-fuzzer/pom.xml
@@ -0,0 +1,73 @@ + + 4.0.0 + + ossfuzz + xnio-fuzzer + ${fuzzedLibaryVersion} + jar + + + 15 + 15 + UTF-8 + 3.8.8.Final + com.sun.xml.rpc.processor.modeler.rmi.SOAPSimpleTypeCreatorFuzzer + + + + + + + + com.code-intelligence + jazzer-api + 0.14.0 + + + org.jboss.xnio + xnio-api + ${fuzzedLibaryVersion} + + + + + + + org.apache.maven.plugins + maven-shade-plugin + 3.3.0 + + + + *:* + + META-INF/*.SF + META-INF/*.DSA + META-INF/*.RSA + + + + + + + package + + shade + + + + + + + \ No newline at end of file
diff --git a/projects/xnio-api/xnio-fuzzer/src/main/java/org/xnio/http/HttpParserFuzzer.java b/projects/xnio-api/xnio-fuzzer/src/main/java/org/xnio/http/HttpParserFuzzer.java
new file mode 100644
index 000000000000..67c7eac83170
--- /dev/null
+++ b/projects/xnio-api/xnio-fuzzer/src/main/java/org/xnio/http/HttpParserFuzzer.java
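Review bot: `homepage` and `main_repo` point to `https://github.com/eclipse-ee4j/jax-rpc-ri`, but the Dockerfile in this change clones `https://github.com/xnio/xnio`; `main_repo` is what the infrastructure uses to identify the fuzzed repository, so both should read the xnio URL (`main_repo: "https://github.com/xnio/xnio.git"`). The same copy-paste origin shows in `xnio-fuzzer/pom.xml` on the next hunk, which carries `com.sun.xml.rpc.processor.modeler.rmi.SOAPSimpleTypeCreatorFuzzer` although the only fuzzer added is `org.xnio.http.HttpParserFuzzer`; the surrounding XML element is not visible here, so whether that value is a dead property or a main class the shade plugin records should be checked.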
@@ -0,0 +1,47 @@
+package org.xnio.http;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+
+public class HttpParserFuzzer {
+
+ private FuzzedDataProvider fuzzedDataProvider;
+
+ public HttpParserFuzzer(FuzzedDataProvider fuzzedDataProvider) throws Exception {
+ this.fuzzedDataProvider = fuzzedDataProvider;
+ }
+
+ void test() {
+ byte b[] = new byte[]{ 1 };
+ int n = fuzzedDataProvider.remainingBytes();
+ if(n != 0) {
+ b = fuzzedDataProvider.consumeBytes(n);
+ }
+ HttpUpgradeParser parser = new HttpUpgradeParser();
+ ByteBuffer buffer = ByteBuffer.wrap(b);
+
+ try {
+ /*
+ * read everything, like HttpParserTestCase.testOneCharacterAtATime does,
+ * but read junk after that, too
+ */
+ for(int i=0; i!=n; ++i) {
+ buffer.limit(i);
+ parser.parse(buffer);
+ }
+ } catch (IOException exception) {
+ /* ignore */
+ } catch (IllegalArgumentException excepion) {
+ /* ignore */
+ }
+ }
+
+ public static void fuzzerTestOneInput(FuzzedDataProvider fuzzedDataProvider) throws Exception {
+
+ HttpParserFuzzer fixture = new HttpParserFuzzer(fuzzedDataProvider);
+ fixture.test();
+ }
+}
\ No newline at end of file
diff --git a/projects/xs/build.sh b/projects/xs/build.sh
index aba5361677a8..0360c0ac903a 100755
--- a/projects/xs/build.sh
+++ b/projects/xs/build.sh
@@ -28,7 +28,7 @@ REALBIN_PATH=$OUT
 # build main target
 cd "$MODDABLE/xs/makefiles/lin"
-FUZZING=1 OSSFUZZ=1 make debug
+FUZZING=1 OSSFUZZ=1 FUZZ_METER=10240000 make debug
 cd "$MODDABLE"
 cp ./build/bin/lin/debug/xst $REALBIN_PATH/xst
@@ -37,7 +37,7 @@ cp $SRC/xst.options $OUT/
 # build jsonparse target
 cd "$MODDABLE/xs/makefiles/lin"
 make -f xst.mk clean
-FUZZING=1 OSSFUZZ=1 OSSFUZZ_JSONPARSE=1 make debug
+FUZZING=1 OSSFUZZ=1 OSSFUZZ_JSONPARSE=1 FUZZ_METER=10240000 make debug
 cd "$MODDABLE"
 cp ./build/bin/lin/debug/xst $REALBIN_PATH/xst_jsonparse
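Review bot: The loop `for(int i=0; i!=n; ++i)` raises the limit to at most `n-1`, so the final input byte is never shown to the parser and nothing past the input is read, which contradicts the comment `but read junk after that, too`; if the one-character-at-a-time walk from the test case is the goal, `i <= n` covers the whole input, and reading junk would need extra bytes appended to `b` first. `catch (IllegalArgumentException excepion)` swallows an exception class that Jazzer would otherwise report as a finding, so a genuine bug in `HttpUpgradeParser.parse` surfacing as an IAE is hidden; limiting the catch to the checked `IOException`, and documenting any IAE the parser throws by contract if one must be tolerated, is the safer default. `throws Exception` on the constructor and on `fuzzerTestOneInput` is unnecessary since nothing in them throws, `byte b[]` is the C-style array form, and `excepion` is a typo.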
diff --git a/projects/zstd/project.yaml b/projects/zstd/project.yaml
index 0a27d53d6814..b3f9c6d3714e 100644
--- a/projects/zstd/project.yaml
+++ b/projects/zstd/project.yaml
@@ -31,4 +31,7 @@ sanitizers:
 - address
 - memory
 - undefined
+architectures:
+ - x86_64
+ - i386
 main_repo: 'https://github.com/facebook/zstd'