Add fuzz tests for parsers #1

New Issue

p · 2020-10-10T23:56:23+02:00

p commented

2020-10-10 23:56:23 +02:00

Consider AFL and libFuzzer. The latter appears to be more promising, especially combined with sanitisers.

In any case, we'll need to figure out build. I don't want this to explode into numerous files for each little parser. LLVMFuzzerTestOneInput only has the data for arguments, though LLVMFuzzerInitialize may switch targets according to arguments--we'll have to erase elements from the argv array for this. Perhaps scan for a new custom -test=choice option that either sets the target or lists all choices when not found (and returns failure).

Complex things may make use of seeds but let's see how far we can get without. It would be possible to add a "fuzz" directory with some samples, prefixed by test name.

The "superdriver" will want to use the -artifact_prefix option of libFuzzer. It might very well be a simple shell script since CMake would be hard to convince to use a different subcompiler--everything depends on clang.

Targets: config_item_parse(), base64_decode(), utf8_validate(), ws_parser_push(), scgi_parser_push(), irc_parse_message(), attrs_decode(), mpd_client_process_input(), fcgi_nv_parser_push(), fcgi_parser_push(), http_parse_upgrade(), http_parse_media_type()

Consider AFL and libFuzzer. The latter appears to be more promising, especially combined with sanitisers. In any case, we'll need to figure out build. I don't want this to explode into numerous files for each little parser. `LLVMFuzzerTestOneInput` only has the data for arguments, though `LLVMFuzzerInitialize` may switch targets according to arguments--we'll have to erase elements from the argv array for this. Perhaps scan for a new custom `-test=choice` option that either sets the target or lists all choices when not found (and returns failure). Complex things may make use of seeds but let's see how far we can get without. It would be possible to add a "fuzz" directory with some samples, prefixed by test name. The "superdriver" will want to use the `-artifact_prefix` option of libFuzzer. It might very well be a simple shell script since CMake would be hard to convince to use a different subcompiler--everything depends on clang. Targets: `config_item_parse()`, `base64_decode()`, `utf8_validate()`, `ws_parser_push()`, `scgi_parser_push()`, `irc_parse_message()`, `attrs_decode()`, `mpd_client_process_input()`, `fcgi_nv_parser_push()`, `fcgi_parser_push()`, `http_parse_upgrade()`, `http_parse_media_type()`

p self-assigned this 2020-10-10 23:56:23 +02:00

p referenced this issue from a commit

2020-10-11 20:06:12 +02:00

Add a basic fuzzing framework using libFuzzer Updates #1

p commented

2020-10-11 20:19:31 +02:00

Remaining: config_item_parse(), attrs_decode(), mpd_client_process_input(), fcgi_nv_parser_push(), fcgi_parser_push()

I suppose I won't think of any better way to use the fuzzer than to give it in the script a length limit and a timeout and enumerate all available targets. I'm slightly disappointed. On the other hand, nothing has failed so far.

Remaining: `config_item_parse()`, `attrs_decode()`, `mpd_client_process_input()`, `fcgi_nv_parser_push()`, `fcgi_parser_push()` I suppose I won't think of any better way to use the fuzzer than to give it in the script a length limit and a timeout and enumerate all available targets. I'm slightly disappointed. On the other hand, nothing has failed so far.

p referenced this issue from a commit

2020-10-12 02:08:41 +02:00

Add remaining fuzzing entry points Closes #1

p closed this issue

2020-10-12 02:08:42 +02:00

Sign in to join this conversation.