Merge pull request #13898 from nmeum/pr/fuzzing-gcoap

Add fuzzing application for gcoap
2025-01-18 12:52:44 +01:00 · 2020-05-30 18:40:37 +02:00 · 2020-05-30 18:40:37 +02:00 · 5055a1ef30
commit 5055a1ef30
parent 172c63209c bab916d084
8 changed files with 99 additions and 4 deletions
--- a/fuzzing/gcoap/Makefile
+++ b/fuzzing/gcoap/Makefile
@ -0,0 +1,6 @@
+include ../Makefile.fuzzing_common
+
+USEMODULE += gnrc_ipv6
+USEMODULE += gcoap
+
+include $(RIOTBASE)/Makefile.include
--- a/fuzzing/gcoap/input/confirmable-get.dat
+++ b/fuzzing/gcoap/input/confirmable-get.dat
@ -0,0 +1 @@
+@¹'=fe80::8813:2ff:fec1:98ef%tap0‹.well-knowncore
--- a/fuzzing/gcoap/input/confirmable-post.dat
+++ b/fuzzing/gcoap/input/confirmable-post.dat
@ -0,0 +1 @@
+@ą'=fe80::8813:2ff:fec1:98ef%tap0„riotvalue˙foo
--- a/fuzzing/gcoap/input/non-confirmable-get.dat
+++ b/fuzzing/gcoap/input/non-confirmable-get.dat
@ -0,0 +1 @@
+Pą'=fe80::8813:2ff:fec1:98ef%tap0„riotboard
--- a/fuzzing/gcoap/main.c
+++ b/fuzzing/gcoap/main.c
@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2019 Sören Tempel <tempel@uni-bremen.de>
+ *
+ * This file is subject to the terms and conditions of the GNU Lesser
+ * General Public License v2.1. See the file LICENSE in the top level
+ * directory for more details.
+ */
+
+#include <err.h>
+#include <stdlib.h>
+
+#include "thread.h"
+#include "fuzzing.h"
+#include "kernel_types.h"
+
+#include "net/gcoap.h"
+#include "net/gnrc/udp.h"
+#include "net/gnrc/pkt.h"
+#include "net/ipv6/addr.h"
+#include "net/gnrc/nettype.h"
+#include "net/gnrc/ipv6/hdr.h"
+
+static uint32_t demux = COAP_PORT;
+static gnrc_nettype_t ntype = GNRC_NETTYPE_UDP;
+
+void initialize(void)
+{
+    if (fuzzing_init(NULL, 0)) {
+        errx(EXIT_FAILURE, "fuzzing_init failed");
+    }
+
+    gcoap_init();
+}
+
+int main(void)
+{
+    gnrc_pktsnip_t *ipkt, *upkt, *cpkt;
+
+    initialize();
+    if (!(ipkt = gnrc_ipv6_hdr_build(NULL, NULL, &ipv6_addr_loopback))) {
+        errx(EXIT_FAILURE, "gnrc_ipv6_hdr_build failed");
+    }
+    if (!(upkt = gnrc_udp_hdr_build(ipkt, 2342, COAP_PORT))) {
+        errx(EXIT_FAILURE, "gnrc_udp_hdr_build failed");
+    }
+
+    if (!(cpkt = gnrc_pktbuf_add(upkt, NULL, 0, GNRC_NETTYPE_UNDEF))) {
+        errx(EXIT_FAILURE, "gnrc_pktbuf_add failed");
+    }
+    if (fuzzing_read_packet(STDIN_FILENO, cpkt)) {
+        errx(EXIT_FAILURE, "fuzzing_read_packet failed");
+    }
+
+    if (!gnrc_netapi_dispatch_receive(ntype, demux, cpkt)) {
+        errx(EXIT_FAILURE, "couldn't find any subscriber");
+    }
+
+    return EXIT_SUCCESS;
+}
--- a/sys/net/gnrc/pktbuf_malloc/gnrc_pktbuf_malloc.c
+++ b/sys/net/gnrc/pktbuf_malloc/gnrc_pktbuf_malloc.c
@ -54,6 +54,10 @@ static inline void *_malloc(size_t size)
 static inline void _free(void *ptr)
 {
    if (ptr != NULL) {
+        /* The fuzzing module is only enabled when building a fuzzing
+         * application from the fuzzing/ subdirectory. If _free is
+         * called on the crafted fuzzing packet, the setup assumes that
+         * input processing has completed and the application terminates. */
 #if defined(MODULE_FUZZING) && !defined(MODULE_GNRC_SOCK)
        if (ptr == gnrc_pktbuf_fuzzptr) {
           exit(EXIT_SUCCESS);
--- a/sys/net/gnrc/sock/gnrc_sock.c
+++ b/sys/net/gnrc/sock/gnrc_sock.c
@ -31,6 +31,7 @@

 #ifdef MODULE_FUZZING
 extern gnrc_pktsnip_t *gnrc_pktbuf_fuzzptr;
+gnrc_pktsnip_t *gnrc_sock_prevpkt = NULL;
 #endif

 #ifdef MODULE_XTIMER
@ -92,9 +93,15 @@ ssize_t gnrc_sock_recv(gnrc_sock_reg_t *reg, gnrc_pktsnip_t **pkt_out,
    gnrc_pktsnip_t *pkt, *netif;
    msg_t msg;

-#ifdef MODULE_FUZZING
-    static gnrc_pktsnip_t *prevpkt;
-    if (prevpkt && prevpkt == gnrc_pktbuf_fuzzptr) {
+    /* The fuzzing module is only enabled when building a fuzzing
+     * application from the fuzzing/ subdirectory. When using gnrc_sock
+     * the fuzzer assumes that gnrc_sock_recv is called in a loop. If it
+     * is called again and the previous return value was the special
+     * crafted fuzzing packet, the fuzzing application terminates.
+     *
+     * sock_async_event has its on fuzzing termination condition. */
+#if defined(MODULE_FUZZING) && !defined(MODULE_SOCK_ASYNC_EVENT)
+    if (gnrc_sock_prevpkt && gnrc_sock_prevpkt == gnrc_pktbuf_fuzzptr) {
        exit(EXIT_SUCCESS);
    }
 #endif
@ -159,7 +166,7 @@ ssize_t gnrc_sock_recv(gnrc_sock_reg_t *reg, gnrc_pktsnip_t **pkt_out,
    }
 #endif
 #ifdef MODULE_FUZZING
-    prevpkt = pkt;
+    gnrc_sock_prevpkt = pkt;
 #endif

    return 0;
--- a/sys/net/sock/async/event/sock_async_event.c
+++ b/sys/net/sock/async/event/sock_async_event.c
@ -16,6 +16,11 @@
 #include "irq.h"
 #include "net/sock/async/event.h"

+#ifdef MODULE_FUZZING
+extern gnrc_pktsnip_t *gnrc_pktbuf_fuzzptr;
+extern gnrc_pktsnip_t *gnrc_sock_prevpkt;
+#endif
+
 static void _event_handler(event_t *ev)
 {
    sock_event_t *event = (sock_event_t *)ev;
@ -36,6 +41,17 @@ static inline void _cb(void *sock, sock_async_flags_t type, void *arg,
    ctx->event.cb_arg = arg;
    ctx->event.type |= type;
    event_post(ctx->queue, &ctx->event.super);
+
+    /* The fuzzing module is only enabled when building a fuzzing
+     * application from the fuzzing/ subdirectory. The fuzzing setup
+     * assumes that gnrc_sock_recv is called by the event callback. If
+     * the value returned by gnrc_sock_recv was the fuzzing packet, the
+     * fuzzing application is terminated as input processing finished. */
+#ifdef MODULE_FUZZING
+    if (gnrc_sock_prevpkt && gnrc_sock_prevpkt == gnrc_pktbuf_fuzzptr) {
+        exit(EXIT_SUCCESS);
+    }
+#endif
 }

 static void _set_ctx(sock_async_ctx_t *ctx, event_queue_t *ev_queue)
				`@ -0,0 +1 @@`
				`@¹'=fe80::8813:2ff:fec1:98ef%tap0‹.well-knowncore`
				`@ -0,0 +1 @@`
				`@ą'=fe80::8813:2ff:fec1:98ef%tap0„riotvalue˙foo`
				`@ -0,0 +1 @@`
				`Pą'=fe80::8813:2ff:fec1:98ef%tap0„riotboard`