[v4]
1) `--enable-afl` was added to make it possible to build and run
the fuzz target with afl-gcc/afl-g++/afl-fuzz. It's compatible
with both AFL and AFL++ and can be tested on Ubuntu by running
the following commands:
```
apt-get install afl++
autoreconf -i -f
./configure --enable-maintainer-mode --enable-afl
make -j$(nproc) V=1
make check V=1 VERBOSE=1 TESTS=run-fuzz-dwfl-core.sh FUZZ_TIME=600
```
It's compatible with ASan/UBsan as well so something like
`--enable-sanitize-address` and `--enable-sanitize-undefined` can
additionally be passed to run the fuzzer under ASan/UBsan.
It was tested on Fedora with AFL (https://github.com/google/AFL) and
on Ubuntu with AFL++ (https://github.com/AFLplusplus/AFLplusplus/).
2) Both `use_afl` and `use_honggfuzz` are now shown among the additional
test features printed by `./configure` to make it easier to figure out
how exactly elfutils is tested.
[v3]
The test handles infinite loops much better now.
In https://sourceware.org/bugzilla/show_bug.cgi?id=28715#c4 it took
it about 5 hours on Packit to discover an infinite loop on 32 bit
platforms because it didn't enforce any timeouts. It was fixed
by passing --tmout_sigvtalrm to honggfuzz (which treats timeouts
as normal crashes) and by additionally running the fuzz target
with timeout -s9.
[v2]
1) In https://sourceware.org/pipermail/elfutils-devel/2021q4/004541.html
it was pointed out that build-fuzzers.sh is too tied to OSS-Fuzz
and while it was kind of decoupled from it as much as possible
in the sense that it was enough to install clang and run the script to build
the fuzz target with libFuzzer it's true that it can't be integrated smoothly
into buildbot for example where gcc is used and various configure options
control what exactly is testsed. To address that, `--enable-honggfuzz` is
introduced. It looks for hfuzz-gcc, hfuzz-g++ and honggfuzz and if
they exist elfutils is built with those wrappers and the fuzz target
is additionally run for a few minutes under honggfuzz to make
regression testing more effective. It was tested on Fedora 35 and
in https://github.com/evverx/elfutils/pull/53 on Ubuntu Focal with both gcc and
clang with and without sanitizers/Valgrind
and with two versions of honggfuzz (including the latest stable version).
To make it work on Ubuntu the following commands should be run
```
apt-get install libbfd-dev libunwind8-dev
git clone https://github.com/google/honggfuzz
cd honggfuzz
git checkout 2.4
make
make PREFIX=/usr install
cd PATH/TO/ELFUTILS
autoreconf -i -f
./configure --enable-maintainer-mode --enable-honggfuzz
make check V=1 VERBOSE=1 # FUZZ_TIME can be optionally passed
```
If hongfuzz is installed elsewhere it's possible to point
configure to it with CC, CXX and HONGGFUZZ
```
./configure CC=path-to-hfuzz-gcc CXX=path-to-hfuzz-g++ HONGGFUZZ=path-to-honggfuzz
```
I decided to use honggfuzz instead of AFL because AFL doesn't seem
to be maintained actively anymore. Other than that I can't seem to
make it work with various combinations of compilers, sanitizers and
so on. But thanks to the way the fuzz target is written it should
be possible to add it eventually by analogy with honggfuzz.
2) fuzz-dwfl-core-corpus was renamed to fuzz-dwfl-core-crashes to
make it more clear that it isn't exaclty a seed corpus.
3) run-strip-g.sh and run-strip-nothing.sh started to compile test programs
using temporary files instead of gcc -xc -. It should address
https://github.com/google/honggfuzz/issues/431 but more generally
autoconf uses temporary files to make sure compiler works so
it seems in general it's safer to rely on compiler features that
are known to work.
4) A comment was added where I tried to expand on why the fuzz target
is written that way.
[v1]
The fuzz target was integrated into OSS-Fuzz in
https://github.com/google/oss-fuzz/pull/6944 and since then it
has been running there continously (uncovering various issues
along the way). It's all well and good but since OSS-Fuzz
is far from the elfutils repository it's unnecessarily hard
to build the fuzz target locally, verify patches and more generally
test new code to make sure that it doesn't introduce new issues (
or reintroduce regressions). This patch aims to address all those
issues by moving the fuzz target into the elfutils repository,
integrating it into the testsuite and also providing a script
that can be used to build full-fledged fuzzers utilizing libFuzzer.
With this patch applied `make check` can be used to make sure
that files kept in tests/fuzz-dwfl-core-corpus don't crash the
code on various architecures.
`--enable-sanitize-{address,undefined}` and/or `--enable-valgrind`
can additionally be used to uncover issues like
https://sourceware.org/bugzilla/show_bug.cgi?id=28685
that don't always manifest themselves in simple segfaults. On top
of all that now the fuzz target can be built and linked against
libFuzzer locally by just running `./tests/build-fuzzers.sh`.
The patch was tested in https://github.com/evverx/elfutils/pull/53 :
* the testsuite was run on aarch64, armhfp, i386, ppc64le, s390x
and x86_64
* Fedora packages were built on those architectures;
* elfutils was built with both clang and gcc with and without sanitizers
to make sure the tests pass there;
* `make distcheck` passed;
* coverage reports were built to make sure "static" builds are intact;
* the fuzz target was built and run with ClusterFuzzLite to make sure
it's still compatible with OSS-Fuzz;
* the code was analyzed by various static analyzers to make sure new alerts
aren't introduced.
Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
---
ChangeLog | 4 +
configure.ac | 39 ++++++++
tests/.gitignore | 1 +
tests/ChangeLog | 8 ++
tests/Makefile.am | 34 ++++++-
tests/build-fuzzers.sh | 95 ++++++++++++++++++
tests/fuzz-dwfl-core-crashes/bugzilla-28660 | Bin 0 -> 20890 bytes
tests/fuzz-dwfl-core-crashes/empty | 0
tests/fuzz-dwfl-core-crashes/oss-fuzz-41566 | Bin 0 -> 1553 bytes
tests/fuzz-dwfl-core-crashes/oss-fuzz-41570 | Bin 0 -> 1233 bytes
tests/fuzz-dwfl-core-crashes/oss-fuzz-41572 | Bin 0 -> 4872 bytes
tests/fuzz-dwfl-core.c | 58 +++++++++++
tests/fuzz-main.c | 43 +++++++++
tests/fuzz.h | 9 ++
tests/run-fuzz-dwfl-core.sh | 102 ++++++++++++++++++++
tests/run-strip-g.sh | 7 +-
tests/run-strip-nothing.sh | 7 +-
17 files changed, 400 insertions(+), 7 deletions(-)
create mode 100755 tests/build-fuzzers.sh
create mode 100644 tests/fuzz-dwfl-core-crashes/bugzilla-28660
create mode 100644 tests/fuzz-dwfl-core-crashes/empty
create mode 100644 tests/fuzz-dwfl-core-crashes/oss-fuzz-41566
create mode 100644 tests/fuzz-dwfl-core-crashes/oss-fuzz-41570
create mode 100644 tests/fuzz-dwfl-core-crashes/oss-fuzz-41572
create mode 100644 tests/fuzz-dwfl-core.c
create mode 100644 tests/fuzz-main.c
create mode 100644 tests/fuzz.h
create mode 100755 tests/run-fuzz-dwfl-core.sh
@@ -1,3 +1,7 @@
+2021-12-26 Evgeny Vereshchagin <evvers@ya.ru>
+
+ * configure.ac: Add --enable-afl and --enable-honggfuzz.
+
2021-12-04 Mark Wielaard <mark@klomp.org>
* configure.ac: Add --enable-sanitize-address.
@@ -87,6 +87,43 @@ AS_IF([test "$use_locks" = yes],
AH_TEMPLATE([USE_LOCKS], [Defined if libraries should be thread-safe.])
+AC_ARG_ENABLE([afl],
+AS_HELP_STRING([--enable-afl],[run fuzzers with afl]), [use_afl=$enableval], [use_afl=no])
+if test "$use_afl" = yes; then
+ AC_CHECK_PROG(CC, afl-gcc, afl-gcc)
+ if test -z "$CC"; then
+ AC_MSG_ERROR([failed to find afl-gcc])
+ fi
+ AC_CHECK_PROG(CXX, afl-g++, afl-g++)
+ if test -z "$CXX"; then
+ AC_MSG_ERROR([failed to find afl-g++])
+ fi
+ AC_CHECK_PROG(AFL_FUZZ, afl-fuzz, afl-fuzz)
+ if test -z "$AFL_FUZZ"; then
+ AC_MSG_ERROR([failed to find afl-fuzz])
+ fi
+fi
+
+AC_ARG_ENABLE([honggfuzz],
+AS_HELP_STRING([--enable-honggfuzz],[run fuzzers with honggfuzz]), [use_honggfuzz=$enableval], [use_honggfuzz=no])
+if test "$use_honggfuzz" = yes; then
+ if test "$use_afl" = yes; then
+ AC_MSG_ERROR([cannot enable afl and honggfuzz together])
+ fi
+ AC_CHECK_PROG(CC, hfuzz-gcc, hfuzz-gcc)
+ if test -z "$CC"; then
+ AC_MSG_ERROR([failed to find hfuzz-gcc])
+ fi
+ AC_CHECK_PROG(CXX, hfuzz-g++, hfuzz-g++)
+ if test -z "$CXX"; then
+ AC_MSG_ERROR([failed to find hfuzz-g++])
+ fi
+ AC_CHECK_PROG(HONGGFUZZ, honggfuzz, honggfuzz)
+ if test -z "$HONGGFUZZ"; then
+ AC_MSG_ERROR([failed to find honggfuzz])
+ fi
+fi
+
AC_PROG_CC_C99
AC_PROG_RANLIB
AC_PROG_YACC
@@ -831,6 +868,8 @@ AC_MSG_NOTICE([
debug branch prediction : ${use_debugpred}
gprof support : ${use_gprof}
gcov support : ${use_gcov}
+ run fuzzers with honggfuzz : ${use_honggfuzz}
+ run fuzzers with AFL : ${use_afl}
run all tests under valgrind : ${use_valgrind}
gcc undefined behaviour sanitizer : ${use_undefined}
gcc address sanitizer : ${use_address}
@@ -66,6 +66,7 @@
/find-prologues
/funcretval
/funcscopes
+/fuzz-dwfl-core
/get-aranges
/get-files
/get-lines
@@ -1,3 +1,11 @@
+2021-12-26 Evgeny Vereshchagin <evvers@ya.ru>
+
+ * Makefile.am: Integrate fuzz-dwfl-core into the testsuite and add a
+ script linking it against libFuzzer.
+ * run-strip-g.sh,run-strip-nothing.sh: Switch to temporary files
+ instead of using CC -xc - to get around a honggfuzz issue mentioned at
+ https://github.com/google/honggfuzz/issues/431 .
+
2021-12-17 Mark Wielaard <mark@klomp.org>
* run-debuginfod-query-retry.sh: Use /bin/sh instead of /bin/ls.
@@ -62,6 +62,7 @@ check_PROGRAMS = arextract arsymtest newfile saridx scnnames sectiondump \
getphdrnum leb128 read_unaligned \
msg_tst system-elf-libelf-test \
nvidia_extended_linemap_libdw \
+ fuzz-dwfl-core \
$(asm_TESTS)
asm_TESTS = asm-tst1 asm-tst2 asm-tst3 asm-tst4 asm-tst5 \
@@ -197,7 +198,8 @@ TESTS = run-arextract.sh run-arsymtest.sh run-ar.sh newfile test-nlist \
msg_tst system-elf-libelf-test \
$(asm_TESTS) run-disasm-bpf.sh run-low_high_pc-dw-form-indirect.sh \
run-nvidia-extended-linemap-libdw.sh run-nvidia-extended-linemap-readelf.sh \
- run-readelf-dw-form-indirect.sh run-strip-largealign.sh
+ run-readelf-dw-form-indirect.sh run-strip-largealign.sh \
+ run-fuzz-dwfl-core.sh
if !BIARCH
export ELFUTILS_DISABLE_BIARCH = 1
@@ -580,14 +582,19 @@ EXTRA_DIST = run-arextract.sh run-arsymtest.sh run-ar.sh \
run-readelf-dw-form-indirect.sh testfile-dw-form-indirect.bz2 \
run-nvidia-extended-linemap-libdw.sh run-nvidia-extended-linemap-readelf.sh \
testfile_nvidia_linemap.bz2 \
- testfile-largealign.o.bz2 run-strip-largealign.sh
+ testfile-largealign.o.bz2 run-strip-largealign.sh \
+ run-fuzz-dwfl-core.sh \
+ fuzz-dwfl-core-crashes/empty \
+ fuzz-dwfl-core-crashes/bugzilla-28660 \
+ fuzz-dwfl-core-crashes/oss-fuzz-41566 \
+ fuzz-dwfl-core-crashes/oss-fuzz-41570 \
+ fuzz-dwfl-core-crashes/oss-fuzz-41572
if USE_VALGRIND
valgrind_cmd=valgrind -q --leak-check=full --error-exitcode=1
endif
-
installed_TESTS_ENVIRONMENT = libdir='$(DESTDIR)$(libdir)'; \
bindir='$(DESTDIR)$(bindir)'; \
LC_ALL=C; LANG=C; \
@@ -595,9 +602,13 @@ installed_TESTS_ENVIRONMENT = libdir='$(DESTDIR)$(libdir)'; \
abs_srcdir='$(abs_srcdir)'; \
abs_builddir='$(abs_builddir)'; \
abs_top_builddir='$(abs_top_builddir)'; \
+ afl_fuzz='$(AFL_FUZZ)'; \
+ honggfuzz='$(HONGGFUZZ)'; \
export abs_srcdir; export abs_builddir; \
export abs_top_builddir; \
export libdir; export bindir; \
+ export afl_fuzz; \
+ export honggfuzz; \
export LC_ALL; export LANG; export VALGRIND_CMD; \
unset DEBUGINFOD_URLS; \
NM='$(NM)'; export NM; \
@@ -609,8 +620,12 @@ TESTS_ENVIRONMENT = LC_ALL=C; LANG=C; VALGRIND_CMD='$(valgrind_cmd)'; \
abs_srcdir='$(abs_srcdir)'; \
abs_builddir='$(abs_builddir)'; \
abs_top_builddir='$(abs_top_builddir)'; \
+ afl_fuzz='$(AFL_FUZZ)'; \
+ honggfuzz='$(HONGGFUZZ)'; \
export abs_srcdir; export abs_builddir; \
export abs_top_builddir; \
+ export afl_fuzz; \
+ export honggfuzz; \
export LC_ALL; export LANG; export VALGRIND_CMD; \
unset DEBUGINFOD_URLS; \
NM='$(NM)'; export NM; \
@@ -755,6 +770,19 @@ leb128_LDADD = $(libelf) $(libdw)
read_unaligned_LDADD = $(libelf) $(libdw)
nvidia_extended_linemap_libdw_LDADD = $(libelf) $(libdw)
+# Fuzz targets are split into two files so that they can be
+# compatible with the test suite, OSS-Fuzz and various fuzzing
+# engines. OSS-Fuzz takes files containing LLVMFuzzerTestOneInput
+# and links them against libFuzzer, AFL++ and honggfuzz.
+# The testsuite links them against fuzz-main.c (which is a local driver reading
+# files into buffers and passing those buffers to LLVMFuzzerTestOneInput).
+# And various fuzzing engines working with binaries reading files
+# they generate can be used as well because fuzz-main.c provides
+# exactly what they expect.
+noinst_HEADERS=fuzz.h
+fuzz_dwfl_core_SOURCES = fuzz-main.c fuzz-dwfl-core.c
+fuzz_dwfl_core_LDADD = $(libelf) $(libdw)
+
# We want to test the libelf header against the system elf.h header.
# Don't include any -I CPPFLAGS. Except when we install our own elf.h.
if !INSTALL_ELFH
new file mode 100755
@@ -0,0 +1,95 @@
+#!/bin/bash -eu
+
+# This script is supposed to be compatible with OSS-Fuzz, i.e. it has to use
+# environment variables like $CC, $CFLAGS and $OUT, link the fuzz targets with CXX
+# (even though the project is written in C) and so on:
+# https://google.github.io/oss-fuzz/getting-started/new-project-guide/#buildsh
+
+# The fuzz targets it builds can't make any assumptions about
+# their runtime environment apart from /tmp being writable:
+# https://google.github.io/oss-fuzz/further-reading/fuzzer-environment/ .
+# Even though it says there that it's possible to link fuzz targets against
+# their dependencies dynamically by moving them to $OUT and changing
+# rpath, it tends to break coverage reports from time to time https://github.com/google/oss-fuzz/issues/6524
+# so all the dependencies are linked statically here.
+
+# This script is configured via https://github.com/google/oss-fuzz/blob/master/projects/elfutils/project.yaml
+# and used to build the elfutils project on OSS-Fuzz with three fuzzing engines
+# (libFuzzer, AFL++ and honggfuzz) on two architectures (x86_64 and i386)
+# with three sanitizers (ASan, UBSan and MSan) with coverage reports on top of
+# all that: https://oss-fuzz.com/coverage-report/job/libfuzzer_asan_elfutils/latest
+# so before changing anything ideally it should be tested with the OSS-Fuzz toolchain
+# described at https://google.github.io/oss-fuzz/advanced-topics/reproducing/#building-using-docker
+# by running something like:
+#
+# ./infra/helper.py pull_images
+# ./infra/helper.py build_image --no-pull elfutils
+# for sanitizer in address undefined memory; do
+# for engine in libfuzzer afl honggfuzz; do
+# ./infra/helper.py build_fuzzers --clean --sanitizer=$sanitizer --engine=$engine elfutils PATH/TO/ELFUTILS
+# ./infra/helper.py check_build --sanitizer=$sanitizer --engine=$engine -e ALLOWED_BROKEN_TARGETS_PERCENTAGE=0 elfutils
+# done
+# done
+#
+# ./infra/helper.py build_fuzzers --clean --architecture=i386 elfutils PATH/TO/ELFUTILS
+# ./infra/helper.py check_build --architecture=i386 -e ALLOWED_BROKEN_TARGETS_PERCENTAGE=0 elfutils
+#
+# ./infra/helper.py build_fuzzers --clean --sanitizer=coverage elfutils PATH/TO/ELFUTILS
+# ./infra/helper.py coverage --no-corpus-download --fuzz-target=fuzz-dwfl-core --corpus-dir=PATH/TO/ELFUTILS/tests/fuzz-dwfl-core-crashes/ elfutils
+#
+# It should be possible to eventually automate that with ClusterFuzzLite https://google.github.io/clusterfuzzlite/
+# but it doesn't seem to be compatible with buildbot currently.
+
+# The script can also be used to build and run the fuzz target locally without Docker.
+# After installing clang and the build dependencies of libelf by running something
+# like `dnf build-dep elfutils-devel` on Fedora or `apt-get build-dep libelf-dev`
+# on Debian/Ubuntu, the following commands should be run:
+#
+# $ ./tests/build-fuzzers.sh
+# $ ./out/fuzz-dwfl-core tests/fuzz-dwfl-core-crashes/
+
+set -eux
+
+cd "$(dirname -- "$0")/.."
+
+SANITIZER=${SANITIZER:-address}
+flags="-O1 -fno-omit-frame-pointer -g -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=$SANITIZER -fsanitize=fuzzer-no-link"
+
+export CC=${CC:-clang}
+export CFLAGS=${CFLAGS:-$flags}
+
+export CXX=${CXX:-clang++}
+export CXXFLAGS=${CXXFLAGS:-$flags}
+
+export OUT=${OUT:-"$(pwd)/out"}
+mkdir -p "$OUT"
+
+export LIB_FUZZING_ENGINE=${LIB_FUZZING_ENGINE:--fsanitize=fuzzer}
+
+make clean || true
+
+# ASan isn't compatible with -Wl,--no-undefined: https://github.com/google/sanitizers/issues/380
+find -name Makefile.am | xargs sed -i 's/,--no-undefined//'
+
+# ASan isn't compatible with -Wl,-z,defs either:
+# https://clang.llvm.org/docs/AddressSanitizer.html#usage
+sed -i 's/^\(ZDEFS_LDFLAGS=\).*/\1/' configure.ac
+
+autoreconf -i -f
+if ! ./configure --enable-maintainer-mode --disable-debuginfod --disable-libdebuginfod \
+ --without-bzlib --without-lzma --without-zstd \
+ CC="$CC" CFLAGS="-Wno-error $CFLAGS" CXX="-Wno-error $CXX" CXXFLAGS="$CXXFLAGS" LDFLAGS="$CFLAGS"; then
+ cat config.log
+ exit 1
+fi
+
+ASAN_OPTIONS=detect_leaks=0 make -j$(nproc) V=1
+
+$CC $CFLAGS \
+ -D_GNU_SOURCE -DHAVE_CONFIG_H \
+ -I. -I./lib -I./libelf -I./libebl -I./libdw -I./libdwelf -I./libdwfl -I./libasm \
+ -c tests/fuzz-dwfl-core.c -o fuzz-dwfl-core.o
+$CXX $CXXFLAGS $LIB_FUZZING_ENGINE fuzz-dwfl-core.o \
+ ./libdw/libdw.a ./libelf/libelf.a -l:libz.a \
+ -o "$OUT/fuzz-dwfl-core"
+zip -r -j "$OUT/fuzz-dwfl-core_seed_corpus.zip" tests/fuzz-dwfl-core-crashes
new file mode 100644
GIT binary patch
literal 20890
zcmeHPUx<`d6u+*c>z}gKEZ5fTTQL$s9sfjIseGINAi^e5sE1-iYc)g{bwNVdji?Nw
zq9US)+zor^r8X)Eg4#$bddVQldZ>s*p^SRa!lLQ?&OPUwJ9lShXU5rSX6HL_=iGb0
zd+xdS+;jh(d++pbymM2_q)A30Vb+;!$e2(+I5;$2=4uL`CYO--wkg>JEm^NQdASpC
zyx_sKfkXx!L!WMU60{B2K%2w~1|73XN__IRq3>Nfi8iC@rZGRI3p?`AW%`wz>3c;I
zil@=nRBJAs$4B{saw;+l@k5aI_!Xh!a;7Yq39g^HAX_S<`J0qTS@MbGvQ_AMZ^)&S
zXfr(5`W!mumzD&<ntXJb-v&8V#9t(%x#r@2PpKwDsXEu}IIwf~x*3!-l;qRi%Bl*K
zYC3&sH}hBlg<WpO654%*^(a=ML_#Pa+`&I=u@$>?%&$#_+CpU^kZ|IN<)_%CLnDv8
zVChDV=i;!#(!IC9Vx>bW&>eoora$~fE>?Y047~%OjBs5x`6#>?i3k)UEg*IJ&@TAb
z+-C`WoM`1_Cc-vo?j|}`VhN9hRP0-YUqQLdv^j->RhdvmsOMyIo40H?E7w2$_VDWO
zwtas7sfQof@Zc?fe(}>GP|hZ|h#b-Zt|JE-VPHU2pkoldmi=1tUq%jX3YJ%r3&;Ti
z{AA8+(;$l!l?O#yf7jNH_$sA@H^+Y_lgS{i=aJdwgZWvExO^}uYMbv{DRE)ajv>K4
zbLToEl@V<~)#o6e;h~NB`mkwl?dJF;_geaP!Kf>Ms>5*83d?7ejW#qvuuu8kDDmNA
z-F-P@lf)N7$_Fw&N)FAZGB!GHO${m5n6s130J%}J-FaZg!QGs~{w!P0F@Y1s-hZej
zew-7guNR$Qh2C?8=}^b{q?1rVtz&1Dyo1|MyG!QpUp~YqRaezTs5xMlMUlFPG*@EI
zLw5<tb;)<|1gO4BuQq0I1GhW6hzmT#QN+@{d-nAmUfQ#-Z~5L`OII#iwPM-9{S?pn
zk#a%5v=05+=iH3QKR|u3sKmYW97G?kd%$Ei$y*`$g)X$p@zafC7@Z3WVUnUY*#%C=
zc!DTfC|LVAic+hg9D|;}%tSe`Mr|ht2*}CGhsD%M;d$g-pdp+A{qibuEJ&8A?E|yy
zXQQ*Z1kE+%SxC+u-a(5pfE@iUNOYU_z^s0<B{(sqbs%xd+!~mc&cvhLC*Ev3zGM;7
za@Qi}Iu2kO(|Un7^2gMLvY}omFL<Lo0lCjQrX2g>-2P|2dFbL$`qk&Ae!F(>g`YoK
zc=i<G`(N(wd4ketJ1GWVK#}(HS92wA5%Ln+DJFwDhG6VLyti-!q7#IN(Ppe8p`>l*
zy@iMX`rApa>H75VFCO`1){kpveEt67wQYUd_S}5OyU%~wdv4q7uigI6;~!72r!5sX
zRlKDdmo1fagGv#Wco<UR9jTRI3DaV{Bc&NU-jSMkM@o7S??@{hc`Kl6xE-m~u|_*m
zZ@23R*fE;Pk{aVY@9>h6ELFOh-pM%fk|D7?fSn3Z9@V9%e(BP)aC7jtdTjBh1kZ|`
zLrFYt7XPn=fwxssOTS_@twrtbSo}GM3AQ{vQ#tsD1R9PG3B<g}-G^jXgTn&Y@Y$*Y
zT*P8g^`%)+3zL{t11eL~TbSbAC{)ul`*w<jP~D$+hJjMiQae6VW;u*HYmW~i8s{LQ
z7Sn`3V2pii5nl`7W9j%>01q&g|J3+e02kET_vk)H_dSX=zS#cfS7fMHofNx-FccTO
z+7nMt+#d1tWY48p81hrbIeAwzos)}rbR+FvrFF$u=#oj)mjg*H#@L9qz}NsfzT%UV
zlw!<}=+xuUNBop-mS;07f$n4vU3MtL)>g@Jw-zH8JD2b-<bL_LBr{wIM;@GQ4KLyG
z<*vWjj5xL-5v>P6%O53&ODB4{E6*i7T*RyR5*}rpA5^0n;i70!+mBQ)Al&q}ACiII
zDpIV<R>W3U{xY4|-~mEjLg@q;E<$oX#J7taiD)PEFxsq=;WnBUQo>`xyj-CA)a)F?
zYYbg>>-t@>#z#VT&N1Sb3*{b0#49i9vYz%;IuuB59*S39Rv`cD%FAn$`U=LjZENGN
zN8>>ts=~Oj-%Hh((ogWxgn8<x%W!-udG6hkn^Cm#2_$~Jtsck91g;xB14&Bx>eNaS
z$+6O9ds^yO-3Q0?XiYRj)+8t=Lt5}inD>#Re2r0+BoJJ3KH32kI}OVF%n{*`w69Ym
zerfS3cIa3&0#ONh-5AkHI^7~EMrv#B6uM#iDl(#rJa!Ux>6l+q={Dt8yaCC;FQ?Ll
zn{(-kl+*6Ng<q;nIy_$nq|2mB3tjJ=oY%$r2tLBKy<KJNVgkZdwXiv@BrF;Y;Thlr
z2YqQNjfIYht}&rrspv33^@`2mR-e(%@nc(-#n`u2#2juVSNd|A(yQh*g4zXAKgNx{
z{gmZJ{C6GFq(JfCb=ZHdVUaY*-*r^s4^$itsFoMUg0hhHvP7)iILL?bwiqbCr0}a#
o3xJf)Lrr3>Z=^qVkrs-d(Rr$xFIcDV>U3n%GoXA$mpeKC0T2%d<p2Nx
literal 0
HcmV?d00001
new file mode 100644
new file mode 100644
GIT binary patch
literal 1553
zcmb<-^>JfjWK@8F|4<r1IWRx~LIlYA|Np-L14M)cC=Fr>fEZ9VL<T}KGT{)1sfFv4
zUU)AQVivOgk-<g|cVzZp@;xxpL4YbwB4i4>JUX8$ju<rrO9()6D<mHh!)664a$sa&
zU<1<5{z0w`Xl5eE95NeC848yfYVm&sNSOdFA{Z>7;vhRg07Vl897w_@)^+$TB4i4>
TJctkTAH-MG^A~=X;*bRZ0NBqd
literal 0
HcmV?d00001
new file mode 100644
GIT binary patch
literal 1233
zcmb<-^>JfjWK_Tf7#Sb{Ro;R@j6vZ)5TFXvi#KpK)60jW_Kb!A{ty6VOppp_{$x;q
U@IXR1zy$|x8Hg$z3WkL+07HkLIsgCw
literal 0
HcmV?d00001
new file mode 100644
GIT binary patch
literal 4872
zcmeHJUrSU$6hE42VVcHLra{*S=^y*YEb$@YMy(<UEk=+Kv}Ir$W{aEPoAwa&G1hOe
z&q3u!@DubL^wML{!*<Wi?{}RUE!ylw+<|+~pE<vK&YU@O&ukRuraL=2griGt%dR96
zbHbsqOvzcuU7!QU9Rr8m>2m~!RUZZ$K^cu~eR=2@41f=);*6^T<_iIipV$Xy{1MmR
zI&Np_m`EwW1%3pw#@Vg0#QI7``R{Qi&XR>mG}e1z1H2OYD|K3><Im)!Y}Hb|<l~^0
zMrIGr_#-a5wLh+ItWy7JjS#mT?~h}=PMn^<od7qEKntJ_PV?Chwa6XcAMHs4oNNPF
z2ykWSNgbStGr~&i_k4e_OZUUU+4=;o5#ZoXWbghNe+A;EeSgGlf^qzLxOm3L{UJ_U
zpYT^|5my4P+#;?FT=h(*>D4v!L2B2j)@FUx<m~C#9`<pu(e9ozCog6n8o<ejkBfjK
z1x_)#H1&J;{(Mobdi90j^3*N89h6V!MM$X+Y5jDlX-$stuZtdKytN=>(u2=6wu*iY
zKtI%DYya|s#SejEN2G~ybKL%`CV)#CgyHD-8ualy`@J8)LH%1oKbqtB$)h{N9Lqdl
z-LYZ5CX@Owr=*LkPirq=sw9^;n#fTdh}GCOlV^5j_5ow#o-_UfIrs;##uO*c^}I5s
z(eyjEu6fLxKfis}DRZ`!!Nj2Q$#`yw$-T0%>ATH7bH);R3iIky2iMNp68r~G*y;3r
z5*%xkINd`Xrz|mhsw}SsoacX?@;TU(B*)8)g~zsbhat1}FGBvlVdr_&DzL|NN_2fM
zlh}%Lv(wBebI6<t?<C<JgK})oNm>_>c}HMusnh?>@GereaisnrOV#SJ1(Mz+!n*-w
z^!_o%$-4l0dzA}iuSf6xKz-WF?SCQFvsa_{exyBnYS<$wH*622xj>eJ?Kz{2lRXbT
z><ablY3NZ`q0hg0RkgnjX^CB{t>%|2&+_Y2lTRjZWS1)|YwOvil{Hl^X0PWa#&fmT
hlK0IROPjVc(9Xco%Rq8BVsAToi*K*Eoq@xVfnU&q=l%cy
literal 0
HcmV?d00001
new file mode 100644
@@ -0,0 +1,58 @@
+#include <assert.h>
+#include <config.h>
+#include <stdlib.h>
+#include ELFUTILS_HEADER(dwfl)
+#include "fuzz.h"
+#include "system.h"
+
+/* This fuzz target was initially used to fuzz systemd and
+ there elfutils is hidden behind functions receiving file
+ names and file descriptors. To cover that code the fuzz
+ target converts bytes it receives into temporary files
+ and passes their file descriptors to elf_begin instead of calling
+ something like elf_memory (which can process bytes directly).
+ New fuzzers covering elfutils should avoid this pattern. */
+
+static const Dwfl_Callbacks core_callbacks =
+ {
+ .find_elf = dwfl_build_id_find_elf,
+ .find_debuginfo = dwfl_standard_find_debuginfo,
+ };
+
+int
+LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
+{
+ char name[] = "/tmp/fuzz-dwfl-core.XXXXXX";
+ int fd = -1;
+ off_t offset;
+ ssize_t n;
+ Elf *core = NULL;
+ Dwfl *dwfl = NULL;
+
+ fd = mkstemp (name);
+ assert (fd >= 0);
+
+ n = write_retry (fd, data, size);
+ assert (n >= 0);
+
+ offset = lseek (fd, 0, SEEK_SET);
+ assert (offset == 0);
+
+ elf_version (EV_CURRENT);
+ core = elf_begin (fd, ELF_C_READ_MMAP, NULL);
+ if (core == NULL)
+ goto cleanup;
+ dwfl = dwfl_begin (&core_callbacks);
+ assert(dwfl != NULL);
+ if (dwfl_core_file_report (dwfl, core, NULL) < 0)
+ goto cleanup;
+ if (dwfl_report_end (dwfl, NULL, NULL) != 0)
+ goto cleanup;
+
+cleanup:
+ dwfl_end (dwfl);
+ elf_end (core);
+ close (fd);
+ unlink (name);
+ return 0;
+}
new file mode 100644
@@ -0,0 +1,43 @@
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include "fuzz.h"
+
+int
+main (int argc, char **argv)
+{
+ for (int i = 1; i < argc; i++)
+ {
+ fprintf (stderr, "Running: %s\n", argv[i]);
+
+ FILE *f = fopen (argv[i], "r");
+ assert (f);
+
+ int p = fseek (f, 0, SEEK_END);
+ assert (p >= 0);
+
+ long len = ftell (f);
+ assert (len >= 0);
+
+ p = fseek (f, 0, SEEK_SET);
+ assert (p >= 0);
+
+ void *buf = malloc (len);
+ assert (buf != NULL || len == 0);
+
+ size_t n_read = fread (buf, 1, len, f);
+ assert (n_read == (size_t) len);
+
+ (void) fclose (f);
+
+ int r = LLVMFuzzerTestOneInput (buf, len);
+
+ /* Non-zero return values are reserved by LibFuzzer for future use
+ https://llvm.org/docs/LibFuzzer.html#fuzz-target */
+ assert (r == 0);
+
+ free (buf);
+
+ fprintf (stderr, "Done: %s: (%zd bytes)\n", argv[i], n_read);
+ }
+}
new file mode 100644
@@ -0,0 +1,9 @@
+#ifndef _FUZZ_H
+#define _FUZZ_H 1
+
+#include <stddef.h>
+#include <stdint.h>
+
+int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size);
+
+#endif /* fuzz.h */
new file mode 100755
@@ -0,0 +1,102 @@
+#!/bin/sh
+
+. $srcdir/test-subr.sh
+
+# Valgrind is turned off because hongfuzz and AFL keep track of
+# processes and signals they receive and valgrind shouldn't
+# interfer with that. Apart from that it reports memory leaks
+# in timeout we aren't interested in:
+#==53620== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1
+#==53620== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
+#==53620== by 0x4860959: timer_create@@GLIBC_2.3.3 (timer_create.c:59)
+#==53620== by 0x10AFCD: ??? (in /usr/bin/timeout)
+#==53620== by 0x10AC18: ??? (in /usr/bin/timeout)
+#==53620== by 0x48B00B2: (below main) (libc-start.c:308)
+#==53620==
+unset VALGRIND_CMD
+
+# honggfuzz sets ASAN and UBSAN options compatible with it
+# so they are reset early to prevent the environment from
+# affecting the test
+unset ASAN_OPTIONS
+unset UBSAN_OPTIONS
+
+fuzz_time=${FUZZ_TIME:-180}
+timeout=30
+
+# run_one is used to process files without honggfuzz
+# to get backtraces that otherwise can be borked in honggfuzz runs
+# so it has to set ASAN and UBSAN options itself
+run_one()
+{
+ testrun timeout -s9 $timeout env \
+ ASAN_OPTIONS=allocator_may_return_null=1 \
+ UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1 \
+ ${abs_builddir}/fuzz-dwfl-core "$1"
+}
+
+# Here the fuzz target processes files one by one to be able
+# to catch memory leaks and other issues that can't be discovered
+# with honggfuzz.
+find ${abs_srcdir}/fuzz-dwfl-core-crashes/ -type f | while read file; do
+ run_one $file || { echo "*** failure in $file"; printf "$file\n" >>CRASHES; }
+done
+
+if [ -n "$honggfuzz" ]; then
+ tempfiles log
+
+ testrun $honggfuzz --run_time $fuzz_time -n 1 -v --exit_upon_crash \
+ -i ${abs_srcdir}/fuzz-dwfl-core-crashes/ \
+ -t $timeout --tmout_sigvtalrm \
+ -o OUT \
+ --logfile log \
+ -- ${abs_builddir}/fuzz-dwfl-core ___FILE___
+
+ rm -rf OUT
+
+ # hongfuzz always exits successfully so to tell "success" and "failure" apart
+ # it's necessary to look for reports it leaves when processes it monitors crash.
+ # Eventually it will be possible to pass --exit_code_upon_crash, which combined
+ # with --exit_upon_crash can be used to get honggfuzz to fail, but it hasn't been
+ # released yet. Initially it was used but on machines with the latest stable release
+ # tests that should have failed passed, which led to https://github.com/google/honggfuzz/pull/432
+ if [ -f HONGGFUZZ.REPORT.TXT ]; then
+ tail -n 25 log
+ cat HF.sanitizer.log* || true
+ cat HONGGFUZZ.REPORT.TXT
+ for crash in $(sed -n 's/^FUZZ_FNAME: *//p' HONGGFUZZ.REPORT.TXT); do
+ run_one $crash || { printf "$crash\n" >>CRASHES; }
+ done
+ fi
+fi
+
+if [ -n "$afl_fuzz" ]; then
+ # ASAN_OPTIONS and UBSAN_OPTIONS are compatible with both AFL and AFL++. They were borrowed from
+ # https://github.com/AFLplusplus/AFLplusplus/blob/74a8f145e09d0361d8f576eb3f2e8881b6116f18/src/afl-forkserver.c#L523
+ common_san_opts="abort_on_error=1:malloc_context_size=0:symbolize=0:allocator_may_return_null=1"
+ handle_san_opts="handle_segv=0:handle_sigbus=0:handle_abort=0:handle_sigfpe=0:handle_sigill=0"
+
+ testrun timeout --preserve-status $fuzz_time \
+ env AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 \
+ ASAN_OPTIONS="$common_san_opts:$handle_san_opts:detect_leaks=0:detect_odr_violation=0" \
+ UBSAN_OPTIONS="$common_san_opts:$handle_san_opts:halt_on_error=1" \
+ $afl_fuzz -i ${abs_srcdir}/fuzz-dwfl-core-crashes/ \
+ -t $(expr $timeout '*' 1000) \
+ -m none \
+ -o OUT \
+ -- ${abs_builddir}/fuzz-dwfl-core @@
+
+ find OUT/crashes OUT/hangs -type f | while read file; do
+ run_one $file || { printf "$file\n" >>CRASHES; }
+ done
+
+ [ -f CRASHES ] || rm -rf OUT
+fi
+
+if [ -f CRASHES ]; then
+ printf "Files triggering various crashes:\n"
+ cat CRASHES
+ exit 1
+fi
+
+exit 0
@@ -22,10 +22,13 @@
# debug sections and so there should not be a copy in the debug file
# except for a NOBITS one.
-tempfiles a.out strip.out debug.out readelf.out
+tmpfile=main.c
+
+tempfiles $tmpfile a.out strip.out debug.out readelf.out
echo Create debug a.out.
-echo "int main() { return 1; }" | ${CC} -g -xc -
+echo "int main() { return 1; }" >$tmpfile
+${CC} -g $tmpfile
echo strip -g to file with debug file
testrun ${abs_top_builddir}/src/strip -g -o strip.out -f debug.out ||
@@ -20,10 +20,13 @@
# If there is nothing to strip then -o output should be identical to input.
# And there should not be an (empty) -f debug file.
-tempfiles a.out strip.out debug.out
+tmpfile=main.c
+
+tempfiles $tmpfile a.out strip.out debug.out
# Create no-debug a.out.
-echo "int main() { return 1; }" | ${CC} -s -xc -
+echo "int main() { return 1; }" >$tmpfile
+${CC} -s $tmpfile
# strip to file
testrun ${abs_top_builddir}/src/strip -g -o strip.out ||