Initial commit of structured fuzzing support using libprotobuf-mutator.

Author: cmeister2

CMakeLists.txt

@@ -8,6 +8,44 @@ else()
 endif()
 
 include(ExternalProject)
+find_package(Protobuf REQUIRED)
+
+set(CURL_FUZZER_PROTO ${CMAKE_CURRENT_SOURCE_DIR}/schemas/curl_fuzzer.proto)
+protobuf_generate_cpp(CURL_FUZZER_PROTO_SRCS CURL_FUZZER_PROTO_HDRS
+    ${CURL_FUZZER_PROTO})
+
+add_library(curl_fuzzer_proto STATIC ${CURL_FUZZER_PROTO_SRCS})
+target_include_directories(curl_fuzzer_proto PUBLIC
+    ${CMAKE_CURRENT_BINARY_DIR}
+    ${PROTOBUF_INCLUDE_DIRS})
+target_link_libraries(curl_fuzzer_proto PUBLIC ${PROTOBUF_LIBRARIES})
+
+# Install libprotobuf-mutator
+#
+# renovate: datasource=github-tags depName=google/libprotobuf-mutator
+set(LIB_PROTO_MUTATOR_TAG master)
+set(LIB_PROTO_MUTATOR_INSTALL_DIR ${CMAKE_BINARY_DIR}/libprotobuf-mutator-install)
+set(LIB_PROTO_MUTATOR_INCLUDE_DIR ${LIB_PROTO_MUTATOR_INSTALL_DIR}/include)
+set(LIB_PROTO_MUTATOR_STATIC_LIB ${LIB_PROTO_MUTATOR_INSTALL_DIR}/lib/libprotobuf-mutator.a)
+set(LIB_PROTO_MUTATOR_FUZZER_LIB ${LIB_PROTO_MUTATOR_INSTALL_DIR}/lib/libprotobuf-mutator-libfuzzer.a)
+
+ExternalProject_Add(libprotobuf_mutator_external
+    GIT_REPOSITORY https://github.com/google/libprotobuf-mutator.git
+    GIT_TAG ${LIB_PROTO_MUTATOR_TAG}
+    PREFIX ${CMAKE_BINARY_DIR}/libprotobuf-mutator
+    CMAKE_ARGS
+        -DCMAKE_INSTALL_PREFIX=${LIB_PROTO_MUTATOR_INSTALL_DIR}
+        -DBUILD_SHARED_LIBS=OFF
+        -DLIB_PROTO_MUTATOR_DOWNLOAD_PROTOBUF=OFF
+        -DLIB_PROTO_MUTATOR_WITH_LIBFUZZER=ON
+        -DLIB_PROTO_MUTATOR_EXAMPLES=OFF
+        -DLIB_PROTO_MUTATOR_TESTING=OFF
+        -DCMAKE_POSITION_INDEPENDENT_CODE=ON
+    BUILD_BYPRODUCTS ${LIB_PROTO_MUTATOR_STATIC_LIB} ${LIB_PROTO_MUTATOR_FUZZER_LIB}
+    INSTALL_COMMAND ${CMAKE_COMMAND} --build . --target install
+    DOWNLOAD_EXTRACT_TIMESTAMP TRUE
+    DOWNLOAD_NO_PROGRESS 1
+)
 
 # Install zlib
 #
@@ -223,7 +261,8 @@ add_custom_target(deps
         zstd_external
         libidn2_external
         ${GDB_DEP}
-        openldap_external
+    openldap_external
+    libprotobuf_mutator_external
 )
 
 # Now for the main dependencies!
@@ -336,7 +375,11 @@ else()
 endif()
 
 # Common sources and flags
-set(COMMON_SOURCES curl_fuzzer.cc curl_fuzzer_tlv.cc curl_fuzzer_callback.cc)
+set(COMMON_SOURCES
+    curl_fuzzer.cc
+    curl_fuzzer_tlv.cc
+    curl_fuzzer_callback.cc
+    curl_fuzzer_scenario.cc)
 set(COMMON_FLAGS -g -DCURL_DISABLE_DEPRECATION)
 set(COMMON_LINK_LIBS
     ${CURL_LIB_DIR}/libcurl.a
@@ -348,19 +391,22 @@ set(COMMON_LINK_LIBS
     ${OPENLDAP_STATIC_LIB_LDAP}
     ${OPENLDAP_STATIC_LIB_LBER}
     ${LIB_FUZZING_ENGINE}
+    ${LIB_PROTO_MUTATOR_FUZZER_LIB}
+    ${LIB_PROTO_MUTATOR_STATIC_LIB}
+    curl_fuzzer_proto
     pthread
     m
 )
 set(COMMON_LINK_OPTIONS ${LIB_FUZZING_ENGINE_FLAG})
 
 # Ensure that curl and its dependencies are built before the fuzzers
-set(FUZZ_DEPS curl_external ${CURL_DEPS} ${LIB_FUZZING_ENGINE_DEP})
+set(FUZZ_DEPS curl_external ${CURL_DEPS} ${LIB_FUZZING_ENGINE_DEP} curl_fuzzer_proto libprotobuf_mutator_external)
 
 # Helper macro to define a fuzzer target
 macro(curl_add_fuzzer _name _proto)
     add_executable(${_name} ${COMMON_SOURCES})
     target_compile_options(${_name} PRIVATE ${COMMON_FLAGS} -DFUZZ_PROTOCOLS_${_proto})
-    target_include_directories(${_name} PRIVATE ${CURL_INCLUDE_DIRS})
+    target_include_directories(${_name} PRIVATE ${CURL_INCLUDE_DIRS} ${LIB_PROTO_MUTATOR_INCLUDE_DIR} ${LIB_PROTO_MUTATOR_INCLUDE_DIR}/libprotobuf-mutator)
     target_link_libraries(${_name} PRIVATE ${COMMON_LINK_LIBS})
     target_link_options(${_name} PRIVATE ${COMMON_LINK_OPTIONS})
     add_dependencies(${_name} ${FUZZ_DEPS})
@@ -387,7 +433,7 @@ curl_add_fuzzer(curl_fuzzer_ws        WS)
 # BUFQ fuzzer
 add_executable(curl_fuzzer_bufq fuzz_bufq.cc)
 target_compile_options(curl_fuzzer_bufq PRIVATE ${COMMON_FLAGS})
-target_include_directories(curl_fuzzer_bufq PRIVATE ${CURL_INCLUDE_DIRS})
+target_include_directories(curl_fuzzer_bufq PRIVATE ${CURL_INCLUDE_DIRS} ${LIB_PROTO_MUTATOR_INCLUDE_DIR} ${LIB_PROTO_MUTATOR_INCLUDE_DIR}/libprotobuf-mutator)
 target_link_libraries(curl_fuzzer_bufq PRIVATE ${COMMON_LINK_LIBS})
 target_link_options(curl_fuzzer_bufq PRIVATE ${COMMON_LINK_OPTIONS})
 add_dependencies(curl_fuzzer_bufq ${FUZZ_DEPS})

curl_fuzzer.cc

@@ -26,56 +26,40 @@
 #include <unistd.h>
 #include <curl/curl.h>
 #include "curl_fuzzer.h"
+#include "curl_fuzzer_scenario.h"
 
-/**
- * Fuzzing entry point. This function is passed a buffer containing a test
- * case.  This test case should drive the CURL API into making a request.
- */
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+#include <libprotobuf-mutator/src/libfuzzer/libfuzzer_macro.h>
+
+DEFINE_PROTO_FUZZER(const curl::fuzzer::proto::Scenario &scenario)
+{
+  CurlFuzzerRunScenario(scenario);
+}
+
+int CurlFuzzerRunScenario(const curl::fuzzer::proto::Scenario &scenario)
 {
   int rc = 0;
-  int tlv_rc;
   FUZZ_DATA fuzz;
-  TLV tlv;
 
   /* Ignore SIGPIPE errors. We'll handle the errors ourselves. */
   signal(SIGPIPE, SIG_IGN);
 
   /* Have to set all fields to zero before getting to the terminate function */
   memset(&fuzz, 0, sizeof(FUZZ_DATA));
 
-  if(size < sizeof(TLV_RAW)) {
-    /* Not enough data for a single TLV - don't continue */
-    goto EXIT_LABEL;
-  }
-
   /* Try to initialize the fuzz data */
-  FTRY(fuzz_initialize_fuzz_data(&fuzz, data, size));
+  FTRY(fuzz_initialize_fuzz_data(&fuzz));
 
-  for(tlv_rc = fuzz_get_first_tlv(&fuzz, &tlv);
-      tlv_rc == 0;
-      tlv_rc = fuzz_get_next_tlv(&fuzz, &tlv)) {
-
-    /* Have the TLV in hand. Parse the TLV. */
-    rc = fuzz_parse_tlv(&fuzz, &tlv);
-
-    if(rc != 0) {
-      /* Failed to parse the TLV. Can't continue. */
-      goto EXIT_LABEL;
-    }
-  }
-
-  if(tlv_rc != TLV_RC_NO_MORE_TLVS) {
-    /* A TLV call failed. Can't continue. */
+  rc = curl_fuzzer::ApplyScenario(scenario, &fuzz);
+  if(rc != 0) {
     goto EXIT_LABEL;
   }
 
   /* Set up the standard easy options. */
   FTRY(fuzz_set_easy_options(&fuzz));
 
   /**
-   * Add in more curl options that have been accumulated over possibly
-   * multiple TLVs.
+   * Add in more curl options that have been accumulated over the scenario
+   * execution.
    */
   if(fuzz.header_list != NULL) {
     curl_easy_setopt(fuzz.easy, CURLOPT_HTTPHEADER, fuzz.header_list);
@@ -104,6 +88,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
   return 0;
 }
 
+
 /**
  * Utility function to convert 4 bytes to a u32 predictably.
  */
@@ -127,24 +112,25 @@ uint16_t to_u16(const uint8_t b[2])
 /**
  * Initialize the local fuzz data structure.
  */
-int fuzz_initialize_fuzz_data(FUZZ_DATA *fuzz,
-                              const uint8_t *data,
-                              size_t data_len)
+int fuzz_initialize_fuzz_data(FUZZ_DATA *fuzz)
 {
   int rc = 0;
   int ii;
 
   /* Initialize the fuzz data. */
   memset(fuzz, 0, sizeof(FUZZ_DATA));
+  fuzz->scenario_state = NULL;
+  fuzz->scenario_state_destructor = NULL;
 
   /* Create an easy handle. This will have all of the settings configured on
      it. */
   fuzz->easy = curl_easy_init();
   FCHECK(fuzz->easy != NULL);
 
   /* Set up the state parser */
-  fuzz->state.data = data;
-  fuzz->state.data_len = data_len;
+  fuzz->state.data = NULL;
+  fuzz->state.data_len = 0;
+  fuzz->state.data_pos = 0;
 
   /* Set up the state of the server sockets. */
   for(ii = 0; ii < FUZZ_NUM_CONNECTIONS; ii++) {
@@ -275,6 +261,12 @@ void fuzz_terminate_fuzz_data(FUZZ_DATA *fuzz)
     fuzz->easy = NULL;
   }
 
+  if(fuzz->scenario_state_destructor != NULL && fuzz->scenario_state != NULL) {
+    fuzz->scenario_state_destructor(fuzz->scenario_state);
+    fuzz->scenario_state = NULL;
+    fuzz->scenario_state_destructor = NULL;
+  }
+
   /* When you have passed the struct curl_httppost pointer to curl_easy_setopt
    * (using the CURLOPT_HTTPPOST option), you must not free the list until after
    *  you have called curl_easy_cleanup for the curl handle.

curl_fuzzer.h

@@ -1,3 +1,6 @@
+#ifndef CURL_FUZZER_H
+#define CURL_FUZZER_H
+
 /***************************************************************************
  *                                  _   _ ____  _
  *  Project                     ___| | | |  _ \| |
@@ -23,6 +26,14 @@
 #include <curl/curl.h>
 #include "testinput.h"
 
+namespace curl {
+namespace fuzzer {
+namespace proto {
+class Scenario;
+}  // namespace proto
+}  // namespace fuzzer
+}  // namespace curl
+
 /**
  * TLV types.
  */
@@ -433,14 +444,16 @@ typedef struct fuzz_data
   /* Verbose mode. */
   int verbose;
 
+  /* Optional structured scenario ownership hook. */
+  void *scenario_state;
+  void (*scenario_state_destructor)(void *state);
+
 } FUZZ_DATA;
 
 /* Function prototypes */
 uint32_t to_u32(const uint8_t b[4]);
 uint16_t to_u16(const uint8_t b[2]);
-int fuzz_initialize_fuzz_data(FUZZ_DATA *fuzz,
-                              const uint8_t *data,
-                              size_t data_len);
+int fuzz_initialize_fuzz_data(FUZZ_DATA *fuzz);
 int fuzz_set_easy_options(FUZZ_DATA *fuzz);
 void fuzz_terminate_fuzz_data(FUZZ_DATA *fuzz);
 void fuzz_free(void **ptr);
@@ -474,6 +487,7 @@ int fuzz_select(int nfds,
                 fd_set *exceptfds,
                 struct timeval *timeout);
 int fuzz_set_allowed_protocols(FUZZ_DATA *fuzz);
+int CurlFuzzerRunScenario(const curl::fuzzer::proto::Scenario &scenario);
 
 /* Macros */
 #define FTRY(FUNC)                                                            \
@@ -532,3 +546,5 @@ int fuzz_set_allowed_protocols(FUZZ_DATA *fuzz);
         }
 
 #define FUZZ_MAX(A, B) ((A) > (B) ? (A) : (B))
+
+#endif /* CURL_FUZZER_H */