diff options
| author | Matt Johnston <matt@ucc.asn.au> | 2020-10-29 22:41:37 +0800 |
|---|---|---|
| committer | Matt Johnston <matt@ucc.asn.au> | 2020-10-29 22:41:37 +0800 |
| commit | 6aa065b1b45610e7adc5b9760482d9d5f0c8211c (patch) | |
| tree | 5b2a33f0680778df55f48b658040c96416cee454 | |
| parent | 6cf29061c2513ac9bff5c68da8b98744cde25f40 (diff) | |
Use SSH packet mutator for preauth too
Get rid of separate client mutator.
Have 0.1% chance of llvm random mutation
Add comments
| -rw-r--r-- | Makefile.in | 9 | ||||
| -rw-r--r-- | fuzz/fuzz-sshpacketmutator.c | 36 | ||||
| -rw-r--r-- | fuzz/fuzzer-client_mutator.c | 6 | ||||
| -rw-r--r-- | fuzz/fuzzer-client_mutator_nomaths.c | 6 |
4 files changed, 30 insertions, 27 deletions
diff --git a/Makefile.in b/Makefile.in index 682419a..0476124 100644 --- a/Makefile.in +++ b/Makefile.in @@ -269,8 +269,7 @@ lint: # list of fuzz targets FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey fuzzer-verify fuzzer-preauth_nomaths \ - fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client fuzzer-client_nomaths \ - fuzzer-client_mutator fuzzer-client_mutator_nomaths + fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client fuzzer-client_nomaths FUZZER_OPTIONS = $(addsuffix .options, $(FUZZ_TARGETS)) FUZZ_OBJS = $(addprefix fuzz/,$(addsuffix .o,$(FUZZ_TARGETS))) \ @@ -293,8 +292,10 @@ fuzz-targets: $(FUZZ_TARGETS) $(FUZZER_OPTIONS) $(FUZZ_TARGETS): $(FUZZ_OBJS) $(allobjs) $(LIBTOM_DEPS) $(CXX) $(CXXFLAGS) fuzz/$@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) -lcrypt -# fuzzers that use the custom mutator -fuzzer-client_mutator fuzzer-client_mutator_nomaths: allobjs += fuzz/fuzz-sshpacketmutator.o +# fuzzers that use the custom mutator - these expect a SSH network stream +MUTATOR_FUZZERS=fuzzer-client fuzzer-client_nomaths \ + fuzzer-preauth fuzzer-preauth_nomaths +$(MUTATOR_FUZZERS): allobjs += fuzz/fuzz-sshpacketmutator.o fuzzer-%.options: Makefile echo "[libfuzzer]" > $@ diff --git a/fuzz/fuzz-sshpacketmutator.c b/fuzz/fuzz-sshpacketmutator.c index d26089d..3a513b0 100644 --- a/fuzz/fuzz-sshpacketmutator.c +++ b/fuzz/fuzz-sshpacketmutator.c @@ -1,8 +1,28 @@ +/* A mutator/crossover for SSH protocol streams. + Attempts to mutate each SSH packet individually, keeping + lengths intact. + It will prepend a SSH-2.0-dbfuzz\r\n version string. + + Linking this file to a binary will make libfuzzer pick up the custom mutator. + + Care is taken to avoid memory allocation which would otherwise + slow exec/s substantially */ + #include "fuzz.h" #include "dbutil.h" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize); +static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n"; +static const size_t MAX_FUZZ_PACKETS = 500; +/* XXX This might need tuning */ +static const size_t MAX_OUT_SIZE = 50000; + +/* Splits packets from an input stream buffer "inp". +The initial SSH version identifier is discarded. +If packets are not recognised it will increment until an uint32 of valid +packet length is found. */ + /* out_packets an array of num_out_packets*buffer, each of size RECV_MAX_PACKET_LEN */ static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *num_out_packets) { /* Skip any existing banner. Format is @@ -52,8 +72,8 @@ static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *nu } } -/* Mutate in-place */ -void buf_llvm_mutate(buffer *buf) { +/* Mutate a packet buffer in-place */ +static void buf_llvm_mutate(buffer *buf) { /* Position it after packet_length and padding_length */ const unsigned int offset = 5; if (buf->len < offset) { @@ -69,11 +89,6 @@ void buf_llvm_mutate(buffer *buf) { } -static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n"; -static const size_t MAX_FUZZ_PACKETS = 500; -/* XXX This might need tuning */ -static const size_t MAX_OUT_SIZE = 50000; - /* Persistent buffers to avoid constant allocations */ static buffer *oup; static buffer *alloc_packetA; @@ -111,12 +126,11 @@ size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, memcpy(randstate, &Seed, sizeof(Seed)); // printhex("mutator input", Data, Size); - #if 0 - /* 1% chance straight llvm mutate */ - if (nrand48(randstate) % 100 == 0) { + + /* 0.1% chance straight llvm mutate */ + if (nrand48(randstate) % 1000 == 0) { return LLVMFuzzerMutate(Data, Size, MaxSize); } - #endif buffer inp_buf = {.data = Data, .size = Size, .len = Size, .pos = 0}; buffer *inp = &inp_buf; diff --git a/fuzz/fuzzer-client_mutator.c b/fuzz/fuzzer-client_mutator.c deleted file mode 100644 index eb59f46..0000000 --- a/fuzz/fuzzer-client_mutator.c +++ /dev/null @@ -1,6 +0,0 @@ -#include "fuzz.h" - -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - return fuzz_run_client(Data, Size, 0); -} - diff --git a/fuzz/fuzzer-client_mutator_nomaths.c b/fuzz/fuzzer-client_mutator_nomaths.c deleted file mode 100644 index eb59f46..0000000 --- a/fuzz/fuzzer-client_mutator_nomaths.c +++ /dev/null @@ -1,6 +0,0 @@ -#include "fuzz.h" - -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - return fuzz_run_client(Data, Size, 0); -} - |