authorMatt Johnston <matt@ucc.asn.au>2020-11-13 23:18:05 +0800
committerMatt Johnston <matt@ucc.asn.au>2020-11-13 23:18:05 +0800
commit8ec9016585b8bfd026e408567bf246cdad6cee69 (patch)
treeb1b6c9cfc089c6f26a02107b4f61c7aed6e53332 /fuzz
parent15ea6d1106c08deafc1a16788c03155c2efff524 (diff)
Add server postauth fuzzer, wrap connect_remote()
Diffstat (limited to 'fuzz')
-rw-r--r--fuzz/fuzz-common.c34
-rw-r--r--fuzz/fuzz-wrapfd.c25
-rw-r--r--fuzz/fuzzer-postauth_nomaths.c6
-rw-r--r--fuzz/fuzzer-preauth.c2
-rw-r--r--fuzz/fuzzer-preauth_nomaths.c2
-rw-r--r--fuzz/fuzzer-pubkey.c2
6 files changed, 59 insertions, 12 deletions
diff --git a/fuzz/fuzz-common.c b/fuzz/fuzz-common.c
index 18e8a29..d1ada9a 100644
--- a/fuzz/fuzz-common.c
+++ b/fuzz/fuzz-common.c
@@ -217,16 +217,31 @@ void fuzz_fake_send_kexdh_reply(void) {
/* fake version of spawn_command() */
int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t *ret_pid) {
- *ret_writefd = wrapfd_new();
- *ret_readfd = wrapfd_new();
+ *ret_writefd = wrapfd_new_dummy();
+ *ret_readfd = wrapfd_new_dummy();
if (ret_errfd) {
- *ret_errfd = wrapfd_new();
+ *ret_errfd = wrapfd_new_dummy();
}
*ret_pid = 999;
return DROPBEAR_SUCCESS;
}
-int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) {
+
+struct dropbear_progress_connection *fuzz_connect_remote(const char* UNUSED(remotehost), const char* UNUSED(remoteport),
+ connect_callback cb, void* cb_data,
+ const char* UNUSED(bind_address), const char* UNUSED(bind_port)) {
+ char r;
+ genrandom((void*)&r, 1);
+ if (r & 1) {
+ int sock = wrapfd_new_dummy();
+ cb(DROPBEAR_SUCCESS, sock, cb_data, NULL);
+ } else {
+ cb(DROPBEAR_FAILURE, -1, cb_data, "errorstring");
+ }
+ return NULL;
+}
+
+int fuzz_run_server(const uint8_t *Data, size_t Size, int skip_kexmaths, int authdone) {
static int once = 0;
if (!once) {
fuzz_svr_setup();
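Review bot: fuzz_connect_remote invokes the callback synchronously inside the call and then returns NULL, so a caller that stores the returned progress handle before expecting the callback, or that later hands that handle to a cancel/remove routine, sees a NULL handle and an already-completed callback; whether the client/server callers tolerate that is not visible here, so confirm it or document it. A header comment such as `/* Fake connect_remote(): completes immediately with a random success/failure outcome and never returns a handle, so callers must accept NULL */` would make the contract explicit. The outcome is chosen by a fresh genrandom() byte, so one fuzz input may follow two different paths unless genrandom is already seeded deterministically from the input in the fuzz build, which is worth stating in the comment for crash reproducibility. fuzz_run_server's body continues past the end of the hunk.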
@@ -242,7 +257,13 @@ int fuzz_run_preauth(const uint8_t *Data, size_t Size, int skip_kexmaths) {
genrandom((void*)&wrapseed, sizeof(wrapseed));
wrapfd_setseed(wrapseed);
- int fakesock = wrapfd_new();
+ int fakesock = wrapfd_new_fuzzinput();
+
+ if (authdone) {
+ ses.authstate.authdone = 1;
+ char *me = getpwuid(getuid())->pw_name;
+ fill_passwd(me);
+ }
m_malloc_set_epoch(1);
fuzz.do_jmp = 1;
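Review bot: `getpwuid(getuid())->pw_name` dereferences the result without a NULL check; getpwuid returns NULL when the uid has no passwd entry, which is common in minimal fuzzing containers, and the harness would then crash on its own rather than in the code under test. Split it into `struct passwd *pw = getpwuid(getuid());` / `if (!pw) { dropbear_exit("getpwuid failed"); }` / `fill_passwd(pw->pw_name);`. pw_name points into getpwuid's static storage, so this presumes fill_passwd copies the string rather than keeping the pointer — confirm. The enclosing function starts and ends outside the hunk.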
@@ -273,12 +294,13 @@ int fuzz_run_client(const uint8_t *Data, size_t Size, int skip_kexmaths) {
// Allow to proceed sooner
ses.kexstate.donefirstkex = 1;
+ ses.kexstate.authdone = 1;
uint32_t wrapseed;
genrandom((void*)&wrapseed, sizeof(wrapseed));
wrapfd_setseed(wrapseed);
- int fakesock = wrapfd_new();
+ int fakesock = wrapfd_new_fuzzinput();
m_malloc_set_epoch(1);
fuzz.do_jmp = 1;
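Review bot: The client path sets `ses.kexstate.authdone = 1` while the server path in the earlier hunk (fuzz_run_server) sets `ses.authstate.authdone = 1`; if both fields exist this is fine, but it looks like one of them may name the wrong struct, so confirm which flag the client-side code actually tests. A short comment on the new line saying why a client needs authdone forced would also help, since the existing `// Allow to proceed sooner` only explains donefirstkex. fuzz_run_client begins before and continues after this hunk.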
diff --git a/fuzz/fuzz-wrapfd.c b/fuzz/fuzz-wrapfd.c
index c6d59fc..02f293d 100644
--- a/fuzz/fuzz-wrapfd.c
+++ b/fuzz/fuzz-wrapfd.c
@@ -35,7 +35,7 @@ void wrapfd_setup(buffer *buf) {
// clean old ones
int i;
for (i = 0; i <= wrapfd_maxfd; i++) {
- if (wrap_fds[i].mode == COMMONBUF) {
+ if (wrap_fds[i].mode != UNUSED) {
wrapfd_remove(i);
}
}
@@ -51,7 +51,7 @@ void wrapfd_setseed(uint32_t seed) {
nrand48(rand_state);
}
-int wrapfd_new() {
+int wrapfd_new_fuzzinput() {
if (devnull_fd == -1) {
devnull_fd = open("/dev/null", O_RDONLY);
assert(devnull_fd != -1);
@@ -68,6 +68,24 @@ int wrapfd_new() {
return fd;
}
+int wrapfd_new_dummy() {
+ if (devnull_fd == -1) {
+ devnull_fd = open("/dev/null", O_RDONLY);
+ assert(devnull_fd != -1);
+ }
+
+ int fd = dup(devnull_fd);
+ assert(fd != -1);
+ assert(wrap_fds[fd].mode == UNUSED);
+ wrap_fds[fd].mode = DUMMY;
+ wrap_fds[fd].closein = 0;
+ wrap_fds[fd].closeout = 0;
+ wrapfd_maxfd = MAX(fd, wrapfd_maxfd);
+
+ return fd;
+}
+
+
static void wrapfd_remove(int fd) {
TRACE(("wrapfd_remove %d", fd))
assert(fd >= 0);
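Review bot: wrapfd_new_dummy repeats the lazy /dev/null open and dup that wrapfd_new_fuzzinput performs a few lines above; extracting a small static helper keeps the two in step (fence below, and wrapfd_new_fuzzinput can call it too if its tail, cut off here, also dup()s), and is the place to use a `(void)` parameter list, which both new signatures omit. `assert(wrap_fds[fd].mode == UNUSED)` indexes wrap_fds with whatever dup() returns, so the array bound (not visible here) must exceed the highest fd the process can reach, and the checks disappear under NDEBUG — presumably the fuzz build keeps asserts, but a comment saying so would help. The dummy fd is a read-only /dev/null dup, so anything that writes through it at the OS level rather than via the wrapfd layer will fail with EBADF; worth a note on the DUMMY mode.
```c
/* Open /dev/null once and hand out a fresh dup of it. */
static int wrapfd_dup_devnull(void) {
	if (devnull_fd == -1) {
		devnull_fd = open("/dev/null", O_RDONLY);
		assert(devnull_fd != -1);
	}
	int fd = dup(devnull_fd);
	assert(fd != -1);
	return fd;
}

int wrapfd_new_dummy(void) {
	int fd = wrapfd_dup_devnull();
	// … unchanged: UNUSED assert, DUMMY mode, closein/closeout, wrapfd_maxfd …
	return fd;
}
```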
@@ -113,7 +131,7 @@ int wrapfd_read(int fd, void *out, size_t count) {
return -1;
}
- if (input_buf) {
+ if (input_buf && wrap_fds[fd].mode == COMMONBUF) {
maxread = MIN(input_buf->len - input_buf->pos, count);
/* returns 0 if buf is EOF, as intended */
if (maxread > 0) {
@@ -124,6 +142,7 @@ int wrapfd_read(int fd, void *out, size_t count) {
return maxread;
}
+ // return fixed output, of random length
maxread = MIN(MAX_RANDOM_IN, count);
maxread = nrand48(rand_state) % maxread + 1;
memset(out, 0xef, maxread);
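Review bot: The new comment sits above `maxread = nrand48(rand_state) % maxread + 1;`, where maxread is `MIN(MAX_RANDOM_IN, count)`, so a zero-length read reaches a modulo by zero unless count == 0 is rejected at the top of wrapfd_read, which is outside the hunk; if it is not, add `if (count == 0) { return 0; }` ahead of the random path (or at function entry), matching read(2). The comment could also state the intent more precisely, e.g. `// fds that are not COMMONBUF (or reads with no input_buf) get 1..MAX_RANDOM_IN bytes of 0xef filler`.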
diff --git a/fuzz/fuzzer-postauth_nomaths.c b/fuzz/fuzzer-postauth_nomaths.c
new file mode 100644
index 0000000..b8b7c6b
--- /dev/null
+++ b/fuzz/fuzzer-postauth_nomaths.c
@@ -0,0 +1,6 @@
+#include "fuzz.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ return fuzz_run_server(Data, Size, 1, 1);
+}
+
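Review bot: The harness passes two bare 1 arguments and nothing says what they select; a one-line comment such as `/* skip_kexmaths=1, authdone=1: fuzz the post-authentication server state without KEX maths */` above the call would make the file self-describing, as the flag order in fuzz_run_server is easy to swap. The trailing empty line after the closing brace can go.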
diff --git a/fuzz/fuzzer-preauth.c b/fuzz/fuzzer-preauth.c
index 3ac49f4..f3cbdcb 100644
--- a/fuzz/fuzzer-preauth.c
+++ b/fuzz/fuzzer-preauth.c
@@ -1,6 +1,6 @@
#include "fuzz.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- return fuzz_run_preauth(Data, Size, 0);
+ return fuzz_run_server(Data, Size, 0, 0);
}
diff --git a/fuzz/fuzzer-preauth_nomaths.c b/fuzz/fuzzer-preauth_nomaths.c
index efdc2c3..bab5f2b 100644
--- a/fuzz/fuzzer-preauth_nomaths.c
+++ b/fuzz/fuzzer-preauth_nomaths.c
@@ -1,6 +1,6 @@
#include "fuzz.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- return fuzz_run_preauth(Data, Size, 1);
+ return fuzz_run_server(Data, Size, 1, 0);
}
diff --git a/fuzz/fuzzer-pubkey.c b/fuzz/fuzzer-pubkey.c
index 7c12cdc..3b00478 100644
--- a/fuzz/fuzzer-pubkey.c
+++ b/fuzz/fuzzer-pubkey.c
@@ -27,7 +27,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
unsigned int algolen;
char* algoname = buf_getstring(keyblob, &algolen);
- if (signature_type_from_name(algoname, algolen) == DROPBEAR_SIGNKEY_NONE) {
+ if (signature_type_from_name(algoname, algolen) == DROPBEAR_SIGNATURE_NONE) {
dropbear_exit("fuzzer imagined a bogus algorithm");
}