From 282fc81981c57e53b6aaa6d3189b66b4a229f0a8 Mon Sep 17 00:00:00 2001
From: Matt Johnston
Date: Sun, 18 Oct 2020 12:17:39 +0800
Subject: Get client fuzzer building and starting (fails straight away)

--HG--
branch : fuzz
---
 cli-session.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

(limited to 'cli-session.c')

diff --git a/cli-session.c b/cli-session.c
index f42ea90..bc83564 100644
--- a/cli-session.c
+++ b/cli-session.c
@@ -407,3 +407,62 @@ static void recv_msg_global_request_cli(void) {
 /* Send a proper rejection */
 send_msg_request_failure();
 }
+
+void cli_dropbear_exit(int exitcode, const char* format, va_list param) {
+ char exitmsg[150];
+ char fullmsg[300];
+
+ /* Note that exit message must be rendered before session cleanup */
+
+ /* Render the formatted exit message */
+ vsnprintf(exitmsg, sizeof(exitmsg), format, param);
+ TRACE(("Exited, cleaning up: %s", exitmsg))
+
+ /* Add the prefix depending on session/auth state */
+ if (!ses.init_done) {
+ snprintf(fullmsg, sizeof(fullmsg), "Exited: %s", exitmsg);
+ } else {
+ snprintf(fullmsg, sizeof(fullmsg),
+ "Connection to %s@%s:%s exited: %s",
+ cli_opts.username, cli_opts.remotehost,
+ cli_opts.remoteport, exitmsg);
+ }
+
+ /* Do the cleanup first, since then the terminal will be reset */
+ session_cleanup();
+ /* Avoid printing onwards from terminal cruft */
+ fprintf(stderr, "\n");
+
+ dropbear_log(LOG_INFO, "%s", fullmsg);
+
+#if DROPBEAR_FUZZ
+ if (fuzz.do_jmp) {
+ longjmp(fuzz.jmp, 1);
+ }
+#endif
+
+ exit(exitcode);
+}
+
+void cli_dropbear_log(int priority, const char* format, va_list param) {
+
+ char printbuf[1024];
+ const char *name;
+
+ name = cli_opts.progname;
+ if (!name) {
+ name = "dbclient";
+ }
+
+ vsnprintf(printbuf, sizeof(printbuf), format, param);
+
+#ifndef DISABLE_SYSLOG
+ if (opts.usingsyslog) {
+ syslog(priority, "%s", printbuf);
+ }
+#endif
+
+ fprintf(stderr, "%s: %s\n", name, printbuf);
+ fflush(stderr);
+}
+
-- cgit v1.2.3
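Review bot: Neither `cli_dropbear_exit` nor `cli_dropbear_log` carries a header comment, and the former has a non-obvious contract: under `DROPBEAR_FUZZ` with `fuzz.do_jmp` set it `longjmp`s back to the harness after `session_cleanup()` instead of calling `exit`, yet it must still never return to its caller. A comment above it such as `/* Client exit hook: renders the message, runs session_cleanup(), logs, then exits; under DROPBEAR_FUZZ with fuzz.do_jmp set it longjmps to fuzz.jmp instead. Never returns. */` would state that (the hook assignment is not in this hunk; it is inferred from the matching `_dropbear_log = cli_dropbear_log` in fuzz-common.c further down this page). The `init_done` branch passes `cli_opts.username`, `cli_opts.remotehost` and `cli_opts.remoteport` to `%s`; if any of them can still be NULL once `ses.init_done` is set, that `snprintf` is undefined behaviour, so the invariant that all three are populated by then is worth recording next to the `if`. `cli_dropbear_log` would take a one-line note that `printbuf` silently truncates messages longer than 1023 bytes.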
From 33eba22966a897cb4fca2395912176e2713b050d Mon Sep 17 00:00:00 2001
From: Matt Johnston
Date: Sun, 18 Oct 2020 15:08:54 +0800
Subject: Add fuzzer-client_nomaths, fix client fuzzer

--HG--
branch : fuzz
---
 Makefile.in | 5 ++++-
 cli-kex.c | 13 +++++++++++++
 cli-session.c | 16 +++++++++++-----
 fuzz-common.c | 5 ++++-
 fuzzer-client_nomaths.c | 6 ++++++
 5 files changed, 38 insertions(+), 7 deletions(-)
 create mode 100644 fuzzer-client_nomaths.c

(limited to 'cli-session.c')

diff --git a/Makefile.in b/Makefile.in
index 894925b..fae4cf3 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -269,7 +269,7 @@ lint:
 # list of fuzz targets
 FUZZ_TARGETS=fuzzer-preauth fuzzer-pubkey fuzzer-verify fuzzer-preauth_nomaths \
- fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client
+ fuzzer-kexdh fuzzer-kexecdh fuzzer-kexcurve25519 fuzzer-client fuzzer-client_nomaths
 FUZZER_OPTIONS = $(addsuffix .options, $(FUZZ_TARGETS))
@@ -311,6 +311,9 @@ fuzzer-kexcurve25519: fuzzer-kexcurve25519.o fuzz-harness.o
 fuzzer-client: fuzzer-client.o fuzz-harness.o
 $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
+fuzzer-client_nomaths: fuzzer-client_nomaths.o fuzz-harness.o
+ $(CXX) $(CXXFLAGS) $@.o $(LDFLAGS) $(allobjs) -o $@$(EXEEXT) $(LIBTOM_LIBS) $(LIBS) $(FUZZLIB) @CRYPTLIB@
+
 fuzzer-%.options: Makefile
 echo "[libfuzzer]" > $@
 echo "max_len = 50000" >> $@
diff --git a/cli-kex.c b/cli-kex.c
index af1cfcf..4f2a884 100644
--- a/cli-kex.c
+++ b/cli-kex.c
@@ -46,6 +46,13 @@ void send_msg_kexdh_init() {
 TRACE(("send_msg_kexdh_init()"))
 CHECKCLEARTOWRITE();
+
+#if DROPBEAR_FUZZ
+ if (fuzz.fuzzing && fuzz.skip_kexmaths) {
+ return;
+ }
+#endif
+
 buf_putbyte(ses.writepayload, SSH_MSG_KEXDH_INIT);
 switch (ses.newkeys->algo_kex->mode) {
 #if DROPBEAR_NORMAL_DH
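Review bot: The new `fuzzer-client_nomaths` rule copies the `fuzzer-client` link recipe verbatim, so each additional fuzzer means one more duplicated `$(CXX) ...` line to keep in sync. Since this Makefile already uses a pattern rule for `fuzzer-%.options`, the link step could become a single pattern rule, `fuzzer-%: fuzzer-%.o fuzz-harness.o` followed by the same recipe, with the per-target copies dropped; make prefers the shorter-stem `fuzzer-%.options` pattern for the `.options` files, so the two do not collide. This is a style point only; the rule as written links correctly.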
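Review bot: The early `return` added after `CHECKCLEARTOWRITE()` leaves `send_msg_kexdh_init` before the rest of its body, which lies outside this hunk; if that body is where `cli_ses.kex_state` is advanced to `KEXDH_INIT_SENT`, the nomaths client never reaches that state. The matching `return` in `recv_msg_kexdh_reply` (next hunk, `@@ -98,6 +105,12 @@`) sits before the `if (cli_ses.kex_state != KEXDH_INIT_SENT)` check, so with `fuzz.skip_kexmaths` set the out-of-order rejection is never exercised and that sequencing check is effectively removed from the fuzzed code path. Placing the receive-side guard after the state check keeps the protocol state machine under fuzz while still skipping the arithmetic, and a one-line comment on each guard, `/* fuzzing: skip the DH/ECDH computation, not the protocol state checks */`, would record why it sits where it does.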
@@ -98,6 +105,12 @@ void recv_msg_kexdh_reply() {
 unsigned char* keyblob = NULL;
 TRACE(("enter recv_msg_kexdh_reply"))
+
+#if DROPBEAR_FUZZ
+ if (fuzz.fuzzing && fuzz.skip_kexmaths) {
+ return;
+ }
+#endif
 if (cli_ses.kex_state != KEXDH_INIT_SENT) {
 dropbear_exit("Received out-of-order kexdhreply");
diff --git a/cli-session.c b/cli-session.c
index bc83564..5e5af22 100644
--- a/cli-session.c
+++ b/cli-session.c
@@ -352,6 +352,11 @@ static void cli_session_cleanup(void) {
 (void)fcntl(cli_ses.stdoutcopy, F_SETFL, cli_ses.stdoutflags);
 (void)fcntl(cli_ses.stderrcopy, F_SETFL, cli_ses.stderrflags);
+ /* Don't leak */
+ m_close(cli_ses.stdincopy);
+ m_close(cli_ses.stdoutcopy);
+ m_close(cli_ses.stderrcopy);
+
 cli_tty_cleanup();
 if (cli_ses.server_sig_algs) {
 buf_free(cli_ses.server_sig_algs);
@@ -430,17 +435,18 @@ void cli_dropbear_exit(int exitcode, const char* format, va_list param) {
 /* Do the cleanup first, since then the terminal will be reset */
 session_cleanup();
- /* Avoid printing onwards from terminal cruft */
- fprintf(stderr, "\n");
-
- dropbear_log(LOG_INFO, "%s", fullmsg);
-
+
 #if DROPBEAR_FUZZ
 if (fuzz.do_jmp) {
 longjmp(fuzz.jmp, 1);
 }
 #endif
+ /* Avoid printing onwards from terminal cruft */
+ fprintf(stderr, "\n");
+
+ dropbear_log(LOG_INFO, "%s", fullmsg);
+
 exit(exitcode);
 }
diff --git a/fuzz-common.c b/fuzz-common.c
index 742e606..95b3937 100644
--- a/fuzz-common.c
+++ b/fuzz-common.c
@@ -37,6 +37,7 @@ int fuzz_set_input(const uint8_t *Data, size_t Size) {
 memset(&ses, 0x0, sizeof(ses));
 memset(&svr_ses, 0x0, sizeof(svr_ses));
+ memset(&cli_ses, 0x0, sizeof(cli_ses));
 wrapfd_setup(fuzz.input);
 fuzz_seed();
@@ -64,6 +65,7 @@ void fuzz_svr_setup(void) {
 _dropbear_exit = svr_dropbear_exit;
 char *argv[] = {
+ "dropbear",
 "-E",
 };
@@ -80,6 +82,7 @@ void fuzz_cli_setup(void) {
 _dropbear_log = cli_dropbear_log;
 char *argv[] = {
+ "dbclient",
 "-y",
 "localhost",
 };
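Review bot: The three `m_close` calls run unconditionally, and `cli_session_cleanup` starts outside this hunk, so it is not visible whether anything returns early before the descriptor copies exist. In this same patch `fuzz_set_input` now does `memset(&cli_ses, 0x0, sizeof(cli_ses))`, which leaves `stdincopy`, `stdoutcopy` and `stderrcopy` at 0 — a valid descriptor — so a `dropbear_exit` raised before they are dup'd would close the process's real stdin and then try to close descriptor 0 twice more; whether that second failure is fatal depends on `m_close`, which is not shown. Initialising the three copies to -1 where `cli_ses` is set up and guarding each close, e.g. `if (cli_ses.stdincopy >= 0) { m_close(cli_ses.stdincopy); }`, makes the cleanup safe to run at any point; the preceding `fcntl` restores rest on the same assumption and would be covered by the same guard.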
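Review bot: With `fprintf(stderr, "\n")` and `dropbear_log(LOG_INFO, "%s", fullmsg)` now below the `longjmp`, an exit taken with `fuzz.do_jmp` set discards `fullmsg` unlogged, so the reason a fuzz iteration ended is no longer recorded anywhere. If that is intentional (keeping the harness quiet), a comment on the `#if DROPBEAR_FUZZ` block such as `/* Under the fuzzer the exit reason is deliberately not logged; the harness resumes via longjmp */` would say so; if not, the `dropbear_log` call could move back above the `longjmp` while only the terminal newline stays below it. The added line after `session_cleanup()` also appears to carry only whitespace (an added line with no visible text), which is trailing whitespace worth dropping. `cli_dropbear_exit` starts outside this hunk.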
@@ -168,7 +171,7 @@ int fuzz_spawn_command(int *ret_writefd, int *ret_readfd, int *ret_errfd, pid_t
 if (ret_errfd) {
 *ret_errfd = wrapfd_new();
 }
- ret_pid = 999;
+ *ret_pid = 999;
 return DROPBEAR_SUCCESS;
 }
diff --git a/fuzzer-client_nomaths.c b/fuzzer-client_nomaths.c
new file mode 100644
index 0000000..e0910a7
--- /dev/null
+++ b/fuzzer-client_nomaths.c
@@ -0,0 +1,6 @@
+#include "fuzz.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ return fuzz_run_client(Data, Size, 1);
+}
+
-- cgit v1.2.3
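Review bot: `*ret_pid = 999;` dereferences `ret_pid` unconditionally, while the descriptor outputs in the same function are written only behind a NULL check (`if (ret_errfd) { *ret_errfd = wrapfd_new(); }` is visible just above); for consistency and to tolerate callers that pass NULL, guard it the same way: `if (ret_pid) { *ret_pid = 999; }`. The fake pid is also a bare magic number; a named constant with a comment stating it is a dummy value because the fuzz stub spawns no child would help readers. `fuzz_spawn_command` starts outside this hunk.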
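Review bot: The third argument `1` to `fuzz_run_client` is undocumented in this file; given the `fuzz.skip_kexmaths` checks added to cli-kex.c in this patch it presumably selects the skip-kex-maths mode, and a one-line comment such as `/* 1: skip the kex maths (fuzz.skip_kexmaths) so inputs reach the post-kex handlers */` would say so without the reader having to open `fuzz_run_client`. The empty added line at the end of the file is a trailing blank line worth dropping.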