From 6aa065b1b45610e7adc5b9760482d9d5f0c8211c Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 29 Oct 2020 22:41:37 +0800 Subject: Use SSH packet mutator for preauth too Get rid of separate client mutator. Have 0.1% chance of llvm random mutation Add comments --- fuzz/fuzz-sshpacketmutator.c | 36 +++++++++++++++++++++++++----------- fuzz/fuzzer-client_mutator.c | 6 ------ fuzz/fuzzer-client_mutator_nomaths.c | 6 ------ 3 files changed, 25 insertions(+), 23 deletions(-) delete mode 100644 fuzz/fuzzer-client_mutator.c delete mode 100644 fuzz/fuzzer-client_mutator_nomaths.c (limited to 'fuzz') diff --git a/fuzz/fuzz-sshpacketmutator.c b/fuzz/fuzz-sshpacketmutator.c index d26089d..3a513b0 100644 --- a/fuzz/fuzz-sshpacketmutator.c +++ b/fuzz/fuzz-sshpacketmutator.c @@ -1,8 +1,28 @@ +/* A mutator/crossover for SSH protocol streams. + Attempts to mutate each SSH packet individually, keeping + lengths intact. + It will prepend a SSH-2.0-dbfuzz\r\n version string. + + Linking this file to a binary will make libfuzzer pick up the custom mutator. + + Care is taken to avoid memory allocation which would otherwise + slow exec/s substantially */ + #include "fuzz.h" #include "dbutil.h" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize); +static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n"; +static const size_t MAX_FUZZ_PACKETS = 500; +/* XXX This might need tuning */ +static const size_t MAX_OUT_SIZE = 50000; + +/* Splits packets from an input stream buffer "inp". +The initial SSH version identifier is discarded. +If packets are not recognised it will increment until an uint32 of valid +packet length is found. */ + /* out_packets an array of num_out_packets*buffer, each of size RECV_MAX_PACKET_LEN */ static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *num_out_packets) { /* Skip any existing banner. Format is @@ -52,8 +72,8 @@ static void fuzz_get_packets(buffer *inp, buffer **out_packets, unsigned int *nu } } -/* Mutate in-place */ -void buf_llvm_mutate(buffer *buf) { +/* Mutate a packet buffer in-place */ +static void buf_llvm_mutate(buffer *buf) { /* Position it after packet_length and padding_length */ const unsigned int offset = 5; if (buf->len < offset) { @@ -69,11 +89,6 @@ void buf_llvm_mutate(buffer *buf) { } -static const char* FIXED_VERSION = "SSH-2.0-dbfuzz\r\n"; -static const size_t MAX_FUZZ_PACKETS = 500; -/* XXX This might need tuning */ -static const size_t MAX_OUT_SIZE = 50000; - /* Persistent buffers to avoid constant allocations */ static buffer *oup; static buffer *alloc_packetA; @@ -111,12 +126,11 @@ size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, memcpy(randstate, &Seed, sizeof(Seed)); // printhex("mutator input", Data, Size); - #if 0 - /* 1% chance straight llvm mutate */ - if (nrand48(randstate) % 100 == 0) { + + /* 0.1% chance straight llvm mutate */ + if (nrand48(randstate) % 1000 == 0) { return LLVMFuzzerMutate(Data, Size, MaxSize); } - #endif buffer inp_buf = {.data = Data, .size = Size, .len = Size, .pos = 0}; buffer *inp = &inp_buf; diff --git a/fuzz/fuzzer-client_mutator.c b/fuzz/fuzzer-client_mutator.c deleted file mode 100644 index eb59f46..0000000 --- a/fuzz/fuzzer-client_mutator.c +++ /dev/null @@ -1,6 +0,0 @@ -#include "fuzz.h" - -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - return fuzz_run_client(Data, Size, 0); -} - diff --git a/fuzz/fuzzer-client_mutator_nomaths.c b/fuzz/fuzzer-client_mutator_nomaths.c deleted file mode 100644 index eb59f46..0000000 --- a/fuzz/fuzzer-client_mutator_nomaths.c +++ /dev/null @@ -1,6 +0,0 @@ -#include "fuzz.h" - -int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - return fuzz_run_client(Data, Size, 0); -} - -- cgit v1.2.3