Commit graph

4 commits

Author SHA1 Message Date
Petr Štetiar
478597b9f9 blob: fix OOB access in blob_check_type
Found by fuzzer:

 ERROR: AddressSanitizer: SEGV on unknown address 0x602100000455
 The signal is caused by a READ memory access.
     #0 in blob_check_type blob.c:214:43
     #1 in blob_parse_attr blob.c:234:9
     #2 in blob_parse_untrusted blob.c:272:12
     #3 in fuzz_blob_parse tests/fuzzer/test-blob-parse-fuzzer.c:34:2
     #4 in LLVMFuzzerTestOneInput tests/fuzzer/test-blob-parse-fuzzer.c:39:2

Caused by following line:

	if (type == BLOB_ATTR_STRING && data[len - 1] != 0)

where len was pointing outside of the data buffer.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-25 10:31:58 +01:00
Petr Štetiar
325418a7a3 tests: use blob_parse_untrusted variant
In order to be able to use invalid input for testing as well.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-25 10:31:58 +01:00
Petr Štetiar
833d25797b test: fuzz: add blob_parse crashes
==5872==ERROR: AddressSanitizer: SEGV on unknown address 0x6020004100b4
==5872==The signal is caused by a READ memory access.
    #0 blob_data blob.h
    #1 blob_parse blob.c:228:2

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-25 10:31:58 +01:00
Petr Štetiar
436d6363a1 tests: add libFuzzer based tests
LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine.

LibFuzzer is linked with the library under test, and feeds fuzzed inputs
to the library via a specific fuzzing entrypoint (aka "target
function"); the fuzzer then tracks which areas of the code are reached,
and generates mutations on the corpus of input data in order to maximize
the code coverage.

Lets use libFuzzer to fuzz blob and blobmsg parsing for the start.

Ref: https://llvm.org/docs/LibFuzzer.html
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-25 10:31:58 +01:00