From fa966b9609a6acdde4f10e08e39faba4770cba08 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Tue, 7 Feb 2023 16:16:24 +0100
Subject: [PATCH] Nalloc sanitizer: to test allocations failures
---
docs/advanced-topics/reproducing.md | 2 ++
docs/getting-started/new_project_guide.md | 7 +++++
docs/index.md | 2 +-
infra/base-images/base-builder/Dockerfile | 9 +++++-
infra/base-images/base-builder/compile | 4 +++
.../base-builder/precompile_nallocfuzz | 31 +++++++++++++++++++
infra/base-images/base-runner/reproduce | 1 +
infra/constants.py | 1 +
projects/flac/project.yaml | 5 +++
projects/fluent-bit/project.yaml | 4 +++
projects/libpng/project.yaml | 1 +
projects/libwebp/project.yaml | 1 +
projects/ndpi/project.yaml | 5 +++
projects/suricata/project.yaml | 1 +
projects/systemd/project.yaml | 1 +
15 files changed, 73 insertions(+), 2 deletions(-)
create mode 100755 infra/base-images/base-builder/precompile_nallocfuzz
diff --git a/docs/advanced-topics/reproducing.md b/docs/advanced-topics/reproducing.md
index 1160f8bbb2de..241c871c5f83 100644
--- a/docs/advanced-topics/reproducing.md
+++ b/docs/advanced-topics/reproducing.md
@@ -138,6 +138,8 @@ Once you reproduce the bug, you can do the following:
- **Improve fuzzing support:** Consider
[improving your integration with OSS-Fuzz]({{ site.baseurl }}/advanced-topics/ideal-integration/).
+For `nalloc` sanitizer, if you launch the target yourself, without the python wrapper, be sure to use `-runs=2` or more.
+
## Reproducing build failures
Our infrastructure runs some sanity tests to make sure that your build was
diff --git a/docs/getting-started/new_project_guide.md b/docs/getting-started/new_project_guide.md
index 69ee9c85c135..367b9ebbfa71 100644
--- a/docs/getting-started/new_project_guide.md
+++ b/docs/getting-started/new_project_guide.md
@@ -140,12 +140,19 @@ UndefinedBehaviourSanitizer build, just specify all supported sanitizers except
If you want to test a particular sanitizer to see what crashes it generates without filing
them in the issue tracker, you can set an `experimental` flag. For example, if you want to test "memory", set `experimental: True` like this:
+[Nalloc](https://github.com/catenacyber/nallocfuzz) ("nalloc") is also supported
+but is not enabled by default due to the likelihood of bugs in the targets rather
+than in the software itself.
+
+Nalloc sanitizer injects allocation failures, and uses in addition address sanitizer.
+
```
sanitizers:
- address
- memory:
experimental: True
- undefined
+ - nalloc
```
Crashes can be accessed on the [ClusterFuzz
diff --git a/docs/index.md b/docs/index.md
index d3ba114f195c..bb27633abf29 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -42,7 +42,7 @@ execution environment and reporting tool.
[ClusterFuzz]: https://github.com/google/clusterfuzz
[ClusterFuzzLite]: https://google.github.io/clusterfuzzlite/
-Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other
+Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Swift and Java/JVM code. Other
languages supported by [LLVM] may work too. OSS-Fuzz supports fuzzing x86_64
and i386 builds.
diff --git a/infra/base-images/base-builder/Dockerfile b/infra/base-images/base-builder/Dockerfile
index 73117d75086f..168ebd41d042 100644
--- a/infra/base-images/base-builder/Dockerfile
+++ b/infra/base-images/base-builder/Dockerfile
@@ -72,6 +72,8 @@ ENV SANITIZER_FLAGS_thread "-fsanitize=thread"
ENV SANITIZER_FLAGS_introspector "-O0 -flto -fno-inline-functions -fuse-ld=gold -Wno-unused-command-line-argument"
+ENV SANITIZER_FLAGS_nalloc "-DLLVMFuzzerTestOneInput=NaloFuzzerTestOneInput -DLLVMFuzzerInitialize=NaloFuzzerInitialize $SANITIZER_FLAGS_address"
+
# Do not use any sanitizers in the coverage build.
ENV SANITIZER_FLAGS_coverage ""
@@ -109,6 +111,11 @@ ENV FUZZER_LDFLAGS ""
WORKDIR $SRC
+RUN git clone --depth 1 https://github.com/catenacyber/nallocfuzz.git
+RUN git clone --depth 1 https://github.com/ianlancetaylor/libbacktrace.git $SRC/nallocfuzz/libbacktrace
+COPY precompile_nallocfuzz /usr/local/bin/
+RUN precompile_nallocfuzz
+
RUN git clone https://github.com/AFLplusplus/AFLplusplus.git aflplusplus && \
cd aflplusplus && \
git checkout 091d66fa92cd9e4caa5829d579b1b996c49db8c9 && \
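Review bot: The two new `git clone --depth 1` lines fetch nallocfuzz and libbacktrace at whatever their default branch points to at build time, so the base-builder image is not reproducible and the `nallocsan.a` that gets linked into every nalloc target can change without any change in this repository, whereas the AFLplusplus clone directly below pins a commit with `git checkout`. Pinning the same way, one layer per checkout, would be `RUN git clone https://github.com/catenacyber/nallocfuzz.git && git -C nallocfuzz checkout <PINNED_NALLOCFUZZ_COMMIT>` and `RUN git clone https://github.com/ianlancetaylor/libbacktrace.git $SRC/nallocfuzz/libbacktrace && git -C $SRC/nallocfuzz/libbacktrace checkout <PINNED_LIBBACKTRACE_COMMIT>` (placeholders for the commits you choose). `--depth 1` has to be dropped for a checkout of an arbitrary commit to succeed, as the AFLplusplus line already does.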
@@ -172,4 +179,4 @@ COPY llvmsymbol.diff $SRC
COPY detect_repo.py /opt/cifuzz/
COPY bazel.bazelrc /root/.bazelrc
-CMD ["compile"]
\ No newline at end of file
+CMD ["compile"]
diff --git a/infra/base-images/base-builder/compile b/infra/base-images/base-builder/compile
index c1f134c5de51..3cf60afcfdd0 100755
--- a/infra/base-images/base-builder/compile
+++ b/infra/base-images/base-builder/compile
@@ -175,6 +175,10 @@ EOF
export CXXFLAGS="$CXXFLAGS -fno-sanitize=leak"
fi
+if [ "$SANITIZER" = "nalloc" ]; then
+ export LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE $SRC/nallocfuzz/nallocsan.a"
+fi
+
if [ "$SANITIZER" = "introspector" ]; then
export AR=llvm-ar
export NM=llvm-nm
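Review bot: The position of the appended archive is load-bearing and nothing says so: `$SRC/nallocfuzz/nallocsan.a` is placed after the engine library, which is where a static archive that provides `LLVMFuzzerTestOneInput` has to sit for the engine's undefined reference to be resolved against it, while the target's own entry point is renamed to `NaloFuzzerTestOneInput` by `SANITIZER_FLAGS_nalloc` in the Dockerfile hunk. A comment on the new `if` would keep a later edit from reordering it, e.g. `# nallocsan.a supplies LLVMFuzzerTestOneInput and calls the target's renamed NaloFuzzerTestOneInput; keep it after the engine library.` That nallocsan.a is the one defining the wrapper is inferred from the -D rename, not visible in this patch, so confirm before wording the comment.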
diff --git a/infra/base-images/base-builder/precompile_nallocfuzz b/infra/base-images/base-builder/precompile_nallocfuzz
new file mode 100755
index 000000000000..bf1c98f0f5fb
--- /dev/null
+++ b/infra/base-images/base-builder/precompile_nallocfuzz
@@ -0,0 +1,31 @@
+#!/bin/bash -eu
+# Copyright 2023 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+echo "Precompiling nallocfuzz"
+
+pushd $SRC/nallocfuzz/ > /dev/null
+pushd libbacktrace > /dev/null
+./configure
+make -j$(nproc)
+popd > /dev/null
+clang -fPIE -I. -c nallocsan.c -o nallocsan.o
+ar -x libbacktrace/.libs/libbacktrace.a
+ar rcs nallocsan.a *.o
+rm *.o
+popd > /dev/null
+
+echo "Done."
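Review bot: The header says nothing about what the script produces or who consumes it, and the archive assembly depends on the checkout being clean: `ar -x libbacktrace/.libs/libbacktrace.a` dumps libbacktrace's objects into the nallocfuzz source directory and `ar rcs nallocsan.a *.o` then sweeps up every `.o` there, including any the upstream checkout might ship or leave behind. A one-line description after the license block would help, e.g. `# Builds $SRC/nallocfuzz/nallocsan.a (nallocsan.o + libbacktrace objects) for linking into nalloc-sanitizer targets via compile.` Extracting into a scratch subdirectory instead of the checkout root, or listing the object names explicitly, would make the `*.o` glob deterministic; quoting the expansion in `pushd "$SRC/nallocfuzz/"` is also cheap.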
diff --git a/infra/base-images/base-runner/reproduce b/infra/base-images/base-runner/reproduce
index 2c074d05e51b..d85429242461 100755
--- a/infra/base-images/base-runner/reproduce
+++ b/infra/base-images/base-runner/reproduce
@@ -30,5 +30,6 @@ fi
export RUN_FUZZER_MODE="interactive"
export FUZZING_ENGINE="libfuzzer"
export SKIP_SEED_CORPUS="1"
+export FUZZ_REPRODUCE_VERBOSE="1"
run_fuzzer $FUZZER $@ $TESTCASE
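Review bot: `FUZZ_REPRODUCE_VERBOSE` is exported here but nothing in this patch reads it, so its effect is only discoverable by looking at run_fuzzer, which is not in the diff; a comment naming the consumer would help, e.g. `# Read by run_fuzzer: print the full target output when reproducing.` if that is what it does. The reproducing.md hunk states that nalloc needs `-runs=2` or more when the target is launched without the python wrapper; if run_fuzzer is what adds that for `SANITIZER=nalloc`, this is the place to say so, because a reproduce that ends up with a single run would not exercise the injected allocation failure.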
diff --git a/infra/constants.py b/infra/constants.py
index e085700c9b25..4a724f85530b 100644
--- a/infra/constants.py
+++ b/infra/constants.py
@@ -43,6 +43,7 @@
'coverage',
'introspector',
'hwaddress',
+ 'nalloc',
]
ARCHITECTURES = ['i386', 'x86_64', 'aarch64']
ENGINES = ['libfuzzer', 'afl', 'honggfuzz', 'centipede', 'none', 'wycheproof']
diff --git a/projects/flac/project.yaml b/projects/flac/project.yaml
index be7bd1973eb3..05eb5f68e1f0 100644
--- a/projects/flac/project.yaml
+++ b/projects/flac/project.yaml
@@ -9,8 +9,13 @@ sanitizers:
- address
- undefined
- memory
+ - nalloc
architectures:
- x86_64
- i386
+fuzzing_engines:
+ - afl
+ - honggfuzz
+ - libfuzzer
coverage_extra_args: -ignore-filename-regex=/usr/lib/jvm/.*
main_repo: 'https://github.com/xiph/flac.git'
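Review bot: The new `fuzzing_engines` list is unrelated to the nalloc addition and carries no explanation; listing `afl`, `honggfuzz` and `libfuzzer` explicitly presumably excludes an engine that would otherwise be enabled by default, but a reader cannot tell whether that is deliberate for the nalloc build or a leftover. A comment such as `# Explicit engine list: nalloc builds are only supported with these engines` — adjusted to the real reason — would settle it. The same unexplained list is added in projects/ndpi/project.yaml.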
diff --git a/projects/fluent-bit/project.yaml b/projects/fluent-bit/project.yaml
index 094ece0e950d..0a114f0ca561 100755
--- a/projects/fluent-bit/project.yaml
+++ b/projects/fluent-bit/project.yaml
@@ -10,3 +10,7 @@ fuzzing_engines:
- afl
- honggfuzz
- libfuzzer
+sanitizers:
+ - address
+ - undefined
+ - nalloc
diff --git a/projects/libpng/project.yaml b/projects/libpng/project.yaml
index 61b40a76054f..40c54fb21e14 100644
--- a/projects/libpng/project.yaml
+++ b/projects/libpng/project.yaml
@@ -12,6 +12,7 @@ sanitizers:
- address
- memory
- undefined
+ - nalloc
architectures:
- x86_64
main_repo: 'https://github.com/pnggroup/libpng.git'
diff --git a/projects/libwebp/project.yaml b/projects/libwebp/project.yaml
index 0283bae537f2..d93e27d64636 100644
--- a/projects/libwebp/project.yaml
+++ b/projects/libwebp/project.yaml
@@ -9,6 +9,7 @@ sanitizers:
- address
- undefined
- memory
+ - nalloc
auto_ccs:
- pascal.massimino@gmail.com
- vrabaud@google.com
diff --git a/projects/ndpi/project.yaml b/projects/ndpi/project.yaml
index ce7c22d36363..3e496021dab9 100644
--- a/projects/ndpi/project.yaml
+++ b/projects/ndpi/project.yaml
@@ -8,4 +8,9 @@ sanitizers:
- address
- undefined
- memory
+ - nalloc
+fuzzing_engines:
+ - afl
+ - honggfuzz
+ - libfuzzer
main_repo: 'https://github.com/ntop/nDPI.git'
diff --git a/projects/suricata/project.yaml b/projects/suricata/project.yaml
index e1ad51cf194c..fd1c6d721778 100644
--- a/projects/suricata/project.yaml
+++ b/projects/suricata/project.yaml
@@ -8,6 +8,7 @@ sanitizers:
- address
- memory
- undefined
+ - nalloc
fuzzing_engines:
- afl
- honggfuzz
diff --git a/projects/systemd/project.yaml b/projects/systemd/project.yaml
index 087093f75e51..4867157aeb61 100644
--- a/projects/systemd/project.yaml
+++ b/projects/systemd/project.yaml
@@ -6,6 +6,7 @@ sanitizers:
- address
- undefined
- memory
+ - nalloc
fuzzing_engines:
- afl
- honggfuzz