bind9/fuzz/Makefile.am

include $(top_srcdir)/Makefile.top

AM_CFLAGS +=				\
	$(TEST_CFLAGS)

AM_CPPFLAGS +=				\
	$(LIBISC_CFLAGS)		\
	$(LIBDNS_CFLAGS)		\
	$(LIBUV_CFLAGS)		\
	-DFUZZDIR=\"$(abs_srcdir)\"

AM_LDFLAGS +=				\
	$(FUZZ_LDFLAGS)

LDADD +=				\
	libfuzzmain.la			\
	$(LIBDNS_LIBS)			\
	$(LIBISC_LIBS)

check_LTLIBRARIES = libfuzzmain.la
libfuzzmain_la_SOURCES =		\
	fuzz.h				\
	main.c

check_PROGRAMS =			\
	dns_master_load			\
	dns_message_checksig		\
	dns_message_parse		\
	dns_name_fromtext_target	\
	dns_name_fromwire		\
	dns_rdata_fromtext		\
	dns_rdata_fromwire_text		\
	isc_lex_getmastertoken		\
	isc_lex_gettoken

EXTRA_DIST =				\
	dns_master_load.in		\
	dns_message_checksig.in		\
	dns_message_parse.in		\
	dns_name_fromtext_target.in	\
	dns_name_fromwire.in		\
	dns_qp.in			\
	dns_qpkey_name.in		\
	dns_rdata_fromtext.in		\
	dns_rdata_fromwire_text.in	\
	isc_lex_getmastertoken.in	\
	isc_lex_gettoken.in

dns_name_fromwire_SOURCES =		\
	dns_name_fromwire.c		\
	old.c				\
	old.h

if HAVE_CMOCKA

check_PROGRAMS +=			\
	dns_qp				\
	dns_qpkey_name

AM_CPPFLAGS +=				\
	-I$(top_srcdir)/lib/dns		\
	-I$(top_srcdir)/lib/isc		\
	-I$(top_srcdir)/tests/include

# libisc needs to appear after libtest
LDADD +=						\
	$(top_builddir)/tests/libtest/libtest.la	\
	$(LIBISC_LIBS)

endif HAVE_CMOCKA

TESTS = $(check_PROGRAMS)

if HAVE_FUZZ_LOG_COMPILER
LOG_COMPILER = $(srcdir)/$(FUZZ_LOG_COMPILER)
AM_LOG_FLAGS = $(srcdir)
endif HAVE_FUZZ_LOG_COMPILER

unit-local: check
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`include $(top_srcdir)/Makefile.top`

Avoid using C99 variable length arrays From an attacker's point of view, a VLA declaration is essentially a primitive for performing arbitrary arithmetic on the stack pointer. If the attacker can control the size of a VLA they have a very powerful tool for causing memory corruption. To mitigate this kind of attack, and the more general class of stack clash vulnerabilities, C compilers insert extra code when allocating a VLA to probe the growing stack one page at a time. If these probes hit the stack guard page, the program will crash. From the point of view of a C programmer, there are a few things to consider about VLAs: * If it is important to handle allocation failures in a controlled manner, don't use VLAs. You can use VLAs if it is OK for unreasonable inputs to cause an uncontrolled crash. * If the VLA is known to be smaller than some known fixed size, use a fixed size array and a run-time check to ensure it is large enough. This will be more efficient than the compiler's stack probes that need to cope with arbitrary-size VLAs. * If the VLA might be large, allocate it on the heap. The heap allocator can allocate multiple pages in one shot, whereas the stack clash probes work one page at a time. Most of the existing uses of VLAs in BIND are in test code where they are benign, but there was one instance in `named`, in the GSS-TSIG verification code, which has now been removed. This commit adjusts the style guide and the C compiler flags to allow VLAs in test code but not elsewhere. 2022-03-18 10:50:36 -04:00			`AM_CFLAGS += \`
			`$(TEST_CFLAGS)`

Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`AM_CPPFLAGS += \`
			`$(LIBISC_CFLAGS) \`
			`$(LIBDNS_CFLAGS) \`
Refactor qp-trie to use QSBR The first working multi-threaded qp-trie was stuck with an unpleasant trade-off: * Use `isc_rwlock`, which has acceptable write performance, but terrible read scalability because the qp-trie made all accesses through a single lock. * Use `liburcu`, which has great read scalability, but terrible write performance, because I was relying on `rcu_synchronize()` which is rather slow. And `liburcu` is LGPL. To get the best of both worlds, we need our own scalable read side, which we now have with `isc_qsbr`. And we need to modify the write side so that it is not blocked by readers. Better write performance requires an async cleanup function like `call_rcu()`, instead of the blocking `rcu_synchronize()`. (There is no blocking cleanup in `isc_qsbr`, because I have concluded that it would be an attractive nuisance.) Until now, all my multithreading qp-trie designs have been based around two versions, read-only and mutable. This is too few to work with asynchronous cleanup. The bare minimum (as in epoch based reclamation) is three, but it makes more sense to support an arbitrary number. Doing multi-version support "properly" makes fewer assumptions about how safe memory reclamation works, and it makes snapshots and rollbacks simpler. To avoid making the memory management even more complicated, I have introduced a new kind of "packed reader node" to anchor the root of a version of the trie. This is simpler because it re-uses the existing chunk lifetime logic - see the discussion under "packed reader nodes" in `qp_p.h`. I have also made the chunk lifetime logic simpler. The idea of a "generation" is gone; instead, chunks are either mutable or immutable. And the QSBR phase number is used to indicate when a chunk can be reclaimed. Instead of the `shared_base` flag (which was basically a one-bit reference count, with a two version limit) the base array now has a refcount, which replaces the confusing ad-hoc lifetime logic with something more familiar and systematic. 2022-12-22 09:55:14 -05:00			`$(LIBUV_CFLAGS) \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`-DFUZZDIR=\"$(abs_srcdir)\"`

Fix function overrides in unit tests on macOS Since Mac OS X 10.1, Mach-O object files are by default built with a so-called two-level namespace which prevents symbol lookups in BIND unit tests that attempt to override the implementations of certain library functions from working as intended. This feature can be disabled by passing the "-flat_namespace" flag to the linker. Fix unit tests affected by this issue on macOS by adding "-flat_namespace" to LDFLAGS used for building all object files on that operating system (it is not enough to only set that flag for the unit test executables). 2020-09-28 03:09:21 -04:00			`AM_LDFLAGS += \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`$(FUZZ_LDFLAGS)`

Move the include Makefile.tests to the bottom of Makefile.am(s) The Makefile.tests was modifying global AM_CFLAGS and LDADD and could accidentally pull /usr/include to be listed before the internal libraries, which is known to cause problems if the headers from the previous version of BIND 9 has been installed on the build machine. 2021-04-21 08:22:18 -04:00			`LDADD += \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`libfuzzmain.la \`
Fuzz testing the qp-trie Ensure dns_qpkey_fromname() and dns_qpkey_toname() are inverses. Excercise a single-threaded dns_qp_t with a fixed set of random keys and a small chunk size. Use the table of names to ensure that the trie is behaving as expected. This is (in effect) randomized testing like the `qpmulti` unit test, but making use of coverage-guided fuzzing and (in principle) test case minimization. 2022-06-12 10:52:35 -04:00			`$(LIBDNS_LIBS) \`
			`$(LIBISC_LIBS)`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00
			`check_LTLIBRARIES = libfuzzmain.la`
			`libfuzzmain_la_SOURCES = \`
Include fuzz/fuzz.h in source tarballs 2020-08-06 03:10:06 -04:00			`fuzz.h \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`main.c`

			`check_PROGRAMS = \`
Add dns_master_loadbuffer() fuzzer Corpus focuses on "extra" things in master files like $GENERATE etc. Text encoding for RRs is thoroughly tested in dns_rdata_fromtext fuzzer. 2021-02-19 12:08:36 -05:00			`dns_master_load \`
Add dns_message_checksig() fuzzer dns_message_checksig is called in a number of scenarios * on requests and responses * on multiple opcodes * with and without signatures * with TSIG signatures * with SIG(0) signatures * with and without configured TSIG keys * with and without KEY records being present * signing performed now, in the future and in the past we use the first two octets of the seed to configure the calling environment with the remainder of the seed being the rdata of the TSIG/SIG(0) record. 2022-03-02 05:48:26 -05:00			`dns_message_checksig \`
Add dns_message_parse() fuzzer Previously, the bin/system/wire_test.c was optionally used as a fuzzer, this commit extracts the parts relevant to the fuzzing into a specialized fuzzer that can be used in oss-fuzz project. The fuzzer parses the input as UDP DNS message, then prints parsed DNS message, then renders the DNS message and then prints the rendered DNS message. No part of the code should cause a assertion failure. 2020-08-25 03:51:40 -04:00			`dns_message_parse \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`dns_name_fromtext_target \`
Fuzzing and benchmarking for dns_name_fromwire() Since this is very sensitive code which has often had security problems in many DNS implementations, it needs a decent amount of validation. This fuzzer ensures that the new code has the same output as the old code, and that it doesn't take longer than a second. The benchmark uses the fuzzer's copy of the old dns_name_fromwire() code to compare a number of scenarios: many compression pointers, many labels, long labels, random data, with/without downcasing. 2022-11-07 11:22:48 -05:00			`dns_name_fromwire \`
Add dns_rdata_fromtext() fuzzer ... along with dns_rdataclass_fromtext and dns_rdatatype_fromtext Most of the test binary is modified named-rrchecker. Main differences: - reads single RR and exists - does not refuse meta classes and rr types We actually do have some fromtext code for meta-things so erroring out in named-rrchecker would prevent us from testing this code. Corpus has examples of all currently supported RR types. I did not do any minimization. In future use command diff -U0 \ <(sed -n -e 's/^.fromtext_\(.\)(.*$/\1/p' lib/dns/code.h \| \ sort) \ <(ls fuzz/dns_rdata_fromtext.in/) to check for missing RR types. 2021-02-18 15:29:33 -05:00			`dns_rdata_fromtext \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`dns_rdata_fromwire_text \`
			`isc_lex_getmastertoken \`
			`isc_lex_gettoken`

			`EXTRA_DIST = \`
Add dns_master_loadbuffer() fuzzer Corpus focuses on "extra" things in master files like $GENERATE etc. Text encoding for RRs is thoroughly tested in dns_rdata_fromtext fuzzer. 2021-02-19 12:08:36 -05:00			`dns_master_load.in \`
Add dns_message_checksig() fuzzer dns_message_checksig is called in a number of scenarios * on requests and responses * on multiple opcodes * with and without signatures * with TSIG signatures * with SIG(0) signatures * with and without configured TSIG keys * with and without KEY records being present * signing performed now, in the future and in the past we use the first two octets of the seed to configure the calling environment with the remainder of the seed being the rdata of the TSIG/SIG(0) record. 2022-03-02 05:48:26 -05:00			`dns_message_checksig.in \`
Add dns_message_parse() fuzzer Previously, the bin/system/wire_test.c was optionally used as a fuzzer, this commit extracts the parts relevant to the fuzzing into a specialized fuzzer that can be used in oss-fuzz project. The fuzzer parses the input as UDP DNS message, then prints parsed DNS message, then renders the DNS message and then prints the rendered DNS message. No part of the code should cause a assertion failure. 2020-08-25 03:51:40 -04:00			`dns_message_parse.in \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`dns_name_fromtext_target.in \`
Fuzzing and benchmarking for dns_name_fromwire() Since this is very sensitive code which has often had security problems in many DNS implementations, it needs a decent amount of validation. This fuzzer ensures that the new code has the same output as the old code, and that it doesn't take longer than a second. The benchmark uses the fuzzer's copy of the old dns_name_fromwire() code to compare a number of scenarios: many compression pointers, many labels, long labels, random data, with/without downcasing. 2022-11-07 11:22:48 -05:00			`dns_name_fromwire.in \`
Fuzz testing the qp-trie Ensure dns_qpkey_fromname() and dns_qpkey_toname() are inverses. Excercise a single-threaded dns_qp_t with a fixed set of random keys and a small chunk size. Use the table of names to ensure that the trie is behaving as expected. This is (in effect) randomized testing like the `qpmulti` unit test, but making use of coverage-guided fuzzing and (in principle) test case minimization. 2022-06-12 10:52:35 -04:00			`dns_qp.in \`
			`dns_qpkey_name.in \`
Add dns_rdata_fromtext() fuzzer ... along with dns_rdataclass_fromtext and dns_rdatatype_fromtext Most of the test binary is modified named-rrchecker. Main differences: - reads single RR and exists - does not refuse meta classes and rr types We actually do have some fromtext code for meta-things so erroring out in named-rrchecker would prevent us from testing this code. Corpus has examples of all currently supported RR types. I did not do any minimization. In future use command diff -U0 \ <(sed -n -e 's/^.fromtext_\(.\)(.*$/\1/p' lib/dns/code.h \| \ sort) \ <(ls fuzz/dns_rdata_fromtext.in/) to check for missing RR types. 2021-02-18 15:29:33 -05:00			`dns_rdata_fromtext.in \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`dns_rdata_fromwire_text.in \`
			`isc_lex_getmastertoken.in \`
			`isc_lex_gettoken.in`

Fuzzing and benchmarking for dns_name_fromwire() Since this is very sensitive code which has often had security problems in many DNS implementations, it needs a decent amount of validation. This fuzzer ensures that the new code has the same output as the old code, and that it doesn't take longer than a second. The benchmark uses the fuzzer's copy of the old dns_name_fromwire() code to compare a number of scenarios: many compression pointers, many labels, long labels, random data, with/without downcasing. 2022-11-07 11:22:48 -05:00			`dns_name_fromwire_SOURCES = \`
			`dns_name_fromwire.c \`
			`old.c \`
			`old.h`

Fuzz testing the qp-trie Ensure dns_qpkey_fromname() and dns_qpkey_toname() are inverses. Excercise a single-threaded dns_qp_t with a fixed set of random keys and a small chunk size. Use the table of names to ensure that the trie is behaving as expected. This is (in effect) randomized testing like the `qpmulti` unit test, but making use of coverage-guided fuzzing and (in principle) test case minimization. 2022-06-12 10:52:35 -04:00			`if HAVE_CMOCKA`

			`check_PROGRAMS += \`
			`dns_qp \`
			`dns_qpkey_name`

			`AM_CPPFLAGS += \`
			`-I$(top_srcdir)/lib/dns \`
			`-I$(top_srcdir)/lib/isc \`
			`-I$(top_srcdir)/tests/include`

			`# libisc needs to appear after libtest`
			`LDADD += \`
			`$(top_builddir)/tests/libtest/libtest.la \`
			`$(LIBISC_LIBS)`

			`endif HAVE_CMOCKA`

Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`TESTS = $(check_PROGRAMS)`

			`if HAVE_FUZZ_LOG_COMPILER`
			`LOG_COMPILER = $(srcdir)/$(FUZZ_LOG_COMPILER)`
			`AM_LOG_FLAGS = $(srcdir)`
			`endif HAVE_FUZZ_LOG_COMPILER`

			`unit-local: check`