From 35c5853f8ac5525b515be9de2dedbdf63dec4614 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?=
Date: Tue, 27 Sep 2022 10:32:34 +0200
Subject: [PATCH 1/3] Detect errors in fuzzer initialization
Incomplete initialization typically causes mysterious failures later on, so let's err out early.
(cherry picked from commit d102c59b96f8859d1f354380d8cf3d7932553956)
---
 fuzz/main.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/fuzz/main.c b/fuzz/main.c
index ddddfe8fe3..4bfc66e1c6 100644
--- a/fuzz/main.c
+++ b/fuzz/main.c
@@ -94,10 +94,15 @@ test_all_from(const char *dirname) {
 int
 main(int argc, char **argv) {
+	int ret;
 	char corpusdir[PATH_MAX];
 	const char *target = strrchr(argv[0], '/');
-	(void)LLVMFuzzerInitialize(&argc, &argv);
+	ret = LLVMFuzzerInitialize(&argc, &argv);
+	if (ret != 0) {
+		fprintf(stderr, "LLVMFuzzerInitialize failure: %d\n", ret);
+		return 1;
+	}
 	if (argv[1] != NULL && strcmp(argv[1], "-d") == 0) {
 		debug = true;
@@ -134,7 +139,11 @@ main(int argc, char **argv) {
 	int ret;
 	unsigned char buf[64 * 1024];
-	(void)LLVMFuzzerInitialize(&argc, &argv);
+	LLVMFuzzerInitialize(&argc, &argv);
+	if (ret != 0) {
+		fprintf(stderr, "LLVMFuzzerInitialize failure: %d\n", ret);
+		return 1;
+	}
 #ifdef __AFL_LOOP
 	while (__AFL_LOOP(10000)) { /* only works with afl-clang-fast */
From a24ced44ab5aecd7f36a27d23c63bb14adc0d628 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?=
Date: Tue, 27 Sep 2022 10:39:51 +0200
Subject: [PATCH 2/3] Fix dns_message_checksig in out-of-tree setup
Hardcoded path was missing FUZZDIR prefix.
Related: !5923
(cherry picked from commit 4108d79c9a3bc7a617d7ca24adc1180043ee9919)
---
 fuzz/dns_message_checksig.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/fuzz/dns_message_checksig.c b/fuzz/dns_message_checksig.c
index 21429dd718..70da0f9d5a 100644
--- a/fuzz/dns_message_checksig.c
+++ b/fuzz/dns_message_checksig.c
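Review bot: In the first fuzz/main.c hunk `ret` is added as a bare `int ret;` at the top of main() and only assigned several lines further down, which sits oddly next to the initialized declaration of `target` immediately below it. Declaring it at first use, `int ret = LLVMFuzzerInitialize(&argc, &argv);`, keeps the variable initialized from the moment it exists and removes the window in which it can be read before assignment. The check that follows it is fine as written. main() begins in this hunk but its body continues past the hunk's end.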
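Review bot: In the second fuzz/main.c hunk `ret` is read uninitialized by the new `if (ret != 0)` check: the added line `LLVMFuzzerInitialize(&argc, &argv);` discards the return value instead of storing it, and nothing else in the hunk assigns `ret` after its `int ret;` declaration. Reading an uninitialized automatic is undefined behaviour, so the early exit this commit is meant to add can pass or fire arbitrarily in this (apparently second, build-dependent) main() variant, and the initialization failure it is supposed to catch would go unreported. The line should read `ret = LLVMFuzzerInitialize(&argc, &argv);`, exactly as the first hunk does. main()'s body continues outside this hunk.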
@@ -119,6 +119,7 @@ LLVMFuzzerInitialize(int *argc __attribute__((unused)),
 	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
 	dns_zone_t *zone = NULL;
+	char pathbuf[PATH_MAX];
 	atexit(cleanup);
@@ -174,13 +175,16 @@ LLVMFuzzerInitialize(int *argc __attribute__((unused)),
 	dns_zone_setclass(zone, view->rdclass);
 	dns_zone_settype(zone, dns_zone_primary);
-	result = dns_zone_setkeydirectory(zone, "dns_message_checksig.data");
+	snprintf(pathbuf, sizeof(pathbuf), FUZZDIR "/%s",
+		 "dns_message_checksig.data");
+	result = dns_zone_setkeydirectory(zone, pathbuf);
 	if (result != ISC_R_SUCCESS) {
 		return (1);
 	}
-	result = dns_zone_setfile(zone, "dns_message_checksig.data/sig0key.db",
-				  dns_masterformat_text,
+	snprintf(pathbuf, sizeof(pathbuf), FUZZDIR "/%s",
+		 "dns_message_checksig.data/sig0key.db");
+	result = dns_zone_setfile(zone, pathbuf, dns_masterformat_text,
 				  &dns_master_style_default);
 	if (result != ISC_R_SUCCESS) {
 		return (1);
From 6a349d5c295df032d40eeb9959562e788046e332 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 27 Sep 2022 13:00:09 +0200
Subject: [PATCH 3/3] Fix stack-use-after-scope in dns_message_checksig test
Previously stack with buffer for test dns message went out of scope before the message was processed. For fuzz testing its better to avoid allocation, so let's avoid allocations completely and use simplest possible static buffer.
Fixes: #3565
(cherry picked from commit 16377100ae145f2994e6e18f4dfc586403f31ec8)
---
 fuzz/dns_message_checksig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fuzz/dns_message_checksig.c b/fuzz/dns_message_checksig.c
index 70da0f9d5a..af01b9ad57 100644
--- a/fuzz/dns_message_checksig.c
+++ b/fuzz/dns_message_checksig.c
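Review bot: Both `snprintf` calls in the second dns_message_checksig.c hunk ignore their return value, so if `FUZZDIR` plus the relative name does not fit in `pathbuf` the path is silently truncated and `dns_zone_setkeydirectory` / `dns_zone_setfile` are handed a wrong location, which then surfaces only as a confusing later failure. The function already returns 1 on every ISC failure in this hunk, so the same early exit fits a truncation check; the rewritten lines are below. LLVMFuzzerInitialize begins before this hunk and its body continues after it.
```c
	/* … unchanged: dns_zone_setclass / dns_zone_settype … */
	int n = snprintf(pathbuf, sizeof(pathbuf), FUZZDIR "/%s",
			 "dns_message_checksig.data");
	if (n < 0 || (size_t)n >= sizeof(pathbuf)) {
		return (1);
	}
	result = dns_zone_setkeydirectory(zone, pathbuf);
	/* … unchanged: ISC_R_SUCCESS check … */
	n = snprintf(pathbuf, sizeof(pathbuf), FUZZDIR "/%s",
		     "dns_message_checksig.data/sig0key.db");
	if (n < 0 || (size_t)n >= sizeof(pathbuf)) {
		return (1);
	}
	result = dns_zone_setfile(zone, pathbuf, dns_masterformat_text,
				  &dns_master_style_default);
```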
@@ -213,7 +213,7 @@ create_message(dns_message_t **messagep, const uint8_t *data, size_t size,
 	isc_result_t result;
 	dns_message_t *message = NULL;
 	isc_buffer_t b;
-	unsigned char buf[65535];
+	static unsigned char buf[65535];
 	isc_buffer_init(&b, buf, sizeof(buf));
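Review bot: The new `static unsigned char buf[65535];` in create_message carries no comment, so the reason for a function-local static (the commit message says the message outlives the stack frame that used to hold this buffer) is invisible in the code, and the next reader is likely to take it for an accident and revert it. If the parsed message really keeps pointing into `buf` after create_message returns, as the commit message implies, the static buffer also means only one message may be live at a time, since the next call overwrites the data of the previous one. A comment on the line should say both, e.g. `/* static: the message keeps referencing buf after we return, so it must outlive this frame; only one message may be live at a time. */`. create_message continues outside the hunk.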