From d102c59b96f8859d1f354380d8cf3d7932553956 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?=
Date: Tue, 27 Sep 2022 10:32:34 +0200
Subject: [PATCH 1/3] Detect errors in fuzzer initialization

Incomplete initialization typically causes mysterious failures later on, so let's err out early.
---
 fuzz/main.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/fuzz/main.c b/fuzz/main.c
index ddddfe8fe3..4bfc66e1c6 100644
--- a/fuzz/main.c
+++ b/fuzz/main.c
@@ -94,10 +94,15 @@ test_all_from(const char *dirname) {
 
 int
 main(int argc, char **argv) {
+	int ret;
 	char corpusdir[PATH_MAX];
 	const char *target = strrchr(argv[0], '/');
 
-	(void)LLVMFuzzerInitialize(&argc, &argv);
+	ret = LLVMFuzzerInitialize(&argc, &argv);
+	if (ret != 0) {
+		fprintf(stderr, "LLVMFuzzerInitialize failure: %d\n", ret);
+		return 1;
+	}
 
 	if (argv[1] != NULL && strcmp(argv[1], "-d") == 0) {
 		debug = true;
@@ -134,7 +139,11 @@ main(int argc, char **argv) {
 	int ret;
 	unsigned char buf[64 * 1024];
 
-	(void)LLVMFuzzerInitialize(&argc, &argv);
+	LLVMFuzzerInitialize(&argc, &argv);
+	if (ret != 0) {
+		fprintf(stderr, "LLVMFuzzerInitialize failure: %d\n", ret);
+		return 1;
+	}
 
 #ifdef __AFL_LOOP
 	while (__AFL_LOOP(10000)) { /* only works with afl-clang-fast */

From 4108d79c9a3bc7a617d7ca24adc1180043ee9919 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?=
Date: Tue, 27 Sep 2022 10:39:51 +0200
Subject: [PATCH 2/3] Fix dns_message_checksig in out-of-tree setup

Hardcoded path was missing FUZZDIR prefix.

Related: !5923
---
 fuzz/dns_message_checksig.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fuzz/dns_message_checksig.c b/fuzz/dns_message_checksig.c
index 81a55d70e6..4f248fc2e6 100644
--- a/fuzz/dns_message_checksig.c
+++ b/fuzz/dns_message_checksig.c
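Review bot: In the second hunk (`@@ -134,7 +139,11 @@`) the call `LLVMFuzzerInitialize(&argc, &argv);` no longer stores its result, so the `if (ret != 0)` that follows reads the `ret` declared two lines earlier without ever initializing it — undefined behaviour, which in practice means the new check either never fires or exits spuriously. The line should be `ret = LLVMFuzzerInitialize(&argc, &argv);`, exactly as the first hunk does. The first hunk also adds a second `int ret;` to `main`, which is only valid if the two halves are alternatives under a preprocessor conditional; the hunks do not show that, so it is worth confirming. Both hunks sit inside `main`, whose body continues outside them.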
@@ -119,6 +119,7 @@ LLVMFuzzerInitialize(int *argc __attribute__((unused)),
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
 	};
 	dns_zone_t *zone = NULL;
+	char pathbuf[PATH_MAX];
 
 	atexit(cleanup);
 
@@ -174,13 +175,16 @@ LLVMFuzzerInitialize(int *argc __attribute__((unused)),
 	dns_zone_setclass(zone, view->rdclass);
 	dns_zone_settype(zone, dns_zone_primary);
 
-	result = dns_zone_setkeydirectory(zone, "dns_message_checksig.data");
+	snprintf(pathbuf, sizeof(pathbuf), FUZZDIR "/%s",
+		 "dns_message_checksig.data");
+	result = dns_zone_setkeydirectory(zone, pathbuf);
 	if (result != ISC_R_SUCCESS) {
 		return (1);
 	}
 
-	result = dns_zone_setfile(zone, "dns_message_checksig.data/sig0key.db",
-				  dns_masterformat_text,
+	snprintf(pathbuf, sizeof(pathbuf), FUZZDIR "/%s",
+		 "dns_message_checksig.data/sig0key.db");
+	result = dns_zone_setfile(zone, pathbuf, dns_masterformat_text,
 				  &dns_master_style_default);
 	if (result != ISC_R_SUCCESS) {
 		return (1);

From 16377100ae145f2994e6e18f4dfc586403f31ec8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 27 Sep 2022 13:00:09 +0200
Subject: [PATCH 3/3] Fix stack-use-after-scope in dns_message_checksig test

Previously stack with buffer for test dns message went out of scope before the message was processed. For fuzz testing its better to avoid allocation, so let's avoid allocations completely and use simplest possible static buffer.

Fixes: #3565
---
 fuzz/dns_message_checksig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fuzz/dns_message_checksig.c b/fuzz/dns_message_checksig.c
index 4f248fc2e6..bead6be995 100644
--- a/fuzz/dns_message_checksig.c
+++ b/fuzz/dns_message_checksig.c
@@ -213,7 +213,7 @@ create_message(dns_message_t **messagep, const uint8_t *data, size_t size,
 	isc_result_t result;
 	dns_message_t *message = NULL;
 	isc_buffer_t b;
-	unsigned char buf[65535];
+	static unsigned char buf[65535];
 
 	isc_buffer_init(&b, buf, sizeof(buf));
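Review bot: The two `snprintf` calls added in the `@@ -174,13 +175,16 @@` hunk discard their return value, so a build where `FUZZDIR "/dns_message_checksig.data/sig0key.db"` does not fit in `PATH_MAX` silently hands a truncated path to `dns_zone_setkeydirectory()` and `dns_zone_setfile()`, turning a configuration problem into exactly the kind of late, mysterious failure patch 1/3 sets out to catch. Checking the result and returning `(1)` on error or truncation keeps the function's existing failure convention; the `int n;` this needs belongs next to the `char pathbuf[PATH_MAX];` declaration added in the previous hunk. The enclosing `LLVMFuzzerInitialize` begins before this hunk.
```c
	/* … unchanged: dns_zone_setclass / dns_zone_settype … */
	n = snprintf(pathbuf, sizeof(pathbuf), FUZZDIR "/%s",
		     "dns_message_checksig.data");
	if (n < 0 || (size_t)n >= sizeof(pathbuf)) {
		return (1);
	}
	result = dns_zone_setkeydirectory(zone, pathbuf);
	/* … unchanged: ISC_R_SUCCESS check … */
	n = snprintf(pathbuf, sizeof(pathbuf), FUZZDIR "/%s",
		     "dns_message_checksig.data/sig0key.db");
	if (n < 0 || (size_t)n >= sizeof(pathbuf)) {
		return (1);
	}
	result = dns_zone_setfile(zone, pathbuf, dns_masterformat_text,
				  &dns_master_style_default);
```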