+++ /dev/null
-#!/bin/bash
-. $(dirname $0)/common.sh
-BUILD=$SCRIPT_DIR/$1/build.sh
-TEST=$SCRIPT_DIR/$1/test.sh
-
-[ ! -e $BUILD ] && echo "NO SUCH FILE: $BUILD" && exit 1
-[ ! -e $TEST ] && echo "NO SUCH FILE: $TEST" && exit 1
-
-RUNDIR="RUNDIR-$1"
-mkdir -p $RUNDIR
-cd $RUNDIR
-$BUILD && $TEST
-
+++ /dev/null
-#!/bin/bash
-. $(dirname $0)/../common.sh
-build_lib() {
- rm -rf BUILD
- cp -rf SRC BUILD
- (cd BUILD && ./buildconf && ./configure CC="clang $FUZZ_CXXFLAGS" && make -j)
-}
-get_git_revision https://github.com/c-ares/c-ares.git 51fbb479f7948fca2ace3ff34a15ff27e796afdd SRC
-build_lib
-build_libfuzzer
-clang++ -g $SCRIPT_DIR/target.cc -I BUILD BUILD/.libs/libcares.a libFuzzer.a $FUZZ_CXXFLAGS -o $EXECUTABLE_NAME_BASE
+++ /dev/null
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-#include <arpa/nameser.h>
-#include <iostream>
-
-#include <ares.h>
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- unsigned char* buf;
- int buflen;
- char* inp = (char*)malloc(size+1);
- inp[size]=0;
- memcpy(inp, data, size);
-
- ares_create_query((const char*)inp, ns_c_in, ns_t_a, 0x1234, 0, &buf, &buflen, 0);
-
- free(buf);
- free(inp);
- return 0;
-}
+++ /dev/null
-#!/bin/bash
-. $(dirname $0)/../common.sh
-set -x
-[ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -max_total_time=10 2>&1 | tee log
-grep -Pzo "(?s)ERROR: AddressSanitizer: heap-buffer-overflow.*WRITE of size 1.*ares_create_query.*is located 0 bytes to the right of" log
+++ /dev/null
-#!/bin/bash
-
-# Don't allow to call these scripts from their directories.
-[ -e $(basename $0) ] && echo "PLEASE USE THIS SCRIPT FROM ANOTHER DIR" && exit 1
-SCRIPT_DIR=$(dirname $0)
-EXECUTABLE_NAME_BASE=$(basename $SCRIPT_DIR)
-LIBFUZZER_SRC=$(dirname $(dirname $SCRIPT_DIR))
-FUZZ_CXXFLAGS="-O2 -g -fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div"
-CORPUS=CORPUS-$EXECUTABLE_NAME_BASE
-JOBS=8
-
-get_git_revision() {
- GIT_REPO="$1"
- GIT_REVISION="$2"
- TO_DIR="$3"
- [ ! -e $TO_DIR ] && git clone $GIT_REPO $TO_DIR && (cd $TO_DIR && git reset --hard $GIT_REVISION)
-}
-
-get_git_tag() {
- GIT_REPO="$1"
- GIT_TAG="$2"
- TO_DIR="$3"
- [ ! -e $TO_DIR ] && git clone $GIT_REPO $TO_DIR && (cd $TO_DIR && git checkout $GIT_TAG)
-}
-
-
-build_libfuzzer() {
- $LIBFUZZER_SRC/build.sh
-}
+++ /dev/null
-#!/bin/bash
-. $(dirname $0)/../common.sh
-
-build_lib() {
- rm -rf BUILD
- cp -rf SRC BUILD
- (cd BUILD && ./autogen.sh && CXX="clang++ $FUZZ_CXXFLAGS" CC="clang $FUZZ_CXXFLAGS" CCLD="clang++ $FUZZ_CXXFLAGS" ./configure && make -j $JOBS)
-}
-
-get_git_tag git://git.gnome.org/libxml2 v2.9.2 SRC
-build_lib
-build_libfuzzer
-clang++ -std=c++11 $SCRIPT_DIR/target.cc $FUZZ_CXXFLAGS -I BUILD/include BUILD/.libs/libxml2.a libFuzzer.a -lz -o $EXECUTABLE_NAME_BASE
+++ /dev/null
-#include <string>
-#include <vector>
-#include "libxml/xmlversion.h"
-#include "libxml/parser.h"
-#include "libxml/HTMLparser.h"
-#include "libxml/tree.h"
-
-void ignore (void * ctx, const char * msg, ...) {}
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- xmlSetGenericErrorFunc(NULL, &ignore);
- if (auto doc = xmlReadMemory(reinterpret_cast<const char *>(data), size,
- "noname.xml", NULL, 0))
- xmlFreeDoc(doc);
- return 0;
-}
+++ /dev/null
-#!/bin/bash
-set -x
-. $(dirname $0)/../common.sh
-
-get_git_revision https://github.com/mcarpenter/afl be3e88d639da5350603f6c0fee06970128504342 afl
-rm -rf $CORPUS
-mkdir $CORPUS
-[ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -jobs=$JOBS -dict=afl/dictionaries/xml.dict -workers=$JOBS $CORPUS
-grep "AddressSanitizer: heap-buffer-overflow" fuzz-0.log
+++ /dev/null
-#!/bin/bash
-. $(dirname $0)/../common.sh
-
-build_lib() {
- rm -rf BUILD
- cp -rf SRC BUILD
- (cd BUILD && ./config && make clean && make CC="clang $FUZZ_CXXFLAGS" -j $JOBS)
-}
-
-get_git_tag https://github.com/openssl/openssl.git OpenSSL_1_0_1f SRC
-build_lib
-build_libfuzzer
-clang++ -g $SCRIPT_DIR/target.cc -DCERT_PATH=\"$SCRIPT_DIR/\" $FUZZ_CXXFLAGS BUILD/libssl.a BUILD/libcrypto.a libFuzzer.a -o $EXECUTABLE_NAME_BASE -I BUILD/include
+++ /dev/null
------BEGIN PRIVATE KEY-----
-MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA1AdZNDVOA9cXm97f
-erp1bukz2kohjToJS6Ma8fOb36VV9lQGmDNsJanXFiqafOgV+kh1HXqZ3l1I0JmZ
-71b+QQIDAQABAkAHGfPn5r0lLcgRpWZQwvv56f+dmQwEoeP7z4uwfNtEo0JcRD66
-1WRCvx3LE0VbNeaEdNmSPiRXhlwIggjfrBi9AiEA9UusPBcEp/QcPGs96nQQdQzE
-fw4x0HL/eSV3qHimT6MCIQDdSAiX4Ouxoiwn/9KhDMcZXRYX/OPzj6w8u1YIH7BI
-ywIgSozbJdAhHCJ2ym4VfUIVFl3xAmSAA0hQGLOocE1qzl0CIQDRicOxZmhqBiKA
-IgznOn1StEYWov+MhRFZVSBLgw5gbwIgJzOlSlu0Y22hEUsLCKyHBrCAZZHcZ020
-20pfogmQYn0=
------END PRIVATE KEY-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIBYTCCAQugAwIBAgIJAMPQQtUHkx+KMA0GCSqGSIb3DQEBCwUAMAwxCjAIBgNV
-BAMMAWEwHhcNMTYwOTI0MjIyMDUyWhcNNDQwMjA5MjIyMDUyWjAMMQowCAYDVQQD
-DAFhMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANQHWTQ1TgPXF5ve33q6dW7pM9pK
-IY06CUujGvHzm9+lVfZUBpgzbCWp1xYqmnzoFfpIdR16md5dSNCZme9W/kECAwEA
-AaNQME4wHQYDVR0OBBYEFCXtEo9rkLuKGSlm0mFE4Yk/HDJVMB8GA1UdIwQYMBaA
-FCXtEo9rkLuKGSlm0mFE4Yk/HDJVMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
-BQADQQCnldOnbdNJZxBO/J+979Urg8qDp8MnlN0979AmK1P5/YzPnAF4BU7QTOTE
-imS5qZ0MvziBa81nVlnnFRkIezcD
------END CERTIFICATE-----
+++ /dev/null
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <assert.h>
-#include <stdint.h>
-#include <stddef.h>
-
-#ifndef CERT_PATH
-# define CERT_PATH
-#endif
-
-SSL_CTX *Init() {
- SSL_library_init();
- SSL_load_error_strings();
- ERR_load_BIO_strings();
- OpenSSL_add_all_algorithms();
- SSL_CTX *sctx;
- assert (sctx = SSL_CTX_new(TLSv1_method()));
- /* These two file were created with this command:
- openssl req -x509 -newkey rsa:512 -keyout server.key \
- -out server.pem -days 9999 -nodes -subj /CN=a/
- */
- assert(SSL_CTX_use_certificate_file(sctx, CERT_PATH "server.pem",
- SSL_FILETYPE_PEM));
- assert(SSL_CTX_use_PrivateKey_file(sctx, CERT_PATH "server.key",
- SSL_FILETYPE_PEM));
- return sctx;
-}
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
- static SSL_CTX *sctx = Init();
- SSL *server = SSL_new(sctx);
- BIO *sinbio = BIO_new(BIO_s_mem());
- BIO *soutbio = BIO_new(BIO_s_mem());
- SSL_set_bio(server, sinbio, soutbio);
- SSL_set_accept_state(server);
- BIO_write(sinbio, Data, Size);
- SSL_do_handshake(server);
- SSL_free(server);
- return 0;
-}
+++ /dev/null
-#!/bin/bash
-# Find heartbleed.
-set -x
-[ -e openssl-1.0.1f ] && ./openssl-1.0.1f -max_total_time=300 2>&1 | tee log
-grep -Pzo "(?s)ERROR: AddressSanitizer: heap-buffer-overflow.*READ of size.*#1 0x.* in tls1_process_heartbeat .*ssl/t1_lib.c:2586" log
+++ /dev/null
-#!/bin/bash
-. $(dirname $0)/../common.sh
-
-build_lib() {
- rm -rf BUILD
- cp -rf SRC BUILD
- (cd BUILD && ./config && make clean && make CC="clang $FUZZ_CXXFLAGS" -j $JOBS)
-}
-
-get_git_tag https://github.com/openssl/openssl.git OpenSSL_1_0_2d SRC
-build_lib
-build_libfuzzer
-clang++ -g $SCRIPT_DIR/target.cc -DCERT_PATH=\"$SCRIPT_DIR/\" $FUZZ_CXXFLAGS BUILD/libssl.a BUILD/libcrypto.a libFuzzer.a -lgcrypt -o $EXECUTABLE_NAME_BASE -I BUILD/include
+++ /dev/null
-// Find CVE-2015-3193. Derived from
-// https://github.com/hannob/bignum-fuzz/blob/master/CVE-2015-3193-openssl-vs-gcrypt-modexp.c
-/* Fuzz-compare the OpenSSL function BN_mod_exp() and the libgcrypt function gcry_mpi_powm().
- *
- * To use this you should compile both libgcrypt and openssl with american fuzzy lop and then statically link everything together, e.g.:
- * afl-clang-fast -o [output] [input] libgcrypt.a libcrypto.a -lgpg-error
- *
- * Input is a binary file, the first bytes will decide how the rest of the file will be split into three bignums.
- *
- * by Hanno Böck, license CC0 (public domain)
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-#include <openssl/bn.h>
-#include <gcrypt.h>
-
-#define MAXBUF 1000000
-
-
-struct big_results {
- char *name;
- char *a;
- char *b;
- char *c;
- char *exptmod;
-};
-
-void printres(struct big_results *res) {
- printf("\n%s:\n", res->name);
- printf("a: %s\n", res->a);
- printf("b: %s\n", res->b);
- printf("c: %s\n", res->c);
- printf("b^c mod a: %s\n", res->exptmod);
-}
-
-void freeres(struct big_results *res) {
- free(res->a);
- free(res->b);
- free(res->c);
- free(res->exptmod);
-}
-
-
-char *gcrytostring(gcry_mpi_t in) {
- char *a, *b;
- size_t i;
- size_t j=0;
- gcry_mpi_aprint(GCRYMPI_FMT_HEX, (unsigned char**) &a, &i, in);
- while(a[j]=='0' && j<(i-2)) j++;
- if ((j%2)==1) j--;
- if (strncmp(&a[j],"00",2)==0) j++;
- b=(char*)malloc(i-j);
- strcpy(b, &a[j]);
- free(a);
- return b;
-}
-
-/* test gcry functions from libgcrypt */
-void gcrytest(unsigned char* a_raw, int a_len, unsigned char* b_raw, int b_len, unsigned char* c_raw, int c_len, struct big_results *res) {
- gcry_mpi_t a, b, c, res1, res2;
-
- /* unknown leak here */
- gcry_mpi_scan(&a, GCRYMPI_FMT_USG, a_raw, a_len, NULL);
- res->a = gcrytostring(a);
-
- gcry_mpi_scan(&b, GCRYMPI_FMT_USG, b_raw, b_len, NULL);
- res->b = gcrytostring(b);
-
- gcry_mpi_scan(&c, GCRYMPI_FMT_USG, c_raw, c_len, NULL);
- res->c = gcrytostring(c);
-
- res1=gcry_mpi_new(0);
-
- gcry_mpi_powm(res1, b, c, a);
- res->exptmod=gcrytostring(res1);
-
- gcry_mpi_release(a);
- gcry_mpi_release(b);
- gcry_mpi_release(c);
- gcry_mpi_release(res1);
-}
-
-/* test bn functions from openssl/libcrypto */
-void bntest(unsigned char* a_raw, int a_len, unsigned char* b_raw, int b_len, unsigned char* c_raw, int c_len, struct big_results *res) {
- BN_CTX *bctx = BN_CTX_new();
- BIGNUM *a = BN_new();
- BIGNUM *b = BN_new();
- BIGNUM *c = BN_new();
- BIGNUM *res1 = BN_new();
-
- BN_bin2bn(a_raw, a_len, a);
- BN_bin2bn(b_raw, b_len, b);
- BN_bin2bn(c_raw, c_len, c);
-
- res->a = BN_bn2hex(a);
- res->b = BN_bn2hex(b);
- res->c = BN_bn2hex(c);
-
- BN_mod_exp(res1, b, c, a, bctx);
- res->exptmod = BN_bn2hex(res1);
-
- BN_free(a);
- BN_free(b);
- BN_free(c);
- BN_free(res1);
- BN_CTX_free(bctx);
-}
-
-extern "C" int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size) {
- size_t len, l1, l2,l3;
- unsigned int divi1, divi2;
- unsigned char *a, *b, *c;
- struct big_results openssl_results= {"openssl",0,0,0,0};
- struct big_results gcrypt_results= {"libgcrypt",0,0,0,0};
-
- len = Size;
- if (len<5) return 0;
-
- divi1=Data[0];
- divi2=Data[1];
- divi1++;divi2++;
- l1 = (len-2)*divi1/256;
- l2 = (len-2-l1)*divi2/256;
- l3 = (len-2-l1-l2);
- assert(l1+l2+l3==len-2);
- //printf("div1 div2 %i %i\n", divi1, divi2);
- //printf("len l1 l2 l3 %i %i %i %i\n", (int)len,(int)l1,(int)l2,(int)l3);
- a=const_cast<unsigned char*>(Data)+2;
- b=const_cast<unsigned char*>(Data)+2+l1;
- c=const_cast<unsigned char*>(Data)+2+l1+l2;
-
-
- bntest(a, l1, b, l2, c, l3, &openssl_results);
- //printres(&openssl_results);
- if ((strcmp(openssl_results.a,"0")==0) || (strcmp(openssl_results.c,"0")==0)) goto END;
-
- gcrytest(a, l1, b, l2, c, l3, &gcrypt_results);
- //printres(&gcrypt_results);
-
- assert(strcmp(openssl_results.exptmod, gcrypt_results.exptmod)==0);
-
-END:
- freeres(&openssl_results);
- freeres(&gcrypt_results);
- return 0;
-}
+++ /dev/null
-#!/bin/bash
-set -x
-. $(dirname $0)/../common.sh
-rm -rf $CORPUS
-mkdir $CORPUS
-[ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -max_len=512 -jobs=$JOBS -workers=$JOBS $CORPUS
-grep 'Assertion `strcmp(openssl_results.exptmod, gcrypt_results.exptmod)==0. failed.' fuzz-0.log
+++ /dev/null
-#!/bin/bash
-. $(dirname $0)/../common.sh
-
-build_lib() {
- rm -rf BUILD
- cp -rf SRC BUILD
- (cd BUILD && make clean && CXX=clang++ CXXFLAGS="$FUZZ_CXXFLAGS" make -j)
-}
-
-get_git_revision https://github.com/google/re2.git 499ef7eff7455ce9c9fae86111d4a77b6ac335de SRC
-build_lib
-build_libfuzzer
-clang++ -g $SCRIPT_DIR/target.cc -I BUILD BUILD/obj/libre2.a libFuzzer.a $FUZZ_CXXFLAGS -o $EXECUTABLE_NAME_BASE
+++ /dev/null
-#include <string>
-#include "re2/re2.h"
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
- if (size < 3) return 0;
- uint16_t f = (data[0] << 16) + data[1];
- RE2::Options opt;
- opt.set_log_errors(false);
- if (f & 1) opt.set_encoding(RE2::Options::EncodingLatin1);
- opt.set_posix_syntax(f & 2);
- opt.set_longest_match(f & 4);
- opt.set_literal(f & 8);
- opt.set_never_nl(f & 16);
- opt.set_dot_nl(f & 32);
- opt.set_never_capture(f & 64);
- opt.set_case_sensitive(f & 128);
- opt.set_perl_classes(f & 256);
- opt.set_word_boundary(f & 512);
- opt.set_one_line(f & 1024);
- const char *b = reinterpret_cast<const char*>(data) + 2;
- const char *e = reinterpret_cast<const char*>(data) + size;
- std::string s1(b, e);
- RE2 re(s1, opt);
- if (re.ok())
- RE2::FullMatch(s1, re);
- return 0;
-}
+++ /dev/null
-#!/bin/bash
-. $(dirname $0)/../common.sh
-set -x
-rm -rf $CORPUS
-mkdir $CORPUS
-[ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -exit_on_src_pos=re2/dfa.cc:474 -exit_on_src_pos=re2/dfa.cc:474 -runs=1000000 -jobs=$JOBS -workers=$JOBS $CORPUS
-grep "INFO: found line matching 're2/dfa.cc:474', exiting." fuzz-0.log