Posted to commits@subversion.apache.org by ph...@apache.org on 2017/06/09 00:29:39 UTC

svn commit: r1798156 - in /subversion/trunk: build.conf subversion/tests/afl/ subversion/tests/afl/README subversion/tests/afl/afl-x509-testcase/ subversion/tests/afl/afl-x509-testcase/test1 subversion/tests/afl/afl-x509.c

Author: philip
Date: Fri Jun  9 00:29:38 2017
New Revision: 1798156

URL: http://svn.apache.org/viewvc?rev=1798156&view=rev
Log:
Add an American Fuzzy Lop fuzzer test for the x509 parser.  This is
not part of the main regression tests and needs to be run manually,
see README for details.  One SEGV found so far (to be fixed in an
upcoming commit).

* build.conf (afl-x509): New.

* subversion/tests/afl: New.

* subversion/tests/afl/README: New.

* subversion/tests/afl/afl-x509-testcase: New.

* subversion/tests/afl/afl-x509-testcase/test1: New.

* subversion/tests/afl/afl-x509.c: New.

Added:
    subversion/trunk/subversion/tests/afl/   (with props)
    subversion/trunk/subversion/tests/afl/README   (with props)
    subversion/trunk/subversion/tests/afl/afl-x509-testcase/
    subversion/trunk/subversion/tests/afl/afl-x509-testcase/test1   (with props)
    subversion/trunk/subversion/tests/afl/afl-x509.c   (with props)
Modified:
    subversion/trunk/build.conf

Modified: subversion/trunk/build.conf
URL: http://svn.apache.org/viewvc/subversion/trunk/build.conf?rev=1798156&r1=1798155&r2=1798156&view=diff
==============================================================================
--- subversion/trunk/build.conf (original)
+++ subversion/trunk/build.conf Fri Jun  9 00:29:38 2017
@@ -1714,3 +1714,11 @@ type = exe
 path = tools/client-side/svnconflict
 install = tools
 libs = libsvn_client libsvn_wc libsvn_ra libsvn_subr apriconv apr
+
+[afl-x509]
+description = AFL fuzzer for x509 parser
+type = exe
+path = subversion/tests/afl
+sources = afl-x509.c
+install = test
+libs = libsvn_subr apr

Propchange: subversion/trunk/subversion/tests/afl/
------------------------------------------------------------------------------
--- svn:ignore (added)
+++ svn:ignore Fri Jun  9 00:29:38 2017
@@ -0,0 +1,3 @@
+*.lo
+.libs
+afl-x509

Added: subversion/trunk/subversion/tests/afl/README
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/tests/afl/README?rev=1798156&view=auto
==============================================================================
--- subversion/trunk/subversion/tests/afl/README (added)
+++ subversion/trunk/subversion/tests/afl/README Fri Jun  9 00:29:38 2017
@@ -0,0 +1,31 @@
+American Fuzzy Lop (AFL) is available from all good distros, or from
+the upstream site: http://lcamtuf.coredump.cx/afl/
+
+Configure to build the instumented binary:
+
+  CC=afl-gcc ../src/configure --disable-shared --enable-static
+
+Build the binary:
+
+   make clean
+   make afl-x509
+
+Run the fuzzer (you may need root to change the CPU governor):
+
+   mkdir afl-findings
+   afl-fuzz -i ../src/subversion/tests/afl/afl-x509-testcase \
+            -o afl-findings -M fuzzer01 \
+            subversion/tests/afl/afl-x509
+   afl-fuzz -i ../src/subversion/tests/afl/afl-x509-testcase \
+            -o afl-findings -S fuzzer02 \
+            subversion/tests/afl/afl-x509
+   afl-fuzz -i ../src/subversion/tests/afl/afl-x509-testcase \
+            -o afl-findings -S fuzzer03 \
+            subversion/tests/afl/afl-x509
+
+Wait, burning CPU...
+
+Testcases that cause SEGVs are easier to debug using a separate build
+without AFL instrumentation:
+
+   gdb --args subversion/tests/afl/afl-x509 afl-findings/fuzzer01/crashes/some-test-case

Propchange: subversion/trunk/subversion/tests/afl/README
------------------------------------------------------------------------------
    svn:eol-style = native

Added: subversion/trunk/subversion/tests/afl/afl-x509-testcase/test1
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/tests/afl/afl-x509-testcase/test1?rev=1798156&view=auto
==============================================================================
Binary file - no diff available.

Propchange: subversion/trunk/subversion/tests/afl/afl-x509-testcase/test1
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: subversion/trunk/subversion/tests/afl/afl-x509.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/tests/afl/afl-x509.c?rev=1798156&view=auto
==============================================================================
--- subversion/trunk/subversion/tests/afl/afl-x509.c (added)
+++ subversion/trunk/subversion/tests/afl/afl-x509.c Fri Jun  9 00:29:38 2017
@@ -0,0 +1,75 @@
+/*
+ * afl-x509.c an American Fuzz Lop test
+ *
+ * ====================================================================
+ *    Licensed to the Apache Software Foundation (ASF) under one
+ *    or more contributor license agreements.  See the NOTICE file
+ *    distributed with this work for additional information
+ *    regarding copyright ownership.  The ASF licenses this file
+ *    to you under the Apache License, Version 2.0 (the
+ *    "License"); you may not use this file except in compliance
+ *    with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing,
+ *    software distributed under the License is distributed on an
+ *    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *    KIND, either express or implied.  See the License for the
+ *    specific language governing permissions and limitations
+ *    under the License.
+ * ====================================================================
+ *
+ */
+
+/*  The input data can either be a file on disk or provided via stdin:
+
+       afl-x509 some-file
+       afl-x509 < some-file
+
+    In practice the file simply contains random binary data. The data
+    are interpreted as a (base64 decoded) x509 cert and a parse is
+    attempted. */
+
+#include "svn_x509.h"
+#include "svn_cmdline.h"
+#include "svn_pools.h"
+#include "svn_io.h"
+
+#include <stdlib.h>
+
+static svn_error_t *
+parse(const char *filename, apr_pool_t *pool)
+{
+  svn_stringbuf_t *buf;
+  svn_x509_certinfo_t *certinfo;
+
+  SVN_ERR(svn_stringbuf_from_file2(&buf, filename, pool));
+  SVN_ERR(svn_x509_parse_cert(&certinfo, buf->data, buf->len, pool, pool));
+
+  return SVN_NO_ERROR;
+}
+
+int main(int argc, char **argv)
+{
+  apr_pool_t *pool;
+  int exit_code = EXIT_SUCCESS;
+  svn_error_t *err;
+  const char *filename;
+
+  if (argc == 2)
+    filename = argv[1];
+  else
+    filename = "-";
+
+  if (svn_cmdline_init("afl-x509", stderr) != EXIT_SUCCESS)
+    return EXIT_FAILURE;
+  pool = apr_allocator_owner_get(svn_pool_create_allocator(FALSE));
+
+  err = parse(filename, pool);
+  if (err)
+    exit_code = EXIT_FAILURE;
+  svn_error_clear(err);
+  svn_pool_destroy(pool);
+  return exit_code;
+}
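Review bot: A parse failure is swallowed silently at `svn_error_clear(err)` in main — the harness exits with EXIT_FAILURE but never reports why, so when reproducing a finding under gdb (as the README suggests) a genuine parser rejection is indistinguishable from a truncated or misread input; consider `svn_handle_error2(err, stderr, FALSE, "afl-x509: ");` before clearing it, since afl-fuzz keys on signals rather than exit status and the extra stderr line costs nothing. For the same reason, out-of-bounds reads in `svn_x509_parse_cert` that do not actually fault will go unreported by this harness unless the instrumented build also enables AddressSanitizer (e.g. `AFL_USE_ASAN=1` when configuring); the README in this commit only shows `CC=afl-gcc`, so a reader may assume the plain build catches memory-safety bugs. Finally, `if (argc == 2)` falls through to stdin for any other argument count, so `afl-x509 a b` silently blocks on a terminal; rejecting `argc > 2` with a short usage message on stderr would be clearer.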

Propchange: subversion/trunk/subversion/tests/afl/afl-x509.c
------------------------------------------------------------------------------
    svn:eol-style = native