From 1f078cb3c6b539ee8cf3b82fb6297af6826358fc Mon Sep 17 00:00:00 2001
From: Arjun <36335769+0x34d@users.noreply.github.com>
Date: Fri, 5 May 2023 13:50:11 +0530
Subject: [PATCH] [Fuzzing] oss-fuzz support for fuzzing (#2283)
* [Fuzzing] oss-fuzz support for fuzzing
Signed-off-by: Arjun Singh
* [Fuzzing] fix error 2284
Signed-off-by: Arjun Singh
---------
Signed-off-by: Arjun Singh
---
 meson.build | 5 ++
 meson_options.txt | 2 +
 tests/fuzzing/fuzzing.h | 34 ++++++++++
 tests/fuzzing/gtp-message-fuzz.c | 58 ++++++++++++++++++
 .../fuzzing/gtp_message_fuzz_seed_corpus.zip | Bin 0 -> 677 bytes
 tests/fuzzing/meson.build | 41 +++++++++++++
 tests/fuzzing/nas-message-fuzz.c | 57 +++++++++++++++++
 .../fuzzing/nas_message_fuzz_seed_corpus.zip | Bin 0 -> 1192 bytes
 8 files changed, 197 insertions(+)
 create mode 100644 meson_options.txt
 create mode 100644 tests/fuzzing/fuzzing.h
 create mode 100644 tests/fuzzing/gtp-message-fuzz.c
 create mode 100644 tests/fuzzing/gtp_message_fuzz_seed_corpus.zip
 create mode 100644 tests/fuzzing/meson.build
 create mode 100644 tests/fuzzing/nas-message-fuzz.c
 create mode 100644 tests/fuzzing/nas_message_fuzz_seed_corpus.zip
diff --git a/meson.build b/meson.build
index e37c00305..fa21c03b4 100644
--- a/meson.build
+++ b/meson.build
@@ -131,6 +131,11 @@ if build_tests
 subdir('tests')
 endif
+# Check if the 'fuzzing' option is defined
+if get_option('fuzzing')
+ subdir('tests/fuzzing')
+endif
+
 message('\n'.join([
 '',
 ' prefix: ' + prefix,
diff --git a/meson_options.txt b/meson_options.txt
new file mode 100644
index 000000000..2acd9beab
--- /dev/null
+++ b/meson_options.txt
@@ -0,0 +1,2 @@
+option('fuzzing', type: 'boolean', value: false, description: 'Enable fuzzing tests')
+option('lib_fuzzing_engine', type : 'string', value : '', description : 'Path to the libFuzzer engine library')
diff --git a/tests/fuzzing/fuzzing.h b/tests/fuzzing/fuzzing.h
new file mode 100644
index 000000000..cf6ee9d4f
--- /dev/null
+++ b/tests/fuzzing/fuzzing.h
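Review bot: The comment `# Check if the 'fuzzing' option is defined` above the new `if get_option('fuzzing')` block is misleading: an option declared in meson_options.txt is always defined, and what the block tests is whether it is enabled; `# Build the fuzzing harnesses under tests/fuzzing when -Dfuzzing=true` says what it does. The new subdir is entered independently of `build_tests`, while tests/fuzzing/meson.build later in this patch references `testunit_core_cc_flags` and `sbi_cc_flags`; if either of those is assigned inside tests/meson.build rather than at top level (their definitions are not visible here), configuring with fuzzing enabled and tests disabled would fail on an undefined variable. Either hoist those assignments or make the fuzzing subdir depend on both options.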
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2019-2023 by Sukchan Lee
+ *
+ * This file is part of Open5GS.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+#include "ogs-core.h"
+#include "core/abts.h"
+
+static int initialized = 0;
+
+void initialize(void) {
+
+ ogs_pkbuf_config_t config;
+
+ ogs_core_initialize();
+
+ ogs_pkbuf_default_init(&config);
+ ogs_pkbuf_default_create(&config);
+
+ initialized = 1;
+}
diff --git a/tests/fuzzing/gtp-message-fuzz.c b/tests/fuzzing/gtp-message-fuzz.c
new file mode 100644
index 000000000..38f6c0272
--- /dev/null
+++ b/tests/fuzzing/gtp-message-fuzz.c
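Review bot: `void initialize(void)` is defined, not just declared, in a header and has external linkage, and the header carries no include guard; each harness is its own executable so it links today, but any second translation unit including fuzzing.h would hit a duplicate-symbol error, and a name as generic as `initialize` can collide with a library symbol. `static void initialize(void) {` (matching the already-static `initialized`) plus a `#ifndef FUZZING_H` / `#define FUZZING_H` / `#endif` guard fixes both. `#include "core/abts.h"` appears unused in this file — nothing here references the abts test framework — so it can likely be dropped along with the dependency it pulls in.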
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2019-2023 by Sukchan Lee
+ *
+ * This file is part of Open5GS.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include 
+#include 
+
+#include "fuzzing.h"
+#include "ogs-gtp.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
+{ /* open5gs/tests/unit/gtp-message-test.c */
+
+ if (Size < kMinInputLength || Size > kMaxInputLength) {
+ return 1;
+ }
+
+ if (!initialized) {
+ initialize();
+ ogs_log_install_domain(&__ogs_gtp_domain, "gtp", OGS_LOG_NONE);
+ ogs_log_install_domain(&__ogs_tlv_domain, "tlv", OGS_LOG_NONE);
+ }
+
+ int result;
+ ogs_pkbuf_t *pkbuf;
+ ogs_gtp2_create_session_request_t req;
+
+ pkbuf = ogs_pkbuf_alloc(NULL, OGS_MAX_SDU_LEN);
+ if (pkbuf == NULL) {
+ return 1;
+ }
+
+ ogs_pkbuf_put_data(pkbuf, Data, Size);
+
+ ogs_tlv_parse_msg(&req, &ogs_gtp2_tlv_desc_create_session_request, pkbuf, OGS_TLV_MODE_T1_L2_I1);
+
+ ogs_pkbuf_free(pkbuf);
+
+ return 0;
+}
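Review bot: `int result;` is declared but never assigned or read while the return value of `ogs_tlv_parse_msg(...)` is dropped, so the build emits an unused-variable warning and the harness cannot distinguish a rejected input from a parsed one; either delete the declaration or write `result = ogs_tlv_parse_msg(&req, &ogs_gtp2_tlv_desc_create_session_request, pkbuf, OGS_TLV_MODE_T1_L2_I1);` and act on it. The `return 1;` on the size filter and on allocation failure — the same lines in nas-message-fuzz.c, and that file's final `return result;` — depart from libFuzzer's contract that LLVMFuzzerTestOneInput returns 0: non-zero is reserved, and recent libFuzzer versions read -1 as "do not add this input to the corpus", which would keep precisely the malformed inputs that matter out of it, so `return 0;` is the safe value in all of these places. `req` is handed to the parser uninitialized; whether `ogs_tlv_parse_msg` zeroes it first is not visible here, so a `memset(&req, 0, sizeof req);` before the call keeps each run independent of leftover stack contents.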
diff --git a/tests/fuzzing/gtp_message_fuzz_seed_corpus.zip b/tests/fuzzing/gtp_message_fuzz_seed_corpus.zip new file mode 100644 index 0000000000000000000000000000000000000000..1ddaad2759a347e4945e5b2d242beff1cca11ef5 GIT binary patch literal 677 zcmWIWW@Zs#0D(o-i^9MRC?U(Bz>r>25TBb`T%4Gm8lP5LRTW>Hnwk=yoL^K>TC5)$ z!pp$^@?Jm+43}1LGcdBeU}j(d69HhOIT$z?YLJZn#>l{6NXTfQy}D3)bwO6@6(yE~ zty==L4unBgqFI-m@*sgj)KtJEQQ*g;!v~HTEHzlsbMT_HhSZ!D2MjhYYE|rMobIUf zMSF3B(1e79Ij1Gg95};}!e(e-w4v3wz^KI3z+g*(@wCc+%WCw z^C?S=o-dW&_~hBrX&atCQvy{Z1SyQVPXjIX6FdVn7rXMFe*Ud72wUtB*Kh4nqblP))B;_Fw!7a!J-Y> i8K7u`fhCR6gsdVb5(B(h*+5n>0pTkky%gws1_l7P$<*Kg literal 0 HcmV?d00001 diff --git a/tests/fuzzing/meson.build b/tests/fuzzing/meson.build new file mode 100644 index 000000000..325570209 --- /dev/null +++ b/tests/fuzzing/meson.build 
@@ -0,0 +1,41 @@
+# Copyright (C) 2019 by Sukchan Lee
+
+# This file is part of Open5GS.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
+# Get the lib_fuzzing_engine build option.
+lib_fuzzing_engine = get_option('lib_fuzzing_engine')
+
+# All fuzzer sources.
+gtp_message_source = files('gtp-message-fuzz.c')
+nas_message_source = files('nas-message-fuzz.c')
+
+# Build all executable
+executable(
+ 'gtp_message_fuzz',
+ sources : gtp_message_source,
+ c_args : [testunit_core_cc_flags, sbi_cc_flags],
+ dependencies : [libgtp_dep],
+ link_args: lib_fuzzing_engine
+)
+
+executable(
+ 'nas_message_fuzz',
+ sources : nas_message_source,
+ c_args : [testunit_core_cc_flags, sbi_cc_flags],
+ dependencies : [libnas_eps_dep],
+ link_args: lib_fuzzing_engine
+)
diff --git a/tests/fuzzing/nas-message-fuzz.c b/tests/fuzzing/nas-message-fuzz.c
new file mode 100644
index 000000000..58fcc4d40
--- /dev/null
+++ b/tests/fuzzing/nas-message-fuzz.c
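Review bot: Both `link_args: lib_fuzzing_engine` lines pass the raw option value, and the option defaults to '' in meson_options.txt, so a plain `-Dfuzzing=true` configure builds two executables that define no main and most likely hands the linker an empty argument; the failure surfaces late, at link time, with no hint that the engine path is missing. A check right after `lib_fuzzing_engine = get_option('lib_fuzzing_engine')` — `if lib_fuzzing_engine == ''` / `error('-Dlib_fuzzing_engine is required when -Dfuzzing=true')` / `endif` — reports the misconfiguration at configure time instead. The comment `# Build all executable` would read better as `# Build one libFuzzer executable per harness`.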
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2019-2023 by Sukchan Lee
+ *
+ * This file is part of Open5GS.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include 
+#include 
+
+#include "fuzzing.h"
+#include "ogs-nas-eps.h"
+
+#define kMinInputLength 5
+#define kMaxInputLength 1024
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
+{ /* open5gs/tests/unit/nas-message-test.c */
+
+ if (Size < kMinInputLength || Size > kMaxInputLength) {
+ return 1;
+ }
+
+ if (!initialized) {
+ initialize();
+ ogs_log_install_domain(&__ogs_nas_domain, "nas", OGS_LOG_NONE);
+ }
+
+ int result;
+ ogs_pkbuf_t *pkbuf;
+ ogs_nas_eps_message_t message;
+
+ pkbuf = ogs_pkbuf_alloc(NULL, OGS_MAX_SDU_LEN);
+ if (pkbuf == NULL) {
+ return 1;
+ }
+
+ ogs_pkbuf_put_data(pkbuf, Data, Size);
+
+ result = ogs_nas_emm_decode(&message, pkbuf);
+
+ ogs_pkbuf_free(pkbuf);
+
+ return result;
+}
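Review bot: The harness only ever calls `ogs_nas_emm_decode`, so ESM PDUs never reach `ogs_nas_esm_decode` and roughly half of the EPS NAS decoder is outside the fuzzed surface; a dispatch on the protocol discriminator carried in the first input byte, choosing between the two decoders, would cover both at no extra cost and is worth a follow-up. `message` is passed to the decoder uninitialized; whether `ogs_nas_emm_decode` zeroes it before writing is not visible here, so `memset(&message, 0, sizeof message);` before the call keeps each run reproducible regardless of stack contents. The return-value convention for this function is raised on the gtp-message-fuzz.c hunk and applies to `return result;` here as well.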
diff --git a/tests/fuzzing/nas_message_fuzz_seed_corpus.zip b/tests/fuzzing/nas_message_fuzz_seed_corpus.zip new file mode 100644 index 0000000000000000000000000000000000000000..679bf804630b5c25ecde0589ff8d0499b842142f GIT binary patch literal 1192 zcmWIWW@Zs#0D)!Ii^9MRC?U(Bz>t?%9G{z7T%4Gm8lP5LRTW>Hnwk=yoL^K>TC5)$ z!pp$^@m@d*43}1LGcdBeU}j(d69HhOIT$z?+>ngU0vc~j$Y`Lwx=?#{L00M+>J=rH zgDtcLTIde76wSiq@{~vaj(rGhXzZLgv+<|o>vkqKHb%BEwTs+M;>`_@*rplA@U)%r zm!IJykiyp=A$I!2hX)GGmJAF5-s~Kzf>%SWfQ|z>5aIMlB&Y8n%jrgNrzZoQor%lo zNkM7J0zd68ADDDdqvNB3vbwr^TAXKAU|bfbw(@mnHoel9ZEUWLYHDnaZrhl(!wk%t zJ=x;K1Vj(~x!|tvB>!(KUH?T?BHR;fbGY-xW&sDsUTOI>+KFA9Q z&!r)GE`==58N)qS0rVIMgAxN;yl^MkoH%jvj{sc9U#U?z^@n%ASxvyI{=hEkRt-s0iQ{B Y08yzWz?+o~6wE9@_zq~r5+)E203fktRR910 literal 0 HcmV?d00001