fuzz: add libFuzzer harness suite for SCAP parsing#2365
Conversation
Five harnesses (scap_parse, xccdf_policy, validate, arf, xccdf_tailoring), a parallel driver script (run-all.sh), a cleaned-up README, and 27 curated regression inputs — one per bug found during the fuzzing campaign. Reproducers are minimized to the smallest document that faithfully triggers each bug: 12–545 bytes, hand-crafted or auto-minimized via libFuzzer's -minimize_crash where the multi-bug branch didn't cause drift. Includes ENABLE_FUZZING CMake option that instruments the library with -fsanitize=fuzzer-no-link,address,undefined (Clang only).
Mab879
left a comment
Thanks for the PR, just one minor finding.
```sh
export UBSAN_OPTIONS="halt_on_error=0:print_stacktrace=1:${UBSAN_OPTIONS:-}"

PIDS=()
cleanup() { echo; echo "[run-all] stopping…"; kill "${PIDS[@]}" 2>/dev/null; }
```
Please add return statement to this function.
Extends the SCAP harness suite (OpenSCAP#2365) to the parsers that OVAL probes run over data collected from the scanned host, rather than the SCAP XML configuration. Each harness #includes the probe's .c and drives its static parser directly (same approach as tests/probes/xinetd).

- New harnesses: xinetd (xiconf_parse), routingtable (process_line_ip4/ip6), shadow (parse_enc_mth), textfilecontent54 and textfilecontent (process_file), inetlisteningservers (read_tcp/udp/raw) and iflisteners (read_packet).
- probe_fuzz_common.h: shared helpers (per-PID /dev/shm temp file for path-based parsers, cstr buffer helper, fresh icache per input).
- cov_driver.c: single-process corpus replay for llvm-cov runs.
- CMakeLists.txt: add_fuzzer_probe()/add_fuzzer_probe_full(), guarded by ENABLE_PROBES; README.md and run-all.sh register the probe harnesses.
- iflisteners_probe.c: read_packet() takes the /proc/net/packet path as a parameter so the harness can feed a temp file (mirrors read_tcp in inetlisteningservers); probe_main passes the real path. No behavior change in production.
- Seed corpora under fuzz/corpus_probe_<name>/.
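As an added example (not code from this PR or from OpenSCAP): a libFuzzer harness in the style the description above lays out, with the two helpers it names, a per-PID temp file under /dev/shm for path-based parsers and a NUL-terminated copy of the input for string parsers. `example_parse_file()` is a hypothetical stand-in for a probe's static parser, and `fuzz_cstr()`, `fuzz_tmpfile()` and `harness_replay()` are assumed names, not the contents of probe_fuzz_common.h. The fall-back to /tmp and the `O_NOFOLLOW` flag are additions of this example, not something the PR states.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical stand-in for a path-based probe parser (the real harnesses
 * #include the probe's .c and call its static parser): counts well-formed
 * "key=value" lines, returns -1 if the file cannot be opened. Lines longer
 * than 255 bytes are split by fgets(); that is deliberate simplicity. */
int example_parse_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    char line[256];
    int records = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        char *eq = strchr(line, '=');
        /* a record needs a non-empty key and a non-empty value */
        if (eq != NULL && eq != line && eq[1] != '\0' && eq[1] != '\n')
            records++;
    }
    fclose(f);
    return records;
}

/* libFuzzer hands the harness a (data, size) pair that is NOT NUL-terminated.
 * A string parser needs a terminated copy; without it ASan reports reads past
 * the buffer that are the harness's fault, not the parser's. */
char *fuzz_cstr(const uint8_t *data, size_t size)
{
    char *s = malloc(size + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, data, size);
    s[size] = '\0';
    return s;
}

/* Stage the input in a per-PID file so parsers that take a path can be fed.
 * /dev/shm keeps it in RAM; fall back to /tmp where /dev/shm is absent
 * (example's assumption, e.g. minimal containers). One path per PID is safe:
 * libFuzzer runs one input at a time, and parallel workers are separate PIDs.
 * O_NOFOLLOW refuses to write through a symlink planted in a shared /tmp;
 * O_TRUNC discards a stale file left by an earlier process with this PID. */
int fuzz_tmpfile(const uint8_t *data, size_t size, char *path, size_t pathlen)
{
    static const char *const dirs[] = { "/dev/shm", "/tmp" };
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        snprintf(path, pathlen, "%s/probe_fuzz_%ld", dirs[i], (long)getpid());
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
        if (fd < 0)
            continue;
        size_t done = 0;
        while (done < size) {
            ssize_t w = write(fd, data + done, size - done);
            if (w <= 0) {
                close(fd);
                unlink(path);
                return -1;
            }
            done += (size_t)w;
        }
        close(fd);
        return 0;
    }
    return -1;
}

/* Entry point libFuzzer (or a cov_driver-style replay loop) calls per input.
 * The parser's return value does not matter here: ASan/UBSan abort on a bug,
 * and that abort is what libFuzzer records. The harness must return 0. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char path[64];
    if (fuzz_tmpfile(data, size, path, sizeof path) != 0)
        return 0; /* could not stage the input; skip it rather than crash */
    (void)example_parse_file(path);
    unlink(path);
    return 0;
}

/* Same staging as the harness, but exposes the parser's result so a
 * regression input's behaviour can be checked outside the fuzzer. */
int harness_replay(const uint8_t *data, size_t size)
{
    char path[64];
    if (fuzz_tmpfile(data, size, path, sizeof path) != 0)
        return -1;
    int result = example_parse_file(path);
    unlink(path);
    return result;
}
```

Built with `clang -g -fsanitize=fuzzer,address,undefined harness.c -o harness`, `./harness corpus/` fuzzes the stand-in parser, and `./harness -minimize_crash=1 crash-file` is the minimization step the PR description mentions. Because staging failure makes the harness return 0 instead of aborting, a missing /dev/shm shows up as low coverage rather than as a spurious crash, which is the behaviour you want in a 24-hour unattended run.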
Thanks for the review @Mab879! Sorry for dumping all these on you, I definitely understand it's a lot to review 😓 I'll address your feedback on the return function early next week. Thanks a lot, again, for your time.



(more context in #2361)
This is the last, sort of "extra" PR of the series 😅.
Sorry if it's larger than the other ones, but it contains all the fuzz tests, with the minified reproducers, build steps, readme...
I've validated that the reproducers are finding the expected bugs (because this branch doesn't contain the fixes, minifying the inputs caused them to trigger other bugs, most notably the null pointer derefs).
I'm not exactly sure if or how you want to keep these as is, but this is what discovered the ~30 bugs.
I've put some instructions in the readme on how to:
These fuzzers ran for 24h on a dedicated machine (with 4 cores each, I believe) and reported 0 new findings.
There are likely some improvements to be made to increase their coverage, and to increase the number of fuzz tests as well.
This PR does not introduce any CI-level integration, but if interested, it may be possible for you to use OSS-Fuzz infrastructure to run these for you.