1 /* Fuzz testing for the nanopb core.
2 * Attempts to verify all the properties defined in the security model document.
3 *
4 * This program can run in three configurations:
5 * - Standalone fuzzer, generating its own inputs and testing against them.
6 * - Fuzzing target, reading input on stdin.
7 * - LLVM libFuzzer target, taking input as a function argument.
8 */
9
#include <pb_decode.h>
#include <pb_encode.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <assert.h>
#include <malloc_wrappers.h>
#include "random_data.h"
#include "validation.h"
#include "flakystream.h"
#include "test_helpers.h"
#include "alltypes_static.pb.h"
#include "alltypes_pointer.pb.h"
#include "alltypes_callback.pb.h"
#include "alltypes_proto3_static.pb.h"
#include "alltypes_proto3_pointer.pb.h"
26
27 /* Longer buffer size allows hitting more branches, but lowers performance. */
28 #ifndef FUZZTEST_BUFSIZE
29 #define FUZZTEST_BUFSIZE 256*1024
30 #endif
31 #ifndef FUZZTEST_MAX_STANDALONE_BUFSIZE
32 #define FUZZTEST_MAX_STANDALONE_BUFSIZE 16384
33 #endif
/* Size of the working buffers used for decoding and re-encoding.
 * main() lowers this to FUZZTEST_MAX_STANDALONE_BUFSIZE when running in
 * stand-alone mode; libFuzzer inputs larger than this are rejected. */
static size_t g_bufsize = FUZZTEST_BUFSIZE;
35
36 /* Focusing on a single test case at a time improves fuzzing performance.
37 * If no test case is specified, enable all tests.
38 */
39 #if !defined(FUZZTEST_PROTO2_STATIC) && \
40 !defined(FUZZTEST_PROTO3_STATIC) && \
41 !defined(FUZZTEST_PROTO2_POINTER) && \
42 !defined(FUZZTEST_PROTO3_POINTER) && \
43 !defined(FUZZTEST_IO_ERRORS)
44 #define FUZZTEST_PROTO2_STATIC
45 #define FUZZTEST_PROTO3_STATIC
46 #define FUZZTEST_PROTO2_POINTER
47 #define FUZZTEST_PROTO3_POINTER
48 #define FUZZTEST_IO_ERRORS
49 #endif
50
/* Cheap xorshift-style mixing checksum over `len` bytes at `data`.
 * Used only to compare two encodings of the same message for equality;
 * it is not a cryptographic hash. Returns the seed value 1234 for len == 0. */
static uint32_t xor32_checksum(const void *data, size_t len)
{
    const uint8_t *bytes = (const uint8_t*)data;
    uint32_t h = 1234;
    size_t i;

    for (i = 0; i < len; i++)
    {
        /* Mix the running state before folding in the next byte. */
        h ^= h << 13;
        h ^= h >> 17;
        h ^= h << 5;
        h += bytes[i];
    }

    return h;
}
64
/* Decode `msglen` bytes of `buffer` into a freshly zeroed struct of
 * `structsize` bytes described by `msgtype`, using pb_decode_ex() with `flags`.
 * For the two proto2 AllTypes variants an extension field is attached first so
 * extension decoding is exercised too. A successful decode is passed to
 * validate_message(); when `assert_success` is set a failed decode is reported
 * on stderr and aborts via assert(). The message is always released and freed,
 * and the allocation count must be back to its starting value on return.
 * Returns the decode status. */
static bool do_decode(const uint8_t *buffer, size_t msglen, size_t structsize, const pb_msgdesc_t *msgtype, unsigned flags, bool assert_success)
{
    size_t allocs_before = get_alloc_count();
    /* Not used for data: allocated only so the allocation count matches do_roundtrips(). */
    uint8_t *scratch = malloc_with_check(g_bufsize);
    void *msg = malloc_with_check(structsize);
    alltypes_static_TestExtension extmsg = alltypes_static_TestExtension_init_zero;
    pb_extension_t ext = pb_extension_init_zero;
    pb_istream_t stream;
    bool ok;

    assert(msg);
    memset(msg, 0, structsize);

    ext.type = &alltypes_static_TestExtension_testextension;
    ext.dest = &extmsg;
    ext.next = NULL;

    /* Only the proto2 variants carry an extensions field. */
    if (msgtype == alltypes_static_AllTypes_fields)
        ((alltypes_static_AllTypes*)msg)->extensions = &ext;
    else if (msgtype == alltypes_pointer_AllTypes_fields)
        ((alltypes_pointer_AllTypes*)msg)->extensions = &ext;

    stream = pb_istream_from_buffer(buffer, msglen);
    ok = pb_decode_ex(&stream, msgtype, msg, flags);
    if (ok)
        validate_message(msg, structsize, msgtype);

    if (assert_success && !ok)
    {
        fprintf(stderr, "pb_decode: %s\n", PB_GET_ERROR(&stream));
        assert(ok);
    }

    pb_release(msgtype, msg);
    free_with_check(msg);
    free_with_check(scratch);
    assert(get_alloc_count() == allocs_before);

    return ok;
}
111
/* Decode `buffer` through a flakystream configured to start failing after
 * `fail_after` bytes (callers pass SIZE_MAX when no failure should be
 * injected), into a zeroed struct of `structsize` bytes described by
 * `msgtype`. A successful decode is passed to validate_message(); with
 * `assert_success` a failure is reported on stderr and aborts via assert().
 * The message is always released and freed, and the allocation count must be
 * back to its starting value on return. Returns the decode status. */
static bool do_stream_decode(const uint8_t *buffer, size_t msglen, size_t fail_after, size_t structsize, const pb_msgdesc_t *msgtype, bool assert_success)
{
    size_t allocs_before = get_alloc_count();
    void *msg = malloc_with_check(structsize);
    flakystream_t flaky;
    bool ok;

    assert(msg);
    memset(msg, 0, structsize);

    flakystream_init(&flaky, buffer, msglen, fail_after);
    ok = pb_decode(&flaky.stream, msgtype, msg);
    if (ok)
        validate_message(msg, structsize, msgtype);

    if (assert_success && !ok)
    {
        fprintf(stderr, "pb_decode: %s\n", PB_GET_ERROR(&flaky.stream));
        assert(ok);
    }

    pb_release(msgtype, msg);
    free_with_check(msg);
    assert(get_alloc_count() == allocs_before);

    return ok;
}
141
/* Address used as the callback `arg` marker: the decode callbacks below
 * assert that the decoder hands exactly this pointer back to them. */
static int g_sentinel;
143
/* Decode callback for scalar/repeated fields: checks the decoder passed a
 * live stream, a field descriptor and the sentinel arg unchanged, then
 * consumes everything left in the (sub)stream with a NULL destination.
 * Returns the pb_read status. */
static bool field_callback(pb_istream_t *stream, const pb_field_t *field, void **arg)
{
    size_t remaining;

    assert(stream);
    assert(field);
    assert(*arg == &g_sentinel);

    remaining = stream->bytes_left;
    return pb_read(stream, NULL, remaining);
}
151
/* Decode callback for the oneof submessage field: only verifies the
 * decoder's arguments (stream, field, sentinel arg) and reports success
 * without consuming any input. */
static bool submsg_callback(pb_istream_t *stream, const pb_field_t *field, void **arg)
{
    assert(stream != NULL);
    assert(field != NULL);
    assert(*arg == &g_sentinel);
    return true;
}
159
/* Point one callback field at `fn`, tagging it with g_sentinel so the
 * callback can verify the arg pointer round-trips through the decoder. */
static void bind_decode_callback(pb_callback_t *cb, bool (*fn)(pb_istream_t *, const pb_field_t *, void **))
{
    cb->funcs.decode = fn;
    cb->arg = &g_sentinel;
}

/* Decode `buffer` into the callback variant of AllTypes with a handful of
 * fields routed through field_callback()/submsg_callback(). With
 * `assert_success` a failed decode is reported on stderr and aborts via
 * assert(). The message is always released and freed, and the allocation
 * count must be back to its starting value on return. Returns the decode
 * status. */
bool do_callback_decode(const uint8_t *buffer, size_t msglen, bool assert_success)
{
    size_t allocs_before = get_alloc_count();
    alltypes_callback_AllTypes *msg = malloc_with_check(sizeof(*msg));
    pb_istream_t stream;
    bool ok;

    assert(msg);
    memset(msg, 0, sizeof(*msg));
    stream = pb_istream_from_buffer(buffer, msglen);

    bind_decode_callback(&msg->rep_int32, &field_callback);
    bind_decode_callback(&msg->rep_string, &field_callback);
    bind_decode_callback(&msg->rep_farray, &field_callback);
    bind_decode_callback(&msg->req_limits.int64_min, &field_callback);
    bind_decode_callback(&msg->cb_oneof, &submsg_callback);

    ok = pb_decode(&stream, alltypes_callback_AllTypes_fields, msg);

    if (assert_success && !ok)
    {
        fprintf(stderr, "pb_decode: %s\n", PB_GET_ERROR(&stream));
        assert(ok);
    }

    pb_release(alltypes_callback_AllTypes_fields, msg);
    free_with_check(msg);
    assert(get_alloc_count() == allocs_before);

    return ok;
}
196
/* Do a decode -> encode -> decode -> encode roundtrip.
 *
 * The input is expected to be a valid message: a decode failure is reported
 * on stderr and aborts via assert(). The first encode brings the message into
 * canonical form; that canonical form is then decoded and encoded once more
 * and must reproduce the same bytes (same length and xor32 checksum). The only
 * tolerated encode failure is "stream full" on the first re-encode, which
 * skips the remaining steps.
 *
 * buffer/msglen:      encoded input message
 * structsize/msgtype: size and descriptor of the C struct to decode into
 * Allocates a g_bufsize scratch buffer and the message struct; both are freed
 * before returning.
 */
void do_roundtrip(const uint8_t *buffer, size_t msglen, size_t structsize, const pb_msgdesc_t *msgtype)
{
    bool status;
    uint32_t checksum2, checksum3;
    size_t msglen2, msglen3;
    uint8_t *buf2 = malloc_with_check(g_bufsize);
    void *msg = malloc_with_check(structsize);

    /* For proto2 types, we also test extension fields */
    alltypes_static_TestExtension extmsg = alltypes_static_TestExtension_init_zero;
    pb_extension_t ext = pb_extension_init_zero;
    pb_extension_t **ext_field = NULL;
    ext.type = &alltypes_static_TestExtension_testextension;
    ext.dest = &extmsg;
    ext.next = NULL;

    assert(buf2 && msg);

    /* Only the two proto2 AllTypes variants have an extensions member; for the
     * other descriptors ext_field stays NULL and no extension is attached. */
    if (msgtype == alltypes_static_AllTypes_fields)
    {
        ext_field = &((alltypes_static_AllTypes*)msg)->extensions;
    }
    else if (msgtype == alltypes_pointer_AllTypes_fields)
    {
        ext_field = &((alltypes_pointer_AllTypes*)msg)->extensions;
    }

    /* Decode and encode the input data.
     * This will bring it into canonical format.
     */
    {
        pb_istream_t stream = pb_istream_from_buffer(buffer, msglen);
        memset(msg, 0, structsize);
        /* The memset above wiped the pointer, so re-attach the extension. */
        if (ext_field) *ext_field = &ext;
        status = pb_decode(&stream, msgtype, msg);
        if (!status) fprintf(stderr, "pb_decode: %s\n", PB_GET_ERROR(&stream));
        assert(status);

        validate_message(msg, structsize, msgtype);
    }

    {
        pb_ostream_t stream = pb_ostream_from_buffer(buf2, g_bufsize);
        status = pb_encode(&stream, msgtype, msg);

        /* Some messages expand when re-encoding and might no longer fit
         * in the buffer. */
        if (!status && strcmp(PB_GET_ERROR(&stream), "stream full") != 0)
        {
            fprintf(stderr, "pb_encode: %s\n", PB_GET_ERROR(&stream));
            assert(status);
        }

        /* Recorded even on "stream full"; the comparison below is skipped then. */
        msglen2 = stream.bytes_written;
        checksum2 = xor32_checksum(buf2, msglen2);
    }

    /* Release any dynamically allocated fields before the struct is reused. */
    pb_release(msgtype, msg);

    /* Then decode from canonical format and re-encode. Result should remain the same. */
    if (status)
    {
        pb_istream_t stream = pb_istream_from_buffer(buf2, msglen2);
        memset(msg, 0, structsize);
        if (ext_field) *ext_field = &ext;
        status = pb_decode(&stream, msgtype, msg);
        if (!status) fprintf(stderr, "pb_decode: %s\n", PB_GET_ERROR(&stream));
        assert(status);

        validate_message(msg, structsize, msgtype);
    }

    if (status)
    {
        pb_ostream_t stream = pb_ostream_from_buffer(buf2, g_bufsize);
        status = pb_encode(&stream, msgtype, msg);
        if (!status) fprintf(stderr, "pb_encode: %s\n", PB_GET_ERROR(&stream));
        assert(status);
        /* msglen3/checksum3 are only assigned and compared on this path. */
        msglen3 = stream.bytes_written;
        checksum3 = xor32_checksum(buf2, msglen3);

        assert(msglen2 == msglen3);
        assert(checksum2 == checksum3);
    }

    pb_release(msgtype, msg);
    free_with_check(msg);
    free_with_check(buf2);
}
287
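/* Run all enabled test cases for a given input.
 *
 * data/size:    candidate encoded message (arbitrary bytes from the fuzzer)
 * expect_valid: true when the caller produced a well-formed message, so the
 *               plain decode of every enabled variant must succeed (passed
 *               through as do_decode's assert_success)
 *
 * For each enabled message variant the input is decoded; if that succeeds it
 * is also roundtripped, decoded through a flaky stream with no injected
 * failure and (proto2 static only) decoded with callbacks. With
 * FUZZTEST_IO_ERRORS the input is additionally decoded under an allocation
 * cap with a stream failure injected near the end, via the pb_decode_ex()
 * flag variants and with callbacks, all without asserting success: those
 * paths only have to complete without crashing or leaking. The allocation
 * count must be unchanged on return.
 */
void do_roundtrips(const uint8_t *data, size_t size, bool expect_valid)
{
    size_t initial_alloc_count = get_alloc_count();
    PB_UNUSED(expect_valid); /* Potentially unused depending on configuration */

#ifdef FUZZTEST_PROTO2_STATIC
    if (do_decode(data, size, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields, 0, expect_valid))
    {
        do_roundtrip(data, size, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields);
        do_stream_decode(data, size, SIZE_MAX, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields, true);
        do_callback_decode(data, size, true);
    }
#endif

#ifdef FUZZTEST_PROTO3_STATIC
    if (do_decode(data, size, sizeof(alltypes_proto3_static_AllTypes), alltypes_proto3_static_AllTypes_fields, 0, expect_valid))
    {
        do_roundtrip(data, size, sizeof(alltypes_proto3_static_AllTypes), alltypes_proto3_static_AllTypes_fields);
        do_stream_decode(data, size, SIZE_MAX, sizeof(alltypes_proto3_static_AllTypes), alltypes_proto3_static_AllTypes_fields, true);
    }
#endif

#ifdef FUZZTEST_PROTO2_POINTER
    if (do_decode(data, size, sizeof(alltypes_pointer_AllTypes), alltypes_pointer_AllTypes_fields, 0, expect_valid))
    {
        do_roundtrip(data, size, sizeof(alltypes_pointer_AllTypes), alltypes_pointer_AllTypes_fields);
        do_stream_decode(data, size, SIZE_MAX, sizeof(alltypes_pointer_AllTypes), alltypes_pointer_AllTypes_fields, true);
    }
#endif

#ifdef FUZZTEST_PROTO3_POINTER
    if (do_decode(data, size, sizeof(alltypes_proto3_pointer_AllTypes), alltypes_proto3_pointer_AllTypes_fields, 0, expect_valid))
    {
        do_roundtrip(data, size, sizeof(alltypes_proto3_pointer_AllTypes), alltypes_proto3_pointer_AllTypes_fields);
        do_stream_decode(data, size, SIZE_MAX, sizeof(alltypes_proto3_pointer_AllTypes), alltypes_proto3_pointer_AllTypes_fields, true);
    }
#endif

#ifdef FUZZTEST_IO_ERRORS
    {
        size_t orig_max_alloc_bytes = get_max_alloc_bytes();
        /* Inject the stream error 16 bytes before the end of the input. Guard
         * the subtraction: for inputs shorter than 16 bytes `size - 16` wraps
         * to a huge value and the failure would never be injected, so clamp to
         * 0 (fail on the first read) instead. */
        size_t fail_after = (size >= 16) ? size - 16 : 0;

        /* Test decoding when error conditions occur.
         * The decoding will end either when running out of memory or when stream returns IO error.
         * Testing proto2 is enough for good coverage here, as it has a superset of the field types of proto3.
         */
        set_max_alloc_bytes(get_alloc_bytes() + 4096);
        do_stream_decode(data, size, fail_after, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields, false);
        do_stream_decode(data, size, fail_after, sizeof(alltypes_pointer_AllTypes), alltypes_pointer_AllTypes_fields, false);
        set_max_alloc_bytes(orig_max_alloc_bytes);
    }

    /* Test pb_decode_ex() modes */
    do_decode(data, size, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields, PB_DECODE_NOINIT | PB_DECODE_DELIMITED, false);
    do_decode(data, size, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields, PB_DECODE_NULLTERMINATED, false);

    /* Test callbacks also when message is not valid */
    do_callback_decode(data, size, false);
#endif

    assert(get_alloc_count() == initial_alloc_count);
}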
350
/* Fuzzer stub for Google OSSFuzz integration.
 * Inputs larger than the working buffer size are rejected outright rather
 * than truncated; everything else goes through do_roundtrips() with
 * expect_valid = false. Always returns 0 as libFuzzer requires. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (size <= g_bufsize)
        do_roundtrips(data, size, false);

    return 0;
}
361
362 #ifndef LLVMFUZZER
363
/* Build one random proto2 AllTypes message into `buffer`.
 * Starts from alltypes_static_AllTypes_init_default, scrambles the raw struct
 * bytes with rand_mess() until rand_int(0, 7) returns 0, resets the
 * extensions pointer (the scramble covered the whole struct, including it)
 * and encodes the result. On return *msglen holds the encoded length, which
 * must fit both g_bufsize and alltypes_static_AllTypes_size. Returns the
 * pb_encode status. The temporary struct is released and freed here. */
static bool generate_base_message(uint8_t *buffer, size_t *msglen)
{
    static const alltypes_static_AllTypes defaults = alltypes_static_AllTypes_init_default;
    alltypes_static_AllTypes *msg = malloc_with_check(sizeof(*msg));
    pb_ostream_t out;
    bool encoded;

    memcpy(msg, &defaults, sizeof(defaults));

    /* Scramble the struct a random number of times before encoding. */
    while (rand_int(0, 7) != 0)
        rand_mess((uint8_t*)msg, sizeof(*msg));

    /* rand_mess() touched this pointer too; it must not be garbage when encoding. */
    msg->extensions = NULL;

    out = pb_ostream_from_buffer(buffer, g_bufsize);
    encoded = pb_encode(&out, alltypes_static_AllTypes_fields, msg);
    assert(out.bytes_written <= g_bufsize);
    assert(out.bytes_written <= alltypes_static_AllTypes_size);

    *msglen = out.bytes_written;
    pb_release(alltypes_static_AllTypes_fields, msg);
    free_with_check(msg);

    return encoded;
}
391
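/* Stand-alone fuzzer iteration, generates random data itself.
 *
 * Fills a g_bufsize buffer with noise, encodes a random base message into it
 * and runs do_roundtrips() twice: first on the (expected valid) message after
 * rand_protobuf_noise(), then again after the encoded bytes and/or the length
 * have been randomly corrupted, where validity is no longer expected. If the
 * base message could not be encoded the iteration does nothing. Asserts that
 * no allocations are outstanding at the end. Takes no arguments; declared
 * with a proper (void) prototype rather than the old-style empty list.
 */
static void run_iteration(void)
{
    uint8_t *buffer = malloc_with_check(g_bufsize);
    size_t msglen = 0;

    /* Fill the whole buffer with noise, to prepare for length modifications */
    rand_fill(buffer, g_bufsize);

    if (generate_base_message(buffer, &msglen))
    {
        rand_protobuf_noise(buffer, g_bufsize, &msglen);

        /* At this point the message should always be valid */
        do_roundtrips(buffer, msglen, true);

        /* Apply randomness to the encoded data */
        while (rand_bool())
            rand_mess(buffer, g_bufsize);

        /* Apply randomness to encoded data length */
        if (rand_bool())
            msglen = rand_int(0, g_bufsize);

        /* In this step the message may be valid or invalid */
        do_roundtrips(buffer, msglen, false);
    }

    free_with_check(buffer);
    assert(get_alloc_count() == 0);
}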
423
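/* Entry point for the non-libFuzzer builds.
 *
 * With arguments: stand-alone mode. argv[1] is the RNG seed (any base
 * accepted by strtoul with base 0), argv[2] the optional iteration count
 * (default 10000). Both are validated: trailing garbage, out-of-range values
 * or a negative count print an error and return 1 instead of silently
 * running with seed 0 or a truncated count.
 *
 * Without arguments: afl-fuzz style stub. One input is read from stdin
 * (binary mode) into a g_bufsize buffer and fed to LLVMFuzzerTestOneInput();
 * a read error is reported, and input longer than the buffer is drained
 * with a warning.
 *
 * Returns 0 on success, 1 on invalid command-line arguments.
 */
int main(int argc, char **argv)
{
    if (argc >= 2)
    {
        /* Run in stand-alone mode */
        char *end = NULL;
        unsigned long seed;
        long iterations = 10000;
        long i;

        /* Presumably keeps per-iteration cost down; see the FUZZTEST_BUFSIZE note above. */
        if (g_bufsize > FUZZTEST_MAX_STANDALONE_BUFSIZE)
            g_bufsize = FUZZTEST_MAX_STANDALONE_BUFSIZE;

        errno = 0;
        seed = strtoul(argv[1], &end, 0);
        if (end == argv[1] || *end != '\0' || errno == ERANGE)
        {
            fprintf(stderr, "Invalid seed '%s'\n", argv[1]);
            return 1;
        }
        random_set_seed(seed);

        if (argc >= 3)
        {
            errno = 0;
            iterations = strtol(argv[2], &end, 10);
            if (end == argv[2] || *end != '\0' || errno == ERANGE || iterations < 0)
            {
                fprintf(stderr, "Invalid iteration count '%s'\n", argv[2]);
                return 1;
            }
        }

        for (i = 0; i < iterations; i++)
        {
            printf("Iteration %ld/%ld, seed %lu\n", i, iterations, (unsigned long)random_get_seed());
            run_iteration();
        }
    }
    else
    {
        /* Run as a stub for afl-fuzz and similar */
        uint8_t *buffer = malloc_with_check(g_bufsize);
        size_t msglen;

        SET_BINARY_MODE(stdin);
        msglen = fread(buffer, 1, g_bufsize, stdin);
        LLVMFuzzerTestOneInput(buffer, msglen);

        if (ferror(stdin))
        {
            /* A short read caused by an error is not "input too long". */
            fprintf(stderr, "Warning: error reading input\n");
        }
        else if (!feof(stdin))
        {
            /* Read any leftover input data if our buffer is smaller than
             * message size. */
            fprintf(stderr, "Warning: input message too long\n");
            while (fread(buffer, 1, g_bufsize, stdin) == g_bufsize)
                ;
        }

        free_with_check(buffer);
    }

    return 0;
}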
469 #endif
470