1 /* Fuzz testing for the nanopb core.
2  * Attempts to verify all the properties defined in the security model document.
3  *
4  * This program can run in three configurations:
5  * - Standalone fuzzer, generating its own inputs and testing against them.
6  * - Fuzzing target, reading input on stdin.
7  * - LLVM libFuzzer target, taking input as a function argument.
8  */
9 
#include <pb_decode.h>
#include <pb_encode.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <assert.h>
#include <malloc_wrappers.h>
#include "random_data.h"
#include "validation.h"
#include "flakystream.h"
#include "test_helpers.h"
#include "alltypes_static.pb.h"
#include "alltypes_pointer.pb.h"
#include "alltypes_callback.pb.h"
#include "alltypes_proto3_static.pb.h"
#include "alltypes_proto3_pointer.pb.h"
26 
27 /* Longer buffer size allows hitting more branches, but lowers performance. */
28 #ifndef FUZZTEST_BUFSIZE
29 #define FUZZTEST_BUFSIZE 256*1024
30 #endif
31 #ifndef FUZZTEST_MAX_STANDALONE_BUFSIZE
32 #define FUZZTEST_MAX_STANDALONE_BUFSIZE 16384
33 #endif
/* Size of every working buffer allocated by the harness. Starts at
 * FUZZTEST_BUFSIZE and is lowered to FUZZTEST_MAX_STANDALONE_BUFSIZE
 * by main() when running in stand-alone mode. */
static size_t g_bufsize = FUZZTEST_BUFSIZE;
35 
36 /* Focusing on a single test case at a time improves fuzzing performance.
37  * If no test case is specified, enable all tests.
38  */
39 #if !defined(FUZZTEST_PROTO2_STATIC) && \
40     !defined(FUZZTEST_PROTO3_STATIC) && \
41     !defined(FUZZTEST_PROTO2_POINTER) && \
42     !defined(FUZZTEST_PROTO3_POINTER) && \
43     !defined(FUZZTEST_IO_ERRORS)
44 #define FUZZTEST_PROTO2_STATIC
45 #define FUZZTEST_PROTO3_STATIC
46 #define FUZZTEST_PROTO2_POINTER
47 #define FUZZTEST_PROTO3_POINTER
48 #define FUZZTEST_IO_ERRORS
49 #endif
50 
/* Cheap xorshift-style hash over `len` bytes of `data`.
 *
 * Used to compare two encodings for byte equality without keeping both
 * buffers around. The state starts from a fixed seed (1234), so the result
 * depends only on the bytes and their order; a zero-length input returns
 * the seed itself.
 */
static uint32_t xor32_checksum(const void *data, size_t len)
{
    const uint8_t *bytes = (const uint8_t*)data;
    uint32_t h = 1234;

    for (size_t i = 0; i < len; i++)
    {
        /* One xorshift32 step, then fold in the next byte. */
        h ^= h << 13;
        h ^= h >> 17;
        h ^= h << 5;
        h += bytes[i];
    }

    return h;
}
64 
/* Decode `msglen` bytes of `buffer` as a `msgtype` message (occupying
 * `structsize` bytes), validate the result and release everything again.
 *
 * `flags` is passed straight to pb_decode_ex(). Returns the decode status;
 * when `assert_success` is set, a failed decode prints the nanopb error
 * string and aborts. The malloc_wrappers allocation count must be the same
 * on exit as on entry, i.e. neither the decoder nor this function may leak.
 */
static bool do_decode(const uint8_t *buffer, size_t msglen, size_t structsize, const pb_msgdesc_t *msgtype, unsigned flags, bool assert_success)
{
    size_t allocs_before = get_alloc_count();
    /* Dummy allocation so the allocation count matches do_roundtrip(),
     * which allocates an output buffer of the same size. */
    uint8_t *scratch = malloc_with_check(g_bufsize);
    void *msg = malloc_with_check(structsize);
    alltypes_static_TestExtension extmsg = alltypes_static_TestExtension_init_zero;
    pb_extension_t ext = pb_extension_init_zero;
    pb_istream_t stream;
    bool ok;

    assert(msg);
    memset(msg, 0, structsize);

    /* The proto2 AllTypes variants carry an extension field; hook up a
     * TestExtension handler so extension data in the input gets decoded too. */
    ext.type = &alltypes_static_TestExtension_testextension;
    ext.dest = &extmsg;
    ext.next = NULL;
    if (msgtype == alltypes_static_AllTypes_fields)
        ((alltypes_static_AllTypes*)msg)->extensions = &ext;
    else if (msgtype == alltypes_pointer_AllTypes_fields)
        ((alltypes_pointer_AllTypes*)msg)->extensions = &ext;

    stream = pb_istream_from_buffer(buffer, msglen);
    ok = pb_decode_ex(&stream, msgtype, msg, flags);

    if (ok)
        validate_message(msg, structsize, msgtype);

    if (assert_success && !ok)
    {
        fprintf(stderr, "pb_decode: %s\n", PB_GET_ERROR(&stream));
        assert(ok);
    }

    /* On an error return pb_decode_ex() is expected to have released the
     * message itself, so only a successful decode leaves anything to free. */
    if (ok)
        pb_release(msgtype, msg);

    free_with_check(msg);
    free_with_check(scratch);
    assert(get_alloc_count() == allocs_before);

    return ok;
}
116 
/* Same as do_decode(), but reads the input through a flakystream.
 *
 * `fail_after` is handed to flakystream_init(); callers pass SIZE_MAX for a
 * stream that never fails and a smaller value to provoke an I/O error
 * partway through (see flakystream.h for the exact semantics). Returns the
 * decode status, asserted when `assert_success` is set, and checks that the
 * allocation count is unchanged afterwards.
 */
static bool do_stream_decode(const uint8_t *buffer, size_t msglen, size_t fail_after, size_t structsize, const pb_msgdesc_t *msgtype, unsigned flags, bool assert_success)
{
    size_t allocs_before = get_alloc_count();
    void *msg = malloc_with_check(structsize);
    flakystream_t flaky;
    bool ok;

    assert(msg);
    memset(msg, 0, structsize);

    flakystream_init(&flaky, buffer, msglen, fail_after);
    ok = pb_decode_ex(&flaky.stream, msgtype, msg, flags);

    if (ok)
        validate_message(msg, structsize, msgtype);

    if (assert_success && !ok)
    {
        fprintf(stderr, "pb_decode: %s\n", PB_GET_ERROR(&flaky.stream));
        assert(ok);
    }

    /* On an error return pb_decode_ex() is expected to have released the
     * message itself; release only after a successful decode. */
    if (ok)
        pb_release(msgtype, msg);

    free_with_check(msg);
    assert(get_alloc_count() == allocs_before);

    return ok;
}
151 
/* Never read; its address is installed as the `arg` of every callback field
 * so the callbacks can verify that the decoder passed the argument through. */
static int g_sentinel;
153 
/* Decode callback installed on the repeated/callback fields in
 * do_callback_decode(). Verifies the arguments the decoder passed in and
 * then skips the field's remaining bytes (pb_read() with a NULL destination
 * only advances the stream). Returns the pb_read() status.
 */
static bool field_callback(pb_istream_t *stream, const pb_field_t *field, void **arg)
{
    size_t remaining;

    assert(stream != NULL);
    assert(field != NULL);
    assert(*arg == &g_sentinel);

    remaining = stream->bytes_left;
    return pb_read(stream, NULL, remaining);
}
161 
/* Decode callback for the `cb_oneof` field in do_callback_decode().
 * Only verifies the arguments and reports success without reading from the
 * stream.
 */
static bool submsg_callback(pb_istream_t *stream, const pb_field_t *field, void **arg)
{
    assert(stream != NULL);
    assert(field != NULL);
    assert(*arg == &g_sentinel);

    return true;
}
169 
/* Decode the input as the callback-based AllTypes message.
 *
 * Every callback field is wired to a checking callback (field_callback() or
 * submsg_callback()) with `&g_sentinel` as its argument. Returns the decode
 * status; when `assert_success` is set a failure prints the nanopb error and
 * aborts. Verifies that the allocation count is unchanged afterwards.
 */
bool do_callback_decode(const uint8_t *buffer, size_t msglen, bool assert_success)
{
    size_t allocs_before = get_alloc_count();
    alltypes_callback_AllTypes *msg = malloc_with_check(sizeof(*msg));
    pb_istream_t in;
    bool ok;

    assert(msg);
    memset(msg, 0, sizeof(*msg));
    in = pb_istream_from_buffer(buffer, msglen);

    /* Fields whose payload is consumed by field_callback(). */
    msg->rep_int32.arg = &g_sentinel;
    msg->rep_int32.funcs.decode = &field_callback;
    msg->rep_string.arg = &g_sentinel;
    msg->rep_string.funcs.decode = &field_callback;
    msg->rep_farray.arg = &g_sentinel;
    msg->rep_farray.funcs.decode = &field_callback;
    msg->req_limits.int64_min.arg = &g_sentinel;
    msg->req_limits.int64_min.funcs.decode = &field_callback;
    /* Oneof field: submsg_callback() only checks its arguments. */
    msg->cb_oneof.arg = &g_sentinel;
    msg->cb_oneof.funcs.decode = &submsg_callback;

    ok = pb_decode(&in, alltypes_callback_AllTypes_fields, msg);

    if (!ok && assert_success)
    {
        fprintf(stderr, "pb_decode: %s\n", PB_GET_ERROR(&in));
        assert(ok);
    }

    /* Released regardless of the decode result. */
    pb_release(alltypes_callback_AllTypes_fields, msg);
    free_with_check(msg);
    assert(get_alloc_count() == allocs_before);

    return ok;
}
206 
207 /* Do a decode -> encode -> decode -> encode roundtrip */
/* Do a decode -> encode -> decode -> encode roundtrip.
 *
 * `buffer`/`msglen` must decode successfully as a `msgtype` message of
 * `structsize` bytes; a decode failure here is a test failure (assert).
 * The first encode brings the data into canonical form. The second
 * decode/encode pair must then reproduce exactly the same bytes, compared
 * by length and xor32_checksum(). The only tolerated encode failure is
 * "stream full", which skips the comparison. Frees everything it allocates.
 */
void do_roundtrip(const uint8_t *buffer, size_t msglen, size_t structsize, const pb_msgdesc_t *msgtype)
{
    bool status;
    uint32_t checksum2, checksum3;
    size_t msglen2, msglen3;
    uint8_t *buf2 = malloc_with_check(g_bufsize);
    void *msg = malloc_with_check(structsize);

    /* For proto2 types, we also test extension fields */
    alltypes_static_TestExtension extmsg = alltypes_static_TestExtension_init_zero;
    pb_extension_t ext = pb_extension_init_zero;
    pb_extension_t **ext_field = NULL; /* address of the message's extension pointer, if it has one */
    ext.type = &alltypes_static_TestExtension_testextension;
    ext.dest = &extmsg;
    ext.next = NULL;

    assert(buf2 && msg);

    if (msgtype == alltypes_static_AllTypes_fields)
    {
        ext_field = &((alltypes_static_AllTypes*)msg)->extensions;
    }
    else if (msgtype == alltypes_pointer_AllTypes_fields)
    {
        ext_field = &((alltypes_pointer_AllTypes*)msg)->extensions;
    }

    /* Decode and encode the input data.
     * This will bring it into canonical format.
     */
    {
        pb_istream_t stream = pb_istream_from_buffer(buffer, msglen);
        memset(msg, 0, structsize);
        /* The memset() above also cleared the extension pointer; re-attach it. */
        if (ext_field) *ext_field = &ext;
        status = pb_decode(&stream, msgtype, msg);
        if (!status) fprintf(stderr, "pb_decode: %s\n", PB_GET_ERROR(&stream));
        assert(status);

        validate_message(msg, structsize, msgtype);
    }

    {
        pb_ostream_t stream = pb_ostream_from_buffer(buf2, g_bufsize);
        status = pb_encode(&stream, msgtype, msg);

        /* Some messages expand when re-encoding and might no longer fit
         * in the buffer. */
        if (!status && strcmp(PB_GET_ERROR(&stream), "stream full") != 0)
        {
            fprintf(stderr, "pb_encode: %s\n", PB_GET_ERROR(&stream));
            assert(status);
        }

        /* After "stream full" these describe a truncated encoding; that is
         * harmless because status is false and the comparison below is skipped. */
        msglen2 = stream.bytes_written;
        checksum2 = xor32_checksum(buf2, msglen2);
    }

    pb_release(msgtype, msg);

    /* Then decode from canonical format and re-encode. Result should remain the same. */
    if (status)
    {
        pb_istream_t stream = pb_istream_from_buffer(buf2, msglen2);
        memset(msg, 0, structsize);
        if (ext_field) *ext_field = &ext;
        status = pb_decode(&stream, msgtype, msg);
        if (!status) fprintf(stderr, "pb_decode: %s\n", PB_GET_ERROR(&stream));
        assert(status);

        validate_message(msg, structsize, msgtype);
    }

    if (status)
    {
        pb_ostream_t stream = pb_ostream_from_buffer(buf2, g_bufsize);
        status = pb_encode(&stream, msgtype, msg);
        if (!status) fprintf(stderr, "pb_encode: %s\n", PB_GET_ERROR(&stream));
        assert(status);
        msglen3 = stream.bytes_written;
        checksum3 = xor32_checksum(buf2, msglen3);

        /* Canonical form must be a fixed point of decode+encode. */
        assert(msglen2 == msglen3);
        assert(checksum2 == checksum3);
    }

    /* NOTE(review): on the "stream full" path msg was already released above
     * and not decoded again, so this is a second pb_release() on the same
     * message; presumably safe because pb_release() clears what it frees —
     * confirm against the nanopb implementation. */
    pb_release(msgtype, msg);
    free_with_check(msg);
    free_with_check(buf2);
}
297 
298 /* Run all enabled test cases for a given input */
/* Run all enabled test cases for a given input.
 *
 * `expect_valid` says whether `data` is known to be a well-formed message
 * (true for freshly generated input in run_iteration(), false for mutated
 * or fuzzer-supplied input); it only decides whether a plain decode failure
 * aborts the run. Which groups run is selected by the FUZZTEST_* macros
 * defined above. The allocation count must be unchanged on return.
 */
void do_roundtrips(const uint8_t *data, size_t size, bool expect_valid)
{
    size_t initial_alloc_count = get_alloc_count();
    PB_UNUSED(expect_valid); /* Potentially unused depending on configuration */

#ifdef FUZZTEST_PROTO2_STATIC
    /* Only inputs that decode plainly are put through the roundtrip,
     * stream and callback decoders, all of which assert success. */
    if (do_decode(data, size, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields, 0, expect_valid))
    {
        do_roundtrip(data, size, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields);
        do_stream_decode(data, size, SIZE_MAX, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields, 0, true);
        do_callback_decode(data, size, true);
    }
#endif

#ifdef FUZZTEST_PROTO3_STATIC
    if (do_decode(data, size, sizeof(alltypes_proto3_static_AllTypes), alltypes_proto3_static_AllTypes_fields, 0, expect_valid))
    {
        do_roundtrip(data, size, sizeof(alltypes_proto3_static_AllTypes), alltypes_proto3_static_AllTypes_fields);
        do_stream_decode(data, size, SIZE_MAX, sizeof(alltypes_proto3_static_AllTypes), alltypes_proto3_static_AllTypes_fields, 0, true);
    }
#endif

#ifdef FUZZTEST_PROTO2_POINTER
    if (do_decode(data, size, sizeof(alltypes_pointer_AllTypes), alltypes_pointer_AllTypes_fields, 0, expect_valid))
    {
        do_roundtrip(data, size, sizeof(alltypes_pointer_AllTypes), alltypes_pointer_AllTypes_fields);
        do_stream_decode(data, size, SIZE_MAX, sizeof(alltypes_pointer_AllTypes), alltypes_pointer_AllTypes_fields, 0, true);
    }
#endif

#ifdef FUZZTEST_PROTO3_POINTER
    if (do_decode(data, size, sizeof(alltypes_proto3_pointer_AllTypes), alltypes_proto3_pointer_AllTypes_fields, 0, expect_valid))
    {
        do_roundtrip(data, size, sizeof(alltypes_proto3_pointer_AllTypes), alltypes_proto3_pointer_AllTypes_fields);
        do_stream_decode(data, size, SIZE_MAX, sizeof(alltypes_proto3_pointer_AllTypes), alltypes_proto3_pointer_AllTypes_fields, 0, true);
    }
#endif

#ifdef FUZZTEST_IO_ERRORS
    {
        size_t orig_max_alloc_bytes = get_max_alloc_bytes();
        /* Test decoding when error conditions occur.
         * The decoding will end either when running out of memory or when stream returns IO error.
         * Testing proto2 is enough for good coverage here, as it has a superset of the field types of proto3.
         */
        /* Cap allocations at 4 KiB above the current level so the pointer
         * variant runs out of memory mid-decode. */
        set_max_alloc_bytes(get_alloc_bytes() + 4096);
        /* NOTE(review): `size - 16` wraps to a huge value when size < 16, so
         * for such inputs the injected stream failure presumably never
         * triggers — confirm against flakystream semantics. */
        do_stream_decode(data, size, size - 16, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields, 0, false);
        do_stream_decode(data, size, size - 16, sizeof(alltypes_pointer_AllTypes), alltypes_pointer_AllTypes_fields, 0, false);
        do_stream_decode(data, size, size - 16, sizeof(alltypes_pointer_AllTypes), alltypes_pointer_AllTypes_fields, PB_DECODE_DELIMITED, false);
        set_max_alloc_bytes(orig_max_alloc_bytes);
    }

    /* Test pb_decode_ex() modes */
    do_decode(data, size, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields, PB_DECODE_NOINIT | PB_DECODE_DELIMITED, false);
    do_decode(data, size, sizeof(alltypes_static_AllTypes), alltypes_static_AllTypes_fields, PB_DECODE_NULLTERMINATED, false);

    /* Test callbacks also when message is not valid */
    do_callback_decode(data, size, false);
#endif

    assert(get_alloc_count() == initial_alloc_count);
}
361 
362 /* Fuzzer stub for Google OSSFuzz integration */
/* libFuzzer / OSS-Fuzz entry point.
 *
 * Inputs longer than the working buffer are skipped. The validity of
 * fuzzer-provided data is unknown, so decode failures are not asserted.
 * Always returns 0, as libFuzzer expects.
 */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    if (size <= g_bufsize)
    {
        do_roundtrips(data, size, false);
    }

    return 0;
}
372 
373 #ifndef LLVMFUZZER
374 
/* Build a randomised proto2 AllTypes message and encode it into `buffer`
 * (capacity g_bufsize). Stores the encoded length in *msglen and returns
 * the pb_encode() status; the length is stored even when encoding failed.
 */
static bool generate_base_message(uint8_t *buffer, size_t *msglen)
{
    static const alltypes_static_AllTypes initval = alltypes_static_AllTypes_init_default;
    alltypes_static_AllTypes *msg = malloc_with_check(sizeof(*msg));
    pb_ostream_t out;
    bool ok;

    /* Start from the default-initialised message, then scramble its bytes
     * a random number of times (the loop ends when rand_int(0, 7) yields 0). */
    memcpy(msg, &initval, sizeof(*msg));
    while (rand_int(0, 7) != 0)
        rand_mess((uint8_t*)msg, sizeof(*msg));

    /* Scrambling may have left garbage in the extension pointer. */
    msg->extensions = NULL;

    out = pb_ostream_from_buffer(buffer, g_bufsize);
    ok = pb_encode(&out, alltypes_static_AllTypes_fields, msg);
    assert(out.bytes_written <= g_bufsize);
    /* A static AllTypes message can never exceed its generated maximum size. */
    assert(out.bytes_written <= alltypes_static_AllTypes_size);
    *msglen = out.bytes_written;

    pb_release(alltypes_static_AllTypes_fields, msg);
    free_with_check(msg);

    return ok;
}
402 
403 /* Stand-alone fuzzer iteration, generates random data itself */
/* One stand-alone fuzzing round: generate a message, check that it decodes,
 * then corrupt it and check that decoding still behaves. Expects the
 * allocation count to be zero when the round ends.
 */
static void run_iteration()
{
    size_t msglen = 0;
    uint8_t *buffer = malloc_with_check(g_bufsize);

    /* Noise under the message, so later length changes expose random
     * trailing bytes rather than zeros. */
    rand_fill(buffer, g_bufsize);

    if (!generate_base_message(buffer, &msglen))
    {
        free_with_check(buffer);
        assert(get_alloc_count() == 0);
        return;
    }

    rand_protobuf_noise(buffer, g_bufsize, &msglen);

    /* Pass 1: the freshly generated message must decode successfully. */
    do_roundtrips(buffer, msglen, true);

    /* Pass 2: corrupt the bytes and/or the length; the result may now be
     * valid or invalid, so failures are not asserted. */
    while (rand_bool())
        rand_mess(buffer, g_bufsize);
    if (rand_bool())
        msglen = rand_int(0, g_bufsize);
    do_roundtrips(buffer, msglen, false);

    free_with_check(buffer);
    assert(get_alloc_count() == 0);
}
434 
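/* Program entry point.
 *
 *   fuzztest <seed> [iterations]   stand-alone mode: generate random inputs
 *       from the given seed (parsed with base 0, so decimal, octal or hex)
 *       for `iterations` rounds, default 10000.
 *   fuzztest                       stub mode: read one input from stdin and
 *       hand it to LLVMFuzzerTestOneInput() (afl-fuzz and similar).
 *
 * Returns 0 normally and 1 when a command-line number does not parse.
 * Out-of-range numbers saturate as strtoul()/strtol() do; they are not
 * reported as errors.
 */
int main(int argc, char **argv)
{
    if (argc >= 2)
    {
        /* Run in stand-alone mode */
        long iterations = 10000;
        long i;
        char *end;
        unsigned long seed;

        /* A smaller buffer keeps random generation fast. */
        if (g_bufsize > FUZZTEST_MAX_STANDALONE_BUFSIZE)
            g_bufsize = FUZZTEST_MAX_STANDALONE_BUFSIZE;

        /* Reject arguments that are not entirely a number instead of
         * silently running with seed 0 or zero iterations. */
        seed = strtoul(argv[1], &end, 0);
        if (end == argv[1] || *end != '\0')
        {
            fprintf(stderr, "Invalid seed: %s\n", argv[1]);
            return 1;
        }
        random_set_seed(seed);

        if (argc >= 3)
        {
            iterations = strtol(argv[2], &end, 10);
            if (end == argv[2] || *end != '\0')
            {
                fprintf(stderr, "Invalid iteration count: %s\n", argv[2]);
                return 1;
            }
        }

        for (i = 0; i < iterations; i++)
        {
            printf("Iteration %ld/%ld, seed %lu\n", i, iterations, (unsigned long)random_get_seed());
            run_iteration();
        }
    }
    else
    {
        /* Run as a stub for afl-fuzz and similar */
        uint8_t *buffer;
        size_t msglen;

        buffer = malloc_with_check(g_bufsize);

        SET_BINARY_MODE(stdin);
        msglen = fread(buffer, 1, g_bufsize, stdin);
        LLVMFuzzerTestOneInput(buffer, msglen);

        if (!feof(stdin))
        {
            /* Read any leftover input data if our buffer is smaller than
             * message size. */
            fprintf(stderr, "Warning: input message too long\n");
            while (fread(buffer, 1, g_bufsize, stdin) == g_bufsize);
        }

        free_with_check(buffer);
    }

    return 0;
}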
480 #endif
481