Fuzzing

[polachok]

https://github.com/rust-fuzz/cargo-fuzz just arrived and I tried to use it on libpnet

2 seconds into cargo fuzz --fuzz-target fuzzer_script_1 and here we go:

INFO: Seed: 849846349
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
INFO: -max_len is not provided, using 64
#0      READ units: 2
thread '<unnamed>' panicked at 'attempt to subtract with overflow', /home/plhk/src/libpnet/fuzz/target/debug/build/pnet-470ff5253a202a9d/out/ipv4.rs:1209
note: Run with `RUST_BACKTRACE=1` for a backtrace.
==30801== ERROR: libFuzzer: deadly signal
    #0 0x7f76dc157b39  (/home/plhk/src/libpnet/fuzz/target/debug/fuzzer_script_1+0x1dbb39)
    #1 0x7f76dbfb0bc6  (/home/plhk/src/libpnet/fuzz/target/debug/fuzzer_script_1+0x34bc6)
    #2 0x7f76db43932f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1032f)
    #3 0x7f76dae84c36  (/lib/x86_64-linux-gnu/libc.so.6+0x36c36)
    #4 0x7f76dae88027  (/lib/x86_64-linux-gnu/libc.so.6+0x3a027)
    #5 0x7f76dc08c1d8  (/home/plhk/src/libpnet/fuzz/target/debug/fuzzer_script_1+0x1101d8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xa,
\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a
artifact_prefix='./'; Test unit written to ./crash-f7c2d3e118e956163283f66c387fdb6455aceef4
Base64: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACg==

#141

[mrmonday]

This is awesome, I've wanted to fuzz libpnet for quite some time!

I see you've marked this as WIP - I'll hold off merging for now. I'm excited to see where this leads.

[polachok]

I just wanted to start a discussion about this.
I think it would be great to have fuzzing scripts generation automated somehow.
It's kinda tiresome to write them by hand.
Alternatively, we could write scripts for all existing packet types and not accept PRs without fuzzing scripts :)

[Manishearth]

cc @pnkfelix

[mrmonday]

I'm not sure we need fuzzing scripts for all packet types - ideally pnet_macros should generate "perfect" packet parsers which always pass fuzzing. With that said, yes, we could auto-generate these (they wouldn't be as sophisticated as what you've provided until we have an answer to #140).

[polachok]

ipv4:

INFO: Seed: 377758501
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
INFO: -max_len is not provided, using 64
#0	READ units: 7
thread '<unnamed>' panicked at 'attempt to subtract with overflow', /home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/build/pnet-470ff5253a202a9d/out/ipv4.rs:1209
note: Run with `RUST_BACKTRACE=1` for a backtrace.
==28165== ERROR: libFuzzer: deadly signal
    #0 0x55b81f18abe9  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/ipv4+0x1f2be9)
    #1 0x55b81efe6f4b  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/ipv4+0x4ef4b)
    #2 0x55b81efe6e95  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/ipv4+0x4ee95)
    #3 0x55b81efddde3  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/ipv4+0x45de3)
    #4 0x7ff3af89e5bf  (/lib64/libpthread.so.0+0x115bf)
    #5 0x7ff3af2e591e  (/lib64/libc.so.6+0x3591e)
    #6 0x7ff3af2e7519  (/lib64/libc.so.6+0x37519)
    #7 0x55b81f0bf1a8  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/ipv4+0x1271a8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x0,0xff,0xff,0x29,0xfb,0xff,0xff,0xff,0xff,0xff,0x0,0x29,0xfb,0xff,0xff,0xff,0xff,0xff,0x0,0xff,0xff,0xff,0xa,
\x00\xff\xff)\xfb\xff\xff\xff\xff\xff\x00)\xfb\xff\xff\xff\xff\xff\x00\xff\xff\xff\x0a
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-0aea91efc06d5d4f0dc074cd0d00b340e8ddf6ed
Base64: AP//Kfv//////wAp+///////AP///wo=

tcp

INFO: Seed: 2225802277
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
INFO: -max_len is not provided, using 64
#0	READ units: 7
thread '<unnamed>' panicked at 'slice index starts at 60 but ends at 23', /checkout/src/libcore/slice.rs:584
note: Run with `RUST_BACKTRACE=1` for a backtrace.
==28270== ERROR: libFuzzer: deadly signal
    #0 0x5618dba9fc29  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x1f2c29)
    #1 0x5618db8fbf4b  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x4ef4b)
    #2 0x5618db8fbe95  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x4ee95)
    #3 0x5618db8f2de3  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x45de3)
    #4 0x7fcb3fbbe5bf  (/lib64/libpthread.so.0+0x115bf)
    #5 0x7fcb3f60591e  (/lib64/libc.so.6+0x3591e)
    #6 0x7fcb3f607519  (/lib64/libc.so.6+0x37519)
    #7 0x5618db9d41e8  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x1271e8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x0,0xff,0xff,0x29,0xfb,0xff,0xff,0xff,0xff,0xff,0x0,0x29,0xfb,0xff,0xff,0xff,0xff,0xff,0x0,0xff,0xff,0xff,0xa,
\x00\xff\xff)\xfb\xff\xff\xff\xff\xff\x00)\xfb\xff\xff\xff\xff\xff\x00\xff\xff\xff\x0a
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-0aea91efc06d5d4f0dc074cd0d00b340e8ddf6ed
Base64: AP//Kfv//////wAp+///////AP///wo=

gre

INFO: Seed: 4282533105
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: corpus
INFO: -max_len is not provided, using 64
#0	READ units: 7
#7	INITED cov: 206 corp: 2/21b exec/s: 0 rss: 16Mb
thread '<unnamed>' panicked at 'Source routed GRE packets not supported', /home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/build/pnet-470ff5253a202a9d/out/gre.rs:1286
note: Run with `RUST_BACKTRACE=1` for a backtrace.
==28429== ERROR: libFuzzer: deadly signal
    #0 0x5624f62bed39  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/gre+0x1f3d39)
    #1 0x5624f611bb8b  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/gre+0x50b8b)
    #2 0x5624f611bad5  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/gre+0x50ad5)
    #3 0x5624f6112a23  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/gre+0x47a23)
    #4 0x7f6e7a52e5bf  (/lib64/libpthread.so.0+0x115bf)
    #5 0x7f6e79f7591e  (/lib64/libc.so.6+0x3591e)
    #6 0x7f6e79f77519  (/lib64/libc.so.6+0x37519)
    #7 0x5624f61f32f8  (/home/plhk/src/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/gre+0x1282f8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 1 EraseBytes-; base unit: b06cd6c26e6815ad21073fe628c591e19f824293
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0xff,0xa,
\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\xff\x0a
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-9b609f50c71bf3a519c326a505eb20e4519a9bf3
Base64: //////////8AAAD/Cg==

[polachok]

I rebased branch. Tcp seems fixed, ipv4 still failing.

[polachok]

Ok, I broke tcp again

cargo fuzz run tcp -- -max_len=512                                                                                                                                                                                    
       Fresh pnet_macros_support v0.1.1 (file:///home/plhk/libpnet/pnet_macros_support)
       Fresh winapi v0.2.8
       Fresh rustc-serialize v0.3.23
       Fresh ipnetwork v0.12.3
       Fresh gcc v0.3.45
       Fresh void v1.0.2
       Fresh term v0.4.5
       Fresh winapi-build v0.1.1
       Fresh utf8-ranges v1.0.0
       Fresh log v0.3.7
       Fresh unicode-xid v0.0.3
       Fresh bitflags v0.5.0
       Fresh libc v0.2.21
       Fresh regex-syntax v0.4.0
       Fresh syntex_pos v0.42.0
       Fresh unreachable v0.1.1
       Fresh thread-id v3.0.0
       Fresh memchr v1.0.1
       Fresh syntex_errors v0.42.0
       Fresh thread_local v0.3.3
       Fresh aho-corasick v0.6.3
       Fresh syntex_syntax v0.42.0
       Fresh libfuzzer-sys v0.1.0 (https://github.com/rust-fuzz/libfuzzer-sys.git#36a3928e)
       Fresh ws2_32-sys v0.2.1
       Fresh regex v0.2.1
       Fresh syntex v0.42.2
       Fresh pnet_macros v0.13.1 (file:///home/plhk/libpnet/pnet_macros)
       Fresh pnet v0.17.0 (file:///home/plhk/libpnet)
       Fresh pnet-fuzz v0.0.1 (file:///home/plhk/libpnet/fuzz)
    Finished dev [unoptimized + debuginfo] target(s) in 0.0 secs
     Running `fuzz/target/x86_64-unknown-linux-gnu/debug/tcp -artifact_prefix=/home/plhk/libpnet/fuzz/artifacts/tcp/ -max_len=512 /home/plhk/libpnet/fuzz/corpus/tcp`
INFO: Seed: 1109823738
INFO: Loaded 0 modules (0 guards): 
Loading corpus dir: /home/plhk/libpnet/fuzz/corpus/tcp
#0      READ units: 3
thread '<unnamed>' panicked at 'index 98 out of range for slice of length 3', /checkout/src/libcore/slice/mod.rs:672
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
stack backtrace:
   0: core::slice::slice_index_len_fail
             at /checkout/src/libcore/slice/mod.rs:672
   1: <core::ops::Range<usize> as core::slice::SliceIndex<[T]>>::index
             at /checkout/src/libcore/slice/mod.rs:803
   2: core::slice::<impl core::ops::Index<I> for [T]>::index
             at /checkout/src/libcore/slice/mod.rs:654
   3: <pnet::packet::PacketData<'p> as core::ops::Index<core::ops::Range<usize>>>::index
             at ./src/packet/mod.rs:67
   4: <pnet::packet::tcp::TcpOptionPacket<'a> as pnet::packet::Packet>::payload
             at ./fuzz/target/x86_64-unknown-linux-gnu/debug/build/pnet-c83bfb2e5ea3cb12/out/tcp.rs:1211
   5: rust_fuzzer_test_input
             at ./fuzz/fuzzers/tcp.rs:13
   6: libfuzzer_sys::test_input_wrap::{{closure}}
             at /home/plhk/.multirust/toolchains/nightly/cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
==25073== ERROR: libFuzzer: deadly signal
    #0 0x559c8f50da53  (/home/plhk/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x133a53)
    #1 0x559c8f4326b7  (/home/plhk/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x586b7)
    #2 0x559c8f432605  (/home/plhk/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x58605)
    #3 0x559c8f43039a  (/home/plhk/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x5639a)
    #4 0x7f43f2e3833f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1033f)
    #5 0x7f43f2883cc8  (/lib/x86_64-linux-gnu/libc.so.6+0x36cc8)
    #6 0x7f43f28870d7  (/lib/x86_64-linux-gnu/libc.so.6+0x3a0d7)
    #7 0x559c8f5fbdf8  (/home/plhk/libpnet/fuzz/target/x86_64-unknown-linux-gnu/debug/tcp+0x221df8)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 0 ; base unit: 0000000000000000000000000000000000000000
0x2a,0x28,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,0x62,
*(bbbbbbbbbbbbbbbbbbbbb
artifact_prefix='/home/plhk/libpnet/fuzz/artifacts/tcp/'; Test unit written to /home/plhk/libpnet/fuzz/artifacts/tcp/crash-d070951eea8297d7bdf4aa9968825515e7bba656
Base64: KihiYmJiYmJiYmJiYmJiYmJiYmJiYmI=

[daniellockyer]

I've pulled a copy of this PR and will work on it 😄

[mrmonday]

@neosilky Thank you for picking this up! Let us know how you get on, or if you need any assistance.

[polachok]

@neosilky any progress? I made some commits to https://github.com/polachok/libpnet/commits/syncookied, but they need to be rebased

[mrmonday]

Going to do a release later this week, would be great to get some of the fixes in if they're ready.

[mrmonday]

I've merged the fuzzing stuff in so other people can play around with it. I'll check out the syncookied branch and cherry pick fixes across and get them merged in too.