Re: [Bug-wget] fuzz tests
From: Tim Rühsen
Subject: Re: [Bug-wget] fuzz tests
Date: Tue, 19 Feb 2019 17:21:27 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
Hi Nam,
The latest git master should have the tests in fuzz/ fixed. Please
give it a try and report back if anything doesn't work on OpenBSD.
Regards, Tim
On 2/19/19 3:36 PM, Tim Rühsen wrote:
> Hi Nam,
>
> your stderr-related code in the fuzzers is missing a close. IMO, it
> should be
>
> bak = dup(STDERR_FILENO);
> fd = open("/dev/null", O_WRONLY);
> dup2(fd, STDERR_FILENO);
> close(fd);
>
> Regards, Tim
>
> On 2/18/19 9:39 AM, Nam Nguyen wrote:
>> I am trying to version bump wget to 1.20.1. While installation works, I
>> am trying to get `make check' to work on OpenBSD.
>>
>> I need some help understanding the fuzz tests and their expected
>> behavior. Are fuzzing tests supposed to try to crash the program with
>> random inputs to uncover programming errors?
>>
>> I am getting a signal 6 (ENXIO?) and mostly signal 5 (EIO?). Signal 6
>> seems to be related to the stack smash protector feature of OpenBSD.
>> All eight tests dump core files because they receive these signals.
>>
>> I attached `ports', `config.log' and `fuzz/test-suite.log'. `ports' is
>> the log produced by the OpenBSD ports system when I run `make test'
>> which should run all check targets. Note that `ports' reports a failure
>> because it cannot find the fuzz tests, which are not included with the
>> tarball. I had to clone the git repo and copy fuzz/*.in and fuzz/*.repro
>> directories over before running `make check'.
>>
>> I am including some sample diffs that I needed to get `make test' to
>> run.
>>
>> patch-fuzz_Makefile_am: -ldl doesn't exist on OpenBSD; libc handles it.
>> patch-fuzz_wget_cookie_fuzzer_c: close stderr differently to avoid
>> assigning to lvalue
>> patch-lib_Makefile_am: add unknown symbols to libgnu
>>
>> Sorry for the long e-mail; I mainly want to understand the regression
>> tests available for wget. Thank you.
>>
>> Best Regards,
>> Nam
>>
>> wget_css_fuzzer.c
>> --8<---------------cut here---------------start------------->8---
>> exit status:134
>> Program terminated with signal 6, Aborted.
>>
>> $ doas -u _pbuild gdb fuzz/wget_css_fuzzer fuzz/wget_css*.core
>> GNU gdb 6.3
>>
>> Core was generated by `wget_css_fuzzer'.
>> ...
>> #0 thrkill () at -:3
>> 3 -: No such file or directory.
>> in -
>> (gdb) bt
>> #0 thrkill () at -:3
>> #1 0x00000a67fdad341c in __stack_smash_handler (func=Variable "func" is
>> not available.
>> )
>> at /usr/src/lib/libc/sys/stack_protector.c:79
>> #2 0x00000a65d1b8a49b in LLVMFuzzerTestOneInput ()
>> from
>> /mnt/playground/ports/pobj/wget-1.20.1/wget-1.20.1/fuzz/wget_css_fuzzer
>> #3 0x00000a65d1b58ac0 in ?? ()
>> --8<---------------cut here---------------end--------------->8---
>>
>> wget_html_fuzzer.c
>> --8<---------------cut here---------------start------------->8---
>> exit status: 133
>> Program terminated with signal 5, Trace/breakpoint trap.
>>
>> $ doas -u _pbuild gdb fuzz/wget_html_fuzzer fuzz/wget_html*.core
>> GNU gdb 6.3
>> Core was generated by `wget_html_fuzzer'.
>> Program terminated with signal 5, Trace/breakpoint trap.
>> Reading symbols from /usr/lib/libpthread.so.26.1...done.
>> ...
>> #0 0x00000552f4f68375 in exit ()
>> from
>> /mnt/playground/ports/pobj/wget-1.20.1/wget-1.20.1/fuzz/wget_html_fuzzer
>> (gdb) bt
>> #0 0x00000552f4f68375 in exit ()
>> from
>> /mnt/playground/ports/pobj/wget-1.20.1/wget-1.20.1/fuzz/wget_html_fuzzer
>> #1 0x00000552f4f68133 in ___start ()
>> from
>> /mnt/playground/ports/pobj/wget-1.20.1/wget-1.20.1/fuzz/wget_html_fuzzer
>> #2 0x0000000000000000 in ?? ()
>> --8<---------------cut here---------------end--------------->8---
>>
>> wget_cookie_fuzzer.c
>> --8<---------------cut here---------------start------------->8---
>>
>> Trace/BPT trap
>> exit status: 133
>> Program terminated with signal 5, Trace/breakpoint trap
>>
>> $ doas -u _pbuild gdb fuzz/wget_cookie_fuzzer fuzz/wget_cookie*.core
>> GNU gdb 6.3
>> ...
>> Core was generated by `wget_cookie_fuzz'.
>> Program terminated with signal 5, Trace/breakpoint trap.
>> Reading symbols from /usr/lib/libpthread.so.26.1...done.
>> ...
>> #0 0x00000c4a97be1385 in exit ()
>> from
>> /mnt/playground/ports/pobj/wget-1.20.1/wget-1.20.1/fuzz/wget_cookie_fuzzer
>> (gdb) bt
>> #0 0x00000c4a97be1385 in exit ()
>> from
>> /mnt/playground/ports/pobj/wget-1.20.1/wget-1.20.1/fuzz/wget_cookie_fuzzer
>> #1 0x00000c4a97be1133 in ___start ()
>> from
>> /mnt/playground/ports/pobj/wget-1.20.1/wget-1.20.1/fuzz/wget_cookie_fuzzer
>> #2 0x0000000000000000 in ?? ()
>> --8<---------------cut here---------------end--------------->8---
>>
>> patch-fuzz_Makefile_am
>> --8<---------------cut here---------------start------------->8---
>> $OpenBSD$
>>
>> Index: fuzz/Makefile.am
>> --- fuzz/Makefile.am.orig
>> +++ fuzz/Makefile.am
>> @@ -5,8 +5,7 @@ LDADD = ../lib/libgnu.a \
>> $(GETADDRINFO_LIB) $(HOSTENT_LIB) $(INET_NTOP_LIB) $(INET_PTON_LIB) \
>> $(LIBSOCKET) $(LIB_CLOCK_GETTIME) $(LIB_CRYPTO) $(LIB_GETLOGIN)
>> $(LIB_NANOSLEEP) $(LIB_POLL) \
>> $(LIB_POSIX_SPAWN) $(LIB_PTHREAD_SIGMASK) $(LIB_SELECT) $(LIBICONV)
>> $(LIBINTL) \
>> - $(LIBMULTITHREAD) $(LIBTHREAD) $(SERVENT_LIB) @INTL_MACOSX_LIBS@ \
>> - -ldl
>> + $(LIBMULTITHREAD) $(LIBTHREAD) $(SERVENT_LIB) @INTL_MACOSX_LIBS@
>>
>> WGET_TESTS = \
>> wget_css_fuzzer$(EXEEXT) \
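Review bot: dropping `-ldl` from LDADD unconditionally fixes the OpenBSD link but also removes it on every platform where dlopen() lives in libdl rather than libc, so this hunk trades one link failure for another. Replace the literal `-ldl` with a configure-substituted variable (or wrap it in an Automake conditional) so the OpenBSD case is handled without regressing the others.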
>> --8<---------------cut here---------------end--------------->8---
>>
>> patch-fuzz_wget_cookie_fuzzer_c
>> --8<---------------cut here---------------start------------->8---
>> $OpenBSD$
>>
>> Index: fuzz/wget_cookie_fuzzer.c
>> --- fuzz/wget_cookie_fuzzer.c.orig
>> +++ fuzz/wget_cookie_fuzzer.c
>> @@ -25,6 +25,8 @@
>> #include <stdio.h> // fmemopen
>> #include <string.h> // strncmp
>> #include <stdlib.h> // free
>> +#include <fcntl.h> // open
>> +#include <unistd.h> // close, dup, dup2
>>
>> #include "wget.h"
>> #undef fopen_wgetrc
>> @@ -68,7 +70,7 @@ void exit(int status)
>>
>> int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
>> {
>> - FILE *bak;
>> + int bak, fd;
>> struct cookie_jar *cookie_jar;
>> char *set_cookie;
>>
>> @@ -79,8 +81,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t
>> memcpy(set_cookie, data, size);
>> set_cookie[size] = 0;
>>
>> - bak = stderr;
>> - stderr = fopen("/dev/null", "w");
>> + bak = dup(STDERR_FILENO);
>> + fd = open("/dev/null", O_WRONLY);
>> + dup2(fd, STDERR_FILENO);
>>
>> cookie_jar = cookie_jar_new();
>> cookie_handle_set_cookie(cookie_jar, "x", 81, "p", set_cookie);
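Review bot: the descriptor returned by `open("/dev/null", O_WRONLY)` is never closed after `dup2(fd, STDERR_FILENO)`, so every call to LLVMFuzzerTestOneInput leaks one descriptor and a long fuzz run eventually fails with EMFILE; add `close(fd);` directly after the dup2. The return values of dup(), open() and dup2() are also unchecked: if open() fails, `dup2(-1, STDERR_FILENO)` just fails with EBADF and the real stderr keeps receiving the parser's output, so at least bail out (or skip the redirect) when any of them returns -1.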
>> @@ -88,8 +91,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t
>> cookie_handle_set_cookie(cookie_jar, "x", 80, "p/d/", set_cookie);
>> cookie_jar_delete(cookie_jar);
>>
>> - fclose(stderr);
>> - stderr = bak;
>> + dup2(bak, STDERR_FILENO);
>> + close(bak);
>>
>> free(set_cookie);
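Review bot: `dup2(bak, STDERR_FILENO)` is unchecked here; if the earlier dup() failed and `bak` is -1, this call fails with EBADF, `close(-1)` fails too, and stderr stays pointed at /dev/null for every later input. Guard the restore with `if (bak >= 0)` so the harness never silently loses its diagnostics.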
>> --8<---------------cut here---------------end--------------->8---
>>
>> patch-lib_Makefile_am
>> --8<---------------cut here---------------start------------->8---
>> $OpenBSD$
>>
>> Index: lib/Makefile.am
>> --- lib/Makefile.am.orig
>> +++ lib/Makefile.am
>> @@ -3114,17 +3114,13 @@ EXTRA_DIST += unicase/cased.h unicase/caseprop.h
>> unict
>>
>> ## begin gnulib module unicase/empty-prefix-context
>>
>> -if LIBUNISTRING_COMPILE_UNICASE_EMPTY_PREFIX_CONTEXT
>> libgnu_a_SOURCES += unicase/empty-prefix-context.c
>> -endif
>>
>> ## end gnulib module unicase/empty-prefix-context
>>
>> ## begin gnulib module unicase/empty-suffix-context
>>
>> -if LIBUNISTRING_COMPILE_UNICASE_EMPTY_SUFFIX_CONTEXT
>> libgnu_a_SOURCES += unicase/empty-suffix-context.c
>> -endif
>>
>> ## end gnulib module unicase/empty-suffix-context
>>
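Review bot: deleting the `if LIBUNISTRING_COMPILE_UNICASE_*` / `endif` guards compiles these unicase sources into libgnu unconditionally, which is the wrong layer for the fix: those conditionals are meant to be false only when configure decided the functions come from an installed libunistring, so forcing the objects in risks duplicate symbols against that library on systems that have it. The "unknown symbols" in the fuzzers more likely mean the fuzz link line is missing the libunistring library that configure detected; fix that (or the configure check) rather than editing generated gnulib Makefile fragments. The same applies to the remaining hunks in this file.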
>> @@ -3447,9 +3443,7 @@ EXTRA_DIST += unistr.in.h
>>
>> ## begin gnulib module unistr/u8-cpy
>>
>> -if LIBUNISTRING_COMPILE_UNISTR_U8_CPY
>> libgnu_a_SOURCES += unistr/u8-cpy.c
>> -endif
>>
>> EXTRA_DIST += unistr/u-cpy.h
>>
>> @@ -3457,9 +3451,7 @@ EXTRA_DIST += unistr/u-cpy.h
>>
>> ## begin gnulib module unistr/u8-mbtouc-unsafe
>>
>> -if LIBUNISTRING_COMPILE_UNISTR_U8_MBTOUC_UNSAFE
>> libgnu_a_SOURCES += unistr/u8-mbtouc-unsafe.c unistr/u8-mbtouc-unsafe-aux.c
>> -endif
>>
>> ## end gnulib module unistr/u8-mbtouc-unsafe
>>
>> @@ -3473,9 +3465,7 @@ endif
>>
>> ## begin gnulib module unistr/u8-uctomb
>>
>> -if LIBUNISTRING_COMPILE_UNISTR_U8_UCTOMB
>> libgnu_a_SOURCES += unistr/u8-uctomb.c unistr/u8-uctomb-aux.c
>> -endif
>>
>> ## end gnulib module unistr/u8-uctomb
>> --8<---------------cut here---------------end--------------->8---
>>
>
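Tim's dup/dup2/close sequence for silencing stderr, written out with error handling plus a descriptor count that would catch a missing close, as an added example that is not part of this thread or of wget's fuzz/ harnesses (the function names are the example's own):

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
/* Redirect stderr to /dev/null for one fuzz iteration; returns the saved original stderr fd, or -1 with errno set. */
int silence_stderr(void)
{
    int bak = dup(STDERR_FILENO);
    if (bak < 0) return -1;
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0 || dup2(fd, STDERR_FILENO) < 0) {
        int saved = errno;
        if (fd >= 0) close(fd);
        close(bak);
        errno = saved;
        return -1;
    }
    close(fd);  /* STDERR_FILENO now refers to /dev/null; keeping fd leaks it every call */
    return bak;
}

/* Put the original stderr back and release the saved copy. */
int restore_stderr(int bak)
{
    if (bak < 0) return -1;
    int rc = dup2(bak, STDERR_FILENO);
    close(bak);
    return rc < 0 ? -1 : 0;
}

/* Number of open descriptors below 1024 (F_GETFD fails with EBADF on a closed one). */
int open_fd_count(void)
{
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

/* Run the silence/restore pair n times (one per fuzz input) and return how many descriptors leaked. */
int leaked_fds_after(int n)
{
    int before = open_fd_count();
    for (int i = 0; i < n; i++) {
        int bak = silence_stderr();
        if (bak < 0) return -1;
        if (restore_stderr(bak) < 0) return -1;
    }
    return open_fd_count() - before;
}
```

Removing the `close(fd)` line reproduces the defect Tim points out: `leaked_fds_after(n)` then returns n instead of 0, one leaked /dev/null descriptor per input.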