lib/libssh
1
0
Fork 0
mirror of https://git.libssh.org/projects/libssh.git synced 2025-12-08 03:42:12 +03:00
Code Activity

tests: Rewrite all fuzzers to LLVMFuzzerInitialize and nalloc

Browse Source 
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Jakub Jelen
2025-08-12 11:30:54 +02:00
parent 59a502ede6
commit a3c5d3b256
10 changed files with 252 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
tests/fuzz/CMakeLists.txt
View File

@@ -10,6 +10,9 @@ macro(fuzzer name)
LINK_FLAGS "-fsanitize=fuzzer") LINK_FLAGS "-fsanitize=fuzzer")
# Run the fuzzer to make sure it works # Run the fuzzer to make sure it works
add_test(${name} ${CMAKE_CURRENT_BINARY_DIR}/${name} -runs=1) add_test(${name} ${CMAKE_CURRENT_BINARY_DIR}/${name} -runs=1)
# Run the fuzzer with nalloc to make sure it works
add_test(${name}_nalloc ${CMAKE_CURRENT_BINARY_DIR}/${name} -runs=1)
set_property(TEST ${name}_nalloc PROPERTY ENVIRONMENT NALLOC_FREQ 32)
else() else()
target_sources(${name} PRIVATE fuzzer.c) target_sources(${name} PRIVATE fuzzer.c)
# Run the fuzzer to make sure it works # Run the fuzzer to make sure it works

2
tests/fuzz/nallocinc.c
View File

@@ -157,7 +157,7 @@ static int nalloc_start(const uint8_t *data, size_t size)
} }
} else if (nalloc_bitmask == 0) { } else if (nalloc_bitmask == 0) {
// nalloc disabled // nalloc disabled
return 0; return 2;
} }
nalloc_random_state = 0; nalloc_random_state = 0;
for (size_t i = 0; i < size; i++) { for (size_t i = 0; i < size; i++) {

29
tests/fuzz/ssh_bind_config_fuzzer.c
View File

@@ -24,6 +24,26 @@
#include "libssh/server.h" #include "libssh/server.h"
#include "libssh/bind_config.h" #include "libssh/bind_config.h"
#include "nallocinc.c"
static void _fuzz_finalize(void)
{
ssh_finalize();
}
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
(void)argc;
nalloc_init(*argv[0]);
ssh_init();
atexit(_fuzz_finalize);
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{ {
ssh_bind bind = NULL; ssh_bind bind = NULL;
@@ -36,17 +56,20 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
strncpy(input, (const char *)data, size); strncpy(input, (const char *)data, size);
input[size] = '\0'; input[size] = '\0';
ssh_init(); assert(nalloc_start(data, size) > 0);
bind = ssh_bind_new(); bind = ssh_bind_new();
assert(bind != NULL); if (bind == NULL) {
goto out;
}
ssh_bind_config_parse_string(bind, input); ssh_bind_config_parse_string(bind, input);
ssh_bind_free(bind); ssh_bind_free(bind);
ssh_finalize();
out:
free(input); free(input);
nalloc_end();
return 0; return 0;
} }

29
tests/fuzz/ssh_client_config_fuzzer.c
View File

@@ -23,6 +23,26 @@
#include "libssh/libssh.h" #include "libssh/libssh.h"
#include "libssh/options.h" #include "libssh/options.h"
#include "nallocinc.c"
static void _fuzz_finalize(void)
{
ssh_finalize();
}
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
(void)argc;
nalloc_init(*argv[0]);
ssh_init();
atexit(_fuzz_finalize);
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{ {
ssh_session session = NULL; ssh_session session = NULL;
@@ -35,10 +55,12 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
strncpy(input, (const char *)data, size); strncpy(input, (const char *)data, size);
input[size] = '\0'; input[size] = '\0';
ssh_init(); assert(nalloc_start(data, size) > 0);
session = ssh_new(); session = ssh_new();
assert(session != NULL); if (session == NULL) {
goto out;
}
/* Make sure we have default options set */ /* Make sure we have default options set */
ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL); ssh_options_set(session, SSH_OPTIONS_SSH_DIR, NULL);
@@ -47,9 +69,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
ssh_config_parse_string(session, input); ssh_config_parse_string(session, input);
ssh_free(session); ssh_free(session);
ssh_finalize();
out:
free(input); free(input);
nalloc_end();
return 0; return 0;
} }

70
tests/fuzz/ssh_client_fuzzer.c
View File

@@ -26,6 +26,24 @@
#include "nallocinc.c" #include "nallocinc.c"
static void _fuzz_finalize(void)
{
ssh_finalize();
}
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
(void)argc;
nalloc_init(*argv[0]);
ssh_init();
atexit(_fuzz_finalize);
return 0;
}
static int auth_callback(const char *prompt, static int auth_callback(const char *prompt,
char *buf, char *buf,
size_t len, size_t len,
@@ -86,13 +104,6 @@ static void select_loop(ssh_session session, ssh_channel channel)
ssh_event_free(event); ssh_event_free(event);
} }
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
(void)argc;
nalloc_init(*argv[0]);
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{ {
ssh_session session = NULL; ssh_session session = NULL;
@@ -122,35 +133,54 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
rc = shutdown(socket_fds[1], SHUT_WR); rc = shutdown(socket_fds[1], SHUT_WR);
assert(rc == 0); assert(rc == 0);
ssh_init(); assert(nalloc_start(data, size) > 0);
session = ssh_new(); session = ssh_new();
assert(session != NULL); if (session == NULL) {
goto out;
}
env = getenv("LIBSSH_VERBOSITY"); env = getenv("LIBSSH_VERBOSITY");
if (env != NULL && strlen(env) > 0) { if (env != NULL && strlen(env) > 0) {
ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY_STR, env); ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY_STR, env);
} }
rc = ssh_options_set(session, SSH_OPTIONS_FD, &socket_fds[0]); rc = ssh_options_set(session, SSH_OPTIONS_FD, &socket_fds[0]);
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_options_set(session, SSH_OPTIONS_HOST, "127.0.0.1"); rc = ssh_options_set(session, SSH_OPTIONS_HOST, "127.0.0.1");
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_options_set(session, SSH_OPTIONS_USER, "alice"); rc = ssh_options_set(session, SSH_OPTIONS_USER, "alice");
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, "none"); rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_C_S, "none");
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_S_C, "none"); rc = ssh_options_set(session, SSH_OPTIONS_CIPHERS_S_C, "none");
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_options_set(session, SSH_OPTIONS_HMAC_C_S, "none"); rc = ssh_options_set(session, SSH_OPTIONS_HMAC_C_S, "none");
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_options_set(session, SSH_OPTIONS_HMAC_S_C, "none"); rc = ssh_options_set(session, SSH_OPTIONS_HMAC_S_C, "none");
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &no); rc = ssh_options_set(session, SSH_OPTIONS_PROCESS_CONFIG, &no);
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_options_set(session, SSH_OPTIONS_TIMEOUT, &timeout); rc = ssh_options_set(session, SSH_OPTIONS_TIMEOUT, &timeout);
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
nalloc_start(data, size);
ssh_callbacks_init(&cb); ssh_callbacks_init(&cb);
ssh_set_callbacks(session, &cb); ssh_set_callbacks(session, &cb);
@@ -186,8 +216,6 @@ out:
ssh_disconnect(session); ssh_disconnect(session);
ssh_free(session); ssh_free(session);
ssh_finalize();
close(socket_fds[0]); close(socket_fds[0]);
close(socket_fds[1]); close(socket_fds[1]);

23
tests/fuzz/ssh_known_hosts_fuzzer.c
View File

@@ -23,6 +23,26 @@
#include "libssh/libssh.h" #include "libssh/libssh.h"
#include "knownhosts.c" #include "knownhosts.c"
#include "nallocinc.c"
static void _fuzz_finalize(void)
{
ssh_finalize();
}
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
(void)argc;
nalloc_init(*argv[0]);
ssh_init();
atexit(_fuzz_finalize);
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{ {
char *hostname = NULL; char *hostname = NULL;
@@ -59,7 +79,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
fwrite(data + hostname_len, size - hostname_len, 1, fp); fwrite(data + hostname_len, size - hostname_len, 1, fp);
fclose(fp); fclose(fp);
ssh_init(); assert(nalloc_start(data, size) > 0);
ssh_known_hosts_read_entries(hostname, filename, &entries); ssh_known_hosts_read_entries(hostname, filename, &entries);
for (it = ssh_list_get_iterator(entries); for (it = ssh_list_get_iterator(entries);
@@ -78,5 +98,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
free(hostname); free(hostname);
unlink(filename); unlink(filename);
nalloc_end();
return 0; return 0;
} }

32
tests/fuzz/ssh_privkey_fuzzer.c
View File

@@ -25,28 +25,48 @@
#include "libssh/libssh.h" #include "libssh/libssh.h"
#include "libssh/priv.h" #include "libssh/priv.h"
#include "nallocinc.c"
static void _fuzz_finalize(void)
{
ssh_finalize();
}
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
(void)argc;
nalloc_init(*argv[0]);
ssh_init();
atexit(_fuzz_finalize);
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{ {
ssh_key pkey = NULL; ssh_key pkey = NULL;
uint8_t *input = NULL; uint8_t *input = NULL;
int rc; int rc;
assert(nalloc_start(data, size) > 0);
input = bin_to_base64(data, size); input = bin_to_base64(data, size);
if (input == NULL) { if (input == NULL) {
return 1; goto out;
} }
ssh_init();
rc = ssh_pki_import_privkey_base64((char *)input, NULL, NULL, NULL, &pkey); rc = ssh_pki_import_privkey_base64((char *)input, NULL, NULL, NULL, &pkey);
free(input); free(input);
if (rc != SSH_OK) { if (rc != SSH_OK) {
return 1; goto out;
} }
ssh_key_free(pkey); ssh_key_free(pkey);
ssh_finalize(); out:
nalloc_end();
return 0; return 0;
} }

35
tests/fuzz/ssh_pubkey_fuzzer.c
View File

@@ -15,6 +15,7 @@
*/ */
#include "config.h" #include "config.h"
#include <assert.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
@@ -23,6 +24,26 @@
#include "libssh/libssh.h" #include "libssh/libssh.h"
#include "libssh/misc.h" #include "libssh/misc.h"
#include "nallocinc.c"
static void _fuzz_finalize(void)
{
ssh_finalize();
}
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
(void)argc;
nalloc_init(*argv[0]);
ssh_init();
atexit(_fuzz_finalize);
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{ {
ssh_key pkey = NULL; ssh_key pkey = NULL;
@@ -31,8 +52,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
int rc; int rc;
ssize_t sz; ssize_t sz;
ssh_init();
filename = strdup("/tmp/libssh_pubkey_XXXXXX"); filename = strdup("/tmp/libssh_pubkey_XXXXXX");
if (filename == NULL) { if (filename == NULL) {
return -1; return -1;
@@ -51,18 +70,18 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
return -1; return -1;
} }
assert(nalloc_start(data, size) > 0);
rc = ssh_pki_import_pubkey_file(filename, &pkey); rc = ssh_pki_import_pubkey_file(filename, &pkey);
if (rc != SSH_OK) { if (rc != SSH_OK) {
unlink(filename); goto out;
free(filename);
return 1;
} }
ssh_key_free(pkey); ssh_key_free(pkey);
out:
unlink(filename); unlink(filename);
free(filename); free(filename);
nalloc_end();
ssh_finalize();
return 0; return 0;
} }

84
tests/fuzz/ssh_server_fuzzer.c
View File

@@ -70,6 +70,24 @@ struct session_data_struct {
bool authenticated; bool authenticated;
}; };
static void _fuzz_finalize(void)
{
ssh_finalize();
}
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
(void)argc;
nalloc_init(*argv[0]);
ssh_init();
atexit(_fuzz_finalize);
return 0;
}
static int auth_none(ssh_session session, const char *user, void *userdata) static int auth_none(ssh_session session, const char *user, void *userdata)
{ {
struct session_data_struct *sdata = struct session_data_struct *sdata =
@@ -120,13 +138,6 @@ static int write_rsa_hostkey(const char *rsakey_path)
return 0; return 0;
} }
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
(void)argc;
nalloc_init(*argv[0]);
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{ {
int socket_fds[2] = {-1, -1}; int socket_fds[2] = {-1, -1};
@@ -134,6 +145,9 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
bool no = false; bool no = false;
const char *env = NULL; const char *env = NULL;
int rc; int rc;
ssh_bind sshbind = NULL;
ssh_session session = NULL;
ssh_event event = NULL;
/* Our struct holding information about the session. */ /* Our struct holding information about the session. */
struct session_data_struct sdata = { struct session_data_struct sdata = {
@@ -170,35 +184,54 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
rc = shutdown(socket_fds[1], SHUT_WR); rc = shutdown(socket_fds[1], SHUT_WR);
assert(rc == 0); assert(rc == 0);
assert(nalloc_start(data, size) > 0);
/* Set up the libssh server */ /* Set up the libssh server */
ssh_bind sshbind = ssh_bind_new(); sshbind = ssh_bind_new();
assert(sshbind != NULL); if (sshbind == NULL) {
goto out;
ssh_session session = ssh_new(); }
assert(session != NULL);
session = ssh_new();
if (session == NULL) {
goto out;
}
env = getenv("LIBSSH_VERBOSITY"); env = getenv("LIBSSH_VERBOSITY");
if (env != NULL && strlen(env) > 0) { if (env != NULL && strlen(env) > 0) {
rc = ssh_bind_options_set(sshbind, rc = ssh_bind_options_set(sshbind,
SSH_BIND_OPTIONS_LOG_VERBOSITY_STR, SSH_BIND_OPTIONS_LOG_VERBOSITY_STR,
env); env);
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
} }
rc = ssh_bind_options_set(sshbind, rc = ssh_bind_options_set(sshbind,
SSH_BIND_OPTIONS_HOSTKEY, SSH_BIND_OPTIONS_HOSTKEY,
"/tmp/libssh_fuzzer_private_key"); "/tmp/libssh_fuzzer_private_key");
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_CIPHERS_C_S, "none"); rc = ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_CIPHERS_C_S, "none");
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_CIPHERS_S_C, "none"); rc = ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_CIPHERS_S_C, "none");
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HMAC_C_S, "none"); rc = ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HMAC_C_S, "none");
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HMAC_S_C, "none"); rc = ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_HMAC_S_C, "none");
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
rc = ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_PROCESS_CONFIG, &no); rc = ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_PROCESS_CONFIG, &no);
assert(rc == 0); if (rc != SSH_OK) {
goto out;
}
ssh_set_auth_methods(session, SSH_AUTH_METHOD_NONE); ssh_set_auth_methods(session, SSH_AUTH_METHOD_NONE);
@@ -206,12 +239,15 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
ssh_set_server_callbacks(session, &server_cb); ssh_set_server_callbacks(session, &server_cb);
rc = ssh_bind_accept_fd(sshbind, session, socket_fds[0]); rc = ssh_bind_accept_fd(sshbind, session, socket_fds[0]);
assert(rc == SSH_OK); if (rc != SSH_OK) {
goto out;
}
ssh_event event = ssh_event_new(); event = ssh_event_new();
assert(event != NULL); if (event == NULL) {
goto out;
}
nalloc_start(data, size);
if (ssh_handle_key_exchange(session) == SSH_OK) { if (ssh_handle_key_exchange(session) == SSH_OK) {
ssh_event_add_session(event, session); ssh_event_add_session(event, session);
@@ -228,6 +264,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
n++; n++;
} }
} }
out:
nalloc_end(); nalloc_end();
ssh_event_free(event); ssh_event_free(event);

14
tests/fuzz/ssh_sshsig_fuzzer.c
View File

@@ -14,6 +14,7 @@
* limitations under the License. * limitations under the License.
*/ */
#include <assert.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
@@ -21,6 +22,8 @@
#define LIBSSH_STATIC 1 #define LIBSSH_STATIC 1
#include "libssh/libssh.h" #include "libssh/libssh.h"
#include "nallocinc.c"
static void _fuzz_finalize(void) static void _fuzz_finalize(void)
{ {
ssh_finalize(); ssh_finalize();
@@ -29,7 +32,8 @@ static void _fuzz_finalize(void)
int LLVMFuzzerInitialize(int *argc, char ***argv) int LLVMFuzzerInitialize(int *argc, char ***argv)
{ {
(void)argc; (void)argc;
(void)argv;
nalloc_init(*argv[0]);
ssh_init(); ssh_init();
@@ -46,9 +50,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
char *signature = NULL; char *signature = NULL;
int rc; int rc;
assert(nalloc_start(data, size) > 0);
signature = (char *)malloc(size + 1); signature = (char *)malloc(size + 1);
if (signature == NULL) { if (signature == NULL) {
return 1; goto out;
} }
strncpy(signature, (const char *)data, size); strncpy(signature, (const char *)data, size);
signature[size] = '\0'; signature[size] = '\0';
@@ -56,9 +62,11 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
rc = sshsig_verify(input, sizeof(input), signature, namespace, &pkey); rc = sshsig_verify(input, sizeof(input), signature, namespace, &pkey);
free(signature); free(signature);
if (rc != SSH_OK) { if (rc != SSH_OK) {
return 1; goto out;
} }
ssh_key_free(pkey); ssh_key_free(pkey);
out:
nalloc_end();
return 0; return 0;
} }