Skip to content

Fuzzer for configuration file #2417

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Jakuje merged 11 commits into from
Nov 3, 2021
Merged

Fuzzer for configuration file #2417

Jakuje merged 11 commits into from
Nov 3, 2021

Conversation

@xhanulik
Copy link
Member

@xhanulik xhanulik commented Oct 6, 2021

This PR adds simple fuzzer with basic corpus for parsing configuration file using function scconf_parse_string().
When no --enable-fuzzing option, fuzzers are built with fuzzer.c as simple programs which take file as source for buffer, that is then passed to LLVMFuzzerTestOneInput(). stdout in fuzzers will be closed, when fuzzing is enabled.

Fixes #2402

Checklist
  • New files have a LGPL 2.1 license statement

Jakuje
Jakuje approved these changes Oct 20, 2021
View reviewed changes
@Jakuje
Copy link
Member

Jakuje commented Oct 20, 2021

@frankmorgner what do you think?

frankmorgner
frankmorgner reviewed Oct 25, 2021
View reviewed changes
xhanulik added 10 commits November 2, 2021 14:33
@xhanulik
fuzzing: Build test programs for fuzz targets when fuzzing is not ena…
030b28f 
…bled

For testing purposes, fuzzers take files as input which feed
LLVMFuzzerTestOneInput function.
@xhanulik
fuzzing: Define FUZZING_ENABLED for closing stdout while fuzzing
acdccff 
In case that called function print out some data
@xhanulik
fuzz_pkcs15_reader.c: Fix type
4449d1b
@xhanulik
fuzzing: Add fuzzer for scconf_parse_string function
06ad3ab
@xhanulik
fuzzing: Add corpus for fuzz_scconf_parse_string.c
4b6330e
@xhanulik
fuzzing: Fix flags for enabling fuzzing
0731c7b
@xhanulik
fuzz_scconf_parse_string: Fix buffer ending and max input size
e92efb4
@xhanulik
scconf: Fix check for buffer size
7feefa8 
buf_addch() store values on bp->bufcur and bp->bufcur + 1
but check size of the buffer only for bp->bufcur.
@xhanulik
scconf: Avoid adding list into non-list item
dc7b1f6 
Issue found by calling scconf_string_parse()
with "name =\n\n\nvalue,value;" as an input string.

scconf_parse_token() interprets more newline characters as item
with type SCCONF_ITEM_TYPE_COMMENT. After that when parsing
TOKEN_TYPE_STRING, if parser->state is STATE_VALUE,
scconf_list_add() adds list into that item.
During freeing scconf_context structure, above described
item is freed as SCCONF_ITEM_TYPE_COMMENT and created list
causes memory leak.
To fix this, scconf_parse_token() checks type of item before
adding into list.

When parsing is done, scconf_parse_reset_state() frees values
in parser->name and parser->key.
@xhanulik
fuzzing: fix description of fuzzer.c file
44f220d
@frankmorgner
Copy link
Member

frankmorgner commented Nov 3, 2021

looks good, thank you

@Jakuje Jakuje merged commit 9f4eae6 into OpenSC:master Nov 3, 2021
@xhanulik xhanulik deleted the config_fuzz branch January 19, 2022 20:40
@xhanulik xhanulik mentioned this pull request Jul 12, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@frankmorgner frankmorgner frankmorgner approved these changes

@Jakuje Jakuje Jakuje approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Idea: Fuzzer for configuration file

3 participants

@xhanulik @Jakuje @frankmorgner