Skip to content

Fuzzing of encoding/decoding functions #2520

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Jakuje merged 12 commits into from
Apr 12, 2022
Merged

Fuzzing of encoding/decoding functions #2520

Jakuje merged 12 commits into from
Apr 12, 2022

Conversation

@xhanulik
Copy link
Member

@xhanulik xhanulik commented Mar 9, 2022

This PR adds fuzzers for encoding functions for PKCS#15 objects and generic sc_*() functions.

  • fuzz_pkcs15_encode iterates over objects on p15card and calls corresponding sc_pkcs15_encode_*_entry().
  • fuzz_card calls some functions from libopensc/sec.c and libopensc/card.c that are not covered according to OSS-Fuzz coverage reports.

Also, there are some changes in the fuzz_pkcs15_decode. The setting of algorithms for the sc_pkcs15_decode_pubkey() in a cycle extends testing to other algorithms besides RSA. Some of the sc_pkcs15_decode_*_entry() internally use p15card->app - these paths were not covered, since p15card was not initialized via sc_pkcs15_bind(). That is fixed with the usage of the reader from fuzz_pkcs15_reader.

After local run, fuzz_card encounter asserts in muscle.c - these are exchanged for explicit checking the arguments.

Checklist
  • New files have a LGPL 2.1 license statement

Jakuje
Jakuje reviewed Mar 9, 2022
View reviewed changes
@xhanulik xhanulik force-pushed the fuzzer branch 4 times, most recently from 76464ed to ad9cec5 Compare March 11, 2022 20:42
Jakuje
Jakuje reviewed Mar 15, 2022
View reviewed changes
@Jakuje
Copy link
Member

Jakuje commented Mar 21, 2022

@frankmorgner can you check this PR if there is something you would like to do differently before I will merge it (after resolving the conflict indeed)?

xhanulik added 2 commits March 21, 2022 10:39
@xhanulik
Add more algos for pubkey decode in fuzz_pkcs15_decode
fb6fa0b 
`sc_pkcs15_decode_pubkey()` uses `key->algorithm` to decide next steps.
@xhanulik
Add reader into fuzz_pkcs15_decode
688e4a5 
Binding with p15card can lead to new paths
in code during fuzzing (decode functions use p15card->app).
Each decoding function gets its own data buffer - data generation
 adapts to each function.
frankmorgner
frankmorgner requested changes Mar 21, 2022
View reviewed changes
Copy link
Member

@frankmorgner frankmorgner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the ideas for integrating the encoding/decoding functions with the fuzzing input, good job!

Some minor things could be improved, though - please see the inline comments.

@xhanulik
fuzz_pkcs15_decode: Use one buffer to all tested operations
65fda2b 
Fuzz target uses the first two bytes of fuzzing input as the length
for a buffer that is supplied to the tested function.
The rest is set as data for the reader.
@xhanulik
Copy link
Member Author

xhanulik commented Mar 22, 2022

With the change mentioned in #2520 (comment), the structure of fuzzing input has changed. I will create and add some suitable corpus for fuzz_pkcs15_decode (at least some that can cover connecting of the card) as soon as possible.

@Jakuje Jakuje requested a review from frankmorgner March 29, 2022 11:50
@Jakuje
Copy link
Member

Jakuje commented Apr 5, 2022

I like the ideas for integrating the encoding/decoding functions with the fuzzing input, good job!

Some minor things could be improved, though - please see the inline comments.

@frankmorgner can you check this PR if there is something to fix from your point of view or are we ready to merge this?

@Jakuje Jakuje merged commit b35993d into OpenSC:master Apr 12, 2022
@xhanulik xhanulik mentioned this pull request Jul 12, 2022
Closed
@xhanulik xhanulik deleted the fuzzer branch August 10, 2022 15:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jakuje Jakuje Jakuje approved these changes

@frankmorgner frankmorgner Awaiting requested review from frankmorgner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@xhanulik @Jakuje @frankmorgner