Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 1 | // Copyright 2019 The Pigweed Authors |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); you may not |
| 4 | // use this file except in compliance with the License. You may obtain a copy of |
| 5 | // the License at |
| 6 | // |
| 7 | // https://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 11 | // WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 12 | // License for the specific language governing permissions and limitations under |
| 13 | // the License. |
| 14 | |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 15 | #include <cstddef> |
| 16 | #include <cstdint> |
| 17 | #include <cstring> |
Wyatt Hepler | e2cbadf | 2020-06-22 11:21:45 -0700 | [diff] [blame] | 18 | #include <span> |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 19 | #include <vector> |
| 20 | |
Wyatt Hepler | b93749b | 2021-05-11 09:38:22 -0700 | [diff] [blame] | 21 | #include "pw_fuzzer/asan_interface.h" |
| 22 | #include "pw_fuzzer/fuzzed_data_provider.h" |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 23 | #include "pw_protobuf/encoder.h" |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 24 | |
| 25 | namespace { |
| 26 | |
| 27 | // Encodable values. The fuzzer will iteratively choose different field types to |
| 28 | // generate and encode. |
| 29 | enum FieldType : uint8_t { |
| 30 | kEncodeAndClear = 0, |
| 31 | kUint32, |
| 32 | kPackedUint32, |
| 33 | kUint64, |
| 34 | kPackedUint64, |
| 35 | kInt32, |
| 36 | kPackedInt32, |
| 37 | kInt64, |
| 38 | kPackedInt64, |
| 39 | kSint32, |
| 40 | kPackedSint32, |
| 41 | kSint64, |
| 42 | kPackedSint64, |
| 43 | kBool, |
| 44 | kFixed32, |
| 45 | kPackedFixed32, |
| 46 | kFixed64, |
| 47 | kPackedFixed64, |
| 48 | kSfixed32, |
| 49 | kPackedSfixed32, |
| 50 | kSfixed64, |
| 51 | kPackedSfixed64, |
| 52 | kFloat, |
| 53 | kPackedFloat, |
| 54 | kDouble, |
| 55 | kPackedDouble, |
| 56 | kBytes, |
| 57 | kString, |
| 58 | kPush, |
| 59 | kPop, |
| 60 | kMaxValue = kPop, |
| 61 | }; |
| 62 | |
| 63 | // TODO(pwbug/181): Move this to pw_fuzzer/fuzzed_data_provider.h |
| 64 | |
| 65 | // Uses the given |provider| to pick and return a number between 0 and the |
| 66 | // maximum numbers of T that can be generated from the remaining input data. |
| 67 | template <typename T> |
| 68 | size_t ConsumeSize(FuzzedDataProvider* provider) { |
| 69 | size_t max = provider->remaining_bytes() / sizeof(T); |
| 70 | return provider->ConsumeIntegralInRange<size_t>(0, max); |
| 71 | } |
| 72 | |
| 73 | // Uses the given |provider| to generate several instances of T, store them in |
Wyatt Hepler | e2cbadf | 2020-06-22 11:21:45 -0700 | [diff] [blame] | 74 | // |data|, and then return a std::span to them. It is the caller's responsbility |
| 75 | // to ensure |data| remains in scope as long as the returned std::span. |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 76 | template <typename T> |
Wyatt Hepler | e2cbadf | 2020-06-22 11:21:45 -0700 | [diff] [blame] | 77 | std::span<const T> ConsumeSpan(FuzzedDataProvider* provider, |
| 78 | std::vector<T>* data) { |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 79 | size_t num = ConsumeSize<T>(provider); |
| 80 | size_t off = data->size(); |
| 81 | data->reserve(off + num); |
| 82 | for (size_t i = 0; i < num; ++i) { |
| 83 | if constexpr (std::is_floating_point<T>::value) { |
| 84 | data->push_back(provider->ConsumeFloatingPoint<T>()); |
| 85 | } else { |
| 86 | data->push_back(provider->ConsumeIntegral<T>()); |
| 87 | } |
| 88 | } |
Wyatt Hepler | e2cbadf | 2020-06-22 11:21:45 -0700 | [diff] [blame] | 89 | return std::span(&((*data)[off]), num); |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 90 | } |
| 91 | |
| 92 | // Uses the given |provider| to generate a string, store it in |data|, and |
| 93 | // return a C-style representation. It is the caller's responsbility to |
| 94 | // ensure |data| remains in scope as long as the returned char*. |
| 95 | const char* ConsumeString(FuzzedDataProvider* provider, |
| 96 | std::vector<std::string>* data) { |
| 97 | size_t off = data->size(); |
Aaron Green | b3ae1dc | 2020-04-13 11:37:05 -0700 | [diff] [blame] | 98 | // OSS-Fuzz's clang doesn't have the zero-parameter version of |
| 99 | // ConsumeRandomLengthString yet. |
| 100 | size_t max_length = std::numeric_limits<size_t>::max(); |
| 101 | data->push_back(provider->ConsumeRandomLengthString(max_length)); |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 102 | return (*data)[off].c_str(); |
| 103 | } |
| 104 | |
| 105 | // Uses the given |provider| to generate non-arithmetic bytes, store them in |
Wyatt Hepler | e2cbadf | 2020-06-22 11:21:45 -0700 | [diff] [blame] | 106 | // |data|, and return a std::span to them. It is the caller's responsbility to |
| 107 | // ensure |data| remains in scope as long as the returned std::span. |
| 108 | std::span<const std::byte> ConsumeBytes(FuzzedDataProvider* provider, |
| 109 | std::vector<std::byte>* data) { |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 110 | size_t num = ConsumeSize<std::byte>(provider); |
| 111 | auto added = provider->ConsumeBytes<std::byte>(num); |
| 112 | size_t off = data->size(); |
| 113 | num = added.size(); |
| 114 | data->insert(data->end(), added.begin(), added.end()); |
Wyatt Hepler | e2cbadf | 2020-06-22 11:21:45 -0700 | [diff] [blame] | 115 | return std::span(&((*data)[off]), num); |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 116 | } |
| 117 | |
| 118 | } // namespace |
| 119 | |
| 120 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { |
| 121 | static std::byte buffer[65536]; |
| 122 | |
| 123 | FuzzedDataProvider provider(data, size); |
| 124 | |
| 125 | // Pick a subset of the buffer that the fuzzer is allowed to use, and poison |
| 126 | // the rest. |
| 127 | size_t unpoisoned_length = |
| 128 | provider.ConsumeIntegralInRange<size_t>(0, sizeof(buffer)); |
Wyatt Hepler | e2cbadf | 2020-06-22 11:21:45 -0700 | [diff] [blame] | 129 | std::span<std::byte> unpoisoned(buffer, unpoisoned_length); |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 130 | void* poisoned = &buffer[unpoisoned_length]; |
| 131 | size_t poisoned_length = sizeof(buffer) - unpoisoned_length; |
| 132 | ASAN_POISON_MEMORY_REGION(poisoned, poisoned_length); |
| 133 | |
| 134 | pw::protobuf::NestedEncoder encoder(unpoisoned); |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 135 | |
| 136 | // Storage for generated spans |
| 137 | std::vector<uint32_t> u32s; |
| 138 | std::vector<uint64_t> u64s; |
| 139 | std::vector<int32_t> s32s; |
| 140 | std::vector<int64_t> s64s; |
| 141 | std::vector<float> floats; |
| 142 | std::vector<double> doubles; |
| 143 | std::vector<std::string> strings; |
| 144 | std::vector<std::byte> bytes; |
| 145 | |
| 146 | // Consume the fuzzing input, using it to generate a sequence of fields to |
| 147 | // encode. Both the uint32_t field IDs and the fields values are generated. |
| 148 | // Don't try to detect errors, ensures pushes and pops are balanced, or |
| 149 | // otherwise hold the interface correctly. Instead, fuzz the widest possbile |
| 150 | // set of inputs to the encoder to ensure it doesn't misbehave. |
| 151 | while (provider.remaining_bytes() != 0) { |
| 152 | switch (provider.ConsumeEnum<FieldType>()) { |
| 153 | case kEncodeAndClear: |
| 154 | // Special "field". Encode all the fields so far and reset the encoder. |
Wyatt Hepler | 86ec882 | 2021-05-21 15:15:24 -0700 | [diff] [blame] | 155 | encoder.Encode().IgnoreError(); |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 156 | encoder.Clear(); |
| 157 | break; |
| 158 | case kUint32: |
| 159 | encoder.WriteUint32(provider.ConsumeIntegral<uint32_t>(), |
| 160 | provider.ConsumeIntegral<uint32_t>()); |
| 161 | break; |
| 162 | case kPackedUint32: |
| 163 | encoder.WritePackedUint32(provider.ConsumeIntegral<uint32_t>(), |
| 164 | ConsumeSpan<uint32_t>(&provider, &u32s)); |
| 165 | break; |
| 166 | case kUint64: |
| 167 | encoder.WriteUint64(provider.ConsumeIntegral<uint32_t>(), |
| 168 | provider.ConsumeIntegral<uint64_t>()); |
| 169 | break; |
| 170 | case kPackedUint64: |
| 171 | encoder.WritePackedUint64(provider.ConsumeIntegral<uint32_t>(), |
| 172 | ConsumeSpan<uint64_t>(&provider, &u64s)); |
| 173 | break; |
| 174 | case kInt32: |
| 175 | encoder.WriteInt32(provider.ConsumeIntegral<uint32_t>(), |
| 176 | provider.ConsumeIntegral<int32_t>()); |
| 177 | break; |
| 178 | case kPackedInt32: |
| 179 | encoder.WritePackedInt32(provider.ConsumeIntegral<uint32_t>(), |
| 180 | ConsumeSpan<int32_t>(&provider, &s32s)); |
| 181 | break; |
| 182 | case kInt64: |
| 183 | encoder.WriteInt64(provider.ConsumeIntegral<uint32_t>(), |
| 184 | provider.ConsumeIntegral<int64_t>()); |
| 185 | break; |
| 186 | case kPackedInt64: |
| 187 | encoder.WritePackedInt64(provider.ConsumeIntegral<uint32_t>(), |
| 188 | ConsumeSpan<int64_t>(&provider, &s64s)); |
| 189 | break; |
| 190 | case kSint32: |
| 191 | encoder.WriteSint32(provider.ConsumeIntegral<uint32_t>(), |
| 192 | provider.ConsumeIntegral<int32_t>()); |
| 193 | break; |
| 194 | case kPackedSint32: |
| 195 | encoder.WritePackedSint32(provider.ConsumeIntegral<uint32_t>(), |
| 196 | ConsumeSpan<int32_t>(&provider, &s32s)); |
| 197 | break; |
| 198 | case kSint64: |
| 199 | encoder.WriteSint64(provider.ConsumeIntegral<uint32_t>(), |
| 200 | provider.ConsumeIntegral<int64_t>()); |
| 201 | break; |
| 202 | case kPackedSint64: |
| 203 | encoder.WritePackedSint64(provider.ConsumeIntegral<uint32_t>(), |
| 204 | ConsumeSpan<int64_t>(&provider, &s64s)); |
| 205 | break; |
| 206 | case kBool: |
| 207 | encoder.WriteBool(provider.ConsumeIntegral<uint32_t>(), |
| 208 | provider.ConsumeBool()); |
| 209 | break; |
| 210 | case kFixed32: |
| 211 | encoder.WriteFixed32(provider.ConsumeIntegral<uint32_t>(), |
| 212 | provider.ConsumeIntegral<uint32_t>()); |
| 213 | break; |
| 214 | case kPackedFixed32: |
| 215 | encoder.WritePackedFixed32(provider.ConsumeIntegral<uint32_t>(), |
| 216 | ConsumeSpan<uint32_t>(&provider, &u32s)); |
| 217 | break; |
| 218 | case kFixed64: |
| 219 | encoder.WriteFixed64(provider.ConsumeIntegral<uint32_t>(), |
| 220 | provider.ConsumeIntegral<uint64_t>()); |
| 221 | break; |
| 222 | case kPackedFixed64: |
| 223 | encoder.WritePackedFixed64(provider.ConsumeIntegral<uint32_t>(), |
| 224 | ConsumeSpan<uint64_t>(&provider, &u64s)); |
| 225 | break; |
| 226 | case kSfixed32: |
| 227 | encoder.WriteSfixed32(provider.ConsumeIntegral<uint32_t>(), |
| 228 | provider.ConsumeIntegral<int32_t>()); |
| 229 | break; |
| 230 | case kPackedSfixed32: |
| 231 | encoder.WritePackedSfixed32(provider.ConsumeIntegral<uint32_t>(), |
| 232 | ConsumeSpan<int32_t>(&provider, &s32s)); |
| 233 | break; |
| 234 | case kSfixed64: |
| 235 | encoder.WriteSfixed64(provider.ConsumeIntegral<uint32_t>(), |
| 236 | provider.ConsumeIntegral<int64_t>()); |
| 237 | break; |
| 238 | case kPackedSfixed64: |
| 239 | encoder.WritePackedSfixed64(provider.ConsumeIntegral<uint32_t>(), |
| 240 | ConsumeSpan<int64_t>(&provider, &s64s)); |
| 241 | break; |
| 242 | case kFloat: |
| 243 | encoder.WriteFloat(provider.ConsumeIntegral<uint32_t>(), |
| 244 | provider.ConsumeFloatingPoint<float>()); |
| 245 | break; |
| 246 | case kPackedFloat: |
| 247 | encoder.WritePackedFloat(provider.ConsumeIntegral<uint32_t>(), |
| 248 | ConsumeSpan<float>(&provider, &floats)); |
| 249 | break; |
| 250 | case kDouble: |
| 251 | encoder.WriteDouble(provider.ConsumeIntegral<uint32_t>(), |
| 252 | provider.ConsumeFloatingPoint<double>()); |
| 253 | break; |
| 254 | case kPackedDouble: |
| 255 | encoder.WritePackedDouble(provider.ConsumeIntegral<uint32_t>(), |
| 256 | ConsumeSpan<double>(&provider, &doubles)); |
| 257 | break; |
| 258 | case kBytes: |
| 259 | encoder.WriteBytes(provider.ConsumeIntegral<uint32_t>(), |
| 260 | ConsumeBytes(&provider, &bytes)); |
| 261 | break; |
| 262 | case kString: |
| 263 | encoder.WriteString(provider.ConsumeIntegral<uint32_t>(), |
| 264 | ConsumeString(&provider, &strings)); |
| 265 | break; |
| 266 | case kPush: |
| 267 | // Special "field". The marks the start of a nested message. |
| 268 | encoder.Push(provider.ConsumeIntegral<uint32_t>()); |
| 269 | break; |
| 270 | case kPop: |
| 271 | // Special "field". this marks the end of a nested message. No attempt |
| 272 | // is made to match pushes to pops, in order to test that the encoder |
| 273 | // behaves correctly when they are mismatched. |
| 274 | encoder.Pop(); |
| 275 | break; |
| 276 | } |
| 277 | } |
| 278 | // Ensure we call `Encode` at least once. |
Wyatt Hepler | 86ec882 | 2021-05-21 15:15:24 -0700 | [diff] [blame] | 279 | encoder.Encode().IgnoreError(); |
Aaron Green | 0ce7f41 | 2020-04-06 13:39:40 -0700 | [diff] [blame] | 280 | |
| 281 | // Don't forget to unpoison for the next iteration! |
| 282 | ASAN_UNPOISON_MEMORY_REGION(poisoned, poisoned_length); |
| 283 | return 0; |
| 284 | } |