* [RFC PATCH] iw: add clang-based fuzzer for scan IEs
@ 2020-02-11 11:45 Markus Theil
  2020-02-11 13:47 ` Julian Calaby
  2020-02-13 20:19 ` Johannes Berg
  0 siblings, 2 replies; 4+ messages in thread
From: Markus Theil @ 2020-02-11 11:45 UTC (permalink / raw)
  To: johannes; +Cc: linux-wireless, Markus Theil

This patch is not ready for inclusion into the repo, but only useful for
testing purposes.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
---
 Makefile    | 24 ++++++++++++++++++++----
 fuzz.sh     |  5 +++++
 fuzz_scan.c |  6 ++++++
 iw.c        |  4 ++++
 4 files changed, 35 insertions(+), 4 deletions(-)
 create mode 100755 fuzz.sh
 create mode 100644 fuzz_scan.c

diff --git a/Makefile b/Makefile
index 90f2251..4ba2daf 100644
--- a/Makefile
+++ b/Makefile
@@ -16,9 +16,9 @@ CFLAGS_EVAL := $(call cc-option,-Wstringop-overflow=4)
 CFLAGS ?= -O2 -g
 CFLAGS += -Wall -Wextra -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common \
 	  -Werror-implicit-function-declaration -Wsign-compare -Wno-unused-parameter \
-	  $(CFLAGS_EVAL)
+	  $(CFLAGS_EVAL) $(EXTRA_CFLAGS)
 
-_OBJS := $(sort $(patsubst %.c,%.o,$(wildcard *.c)))
+_OBJS := $(filter-out iw.o fuzz_scan.o, $(sort $(patsubst %.c,%.o,$(wildcard *.c))))
 VERSION_OBJS := $(filter-out version.o, $(_OBJS))
 OBJS := $(VERSION_OBJS) version.o
 
@@ -102,12 +102,28 @@ nl80211-commands.inc: nl80211.h
 	@$(NQ) ' CC  ' $@
 	$(Q)$(CC) $(CFLAGS) $(CPPFLAGS) -c -o $@ $<
 
+iw_main.o: iw.c iw.h nl80211.h nl80211-commands.inc
+	@$(NQ) ' CC  ' $@
+	$(Q)$(CC) $(CFLAGS) -DIW_MAIN=1 $(CPPFLAGS) -c -o $@ $<
+
+iw_no_main.o: iw.c iw.h nl80211.h nl80211-commands.inc
+	@$(NQ) ' CC  ' $@
+	$(Q)$(CC) $(CFLAGS) $(CPPFLAGS) -c -o $@ $<
+
 ifeq ($(IW_ANDROID_BUILD),)
-iw:	$(OBJS)
+iw:	$(OBJS) iw_main.o
 	@$(NQ) ' CC  ' iw
-	$(Q)$(CC) $(LDFLAGS) $(OBJS) $(LIBS) -o iw
+	$(Q)$(CC) $(LDFLAGS) $(OBJS) iw_main.o $(LIBS) -o iw
 endif
 
+fuzz_scan.o: fuzz_scan.c iw.h
+	@$(NQ) ' CC  ' $@
+	$(Q)$(CC) $(CFLAGS) $(CPPFLAGS) -c -o $@ $<
+
+fuzz_scan: fuzz_scan.o $(OBJS) iw_no_main.o
+	@$(NQ) ' CC  ' fuzz_scan
+	$(Q)$(CC) $(LDFLAGS) $(OBJS) iw_no_main.o fuzz_scan.o $(LIBS) -o fuzz_scan
+
 check:
 	$(Q)$(MAKE) all CC="REAL_CC=$(CC) CHECK=\"sparse -Wall\" cgcc"
 
diff --git a/fuzz.sh b/fuzz.sh
new file mode 100755
index 0000000..b98fecb
--- /dev/null
+++ b/fuzz.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+make V=1 CC=clang EXTRA_CFLAGS="-fsanitize=address,undefined,fuzzer" LDFLAGS="-fsanitize=fuzzer,address,undefined" fuzz_scan
+mkdir -p fuzz_corpus
+./fuzz_scan fuzz_corpus/ -max_len=512 -timeout=5 > /dev/null
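Review bot: The `make` on line 3 is not checked for failure, so a broken build falls through to running whatever `./fuzz_scan` binary is left over from an earlier run; add `set -euo pipefail` after the shebang so the script stops at the failed build. The `> /dev/null` on the last line only hides stdout, which is of little use because libFuzzer reports progress and crashes on stderr; if the goal is a quiet console, redirect stderr to a log file instead. Passing `-artifact_prefix=fuzz_artifacts/` (directory name illustrative) would also keep crash reproducers out of the working directory and separate from the corpus.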
diff --git a/fuzz_scan.c b/fuzz_scan.c
new file mode 100644
index 0000000..ed9da4f
--- /dev/null
+++ b/fuzz_scan.c
@@ -0,0 +1,6 @@
+#include "iw.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+	print_ies((unsigned char *)data, size, size % 2, PRINT_SCAN);
+	return 0;
+}
\ No newline at end of file
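Review bot: Using `size % 2` as the third argument to `print_ies` ties the unknown-IE flag to the length parity of the input, so the fuzzer cannot vary that flag independently of the IE bytes it is parsing; take it from the first byte and hand the remainder to the parser instead: `if (size < 1) return 0;` followed by `print_ies((unsigned char *)data + 1, size - 1, data[0] & 1, PRINT_SCAN);`. If `print_ies` (declared in iw.h, outside this hunk) takes its length as `int`, the `size_t` argument is narrowed implicitly; with `-max_len=512` that is harmless, but an explicit cast would document the assumption. The file relies on `iw.h` to pull in `<stdint.h>`/`<stddef.h>` for `uint8_t`/`size_t` and, as the diff marks, lacks a trailing newline; including those headers directly and adding the newline keeps the harness self-contained. A one-line comment such as `/* libFuzzer entry point: feed raw bytes to the scan IE printer */` above the function would state its purpose.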
diff --git a/iw.c b/iw.c
index da71617..1563543 100644
--- a/iw.c
+++ b/iw.c
@@ -562,6 +562,8 @@ int handle_cmd(struct nl80211_state *state, enum id_input idby,
 static struct cmd sizer1 __attribute__((section("__sizer"))) = {};
 static struct cmd sizer2 __attribute__((section("__sizer"))) = {};
 
+#ifdef IW_MAIN
+
 int main(int argc, char **argv)
 {
 	struct nl80211_state nlstate;
@@ -638,3 +640,5 @@ int main(int argc, char **argv)
 
 	return err;
 }
+
+#endif
\ No newline at end of file
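Review bot: The `#endif` closing the `IW_MAIN` guard (opened in the previous hunk of this file) carries no comment, and the guarded region spans the whole of `main`, whose body lies between the two hunks, so a reader at the bottom of the file cannot tell which condition is being closed; write it as `#endif /* IW_MAIN */`. The added lines also drop the file's trailing newline, which the diff marks and some tools report. A short comment at the `#ifdef`, e.g. `/* Compiled out for fuzz_scan, which links iw.c without main() */`, would explain why `main` is conditional at all, since the only place `IW_MAIN` is defined is the Makefile.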
-- 
2.25.0



* Re: [RFC PATCH] iw: add clang-based fuzzer for scan IEs
  2020-02-11 11:45 [RFC PATCH] iw: add clang-based fuzzer for scan IEs Markus Theil
@ 2020-02-11 13:47 ` Julian Calaby
  2020-02-13 20:19 ` Johannes Berg
  1 sibling, 0 replies; 4+ messages in thread
From: Julian Calaby @ 2020-02-11 13:47 UTC (permalink / raw)
  To: Markus Theil; +Cc: Johannes Berg, linux-wireless

Hi Markus,

On Tue, Feb 11, 2020 at 11:42 PM Markus Theil
<markus.theil@tu-ilmenau.de> wrote:
>
> This patch is not ready for inclusion into the repo, but only useful for
> testing purposes.
>
> Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>

A couple of minor comments:

> ---
>  Makefile    | 24 ++++++++++++++++++++----
>  fuzz.sh     |  5 +++++
>  fuzz_scan.c |  6 ++++++
>  iw.c        |  4 ++++
>  4 files changed, 35 insertions(+), 4 deletions(-)
>  create mode 100755 fuzz.sh
>  create mode 100644 fuzz_scan.c
>
> diff --git a/Makefile b/Makefile
> index 90f2251..4ba2daf 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -16,9 +16,9 @@ CFLAGS_EVAL := $(call cc-option,-Wstringop-overflow=4)
>  CFLAGS ?= -O2 -g
>  CFLAGS += -Wall -Wextra -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common \
>           -Werror-implicit-function-declaration -Wsign-compare -Wno-unused-parameter \
> -         $(CFLAGS_EVAL)
> +         $(CFLAGS_EVAL) $(EXTRA_CFLAGS)
>
> -_OBJS := $(sort $(patsubst %.c,%.o,$(wildcard *.c)))
> +_OBJS := $(filter-out iw.o fuzz_scan.o, $(sort $(patsubst %.c,%.o,$(wildcard *.c))))
>  VERSION_OBJS := $(filter-out version.o, $(_OBJS))
>  OBJS := $(VERSION_OBJS) version.o
>
> @@ -102,12 +102,28 @@ nl80211-commands.inc: nl80211.h
>         @$(NQ) ' CC  ' $@
>         $(Q)$(CC) $(CFLAGS) $(CPPFLAGS) -c -o $@ $<
>
> +iw_main.o: iw.c iw.h nl80211.h nl80211-commands.inc
> +       @$(NQ) ' CC  ' $@
> +       $(Q)$(CC) $(CFLAGS) -DIW_MAIN=1 $(CPPFLAGS) -c -o $@ $<
> +
> +iw_no_main.o: iw.c iw.h nl80211.h nl80211-commands.inc
> +       @$(NQ) ' CC  ' $@
> +       $(Q)$(CC) $(CFLAGS) $(CPPFLAGS) -c -o $@ $<
> +
>  ifeq ($(IW_ANDROID_BUILD),)
> -iw:    $(OBJS)
> +iw:    $(OBJS) iw_main.o
>         @$(NQ) ' CC  ' iw
> -       $(Q)$(CC) $(LDFLAGS) $(OBJS) $(LIBS) -o iw
> +       $(Q)$(CC) $(LDFLAGS) $(OBJS) iw_main.o $(LIBS) -o iw

You can use "$^" to get the full list of prerequisites instead of
spelling it out in both the rule definition and command.

I.e.

$(Q)$(CC) $(LDFLAGS) $^ $(LIBS) -o iw


There's a tool I'm aware of, https://github.com/google/AFL, which does
fuzzing by instrumenting the code under test and iterating on input
data. I'm not sure if it'll get you anything that LLVM's built-in one
won't, but it might be worth a try.

Thanks,

-- 
Julian Calaby

Email: julian.calaby@gmail.com
Profile: http://www.google.com/profiles/julian.calaby/


* Re: [RFC PATCH] iw: add clang-based fuzzer for scan IEs
  2020-02-11 11:45 [RFC PATCH] iw: add clang-based fuzzer for scan IEs Markus Theil
  2020-02-11 13:47 ` Julian Calaby
@ 2020-02-13 20:19 ` Johannes Berg
  2020-02-13 21:42   ` Markus Theil
  1 sibling, 1 reply; 4+ messages in thread
From: Johannes Berg @ 2020-02-13 20:19 UTC (permalink / raw)
  To: Markus Theil; +Cc: linux-wireless

FWIW, I applied most of your patches, though some I squashed since you
just introduced the bugs in a previous non-applied patch ... :)

Regarding the fuzzing ... how long did you run this?

I adjusted this to afl-clang-fast (afl++, not the original) and it's not
finding much easily...

I guess making it realloc each element into a separate buffer so that
it's checking out-of-bounds for each element separately will help
somewhat, let's see...

johannes




* Re: [RFC PATCH] iw: add clang-based fuzzer for scan IEs
  2020-02-13 20:19 ` Johannes Berg
@ 2020-02-13 21:42   ` Markus Theil
  0 siblings, 0 replies; 4+ messages in thread
From: Markus Theil @ 2020-02-13 21:42 UTC (permalink / raw)
  To: Johannes Berg; +Cc: linux-wireless

On 2/13/20 9:19 PM, Johannes Berg wrote:
> FWIW, I applied most of your patches, though some I squashed since you
> just introduced the bugs in a previous non-applied patch ... :)
;)
> Regarding the fuzzing ... how long did you run this?
The first bugs were found nearly instantly, the last ones after several 
minutes (<= 20).
> I adjusted this to afl-clang-fast (afl++, not the original) and it's not
> finding much easily...
>
> I guess making it realloc each element into a separate buffer so that
> it's checking out-of-bounds for each element separately will help
> somewhat, let's see...
>
> johannes
>
>

