├── AUTHORS ├── CONTRIBUTING ├── LICENSE ├── README.md ├── boringssl-2016-02-12 ├── README.md ├── build.sh ├── crash-ffb22c3101db1e53e38fdf630efd3dfd19cbeb84 └── test-libfuzzer.sh ├── build-and-test.sh ├── c-ares-CVE-2016-5180 ├── README.md ├── build.sh ├── target.cc └── test-libfuzzer.sh ├── common.sh ├── custom-build.sh ├── examples └── example-hooks.cc ├── freetype2-2017 ├── README.md ├── build.sh └── test-libfuzzer.sh ├── guetzli-2017-3-30 ├── README.md ├── build.sh ├── crash-5737651426557952 ├── jpeg.dict ├── seeds │ ├── not_kitty.jpg │ └── semiseed └── test-libfuzzer.sh ├── harfbuzz-1.3.2 ├── README.md ├── build.sh ├── crash-ac7c48dc90984a43c1424106d7046c101ada4bf3 └── test-libfuzzer.sh ├── json-2017-02-12 ├── README.md ├── build.sh ├── crash-1bd4fa4c5ddced4506c67dbe92e14ea7aa1bd47d ├── seeds │ └── seed └── test-libfuzzer.sh ├── lcms-2017-03-21 ├── README.md ├── build.sh ├── cms_transform_fuzzer.c ├── crash-6a7f7b35fc6de5b19080b1c32588c727caf5d396 ├── seeds │ └── seed └── test-libfuzzer.sh ├── libarchive-2017-01-04 ├── README.md ├── build.sh ├── clusterfuzz-testcase-minimized-6117891166437376 ├── libarchive_fuzzer.cc ├── seeds │ └── seed └── test-libfuzzer.sh ├── libjpeg-turbo-07-2017 ├── README.md ├── build.sh ├── libjpeg_turbo_fuzzer.cc ├── seeds │ └── seed.jpg └── test-libfuzzer.sh ├── libpng-1.2.56 ├── README.md ├── build.sh ├── oom-63efa8b5a2adf76dc225d62939db3337ff6774f1 ├── png_mutator.h ├── seeds │ └── seed.png ├── target.cc └── test-libfuzzer.sh ├── libssh-2017-1272 ├── README.md ├── build.sh ├── clusterfuzz-testcase-minimized-5180149127446528 ├── libssh_server_fuzzer.cc └── test-libfuzzer.sh ├── libxml2-v2.9.2 ├── README.md ├── build.sh ├── crash-50b12d37d6968a2cd9eb3665d158d9a2fb1f6e28 ├── crash-d8960e21ca40ea5dc60ad655000842376d4178a1 ├── leak-bdbb2857b7a086f003db1c418e1d124181341fb1 ├── target.cc ├── test-libfuzzer.sh └── uaf-1153fbf466b9474e6e3c48c72e86a4726b449ef7 ├── llvm-libcxxabi-2017-01-27 ├── README.md ├── build.sh ├── 
crash-37806028c307468801496b647ad8eb6d1f5c612e ├── crash-3edc48212829c58f0e19e2f0ef7eec46ffd6bca9 └── test-libfuzzer.sh ├── openssl-1.0.1f ├── README.md ├── build.sh ├── leak-268f0e85f4bc45cbaf4d257222b830eac18977f3 ├── runtime │ ├── server.key │ └── server.pem ├── target.cc └── test-libfuzzer.sh ├── openssl-1.0.2d ├── README.md ├── build.sh ├── crash-12ae1af0c82252420b5f780bc9ed48d3ba05109e ├── target.cc └── test-libfuzzer.sh ├── openssl-1.1.0c ├── README.md ├── build.sh ├── crash-4fce1eeb339d851b72fedba895163ec1daab51f3 ├── crash-ab3eea077a07a1353f86eea4b6075df2e6319a75 └── crash-c2a2dd95058258979548c016bbe04720ca1ea422 ├── openthread-2018-02-27 ├── README.md ├── build.sh ├── repro1 ├── repro10 ├── repro11 ├── repro12 ├── repro2 ├── repro3 ├── repro4 ├── repro5 ├── repro6 ├── repro7 ├── repro8 └── repro9 ├── pcre2-10.00 ├── README.md ├── build.sh ├── target.cc └── test-libfuzzer.sh ├── proj4-2017-08-14 ├── README.md ├── build.sh ├── leak-7c19589a27e15f3432d245c7685bd518693e70d3 └── test-libfuzzer.sh ├── re2-2014-12-09 ├── README.md ├── build.sh ├── crash-a23ed2a04358b9c070c603a5af6ae2b34598664a ├── target.cc └── test-libfuzzer.sh ├── sqlite-2016-11-14 ├── README.md ├── build.sh ├── crash-0adc497ccfcc1a4d5e031b735c599df0cae3f4eb ├── crash-1066e42866aad3a04e6851dc494ad54bc31b9f78 ├── leak-b0276985af5aa23c98d9abf33856ce069ef600e2 ├── ossfuzz.c ├── sql.dict ├── sqlite3.c ├── sqlite3.h └── test-libfuzzer.sh ├── test-everything.sh ├── tutorial ├── libFuzzerTutorial.md └── structure-aware-fuzzing.md ├── vorbis-2017-12-11 ├── README.md ├── build.sh ├── crash-23c2d78e497bf4aebe5859e3092657cb0af4c299 ├── crash-8c5dea6410b0fb0b21ff968a9966a0bd7956405f ├── crash-e86e0482b8d66f924e50e62f5d7cc36a0acb03a7 ├── seeds │ └── sound.ogg └── test-libfuzzer.sh ├── woff2-2016-05-06 ├── README.md ├── build.sh ├── crash-696cb49b6d7f63e153a6605f00aceb0d7738971a ├── oom-9d24534a23b3ce397f21f62fb23ba9c5e9213107 ├── target.cc └── test-libfuzzer.sh └── wpantund-2018-02-27 ├── README.md └── 
build.sh /AUTHORS: -------------------------------------------------------------------------------- 1 | # This is the official list of the fuzzer-test-suite project authors for copyright purposes. 2 | # This file is distinct from the CONTRIBUTORS file. See the latter for an explanation. 3 | 4 | # Names should be added to this file as 5 | # Name or Organization 6 | # Email addresses for individuals are tracked elsewhere to avoid spam. 7 | 8 | Google Inc. 9 | 10 | -------------------------------------------------------------------------------- /CONTRIBUTING: -------------------------------------------------------------------------------- 1 | Want to contribute? Great! First, read this page (including the small print at the end). 2 | 3 | ### Before you contribute 4 | Before we can use your code, you must sign the 5 | [Google Individual Contributor License Agreement](https://cla.developers.google.com/about/google-individual) 7 | (CLA), which you can do online. The CLA is necessary mainly because you own the 8 | copyright to your changes, even after your contribution becomes part of our 9 | codebase, so we need your permission to use and distribute your code. We also 10 | need to be sure of various other things—for instance that you'll tell us if you 11 | know that your code infringes on other people's patents. You don't have to sign 12 | the CLA until after you've submitted your code for review and a member has 13 | approved it, but you must do it before we can put your code into our codebase. 14 | Before you start working on a larger contribution, you should get in touch with 15 | us first through the issue tracker with your idea so that we can help out and 16 | possibly guide you. Coordinating up front makes it much easier to avoid 17 | frustration later on. 18 | 19 | ### Code reviews 20 | All submissions, including submissions by project members, require review. We 21 | use Github pull requests for this purpose. 
22 | 23 | ### The small print 24 | Contributions made by corporations are covered by a different agreement than 25 | the one above, the 26 | [Software Grant and Corporate Contributor License Agreement] 27 | (https://cla.developers.google.com/about/google-corporate). 28 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 
35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # fuzzer-test-suite 2 | 3 | :zap: **NOTE: For most use cases, fuzzer-test-suite is superseded by [FuzzBench](https://github.com/google/fuzzbench). 4 | We recommend using FuzzBench for all future fuzzer benchmarking. 5 | FuzzBench is based on many of the same ideas as FTS, such as realistic benchmarks (it actually uses some benchmarks from FTS) but has many improvements such as a free service and a design that makes adding new fuzzers and new benchmarks easier.** 6 | 7 | This is a set of tests (benchmarks) for fuzzing engines (fuzzers). 8 | 9 | The goal of this project is to have a set of fuzzing benchmarks derived from real-life 10 | libraries that have interesting bugs, hard-to-find code paths, or other 11 | challenges for bug finding tools. 12 | 13 | The current version supports [libFuzzer](http://libFuzzer.info), 14 | [AFL](http://lcamtuf.coredump.cx/afl/) and honggfuzz; the engine is selected with the `FUZZING_ENGINE` variable read by `common.sh`, which also provides the `fsanitize_fuzzer` (default), `coverage` and `hooks` build modes. In future versions we may support 15 | other fuzzing engines. 
16 | 17 | # See also 18 | 19 | * [AddressSanitizer](http://clang.llvm.org/docs/AddressSanitizer.html) 20 | 21 | # Contributing 22 | See [CONTRIBUTING](CONTRIBUTING) first. 23 | If you want to add one more benchmark to the test suite, 24 | simply mimic one of the existing benchmarks and send the pull request. 25 | 26 | # Disclaimer 27 | This is not an official Google product. 28 | -------------------------------------------------------------------------------- /boringssl-2016-02-12/README.md: -------------------------------------------------------------------------------- 1 | Find a [8-byte-read-heap-use-after-free bug](https://bugs.chromium.org/p/chromium/issues/detail?id=586798) 2 | in [Boringssl](https://boringssl.googlesource.com/boringssl/), reproducer 3 | provided. 4 | 5 | Time to find: 1 hour or more. 6 | ``` 7 | ==4514==ERROR: AddressSanitizer: heap-use-after-free 8 | READ of size 8 at 0x6030000002b8 thread T0 9 | #0 0x5a4501 in ASN1_STRING_free crypto/asn1/asn1_lib.c:459:12 10 | #1 0x5b32dd in ASN1_primitive_free crypto/asn1/tasn_fre.c:241:9 11 | #2 0x5b31e7 in ASN1_primitive_free crypto/asn1/tasn_fre.c:236:9 12 | #3 0x5b21e4 in ASN1_item_free crypto/asn1/tasn_fre.c:69:5 13 | #4 0x515b59 in sk_pop_free crypto/stack/stack.c:142:7 14 | #5 0x4f81b9 in dsa_priv_decode crypto/evp/p_dsa_asn1.c:288:3 15 | #6 0x50a5ed in EVP_PKCS82PKEY crypto/pkcs8/pkcs8.c:616:10 16 | #7 0x4f3f0b in d2i_AutoPrivateKey crypto/evp/evp_asn1.c:151:11 17 | #8 0x4f0624 in LLVMFuzzerTestOneInput 18 | ``` 19 | -------------------------------------------------------------------------------- /boringssl-2016-02-12/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . 
$(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | (cd BUILD && cmake -DBUILD_SHARED_LIBS=OFF -DCMAKE_C_COMPILER="$CC" -DCMAKE_C_FLAGS="$CFLAGS -Wno-deprecated-declarations" -DCMAKE_CXX_COMPILER="$CXX" -DCMAKE_CXX_FLAGS="$CXXFLAGS -Wno-error=main" && make -j $JOBS) 11 | } 12 | 13 | get_git_revision https://github.com/google/boringssl.git 894a47df2423f0d2b6be57e6d90f2bea88213382 SRC 14 | build_lib 15 | build_fuzzer 16 | 17 | if [[ ! -d seeds ]]; then 18 | mkdir seeds 19 | cp BUILD/fuzz/privkey_corpus/* seeds/ 20 | fi 21 | 22 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 23 | # Link ASan runtime so we can hook memcmp et al. 24 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 25 | fi 26 | set -x 27 | $CXX $CXXFLAGS -I BUILD/include BUILD/fuzz/privkey.cc ./BUILD/ssl/libssl.a ./BUILD/crypto/libcrypto.a -lpthread $LIB_FUZZING_ENGINE -o $EXECUTABLE_NAME_BASE 28 | -------------------------------------------------------------------------------- /boringssl-2016-02-12/crash-ffb22c3101db1e53e38fdf630efd3dfd19cbeb84: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/boringssl-2016-02-12/crash-ffb22c3101db1e53e38fdf630efd3dfd19cbeb84 -------------------------------------------------------------------------------- /boringssl-2016-02-12/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../common.sh 5 | 6 | # Note: this target contains unbalanced malloc/free (malloc is called 7 | # in one invocation, free is called in another invocation). 8 | # and so libFuzzer's -detect_leaks should be disabled for better speed. 
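export ASAN_OPTIONS=detect_leaks=0:quarantine_size_mb=50

set -x
# ${CORPUS:?} aborts instead of expanding to nothing if common.sh did not
# define CORPUS, so this line can never degrade into a bare 'rm -rf'.
rm -rf "${CORPUS:?}" fuzz-*.log
mkdir "$CORPUS"
# $LIBFUZZER_FLAGS is intentionally unquoted: it may carry several options.
[ -e "$EXECUTABLE_NAME_BASE" ] && "./$EXECUTABLE_NAME_BASE" -artifact_prefix="$CORPUS/" -use_value_profile=1 -jobs="$JOBS" -workers="$JOBS" $LIBFUZZER_FLAGS "$CORPUS" seeds
# The benchmark passes only if the expected use-after-free is reported in the
# first job's log.
grep "AddressSanitizer: heap-use-after-free" fuzz-0.log || exit 1
--------------------------------------------------------------------------------
/build-and-test.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright 2016 Google Inc. All Rights Reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
#
# Usage: build-and-test.sh <benchmark-dir-name>
# Builds the named benchmark and runs its libFuzzer test inside a dedicated
# RUNDIR-<benchmark> working directory.
. "$(dirname "$0")/common.sh"

# The argument becomes a path component; accept only a plain directory name so
# $BUILD / $TEST cannot resolve to a script outside the suite.
case "$1" in
  ""|*/*|.|..) echo "USAGE: $0 <benchmark-dir-name>" >&2; exit 1 ;;
esac

BUILD=$SCRIPT_DIR/$1/build.sh
TEST=$SCRIPT_DIR/$1/test-libfuzzer.sh

[ ! -e "$BUILD" ] && echo "NO SUCH FILE: $BUILD" && exit 1
[ ! -e "$TEST" ] && echo "NO SUCH FILE: $TEST" && exit 1

RUNDIR="RUNDIR-$1"
mkdir -p "$RUNDIR"
# The benchmark build scripts begin with 'rm -rf BUILD'; never let them run in
# the current directory just because the working directory could not be entered.
cd "$RUNDIR" || exit 1
"$BUILD" && "$TEST"

--------------------------------------------------------------------------------
/c-ares-CVE-2016-5180/README.md:
--------------------------------------------------------------------------------
Finds [CVE-2016-5180](https://c-ares.haxx.se/adv_20160929.html),
1-byte-write-heap-buffer-overflow in c-ares (https://c-ares.haxx.se/).
This bug was one of a chain of two bugs that made a ChromeOS exploit possible:
[code execution in guest mode across reboots](https://googlechromereleases.blogspot.com/2016/09/stable-channel-updates-for-chrome-os.html).


Time to find: < 1 second.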
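```
ERROR: AddressSanitizer: heap-buffer-overflow
WRITE of size 1 at 0x6040000d643b thread T0
#0 0x4ef2b7 in ares_create_query ares_create_query.c:196:3
```


--------------------------------------------------------------------------------
/c-ares-CVE-2016-5180/build.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright 2016 Google Inc. All Rights Reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
. "$(dirname "$0")/../custom-build.sh" "$1" "$2"
. "$(dirname "$0")/../common.sh"

# Build a static libcares from a fresh copy of SRC. The function's status is
# that of the configure/make pipeline, so the caller can stop on failure.
build_lib() {
  rm -rf BUILD
  cp -rf SRC BUILD
  (cd BUILD && ./buildconf && ./configure --disable-shared && make -j "$JOBS")
}

# Pinned to a full commit hash: the revision that still contains the
# CVE-2016-5180 bug this benchmark is meant to find.
get_git_revision https://github.com/c-ares/c-ares.git 51fbb479f7948fca2ace3ff34a15ff27e796afdd SRC
# Do not link a stale or half-built libcares.a if the library build failed.
build_lib || exit 1
build_fuzzer

if [[ $FUZZING_ENGINE == "hooks" ]]; then
  # Link ASan runtime so we can hook memcmp et al.
  LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address"
fi
# $CXX, $CXXFLAGS and $LIB_FUZZING_ENGINE are intentionally unquoted: each may
# expand to several words (see common.sh).
$CXX $CXXFLAGS "$SCRIPT_DIR/target.cc" -I BUILD BUILD/.libs/libcares.a $LIB_FUZZING_ENGINE -o "$EXECUTABLE_NAME_BASE" || exit 1
--------------------------------------------------------------------------------
/c-ares-CVE-2016-5180/target.cc:
--------------------------------------------------------------------------------
// Copyright 2016 Google Inc. All Rights Reserved.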
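// Licensed under the Apache License, Version 2.0 (the "License");
#include <arpa/nameser.h>
#include <stdint.h>
#include <stdlib.h>
#include <string>

#include <ares.h>

// libFuzzer entry point for the c-ares CVE-2016-5180 benchmark.
//
// The whole input is handed to ares_create_query() as the DNS name to encode.
// The benchmark bug is a 1-byte heap write inside that call (see README.md),
// so reaching the call is all the harness has to do.
//
// Data, Size: fuzzer-provided bytes, not NUL-terminated.
// Always returns 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  unsigned char *buf = NULL;
  int buflen = 0;
  // Copy into a std::string so the name passed to c-ares is NUL-terminated.
  std::string s(reinterpret_cast<const char *>(Data), Size);
  int status = ares_create_query(s.c_str(), ns_c_in, ns_t_a, 0x1234, 0, &buf,
                                 &buflen, 0);
  // Release the buffer only when c-ares reports success; the original freed
  // whatever was left in buf without checking the result. Use the library's
  // own deallocator so an allocator installed via ares_library_init_mem() can
  // never be paired with plain free().
  if (status == ARES_SUCCESS) {
    ares_free_string(buf);
  }
  return 0;
}
--------------------------------------------------------------------------------
/c-ares-CVE-2016-5180/test-libfuzzer.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright 2016 Google Inc. All Rights Reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
. "$(dirname "$0")/../common.sh"
set -x

# Drop the previous run's output, including the combined 'log' the grep below
# inspects, so a stale log can never make the test pass on its own.
rm -f fuzz-*.log log

# Bounded run; README.md expects the crash in under a second.
# $LIBFUZZER_FLAGS is intentionally unquoted: it may hold several options.
[ -e "$EXECUTABLE_NAME_BASE" ] && "./$EXECUTABLE_NAME_BASE" -max_total_time=100 $LIBFUZZER_FLAGS 2>&1 | tee log
grep -Pzo "(?s)ERROR: AddressSanitizer:.*ares_create_query" log
--------------------------------------------------------------------------------
/common.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright 2017 Google Inc. All Rights Reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
#
# Shared definitions sourced by every benchmark's build.sh / test-libfuzzer.sh:
# engine selection (FUZZING_ENGINE), compiler flags, source-fetch helpers and
# the build_<engine> functions that produce $LIB_FUZZING_ENGINE.

# Don't allow to call these scripts from their directories.
[ -e "$(basename "$0")" ] && echo "PLEASE USE THIS SCRIPT FROM ANOTHER DIR" && exit 1

# Ensure that fuzzing engine, if defined, is valid. The value later selects a
# build function by name (build_${FUZZING_ENGINE}), so it must be an exact
# member of the list -- a substring or regex match is not good enough.
FUZZING_ENGINE=${FUZZING_ENGINE:-"fsanitize_fuzzer"}
POSSIBLE_FUZZING_ENGINE="libfuzzer afl honggfuzz coverage fsanitize_fuzzer hooks"
ENGINE_IS_VALID=0
for engine in $POSSIBLE_FUZZING_ENGINE; do
  [ "$engine" = "$FUZZING_ENGINE" ] && ENGINE_IS_VALID=1
done
if [ "$ENGINE_IS_VALID" -ne 1 ]; then
  echo "USAGE: Error: If defined, FUZZING_ENGINE should be one of the following:
$POSSIBLE_FUZZING_ENGINE.
However, it was defined as $FUZZING_ENGINE" >&2
  exit 1
fi
unset engine ENGINE_IS_VALID

SCRIPT_DIR=$(dirname "$0")
EXECUTABLE_NAME_BASE=$(basename "$SCRIPT_DIR")-${FUZZING_ENGINE}
LIBFUZZER_SRC=${LIBFUZZER_SRC:-$(dirname "$(dirname "$SCRIPT_DIR")")/Fuzzer}
STANDALONE_TARGET=0
AFL_SRC=${AFL_SRC:-$(dirname "$(dirname "$SCRIPT_DIR")")/AFL}
HONGGFUZZ_SRC=${HONGGFUZZ_SRC:-$(dirname "$(dirname "$SCRIPT_DIR")")/honggfuzz}
COVERAGE_FLAGS="-O0 -fsanitize-coverage=trace-pc-guard"
FUZZ_CXXFLAGS="-O2 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div"
CORPUS=CORPUS-$EXECUTABLE_NAME_BASE
JOBS=${JOBS:-"8"}


export CC=${CC:-"clang"}
export CXX=${CXX:-"clang++"}
export CPPFLAGS=${CPPFLAGS:-"-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"}
export LIB_FUZZING_ENGINE="libFuzzingEngine-${FUZZING_ENGINE}.a"

# Per-engine compiler selection and default flags. Caller-provided CFLAGS /
# CXXFLAGS always win over the defaults.
if [[ $FUZZING_ENGINE == "fsanitize_fuzzer" ]]; then
  FSANITIZE_FUZZER_FLAGS="-O2 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address,fuzzer-no-link -fsanitize-address-use-after-scope"
  export CFLAGS=${CFLAGS:-$FSANITIZE_FUZZER_FLAGS}
  export CXXFLAGS=${CXXFLAGS:-$FSANITIZE_FUZZER_FLAGS}
elif [[ $FUZZING_ENGINE == "honggfuzz" ]]; then
  export CC=$(realpath -s "$HONGGFUZZ_SRC/hfuzz_cc/hfuzz-clang")
  export CXX=$(realpath -s "$HONGGFUZZ_SRC/hfuzz_cc/hfuzz-clang++")
elif [[ $FUZZING_ENGINE == "coverage" ]]; then
  export CFLAGS=${CFLAGS:-$COVERAGE_FLAGS}
  export CXXFLAGS=${CXXFLAGS:-$COVERAGE_FLAGS}
else
  export CFLAGS=${CFLAGS:-"$FUZZ_CXXFLAGS"}
  export CXXFLAGS=${CXXFLAGS:-"$FUZZ_CXXFLAGS"}
fi

# Abort the calling build script after a failed source fetch and remove the
# partial checkout, so the "already present" shortcut in the fetch helpers
# cannot pick up an unpinned tree on the next run. Only called for a directory
# the helper itself just created.
fetch_failed() {
  local what="$1" to_dir="$2"
  echo "Failed to fetch $what" >&2
  rm -rf -- "${to_dir:?}"
  exit 1
}

# get_git_revision REPO COMMIT DIR: clone REPO into DIR and pin it to COMMIT.
# No-op when DIR already exists. A full commit hash is the only immutable
# reference git offers; prefer it over get_git_tag for reproducible benchmarks.
get_git_revision() {
  local repo="$1" revision="$2" to_dir="$3"
  [ -e "$to_dir" ] && return 0
  git clone "$repo" "$to_dir" && (cd "$to_dir" && git reset --hard "$revision") \
    || fetch_failed "$repo at $revision" "$to_dir"
}

# get_git_tag REPO TAG DIR: clone REPO into DIR and check out TAG.
# No-op when DIR already exists. Tags can be moved or deleted upstream, so this
# is a weaker pin than a commit hash.
get_git_tag() {
  local repo="$1" tag="$2" to_dir="$3"
  [ -e "$to_dir" ] && return 0
  git clone "$repo" "$to_dir" && (cd "$to_dir" && git checkout "$tag") \
    || fetch_failed "$repo at tag $tag" "$to_dir"
}

# get_svn_revision REPO REV DIR: check out revision REV of REPO into DIR.
# No-op when DIR already exists.
get_svn_revision() {
  local repo="$1" revision="$2" to_dir="$3"
  [ -e "$to_dir" ] && return 0
  svn co -r"$revision" "$repo" "$to_dir" || fetch_failed "$repo at r$revision" "$to_dir"
}

# In the build_* helpers $CC, $CXX and the *FLAGS variables are intentionally
# left unquoted: each may expand to several words.

build_afl() {
  $CC $CFLAGS -c -w "$AFL_SRC/llvm_mode/afl-llvm-rt.o.c"
  $CXX $CXXFLAGS -std=c++11 -O2 -c "${LIBFUZZER_SRC}/afl/afl_driver.cpp" -I"$LIBFUZZER_SRC"
  ar r "$LIB_FUZZING_ENGINE" afl_driver.o afl-llvm-rt.o.o
  rm *.o
}

build_libfuzzer() {
  "$LIBFUZZER_SRC/build.sh"
  mv libFuzzer.a "$LIB_FUZZING_ENGINE"
}

build_honggfuzz() {
  cp "$HONGGFUZZ_SRC/libhfuzz/persistent.o" "$LIB_FUZZING_ENGINE"
}

# Uses the capability for "fsanitize=fuzzer" in the current clang
build_fsanitize_fuzzer() {
  LIB_FUZZING_ENGINE="-fsanitize=fuzzer"
}

# This provides a build with no fuzzing engine, just to measure coverage
build_coverage () {
  STANDALONE_TARGET=1
  $CC -O2 -c "$LIBFUZZER_SRC/standalone/StandaloneFuzzTargetMain.c"
  ar rc "$LIB_FUZZING_ENGINE" StandaloneFuzzTargetMain.o
  rm *.o
}

# Build with user-defined main and hooks.
build_hooks() {
  LIB_FUZZING_ENGINE=libFuzzingEngine-hooks.o
  $CXX -c "$HOOKS_FILE" -o "$LIB_FUZZING_ENGINE"
}

# Dispatch to build_<engine>. FUZZING_ENGINE was checked against the allowlist
# above; the declare -F check is a second guard so a mismatch between that list
# and the functions defined here fails loudly instead of running an unknown
# command name.
build_fuzzer() {
  echo "Building with $FUZZING_ENGINE"
  if ! declare -F "build_${FUZZING_ENGINE}" > /dev/null; then
    echo "No build function for engine '$FUZZING_ENGINE'" >&2
    exit 1
  fi
  "build_${FUZZING_ENGINE}"
}

--------------------------------------------------------------------------------
/custom-build.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright 2018 Google Inc. All Rights Reserved.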
3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | 5 | MODE=$1 6 | HOOKS_FILE=$2 7 | 8 | if [[ -n "${MODE}" ]]; then 9 | case "${MODE}" in 10 | asan) 11 | export FUZZING_ENGINE=libfuzzer 12 | export CFLAGS="-O2 -fno-omit-frame-pointer -gline-tables-only -fsanitize=address -fsanitize-address-use-after-scope -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div" 13 | export CXXFLAGS="${CFLAGS}" 14 | ;; 15 | ubsan) 16 | export FUZZING_ENGINE=libfuzzer 17 | export CFLAGS="-O2 -fno-omit-frame-pointer -gline-tables-only -fsanitize=undefined -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div" 18 | export CXXFLAGS="${CFLAGS}" 19 | ;; 20 | hooks) 21 | if [[ ! -f "${HOOKS_FILE}" ]]; then 22 | echo "Error: Missing hooks file" 23 | exit 1 24 | fi 25 | export FUZZING_ENGINE=hooks 26 | export CFLAGS="-O0 -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div" 27 | export CXXFLAGS="${CFLAGS}" 28 | export HOOKS_FILE 29 | ;; 30 | *) 31 | echo "Error: Unknown mode: ${MODE}" 32 | exit 1 33 | ;; 34 | esac 35 | fi 36 | 37 | -------------------------------------------------------------------------------- /examples/example-hooks.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int print(const char *format, ...) 
{ 8 | static FILE *f = NULL; 9 | if (!f) { 10 | f = fopen("hooks.log", "w"); 11 | assert(f); 12 | } 13 | va_list args; 14 | va_start(args, format); 15 | int ret = vfprintf(f, format, args); 16 | va_end(args); 17 | return ret; 18 | } 19 | 20 | extern "C" { 21 | void __sanitizer_cov_trace_pc_guard_init(uint32_t *Start, uint32_t *Stop) { 22 | } 23 | 24 | void __sanitizer_cov_trace_pc_guard(uint32_t *Guard) { 25 | print("%p\n", __builtin_return_address(0)); 26 | } 27 | 28 | void __sanitizer_cov_trace_cmp8(uint64_t Arg1, uint64_t Arg2) { 29 | print("%p: cmp8(%lu, %lu)\n", __builtin_return_address(0), Arg1, Arg2); 30 | } 31 | 32 | void __sanitizer_cov_trace_const_cmp8(uint64_t Arg1, uint64_t Arg2) { 33 | print("%p: ccmp8(%lu, %lu)\n", __builtin_return_address(0), Arg1, Arg2); 34 | } 35 | 36 | void __sanitizer_cov_trace_cmp4(uint32_t Arg1, uint32_t Arg2) { 37 | print("%p: cmp4(%u, %u)\n", __builtin_return_address(0), Arg1, Arg2); 38 | } 39 | 40 | void __sanitizer_cov_trace_const_cmp4(uint32_t Arg1, uint32_t Arg2) { 41 | print("%p: ccmp4(%u, %u)\n", __builtin_return_address(0), Arg1, Arg2); 42 | } 43 | 44 | void __sanitizer_cov_trace_cmp2(uint16_t Arg1, uint16_t Arg2) { 45 | print("%p: cmp2(%u, %u)\n", __builtin_return_address(0), Arg1, Arg2); 46 | } 47 | 48 | void __sanitizer_cov_trace_const_cmp2(uint16_t Arg1, uint16_t Arg2) { 49 | print("%p: ccmp2(%u, %u)\n", __builtin_return_address(0), Arg1, Arg2); 50 | } 51 | 52 | void __sanitizer_cov_trace_cmp1(uint8_t Arg1, uint8_t Arg2) { 53 | print("%p: cmp1(%u, %u)\n", __builtin_return_address(0), Arg1, Arg2); 54 | } 55 | 56 | void __sanitizer_cov_trace_const_cmp1(uint8_t Arg1, uint8_t Arg2) { 57 | print("%p: ccmp1(%u, %u)\n", __builtin_return_address(0), Arg1, Arg2); 58 | } 59 | 60 | void __sanitizer_cov_trace_switch(uint64_t Val, uint64_t *Cases) { 61 | // TODO: Print which case is taken. 
62 | print("%p: switch(%lu)\n", __builtin_return_address(0), Val); 63 | } 64 | 65 | void __sanitizer_cov_trace_div4(uint32_t Val) { 66 | print("%p: div4(X, %u)\n", __builtin_return_address(0), Val); 67 | } 68 | 69 | void __sanitizer_cov_trace_div8(uint64_t Val) { 70 | print("%p: div8(X, %lu)\n", __builtin_return_address(0), Val); 71 | } 72 | 73 | void __sanitizer_cov_trace_gep(uintptr_t Idx) { 74 | print("%p: gep(%lu)\n", __builtin_return_address(0), Idx); 75 | } 76 | 77 | void __sanitizer_weak_hook_memcmp(void *caller_pc, const void *s1, 78 | const void *s2, size_t n, int result) { 79 | print("%p: memcmp(%p, %p, %lu) -> %u\n", caller_pc, s1, s2, n, result); 80 | } 81 | 82 | void __sanitizer_weak_hook_strncmp(void *caller_pc, const char *s1, 83 | const char *s2, size_t n, int result) { 84 | print("%p: strncmp(%p, %p, %lu) -> %u\n", caller_pc, s1, s2, n, result); 85 | } 86 | 87 | void __sanitizer_weak_hook_strcmp(void *caller_pc, const char *s1, 88 | const char *s2, int result) { 89 | print("%p: strcmp(%p, %p) -> %u\n", caller_pc, s1, s2, result); 90 | } 91 | 92 | void __sanitizer_weak_hook_strncasecmp(void *caller_pc, const char *s1, 93 | const char *s2, size_t n, int result) { 94 | print("%p: strncasecmp(%p, %p, %lu) -> %u\n", caller_pc, s1, s2, n, 95 | result); 96 | } 97 | 98 | void __sanitizer_weak_hook_strcasecmp(void *caller_pc, const char *s1, 99 | const char *s2, int result) { 100 | print("%p: strcasecmp(%p, %p) -> %u\n", caller_pc, s1, s2, result); 101 | } 102 | 103 | void __sanitizer_weak_hook_strstr(void *caller_pc, const char *s1, 104 | const char *s2, char *result) { 105 | print("%p: strstr(%p, %p) -> %p\n", caller_pc, s1, s2, result); 106 | } 107 | 108 | void __sanitizer_weak_hook_strcasestr(void *caller_pc, const char *s1, 109 | const char *s2, char *result) { 110 | print("%p: strcasecmp(%p, %p) -> %p\n", caller_pc, s1, s2, result); 111 | } 112 | 113 | void __sanitizer_weak_hook_memmem(void *caller_pc, const void *s1, 114 | size_t len1, const void 
*s2, size_t len2, 115 | void *result) { 116 | print("%p: memcmp(%p, %lu, %p, %lu) -> %p\n", caller_pc, s1, len1, s2, 117 | len2, result); 118 | } 119 | 120 | extern int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size); 121 | __attribute__((weak)) extern int LLVMFuzzerInitialize(int *argc, char ***argv); 122 | 123 | int main(int argc, char **argv) { 124 | if (LLVMFuzzerInitialize) 125 | LLVMFuzzerInitialize(&argc, &argv); 126 | for (int i = 1; i < argc; i++) { 127 | fprintf(stderr, "Running: %s\n", argv[i]); 128 | std::ifstream f(argv[i]); 129 | assert(f); 130 | f.seekg(0, f.end); 131 | size_t len = f.tellg(); 132 | f.seekg(0, f.beg); 133 | char *buf = new char[len]; 134 | f.read(buf, len); 135 | LLVMFuzzerTestOneInput(reinterpret_cast(buf), len); 136 | delete[] buf; 137 | fprintf(stderr, "Done: %s: (%zd bytes)\n", argv[i], len); 138 | } 139 | } 140 | } // extern "C" 141 | -------------------------------------------------------------------------------- /freetype2-2017/README.md: -------------------------------------------------------------------------------- 1 | This is a coverage benchmark for [freetype2](https://freetype.org/freetype2/docs/index.html). 2 | Instead of searching for a bug, this benchmark attempts to reach a particular line of code which is known to be difficult to reach. 3 | 4 | As of September 6, 2017, this benchmark takes about 5 minutes using the provided seeds. 5 | 6 | This version of freetype also contains an [integer overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2027), and it takes a long time to find by fuzzing. 7 | -------------------------------------------------------------------------------- /freetype2-2017/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . 
$(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | (cd BUILD && ./autogen.sh && ./configure --disable-shared --with-harfbuzz=no --with-bzip2=no --with-png=no && make clean && make all -j $JOBS) 11 | } 12 | 13 | get_git_revision git://git.sv.nongnu.org/freetype/freetype2.git cd02d359a6d0455e9d16b87bf9665961c4699538 SRC 14 | build_lib 15 | build_fuzzer 16 | 17 | if [[ ! -d seeds ]]; then 18 | mkdir seeds 19 | git clone https://github.com/unicode-org/text-rendering-tests.git TRT 20 | # TRT/fonts is the full seed folder, but they're too big 21 | cp TRT/fonts/TestKERNOne.otf seeds/ 22 | cp TRT/fonts/TestGLYFOne.ttf seeds/ 23 | rm -fr TRT 24 | fi 25 | 26 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 27 | # Link ASan runtime so we can hook memcmp et al. 28 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 29 | fi 30 | set -x 31 | $CXX $CXXFLAGS -std=c++11 -I BUILD/include -I BUILD/ BUILD/src/tools/ftfuzzer/ftfuzzer.cc BUILD/objs/.libs/libfreetype.a $LIB_FUZZING_ENGINE -larchive -lz -o $EXECUTABLE_NAME_BASE 32 | 33 | -------------------------------------------------------------------------------- /freetype2-2017/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . 
$(dirname $0)/../common.sh 5 | 6 | set -x 7 | rm -rf $CORPUS fuzz-*.log 8 | mkdir $CORPUS 9 | 10 | test_source_location() { 11 | SRC_LOC="$1" 12 | echo "test_source_location: $SRC_LOC" 13 | [ -e $EXECUTABLE_NAME_BASE ] && \ 14 | ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -exit_on_src_pos=$SRC_LOC -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS seeds 15 | grep "INFO: found line matching '$SRC_LOC'" fuzz-*.log || (date && exit 1) 16 | } 17 | 18 | # test_source_location ttinterp.c:2186 19 | test_source_location ttgload.c:1710:7 20 | -------------------------------------------------------------------------------- /guetzli-2017-3-30/README.md: -------------------------------------------------------------------------------- 1 | Finds an assertion failure in [guetzli](https://github.com/google/guetzli). 2 | 3 | Can be found in up to an hour, sometimes much faster, using the provided seeds and fuzzer flags. 4 | 5 | ``` 6 | guetzli/output_image.cc:398: void guetzli::OutputImage::SaveToJpegData(guetzli::JPEGData*) const: Assertion `coeff % quant == 0' failed. 7 | ==34794== ERROR: libFuzzer: deadly signal 8 | #0 0x4c4597 in __sanitizer_print_stack_trace 9 | #1 0x526741 in fuzzer::Fuzzer::CrashCallback() 10 | #2 0x52670d in fuzzer::Fuzzer::StaticCrashSignalCallback() 11 | ... 
12 | #7 0x7f2f8fe71ca1 in __assert_fail 13 | #8 0x509909 in guetzli::OutputImage::SaveToJpegData(guetzli::JPEGData*) const 14 | #9 0x4f5f65 in guetzli::(anonymous namespace)::Processor::TryQuantMatrix(guetzli::JPEGData const&, float, int (*) [64], guetzli::OutputImage*) 15 | #10 0x4f830a in SelectQuantMatrix 16 | #11 0x4f830a in guetzli::(anonymous namespace)::Processor::ProcessJpegData(guetzli::Params const&, guetzli::JPEGData const&, guetzli::Comparator*, guetzli::GuetzliOutput*, guetzli::ProcessStats*) 17 | #12 0x4fa196 in ProcessJpegData 18 | #13 0x4fa196 in guetzli::Process(guetzli::Params const&, guetzli::ProcessStats*, std::string const&, std::string*) 19 | #14 0x4ea17a in LLVMFuzzerTestOneInput 20 | ``` 21 | 22 | 23 | -------------------------------------------------------------------------------- /guetzli-2017-3-30/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | (cd BUILD && make guetzli_static -j $JOBS) 11 | } 12 | 13 | get_git_tag https://github.com/google/guetzli.git 9afd0bbb7db0bd3a50226845f0f6c36f14933b6b SRC 14 | build_lib 15 | build_fuzzer 16 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 17 | # Link ASan runtime so we can hook memcmp et al. 
18 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 19 | fi 20 | set -x 21 | $CXX $CXXFLAGS -std=c++11 BUILD/fuzz_target.cc -I BUILD/ BUILD/bin/Release/libguetzli_static.a $LIB_FUZZING_ENGINE -o $EXECUTABLE_NAME_BASE 22 | -------------------------------------------------------------------------------- /guetzli-2017-3-30/crash-5737651426557952: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/guetzli-2017-3-30/crash-5737651426557952 -------------------------------------------------------------------------------- /guetzli-2017-3-30/jpeg.dict: -------------------------------------------------------------------------------- 1 | # 2 | # AFL dictionary for JPEG images 3 | # ------------------------------ 4 | # 5 | # Created by Michal Zalewski 6 | # 7 | 8 | header_jfif="JFIF\x00" 9 | header_jfxx="JFXX\x00" 10 | 11 | section_ffc0="\xff\xc0" 12 | section_ffc2="\xff\xc2" 13 | section_ffc4="\xff\xc4" 14 | section_ffd0="\xff\xd0" 15 | section_ffd8="\xff\xd8" 16 | section_ffd9="\xff\xd9" 17 | section_ffda="\xff\xda" 18 | section_ffdb="\xff\xdb" 19 | section_ffdd="\xff\xdd" 20 | section_ffe0="\xff\xe0" 21 | section_ffe1="\xff\xe1" 22 | section_fffe="\xff\xfe" 23 | -------------------------------------------------------------------------------- /guetzli-2017-3-30/seeds/not_kitty.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/guetzli-2017-3-30/seeds/not_kitty.jpg -------------------------------------------------------------------------------- /guetzli-2017-3-30/seeds/semiseed: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/guetzli-2017-3-30/seeds/semiseed 
-------------------------------------------------------------------------------- /guetzli-2017-3-30/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../common.sh 5 | set -x 6 | rm -rf $CORPUS fuzz-*.log 7 | 8 | mkdir $CORPUS 9 | 10 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -max_len=180 -use_value_profile=1 -close_fd_mask=3 -dict=$SCRIPT_DIR/jpeg.dict -artifact_prefix=$CORPUS/ -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS $SCRIPT_DIR/seeds 11 | grep "ERROR: libFuzzer: deadly signal" fuzz-0.log || exit 1 12 | -------------------------------------------------------------------------------- /harfbuzz-1.3.2/README.md: -------------------------------------------------------------------------------- 1 | Finds assertion failure in [Harfbuzz](https://github.com/behdad/harfbuzz) 2 | 3 | Time to find: several hours. Sample crash file attached. 4 | 5 | ``` 6 | harfbuzz-1.3.2: hb-buffer.cc:419: bool hb_buffer_t::move_to(unsigned int): Assertion `i <= out_len + (len - idx)' failed. 7 | ``` 8 | 9 | 10 | -------------------------------------------------------------------------------- /harfbuzz-1.3.2/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . 
$(dirname $0)/../common.sh 6 | 7 | get_git_revision https://github.com/behdad/harfbuzz.git f73a87d9a8c76a181794b74b527ea268048f78e3 SRC 8 | 9 | build_lib() { 10 | rm -rf BUILD 11 | cp -rf SRC BUILD 12 | (cd BUILD && ./autogen.sh && CCLD="$CXX $CXXFLAGS" ./configure --enable-static --disable-shared && 13 | make -j $JOBS -C src fuzzing) 14 | } 15 | 16 | build_lib 17 | build_fuzzer 18 | 19 | if [[ ! -d seeds ]]; then 20 | mkdir seeds 21 | cp BUILD/test/shaping/fonts/sha1sum/* seeds/ 22 | fi 23 | 24 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 25 | # Link ASan runtime so we can hook memcmp et al. 26 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 27 | fi 28 | set -x 29 | $CXX $CXXFLAGS -std=c++11 -I BUILD/src/ BUILD/test/fuzzing/hb-fuzzer.cc BUILD/src/.libs/libharfbuzz-fuzzing.a $LIB_FUZZING_ENGINE -lglib-2.0 -o $EXECUTABLE_NAME_BASE 30 | -------------------------------------------------------------------------------- /harfbuzz-1.3.2/crash-ac7c48dc90984a43c1424106d7046c101ada4bf3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/harfbuzz-1.3.2/crash-ac7c48dc90984a43c1424106d7046c101ada4bf3 -------------------------------------------------------------------------------- /harfbuzz-1.3.2/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . 
$(dirname $0)/../common.sh 5 | set -x 6 | rm -rf $CORPUS fuzz-*.log 7 | mkdir $CORPUS 8 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -max_total_time=1800 -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS seeds 9 | grep "hb-buffer.cc:419: bool hb_buffer_t::move_to(unsigned int): Assertion `i <= out_len + (len - idx)' failed" fuzz-0.log 10 | -------------------------------------------------------------------------------- /json-2017-02-12/README.md: -------------------------------------------------------------------------------- 1 | This benchmark finds an [assertion failure](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=641) in [json](https://github.com/nlohmann/json). 2 | 3 | As of August 31, 2017, it's usually found in about 5 minutes using the provided 4 | seed. 5 | 6 | ``` 7 | json-2017-02-12-libfuzzer: BUILD/test/src/fuzzer-parse_json.cpp:50: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `s1 == s2' failed. 8 | ==...== ERROR: libFuzzer: deadly signal 9 | ``` 10 | -------------------------------------------------------------------------------- /json-2017-02-12/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | (cd BUILD && make fuzzers -Ctest -j $JOBS) 11 | } 12 | 13 | get_git_revision https://github.com/nlohmann/json.git b04543ecc58188a593f8729db38c2c87abd90dc3 SRC 14 | build_lib 15 | build_fuzzer 16 | 17 | cp -r $SCRIPT_DIR/seeds . 18 | 19 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 20 | # Link ASan runtime so we can hook memcmp et al. 
21 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 22 | fi 23 | $CXX $CXXFLAGS -std=c++11 -I BUILD/src BUILD/test/src/fuzzer-parse_json.cpp $LIB_FUZZING_ENGINE -o $EXECUTABLE_NAME_BASE 24 | -------------------------------------------------------------------------------- /json-2017-02-12/crash-1bd4fa4c5ddced4506c67dbe92e14ea7aa1bd47d: -------------------------------------------------------------------------------- 1 | 1000000000000000009E5 2 | -------------------------------------------------------------------------------- /json-2017-02-12/seeds/seed: -------------------------------------------------------------------------------- 1 | 10000000010E5 2 | -------------------------------------------------------------------------------- /json-2017-02-12/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../common.sh 5 | set -x 6 | rm -rf $CORPUS fuzz-*.log 7 | mkdir -p $CORPUS 8 | 9 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS seeds 10 | grep "ERROR: libFuzzer: deadly signal" fuzz-0.log || exit 1 11 | -------------------------------------------------------------------------------- /lcms-2017-03-21/README.md: -------------------------------------------------------------------------------- 1 | This is a benchmark for finding a 2 | [heap-buffer-overflow bug](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=925) in 3 | [Little-CMS](https://github.com/mm2/Little-CMS). 4 | 5 | Note that, in OSS-Fuzz, this bug was first found with [AFL](http://lcamtuf.coredump.cx/afl/). 6 | 7 | The following error can be found within 30 minutes of fuzzing, from the provided seed. 
8 | 9 | ``` 10 | ==27232==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800011b68c at pc 0x00000057c11a bp 0x7ffd7544b130 sp 0x7ffd7544b128 11 | READ of size 4 at 0x60800011b68c thread T0 12 | #0 0x57c119 in TetrahedralInterpFloat BUILD/src/cmsintrp.c:642:22 13 | #1 0x599c56 in _LUTeval16 BUILD/src/cmslut.c:1330:14 14 | #2 0x51a13a in CachedXFORM BUILD/src/cmsxform.c:525:17 15 | #3 0x512b8d in cmsDoTransform BUILD/src/cmsxform.c:189:5 16 | #4 0x4ea37c in LLVMFuzzerTestOneInput cms_transform_fuzzer.c 17 | ``` 18 | 19 | Generally, the above error is found. However, the [following error](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=931) is also present. 20 | 21 | ``` 22 | ==96256==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000048c at pc 0x00000057bfea bp 0x7ffd1790c010 sp 0x7ffd1790c008 23 | READ of size 4 at 0x60800000048c thread T0 24 | #0 0x57bfe9 in TetrahedralInterpFloat BUILD/src/cmsintrp.c:642:22 25 | #1 0x59a1f1 in _LUTevalFloat /usr/local BUILD/src/cmslut.c:1356:15 26 | #2 0x54e591 in XFormSampler16 BUILD/src/cmsopt.c:423:5 27 | #3 0x593e77 in cmsStageSampleCLut16bit BUILD/src/cmslut.c:797:14 28 | #4 0x54cdbf in OptimizeByResampling BUILD/src/cmsopt.c:734:10 29 | #5 0x54a74f in _cmsOptimizePipeline BUILD/src/cmsopt.c:1942:17 30 | #6 0x51521f in AllocEmptyTransform BUILD/src/cmsxform.c:819:15 31 | #7 0x5140a0 in cmsCreateExtendedTransform BUILD/src/cmsxform.c:1075:13 32 | #8 0x516ce2 in cmsCreateMultiprofileTransformTHR BUILD/src/cmsxform.c:1175:12 33 | #9 0x516ce2 in cmsCreateTransformTHR BUILD/src/cmsxform.c:1216 34 | #10 0x516ce2 in cmsCreateTransform BUILD/src/cmsxform.c:1226 35 | #11 0x4ea02c in LLVMFuzzerTestOneInput cms_transform_fuzzer.c:31:30 36 | ``` 37 | -------------------------------------------------------------------------------- /lcms-2017-03-21/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. 
All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | (cd BUILD && ./autogen.sh && ./configure --disable-shared && make -j $JOBS) 11 | } 12 | 13 | get_git_revision https://github.com/mm2/Little-CMS.git f9d75ccef0b54c9f4167d95088d4727985133c52 SRC 14 | build_lib 15 | build_fuzzer 16 | 17 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 18 | # Link ASan runtime so we can hook memcmp et al. 19 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 20 | fi 21 | set -x 22 | $CXX $CXXFLAGS ${SCRIPT_DIR}/cms_transform_fuzzer.c -I BUILD/include/ BUILD/src/.libs/liblcms2.a $LIB_FUZZING_ENGINE -o $EXECUTABLE_NAME_BASE 23 | -------------------------------------------------------------------------------- /lcms-2017-03-21/cms_transform_fuzzer.c: -------------------------------------------------------------------------------- 1 | // Copyright 2016 The PDFium Authors. All rights reserved. 2 | // Use of this source code is governed by a BSD-style license that can be 3 | // found in the LICENSE file. 
4 | #include 5 | 6 | #include "lcms2.h" 7 | 8 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 9 | cmsHPROFILE srcProfile = cmsOpenProfileFromMem(data, size); 10 | if (!srcProfile) return 0; 11 | 12 | cmsHPROFILE dstProfile = cmsCreate_sRGBProfile(); 13 | if (!dstProfile) { 14 | cmsCloseProfile(srcProfile); 15 | return 0; 16 | } 17 | 18 | cmsColorSpaceSignature srcCS = cmsGetColorSpace(srcProfile); 19 | cmsUInt32Number nSrcComponents = cmsChannelsOf(srcCS); 20 | cmsUInt32Number srcFormat; 21 | if (srcCS == cmsSigLabData) { 22 | srcFormat = 23 | COLORSPACE_SH(PT_Lab) | CHANNELS_SH(nSrcComponents) | BYTES_SH(0); 24 | } else { 25 | srcFormat = 26 | COLORSPACE_SH(PT_ANY) | CHANNELS_SH(nSrcComponents) | BYTES_SH(1); 27 | } 28 | 29 | cmsUInt32Number intent = 0; 30 | cmsUInt32Number flags = 0; 31 | cmsHTRANSFORM hTransform = cmsCreateTransform( 32 | srcProfile, srcFormat, dstProfile, TYPE_BGR_8, intent, flags); 33 | cmsCloseProfile(srcProfile); 34 | cmsCloseProfile(dstProfile); 35 | if (!hTransform) return 0; 36 | 37 | uint8_t output[4]; 38 | if (T_BYTES(srcFormat) == 0) { // 0 means double 39 | double input[nSrcComponents]; 40 | for (uint32_t i = 0; i < nSrcComponents; i++) input[i] = 0.5f; 41 | cmsDoTransform(hTransform, input, output, 1); 42 | } else { 43 | uint8_t input[nSrcComponents]; 44 | for (uint32_t i = 0; i < nSrcComponents; i++) input[i] = 128; 45 | cmsDoTransform(hTransform, input, output, 1); 46 | } 47 | cmsDeleteTransform(hTransform); 48 | 49 | return 0; 50 | } 51 | -------------------------------------------------------------------------------- /lcms-2017-03-21/crash-6a7f7b35fc6de5b19080b1c32588c727caf5d396: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/lcms-2017-03-21/crash-6a7f7b35fc6de5b19080b1c32588c727caf5d396 -------------------------------------------------------------------------------- 
/lcms-2017-03-21/seeds/seed: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/lcms-2017-03-21/seeds/seed -------------------------------------------------------------------------------- /lcms-2017-03-21/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | set -x 5 | . $(dirname $0)/../common.sh 6 | rm -rf $CORPUS fuzz-*.log 7 | mkdir $CORPUS 8 | 9 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS $SCRIPT_DIR/seeds 10 | grep 'ERROR: AddressSanitizer: heap-buffer-overflow' fuzz-0.log || exit 1 11 | 12 | -------------------------------------------------------------------------------- /libarchive-2017-01-04/README.md: -------------------------------------------------------------------------------- 1 | This is a benchmark for finding a 2 | [heap-buffer-overflow bug](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=382) in 3 | [libarchive](https://github.com/libarchive/libarchive). 4 | 5 | The bug can be found in under 1 hour, when starting from the provided seed. 
6 | ``` 7 | ==115561==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000000bc8 at pc 0x00000059259b bp 0x7ffde8169f10 sp 0x7ffde8169f08 8 | READ of size 1 at 0x616000000bc8 thread T0 9 | #0 0x59259a in xstrpisotime libarchive/archive_read_support_format_warc.c:537:9 10 | #1 0x58f7e6 in _warc_rdrtm libarchive/archive_read_support_format_warc.c:757:8 11 | #2 0x58f7e6 in _warc_rdhdr libarchive/archive_read_support_format_warc.c:273 12 | #3 0x4f46c1 in _archive_read_next_header2 libarchive/archive_read.c:648:7 13 | #4 0x4f43dd in _archive_read_next_header libarchive/archive_read.c:686:8 14 | #5 0x4eb0e8 in LLVMFuzzerTestOneInput libarchive-2017-01-04/libarchive_fuzzer.cc:48:10 15 | 16 | ``` 17 | -------------------------------------------------------------------------------- /libarchive-2017-01-04/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | (cd BUILD/build && ./autogen.sh && cd .. && ./configure --disable-shared --without-nettle && make -j $JOBS) 11 | } 12 | 13 | get_git_revision https://github.com/libarchive/libarchive.git 51d7afd3644fdad725dd8faa7606b864fd125f88 SRC 14 | build_lib 15 | build_fuzzer 16 | 17 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 18 | # Link ASan runtime so we can hook memcmp et al. 
19 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 20 | fi 21 | set -x 22 | $CXX $CXXFLAGS -std=c++11 $SCRIPT_DIR/libarchive_fuzzer.cc -I BUILD/libarchive BUILD/.libs/libarchive.a $LIB_FUZZING_ENGINE -lz -lbz2 -lxml2 -lcrypto -lssl -llzma -o $EXECUTABLE_NAME_BASE 23 | -------------------------------------------------------------------------------- /libarchive-2017-01-04/clusterfuzz-testcase-minimized-6117891166437376: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/libarchive-2017-01-04/clusterfuzz-testcase-minimized-6117891166437376 -------------------------------------------------------------------------------- /libarchive-2017-01-04/libarchive_fuzzer.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 Google Inc. 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 
14 | // 15 | //////////////////////////////////////////////////////////////////////////////// 16 | #include 17 | #include 18 | #include 19 | 20 | #include "archive.h" 21 | 22 | struct Buffer { 23 | const uint8_t *buf; 24 | size_t len; 25 | }; 26 | 27 | ssize_t reader_callback(struct archive *a, void *client_data, 28 | const void **block) { 29 | Buffer *buffer = reinterpret_cast(client_data); 30 | *block = buffer->buf; 31 | ssize_t len = buffer->len; 32 | buffer->len = 0; 33 | return len; 34 | } 35 | 36 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { 37 | ssize_t r; 38 | struct archive *a = archive_read_new(); 39 | 40 | archive_read_support_filter_all(a); 41 | archive_read_support_format_all(a); 42 | 43 | Buffer buffer = {buf, len}; 44 | archive_read_open(a, &buffer, NULL, reader_callback, NULL); 45 | 46 | std::vector data_buffer(getpagesize(), 0); 47 | struct archive_entry *entry; 48 | while (archive_read_next_header(a, &entry) == ARCHIVE_OK) { 49 | while ((r = archive_read_data(a, data_buffer.data(), 50 | data_buffer.size())) > 0) 51 | ; 52 | if (r == ARCHIVE_FATAL) 53 | break; 54 | } 55 | 56 | archive_read_free(a); 57 | return 0; 58 | } 59 | -------------------------------------------------------------------------------- /libarchive-2017-01-04/seeds/seed: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/libarchive-2017-01-04/seeds/seed -------------------------------------------------------------------------------- /libarchive-2017-01-04/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | 5 | set -x 6 | . 
$(dirname $0)/../common.sh 7 | rm -rf $CORPUS fuzz-*.log 8 | mkdir $CORPUS 9 | 10 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -jobs=$JOBS -workers=$JOBS -max_len=1000 $LIBFUZZER_FLAGS $CORPUS $SCRIPT_DIR/seeds 11 | grep 'ERROR: AddressSanitizer: heap-buffer-overflow' fuzz-0.log || exit 1 12 | 13 | -------------------------------------------------------------------------------- /libjpeg-turbo-07-2017/README.md: -------------------------------------------------------------------------------- 1 | This is a fuzzing benchmark for [libjpeg-turbo](https://github.com/libjpeg-turbo/libjpeg-turbo). 2 | Instead of searching for a bug, this benchmark attempts to reach a particular line of code which is known to be difficult to reach. 3 | 4 | As of July 11, 2017, this benchmark can be completed in about an hour when using libFuzzer and the provided seed. 5 | 6 | -------------------------------------------------------------------------------- /libjpeg-turbo-07-2017/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | (cd BUILD && autoreconf -fiv && ./configure --disable-shared && make -j $JOBS) 11 | } 12 | 13 | get_git_revision https://github.com/libjpeg-turbo/libjpeg-turbo.git b0971e47d76fdb81270e93bbf11ff5558073350d SRC 14 | build_lib 15 | build_fuzzer 16 | 17 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 18 | # Link ASan runtime so we can hook memcmp et al. 
19 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 20 | fi 21 | set -x 22 | $CXX $CXXFLAGS -std=c++11 $SCRIPT_DIR/libjpeg_turbo_fuzzer.cc -I BUILD BUILD/.libs/libturbojpeg.a $LIB_FUZZING_ENGINE -o $EXECUTABLE_NAME_BASE 23 | -------------------------------------------------------------------------------- /libjpeg-turbo-07-2017/libjpeg_turbo_fuzzer.cc: -------------------------------------------------------------------------------- 1 | /* 2 | # Copyright 2016 Google Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | ################################################################################ 17 | */ 18 | 19 | #include 20 | #include 21 | 22 | #include 23 | 24 | #include 25 | 26 | 27 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 28 | tjhandle jpegDecompressor = tjInitDecompress(); 29 | 30 | int width, height, subsamp, colorspace; 31 | int res = tjDecompressHeader3( 32 | jpegDecompressor, data, size, &width, &height, &subsamp, &colorspace); 33 | 34 | // Bail out if decompressing the headers failed, the width or height is 0, 35 | // or the image is too large (avoids slowing down too much). 
Cast to size_t to 36 | // avoid overflows on the multiplication 37 | if (res != 0 || width == 0 || height == 0 || ((size_t)width * height > (1024 * 1024))) { 38 | tjDestroy(jpegDecompressor); 39 | return 0; 40 | } 41 | 42 | std::unique_ptr buf(new unsigned char[width * height * 3]); 43 | tjDecompress2( 44 | jpegDecompressor, data, size, buf.get(), width, 0, height, TJPF_RGB, 0); 45 | 46 | tjDestroy(jpegDecompressor); 47 | 48 | return 0; 49 | } 50 | -------------------------------------------------------------------------------- /libjpeg-turbo-07-2017/seeds/seed.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/libjpeg-turbo-07-2017/seeds/seed.jpg -------------------------------------------------------------------------------- /libjpeg-turbo-07-2017/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../common.sh 5 | set -x 6 | rm -rf $CORPUS fuzz-*.log 7 | mkdir $CORPUS 8 | 9 | test_source_location() { 10 | SRC_LOC="$1" 11 | echo "test_source_location: $SRC_LOC" 12 | rm -f *.log 13 | [ -e $EXECUTABLE_NAME_BASE ] && \ 14 | ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -exit_on_src_pos=$SRC_LOC -jobs=$JOBS -workers=$JOBS -print_pcs=1 $LIBFUZZER_FLAGS $CORPUS $SCRIPT_DIR/seeds 15 | grep "INFO: found line matching '$SRC_LOC'" fuzz-*.log || exit 1 16 | } 17 | 18 | test_source_location jdmarker.c:659 19 | 20 | -------------------------------------------------------------------------------- /libpng-1.2.56/README.md: -------------------------------------------------------------------------------- 1 | Benchmark for [libpng](http://www.libpng.org/pub/png/libpng.html)-1.2.56.
2 | 3 | This code may call `malloc(2147483648)` (repro attached). 4 | 5 | We use this benchmark to verify that the fuzzer can reach a set of known source 6 | locations. 7 | -------------------------------------------------------------------------------- /libpng-1.2.56/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | [ ! -e libpng-1.2.56.tar.gz ] && wget https://downloads.sourceforge.net/project/libpng/libpng12/older-releases/1.2.56/libpng-1.2.56.tar.gz 8 | [ ! -e libpng-1.2.56 ] && tar xf libpng-1.2.56.tar.gz 9 | 10 | build_lib() { 11 | rm -rf BUILD 12 | cp -rf libpng-1.2.56 BUILD 13 | (cd BUILD && ./configure --disable-shared && make -j $JOBS) 14 | } 15 | 16 | build_lib || exit 1 17 | build_fuzzer || exit 1 18 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 19 | # Link ASan runtime so we can hook memcmp et al. 
20 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 21 | fi 22 | set -x 23 | $CXX $CXXFLAGS -std=c++11 $SCRIPT_DIR/target.cc BUILD/.libs/libpng12.a $LIB_FUZZING_ENGINE -I BUILD/ -I BUILD -lz -o $EXECUTABLE_NAME_BASE 24 | $CXX $CXXFLAGS -std=c++11 $SCRIPT_DIR/target.cc BUILD/.libs/libpng12.a $LIB_FUZZING_ENGINE -I BUILD/ -I BUILD -lz -o $EXECUTABLE_NAME_BASE-structure-aware \ 25 | -include $SCRIPT_DIR/png_mutator.h -DPNG_MUTATOR_DEFINE_LIBFUZZER_CUSTOM_MUTATOR -DSTANDALONE_TARGET=$STANDALONE_TARGET 26 | -------------------------------------------------------------------------------- /libpng-1.2.56/oom-63efa8b5a2adf76dc225d62939db3337ff6774f1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/libpng-1.2.56/oom-63efa8b5a2adf76dc225d62939db3337ff6774f1 -------------------------------------------------------------------------------- /libpng-1.2.56/png_mutator.h: -------------------------------------------------------------------------------- 1 | // Copyright 2019 Google Inc. All Rights Reserved. 2 | // Licensed under the Apache License, Version 2.0 (the "License"); 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #include 13 | 14 | // A simple class for parsing, serializing, and mutating an PNG file. 15 | // https://en.wikipedia.org/wiki/Portable_Network_Graphics 16 | // It is an example of a custom mutator for libFuzzer 17 | // (https://llvm.org/docs/LibFuzzer.html) used for 18 | // "structure-aware coverage-guided fuzzing". 19 | // 20 | // If you have a non structure-aware fuzz target for any API that handles 21 | // PNG inputs, you can turn that fuzz target into a structure-aware one 22 | // by defining PNG_MUTATOR_DEFINE_LIBFUZZER_CUSTOM_MUTATOR and then 23 | // including this file. 
24 | class PngMutator { 25 | using V = std::vector; 26 | 27 | public: 28 | 29 | // Parse the input stream as a PNG file, 30 | // put every chunk into its own vector, 31 | // uncompress chunk data when needed, 32 | // merge the IDAT chunks into one vector. 33 | PngMutator(std::istream &in) { 34 | ihdr_.resize(13); 35 | Read4(in); 36 | Read4(in); // Skip the 8-byte magic value. 37 | // read IHDR. 38 | if (ReadInteger(in) != 13) return; 39 | if (Read4(in) != Type("IHDR")) return; 40 | // Read 13 values. 41 | in.read((char*)ihdr_.data(), ihdr_.size()); 42 | Read4(in); // ignore CRC 43 | ssize_t idat_idx = -1; 44 | 45 | while (in) { 46 | uint32_t len = ReadInteger(in); 47 | uint32_t type = Read4(in); 48 | if (type == Type("IEND")) break; // do nothing 49 | char chunk_name[5]; 50 | memcpy(chunk_name, &type, 4); 51 | chunk_name[4] = 0; 52 | if (len > (1 << 20)) return; 53 | V v(len); 54 | in.read((char *)v.data(), len); 55 | Read4(in); // ignore CRC 56 | 57 | if (type == Type("IDAT")) { 58 | if (idat_idx != -1) 59 | Append(&chunks_[idat_idx].v, v); 60 | else { 61 | idat_idx = chunks_.size(); 62 | chunks_.push_back({type, v}); 63 | } 64 | } else if (type == Type("iCCP")) { 65 | auto it = v.begin(); 66 | while (it < v.end() && isprint(*it)) it++; 67 | if (it < v.end() && !*it) it++; 68 | if (it < v.end() && !*it) it++; 69 | v = V(it, v.end()); 70 | auto uncompressed = Uncompress(v); 71 | chunks_.push_back({type, uncompressed}); 72 | auto compressed = Compress(uncompressed); 73 | } else { 74 | chunks_.push_back({type, v}); 75 | } 76 | // std::cerr << "CHUNK: " << chunk_name << std::endl; 77 | } 78 | if (idat_idx != -1) 79 | chunks_[idat_idx].v = Uncompress(chunks_[idat_idx].v); 80 | } 81 | 82 | // Write back the PNG file. 
83 | void Serialize(std::ostream &out) { 84 | const unsigned char header[] = {0x89, 0x50, 0x4e, 0x47, 85 | 0x0d, 0x0a, 0x1a, 0x0a}; 86 | out.write((const char*)header, sizeof(header)); 87 | WriteChunk(out, "IHDR", ihdr_); 88 | for (auto &ch : chunks_) { 89 | if (ch.type == Type("iCCP")) { 90 | V v; 91 | v.push_back('x'); // assuming the iCCP name doesn't matter. 92 | v.push_back(0); 93 | v.push_back(0); 94 | auto compressed = Compress(ch.v); 95 | Append(&v, compressed); 96 | WriteChunk(out, ch.type, v); 97 | } else { 98 | WriteChunk(out, ch.type, ch.v); 99 | } 100 | } 101 | 102 | WriteChunk(out, "IEND", {}); 103 | } 104 | 105 | // Raw byte array mutator, like that provided by libFuzzer. 106 | using Mutator = size_t (*)(uint8_t *Data, size_t Size, size_t MaxSize); 107 | 108 | // Mutate the in-memory representation of a PNG file. 109 | // Given the same Seed, the same mutation is performed. 110 | void Mutate(Mutator m, unsigned int Seed) { 111 | std::minstd_rand rnd(Seed); 112 | auto M = [&](V *v) { 113 | if (v->empty()) 114 | v->resize(v->size() + 1 + rnd() % 256); 115 | v->resize(m(v->data(), v->size(), v->size())); 116 | }; 117 | switch (rnd() % 6) { 118 | // Mutate IHDR. 119 | case 0: 120 | m(ihdr_.data(), ihdr_.size(), ihdr_.size()); 121 | break; 122 | // Mutate some other chunk. 123 | case 1: 124 | if (!chunks_.empty()) M(&chunks_[rnd() % chunks_.size()].v); 125 | break; 126 | // Shuffle the chunks. 127 | case 2: 128 | std::shuffle(chunks_.begin(), chunks_.end(), rnd); 129 | break; 130 | // Delete a random chunk. 131 | case 3: 132 | if (!chunks_.empty()) 133 | chunks_.erase(chunks_.begin() + rnd() % chunks_.size()); 134 | break; 135 | // Insert a random chunk with one of the known types, or a random type. 
136 | case 4: { 137 | static const char *types[] = { 138 | "IATx", "sTER", "hIST", "sPLT", "mkBF", "mkBS", "mkTS", "prVW", 139 | "oFFs", "iDOT", "zTXt", "mkBT", "acTL", "iTXt", "sBIT", "tIME", 140 | "iCCP", "vpAg", "tRNS", "cHRM", "PLTE", "bKGD", "gAMA", "sRGB", 141 | "pHYs", "fdAT", "fcTL", "tEXt", "IDAT", 142 | "pCAL", "sCAL", "eXIf", 143 | "fUZz", // special chunk for extra fuzzing hints. 144 | }; 145 | static const size_t n_types = sizeof(types) / sizeof(types[0]); 146 | uint32_t type = 147 | (rnd() % 10 <= 8) ? Type(types[rnd() % n_types]) : (uint32_t)rnd(); 148 | size_t len = rnd() % 256; 149 | if (type == Type("fUZz")) 150 | len = 16; 151 | V v(len); 152 | for (auto &b : v) b = rnd(); 153 | size_t pos = rnd() % (chunks_.size() + 1); 154 | chunks_.insert(chunks_.begin() + pos, {type, v}); 155 | } break; 156 | // Any more interesting mutations with a PNG file? 157 | case 5: { 158 | auto it = std::find_if( 159 | chunks_.begin(), chunks_.end(), 160 | [](const Chunk &ch) { return ch.type == Type("fUZz"); }); 161 | if (it != chunks_.end()) 162 | m(it->v.data(), it->v.size(), it->v.size()); 163 | } 164 | 165 | } 166 | } 167 | 168 | // Takes a random chunk from p and inserts into *this. 
169 | void CrossOver(const PngMutator &p, unsigned int Seed) { 170 | if (p.chunks_.empty()) return; 171 | std::minstd_rand rnd(Seed); 172 | size_t idx = rnd() % p.chunks_.size(); 173 | auto &ch = p.chunks_[idx]; 174 | size_t pos = rnd() % (chunks_.size() + 1); 175 | chunks_.insert(chunks_.begin() + pos, ch); 176 | } 177 | 178 | private: 179 | void Append(V *to, const V &from) { 180 | to->insert(to->end(), from.begin(), from.end()); 181 | } 182 | 183 | uint32_t Read4(std::istream &in) { 184 | uint32_t res = 0; 185 | in.read((char *)&res, sizeof(res)); 186 | return res; 187 | } 188 | uint32_t ReadInteger(std::istream &in) { 189 | return __builtin_bswap32(Read4(in)); 190 | } 191 | static uint32_t Type(const char *tagname) { 192 | uint32_t res; 193 | assert(strlen(tagname) == 4); 194 | memcpy(&res, tagname, 4); 195 | return res; 196 | } 197 | 198 | void WriteInt(std::ostream &out, uint32_t x) { 199 | x = __builtin_bswap32(x); 200 | out.write((char *)&x, sizeof(x)); 201 | } 202 | 203 | // Chunk is written as: 204 | // * 4-byte length 205 | // * 4-byte type 206 | // * the data itself 207 | // * 4-byte crc (of type and data) 208 | void WriteChunk(std::ostream &out, const char *type, const V &chunk, 209 | bool compress = false) { 210 | V compressed; 211 | const V *v = &chunk; 212 | if (compress) { 213 | compressed = Compress(chunk); 214 | v = &compressed; 215 | } 216 | uint32_t len = v->size(); 217 | uint32_t crc = crc32(0, (const unsigned char *)type, 4); 218 | if (v->size()) 219 | crc = crc32(crc, (const unsigned char *)v->data(), v->size()); 220 | WriteInt(out, len); 221 | out.write(type, 4); 222 | out.write((const char*)v->data(), v->size()); 223 | WriteInt(out, crc); 224 | } 225 | 226 | void WriteChunk(std::ostream &out, uint32_t type, const V &chunk) { 227 | char type_s[5]; 228 | memcpy(type_s, &type, 4); 229 | type_s[4] = 0; 230 | WriteChunk(out, type_s, chunk); 231 | } 232 | 233 | V Uncompress(const V &compressed) { 234 | V v; 235 | static const size_t kMaxBuffer = 
1 << 28; 236 | for (size_t sz = compressed.size() * 4; sz < kMaxBuffer; sz *= 2) { 237 | v.resize(sz); 238 | unsigned long len = sz; 239 | auto res = 240 | uncompress(v.data(), &len, compressed.data(), compressed.size()); 241 | if (res == Z_BUF_ERROR) continue; 242 | if (res != Z_OK) return {}; 243 | v.resize(len); 244 | break; 245 | } 246 | return v; 247 | } 248 | 249 | V Compress(const V &uncompressed) { 250 | V v; 251 | static const size_t kMaxBuffer = 1 << 28; 252 | for (size_t sz = uncompressed.size(); sz < kMaxBuffer; sz *= 2) { 253 | v.resize(sz); 254 | unsigned long len = sz; 255 | auto res = 256 | compress(v.data(), &len, uncompressed.data(), uncompressed.size()); 257 | if (res == Z_BUF_ERROR) continue; 258 | if (res != Z_OK) return {}; 259 | v.resize(len); 260 | break; 261 | } 262 | return v; 263 | } 264 | 265 | void PrintHex(const V &v, size_t max_n) { 266 | for (size_t i = 0; i < max_n && i < v.size(); i++) { 267 | std::cerr << "0x" << std::hex << (unsigned)v[i] << " " << std::dec; 268 | } 269 | std::cerr << std::endl; 270 | } 271 | 272 | V ihdr_; 273 | 274 | struct Chunk { 275 | uint32_t type; 276 | V v; 277 | }; 278 | std::vector chunks_; 279 | }; 280 | 281 | 282 | #ifdef PNG_MUTATOR_DEFINE_LIBFUZZER_CUSTOM_MUTATOR 283 | 284 | extern "C" size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize); 285 | 286 | #if STANDALONE_TARGET 287 | size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) { 288 | assert(false && "LLVMFuzzerMutate should not be called from StandaloneFuzzTargetMain"); 289 | return 0; 290 | } 291 | #endif 292 | 293 | extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *Data, size_t Size, 294 | size_t MaxSize, unsigned int Seed) { 295 | std::string s(reinterpret_cast(Data), Size); 296 | std::stringstream in(s); 297 | std::stringstream out; 298 | PngMutator p(in); 299 | p.Mutate(LLVMFuzzerMutate, Seed); 300 | p.Serialize(out); 301 | const auto &str = out.str(); 302 | if (str.size() > MaxSize) return Size; 303 | 
memcpy(Data, str.data(), str.size()); 304 | return str.size(); 305 | } 306 | 307 | extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t *Data1, size_t Size1, 308 | const uint8_t *Data2, size_t Size2, 309 | uint8_t *Out, size_t MaxOutSize, 310 | unsigned int Seed) { 311 | std::stringstream in1( 312 | std::string(reinterpret_cast(Data1), Size1)); 313 | std::stringstream in2( 314 | std::string(reinterpret_cast(Data2), Size2)); 315 | PngMutator p1(in1); 316 | PngMutator p2(in2); 317 | p1.CrossOver(p2, Seed); 318 | std::stringstream out; 319 | p1.Serialize(out); 320 | const auto &str = out.str(); 321 | if (str.size() > MaxOutSize) return 0; 322 | memcpy(Out, str.data(), str.size()); 323 | return str.size(); 324 | } 325 | 326 | #endif // PNG_MUTATOR_DEFINE_LIBFUZZER_CUSTOM_MUTATOR 327 | -------------------------------------------------------------------------------- /libpng-1.2.56/seeds/seed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/libpng-1.2.56/seeds/seed.png -------------------------------------------------------------------------------- /libpng-1.2.56/target.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 Google Inc. All Rights Reserved. 2 | // Licensed under the Apache License, Version 2.0 (the "License"); 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #define PNG_INTERNAL // For PNG_FLAG_CRC_CRITICAL_MASK, etc. 
9 | #include "png.h" 10 | 11 | struct BufState { 12 | const uint8_t* data; 13 | size_t bytes_left; 14 | }; 15 | 16 | void user_read_data(png_structp png_ptr, png_bytep data, png_size_t length) { 17 | BufState* buf_state = static_cast(png_get_io_ptr(png_ptr)); 18 | if (length > buf_state->bytes_left) { 19 | png_error(png_ptr, "read error"); 20 | } 21 | memcpy(data, buf_state->data, length); 22 | buf_state->bytes_left -= length; 23 | buf_state->data += length; 24 | } 25 | 26 | static const int kPngHeaderSize = 8; 27 | 28 | struct ScopedPngObject { 29 | ~ScopedPngObject() { 30 | if (row && png_ptr) { 31 | png_free(png_ptr, row); 32 | } 33 | if (png_ptr && info_ptr) { 34 | png_destroy_read_struct(&png_ptr, &info_ptr, nullptr); 35 | } 36 | delete buf_state; 37 | } 38 | png_infop info_ptr = nullptr; 39 | png_voidp row = 0; 40 | png_structp png_ptr = nullptr; 41 | BufState *buf_state = nullptr; 42 | }; 43 | 44 | bool DetectLargeSize(const uint8_t *data, size_t size) { 45 | uint8_t *ihdr = reinterpret_cast(memmem(data, size, "IHDR", 4)); 46 | if (!ihdr) return false; 47 | if (ihdr + 12 > data + size) return false; 48 | uint32_t W = *(uint32_t*)(ihdr + 4); 49 | uint32_t H = *(uint32_t*)(ihdr + 8); 50 | W = __builtin_bswap32(W); 51 | H = __builtin_bswap32(H); 52 | uint64_t WxH = static_cast(W) * H; 53 | if (WxH > 100000ULL) { 54 | // fprintf(stderr, "ZZZ %zu %u %u\n", WxH, W, H); 55 | return true; 56 | } 57 | return false; 58 | } 59 | 60 | // Fuzzing entry point. Roughly follows the libpng book example: 61 | // http://www.libpng.org/pub/png/book/chapter13.html 62 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 63 | if (size < kPngHeaderSize) { 64 | return 0; 65 | } 66 | ScopedPngObject O; 67 | if (png_sig_cmp(const_cast(data), 0, kPngHeaderSize)) { 68 | // not a PNG. 
69 | return 0; 70 | } 71 | 72 | // if (DetectLargeSize(data, size)) return 0; 73 | 74 | auto &png_ptr = O.png_ptr; 75 | png_ptr = png_create_read_struct 76 | (PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr); 77 | assert(png_ptr); 78 | 79 | png_ptr->flags &= ~PNG_FLAG_CRC_CRITICAL_MASK; 80 | png_ptr->flags |= PNG_FLAG_CRC_CRITICAL_IGNORE; 81 | 82 | png_ptr->flags &= ~PNG_FLAG_CRC_ANCILLARY_MASK; 83 | png_ptr->flags |= PNG_FLAG_CRC_ANCILLARY_NOWARN; 84 | 85 | auto &info_ptr = O.info_ptr; 86 | info_ptr = png_create_info_struct(png_ptr); 87 | assert(info_ptr); 88 | 89 | // Setting up reading from buffer. 90 | auto &buf_state = O.buf_state; 91 | buf_state = new BufState(); 92 | buf_state->data = data + kPngHeaderSize; 93 | buf_state->bytes_left = size - kPngHeaderSize; 94 | png_set_read_fn(png_ptr, buf_state, user_read_data); 95 | png_set_sig_bytes(png_ptr, kPngHeaderSize); 96 | int passes = 0; 97 | 98 | // libpng error handling. 99 | if (setjmp(png_ptr->jmpbuf)) { 100 | return 0; 101 | } 102 | 103 | // png_ptr->mode & PNG_HAVE_IDAT 104 | // Reading 105 | png_read_info(png_ptr, info_ptr); 106 | 107 | png_uint_32 width, height; 108 | int bit_depth, color_type, interlace_type, compression_type; 109 | int filter_type; 110 | 111 | if (!png_get_IHDR(png_ptr, info_ptr, &width, &height, 112 | &bit_depth, &color_type, &interlace_type, 113 | &compression_type, &filter_type)) { 114 | return 0; 115 | } 116 | 117 | if (height * width > 2000000) return 0; // This is going to be too slow. 
118 | 119 | 120 | passes = png_set_interlace_handling(png_ptr); 121 | png_start_read_image(png_ptr); 122 | 123 | O.row = png_malloc(png_ptr, png_get_rowbytes(png_ptr, info_ptr)); 124 | 125 | for (int pass = 0; pass < passes; ++pass) { 126 | for (png_uint_32 y = 0; y < height; ++y) { 127 | png_read_row(png_ptr, static_cast(O.row), NULL); 128 | } 129 | } 130 | return 0; 131 | } 132 | -------------------------------------------------------------------------------- /libpng-1.2.56/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../common.sh 5 | set -x 6 | rm -rf $CORPUS fuzz-*.log 7 | mkdir $CORPUS 8 | 9 | # seed.png was generated by this command: 10 | # onvert -background white -size 80x label:"X" -trim +repage seed.png 11 | 12 | test_source_location() { 13 | SRC_LOC="$1" 14 | echo "test_source_location: $SRC_LOC" 15 | rm -f *.log 16 | # This target has a 2Gb malloc oom, so we have to use rss_limit_mb=3000 17 | [ -e $EXECUTABLE_NAME_BASE ] && \ 18 | ./$EXECUTABLE_NAME_BASE -close_fd_mask=3 -artifact_prefix=$CORPUS/ -exit_on_src_pos=$SRC_LOC -runs=100000000 -jobs=$JOBS -workers=$JOBS $CORPUS $SCRIPT_DIR/seeds -rss_limit_mb=3000 $LIBFUZZER_FLAGS 19 | grep "INFO: found line matching '$SRC_LOC'" fuzz-*.log || exit 1 20 | } 21 | 22 | test_source_location png.c:1035 23 | test_source_location png_handle_sRGB 24 | test_source_location pngread.c:757 25 | # The following currently require too much time to find. 
26 | #test_source_location pngrutil.c:1393 27 | #test_source_location pngread.c:738 28 | #test_source_location pngrutil.c:3182 29 | #test_source_location pngrutil.c:139 30 | -------------------------------------------------------------------------------- /libssh-2017-1272/README.md: -------------------------------------------------------------------------------- 1 | This is a benchmark for finding a 2 | [memory leak bug](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1272) in 3 | [libssh](https://www.libssh.org). 4 | 5 | The following error can be found in about 2 minutes of fuzzing. 6 | 7 | ``` 8 | ERROR: LeakSanitizer: detected memory leaks 9 | 10 | Direct leak of 1 byte(s) in 1 object(s) allocated from: 11 | #0 0x4bf8ea in calloc 12 | #1 0x5048f7 in ssh_packet_userauth_info_response src/messages.c:1001:30 13 | #2 0x51237d in ssh_packet_process src/packet.c:451:5 14 | #3 0x511c40 in ssh_packet_socket_callback src/packet.c:332:13 15 | #4 0x5263ad in ssh_socket_pollcallback src/socket.c:298:25 16 | #5 0x5c93c0 in ssh_poll_ctx_dopoll src/poll.c:632:27 17 | #6 0x524a62 in ssh_handle_packets src/session.c:634:10 18 | #7 0x52452b in ssh_handle_packets_termination src/session.c:696:15 19 | #8 0x55810d in ssh_handle_key_exchange src/server.c:589:10 20 | #9 0x4ed2cd in LLVMFuzzerTestOneInput 21 | ``` 22 | -------------------------------------------------------------------------------- /libssh-2017-1272/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . 
$(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | ( 11 | set -e 12 | cd BUILD 13 | mkdir build 14 | cd build 15 | cmake -DCMAKE_C_COMPILER="$CC" \ 16 | -DCMAKE_CXX_COMPILER="$CXX" \ 17 | -DCMAKE_C_FLAGS="$CFLAGS -fcommon" \ 18 | -DCMAKE_CXX_FLAGS="$CXXFLAGS -fcommon" \ 19 | -DWITH_STATIC_LIB=ON .. 20 | make -j $JOBS 21 | ) 22 | } 23 | 24 | get_git_revision git://git.libssh.org/projects/libssh.git 7c79b5c154ce2788cf5254a62468fee5112f7640 SRC 25 | build_lib 26 | build_fuzzer 27 | 28 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 29 | # Link ASan runtime so we can hook memcmp et al. 30 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 31 | fi 32 | set -x 33 | $CXX $CXXFLAGS -std=c++11 "$SCRIPT_DIR/libssh_server_fuzzer.cc" -I BUILD/include/ BUILD/build/src/libssh.a $LIB_FUZZING_ENGINE -lcrypto -lgss -lz -o $EXECUTABLE_NAME_BASE 34 | 35 | -------------------------------------------------------------------------------- /libssh-2017-1272/clusterfuzz-testcase-minimized-5180149127446528: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/libssh-2017-1272/clusterfuzz-testcase-minimized-5180149127446528 -------------------------------------------------------------------------------- /libssh-2017-1272/libssh_server_fuzzer.cc: -------------------------------------------------------------------------------- 1 | /* 2 | # Copyright 2016 Google Inc. 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 15 | # 16 | ################################################################################ 17 | */ 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | 27 | #define LIBSSH_STATIC 1 28 | #include 29 | #include 30 | 31 | static const char kRSAPrivateKeyPEM[] = 32 | "-----BEGIN RSA PRIVATE KEY-----\n" 33 | "MIIEowIBAAKCAQEArAOREUWlBXJAKZ5hABYyxnRayDZP1bJeLbPVK+npxemrhHyZ\n" 34 | "gjdbY3ADot+JRyWjvll2w2GI+3blt0j+x/ZWwjMKu/QYcycYp5HL01goxOxuusZb\n" 35 | "i+KiHRGB6z0EMdXM7U82U7lA/j//HyZppyDjUDniWabXQJge8ksGXGTiFeAJ/687\n" 36 | "uV+JJcjGPxAGFQxzyjitf/FrL9S0WGKZbyqeGDzyeBZ1NLIuaiOORyLGSW4duHLD\n" 37 | "N78EmsJnwqg2gJQmRSaD4BNZMjtbfiFcSL9Uw4XQFTsWugUDEY1AU4c5g11nhzHz\n" 38 | "Bi9qMOt5DzrZQpD4j0gA2LOHpHhoOdg1ZuHrGQIDAQABAoIBAFJTaqy/jllq8vZ4\n" 39 | "TKiD900wBvrns5HtSlHJTe80hqQoT+Sa1cWSxPR0eekL32Hjy9igbMzZ83uWzh7I\n" 40 | "mtgNODy9vRdznfgO8CfTCaBfAzQsjFpr8QikMT6EUI/LpiRL1UaGsNOlSEvnSS0Z\n" 41 | "b1uDzAdrjL+nsEHEDJud+K9jwSkCRifVMy7fLfaum+YKpdeEz7K2Mgm5pJ/Vg+9s\n" 42 | "vI2V1q7HAOI4eUVTgJNHXy5ediRJlajQHf/lNUzHKqn7iH+JRl01gt62X8roG62b\n" 43 | "TbFylbheqMm9awuSF2ucOcx+guuwhkPir8BEMb08j3hiK+TfwPdY0F6QH4OhiKK7\n" 44 | "MTqTVgECgYEA0vmmu5GOBtwRmq6gVNCHhdLDQWaxAZqQRmRbzxVhFpbv0GjbQEF7\n" 45 | "tttq3fjDrzDf6CE9RtZWw2BUSXVq+IXB/bXb1kgWU2xWywm+OFDk9OXQs8ui+MY7\n" 46 | "FiP3yuq3YJob2g5CCsVQWl2CHvWGmTLhE1ODll39t7Y1uwdcDobJN+ECgYEA0LlR\n" 47 | "hfMjydWmwqooU9TDjXNBmwufyYlNFTH351amYgFUDpNf35SMCP4hDosUw/zCTDpc\n" 48 | "+1w04BJJfkH1SNvXSOilpdaYRTYuryDvGmWC66K2KX1nLErhlhs17CwzV997nYgD\n" 49 | 
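"H3OOU4HfqIKmdGbjvWlkmY+mLHyG10bbpOTbujkCgYAc68xHejSWDCT9p2KjPdLW\n"
"LYZGuOUa6y1L+QX85Vlh118Ymsczj8Z90qZbt3Zb1b9b+vKDe255agMj7syzNOLa\n"
"/MseHNOyq+9Z9gP1hGFekQKDIy88GzCOYG/fiT2KKJYY1kuHXnUdbiQgSlghODBS\n"
"jehD/K6DOJ80/FVKSH/dAQKBgQDJ+apTzpZhJ2f5k6L2jDq3VEK2ACedZEm9Kt9T\n"
"c1wKFnL6r83kkuB3i0L9ycRMavixvwBfFDjuY4POs5Dh8ip/mPFCa0hqISZHvbzi\n"
"dDyePJO9zmXaTJPDJ42kfpkofVAnfohXFQEy+cguTk848J+MmMIKfyE0h0QMabr9\n"
"86BUsQKBgEVgoi4RXwmtGovtMew01ORPV9MOX3v+VnsCgD4/56URKOAngiS70xEP\n"
"ONwNbTCWuuv43HGzJoVFiAMGnQP1BAJ7gkHkjSegOGKkiw12EPUWhFcMg+GkgPhc\n"
"pOqNt/VMBPjJ/ysHJqmLfQK9A35JV6Cmdphe+OIl28bcKhAOz8Dw\n"
"-----END RSA PRIVATE KEY-----\n";

// On-disk copy of kRSAPrivateKeyPEM that ssh_bind loads as the host key.
// NOTE(review): the path is fixed, predictable and shared by every worker
// process that test-libfuzzer.sh starts with -jobs/-workers. A per-process
// mkstemp() name would remove both the shared-file race and the /tmp symlink
// exposure, but mkstemp needs <stdlib.h>, which the include list visible here
// does not show; confirm before switching.
static const char kPrivateKeyPath[] = "/tmp/libssh_fuzzer_private_key";

// Materializes kRSAPrivateKeyPEM at kPrivateKeyPath, once per process.
// The contents never change, so rewriting them on every input only costs
// syscalls per iteration and widens the window in which another worker can
// read a half-written file. Asserts on any open()/write() failure.
static void WritePrivateKeyOnce() {
  static bool written = false;
  if (written) return;
  // 0600 instead of S_IRWXU: a key file needs neither the execute bit nor any
  // group/other access. No O_TRUNC on purpose: truncating a file that another
  // worker may be reading at that moment would hand it an empty key.
  int fd = open(kPrivateKeyPath, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR);
  assert(fd >= 0);
  const size_t key_len = strlen(kRSAPrivateKeyPEM);
  ssize_t write_res = write(fd, kRSAPrivateKeyPEM, key_len);
  assert(write_res >= 0 && (size_t)write_res == key_len);
  close(fd);
  written = true;
}

// Fuzzing entry point. Feeds `data` to a libssh *server* session as if it were
// the client's side of the connection, then drains every message the server
// produces. Bugs surface through the sanitizers, not the return value, which
// is always 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  // A connected socketpair stands in for the TCP connection: the fuzz input
  // is pushed into one end and libssh reads it from the other. SHUT_WR makes
  // the server see EOF after the input instead of waiting for more bytes.
  // NOTE(review): send() is issued before anyone reads, so an input larger
  // than the socket buffer would block here; the harness limits -max_len.
  int socket_fds[2];
  int res = socketpair(AF_UNIX, SOCK_STREAM, 0, socket_fds);
  assert(res >= 0);
  ssize_t send_res = send(socket_fds[1], data, size, 0);
  assert(send_res >= 0 && (size_t)send_res == size);
  res = shutdown(socket_fds[1], SHUT_WR);
  assert(res == 0);

  WritePrivateKeyOnce();

  ssh_bind sshbind = ssh_bind_new();
  ssh_session session = ssh_new();

  ssh_bind_options_set(sshbind, SSH_BIND_OPTIONS_RSAKEY, kPrivateKeyPath);

  res = ssh_bind_accept_fd(sshbind, session, socket_fds[0]);
  assert(res == SSH_OK);

  // Run the key exchange, then pull messages until libssh reports none.
  if (ssh_handle_key_exchange(session) == SSH_OK) {
    while (true) {
      ssh_message message = ssh_message_get(session);
      if (!message) {
        break;
      }
      ssh_message_free(message);
    }
  }

  // NOTE(review): socket_fds[0] was handed to the session in
  // ssh_bind_accept_fd(). If libssh also closes it during ssh_disconnect(),
  // this close() turns that into a second close of a descriptor number that
  // may already have been reused. Kept as in the original pending confirmation
  // against the libssh revision pinned in build.sh.
  close(socket_fds[0]);
  close(socket_fds[1]);

  ssh_disconnect(session);
  ssh_free(session);
  ssh_bind_free(sshbind);

  return 0;
}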
-------------------------------------------------------------------------------- /libssh-2017-1272/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../common.sh 5 | set -x 6 | 7 | rm -rf $CORPUS fuzz-*.log 8 | mkdir $CORPUS 9 | 10 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -max_len=60 -artifact_prefix=$CORPUS/ -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS 11 | grep "ERROR: LeakSanitizer: detected memory leaks" fuzz-0.log || exit 1 12 | 13 | 14 | -------------------------------------------------------------------------------- /libxml2-v2.9.2/README.md: -------------------------------------------------------------------------------- 1 | Finds [CVE-2015-8317](https://access.redhat.com/security/cve/cve-2015-8317), 2 | 1-byte-read-heap-buffer-overflow and a memory leak in [libxml2](http://xmlsoft.org/). 3 | 4 | Time to find: < 1 minute, reproducer provided. 5 | ``` 6 | ==26806==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100161f900 7 | READ of size 1 at 0x62100161f900 thread T0 8 | #0 0x55d208 in xmlParseXMLDecl parser.c:10666:2 9 | #1 0x55eaa7 in xmlParseDocument parser.c:10771:2 10 | #2 0x57cb18 in xmlDoRead parser.c:15298:5 11 | ``` 12 | 13 | Time to find: probably > 1 hour (the above shallow bug hides this one), reproducer provided. 
14 | 15 | ``` 16 | Indirect leak of 48 byte(s) in 1 object(s) allocated from: 17 | #0 0x4c250c in __interceptor_malloc 18 | #1 0x5ef0fd in xmlNewDocElementContent valid.c:952:34 19 | #2 0x532c2b in xmlParseElementMixedContentDecl parser.c:6200:16 20 | #3 0x5367cd in xmlParseElementContentDecl parser.c:6624:16 21 | #4 0x537843 in xmlParseElementDecl parser.c:6691:12 22 | #5 0x538b84 in xmlParseMarkupDecl parser.c:6934:4 23 | #6 0x562fd7 in xmlParseInternalSubset parser.c:8401:6 24 | #7 0x56166e in xmlParseDocument parser.c:10809:6 25 | #8 0x57fe49 in xmlDoRead parser.c:15298:5 26 | #9 0x4f0f87 in LLVMFuzzerTestOneInput 27 | ``` 28 | 29 | Also finds [bug 756528](https://bugzilla.gnome.org/show_bug.cgi?id=756528) 30 | (fixed 31 | [here](https://git.gnome.org/browse/libxml2/commit/?id=6360a31a84efe69d155ed96306b9a931a40beab9)): 32 | 33 | ``` 34 | ERROR: AddressSanitizer: heap-buffer-overflow ... 35 | READ of size 1 at 0x61900000007b thread T0 36 | #0 0x7712a5 in xmlDictComputeFastQKey dict.c:489:18 37 | #1 0x76f037 in xmlDictQLookup dict.c:1093:12 38 | #2 0x77bab5 in xmlSAX2StartElementNs SAX2.c:2238:17 39 | #3 0x543e73 in xmlParseStartTag2 parser.c:9707:6 40 | #4 0x53aecb in xmlParseElement parser.c:10069:16 41 | ``` 42 | 43 | A use-after-free bug also exists. 44 | 45 | ``` 46 | ==235609==ERROR: AddressSanitizer: heap-use-after-free ... 
47 | READ of size 1 at 0x625000002908 thread T0 48 | #0 0x77503e in xmlDictComputeFastKey dict.c:448:13 49 | #1 0x77503e in xmlDictLookup dict.c:848 50 | #2 0x573b6f in xmlParseNCNameComplex parser.c:3506:12 51 | #3 0x573b6f in xmlParseNCName parser.c:3565 52 | #4 0x57283c in xmlParseQName parser.c:8815:9 53 | #5 0x548877 in xmlParseStartTag2 parser.c:9336:17 54 | #6 0x544bd0 in xmlParseElement parser.c:10069:16 55 | #7 0x543a85 in xmlParseContent parser.c:9982:6 56 | #8 0x5457bb in xmlParseElement parser.c:10155:5 57 | #9 0x55540b in xmlParseDocument parser.c:10841:2 58 | #10 0x5706c1 in xmlDoRead parser.c:15298:5 59 | #11 0x4f7997 in LLVMFuzzerTestOneInput 60 | ``` 61 | -------------------------------------------------------------------------------- /libxml2-v2.9.2/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | (cd BUILD && ./autogen.sh && CCLD="$CXX $CXXFLAGS" ./configure --disable-shared && make -j $JOBS) 11 | } 12 | 13 | get_git_tag https://gitlab.gnome.org/GNOME/libxml2.git v2.9.2 SRC 14 | get_git_revision https://github.com/google/afl e9be6bce2282e8db95221c9a17fd10aba9e901bc afl 15 | build_lib 16 | build_fuzzer 17 | 18 | cp afl/dictionaries/xml.dict . 19 | 20 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 21 | # Link ASan runtime so we can hook memcmp et al. 
22 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 23 | fi 24 | set -x 25 | $CXX $CXXFLAGS -std=c++11 $SCRIPT_DIR/target.cc -I BUILD/include BUILD/.libs/libxml2.a $LIB_FUZZING_ENGINE -lz -o $EXECUTABLE_NAME_BASE 26 | -------------------------------------------------------------------------------- /libxml2-v2.9.2/crash-50b12d37d6968a2cd9eb3665d158d9a2fb1f6e28: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/libxml2-v2.9.2/crash-50b12d37d6968a2cd9eb3665d158d9a2fb1f6e28 -------------------------------------------------------------------------------- /libxml2-v2.9.2/crash-d8960e21ca40ea5dc60ad655000842376d4178a1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/libxml2-v2.9.2/crash-d8960e21ca40ea5dc60ad655000842376d4178a1 -------------------------------------------------------------------------------- /libxml2-v2.9.2/leak-bdbb2857b7a086f003db1c418e1d124181341fb1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/libxml2-v2.9.2/leak-bdbb2857b7a086f003db1c418e1d124181341fb1 -------------------------------------------------------------------------------- /libxml2-v2.9.2/target.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 Google Inc. All Rights Reserved. 2 | // Licensed under the Apache License, Version 2.0 (the "License"); 3 | #include 4 | #include 5 | #include "libxml/xmlversion.h" 6 | #include "libxml/parser.h" 7 | #include "libxml/HTMLparser.h" 8 | #include "libxml/tree.h" 9 | 10 | void ignore (void * ctx, const char * msg, ...) 
{} 11 | 12 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 13 | xmlSetGenericErrorFunc(NULL, &ignore); 14 | if (auto doc = xmlReadMemory(reinterpret_cast(data), size, 15 | "noname.xml", NULL, 0)) 16 | xmlFreeDoc(doc); 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /libxml2-v2.9.2/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | set -x 5 | . $(dirname $0)/../common.sh 6 | 7 | get_git_revision https://github.com/mcarpenter/afl be3e88d639da5350603f6c0fee06970128504342 afl 8 | rm -rf $CORPUS fuzz-*.log 9 | mkdir $CORPUS 10 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -jobs=$JOBS -dict=afl/dictionaries/xml.dict -workers=$JOBS $CORPUS -max_len=64 $LIBFUZZER_FLAGS 11 | grep "AddressSanitizer: heap-buffer-overflow\|ERROR: LeakSanitizer: detected memory leaks" fuzz-0.log 12 | -------------------------------------------------------------------------------- /libxml2-v2.9.2/uaf-1153fbf466b9474e6e3c48c72e86a4726b449ef7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/libxml2-v2.9.2/uaf-1153fbf466b9474e6e3c48c72e86a4726b449ef7 -------------------------------------------------------------------------------- /llvm-libcxxabi-2017-01-27/README.md: -------------------------------------------------------------------------------- 1 | Finds [oss-fuzz/370](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=370), 2 | a crash in [LLVM](http://llvm.org) C++ demanger. 
3 | The crash is caused by a pop-back from an empty std::vector object 4 | and manifests in different ways (NULL deref, stack overflow, run-time error 5 | message, etc) depending on the standard C++ library implementation used. 6 | Fixed [here](http://llvm.org/viewvc/llvm-project?view=revision&revision=293330). 7 | 8 | Also finds 9 | [oss-fuzz/582](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=582), 10 | out-of-range access in std::string. 11 | ``` 12 | terminate called after throwing an instance of 'std::out_of_range' 13 | what(): basic_string::replace 14 | ``` 15 | 16 | This first bug took OSS-Fuzz several weeks to discover, the second took several 17 | months. Both reproducers attached. 18 | -------------------------------------------------------------------------------- /llvm-libcxxabi-2017-01-27/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | get_svn_revision http://llvm.org/svn/llvm-project/libcxxabi/trunk 293329 SRC 8 | build_fuzzer 9 | 10 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 11 | # Link ASan runtime so we can hook memcmp et al. 
12 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 13 | fi 14 | $CXX $CXXFLAGS -std=c++11 SRC/fuzz/cxa_demangle_fuzzer.cpp SRC/src/cxa_demangle.cpp -I SRC/include \ 15 | $LIB_FUZZING_ENGINE -o $EXECUTABLE_NAME_BASE 16 | -------------------------------------------------------------------------------- /llvm-libcxxabi-2017-01-27/crash-37806028c307468801496b647ad8eb6d1f5c612e: -------------------------------------------------------------------------------- 1 | _ZcvCiIJEEDvT__FFFFT_vT_v -------------------------------------------------------------------------------- /llvm-libcxxabi-2017-01-27/crash-3edc48212829c58f0e19e2f0ef7eec46ffd6bca9: -------------------------------------------------------------------------------- 1 | ZUlSaIJT_1_EET_E5 -------------------------------------------------------------------------------- /llvm-libcxxabi-2017-01-27/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | set -x 5 | . $(dirname $0)/../common.sh 6 | 7 | rm -rf $CORPUS fuzz-*.log 8 | mkdir $CORPUS 9 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -jobs=$JOBS -workers=$JOBS $CORPUS $LIBFUZZER_FLAGS 10 | grep "terminate called after throwing an instance of 'std::out_of_range'" fuzz-0.log || exit 1 11 | -------------------------------------------------------------------------------- /openssl-1.0.1f/README.md: -------------------------------------------------------------------------------- 1 | Finds [HeartBleed (CVE-2014-0160)](https://en.wikipedia.org/wiki/Heartbleed), 2 | multi-byte-read-heap-buffer-overflow in [openssl](https://www.openssl.org/). 3 | 4 | Time to find: < 10 seconds. 
5 | ``` 6 | =20302==ERROR: AddressSanitizer: heap-buffer-overflow 7 | READ of size 53713 at 0x629000009748 thread T0 8 | #0 0x4a97b6 in __asan_memcpy 9 | #1 0x4fd102 in tls1_process_heartbeat ssl/t1_lib.c:2586:3 10 | #2 0x57cca2 in ssl3_read_bytes ssl/s3_pkt.c:1092:4 11 | #3 0x581c7d in ssl3_get_message ssl/s3_both.c:457:7 12 | #4 0x545184 in ssl3_get_client_hello ssl/s3_srvr.c:941:4 13 | #5 0x5411de in ssl3_accept ssl/s3_srvr.c:357:9 14 | ``` 15 | 16 | Also finds a memory leak, [CVE-2014-3513](https://www.openssl.org/news/secadv/20141015.txt), repro attached: 17 | ``` 18 | Direct leak of 32 byte(s) in 1 object(s) allocated from: 19 | #0 0x514f18 in __interceptor_malloc 20 | #1 0x5fd25b in CRYPTO_malloc crypto/mem.c:308:8 21 | #2 0x6539c1 in sk_new crypto/stack/stack.c:125:11 22 | #3 0x6539c1 in sk_new_null crypto/stack/stack.c:117 23 | #4 0x564bf3 in ssl_parse_clienthello_use_srtp_ext ssl/d1_srtp.c:345:7 24 | #5 0x55574a in ssl_parse_clienthello_tlsext ssl/t1_lib.c:1419:7 25 | #6 0x5997c2 in ssl3_get_client_hello ssl/s3_srvr.c:1180:8 26 | #7 0x594a36 in ssl3_accept ssl/s3_srvr.c:357:9 27 | ``` 28 | -------------------------------------------------------------------------------- /openssl-1.0.1f/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | # This version of openssl has unstable parallel make => Don't use `make -j `. 11 | (cd BUILD && CC="$CC $CFLAGS" ./config && make clean && make) 12 | } 13 | 14 | get_git_tag https://github.com/openssl/openssl.git OpenSSL_1_0_1f SRC 15 | build_lib 16 | build_fuzzer 17 | 18 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 19 | # Link ASan runtime so we can hook memcmp et al. 
20 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 21 | fi 22 | $CXX $CXXFLAGS $SCRIPT_DIR/target.cc -DCERT_PATH=\"$SCRIPT_DIR/\" BUILD/libssl.a BUILD/libcrypto.a $LIB_FUZZING_ENGINE -I BUILD/include -o $EXECUTABLE_NAME_BASE 23 | rm -rf runtime 24 | cp -rf $SCRIPT_DIR/runtime . 25 | -------------------------------------------------------------------------------- /openssl-1.0.1f/leak-268f0e85f4bc45cbaf4d257222b830eac18977f3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openssl-1.0.1f/leak-268f0e85f4bc45cbaf4d257222b830eac18977f3 -------------------------------------------------------------------------------- /openssl-1.0.1f/runtime/server.key: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA1AdZNDVOA9cXm97f 3 | erp1bukz2kohjToJS6Ma8fOb36VV9lQGmDNsJanXFiqafOgV+kh1HXqZ3l1I0JmZ 4 | 71b+QQIDAQABAkAHGfPn5r0lLcgRpWZQwvv56f+dmQwEoeP7z4uwfNtEo0JcRD66 5 | 1WRCvx3LE0VbNeaEdNmSPiRXhlwIggjfrBi9AiEA9UusPBcEp/QcPGs96nQQdQzE 6 | fw4x0HL/eSV3qHimT6MCIQDdSAiX4Ouxoiwn/9KhDMcZXRYX/OPzj6w8u1YIH7BI 7 | ywIgSozbJdAhHCJ2ym4VfUIVFl3xAmSAA0hQGLOocE1qzl0CIQDRicOxZmhqBiKA 8 | IgznOn1StEYWov+MhRFZVSBLgw5gbwIgJzOlSlu0Y22hEUsLCKyHBrCAZZHcZ020 9 | 20pfogmQYn0= 10 | -----END PRIVATE KEY----- 11 | -------------------------------------------------------------------------------- /openssl-1.0.1f/runtime/server.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIBYTCCAQugAwIBAgIJAMPQQtUHkx+KMA0GCSqGSIb3DQEBCwUAMAwxCjAIBgNV 3 | BAMMAWEwHhcNMTYwOTI0MjIyMDUyWhcNNDQwMjA5MjIyMDUyWjAMMQowCAYDVQQD 4 | DAFhMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANQHWTQ1TgPXF5ve33q6dW7pM9pK 5 | IY06CUujGvHzm9+lVfZUBpgzbCWp1xYqmnzoFfpIdR16md5dSNCZme9W/kECAwEA 6 | 
AaNQME4wHQYDVR0OBBYEFCXtEo9rkLuKGSlm0mFE4Yk/HDJVMB8GA1UdIwQYMBaA 7 | FCXtEo9rkLuKGSlm0mFE4Yk/HDJVMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL 8 | BQADQQCnldOnbdNJZxBO/J+979Urg8qDp8MnlN0979AmK1P5/YzPnAF4BU7QTOTE 9 | imS5qZ0MvziBa81nVlnnFRkIezcD 10 | -----END CERTIFICATE----- 11 | -------------------------------------------------------------------------------- /openssl-1.0.1f/target.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 Google Inc. All Rights Reserved. 2 | // Licensed under the Apache License, Version 2.0 (the "License"); 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | SSL_CTX *Init() { 10 | SSL_library_init(); 11 | SSL_load_error_strings(); 12 | ERR_load_BIO_strings(); 13 | OpenSSL_add_all_algorithms(); 14 | SSL_CTX *sctx; 15 | assert (sctx = SSL_CTX_new(TLSv1_method())); 16 | /* These two file were created with this command: 17 | openssl req -x509 -newkey rsa:512 -keyout server.key \ 18 | -out server.pem -days 9999 -nodes -subj /CN=a/ 19 | */ 20 | assert(SSL_CTX_use_certificate_file(sctx, "runtime/server.pem", 21 | SSL_FILETYPE_PEM)); 22 | assert(SSL_CTX_use_PrivateKey_file(sctx, "runtime/server.key", 23 | SSL_FILETYPE_PEM)); 24 | return sctx; 25 | } 26 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { 27 | static SSL_CTX *sctx = Init(); 28 | SSL *server = SSL_new(sctx); 29 | BIO *sinbio = BIO_new(BIO_s_mem()); 30 | BIO *soutbio = BIO_new(BIO_s_mem()); 31 | SSL_set_bio(server, sinbio, soutbio); 32 | SSL_set_accept_state(server); 33 | BIO_write(sinbio, Data, Size); 34 | SSL_do_handshake(server); 35 | SSL_free(server); 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /openssl-1.0.1f/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 
3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # Find heartbleed. 5 | . $(dirname $0)/../common.sh 6 | set -x 7 | 8 | rm -f fuzz-*.log 9 | 10 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -max_total_time=300 -detect_leaks=0 $LIBFUZZER_FLAGS 2>&1 | tee log 11 | grep -Pzo "(?s)ERROR: AddressSanitizer: heap-buffer-overflow.*READ of size.*#1 0x.* in tls1_process_heartbeat .*ssl/t1_lib.c:2586" log 12 | -------------------------------------------------------------------------------- /openssl-1.0.2d/README.md: -------------------------------------------------------------------------------- 1 | Finds 2 | [CVE-2015-3193](https://blog.fuzzing-project.org/31-Fuzzing-Math-miscalculations-in-OpenSSLs-BN_mod_exp-CVE-2015-3193.html), 3 | a miscalculation in [OpenSSL](https://www.openssl.org/)'s BN_mod_exp. 4 | 5 | Time to find: < 1 minute. Crash reproducer included. 6 | ``` 7 | Assertion `strcmp(openssl_results.exptmod, gcrypt_results.exptmod)==0' failed. 8 | ``` 9 | 10 | 11 | -------------------------------------------------------------------------------- /openssl-1.0.2d/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | (cd BUILD && CC="$CC $CFLAGS" ./config && make clean && make -j $JOBS) 11 | } 12 | 13 | get_git_tag https://github.com/openssl/openssl.git OpenSSL_1_0_2d SRC 14 | build_lib 15 | build_fuzzer 16 | 17 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 18 | # Link ASan runtime so we can hook memcmp et al. 
19 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 20 | fi 21 | set -x 22 | $CXX $CXXFLAGS $SCRIPT_DIR/target.cc -DCERT_PATH=\"$SCRIPT_DIR/\" BUILD/libssl.a BUILD/libcrypto.a $LIB_FUZZING_ENGINE -lgcrypt -I BUILD/include -o $EXECUTABLE_NAME_BASE 23 | -------------------------------------------------------------------------------- /openssl-1.0.2d/crash-12ae1af0c82252420b5f780bc9ed48d3ba05109e: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openssl-1.0.2d/crash-12ae1af0c82252420b5f780bc9ed48d3ba05109e -------------------------------------------------------------------------------- /openssl-1.0.2d/target.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 Google Inc. All Rights Reserved. 2 | // Licensed under the Apache License, Version 2.0 (the "License"); 3 | // Find CVE-2015-3193. Derived from 4 | // https://github.com/hannob/bignum-fuzz/blob/master/CVE-2015-3193-openssl-vs-gcrypt-modexp.c 5 | /* Fuzz-compare the OpenSSL function BN_mod_exp() and the libgcrypt function gcry_mpi_powm(). 6 | * 7 | * To use this you should compile both libgcrypt and openssl with american fuzzy lop and then statically link everything together, e.g.: 8 | * afl-clang-fast -o [output] [input] libgcrypt.a libcrypto.a -lgpg-error 9 | * 10 | * Input is a binary file, the first bytes will decide how the rest of the file will be split into three bignums. 
11 | * 12 | * by Hanno Böck, license CC0 (public domain) 13 | */ 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #define MAXBUF 1000000 23 | 24 | 25 | struct big_results { 26 | char *name; 27 | char *a; 28 | char *b; 29 | char *c; 30 | char *exptmod; 31 | }; 32 | 33 | void printres(struct big_results *res) { 34 | printf("\n%s:\n", res->name); 35 | printf("a: %s\n", res->a); 36 | printf("b: %s\n", res->b); 37 | printf("c: %s\n", res->c); 38 | printf("b^c mod a: %s\n", res->exptmod); 39 | } 40 | 41 | void freeres(struct big_results *res) { 42 | free(res->a); 43 | free(res->b); 44 | free(res->c); 45 | free(res->exptmod); 46 | } 47 | 48 | 49 | char *gcrytostring(gcry_mpi_t in) { 50 | char *a, *b; 51 | size_t i; 52 | size_t j=0; 53 | gcry_mpi_aprint(GCRYMPI_FMT_HEX, (unsigned char**) &a, &i, in); 54 | while(a[j]=='0' && j<(i-2)) j++; 55 | if ((j%2)==1) j--; 56 | if (strncmp(&a[j],"00",2)==0) j++; 57 | b=(char*)malloc(i-j); 58 | strcpy(b, &a[j]); 59 | free(a); 60 | return b; 61 | } 62 | 63 | /* test gcry functions from libgcrypt */ 64 | void gcrytest(unsigned char* a_raw, int a_len, unsigned char* b_raw, int b_len, unsigned char* c_raw, int c_len, struct big_results *res) { 65 | gcry_mpi_t a, b, c, res1, res2; 66 | 67 | /* unknown leak here */ 68 | gcry_mpi_scan(&a, GCRYMPI_FMT_USG, a_raw, a_len, NULL); 69 | res->a = gcrytostring(a); 70 | 71 | gcry_mpi_scan(&b, GCRYMPI_FMT_USG, b_raw, b_len, NULL); 72 | res->b = gcrytostring(b); 73 | 74 | gcry_mpi_scan(&c, GCRYMPI_FMT_USG, c_raw, c_len, NULL); 75 | res->c = gcrytostring(c); 76 | 77 | res1=gcry_mpi_new(0); 78 | 79 | gcry_mpi_powm(res1, b, c, a); 80 | res->exptmod=gcrytostring(res1); 81 | 82 | gcry_mpi_release(a); 83 | gcry_mpi_release(b); 84 | gcry_mpi_release(c); 85 | gcry_mpi_release(res1); 86 | } 87 | 88 | /* test bn functions from openssl/libcrypto */ 89 | void bntest(unsigned char* a_raw, int a_len, unsigned char* b_raw, int b_len, unsigned char* c_raw, int c_len, 
struct big_results *res) { 90 | BN_CTX *bctx = BN_CTX_new(); 91 | BIGNUM *a = BN_new(); 92 | BIGNUM *b = BN_new(); 93 | BIGNUM *c = BN_new(); 94 | BIGNUM *res1 = BN_new(); 95 | 96 | BN_bin2bn(a_raw, a_len, a); 97 | BN_bin2bn(b_raw, b_len, b); 98 | BN_bin2bn(c_raw, c_len, c); 99 | 100 | res->a = BN_bn2hex(a); 101 | res->b = BN_bn2hex(b); 102 | res->c = BN_bn2hex(c); 103 | 104 | BN_mod_exp(res1, b, c, a, bctx); 105 | res->exptmod = BN_bn2hex(res1); 106 | 107 | BN_free(a); 108 | BN_free(b); 109 | BN_free(c); 110 | BN_free(res1); 111 | BN_CTX_free(bctx); 112 | } 113 | 114 | extern "C" int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size) { 115 | size_t len, l1, l2,l3; 116 | unsigned int divi1, divi2; 117 | unsigned char *a, *b, *c; 118 | struct big_results openssl_results= {"openssl",0,0,0,0}; 119 | struct big_results gcrypt_results= {"libgcrypt",0,0,0,0}; 120 | 121 | len = Size; 122 | if (len<5) return 0; 123 | 124 | divi1=Data[0]; 125 | divi2=Data[1]; 126 | divi1++;divi2++; 127 | l1 = (len-2)*divi1/256; 128 | l2 = (len-2-l1)*divi2/256; 129 | l3 = (len-2-l1-l2); 130 | assert(l1+l2+l3==len-2); 131 | //printf("div1 div2 %i %i\n", divi1, divi2); 132 | //printf("len l1 l2 l3 %i %i %i %i\n", (int)len,(int)l1,(int)l2,(int)l3); 133 | a=const_cast(Data)+2; 134 | b=const_cast(Data)+2+l1; 135 | c=const_cast(Data)+2+l1+l2; 136 | 137 | 138 | bntest(a, l1, b, l2, c, l3, &openssl_results); 139 | //printres(&openssl_results); 140 | if ((strcmp(openssl_results.a,"0")==0) || (strcmp(openssl_results.c,"0")==0)) goto END; 141 | 142 | gcrytest(a, l1, b, l2, c, l3, &gcrypt_results); 143 | //printres(&gcrypt_results); 144 | 145 | assert(strcmp(openssl_results.exptmod, gcrypt_results.exptmod)==0); 146 | 147 | END: 148 | freeres(&openssl_results); 149 | freeres(&gcrypt_results); 150 | return 0; 151 | } 152 | -------------------------------------------------------------------------------- /openssl-1.0.2d/test-libfuzzer.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | set -x 5 | . $(dirname $0)/../common.sh 6 | rm -rf $CORPUS fuzz-*.log 7 | mkdir $CORPUS 8 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -max_len=512 -jobs=$JOBS -workers=$JOBS $CORPUS 9 | grep 'Assertion `strcmp(openssl_results.exptmod, gcrypt_results.exptmod)==0. failed.' fuzz-0.log || exit 1 10 | 11 | 12 | # Test -minimize_crash=1. 13 | # We know that this crasher minimizes to 132 bytes. 14 | # If we manage to minimize it further the test will fail, 15 | # but we will learn something new. 16 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE $SCRIPT_DIR/crash-12ae1af0c82252420b5f780bc9ed48d3ba05109e -minimize_crash=1 -runs=1000000 $LIBFUZZER_FLAGS 2> min.log 17 | grep CRASH_MIN min.log 18 | grep "CRASH_MIN: failed to minimize beyond ./minimized-from-.* (1.. bytes), exiting" min.log || exit 1 19 | -------------------------------------------------------------------------------- /openssl-1.1.0c/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## bignum 3 | ### CVE-2017-3732 4 | [CVE-2017-3732](https://www.openssl.org/news/secadv/20170126.txt), 5 | a carry propagating bug in [OpenSSL](https://www.openssl.org/)'s `BN_mod_exp`. 6 | This was originally 7 | [discovered](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=407) 8 | by [OSS-Fuzz](https://github.com/google/oss-fuzz) 9 | using the in-tree 10 | [bignum fuzz target](https://github.com/openssl/openssl/blob/OpenSSL_1_1_0-stable/fuzz/bignum.c). 11 | Fixed in openssl 12 | [here](https://github.com/openssl/openssl/commit/3f4bcf5bb664b47ed369a70b99fac4e0ad141bb3) 13 | and in boringssl 14 | [here](https://github.com/google/boringssl/commit/d103616db14ca9587f074efaf9f09a48b8ca80cb). 
15 | 16 | This is similar to 17 | [CVE-2015-3193](https://blog.fuzzing-project.org/31-Fuzzing-Math-miscalculations-in-OpenSSLs-BN_mod_exp-CVE-2015-3193.html) 18 | but is a different bug. 19 | 20 | It took at least one CPU year to find this bug for the first time. 21 | Reproducer provided in this directory (`crash-ab3eea077a07a1353f86eea4b6075df2e6319a75`). 22 | 23 | ``` 24 | bignum.c:91: OpenSSL internal error: assertion failed: success 25 | ``` 26 | 27 | ### CVE-2017-3736 28 | 29 | A very similar bug was found later: 30 | [bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)](https://www.openssl.org/news/secadv/20171102.txt). 31 | It was a bug in assembly implementation targeted at processors with the BMI1, BMI2 and ADX extensions. 32 | It won't reproduce on other hardware. See also: 33 | [fix](https://github.com/openssl/openssl/commit/668a709a8d7ea374ee72ad2d43ac72ec60a80eee), 34 | [regression test](https://github.com/openssl/openssl/commit/420b88cec8c6f7c67fad07bf508dcccab094f134), 35 | [original report](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2905). 36 | On proper CPU libFuzzer finds this bug in < 1 day. 37 | 38 | ## x509 39 | 40 | Finds [CVE-2017-3735](https://www.openssl.org/news/secadv/20170828.txt), a heap buffer overflow in `X509v3_addr_get_afi`. 41 | It took OSS-Fuzz ~9 months (and ~5 CPU years) to discover this bug initially. 42 | Reproducer provided in this directory (`crash-4fce1eeb339d851b72fedba895163ec1daab51f3`). 
43 | 44 | ``` 45 | ==5860==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000631 at pc 0x0000005217ee bp 0x7ffe60472ac0 sp 0x7ffe60472ab8 46 | READ of size 1 at 0x602000000631 thread T0 47 | #0 0x5217ed in X509v3_addr_get_afi crypto/x509v3/v3_addr.c:89:52 48 | #1 0x5217ed in i2r_IPAddrBlocks crypto/x509v3/v3_addr.c:203 49 | #2 0x535b42 in X509V3_EXT_print crypto/x509v3/v3_prn.c:123:14 50 | #3 0x535f31 in X509V3_extensions_print crypto/x509v3/v3_prn.c:163:14 51 | #4 0x509e70 in X509_print_ex crypto/x509/t_x509.c:190:9 52 | #5 0x4ec889 in LLVMFuzzerTestOneInput fuzz/x509.c:27:9 53 | 54 | 0x602000000631 is located 0 bytes to the right of 1-byte region [0x602000000630,0x602000000631) 55 | allocated by thread T0 here: 56 | #0 0x4bf71c in __interceptor_malloc 57 | #1 0x55d2e7 in ASN1_STRING_set crypto/asn1/asn1_lib.c:277:21 58 | #2 0x564da9 in asn1_ex_c2i crypto/asn1/tasn_dec.c:869:18 59 | #3 0x564da9 in asn1_d2i_ex_primitive crypto/asn1/tasn_dec.c:743 60 | #4 0x5624ec in asn1_item_embed_d2i crypto/asn1/tasn_dec.c 61 | #5 0x566396 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:606:15 62 | #6 0x563148 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:482:16 63 | #7 0x562042 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:347:19 64 | #8 0x566848 in asn1_template_noexp_d2i crypto/asn1/tasn_dec.c:575:18 65 | #9 0x563148 in asn1_template_ex_d2i crypto/asn1/tasn_dec.c:482:16 66 | #10 0x5615c1 in asn1_item_embed_d2i crypto/asn1/tasn_dec.c:162:20 67 | #11 0x561154 in ASN1_item_ex_d2i crypto/asn1/tasn_dec.c:114:10 68 | #12 0x561154 in ASN1_item_d2i crypto/asn1/tasn_dec.c:104 69 | #13 0x535898 in X509V3_EXT_print crypto/x509v3/v3_prn.c:88:19 70 | #14 0x535f31 in X509V3_extensions_print crypto/x509v3/v3_prn.c:163:14 71 | #15 0x509e70 in X509_print_ex crypto/x509/t_x509.c:190:9 72 | #16 0x4ec889 in LLVMFuzzerTestOneInput fuzz/x509.c:27:9 73 | ``` 74 | -------------------------------------------------------------------------------- /openssl-1.1.0c/build.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | (cd BUILD && CC="$CC $CFLAGS" ./config && make clean && make -j $JOBS) 11 | } 12 | 13 | get_git_tag https://github.com/openssl/openssl.git OpenSSL_1_1_0c SRC 14 | build_lib 15 | build_fuzzer 16 | 17 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 18 | # Link ASan runtime so we can hook memcmp et al. 19 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 20 | fi 21 | set -x 22 | for f in bignum x509; do 23 | $CC $CFLAGS -DFuzzerTestOneInput=LLVMFuzzerTestOneInput -c -g BUILD/fuzz/$f.c -I BUILD/include 24 | $CXX $CXXFLAGS $f.o BUILD/libssl.a BUILD/libcrypto.a $LIB_FUZZING_ENGINE -lgcrypt -o $EXECUTABLE_NAME_BASE-$f 25 | done 26 | -------------------------------------------------------------------------------- /openssl-1.1.0c/crash-4fce1eeb339d851b72fedba895163ec1daab51f3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openssl-1.1.0c/crash-4fce1eeb339d851b72fedba895163ec1daab51f3 -------------------------------------------------------------------------------- /openssl-1.1.0c/crash-ab3eea077a07a1353f86eea4b6075df2e6319a75: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openssl-1.1.0c/crash-ab3eea077a07a1353f86eea4b6075df2e6319a75 -------------------------------------------------------------------------------- /openssl-1.1.0c/crash-c2a2dd95058258979548c016bbe04720ca1ea422: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openssl-1.1.0c/crash-c2a2dd95058258979548c016bbe04720ca1ea422 -------------------------------------------------------------------------------- /openthread-2018-02-27/README.md: -------------------------------------------------------------------------------- 1 | Fuzzing benchmark for [OpenThread](https://github.com/openthread/openthread). 2 | 3 | Two fuzz targets are included: `ip6_send_fuzzer` and 4 | `radio_receive_done_fuzzer`. 5 | 6 | Reproducers for 12 historical OpenThread bugs are provided. To reproduce the 7 | crashes or find them by fuzzing, make sure you build the appropriate revision of 8 | OpenThread. For example, to reproduce the first crash below, we would do the 9 | following: 10 | ```shell 11 | $ REVISION=94436b6f5f882f918e97ac74fb9a041375ab86b7 ${FTS}/openthread-2018-02-27/build.sh 12 | $ ./openthread-2018-02-27-fsanitize_fuzzer-radio ${FTS}/openthread-2018-02-27/repro1 13 | ``` 14 | 15 | Bug | Fuzzer | Revision | Reproducer Input 16 | --- | ------ | -------- | ---------------- 17 | [heap-buffer-overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2757&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | radio | 94436b6f5f882f918e97ac74fb9a041375ab86b7 | repro1 18 | [stack-buffer-overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2855&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | radio | 49c80937be5de63c1c7b7652eacb22e1adc459b6 | repro2 19 | [stack-buffer-overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3252&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | radio | 71d40a5c838d345248fbc130c74182dda99d85f1 | repro3 20 | 
[stack-buffer-overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3256&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | radio | 71d40a5c838d345248fbc130c74182dda99d85f1 | repro4 21 | [stack-buffer-overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3285&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | ip6 | ab4073980f120bbd4eb9f6d58950f2f03f88dac3 | repro5 22 | [stack-buffer-overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3322&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | ip6 | ab4073980f120bbd4eb9f6d58950f2f03f88dac3 | repro6 23 | [stack-buffer-overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4637&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | radio | 7b706a9aa673042fa4586e19ab72c52769b493af | repro7 24 | [stack-buffer-overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5864&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | ip6 | 68a605f22e579ae45ab1d8221faa2d45e8668e05 | repro8 25 | [stack-buffer-overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5874&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | ip6 | 68a605f22e579ae45ab1d8221faa2d45e8668e05 | repro9 26 | [stack-buffer-overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5935&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | ip6 | 68a605f22e579ae45ab1d8221faa2d45e8668e05 | repro10 27 | [stack-buffer-overflow](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7766&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | ip6 | 
bf52ed706facbbbd12b2d86c902c0f71b2b72bb0 | repro11 28 | [null-dereference](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8230&can=1&q=label%3AProj-openthread&colspec=ID%20Type%20Component%20Status%20Proj%20Reported%20Owner%20Summary) | ip6 | 585080e3a0a1ee4287b9cb5745e470e6ac4c5c7b | repro12 29 | -------------------------------------------------------------------------------- /openthread-2018-02-27/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2018 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | # workaround https://github.com/google/fuzzer-test-suite/issues/131 11 | sed -i 's/-Wshadow//g' BUILD/configure.ac BUILD/third_party/mbedtls/repo.patched/CMakeLists.txt 12 | [[ -f $LIB_FUZZING_ENGINE ]] && cp $LIB_FUZZING_ENGINE BUILD/tests/fuzz/ 13 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 14 | # Link ASan runtime so we can hook memcmp et al. 
15 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 16 | fi 17 | (cd BUILD && ./bootstrap && ./configure \ 18 | --disable-shared \ 19 | --enable-fuzz-targets \ 20 | --enable-application-coap \ 21 | --enable-border-router \ 22 | --enable-cert-log \ 23 | --enable-channel-monitor \ 24 | --enable-child-supervision \ 25 | --enable-commissioner \ 26 | --enable-dhcp6-client \ 27 | --enable-dhcp6-server \ 28 | --enable-dns-client \ 29 | --enable-diag \ 30 | --enable-dns-client \ 31 | --enable-jam-detection \ 32 | --enable-joiner \ 33 | --enable-legacy \ 34 | --enable-mac-filter \ 35 | --enable-mtd-network-diagnostic \ 36 | --enable-raw-link-api \ 37 | --enable-service \ 38 | --enable-tmf-proxy \ 39 | --disable-docs \ 40 | && make V=1 -j $JOBS) 41 | } 42 | 43 | rm -rf SRC 44 | [[ -z "${REVISION}" ]] && REVISION="79c4830c3c17369909e0906d8f455ecf2be4b6aa" 45 | get_git_revision https://github.com/openthread/openthread.git "${REVISION}" SRC 46 | build_fuzzer || exit 1 47 | build_lib || exit 1 48 | 49 | if [[ ! 
-d seeds-radio ]]; then 50 | cp -r BUILD/tests/fuzz/corpora/radio-receive-done seeds-radio 51 | fi 52 | cp BUILD/tests/fuzz/ip6-send-fuzzer $EXECUTABLE_NAME_BASE-ip6 53 | cp BUILD/tests/fuzz/radio-receive-done-fuzzer $EXECUTABLE_NAME_BASE-radio 54 | -------------------------------------------------------------------------------- /openthread-2018-02-27/repro1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro1 -------------------------------------------------------------------------------- /openthread-2018-02-27/repro10: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro10 -------------------------------------------------------------------------------- /openthread-2018-02-27/repro11: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro11 -------------------------------------------------------------------------------- /openthread-2018-02-27/repro12: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro12 -------------------------------------------------------------------------------- /openthread-2018-02-27/repro2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro2 -------------------------------------------------------------------------------- /openthread-2018-02-27/repro3: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro3 -------------------------------------------------------------------------------- /openthread-2018-02-27/repro4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro4 -------------------------------------------------------------------------------- /openthread-2018-02-27/repro5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro5 -------------------------------------------------------------------------------- /openthread-2018-02-27/repro6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro6 -------------------------------------------------------------------------------- /openthread-2018-02-27/repro7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro7 -------------------------------------------------------------------------------- /openthread-2018-02-27/repro8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro8 -------------------------------------------------------------------------------- /openthread-2018-02-27/repro9: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/openthread-2018-02-27/repro9 -------------------------------------------------------------------------------- /pcre2-10.00/README.md: -------------------------------------------------------------------------------- 1 | Finds several bugs in [PCRE2](http://www.pcre.org/) version 10.00 (Jan 2015). 2 | 3 | Time to find: < 1 minute. 4 | 5 | ``` 6 | ==28520==ERROR: AddressSanitizer: heap-buffer-overflow 7 | READ of size 1 at 0x6040000a2a4f thread T0 8 | #0 0x585630 in match src/pcre2_match.c:5968:11 9 | #1 0x5496d1 in pcre2_match_8 src/pcre2_match.c:6876:8 10 | #2 0x59b498 in regexec src/pcre2posix.c:291:6 11 | #3 0x4f0359 in LLVMFuzzerTestOneInput 12 | 13 | ==28522==ERROR: AddressSanitizer: heap-use-after-free 14 | READ of size 1 at 0x61100009144b thread T0 15 | #0 0x58550a in match src/pcre2_match.c:1426:16 16 | #1 0x574752 in match src/pcre2_match.c:5145:11 17 | #2 0x573efc in match src/pcre2_match.c:3607:11 18 | #3 0x5496d1 in pcre2_match_8 src/pcre2_match.c:6876:8 19 | #4 0x59b498 in regexec src/pcre2posix.c:291:6 20 | #5 0x4f0359 in LLVMFuzzerTestOneInput 21 | ``` 22 | -------------------------------------------------------------------------------- /pcre2-10.00/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . 
$(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | (cd BUILD && 11 | ./autogen.sh && 12 | CCLD="$CXX $CXXFLAGS" ./configure --disable-shared --enable-never-backslash-C --with-match-limit=1000 --with-match-limit-recursion=1000 && 13 | make -j 14 | ) 15 | } 16 | 17 | get_svn_revision svn://vcs.exim.org/pcre2/code/trunk 183 SRC 18 | build_lib 19 | build_fuzzer 20 | 21 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 22 | # Link ASan runtime so we can hook memcmp et al. 23 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 24 | fi 25 | set -x 26 | $CXX $CXXFLAGS $SCRIPT_DIR/target.cc -I BUILD/src -Wl,--whole-archive BUILD/.libs/*.a -Wl,-no-whole-archive $LIB_FUZZING_ENGINE -o $EXECUTABLE_NAME_BASE 27 | -------------------------------------------------------------------------------- /pcre2-10.00/target.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 Google Inc. All Rights Reserved. 2 | // Licensed under the Apache License, Version 2.0 (the "License"); 3 | 4 | #include 5 | #include "pcre2posix.h" 6 | 7 | using std::string; 8 | 9 | extern "C" int LLVMFuzzerTestOneInput(const unsigned char *data, size_t size) { 10 | if (size < 1) return 0; 11 | regex_t preg; 12 | string str(reinterpret_cast(data), size); 13 | string pat(str); 14 | int flags = data[size/2] - 'a'; // Make it 0 when the byte is 'a'. 15 | if (0 == regcomp(&preg, pat.c_str(), flags)) { 16 | regmatch_t pmatch[5]; 17 | regexec(&preg, str.c_str(), 5, pmatch, 0); 18 | regfree(&preg); 19 | } 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /pcre2-10.00/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . 
$(dirname $0)/../common.sh 5 | set -x 6 | rm -rf $CORPUS fuzz-*log 7 | mkdir $CORPUS 8 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -max_total_time=300 -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS 9 | grep "ERROR: AddressSanitizer" fuzz-0.log 10 | -------------------------------------------------------------------------------- /proj4-2017-08-14/README.md: -------------------------------------------------------------------------------- 1 | This is a fuzzing benchmark for [proj.4](https://github.com/OSGeo/proj.4). 2 | 3 | This benchmark finds a direct and an indirect leak as follows: 4 | 5 | ``` 6 | ==17769==ERROR: LeakSanitizer: detected memory leaks 7 | 8 | Direct leak of 640 byte(s) in 1 object(s) allocated from: 9 | #0 0x4c386c in __interceptor_malloc llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3 10 | #1 0x4fa32e in pj_malloc src/pj_malloc.c:57:21 11 | #2 0x4fa32e in pj_calloc src/pj_malloc.c:80 12 | #3 0x5ab711 in pj_urm5 src/PJ_urm5.c:39:5 13 | #4 0x4f55d3 in pj_init_ctx src/pj_init.c:502:17 14 | #5 0x4f4a7f in pj_init_plus_ctx src/pj_init.c:409:14 15 | #6 0x4f37cf in LLVMFuzzerTestOneInput test/fuzzers/standard_fuzzer.cpp:89:21 16 | 17 | Indirect leak of 32 byte(s) in 1 object(s) allocated from: 18 | #0 0x4c386c in __interceptor_malloc llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:66:3 19 | #1 0x4fa32e in pj_malloc src/pj_malloc.c:57:21 20 | #2 0x4fa32e in pj_callocsrc/pj_malloc.c:80 21 | #3 0x5ab7e0 in pj_projection_specific_setup_urm5 src/PJ_urm5.c:41:27 22 | #4 0x4f7579 in pj_init_ctx src/pj_init.c:726:21 23 | #5 0x4f4a7f in pj_init_plus_ctx src/pj_init.c:409:14 24 | #6 0x4f37cf in LLVMFuzzerTestOneInput test/fuzzers/standard_fuzzer.cpp:89:21 25 | 26 | SUMMARY: AddressSanitizer: 672 byte(s) leaked in 2 allocation(s). 27 | 28 | ``` 29 | 30 | These leaks are intertwined, and can be found with the same single reproducer, which is included in this directory. 
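As of August 18, 2017, this benchmark generally takes anywhere between 2 and 10 minutes to complete
when using libFuzzer and the provided seed.

--------------------------------------------------------------------------------
/proj4-2017-08-14/build.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright 2017 Google Inc. All Rights Reserved.
# Licensed under the Apache License, Version 2.0 (the "License");
#
# Builds proj.4 at a pinned revision and links its standard_fuzzer target
# against the selected fuzzing engine. Works in the caller's cwd, creating
# SRC, BUILD and seeds there.
# Expects from custom-build.sh / common.sh: CXX, CXXFLAGS, JOBS,
# FUZZING_ENGINE, LIB_FUZZING_ENGINE, EXECUTABLE_NAME_BASE, get_git_revision
# and build_fuzzer.
. "$(dirname "$0")"/../custom-build.sh $1 $2
. "$(dirname "$0")"/../common.sh

#######################################
# Configure and build a static libproj from a fresh copy of SRC.
# Globals:   JOBS (read)
# Outputs:   BUILD/src/.libs/libproj.a
# Returns:   status of the autogen/configure/make chain in the subshell
#######################################
build_lib() {
  rm -rf BUILD
  cp -rf SRC BUILD
  (cd BUILD && ./autogen.sh && ./configure --disable-shared && make clean && make -j $JOBS)
}

# Pinned upstream commit: the benchmark is only meaningful at this revision.
get_git_revision https://github.com/OSGeo/proj.4.git d00501750b210a73f9fb107ac97a683d4e3d8e7a SRC
# Fail fast instead of reaching the final link with missing inputs
# (the other build scripts in this suite use the same "|| exit 1" pattern).
build_lib || exit 1
build_fuzzer || exit 1

# Seed corpus is whatever ships in BUILD/nad (presumably proj.4's own data
# files -- confirm against the upstream tree).
if [[ ! -d seeds ]]; then
  mkdir seeds || exit 1
  cp BUILD/nad/* seeds
fi

if [[ "$FUZZING_ENGINE" == "hooks" ]]; then
  # Link ASan runtime so we can hook memcmp et al.
  LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address"
fi
# CXXFLAGS and LIB_FUZZING_ENGINE are deliberately unquoted: each may hold
# several whitespace-separated flags (see the "hooks" branch above).
$CXX $CXXFLAGS -std=c++11 -I BUILD/src BUILD/test/fuzzers/standard_fuzzer.cpp BUILD/src/.libs/libproj.a $LIB_FUZZING_ENGINE -o "$EXECUTABLE_NAME_BASE" -lpthread
--------------------------------------------------------------------------------
/proj4-2017-08-14/leak-7c19589a27e15f3432d245c7685bd518693e70d3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/proj4-2017-08-14/leak-7c19589a27e15f3432d245c7685bd518693e70d3
--------------------------------------------------------------------------------
/proj4-2017-08-14/test-libfuzzer.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Copyright 2017 Google Inc. All Rights Reserved.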
3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | 5 | . $(dirname $0)/../common.sh 6 | 7 | rm -rf $CORPUS fuzz-*.log 8 | mkdir $CORPUS 9 | 10 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS seeds 11 | grep "ERROR: LeakSanitizer" fuzz-0.log || exit 1 12 | 13 | -------------------------------------------------------------------------------- /re2-2014-12-09/README.md: -------------------------------------------------------------------------------- 1 | Finds a debug print and a 8-byte-write-heap-buffer-overflow in [RE2](https://github.com/google/re2). 2 | 3 | Time to find: < 10 seconds. 4 | ``` 5 | re2/dfa.cc:459: DFA out of memory: prog size 61280 mem 2550862 6 | ``` 7 | 8 | Time to find: < 1 hour. 9 | ``` 10 | ==19481==ERROR: AddressSanitizer: heap-buffer-overflow 11 | WRITE of size 8 at 0x60200146a188 thread T0 12 | #0 0x568f9a in re2::NFA::Search(re2::StringPiece const&, re2::StringPiece const&, bool, bool, re2::StringPiece*, int) re2/nfa.cc:532:31 13 | #1 0x5695cb in re2::Prog::SearchNFA(re2::StringPiece const&, re2::StringPiece const&, re2::Prog::Anchor, re2::Prog::MatchKind, re2::StringPiece*, int) re2/nfa.cc:701:12 14 | #2 0x4fde7a in re2::RE2::Match(re2::StringPiece const&, int, int, re2::RE2::Anchor, re2::StringPiece*, int) const re2/re2.cc:768:19 15 | #3 0x4f9110 in re2::RE2::DoMatch(re2::StringPiece const&, re2::RE2::Anchor, int*, re2::RE2::Arg const* const*, int) const re2/re2.cc:817:8 16 | #4 0x4ef56a in re2::VariadicFunction2::operator()(re2::StringPiece const&, re2::RE2 const&) const re2/variadic_function.h:15:12 17 | ``` 18 | 19 | 20 | -------------------------------------------------------------------------------- /re2-2014-12-09/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 
3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | CXXFLAGS="${CXXFLAGS} -std=gnu++98" 8 | 9 | build_lib() { 10 | rm -rf BUILD 11 | cp -rf SRC BUILD 12 | (cd BUILD && make clean && make -j $JOBS obj/libre2.a) 13 | } 14 | 15 | get_git_revision https://github.com/google/re2.git 499ef7eff7455ce9c9fae86111d4a77b6ac335de SRC 16 | build_lib 17 | build_fuzzer 18 | 19 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 20 | # Link ASan runtime so we can hook memcmp et al. 21 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 22 | fi 23 | set -x 24 | $CXX $CXXFLAGS ${SCRIPT_DIR}/target.cc -I BUILD/ BUILD/obj/libre2.a -lpthread $LIB_FUZZING_ENGINE -o $EXECUTABLE_NAME_BASE 25 | -------------------------------------------------------------------------------- /re2-2014-12-09/crash-a23ed2a04358b9c070c603a5af6ae2b34598664a: -------------------------------------------------------------------------------- 1 | '(.*|.{816}{21}) -------------------------------------------------------------------------------- /re2-2014-12-09/target.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 Google Inc. All Rights Reserved. 
2 | // Licensed under the Apache License, Version 2.0 (the "License"); 3 | #include 4 | #include "re2/re2.h" 5 | 6 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { 7 | if (size < 3 || size > 64) return 0; 8 | uint16_t f = (data[0] << 16) + data[1]; 9 | RE2::Options opt; 10 | opt.set_log_errors(false); 11 | if (f & 1) opt.set_encoding(RE2::Options::EncodingLatin1); 12 | opt.set_posix_syntax(f & 2); 13 | opt.set_longest_match(f & 4); 14 | opt.set_literal(f & 8); 15 | opt.set_never_nl(f & 16); 16 | opt.set_dot_nl(f & 32); 17 | opt.set_never_capture(f & 64); 18 | opt.set_case_sensitive(f & 128); 19 | opt.set_perl_classes(f & 256); 20 | opt.set_word_boundary(f & 512); 21 | opt.set_one_line(f & 1024); 22 | const char *b = reinterpret_cast(data) + 2; 23 | const char *e = reinterpret_cast(data) + size; 24 | std::string s1(b, e); 25 | RE2 re(s1, opt); 26 | if (re.ok()) 27 | RE2::FullMatch(s1, re); 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /re2-2014-12-09/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../common.sh 5 | set -x 6 | rm -rf $CORPUS fuzz-*.log 7 | mkdir $CORPUS 8 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -exit_on_src_pos=re2/dfa.cc:474 -exit_on_src_pos=re2/dfa.cc:474 -runs=10000000 -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS 9 | grep "INFO: found line matching 're2/dfa.cc:474', exiting." 
fuzz-0.log || exit 1 10 | 11 | # Also test merging here 12 | rm -rf $CORPUS-2 fuzz-*.log 13 | mkdir $CORPUS-2 14 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE $CORPUS-2 $CORPUS -merge=1 2> log 15 | grep -v DFA log 16 | grep "MERGE-OUTER: succesfull in" log || exit 1 17 | 18 | 19 | -------------------------------------------------------------------------------- /sqlite-2016-11-14/README.md: -------------------------------------------------------------------------------- 1 | Finds two heap-buffer-overflows in 2 | [SQLite](https://www.sqlite.org): 3 | [1](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=199), 4 | [2](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=171), 5 | and a [memory leak](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=397). 6 | 7 | Both buffer overflows require lots of CPU time to find (with libFuzzer, at the time of 8 | writing), the leak is more shallow. 9 | -------------------------------------------------------------------------------- /sqlite-2016-11-14/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | set -x 8 | build_fuzzer 9 | $CC $CFLAGS -c $SCRIPT_DIR/sqlite3.c 10 | $CC $CFLAGS -c $SCRIPT_DIR/ossfuzz.c 11 | 12 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 13 | # Link ASan runtime so we can hook memcmp et al. 
14 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 15 | fi 16 | $CXX $CXXFLAGS -ldl -pthread sqlite3.o ossfuzz.o $LIB_FUZZING_ENGINE \ 17 | -o $EXECUTABLE_NAME_BASE 18 | -------------------------------------------------------------------------------- /sqlite-2016-11-14/crash-0adc497ccfcc1a4d5e031b735c599df0cae3f4eb: -------------------------------------------------------------------------------- 1 | SELECT(2,5)IN(SELECT 2,9)""""""WHERE""AND""""""AND""AND""""""AND""""""AND""""""AND"""""" -------------------------------------------------------------------------------- /sqlite-2016-11-14/crash-1066e42866aad3a04e6851dc494ad54bc31b9f78: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/sqlite-2016-11-14/crash-1066e42866aad3a04e6851dc494ad54bc31b9f78 -------------------------------------------------------------------------------- /sqlite-2016-11-14/leak-b0276985af5aa23c98d9abf33856ce069ef600e2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/sqlite-2016-11-14/leak-b0276985af5aa23c98d9abf33856ce069ef600e2 -------------------------------------------------------------------------------- /sqlite-2016-11-14/ossfuzz.c: -------------------------------------------------------------------------------- 1 | /* Copyright 2016 Google Inc. All Rights Reserved. 2 | ** Licensed under the Apache License, Version 2.0 (the "License"); 3 | ** 4 | ** Derived from the public domain SQLite (https://sqlite.org) sources. 5 | */ 6 | /* 7 | ** This module interfaces SQLite to the Google OSS-Fuzz, fuzzer as a service. 
8 | ** (https://github.com/google/oss-fuzz) 9 | */ 10 | #include 11 | #include 12 | #include "sqlite3.h" 13 | 14 | /* 15 | ** Progress handler callback 16 | */ 17 | static int progress_handler(void *pReturn) { 18 | return *(int*)pReturn; 19 | } 20 | 21 | /* 22 | ** Callback for sqlite3_exec(). 23 | */ 24 | static int exec_handler(void *pCnt, int argc, char **argv, char **namev){ 25 | int i; 26 | for(i=0; i>= 1; 65 | progressArg = uSelector & 1; uSelector >>= 1; 66 | 67 | /* Bit 2 of the selector enables foreign key constraints */ 68 | sqlite3_db_config(db, SQLITE_DBCONFIG_ENABLE_FKEY, uSelector&1, &rc); 69 | uSelector >>= 1; 70 | 71 | /* Remaining bits of the selector determine a limit on the number of 72 | ** output rows */ 73 | execCnt = uSelector + 1; 74 | 75 | /* Run the SQL. The sqlite_exec() interface expects a zero-terminated 76 | ** string, so make a copy. */ 77 | zSql = sqlite3_mprintf("%.*s", (int)size, data); 78 | sqlite3_exec(db, zSql, exec_handler, (void*)&execCnt, &zErrMsg); 79 | 80 | /* Cleanup and return */ 81 | sqlite3_free(zErrMsg); 82 | sqlite3_free(zSql); 83 | sqlite3_close(db); 84 | return 0; 85 | } 86 | -------------------------------------------------------------------------------- /sqlite-2016-11-14/sql.dict: -------------------------------------------------------------------------------- 1 | # Copyright 2016 Google Inc. All Rights Reserved. 2 | # Licensed under the Apache License, Version 2.0 (the "License"); 3 | # 4 | # AFL dictionary for SQL 5 | # ---------------------- 6 | # 7 | # Modeled based on SQLite documentation, contains some number of SQLite 8 | # extensions. Other dialects of SQL may benefit from customized dictionaries. 
9 | # 10 | # If you append @1 to the file name when loading this dictionary, afl-fuzz 11 | # will also additionally load a selection of pragma keywords that are very 12 | # specific to SQLite (and are probably less interesting from the security 13 | # standpoint, because they are usually not allowed in non-privileged 14 | # contexts). 15 | # 16 | # Created by Michal Zalewski 17 | # 18 | 19 | function_abs=" abs(1)" 20 | function_avg=" avg(1)" 21 | function_changes=" changes()" 22 | function_char=" char(1)" 23 | function_coalesce=" coalesce(1,1)" 24 | function_count=" count(1)" 25 | function_date=" date(1,1,1)" 26 | function_datetime=" datetime(1,1,1)" 27 | function_decimal=" decimal(1,1)" 28 | function_glob=" glob(1,1)" 29 | function_group_concat=" group_concat(1,1)" 30 | function_hex=" hex(1)" 31 | function_ifnull=" ifnull(1,1)" 32 | function_instr=" instr(1,1)" 33 | function_julianday=" julianday(1,1,1)" 34 | function_last_insert_rowid=" last_insert_rowid()" 35 | function_length=" length(1)" 36 | function_like=" like(1,1)" 37 | function_likelihood=" likelihood(1,1)" 38 | function_likely=" likely(1)" 39 | function_load_extension=" load_extension(1,1)" 40 | function_lower=" lower(1)" 41 | function_ltrim=" ltrim(1,1)" 42 | function_max=" max(1,1)" 43 | function_min=" min(1,1)" 44 | function_nullif=" nullif(1,1)" 45 | function_printf=" printf(1,1)" 46 | function_quote=" quote(1)" 47 | function_random=" random()" 48 | function_randomblob=" randomblob(1)" 49 | function_replace=" replace(1,1,1)" 50 | function_round=" round(1,1)" 51 | function_rtrim=" rtrim(1,1)" 52 | function_soundex=" soundex(1)" 53 | function_sqlite_compileoption_get=" sqlite_compileoption_get(1)" 54 | function_sqlite_compileoption_used=" sqlite_compileoption_used(1)" 55 | function_sqlite_source_id=" sqlite_source_id()" 56 | function_sqlite_version=" sqlite_version()" 57 | function_strftime=" strftime(1,1,1,1)" 58 | function_substr=" substr(1,1,1)" 59 | function_sum=" sum(1)" 60 | function_time=" 
time(1,1,1)" 61 | function_total=" total(1)" 62 | function_total_changes=" total_changes()" 63 | function_trim=" trim(1,1)" 64 | function_typeof=" typeof(1)" 65 | function_unicode=" unicode(1)" 66 | function_unlikely=" unlikely(1)" 67 | function_upper=" upper(1)" 68 | function_varchar=" varchar(1)" 69 | function_zeroblob=" zeroblob(1)" 70 | 71 | keyword_ABORT="ABORT" 72 | keyword_ACTION="ACTION" 73 | keyword_ADD="ADD" 74 | keyword_AFTER="AFTER" 75 | keyword_ALL="ALL" 76 | keyword_ALTER="ALTER" 77 | keyword_ANALYZE="ANALYZE" 78 | keyword_AND="AND" 79 | keyword_AS="AS" 80 | keyword_ASC="ASC" 81 | keyword_ATTACH="ATTACH" 82 | keyword_AUTOINCREMENT="AUTOINCREMENT" 83 | keyword_BEFORE="BEFORE" 84 | keyword_BEGIN="BEGIN" 85 | keyword_BETWEEN="BETWEEN" 86 | keyword_BY="BY" 87 | keyword_CASCADE="CASCADE" 88 | keyword_CASE="CASE" 89 | keyword_CAST="CAST" 90 | keyword_CHECK="CHECK" 91 | keyword_COLLATE="COLLATE" 92 | keyword_COLUMN="COLUMN" 93 | keyword_COMMIT="COMMIT" 94 | keyword_CONFLICT="CONFLICT" 95 | keyword_CONSTRAINT="CONSTRAINT" 96 | keyword_CREATE="CREATE" 97 | keyword_CROSS="CROSS" 98 | keyword_CURRENT_DATE="CURRENT_DATE" 99 | keyword_CURRENT_TIME="CURRENT_TIME" 100 | keyword_CURRENT_TIMESTAMP="CURRENT_TIMESTAMP" 101 | keyword_DATABASE="DATABASE" 102 | keyword_DEFAULT="DEFAULT" 103 | keyword_DEFERRABLE="DEFERRABLE" 104 | keyword_DEFERRED="DEFERRED" 105 | keyword_DELETE="DELETE" 106 | keyword_DESC="DESC" 107 | keyword_DETACH="DETACH" 108 | keyword_DISTINCT="DISTINCT" 109 | keyword_DROP="DROP" 110 | keyword_EACH="EACH" 111 | keyword_ELSE="ELSE" 112 | keyword_END="END" 113 | keyword_ESCAPE="ESCAPE" 114 | keyword_EXCEPT="EXCEPT" 115 | keyword_EXCLUSIVE="EXCLUSIVE" 116 | keyword_EXISTS="EXISTS" 117 | keyword_EXPLAIN="EXPLAIN" 118 | keyword_FAIL="FAIL" 119 | keyword_FOR="FOR" 120 | keyword_FOREIGN="FOREIGN" 121 | keyword_FROM="FROM" 122 | keyword_FULL="FULL" 123 | keyword_GLOB="GLOB" 124 | keyword_GROUP="GROUP" 125 | keyword_HAVING="HAVING" 126 | keyword_IF="IF" 127 | 
keyword_IGNORE="IGNORE" 128 | keyword_IMMEDIATE="IMMEDIATE" 129 | keyword_IN="IN" 130 | keyword_INDEX="INDEX" 131 | keyword_INDEXED="INDEXED" 132 | keyword_INITIALLY="INITIALLY" 133 | keyword_INNER="INNER" 134 | keyword_INSERT="INSERT" 135 | keyword_INSTEAD="INSTEAD" 136 | keyword_INTERSECT="INTERSECT" 137 | keyword_INTO="INTO" 138 | keyword_IS="IS" 139 | keyword_ISNULL="ISNULL" 140 | keyword_JOIN="JOIN" 141 | keyword_KEY="KEY" 142 | keyword_LEFT="LEFT" 143 | keyword_LIKE="LIKE" 144 | keyword_LIMIT="LIMIT" 145 | keyword_MATCH="MATCH" 146 | keyword_NATURAL="NATURAL" 147 | keyword_NO="NO" 148 | keyword_NOT="NOT" 149 | keyword_NOTNULL="NOTNULL" 150 | keyword_NULL="NULL" 151 | keyword_OF="OF" 152 | keyword_OFFSET="OFFSET" 153 | keyword_ON="ON" 154 | keyword_OR="OR" 155 | keyword_ORDER="ORDER" 156 | keyword_OUTER="OUTER" 157 | keyword_PLAN="PLAN" 158 | keyword_PRAGMA="PRAGMA" 159 | keyword_PRIMARY="PRIMARY" 160 | keyword_QUERY="QUERY" 161 | keyword_RAISE="RAISE" 162 | keyword_RECURSIVE="RECURSIVE" 163 | keyword_REFERENCES="REFERENCES" 164 | #keyword_REGEXP="REGEXP" 165 | keyword_REINDEX="REINDEX" 166 | keyword_RELEASE="RELEASE" 167 | keyword_RENAME="RENAME" 168 | keyword_REPLACE="REPLACE" 169 | keyword_RESTRICT="RESTRICT" 170 | keyword_RIGHT="RIGHT" 171 | keyword_ROLLBACK="ROLLBACK" 172 | keyword_ROW="ROW" 173 | keyword_SAVEPOINT="SAVEPOINT" 174 | keyword_SELECT="SELECT" 175 | keyword_SET="SET" 176 | keyword_TABLE="TABLE" 177 | keyword_TEMP="TEMP" 178 | keyword_TEMPORARY="TEMPORARY" 179 | keyword_THEN="THEN" 180 | keyword_TO="TO" 181 | keyword_TRANSACTION="TRANSACTION" 182 | keyword_TRIGGER="TRIGGER" 183 | keyword_UNION="UNION" 184 | keyword_UNIQUE="UNIQUE" 185 | keyword_UPDATE="UPDATE" 186 | keyword_USING="USING" 187 | keyword_VACUUM="VACUUM" 188 | keyword_VALUES="VALUES" 189 | keyword_VIEW="VIEW" 190 | keyword_VIRTUAL="VIRTUAL" 191 | keyword_WHEN="WHEN" 192 | keyword_WHERE="WHERE" 193 | keyword_WITH="WITH" 194 | keyword_WITHOUT="WITHOUT" 195 | 196 | operator_concat=" 
|| " 197 | operator_ebove_eq=" >=" 198 | 199 | snippet_1eq1=" 1=1" 200 | snippet_at=" @1" 201 | snippet_backticks=" `a`" 202 | snippet_blob=" blob" 203 | snippet_brackets=" [a]" 204 | snippet_colon=" :1" 205 | snippet_comment=" /* */" 206 | snippet_date="2001-01-01" 207 | snippet_dollar=" $1" 208 | snippet_dotref=" a.b" 209 | snippet_fmtY="%Y" 210 | snippet_int=" int" 211 | snippet_neg1=" -1" 212 | snippet_pair=" a,b" 213 | snippet_parentheses=" (1)" 214 | snippet_plus2days="+2 days" 215 | snippet_qmark=" ?1" 216 | snippet_semicolon=" ;" 217 | snippet_star=" *" 218 | snippet_string_pair=" \"a\",\"b\"" 219 | 220 | string_dbl_q=" \"a\"" 221 | string_escaped_q=" 'a''b'" 222 | string_single_q=" 'a'" 223 | 224 | pragma_application_id@1=" application_id" 225 | pragma_auto_vacuum@1=" auto_vacuum" 226 | pragma_automatic_index@1=" automatic_index" 227 | pragma_busy_timeout@1=" busy_timeout" 228 | pragma_cache_size@1=" cache_size" 229 | pragma_cache_spill@1=" cache_spill" 230 | pragma_case_sensitive_like@1=" case_sensitive_like" 231 | pragma_checkpoint_fullfsync@1=" checkpoint_fullfsync" 232 | pragma_collation_list@1=" collation_list" 233 | pragma_compile_options@1=" compile_options" 234 | pragma_count_changes@1=" count_changes" 235 | pragma_data_store_directory@1=" data_store_directory" 236 | pragma_database_list@1=" database_list" 237 | pragma_default_cache_size@1=" default_cache_size" 238 | pragma_defer_foreign_keys@1=" defer_foreign_keys" 239 | pragma_empty_result_callbacks@1=" empty_result_callbacks" 240 | pragma_encoding@1=" encoding" 241 | pragma_foreign_key_check@1=" foreign_key_check" 242 | pragma_foreign_key_list@1=" foreign_key_list" 243 | pragma_foreign_keys@1=" foreign_keys" 244 | pragma_freelist_count@1=" freelist_count" 245 | pragma_full_column_names@1=" full_column_names" 246 | pragma_fullfsync@1=" fullfsync" 247 | pragma_ignore_check_constraints@1=" ignore_check_constraints" 248 | pragma_incremental_vacuum@1=" incremental_vacuum" 249 | pragma_index_info@1=" 
index_info" 250 | pragma_index_list@1=" index_list" 251 | pragma_integrity_check@1=" integrity_check" 252 | pragma_journal_mode@1=" journal_mode" 253 | pragma_journal_size_limit@1=" journal_size_limit" 254 | pragma_legacy_file_format@1=" legacy_file_format" 255 | pragma_locking_mode@1=" locking_mode" 256 | pragma_max_page_count@1=" max_page_count" 257 | pragma_mmap_size@1=" mmap_size" 258 | pragma_page_count@1=" page_count" 259 | pragma_page_size@1=" page_size" 260 | pragma_parser_trace@1=" parser_trace" 261 | pragma_query_only@1=" query_only" 262 | pragma_quick_check@1=" quick_check" 263 | pragma_read_uncommitted@1=" read_uncommitted" 264 | pragma_recursive_triggers@1=" recursive_triggers" 265 | pragma_reverse_unordered_selects@1=" reverse_unordered_selects" 266 | pragma_schema_version@1=" schema_version" 267 | pragma_secure_delete@1=" secure_delete" 268 | pragma_short_column_names@1=" short_column_names" 269 | pragma_shrink_memory@1=" shrink_memory" 270 | pragma_soft_heap_limit@1=" soft_heap_limit" 271 | pragma_stats@1=" stats" 272 | pragma_synchronous@1=" synchronous" 273 | pragma_table_info@1=" table_info" 274 | pragma_temp_store@1=" temp_store" 275 | pragma_temp_store_directory@1=" temp_store_directory" 276 | pragma_threads@1=" threads" 277 | pragma_user_version@1=" user_version" 278 | pragma_vdbe_addoptrace@1=" vdbe_addoptrace" 279 | pragma_vdbe_debug@1=" vdbe_debug" 280 | pragma_vdbe_listing@1=" vdbe_listing" 281 | pragma_vdbe_trace@1=" vdbe_trace" 282 | pragma_wal_autocheckpoint@1=" wal_autocheckpoint" 283 | pragma_wal_checkpoint@1=" wal_checkpoint" 284 | pragma_writable_schema@1=" writable_schema" 285 | -------------------------------------------------------------------------------- /sqlite-2016-11-14/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . 
$(dirname $0)/../common.sh 5 | set -x 6 | rm -rf $CORPUS fuzz-*.log 7 | mkdir $CORPUS 8 | 9 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -dict=$SCRIPT_DIR/sql.dict -artifact_prefix=$CORPUS/ -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS 10 | grep "AddressSanitizer: heap-use-after-free\|LeakSanitizer: detect memory leaks" fuzz-0.log || exit 1 11 | -------------------------------------------------------------------------------- /test-everything.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | 5 | . $(dirname $0)/common.sh 6 | 7 | PARENT_DIR="RUN_EVERY_BENCHMARK" 8 | #[[ -e "$PARENT_DIR" ]] && echo "Rename folder $PARENT_DIR to avoid deletion" && exit 1 9 | rm -rf $PARENT_DIR 10 | mkdir $PARENT_DIR 11 | echo "Created top directory $PARENT_DIR" 12 | 13 | ABS_SCRIPT_DIR=$(readlink -f $SCRIPT_DIR) 14 | BENCHMARKS=${ABS_SCRIPT_DIR}/*/ 15 | 16 | for f in $BENCHMARKS 17 | do 18 | file_name="$(basename $f)" 19 | [[ ! -d $f ]] && continue # echo "${file_name} isn't a directory" && continue 20 | [[ ! -e ${f}build.sh ]] && continue # echo "${file_name} has no build script" && continue 21 | echo "Running build_and_test $file_name" 22 | (cd $PARENT_DIR && ${ABS_SCRIPT_DIR}/build-and-test.sh "${file_name}" > from-${file_name}.out 2>&1 &) # && sleep 10 23 | done 24 | 25 | -------------------------------------------------------------------------------- /tutorial/libFuzzerTutorial.md: -------------------------------------------------------------------------------- 1 | This document has moved. New link is [here](https://github.com/google/fuzzing/blob/master/tutorial/libFuzzerTutorial.md). 
2 | -------------------------------------------------------------------------------- /tutorial/structure-aware-fuzzing.md: -------------------------------------------------------------------------------- 1 | This document has moved. New link is [here](https://github.com/google/fuzzing/blob/master/docs/structure-aware-fuzzing.md). 2 | -------------------------------------------------------------------------------- /vorbis-2017-12-11/README.md: -------------------------------------------------------------------------------- 1 | Fuzzing benchmark for [Vorbis](https://github.com/xiph/vorbis). 2 | Contains CVE-2018-5146 (pwn2own 2018), a buffer overflow. Reproducer provided 3 | (`crash-e86e0482b8d66f924e50e62f5d7cc36a0acb03a7`). 4 | As of 2018-04 libFuzzer finds this bug in several hundred CPU hours 5 | (a bit faster with `-use_value_profile=1`). 6 | 7 | ``` 8 | ==108564==ERROR: AddressSanitizer: heap-buffer-overflow on ... 9 | READ of size 4 at 0x619000000480 thread T0 10 | #0 0x56b301 in vorbis_book_decodevv_add lib/codebook.c:479:24 11 | #1 0x5ae876 in res2_inverse lib/res0.c:843:18 12 | #2 0x5b4031 in mapping0_inverse lib/mapping0.c:748:5 13 | #3 0x528b57 in _fetch_and_process_packet lib/vorbisfile.c:705:15 14 | #4 0x52aa17 in ov_read_filter lib/vorbisfile.c:1976:15 15 | #5 0x52b715 in ov_read lib/vorbisfile.c:2096:10 16 | #6 0x4fab0d in LLVMFuzzerTestOneInput 17 | ``` 18 | 19 | A second buffer overflow is also present and is found by libFuzzer after several 20 | hundred CPU hours. Reproducer provided 21 | (`crash-8c5dea6410b0fb0b21ff968a9966a0bd7956405f`). This bug no longer 22 | reproduces after the [fix for CVE-2018-5146]( 23 | https://github.com/xiph/vorbis/commit/667ceb4aab60c1f74060143bb24e5f427b3cce5f). 24 | 25 | ``` 26 | ==848==ERROR: AddressSanitizer: heap-buffer-overflow on ... 
27 | READ of size 16 at 0x61d000006280 thread T0 28 | #0 0x5bb227 in vorbis_book_decodev_add lib/codebook.c:407:17 29 | #1 0x5f0dc9 in _01inverse lib/res0.c:693:20 30 | #2 0x5f45c9 in res1_inverse lib/res0.c:757:12 31 | #3 0x5fbc1b in mapping0_inverse lib/mapping0.c:748:5 32 | #4 0x57f8aa in _fetch_and_process_packet lib/vorbisfile.c:705:15 33 | #5 0x581594 in ov_read_filter lib/vorbisfile.c:1976:15 34 | #6 0x5822a4 in ov_read lib/vorbisfile.c:2096:10 35 | #7 0x577c4a in LLVMFuzzerTestOneInput 36 | ``` 37 | 38 | Also contains a null-dereference, which libFuzzer found after several hundred 39 | CPU hours with `-use_value_profile=1`. Reproducer provided 40 | (`crash-23c2d78e497bf4aebe5859e3092657cb0af4c299`). This bug also no longer 41 | reproduces after the [fix for CVE-2018-5146]( 42 | https://github.com/xiph/vorbis/commit/667ceb4aab60c1f74060143bb24e5f427b3cce5f). 43 | ``` 44 | ==18193==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 ... 45 | ==18193==The signal is caused by a READ memory access. 46 | ==18193==Hint: address points to the zero page. 47 | #0 0x5f0ccf in _01inverse lib/res0.c:690:35 48 | #1 0x5f45c9 in res1_inverse lib/res0.c:757:12 49 | #2 0x5fbc1b in mapping0_inverse lib/mapping0.c:748:5 50 | #3 0x57f8aa in _fetch_and_process_packet lib/vorbisfile.c:705:15 51 | #4 0x581594 in ov_read_filter lib/vorbisfile.c:1976:15 52 | #5 0x5822a4 in ov_read lib/vorbisfile.c:2096:10 53 | #6 0x577c4a in LLVMFuzzerTestOneInput 54 | ``` 55 | 56 | See also: 57 | * http://blogs.360.cn/blog/how-to-kill-a-firefox-en/ 58 | * https://www.thezdi.com/blog/2018/4/5/quickly-pwned-quickly-patched-details-of-the-mozilla-pwn2own-exploit 59 | -------------------------------------------------------------------------------- /vorbis-2017-12-11/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2017 Google Inc. All Rights Reserved. 
3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | readonly INSTALL_DIR="$PWD/INSTALL" 8 | 9 | build_ogg() { 10 | rm -rf BUILD/ogg 11 | mkdir -p BUILD/ogg $INSTALL_DIR 12 | cp -r SRC/ogg/* BUILD/ogg/ 13 | (cd BUILD/ogg && ./autogen.sh && ./configure \ 14 | --prefix="$INSTALL_DIR" \ 15 | --enable-static \ 16 | --disable-shared \ 17 | --disable-crc \ 18 | && make clean && make -j $JOBS && make install) 19 | } 20 | 21 | build_vorbis() { 22 | rm -rf BUILD/vorbis 23 | mkdir -p BUILD/vorbis $INSTALL_DIR 24 | cp -r SRC/vorbis/* BUILD/vorbis/ 25 | (cd BUILD/vorbis && ./autogen.sh && ./configure \ 26 | --prefix="$INSTALL_DIR" \ 27 | --enable-static \ 28 | --disable-shared \ 29 | && make clean && make -j $JOBS && make install) 30 | } 31 | 32 | download_fuzz_target() { 33 | [[ ! -e SRC/oss-fuzz ]] && \ 34 | git clone -n https://github.com/google/oss-fuzz.git SRC/oss-fuzz 35 | (cd SRC/oss-fuzz && git checkout 688aadaf44499ddada755562109e5ca5eb3c5662 \ 36 | projects/vorbis/decode_fuzzer.cc) 37 | } 38 | 39 | get_git_revision https://github.com/xiph/ogg.git \ 40 | c8391c2b267a7faf9a09df66b1f7d324e9eb7766 SRC/ogg 41 | get_git_revision https://github.com/xiph/vorbis.git \ 42 | c1c2831fc7306d5fbd7bc800324efd12b28d327f SRC/vorbis 43 | download_fuzz_target 44 | 45 | build_ogg 46 | build_vorbis 47 | build_fuzzer 48 | 49 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 50 | # Link ASan runtime so we can hook memcmp et al. 
51 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 52 | fi 53 | 54 | $CXX $CXXFLAGS SRC/oss-fuzz/projects/vorbis/decode_fuzzer.cc \ 55 | -o $EXECUTABLE_NAME_BASE -L"$INSTALL_DIR/lib" -I"$INSTALL_DIR/include" \ 56 | $LIB_FUZZING_ENGINE -lvorbisfile -lvorbis -logg 57 | -------------------------------------------------------------------------------- /vorbis-2017-12-11/crash-23c2d78e497bf4aebe5859e3092657cb0af4c299: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/vorbis-2017-12-11/crash-23c2d78e497bf4aebe5859e3092657cb0af4c299 -------------------------------------------------------------------------------- /vorbis-2017-12-11/crash-8c5dea6410b0fb0b21ff968a9966a0bd7956405f: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/vorbis-2017-12-11/crash-8c5dea6410b0fb0b21ff968a9966a0bd7956405f -------------------------------------------------------------------------------- /vorbis-2017-12-11/crash-e86e0482b8d66f924e50e62f5d7cc36a0acb03a7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/vorbis-2017-12-11/crash-e86e0482b8d66f924e50e62f5d7cc36a0acb03a7 -------------------------------------------------------------------------------- /vorbis-2017-12-11/seeds/sound.ogg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/vorbis-2017-12-11/seeds/sound.ogg -------------------------------------------------------------------------------- /vorbis-2017-12-11/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | 
#!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../common.sh 5 | set -x 6 | 7 | rm -rf $CORPUS fuzz-*.log 8 | mkdir $CORPUS 9 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -use_value_profile=1 -artifact_prefix=$CORPUS/ -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS $SCRIPT_DIR/seeds 10 | grep "AddressSanitizer: heap-buffer-overflow\|AddressSanitizer: SEGV on unknown address" fuzz-0.log || exit 1 11 | -------------------------------------------------------------------------------- /woff2-2016-05-06/README.md: -------------------------------------------------------------------------------- 1 | Finds a multi-byte-write-heap-buffer-overflow 2 | [bug](https://bugs.chromium.org/p/chromium/issues/detail?id=609042) 3 | in [Woff2](https://github.com/google/woff2) 4 | 5 | Time to find: < 20 minutes, requires the seed corpus (downloaded as `seeds` dir). 6 | Reproducer provided. 7 | 8 | ``` 9 | ERROR: AddressSanitizer: heap-buffer-overflow 10 | WRITE of size 6707 at 0x62300000534d thread T0 11 | #0 0x4a95d3 in __asan_memcpy 12 | #1 0x62fa5c in woff2::Buffer::Read(unsigned char*, unsigned long) src/./buffer.h:86:7 13 | #2 0x62fa5c in woff2::(anonymous namespace)::ReconstructGlyf src/woff2_dec.cc:500 14 | #3 0x62fa5c in woff2::(anonymous namespace)::ReconstructFont src/woff2_dec.cc:917 15 | #4 0x62fa5c in woff2::ConvertWOFF2ToTTF src/woff2_dec.cc:1282 16 | ``` 17 | 18 | Also hits OOMs. Time to find < 1 minute, with an empty corpus. 19 | Reproducer provided. 20 | 21 | 22 | ``` 23 | ==30135== ERROR: libFuzzer: out-of-memory (used: 2349Mb; limit: 2048Mb) 24 | To change the out-of-memory limit use -rss_limit_mb= 25 | 26 | Live Heap Allocations: 3749936468 bytes from 2254 allocations; showing top 95% 27 | 3747609600 byte(s) (99%) in 1 allocation(s) 28 | ... 
29 | #6 0x62e8f6 in woff2::ConvertWOFF2ToTTF src/woff2_dec.cc:1274 30 | #7 0x660731 in LLVMFuzzerTestOneInput FTS/woff2-2016-05-06/target.cc:13:3 31 | ``` 32 | 33 | -------------------------------------------------------------------------------- /woff2-2016-05-06/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | get_git_revision https://github.com/google/woff2.git 9476664fd6931ea6ec532c94b816d8fbbe3aed90 SRC 8 | get_git_revision https://github.com/google/brotli.git 3a9032ba8733532a6cd6727970bade7f7c0e2f52 BROTLI 9 | get_git_revision https://github.com/FontFaceKit/roboto.git 0e41bf923e2599d651084eece345701e55a8bfde seeds 10 | 11 | rm -f *.o 12 | build_fuzzer 13 | for f in font.cc normalize.cc transform.cc woff2_common.cc woff2_dec.cc woff2_enc.cc glyph.cc table_tags.cc variable_length.cc woff2_out.cc; do 14 | $CXX $CXXFLAGS -std=c++11 -I BROTLI/dec -I BROTLI/enc -c SRC/src/$f & 15 | done 16 | for f in BROTLI/dec/*.c BROTLI/enc/*.cc; do 17 | $CXX $CXXFLAGS -c $f & 18 | done 19 | wait 20 | 21 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 22 | # Link ASan runtime so we can hook memcmp et al. 
23 | LIB_FUZZING_ENGINE="-fsanitize=address" 24 | fi 25 | set -x 26 | $CXX $CXXFLAGS *.o $LIB_FUZZING_ENGINE $SCRIPT_DIR/target.cc -I SRC/src -o $EXECUTABLE_NAME_BASE 27 | -------------------------------------------------------------------------------- /woff2-2016-05-06/crash-696cb49b6d7f63e153a6605f00aceb0d7738971a: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/woff2-2016-05-06/crash-696cb49b6d7f63e153a6605f00aceb0d7738971a -------------------------------------------------------------------------------- /woff2-2016-05-06/oom-9d24534a23b3ce397f21f62fb23ba9c5e9213107: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/google/fuzzer-test-suite/6955fc97efedfda7dcc0979658b169d7eeb5ccd6/woff2-2016-05-06/oom-9d24534a23b3ce397f21f62fb23ba9c5e9213107 -------------------------------------------------------------------------------- /woff2-2016-05-06/target.cc: -------------------------------------------------------------------------------- 1 | // Copyright 2016 Google Inc. All Rights Reserved. 2 | // Licensed under the Apache License, Version 2.0 (the "License"); 3 | #include 4 | #include 5 | 6 | #include "woff2_dec.h" 7 | 8 | // Entry point for LibFuzzer. 9 | extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { 10 | std::string buf; 11 | woff2::WOFF2StringOut out(&buf); 12 | out.SetMaxSize(30 * 1024 * 1024); 13 | woff2::ConvertWOFF2ToTTF(data, size, &out); 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /woff2-2016-05-06/test-libfuzzer.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2016 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . 
$(dirname $0)/../common.sh 5 | set -x 6 | 7 | # Find the buffer overflow (or OOM) with a seed corpus. 8 | rm -rf $CORPUS fuzz-*.log 9 | mkdir $CORPUS 10 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS/ -max_total_time=1800 -jobs=$JOBS -workers=$JOBS $LIBFUZZER_FLAGS $CORPUS seeds 11 | grep "AddressSanitizer: heap-buffer-overflow\|ERROR: libFuzzer: out-of-memory" fuzz-0.log || exit 1 12 | 13 | # Find OOM bug with an empty seed corpus. 14 | rm -rf $CORPUS-1 fuzz-*.log 15 | mkdir $CORPUS-1 16 | [ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -artifact_prefix=$CORPUS-1/ -max_total_time=600 -jobs=$JOBS -workers=$JOBS $CORPUS-1 17 | grep "ERROR: libFuzzer: out-of-memory" fuzz-0.log || exit 1 18 | -------------------------------------------------------------------------------- /wpantund-2018-02-27/README.md: -------------------------------------------------------------------------------- 1 | Fuzzing benchmark for [wpantund](https://github.com/openthread/wpantund). 2 | As of February 27. 2018, there are no known bugs in this benchmark. This 3 | benchmark is primarily used to compare coverage between fuzzers. 4 | -------------------------------------------------------------------------------- /wpantund-2018-02-27/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright 2018 Google Inc. All Rights Reserved. 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | . $(dirname $0)/../custom-build.sh $1 $2 5 | . $(dirname $0)/../common.sh 6 | 7 | build_lib() { 8 | rm -rf BUILD 9 | cp -rf SRC BUILD 10 | if [[ -f $LIB_FUZZING_ENGINE ]]; then 11 | cp $LIB_FUZZING_ENGINE BUILD/src/wpantund/ 12 | cp $LIB_FUZZING_ENGINE BUILD/src/ncp-spinel/ 13 | fi 14 | if [[ $FUZZING_ENGINE == "hooks" ]]; then 15 | # Link ASan runtime so we can hook memcmp et al. 
16 | LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE -fsanitize=address" 17 | fi 18 | (cd BUILD && ./bootstrap.sh && ./configure \ 19 | --enable-fuzz-targets \ 20 | --disable-shared \ 21 | --enable-static \ 22 | CC="${CC}" \ 23 | CXX="${CXX}" \ 24 | FUZZ_LIBS="${LIB_FUZZING_ENGINE}" \ 25 | FUZZ_CFLAGS="${CFLAGS}" \ 26 | FUZZ_CXXFLAGS="${CXXFLAGS}" \ 27 | LDFLAGS="-lpthread" \ 28 | && make -j $JOBS) 29 | } 30 | 31 | get_git_revision https://github.com/openthread/wpantund.git \ 32 | 7fea6d7a24a52f6a61545610acb0ab8a6fddf503 SRC 33 | build_fuzzer || exit 1 34 | build_lib || exit 1 35 | 36 | if [[ ! -d seeds ]]; then 37 | cp -r BUILD/etc/fuzz-corpus/wpantund-fuzz seeds 38 | fi 39 | cp BUILD/src/wpantund/wpantund-fuzz $EXECUTABLE_NAME_BASE 40 | --------------------------------------------------------------------------------