| #include <errno.h> |
| #include <fcntl.h> |
| #include <inttypes.h> |
| #include <libgen.h> |
| #include <limits.h> |
| #include <stdbool.h> |
| #include <stddef.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/stat.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
| #include "honggfuzz.h" |
| #include "libhfcommon/common.h" |
| #include "libhfcommon/files.h" |
| #include "libhfcommon/log.h" |
| #include "libhfcommon/util.h" |
| |
| #define ARGS_MAX 4096 |
| |
| static bool isCXX = false; |
| static bool isGCC = false; |
| |
| /* Embed libhfuzz.a inside this binary */ |
| __asm__("\n" |
| " .global lhfuzz_start\n" |
| " .global lhfuzz_end\n" |
| "lhfuzz_start:\n" |
| " .incbin \"libhfuzz/libhfuzz.a\"\n" |
| "lhfuzz_end:\n" |
| "\n" |
| " .global lhfnetdriver_start\n" |
| " .global lhfnetdriver_end\n" |
| "lhfnetdriver_start:\n" |
| " .incbin \"libhfnetdriver/libhfnetdriver.a\"\n" |
| "lhfnetdriver_end:\n" |
| "\n"); |
| |
| static const char* _basename(const char* path) { |
| static __thread char fname[PATH_MAX]; |
| /* basename() can modify the argument (sic!) */ |
| snprintf(fname, sizeof(fname), "%s", path); |
| return basename(fname); |
| } |
| |
| static bool useASAN() { |
| if (getenv("HFUZZ_CC_ASAN")) { |
| return true; |
| } |
| return false; |
| } |
| |
| static bool useMSAN() { |
| if (getenv("HFUZZ_CC_MSAN")) { |
| return true; |
| } |
| return false; |
| } |
| |
| static bool useUBSAN() { |
| if (getenv("HFUZZ_CC_UBSAN")) { |
| return true; |
| } |
| return false; |
| } |
| |
| static bool useM32() { |
| if (getenv("HFUZZ_FORCE_M32")) { |
| return true; |
| } |
| return false; |
| } |
| |
| static bool useGccGE8() { |
| if (getenv("HFUZZ_CC_USE_GCC_GE_8")) { |
| return true; |
| } |
| return false; |
| } |
| |
| static bool isLDMode(int argc, char** argv) { |
| for (int i = 1; i < argc; i++) { |
| if (strcmp(argv[i], "--version") == 0) { |
| return false; |
| } |
| if (strcmp(argv[i], "-c") == 0) { |
| return false; |
| } |
| if (strcmp(argv[i], "-E") == 0) { |
| return false; |
| } |
| if (strcmp(argv[i], "-S") == 0) { |
| return false; |
| } |
| if (strcmp(argv[i], "-shared") == 0) { |
| return false; |
| } |
| } |
| return true; |
| } |
| |
| static bool isFSanitizeFuzzer(int argc, char** argv) { |
| for (int i = 1; i < argc; i++) { |
| if (strcmp(argv[i], "-fsanitize=fuzzer") == 0) { |
| return true; |
| } |
| } |
| return false; |
| } |
| |
| static int hf_execvp(const char* file, char** argv) { |
| argv[0] = (char*)file; |
| return execvp(file, argv); |
| } |
| |
| static int execCC(int argc, char** argv) { |
| if (useASAN()) { |
| argv[argc++] = "-fsanitize=address"; |
| } |
| if (useMSAN()) { |
| argv[argc++] = "-fsanitize=memory"; |
| } |
| if (useUBSAN()) { |
| argv[argc++] = "-fsanitize=undefined"; |
| } |
| argv[argc] = NULL; |
| |
| if (isCXX) { |
| const char* cxx_path = getenv("HFUZZ_CXX_PATH"); |
| if (cxx_path != NULL) { |
| hf_execvp(cxx_path, argv); |
| PLOG_E("execvp('%s')", cxx_path); |
| return EXIT_FAILURE; |
| } |
| } else { |
| const char* cc_path = getenv("HFUZZ_CC_PATH"); |
| if (cc_path != NULL) { |
| hf_execvp(cc_path, argv); |
| PLOG_E("execvp('%s')", cc_path); |
| return EXIT_FAILURE; |
| } |
| } |
| |
| if (isGCC) { |
| if (isCXX) { |
| hf_execvp("g++", argv); |
| hf_execvp("gcc", argv); |
| } else { |
| hf_execvp("gcc", argv); |
| } |
| } else { |
| if (isCXX) { |
| /* Try the default one, then newest ones (hopefully) first */ |
| hf_execvp("clang++", argv); |
| hf_execvp("clang++-devel", argv); |
| hf_execvp("clang++-10.0", argv); |
| hf_execvp("clang++-10", argv); |
| hf_execvp("clang++-9.0", argv); |
| hf_execvp("clang++-9", argv); |
| hf_execvp("clang++-8.0", argv); |
| hf_execvp("clang++-8", argv); |
| hf_execvp("clang++-7.0", argv); |
| hf_execvp("clang++-7", argv); |
| hf_execvp("clang++-6.0", argv); |
| hf_execvp("clang++-6", argv); |
| hf_execvp("clang++-5.0", argv); |
| hf_execvp("clang++-5", argv); |
| hf_execvp("clang", argv); |
| } else { |
| /* Try the default one, then newest ones (hopefully) first */ |
| hf_execvp("clang", argv); |
| hf_execvp("clang-devel", argv); |
| hf_execvp("clang-10.0", argv); |
| hf_execvp("clang-10", argv); |
| hf_execvp("clang-9.0", argv); |
| hf_execvp("clang-9", argv); |
| hf_execvp("clang-8.0", argv); |
| hf_execvp("clang-8", argv); |
| hf_execvp("clang-7.0", argv); |
| hf_execvp("clang-7", argv); |
| hf_execvp("clang-6.0", argv); |
| hf_execvp("clang-6", argv); |
| hf_execvp("clang-5.0", argv); |
| hf_execvp("clang-5", argv); |
| } |
| } |
| |
| PLOG_F("execvp('%s')", argv[0]); |
| return EXIT_FAILURE; |
| } |
| |
| /* It'll point back to the libhfuzz's source tree */ |
| char* getIncPaths(void) { |
| #if !defined(_HFUZZ_INC_PATH) |
| #error \ |
| "You need to define _HFUZZ_INC_PATH to a directory with the directory called 'includes', containing honggfuzz's lib* includes. Typically it'd be the build/sources dir" |
| #endif |
| |
| static char path[PATH_MAX]; |
| snprintf(path, sizeof(path), "-I%s/includes/", HF_XSTR(_HFUZZ_INC_PATH)); |
| return path; |
| } |
| |
| static bool getLibPath( |
| const char* name, const char* env, const uint8_t* start, const uint8_t* end, char* path) { |
| const char* libEnvLoc = getenv(env); |
| if (libEnvLoc) { |
| snprintf(path, PATH_MAX, "%s", libEnvLoc); |
| return true; |
| } |
| |
| ptrdiff_t len = (uintptr_t)end - (uintptr_t)start; |
| uint64_t crc64 = util_CRC64(start, len); |
| snprintf(path, PATH_MAX, "/tmp/%s.%d.%" PRIx64 ".a", name, geteuid(), crc64); |
| |
| /* Does the library exist, belongs to the user, and is of expected size? */ |
| struct stat st; |
| if (stat(path, &st) != -1 && st.st_size == len && st.st_uid == geteuid()) { |
| return true; |
| } |
| |
| /* If not, create it with atomic rename() */ |
| char template[] = "/tmp/lib.honggfuzz.a.XXXXXX"; |
| int fd = TEMP_FAILURE_RETRY(mkostemp(template, O_CLOEXEC)); |
| if (fd == -1) { |
| PLOG_E("mkostemp('%s')", template); |
| return false; |
| } |
| defer { |
| close(fd); |
| }; |
| |
| if (!files_writeToFd(fd, start, len)) { |
| PLOG_E("Couldn't write to '%s'", template); |
| unlink(template); |
| return false; |
| } |
| |
| if (TEMP_FAILURE_RETRY(rename(template, path)) == -1) { |
| PLOG_E("Couldn't rename('%s', '%s')", template, path); |
| unlink(template); |
| return false; |
| } |
| |
| return true; |
| } |
| |
| static char* getLibHfuzzPath() { |
| extern uint8_t lhfuzz_start __asm__("lhfuzz_start"); |
| extern uint8_t lhfuzz_end __asm__("lhfuzz_end"); |
| |
| static char path[PATH_MAX] = {}; |
| if (path[0]) { |
| return path; |
| } |
| if (!getLibPath("libhfuzz", "HFUZZ_LHFUZZ_PATH", &lhfuzz_start, &lhfuzz_end, path)) { |
| LOG_F("Couldn't create the temporary libhfuzz.a"); |
| } |
| return path; |
| } |
| |
| static char* getLibHFNetDriverPath() { |
| extern uint8_t lhfnetdriver_start __asm__("lhfnetdriver_start"); |
| extern uint8_t lhfnetdriver_end __asm__("lhfnetdriver_end"); |
| |
| static char path[PATH_MAX] = {}; |
| if (path[0]) { |
| return path; |
| } |
| if (!getLibPath("libhfnetdriver", "HFUZZ_LHFNETDRIVER_PATH", &lhfnetdriver_start, |
| &lhfnetdriver_end, path)) { |
| LOG_F("Couldn't create the temporary libhfnetdriver.a"); |
| } |
| return path; |
| } |
| |
| static void commonOpts(int* j, char** args) { |
| args[(*j)++] = getIncPaths(); |
| if (isGCC) { |
| if (useGccGE8()) { |
| /* gcc-8 offers trace-cmp as well, but it's not that widely used yet */ |
| args[(*j)++] = "-fsanitize-coverage=trace-pc,trace-cmp"; |
| } else { |
| /* trace-pc is the best that gcc-6/7 currently offers */ |
| args[(*j)++] = "-fsanitize-coverage=trace-pc"; |
| } |
| } else { |
| args[(*j)++] = "-Wno-unused-command-line-argument"; |
| args[(*j)++] = "-fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div,indirect-calls"; |
| args[(*j)++] = "-mllvm"; |
| args[(*j)++] = "-sanitizer-coverage-prune-blocks=0"; |
| args[(*j)++] = "-mllvm"; |
| args[(*j)++] = "-sanitizer-coverage-level=3"; |
| } |
| |
| /* |
| * Make the execution flow more explicit, allowing for more code blocks |
| * (and better code coverage estimates) |
| */ |
| args[(*j)++] = "-fno-inline"; |
| args[(*j)++] = "-fno-builtin"; |
| args[(*j)++] = "-fno-omit-frame-pointer"; |
| args[(*j)++] = "-D__NO_STRING_INLINES"; |
| |
| /* Make it possible to use the libhfnetdriver */ |
| args[(*j)++] = "-DHFND_FUZZING_ENTRY_FUNCTION_CXX(x,y)=" |
| "extern \"C\" int HonggfuzzNetDriver_main(x,y);" |
| "extern const char* LIBHFNETDRIVER_module_netdriver;" |
| "const char** LIBHFNETDRIVER_module_main = &LIBHFNETDRIVER_module_netdriver;" |
| "int HonggfuzzNetDriver_main(x,y)"; |
| args[(*j)++] = "-DHFND_FUZZING_ENTRY_FUNCTION(x,y)=" |
| "int HonggfuzzNetDriver_main(x,y);" |
| "extern const char* LIBHFNETDRIVER_module_netdriver;" |
| "const char** LIBHFNETDRIVER_module_main = &LIBHFNETDRIVER_module_netdriver;" |
| "int HonggfuzzNetDriver_main(x,y)"; |
| |
| if (useM32()) { |
| args[(*j)++] = "-m32"; |
| } |
| } |
| |
| static int ccMode(int argc, char** argv) { |
| char* args[ARGS_MAX]; |
| |
| int j = 0; |
| if (isCXX) { |
| args[j++] = "c++"; |
| } else { |
| args[j++] = "cc"; |
| } |
| |
| commonOpts(&j, args); |
| |
| for (int i = 1; i < argc; i++) { |
| args[j++] = argv[i]; |
| } |
| |
| return execCC(j, args); |
| } |
| |
| static int ldMode(int argc, char** argv) { |
| char* args[ARGS_MAX]; |
| |
| int j = 0; |
| if (isCXX) { |
| args[j++] = "c++"; |
| } else { |
| args[j++] = "cc"; |
| } |
| |
| commonOpts(&j, args); |
| |
| /* MacOS X linker doesn't like those */ |
| #ifndef _HF_ARCH_DARWIN |
| /* Intercept common *cmp functions */ |
| args[j++] = "-Wl,--wrap=strcmp"; |
| args[j++] = "-Wl,--wrap=strcasecmp"; |
| args[j++] = "-Wl,--wrap=strncmp"; |
| args[j++] = "-Wl,--wrap=strncasecmp"; |
| args[j++] = "-Wl,--wrap=strstr"; |
| args[j++] = "-Wl,--wrap=strcasestr"; |
| args[j++] = "-Wl,--wrap=memcmp"; |
| args[j++] = "-Wl,--wrap=bcmp"; |
| args[j++] = "-Wl,--wrap=memmem"; |
| args[j++] = "-Wl,--wrap=strcpy"; |
| /* Apache's httpd mem/str cmp functions */ |
| args[j++] = "-Wl,--wrap=ap_cstr_casecmp"; |
| args[j++] = "-Wl,--wrap=ap_cstr_casecmpn"; |
| args[j++] = "-Wl,--wrap=ap_strcasestr"; |
| args[j++] = "-Wl,--wrap=apr_cstr_casecmp"; |
| args[j++] = "-Wl,--wrap=apr_cstr_casecmpn"; |
| /* Frequently used time-constant *SSL functions */ |
| args[j++] = "-Wl,--wrap=CRYPTO_memcmp"; |
| args[j++] = "-Wl,--wrap=OPENSSL_memcmp"; |
| args[j++] = "-Wl,--wrap=OPENSSL_strcasecmp"; |
| args[j++] = "-Wl,--wrap=OPENSSL_strncasecmp"; |
| /* Frequently used libXML2 functions */ |
| args[j++] = "-Wl,--wrap=xmlStrncmp"; |
| args[j++] = "-Wl,--wrap=xmlStrcmp"; |
| args[j++] = "-Wl,--wrap=xmlStrEqual"; |
| args[j++] = "-Wl,--wrap=xmlStrcasecmp"; |
| args[j++] = "-Wl,--wrap=xmlStrncasecmp"; |
| args[j++] = "-Wl,--wrap=xmlStrstr"; |
| args[j++] = "-Wl,--wrap=xmlStrcasestr"; |
| /* Some Samba functions */ |
| args[j++] = "-Wl,--wrap=memcmp_const_time"; |
| args[j++] = "-Wl,--wrap=strcsequal"; |
| #endif /* _HF_ARCH_DARWIN */ |
| |
| for (int i = 1; i < argc; i++) { |
| args[j++] = argv[i]; |
| } |
| |
| /* Reference standard honggfuzz libraries (libhfuzz and libhfnetdriver) */ |
| args[j++] = getLibHFNetDriverPath(); |
| args[j++] = getLibHfuzzPath(); |
| args[j++] = getLibHFNetDriverPath(); |
| |
| /* Pull modules defining the following symbols (if they exist) */ |
| #ifdef _HF_ARCH_DARWIN |
| args[j++] = "-Wl,-U,_LIBHFNETDRIVER_module_main", |
| args[j++] = "-Wl,-U,_LIBHFUZZ_module_instrument"; |
| args[j++] = "-Wl,-U,_LIBHFUZZ_module_memorycmp"; |
| #else /* _HF_ARCH_DARWIN */ |
| args[j++] = "-Wl,-u,LIBHFNETDRIVER_module_main", |
| args[j++] = "-Wl,-u,LIBHFUZZ_module_instrument"; |
| args[j++] = "-Wl,-u,LIBHFUZZ_module_memorycmp"; |
| #endif /* _HF_ARCH_DARWIN */ |
| |
| /* Needed by the libhfcommon */ |
| args[j++] = "-pthread"; |
| |
| /* Disable -fsanitize=fuzzer */ |
| if (isFSanitizeFuzzer(argc, argv)) { |
| args[j++] = "-fno-sanitize=fuzzer"; |
| } |
| |
| return execCC(j, args); |
| } |
| |
| static bool baseNameContains(const char* path, const char* str) { |
| if (strstr(_basename(path), str)) { |
| return true; |
| } |
| return false; |
| } |
| |
| int main(int argc, char** argv) { |
| if (baseNameContains(argv[0], "++")) { |
| isCXX = true; |
| } |
| if (baseNameContains(argv[0], "-gcc")) { |
| isGCC = true; |
| } |
| if (baseNameContains(argv[0], "-g++")) { |
| isGCC = true; |
| } |
| if (argc <= 1) { |
| return execCC(argc, argv); |
| } |
| if (argc > (ARGS_MAX - 128)) { |
| LOG_F("'%s': Too many positional arguments: %d", argv[0], argc); |
| return EXIT_FAILURE; |
| } |
| |
| if (isLDMode(argc, argv)) { |
| return ldMode(argc, argv); |
| } |
| return ccMode(argc, argv); |
| } |