projects/nginx/fuzz/http_request_fuzzer.cc - platform/external/oss-fuzz - Git at Google

 // Copyright 2020 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //
 ////////////////////////////////////////////////////////////////////////////////
 extern "C" {
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_event.h>
 #include <ngx_http.h>
 }
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/stat.h>
 #include <time.h>
 #include <unistd.h>

 #include "http_request_proto.pb.h"
 #include "libprotobuf-mutator/src/libfuzzer/libfuzzer_macro.h"

 static char configuration[] =
 "error_log stderr emerg;\n"
 "events {\n"
 "    use epoll;\n"
 "    worker_connections 2;\n"
 "    multi_accept off;\n"
 "    accept_mutex off;\n"
 "}\n"
 "http {\n"
 "    server_tokens off;\n"
 "    default_type application/octet-stream;\n"
 "    map $http_upgrade $connection_upgrade {\n"
 "      default upgrade;\n"
 "      '' close;\n"
 "    }\n"
 "    error_log stderr emerg;\n"
 "    access_log off;\n"
 "    map $subdomain $nss {\n"
 "      default local_upstream;\n"
 "    }\n"
 "    upstream local_upstream {\n"
 "      server 127.0.0.1:1010 max_fails=0;\n"
 "      server 127.0.0.1:1011 max_fails=0;\n"
 "      server 127.0.0.1:1012 max_fails=0;\n"
 "      server 127.0.0.1:1013 max_fails=0;\n"
 "      server 127.0.0.1:1014 max_fails=0;\n"
 "      server 127.0.0.1:1015 max_fails=0;\n"
 "      server 127.0.0.1:1016 max_fails=0;\n"
 "      server 127.0.0.1:1017 max_fails=0;\n"
 "      server 127.0.0.1:1018 max_fails=0;\n"
 "      server 127.0.0.1:1019 max_fails=0;\n"
 "    }\n"
 "    client_max_body_size 256M;\n"
 "    client_body_temp_path /tmp/;\n"
 "    proxy_temp_path /tmp/;\n"
 "    proxy_buffer_size 24K;\n"
 "    proxy_max_temp_file_size 0;\n"
 "    proxy_buffers 8 4K;\n"
 "    proxy_busy_buffers_size 28K;\n"
 "    proxy_buffering off;\n"
 "    server {\n"
 "      listen unix:nginx.sock;\n"
 "      server_name ~^(?<subdomain>.+)\\.url.com$;\n"
 "      proxy_next_upstream off;\n"
 "      proxy_read_timeout 5m;\n"
 "      proxy_http_version 1.1;\n"
 "      proxy_set_header Host $http_host;\n"
 "      proxy_set_header X-Real-IP $remote_addr;\n"
 "      proxy_set_header X-Real-Port $remote_port;\n"
 "      location / {\n"
 "        proxy_pass http://$nss;\n"
 "        proxy_set_header Host $http_host;\n"
 "        proxy_set_header X-Real-IP $remote_addr;\n"
 "        proxy_set_header X-Real-Port $remote_port;\n"
 "        proxy_set_header Connection '';\n"
 "        chunked_transfer_encoding off;\n"
 "        proxy_buffering off;\n"
 "        proxy_cache off;\n"
 "      }\n"
 "    }\n"
 "}\n"
 "\n";


 static ngx_cycle_t *cycle;
 static ngx_log_t ngx_log;
 static ngx_open_file_t ngx_log_file;
 static char *my_argv[2];
 static char arg1[] = {0, 0xA, 0};

 extern char **environ;

 static const char *config_file = "/tmp/http_config.conf";

 struct fuzzing_data {
   const uint8_t *data;
   size_t data_len;
 };

 static struct fuzzing_data request;
 static struct fuzzing_data reply;

 static ngx_http_upstream_t *upstream;
 static ngx_http_request_t *req_reply;
 static ngx_http_cleanup_t cln_new = {};
 static int cln_added;

 // Called when finalizing the request to upstream
 // Do not need to clean the request pool
 static void cleanup_reply(void *data) { req_reply = NULL; }

 // Called by the http parser to read the buffer
 static ssize_t request_recv_handler(ngx_connection_t *c, u_char *buf,
                                     size_t size) {
   if (request.data_len < size)
     size = request.data_len;
   memcpy(buf, request.data, size);
   request.data += size;
   request.data_len -= size;
   return size;
 }

 // Feed fuzzing input for the reply from upstream
 static ssize_t reply_recv_handler(ngx_connection_t *c, u_char *buf,
                                   size_t size) {
   req_reply = (ngx_http_request_t *)(c->data);
   if (!cln_added) { // add cleanup so that we know whether everything is cleanup
                     // correctly
     cln_added = 1;
     cln_new.handler = cleanup_reply;
     cln_new.next = req_reply->cleanup;
     cln_new.data = NULL;
     req_reply->cleanup = &cln_new;
   }
   upstream = req_reply->upstream;

   if (reply.data_len < size)
     size = reply.data_len;
   memcpy(buf, reply.data, size);
   reply.data += size;
   reply.data_len -= size;
   if (size == 0)
     c->read->ready = 0;
   return size;
 }

 static ngx_int_t add_event(ngx_event_t *ev, ngx_int_t event, ngx_uint_t flags) {
   return NGX_OK;
 }

 static ngx_int_t init_event(ngx_cycle_t *cycle, ngx_msec_t timer) {
   return NGX_OK;
 }

 // Used when sending data, do nothing
 static ngx_chain_t *send_chain(ngx_connection_t *c, ngx_chain_t *in,
                                off_t limit) {
   c->read->ready = 1;
   c->recv = reply_recv_handler;
   return in->next;
 }

 // Create a base state for Nginx without starting the server
 extern "C" int InitializeNginx(void) {
   ngx_log_t *log;
   ngx_cycle_t init_cycle;

   if (access("nginx.sock", F_OK) != -1) {
     remove("nginx.sock");
   }

   ngx_debug_init();
   ngx_strerror_init();
   ngx_time_init();
   ngx_regex_init();

   // Just output logs to stderr
   ngx_log.file = &ngx_log_file;
   ngx_log.log_level = NGX_LOG_EMERG;
   ngx_log_file.fd = ngx_stderr;
   log = &ngx_log;

   ngx_memzero(&init_cycle, sizeof(ngx_cycle_t));
   init_cycle.log = log;
   ngx_cycle = &init_cycle;

   init_cycle.pool = ngx_create_pool(1024, log);

   // Set custom argv/argc
   my_argv[0] = arg1;
   my_argv[1] = NULL;
   ngx_argv = ngx_os_argv = my_argv;
   ngx_argc = 0;

   // Weird trick to free a leaking buffer always caught by ASAN
   // We basically let ngx overwrite the environment variable, free the leak and
   // restore the environment as before.
   char *env_before = environ[0];
   environ[0] = my_argv[0] + 1;
   ngx_os_init(log);
   free(environ[0]);
   environ[0] = env_before;

   ngx_crc32_table_init();
   ngx_preinit_modules();

   FILE *fptr = fopen(config_file, "w");
   fprintf(fptr, "%s", configuration);
   fclose(fptr);
   init_cycle.conf_file.len = strlen(config_file);
   init_cycle.conf_file.data = (unsigned char *) config_file;

   cycle = ngx_init_cycle(&init_cycle);

   ngx_os_status(cycle->log);
   ngx_cycle = cycle;

   ngx_event_actions.add = add_event;
   ngx_event_actions.init = init_event;
   ngx_io.send_chain = send_chain;
   ngx_event_flags = 1;
   ngx_event_timer_init(cycle->log);
   return 0;
 }

 extern "C" long int invalid_call(ngx_connection_s *a, ngx_chain_s *b,
                                  long int c) {
   return 0;
 }

 DEFINE_PROTO_FUZZER(const HttpProto &input) {
   static int init = InitializeNginx();
   assert(init == 0);

   // have two free connections, one for client, one for upstream
   ngx_event_t read_event1 = {};
   ngx_event_t write_event1 = {};
   ngx_connection_t local1 = {};
   ngx_event_t read_event2 = {};
   ngx_event_t write_event2 = {};
   ngx_connection_t local2 = {};
   ngx_connection_t *c;
   ngx_listening_t *ls;

   req_reply = NULL;
   upstream = NULL;
   cln_added = 0;

   const char *req_string = input.request().c_str();
   size_t req_len = strlen(req_string);
   const char *rep_string = input.reply().c_str();
   size_t rep_len = strlen(rep_string);
   request.data = (const uint8_t *)req_string;
   request.data_len = req_len;
   reply.data = (const uint8_t *)rep_string;
   reply.data_len = rep_len;

   // Use listening entry created from configuration
   ls = (ngx_listening_t *)ngx_cycle->listening.elts;

   // Fake event ready for dispatch on read
   local1.read = &read_event1;
   local1.write = &write_event1;
   local2.read = &read_event2;
   local2.write = &write_event2;
   local2.send_chain = send_chain;

   // Create fake free connection to feed the http handler
   ngx_cycle->free_connections = &local1;
   local1.data = &local2;
   ngx_cycle->free_connection_n = 2;

   // Initialize connection
   c = ngx_get_connection(
       255, &ngx_log); // 255 - (hopefully unused) socket descriptor

   c->shared = 1;
   c->type = SOCK_STREAM;
   c->pool = ngx_create_pool(256, ngx_cycle->log);
   c->sockaddr = ls->sockaddr;
   c->listening = ls;
   c->recv = request_recv_handler; // Where the input will be read
   c->send_chain = send_chain;
   c->send = (ngx_send_pt)invalid_call;
   c->recv_chain = (ngx_recv_chain_pt)invalid_call;
   c->log = &ngx_log;
   c->pool->log = &ngx_log;
   c->read->log = &ngx_log;
   c->write->log = &ngx_log;
   c->socklen = ls->socklen;
   c->local_sockaddr = ls->sockaddr;
   c->local_socklen = ls->socklen;

   read_event1.ready = 1;
   write_event1.ready = write_event1.delayed = 1;

   // Will redirect to http parser
   ngx_http_init_connection(c);
 }
	// Copyright 2020 Google LLC
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	//
	////////////////////////////////////////////////////////////////////////////////
	extern "C" {
	#include <ngx_config.h>
	#include <ngx_core.h>
	#include <ngx_event.h>
	#include <ngx_http.h>
	}
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/stat.h>
	#include <time.h>
	#include <unistd.h>

	#include "http_request_proto.pb.h"
	#include "libprotobuf-mutator/src/libfuzzer/libfuzzer_macro.h"

	static char configuration[] =
	"error_log stderr emerg;\n"
	"events {\n"
	" use epoll;\n"
	" worker_connections 2;\n"
	" multi_accept off;\n"
	" accept_mutex off;\n"
	"}\n"
	"http {\n"
	" server_tokens off;\n"
	" default_type application/octet-stream;\n"
	" map $http_upgrade $connection_upgrade {\n"
	" default upgrade;\n"
	" '' close;\n"
	" }\n"
	" error_log stderr emerg;\n"
	" access_log off;\n"
	" map $subdomain $nss {\n"
	" default local_upstream;\n"
	" }\n"
	" upstream local_upstream {\n"
	" server 127.0.0.1:1010 max_fails=0;\n"
	" server 127.0.0.1:1011 max_fails=0;\n"
	" server 127.0.0.1:1012 max_fails=0;\n"
	" server 127.0.0.1:1013 max_fails=0;\n"
	" server 127.0.0.1:1014 max_fails=0;\n"
	" server 127.0.0.1:1015 max_fails=0;\n"
	" server 127.0.0.1:1016 max_fails=0;\n"
	" server 127.0.0.1:1017 max_fails=0;\n"
	" server 127.0.0.1:1018 max_fails=0;\n"
	" server 127.0.0.1:1019 max_fails=0;\n"
	" }\n"
	" client_max_body_size 256M;\n"
	" client_body_temp_path /tmp/;\n"
	" proxy_temp_path /tmp/;\n"
	" proxy_buffer_size 24K;\n"
	" proxy_max_temp_file_size 0;\n"
	" proxy_buffers 8 4K;\n"
	" proxy_busy_buffers_size 28K;\n"
	" proxy_buffering off;\n"
	" server {\n"
	" listen unix:nginx.sock;\n"
	" server_name ~^(?<subdomain>.+)\\.url.com$;\n"
	" proxy_next_upstream off;\n"
	" proxy_read_timeout 5m;\n"
	" proxy_http_version 1.1;\n"
	" proxy_set_header Host $http_host;\n"
	" proxy_set_header X-Real-IP $remote_addr;\n"
	" proxy_set_header X-Real-Port $remote_port;\n"
	" location / {\n"
	" proxy_pass http://$nss;\n"
	" proxy_set_header Host $http_host;\n"
	" proxy_set_header X-Real-IP $remote_addr;\n"
	" proxy_set_header X-Real-Port $remote_port;\n"
	" proxy_set_header Connection '';\n"
	" chunked_transfer_encoding off;\n"
	" proxy_buffering off;\n"
	" proxy_cache off;\n"
	" }\n"
	" }\n"
	"}\n"
	"\n";


	static ngx_cycle_t *cycle;
	static ngx_log_t ngx_log;
	static ngx_open_file_t ngx_log_file;
	static char *my_argv[2];
	static char arg1[] = {0, 0xA, 0};

	extern char **environ;

	static const char *config_file = "/tmp/http_config.conf";

	struct fuzzing_data {
	const uint8_t *data;
	size_t data_len;
	};

	static struct fuzzing_data request;
	static struct fuzzing_data reply;

	static ngx_http_upstream_t *upstream;
	static ngx_http_request_t *req_reply;
	static ngx_http_cleanup_t cln_new = {};
	static int cln_added;

	// Called when finalizing the request to upstream
	// Do not need to clean the request pool
	static void cleanup_reply(void *data) { req_reply = NULL; }

	// Called by the http parser to read the buffer
	static ssize_t request_recv_handler(ngx_connection_t c, u_char buf,
	size_t size) {
	if (request.data_len < size)
	size = request.data_len;
	memcpy(buf, request.data, size);
	request.data += size;
	request.data_len -= size;
	return size;
	}

	// Feed fuzzing input for the reply from upstream
	static ssize_t reply_recv_handler(ngx_connection_t c, u_char buf,
	size_t size) {
	req_reply = (ngx_http_request_t *)(c->data);
	if (!cln_added) { // add cleanup so that we know whether everything is cleanup
	// correctly
	cln_added = 1;
	cln_new.handler = cleanup_reply;
	cln_new.next = req_reply->cleanup;
	cln_new.data = NULL;
	req_reply->cleanup = &cln_new;
	}
	upstream = req_reply->upstream;

	if (reply.data_len < size)
	size = reply.data_len;
	memcpy(buf, reply.data, size);
	reply.data += size;
	reply.data_len -= size;
	if (size == 0)
	c->read->ready = 0;
	return size;
	}

	static ngx_int_t add_event(ngx_event_t *ev, ngx_int_t event, ngx_uint_t flags) {
	return NGX_OK;
	}

	static ngx_int_t init_event(ngx_cycle_t *cycle, ngx_msec_t timer) {
	return NGX_OK;
	}

	// Used when sending data, do nothing
	static ngx_chain_t send_chain(ngx_connection_t c, ngx_chain_t *in,
	off_t limit) {
	c->read->ready = 1;
	c->recv = reply_recv_handler;
	return in->next;
	}

	// Create a base state for Nginx without starting the server
	extern "C" int InitializeNginx(void) {
	ngx_log_t *log;
	ngx_cycle_t init_cycle;

	if (access("nginx.sock", F_OK) != -1) {
	remove("nginx.sock");
	}

	ngx_debug_init();
	ngx_strerror_init();
	ngx_time_init();
	ngx_regex_init();

	// Just output logs to stderr
	ngx_log.file = &ngx_log_file;
	ngx_log.log_level = NGX_LOG_EMERG;
	ngx_log_file.fd = ngx_stderr;
	log = &ngx_log;

	ngx_memzero(&init_cycle, sizeof(ngx_cycle_t));
	init_cycle.log = log;
	ngx_cycle = &init_cycle;

	init_cycle.pool = ngx_create_pool(1024, log);

	// Set custom argv/argc
	my_argv[0] = arg1;
	my_argv[1] = NULL;
	ngx_argv = ngx_os_argv = my_argv;
	ngx_argc = 0;

	// Weird trick to free a leaking buffer always caught by ASAN
	// We basically let ngx overwrite the environment variable, free the leak and
	// restore the environment as before.
	char *env_before = environ[0];
	environ[0] = my_argv[0] + 1;
	ngx_os_init(log);
	free(environ[0]);
	environ[0] = env_before;

	ngx_crc32_table_init();
	ngx_preinit_modules();

	FILE *fptr = fopen(config_file, "w");
	fprintf(fptr, "%s", configuration);
	fclose(fptr);
	init_cycle.conf_file.len = strlen(config_file);
	init_cycle.conf_file.data = (unsigned char *) config_file;

	cycle = ngx_init_cycle(&init_cycle);

	ngx_os_status(cycle->log);
	ngx_cycle = cycle;

	ngx_event_actions.add = add_event;
	ngx_event_actions.init = init_event;
	ngx_io.send_chain = send_chain;
	ngx_event_flags = 1;
	ngx_event_timer_init(cycle->log);
	return 0;
	}

	extern "C" long int invalid_call(ngx_connection_s a, ngx_chain_s b,
	long int c) {
	return 0;
	}

	DEFINE_PROTO_FUZZER(const HttpProto &input) {
	static int init = InitializeNginx();
	assert(init == 0);

	// have two free connections, one for client, one for upstream
	ngx_event_t read_event1 = {};
	ngx_event_t write_event1 = {};
	ngx_connection_t local1 = {};
	ngx_event_t read_event2 = {};
	ngx_event_t write_event2 = {};
	ngx_connection_t local2 = {};
	ngx_connection_t *c;
	ngx_listening_t *ls;

	req_reply = NULL;
	upstream = NULL;
	cln_added = 0;

	const char *req_string = input.request().c_str();
	size_t req_len = strlen(req_string);
	const char *rep_string = input.reply().c_str();
	size_t rep_len = strlen(rep_string);
	request.data = (const uint8_t *)req_string;
	request.data_len = req_len;
	reply.data = (const uint8_t *)rep_string;
	reply.data_len = rep_len;

	// Use listening entry created from configuration
	ls = (ngx_listening_t *)ngx_cycle->listening.elts;

	// Fake event ready for dispatch on read
	local1.read = &read_event1;
	local1.write = &write_event1;
	local2.read = &read_event2;
	local2.write = &write_event2;
	local2.send_chain = send_chain;

	// Create fake free connection to feed the http handler
	ngx_cycle->free_connections = &local1;
	local1.data = &local2;
	ngx_cycle->free_connection_n = 2;

	// Initialize connection
	c = ngx_get_connection(
	255, &ngx_log); // 255 - (hopefully unused) socket descriptor

	c->shared = 1;
	c->type = SOCK_STREAM;
	c->pool = ngx_create_pool(256, ngx_cycle->log);
	c->sockaddr = ls->sockaddr;
	c->listening = ls;
	c->recv = request_recv_handler; // Where the input will be read
	c->send_chain = send_chain;
	c->send = (ngx_send_pt)invalid_call;
	c->recv_chain = (ngx_recv_chain_pt)invalid_call;
	c->log = &ngx_log;
	c->pool->log = &ngx_log;
	c->read->log = &ngx_log;
	c->write->log = &ngx_log;
	c->socklen = ls->socklen;
	c->local_sockaddr = ls->sockaddr;
	c->local_socklen = ls->socklen;

	read_event1.ready = 1;
	write_event1.ready = write_event1.delayed = 1;

	// Will redirect to http parser
	ngx_http_init_connection(c);
	}