Merge pull request #3930 from bluca/fuzzers

Problem: MSAN fuzzers cannot run
2025-03-12 17:12:46 +00:00 · 2020-05-24 17:23:59 +03:00 · 2020-05-24 17:23:59 +03:00 · b5a8825542
commit b5a8825542
parent c1d195641d 38349198a6
4 changed files with 30 additions and 6 deletions
--- a/src/curve_client_tools.hpp
+++ b/src/curve_client_tools.hpp
@ -161,6 +161,7 @@ struct curve_client_tools_t
        memcpy (&vouch_plaintext[crypto_box_ZEROBYTES], cn_public_, 32);
        memcpy (&vouch_plaintext[crypto_box_ZEROBYTES + 32], server_key_, 32);

+        memset (vouch_nonce, 0, crypto_box_NONCEBYTES);
        memcpy (vouch_nonce, "VOUCH---", 8);
        randombytes (vouch_nonce + 8, 16);

@ -246,6 +247,8 @@ struct curve_client_tools_t
        memcpy (server_key, curve_server_key_, crypto_box_PUBLICKEYBYTES);

        //  Generate short-term key pair
+        memset (cn_secret, 0, crypto_box_SECRETKEYBYTES);
+        memset (cn_public, 0, crypto_box_PUBLICKEYBYTES);
        rc = crypto_box_keypair (cn_public, cn_secret);
        zmq_assert (rc == 0);
    }
--- a/src/curve_server.cpp
+++ b/src/curve_server.cpp
@ -57,6 +57,8 @@ zmq::curve_server_t::curve_server_t (session_base_t *session_,
    memcpy (_secret_key, options_.curve_secret_key, crypto_box_SECRETKEYBYTES);

    //  Generate short-term key pair
+    memset (_cn_secret, 0, crypto_box_SECRETKEYBYTES);
+    memset (_cn_public, 0, crypto_box_PUBLICKEYBYTES);
    rc = crypto_box_keypair (_cn_public, _cn_secret);
    zmq_assert (rc == 0);
 }
@ -214,6 +216,7 @@ int zmq::curve_server_t::produce_welcome (msg_t *msg_)

    //  Create full nonce for encryption
    //  8-byte prefix plus 16-byte random nonce
+    memset (cookie_nonce, 0, crypto_secretbox_NONCEBYTES);
    memcpy (cookie_nonce, "COOKIE--", 8);
    randombytes (cookie_nonce + 8, 16);

@ -224,6 +227,7 @@ int zmq::curve_server_t::produce_welcome (msg_t *msg_)
    memcpy (&cookie_plaintext[crypto_secretbox_ZEROBYTES + 32], _cn_secret, 32);

    //  Generate fresh cookie key
+    memset (_cookie_key, 0, crypto_secretbox_KEYBYTES);
    randombytes (_cookie_key, crypto_secretbox_KEYBYTES);

    //  Encrypt using symmetric cookie key
@ -239,6 +243,7 @@ int zmq::curve_server_t::produce_welcome (msg_t *msg_)

    //  Create full nonce for encryption
    //  8-byte prefix plus 16-byte random nonce
+    memset (welcome_nonce, 0, crypto_box_NONCEBYTES);
    memcpy (welcome_nonce, "WELCOME-", 8);
    randombytes (welcome_nonce + 8, crypto_box_NONCEBYTES - 8);

@ -373,6 +378,7 @@ int zmq::curve_server_t::process_initiate (msg_t *msg_)
    memcpy (vouch_box + crypto_box_BOXZEROBYTES,
            &initiate_plaintext[crypto_box_ZEROBYTES + 48], 80);

+    memset (vouch_nonce, 0, crypto_box_NONCEBYTES);
    memcpy (vouch_nonce, "VOUCH---", 8);
    memcpy (vouch_nonce + 8, &initiate_plaintext[crypto_box_ZEROBYTES + 32],
            16);
--- a/tests/fuzzer_corpora/test_z85_decode_fuzzer.txt
+++ b/tests/fuzzer_corpora/test_z85_decode_fuzzer.txt
@ -0,0 +1 @@
+46555a5a2d54414746555a5ad6514147ec
--- a/tests/test_z85_decode_fuzzer.cpp
+++ b/tests/test_z85_decode_fuzzer.cpp
@ -41,13 +41,16 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 {
    uint8_t *secret_key;

+    if (size < 5)
+        return 0;
+
    // As per API definition, input must be divisible by 5, so truncate it if it's not
    size -= size % 5;
    // As per API definition, the destination must be at least 0.8 times the input data
    TEST_ASSERT_NOT_NULL (secret_key = (uint8_t *) malloc (size * 4 / 5));

    std::string z85_secret_key (reinterpret_cast<const char *> (data), size);
-    TEST_ASSERT_NOT_NULL (zmq_z85_decode (secret_key, z85_secret_key.c_str ()));
+    zmq_z85_decode (secret_key, z85_secret_key.c_str ());

    free (secret_key);

@ -55,12 +58,23 @@ extern "C" int LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
 }

 #ifndef ZMQ_USE_FUZZING_ENGINE
-void test_bind_null_fuzzer ()
+void test_z85_decode_fuzzer ()
 {
-    uint8_t buffer[32] = {0};
+    uint8_t **data;
+    size_t *len, num_cases = 0;
+    if (fuzzer_corpus_encode ("tests/fuzzer_corpora/test_z85_decode_fuzzer.txt",
+                              &data, &len, &num_cases)
+        != 0)
+        exit (77);

-    TEST_ASSERT_SUCCESS_ERRNO (
-      LLVMFuzzerTestOneInput (buffer, sizeof (buffer)));
+    while (num_cases-- > 0) {
+        TEST_ASSERT_SUCCESS_ERRNO (
+          LLVMFuzzerTestOneInput (data[num_cases], len[num_cases]));
+        free (data[num_cases]);
+    }
+
+    free (data);
+    free (len);
 }

 int main (int argc, char **argv)
@ -68,7 +82,7 @@ int main (int argc, char **argv)
    setup_test_environment ();

    UNITY_BEGIN ();
-    RUN_TEST (test_bind_null_fuzzer);
+    RUN_TEST (test_z85_decode_fuzzer);

    return UNITY_END ();
 }