diff options
Diffstat (limited to 'src/isa-l/tests/fuzz')
-rw-r--r-- | src/isa-l/tests/fuzz/Makefile.am | 52 | ||||
-rw-r--r-- | src/isa-l/tests/fuzz/Makefile.unx | 12 | ||||
-rw-r--r-- | src/isa-l/tests/fuzz/igzip_checked_inflate_fuzz_test.c | 72 | ||||
-rw-r--r-- | src/isa-l/tests/fuzz/igzip_dump_inflate_corpus.c | 40 | ||||
-rw-r--r-- | src/isa-l/tests/fuzz/igzip_fuzz_inflate.c | 41 | ||||
-rw-r--r-- | src/isa-l/tests/fuzz/igzip_simple_inflate_fuzz_test.c | 22 | ||||
-rw-r--r-- | src/isa-l/tests/fuzz/igzip_simple_round_trip_fuzz_test.c | 130 |
7 files changed, 369 insertions, 0 deletions
diff --git a/src/isa-l/tests/fuzz/Makefile.am b/src/isa-l/tests/fuzz/Makefile.am new file mode 100644 index 000000000..424a028e5 --- /dev/null +++ b/src/isa-l/tests/fuzz/Makefile.am @@ -0,0 +1,52 @@ +######################################################################## +# Copyright(c) 2011-2017 Intel Corporation All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +######################################################################## + +src_include += -I $(srcdir)/tests/fuzz + +# AFL fuzz tests +other_tests += tests/fuzz/igzip_fuzz_inflate +igzip_fuzz_inflate: igzip_checked_inflate_fuzz_test.o +igzip_fuzz_inflate: LDLIBS += -lz +tests_fuzz_igzip_fuzz_inflate_LDADD = tests/fuzz/igzip_checked_inflate_fuzz_test.o libisal.la +tests_fuzz_igzip_fuzz_inflate_LDFLAGS = -lz + +other_tests += tests/fuzz/igzip_dump_inflate_corpus +tests_fuzz_igzip_dump_inflate_corpus_LDADD = libisal.la + +# LLVM fuzz tests +llvm_fuzz_tests = tests/fuzz/igzip_simple_inflate_fuzz_test +other_src += tests/fuzz/igzip_simple_inflate_fuzz_test.c + +llvm_fuzz_tests += tests/fuzz/igzip_checked_inflate_fuzz_test +other_src += tests/fuzz/igzip_checked_inflate_fuzz_test.c + +llvm_fuzz_tests += tests/fuzz/igzip_simple_round_trip_fuzz_test +other_src += tests/fuzz/igzip_simple_round_trip_fuzz_test.c + +igzip_checked_inflate_fuzz_test: LDLIBS += -lz diff --git a/src/isa-l/tests/fuzz/Makefile.unx b/src/isa-l/tests/fuzz/Makefile.unx new file mode 100644 index 000000000..afa20a36d --- /dev/null +++ b/src/isa-l/tests/fuzz/Makefile.unx @@ -0,0 +1,12 @@ + +default: llvm_fuzz_tests + +include ../../igzip/Makefile.am +include Makefile.am +include ../../make.inc + +CC = clang +CXX = clang++ +CXXFLAGS += $(DEFINES) + +VPATH = . ../../igzip ../../include diff --git a/src/isa-l/tests/fuzz/igzip_checked_inflate_fuzz_test.c b/src/isa-l/tests/fuzz/igzip_checked_inflate_fuzz_test.c new file mode 100644 index 000000000..557433d6b --- /dev/null +++ b/src/isa-l/tests/fuzz/igzip_checked_inflate_fuzz_test.c @@ -0,0 +1,72 @@ +#include <string.h> +#include <stdlib.h> +#include <stdint.h> +#include <stddef.h> +#include <zlib.h> +#include <assert.h> +#include "igzip_lib.h" + +int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size) +{ + struct inflate_state state; + z_stream zstate; + size_t out_buf_size = 2 * size; + int zret, iret; + char z_msg_invalid_code_set[] = "invalid code lengths set"; + char z_msg_invalid_dist_set[] = "invalid distances set"; + char z_msg_invalid_lit_len_set[] = "invalid literal/lengths set"; + + uint8_t *isal_out_buf = (uint8_t *) malloc(size * 2); + uint8_t *zlib_out_buf = (uint8_t *) malloc(size * 2); + + assert(NULL != isal_out_buf && NULL != zlib_out_buf); + + /* Inflate data with isal_inflate */ + memset(&state, 0xff, sizeof(struct inflate_state)); + + isal_inflate_init(&state); + state.next_in = (uint8_t *) data; + state.avail_in = size; + state.next_out = isal_out_buf; + state.avail_out = out_buf_size; + + iret = isal_inflate_stateless(&state); + + /* Inflate data with zlib */ + zstate.zalloc = Z_NULL; + zstate.zfree = Z_NULL; + zstate.opaque = Z_NULL; + zstate.avail_in = size; + zstate.next_in = (Bytef *) data; + zstate.avail_out = out_buf_size; + zstate.next_out = zlib_out_buf; + inflateInit2(&zstate, -15); + + zret = inflate(&zstate, Z_FINISH); + + if (zret == Z_STREAM_END) { + /* If zlib finished, assert isal finished with the same answer */ + assert(state.block_state == ISAL_BLOCK_FINISH); + assert(zstate.total_out == state.total_out); + assert(memcmp(isal_out_buf, zlib_out_buf, state.total_out) == 0); + } else if (zret < 0) { + if (zret != Z_BUF_ERROR) + /* If zlib errors, assert isal errors, excluding a few + * cases where zlib is overzealous and when zlib notices + * an error faster than isal */ + assert(iret < 0 || strcmp(zstate.msg, z_msg_invalid_code_set) == 0 + || strcmp(zstate.msg, z_msg_invalid_dist_set) == 0 + || strcmp(zstate.msg, z_msg_invalid_lit_len_set) == 0 + || (iret == ISAL_END_INPUT && zstate.avail_in < 3)); + + } else + /* If zlib did not finish or error, assert isal did not finish + * or that isal found an invalid header since isal notices the + * error faster than zlib */ + assert(iret > 0 || iret == ISAL_INVALID_BLOCK); + + inflateEnd(&zstate); + free(isal_out_buf); + free(zlib_out_buf); + return 0; +} diff --git a/src/isa-l/tests/fuzz/igzip_dump_inflate_corpus.c b/src/isa-l/tests/fuzz/igzip_dump_inflate_corpus.c new file mode 100644 index 000000000..36771b3df --- /dev/null +++ b/src/isa-l/tests/fuzz/igzip_dump_inflate_corpus.c @@ -0,0 +1,40 @@ +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include "inflate_std_vects.h" + +#define DNAME_MAX 256 +#define FNAME_MAX (DNAME_MAX + 81) + +int main(int argc, char *argv[]) +{ + uint8_t *buf; + int i, len, err; + FILE *fout = NULL; + char fname[FNAME_MAX]; + char dname[DNAME_MAX]; + + if (argc != 2) { + fprintf(stderr, "Usage: %s <outdir>\n", argv[0]); + exit(1); + } + strncpy(dname, argv[1], DNAME_MAX - 1); + + for (i = 0; i < sizeof(std_vect_array) / sizeof(struct vect_result); i++) { + buf = std_vect_array[i].vector; + len = std_vect_array[i].vector_length; + err = std_vect_array[i].expected_error; + + snprintf(fname, FNAME_MAX, "%s/inflate_corp_n%04d_e%04d", dname, i, err); + printf(" writing %s\n", fname); + fout = fopen(fname, "w+"); + if (!fout) { + fprintf(stderr, "Can't open %s for writing\n", fname); + exit(1); + } + fwrite(buf, len, 1, fout); + fclose(fout); + } + + return 0; +} diff --git a/src/isa-l/tests/fuzz/igzip_fuzz_inflate.c b/src/isa-l/tests/fuzz/igzip_fuzz_inflate.c new file mode 100644 index 000000000..b28739d3b --- /dev/null +++ b/src/isa-l/tests/fuzz/igzip_fuzz_inflate.c @@ -0,0 +1,41 @@ +#define _FILE_OFFSET_BITS 64 +#include <stdio.h> +#include <stdlib.h> +#include <assert.h> +#include <zlib.h> +#include "huff_codes.h" +#include "igzip_lib.h" +#include "test.h" + +extern int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size); + +int main(int argc, char *argv[]) +{ + FILE *in = NULL; + unsigned char *in_buf = NULL; + uint64_t in_file_size; + + if (argc != 2) { + fprintf(stderr, "Usage: isal_fuzz_inflate <infile>\n"); + exit(1); + } + in = fopen(argv[1], "rb"); + if (!in) { + fprintf(stderr, "Can't open %s for reading\n", argv[1]); + exit(1); + } + in_file_size = get_filesize(in); + in_buf = malloc(in_file_size); + + if (in_buf == NULL) { + fprintf(stderr, "Failed to malloc input and outputs buffers\n"); + exit(1); + } + + if (fread(in_buf, 1, in_file_size, in) != in_file_size) { + fprintf(stderr, "Failed to read from %s\n", argv[1]); + exit(1); + } + + return LLVMFuzzerTestOneInput(in_buf, in_file_size); +} diff --git a/src/isa-l/tests/fuzz/igzip_simple_inflate_fuzz_test.c b/src/isa-l/tests/fuzz/igzip_simple_inflate_fuzz_test.c new file mode 100644 index 000000000..b5f22e845 --- /dev/null +++ b/src/isa-l/tests/fuzz/igzip_simple_inflate_fuzz_test.c @@ -0,0 +1,22 @@ +#include <stdlib.h> +#include <stdint.h> +#include <stddef.h> +#include "igzip_lib.h" + +int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size) +{ + struct inflate_state state; + uint8_t *isal_out_buf = (uint8_t *) (malloc(size * 2)); + size_t out_buf_size = 2 * size; + + isal_inflate_init(&state); + state.next_in = (uint8_t *) data; + state.avail_in = size; + state.next_out = isal_out_buf; + state.avail_out = out_buf_size; + + isal_inflate_stateless(&state); + + free(isal_out_buf); + return 0; +} diff --git a/src/isa-l/tests/fuzz/igzip_simple_round_trip_fuzz_test.c b/src/isa-l/tests/fuzz/igzip_simple_round_trip_fuzz_test.c new file mode 100644 index 000000000..381969156 --- /dev/null +++ b/src/isa-l/tests/fuzz/igzip_simple_round_trip_fuzz_test.c @@ -0,0 +1,130 @@ +#include <stdlib.h> +#include <stdint.h> +#include <stddef.h> +#include <string.h> +#include <assert.h> +#include <byteswap.h> +#include "igzip_lib.h" +#include "unaligned.h" + +#define LEVEL_BITS 2 +#define HEADER_BITS 3 +#define LVL_BUF_BITS 3 + +#define LEVEL_BIT_MASK ((1<<LEVEL_BITS) - 1) +#define HEADER_BIT_MASK ((1<<HEADER_BITS) - 1) +#define TYPE0_HDR_SIZE 5 +#define TYPE0_MAX_SIZE 65535 + +#define MIN(x,y) (((x) > (y)) ? y : x ) + +const int header_size[] = { + 0, //IGZIP_DEFLATE + 10, //IGZIP_GZIP + 0, //IGZIP_GZIP_NO_HDR + 2, //IGZIP_ZLIB + 0, //IGZIP_ZLIB_NO_HDR +}; + +const int trailer_size[] = { + 0, //IGZIP_DEFLATE + 8, //IGZIP_GZIP + 8, //IGZIP_GZIP_NO_HDR + 4, //IGZIP_ZLIB + 4, //IGZIP_ZLIB_NO_HDR +}; + +int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size) +{ + struct inflate_state istate; + struct isal_zstream cstate; + uint8_t *in_data = (uint8_t *) data; + int ret = 1; + + // Parameter default + int level = 1; + int lev_buf_size = ISAL_DEF_LVL1_DEFAULT; + int wrapper_type = 0; + size_t cmp_buf_size = size + ISAL_DEF_MAX_HDR_SIZE; + + // Parameters are set by one byte of data input + if (size > 1) { + uint8_t in_param = in_data[--size]; + level = MIN(in_param & LEVEL_BIT_MASK, ISAL_DEF_MAX_LEVEL); + in_param >>= LEVEL_BITS; + + wrapper_type = (in_param & HEADER_BIT_MASK) % (IGZIP_ZLIB_NO_HDR + 1); + in_param >>= HEADER_BITS; + + switch (level) { + case 0: + lev_buf_size = ISAL_DEF_LVL0_MIN + (in_param) * + (ISAL_DEF_LVL0_EXTRA_LARGE / LEVEL_BIT_MASK); + break; + case 1: + lev_buf_size = ISAL_DEF_LVL1_MIN + (in_param) * + (ISAL_DEF_LVL1_EXTRA_LARGE / LEVEL_BIT_MASK); + break; +#ifdef ISAL_DEF_LVL2_MIN + case 2: + lev_buf_size = ISAL_DEF_LVL2_MIN + (in_param) * + (ISAL_DEF_LVL2_EXTRA_LARGE / LEVEL_BIT_MASK); + break; +#endif +#ifdef ISAL_DEF_LVL3_MIN + case 3: + lev_buf_size = ISAL_DEF_LVL3_MIN + (in_param) * + (ISAL_DEF_LVL3_EXTRA_LARGE / LEVEL_BIT_MASK); + break; +#endif + } + if (0 == level) + cmp_buf_size = 2 * size + ISAL_DEF_MAX_HDR_SIZE; + else + cmp_buf_size = size + 8 + (TYPE0_HDR_SIZE * (size / TYPE0_MAX_SIZE)); + + cmp_buf_size += header_size[wrapper_type] + trailer_size[wrapper_type]; + } + + uint8_t *isal_cmp_buf = (uint8_t *) malloc(cmp_buf_size); + uint8_t *isal_out_buf = (uint8_t *) malloc(size); + uint8_t *isal_lev_buf = (uint8_t *) malloc(lev_buf_size); + assert(NULL != isal_cmp_buf || NULL != isal_out_buf || NULL != isal_lev_buf); + + isal_deflate_init(&cstate); + cstate.end_of_stream = 1; + cstate.flush = NO_FLUSH; + cstate.next_in = in_data; + cstate.avail_in = size; + cstate.next_out = isal_cmp_buf; + cstate.avail_out = cmp_buf_size; + cstate.level = level; + cstate.level_buf = isal_lev_buf; + cstate.level_buf_size = lev_buf_size; + cstate.gzip_flag = wrapper_type; + ret = isal_deflate_stateless(&cstate); + + isal_inflate_init(&istate); + istate.next_in = isal_cmp_buf; + istate.avail_in = cstate.total_out; + istate.next_out = isal_out_buf; + istate.avail_out = size; + istate.crc_flag = wrapper_type; + ret |= isal_inflate_stateless(&istate); + ret |= memcmp(isal_out_buf, in_data, size); + + // Check trailer + uint32_t crc = 0; + int trailer_idx = cstate.total_out - trailer_size[wrapper_type]; + + if (wrapper_type == IGZIP_GZIP || wrapper_type == IGZIP_GZIP_NO_HDR) + crc = load_u32(&isal_cmp_buf[trailer_idx]); + else if (wrapper_type == IGZIP_ZLIB || wrapper_type == IGZIP_ZLIB_NO_HDR) + crc = bswap_32(load_u32(&isal_cmp_buf[trailer_idx])); + + assert(istate.crc == crc); + free(isal_cmp_buf); + free(isal_out_buf); + free(isal_lev_buf); + return ret; +} |