Merge pull request #3802 from evverx/build-system-fuzzers

oss-fuzz: switch to --enable-fuzzers

Merge pull request #3802 from evverx/build-system-fuzzers
94363265 · Christian Brauner · GitHub · 8f7b7b8d · a10327e7 · 94363265
Unverified Commit 94363265 authored Apr 28, 2021 by Christian Brauner Committed by GitHub Apr 28, 2021
10 changed files
--- a/.github/workflows/sanitizers.sh
+++ b/.github/workflows/sanitizers.sh
@@ -20,8 +20,13 @@ apt-get install --yes --no-install-recommends \
    python3-setuptools rsync squashfs-tools uidmap unzip uuid-runtime \
    wget xz-utils
+ARGS="--enable-sanitizers --enable-tests --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --disable-no-undefined"
+case "$CC" in clang*)
+	ARGS="$ARGS --enable-fuzzers"
+esac
 ./autogen.sh
-CFLAGS="-Wall -Werror" ./configure --enable-sanitizers --enable-tests --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --disable-no-undefined
+CFLAGS="-Wall -Werror" ./configure $ARGS
 make
 make install

--- a/.github/workflows/sanitizers.yml
+++ b/.github/workflows/sanitizers.yml
@@ -17,4 +17,4 @@ jobs:
      - name: Build
        run: |
-          sudo CC=${{ matrix.compiler }} .github/workflows/sanitizers.sh
+          sudo CC=${{ matrix.compiler }} CXX=${{ matrix.compiler }}++ .github/workflows/sanitizers.sh
--- a/configure.ac
+++ b/configure.ac
@@ -62,6 +62,7 @@ if test "x$valid_compiler" = "xno"; then
 fi
 AC_PROG_GCC_TRADITIONAL
+AC_PROG_CXX
 AC_ENABLE_SHARED
 AC_ENABLE_STATIC
 # Check binaries
@@ -205,6 +206,13 @@ AC_ARG_ENABLE([no_undefined],
 	[enable_no_undefined=$enableval], [enable_no_undefined=yes])
 AM_CONDITIONAL([ENABLE_NO_UNDEFINED], [test "x$enable_no_undefined" = "xyes"])
+AC_ARG_ENABLE([fuzzers],
+	[AS_HELP_STRING([--enable-fuzzers], [compile with fuzzers])],
+	[enable_fuzzers=$enableval], [enable_fuzzers=no])
+AM_CONDITIONAL([ENABLE_FUZZERS], [test "x$enable_fuzzers" = "xyes"])
+AM_CONDITIONAL([OSS_FUZZ], [test "x$LIB_FUZZING_ENGINE" != x])
 # Allow disabling rpath
 AC_ARG_ENABLE([rpath],
 	[AS_HELP_STRING([--enable-rpath], [set rpath in executables [default=no]])],
@@ -476,6 +484,17 @@ else
 	AC_MSG_RESULT([no])
 fi
+if test "x$enable_fuzzers" = "xyes"; then
+	if test "x$LIB_FUZZING_ENGINE" = x; then
+		CC_CHECK_FLAGS_APPEND([AM_CFLAGS],[CFLAGS],[ \
+			-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
+			-fsanitize=fuzzer-no-link])
+	fi
+else
+	CC_CHECK_FLAGS_APPEND([AM_CFLAGS],[CFLAGS],[-flto=thin])
+fi
+AC_SUBST(AM_CFLAGS)
 # Optional test binaries
 AC_ARG_ENABLE([tests],
 	[AS_HELP_STRING([--enable-tests], [build test/example binaries [default=no]])],
@@ -800,7 +819,6 @@ CC_CHECK_FLAGS_APPEND([AM_CFLAGS],[CFLAGS],[ \
 	-Warray-bounds \
 	-Wrestrict \
 	-Wreturn-local-addr \
-	-flto=thin \
 	-fsanitize=cfi \
 	-Wstringop-overflow])
 AC_SUBST(AM_CFLAGS)
@@ -1124,6 +1142,7 @@ Debugging:
 - Coverity: $enable_coverity_build
 - mutex debugging: $enable_mutex_debugging
 - tests: $enable_tests
+ - fuzzers: $enable_fuzzers
 Paths:
 - Logs in configpath: $enable_configpath_log

--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -1932,6 +1932,9 @@ init_lxc_static_CFLAGS = $(AM_CFLAGS) -DNO_LXC_CONF
 if ENABLE_SANITIZERS
 init_lxc_static_CFLAGS += -fno-sanitize=address,undefined
 endif
+if ENABLE_FUZZERS
+init_lxc_static_CFLAGS += -fno-sanitize=fuzzer-no-link
+endif
 endif
 endif

--- a/src/lxc/log.c
+++ b/src/lxc/log.c
@@ -508,7 +508,10 @@ static int build_dir(const char *name)
 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 		ret = lxc_unpriv(mkdir(n, 0755));
 #else
-		ret = errno = EEXIST;
+		if (is_in_comm("fuzz-lxc-") > 0)
+			ret = errno = EEXIST;
+		else
+			ret = lxc_unpriv(mkdir(n, 0755));
 #endif /*!FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
 		*p = '/';
 		if (ret && errno != EEXIST)
@@ -521,10 +524,14 @@ static int build_dir(const char *name)
 static int log_open(const char *name)
 {
 	int newfd = -EBADF;
-#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 	__do_close int fd = -EBADF;
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
 	fd = lxc_unpriv(open(name, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, 0660));
+#else
+	if (is_in_comm("fuzz-lxc-") <= 0)
+		fd = lxc_unpriv(open(name, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, 0660));
+#endif /* !FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
 	if (fd < 0)
 		return log_error_errno(-errno, errno, "Failed to open log file \"%s\"", name);
@@ -534,7 +541,6 @@ static int log_open(const char *name)
 	newfd = fcntl(fd, F_DUPFD_CLOEXEC, STDERR_FILENO);
 	if (newfd < 0)
 		return log_error_errno(-errno, errno, "Failed to dup log fd %d", fd);
-#endif /* !FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
 	return newfd;
 }

--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -12,6 +12,7 @@
 #include <stdarg.h>
 #include <stdbool.h>
 #include <stdio.h>
+#include <string.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <sys/vfs.h>
@@ -271,4 +272,28 @@ static inline __u32 copy_struct_to_client(__u32 client_size, void *dst,
 	return size;
 }
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+static inline int is_in_comm(const char *s)
+{
+	__do_free char *buf = NULL;
+	__do_free char *comm = NULL;
+	size_t buf_size;
+	buf = file_to_buf("/proc/self/comm", &buf_size);
+	if (!buf)
+		return -1;
+	if (buf_size == 0)
+		return -1;
+	comm = malloc(buf_size + 1);
+	if (!comm)
+		return -1;
+	memcpy(comm, buf, buf_size);
+	comm[buf_size] = '\0';
+	return strstr(comm, s) != NULL;
+}
+#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
 #endif /* __LXC_UTILS_H */
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -791,6 +791,29 @@ bin_SCRIPTS += lxc-test-lxc-attach \
 endif
 endif
+if ENABLE_FUZZERS
+LIB_FUZZING_ENGINE ?= -fsanitize=fuzzer
+# https://google.github.io/oss-fuzz/getting-started/new-project-guide/#Requirements
+nodist_EXTRA_fuzz_lxc_config_read_SOURCES = dummy.cxx
+fuzz_lxc_config_read_SOURCES = fuzz-lxc-config-read.c
+fuzz_lxc_config_read_CFLAGS = $(AM_CFLAGS)
+fuzz_lxc_config_read_CXXFLAGS = $(AM_CFLAGS)
+fuzz_lxc_config_read_LDFLAGS = $(AM_LDFLAGS) -static
+fuzz_lxc_config_read_LDADD = $(LDADD) $(LIB_FUZZING_ENGINE)
+nodist_EXTRA_fuzz_lxc_define_load_SOURCES = dummy.cxx
+fuzz_lxc_define_load_SOURCES = fuzz-lxc-define-load.c
+fuzz_lxc_define_load_CFLAGS = $(AM_CFLAGS)
+fuzz_lxc_define_load_CXXFLAGS = $(AM_CFLAGS)
+fuzz_lxc_define_load_LDFLAGS = $(AM_LDFLAGS) -static
+fuzz_lxc_define_load_LDADD = $(LDADD) $(LIB_FUZZING_ENGINE)
+bin_PROGRAMS += fuzz-lxc-config-read \
+	        fuzz-lxc-define-load
+bin_SCRIPTS += lxc-test-fuzzers
+endif
 endif
 EXTRA_DIST = basic.c \

--- a/src/tests/lxc-test-fuzzers
+++ b/src/tests/lxc-test-fuzzers
+#!/bin/bash
+set -eux
+set -o pipefail
+TMP_DIR=`mktemp -d`
+export ASAN_OPTIONS=${ASAN_OPTIONS:-detect_stack_use_after_return=1:check_initialization_order=1:strict_init_order=1:strict_string_checks=1}
+export UBSAN_OPTIONS=${UBSAN_OPTIONS:-print_stacktrace=1:print_summary=1:halt_on_error=1}
+cleanup() {
+    rm -rf "$TMP_DIR"
+}
+trap cleanup exit
+for fuzzer in /usr/bin/fuzz-lxc-*; do
+    name=$(basename "$fuzzer")
+    corpus_dir="$TMP_DIR/$name"
+    mkdir -p "$corpus_dir"
+    if wget --directory-prefix="$TMP_DIR" https://storage.googleapis.com/lxc-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/lxc_$name/public.zip; then
+        unzip -q -d "$corpus_dir" "$TMP_DIR/public.zip"
+    fi
+    "$fuzzer" -max_total_time=120 "$corpus_dir"
+done
--- a/src/tests/lxc-test-utils.c
+++ b/src/tests/lxc-test-utils.c
@@ -594,6 +594,15 @@ void test_task_blocks_signal(void)
 	return;
 }
+void test_is_in_comm(void)
+{
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+	lxc_test_assert_abort(is_in_comm("fuzz-lxc-") == 0);
+	lxc_test_assert_abort(is_in_comm("lxc-test") == 1);
+	lxc_test_assert_abort(is_in_comm("") == 1);
+#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
+}
 int main(int argc, char *argv[])
 {
 	test_lxc_string_replace();
@@ -606,6 +615,7 @@ int main(int argc, char *argv[])
 	test_parse_byte_size_string();
 	test_lxc_config_net_is_hwaddr();
 	test_task_blocks_signal();
+	test_is_in_comm();
 	exit(EXIT_SUCCESS);
 }
--- a/src/tests/oss-fuzz.sh
+++ b/src/tests/oss-fuzz.sh
@@ -24,9 +24,6 @@ mkdir -p $OUT
 export LIB_FUZZING_ENGINE=${LIB_FUZZING_ENGINE:--fsanitize=fuzzer}
-# AFL++ and hoggfuzz are both incompatible with lto=thin apparently
-sed -i '/-flto=thin/d' configure.ac
 # turn off the libutil dependency
 sed -i 's/^AC_CHECK_LIB(util/#/' configure.ac
@@ -39,14 +36,15 @@ sed -i 's/^AC_CHECK_LIB(util/#/' configure.ac
    --disable-selinux \
    --disable-seccomp \
    --disable-capabilities \
-    --disable-no-undefined
+    --disable-no-undefined \
+    --enable-tests \
+    --enable-fuzzers
 make -j$(nproc)
 for fuzz_target_source in src/tests/fuzz-lxc*.c; do
    fuzz_target_name=$(basename "$fuzz_target_source" ".c")
-    $CC -c -o "$fuzz_target_name.o" $CFLAGS -Isrc -Isrc/lxc "$fuzz_target_source"
+    cp "src/tests/$fuzz_target_name" "$OUT"
-    $CXX $CXXFLAGS $LIB_FUZZING_ENGINE "$fuzz_target_name.o" src/lxc/.libs/liblxc.a -o "$OUT/$fuzz_target_name"
 done
 perl -lne 'if (/config_jump_table\[\]\s*=/../^}/) { /"([^"]+)"/ && print "$1=" }' src/lxc/confile.c >doc/examples/keys.conf