author | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2022-06-23 16:32:27 +0200 |
committer | Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> | 2022-09-07 18:13:39 +0200 |
commit | 0a33b35bc9e700ed8764c7b8c4b8fda7c8fce44e (patch) | |
tree | a25d591e7a073f4c5fa2636a31bfb692476276ba | |
parent | 2e34d3a813f3187a60a0e12deeda23448e175530 (diff) | |
tools: ipc-modem: tests: Add persistent mode fuzzing toolpatches-todo/sms-test
This tool requires afl++ to be compiled. We can build it with the
following commands:
$ export AFL_USE_ASAN=1
$ export AFL_USE_UBSAN=1
$ export AFL_USE_CFISAN=1
$ export AFL_USE_LSAN=1
$ ./configure --enable-shared=no \
CC=afl-lto LD=afl-ld-lto CFLAGS='-O0 -ggdb3' [...]
$ make
$ make install DESTDIR=$(realpath /tmp/libsamsung-ipc/...)
However the speed gains are huge. With a single core on an Athlon X4
740 on an F2A85M-PRO running Coreboot and Parabola x86_64, with the
compilation settings above, we get around 600 tests per second with
ipc-modem-sms-fuzz, whereas with ipc-modem-sms-fuzz-persistent, we get
around 20k or 30k tests per second.
In addition, with ipc-modem-sms-fuzz, very quickly (in seconds), it
finds 9 crashes, but when running ipc-modem-sms-fuzz recompiled with
CC=afl-lto and LD=afl-ld-lto, we found out that they are all false
positives:
$ for f in id\:00000* ; do ./ipc-modem-sms-fuzz read-sms $f ; done
[E] ipc_modem_parse_sms_pdu:
(raw_pdu_size - offset) > IPC_MODEM_MAX_SMS_MSG_SIZE
[ !! ] check_data: fuzz: test failed with error -22
[E] ipc_modem_parse_sms_pdu:
TP-UDL(128) > IPC_MODEM_MAX_SMS_MSG_SIZE (7)
[I] ipc_modem_parse_sms_pdu: Skipping an SMS whose size is too big
[I] ipc_modem_parse_sms_pdu: Try to send a smaller test SMS
[ !! ] check_data: fuzz: test failed with error -22
[E] ipc_modem_parse_sms_pdu:
TP-UDL(137) > IPC_MODEM_MAX_SMS_MSG_SIZE (7)
[I] ipc_modem_parse_sms_pdu: Skipping an SMS whose size is too big
[I] ipc_modem_parse_sms_pdu: Try to send a smaller test SMS
[ !! ] check_data: fuzz: test failed with error -22
[E] ipc_modem_parse_sms_pdu:
raw_pdu_size (12) < min_header_size + tp_oa_len (129)
[ !! ] check_data: fuzz: test failed with error -22
[E] ipc_modem_parse_sms_pdu:
(raw_pdu_size - offset) > IPC_MODEM_MAX_SMS_MSG_SIZE
[ !! ] check_data: fuzz: test failed with error -22
[E] ipc_modem_parse_sms_pdu:
(raw_pdu_size - offset) > IPC_MODEM_MAX_SMS_MSG_SIZE
[ !! ] check_data: fuzz: test failed with error -22
[E] ipc_modem_parse_sms_pdu:
(raw_pdu_size - offset) > IPC_MODEM_MAX_SMS_MSG_SIZE
[ !! ] check_data: fuzz: test failed with error -22
[E] ipc_modem_parse_sms_pdu:
(raw_pdu_size - offset) > IPC_MODEM_MAX_SMS_MSG_SIZE
[ !! ] check_data: fuzz: test failed with error -22
[E] ipc_modem_parse_sms_pdu:
raw_pdu_size (14) < min_header_size + tp_oa_len (19)
[ !! ] check_data: fuzz: test failed with error -22
That doesn't happen with ipc-modem-sms-fuzz as we test the SMS parsing
code directly.
Signed-off-by: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
-rw-r--r-- | configure.ac | 9 | ||||
-rw-r--r-- | tools/ipc-modem/tests/Makefile.am | 12 | ||||
-rw-r--r-- | tools/ipc-modem/tests/ipc-modem-sms-fuzz-persistent.c | 81 |
3 files changed, 102 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index ae8abe2..98684bb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -58,6 +58,15 @@ AC_ARG_ENABLE(debug,
 AM_CONDITIONAL( [WANT_DEBUG], [test x"$debug" = x"yes"])
 #------------------------------------------------------------------------------
+AC_ARG_ENABLE(afl-persistent-mode,
+ [AS_HELP_STRING([--enable-afl-persistent-mode],
+ [Build extra fuzzing tool(s) that require afl/afl++
+ compilers (default=disabled)])],
+ [afl_persistent_mode=$enableval],
+ [afl_persistent_mode="no"])
+AM_CONDITIONAL( [WANT_AFL_PERSISTENT_MODE],
+ [test x"afl_persistent_mode" = x"yes"])
+#------------------------------------------------------------------------------
 AC_ARG_ENABLE(strict-cflags,
 [AS_HELP_STRING([--enable-strict-cflags],
 [Build with strict cflags (default=disabled)])],
diff --git a/tools/ipc-modem/tests/Makefile.am b/tools/ipc-modem/tests/Makefile.am
index 1be4952..c69adec 100644
--- a/tools/ipc-modem/tests/Makefile.am
+++ b/tools/ipc-modem/tests/Makefile.am
@@ -9,6 +9,10 @@ bin_PROGRAMS = \
 ipc-modem-sms-test \
 $(NULL)
+if WANT_AFL_PERSISTENT_MODE
+bin_PROGRAMS += ipc-modem-sms-fuzz-persistent
+endif
+
 # TODO: Find a way to make test more modular and represent each run of the
 # ipc-modem in TEST while having it implemented in a single python file
 PY_LOG_COMPILER = $(PYTHON)
@@ -28,3 +32,11 @@ ipc_modem_sms_fuzz_SOURCES = \
 ipc-modem-sms-fuzz.c
 ipc_modem_sms_fuzz_LDADD = $(top_builddir)/samsung-ipc/libsamsung-ipc.la
 ipc_modem_sms_fuzz_LDFLAGS = -lpthread
+
+ipc_modem_sms_fuzz_persistent_SOURCES = \
+ ../ipc-modem-log.c \
+ ../ipc-modem-sms.c \
+ ipc-modem-sms-fuzz-persistent.c
+ipc_modem_sms_fuzz_persistent_LDADD = \
+ $(top_builddir)/samsung-ipc/libsamsung-ipc.la
+ipc_modem_sms_fuzz_persistent_LDFLAGS = -lpthread
diff --git a/tools/ipc-modem/tests/ipc-modem-sms-fuzz-persistent.c b/tools/ipc-modem/tests/ipc-modem-sms-fuzz-persistent.c
new file mode 100644
index 0000000..a4f5efe
--- /dev/null
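Review bot: The new AM_CONDITIONAL in configure.ac tests `x"afl_persistent_mode"` without the `$`, so it compares the literal string "afl_persistent_mode" against "yes" and WANT_AFL_PERSISTENT_MODE is false even when --enable-afl-persistent-mode is passed; it should read `[test x"$afl_persistent_mode" = x"yes"]`, matching the WANT_DEBUG line directly above it. As written, the `if WANT_AFL_PERSISTENT_MODE` block added to tools/ipc-modem/tests/Makefile.am in this same commit never adds ipc-modem-sms-fuzz-persistent to bin_PROGRAMS, so the tool the commit message describes cannot be built through configure. A quick check is to run configure with the option and grep config.status for WANT_AFL_PERSISTENT_MODE_TRUE.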
+++ b/tools/ipc-modem/tests/ipc-modem-sms-fuzz-persistent.c 
@@ -0,0 +1,81 @@
+/*
+ * This file is part of libsamsung-ipc.
+ *
+ * Copyright (C) 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
+ *
+ * libsamsung-ipc is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * libsamsung-ipc is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with libsamsung-ipc. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sysexits.h>
+#include <unistd.h>
+
+#include <samsung-ipc.h>
+
+#include "../ipc-modem-log.h"
+#include "../ipc-modem-sms.h"
+
+__AFL_FUZZ_INIT();
+
+static int run_test(struct ipc_modem_data *data)
+{
+ struct sms_header *sms_header = NULL;
+ char *sms_text = NULL;
+
+ unsigned char *sms_pdu = __AFL_FUZZ_TESTCASE_BUF;
+ int rc;
+ int sms_pdu_size;
+
+ while (__AFL_LOOP(10000)) {
+ sms_pdu_size = __AFL_FUZZ_TESTCASE_LEN;
+
+ rc = ipc_modem_parse_sms_pdu(data, sms_pdu, sms_pdu_size,
+ &sms_header, &sms_text);
+ if (rc == 0) {
+ free(sms_header);
+ free(sms_text);
+ }
+ }
+
+ return 0;
+}
+
+int main(int argc, char *argv[])
+{
+ struct ipc_modem_data data;
+ int rc;
+
+ bzero((void *)&data, sizeof(data));
+
+ data.client = ipc_client_create(IPC_CLIENT_TYPE_DUMMY);
+
+ data.debug = true;
+ if (data.debug == 0)
+ ipc_client_log_callback_register(data.client,
+ modem_log_handler_quiet,
+ NULL);
+ else
+ ipc_client_log_callback_register(data.client,
+ modem_log_handler,
+ NULL);
+ rc = run_test(&data);
+
+ ipc_client_destroy(data.client);
+
+ return rc;
+}
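Review bot: The result of `ipc_client_create(IPC_CLIENT_TYPE_DUMMY)` in main() is never checked, so a NULL client is handed to ipc_client_log_callback_register and then into the fuzz loop; add `if (data.client == NULL) return EX_OSERR;` right after the create call (sysexits.h is already included for that). The `if (data.debug == 0)` branch immediately after `data.debug = true;` can never be taken, so the quiet handler is dead code — either drop that branch or derive the verbosity from argv, which is otherwise unused together with argc. In run_test, sms_header and sms_text are set to NULL only once before the loop and only freed when rc == 0; if ipc_modem_parse_sms_pdu can return non-zero after allocating one of the outputs, that allocation leaks on every such iteration and will surface as a false LSAN report under AFL_USE_LSAN=1 — worth confirming against the parser's contract, or freeing both outputs unconditionally and re-nulling them each iteration. `bzero((void *)&data, sizeof(data))` is a legacy BSD call declared in <strings.h>; `memset(&data, 0, sizeof data)` uses the <string.h> the file already includes and needs no cast.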