Add fuzzing support for some libpurple features

Review Request #760 — Created June 17, 2021 and submitted

Information

pidgin/pidgin
release-2.x.y
f76508a3cd3c

Reviewers

Add fuzzing support for some libpurple features

Hi!

I built and tested all of these fuzzers for libpurple.

You can build them by first building pidgin/libpurple with --enable-fuzzing then going into libpurple/tests and run make check. After that you can run these fuzzers. With a dictionary if you want :)

for example:

$ ./fuzz_markup_strip_html -dict=dictionaries/html.dict
Dictionary: 465 entries
INFO: Seed: 2274862685
INFO: Loaded 1 modules   (3 inline 8-bit counters): 3 [0x5a4ec0, 0x5a4ec3),
INFO: Loaded 1 PC tables (3 PCs): 3 [0x568ee8,0x568f18),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2      INITED cov: 2 ft: 2 corp: 1/1b exec/s: 0 rss: 30Mb
#1048576        pulse  cov: 2 ft: 2 corp: 1/1b lim: 4096 exec/s: 524288 rss: 789Mb
#2097152        pulse  cov: 2 ft: 2 corp: 1/1b lim: 4096 exec/s: 524288 rss: 792Mb

Best Regards,

Jordy Zomer

Description From Last Updated

My comment apply to all the new source files, I believe.

QuLogicQuLogic

I tested this as a patch before landing it and have some issues.. There's a compiler warnings per fuzzer because …

grimgrim

Probably should sort these.

QuLogicQuLogic

Add license header comment.

QuLogicQuLogic

I assume that data is not NULL-terminated, which is why you need this copy? Should use GLib functions for consistency; …

QuLogicQuLogic

Default should be NULL.

QuLogicQuLogic

I'm still confused on how this works? I assume we need clang for this but there's no check of clang?

grimgrim

Instead of just setting this, we should be checking if it's set to clang and if not then erroring out.

grimgrim

g_new aborts on failure, and only returns NULL for 0 count, so you don't need to check this.

QuLogicQuLogic
JO
JO
JO
QuLogic
  1. 
      
  2. My comment apply to all the new source files, I believe.

    1. Thanks for the feedback! Should be fixed now! Let me know if it's good :)

  3. libpurple/tests/Makefile.am (Diff revision 3)
     
     
     
     
     
     
     

    Probably should sort these.

  4. libpurple/tests/fuzz_html_to_xhtml.c (Diff revision 3)
     
     

    Add license header comment.

  5. libpurple/tests/fuzz_html_to_xhtml.c (Diff revision 3)
     
     

    I assume that data is not NULL-terminated, which is why you need this copy?

    Should use GLib functions for consistency; g_new or similar.

  6. libpurple/tests/fuzz_html_to_xhtml.c (Diff revision 3)
     
     

    Default should be NULL.

  7. 
      
JO
JO
grim
  1. 
      
  2. libpurple/tests/fuzz_html_to_xhtml.c (Diff revision 5)
     
     

    I'm still confused on how this works? I assume we need clang for this but there's no check of clang?

    1. Yeah this needs clang, I added a --enable-fuzzing flag which will set CC to clang and only on that conditions the fuzzers will be built :)

  3. 
      
JO
grim
  1. 
      
  2. configure.ac (Diff revision 6)
     
     

    Instead of just setting this, we should be checking if it's set to clang and if not then erroring out.

    1. Should be fixed now :D

  3. 
      
JO
QuLogic
  1. 
      
  2. libpurple/tests/fuzz_html_to_xhtml.c (Diff revision 7)
     
     
     
     

    g_new aborts on failure, and only returns NULL for 0 count, so you don't need to check this.

    1. Thanks, should be fixed now :)

  3. 
      
JO
QuLogic
  1. Ship It!
  2. 
      
grim
  1. 
      
  2. I tested this as a patch before landing it and have some issues..

    There's a compiler warnings per fuzzer because LLVMFuzzerTestOneInput doesn't have a prototype. This isn't in a header file anywhere even as an extern, so I'm not sure what we want to do here.

    Also the first line of every fuzzer's LLVMFuzzerTestOneInput implementation has 8 spaces instead of a tab.

    fuzz_jabber_caps and fuzz_xmlnode just spam g_assert messages.

    These aren't tied into make check itself and have to be manually run. That's probably fine as it looks like the intent is to run these until their default 20 minute time out kicks in?

    1. Hey Gary, these things should be fixed by now. I added the prototypes, changed the first lines to tabs and added some checks to get rid of the assert messages. The fact that make check doesn't run these was intentional because if you'd have to wait for a fuzzer to find a crash for every test run you do that'll take a lot of time :)

    2. ```$ ./fuzz_jabber_caps |& head -n 10
      INFO: Seed: 2984133111
      INFO: Loaded 1 modules (4 inline 8-bit counters): 4 [0x5abf00, 0x5abf04),
      INFO: Loaded 1 PC tables (4 PCs): 4 [0x56f5e8,0x56f628),
      INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
      INFO: A corpus is not provided, starting from an empty corpus

      (process:3659727): CRITICAL : 02:17:06.272: purple_dbus_register_pointer: assertion 'map_node_id' failed

      (process:3659727): GLib-CRITICAL **: 02:17:06.272: g_hash_table_lookup: assertion 'hash_table != NULL' failed
      ```

    3. Seems to be an issue when you have --enable-dbus, without you don't get this error. Do I have to fix this to configure.ac? Or should people just:
      CC=clang ./configure --enable-fuzzing --disable-cyrus-sasl --disable-gtkui --disable-gstreamer --disable-vv --disable-idn --disable-meanwhile --disable-avahi --disable-libgadu --disable-dbus --disable-libsecret --disable-gnome-keyring --disable-kwallet --disable-plugin

    4. Whether or not it's part of configure, this needs to be documented regardless...

    5. Added some documentation :D

  3. 
      
JO
JO
grim
  1. Ship It!
  2. Thanks for adding the docs!

  3. 
      
grim
Review request changed

Status: Closed (submitted)

Loading...