From: Kostya Serebryany
Date: Tue, 27 Sep 2016 00:27:40 +0000 (+0000)
Subject: [libFuzzer] add a test based on openssl-1.0.1f (finds heartbleed)
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=fb4808fb9eacbd7414c01e3c7ee15b9fd1cb4e7c;p=llvm
[libFuzzer] add a test based on openssl-1.0.1f (finds heartbleed)
git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@282460 91177308-0d34-0410-b5e6-96231b3b80d8
---
diff --git a/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/build.sh b/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/build.sh
new file mode 100755
index 00000000000..33e77a00c91
--- /dev/null
+++ b/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/build.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+[ -e $(basename $0) ] && echo "PLEASE USE THIS SCRIPT FROM ANOTHER DIR" && exit 1
+SCRIPT_DIR=$(dirname $0)
+EXECUTABLE_NAME_BASE=$(basename $SCRIPT_DIR)
+LIBFUZZER_SRC=$(dirname $(dirname $SCRIPT_DIR))
+JOBS=20
+
+# FUZZ_CXXFLAGS=" -g -fsanitize=address -fsanitize-coverage=edge"
+FUZZ_CXXFLAGS=" -g -fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div"
+
+get() {
+ [ ! -e SRC ] && git clone https://github.com/openssl/openssl.git SRC && (cd SRC && git checkout OpenSSL_1_0_1f)
+# [ ! -e SRC ] && wget https://www.openssl.org/source/openssl-1.0.1f.tar.gz && tar xf openssl-1.0.1f.tar.gz && mv openssl-1.0.1f SRC
+}
+build_lib() {
+ rm -rf BUILD
+ cp -rf SRC BUILD
+ (cd BUILD && ./config && make clean && make CC="clang $FUZZ_CXXFLAGS" -j $JOBS)
+}
+
+get
+build_lib
+$LIBFUZZER_SRC/build.sh
+clang++ -g $SCRIPT_DIR/target.cc -DCERT_PATH=\"$SCRIPT_DIR/\" $FUZZ_CXXFLAGS BUILD/libssl.a BUILD/libcrypto.a libFuzzer.a -o $EXECUTABLE_NAME_BASE
diff --git a/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/server.key b/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/server.key
new file mode 100644
index 00000000000..4e887edb0e1
--- /dev/null
+++ b/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/server.key
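Review bot: Nothing stops the script on failure: without `set -e` a clone or checkout that fails inside `get` leaves a partial SRC that the `[ ! -e SRC ]` guard treats as complete on the next run, and a failed `./config` or `make` in `build_lib` still reaches the final `clang++` line, which then links stale or missing archives. Add `set -eu` after the shebang and write `get` as `if [ ! -e SRC ]; then git clone https://github.com/openssl/openssl.git SRC && (cd SRC && git checkout OpenSSL_1_0_1f); fi` so that an already-present SRC is not itself a failing status. The checkout is by tag name, which upstream can move; pinning the commit that the tag resolved to (`git checkout <commit-hash-of-OpenSSL_1_0_1f, fill in>`) keeps the harness reproducible. `$0`, `$SCRIPT_DIR` and `$LIBFUZZER_SRC` are expanded unquoted on the `[ -e ]` test, the `dirname` calls and the link line, so a path containing spaces breaks them.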
@@ -0,0 +1,10 @@
+-----BEGIN PRIVATE KEY-----
+MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA1AdZNDVOA9cXm97f
+erp1bukz2kohjToJS6Ma8fOb36VV9lQGmDNsJanXFiqafOgV+kh1HXqZ3l1I0JmZ
+71b+QQIDAQABAkAHGfPn5r0lLcgRpWZQwvv56f+dmQwEoeP7z4uwfNtEo0JcRD66
+1WRCvx3LE0VbNeaEdNmSPiRXhlwIggjfrBi9AiEA9UusPBcEp/QcPGs96nQQdQzE
+fw4x0HL/eSV3qHimT6MCIQDdSAiX4Ouxoiwn/9KhDMcZXRYX/OPzj6w8u1YIH7BI
+ywIgSozbJdAhHCJ2ym4VfUIVFl3xAmSAA0hQGLOocE1qzl0CIQDRicOxZmhqBiKA
+IgznOn1StEYWov+MhRFZVSBLgw5gbwIgJzOlSlu0Y22hEUsLCKyHBrCAZZHcZ020
+20pfogmQYn0=
+-----END PRIVATE KEY-----
diff --git a/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/server.pem b/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/server.pem
new file mode 100644
index 00000000000..a7962debc37
--- /dev/null
+++ b/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/server.pem
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBYTCCAQugAwIBAgIJAMPQQtUHkx+KMA0GCSqGSIb3DQEBCwUAMAwxCjAIBgNV
+BAMMAWEwHhcNMTYwOTI0MjIyMDUyWhcNNDQwMjA5MjIyMDUyWjAMMQowCAYDVQQD
+DAFhMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANQHWTQ1TgPXF5ve33q6dW7pM9pK
+IY06CUujGvHzm9+lVfZUBpgzbCWp1xYqmnzoFfpIdR16md5dSNCZme9W/kECAwEA
+AaNQME4wHQYDVR0OBBYEFCXtEo9rkLuKGSlm0mFE4Yk/HDJVMB8GA1UdIwQYMBaA
+FCXtEo9rkLuKGSlm0mFE4Yk/HDJVMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL
+BQADQQCnldOnbdNJZxBO/J+979Urg8qDp8MnlN0979AmK1P5/YzPnAF4BU7QTOTE
+imS5qZ0MvziBa81nVlnnFRkIezcD
+-----END CERTIFICATE-----
diff --git a/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/target.cc b/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/target.cc
new file mode 100644
index 00000000000..9dc2d5dc21b
--- /dev/null
+++ b/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/target.cc
@@ -0,0 +1,39 @@
+#include
+#include
+#include
+#include
+#include
+
+#ifndef CERT_PATH
+# define CERT_PATH
+#endif
+
+SSL_CTX *Init() {
+ SSL_library_init();
+ SSL_load_error_strings();
+ ERR_load_BIO_strings();
+ OpenSSL_add_all_algorithms();
+ SSL_CTX *sctx;
+ assert (sctx = SSL_CTX_new(TLSv1_method()));
+ /* These two file were created with this command:
+ openssl req -x509 -newkey rsa:512 -keyout server.key \
+ -out server.pem -days 9999 -nodes -subj /CN=a/
+ */
+ assert(SSL_CTX_use_certificate_file(sctx, CERT_PATH "server.pem",
+ SSL_FILETYPE_PEM));
+ assert(SSL_CTX_use_PrivateKey_file(sctx, CERT_PATH "server.key",
+ SSL_FILETYPE_PEM));
+ return sctx;
+}
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+ static SSL_CTX *sctx = Init();
+ SSL *server = SSL_new(sctx);
+ BIO *sinbio = BIO_new(BIO_s_mem());
+ BIO *soutbio = BIO_new(BIO_s_mem());
+ SSL_set_bio(server, sinbio, soutbio);
+ SSL_set_accept_state(server);
+ BIO_write(sinbio, Data, Size);
+ SSL_do_handshake(server);
+ SSL_free(server);
+ return 0;
+}
diff --git a/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/test.sh b/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/test.sh
new file mode 100755
index 00000000000..34132e5b300
--- /dev/null
+++ b/lib/Fuzzer/fuzzer-test-suite/openssl-1.0.1f/test.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Find heartbleed.
+set -x
+[ -e openssl-1.0.1f ] && ./openssl-1.0.1f -max_total_time=300 2>&1 | tee log
+grep -Pzo "(?s)ERROR: AddressSanitizer: heap-buffer-overflow.*READ of size.*#1 0x.* in tls1_process_heartbeat .*ssl/t1_lib.c:2586" log
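Review bot: In `Init` the calls that create the context and load the certificate and key are placed inside `assert(...)`, so a build with `-DNDEBUG` compiles them out, leaving `sctx` uninitialised and the context without a certificate; the handshake then fails long before the code the harness is meant to reach. Move each call out of the assert and check its result separately, as below (`SSL_CTX_use_certificate_file` and `SSL_CTX_use_PrivateKey_file` return 1 on success). `SSL_new` and the two `BIO_new` results in `LLVMFuzzerTestOneInput` are likewise used without a null check, and `BIO_write(sinbio, Data, Size)` narrows `size_t` to the `int` length the BIO API takes, so an input longer than INT_MAX would be passed as a negative length; a guard such as `if (Size > INT_MAX) return 0;` before the write keeps the harness inside the API contract.
```cpp
SSL_CTX *Init() {
  // … unchanged: SSL_library_init / error strings / algorithms …
  SSL_CTX *sctx = SSL_CTX_new(TLSv1_method());
  assert(sctx);
  // … unchanged: comment describing how server.pem / server.key were generated …
  int rc = SSL_CTX_use_certificate_file(sctx, CERT_PATH "server.pem",
                                        SSL_FILETYPE_PEM);
  assert(rc == 1);
  rc = SSL_CTX_use_PrivateKey_file(sctx, CERT_PATH "server.key",
                                   SSL_FILETYPE_PEM);
  assert(rc == 1);
  return sctx;
}
```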
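Review bot: The `grep` on the last line reads `log` whether or not the fuzzer actually ran, so when the `openssl-1.0.1f` binary is absent the script scores a stale `log` left by an earlier run instead of failing. Replace the guard with `[ -e openssl-1.0.1f ] || exit 1` and delete the old file first (`rm -f log`) so the exit status reflects this run only. The pattern pins the crash to frame `#1` and line `ssl/t1_lib.c:2586`, which is reasonable for a fixed release but deserves a comment such as `# frame/line are specific to OpenSSL_1_0_1f; update if the target source changes`. `grep -Pzo` also needs GNU grep built with PCRE support, which is worth stating in the same comment.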