1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
// Copyright 2024 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifdef UNSAFE_BUFFERS_BUILD
// TODO(crbug.com/351564777): Remove this and convert code to safer constructs.
#pragma allow_unsafe_buffers
#endif
#include <algorithm>
#include "base/containers/span.h"
#include "base/files/file.h"
#include "base/logging.h"
#include "base/threading/thread_restrictions.h"
#include "v8/src/fuzzilli/cov.h"
#define WEAK_SANCOV_DEF(return_type, name, ...) \
extern "C" __attribute__((visibility("default"))) __attribute__((weak)) \
return_type \
name(__VA_ARGS__)
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_cmp, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_cmp1, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_cmp2, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_cmp4, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_cmp8, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_const_cmp1, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_const_cmp2, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_const_cmp4, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_const_cmp8, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_switch, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_div4, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_div8, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_gep, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_pc_indir, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_8bit_counters_init, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_bool_flag_init, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_pcs_init, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_cfs_init, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_pc_guard, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_trace_pc_guard_init, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_load1, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_load2, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_load4, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_load8, void) {}
WEAK_SANCOV_DEF(void, __sanitizer_cov_load16, void) {}
// File descriptors used for communication with Fuzzilli.
constexpr base::PlatformFile kControlReadFd = 100;
constexpr base::PlatformFile kControlWriteFd = 101;
constexpr base::PlatformFile kDataReadFd = 102;
int LLVMFuzzerRunDriverImpl(int* argc,
char*** argv,
int (*UserCb)(const uint8_t* Data, size_t Size)) {
// Allow blocking for the whole fuzzing session.
base::ScopedAllowBlockingForTesting allow_blocking;
// Open files for communication with Fuzzilli.
auto ctrl_read_file = base::File(base::ScopedPlatformFile(kControlReadFd));
auto ctrl_write_file = base::File(base::ScopedPlatformFile(kControlWriteFd));
auto data_read_file = base::File(base::ScopedPlatformFile(kDataReadFd));
// Send the "HELO" message to Fuzzilli to establish communication.
constexpr auto kHelloMessage = base::span_from_cstring("HELO");
constexpr size_t kExpectedSize = kHelloMessage.size();
static_assert(kExpectedSize == 4);
ctrl_write_file.WriteAtCurrentPosAndCheck(base::as_bytes(kHelloMessage));
char actual_magic[kExpectedSize] = {};
ctrl_read_file.ReadAtCurrentPosAndCheck(
base::as_writable_byte_span(actual_magic));
CHECK(std::ranges::equal(kHelloMessage, actual_magic));
while (true) {
// Read the action message ("exec") from Fuzzilli.
constexpr auto kExpectedAction = base::span_from_cstring("exec");
uint8_t action_msg[kExpectedAction.size()];
if (!ctrl_read_file.ReadAtCurrentPosAndCheck(base::span(action_msg)) ||
!std::ranges::equal(kExpectedAction, action_msg)) {
LOG(WARNING) << "Unexpected message from Fuzzilli: " << action_msg;
return 0;
}
// Read the size of the JavaScript script from Fuzzilli.
uint64_t script_size = 0;
ctrl_read_file.ReadAtCurrentPosAndCheck(
base::as_writable_bytes(base::span_from_ref(script_size)));
// Read the JavaScript script from Fuzzilli.
std::vector<uint8_t> buffer(script_size + 1);
data_read_file.ReadAtCurrentPosAndCheck(
base::span(buffer.data(), script_size));
buffer[script_size] = 0;
// Run the script:
int status = UserCb(buffer.data(), script_size) ? 1 << 8 : 0;
// Fuzzilli status is similar to the Linux return status. Lower 8 bits are
// used for signals, and higher 8 bits for return code.
ctrl_write_file.WriteAtCurrentPosAndCheck(base::byte_span_from_ref(status));
// After every iteration, we reset the coverage edges so that we can mark
// which edges are hit in the next iteration. This is needed by Fuzzilli
// instrumentation.
sanitizer_cov_reset_edgeguards();
}
}
extern "C" int LLVMFuzzerRunDriver(int* argc,
char*** argv,
int (*UserCb)(const uint8_t* Data,
size_t Size)) {
return LLVMFuzzerRunDriverImpl(argc, argv, UserCb);
}
|
