From: Josh Steadmon <steadmon@google.com>
To: "Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Cc: git@vger.kernel.org, stolee@gmail.com
Subject: Re: [PATCH 1/2] commit-graph, fuzz: Add fuzzer for commit-graph
Date: Wed, 5 Dec 2018 17:00:18 -0800 [thread overview]
Message-ID: <20181206010018.GE9703@google.com> (raw)
In-Reply-To: <874lbrzj2d.fsf@evledraar.gmail.com>
On 2018.12.05 23:48, Ævar Arnfjörð Bjarmason wrote:
>
> On Wed, Dec 05 2018, Josh Steadmon wrote:
>
> > Breaks load_commit_graph_one() into a new function,
> > parse_commit_graph(). The latter function operates on arbitrary buffers,
> > which makes it suitable as a fuzzing target.
> >
> > Adds fuzz-commit-graph.c, which provides a fuzzing entry point
> > compatible with libFuzzer (and possibly other fuzzing engines).
> >
> > Signed-off-by: Josh Steadmon <steadmon@google.com>
> > ---
> > .gitignore | 1 +
> > Makefile | 1 +
> > commit-graph.c | 63 +++++++++++++++++++++++++++++++++------------
> > fuzz-commit-graph.c | 18 +++++++++++++
> > 4 files changed, 66 insertions(+), 17 deletions(-)
> > create mode 100644 fuzz-commit-graph.c
> >
> > diff --git a/.gitignore b/.gitignore
> > index 0d77ea5894..8bcf153ed9 100644
> > --- a/.gitignore
> > +++ b/.gitignore
> > @@ -1,3 +1,4 @@
> > +/fuzz-commit-graph
> > /fuzz_corpora
> > /fuzz-pack-headers
> > /fuzz-pack-idx
> > diff --git a/Makefile b/Makefile
> > index 1a44c811aa..6b72f37c29 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -684,6 +684,7 @@ SCRIPTS = $(SCRIPT_SH_INS) \
> >
> > ETAGS_TARGET = TAGS
> >
> > +FUZZ_OBJS += fuzz-commit-graph.o
> > FUZZ_OBJS += fuzz-pack-headers.o
> > FUZZ_OBJS += fuzz-pack-idx.o
> >
> > diff --git a/commit-graph.c b/commit-graph.c
> > index 40c855f185..0755359b1a 100644
> > --- a/commit-graph.c
> > +++ b/commit-graph.c
> > @@ -46,6 +46,10 @@
> > #define GRAPH_MIN_SIZE (GRAPH_HEADER_SIZE + 4 * GRAPH_CHUNKLOOKUP_WIDTH \
> > + GRAPH_FANOUT_SIZE + GRAPH_OID_LEN)
> >
> > +struct commit_graph *parse_commit_graph(void *graph_map, int fd,
> > + size_t graph_size);
> > +
> > +
> > char *get_commit_graph_filename(const char *obj_dir)
> > {
> > return xstrfmt("%s/info/commit-graph", obj_dir);
> > @@ -84,16 +88,10 @@ static int commit_graph_compatible(struct repository *r)
> > struct commit_graph *load_commit_graph_one(const char *graph_file)
> > {
> > void *graph_map;
> > - const unsigned char *data, *chunk_lookup;
> > size_t graph_size;
> > struct stat st;
> > - uint32_t i;
> > - struct commit_graph *graph;
> > + struct commit_graph *ret;
> > int fd = git_open(graph_file);
> > - uint64_t last_chunk_offset;
> > - uint32_t last_chunk_id;
> > - uint32_t graph_signature;
> > - unsigned char graph_version, hash_version;
> >
> > if (fd < 0)
> > return NULL;
> > @@ -108,27 +106,61 @@ struct commit_graph *load_commit_graph_one(const char *graph_file)
> > die(_("graph file %s is too small"), graph_file);
> > }
> > graph_map = xmmap(NULL, graph_size, PROT_READ, MAP_PRIVATE, fd, 0);
> > + ret = parse_commit_graph(graph_map, fd, graph_size);
> > +
> > + if (ret == NULL) {
>
> Code in git usually uses just !ret.
Will fix in V2, thanks.
> > + munmap(graph_map, graph_size);
> > + close(fd);
> > + exit(1);
>
> Ouch, exit(1) from load_commit_graph_one()? Can't we return NULL here
> instead? Nasty to exit from a library routine, but then I see later...
>
> > @@ -201,11 +235,6 @@ struct commit_graph *load_commit_graph_one(const char *graph_file)
> > }
> >
> > return graph;
> > -
> > -cleanup_fail:
> > - munmap(graph_map, graph_size);
> > - close(fd);
> > - exit(1);
> > }
>
> ... ah, I see this is where you got the exit(1) from. So it was there
> already.
>
> > static void prepare_commit_graph_one(struct repository *r, const char *obj_dir)
> > diff --git a/fuzz-commit-graph.c b/fuzz-commit-graph.c
> > new file mode 100644
> > index 0000000000..420851d0d2
> > --- /dev/null
> > +++ b/fuzz-commit-graph.c
> > @@ -0,0 +1,18 @@
> > +#include "object-store.h"
> > +#include "commit-graph.h"
> > +
> > +struct commit_graph *parse_commit_graph(void *graph_map, int fd,
> > + size_t graph_size);
> > +
> > +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
> > +
> > +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
> > +{
> > + struct commit_graph *g;
> > +
> > + g = parse_commit_graph((void *) data, -1, size);
> > + if (g)
> > + free(g);
> > +
> > + return 0;
> > +}
>
> I hadn't looked at this before, but see your 5e47215080 ("fuzz: add
> basic fuzz testing target.", 2018-10-12) for some prior art.
>
> There's instructions there for a very long "make" invocation. Would be
> nice if this were friendlier and we could just do "make test-fuzz" or
> something...
Yeah, the problem is that there are too many combinations of fuzzing
engine, sanitizer, and compiler to make any reasonable default here.
Even if you just stick with libFuzzer, address sanitizer, and clang, the
flags change radically depending on which version of clang you're using.
next prev parent reply other threads:[~2018-12-06 1:00 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-05 22:32 [PATCH 0/2] Add commit-graph fuzzer and fix buffer overflow Josh Steadmon
2018-12-05 22:32 ` [PATCH 1/2] commit-graph, fuzz: Add fuzzer for commit-graph Josh Steadmon
2018-12-05 22:48 ` Ævar Arnfjörð Bjarmason
2018-12-06 1:00 ` Josh Steadmon [this message]
2018-12-06 1:32 ` Junio C Hamano
2018-12-06 1:41 ` Junio C Hamano
2018-12-06 4:47 ` Junio C Hamano
2018-12-05 22:32 ` [PATCH 2/2] commit-graph: fix buffer read-overflow Josh Steadmon
2018-12-06 13:11 ` Derrick Stolee
2018-12-06 20:20 ` [PATCH v2 0/3] Add commit-graph fuzzer and fix buffer overflow Josh Steadmon
2018-12-06 20:20 ` [PATCH v2 1/3] commit-graph, fuzz: Add fuzzer for commit-graph Josh Steadmon
2018-12-06 20:20 ` [PATCH v2 2/3] commit-graph: fix buffer read-overflow Josh Steadmon
2018-12-07 9:07 ` Jeff King
2018-12-07 13:33 ` Derrick Stolee
2018-12-06 20:20 ` [PATCH v2 3/3] Makefile: correct example fuzz build Josh Steadmon
2018-12-07 22:27 ` [PATCH v3 0/3] Add commit-graph fuzzer and fix buffer overflow Josh Steadmon
2018-12-07 22:27 ` [PATCH v3 1/3] commit-graph, fuzz: Add fuzzer for commit-graph Josh Steadmon
2018-12-07 22:27 ` [PATCH v3 2/3] commit-graph: fix buffer read-overflow Josh Steadmon
2018-12-09 4:01 ` Junio C Hamano
2018-12-10 4:28 ` SZEDER Gábor
2018-12-10 21:58 ` Josh Steadmon
2018-12-10 21:56 ` Josh Steadmon
2018-12-11 9:50 ` Jeff King
2018-12-07 22:27 ` [PATCH v3 3/3] Makefile: correct example fuzz build Josh Steadmon
2018-12-13 19:43 ` [PATCH v4 0/3] Add commit-graph fuzzer and fix buffer overflow Josh Steadmon
2018-12-13 19:43 ` [PATCH v4 1/3] commit-graph, fuzz: Add fuzzer for commit-graph Josh Steadmon
2018-12-13 19:43 ` [PATCH v4 2/3] commit-graph: fix buffer read-overflow Josh Steadmon
2019-01-12 10:57 ` SZEDER Gábor
2019-01-15 19:58 ` Josh Steadmon
2018-12-13 19:43 ` [PATCH v4 3/3] Makefile: correct example fuzz build Josh Steadmon
2018-12-18 17:35 ` [PATCH v4 0/3] Add commit-graph fuzzer and fix buffer overflow Jeff King
2018-12-18 21:05 ` Josh Steadmon
2018-12-19 15:51 ` Jeff King
2018-12-20 19:35 ` Johannes Schindelin
2018-12-20 20:11 ` Jeff King
2018-12-26 22:29 ` Junio C Hamano
2019-01-15 19:59 ` [PATCH v5 " Josh Steadmon
2019-01-15 19:59 ` [PATCH v5 1/3] commit-graph, fuzz: Add fuzzer for commit-graph Josh Steadmon
2019-01-15 20:33 ` Junio C Hamano
2019-01-15 19:59 ` [PATCH v5 2/3] commit-graph: fix buffer read-overflow Josh Steadmon
2019-01-15 19:59 ` [PATCH v5 3/3] Makefile: correct example fuzz build Josh Steadmon
2019-01-15 20:39 ` Junio C Hamano
2019-01-15 21:59 ` Josh Steadmon
2019-01-15 22:34 ` Junio C Hamano
2019-01-15 22:25 ` [PATCH v6 0/3] Add commit-graph fuzzer and fix buffer overflow Josh Steadmon
2019-01-15 22:25 ` [PATCH v6 1/3] commit-graph, fuzz: Add fuzzer for commit-graph Josh Steadmon
2019-01-15 22:25 ` [PATCH v6 2/3] commit-graph: fix buffer read-overflow Josh Steadmon
2019-02-20 14:55 ` Ævar Arnfjörð Bjarmason
2019-02-20 16:50 ` SZEDER Gábor
2019-01-15 22:25 ` [PATCH v6 3/3] Makefile: correct example fuzz build Josh Steadmon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181206010018.GE9703@google.com \
--to=steadmon@google.com \
--cc=avarab@gmail.com \
--cc=git@vger.kernel.org \
--cc=stolee@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).