/src/fuzz-libelf.c

Source
/* Copyright 2022 Google LLC
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

#include <assert.h>
#include <fcntl.h>
#include <gelf.h>
#include <inttypes.h>
#include <libelf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include "system.h"


void fuzz_logic_one(char *filename, int compression_type) {
  (void)elf_version(EV_CURRENT);
  int fd = open(filename, O_RDONLY);
  Elf *elf = elf_begin(fd, ELF_C_READ, NULL);
  if (elf != NULL) {
    size_t strndx;
    elf_getshdrstrndx(elf, &strndx);

    Elf_Scn *scn = NULL;
    // Iterate through sections
    while ((scn = elf_nextscn(elf, scn)) != NULL) {
      GElf_Shdr mem;
      GElf_Shdr *shdr = gelf_getshdr(scn, &mem);
      const char *name = elf_strptr(elf, strndx, shdr->sh_name);

      // Two options for reading sections. We keep the code structure
      // so it resembles the test code.
      // Compress and get data of the section
      if ((shdr->sh_flags & SHF_COMPRESSED) != 0) {
        if (elf_compress(scn, compression_type, 0) >= 0) {
          elf_getdata(scn, NULL);
        }
      } else if (name != NULL) {
        if (name[0] == '.' && name[1] == 'z') {
          if (elf_compress_gnu(scn, 0, 0) >= 0) {
            elf_getdata(scn, NULL);
          }
        }
      }
    }
    elf_end(elf);
  }
  close(fd);
}

void fuzz_logic_twice(char *filename, int open_flags, Elf_Cmd cmd) {
  (void)elf_version(EV_CURRENT);
  int fd = open(filename, open_flags);
  Elf *elf = elf_begin(fd, cmd, NULL);
  if (elf != NULL) {
    size_t elf_size = 0;
    elf_rawfile(elf, &elf_size);
    elf_end(elf);
  }
  close(fd);
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  char filename[] = "/tmp/fuzz-libelf.XXXXXX";
  int fd;
  ssize_t n;

  fd = mkstemp(filename);
  assert(fd >= 0);

  n = write_retry(fd, data, size);
  assert(n == (ssize_t) size);

  close(fd);

  fuzz_logic_one(filename, 0);
  fuzz_logic_one(filename, 1);
  fuzz_logic_twice(filename, O_RDONLY, ELF_C_READ);
  fuzz_logic_twice(filename, O_RDONLY | O_WRONLY, ELF_C_RDWR);
  fuzz_logic_twice(filename, O_RDONLY, ELF_C_READ_MMAP);
  fuzz_logic_twice(filename, O_RDONLY | O_WRONLY, ELF_C_RDWR_MMAP);

  unlink(filename);
  return 0;
}

Line	Count	Source
1		/* Copyright 2022 Google LLC
2		Licensed under the Apache License, Version 2.0 (the "License");
3		you may not use this file except in compliance with the License.
4		You may obtain a copy of the License at
5		http://www.apache.org/licenses/LICENSE-2.0
6		Unless required by applicable law or agreed to in writing, software
7		distributed under the License is distributed on an "AS IS" BASIS,
8		WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
9		See the License for the specific language governing permissions and
10		limitations under the License.
11		*/
12
13		#include <assert.h>
14		#include <fcntl.h>
15		#include <gelf.h>
16		#include <inttypes.h>
17		#include <libelf.h>
18		#include <stdio.h>
19		#include <stdlib.h>
20		#include <string.h>
21		#include <sys/stat.h>
22		#include <sys/types.h>
23		#include <unistd.h>
24		#include "system.h"
25
26
27	12.7k	void fuzz_logic_one(char *filename, int compression_type) {
28	12.7k	(void)elf_version(EV_CURRENT);
29	12.7k	int fd = open(filename, O_RDONLY);
30	12.7k	Elf *elf = elf_begin(fd, ELF_C_READ, NULL);
31	12.7k	if (elf != NULL) {
32	12.6k	size_t strndx;
33	12.6k	elf_getshdrstrndx(elf, &strndx);
34
35	12.6k	Elf_Scn *scn = NULL;
36		// Iterate through sections
37	2.97M	while ((scn = elf_nextscn(elf, scn)) != NULL) {
38	2.96M	GElf_Shdr mem;
39	2.96M	GElf_Shdr *shdr = gelf_getshdr(scn, &mem);
40	2.96M	const char *name = elf_strptr(elf, strndx, shdr->sh_name);
41
42		// Two options for reading sections. We keep the code structure
43		// so it resembles the test code.
44		// Compress and get data of the section
45	2.96M	if ((shdr->sh_flags & SHF_COMPRESSED) != 0) {
46	1.03M	if (elf_compress(scn, compression_type, 0) >= 0) {
47	52.0k	elf_getdata(scn, NULL);
48	52.0k	}
49	1.92M	} else if (name != NULL) {
50	292k	if (name[0] == '.' && name[1] == 'z') {
51	217k	if (elf_compress_gnu(scn, 0, 0) >= 0) {
52	354	elf_getdata(scn, NULL);
53	354	}
54	217k	}
55	292k	}
56	2.96M	}
57	12.6k	elf_end(elf);
58	12.6k	}
59	12.7k	close(fd);
60	12.7k	}
61
62	25.5k	void fuzz_logic_twice(char *filename, int open_flags, Elf_Cmd cmd) {
63	25.5k	(void)elf_version(EV_CURRENT);
64	25.5k	int fd = open(filename, open_flags);
65	25.5k	Elf *elf = elf_begin(fd, cmd, NULL);
66	25.5k	if (elf != NULL) {
67	12.6k	size_t elf_size = 0;
68	12.6k	elf_rawfile(elf, &elf_size);
69	12.6k	elf_end(elf);
70	12.6k	}
71	25.5k	close(fd);
72	25.5k	}
73
74	6.47k	int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
75	6.47k	char filename[] = "/tmp/fuzz-libelf.XXXXXX";
76	6.47k	int fd;
77	6.47k	ssize_t n;
78
79	6.47k	fd = mkstemp(filename);
80	6.47k	assert(fd >= 0);
81
82	6.47k	n = write_retry(fd, data, size);
83	6.47k	assert(n == (ssize_t) size);
84
85	6.47k	close(fd);
86
87	6.47k	fuzz_logic_one(filename, 0);
88	6.47k	fuzz_logic_one(filename, 1);
89	6.47k	fuzz_logic_twice(filename, O_RDONLY, ELF_C_READ);
90	6.47k	fuzz_logic_twice(filename, O_RDONLY \| O_WRONLY, ELF_C_RDWR);
91	6.47k	fuzz_logic_twice(filename, O_RDONLY, ELF_C_READ_MMAP);
92	6.47k	fuzz_logic_twice(filename, O_RDONLY \| O_WRONLY, ELF_C_RDWR_MMAP);
93
94	6.47k	unlink(filename);
95	6.47k	return 0;
96	6.47k	}

Coverage Report

Created: 2023-11-19 06:10