Fuzz introspector: ssh_known_hosts_fuzzer
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

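The following are the branches that the fuzzer fails to get past. In each entry below, the bracketed list names the functions counted under "Unique Reachable Functions", and the final line gives the function containing the blocked branch, its call site number in the calltree, and the source location of the branch.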

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
21 21 4 :

['ssh_threads_finalize', 'ssh_socket_cleanup', 'ssh_crypto_finalize', 'ssh_dh_finalize']

21 33 _ssh_finalize call site: 00362 /src/libssh/src/init.c:165
10 10 1 :

['ssh_pki_key_ecdsa_name']

10 140 pki_import_pubkey_buffer call site: 00282 /src/libssh/src/pki.c:1346
10 10 1 :

['ssh_dh_finalize']

10 10 ssh_dh_init call site: 00044 /src/libssh/src/dh.c:260
7 42 3 :

['ssh_strerror', '_ssh_log', '__errno_location']

7 42 ssh_known_hosts_read_entries call site: 00058 /src/libssh/src/knownhosts.c:236
6 6 1 :

['buffer_shift']

6 19 ssh_buffer_add_data call site: 00096 /src/libssh/src/buffer.c:318
6 6 1 :

['buffer_shift']

6 19 ssh_buffer_allocate_size call site: 00082 /src/libssh/src/buffer.c:347
6 6 2 :

['BN_cmp', 'EC_KEY_get0_private_key']

6 6 pki_key_compare call site: 00346 /src/libssh/src/pki_crypto.c:841
4 39 3 :

['_ssh_log', 'OpenSSL_version_num', 'OpenSSL_version']

4 39 ssh_crypto_init call site: 00016 /src/libssh/src/libcrypto.c:1381
4 4 1 :

['ssh_key_is_private']

6 70 ssh_key_cmp call site: 00330 /src/libssh/src/pki.c:686
4 4 2 :

['EVP_PKEY_free', 'RSA_free']

4 4 pki_pubkey_build_rsa call site: 00248 /src/libssh/src/pki_crypto.c:1272
2 2 1 :

['explicit_bzero']

2 28 ssh_key_clean call site: 00303 /src/libssh/src/pki.c:160
2 2 1 :

['abort']

2 2 ssh_buffer_unpack_va call site: 00232 /src/libssh/src/buffer.c:1258

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 memchr [call site] 00001
1 getpid [call site] 00002
1 fopen [call site] 00003
1 fwrite [call site] 00004
1 fclose [call site] 00005
1 ssh_init [function] [call site] 00006
2 _ssh_init [function] [call site] 00007
3 ssh_mutex_lock [function] [call site] 00008
4 exit [call site] 00009
4 pthread_mutex_lock [call site] 00010
4 exit [call site] 00011
3 ssh_threads_init [function] [call site] 00012
4 ssh_threads_get_default [function] [call site] 00013
4 crypto_thread_init [function] [call site] 00014
3 ssh_crypto_init [function] [call site] 00015
4 OpenSSL_version_num [call site] 00016
4 OpenSSL_version_num [call site] 00017
4 _ssh_log [function] [call site] 00018
5 ssh_get_log_level [function] [call site] 00019
5 ssh_vlog [function] [call site] 00020
6 vsnprintf [call site] 00021
6 ssh_log_function [function] [call site] 00022
7 ssh_get_log_callback [function] [call site] 00023
7 ssh_log_custom [function] [call site] 00024
8 snprintf [call site] 00025
8 ssh_get_log_userdata [function] [call site] 00026
7 ssh_log_stderr [function] [call site] 00027
8 current_timestring [function] [call site] 00028
9 gettimeofday [call site] 00029
9 localtime [call site] 00030
9 strftime [call site] 00031
9 snprintf [call site] 00032
9 strftime [call site] 00033
9 snprintf [call site] 00034
8 fprintf [call site] 00035
8 fprintf [call site] 00036
8 fprintf [call site] 00037
3 ssh_dh_init [function] [call site] 00038
4 BN_new [call site] 00039
4 BN_set_word [call site] 00040
4 BN_new [call site] 00041
4 BN_new [call site] 00042
4 BN_new [call site] 00043
4 BN_new [call site] 00044
4 ssh_dh_finalize [function] [call site] 00045
5 BN_clear_free [call site] 00046
5 BN_clear_free [call site] 00047
5 BN_clear_free [call site] 00048
5 BN_clear_free [call site] 00049
5 BN_clear_free [call site] 00050
3 ssh_socket_init [function] [call site] 00051
4 ssh_poll_init [function] [call site] 00052
3 ssh_mutex_unlock [function] [call site] 00053
4 exit [call site] 00054
4 pthread_mutex_unlock [call site] 00055
4 exit [call site] 00056
1 ssh_known_hosts_read_entries [function] [call site] 00057
2 fopen [call site] 00058
2 ssh_strerror [function] [call site] 00059
3 __xpg_strerror_r [call site] 00060
2 ssh_list_new [function] [call site] 00062
2 known_hosts_read_line [function] [call site] 00063
3 fgets [call site] 00064
3 strlen [call site] 00065
3 feof [call site] 00066
3 __errno_location [call site] 00067
2 strcspn [call site] 00068
2 __ctype_b_loc [call site] 00069
2 ssh_known_hosts_parse_line [function] [call site] 00070
3 strdup [call site] 00071
3 strtok_r [call site] 00072
3 calloc [call site] 00073
3 match_hashed_hostname [function] [call site] 00074
4 strdup [call site] 00075
4 strchr [call site] 00076
4 base64_to_bin [function] [call site] 00077
5 get_equals [function] [call site] 00078
6 strchr [call site] 00079
5 ssh_buffer_new [function] [call site] 00080
6 calloc [call site] 00081
6 ssh_buffer_allocate_size [function] [call site] 00082
7 buffer_shift [function] [call site] 00083
8 explicit_bzero [call site] 00084
7 realloc_buffer [function] [call site] 00085
8 explicit_bzero [call site] 00086
8 realloc [call site] 00087
5 ssh_buffer_set_secure [function] [call site] 00088
5 strlen [call site] 00089
5 _base64_to_bin [function] [call site] 00090
6 to_block4 [function] [call site] 00091
7 strchr [call site] 00092
7 strchr [call site] 00093
7 strchr [call site] 00094
7 strchr [call site] 00095
5 ssh_buffer_add_data [function] [call site] 00096
6 buffer_shift [function] [call site] 00097
6 realloc_buffer [function] [call site] 00098
5 _base64_to_bin [function] [call site] 00099
5 ssh_buffer_add_data [function] [call site] 00100
5 _base64_to_bin [function] [call site] 00101
5 ssh_buffer_add_data [function] [call site] 00102
5 _base64_to_bin [function] [call site] 00103
5 ssh_buffer_add_data [function] [call site] 00104
5 ssh_buffer_free [function] [call site] 00105
6 explicit_bzero [call site] 00106
6 explicit_bzero [call site] 00107
4 base64_to_bin [function] [call site] 00108
4 ssh_buffer_get [function] [call site] 00109
4 ssh_buffer_get_len [function] [call site] 00110
4 hash_hostname [function] [call site] 00111
5 hmac_init [function] [call site] 00112
6 EVP_MD_CTX_new [call site] 00113
6 EVP_PKEY_new_mac_key [call site] 00114
6 EVP_sha1 [call site] 00115
6 EVP_sha256 [call site] 00116
6 EVP_sha512 [call site] 00117
6 EVP_md5 [call site] 00118
6 EVP_PKEY_free [call site] 00119
6 EVP_MD_CTX_free [call site] 00120
5 strlen [call site] 00121
5 hmac_update [function] [call site] 00122
6 EVP_DigestUpdate [call site] 00123
5 hmac_final [function] [call site] 00124
6 EVP_DigestSignFinal [call site] 00125
6 EVP_MD_CTX_free [call site] 00126
4 ssh_buffer_get_len [function] [call site] 00127
4 memcmp [call site] 00128
4 ssh_buffer_free [function] [call site] 00129
4 ssh_buffer_free [function] [call site] 00130
3 strtok_r [call site] 00131
3 ssh_hostport [function] [call site] 00132
4 snprintf [call site] 00133
3 strlen [call site] 00134
3 match_hostname [function] [call site] 00135
4 match_pattern_list [function] [call site] 00136
5 __ctype_b_loc [call site] 00137
5 tolower [call site] 00138
5 match_pattern [function] [call site] 00139
6 match_pattern [function] [call site] 00140
7 match_pattern [function] [call site] 00141
3 strlen [call site] 00142
3 match_hostname [function] [call site] 00143
3 strtok_r [call site] 00144
3 strdup [call site] 00145
3 strdup [call site] 00146
3 strtok_r [call site] 00147
3 strdup [call site] 00148
3 strtok_r [call site] 00149
3 ssh_key_type_from_name [function] [call site] 00150
4 strcmp [call site] 00151
4 strcmp [call site] 00152
4 strcmp [call site] 00153
4 strcmp [call site] 00154
4 strcmp [call site] 00155
4 strcmp [call site] 00156
4 strcmp [call site] 00157
4 strcmp [call site] 00158
4 strcmp [call site] 00159
4 strcmp [call site] 00160
4 strcmp [call site] 00161
4 strcmp [call site] 00162
4 strcmp [call site] 00163
4 strcmp [call site] 00164
4 strcmp [call site] 00165
4 strcmp [call site] 00166
4 strcmp [call site] 00167
3 strtok_r [call site] 00169
3 ssh_pki_import_pubkey_base64 [function] [call site] 00170
4 base64_to_bin [function] [call site] 00171
4 ssh_buffer_get_ssh_string [function] [call site] 00172
5 ssh_buffer_get_u32 [function] [call site] 00173
6 ssh_buffer_get_data [function] [call site] 00174
7 ssh_buffer_validate_length [function] [call site] 00175
5 ntohl [call site] 00176
5 ssh_buffer_validate_length [function] [call site] 00177
5 ssh_string_new [function] [call site] 00178
6 __errno_location [call site] 00179
6 htonl [call site] 00180
5 ssh_string_data [function] [call site] 00181
5 ssh_buffer_get_data [function] [call site] 00182
4 ssh_buffer_free [function] [call site] 00183
4 ssh_string_free [function] [call site] 00184
4 pki_import_cert_buffer [function] [call site] 00185
5 ssh_buffer_new [function] [call site] 00186
5 ssh_key_type_to_char [function] [call site] 00187
5 ssh_string_from_char [function] [call site] 00188
6 __errno_location [call site] 00189
6 strlen [call site] 00190
6 ssh_string_new [function] [call site] 00191
5 ssh_buffer_add_ssh_string [function] [call site] 00192
6 ssh_string_len [function] [call site] 00193
7 ntohl [call site] 00194
6 ssh_buffer_add_data [function] [call site] 00195
5 ssh_string_free [function] [call site] 00196
5 ssh_buffer_add_buffer [function] [call site] 00197
6 ssh_buffer_get [function] [call site] 00198
6 ssh_buffer_get_len [function] [call site] 00199
6 ssh_buffer_add_data [function] [call site] 00200
5 ssh_buffer_get_ssh_string [function] [call site] 00201
5 ssh_string_free [function] [call site] 00202
5 pki_import_pubkey_buffer [function] [call site] 00203
6 ssh_key_new [function] [call site] 00204
6 ssh_key_type_to_char [function] [call site] 00205
6 _ssh_buffer_unpack [function] [call site] 00206
7 ssh_buffer_unpack_va [function] [call site] 00207
8 ssh_buffer_get_len [function] [call site] 00208
8 ssh_buffer_get_u8 [function] [call site] 00209
9 ssh_buffer_get_data [function] [call site] 00210
8 ssh_buffer_get_data [function] [call site] 00211
8 ntohs [call site] 00212
8 ssh_buffer_get_u32 [function] [call site] 00213
8 ntohl [call site] 00214
8 ssh_buffer_get_u64 [function] [call site] 00215
9 ssh_buffer_get_data [function] [call site] 00216
8 ntohl [call site] 00217
8 ssh_buffer_get_ssh_string [function] [call site] 00218
8 ssh_make_string_bn [function] [call site] 00219
9 ssh_string_len [function] [call site] 00220
8 ssh_string_burn [function] [call site] 00221
9 ssh_string_len [function] [call site] 00222
9 explicit_bzero [call site] 00223
8 ssh_string_free [function] [call site] 00224
8 ssh_buffer_get_ssh_string [function] [call site] 00225
8 ssh_buffer_get_u32 [function] [call site] 00226
8 ntohl [call site] 00227
8 ssh_buffer_validate_length [function] [call site] 00228
8 ssh_buffer_get_data [function] [call site] 00229
8 ssh_buffer_validate_length [function] [call site] 00230
8 ssh_buffer_get_data [function] [call site] 00231
8 abort [call site] 00233
8 explicit_bzero [call site] 00234
8 explicit_bzero [call site] 00235
8 explicit_bzero [call site] 00236
8 explicit_bzero [call site] 00237
8 BN_clear_free [call site] 00238
8 ssh_string_burn [function] [call site] 00239
8 strlen [call site] 00240
8 explicit_bzero [call site] 00241
6 pki_pubkey_build_rsa [function] [call site] 00243
7 RSA_new [call site] 00244
7 ssh_make_string_bn [function] [call site] 00245
7 ssh_make_string_bn [function] [call site] 00246
7 RSA_set0_key [call site] 00247
7 EVP_PKEY_new [call site] 00248
7 RSA_free [call site] 00249
6 ssh_string_burn [function] [call site] 00250
6 ssh_string_burn [function] [call site] 00251
6 ssh_string_free [function] [call site] 00252
6 _ssh_buffer_unpack [function] [call site] 00254
6 ssh_string_get_char [function] [call site] 00256
7 ssh_string_len [function] [call site] 00257
6 pki_key_ecdsa_nid_from_name [function] [call site] 00258
7 strcmp [call site] 00259
7 strcmp [call site] 00260
6 ssh_string_free [function] [call site] 00261
6 ssh_string_burn [function] [call site] 00262
6 ssh_string_free [function] [call site] 00263
6 pki_pubkey_build_ecdsa [function] [call site] 00264
7 pki_key_ecdsa_nid_to_name [function] [call site] 00265
7 EC_KEY_new_by_curve_name [call site] 00266
7 EC_KEY_get0_group [call site] 00267
7 EC_POINT_new [call site] 00268
7 EC_KEY_free [call site] 00269
7 ssh_string_data [function] [call site] 00270
7 ssh_string_len [function] [call site] 00271
7 EC_POINT_oct2point [call site] 00272
7 EC_KEY_free [call site] 00273
7 EC_POINT_free [call site] 00274
7 EC_KEY_set_public_key [call site] 00275
7 EC_POINT_free [call site] 00276
7 EC_KEY_free [call site] 00277
7 EC_KEY_free [call site] 00278
7 EC_KEY_free [call site] 00279
6 ssh_string_burn [function] [call site] 00280
6 ssh_string_free [function] [call site] 00281
6 ssh_pki_key_ecdsa_name [function] [call site] 00283
7 pki_key_ecdsa_nid_to_name [function] [call site] 00284
6 ssh_buffer_get_ssh_string [function] [call site] 00285
6 ssh_key_type_to_char [function] [call site] 00287
6 ssh_buffer_get_ssh_string [function] [call site] 00288
6 ssh_string_len [function] [call site] 00289
6 ssh_string_burn [function] [call site] 00291
6 ssh_string_free [function] [call site] 00292
6 ssh_string_burn [function] [call site] 00293
6 ssh_string_free [function] [call site] 00294
6 ssh_string_data [function] [call site] 00295
6 ssh_string_burn [function] [call site] 00296
6 ssh_string_free [function] [call site] 00297
6 ssh_buffer_get_ssh_string [function] [call site] 00298
6 ssh_key_free [function] [call site] 00301
7 ssh_key_clean [function] [call site] 00302
8 pki_key_clean [function] [call site] 00303
8 explicit_bzero [call site] 00304
8 ssh_buffer_free [function] [call site] 00305
8 ssh_string_burn [function] [call site] 00306
8 ssh_string_free [function] [call site] 00307
5 pki_import_pubkey_buffer [function] [call site] 00308
5 pki_import_pubkey_buffer [function] [call site] 00309
5 pki_import_pubkey_buffer [function] [call site] 00310
5 pki_import_pubkey_buffer [function] [call site] 00311
5 pki_import_pubkey_buffer [function] [call site] 00312
5 pki_import_pubkey_buffer [function] [call site] 00313
5 ssh_key_new [function] [call site] 00314
5 ssh_key_free [function] [call site] 00315
5 ssh_buffer_free [function] [call site] 00316
4 pki_import_pubkey_buffer [function] [call site] 00317
4 ssh_buffer_free [function] [call site] 00318
3 ssh_key_type_to_char [function] [call site] 00319
3 strtok_r [call site] 00321
3 strstr [call site] 00322
3 strdup [call site] 00323
3 ssh_knownhosts_entry_free [function] [call site] 00324
4 ssh_key_free [function] [call site] 00325
2 ssh_list_get_iterator [function] [call site] 00326
2 ssh_known_hosts_entries_compare [function] [call site] 00327
3 strcmp [call site] 00328
3 ssh_key_cmp [function] [call site] 00329
4 ssh_key_is_private [function] [call site] 00331
4 ssh_key_is_private [function] [call site] 00332
4 ssh_string_get_char [function] [call site] 00333
4 ssh_string_get_char [function] [call site] 00334
4 ssh_string_len [function] [call site] 00335
4 pki_ed25519_key_cmp [function] [call site] 00336
5 memcmp [call site] 00337
4 pki_key_compare [function] [call site] 00338
5 EVP_PKEY_get0_EC_KEY [call site] 00339
5 EVP_PKEY_get0_EC_KEY [call site] 00340
5 EC_KEY_get0_public_key [call site] 00341
5 EC_KEY_get0_public_key [call site] 00342
5 EC_KEY_get0_group [call site] 00343
5 EC_KEY_get0_group [call site] 00344
5 EC_GROUP_cmp [call site] 00345
5 EC_POINT_cmp [call site] 00346
5 EC_KEY_get0_private_key [call site] 00347
5 EVP_PKEY_cmp [call site] 00348
2 ssh_knownhosts_entry_free [function] [call site] 00349
2 ssh_list_append [function] [call site] 00350
3 ssh_iterator_new [function] [call site] 00351
2 known_hosts_read_line [function] [call site] 00352
2 fclose [call site] 00353
2 fclose [call site] 00354
1 ssh_list_get_iterator [function] [call site] 00355
1 ssh_knownhosts_entry_free [function] [call site] 00356
1 ssh_list_remove [function] [call site] 00357
1 ssh_list_get_iterator [function] [call site] 00358
1 ssh_list_free [function] [call site] 00359
1 ssh_finalize [function] [call site] 00360
2 _ssh_finalize [function] [call site] 00361
3 ssh_mutex_lock [function] [call site] 00362
3 ssh_mutex_unlock [function] [call site] 00363
3 ssh_mutex_unlock [function] [call site] 00364
3 ssh_dh_finalize [function] [call site] 00365
3 ssh_crypto_finalize [function] [call site] 00366
3 ssh_socket_cleanup [function] [call site] 00367
4 ssh_poll_cleanup [function] [call site] 00368
3 ssh_threads_finalize [function] [call site] 00369
4 crypto_thread_finalize [function] [call site] 00370
3 ssh_mutex_unlock [function] [call site] 00371
1 unlink [call site] 00372