Fuzz introspector: pubkey_fuzz
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

| Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch |
|---|---|---|---|---|---|---|---|
| 95 | 95 | 8: ['strlen', 'strnvis', 'syslog', '__errno_location', 'openlog', 'strlcpy', 'write', 'closelog'] | 95 | 95 | do_log | call site: 00028 | /src/openssh/log.c:351 |
| 13 | 13 | 1: ['rsa_hash_id_from_keyname'] | 21 | 697 | ssh_rsa_verify | call site: 00000 | /src/openssh/ssh-rsa.c:508 |
| 7 | 7 | 1: ['strlcpy'] | 7 | 118 | sshlogv | call site: 00024 | /src/openssh/log.c:484 |
| 4 | 4 | 1: ['timingsafe_bcmp'] | 4 | 9 | openssh_RSA_verify | call site: 00000 | /src/openssh/ssh-rsa.c:659 |
| 2 | 2 | 1: ['BN_clear_free'] | 2 | 2 | sshbuf_get_bignum2 | call site: 00000 | /src/openssh/sshbuf-getput-crypto.c:48 |
| 2 | 2 | 1: ['explicit_bzero'] | 2 | 2 | sshkey_xmss_free_state | call site: 00000 | /src/openssh/sshkey-xmss.c:144 |
| 2 | 2 | 1: ['SHA512'] | 2 | 2 | core_hash_SHA2 | call site: 00000 | /src/openssh/xmss_hash.c:55 |
| 0 | 220 | 1: ['cert_free'] | 0 | 220 | cert_new | call site: 00083 | /src/openssh/sshkey.c:587 |
| 0 | 218 | 1: ['sshkey_free'] | 0 | 218 | sshkey_new | call site: 00081 | /src/openssh/sshkey.c:622 |
| 0 | 201 | 1: ['sshbuf_free'] | 0 | 201 | sshbuf_froms | call site: 00000 | /src/openssh/sshbuf-getput-basic.c:561 |
| 0 | 201 | 1: ['sshbuf_free'] | 0 | 201 | sshbuf_fromb | call site: 00049 | /src/openssh/sshbuf.c:151 |
| 0 | 0 | None | 14 | 14 | sshkey_ec_validate_public | call site: 00000 | /src/openssh/sshkey.c:2639 |

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 sshkey_from_blob [function] [call site] 00001
2 sshbuf_from [function] [call site] 00002
3 calloc [call site] 00003
2 sshkey_from_blob_internal [function] [call site] 00004
3 sshbuf_fromb [function] [call site] 00005
4 sshbuf_check_sanity [function] [call site] 00006
5 ssh_signal [function] [call site] 00007
6 memset [call site] 00008
6 sigfillset [call site] 00009
6 sigaction [call site] 00010
6 strsignal [call site] 00011
6 sshlog [function] [call site] 00012
7 sshlogv [function] [call site] 00013
8 strrchr [call site] 00014
8 getpid [call site] 00015
8 snprintf [call site] 00016
8 match_pattern_list [function] [call site] 00017
9 strlen [call site] 00018
9 __ctype_b_loc [call site] 00019
9 tolower [call site] 00020
9 match_pattern [function] [call site] 00021
10 match_pattern [function] [call site] 00022
11 match_pattern [function] [call site] 00023
8 snprintf [call site] 00024
8 snprintf [call site] 00025
8 do_log [function] [call site] 00027
9 __errno_location [call site] 00028
9 snprintf [call site] 00029
9 vsnprintf [call site] 00030
9 vsnprintf [call site] 00031
9 snprintf [call site] 00032
9 strnvis [function] [call site] 00034
10 __ctype_b_loc [call site] 00035
10 vis [function] [call site] 00036
11 __ctype_b_loc [call site] 00037
11 __ctype_b_loc [call site] 00038
9 snprintf [call site] 00040
9 strlen [call site] 00041
9 openlog [call site] 00042
9 syslog [call site] 00043
9 closelog [call site] 00044
9 __errno_location [call site] 00045
5 raise [call site] 00046
4 sshbuf_ptr [function] [call site] 00047
5 sshbuf_check_sanity [function] [call site] 00048
4 sshbuf_set_parent [function] [call site] 00049
5 sshbuf_check_sanity [function] [call site] 00050
5 sshbuf_check_sanity [function] [call site] 00051
4 sshbuf_free [function] [call site] 00052
5 sshbuf_check_sanity [function] [call site] 00053
5 sshbuf_free [function] [call site] 00054
6 explicit_bzero [call site] 00055
6 freezero [function] [call site] 00056
7 explicit_bzero [call site] 00057
3 sshbuf_get_cstring [function] [call site] 00058
4 sshbuf_peek_string_direct [function] [call site] 00059
5 sshbuf_ptr [function] [call site] 00060
5 sshbuf_len [function] [call site] 00061
6 sshbuf_check_sanity [function] [call site] 00062
5 sshbuf_len [function] [call site] 00063
4 memchr [call site] 00064
4 sshbuf_get_string_direct [function] [call site] 00065
5 sshbuf_peek_string_direct [function] [call site] 00066
5 sshbuf_consume [function] [call site] 00067
6 sshbuf_check_sanity [function] [call site] 00068
6 sshbuf_len [function] [call site] 00069
3 sshkey_type_from_name [function] [call site] 00070
4 strcmp [call site] 00071
4 strcasecmp [call site] 00072
3 sshkey_type_is_cert [function] [call site] 00073
4 sshkey_impl_from_type [function] [call site] 00074
3 sshkey_impl_from_type [function] [call site] 00075
3 sshkey_new [function] [call site] 00076
4 sshkey_impl_from_type [function] [call site] 00077
4 calloc [call site] 00078
4 sshkey_is_cert [function] [call site] 00079
5 sshkey_type_is_cert [function] [call site] 00080
4 cert_new [function] [call site] 00081
5 calloc [call site] 00082
5 sshbuf_new [function] [call site] 00083
6 calloc [call site] 00084
6 calloc [call site] 00085
5 sshbuf_new [function] [call site] 00086
5 sshbuf_new [function] [call site] 00087
5 cert_free [function] [call site] 00088
6 sshbuf_free [function] [call site] 00089
6 sshbuf_free [function] [call site] 00090
6 sshbuf_free [function] [call site] 00091
6 sshkey_free [function] [call site] 00092
7 sshkey_free_contents [function] [call site] 00093
8 sshkey_impl_from_type [function] [call site] 00094
8 sshkey_is_cert [function] [call site] 00095
4 sshkey_free [function] [call site] 00101
3 sshkey_type_is_cert [function] [call site] 00102
3 sshbuf_get_string_direct [function] [call site] 00103
3 sshkey_is_cert [function] [call site] 00104
3 sshbuf_len [function] [call site] 00105
3 sshbuf_free [function] [call site] 00106
3 sshkey_free [function] [call site] 00107
2 sshbuf_free [function] [call site] 00108
1 sshkey_free [function] [call site] 00109