Fuzz introspector: sig_fuzz
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

| Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch |
|---|---|---|---|---|---|---|---|
| 446 | 446 | 2: ['sshkey_free', 'cert_new'] | 446 | 446 | sshkey_new | call site: 00010 | /src/openssh/sshkey.c:621 |
| 218 | 218 | 1: ['sshkey_free'] | 218 | 218 | sshkey_generate | call site: 00007 | /src/openssh/sshkey.c:1406 |
| 162 | 162 | 1: ['_getentropy_fail'] | 166 | 227 | _rs_stir | call site: 00000 | /src/openssh/openbsd-compat/arc4random.c:116 |
| 162 | 162 | 2: ['sshfatal', 'ERR_get_error'] | 162 | 162 | _ssh_compat_getentropy | call site: 00000 | /src/openssh/openbsd-compat/bsd-getentropy.c:45 |
| 95 | 95 | 8: ['strlen', 'strnvis', 'syslog', '__errno_location', 'openlog', 'strlcpy', 'write', 'closelog'] | 95 | 95 | do_log | call site: 00043 | /src/openssh/log.c:351 |
| 73 | 73 | 2: ['ssh_err', 'abort'] | 73 | 73 | generate_or_die(int, unsigned int) | call site: 00000 | /src/openssh/regress/misc/fuzz-harness/sig_fuzz.cc:18 |
| 13 | 13 | 1: ['rsa_hash_id_from_keyname'] | 21 | 697 | ssh_rsa_verify | call site: 00000 | /src/openssh/ssh-rsa.c:508 |
| 7 | 7 | 1: ['strlcpy'] | 7 | 118 | sshlogv | call site: 00039 | /src/openssh/log.c:484 |
| 4 | 4 | 1: ['timingsafe_bcmp'] | 4 | 9 | openssh_RSA_verify | call site: 00000 | /src/openssh/ssh-rsa.c:659 |
| 2 | 2 | 1: ['_exit'] | 2 | 2 | _rs_init | call site: 00000 | /src/openssh/openbsd-compat/arc4random.c:102 |
| 2 | 2 | 1: ['memset'] | 2 | 2 | _rs_forkdetect | call site: 00000 | /src/openssh/openbsd-compat/./arc4random.h:58 |
| 2 | 2 | 1: ['munmap'] | 2 | 2 | _rs_allocate | call site: 00000 | /src/openssh/openbsd-compat/./arc4random.h:71 |

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 __cxa_guard_acquire [call site] 00001
1 generate_or_die(int, unsigned int) [function] [call site] 00002
2 sshkey_generate [function] [call site] 00003
3 sshkey_type_is_cert [function] [call site] 00004
4 sshkey_impl_from_type [function] [call site] 00005
3 sshkey_impl_from_type [function] [call site] 00006
3 sshkey_new [function] [call site] 00007
4 sshkey_impl_from_type [function] [call site] 00008
4 calloc [call site] 00009
4 sshkey_is_cert [function] [call site] 00010
5 sshkey_type_is_cert [function] [call site] 00011
4 cert_new [function] [call site] 00012
5 calloc [call site] 00013
5 sshbuf_new [function] [call site] 00014
6 calloc [call site] 00015
6 calloc [call site] 00016
5 sshbuf_new [function] [call site] 00017
5 sshbuf_new [function] [call site] 00018
5 cert_free [function] [call site] 00019
6 sshbuf_free [function] [call site] 00020
7 sshbuf_check_sanity [function] [call site] 00021
8 ssh_signal [function] [call site] 00022
9 memset [call site] 00023
9 sigfillset [call site] 00024
9 sigaction [call site] 00025
9 strsignal [call site] 00026
9 sshlog [function] [call site] 00027
10 sshlogv [function] [call site] 00028
11 strrchr [call site] 00029
11 getpid [call site] 00030
11 snprintf [call site] 00031
11 match_pattern_list [function] [call site] 00032
12 strlen [call site] 00033
12 __ctype_b_loc [call site] 00034
12 tolower [call site] 00035
12 match_pattern [function] [call site] 00036
13 match_pattern [function] [call site] 00037
14 match_pattern [function] [call site] 00038
11 snprintf [call site] 00039
11 snprintf [call site] 00040
11 do_log [function] [call site] 00042
12 __errno_location [call site] 00043
12 snprintf [call site] 00044
12 vsnprintf [call site] 00045
12 vsnprintf [call site] 00046
12 snprintf [call site] 00047
12 strnvis [function] [call site] 00049
13 __ctype_b_loc [call site] 00050
13 vis [function] [call site] 00051
14 __ctype_b_loc [call site] 00052
14 __ctype_b_loc [call site] 00053
12 snprintf [call site] 00055
12 strlen [call site] 00056
12 openlog [call site] 00057
12 syslog [call site] 00058
12 closelog [call site] 00059
12 __errno_location [call site] 00060
8 raise [call site] 00061
7 sshbuf_free [function] [call site] 00062
8 explicit_bzero [call site] 00063
8 freezero [function] [call site] 00064
9 explicit_bzero [call site] 00065
6 sshbuf_free [function] [call site] 00066
6 sshbuf_free [function] [call site] 00067
6 sshkey_free [function] [call site] 00068
7 sshkey_free_contents [function] [call site] 00069
8 sshkey_impl_from_type [function] [call site] 00070
8 sshkey_is_cert [function] [call site] 00071
4 sshkey_free [function] [call site] 00077
3 sshkey_free [function] [call site] 00078
2 ssh_err [function] [call site] 00079
3 __errno_location [call site] 00080
2 fprintf [call site] 00081
2 abort [call site] 00082
1 generate_or_die(int, unsigned int) [function] [call site] 00083
1 __cxa_guard_acquire [call site] 00084
1 generate_or_die(int, unsigned int) [function] [call site] 00085
1 __cxa_guard_acquire [call site] 00086
1 generate_or_die(int, unsigned int) [function] [call site] 00087
1 __cxa_guard_acquire [call site] 00088
1 generate_or_die(int, unsigned int) [function] [call site] 00089
1 __cxa_guard_acquire [call site] 00090
1 generate_or_die(int, unsigned int) [function] [call site] 00091
1 __cxa_guard_acquire [call site] 00092
1 sshkey_verify [function] [call site] 00093
2 sshkey_impl_from_key [function] [call site] 00094
3 sshkey_impl_from_type_nid [function] [call site] 00095
1 sshkey_sig_details_free [function] [call site] 00096
1 sshkey_verify [function] [call site] 00098
1 sshkey_sig_details_free [function] [call site] 00099
1 sshkey_verify [function] [call site] 00100
1 sshkey_sig_details_free [function] [call site] 00101
1 sshkey_verify [function] [call site] 00102
1 sshkey_sig_details_free [function] [call site] 00103
1 sshkey_verify [function] [call site] 00104
1 sshkey_sig_details_free [function] [call site] 00105
1 sshkey_verify [function] [call site] 00106
1 sshkey_sig_details_free [function] [call site] 00107