Fuzz introspector: sig_fuzz
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

| Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch |
|---|---|---|---|---|---|---|---|
| 886 | 886 | 2: ['sshkey_free', 'cert_new'] | 886 | 886 | sshkey_new | call site: 00010 | /src/openssh/sshkey.c:722 |
| 440 | 440 | 1: ['sshkey_free'] | 440 | 440 | sshkey_generate | call site: 00007 | /src/openssh/sshkey.c:1525 |
| 165 | 165 | 1: ['_getentropy_fail'] | 169 | 230 | _rs_stir | call site: 00000 | /src/openssh/openbsd-compat/arc4random.c:116 |
| 165 | 165 | 2: ['sshfatal', 'ERR_get_error'] | 165 | 165 | _ssh_compat_getentropy | call site: 00000 | /src/openssh/openbsd-compat/bsd-getentropy.c:45 |
| 158 | 158 | 5: ['do_log', 'getpid', 'strrchr', 'strlcpy', 'match_pattern_list'] | 158 | 158 | sshlogv | call site: 00030 | /src/openssh/log.c:462 |
| 73 | 73 | 2: ['ssh_err', 'abort'] | 73 | 73 | generate_or_die(int, unsigned int) | call site: 00000 | /src/openssh/regress/misc/fuzz-harness/sig_fuzz.cc:18 |
| 13 | 13 | 1: ['ssh_rsa_hash_id_from_keyname'] | 23 | 674 | ssh_rsa_verify | call site: 00000 | /src/openssh/ssh-rsa.c:528 |
| 2 | 2 | 1: ['_exit'] | 2 | 2 | _rs_init | call site: 00000 | /src/openssh/openbsd-compat/arc4random.c:102 |
| 2 | 2 | 1: ['memset'] | 2 | 2 | _rs_forkdetect | call site: 00000 | /src/openssh/openbsd-compat/./arc4random.h:60 |
| 2 | 2 | 1: ['munmap'] | 2 | 2 | _rs_allocate | call site: 00000 | /src/openssh/openbsd-compat/./arc4random.h:73 |
| 2 | 2 | 1: ['BN_clear_free'] | 2 | 2 | sshbuf_get_bignum2 | call site: 00000 | /src/openssh/sshbuf-getput-crypto.c:48 |
| 0 | 199 | 1: ['sshbuf_free'] | 0 | 199 | sshbuf_froms | call site: 00000 | /src/openssh/sshbuf-getput-basic.c:561 |

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 __cxa_guard_acquire [call site] 00001
1 generate_or_die(int, unsigned int) [function] [call site] 00002
2 sshkey_generate [function] [call site] 00003
3 sshkey_type_is_cert [function] [call site] 00004
4 sshkey_impl_from_type [function] [call site] 00005
3 sshkey_impl_from_type [function] [call site] 00006
3 sshkey_new [function] [call site] 00007
4 sshkey_impl_from_type [function] [call site] 00008
4 calloc [call site] 00009
4 sshkey_is_cert [function] [call site] 00010
5 sshkey_type_is_cert [function] [call site] 00011
4 cert_new [function] [call site] 00012
5 calloc [call site] 00013
5 sshbuf_new [function] [call site] 00014
6 calloc [call site] 00015
6 calloc [call site] 00016
5 sshbuf_new [function] [call site] 00017
5 sshbuf_new [function] [call site] 00018
5 cert_free [function] [call site] 00019
6 sshbuf_free [function] [call site] 00020
7 sshbuf_check_sanity [function] [call site] 00021
8 ssh_signal [function] [call site] 00022
9 memset [call site] 00023
9 sigfillset [call site] 00024
9 sigaction [call site] 00025
9 strsignal [call site] 00026
9 __errno_location [call site] 00027
9 strerror [call site] 00028
9 sshlog [function] [call site] 00029
10 sshlogv [function] [call site] 00030
11 strrchr [call site] 00031
11 getpid [call site] 00032
11 snprintf [call site] 00033
11 match_pattern_list [function] [call site] 00034
12 strlen [call site] 00035
12 __ctype_b_loc [call site] 00036
12 tolower [call site] 00037
12 match_pattern [function] [call site] 00038
13 match_pattern [function] [call site] 00039
14 match_pattern [function] [call site] 00040
11 snprintf [call site] 00041
11 snprintf [call site] 00042
11 do_log [function] [call site] 00044
12 __errno_location [call site] 00045
12 snprintf [call site] 00046
12 vsnprintf [call site] 00047
12 vsnprintf [call site] 00048
12 snprintf [call site] 00049
12 strnvis [function] [call site] 00051
13 __ctype_b_loc [call site] 00052
13 vis [function] [call site] 00053
14 __ctype_b_loc [call site] 00054
14 __ctype_b_loc [call site] 00055
12 snprintf [call site] 00057
12 strlen [call site] 00058
12 write [call site] 00059
12 openlog [call site] 00060
12 syslog [call site] 00061
12 closelog [call site] 00062
12 __errno_location [call site] 00063
8 raise [call site] 00064
7 sshbuf_free [function] [call site] 00065
8 freezero [function] [call site] 00066
9 explicit_bzero [call site] 00067
6 sshbuf_free [function] [call site] 00069
6 sshbuf_free [function] [call site] 00070
6 sshkey_free [function] [call site] 00071
7 sshkey_free_contents [function] [call site] 00072
8 pkcs11_key_free [function] [call site] 00073
9 sshkey_type [function] [call site] 00074
10 sshkey_impl_from_key [function] [call site] 00075
11 sshkey_impl_from_type_nid [function] [call site] 00076
9 helper_by_key [function] [call site] 00078
10 sshbuf_new [function] [call site] 00079
10 sshfatal [function] [call site] 00080
11 cleanup_exit [function] [call site] 00082
12 _exit [call site] 00083
10 sshkey_putb [function] [call site] 00084
11 to_blob_buf [function] [call site] 00085
12 sshkey_type_plain [function] [call site] 00086
12 sshkey_type_is_cert [function] [call site] 00087
12 sshbuf_len [function] [call site] 00088
13 sshbuf_check_sanity [function] [call site] 00089
12 sshbuf_putb [function] [call site] 00090
13 sshbuf_ptr [function] [call site] 00091
14 sshbuf_check_sanity [function] [call site] 00092
13 sshbuf_len [function] [call site] 00093
13 sshbuf_put [function] [call site] 00094
14 sshbuf_reserve [function] [call site] 00095
15 sshbuf_allocate [function] [call site] 00096
16 sshbuf_check_reserve [function] [call site] 00097
17 sshbuf_check_sanity [function] [call site] 00098
16 sshbuf_maybe_pack [function] [call site] 00099
16 recallocarray [function] [call site] 00100
17 calloc [call site] 00101
17 __errno_location [call site] 00102
17 __errno_location [call site] 00103
17 getpagesize [call site] 00104
17 memset [call site] 00105
17 memset [call site] 00106
17 explicit_bzero [call site] 00107
16 sshbuf_check_reserve [function] [call site] 00108
12 sshkey_impl_from_type [function] [call site] 00109
12 sshkey_ssh_name_from_type_nid [function] [call site] 00110
13 sshkey_impl_from_type_nid [function] [call site] 00111
12 sshbuf_put_cstring [function] [call site] 00112
13 strlen [call site] 00113
13 sshbuf_put_string [function] [call site] 00114
14 sshbuf_reserve [function] [call site] 00115
10 ssh_err [function] [call site] 00116
11 __errno_location [call site] 00117
11 strerror [call site] 00118
10 sshfatal [function] [call site] 00119
10 sshbuf_equals [function] [call site] 00120
11 sshbuf_ptr [function] [call site] 00121
11 sshbuf_len [function] [call site] 00122
11 sshbuf_len [function] [call site] 00123
11 sshbuf_ptr [function] [call site] 00124
11 sshbuf_len [function] [call site] 00125
11 memcmp [call site] 00126
10 sshbuf_free [function] [call site] 00127
10 sshbuf_free [function] [call site] 00128
9 sshkey_type [function] [call site] 00129
9 sshbuf_new [function] [call site] 00131
9 sshkey_putb [function] [call site] 00133
9 sshbuf_equals [function] [call site] 00136
9 xrecallocarray [function] [call site] 00138
10 recallocarray [function] [call site] 00139
10 sshfatal [function] [call site] 00140
9 helper_terminate [function] [call site] 00141
10 sshfatal [function] [call site] 00142
10 close [call site] 00144
10 sshfatal [function] [call site] 00145
10 xrecallocarray [function] [call site] 00146
10 sshbuf_free [function] [call site] 00147
8 sshkey_impl_from_type [function] [call site] 00148
8 sshkey_is_cert [function] [call site] 00149
8 sshkey_prekey_free [function] [call site] 00153
9 munmap [call site] 00154
4 sshkey_free [function] [call site] 00156
3 sshkey_free [function] [call site] 00157
2 fprintf [call site] 00159
2 abort [call site] 00160
1 __cxa_guard_release [call site] 00161
1 __cxa_guard_acquire [call site] 00162
1 generate_or_die(int, unsigned int) [function] [call site] 00163
1 __cxa_guard_release [call site] 00164
1 __cxa_guard_acquire [call site] 00165
1 generate_or_die(int, unsigned int) [function] [call site] 00166
1 __cxa_guard_release [call site] 00167
1 __cxa_guard_acquire [call site] 00168
1 generate_or_die(int, unsigned int) [function] [call site] 00169
1 __cxa_guard_release [call site] 00170
1 __cxa_guard_acquire [call site] 00171
1 generate_or_die(int, unsigned int) [function] [call site] 00172
1 __cxa_guard_release [call site] 00173
1 __cxa_guard_acquire [call site] 00174
1 strlen [call site] 00175
1 __cxa_guard_release [call site] 00176
1 sshkey_verify [function] [call site] 00177
2 sshkey_impl_from_key [function] [call site] 00178
1 sshkey_sig_details_free [function] [call site] 00179
1 sshkey_verify [function] [call site] 00181
1 sshkey_sig_details_free [function] [call site] 00182
1 sshkey_verify [function] [call site] 00183
1 sshkey_sig_details_free [function] [call site] 00184
1 sshkey_verify [function] [call site] 00185
1 sshkey_sig_details_free [function] [call site] 00186
1 sshkey_verify [function] [call site] 00187
1 sshkey_sig_details_free [function] [call site] 00188
1 __cxa_guard_abort [call site] 00189
1 __cxa_guard_abort [call site] 00190
1 __cxa_guard_abort [call site] 00191
1 __cxa_guard_abort [call site] 00192
1 __cxa_guard_abort [call site] 00193