bind9/fuzz/Makefile.am

include $(top_srcdir)/Makefile.top

AM_CFLAGS +=				\
	$(TEST_CFLAGS)

AM_CPPFLAGS +=				\
	$(LIBISC_CFLAGS)		\
	$(LIBDNS_CFLAGS)		\
	$(LIBURCU_CFLAGS)		\
	$(LIBUV_CFLAGS)			\
	-DFUZZDIR=\"$(abs_srcdir)\"	\
	-I$(top_srcdir)/lib/dns		\
	-I$(top_srcdir)/lib/isc		\
	-I$(top_srcdir)/tests/include

AM_LDFLAGS +=				\
	$(FUZZ_LDFLAGS)

LDADD +=						\
	libfuzzmain.la					\
	$(top_builddir)/tests/libtest/libtest.la	\
	$(LIBDNS_LIBS)					\
	$(LIBISC_LIBS)

check_LTLIBRARIES = libfuzzmain.la
libfuzzmain_la_SOURCES =		\
	fuzz.h				\
	main.c

check_PROGRAMS =			\
	dns_master_load			\
	dns_message_checksig		\
	dns_message_parse		\
	dns_name_fromtext_target	\
	dns_name_fromwire		\
	dns_qp				\
	dns_qpkey_name			\
	dns_rdata_fromtext		\
	dns_rdata_fromwire_text		\
	isc_lex_getmastertoken		\
	isc_lex_gettoken

EXTRA_DIST =				\
	dns_master_load.in		\
	dns_message_checksig.in		\
	dns_message_parse.in		\
	dns_name_fromtext_target.in	\
	dns_name_fromwire.in		\
	dns_qp.in			\
	dns_qpkey_name.in		\
	dns_rdata_fromtext.in		\
	dns_rdata_fromwire_text.in	\
	isc_lex_getmastertoken.in	\
	isc_lex_gettoken.in

dns_name_fromwire_SOURCES =		\
	dns_name_fromwire.c		\
	old.c				\
	old.h

TESTS = $(check_PROGRAMS)

if HAVE_FUZZ_LOG_COMPILER
LOG_COMPILER = $(srcdir)/$(FUZZ_LOG_COMPILER)
AM_LOG_FLAGS = $(srcdir)
endif HAVE_FUZZ_LOG_COMPILER

unit-local: check
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`include $(top_srcdir)/Makefile.top`

Avoid using C99 variable length arrays From an attacker's point of view, a VLA declaration is essentially a primitive for performing arbitrary arithmetic on the stack pointer. If the attacker can control the size of a VLA they have a very powerful tool for causing memory corruption. To mitigate this kind of attack, and the more general class of stack clash vulnerabilities, C compilers insert extra code when allocating a VLA to probe the growing stack one page at a time. If these probes hit the stack guard page, the program will crash. From the point of view of a C programmer, there are a few things to consider about VLAs: * If it is important to handle allocation failures in a controlled manner, don't use VLAs. You can use VLAs if it is OK for unreasonable inputs to cause an uncontrolled crash. * If the VLA is known to be smaller than some known fixed size, use a fixed size array and a run-time check to ensure it is large enough. This will be more efficient than the compiler's stack probes that need to cope with arbitrary-size VLAs. * If the VLA might be large, allocate it on the heap. The heap allocator can allocate multiple pages in one shot, whereas the stack clash probes work one page at a time. Most of the existing uses of VLAs in BIND are in test code where they are benign, but there was one instance in `named`, in the GSS-TSIG verification code, which has now been removed. This commit adjusts the style guide and the C compiler flags to allow VLAs in test code but not elsewhere. 2022-03-18 10:50:36 -04:00			`AM_CFLAGS += \`
			`$(TEST_CFLAGS)`

Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`AM_CPPFLAGS += \`
			`$(LIBISC_CFLAGS) \`
			`$(LIBDNS_CFLAGS) \`
Get the tests working with liburcu Mostly a few qp-trie details to adjust. 2023-03-08 09:52:30 -05:00			`$(LIBURCU_CFLAGS) \`
Build libtest even if CMOCKA is not available Be more selective about what is not built when CMOCKA is not available so that fuzz/dns_qp and fuzz/dns_qpkey_name can link against it. 2023-03-08 23:53:42 -05:00			`$(LIBUV_CFLAGS) \`
			`-DFUZZDIR=\"$(abs_srcdir)\" \`
			`-I$(top_srcdir)/lib/dns \`
			`-I$(top_srcdir)/lib/isc \`
			`-I$(top_srcdir)/tests/include`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00
Fix function overrides in unit tests on macOS Since Mac OS X 10.1, Mach-O object files are by default built with a so-called two-level namespace which prevents symbol lookups in BIND unit tests that attempt to override the implementations of certain library functions from working as intended. This feature can be disabled by passing the "-flat_namespace" flag to the linker. Fix unit tests affected by this issue on macOS by adding "-flat_namespace" to LDFLAGS used for building all object files on that operating system (it is not enough to only set that flag for the unit test executables). 2020-09-28 03:09:21 -04:00			`AM_LDFLAGS += \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`$(FUZZ_LDFLAGS)`

Build libtest even if CMOCKA is not available Be more selective about what is not built when CMOCKA is not available so that fuzz/dns_qp and fuzz/dns_qpkey_name can link against it. 2023-03-08 23:53:42 -05:00			`LDADD += \`
			`libfuzzmain.la \`
			`$(top_builddir)/tests/libtest/libtest.la \`
			`$(LIBDNS_LIBS) \`
Fuzz testing the qp-trie Ensure dns_qpkey_fromname() and dns_qpkey_toname() are inverses. Excercise a single-threaded dns_qp_t with a fixed set of random keys and a small chunk size. Use the table of names to ensure that the trie is behaving as expected. This is (in effect) randomized testing like the `qpmulti` unit test, but making use of coverage-guided fuzzing and (in principle) test case minimization. 2022-06-12 10:52:35 -04:00			`$(LIBISC_LIBS)`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00
			`check_LTLIBRARIES = libfuzzmain.la`
			`libfuzzmain_la_SOURCES = \`
Include fuzz/fuzz.h in source tarballs 2020-08-06 03:10:06 -04:00			`fuzz.h \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`main.c`

			`check_PROGRAMS = \`
Add dns_master_loadbuffer() fuzzer Corpus focuses on "extra" things in master files like $GENERATE etc. Text encoding for RRs is thoroughly tested in dns_rdata_fromtext fuzzer. 2021-02-19 12:08:36 -05:00			`dns_master_load \`
Add dns_message_checksig() fuzzer dns_message_checksig is called in a number of scenarios * on requests and responses * on multiple opcodes * with and without signatures * with TSIG signatures * with SIG(0) signatures * with and without configured TSIG keys * with and without KEY records being present * signing performed now, in the future and in the past we use the first two octets of the seed to configure the calling environment with the remainder of the seed being the rdata of the TSIG/SIG(0) record. 2022-03-02 05:48:26 -05:00			`dns_message_checksig \`
Add dns_message_parse() fuzzer Previously, the bin/system/wire_test.c was optionally used as a fuzzer, this commit extracts the parts relevant to the fuzzing into a specialized fuzzer that can be used in oss-fuzz project. The fuzzer parses the input as UDP DNS message, then prints parsed DNS message, then renders the DNS message and then prints the rendered DNS message. No part of the code should cause a assertion failure. 2020-08-25 03:51:40 -04:00			`dns_message_parse \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`dns_name_fromtext_target \`
Fuzzing and benchmarking for dns_name_fromwire() Since this is very sensitive code which has often had security problems in many DNS implementations, it needs a decent amount of validation. This fuzzer ensures that the new code has the same output as the old code, and that it doesn't take longer than a second. The benchmark uses the fuzzer's copy of the old dns_name_fromwire() code to compare a number of scenarios: many compression pointers, many labels, long labels, random data, with/without downcasing. 2022-11-07 11:22:48 -05:00			`dns_name_fromwire \`
Build libtest even if CMOCKA is not available Be more selective about what is not built when CMOCKA is not available so that fuzz/dns_qp and fuzz/dns_qpkey_name can link against it. 2023-03-08 23:53:42 -05:00			`dns_qp \`
			`dns_qpkey_name \`
Add dns_rdata_fromtext() fuzzer ... along with dns_rdataclass_fromtext and dns_rdatatype_fromtext Most of the test binary is modified named-rrchecker. Main differences: - reads single RR and exists - does not refuse meta classes and rr types We actually do have some fromtext code for meta-things so erroring out in named-rrchecker would prevent us from testing this code. Corpus has examples of all currently supported RR types. I did not do any minimization. In future use command diff -U0 \ <(sed -n -e 's/^.fromtext_\(.\)(.*$/\1/p' lib/dns/code.h \| \ sort) \ <(ls fuzz/dns_rdata_fromtext.in/) to check for missing RR types. 2021-02-18 15:29:33 -05:00			`dns_rdata_fromtext \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`dns_rdata_fromwire_text \`
			`isc_lex_getmastertoken \`
			`isc_lex_gettoken`

			`EXTRA_DIST = \`
Add dns_master_loadbuffer() fuzzer Corpus focuses on "extra" things in master files like $GENERATE etc. Text encoding for RRs is thoroughly tested in dns_rdata_fromtext fuzzer. 2021-02-19 12:08:36 -05:00			`dns_master_load.in \`
Add dns_message_checksig() fuzzer dns_message_checksig is called in a number of scenarios * on requests and responses * on multiple opcodes * with and without signatures * with TSIG signatures * with SIG(0) signatures * with and without configured TSIG keys * with and without KEY records being present * signing performed now, in the future and in the past we use the first two octets of the seed to configure the calling environment with the remainder of the seed being the rdata of the TSIG/SIG(0) record. 2022-03-02 05:48:26 -05:00			`dns_message_checksig.in \`
Add dns_message_parse() fuzzer Previously, the bin/system/wire_test.c was optionally used as a fuzzer, this commit extracts the parts relevant to the fuzzing into a specialized fuzzer that can be used in oss-fuzz project. The fuzzer parses the input as UDP DNS message, then prints parsed DNS message, then renders the DNS message and then prints the rendered DNS message. No part of the code should cause a assertion failure. 2020-08-25 03:51:40 -04:00			`dns_message_parse.in \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`dns_name_fromtext_target.in \`
Fuzzing and benchmarking for dns_name_fromwire() Since this is very sensitive code which has often had security problems in many DNS implementations, it needs a decent amount of validation. This fuzzer ensures that the new code has the same output as the old code, and that it doesn't take longer than a second. The benchmark uses the fuzzer's copy of the old dns_name_fromwire() code to compare a number of scenarios: many compression pointers, many labels, long labels, random data, with/without downcasing. 2022-11-07 11:22:48 -05:00			`dns_name_fromwire.in \`
Fuzz testing the qp-trie Ensure dns_qpkey_fromname() and dns_qpkey_toname() are inverses. Excercise a single-threaded dns_qp_t with a fixed set of random keys and a small chunk size. Use the table of names to ensure that the trie is behaving as expected. This is (in effect) randomized testing like the `qpmulti` unit test, but making use of coverage-guided fuzzing and (in principle) test case minimization. 2022-06-12 10:52:35 -04:00			`dns_qp.in \`
			`dns_qpkey_name.in \`
Add dns_rdata_fromtext() fuzzer ... along with dns_rdataclass_fromtext and dns_rdatatype_fromtext Most of the test binary is modified named-rrchecker. Main differences: - reads single RR and exists - does not refuse meta classes and rr types We actually do have some fromtext code for meta-things so erroring out in named-rrchecker would prevent us from testing this code. Corpus has examples of all currently supported RR types. I did not do any minimization. In future use command diff -U0 \ <(sed -n -e 's/^.fromtext_\(.\)(.*$/\1/p' lib/dns/code.h \| \ sort) \ <(ls fuzz/dns_rdata_fromtext.in/) to check for missing RR types. 2021-02-18 15:29:33 -05:00			`dns_rdata_fromtext.in \`
Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`dns_rdata_fromwire_text.in \`
			`isc_lex_getmastertoken.in \`
			`isc_lex_gettoken.in`

Fuzzing and benchmarking for dns_name_fromwire() Since this is very sensitive code which has often had security problems in many DNS implementations, it needs a decent amount of validation. This fuzzer ensures that the new code has the same output as the old code, and that it doesn't take longer than a second. The benchmark uses the fuzzer's copy of the old dns_name_fromwire() code to compare a number of scenarios: many compression pointers, many labels, long labels, random data, with/without downcasing. 2022-11-07 11:22:48 -05:00			`dns_name_fromwire_SOURCES = \`
			`dns_name_fromwire.c \`
			`old.c \`
			`old.h`

Re-enable the fuzzing tests The fuzzing tests were temporarily disabled when the build system has been converted to automake. This commit restores the functionality to run the fuzzing tests as part of the `make check`. When the afl or libfuzzer is enabled via ./configure, it uses a custom LOG_DRIVER (fuzz/<fuzzer.sh>). Currently only libfuzzer.sh has been implemented that runs each fuzz test for 5 seconds each. 2020-07-31 09:20:56 -04:00			`TESTS = $(check_PROGRAMS)`

			`if HAVE_FUZZ_LOG_COMPILER`
			`LOG_COMPILER = $(srcdir)/$(FUZZ_LOG_COMPILER)`
			`AM_LOG_FLAGS = $(srcdir)`
			`endif HAVE_FUZZ_LOG_COMPILER`

			`unit-local: check`