[PATCH] D12648: [libFuzzer]Add XFAIL test for defeating a hash sum.

Ivan Krasin via llvm-commits llvm-commits at lists.llvm.org
Tue Sep 8 14:17:27 PDT 2015


krasin updated this revision to Diff 34264.
krasin added a comment.

Reenabling the now passing test.


http://reviews.llvm.org/D12648

Files:
  lib/Fuzzer/test/CMakeLists.txt
  lib/Fuzzer/test/SimpleHashTest.cpp
  lib/Fuzzer/test/fuzzer.test

Index: lib/Fuzzer/test/fuzzer.test
===================================================================
--- lib/Fuzzer/test/fuzzer.test
+++ lib/Fuzzer/test/fuzzer.test
@@ -40,3 +40,6 @@
 
 RUN: not LLVMFuzzer-SimpleDictionaryTest -dict=%S/dict1.txt -seed=1 -runs=1000000  2>&1 | FileCheck %s
 RUN:     LLVMFuzzer-SimpleDictionaryTest                    -seed=1 -runs=1000000  2>&1 | FileCheck %s --check-prefix=Done1000000
+
+RUN: not LLVMFuzzer-SimpleHashTest -use_traces=1 -seed=1 -runs=100000  2>&1 | FileCheck %s
+RUN:     LLVMFuzzer-SimpleHashTest               -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000
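Review bot: The first added RUN line only passes if the fuzzer reaches the target's `exit(1)` within 100000 runs at `-seed=1`, so a later change to mutation order or trace handling could flip it without any real regression. This is inferred, since the default CHECK pattern sits outside this hunk. The two lines also use different budgets (`-runs=100000` and `-runs=1000000`) with no explanation. A plain comment line above the pair would record the intent, for example `With -use_traces=1 the hash check must be defeated; without traces the full run budget must complete.`, and could say why the budgets differ.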
Index: lib/Fuzzer/test/SimpleHashTest.cpp
===================================================================
--- /dev/null
+++ lib/Fuzzer/test/SimpleHashTest.cpp
@@ -0,0 +1,36 @@
+// This test computes a checksum of the data (all but the last 4 bytes),
+// and then compares the last 4 bytes with the computed value.
+// A fuzzer with cmp traces is expected to defeat this check.
+#include <cstdint>
+#include <cstdlib>
+#include <cstring>
+#include <cstdio>
+
+// A modified jenkins_one_at_a_time_hash initialized by non-zero,
+// so that simple_hash(0) != 0. See also
+// https://en.wikipedia.org/wiki/Jenkins_hash_function
+static uint32_t simple_hash(const uint8_t *Data, size_t Size) {
+  uint32_t Hash = 0x12039854;
+  for (uint32_t i = 0; i < Size; i++) {
+    Hash += Data[i];
+    Hash += (Hash << 10);
+    Hash ^= (Hash >> 6);
+  }
+  Hash += (Hash << 3);
+  Hash ^= (Hash >> 11);
+  Hash += (Hash << 15);
+  return Hash;
+}
+
+extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size < 14)
+    return;
+
+  uint32_t Hash = simple_hash(&Data[0], Size - 4);
+  uint32_t Want = reinterpret_cast<const uint32_t *>(&Data[Size - 4])[0];
+  if (Hash != Want)
+    return;
+  fprintf(stderr, "BINGO; simple_hash defeated: %x == %x\n", (unsigned int)Hash,
+          (unsigned int)Want);
+  exit(1);
+}
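Review bot: The trailing checksum is loaded with `reinterpret_cast<const uint32_t *>(&Data[Size - 4])[0]`, which dereferences a `uint32_t` pointer into a byte buffer at an arbitrary offset. That is a misaligned, aliasing-violating access, and a sanitizer-instrumented build of this fuzz target may report it instead of exercising the hash comparison. `<cstring>` is already included and otherwise unused, so `uint32_t Want; memcpy(&Want, &Data[Size - 4], sizeof(Want));` performs the same load without undefined behaviour. Separately, the loop in `simple_hash` compares a `uint32_t i` against a `size_t Size`, which `size_t i` would avoid. The `Size < 14` threshold also deserves a one-line comment explaining the choice of 14.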
Index: lib/Fuzzer/test/CMakeLists.txt
===================================================================
--- lib/Fuzzer/test/CMakeLists.txt
+++ lib/Fuzzer/test/CMakeLists.txt
@@ -22,6 +22,7 @@
   NullDerefTest
   SimpleCmpTest
   SimpleDictionaryTest
+  SimpleHashTest
   SimpleTest
   StrcmpTest
   StrncmpTest


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D12648.34264.patch
Type: text/x-patch
Size: 2286 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20150908/d9929212/attachment.bin>

