[llvm] r282839 - [libfuzzer] test for c-ares CVE-2016-5180

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Thu Sep 29 22:15:45 PDT 2016


Author: kcc
Date: Fri Sep 30 00:15:45 2016
New Revision: 282839

URL: http://llvm.org/viewvc/llvm-project?rev=282839&view=rev
Log:
[libfuzzer] test for c-ares CVE-2016-5180

Added:
    llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/
    llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/build.sh   (with props)
    llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/target.cc
    llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/test.sh   (with props)

Added: llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/build.sh
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/build.sh?rev=282839&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/build.sh (added)
+++ llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/build.sh Fri Sep 30 00:15:45 2016
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+[ -e $(basename $0) ] && echo "PLEASE USE THIS SCRIPT FROM ANOTHER DIR" && exit 1
+SCRIPT_DIR=$(dirname $0)
+EXECUTABLE_NAME_BASE=$(basename $SCRIPT_DIR)
+LIBFUZZER_SRC=$(dirname $(dirname $SCRIPT_DIR))
+
+FUZZ_CXXFLAGS="-O2 -g -fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div"
+
+get() {
+  [ ! -e SRC ] && git clone https://github.com/c-ares/c-ares.git SRC && (cd SRC && git reset --hard 51fbb479f7948fca2ace3ff34a15ff27e796afdd)
+}
+build_lib() {
+  rm -rf BUILD
+  cp -rf SRC BUILD
+  (cd BUILD && ./buildconf && ./configure CC="clang $FUZZ_CXXFLAGS" &&  make -j)
+}
+
+get
+build_lib
+$LIBFUZZER_SRC/build.sh
+clang++ -g $SCRIPT_DIR/target.cc -I  BUILD BUILD/.libs/libcares.a libFuzzer.a  $FUZZ_CXXFLAGS -o $EXECUTABLE_NAME_BASE
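Review bot: Nothing in this script stops on failure, so a clone or `git reset --hard` failure in `get` (lines 36–38) or a `buildconf`/`configure`/`make` failure in `build_lib` leaves a partial tree that the final `clang++` line still tries to link against; worse, if the clone succeeds but the reset to the pinned revision does not, SRC exists and every later run silently fuzzes whatever revision the clone left checked out rather than the vulnerable commit the test is meant to reproduce. Adding `set -eu` right after the shebang makes each step fatal and turns the wrong-revision case into a visible error. The expansions of `$0`, `$SCRIPT_DIR` and `$LIBFUZZER_SRC` are also unquoted, so the script breaks on a checkout path containing spaces; `SCRIPT_DIR=$(dirname "$0")` and `"$LIBFUZZER_SRC/build.sh"` are the usual forms.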

Propchange: llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/build.sh
------------------------------------------------------------------------------
    svn:executable = *

Added: llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/target.cc
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/target.cc?rev=282839&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/target.cc (added)
+++ llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/target.cc Fri Sep 30 00:15:45 2016
@@ -0,0 +1,21 @@
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <arpa/nameser.h>
+#include <iostream>
+
+#include <ares.h>
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+	unsigned char* buf;
+	int buflen;
+	char* inp = (char*)malloc(size+1);
+	inp[size]=0;
+	memcpy(inp, data, size);
+
+	ares_create_query((const char*)inp, ns_c_in, ns_t_a, 0x1234, 0, &buf, &buflen, 0);
+
+	free(buf);
+	free(inp);
+	return 0;
+}
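Review bot: `free(buf)` at line 77 runs regardless of the return value of `ares_create_query`, so the harness depends on the library writing `*bufp` on every error path; if any error return leaves it untouched, `buf` is an uninitialized pointer and the `free` is undefined behaviour that ASan would report as an unrelated error, masking the heap-buffer-overflow this test looks for. Initialize `unsigned char* buf = NULL;` and release only on success, `if (ares_create_query(...) == ARES_SUCCESS) ares_free_string(buf);`, since the c-ares documentation names `ares_free_string` as the release call for the buffer it hands back. The `malloc` at line 71 is also unchecked; `if (!inp) return 0;` before `inp[size]=0` keeps an allocation failure from becoming a null write.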

Added: llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/test.sh
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/test.sh?rev=282839&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/test.sh (added)
+++ llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/test.sh Fri Sep 30 00:15:45 2016
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -x
+SCRIPT_DIR=$(dirname $0)
+EXECUTABLE_NAME_BASE=$(basename $SCRIPT_DIR)
+CORPUS=CORPUS-$EXECUTABLE_NAME_BASE
+[ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -max_total_time=10 2>&1 | tee log
+grep -Pzo "(?s)ERROR: AddressSanitizer: heap-buffer-overflow.*WRITE of size 1.*ares_create_query.*is located 0 bytes to the right of" log
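Review bot: The `grep` at line 94 reads `log` even when the fuzzer did not run — the `[ -e $EXECUTABLE_NAME_BASE ] && …` chain on line 93 only skips the run when the binary is missing — so a `log` left over from an earlier run makes the test pass without exercising anything. Fail early instead, `[ -e "$EXECUTABLE_NAME_BASE" ] || exit 1`, and `rm -f log` before the run so the match can only come from this invocation. `CORPUS` is assigned on line 92 but never used; presumably it was meant to be passed as the corpus directory argument to the fuzzer, otherwise each 10-second run starts from an empty corpus. `grep -Pzo` is GNU-specific (PCRE plus NUL-separated lines), so the check will not run under BSD/macOS grep.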

Propchange: llvm/trunk/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/test.sh
------------------------------------------------------------------------------
    svn:executable = *



