diff options
author | Robert Swiecki <robert@swiecki.net> | 2019-05-09 16:15:34 +0200 |
---|---|---|
committer | Robert Swiecki <robert@swiecki.net> | 2019-05-09 16:15:34 +0200 |
commit | 0731ac44ff79b6022e055fad1c395797c36aecc6 (patch) | |
tree | 703d9b3fc42a7ae6025ac087c8f24e9357362b67 | |
parent | 520d7d5118cac1b6a8e19de368aa142c61701fa1 (diff) | |
download | honggfuzz-0731ac44ff79b6022e055fad1c395797c36aecc6.tar.gz |
examples/bind: patch for 9.14.1
-rw-r--r-- | examples/bind/bind-9.14.1.patch | 462 |
1 files changed, 462 insertions, 0 deletions
diff --git a/examples/bind/bind-9.14.1.patch b/examples/bind/bind-9.14.1.patch new file mode 100644 index 00000000..3ab7b218 --- /dev/null +++ b/examples/bind/bind-9.14.1.patch @@ -0,0 +1,462 @@ +diff -Nur ORIG.bind-9.14.1/bin/named/fuzz.c bind-9.14.1/bin/named/fuzz.c +--- ORIG.bind-9.14.1/bin/named/fuzz.c 2019-04-06 22:09:59.000000000 +0200 ++++ bind-9.14.1/bin/named/fuzz.c 2019-05-09 16:09:56.131889311 +0200 +@@ -738,7 +738,7 @@ + */ + void + named_fuzz_notify(void) { +-#ifdef ENABLE_AFL ++#if 0 + if (getenv("AFL_CMIN")) { + named_server_flushonshutdown(named_g_server, false); + isc_app_shutdown(); +@@ -758,7 +758,7 @@ + + void + named_fuzz_setup(void) { +-#ifdef ENABLE_AFL ++#if 0 + if (getenv("__AFL_PERSISTENT") || getenv("AFL_CMIN")) { + pthread_t thread; + void *(fn) = NULL; +diff -Nur ORIG.bind-9.14.1/bin/named/main.c bind-9.14.1/bin/named/main.c +--- ORIG.bind-9.14.1/bin/named/main.c 2019-04-06 22:09:59.000000000 +0200 ++++ bind-9.14.1/bin/named/main.c 2019-05-09 16:09:56.131889311 +0200 +@@ -1347,13 +1347,262 @@ + } + #endif /* HAVE_LIBSCF */ + ++#include <named/globals.h> ++ ++#include <arpa/inet.h> ++#include <errno.h> ++#include <fcntl.h> ++#include <net/if.h> ++#include <net/route.h> ++#include <netinet/ip6.h> ++#include <netinet/tcp.h> ++#include <pthread.h> ++#include <sched.h> ++#include <sys/ioctl.h> ++#include <sys/resource.h> ++#include <sys/socket.h> ++#include <sys/stat.h> ++#include <sys/time.h> ++#include <sys/types.h> ++#include <sys/uio.h> ++#include <sys/wait.h> ++#include <unistd.h> ++ ++#include <libhfcommon/util.h> ++#include <libhfuzz/libhfuzz.h> ++ ++static void enter_namespaces(void) { ++ if (linuxEnterNs(CLONE_NEWUSER | CLONE_NEWNET | CLONE_NEWNS | CLONE_NEWIPC) == false) { ++ exit(1); ++ } ++ if (linuxIfaceUp("lo") == false) { ++ exit(1); ++ } ++ if (linuxMountTmpfs("/tmp") == false) { ++ exit(1); ++ } ++} ++ ++static size_t rlen = 0; ++static const uint8_t *rbuf = NULL; ++ ++__attribute__((no_sanitize("memory"))) __attribute__((no_sanitize("address"))) static void * ++bind_thr(void *unused __attribute__((unused))) { ++ while (!named_g_run_done) { ++ usleep(10000); ++ } ++ ++ int myfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); ++ if (myfd == -1) { ++ perror("socket"); ++ exit(1); ++ } ++ int val = 1; ++ if (setsockopt(myfd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) == -1) { ++ perror("setsockopt(SO_REUSEADDR)"); ++ } ++ ++ const struct sockaddr_in saddr = { ++ .sin_family = AF_INET, ++ .sin_port = htons(53), ++ .sin_addr.s_addr = inet_addr("127.0.0.2"), ++ }; ++ if (bind(myfd, &saddr, sizeof(saddr)) == -1) { ++ perror("bind"); ++ exit(1); ++ } ++ ++ if (listen(myfd, SOMAXCONN) == -1) { ++ perror("listen"); ++ exit(1); ++ } ++ ++ for (;;) { ++ struct sockaddr_in cli; ++ socklen_t cli_len = sizeof(cli); ++ ++ int nfd = accept(myfd, &cli, &cli_len); ++ if (nfd == -1) { ++ perror("accept"); ++ exit(1); ++ } ++ ++ static char b[1024 * 1024]; ++ ssize_t sz = recv(nfd, b, sizeof(b), 0); ++ if (sz <= 0) { ++ perror("recv"); ++ _exit(1); ++ } ++ if (sz < 4) { ++ close(nfd); ++ continue; ++ } ++ ++ /* It's a response, so set QR bit to 1 */ ++ uint8_t qr = rbuf[0] | 0x80; ++ ++ uint16_t t_l = htons(rlen + 2); ++ const struct iovec iov[] = { ++ { ++ .iov_base = &t_l, ++ .iov_len = sizeof(t_l), ++ }, ++ { ++ .iov_base = &b[2], ++ .iov_len = 2, ++ }, ++ { ++ .iov_base = &qr, ++ .iov_len = 1, ++ }, ++ { ++ .iov_base = (void *)&rbuf[1], ++ .iov_len = rlen - 1, ++ }, ++ }; ++ ++ if (writev(nfd, iov, 4) == -1) { ++ perror("writev() failed"); ++ } ++ ++ close(nfd); ++ } ++ ++ return NULL; ++} ++ ++static void rndloop(int sock) { ++ const struct sockaddr_in bsaddr = { ++ .sin_family = AF_INET, ++ .sin_port = htons(0), ++ .sin_addr.s_addr = htonl((((uint32_t)util_rnd64()) & 0x00FFFFFF) | 0x7F000000), ++ }; ++ if (bind(sock, (const struct sockaddr *)&bsaddr, sizeof(bsaddr)) == -1) { ++ perror("bind"); ++ } ++} ++ ++__attribute__((no_sanitize("memory"))) __attribute__((no_sanitize("address"))) static void * ++connect_thr(void *unused __attribute__((unused))) { ++ while (!named_g_run_done) { ++ usleep(10000); ++ } ++ usleep(100000); ++ ++ for (;;) { ++ int myfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); ++ if (myfd == -1) { ++ perror("socket"); ++ exit(1); ++ } ++ int val = 1; ++ if (setsockopt(myfd, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) == -1) { ++ perror("setsockopt(SO_REUSEADDR)"); ++ } ++ ++ rndloop(myfd); ++ ++ const struct sockaddr_in saddr = { ++ .sin_family = AF_INET, ++ .sin_port = htons(53), ++ .sin_addr.s_addr = htonl(INADDR_LOOPBACK), ++ }; ++ if (connect(myfd, &saddr, sizeof(saddr)) == -1) { ++ close(myfd); ++ continue; ++ } ++ ++ const uint8_t *buf; ++ size_t len; ++ HF_ITER(&buf, &len); ++ ++ rlen = 0; ++ rbuf = NULL; ++ ++ if (len < 32) { ++ close(myfd); ++ continue; ++ } ++ ++ uint32_t tmplen = *((const uint32_t *)buf); ++ ++ buf = &buf[sizeof(uint32_t)]; ++ len -= sizeof(uint32_t); ++ ++ tmplen %= len; ++ ++ rbuf = &buf[tmplen]; ++ rlen = len - tmplen; ++ len = tmplen; ++ ++ uint16_t t_l = htons(len); ++ const struct iovec iov[] = { ++ { ++ .iov_base = &t_l, ++ .iov_len = sizeof(t_l), ++ }, ++ { ++ .iov_base = (void *)buf, ++ .iov_len = len, ++ }, ++ }; ++ ++ if (writev(myfd, iov, 2) == -1) { ++ perror("write"); ++ close(myfd); ++ continue; ++ } ++ ++ if (shutdown(myfd, SHUT_WR) == -1) { ++ if (errno == ENOTCONN) { ++ close(myfd); ++ continue; ++ } ++ perror("shutdown"); ++ _exit(1); ++ } ++ ++ uint8_t b[1024 * 512]; ++ while (recv(myfd, b, sizeof(b), 0) > 0) ++ ; ++ close(myfd); ++ } ++} ++ ++static void launch_thr(void) { ++ pthread_attr_t attr; ++ pthread_attr_init(&attr); ++ pthread_attr_setstacksize(&attr, 1024 * 1024 * 4); ++ pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); ++ ++ pthread_t t; ++ if (pthread_create(&t, &attr, bind_thr, NULL) < 0) { ++ perror("pthread_create(bind_thr)"); ++ exit(1); ++ } ++ ++ pthread_attr_init(&attr); ++ pthread_attr_setstacksize(&attr, 1024 * 1024 * 4); ++ pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); ++ if (pthread_create(&t, &attr, connect_thr, NULL) < 0) { ++ perror("pthread_create(connect_thr)"); ++ exit(1); ++ } ++} ++ + /* main entry point, possibly hooked */ + +-int +-main(int argc, char *argv[]) { +- isc_result_t result; ++int main(int argc, char *argv[]) { ++ if (!getenv("NO_FUZZ")) { ++ named_g_fuzz_addr = "127.0.0.1:53"; ++ named_g_fuzz_type = isc_fuzz_client; ++ enter_namespaces(); ++ launch_thr(); ++ } ++ ++ isc_result_t result; + #ifdef HAVE_LIBSCF +- char *instance = NULL; ++ char *instance = NULL; + #endif + + #ifdef HAVE_GPERFTOOLS_PROFILER +@@ -1399,17 +1648,17 @@ + + parse_command_line(argc, argv); + +-#ifdef ENABLE_AFL ++#if 0 + if (named_g_fuzz_type != isc_fuzz_none) { + named_fuzz_setup(); + } ++#endif + + if (named_g_fuzz_type == isc_fuzz_resolver) { + dns_resolver_setfuzzing(); + } else if (named_g_fuzz_type == isc_fuzz_http) { + isc_httpd_setfinishhook(named_fuzz_notify); + } +-#endif + /* + * Warn about common configuration error. + */ +diff -Nur ORIG.bind-9.14.1/compile.sh bind-9.14.1/compile.sh +--- ORIG.bind-9.14.1/compile.sh 1970-01-01 01:00:00.000000000 +0100 ++++ bind-9.14.1/compile.sh 2019-05-09 16:10:05.455881725 +0200 +@@ -0,0 +1,20 @@ ++#!/bin/sh ++ ++set -ex ++ ++export CC="$HOME"/src/honggfuzz/hfuzz_cc/hfuzz-clang ++export CXX="$HOME"/src/honggfuzz/hfuzz_cc/hfuzz-clang++ ++export CFLAGS="-fsanitize=address -Wno-shift-negative-value -Wno-logical-not-parentheses -g -ggdb -O0" ++./configure \ ++ --prefix="$HOME"/fuzz/bind/dist/ \ ++ --without-gssapi \ ++ --disable-chroot \ ++ --disable-linux-caps \ ++ --without-libtool \ ++ --enable-epoll \ ++ --enable-fuzzing=afl \ ++ --disable-backtrace \ ++ --with-openssl=yes ++ ++make clean ++make -j$(nproc) +diff -Nur ORIG.bind-9.14.1/configure bind-9.14.1/configure +--- ORIG.bind-9.14.1/configure 2019-04-06 22:09:59.000000000 +0200 ++++ bind-9.14.1/configure 2019-05-09 16:09:56.135889307 +0200 +@@ -11948,33 +11948,6 @@ + ;; + esac + +-if test "$enable_fuzzing" = "afl"; then : +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking \"for AFL enabled compiler\"" >&5 +-$as_echo_n "checking \"for AFL enabled compiler\"... " >&6; } +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +-int +-main () +-{ +-#ifndef __AFL_COMPILER +- #error AFL compiler required +- #endif +- +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +-else +- as_fn_error $? "set CC=afl-<gcc|clang> when --enable-fuzzing=afl is used" "$LINENO" 5 +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +- +-fi +- + # + # Make very sure that these are the first files processed by + # config.status, since we use the processed output as the input for +diff -Nur ORIG.bind-9.14.1/lib/dns/request.c bind-9.14.1/lib/dns/request.c +--- ORIG.bind-9.14.1/lib/dns/request.c 2019-04-06 22:09:59.000000000 +0200 ++++ bind-9.14.1/lib/dns/request.c 2019-05-09 16:09:56.135889307 +0200 +@@ -760,7 +760,7 @@ + goto cleanup; + } + +- if ((options & DNS_REQUESTOPT_TCP) != 0 || r.length > 512) ++ if ((options & DNS_REQUESTOPT_TCP) != 0 || r.length >= 0) + tcp = true; + share = (options & DNS_REQUESTOPT_SHARE); + +@@ -1042,6 +1042,8 @@ + req_render(dns_message_t *message, isc_buffer_t **bufferp, + unsigned int options, isc_mem_t *mctx) + { ++ options |= DNS_REQUESTOPT_TCP; ++ + isc_buffer_t *buf1 = NULL; + isc_buffer_t *buf2 = NULL; + isc_result_t result; +@@ -1100,7 +1102,7 @@ + isc_buffer_usedregion(buf1, &r); + if ((options & DNS_REQUESTOPT_TCP) != 0) { + tcp = true; +- } else if (r.length > 512) { ++ } else if (r.length >= 0) { + result = DNS_R_USETCP; + goto cleanup; + } +diff -Nur ORIG.bind-9.14.1/lib/dns/resolver.c bind-9.14.1/lib/dns/resolver.c +--- ORIG.bind-9.14.1/lib/dns/resolver.c 2019-04-06 22:09:59.000000000 +0200 ++++ bind-9.14.1/lib/dns/resolver.c 2019-05-09 16:09:56.135889307 +0200 +@@ -1952,6 +1952,7 @@ + } + query->mctx = fctx->mctx; + query->options = options; ++ query->options = options | DNS_FETCHOPT_TCP; + query->attributes = 0; + query->sends = 0; + query->connects = 0; +diff -Nur ORIG.bind-9.14.1/lib/isc/random.c bind-9.14.1/lib/isc/random.c +--- ORIG.bind-9.14.1/lib/isc/random.c 2019-04-06 22:09:59.000000000 +0200 ++++ bind-9.14.1/lib/isc/random.c 2019-05-09 16:09:56.135889307 +0200 +@@ -96,6 +96,7 @@ + isc_random8(void) { + RUNTIME_CHECK(isc_once_do(&isc_random_once, + isc_random_initialize) == ISC_R_SUCCESS); ++ return 1; + return (next() & 0xff); + } + +@@ -103,6 +104,7 @@ + isc_random16(void) { + RUNTIME_CHECK(isc_once_do(&isc_random_once, + isc_random_initialize) == ISC_R_SUCCESS); ++ return 1; + return (next() & 0xffff); + } + +@@ -110,6 +112,7 @@ + isc_random32(void) { + RUNTIME_CHECK(isc_once_do(&isc_random_once, + isc_random_initialize) == ISC_R_SUCCESS); ++ return 1; + return (next()); + } + +@@ -124,6 +127,12 @@ + RUNTIME_CHECK(isc_once_do(&isc_random_once, + isc_random_initialize) == ISC_R_SUCCESS); + ++ for (size_t z = 0; z < buflen; z++) { ++ char * b = (char*)buf; ++ b[z] = z + 1; ++ } ++ return; ++ + for (i = 0; i + sizeof(r) <= buflen; i += sizeof(r)) { + r = next(); + memmove((uint8_t *)buf + i, &r, sizeof(r)); +@@ -145,6 +154,8 @@ + return (0); + } + ++ return 1; ++ + #if (ULONG_MAX > 0xffffffffUL) + min = 0x100000000UL % upper_bound; + #else /* if (ULONG_MAX > 0xffffffffUL) */ |