authorFabian Meumertzheim <fabian@meumertzhe.im>2022-08-15 16:37:51 +0200
committerFabian Meumertzheim <fabian@meumertzhe.im>2022-08-19 14:28:35 +0200
commitde57b39db8ed362fe2e93100de74597b453eeb02 (patch)
tree637b94ba867f1dc4aa2e326c15b44327f6a649d4
parent16b8e6bc5ac3b47e930c0d37b3ec7461ae21ee1e (diff)
downloadjazzer-api-de57b39db8ed362fe2e93100de74597b453eeb02.tar.gz
tests: Verify that value profiling works in native libraries
-rw-r--r--tests/BUILD.bazel19
-rw-r--r--tests/src/test/java/com/example/NativeValueProfileFuzzer.java38
-rw-r--r--tests/src/test/native/com/example/BUILD.bazel15
-rw-r--r--tests/src/test/native/com/example/native_value_profile_fuzzer.cpp35
4 files changed, 107 insertions, 0 deletions
diff --git a/tests/BUILD.bazel b/tests/BUILD.bazel
index c32d0b6a..cc0814e9 100644
--- a/tests/BUILD.bazel
+++ b/tests/BUILD.bazel
@@ -1,3 +1,4 @@
+load("@fmeum_rules_jni//jni:defs.bzl", "java_jni_library")
load("//bazel:compat.bzl", "SKIP_ON_MACOS", "SKIP_ON_WINDOWS")
load("//bazel:fuzz_target.bzl", "java_fuzz_target_test")
@@ -237,3 +238,21 @@ java_fuzz_target_test(
],
target_class = "com.example.NoSeedFuzzer",
)
+
+java_jni_library(
+ name = "native_value_profile_fuzzer",
+ srcs = ["src/test/java/com/example/NativeValueProfileFuzzer.java"],
+ native_libs = ["//tests/src/test/native/com/example:native_value_profile_fuzzer"],
+ visibility = ["//tests/src/test/native/com/example:__pkg__"],
+ deps = ["//agent:jazzer_api_compile_only"],
+)
+
+java_fuzz_target_test(
+ name = "NativeValueProfileFuzzer",
+ expected_findings = ["com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow"],
+ fuzzer_args = ["-use_value_profile=1"],
+ sanitizer = "address",
+ target_class = "com.example.NativeValueProfileFuzzer",
+ verify_crash_reproducer = False,
+ runtime_deps = [":native_value_profile_fuzzer"],
+)
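Review bot: `verify_crash_reproducer = False` on the new `NativeValueProfileFuzzer` target is the one setting that departs from the other fuzz target tests in this file without a stated reason, so a reader cannot tell whether it is a known limitation or a temporary workaround. Presumably the generated reproducer cannot load the JNI library on its own, but that is an inference from this hunk alone; the actual cause should be recorded next to the line, e.g. `# Reproducers do not load the native library, so they cannot re-trigger the finding.` once confirmed. A one-line comment above `java_jni_library` saying that the target is exported to the native package only so that the `cc_jni_library` there can consume its generated `.hdrs` would likewise explain the otherwise surprising `visibility`.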
diff --git a/tests/src/test/java/com/example/NativeValueProfileFuzzer.java b/tests/src/test/java/com/example/NativeValueProfileFuzzer.java
new file mode 100644
index 00000000..1085a953
--- /dev/null
+++ b/tests/src/test/java/com/example/NativeValueProfileFuzzer.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2022 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.example;
+
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow;
+import com.github.fmeum.rules_jni.RulesJni;
+
+public class NativeValueProfileFuzzer {
+ public static void fuzzerInitialize() {
+ RulesJni.loadLibrary("native_value_profile_fuzzer", NativeValueProfileFuzzer.class);
+ }
+
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ long[] blocks = data.consumeLongs(2);
+ if (blocks.length != 2)
+ return;
+ if (checkAccess(blocks[0], blocks[1])) {
+ throw new FuzzerSecurityIssueLow("Security breached");
+ }
+ }
+
+ private static native boolean checkAccess(long block1, long block2);
+}
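Review bot: The class has no documentation of what it verifies, so a reader has to open the native source to understand why two arbitrary longs are handed to `checkAccess`. A class Javadoc such as `/** Checks that value profiling (-use_value_profile=1) reaches native code: the fuzzer has to recover the two 64-bit constants compared in native_value_profile_fuzzer.cpp to trigger the FuzzerSecurityIssueLow. */` would make the intent self-contained. As a point of style, `if (blocks.length != 2) return;` is the only unbraced conditional in the file; brace it like the check right below it, `if (blocks.length != 2) { return; }`.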
diff --git a/tests/src/test/native/com/example/BUILD.bazel b/tests/src/test/native/com/example/BUILD.bazel
new file mode 100644
index 00000000..cce29a07
--- /dev/null
+++ b/tests/src/test/native/com/example/BUILD.bazel
@@ -0,0 +1,15 @@
+load("@fmeum_rules_jni//jni:defs.bzl", "cc_jni_library")
+
+cc_jni_library(
+ name = "native_value_profile_fuzzer",
+ srcs = ["native_value_profile_fuzzer.cpp"],
+ copts = [
+ "-fsanitize=fuzzer-no-link",
+ ],
+ linkopts = select({
+ "//:clang_on_linux": ["-fuse-ld=lld"],
+ "//conditions:default": [],
+ }),
+ visibility = ["//tests:__pkg__"],
+ deps = ["//tests:native_value_profile_fuzzer.hdrs"],
+)
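Review bot: The `-fsanitize=fuzzer-no-link` copt is what gives the native library the comparison instrumentation this test depends on, yet nothing in the target says so, and it is applied unconditionally while the `-fuse-ld=lld` linkopt right below is guarded by `//:clang_on_linux`. A comment above `copts` such as `# Instrument comparisons so libFuzzer's value profile sees the constants in checkAccess.` would record the dependency. Whether the copt needs the same `select` for non-clang toolchains cannot be told from this hunk; worth confirming against the repository's other native targets.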
diff --git a/tests/src/test/native/com/example/native_value_profile_fuzzer.cpp b/tests/src/test/native/com/example/native_value_profile_fuzzer.cpp
new file mode 100644
index 00000000..2edcc269
--- /dev/null
+++ b/tests/src/test/native/com/example/native_value_profile_fuzzer.cpp
@@ -0,0 +1,35 @@
+// Copyright 2022 Code Intelligence GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <cstdint>
+#include <cstring>
+
+#include "com_example_NativeValueProfileFuzzer.h"
+
+// Prevent the compiler from inlining the secret all the way into checkAccess,
+// which would make it trivial for the fuzzer to pass the checks.
+volatile uint64_t secret = 0xefe4eb93215cb6b0L;
+
+static uint64_t insecureEncrypt(uint64_t input) { return input ^ secret; }
+
+jboolean Java_com_example_NativeValueProfileFuzzer_checkAccess(JNIEnv *, jclass,
+ jlong block1,
+ jlong block2) {
+ if (insecureEncrypt(block1) == 0x9fc48ee64d3dc090L) {
+ if (insecureEncrypt(block2) == 0x888a82ff483ad9c2L) {
+ return true;
+ }
+ }
+ return false;
+}
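Review bot: `#include <cstring>` in the new file is unused — nothing in the translation unit calls a `<cstring>` function — and `secret` is defined with external linkage, so the shared library exports a symbol even though the comment above it only wants to stop the compiler from inlining the value, which `static` does not undo. `static volatile uint64_t secret = UINT64_C(0xefe4eb93215cb6b0);` keeps that intent while making the literal's width explicit (the `L` suffix is narrower than the value on LLP64 targets and only the literal-promotion rules widen it); the two constants compared in `checkAccess` would benefit from the same `UINT64_C` spelling. The `return true;` / `return false;` for a `jboolean` result are conventionally written `return JNI_TRUE;` / `return JNI_FALSE;`, which also avoids the implicit bool-to-unsigned-char conversion.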