]> git.ipfire.org Git - thirdparty/systemd.git/blob - tools/oss-fuzz.sh
projects / thirdparty / systemd.git / blob
? search:


419805de7a29462fb1571c408dfb1f9f4fb779bf
[thirdparty/systemd.git] / tools / oss-fuzz.sh
1 #!/usr/bin/env bash
2 # SPDX-License-Identifier: LGPL-2.1-or-later
3
4 set -ex
5
6 export LC_CTYPE=C.UTF-8
7
8 export CC=${CC:-clang}
9 export CXX=${CXX:-clang++}
10 clang_version="$($CC --version | sed -nr 's/.*version ([^ ]+?) .*/\1/p' | sed -r 's/-$//')"
11
12 SANITIZER=${SANITIZER:-address -fsanitize-address-use-after-scope}
13 flags="-O1 -fno-omit-frame-pointer -g -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=$SANITIZER"
14
15 clang_lib="/usr/lib64/clang/${clang_version}/lib/linux"
16 [ -d "$clang_lib" ] || clang_lib="/usr/lib/clang/${clang_version}/lib/linux"
17
18 export CFLAGS=${CFLAGS:-$flags}
19 export CXXFLAGS=${CXXFLAGS:-$flags}
20 export LDFLAGS=${LDFLAGS:--L${clang_lib}}
21
22 export WORK=${WORK:-$(pwd)}
23 export OUT=${OUT:-$(pwd)/out}
24 mkdir -p "$OUT"
25
26 build="$WORK/build"
27 rm -rf "$build"
28 mkdir -p "$build"
29
30 if [ -z "$FUZZING_ENGINE" ]; then
31 fuzzflag="llvm-fuzz=true"
32 else
33 fuzzflag="oss-fuzz=true"
34
35 apt-get update
36 apt-get install -y gperf m4 gettext python3-pip \
37 libcap-dev libmount-dev \
38 pkg-config wget python3-jinja2 zipmerge zstd
39
40 if [[ "$ARCHITECTURE" == i386 ]]; then
41 apt-get install -y pkg-config:i386 libcap-dev:i386 libmount-dev:i386
42 fi
43
44 pip3 install -r .github/workflows/requirements.txt --require-hashes
45
46 # https://github.com/google/oss-fuzz/issues/6868
47 ORIG_PYTHONPATH=$(python3 -c 'import sys;print(":".join(sys.path[1:]))')
48 export PYTHONPATH="$ORIG_PYTHONPATH:/usr/lib/python3/dist-packages/"
49
50 if [[ "$SANITIZER" == undefined ]]; then
51 additional_ubsan_checks=pointer-overflow,alignment
52 UBSAN_FLAGS="-fsanitize=$additional_ubsan_checks -fno-sanitize-recover=$additional_ubsan_checks"
53 CFLAGS="$CFLAGS $UBSAN_FLAGS"
54 CXXFLAGS="$CXXFLAGS $UBSAN_FLAGS"
55 fi
56
57 if [[ "$SANITIZER" == introspector ]]; then
58 # fuzz-introspector passes -fuse-ld=gold and -flto using CFLAGS/LDFLAGS and due to
59 # https://github.com/mesonbuild/meson/issues/6377#issuecomment-575977919 and
60 # https://github.com/mesonbuild/meson/issues/6377 it doesn't mix well with meson.
61 # It's possible to build systemd with duct tape there using something like
62 # https://github.com/google/oss-fuzz/pull/7583#issuecomment-1104011067 but
63 # apparently even with gold and lto some parts of systemd are missing from
64 # reports (presumably due to https://github.com/google/oss-fuzz/issues/7598).
65 # Let's just fail here for now to make it clear that fuzz-introspector isn't supported.
66 exit 1
67 fi
68 fi
69
70 if ! meson setup "$build" "-D$fuzzflag" -Db_lundef=false; then
71 cat "$build/meson-logs/meson-log.txt"
72 exit 1
73 fi
74
75 ninja -v -C "$build" fuzzers
76
77 # Compressed BCD files are kept in test/test-bcd so let's unpack them
78 # and put them all in the seed corpus.
79 bcd=$(mktemp -d)
80 for i in test/test-bcd/*.zst; do
81 unzstd "$i" -o "$bcd/$(basename "${i%.zst}")";
82 done
83 zip -jqr "$OUT/fuzz-bcd_seed_corpus.zip" "$bcd"
84 rm -rf "$bcd"
85
86 hosts=$(mktemp)
87 wget -O "$hosts" https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
88 zip -jq "$OUT/fuzz-etc-hosts_seed_corpus.zip" "$hosts"
89 rm -rf "$hosts"
90
91 # The seed corpus is a separate flat archive for each fuzzer,
92 # with a fixed name ${fuzzer}_seed_corpus.zip.
93 for d in test/fuzz/fuzz-*; do
94 fuzzer="$(basename "$d")"
95 # Include the build-generated corpora if any as well
96 readarray -t generated < <(find "$build/test/fuzz" -maxdepth 1 -name "${fuzzer}*" -type f)
97 zip -jqr "$OUT/${fuzzer}_seed_corpus.zip" "$d" "${generated[@]}"
98 done
99
100 # get fuzz-dns-packet corpus
101 df="$build/dns-fuzzing"
102 git clone --depth 1 https://github.com/CZ-NIC/dns-fuzzing "$df"
103 zip -jqr "$OUT/fuzz-dns-packet_seed_corpus.zip" "$df/packet"
104
105 install -Dt "$OUT/src/shared/" \
106 "$build"/src/shared/libsystemd-shared-*.so \
107 "$build"/src/core/libsystemd-core-*.so
108
109 # Most i386 libraries have to be brought to the runtime environment somehow. Ideally they
110 # should be linked statically but since it isn't possible another way to keep them close
111 # to the fuzz targets is used here. The dependencies are copied to "$OUT/src/shared" and
112 # then 'rpath' is tweaked to make it possible for the linker to find them there. "$OUT/src/shared"
113 # is chosen because the runtime search path of all the fuzz targets already points to it
114 # to load "libsystemd-shared" and "libsystemd-core". Stuff like that should be avoided on
115 # x86_64 because it tends to break coverage reports, fuzz-introspector, CIFuzz and so on.
116 if [[ "$ARCHITECTURE" == i386 ]]; then
117 for lib_path in $(ldd "$OUT"/src/shared/libsystemd-shared-*.so | awk '/=> \/lib/ { print $3 }'); do
118 lib_name=$(basename "$lib_path")
119 cp "$lib_path" "$OUT/src/shared"
120 patchelf --set-rpath \$ORIGIN "$OUT/src/shared/$lib_name"
121 done
122 patchelf --set-rpath \$ORIGIN "$OUT"/src/shared/libsystemd-shared-*.so
123 fi
124
125 wget -O "$OUT/fuzz-json.dict" https://raw.githubusercontent.com/rc0r/afl-fuzz/master/dictionaries/json.dict
126
127 find "$build" -maxdepth 1 -type f -executable -name "fuzz-*" -exec mv {} "$OUT" \;
128 find src -type f -name "fuzz-*.dict" -exec cp {} "$OUT" \;
129 cp src/fuzz/*.options "$OUT"
130
131 if [[ "$MERGE_WITH_OSS_FUZZ_CORPORA" == "yes" ]]; then
132 for f in "$OUT/"fuzz-*; do
133 [[ -x "$f" ]] || continue
134 fuzzer=$(basename "$f")
135 t=$(mktemp)
136 if wget -O "$t" "https://storage.googleapis.com/systemd-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/systemd_${fuzzer}/public.zip"; then
137 zipmerge "$OUT/${fuzzer}_seed_corpus.zip" "$t"
138 fi
139 rm -rf "$t"
140 done
141 fi
Unnamed repository; edit this file 'description' to name the repository.