fuzz: add fuzzer for config parsing
authorBrian C Tracy <brian.tracy33@gmail.com>
Fri, 15 Mar 2024 05:47:31 +0000 (05:47 +0000)
committerJunio C Hamano <gitster@pobox.com>
Fri, 15 Mar 2024 17:47:05 +0000 (10:47 -0700)
Add a new fuzz target that exercises the parsing of git configs.
The existing git_config_from_mem function is a perfect entry point
for fuzzing as it exercises the same code paths as the rest of the
config parsing functions and offers an easily fuzzable interface.

Config parsing is a useful thing to fuzz because it operates on
user-controlled data and is a central component of many git operations.

Signed-off-by: Brian C Tracy <brian.tracy33@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Makefile
ci/run-build-and-minimal-fuzzers.sh
oss-fuzz/.gitignore
oss-fuzz/fuzz-config.c [new file with mode: 0644]

index 4e255c81f22386389c7460d8f5e59426673b5a5a..af32028b18f7f144fe005940d927f7da527fe843 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -757,6 +757,7 @@ ETAGS_TARGET = TAGS
 # runs in the future.
 FUZZ_OBJS += oss-fuzz/dummy-cmd-main.o
 FUZZ_OBJS += oss-fuzz/fuzz-commit-graph.o
+FUZZ_OBJS += oss-fuzz/fuzz-config.o
 FUZZ_OBJS += oss-fuzz/fuzz-date.o
 FUZZ_OBJS += oss-fuzz/fuzz-pack-headers.o
 FUZZ_OBJS += oss-fuzz/fuzz-pack-idx.o
index 8ba486f6598880f0aeb69c1a36f410d08de8892d..a51076d18df1785c82ec71f8dd2a071056b9d6f4 100755 (executable)
@@ -12,7 +12,7 @@ group "Build fuzzers" make \
        LIB_FUZZING_ENGINE="-fsanitize=fuzzer,address" \
        fuzz-all
 
-for fuzzer in commit-graph date pack-headers pack-idx ; do
+for fuzzer in commit-graph config date pack-headers pack-idx ; do
        begin_group "fuzz-$fuzzer"
        ./oss-fuzz/fuzz-$fuzzer -verbosity=0 -runs=1 || exit 1
        end_group "fuzz-$fuzzer"
index 5b954088254b21a6cbc90b41d0dac415a552d6b7..a877c11f42b2d25550457b55c2c021985adacd1f 100644 (file)
@@ -1,4 +1,5 @@
 fuzz-commit-graph
+fuzz-config
 fuzz-date
 fuzz-pack-headers
 fuzz-pack-idx
diff --git a/oss-fuzz/fuzz-config.c b/oss-fuzz/fuzz-config.c
new file mode 100644 (file)
index 0000000..94027f5
--- /dev/null
@@ -0,0 +1,33 @@
+#include "git-compat-util.h"
+#include "config.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *, size_t);
+static int config_parser_callback(const char *, const char *,
+                                       const struct config_context *, void *);
+
+static int config_parser_callback(const char *key, const char *value,
+                                       const struct config_context *ctx UNUSED,
+                                       void *data UNUSED)
+{
+       /*
+        * Visit every byte of memory we are given to make sure the parser
+        * gave it to us appropriately. We need to unconditionally return 0,
+        * but we also want to prevent the strlen from being optimized away.
+        */
+       size_t c = strlen(key);
+
+       if (value)
+               c += strlen(value);
+       return c == SIZE_MAX;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, const size_t size)
+{
+       struct config_options config_opts = { 0 };
+
+       config_opts.error_action = CONFIG_ERROR_SILENT;
+       git_config_from_mem(config_parser_callback, CONFIG_ORIGIN_BLOB,
+                               "fuzztest-config", (const char *)data, size, NULL,
+                               CONFIG_SCOPE_UNKNOWN, &config_opts);
+       return 0;
+}
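Review bot: The reason for `CONFIG_ERROR_SILENT` on the `config_opts.error_action` line is not recorded; presumably the default action would die() on a malformed line, which libFuzzer would count as a crash rather than a parse error, so a comment such as `/* Malformed input must come back as an error return, not die(), or every bad byte sequence is reported as a crash. */` would keep a future cleanup from "simplifying" it away. The callback only walks `key` and `value`; `ctx` is marked UNUSED, so whatever the parser stores in the config_context is never read and ASan cannot flag it if it is mis-populated — worth either visiting it too or noting in the callback comment that this is deliberate. As a point of style, the static prototype for `config_parser_callback` on the two lines above its definition is redundant since the definition immediately follows; only the `LLVMFuzzerTestOneInput` prototype is needed to satisfy -Wmissing-prototypes, unless the other harnesses in oss-fuzz/ follow the same pattern. A one-line file header stating that this harness feeds raw bytes to git_config_from_mem and relies on the sanitizer, not the return value, to detect faults would also help readers.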