Mayhem support

.github/workflows/s2_fuzzer-mayhem.yml

@@ -0,0 +1,55 @@
+name: Mayhem
+on:
+ push:
+ pull_request:
+ workflow_dispatch:
+ workflow_call:
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+jobs:
+ build:
+ name: ${{ matrix.os }} shared=${{ matrix.shared }} ${{ matrix.build_type }}
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ os: [ubuntu-latest]
+ shared: [false]
+ build_type: [Release]
+ include:
+ - os: ubuntu-latest
+ triplet: x64-linux
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: recursive
+ - name: Log in to the Container registry
+ uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ - name: Build and push Docker image
+ uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+ with:
+ context: .
+ file: mayhem/Dockerfile
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ - name: Start analysis
+ uses: forallsecure/mcode-action@v1
+ with:
+ mayhem-token: ${{ secrets.MAYHEM_TOKEN }}
+ args: --image ${{ steps.meta.outputs.tags }} --cmd /out/s2_fuzzer --target
+ s2_fuzzer --file mayhem/s2_fuzzer.mayhemfile
+ sarif-output: sarif
+ - name: Upload SARIF file(s)
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: sarif

mayhem/Dockerfile

@@ -0,0 +1,32 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+RUN apt-get update && apt-get -y install libgflags-dev libgoogle-glog-dev libgtest-dev libssl-dev make curl pkg-config
+
+# OpenSSL
+ARG OPENSSL_VERSION=1.1.1g
+ARG OPENSSL_HASH=ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46
+RUN set -ex && curl -s -O https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz && echo "${OPENSSL_HASH} openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c && tar -xzf openssl-${OPENSSL_VERSION}.tar.gz && cd openssl-${OPENSSL_VERSION} && ./Configure linux-x86_64 no-shared --static "$CFLAGS" && make build_generated && make libcrypto.a && make install
+
+COPY . s2geometry
+RUN rm -rf s2geometry/mayhem
+WORKDIR $SRC/s2geometry
+COPY mayhem/build.sh mayhem/s2_fuzzer.cc $SRC/
+COPY mayhem/project.patch $SRC/
+
+ENV FUZZING_LANGUAGE=c++ SANITIZER=address
+RUN compile

mayhem/build.sh

@@ -0,0 +1,33 @@
+#!/bin/bash -eu
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cp $SRC/s2_fuzzer.cc $SRC/s2geometry/src/
+
+cd $SRC/
+git clone --depth=1 https://github.com/abseil/abseil-cpp
+cd abseil-cpp
+mkdir build && cd build
+cmake -DCMAKE_POSITION_INDEPENDENT_CODE=ON ../ && make && make install
+
+cd $SRC/s2geometry
+git apply --ignore-space-change --ignore-whitespace $SRC/project.patch
+mkdir build && cd build
+
+cmake -DBUILD_SHARED_LIBS=OFF \
+ -DABSL_MIN_LOG_LEVEL=4 ..
+make -j$(nproc)
+find . -name "s2fuzzer" -exec cp {} $OUT/s2_fuzzer \;

mayhem/project.patch

@@ -0,0 +1,27 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 2d2b233..6b52d22 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -418,6 +418,22 @@ install(TARGETS s2 s2testing
+ ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}"
+ LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}")
+
++add_executable(s2fuzzer src/s2_fuzzer.cc)
++set_target_properties(s2fuzzer PROPERTIES LINK_FLAGS $ENV{LIB_FUZZING_ENGINE})
++target_link_libraries(
++ s2fuzzer
++ s2
++ absl::base
++ absl::btree
++ absl::core_headers
++ absl::flags_reflection
++ absl::memory
++ absl::span
++ absl::str_format
++ absl::strings
++ absl::utility
++ absl::synchronization)
++
+ message("GTEST_ROOT: ${GTEST_ROOT}")
+ if (GTEST_ROOT)
+ add_subdirectory(${GTEST_ROOT} build_gtest)

mayhem/s2_fuzzer.cc

@@ -0,0 +1,100 @@
+/*
+# Copyright 2020 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http:https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+*/
+
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "s2/s2shapeutil_range_iterator.h"
+#include "absl/strings/str_split.h"
+#include "absl/strings/string_view.h"
+
+#include "s2/mutable_s2shape_index.h"
+#include "s2/s2text_format.h"
+
+// A string-splitter used to help validate the string
+// passed to s2
+static std::vector<absl::string_view> SplitString(absl::string_view str,
+ char separator) {
+ std::vector<absl::string_view> result =
+ absl::StrSplit(str, separator, absl::SkipWhitespace());
+ for (auto &e : result) {
+ e = absl::StripAsciiWhitespace(e);
+ }
+ return result;
+}
+
+// Null-terminates the fuzzers input test case
+char *null_terminated(const uint8_t *data, size_t size) {
+ char *new_str = (char *)malloc(size + 1);
+ if (new_str == NULL) {
+ return 0;
+ }
+ memcpy(new_str, data, size);
+ new_str[size] = '\0';
+ return new_str;
+}
+
+// Do a bit of validation that is also done by s2
+// We do them here since s2 would terminate if they
+// would return false inside s2.
+bool isValidFormat(char *nt_string, size_t size) {
+ int hash_count = 0;
+ for (int i = 0; i < size; i++) {
+ if (nt_string[i] == 35) {
+ hash_count++;
+ }
+ }
+ if (hash_count != 2) {
+ return false;
+ }
+
+ std::vector<absl::string_view> strs = SplitString(nt_string, '#');
+ size_t strs_size = strs.size();
+ if (strs.size() != 3) {
+ return false;
+ }
+
+ auto index1 = absl::make_unique<MutableS2ShapeIndex>();
+ if (s2textformat::MakeIndex(nt_string, &index1) == false) {
+ return false;
+ }
+ return true;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+
+ if (size < 5) {
+ return 0;
+ }
+
+ char *nt_string = null_terminated(data, size);
+ if (nt_string == NULL) {
+ return 0;
+ }
+ if (isValidFormat(nt_string, size)) {
+ auto index = absl::make_unique<MutableS2ShapeIndex>();
+ s2textformat::MakeIndex(nt_string, &index);
+ s2shapeutil::RangeIterator it(*index);
+ if (!it.done()) {
+ it.Next();
+ }
+ }
+ free(nt_string);
+ return 0;
+}

mayhem/s2_fuzzer.mayhemfile

@@ -0,0 +1,4 @@
+project: PROJECT
+target: s2_fuzzer
+cmds:
+- cmd: /out/s2_fuzzer