feat(fuzz): Adds net class fuzzer

Author: nathaniel-brough

.github/workflows/build_fuzzers.yml

@@ -19,6 +19,7 @@ jobs:
         fuzz_harness:
         - "device/cdc"
         - "device/msc"
+        - "device/net"
 
     steps:
     - name: Setup Python
@@ -28,6 +29,9 @@ jobs:
       uses: actions/checkout@v3
 
     - name: Fetch deps
-      run: sudo apt update && sudo apt install libc++abi-dev libc++-dev
+      run: | 
+       sudo apt update && sudo apt install libc++abi-dev libc++-dev
+       make CC=clang CXX=clang++ -C fuzz/${{ matrix.fuzz_harness }} get-deps
+
     - name: Build Fuzzer
       run: make CC=clang CXX=clang++ -C fuzz/${{ matrix.fuzz_harness }}

fuzz/dcd_fuzz.cc

@@ -172,7 +172,13 @@ bool dcd_edpt_xfer(uint8_t rhport, uint8_t ep_addr, uint8_t *buffer,
     std::copy(temp.begin(), temp.end(), buffer);
   }
   // Ignore output data as it's not useful for fuzzing without a more
-  // complex fuzzed backend.
+  // complex fuzzed backend. But we need to make sure it's not
+  // optimised out.
+  volatile uint8_t *dont_optimise0 = buffer;
+  volatile uint16_t dont_optimise1 = total_bytes;
+  UNUSED(dont_optimise0);
+  UNUSED(dont_optimise1);
+
 
   return _fuzz_data_provider->ConsumeBool();
 }

fuzz/device/cdc/src/fuzz.cc

@@ -142,33 +142,33 @@ void cdc_task(FuzzedDataProvider *provider) {
 
     // TODO: Fuzz interface number
     (void)tud_cdc_n_write(0, buffer.data(), buffer.size());
-    break;
-  }
-  case kCdcNWriteChar:
-    // TODO: Fuzz interface number
-    (void)tud_cdc_n_write_char(0, provider->ConsumeIntegral<char>());
-    break;
-  case kCdcNWriteStr: {
-    std::string str = provider->ConsumeRandomLengthString(kMaxBufferSize);
-    // TODO: Fuzz interface number
-    (void)tud_cdc_n_write_str(0, str.c_str());
-    break;
-  }
-  case kCdcNWriteFlush:
-    // TODO: Fuzz interface number
-    (void)tud_cdc_n_write_flush(0);
-    break;
-  case kCdcNWriteAvailable:
-    // TODO: Fuzz interface number
-    (void)tud_cdc_n_write_available(0);
-    break;
-  case kCdcNWriteClear:
-    // TODO: Fuzz interface number
-    (void)tud_cdc_n_write_clear(0);
-    break;
-  case kMaxValue:
-    // Noop.
-    break;
-  }
+  } break;
+  
+case kCdcNWriteChar:
+  // TODO: Fuzz interface number
+  (void)tud_cdc_n_write_char(0, provider->ConsumeIntegral<char>());
+  break;
+case kCdcNWriteStr: {
+  std::string str = provider->ConsumeRandomLengthString(kMaxBufferSize);
+  // TODO: Fuzz interface number
+  (void)tud_cdc_n_write_str(0, str.c_str());
+  break;
+}
+case kCdcNWriteFlush:
+  // TODO: Fuzz interface number
+  (void)tud_cdc_n_write_flush(0);
+  break;
+case kCdcNWriteAvailable:
+  // TODO: Fuzz interface number
+  (void)tud_cdc_n_write_available(0);
+  break;
+case kCdcNWriteClear:
+  // TODO: Fuzz interface number
+  (void)tud_cdc_n_write_clear(0);
+  break;
+case kMaxValue:
+  // Noop.
+  break;
+}
 }
 }

fuzz/device/net/CMakeLists.txt

@@ -0,0 +1,29 @@
+cmake_minimum_required(VERSION 3.5)
+
+include(${CMAKE_CURRENT_SOURCE_DIR}/../../../hw/bsp/family_support.cmake)
+
+# gets PROJECT name for the example (e.g. <BOARD>-<DIR_NAME>)
+family_get_project_name(PROJECT ${CMAKE_CURRENT_LIST_DIR})
+
+project(${PROJECT})
+
+# Checks this example is valid for the family and initializes the project
+family_initialize_project(${PROJECT} ${CMAKE_CURRENT_LIST_DIR})
+
+add_executable(${PROJECT})
+
+# Example source
+target_sources(${PROJECT} PUBLIC
+        ${CMAKE_CURRENT_SOURCE_DIR}/src/main.c
+        ${CMAKE_CURRENT_SOURCE_DIR}/src/msc_disk.c
+        ${CMAKE_CURRENT_SOURCE_DIR}/src/usb_descriptors.c
+        )
+
+# Example include
+target_include_directories(${PROJECT} PUBLIC
+        ${CMAKE_CURRENT_SOURCE_DIR}/src
+        )
+
+# Configure compilation flags and libraries for the example... see the corresponding function
+# in hw/bsp/FAMILY/family.cmake for details.
+family_configure_device_example(${PROJECT})

fuzz/device/net/Makefile

@@ -0,0 +1,71 @@
+DEPS_SUBMODULES += lib/lwip
+
+include ../../../tools/top.mk
+include ../../make.mk
+
+# suppress warning caused by lwip
+CFLAGS += \
+  -Wno-error=null-dereference \
+  -Wno-error=unused-parameter \
+  -Wno-error=unused-variable
+
+INC += \
+  src \
+  $(TOP)/hw \
+  $(TOP)/lib/lwip/src/include \
+  $(TOP)/lib/lwip/src/include/ipv4 \
+  $(TOP)/lib/lwip/src/include/lwip/apps \
+  $(TOP)/lib/networking
+
+# Example source
+SRC_C += $(addprefix $(CURRENT_PATH)/, $(wildcard src/*.c))
+SRC_CXX += $(addprefix $(CURRENT_PATH)/, $(wildcard src/*.cc))
+
+# lwip sources
+SRC_C += \
+  lib/lwip/src/core/altcp.c \
+  lib/lwip/src/core/altcp_alloc.c \
+  lib/lwip/src/core/altcp_tcp.c \
+  lib/lwip/src/core/def.c \
+  lib/lwip/src/core/dns.c \
+  lib/lwip/src/core/inet_chksum.c \
+  lib/lwip/src/core/init.c \
+  lib/lwip/src/core/ip.c \
+  lib/lwip/src/core/mem.c \
+  lib/lwip/src/core/memp.c \
+  lib/lwip/src/core/netif.c \
+  lib/lwip/src/core/pbuf.c \
+  lib/lwip/src/core/raw.c \
+  lib/lwip/src/core/stats.c \
+  lib/lwip/src/core/sys.c \
+  lib/lwip/src/core/tcp.c \
+  lib/lwip/src/core/tcp_in.c \
+  lib/lwip/src/core/tcp_out.c \
+  lib/lwip/src/core/timeouts.c \
+  lib/lwip/src/core/udp.c \
+  lib/lwip/src/core/ipv4/autoip.c \
+  lib/lwip/src/core/ipv4/dhcp.c \
+  lib/lwip/src/core/ipv4/etharp.c \
+  lib/lwip/src/core/ipv4/icmp.c \
+  lib/lwip/src/core/ipv4/igmp.c \
+  lib/lwip/src/core/ipv4/ip4.c \
+  lib/lwip/src/core/ipv4/ip4_addr.c \
+  lib/lwip/src/core/ipv4/ip4_frag.c \
+  lib/lwip/src/core/ipv6/dhcp6.c \
+  lib/lwip/src/core/ipv6/ethip6.c \
+  lib/lwip/src/core/ipv6/icmp6.c \
+  lib/lwip/src/core/ipv6/inet6.c \
+  lib/lwip/src/core/ipv6/ip6.c \
+  lib/lwip/src/core/ipv6/ip6_addr.c \
+  lib/lwip/src/core/ipv6/ip6_frag.c \
+  lib/lwip/src/core/ipv6/mld6.c \
+  lib/lwip/src/core/ipv6/nd6.c \
+  lib/lwip/src/netif/ethernet.c \
+  lib/lwip/src/netif/slipif.c \
+  lib/lwip/src/apps/http/httpd.c \
+  lib/lwip/src/apps/http/fs.c \
+  lib/networking/dhserver.c \
+  lib/networking/dnserver.c \
+  lib/networking/rndis_reports.c
+
+include ../../rules.mk

fuzz/device/net/skip.txt

@@ -0,0 +1 @@
+mcu:SAMD11

fuzz/device/net/src/arch/cc.h

@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2001-2003 Swedish Institute of Computer Science.
+ * All rights reserved. 
+ * 
+ * Redistribution and use in source and binary forms, with or without modification, 
+ * are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ *    this list of conditions and the following disclaimer in the documentation
+ *    and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ *    derived from this software without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED 
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT 
+ * SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT 
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY 
+ * OF SUCH DAMAGE.
+ *
+ * This file is part of the lwIP TCP/IP stack.
+ * 
+ * Author: Adam Dunkels <[email protected]>
+ *
+ */
+#ifndef __CC_H__
+#define __CC_H__
+
+//#include "cpu.h"
+
+typedef int sys_prot_t;
+
+
+
+/* define compiler specific symbols */
+#if defined (__ICCARM__)
+
+#define PACK_STRUCT_BEGIN
+#define PACK_STRUCT_STRUCT 
+#define PACK_STRUCT_END
+#define PACK_STRUCT_FIELD(x) x
+#define PACK_STRUCT_USE_INCLUDES
+
+#elif defined (__CC_ARM)
+
+#define PACK_STRUCT_BEGIN __packed
+#define PACK_STRUCT_STRUCT 
+#define PACK_STRUCT_END
+#define PACK_STRUCT_FIELD(x) x
+
+#elif defined (__GNUC__)
+
+#define PACK_STRUCT_BEGIN
+#define PACK_STRUCT_STRUCT __attribute__ ((__packed__))
+#define PACK_STRUCT_END
+#define PACK_STRUCT_FIELD(x) x
+
+#elif defined (__TASKING__)
+
+#define PACK_STRUCT_BEGIN
+#define PACK_STRUCT_STRUCT
+#define PACK_STRUCT_END
+#define PACK_STRUCT_FIELD(x) x
+
+#endif
+
+#define LWIP_PLATFORM_ASSERT(x) do { if(!(x)) while(1); } while(0)
+
+#endif /* __CC_H__ */

fuzz/device/net/src/fuzz.cc

@@ -0,0 +1,99 @@
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2022 Nathaniel Brough
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ *
+ */
+
+#include <cassert>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "class/cdc/cdc_device.h"
+#include "class/net/net_device.h"
+#include "fuzz/fuzz.h"
+#include "tusb.h"
+#include <cstdint>
+#include <string>
+#include <vector>
+
+extern "C" {
+
+#define FUZZ_ITERATIONS 500
+
+//--------------------------------------------------------------------+
+// MACRO CONSTANT TYPEDEF PROTYPES
+//--------------------------------------------------------------------+
+
+void net_task(FuzzedDataProvider *provider);
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  FuzzedDataProvider provider(Data, Size);
+  std::vector<uint8_t> callback_data = provider.ConsumeBytes<uint8_t>(
+      provider.ConsumeIntegralInRange<size_t>(0, Size));
+  fuzz_init(callback_data.data(), callback_data.size());
+  // init device stack on configured roothub port
+  tud_init(BOARD_TUD_RHPORT);
+
+  for (int i = 0; i < FUZZ_ITERATIONS; i++) {
+    if (provider.remaining_bytes() == 0) {
+      return 0;
+    }
+    tud_int_handler(provider.ConsumeIntegral<uint8_t>());
+    tud_task(); // tinyusb device task
+    net_task(&provider);
+  }
+
+  return 0;
+}
+
+//--------------------------------------------------------------------+
+// USB CDC
+//--------------------------------------------------------------------+
+enum NetApiFuncs {
+  kNetworkRecvRenew,
+  kNetworkCanXmit,
+  kNetworkXmit,
+  kMaxValue,
+};
+
+void net_task(FuzzedDataProvider *provider) {
+
+  assert(provider != NULL);
+  switch (provider->ConsumeEnum<NetApiFuncs>()) {
+  
+  case kNetworkRecvRenew:
+    tud_network_recv_renew();
+    break;
+  case kNetworkCanXmit:
+ (void)tud_network_can_xmit(provider->ConsumeIntegral<uint16_t>());
+  case kNetworkXmit:
+    // TODO: Actuall pass real values here later.
+    tud_network_xmit(NULL, 0);
+
+  case kMaxValue:
+    // Noop.
+    break;
+  }
+}
+}