Initial fuzzer integration (#961)

DavidKorczynski · web-flow · commit b4017463a04b · 2021-04-05T16:31:22.000-07:00
Adds a set of fuzzers for various `linkerd` crates. 

The goal of this PR is to create an initial fuzzer infrastructure as well as
fuzzers that can be integrated with OSS-Fuzz for continuous fuzzing. 

The way I set it up was to place the fuzzers for a given crate within the
crate folder itself. I then put in a `fuzz_logic` module in the source code
that is to be fuzzed, thus following the low of how the existing tests are
written. The majority of additions in this PR are independent of the
linkerd2-proxy source code, but there are a few changes.

Signed-off-by: davkor &lt;david@adalogics.com&gt;
diff --git a/Cargo.toml b/Cargo.toml
@@ -63,4 +63,4 @@ debug = false
 debug = false
 
 [patch.crates-io]
-webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.21", rev = "b2c3bb3" }
+webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.21" }
diff --git a/linkerd/addr/fuzz/.gitignore b/linkerd/addr/fuzz/.gitignore
@@ -0,0 +1,4 @@
+
+target
+corpus
+artifacts
diff --git a/linkerd/addr/fuzz/Cargo.toml b/linkerd/addr/fuzz/Cargo.toml
@@ -0,0 +1,27 @@
+[package]
+name = "linkerd-addr-fuzz"
+version = "0.0.0"
+authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
+publish = false
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+
+[dependencies.linkerd-addr]
+path = ".."
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[features]
+fuzzing = []
+
+[[bin]]
+name = "fuzz_target_1"
+path = "fuzz_targets/fuzz_target_1.rs"
+required-features = ["fuzzing"]
diff --git a/linkerd/addr/fuzz/fuzz_targets/fuzz_target_1.rs b/linkerd/addr/fuzz/fuzz_targets/fuzz_target_1.rs
@@ -0,0 +1,9 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+
+fuzz_target!(|data: &[u8]| {
+    if let Ok(s) = std::str::from_utf8(data) {
+        linkerd_addr::fuzz_logic::fuzz_addr_1(s);
+    }
+});
diff --git a/linkerd/addr/src/lib.rs b/linkerd/addr/src/lib.rs
@@ -258,3 +258,22 @@ mod tests {
         }
     }
 }
+
+#[cfg(fuzzing)]
+pub mod fuzz_logic {
+    use super::*;
+
+    pub fn fuzz_addr_1(fuzz_data: &str) {
+        if let Ok(addr) = Addr::from_str(fuzz_data) {
+            addr.is_loopback();
+            addr.to_http_authority();
+            addr.is_loopback();
+            addr.socket_addr();
+        }
+
+        if let Ok(name_addr) = NameAddr::from_str_and_port(fuzz_data, 1234) {
+            name_addr.port();
+            name_addr.as_http_authority();
+        }
+    }
+}
diff --git a/linkerd/dns/fuzz/.gitignore b/linkerd/dns/fuzz/.gitignore
@@ -0,0 +1,4 @@
+
+target
+corpus
+artifacts
diff --git a/linkerd/dns/fuzz/Cargo.toml b/linkerd/dns/fuzz/Cargo.toml
@@ -0,0 +1,31 @@
+
+[package]
+name = "linkerd-dns-fuzz"
+version = "0.0.0"
+authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
+publish = false
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+tokio = { version = "1", features = ["rt", "time", "io-util"] }
+
+[dependencies.linkerd-dns]
+path = ".."
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[features]
+fuzzing = []
+
+[[bin]]
+name = "fuzz_target_1"
+path = "fuzz_targets/fuzz_target_1.rs"
+test = false
+doc = false
+required-features = ["fuzzing"]
diff --git a/linkerd/dns/fuzz/fuzz_targets/fuzz_target_1.rs b/linkerd/dns/fuzz/fuzz_targets/fuzz_target_1.rs
@@ -0,0 +1,9 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    if let Ok(s) = std::str::from_utf8(data) {
+        let rt = tokio::runtime::Runtime::new().unwrap();
+        rt.block_on(linkerd_dns::fuzz_logic::fuzz_entry(s))
+    }
+});
diff --git a/linkerd/dns/src/lib.rs b/linkerd/dns/src/lib.rs
@@ -246,3 +246,25 @@ mod tests {
         assert!(Suffix::from_str("").is_err(), "suffix must not be empty");
     }
 }
+
+#[cfg(fuzzing)]
+pub mod fuzz_logic {
+    use super::*;
+    use std::str::FromStr;
+    pub struct FuzzConfig {}
+
+    // Empty config resolver that we can use.
+    impl ConfigureResolver for FuzzConfig {
+        fn configure_resolver(&self, _opts: &mut ResolverOpts) {}
+    }
+
+    // Test the resolvers do not panic unexpectedly.
+    pub async fn fuzz_entry(fuzz_data: &str) {
+        if let Ok(name) = Name::from_str(fuzz_data) {
+            let fcon = FuzzConfig {};
+            let resolver = Resolver::from_system_config_with(&fcon).unwrap();
+            let _w = resolver.resolve_a(&name).await;
+            let _w2 = resolver.resolve_srv(&name).await;
+        }
+    }
+}
diff --git a/linkerd/proxy/http/Cargo.toml b/linkerd/proxy/http/Cargo.toml
@@ -39,6 +39,9 @@ tracing = "0.1.23"
 try-lock = "0.2"
 pin-project = "1"
 
+[target.'cfg(fuzzing)'.dependencies]
+tokio-test = "0.4"
+
 [dev-dependencies]
 tokio-test = "0.4"
 tracing-subscriber = "0.2.16"
diff --git a/linkerd/proxy/http/fuzz/.gitignore b/linkerd/proxy/http/fuzz/.gitignore
@@ -0,0 +1,4 @@
+
+target
+corpus
+artifacts
diff --git a/linkerd/proxy/http/fuzz/Cargo.toml b/linkerd/proxy/http/fuzz/Cargo.toml
@@ -0,0 +1,31 @@
+
+[package]
+name = "linkerd-proxy-http-fuzz"
+version = "0.0.0"
+authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
+publish = false
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+tokio = { version = "1", features = [ "full"] }
+
+[dependencies.linkerd-proxy-http]
+path = ".."
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[features]
+fuzzing = []
+
+[[bin]]
+name = "fuzz_target_1"
+path = "fuzz_targets/fuzz_target_1.rs"
+test = false
+doc = false
+required-features = ["fuzzing"]
diff --git a/linkerd/proxy/http/fuzz/fuzz_targets/fuzz_target_1.rs b/linkerd/proxy/http/fuzz/fuzz_targets/fuzz_target_1.rs
@@ -0,0 +1,8 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    let rt = tokio::runtime::Runtime::new().unwrap();
+    rt.block_on(linkerd_proxy_http::detect::fuzz_logic::fuzz_entry(data))
+});
+
diff --git a/linkerd/proxy/http/src/detect.rs b/linkerd/proxy/http/src/detect.rs
@@ -147,3 +147,16 @@ mod tests {
         assert_eq!(&buf[..], GARBAGE);
     }
 }
+
+#[cfg(fuzzing)]
+pub mod fuzz_logic {
+    use super::*;
+
+    pub async fn fuzz_entry(input: &[u8]) {
+        use tokio_test::io;
+
+        let mut buf = BytesMut::with_capacity(1024);
+        let mut io = io::Builder::new().read(&input).build();
+        let _kind = DetectHttp(()).detect(&mut io, &mut buf).await.unwrap();
+    }
+}
diff --git a/linkerd/proxy/http/src/lib.rs b/linkerd/proxy/http/src/lib.rs
@@ -7,7 +7,7 @@ use linkerd_identity as identity;
 pub mod balance;
 pub mod client;
 pub mod client_handle;
-mod detect;
+pub mod detect;
 mod glue;
 pub mod h1;
 pub mod h2;
diff --git a/linkerd/tls/fuzz/.gitignore b/linkerd/tls/fuzz/.gitignore
@@ -0,0 +1,4 @@
+
+target
+corpus
+artifacts
diff --git a/linkerd/tls/fuzz/Cargo.toml b/linkerd/tls/fuzz/Cargo.toml
@@ -0,0 +1,33 @@
+
+[package]
+name = "linkerd-tls-fuzz"
+version = "0.0.0"
+authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
+publish = false
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+
+[dependencies.linkerd-tls]
+path = ".."
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[features]
+fuzzing = []
+
+[[bin]]
+name = "fuzz_target_1"
+path = "fuzz_targets/fuzz_target_1.rs"
+test = false
+doc = false
+required-features = ["fuzzing"]
+
+[patch.crates-io]
+webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.21"}
diff --git a/linkerd/tls/fuzz/fuzz_targets/fuzz_target_1.rs b/linkerd/tls/fuzz/fuzz_targets/fuzz_target_1.rs
@@ -0,0 +1,6 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    linkerd_tls::server::fuzz_logic::fuzz_entry(data);
+});
diff --git a/linkerd/tls/src/server/mod.rs b/linkerd/tls/src/server/mod.rs
@@ -399,3 +399,12 @@ mod tests {
         client_task.await.expect("Client must not fail");
     }
 }
+
+#[cfg(fuzzing)]
+pub mod fuzz_logic {
+    use super::*;
+
+    pub fn fuzz_entry(input: &[u8]) {
+        let _ = client_hello::parse_sni(input);
+    }
+}
diff --git a/linkerd/transport-header/fuzz/.gitignore b/linkerd/transport-header/fuzz/.gitignore
@@ -0,0 +1,4 @@
+
+target
+corpus
+artifacts
diff --git a/linkerd/transport-header/fuzz/Cargo.toml b/linkerd/transport-header/fuzz/Cargo.toml
@@ -0,0 +1,39 @@
+
+[package]
+name = "linkerd-transport-header-fuzz"
+version = "0.0.0"
+authors = [ "Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>" ]
+publish = false
+edition = "2018"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+arbitrary = { version = "1",  features = ["derive"] }
+libfuzzer-sys = { version = "0.4.0", features = ["arbitrary-derive"] }
+tokio = { version = "1", features = ["full"] }
+
+[dependencies.linkerd-transport-header]
+path = ".."
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[features]
+fuzzing = []
+
+[[bin]]
+name = "fuzz_target_structured"
+path = "fuzz_targets/fuzz_target_structured.rs"
+test = false
+doc = false
+required-features = ["fuzzing"]
+
+[[bin]]
+name = "fuzz_target_raw"
+path = "fuzz_targets/fuzz_target_raw.rs"
+test = false
+doc = false
+required-features = ["fuzzing"]
diff --git a/linkerd/transport-header/fuzz/fuzz_targets/fuzz_target_raw.rs b/linkerd/transport-header/fuzz/fuzz_targets/fuzz_target_raw.rs
@@ -0,0 +1,7 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    let rt = tokio::runtime::Runtime::new().unwrap();
+    rt.block_on(linkerd_transport_header::fuzz_logic::fuzz_entry_raw(data));
+});
diff --git a/linkerd/transport-header/fuzz/fuzz_targets/fuzz_target_structured.rs b/linkerd/transport-header/fuzz/fuzz_targets/fuzz_target_structured.rs
@@ -0,0 +1,22 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use libfuzzer_sys::arbitrary::Arbitrary;
+
+#[derive(Debug, Arbitrary)]
+struct TransportHeaderSpec {
+    data: Vec<u8>,
+    port: u16,
+    protocol: bool,
+}
+
+fuzz_target!(|inp: TransportHeaderSpec| {
+    if let Ok(s) = std::str::from_utf8(&inp.data[..]) {
+        let rt = tokio::runtime::Runtime::new().unwrap();
+        let proto = if inp.protocol {
+            linkerd_transport_header::SessionProtocol::Http2
+        } else {
+            linkerd_transport_header::SessionProtocol::Http1
+        };
+        rt.block_on(linkerd_transport_header::fuzz_logic::fuzz_entry_structured(s, inp.port, proto));
+    }
+});
diff --git a/linkerd/transport-header/src/lib.rs b/linkerd/transport-header/src/lib.rs
@@ -269,3 +269,36 @@ mod tests {
         assert_eq!(&buf, b"12345");
     }
 }
+
+#[cfg(fuzzing)]
+pub mod fuzz_logic {
+    use super::*;
+    pub async fn fuzz_entry_structured(
+        fuzz_name: &str,
+        fuzz_port: u16,
+        fuzz_proto: SessionProtocol,
+    ) {
+        let header = TransportHeader {
+            port: fuzz_port,
+            name: Name::from_str(fuzz_name).ok(),
+            protocol: Some(fuzz_proto),
+        };
+        let mut rx = {
+            let mut buf = BytesMut::new();
+            header.encode_prefaced(&mut buf).expect("must encode");
+            std::io::Cursor::new(buf.freeze())
+        };
+        let mut buf = BytesMut::new();
+        let _h = TransportHeader::read_prefaced(&mut rx, &mut buf).await;
+    }
+
+    pub async fn fuzz_entry_raw(fuzz_data: &[u8]) {
+        let mut rx = {
+            let mut buf = BytesMut::new();
+            buf.put(fuzz_data);
+            std::io::Cursor::new(buf.freeze())
+        };
+        let mut buf = BytesMut::new();
+        let _h = TransportHeader::read_prefaced(&mut rx, &mut buf).await;
+    }
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
++
 +target
 +corpus
 +artifacts