Add initial fuzz target

Author: k0ekk0ek

CMakeLists.txt

@@ -44,8 +44,12 @@ endif()
 # Building the testing tree is enabled by including CTest, but as it is not
 # strictly required to build the product itself, switch to off by default.
 option(BUILD_TESTING "Build the testing tree." OFF)
+option(BUILD_FUZZING "Build the fuzz target." OFF)
 option(BUILD_DOCUMENTATION "Build documentation." OFF)
 
+#set(SANITIZE "" CACHE STRING "Sanitizers to enable for the build.")
+set(ANALYZER "" CACHE STRING "Analyzer to enable during build.")
+
 if(CMAKE_VERSION VERSION_LESS 3.20)
   # CMAKE_<LANG>_BYTE_ORDER was added in version 3.20. Mimic the option in
   # prior versions.
@@ -63,6 +67,27 @@ include(GenerateExportHeader)
 include(GNUInstallDirs)
 include(CTest)
 
+if(CMAKE_C_COMPILER_ID MATCHES "Clang" OR CMAKE_C_COMPILER_ID STREQUAL "GNU")
+  if(DEFINED SANITIZE)
+    string(REGEX REPLACE " " "" sanitizers "${SANITIZE}")
+    string(REGEX REPLACE "[,;]+" ";" sanitizers "${sanitizers}")
+    list(FILTER sanitizers INCLUDE REGEX "^(address|undefined|leak)$")
+  elseif(BUILD_FUZZING AND CMAKE_C_COMPILER_ID MATCHES "Clang")
+    set(sanitizers "address;undefined;leak")
+  endif()
+
+  if(sanitizers)
+    if("address" IN_LIST sanitizers)
+      add_compile_options(-fno-omit-frame-pointer)
+      add_link_options(-fno-omit-frame-pointer)
+    endif()
+    string(JOIN "," sanitize ${sanitizers})
+    add_compile_options(-fsanitize=${sanitize})
+    add_link_options(-fsanitize=${sanitize})
+    message(STATUS "Sanitizers: ${sanitize}")
+  endif()
+endif()
+
 if(CMAKE_C_COMPILER_ID MATCHES "Clang")
   add_compile_options(
     -Wall -Wextra -Wconversion -Wunused -Wmissing-prototypes
@@ -81,7 +106,6 @@ elseif(CMAKE_C_COMPILER_ID STREQUAL "MSVC")
   add_compile_options(/W3)
 endif()
 
-set(ANALYZER "" CACHE STRING "Analyzer to enable on the build.")
 if(ANALYZER)
   # GCC and Visual Studio offer builtin analyzers. Clang supports static
   # analysis through separate tools, e.g. Clang-Tidy, which can be used in
@@ -97,43 +121,23 @@ if(ANALYZER)
   if(ANALYZER STREQUAL "clang-tidy")
     # Clang-Tidy is an extensible tool that offers more than static analysis.
     # https://clang.llvm.org/extra/clang-tidy/checks/list.html
-    message(STATUS "Enabling analyzer: clang-tidy")
+    message(STATUS "Analyzer: clang-tidy")
     set(CMAKE_C_CLANG_TIDY "clang-tidy;-checks=-*,clang-analyzer-*,-clang-analyzer-security.insecureAPI.strcpy,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling")
     if(CMAKE_COMPILE_WARNING_AS_ERROR)
       set(CMAKE_C_CLANG_TIDY "${CMAKE_C_CLANG_TIDY};--warnings-as-errors=*")
     endif()
   elseif(ANALYZER STREQUAL "on")
     if(CMAKE_C_COMPILER_ID STREQUAL "GNU")
       if(CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "10")
-        message(STATUS "Enabling analyzer: GCC")
+        message(STATUS "Analyzer: GCC")
         # -Wanalyzer-malloc-leak generates lots of false positives
         add_compile_options(-fanalyzer -Wno-analyzer-malloc-leak)
       endif()
     endif()
   endif()
 endif()
 
-set(SANITIZER "" CACHE STRING "Sanitizers to enable on the build.")
-if(SANITIZER)
-  string(REGEX REPLACE " " "" SANITIZER "${SANITIZER}")
-  string(REGEX REPLACE "[,;]+" ";" SANITIZER "${SANITIZER}")
-  foreach(san ${SANITIZER})
-    if(san STREQUAL "address")
-      add_compile_options("-fno-omit-frame-pointer")
-      add_link_options("-fno-omit-frame-pointer")
-    endif()
-    if(san AND NOT san STREQUAL "none")
-      message(STATUS "Enabling sanitizer: ${san}")
-      add_compile_options("-fsanitize=${san}")
-      add_link_options("-fsanitize=${san}")
-    endif()
-  endforeach()
-endif()
-
 add_library(zone STATIC)
-if(WIN32)
-  target_link_libraries(zone INTERFACE ws2_32)
-endif()
 
 generate_export_header(
   zone BASE_NAME ZONE EXPORT_FILE_NAME include/zone/export.h)
@@ -233,6 +237,10 @@ if(BUILD_TESTING)
   add_subdirectory(tests)
 endif()
 
+if(BUILD_FUZZING)
+  add_subdirectory(fuzz)
+endif()
+
 if(BUILD_DOCUMENTATION)
   set(DOXYGEN_GENERATE_HTML YES)
   set(DOXYGEN_GENERATE_XML NO)

fuzz/CMakeLists.txt

@@ -0,0 +1,6 @@
+if(CMAKE_C_COMPILER_ID MATCHES "Clang")
+  add_executable(zone-fuzzer fuzzer.c)
+  target_compile_options(zone-fuzzer PUBLIC -fsanitize=fuzzer)
+  target_link_options(zone-fuzzer PUBLIC -fsanitize=fuzzer)
+  target_link_libraries(zone-fuzzer PRIVATE zone)
+endif()

fuzz/corpus/A

@@ -0,0 +1 @@
+example.com. A 192.168.0.1

fuzz/corpus/SOA

@@ -0,0 +1,8 @@
+$ORIGIN example.com.
+$TTL 86400
+@	IN	SOA	dns1.example.com.	hostmaster.example.com. (
+			2001062501 ; serial
+			21600      ; refresh after 6 hours
+			3600       ; retry after 1 hour
+			604800     ; expire after 1 week
+			86400 )    ; minimum TTL of 1 day

fuzz/corpus/relative-A

@@ -0,0 +1,2 @@
+$ORIGIN example.com.
+ A 192.168.0.1

fuzz/fuzzer.c

@@ -0,0 +1,44 @@
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "zone.h"
+
+static int32_t add_rr(zone_parser_t *parser, const zone_name_t *owner,
+                      uint16_t type, uint16_t class, uint32_t ttl,
+                      uint16_t rdlength, const uint8_t *rdata,
+                      void *user_data) {
+  (void)parser;
+  (void)owner;
+  (void)type;
+  (void)class;
+  (void)ttl;
+  (void)rdlength;
+  (void)rdata;
+  (void)user_data;
+  return ZONE_SUCCESS;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  size_t size_of_input = size + ZONE_BLOCK_SIZE + 1;
+  char *null_terminated = (char*)malloc(size_of_input);
+  memcpy(null_terminated, data, size);
+  null_terminated[size] = '\0';
+
+  zone_parser_t parser = {0};
+  zone_name_buffer_t name;
+  zone_rdata_buffer_t rdata;
+  zone_buffers_t buffers = {1, &name, &rdata};
+  zone_options_t options = {0};
+
+  options.accept.callback = add_rr;
+  options.origin = "example.com.";
+  options.default_ttl = 3600;
+  options.default_class = 1;
+
+  zone_parse_string(&parser, &options, &buffers, null_terminated, size,
+                    NULL);
+
+  free(null_terminated);
+  return 0;
+}

src/haswell/bits.h

@@ -21,6 +21,7 @@ static inline uint64_t count_ones(uint64_t bits) {
   return (uint64_t)_mm_popcnt_u64(bits);
 }
 
+__attribute__((no_sanitize("undefined")))
 static inline uint64_t trailing_zeroes(uint64_t bits) {
   return (uint64_t)__builtin_ctzll(bits);
 }

src/zone.c

@@ -104,20 +104,20 @@ static int parse_origin(const char *origin, uint8_t str[255], size_t *len)
 #include "isadetection.h"
 
 #if HAVE_HASWELL
-extern int32_t zone_haswell_parse(parser_t *, void *);
+extern int32_t zone_haswell_parse(parser_t *);
 #endif
 
 #if HAVE_WESTMERE
-extern int32_t zone_westmere_parse(parser_t *, void *);
+extern int32_t zone_westmere_parse(parser_t *);
 #endif
 
-extern int32_t zone_fallback_parse(parser_t *, void *);
+extern int32_t zone_fallback_parse(parser_t *);
 
 typedef struct kernel kernel_t;
 struct kernel {
   const char *name;
   uint32_t instruction_set;
-  int32_t (*parse)(parser_t *, void *);
+  int32_t (*parse)(parser_t *);
 };
 
 static const kernel_t kernels[] = {
@@ -165,7 +165,7 @@ static int32_t parse(parser_t *parser, void *user_data)
   kernel = select_kernel();
   assert(kernel);
   parser->user_data = user_data;
-  return kernel->parse(parser, user_data);
+  return kernel->parse(parser);
 }
 
 diagnostic_push()