diff options
Diffstat (limited to 'llvm/lib')
3 files changed, 50 insertions, 0 deletions
diff --git a/llvm/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/build.sh b/llvm/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/build.sh new file mode 100755 index 00000000000..d95eba3c94b --- /dev/null +++ b/llvm/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/build.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +[ -e $(basename $0) ] && echo "PLEASE USE THIS SCRIPT FROM ANOTHER DIR" && exit 1 +SCRIPT_DIR=$(dirname $0) +EXECUTABLE_NAME_BASE=$(basename $SCRIPT_DIR) +LIBFUZZER_SRC=$(dirname $(dirname $SCRIPT_DIR)) + +FUZZ_CXXFLAGS="-O2 -g -fsanitize=address -fsanitize-coverage=trace-pc-guard,trace-cmp,trace-gep,trace-div" + +get() { + [ ! -e SRC ] && git clone https://github.com/c-ares/c-ares.git SRC && (cd SRC && git reset --hard 51fbb479f7948fca2ace3ff34a15ff27e796afdd) +} +build_lib() { + rm -rf BUILD + cp -rf SRC BUILD + (cd BUILD && ./buildconf && ./configure CC="clang $FUZZ_CXXFLAGS" && make -j) +} + +get +build_lib +$LIBFUZZER_SRC/build.sh +clang++ -g $SCRIPT_DIR/target.cc -I BUILD BUILD/.libs/libcares.a libFuzzer.a $FUZZ_CXXFLAGS -o $EXECUTABLE_NAME_BASE diff --git a/llvm/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/target.cc b/llvm/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/target.cc new file mode 100644 index 00000000000..8ec36123b7b --- /dev/null +++ b/llvm/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/target.cc @@ -0,0 +1,21 @@ +#include <stdint.h> +#include <stdlib.h> +#include <string.h> +#include <arpa/nameser.h> +#include <iostream> + +#include <ares.h> + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + unsigned char* buf; + int buflen; + char* inp = (char*)malloc(size+1); + inp[size]=0; + memcpy(inp, data, size); + + ares_create_query((const char*)inp, ns_c_in, ns_t_a, 0x1234, 0, &buf, &buflen, 0); + + free(buf); + free(inp); + return 0; +} diff --git a/llvm/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/test.sh b/llvm/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/test.sh new file mode 100755 index 00000000000..b40d4af20da --- /dev/null +++ b/llvm/lib/Fuzzer/fuzzer-test-suite/c-ares-CVE-2016-5180/test.sh @@ -0,0 +1,7 @@ +#!/bin/bash +set -x +SCRIPT_DIR=$(dirname $0) +EXECUTABLE_NAME_BASE=$(basename $SCRIPT_DIR) +CORPUS=CORPUS-$EXECUTABLE_NAME_BASE +[ -e $EXECUTABLE_NAME_BASE ] && ./$EXECUTABLE_NAME_BASE -max_total_time=10 2>&1 | tee log +grep -Pzo "(?s)ERROR: AddressSanitizer: heap-buffer-overflow.*WRITE of size 1.*ares_create_query.*is located 0 bytes to the right of" log |
