suricata
fuzz_sigpcap_aware.c
Go to the documentation of this file.
1 /**
2  * @file
3  * @author Philippe Antoine <contact@catenacyber.fr>
4  * fuzz target for AppLayerProtoDetectGetProto
5  */
6 
7 #include "suricata-common.h"
8 #include "source-pcap-file.h"
9 #include "detect-engine.h"
10 #include "util-classification-config.h"
11 #include "util-reference-config.h"
12 #include "app-layer.h"
13 #include "tm-queuehandlers.h"
14 #include "util-cidr.h"
15 #include "util-profiling.h"
16 #include "util-proto-name.h"
17 #include "detect-engine-tag.h"
18 #include "detect-engine-threshold.h"
19 #include "host-bit.h"
20 #include "ippair-bit.h"
21 #include "app-layer-htp.h"
22 #include "detect-fast-pattern.h"
23 #include "util-unittest-helper.h"
24 #include "conf-yaml-loader.h"
25 #include "pkt-var.h"
26 #include "flow-util.h"
27 #include "flow-worker.h"
28 #include "tm-modules.h"
29 #include "tmqh-packetpool.h"
30 #include "util-conf.h"
31 #include "packet.h"
32 #include "nallocinc.c"
33 
34 #include <fuzz_pcap.h>
35 
36 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
37 
38 static int initialized = 0;
39 ThreadVars tv;
40 DecodeThreadVars *dtv;
41 // FlowWorkerThreadData
42 void *fwd;
43 SCInstance surifuzz;
44 SC_ATOMIC_EXTERN(unsigned int, engine_stage);
45 
46 extern const char *configNoChecksum;
47 
48 static void SigGenerateAware(const uint8_t *data, size_t size, char *r, size_t *len)
49 {
50  *len = snprintf(r, 511, "alert ip any any -> any any (");
51  for (size_t i = 0; i + 1 < size && *len < 511; i++) {
52  if (data[i] & 0x80) {
53  size_t off = (data[i] & 0x7F + ((data[i + 1] & 0xF) << 7)) % (DETECT_TBLSIZE);
54  if (sigmatch_table[off].flags & SIGMATCH_NOOPT ||
55  ((data[i + 1] & 0x80) && sigmatch_table[off].flags & SIGMATCH_OPTIONAL_OPT)) {
56  *len += snprintf(r + *len, 511 - *len, "; %s;", sigmatch_table[off].name);
57  } else {
58  *len += snprintf(r + *len, 511 - *len, "; %s:", sigmatch_table[off].name);
59  }
60  i++;
61  } else {
62  r[*len] = data[i];
63  *len = *len + 1;
64  }
65  }
66  if (*len < 511) {
67  *len += snprintf(r + *len, 511 - *len, ")");
68  } else {
69  r[511] = 0;
70  *len = 511;
71  }
72 }
73 
74 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
75 {
76  FPC_buffer_t pkts;
77  const u_char *pkt;
78  struct pcap_pkthdr header;
79  int r;
80  Packet *p;
81  size_t pos;
82  size_t pcap_cnt = 0;
83 
84  if (initialized == 0) {
85  // Redirects logs to /dev/null
86  setenv("SC_LOG_OP_IFACE", "file", 0);
87  setenv("SC_LOG_FILE", "/dev/null", 0);
88 
89  InitGlobal();
90 
91  GlobalsInitPreConfig();
92  SCRunmodeSet(RUNMODE_PCAP_FILE);
93  // redirect logs to /tmp
94  ConfigSetLogDirectory("/tmp/");
95  // disables checksums validation for fuzzing
96  if (SCConfYamlLoadString(configNoChecksum, strlen(configNoChecksum)) != 0) {
97  abort();
98  }
99  // do not load rules before reproducible DetectEngineReload
100  remove("/tmp/fuzz.rules");
101  surifuzz.sig_file = strdup("/tmp/fuzz.rules");
102  surifuzz.sig_file_exclusive = 1;
103  // loads rules after init
104  surifuzz.delayed_detect = 1;
105 
106  PostConfLoadedSetup(&surifuzz);
107  PreRunPostPrivsDropInit(SCRunmodeGet());
108  PostConfLoadedDetectSetup(&surifuzz);
109 
110  memset(&tv, 0, sizeof(tv));
111  tv.flow_queue = FlowQueueNew();
112  if (tv.flow_queue == NULL)
113  abort();
114  dtv = DecodeThreadVarsAlloc(&tv);
115  DecodeRegisterPerfCounters(dtv, &tv);
116  tmm_modules[TMM_FLOWWORKER].ThreadInit(&tv, NULL, &fwd);
117  StatsSetupPrivate(&tv.stats, NULL);
118 
119  extern uint32_t max_pending_packets;
120  max_pending_packets = 128;
121  PacketPoolInit();
122  SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
123  nalloc_init(NULL);
124  nalloc_restrict_file_prefix(3);
125  initialized = 1;
126  }
127 
128  if (size < 1 + FPC0_HEADER_LEN) {
129  return 0;
130  }
131  for (pos = 0; pos < size - FPC0_HEADER_LEN; pos++) {
132  if (data[pos] == 0) {
133  break;
134  }
135  }
136  // initialize FPC with the buffer
137  if (FPC_init(&pkts, data + pos + 1, size - pos - 1) < 0) {
138  return 0;
139  }
140 
141  // dump signatures to a file so as to reuse SigLoadSignatures
142  char sigaware[512];
143  size_t len;
144  SigGenerateAware(data, pos + 1, sigaware, &len);
145  if (TestHelperBufferToFile(surifuzz.sig_file, (uint8_t *)sigaware, len) < 0) {
146  return 0;
147  }
148 
149  if (DetectEngineReload(&surifuzz) < 0) {
150  return 0;
151  }
152  DetectEngineThreadCtx *old_det_ctx = FlowWorkerGetDetectCtxPtr(fwd);
153 
154  DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
155  de_ctx->ref_cnt--;
156  DetectEngineThreadCtx *new_det_ctx = DetectEngineThreadCtxInitForReload(&tv, de_ctx, 1);
157  FlowWorkerReplaceDetectCtx(fwd, new_det_ctx);
158 
159  DetectEngineThreadCtxDeinit(NULL, old_det_ctx);
160 
161  nalloc_start(data, size);
162  // loop over packets
163  r = FPC_next(&pkts, &header, &pkt);
164  p = PacketGetFromAlloc();
165  if (p == NULL || r <= 0 || header.ts.tv_sec >= INT_MAX - 3600) {
166  goto bail;
167  }
168  p->pkt_src = PKT_SRC_WIRE;
169  p->ts = SCTIME_FROM_TIMEVAL(&header.ts);
170  p->datalink = pkts.datalink;
171  while (r > 0) {
172  if (PacketCopyData(p, pkt, header.caplen) == 0) {
173  // DecodePcapFile
174  TmEcode ecode = tmm_modules[TMM_DECODEPCAPFILE].Func(&tv, p, dtv);
175  if (ecode == TM_ECODE_FAILED) {
176  break;
177  }
178  Packet *extra_p = PacketDequeueNoLock(&tv.decode_pq);
179  while (extra_p != NULL) {
180  PacketFreeOrRelease(extra_p);
181  extra_p = PacketDequeueNoLock(&tv.decode_pq);
182  }
183  tmm_modules[TMM_FLOWWORKER].Func(&tv, p, fwd);
184  extra_p = PacketDequeueNoLock(&tv.decode_pq);
185  while (extra_p != NULL) {
186  PacketFreeOrRelease(extra_p);
187  extra_p = PacketDequeueNoLock(&tv.decode_pq);
188  }
189  }
190  r = FPC_next(&pkts, &header, &pkt);
191  if (r <= 0 || header.ts.tv_sec >= INT_MAX - 3600) {
192  goto bail;
193  }
194  PacketRecycle(p);
195  p->pkt_src = PKT_SRC_WIRE;
196  p->ts = SCTIME_FROM_TIMEVAL(&header.ts);
197  p->datalink = pkts.datalink;
198  pcap_cnt++;
199  p->pcap_cnt = pcap_cnt;
200  }
201 bail:
202  PacketFree(p);
203  FlowReset();
204  nalloc_end();
205 
206  return 0;
207 }
SCConfYamlLoadString
int SCConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:535
ThreadVars_::flow_queue
struct FlowQueue_ * flow_queue
Definition: threadvars.h:131
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
DetectEngineThreadCtxInitForReload
DetectEngineThreadCtx * DetectEngineThreadCtxInitForReload(ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
Definition: detect-engine.c:3452
sigmatch_table
SigTableElmt * sigmatch_table
Definition: detect-parse.c:79
PacketFreeOrRelease
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:280
flow-util.h
SC_ATOMIC_EXTERN
SC_ATOMIC_EXTERN(unsigned int, engine_stage)
fwd
void * fwd
Definition: fuzz_sigpcap_aware.c:42
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:381
source-pcap-file.h
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:386
SigTableElmt_::flags
uint32_t flags
Definition: detect.h:1449
DetectEngineCtx_::ref_cnt
uint32_t ref_cnt
Definition: detect.h:1057
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:626
name
const char * name
Definition: detect-engine-proto.c:48
ippair-bit.h
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:160
tv
ThreadVars tv
Definition: fuzz_sigpcap_aware.c:39
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:933
DetectEngineGetCurrent
DetectEngineCtx * DetectEngineGetCurrent(void)
Definition: detect-engine.c:3838
FlowReset
void FlowReset(void)
Definition: flow.c:675
tm-modules.h
GlobalsInitPreConfig
void GlobalsInitPreConfig(void)
Definition: suricata.c:386
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:82
tmqh-packetpool.h
nallocinc.c
util-unittest-helper.h
PacketPoolInit
void PacketPoolInit(void)
Definition: tmqh-packetpool.c:235
SCRunmodeSet
void SCRunmodeSet(SCRunMode run_mode)
Set the current run mode.
Definition: suricata.c:288
Packet_::datalink
int datalink
Definition: decode.h:639
DecodeRegisterPerfCounters
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:632
util-cidr.h
app-layer-htp.h
configNoChecksum
const char * configNoChecksum
Definition: confyaml.c:1
SCRunmodeGet
SCRunMode SCRunmodeGet(void)
Get the current run mode.
Definition: suricata.c:283
PreRunPostPrivsDropInit
void PreRunPostPrivsDropInit(const int runmode)
Definition: suricata.c:2330
PKT_SRC_WIRE
@ PKT_SRC_WIRE
Definition: decode.h:52
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:19
SURICATA_RUNTIME
@ SURICATA_RUNTIME
Definition: suricata.h:101
DetectEngineThreadCtx_
Definition: detect.h:1245
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition: fuzz_sigpcap_aware.c:74
Packet_::ts
SCTime_t ts
Definition: decode.h:555
PacketDequeueNoLock
Packet * PacketDequeueNoLock(PacketQueueNoLock *qnl)
Definition: packet-queue.c:208
flow-worker.h
util-reference-config.h
SCInstance_::delayed_detect
int delayed_detect
Definition: suricata.h:165
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
SCTIME_FROM_TIMEVAL
#define SCTIME_FROM_TIMEVAL(tv)
Definition: util-time.h:79
pkt-var.h
TmModule_::Func
TmEcode(* Func)(ThreadVars *, Packet *, void *)
Definition: tm-modules.h:56
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:223
FlowQueueNew
FlowQueue * FlowQueueNew(void)
Definition: flow-queue.c:35
TestHelperBufferToFile
int TestHelperBufferToFile(const char *name, const uint8_t *data, size_t size)
writes the contents of a buffer into a file
Definition: util-unittest-helper.c:103
PostConfLoadedSetup
int PostConfLoadedSetup(SCInstance *suri)
Definition: suricata.c:2737
detect-engine-tag.h
util-profiling.h
Packet_
Definition: decode.h:501
PostConfLoadedDetectSetup
void PostConfLoadedDetectSetup(SCInstance *suri)
Definition: suricata.c:2646
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.c:29
conf-yaml-loader.h
TMM_DECODEPCAPFILE
@ TMM_DECODEPCAPFILE
Definition: tm-threads-common.h:41
TmEcode
TmEcode
Definition: tm-threads-common.h:80
util-proto-name.h
setenv
void setenv(const char *name, const char *value, int overwrite)
StatsSetupPrivate
int StatsSetupPrivate(StatsThreadContext *stats, const char *thread_name)
Definition: counters.c:1229
max_pending_packets
uint32_t max_pending_packets
Definition: suricata.c:187
TMM_FLOWWORKER
@ TMM_FLOWWORKER
Definition: tm-threads-common.h:34
tm-queuehandlers.h
nalloc_init
#define nalloc_init(x)
Definition: nallocinc.c:49
FlowWorkerGetDetectCtxPtr
void * FlowWorkerGetDetectCtxPtr(void *flow_worker)
Definition: flow-worker.c:749
detect-fast-pattern.h
util-conf.h
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
nalloc_start
#define nalloc_start(x, y)
Definition: nallocinc.c:51
packet.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *tv, void *data)
Definition: detect-engine.c:3601
TmModule_::ThreadInit
TmEcode(* ThreadInit)(ThreadVars *, const void *, void **)
Definition: tm-modules.h:51
util-classification-config.h
dtv
DecodeThreadVars * dtv
Definition: fuzz_sigpcap_aware.c:40
nalloc_end
#define nalloc_end()
Definition: nallocinc.c:52
SCInstance_::sig_file
char * sig_file
Definition: suricata.h:138
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1660
ConfigSetLogDirectory
TmEcode ConfigSetLogDirectory(const char *name)
Definition: util-conf.c:33
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:262
DETECT_TBLSIZE
int DETECT_TBLSIZE
Definition: detect-engine-register.c:288
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:611
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:963
DecodeThreadVarsAlloc
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:816
ThreadVars_::decode_pq
PacketQueueNoLock decode_pq
Definition: threadvars.h:111
nalloc_restrict_file_prefix
#define nalloc_restrict_file_prefix(x)
Definition: nallocinc.c:50
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1650
DetectEngineReload
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
Definition: detect-engine.c:4791
SCInstance_
Definition: suricata.h:133
InitGlobal
int InitGlobal(void)
Global initialization common to all runmodes.
Definition: suricata.c:2986
SCInstance_::sig_file_exclusive
bool sig_file_exclusive
Definition: suricata.h:139
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
ThreadVars_::stats
StatsThreadContext stats
Definition: threadvars.h:121
surifuzz
SCInstance surifuzz
Definition: fuzz_sigpcap_aware.c:43
host-bit.h
detect-engine-threshold.h
FlowWorkerReplaceDetectCtx
void FlowWorkerReplaceDetectCtx(void *flow_worker, void *detect_ctx)
Definition: flow-worker.c:742
app-layer.h