suricata
fuzz_sigpcap_aware.c
Go to the documentation of this file.
1 /**
2  * @file
3  * @author Philippe Antoine <contact@catenacyber.fr>
4  * fuzz target for AppLayerProtoDetectGetProto
5  */
6 
7 #include "suricata-common.h"
8 #include "source-pcap-file.h"
9 #include "detect-engine.h"
10 #include "util-classification-config.h"
11 #include "util-reference-config.h"
12 #include "app-layer.h"
13 #include "tm-queuehandlers.h"
14 #include "util-cidr.h"
15 #include "util-profiling.h"
16 #include "util-proto-name.h"
17 #include "detect-engine-tag.h"
18 #include "detect-engine-threshold.h"
19 #include "host-bit.h"
20 #include "ippair-bit.h"
21 #include "app-layer-htp.h"
22 #include "detect-fast-pattern.h"
23 #include "util-unittest-helper.h"
24 #include "conf-yaml-loader.h"
25 #include "pkt-var.h"
26 #include "flow-util.h"
27 #include "flow-worker.h"
28 #include "tm-modules.h"
29 #include "tmqh-packetpool.h"
30 #include "util-conf.h"
31 #include "packet.h"
32 
33 #include <fuzz_pcap.h>
34 
35 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
36 
37 static int initialized = 0;
38 ThreadVars tv;
39 DecodeThreadVars *dtv;
40 // FlowWorkerThreadData
41 void *fwd;
42 SCInstance surifuzz;
43 SC_ATOMIC_EXTERN(unsigned int, engine_stage);
44 
45 #include "confyaml.c"
46 
47 static void SigGenerateAware(const uint8_t *data, size_t size, char *r, size_t *len)
48 {
49  *len = snprintf(r, 511, "alert ip any any -> any any (");
50  for (size_t i = 0; i + 1 < size && *len < 511; i++) {
51  if (data[i] & 0x80) {
52  size_t off = (data[i] & 0x7F + ((data[i + 1] & 0xF) << 7)) %
53  (sizeof(sigmatch_table) / sizeof(SigTableElmt));
54  if (sigmatch_table[off].flags & SIGMATCH_NOOPT ||
55  ((data[i + 1] & 0x80) && sigmatch_table[off].flags & SIGMATCH_OPTIONAL_OPT)) {
56  *len += snprintf(r + *len, 511 - *len, "; %s;", sigmatch_table[off].name);
57  } else {
58  *len += snprintf(r + *len, 511 - *len, "; %s:", sigmatch_table[off].name);
59  }
60  i++;
61  } else {
62  r[*len] = data[i];
63  *len = *len + 1;
64  }
65  }
66  if (*len < 511) {
67  *len += snprintf(r + *len, 511 - *len, ")");
68  } else {
69  r[511] = 0;
70  *len = 511;
71  }
72 }
73 
74 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
75 {
76  FPC_buffer_t pkts;
77  const u_char *pkt;
78  struct pcap_pkthdr header;
79  int r;
80  Packet *p;
81  size_t pos;
82  size_t pcap_cnt = 0;
83 
84  if (initialized == 0) {
85  // Redirects logs to /dev/null
86  setenv("SC_LOG_OP_IFACE", "file", 0);
87  setenv("SC_LOG_FILE", "/dev/null", 0);
88 
89  InitGlobal();
90 
91  GlobalsInitPreConfig();
92  run_mode = RUNMODE_PCAP_FILE;
93  // redirect logs to /tmp
94  ConfigSetLogDirectory("/tmp/");
95  // disables checksums validation for fuzzing
96  if (ConfYamlLoadString(configNoChecksum, strlen(configNoChecksum)) != 0) {
97  abort();
98  }
99  // do not load rules before reproducible DetectEngineReload
100  remove("/tmp/fuzz.rules");
101  surifuzz.sig_file = strdup("/tmp/fuzz.rules");
102  surifuzz.sig_file_exclusive = 1;
103  // loads rules after init
104  surifuzz.delayed_detect = 1;
105 
106  PostConfLoadedSetup(&surifuzz);
107  PreRunPostPrivsDropInit(run_mode);
108  PostConfLoadedDetectSetup(&surifuzz);
109 
110  memset(&tv, 0, sizeof(tv));
111  tv.flow_queue = FlowQueueNew();
112  if (tv.flow_queue == NULL)
113  abort();
114  dtv = DecodeThreadVarsAlloc(&tv);
115  DecodeRegisterPerfCounters(dtv, &tv);
116  tmm_modules[TMM_FLOWWORKER].ThreadInit(&tv, NULL, &fwd);
117  StatsSetupPrivate(&tv);
118 
119  extern uint16_t max_pending_packets;
120  max_pending_packets = 128;
121  PacketPoolInit();
122  SC_ATOMIC_SET(engine_stage, SURICATA_RUNTIME);
123  initialized = 1;
124  }
125 
126  if (size < 1 + FPC0_HEADER_LEN) {
127  return 0;
128  }
129  for (pos = 0; pos < size - FPC0_HEADER_LEN; pos++) {
130  if (data[pos] == 0) {
131  break;
132  }
133  }
134  // initialize FPC with the buffer
135  if (FPC_init(&pkts, data + pos + 1, size - pos - 1) < 0) {
136  return 0;
137  }
138 
139  // dump signatures to a file so as to reuse SigLoadSignatures
140  char sigaware[512];
141  size_t len;
142  SigGenerateAware(data, pos + 1, sigaware, &len);
143  if (TestHelperBufferToFile(surifuzz.sig_file, (uint8_t *)sigaware, len) < 0) {
144  return 0;
145  }
146 
147  if (DetectEngineReload(&surifuzz) < 0) {
148  return 0;
149  }
150  DetectEngineThreadCtx *old_det_ctx = FlowWorkerGetDetectCtxPtr(fwd);
151 
152  DetectEngineCtx *de_ctx = DetectEngineGetCurrent();
153  de_ctx->ref_cnt--;
154  DetectEngineThreadCtx *new_det_ctx = DetectEngineThreadCtxInitForReload(&tv, de_ctx, 1);
155  FlowWorkerReplaceDetectCtx(fwd, new_det_ctx);
156 
157  DetectEngineThreadCtxDeinit(NULL, old_det_ctx);
158 
159  // loop over packets
160  r = FPC_next(&pkts, &header, &pkt);
161  p = PacketGetFromAlloc();
162  if (r <= 0 || header.ts.tv_sec >= INT_MAX - 3600) {
163  goto bail;
164  }
165  p->pkt_src = PKT_SRC_WIRE;
166  p->ts = SCTIME_FROM_TIMEVAL(&header.ts);
167  p->datalink = pkts.datalink;
168  while (r > 0) {
169  if (PacketCopyData(p, pkt, header.caplen) == 0) {
170  // DecodePcapFile
171  TmEcode ecode = tmm_modules[TMM_DECODEPCAPFILE].Func(&tv, p, dtv);
172  if (ecode == TM_ECODE_FAILED) {
173  break;
174  }
175  Packet *extra_p = PacketDequeueNoLock(&tv.decode_pq);
176  while (extra_p != NULL) {
177  PacketFreeOrRelease(extra_p);
178  extra_p = PacketDequeueNoLock(&tv.decode_pq);
179  }
180  tmm_modules[TMM_FLOWWORKER].Func(&tv, p, fwd);
181  extra_p = PacketDequeueNoLock(&tv.decode_pq);
182  while (extra_p != NULL) {
183  PacketFreeOrRelease(extra_p);
184  extra_p = PacketDequeueNoLock(&tv.decode_pq);
185  }
186  }
187  r = FPC_next(&pkts, &header, &pkt);
188  if (r <= 0 || header.ts.tv_sec >= INT_MAX - 3600) {
189  goto bail;
190  }
191  PacketRecycle(p);
192  p->pkt_src = PKT_SRC_WIRE;
193  p->ts = SCTIME_FROM_TIMEVAL(&header.ts);
194  p->datalink = pkts.datalink;
195  pcap_cnt++;
196  p->pcap_cnt = pcap_cnt;
197  }
198 bail:
199  PacketFree(p);
200  FlowReset();
201 
202  return 0;
203 }
ThreadVars_::flow_queue
struct FlowQueue_ * flow_queue
Definition: threadvars.h:134
len
uint8_t len
Definition: app-layer-dnp3.h:2
detect-engine.h
DetectEngineThreadCtxInitForReload
DetectEngineThreadCtx * DetectEngineThreadCtxInitForReload(ThreadVars *tv, DetectEngineCtx *new_de_ctx, int mt)
Definition: detect-engine.c:3356
PacketFreeOrRelease
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:191
flow-util.h
SC_ATOMIC_EXTERN
SC_ATOMIC_EXTERN(unsigned int, engine_stage)
fwd
void * fwd
Definition: fuzz_sigpcap_aware.c:41
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:292
source-pcap-file.h
SC_ATOMIC_SET
#define SC_ATOMIC_SET(name, val)
Set the value for the atomic variable.
Definition: util-atomic.h:387
DetectEngineCtx_::ref_cnt
uint32_t ref_cnt
Definition: detect.h:958
Packet_::pcap_cnt
uint64_t pcap_cnt
Definition: decode.h:598
ippair-bit.h
PacketRecycle
void PacketRecycle(Packet *p)
Definition: packet.c:168
tv
ThreadVars tv
Definition: fuzz_sigpcap_aware.c:38
SigTableElmt_::flags
uint16_t flags
Definition: detect.h:1275
DetectEngineCtx_
main detection engine ctx
Definition: detect.h:832
DetectEngineGetCurrent
DetectEngineCtx * DetectEngineGetCurrent(void)
Definition: detect-engine.c:3744
FlowReset
void FlowReset(void)
Definition: flow.c:679
StatsSetupPrivate
int StatsSetupPrivate(ThreadVars *tv)
Definition: counters.c:1224
tm-modules.h
GlobalsInitPreConfig
void GlobalsInitPreConfig(void)
Definition: suricata.c:353
TM_ECODE_FAILED
@ TM_ECODE_FAILED
Definition: tm-threads-common.h:85
tmqh-packetpool.h
util-unittest-helper.h
PacketPoolInit
void PacketPoolInit(void)
Definition: tmqh-packetpool.c:262
Packet_::datalink
int datalink
Definition: decode.h:611
DecodeRegisterPerfCounters
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:525
util-cidr.h
app-layer-htp.h
PreRunPostPrivsDropInit
void PreRunPostPrivsDropInit(const int runmode)
Definition: suricata.c:2232
PKT_SRC_WIRE
@ PKT_SRC_WIRE
Definition: decode.h:54
de_ctx
DetectEngineCtx * de_ctx
Definition: fuzz_siginit.c:17
DetectEngineThreadCtx_
Definition: detect.h:1080
LLVMFuzzerTestOneInput
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
Definition: fuzz_sigpcap_aware.c:74
Packet_::ts
SCTime_t ts
Definition: decode.h:475
PacketDequeueNoLock
Packet * PacketDequeueNoLock(PacketQueueNoLock *qnl)
Definition: packet-queue.c:208
flow-worker.h
util-reference-config.h
SCInstance_::delayed_detect
int delayed_detect
Definition: suricata.h:149
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
SCTIME_FROM_TIMEVAL
#define SCTIME_FROM_TIMEVAL(tv)
Definition: util-time.h:79
pkt-var.h
TmModule_::Func
TmEcode(* Func)(ThreadVars *, Packet *, void *)
Definition: tm-modules.h:52
SigTableElmt
struct SigTableElmt_ SigTableElmt
element in sigmatch type table.
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:134
FlowQueueNew
FlowQueue * FlowQueueNew(void)
Definition: flow-queue.c:35
TestHelperBufferToFile
int TestHelperBufferToFile(const char *name, const uint8_t *data, size_t size)
writes the contents of a buffer into a file
Definition: util-unittest-helper.c:103
ConfYamlLoadString
int ConfYamlLoadString(const char *string, size_t len)
Load configuration from a YAML string.
Definition: conf-yaml-loader.c:511
PostConfLoadedSetup
int PostConfLoadedSetup(SCInstance *suri)
Definition: suricata.c:2616
detect-engine-tag.h
util-profiling.h
Packet_
Definition: decode.h:430
PostConfLoadedDetectSetup
void PostConfLoadedDetectSetup(SCInstance *suri)
Definition: suricata.c:2525
tmm_modules
TmModule tmm_modules[TMM_SIZE]
Definition: tm-modules.c:33
conf-yaml-loader.h
TMM_DECODEPCAPFILE
@ TMM_DECODEPCAPFILE
Definition: tm-threads-common.h:41
confyaml.c
TmEcode
TmEcode
Definition: tm-threads-common.h:83
max_pending_packets
uint16_t max_pending_packets
Definition: suricata.c:186
util-proto-name.h
setenv
void setenv(const char *name, const char *value, int overwrite)
TMM_FLOWWORKER
@ TMM_FLOWWORKER
Definition: tm-threads-common.h:34
tm-queuehandlers.h
FlowWorkerGetDetectCtxPtr
void * FlowWorkerGetDetectCtxPtr(void *flow_worker)
Definition: flow-worker.c:678
detect-fast-pattern.h
util-conf.h
flags
uint8_t flags
Definition: decode-gre.h:0
suricata-common.h
DetectEngineThreadCtxDeinit
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
Definition: detect-engine.c:3502
configNoChecksum
const char configNoChecksum[]
Definition: confyaml.c:1
run_mode
int run_mode
Definition: suricata.c:175
packet.h
sigmatch_table
SigTableElmt sigmatch_table[DETECT_TBLSIZE]
Definition: detect-parse.c:129
TmModule_::ThreadInit
TmEcode(* ThreadInit)(ThreadVars *, const void *, void **)
Definition: tm-modules.h:47
util-classification-config.h
dtv
DecodeThreadVars * dtv
Definition: fuzz_sigpcap_aware.c:39
SCInstance_::sig_file
char * sig_file
Definition: suricata.h:128
SIGMATCH_OPTIONAL_OPT
#define SIGMATCH_OPTIONAL_OPT
Definition: detect.h:1472
ConfigSetLogDirectory
TmEcode ConfigSetLogDirectory(const char *name)
Definition: util-conf.c:33
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
Packet_::pkt_src
uint8_t pkt_src
Definition: decode.h:583
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:673
DecodeThreadVarsAlloc
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:688
ThreadVars_::decode_pq
PacketQueueNoLock decode_pq
Definition: threadvars.h:111
SURICATA_RUNTIME
@ SURICATA_RUNTIME
Definition: suricata.h:96
SIGMATCH_NOOPT
#define SIGMATCH_NOOPT
Definition: detect.h:1463
DetectEngineReload
int DetectEngineReload(const SCInstance *suri)
Reload the detection engine.
Definition: detect-engine.c:4683
SCInstance_
Definition: suricata.h:123
InitGlobal
int InitGlobal(void)
Global initialization common to all runmodes.
Definition: suricata.c:2839
SCInstance_::sig_file_exclusive
bool sig_file_exclusive
Definition: suricata.h:129
RUNMODE_PCAP_FILE
@ RUNMODE_PCAP_FILE
Definition: runmodes.h:30
surifuzz
SCInstance surifuzz
Definition: fuzz_sigpcap_aware.c:42
host-bit.h
detect-engine-threshold.h
FlowWorkerReplaceDetectCtx
void FlowWorkerReplaceDetectCtx(void *flow_worker, void *detect_ctx)
Definition: flow-worker.c:671
app-layer.h