nallocinc.c

Go to the documentation of this file.

/*
 MIT License
 
 Copyright (c) 2025 Catena cyber
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
*/
 
/* Nalloc fuzz : framework to make allocations and IO fail while fuzzing */
 
/* Environment variables to control nalloc fuzz behavior :
 * NALLOC_VERBOSE: set it to log failed allocations with their stacktraces
 * NALLOC_FREQ: set it to control how frequently allocations fail
 *  value 0 disables nalloc (no allocations fail)
 *  value 1..31 : allocations fail always (1) or very rarely (31 -> 1 / 2^31)
 *  value 32 : allocations fail at a random rate between 5 and 20 for each run
 */
 
#ifndef NALLOC_INC_C_
#define NALLOC_INC_C_
 
// enable it on linux, and only if we do not have MSAN
#if defined(__linux__)
#define FUZZER_ENABLE_NALLOC 1
#if defined(__has_feature)
#if __has_feature(memory_sanitizer)
#undef FUZZER_ENABLE_NALLOC
#endif // memory_sanitizer
#endif // __has_feature
#endif // __linux__
 
#if !defined(FUZZER_ENABLE_NALLOC)
#define nalloc_init(x)
#define nalloc_restrict_file_prefix(x)
#define nalloc_start(x, y)
#define nalloc_end()
#else // defined(FUZZER_ENABLE_NALLOC)
 
#if defined(__clang__) && defined(__has_feature)
#if __has_feature(address_sanitizer)
#define NALLOC_ASAN 1
#endif
#endif
 
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
#ifdef __cplusplus
extern "C"
{
#endif
 
    static const uint32_t nalloc_crc32_table[] = { 0x00000000, 0x04c11db7, 0x09823b6e, 0x0d4326d9,
        0x130476dc, 0x17c56b6b, 0x1a864db2, 0x1e475005, 0x2608edb8, 0x22c9f00f, 0x2f8ad6d6,
        0x2b4bcb61, 0x350c9b64, 0x31cd86d3, 0x3c8ea00a, 0x384fbdbd, 0x4c11db70, 0x48d0c6c7,
        0x4593e01e, 0x4152fda9, 0x5f15adac, 0x5bd4b01b, 0x569796c2, 0x52568b75, 0x6a1936c8,
        0x6ed82b7f, 0x639b0da6, 0x675a1011, 0x791d4014, 0x7ddc5da3, 0x709f7b7a, 0x745e66cd,
        0x9823b6e0, 0x9ce2ab57, 0x91a18d8e, 0x95609039, 0x8b27c03c, 0x8fe6dd8b, 0x82a5fb52,
        0x8664e6e5, 0xbe2b5b58, 0xbaea46ef, 0xb7a96036, 0xb3687d81, 0xad2f2d84, 0xa9ee3033,
        0xa4ad16ea, 0xa06c0b5d, 0xd4326d90, 0xd0f37027, 0xddb056fe, 0xd9714b49, 0xc7361b4c,
        0xc3f706fb, 0xceb42022, 0xca753d95, 0xf23a8028, 0xf6fb9d9f, 0xfbb8bb46, 0xff79a6f1,
        0xe13ef6f4, 0xe5ffeb43, 0xe8bccd9a, 0xec7dd02d, 0x34867077, 0x30476dc0, 0x3d044b19,
        0x39c556ae, 0x278206ab, 0x23431b1c, 0x2e003dc5, 0x2ac12072, 0x128e9dcf, 0x164f8078,
        0x1b0ca6a1, 0x1fcdbb16, 0x018aeb13, 0x054bf6a4, 0x0808d07d, 0x0cc9cdca, 0x7897ab07,
        0x7c56b6b0, 0x71159069, 0x75d48dde, 0x6b93dddb, 0x6f52c06c, 0x6211e6b5, 0x66d0fb02,
        0x5e9f46bf, 0x5a5e5b08, 0x571d7dd1, 0x53dc6066, 0x4d9b3063, 0x495a2dd4, 0x44190b0d,
        0x40d816ba, 0xaca5c697, 0xa864db20, 0xa527fdf9, 0xa1e6e04e, 0xbfa1b04b, 0xbb60adfc,
        0xb6238b25, 0xb2e29692, 0x8aad2b2f, 0x8e6c3698, 0x832f1041, 0x87ee0df6, 0x99a95df3,
        0x9d684044, 0x902b669d, 0x94ea7b2a, 0xe0b41de7, 0xe4750050, 0xe9362689, 0xedf73b3e,
        0xf3b06b3b, 0xf771768c, 0xfa325055, 0xfef34de2, 0xc6bcf05f, 0xc27dede8, 0xcf3ecb31,
        0xcbffd686, 0xd5b88683, 0xd1799b34, 0xdc3abded, 0xd8fba05a, 0x690ce0ee, 0x6dcdfd59,
        0x608edb80, 0x644fc637, 0x7a089632, 0x7ec98b85, 0x738aad5c, 0x774bb0eb, 0x4f040d56,
        0x4bc510e1, 0x46863638, 0x42472b8f, 0x5c007b8a, 0x58c1663d, 0x558240e4, 0x51435d53,
        0x251d3b9e, 0x21dc2629, 0x2c9f00f0, 0x285e1d47, 0x36194d42, 0x32d850f5, 0x3f9b762c,
        0x3b5a6b9b, 0x0315d626, 0x07d4cb91, 0x0a97ed48, 0x0e56f0ff, 0x1011a0fa, 0x14d0bd4d,
        0x19939b94, 0x1d528623, 0xf12f560e, 0xf5ee4bb9, 0xf8ad6d60, 0xfc6c70d7, 0xe22b20d2,
        0xe6ea3d65, 0xeba91bbc, 0xef68060b, 0xd727bbb6, 0xd3e6a601, 0xdea580d8, 0xda649d6f,
        0xc423cd6a, 0xc0e2d0dd, 0xcda1f604, 0xc960ebb3, 0xbd3e8d7e, 0xb9ff90c9, 0xb4bcb610,
        0xb07daba7, 0xae3afba2, 0xaafbe615, 0xa7b8c0cc, 0xa379dd7b, 0x9b3660c6, 0x9ff77d71,
        0x92b45ba8, 0x9675461f, 0x8832161a, 0x8cf30bad, 0x81b02d74, 0x857130c3, 0x5d8a9099,
        0x594b8d2e, 0x5408abf7, 0x50c9b640, 0x4e8ee645, 0x4a4ffbf2, 0x470cdd2b, 0x43cdc09c,
        0x7b827d21, 0x7f436096, 0x7200464f, 0x76c15bf8, 0x68860bfd, 0x6c47164a, 0x61043093,
        0x65c52d24, 0x119b4be9, 0x155a565e, 0x18197087, 0x1cd86d30, 0x029f3d35, 0x065e2082,
        0x0b1d065b, 0x0fdc1bec, 0x3793a651, 0x3352bbe6, 0x3e119d3f, 0x3ad08088, 0x2497d08d,
        0x2056cd3a, 0x2d15ebe3, 0x29d4f654, 0xc5a92679, 0xc1683bce, 0xcc2b1d17, 0xc8ea00a0,
        0xd6ad50a5, 0xd26c4d12, 0xdf2f6bcb, 0xdbee767c, 0xe3a1cbc1, 0xe760d676, 0xea23f0af,
        0xeee2ed18, 0xf0a5bd1d, 0xf464a0aa, 0xf9278673, 0xfde69bc4, 0x89b8fd09, 0x8d79e0be,
        0x803ac667, 0x84fbdbd0, 0x9abc8bd5, 0x9e7d9662, 0x933eb0bb, 0x97ffad0c, 0xafb010b1,
        0xab710d06, 0xa6322bdf, 0xa2f33668, 0xbcb4666d, 0xb8757bda, 0xb5365d03, 0xb1f740b4 };
 
    // Nallocfuzz data to take a decision
    uint32_t nalloc_random_state = 0;
    __thread unsigned int nalloc_running = 0;
    bool nalloc_initialized = false;
    uint32_t nalloc_runs = 0;
 
    // Nalloc fuzz parameters
    uint32_t nalloc_bitmask = 0xFF;
    bool nalloc_random_bitmask = true;
    uint32_t nalloc_magic = 0x294cee63;
    bool nalloc_verbose = false;
    const char *nalloc_prefix = "";
    uint32_t nalloc_prefix_len = 0;
    char nalloc_prefix_dir[PATH_MAX];
 
#ifdef NALLOC_ASAN
    extern void __sanitizer_print_stack_trace(void);
    extern void __sanitizer_symbolize_pc(
            void *pc, const char *fmt, char *out_buf, size_t out_buf_size);
#endif
 
#define NALLOC_PREFIX_MAX 1024
 
    __attribute__((noinline)) static void nalloc_restrict_file_prefix(uint8_t levels_up)
    {
#ifdef NALLOC_ASAN
        void *pc = __builtin_return_address(0);
        __sanitizer_symbolize_pc(pc, "%s", nalloc_prefix_dir, sizeof(nalloc_prefix_dir) - 1);
        uint16_t slashes[levels_up];
        uint8_t slash_off = 0;
        // /src/suricata/src/test/fuzz/file.c -3 levels -> /src/suricata/src/
        for (uint16_t i = 0; i < PATH_MAX; i++) {
            if (nalloc_prefix_dir[i] == 0) {
                uint32_t cut = slashes[slash_off];
                nalloc_prefix_dir[cut] = 0;
                nalloc_prefix = nalloc_prefix_dir;
                nalloc_prefix_len = cut;
                return;
            }
            if (nalloc_prefix_dir[i] == '/') {
                slashes[slash_off] = i;
                slash_off = (slash_off + 1) % levels_up;
            }
        }
#endif
    }
 
    // Generic init, using env variables to get parameters
    static void nalloc_init(const char *prog)
    {
        if (nalloc_initialized) {
            return;
        }
        nalloc_initialized = true;
        char *bitmask = getenv("NALLOC_FREQ");
        if (bitmask) {
            long shift = strtol(bitmask, NULL, 10);
            if (shift > 0 && shift < 31) {
                nalloc_bitmask = 1 << shift;
                nalloc_random_bitmask = false;
            } else if (shift == 0) {
                nalloc_random_bitmask = false;
                nalloc_bitmask = 0;
            }
        } else if (prog == NULL || strstr(prog, "nalloc") == NULL) {
            nalloc_random_bitmask = false;
            nalloc_bitmask = 0;
            return;
        }
 
        char *verbose = getenv("NALLOC_VERBOSE");
        if (verbose) {
            nalloc_verbose = true;
        }
        char *rfp = getenv("NALLOC_RESTRICT_FILE_PREFIX");
        if (rfp) {
            nalloc_restrict_file_prefix((uint8_t)strtol(rfp, NULL, 10));
        }
    }
 
    // add one byte to the CRC
    static inline void nalloc_random_update(uint8_t b)
    {
        nalloc_random_state = ((uint32_t)((uint32_t)nalloc_random_state << 8)) ^
                              nalloc_crc32_table[((nalloc_random_state >> 24) ^ b) & 0xFF];
    }
 
    // Start the failure injections, using a buffer as seed
    static int nalloc_start(const uint8_t *data, size_t size)
    {
        if (nalloc_random_bitmask) {
            if (nalloc_random_state & 0x10) {
                nalloc_bitmask = 0xFFFFFFFF;
            } else {
                nalloc_bitmask = 1 << (5 + (nalloc_random_state & 0xF));
            }
        } else if (nalloc_bitmask == 0) {
            // nalloc disabled
            return 0;
        }
        nalloc_random_state = 0;
        for (size_t i = 0; i < size; i++) {
            nalloc_random_update(data[i]);
        }
        if (__sync_fetch_and_add(&nalloc_running, 1)) {
            __sync_fetch_and_sub(&nalloc_running, 1);
            return 0;
        }
        nalloc_runs++;
        return 1;
    }
 
#define nalloc_return_address() __builtin_return_address(1)
 
    // Stop the failure injections
    static void nalloc_end(void)
    {
        __sync_fetch_and_sub(&nalloc_running, 1);
    }
 
    __attribute__((noinline)) static bool nalloc_backtrace_exclude(
            size_t size, const char *op, void *pc)
    {
#ifdef NALLOC_ASAN
        if (nalloc_prefix_len > 0) {
            char data[NALLOC_PREFIX_MAX];
            __sanitizer_symbolize_pc(pc, "%s", data, sizeof(data) - 1);
            for (size_t i = 0; i < nalloc_prefix_len; i++) {
                if (data[i] != nalloc_prefix[i]) {
                    return true;
                }
            }
        }
#endif
        if (nalloc_verbose) {
            fprintf(stderr, "failed %s(%zu) \n", op, size);
#ifdef NALLOC_ASAN
            __sanitizer_print_stack_trace();
#endif
        }
 
        return false;
    }
 
    //
    static bool nalloc_fail(size_t size, const char *op)
    {
        // do not fail before thread init
        if (nalloc_runs == 0) {
            return false;
        }
        if (__sync_fetch_and_add(&nalloc_running, 1) != 1) {
            // do not fail allocations outside of fuzzer input
            // and do not fail inside of this function
            __sync_fetch_and_sub(&nalloc_running, 1);
            return false;
        }
        nalloc_random_update((uint8_t)size);
        if (size >= 0x100) {
            nalloc_random_update((uint8_t)(size >> 8));
            if (size >= 0x10000) {
                nalloc_random_update((uint8_t)(size >> 16));
                // bigger may already fail or oom
            }
        }
        if (((nalloc_random_state ^ nalloc_magic) & nalloc_bitmask) == 0) {
            void *pc = NULL;
#ifdef NALLOC_ASAN
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wframe-address"
            pc = nalloc_return_address();
#pragma clang diagnostic pop
#endif
            if (nalloc_backtrace_exclude(size, op, pc)) {
                __sync_fetch_and_sub(&nalloc_running, 1);
                return false;
            }
            __sync_fetch_and_sub(&nalloc_running, 1);
            return true;
        }
        __sync_fetch_and_sub(&nalloc_running, 1);
        return false;
    }
 
// ASAN interceptor for libc routines
#ifdef NALLOC_ASAN
    extern void *__interceptor_malloc(size_t);
    extern void *__interceptor_calloc(size_t, size_t);
    extern void *__interceptor_realloc(void *, size_t);
 
    extern ssize_t __interceptor_read(int, void *, size_t);
    extern ssize_t __interceptor_write(int, const void *, size_t);
    extern ssize_t __interceptor_recv(int, void *, size_t, int);
    extern ssize_t __interceptor_send(int, const void *, size_t, int);
 
#define nalloc_malloc(s)     __interceptor_malloc(s)
#define nalloc_calloc(s, n)  __interceptor_calloc(s, n)
#define nalloc_realloc(p, s) __interceptor_realloc(p, s)
 
#define nalloc_read(f, b, s)    __interceptor_read(f, b, s)
#define nalloc_write(f, b, s)   __interceptor_write(f, b, s)
#define nalloc_recv(f, b, s, x) __interceptor_recv(f, b, s, x)
#define nalloc_send(f, b, s, x) __interceptor_send(f, b, s, x)
 
#else
extern void *__libc_malloc(size_t);
extern void *__libc_calloc(size_t, size_t);
extern void *__libc_realloc(void *, size_t);
 
extern ssize_t __read(int, void *, size_t);
extern ssize_t __write(int, const void *, size_t);
extern ssize_t __recv(int, void *, size_t, int);
extern ssize_t __send(int, const void *, size_t, int);
 
#define nalloc_malloc(s)     __libc_malloc(s)
#define nalloc_calloc(s, n)  __libc_calloc(s, n)
#define nalloc_realloc(p, s) __libc_realloc(p, s)
 
#define nalloc_read(f, b, s)    __read(f, b, s)
#define nalloc_write(f, b, s)   __write(f, b, s)
#define nalloc_recv(f, b, s, x) __recv(f, b, s, x)
#define nalloc_send(f, b, s, x) __send(f, b, s, x)
#endif
 
    // nalloc standard function overwrites with pseudo-random failures
    ssize_t read(int fd, void *buf, size_t count)
    {
        if (nalloc_fail(count, "read")) {
            errno = EIO;
            return -1;
        }
        return nalloc_read(fd, buf, count);
    }
 
    ssize_t write(int fd, const void *buf, size_t count)
    {
        if (nalloc_fail(count, "write")) {
            errno = EIO;
            return -1;
        }
        return nalloc_write(fd, buf, count);
    }
 
    ssize_t recv(int fd, void *buf, size_t count, int flags)
    {
        if (nalloc_fail(count, "recv")) {
            errno = EIO;
            return -1;
        }
        return nalloc_recv(fd, buf, count, flags);
    }
 
    ssize_t send(int fd, const void *buf, size_t count, int flags)
    {
        if (nalloc_fail(count, "send")) {
            errno = EIO;
            return -1;
        }
        return nalloc_send(fd, buf, count, flags);
    }
 
    void *calloc(size_t nmemb, size_t size)
    {
        if (nalloc_fail(size, "calloc")) {
            errno = ENOMEM;
            return NULL;
        }
        return nalloc_calloc(nmemb, size);
    }
 
    void *malloc(size_t size)
    {
        if (nalloc_fail(size, "malloc")) {
            errno = ENOMEM;
            return NULL;
        }
        return nalloc_malloc(size);
    }
 
    void *realloc(void *ptr, size_t size)
    {
        if (nalloc_fail(size, "realloc")) {
            errno = ENOMEM;
            return NULL;
        }
        return nalloc_realloc(ptr, size);
    }
 
#ifdef __cplusplus
} // extern "C" {
#endif
 
#endif // defined(FUZZER_ENABLE_NALLOC)
 
#endif // NALLOC_INC_C_