From 92c14cc6213288b3a0e9cf9a45b06689f4399a55 Mon Sep 17 00:00:00 2001 From: TLINDEN Date: Fri, 14 Mar 2014 15:49:42 +0100 Subject: [PATCH] added fuzz unittests, trying to import invalid binary keys using mangle.c by Ilja van Sprundel --- include/pcp.h | 1 + tests/Makefile.am | 5 ++- tests/mangle.c | 105 ++++++++++++++++++++++++++++++++++++++++++++ tests/unittests.cfg | 41 +++++++++++++++-- 4 files changed, 147 insertions(+), 5 deletions(-) create mode 100644 tests/mangle.c diff --git a/include/pcp.h b/include/pcp.h index 8b16eae..fb0d6c6 100644 --- a/include/pcp.h +++ b/include/pcp.h @@ -8,6 +8,7 @@ extern "C" { #include "pcp/config.h" #include "pcp/base85.h" #include "pcp/buffer.h" +#include "pcp/config.h" #include "pcp/crypto.h" #include "pcp/defines.h" #include "pcp/digital_crc32.h" diff --git a/tests/Makefile.am b/tests/Makefile.am index 57bceee..0550c84 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -21,7 +21,7 @@ AM_CFLAGS = -I../include/pcp -I../src -I../libpcp/scrypt/crypto -Wall -g check_PROGRAMS = col invalidkeys gencheader statictest cpptest \ - buffertest sample streamtest pipetest decodertest + buffertest sample streamtest pipetest decodertest mangle gencheader_LDADD = ../libpcp/.libs/libpcp1.a gencheader_SOURCES = gencheader.c @@ -47,6 +47,9 @@ decodertest_SOURCES = decodertest.c col_LDADD = ../libpcp/.libs/libpcp1.a col_SOURCES = collisions.c ../src/compat_getopt.c +mangle_LDADD = +mangle_SOURCES = mangle.c + invalidkeys_LDADD = ../libpcp/.libs/libpcp1.a \ ../src/keyprint.o ../src/keymgmt.o ../src/readpass.o invalidkeys_SOURCES = invalidkeys.c diff --git a/tests/mangle.c b/tests/mangle.c new file mode 100644 index 0000000..93d5315 --- /dev/null +++ b/tests/mangle.c 
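Review bot: The added `#include "pcp/config.h"` in include/pcp.h duplicates the `#include "pcp/config.h"` that is already visible two context lines above it in the same hunk, so the header is now pulled in twice. Presumably config.h has an include guard and this is only redundant, but the second include should be dropped rather than left as a near-identical line that future merges will trip over. If the intent was to move config.h after buffer.h for ordering reasons, the first include should be removed instead.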
@@ -0,0 +1,105 @@
+/*
+ trivial binary file fuzzer by Ilja van Sprundel.
+ It's usage is very simple, it takes a filename and headersize
+ as input. it will then change approximatly between 0 and 10% of
+ the header with random bytes (biased towards the highest bit set)
+
+ obviously you need a bash script or something as a wrapper !
+
+ so far this broke: - libmagic (used file)
+ - preview (osX pdf viewer)
+ - xpdf (hang, not a crash ...)
+ - mach-o loading (osX 10.3.7, seems to be fixed later)
+ - qnx elf loader (panics almost instantly, yikes !)
+ - FreeBSD elf loading
+ - openoffice
+ - amp
+ - osX image loading (.dmg)
+ - libbfd (used objdump)
+ - libtiff (used tiff2pdf)
+ - xine (division by 0, took 20 minutes of fuzzing)
+ - OpenBSD elf loading (3.7 on a sparc)
+ - unixware 713 elf loading
+ - DragonFlyBSD elf loading
+ - solaris 10 elf loading
+ - cistron-radiusd
+ - linux ext2fs (2.4.29) image loading (division by 0)
+ - linux reiserfs (2.4.29) image loading (instant panic !!!)
+ - linux jfs (2.4.29) image loading (long (uninteruptable) loop, 2 oopses)
+ - linux xfs (2.4.29) image loading (instant panic)
+ - windows macromedia flash .swf loading (obviously the windows version of mangle needs a few tweaks to work ...)
+ - Quicktime player 7.0.1 for MacOS X + - totem + - gnumeric + - vlc + - mplayer + - python bytecode interpreter + - realplayer 10.0.6.776 (GOLD) + - dvips + */ +#include +#include +#include +#include +#include +#include +#include + + +#define DEFAULT_HEADER_SIZE 1024 +#define DEFAULT_NAME "test2" + +int getseed(void) { + int fd = open("/dev/urandom", O_RDONLY); + int r; + if (fd < 0) { + perror("open"); + exit(0); + } + read(fd, &r, sizeof(r)); + close(fd); + return(r); +} + +int main(int argc, char **argv) { + + int fd; + char *p, *name; + unsigned char c; + unsigned int count, i, off, hsize; + + if (argc < 2) { + hsize = DEFAULT_HEADER_SIZE; + name = DEFAULT_NAME; + } else if (argc < 3) { + hsize = DEFAULT_HEADER_SIZE; + name = argv[1]; + } else { + hsize = atoi(argv[2]); + name = argv[1]; + } + fd = open(name, O_RDWR); + if (fd < 0) { + perror("open"); + exit(0); + } + p = mmap(0, hsize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); + if (p == MAP_FAILED) { + perror("mmap"); + close(fd); + exit(0); + } + srand(getseed()); + count = (unsigned) rand() % (hsize / 10); + for (i = 0; i < count; i++) { + off = rand() % hsize; + c = rand() % 256; + /* we want the highest bit set more often, in case of signedness issues */ + if ( (rand() % 2) && c < 128) c |= 0x80; + p[off] = c; + } + close(fd); + munmap(p, hsize); + + return 0; +} diff --git a/tests/unittests.cfg b/tests/unittests.cfg index bc32d0d..7d30764 100644 --- a/tests/unittests.cfg +++ b/tests/unittests.cfg @@ -20,11 +20,12 @@ # You can contact me by mail: . # -pcp = ../src/pcp1 -vault = v1 +pcp = ../src/pcp1 +vault = v1 passwd = xxx -md5msg = 66b8c4ca9e5d2a7e3c0559c3cdea3d50 - +md5msg = 66b8c4ca9e5d2a7e3c0559c3cdea3d50 +mangle = ./mangle +verbose = 1 include keys.cfg 
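Review bot: `count = (unsigned) rand() % (hsize / 10)` in main divides by zero whenever hsize is below 10, which is exactly what `atoi(argv[2])` yields for a non-numeric argument, and nothing bounds hsize to the file's real size, so an mmap longer than the file succeeds and the store `p[off] = c` past EOF faults with SIGBUS instead of mutating anything. Every error path also calls `exit(0)`, so a wrapper such as the `while :` loop in unittests.cfg cannot distinguish a failed run from a successful one, and `read(fd, &r, sizeof(r))` in getseed is unchecked, leaving r indeterminate on a short read. The rewrite below checks the read, exits non-zero on failure, clamps hsize to st_size via fstat (which needs sys/stat.h if it is not already among the includes — the header names are not legible in this rendering) and rejects header sizes under 10 before the modulo.
```c
int getseed(void) {
    int fd = open("/dev/urandom", O_RDONLY);
    int r;
    if (fd < 0) {
        perror("open");
        exit(1);
    }
    if (read(fd, &r, sizeof(r)) != (ssize_t) sizeof(r)) {
        perror("read");
        close(fd);
        exit(1);
    }
    close(fd);
    return(r);
}

int main(int argc, char **argv) {
    struct stat st;
    /* … unchanged: remaining declarations and argument parsing … */
    fd = open(name, O_RDWR);
    if (fd < 0) {
        perror("open");
        exit(1);
    }
    /* never map (and write) beyond the file: a store past EOF raises SIGBUS */
    if (fstat(fd, &st) < 0) {
        perror("fstat");
        close(fd);
        exit(1);
    }
    if ((off_t) hsize > st.st_size) hsize = (unsigned int) st.st_size;
    if (hsize < 10) {
        fprintf(stderr, "%s: need at least 10 bytes to mangle\n", name);
        close(fd);
        exit(1);
    }
    p = mmap(0, hsize, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) {
        perror("mmap");
        close(fd);
        exit(1);
    }
    /* … unchanged: seeding, mutation loop, cleanup … */
```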
@@ -523,6 +524,38 @@ temporarily disabled expect = /Generated new secret key/ +# +# fuzz tests + + prepare = (echo F; echo F) | $pcp -V vfz -k -x a; \ + $pcp -V vfz -p -O testfuzzP.orig -x a; \ + $pcp -V vfz -s -O testfuzzS.orig -x a; + + loop = 30 + prepare = while :; do \ + cp testfuzzP.orig testfuzzP.pub; \ + $mangle testfuzzP.pub; \ + if ! diff testfuzzP.* > /dev/null 2>&1; then \ + break; \ + fi; \ + done + cmd = echo no | $pcp -V vf -K -I testfuzzP.pub -x a + expect = !/added/ + + + loop = 30 + prepare = while :; do \ + cp testfuzzS.orig testfuzzS.sec; \ + $mangle testfuzzS.sec; \ + if ! diff testfuzzS.* > /dev/null 2>&1; then \ + break; \ + fi; \ + done + cmd = echo no | $pcp -V vf -K -I testfuzzS.sec -x a + expect = !/added/ + + + # # test the c++ api
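Review bot: The `while :; do … done` prepare loops in both the testfuzzP and testfuzzS blocks have no upper bound: they exit only once `$mangle` has actually altered the copy, so if mangle fails, is not built, or keeps drawing a zero mutation count, the suite hangs rather than failing. The exported key files' sizes are not visible here, but if they are shorter than mangle's 1024-byte default header size every invocation would fault before writing and the loop would never terminate. A counted loop surfaces this as a failure, e.g. `prepare = n=0; while [ $n -lt 100 ]; do n=$((n+1)); \` in place of `prepare = while :; do \`, with the same change in the second block, and the `cmd` line can then check that a mutation happened before importing.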