1 files changed, 157 insertions, 0 deletions

diff --git a/fuzz/README b/fuzz/README
new file mode 100644
index 0000000..ecb02bb
--- /dev/null
+++ b/fuzz/README
@@ -0,0 +1,157 @@
+libfido2 can be fuzzed using AFL or libFuzzer, with or without
+ASAN/MSAN/UBSAN.
+
+AFL is more convenient when fuzzing the path from the authenticator to
+libfido2 in an existing application. To do so, use preload-snoop.c with a real
+authenticator to obtain an initial corpus, rebuild libfido2 with -DFUZZ=1
+-DAFL=1, and use preload-fuzz.c to read device data from stdin. Examples of
+this approach can be found in the harnesses under fuzz/harnesses/ that fuzz
+the standalone examples and tools bundled with libfido2.
+
+libFuzzer is better suited for bespoke fuzzers; see fuzz_cred.c, fuzz_credman.c,
+fuzz_assert.c, and fuzz_mgmt.c for examples. To build these harnesses,
+use -DFUZZ=1 -DLIBFUZZER=1.
+
+To run under ASAN/MSAN/UBSAN, libfido2 needs to be linked against flavours of
+libcbor and OpenSSL built with the respective sanitiser. In order to keep
+memory utilisation at a manageable level, you can either enforce limits at
+the OS level (e.g. cgroups on Linux) or, alternatively, patch libcbor with
+the diff at the bottom of this file.
+
+1. Using ASAN + UBSAN
+
+- Make sure you have libcbor built with -fsanitize=address;
+- Make sure you have OpenSSL built with -fsanitize=address;
+- Rebuild libfido2 with -DASAN=1 -DUBSAN=1.
+
+1.1 Decide where your workspace will live
+
+$ export FAKEROOT=/home/pedro/fakeroot
+$ mkdir -p ${FAKEROOT}/src
+
+1.2 Building libcbor with ASAN
+
+$ git clone https://github.com/pjk/libcbor ${FAKEROOT}/src/libcbor
+$ cd ${FAKEROOT}/src/libcbor
+
+Assuming libfido2 is under ${FAKEROOT}/src/libfido2:
+
+$ patch -p0 < ${FAKEROOT}/src/libfido2/fuzz/README
+$ mkdir build
+$ cd build
+$ cmake -DCMAKE_C_FLAGS_DEBUG="-g2 -fno-omit-frame-pointer" \
+        -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug \
+        -DCMAKE_INSTALL_PREFIX=${FAKEROOT} -DSANITIZE=ON \
+        -DCMAKE_INSTALL_LIBDIR=lib ..
+$ make
+$ make install
+
+1.3 Building OpenSSL with ASAN
+
+$ git clone https://github.com/openssl/openssl ${FAKEROOT}/src/openssl
+$ cd ${FAKEROOT}/src/openssl
+$ ./Configure linux-x86_64-clang enable-asan --prefix=${FAKEROOT} \
+        --openssldir=${FAKEROOT}/openssl
+$ make clean
+$ make
+$ make install_sw
+
+1.4 Building libfido2 with libFuzzer and ASAN + UBSAN
+
+$ cd ${FAKEROOT}/src/libfido2
+$ mkdir build
+$ cd build
+$ cmake -DFUZZ=1 -DLIBFUZZER=1 -DASAN=1 -DUBSAN=1 -DCMAKE_C_COMPILER=clang \
+        -DCRYPTO_INCLUDE_DIRS=${FAKEROOT}/include \
+        -DCRYPTO_LIBRARY_DIRS=${FAKEROOT}/lib \
+        -DCBOR_INCLUDE_DIRS=${FAKEROOT}/include \
+        -DCBOR_LIBRARY_DIRS=${FAKEROOT}/lib \
+        -DCMAKE_BUILD_TYPE=Debug ..
+$ make
+
+2. Using MSAN + UBSAN
+
+- Make sure you have libcbor built with -fsanitize=memory;
+- Make sure you have OpenSSL built with -fsanitize=memory;
+- Rebuild libfido2 with -DMSAN=1 -DUBSAN=1.
+
+2.1 Decide where your workspace will live
+
+$ export FAKEROOT=/home/pedro/fakeroot
+$ mkdir -p ${FAKEROOT}/src
+
+2.2 Building libcbor with MSAN
+
+$ git clone https://github.com/pjk/libcbor ${FAKEROOT}/src/libcbor
+$ cd ${FAKEROOT}/src/libcbor
+
+Assuming libfido2 is under ${FAKEROOT}/src/libfido2:
+
+$ patch -p0 < ${FAKEROOT}/src/libfido2/fuzz/README
+$ mkdir build
+$ cd build
+$ cmake -DCMAKE_C_FLAGS_DEBUG="-fsanitize=memory,undefined -g2 -fno-omit-frame-pointer" \  
+        -DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug \
+        -DCMAKE_INSTALL_PREFIX=${FAKEROOT} -DSANITIZE=OFF \
+        -DCMAKE_INSTALL_LIBDIR=lib ..
+$ make
+$ make install
+
+2.2 Building OpenSSL with MSAN
+
+$ mkdir -p ${FAKEROOT}/src
+$ git clone https://github.com/openssl/openssl ${FAKEROOT}/src/openssl
+$ cd ${FAKEROOT}/src/openssl
+$ ./Configure linux-x86_64-clang enable-msan --prefix=${FAKEROOT} \
+        --openssldir=${FAKEROOT}/openssl
+$ make clean
+$ make
+$ make install_sw
+
+2.3 Building libfido2 with libFuzzer and MSAN + UBSAN
+
+$ cd ${FAKEROOT}/src/libfido2
+$ mkdir build
+$ cd build
+$ cmake -DFUZZ=1 -DLIBFUZZER=1 -DMSAN=1 -DUBSAN=1 -DCMAKE_C_COMPILER=clang \
+        -DCRYPTO_INCLUDE_DIRS=${FAKEROOT}/include \
+        -DCRYPTO_LIBRARY_DIRS=${FAKEROOT}/lib \
+        -DCBOR_INCLUDE_DIRS=${FAKEROOT}/include \
+        -DCBOR_LIBRARY_DIRS=${FAKEROOT}/lib \
+        -DCMAKE_BUILD_TYPE=Debug ..
+$ make
+
+3. Running the libFuzzer harnesses
+
+When running under ASAN, you may want to set ASAN_OPTIONS to
+'allocator_may_return_null=1:detect_stack_use_after_return=1'.
+
+The recommended way to run the harnesses is:
+
+$ fuzz_{assert,cred,credman,mgmt} -use_value_profile=1 -reload=30 \
+        -print_pcs=1 -print_funcs=30 -timeout=10 -max_len=17408 CORPUS_DIR
+
+You may want to use -jobs or -workers depending on the number of logical
+cores available for fuzzing.
+
+4. Auxiliary scripts
+
+A set of harnesses and auxiliary scripts can be found under harnesses/. To
+compile coverage reports, adjust the harnesses to your setup and run 'report'.
+
+diff --git src/cbor/internal/memory_utils.c src/cbor/internal/memory_utils.c
+index aa049a2..e294b38 100644
+--- src/cbor/internal/memory_utils.c
++++ src/cbor/internal/memory_utils.c
+@@ -28,7 +28,10 @@ bool _cbor_safe_to_multiply(size_t a, size_t b) {
+ 
+ void* _cbor_alloc_multiple(size_t item_size, size_t item_count) {
+   if (_cbor_safe_to_multiply(item_size, item_count)) {
+-    return _CBOR_MALLOC(item_size * item_count);
++    if (item_count > 1000) {
++      return NULL;
++    } else
++      return _CBOR_MALLOC(item_size * item_count);
+   } else {
+     return NULL;
+   }