summaryrefslogtreecommitdiffstats
path: root/security/nss/fuzz/nssfuzz.cc
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/fuzz/nssfuzz.cc')
-rw-r--r--security/nss/fuzz/nssfuzz.cc148
1 files changed, 148 insertions, 0 deletions
diff --git a/security/nss/fuzz/nssfuzz.cc b/security/nss/fuzz/nssfuzz.cc
new file mode 100644
index 000000000..d9769309a
--- /dev/null
+++ b/security/nss/fuzz/nssfuzz.cc
@@ -0,0 +1,148 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <iomanip>
+#include <iostream>
+#include <memory>
+
+#include "keyhi.h"
+#include "pk11pub.h"
+
+#include "FuzzerInternal.h"
+#include "registry.h"
+#include "shared.h"
+
+using namespace std;
+
+class Args {
+ public:
+ Args(int argc, char **argv) : args_(argv, argv + argc) {}
+
+ string &operator[](const int idx) { return args_[idx]; }
+
+ bool Has(const string &arg) {
+ return any_of(args_.begin(), args_.end(),
+ [&arg](string &a) { return a.find(arg) == 0; });
+ }
+
+ void Append(const string &arg) { args_.push_back(arg); }
+
+ void Remove(const int index) {
+ assert(index < count());
+ args_.erase(args_.begin() + index);
+ }
+
+ vector<char *> argv() {
+ vector<char *> out;
+ out.resize(count());
+
+ transform(args_.begin(), args_.end(), out.begin(),
+ [](string &a) { return const_cast<char *>(a.c_str()); });
+
+ return out;
+ }
+
+ size_t count() { return args_.size(); }
+
+ private:
+ vector<string> args_;
+};
+
+void printUsage(Args &args) {
+ size_t sep = args[0].rfind("/") + 1;
+ string progName = args[0].substr(sep);
+
+ cerr << progName << " - Various libFuzzer targets for NSS" << endl << endl;
+ cerr << "Usage: " << progName << " <target> <libFuzzer options>" << endl
+ << endl;
+ cerr << "Valid targets:" << endl;
+
+ vector<string> names = Registry::Names();
+
+ // Find length of the longest name.
+ size_t name_w =
+ max_element(names.begin(), names.end(), [](string &a, string &b) {
+ return a.size() < b.size();
+ })->size();
+
+ // Find length of the longest description.
+ auto max = max_element(names.begin(), names.end(), [](string &a, string &b) {
+ return Registry::Desc(a).size() < Registry::Desc(b).size();
+ });
+ size_t desc_w = Registry::Desc(*max).size();
+
+ // Print list of targets.
+ for (string name : names) {
+ cerr << " " << left << setw(name_w) << name << " - " << setw(desc_w)
+ << Registry::Desc(name)
+ << " [default max_len=" << Registry::MaxLen(name) << "]" << endl;
+ }
+
+ // Some usage examples.
+ cerr << endl << "Run fuzzer with a given corpus directory:" << endl;
+ cerr << " " << progName << " <target> /path/to/corpus" << endl;
+
+ cerr << endl << "Run fuzzer with a single test input:" << endl;
+ cerr << " " << progName
+ << " <target> ./crash-14d4355b971092e39572bc306a135ddf9f923e19" << endl;
+
+ cerr << endl
+ << "Specify the number of cores you wish to dedicate to fuzzing:"
+ << endl;
+ cerr << " " << progName << " <target> -jobs=8 -workers=8 /path/to/corpus"
+ << endl;
+
+ cerr << endl << "Override the maximum length of a test input:" << endl;
+ cerr << " " << progName << " <target> -max_len=2048 /path/to/corpus" << endl;
+
+ cerr << endl
+ << "Minimize a given corpus and put the result into 'new_corpus':"
+ << endl;
+ cerr << " " << progName
+ << " <target> -merge=1 -max_len=50000 ./new_corpus /path/to/corpus"
+ << endl;
+
+ cerr << endl << "Merge new test inputs into a corpus:" << endl;
+ cerr
+ << " " << progName
+ << " <target> -merge=1 -max_len=50000 /path/to/corpus ./inputs1 ./inputs2"
+ << endl;
+
+ cerr << endl << "Print libFuzzer usage information:" << endl;
+ cerr << " " << progName << " <target> -help=1" << endl << endl;
+
+ cerr << "Check out the docs at http://llvm.org/docs/LibFuzzer.html" << endl;
+}
+
+int main(int argc, char **argv) {
+ Args args(argc, argv);
+
+ if (args.count() < 2 || !Registry::Has(args[1])) {
+ printUsage(args);
+ return 1;
+ }
+
+ string targetName(args[1]);
+
+ // Remove the target argument when -workers=x or -jobs=y is NOT given.
+ // If both are given, libFuzzer will spawn multiple processes for the target.
+ if (!args.Has("-workers=") || !args.Has("-jobs=")) {
+ args.Remove(1);
+ }
+
+ // Set default max_len arg, if none given and we're not merging.
+ if (!args.Has("-max_len=") && !args.Has("-merge=1")) {
+ uint16_t maxLen = Registry::MaxLen(targetName);
+ args.Append("-max_len=" + to_string(maxLen));
+ }
+
+ // Hand control to the libFuzzer driver.
+ vector<char *> args_new(args.argv());
+ argc = args_new.size();
+ argv = args_new.data();
+
+ return fuzzer::FuzzerDriver(&argc, &argv, Registry::Func(targetName));
+}