/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "mozilla/ipc/Faulty.h" #include <cerrno> #include <prinrval.h> #include "nsXULAppAPI.h" #include "base/string_util.h" #include "chrome/common/ipc_message.h" #include "chrome/common/ipc_channel.h" #include "prenv.h" #include "mozilla/TypeTraits.h" #include <cmath> #include <climits> namespace mozilla { namespace ipc { const unsigned int Faulty::sDefaultProbability = Faulty::DefaultProbability(); const bool Faulty::sIsLoggingEnabled = Faulty::Logging(); /** * RandomNumericValue generates negative and positive integrals. */ template <typename T> T RandomIntegral() { static_assert(mozilla::IsIntegral<T>::value == true, "T must be an integral type"); double r = static_cast<double>(random() % ((sizeof(T) * CHAR_BIT) + 1)); T x = static_cast<T>(pow(2.0, r)) - 1; if (std::numeric_limits<T>::is_signed && random() % 2 == 0) { return (x * -1) - 1; } return x; } /** * RandomNumericLimit returns either the min or max limit of an arithmetic * data type. */ template <typename T> T RandomNumericLimit() { static_assert(mozilla::IsArithmetic<T>::value == true, "T must be an arithmetic type"); return random() % 2 == 0 ? std::numeric_limits<T>::min() : std::numeric_limits<T>::max(); } /** * RandomIntegerRange returns a random integral within a user defined range. */ template <typename T> T RandomIntegerRange(T min, T max) { static_assert(mozilla::IsIntegral<T>::value == true, "T must be an integral type"); MOZ_ASSERT(min < max); return static_cast<T>(random() % (max - min) + min); } /** * RandomFloatingPointRange returns a random floating-point number within a * user defined range. */ template <typename T> T RandomFloatingPointRange(T min, T max) { static_assert(mozilla::IsFloatingPoint<T>::value == true, "T must be a floating point type"); MOZ_ASSERT(min < max); T x = static_cast<T>(random()) / static_cast<T>(RAND_MAX); return min + x * (max - min); } /** * RandomFloatingPoint returns a random floating-point number. */ template <typename T> T RandomFloatingPoint() { static_assert(mozilla::IsFloatingPoint<T>::value == true, "T must be a floating point type"); int radix = RandomIntegerRange<int>(std::numeric_limits<T>::min_exponent, std::numeric_limits<T>::max_exponent); T x = static_cast<T>(pow(2.0, static_cast<double>(radix))); return x * RandomFloatingPointRange<T>(1.0, 2.0); } /** * FuzzIntegralType mutates an incercepted integral type of a pickled message. */ template <typename T> void FuzzIntegralType(T* v, bool largeValues) { static_assert(mozilla::IsIntegral<T>::value == true, "T must be an integral type"); switch (random() % 6) { case 0: if (largeValues) { (*v) = RandomIntegral<T>(); break; } // Fall through case 1: if (largeValues) { (*v) = RandomNumericLimit<T>(); break; } // Fall through case 2: if (largeValues) { (*v) = RandomIntegerRange<T>(std::numeric_limits<T>::min(), std::numeric_limits<T>::max()); break; } // Fall through default: switch(random() % 2) { case 0: // Prevent underflow if (*v != std::numeric_limits<T>::min()) { (*v)--; break; } // Fall through case 1: // Prevent overflow if (*v != std::numeric_limits<T>::max()) { (*v)++; break; } } } } /** * FuzzFloatingPointType mutates an incercepted floating-point type of a * pickled message. */ template <typename T> void FuzzFloatingPointType(T* v, bool largeValues) { static_assert(mozilla::IsFloatingPoint<T>::value == true, "T must be a floating point type"); switch (random() % 6) { case 0: if (largeValues) { (*v) = RandomNumericLimit<T>(); break; } // Fall through case 1: if (largeValues) { (*v) = RandomFloatingPointRange<T>(std::numeric_limits<T>::min(), std::numeric_limits<T>::max()); break; } // Fall through default: (*v) = RandomFloatingPoint<T>(); } } /** * FuzzStringType mutates an incercepted string type of a pickled message. */ template <typename T> void FuzzStringType(T& v, const T& literal1, const T& literal2) { switch (random() % 5) { case 4: v = v + v; // Fall through case 3: v = v + v; // Fall through case 2: v = v + v; break; case 1: v += literal1; break; case 0: v = literal2; break; } } Faulty::Faulty() // Enables the strategy for fuzzing pipes. : mFuzzPipes(!!PR_GetEnv("FAULTY_PIPE")) // Enables the strategy for fuzzing pickled messages. , mFuzzPickle(!!PR_GetEnv("FAULTY_PICKLE")) // Uses very large values while fuzzing pickled messages. // This may cause a high amount of malloc_abort() / NS_ABORT_OOM crashes. , mUseLargeValues(!!PR_GetEnv("FAULTY_LARGE_VALUES")) // Sets up our target process. , mIsValidProcessType(IsValidProcessType()) { FAULTY_LOG("Initializing."); const char* userSeed = PR_GetEnv("FAULTY_SEED"); unsigned long randomSeed = static_cast<unsigned long>(PR_IntervalNow()); if (userSeed) { long n = std::strtol(userSeed, nullptr, 10); if (n != 0) { randomSeed = static_cast<unsigned long>(n); } } srandom(randomSeed); FAULTY_LOG("Fuzz probability = %u", sDefaultProbability); FAULTY_LOG("Random seed = %lu", randomSeed); FAULTY_LOG("Strategy: pickle = %s", mFuzzPickle ? "enabled" : "disabled"); FAULTY_LOG("Strategy: pipe = %s", mFuzzPipes ? "enabled" : "disabled"); } // static bool Faulty::IsValidProcessType(void) { bool isValidProcessType; const bool targetChildren = !!PR_GetEnv("FAULTY_CHILDREN"); const bool targetParent = !!PR_GetEnv("FAULTY_PARENT"); if (targetChildren && !targetParent) { // Fuzz every process type but not the content process. isValidProcessType = XRE_GetProcessType() != GeckoProcessType_Content; } else if (targetChildren && targetParent) { // Fuzz every process type. isValidProcessType = true; } else { // Fuzz the content process only. isValidProcessType = XRE_GetProcessType() == GeckoProcessType_Content; } // Parent and children are different threads in the same process on // desktop builds. if (!isValidProcessType) { FAULTY_LOG("Invalid process type for pid=%d", getpid()); } return isValidProcessType; } // static unsigned int Faulty::DefaultProbability(void) { // Defines the likelihood of fuzzing a message. const char* probability = PR_GetEnv("FAULTY_PROBABILITY"); if (probability) { long n = std::strtol(probability, nullptr, 10); if (n != 0) { return n; } } return FAULTY_DEFAULT_PROBABILITY; } // static bool Faulty::Logging(void) { // Enables logging of sendmsg() calls even in optimized builds. return !!PR_GetEnv("FAULTY_ENABLE_LOGGING"); } unsigned int Faulty::Random(unsigned int aMax) { MOZ_ASSERT(aMax > 0); return static_cast<unsigned int>(random() % aMax); } bool Faulty::GetChance(unsigned int aProbability) { return Random(aProbability) == 0; } // // Strategy: Pipes // void Faulty::MaybeCollectAndClosePipe(int aPipe, unsigned int aProbability) { if (!mFuzzPipes) { return; } if (aPipe > -1) { FAULTY_LOG("collecting pipe %d to bucket of pipes (count: %ld)", aPipe, mFds.size()); mFds.insert(aPipe); } if (mFds.size() > 0 && GetChance(aProbability)) { std::set<int>::iterator it(mFds.begin()); std::advance(it, Random(mFds.size())); FAULTY_LOG("trying to close collected pipe: %d", *it); errno = 0; while ((close(*it) == -1 && (errno == EINTR))) { ; } FAULTY_LOG("pipe status after attempt to close: %d", errno); mFds.erase(it); } } // // Strategy: Pickle // void Faulty::MutateBool(bool* aValue) { *aValue = !(*aValue); } void Faulty::FuzzBool(bool* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { bool oldValue = *aValue; MutateBool(aValue); FAULTY_LOG("pickle field {bool} of value: %d changed to: %d", (int)oldValue, (int)*aValue); } } } void Faulty::MutateChar(char* aValue) { FuzzIntegralType<char>(aValue, true); } void Faulty::FuzzChar(char* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { char oldValue = *aValue; MutateChar(aValue); FAULTY_LOG("pickle field {char} of value: %c changed to: %c", oldValue, *aValue); } } } void Faulty::MutateUChar(unsigned char* aValue) { FuzzIntegralType<unsigned char>(aValue, true); } void Faulty::FuzzUChar(unsigned char* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { unsigned char oldValue = *aValue; MutateUChar(aValue); FAULTY_LOG("pickle field {unsigned char} of value: %u changed to: %u", oldValue, *aValue); } } } void Faulty::MutateInt16(int16_t* aValue) { FuzzIntegralType<int16_t>(aValue, true); } void Faulty::FuzzInt16(int16_t* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { int16_t oldValue = *aValue; MutateInt16(aValue); FAULTY_LOG("pickle field {Int16} of value: %d changed to: %d", oldValue, *aValue); } } } void Faulty::MutateUInt16(uint16_t* aValue) { FuzzIntegralType<uint16_t>(aValue, true); } void Faulty::FuzzUInt16(uint16_t* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { uint16_t oldValue = *aValue; MutateUInt16(aValue); FAULTY_LOG("pickle field {UInt16} of value: %d changed to: %d", oldValue, *aValue); } } } void Faulty::MutateInt(int* aValue) { FuzzIntegralType<int>(aValue, mUseLargeValues); } void Faulty::FuzzInt(int* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { int oldValue = *aValue; MutateInt(aValue); FAULTY_LOG("pickle field {int} of value: %d changed to: %d", oldValue, *aValue); } } } void Faulty::MutateUInt32(uint32_t* aValue) { FuzzIntegralType<uint32_t>(aValue, mUseLargeValues); } void Faulty::FuzzUInt32(uint32_t* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { uint32_t oldValue = *aValue; MutateUInt32(aValue); FAULTY_LOG("pickle field {UInt32} of value: %u changed to: %u", oldValue, *aValue); } } } void Faulty::MutateLong(long* aValue) { FuzzIntegralType<long>(aValue, mUseLargeValues); } void Faulty::FuzzLong(long* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { long oldValue = *aValue; MutateLong(aValue); FAULTY_LOG("pickle field {long} of value: %ld changed to: %ld", oldValue, *aValue); } } } void Faulty::MutateULong(unsigned long* aValue) { FuzzIntegralType<unsigned long>(aValue, mUseLargeValues); } void Faulty::FuzzULong(unsigned long* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { unsigned long oldValue = *aValue; MutateULong(aValue); FAULTY_LOG("pickle field {unsigned long} of value: %lu changed to: %lu", oldValue, *aValue); } } } void Faulty::MutateSize(size_t* aValue) { FuzzIntegralType<size_t>(aValue, mUseLargeValues); } void Faulty::FuzzSize(size_t* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { size_t oldValue = *aValue; MutateSize(aValue); FAULTY_LOG("pickle field {size_t} of value: %zu changed to: %zu", oldValue, *aValue); } } } void Faulty::MutateUInt64(uint64_t* aValue) { FuzzIntegralType<uint64_t>(aValue, mUseLargeValues); } void Faulty::FuzzUInt64(uint64_t* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { uint64_t oldValue = *aValue; MutateUInt64(aValue); FAULTY_LOG("pickle field {UInt64} of value: %llu changed to: %llu", oldValue, *aValue); } } } void Faulty::MutateInt64(int64_t* aValue) { FuzzIntegralType<int64_t>(aValue, mUseLargeValues); } void Faulty::FuzzInt64(int64_t* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { int64_t oldValue = *aValue; MutateInt64(aValue); FAULTY_LOG("pickle field {Int64} of value: %lld changed to: %lld", oldValue, *aValue); } } } void Faulty::MutateDouble(double* aValue) { FuzzFloatingPointType<double>(aValue, mUseLargeValues); } void Faulty::FuzzDouble(double* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { double oldValue = *aValue; MutateDouble(aValue); FAULTY_LOG("pickle field {double} of value: %f changed to: %f", oldValue, *aValue); } } } void Faulty::MutateFloat(float* aValue) { FuzzFloatingPointType<float>(aValue, mUseLargeValues); } void Faulty::FuzzFloat(float* aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { float oldValue = *aValue; MutateFloat(aValue); FAULTY_LOG("pickle field {float} of value: %f changed to: %f", oldValue, *aValue); } } } void Faulty::FuzzString(std::string& aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { std::string oldValue = aValue; FuzzStringType<std::string>(aValue, "xoferiF", std::string()); FAULTY_LOG("pickle field {string} of value: %s changed to: %s", oldValue.c_str(), aValue.c_str()); } } } void Faulty::FuzzWString(std::wstring& aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { std::wstring oldValue = aValue; FAULTY_LOG("pickle field {wstring}"); FuzzStringType<std::wstring>(aValue, L"xoferiF", std::wstring()); } } } void Faulty::FuzzString16(string16& aValue, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { string16 oldValue = aValue; FAULTY_LOG("pickle field {string16}"); FuzzStringType<string16>(aValue, string16(ASCIIToUTF16(std::string("xoferiF"))), string16(ASCIIToUTF16(std::string()))); } } } void Faulty::FuzzBytes(void* aData, int aLength, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { FAULTY_LOG("pickle field {bytes}"); // Too destructive. |WriteBytes| is used in many of the above data // types as base function. //FuzzData(static_cast<char*>(aData), aLength); } } } void Faulty::FuzzData(std::string& aValue, int aLength, unsigned int aProbability) { if (mIsValidProcessType) { if (mFuzzPickle && GetChance(aProbability)) { FAULTY_LOG("pickle field {data}"); for (int i = 0; i < aLength; ++i) { if (GetChance(aProbability)) { FuzzIntegralType<char>(&aValue[i], true); } } } } } } // namespace ipc } // namespace mozilla