1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // Fuzz testing for EncodedProgram serialized format and assembly.
7 // We would like some assurance that if an EncodedProgram is malformed we will
8 // not crash. The EncodedProgram could be malformed either due to malicious
9 // attack to due to an error in patch generation.
11 // We try a lot of arbitrary modifications to the serialized form and make sure
12 // that the outcome is not a crash.
14 #include "base/test/test_suite.h"
16 #include "courgette/base_test_unittest.h"
17 #include "courgette/courgette.h"
18 #include "courgette/streams.h"
20 class DecodeFuzzTest
: public BaseTest
{
22 void FuzzExe(const char *) const;
25 void FuzzByte(const std::string
& buffer
, const std::string
& output
,
27 void FuzzBits(const std::string
& buffer
, const std::string
& output
,
28 size_t index
, int bits_to_flip
) const;
30 // Returns true if could assemble, false if rejected.
31 bool TryAssemble(const std::string
& buffer
, std::string
* output
) const;
34 // Loads an executable and does fuzz testing in the serialized format.
35 void DecodeFuzzTest::FuzzExe(const char* file_name
) const {
36 std::string file1
= FileContents(file_name
);
38 const void* original_buffer
= file1
.c_str();
39 size_t original_length
= file1
.length();
41 courgette::AssemblyProgram
* program
= NULL
;
42 const courgette::Status parse_status
=
43 courgette::ParseDetectedExecutable(original_buffer
, original_length
,
45 EXPECT_EQ(courgette::C_OK
, parse_status
);
47 courgette::EncodedProgram
* encoded
= NULL
;
49 const courgette::Status encode_status
= Encode(program
, &encoded
);
50 EXPECT_EQ(courgette::C_OK
, encode_status
);
52 DeleteAssemblyProgram(program
);
54 courgette::SinkStreamSet sinks
;
55 const courgette::Status write_status
= WriteEncodedProgram(encoded
, &sinks
);
56 EXPECT_EQ(courgette::C_OK
, write_status
);
58 DeleteEncodedProgram(encoded
);
60 courgette::SinkStream sink
;
61 bool can_collect
= sinks
.CopyTo(&sink
);
62 EXPECT_TRUE(can_collect
);
64 size_t length
= sink
.Length();
66 std::string
base_buffer(reinterpret_cast<const char*>(sink
.Buffer()), length
);
67 std::string base_output
;
68 bool ok
= TryAssemble(base_buffer
, &base_output
);
71 // Now we have a good serialized EncodedProgram in |base_buffer|. Time to
74 // More intense fuzzing on the first part because it contains more control
75 // information like substeam lengths.
77 for ( ; position
< 100 && position
< length
; position
+= 1) {
78 FuzzByte(base_buffer
, base_output
, position
);
80 // We would love to fuzz every position, but it takes too long.
81 for ( ; position
< length
; position
+= 900) {
82 FuzzByte(base_buffer
, base_output
, position
);
86 // FuzzByte tries to break the EncodedProgram deserializer and assembler. It
87 // takes a good serialization of and EncodedProgram, flips some bits, and checks
88 // that the behaviour is reasonable. It has testing checks for unreasonable
90 void DecodeFuzzTest::FuzzByte(const std::string
& base_buffer
,
91 const std::string
& base_output
,
93 printf("Fuzzing position %d\n", static_cast<int>(index
));
95 // The following 10 values are a compromize between run time and coverage of
96 // the 255 'wrong' values at this byte position.
98 // 0xFF flips all the bits.
99 FuzzBits(base_buffer
, base_output
, index
, 0xFF);
100 // 0x7F flips the most bits without changing Varint32 framing.
101 FuzzBits(base_buffer
, base_output
, index
, 0x7F);
102 // These all flip one bit.
103 FuzzBits(base_buffer
, base_output
, index
, 0x80);
104 FuzzBits(base_buffer
, base_output
, index
, 0x40);
105 FuzzBits(base_buffer
, base_output
, index
, 0x20);
106 FuzzBits(base_buffer
, base_output
, index
, 0x10);
107 FuzzBits(base_buffer
, base_output
, index
, 0x08);
108 FuzzBits(base_buffer
, base_output
, index
, 0x04);
109 FuzzBits(base_buffer
, base_output
, index
, 0x02);
110 FuzzBits(base_buffer
, base_output
, index
, 0x01);
113 // FuzzBits tries to break the EncodedProgram deserializer and assembler. It
114 // takes a good serialization of and EncodedProgram, flips some bits, and checks
115 // that the behaviour is reasonable.
117 // There are EXPECT calls to check for unreasonable behaviour. These are
118 // somewhat arbitrary in that the parameters cannot easily be derived from first
119 // principles. They may need updating as the serialized format evolves.
120 void DecodeFuzzTest::FuzzBits(const std::string
& base_buffer
,
121 const std::string
& base_output
,
122 size_t index
, int bits_to_flip
) const {
123 std::string modified_buffer
= base_buffer
;
124 std::string modified_output
;
125 modified_buffer
[index
] ^= bits_to_flip
;
127 bool ok
= TryAssemble(modified_buffer
, &modified_output
);
130 // We normally expect TryAssemble to fail. But sometimes it succeeds.
131 // What could have happened? We changed one byte in the serialized form:
133 // * If we changed one of the copied bytes, we would see a single byte
134 // change in the output.
135 // * If we changed an address table element, all the references to that
136 // address would be different.
137 // * If we changed a copy count, we would run out of data in some stream,
138 // or leave data remaining, so should not be here.
139 // * If we changed an origin address, it could affect all relocations based
140 // off that address. If no relocations were based off the address then
141 // there will be no changes.
142 // * If we changed an origin address, it could cause some abs32 relocs to
143 // shift from one page to the next, changing the number and layout of
144 // blocks in the base relocation table.
146 // Generated length could vary slightly due to base relocation table layout.
147 // In the worst case the number of base relocation blocks doubles, approx
148 // 12/4096 or 0.3% size of file.
149 size_t base_length
= base_output
.length();
150 size_t modified_length
= modified_output
.length();
151 ptrdiff_t diff
= base_length
- modified_length
;
152 if (diff
< -200 || diff
> 200) {
153 EXPECT_EQ(base_length
, modified_length
);
156 size_t changed_byte_count
= 0;
157 for (size_t i
= 0; i
< base_length
&& i
< modified_length
; ++i
) {
158 changed_byte_count
+= (base_output
[i
] != modified_output
[i
]);
161 if (index
> 60) { // Beyond the origin addresses ...
162 EXPECT_NE(0U, changed_byte_count
); // ... we expect some difference.
164 // Currently all changes are smaller than this number:
165 EXPECT_GE(45000U, changed_byte_count
);
169 bool DecodeFuzzTest::TryAssemble(const std::string
& buffer
,
170 std::string
* output
) const {
171 courgette::EncodedProgram
*encoded
= NULL
;
174 courgette::SourceStreamSet sources
;
175 bool can_get_source_streams
= sources
.Init(buffer
.c_str(), buffer
.length());
176 if (can_get_source_streams
) {
177 const courgette::Status read_status
=
178 ReadEncodedProgram(&sources
, &encoded
);
179 if (read_status
== courgette::C_OK
) {
180 courgette::SinkStream assembled
;
181 const courgette::Status assemble_status
= Assemble(encoded
, &assembled
);
183 if (assemble_status
== courgette::C_OK
) {
184 const void* assembled_buffer
= assembled
.Buffer();
185 size_t assembled_length
= assembled
.Length();
188 output
->assign(reinterpret_cast<const char*>(assembled_buffer
),
195 DeleteEncodedProgram(encoded
);
200 TEST_F(DecodeFuzzTest
, All
) {
201 FuzzExe("setup1.exe");
202 FuzzExe("elf-32-1.exe");
205 int main(int argc
, char** argv
) {
206 return base::TestSuite(argc
, argv
).Run();