…
libfido2 can be fuzzed using AFL or libFuzzer, with or without
ASAN/MSAN/UBSAN.
AFL is more convenient when fuzzing the path from the authenticator to
libfido2 in an existing application. To do so, use preload-snoop.c with a real
authenticator to obtain an initial corpus, rebuild libfido2 with -DFUZZ=1
-DAFL=1, and use preload-fuzz.c to read device data from stdin. Examples of
this approach can be found in the harnesses under fuzz/harnesses/ that fuzz
the standalone examples and tools bundled with libfido2.
libFuzzer is better suited for bespoke fuzzers; see fuzz_cred.c, fuzz_credman.c,
fuzz_assert.c, and fuzz_mgmt.c for examples. To build these harnesses,
use -DFUZZ=1 -DLIBFUZZER=1.
To run under ASAN/MSAN/UBSAN, libfido2 needs to be linked against flavours of
libcbor and OpenSSL built with the respective sanitiser. In order to keep
memory utilisation at a manageable level, you can either enforce limits at
the OS level (e.g. cgroups on Linux) or, alternatively, patch libcbor with
the diff at the bottom of this file.
1. Using ASAN + UBSAN
- Make sure you have libcbor built with -fsanitize=address;
- Make sure you have OpenSSL built with -fsanitize=address;
- Rebuild libfido2 with -DASAN=1 -DUBSAN=1.
1.1 Decide where your workspace will live
$ export FAKEROOT=/home/pedro/fakeroot
$ mkdir -p ${FAKEROOT}/src
1.2 Building libcbor with ASAN
$ git clone https://github.com/pjk/libcbor ${FAKEROOT}/src/libcbor
$ cd ${FAKEROOT}/src/libcbor
Assuming libfido2 is under ${FAKEROOT}/src/libfido2:
$ patch -p0 < ${FAKEROOT}/src/libfido2/fuzz/README
$ mkdir build
$ cd build
$ cmake -DCMAKE_C_FLAGS_DEBUG="-g2 -fno-omit-frame-pointer" \
-DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug \
-DCMAKE_INSTALL_PREFIX=${FAKEROOT} -DSANITIZE=ON \
-DCMAKE_INSTALL_LIBDIR=lib ..
$ make
$ make install
1.3 Building OpenSSL with ASAN
$ git clone https://github.com/openssl/openssl ${FAKEROOT}/src/openssl
$ cd ${FAKEROOT}/src/openssl
$ ./Configure linux-x86_64-clang enable-asan --prefix=${FAKEROOT} \
--openssldir=${FAKEROOT}/openssl
$ make clean
$ make
$ make install_sw
1.4 Building libfido2 with libFuzzer and ASAN + UBSAN
$ cd ${FAKEROOT}/src/libfido2
$ mkdir build
$ cd build
$ cmake -DFUZZ=1 -DLIBFUZZER=1 -DASAN=1 -DUBSAN=1 -DCMAKE_C_COMPILER=clang \
-DCRYPTO_INCLUDE_DIRS=${FAKEROOT}/include \
-DCRYPTO_LIBRARY_DIRS=${FAKEROOT}/lib \
-DCBOR_INCLUDE_DIRS=${FAKEROOT}/include \
-DCBOR_LIBRARY_DIRS=${FAKEROOT}/lib \
-DCMAKE_BUILD_TYPE=Debug ..
$ make
2. Using MSAN + UBSAN
- Make sure you have libcbor built with -fsanitize=memory;
- Make sure you have OpenSSL built with -fsanitize=memory;
- Rebuild libfido2 with -DMSAN=1 -DUBSAN=1.
2.1 Decide where your workspace will live
$ export FAKEROOT=/home/pedro/fakeroot
$ mkdir -p ${FAKEROOT}/src
2.2 Building libcbor with MSAN
$ git clone https://github.com/pjk/libcbor ${FAKEROOT}/src/libcbor
$ cd ${FAKEROOT}/src/libcbor
Assuming libfido2 is under ${FAKEROOT}/src/libfido2:
$ patch -p0 < ${FAKEROOT}/src/libfido2/fuzz/README
$ mkdir build
$ cd build
$ cmake -DCMAKE_C_FLAGS_DEBUG="-fsanitize=memory,undefined -g2 -fno-omit-frame-pointer" \
-DCMAKE_C_COMPILER=clang -DCMAKE_BUILD_TYPE=Debug \
-DCMAKE_INSTALL_PREFIX=${FAKEROOT} -DSANITIZE=OFF \
-DCMAKE_INSTALL_LIBDIR=lib ..
$ make
$ make install
2.2 Building OpenSSL with MSAN
$ mkdir -p ${FAKEROOT}/src
$ git clone https://github.com/openssl/openssl ${FAKEROOT}/src/openssl
$ cd ${FAKEROOT}/src/openssl
$ ./Configure linux-x86_64-clang enable-msan --prefix=${FAKEROOT} \
--openssldir=${FAKEROOT}/openssl
$ make clean
$ make
$ make install_sw
2.3 Building libfido2 with libFuzzer and MSAN + UBSAN
$ cd ${FAKEROOT}/src/libfido2
$ mkdir build
$ cd build
$ cmake -DFUZZ=1 -DLIBFUZZER=1 -DMSAN=1 -DUBSAN=1 -DCMAKE_C_COMPILER=clang \
-DCRYPTO_INCLUDE_DIRS=${FAKEROOT}/include \
-DCRYPTO_LIBRARY_DIRS=${FAKEROOT}/lib \
-DCBOR_INCLUDE_DIRS=${FAKEROOT}/include \
-DCBOR_LIBRARY_DIRS=${FAKEROOT}/lib \
-DCMAKE_BUILD_TYPE=Debug ..
$ make
3. Running the libFuzzer harnesses
When running under ASAN, you may want to set ASAN_OPTIONS to
'allocator_may_return_null=1:detect_stack_use_after_return=1'.
The recommended way to run the harnesses is:
$ fuzz_{assert,cred,credman,mgmt} -use_value_profile=1 -reload=30 \
-print_pcs=1 -print_funcs=30 -timeout=10 CORPUS_DIR
You may want to use -jobs or -workers depending on the number of logical
cores available for fuzzing.
4. Auxiliary scripts
A set of harnesses and auxiliary scripts can be found under harnesses/. To
compile coverage reports, adjust the harnesses to your setup and run 'report'.
diff --git src/cbor/internal/memory_utils.c src/cbor/internal/memory_utils.c
index aa049a2..e294b38 100644
--- src/cbor/internal/memory_utils.c
+++ src/cbor/internal/memory_utils.c
@@ -28,7 +28,10 @@ bool _cbor_safe_to_multiply(size_t a, size_t b) {
void* _cbor_alloc_multiple(size_t item_size, size_t item_count) {
if (_cbor_safe_to_multiply(item_size, item_count)) {
- return _CBOR_MALLOC(item_size * item_count);
+ if (item_count > 1000) {
+ return NULL;
+ } else
+ return _CBOR_MALLOC(item_size * item_count);
} else {
return NULL;
}