From: "Arthur Chan via GitGitGadget" <gitgitgadget@gmail.com>
To: git@vger.kernel.org
Cc: Jeff King <peff@peff.net>,
	Arthur Chan <arthur.chan@adalogics.com>,
	Arthur Chan <arthur.chan@adalogics.com>
Subject: [PATCH v3] fuzz: add new oss-fuzz fuzzer for date.c / date.h
Date: Tue, 14 Nov 2023 10:53:05 +0000	[thread overview]
Message-ID: <pull.1612.v3.git.1699959186146.gitgitgadget@gmail.com> (raw)
In-Reply-To: <pull.1612.v2.git.1699892568344.gitgitgadget@gmail.com>

From: Arthur Chan <arthur.chan@adalogics.com>

Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
---
    fuzz: add new oss-fuzz fuzzer for date.c / date.h
    
    This patch is aimed to add a new oss-fuzz fuzzer to the oss-fuzz
    directory for fuzzing date.c / date.h in the base directory.
    
    The .gitignore of the oss-fuzz directory and the Makefile have been
    modified to accommodate the new fuzzer fuzz-date.c.
    
    Fixed the objects order in .gitignore and Makefiles and fixed some of
    the logic and formatting for the fuzz-date.c fuzzer in v2.
    
    Fixed the creation and memory allocation of the fuzzing str in v3. Also
    fixed the tz type and sign-extended the data before passing to the tz
    variable.
    
    Comment: Yes, indeed. It is quite annoying to have that twice. Yes, the
    tz should be considered attacker controllable and thus negative
    values should be considered. But it is tricky to fuzz it because
    date.c::gm_time_t() will call die() if the value is invalid and that
    exits the fuzzer directly. OSS-Fuzz may consider it an issue (or bug)
    because the fuzzer exits "unexpectedly". I agree that if we consider the
    tz as "attacker controllable", we should include negative values, but
    since it will cause the fuzzer to exit, I am not sure if it is the right
    approach from the fuzzing perspective. Also, it is something that date.c
    already takes care of with the conditional checking, thus it may also be
    worth doing some checking and excluding some invalid values before calling
    date.c::show_date(), but this may result in copying some conditional
    checking code from date.c.

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1612%2Farthurscchan%2Fnew-fuzzer-date-v3
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1612/arthurscchan/new-fuzzer-date-v3
Pull-Request: https://github.com/gitgitgadget/git/pull/1612

Range-diff vs v2:

 1:  2928e2b858d ! 1:  046bca32889 fuzz: add new oss-fuzz fuzzer for date.c / date.h
     @@ oss-fuzz/fuzz-date.c (new)
      +{
      +	int local;
      +	int num;
     -+	uint16_t tz;
     ++	int tz;
      +	char *str;
     ++	int8_t *tmp_data;
      +	timestamp_t ts;
      +	enum date_mode_type dmtype;
      +	struct date_mode *dm;
     @@ oss-fuzz/fuzz-date.c (new)
      +		return 0;
      +
      +	local = !!(*data & 0x10);
     -+	dmtype = (enum date_mode_type)(*data % DATE_UNIX);
     -+	if (dmtype == DATE_STRFTIME)
     -+		/*
     -+		 * Currently DATE_STRFTIME is not supported.
     -+		 */
     -+		return 0;
     ++	num = *data % DATE_UNIX;
     ++	if (num >= DATE_STRFTIME)
     ++		num++;
     ++	dmtype = (enum date_mode_type)num;
      +	data++;
      +	size--;
      +
     -+	tz = *data++;
     -+	tz = (tz << 8) | *data++;
     -+	tz = (tz << 8) | *data++;
     ++	tmp_data = (int8_t*)data;
     ++	tz = *tmp_data++;
     ++	tz = (tz << 8) | *tmp_data++;
     ++	tz = (tz << 8) | *tmp_data++;
     ++	data += 3;
      +	size -= 3;
      +
     -+	str = (char *)malloc(size + 1);
     -+	if (!str)
     -+		return 0;
     -+	memcpy(str, data, size);
     -+	str[size] = '\0';
     ++	str = xmemdupz(data, size);
      +
      +	ts = approxidate_careful(str, &num);
      +	free(str);
      +
      +	dm = date_mode_from_type(dmtype);
      +	dm->local = local;
     -+	show_date(ts, (int16_t)tz, dm);
     ++	show_date(ts, tz, dm);
      +
      +	date_mode_release(dm);
      +


 Makefile             |  1 +
 oss-fuzz/.gitignore  |  1 +
 oss-fuzz/fuzz-date.c | 53 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 oss-fuzz/fuzz-date.c

diff --git a/Makefile b/Makefile
index 03adcb5a480..4b875ef6ce1 100644
--- a/Makefile
+++ b/Makefile
@@ -750,6 +750,7 @@ SCRIPTS = $(SCRIPT_SH_GEN) \
 ETAGS_TARGET = TAGS
 
 FUZZ_OBJS += oss-fuzz/fuzz-commit-graph.o
+FUZZ_OBJS += oss-fuzz/fuzz-date.o
 FUZZ_OBJS += oss-fuzz/fuzz-pack-headers.o
 FUZZ_OBJS += oss-fuzz/fuzz-pack-idx.o
 .PHONY: fuzz-objs
diff --git a/oss-fuzz/.gitignore b/oss-fuzz/.gitignore
index 9acb74412ef..5b954088254 100644
--- a/oss-fuzz/.gitignore
+++ b/oss-fuzz/.gitignore
@@ -1,3 +1,4 @@
 fuzz-commit-graph
+fuzz-date
 fuzz-pack-headers
 fuzz-pack-idx
diff --git a/oss-fuzz/fuzz-date.c b/oss-fuzz/fuzz-date.c
new file mode 100644
index 00000000000..52bea5553a1
--- /dev/null
+++ b/oss-fuzz/fuzz-date.c
@@ -0,0 +1,53 @@
+#include "git-compat-util.h"
+#include "date.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+	int local;
+	int num;
+	int tz;
+	char *str;
+	int8_t *tmp_data;
+	timestamp_t ts;
+	enum date_mode_type dmtype;
+	struct date_mode *dm;
+
+	if (size <= 4)
+		/*
+		 * we use the first byte to fuzz dmtype and local,
+		 * then the next three bytes to fuzz tz	offset,
+		 * and the remainder (at least one byte) is fed
+		 * as end-user input to approxidate_careful().
+		 */
+		return 0;
+
+	local = !!(*data & 0x10);
+	num = *data % DATE_UNIX;
+	if (num >= DATE_STRFTIME)
+		num++;
+	dmtype = (enum date_mode_type)num;
+	data++;
+	size--;
+
+	tmp_data = (int8_t*)data;
+	tz = *tmp_data++;
+	tz = (tz << 8) | *tmp_data++;
+	tz = (tz << 8) | *tmp_data++;
+	data += 3;
+	size -= 3;
+
+	str = xmemdupz(data, size);
+
+	ts = approxidate_careful(str, &num);
+	free(str);
+
+	dm = date_mode_from_type(dmtype);
+	dm->local = local;
+	show_date(ts, tz, dm);
+
+	date_mode_release(dm);
+
+	return 0;
+}
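Review bot: The three-byte tz assembly at `tz = (tz << 8) | *tmp_data++` ORs in sign-extended `int8_t` values, so whenever the second or third byte is 0x80 or above its sign bits overwrite the higher byte already shifted in (bytes 01 FF yield -1 rather than 0x1FF), and `tz << 8` on a negative `tz` is undefined behaviour in C11. Only the first byte should carry the sign and the lower two should be taken as unsigned, e.g. `tz = (int8_t)data[0]; tz = tz * 256 + data[1]; tz = tz * 256 + data[2];`, which also removes the need for the `tmp_data` pointer and its cast that drops `const` from `data`. Separately, `num` is reused as the error-count out-parameter of `approxidate_careful()` after serving as the dmtype selector; a dedicated variable, or a short comment saying the reuse is intentional, would read better. The comment above the size check also carries a stray tab in `tz	offset`.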

base-commit: dadef801b365989099a9929e995589e455c51fed
-- 
gitgitgadget
