xref: /freebsd/contrib/libfido2/fuzz/README (revision 2ccfa855b2fc331819953e3de1b1c15ce5b95a7e)
1libfido2 can be fuzzed using AFL or libFuzzer, with or without
2ASAN/MSAN/UBSAN.
3
4AFL is more convenient when fuzzing the path from the authenticator to
5libfido2 in an existing application. To do so, use preload-snoop.c with a real
6authenticator to obtain an initial corpus, rebuild libfido2 with -DFUZZ=ON, and
7use preload-fuzz.c to read device data from stdin.
8
9libFuzzer is better suited for bespoke fuzzers; see fuzz_cred.c, fuzz_credman.c,
10fuzz_assert.c, fuzz_hid.c, and fuzz_mgmt.c for examples. To build these
11harnesses, use -DCMAKE_C_FLAGS=-fsanitize=fuzzer-no-link
12-DFUZZ_LDFLAGS=-fsanitize=fuzzer -DFUZZ=ON.
13
14If -DFUZZ=ON is enabled, symbols listed in wrapped.sym are wrapped in the
15resulting shared object. The wrapper functions simulate failure according to a
16deterministic RNG and probabilities defined in wrap.c. Harnesses wishing to
17use this functionality should call prng_init() with a seed obtained from the
18corpus. To mutate only the seed part of a libFuzzer harness's corpora,
19use '-reduce_inputs=0 --fido-mutate=seed'.
20
21To run under ASAN/MSAN/UBSAN, libfido2 needs to be linked against flavours of
22libcbor and OpenSSL built with the respective sanitiser. In order to keep
23memory utilisation at a manageable level, you can either enforce limits at
24the OS level (e.g. cgroups on Linux), or patch libcbor with the diff below.
25N.B., the patch below is relative to libcbor 0.10.1.
26
27diff --git src/cbor/internal/memory_utils.c src/cbor/internal/memory_utils.c
28index bbea63c..3f7c9af 100644
29--- src/cbor/internal/memory_utils.c
30+++ src/cbor/internal/memory_utils.c
31@@ -41,7 +41,11 @@ size_t _cbor_safe_signaling_add(size_t a, size_t b) {
32
33 void* _cbor_alloc_multiple(size_t item_size, size_t item_count) {
34   if (_cbor_safe_to_multiply(item_size, item_count)) {
35-    return _cbor_malloc(item_size * item_count);
36+    if (item_count > 1000) {
37+      return NULL;
38+    } else {
39+      return _cbor_malloc(item_size * item_count);
40+    }
41   } else {
42     return NULL;
43   }
44