10afa8e06SEd Mastelibfido2 can be fuzzed using AFL or libFuzzer, with or without 20afa8e06SEd MasteASAN/MSAN/UBSAN. 30afa8e06SEd Maste 40afa8e06SEd MasteAFL is more convenient when fuzzing the path from the authenticator to 50afa8e06SEd Mastelibfido2 in an existing application. To do so, use preload-snoop.c with a real 60afa8e06SEd Masteauthenticator to obtain an initial corpus, rebuild libfido2 with -DFUZZ=ON, and 70afa8e06SEd Masteuse preload-fuzz.c to read device data from stdin. 80afa8e06SEd Maste 90afa8e06SEd MastelibFuzzer is better suited for bespoke fuzzers; see fuzz_cred.c, fuzz_credman.c, 100afa8e06SEd Mastefuzz_assert.c, fuzz_hid.c, and fuzz_mgmt.c for examples. To build these 11*2ccfa855SEd Masteharnesses, use -DCMAKE_C_FLAGS=-fsanitize=fuzzer-no-link 12*2ccfa855SEd Maste-DFUZZ_LDFLAGS=-fsanitize=fuzzer -DFUZZ=ON. 13*2ccfa855SEd Maste 14*2ccfa855SEd MasteIf -DFUZZ=ON is enabled, symbols listed in wrapped.sym are wrapped in the 15*2ccfa855SEd Masteresulting shared object. The wrapper functions simulate failure according to a 16*2ccfa855SEd Mastedeterministic RNG and probabilities defined in wrap.c. Harnesses wishing to 17*2ccfa855SEd Masteuse this functionality should call prng_init() with a seed obtained from the 18*2ccfa855SEd Mastecorpus. To mutate only the seed part of a libFuzzer harness's corpora, 19*2ccfa855SEd Masteuse '-reduce_inputs=0 --fido-mutate=seed'. 200afa8e06SEd Maste 210afa8e06SEd MasteTo run under ASAN/MSAN/UBSAN, libfido2 needs to be linked against flavours of 220afa8e06SEd Mastelibcbor and OpenSSL built with the respective sanitiser. In order to keep 230afa8e06SEd Mastememory utilisation at a manageable level, you can either enforce limits at 240afa8e06SEd Mastethe OS level (e.g. cgroups on Linux), or patch libcbor with the diff below. 25*2ccfa855SEd MasteN.B., the patch below is relative to libcbor 0.10.1. 260afa8e06SEd Maste 270afa8e06SEd Mastediff --git src/cbor/internal/memory_utils.c src/cbor/internal/memory_utils.c 28*2ccfa855SEd Masteindex bbea63c..3f7c9af 100644 290afa8e06SEd Maste--- src/cbor/internal/memory_utils.c 300afa8e06SEd Maste+++ src/cbor/internal/memory_utils.c 31*2ccfa855SEd Maste@@ -41,7 +41,11 @@ size_t _cbor_safe_signaling_add(size_t a, size_t b) { 320afa8e06SEd Maste 330afa8e06SEd Maste void* _cbor_alloc_multiple(size_t item_size, size_t item_count) { 340afa8e06SEd Maste if (_cbor_safe_to_multiply(item_size, item_count)) { 35*2ccfa855SEd Maste- return _cbor_malloc(item_size * item_count); 360afa8e06SEd Maste+ if (item_count > 1000) { 370afa8e06SEd Maste+ return NULL; 38*2ccfa855SEd Maste+ } else { 39*2ccfa855SEd Maste+ return _cbor_malloc(item_size * item_count); 40*2ccfa855SEd Maste+ } 410afa8e06SEd Maste } else { 420afa8e06SEd Maste return NULL; 430afa8e06SEd Maste } 44