libfido2 can be fuzzed using AFL or libFuzzer, with or without
ASAN/MSAN/UBSAN.

AFL is more convenient when fuzzing the path from the authenticator to
libfido2 in an existing application. To do so, use preload-snoop.c with a real
authenticator to obtain an initial corpus, rebuild libfido2 with -DFUZZ=ON, and
use preload-fuzz.c to read device data from stdin.

libFuzzer is better suited for bespoke fuzzers; see fuzz_cred.c, fuzz_credman.c,
fuzz_assert.c, fuzz_hid.c, and fuzz_mgmt.c for examples. To build these
harnesses, use -DFUZZ=ON -DLIBFUZZER=ON.

To run under ASAN/MSAN/UBSAN, libfido2 needs to be linked against flavours of
libcbor and OpenSSL built with the respective sanitiser. In order to keep
memory utilisation at a manageable level, you can either enforce limits at
the OS level (e.g. cgroups on Linux), or patch libcbor with the diff below.

diff --git src/cbor/internal/memory_utils.c src/cbor/internal/memory_utils.c
index aa049a2..e294b38 100644
--- src/cbor/internal/memory_utils.c
+++ src/cbor/internal/memory_utils.c
@@ -28,7 +28,10 @@ bool _cbor_safe_to_multiply(size_t a, size_t b) {
 
 void* _cbor_alloc_multiple(size_t item_size, size_t item_count) {
   if (_cbor_safe_to_multiply(item_size, item_count)) {
-    return _CBOR_MALLOC(item_size * item_count);
+    if (item_count > 1000) {
+      return NULL;
+    } else
+      return _CBOR_MALLOC(item_size * item_count);
   } else {
     return NULL;
   }
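Review bot: the new `} else` branch in `_cbor_alloc_multiple` drops the braces that every other block in the hunk keeps, and `1000` is an unexplained magic number; since the outer `else` already returns NULL, the cap reads more clearly folded into the existing condition, e.g. `#define CBOR_FUZZ_MAX_ITEMS 1000` and `if (_cbor_safe_to_multiply(item_size, item_count) && item_count <= CBOR_FUZZ_MAX_ITEMS)`, with the original `return _CBOR_MALLOC(item_size * item_count);` and `return NULL;` left as they were. A one-line comment at the cap is also worth adding, because after this patch libcbor reports an allocation failure for any multi-item allocation of more than 1000 items, so a libcbor built with it must stay confined to the fuzzing prefix and never be linked into a production libfido2.

The build-and-run procedure described above (sanitised libcbor and OpenSSL, libfido2 with -DFUZZ=ON -DLIBFUZZER=ON, and the AFL path through preload-snoop.c and preload-fuzz.c) collected into one script. This is an added example written for this page, not libfido2's own tooling; it assumes checkouts under $SRC, an install prefix $PREFIX, clang as the compiler, and that the preload shims build as libpreload-snoop.so and libpreload-fuzz.so under build-<san>/fuzz (check fuzz/CMakeLists.txt for the real names). It also shows the OS-level alternative to the libcbor patch: libFuzzer's -rss_limit_mb/-malloc_limit_mb and AFL's -m.

```shell
#!/bin/sh
# Added example, not part of libfido2: build sanitised libcbor, OpenSSL and the
# libfido2 fuzz harnesses into one prefix, then run them with memory caps.
# Assumptions: $SRC/libcbor, $SRC/openssl and $SRC/libfido2 are checkouts,
# everything installs under $PREFIX, and the preload shims are emitted as
# build-<san>/fuzz/libpreload-snoop.so and libpreload-fuzz.so.
set -eu

SRC="${SRC:-$HOME/src}"
PREFIX="${PREFIX:-$HOME/fido2-fuzz-prefix}"
CC="${CC:-clang}"

# Compiler flags for one sanitiser. MSAN reports reads of uninitialised memory
# coming from any uninstrumented code, which is why libcbor and OpenSSL must be
# rebuilt with the same flags instead of using the distro packages.
sanitizer_cflags() {
    case "$1" in
        asan)  echo "-fsanitize=address -fno-omit-frame-pointer -g" ;;
        msan)  echo "-fsanitize=memory -fsanitize-memory-track-origins -fno-omit-frame-pointer -g" ;;
        # -fno-sanitize-recover makes UBSAN abort, so libFuzzer sees a crash
        # instead of a warning that scrolls past.
        ubsan) echo "-fsanitize=undefined -fno-sanitize-recover=undefined -fno-omit-frame-pointer -g" ;;
        *)     echo "unknown sanitiser: $1" >&2; return 1 ;;
    esac
}

# OpenSSL's Configure knows the three sanitisers by name; MSAN additionally
# needs no-asm, since hand-written assembly is not instrumented.
openssl_config_flags() {
    case "$1" in
        asan|ubsan) echo "enable-$1" ;;
        msan)       echo "enable-msan no-asm" ;;
        *)          echo "unknown sanitiser: $1" >&2; return 1 ;;
    esac
}

build_libcbor() {   # build_libcbor <san>
    cmake -S "$SRC/libcbor" -B "$SRC/libcbor/build-$1" \
        -DCMAKE_C_COMPILER="$CC" -DCMAKE_C_FLAGS="$(sanitizer_cflags "$1")" \
        -DCMAKE_INSTALL_PREFIX="$PREFIX"
    cmake --build "$SRC/libcbor/build-$1" --target install
}

build_openssl() {   # build_openssl <san>
    (cd "$SRC/openssl" && \
        CC="$CC" ./config $(openssl_config_flags "$1") \
            --prefix="$PREFIX" --openssldir="$PREFIX/ssl" && \
        make -j"$(nproc)" && make install_sw)
}

build_libfido2() {  # build_libfido2 <san>
    # libfido2's CMake locates libcbor and libcrypto through pkg-config, so
    # point it at the sanitised copies before the system ones.
    PKG_CONFIG_PATH="$PREFIX/lib/pkgconfig:$PREFIX/lib64/pkgconfig" \
    cmake -S "$SRC/libfido2" -B "$SRC/libfido2/build-$1" \
        -DCMAKE_C_COMPILER="$CC" -DCMAKE_C_FLAGS="$(sanitizer_cflags "$1")" \
        -DFUZZ=ON -DLIBFUZZER=ON
    cmake --build "$SRC/libfido2/build-$1"
}

# libFuzzer path: run one bespoke harness (fuzz_cred, fuzz_assert, ...) with
# libFuzzer's own memory caps, the OS-level alternative to patching libcbor.
run_harness() {     # run_harness <san> <harness> <corpus-dir>
    "$SRC/libfido2/build-$1/fuzz/$2" -rss_limit_mb=1024 -malloc_limit_mb=256 \
        -max_len=4096 "$3"
}

# AFL path, step 1: interpose the real authenticator traffic of an existing
# application to seed the corpus (see preload-snoop.c for where it writes).
snoop_corpus() {    # snoop_corpus <san> <app> [args...]
    san=$1; shift
    LD_PRELOAD="$SRC/libfido2/build-$san/fuzz/libpreload-snoop.so" "$@"
}

# AFL path, step 2: afl-fuzz feeds each testcase on stdin, preload-fuzz.so
# hands it to the app as device data; -m is AFL's own memory limit in MB.
afl_run() {         # afl_run <san> <corpus-in> <findings-out> <app> [args...]
    san=$1; in=$2; out=$3; shift 3
    AFL_PRELOAD="$SRC/libfido2/build-$san/fuzz/libpreload-fuzz.so" \
        afl-fuzz -i "$in" -o "$out" -m 512 -- "$@"
}

# Usage: ./fido2-fuzz.sh build asan   (then run_harness / afl_run by hand)
if [ "$#" -ge 2 ] && [ "$1" = build ]; then
    build_libcbor "$2"; build_openssl "$2"; build_libfido2 "$2"
fi
```

Rebuild all three components for each sanitiser you care about; mixing an ASAN libfido2 with an MSAN libcbor produces false positives rather than findings.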