Exemple #1
0
def test_for_reproducibility(fuzzer_name,
                             full_fuzzer_name,
                             testcase_path,
                             expected_state,
                             expected_security_flag,
                             test_timeout,
                             http_flag,
                             gestures,
                             arguments=None):
    """Test to see if a crash is fully reproducible or is a one-time crasher."""
    try:
        fuzz_target = data_handler.get_fuzz_target(full_fuzzer_name)
        if engine.get(fuzzer_name) and not fuzz_target:
            raise TargetNotFoundError

        runner = TestcaseRunner(fuzz_target,
                                testcase_path,
                                test_timeout,
                                gestures,
                                http_flag,
                                arguments=arguments)

        crash_retries = environment.get_value('CRASH_RETRIES')
        return runner.test_reproduce_reliability(crash_retries, expected_state,
                                                 expected_security_flag)
    except TargetNotFoundError:
        # If a target isn't found, treat it as not crashing.
        return False
Exemple #2
0
def test_for_crash_with_retries(testcase,
                                testcase_path,
                                test_timeout,
                                http_flag=False,
                                use_gestures=True,
                                compare_crash=True,
                                crash_retries=None):
    """Test for a crash and return crash parameters like crash type, crash state,
  crash stacktrace, etc."""
    gestures = testcase.gestures if use_gestures else None
    try:
        fuzz_target = testcase.get_fuzz_target()
        if engine.get(testcase.fuzzer_name) and not fuzz_target:
            raise TargetNotFoundError

        runner = TestcaseRunner(fuzz_target, testcase_path, test_timeout,
                                gestures, http_flag)

        if crash_retries is None:
            crash_retries = environment.get_value('CRASH_RETRIES')

        if compare_crash:
            expected_state = testcase.crash_state
            expected_security_flag = testcase.security_flag
        else:
            expected_state = None
            expected_security_flag = None

        return runner.reproduce_with_retries(crash_retries, expected_state,
                                             expected_security_flag,
                                             testcase.flaky_stack)
    except TargetNotFoundError:
        # If a target isn't found, treat it as not crashing.
        return CrashResult(return_code=0, crash_time=0, output='')
Exemple #3
0
def engine_fuzz(request, _):
    """Run engine fuzzer."""
    engine_impl = engine.get(request.engine)
    result, fuzzer_metadata, strategies = fuzz_task.run_engine_fuzzer(
        engine_impl, request.target_name, request.sync_corpus_directory,
        request.testcase_directory)

    crashes = [
        untrusted_runner_pb2.EngineCrash(input_path=crash.input_path,
                                         stacktrace=crash.stacktrace,
                                         reproduce_args=crash.reproduce_args,
                                         crash_time=crash.crash_time)
        for crash in result.crashes
    ]

    packed_stats = _pack_values(result.stats)
    packed_strategies = _pack_values(strategies)

    return untrusted_runner_pb2.EngineFuzzResponse(
        logs=result.logs,
        command=result.command,
        crashes=crashes,
        stats=packed_stats,
        time_executed=result.time_executed,
        fuzzer_metadata=fuzzer_metadata,
        strategies=packed_strategies)
Exemple #4
0
def engine_reproduce(request, _):
    """Run engine reproduce."""
    engine_impl = engine.get(request.engine)
    result = testcase_manager.engine_reproduce(engine_impl,
                                               request.target_name,
                                               request.testcase_path,
                                               request.arguments,
                                               request.timeout)
    return untrusted_runner_pb2.EngineReproduceResult(
        command=result.command,
        return_code=result.return_code,
        time_executed=result.time_executed,
        output=result.output)
Exemple #5
0
    def __init__(self,
                 fuzz_target,
                 cross_pollinate_fuzzers,
                 cross_pollination_method=Pollination.RANDOM,
                 tag=None):

        self.fuzz_target = fuzz_target
        self.cross_pollinate_fuzzers = cross_pollinate_fuzzers
        self.cross_pollination_method = cross_pollination_method
        self.tag = tag

        self.merge_tmp_dir = None
        self.engine = engine.get(self.fuzz_target.engine)
        if not self.engine:
            raise CorpusPruningException('Engine {} not found'.format(engine))

        self._created_directories = []

        # Set up temporary directories where corpora will be synced to.
        # Initial synced corpus.
        self.initial_corpus_path = self._create_temp_corpus_directory(
            '%s_initial_corpus' % self.fuzz_target.project_qualified_name())
        # Minimized corpus.
        self.minimized_corpus_path = self._create_temp_corpus_directory(
            '%s_minimized_corpus' % self.fuzz_target.project_qualified_name())
        # Synced quarantine corpus.
        self.quarantine_corpus_path = self._create_temp_corpus_directory(
            '%s_quarantine' % self.fuzz_target.project_qualified_name())
        # Synced shared corpus.
        self.shared_corpus_path = self._create_temp_corpus_directory(
            '%s_shared' % self.fuzz_target.project_qualified_name())
        # Bad units.
        self.bad_units_path = self._create_temp_corpus_directory(
            '%s_bad_units' % self.fuzz_target.project_qualified_name())
        self.merge_tmp_dir = self._create_temp_corpus_directory(
            'merge_workdir')

        self.corpus = corpus_manager.FuzzTargetCorpus(
            self.fuzz_target.engine,
            self.fuzz_target.project_qualified_name(),
            include_regressions=True)
        self.quarantine_corpus = corpus_manager.FuzzTargetCorpus(
            self.fuzz_target.engine,
            self.fuzz_target.project_qualified_name(),
            quarantine=True)

        shared_corpus_bucket = environment.get_value('SHARED_CORPUS_BUCKET')
        self.shared_corpus = corpus_manager.GcsCorpus(shared_corpus_bucket)
Exemple #6
0
    def __init__(self,
                 fuzz_target,
                 testcase_path,
                 test_timeout,
                 gestures,
                 needs_http=False,
                 arguments=None):
        self._testcase_path = testcase_path
        self._test_timeout = test_timeout
        self._gestures = gestures
        self._needs_http = needs_http

        if fuzz_target:
            engine_impl = engine.get(fuzz_target.engine)
        else:
            engine_impl = None

        # TODO(ochang): Make this hard fail once migration to new fuzzing pipeline
        # is complete.
        if fuzz_target and engine_impl:
            self._is_black_box = False
            self._engine_impl = engine_impl

            # Read target_name + args.
            if not arguments:
                arguments = get_command_line_flags(testcase_path)

            arguments = data_handler.filter_arguments(arguments,
                                                      fuzz_target.binary)
            self._arguments = arguments.split()

            self._fuzz_target = fuzz_target
        else:
            self._is_black_box = True
            self._command = get_command_line_for_application(
                testcase_path, needs_http=needs_http)