1/*- 2 * Copyright (c) 2003-2007 Tim Kientzle 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17 * IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, 18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25#include "test.h" 26__FBSDID("$FreeBSD$"); 27 28/* 29 * This was inspired by an ISO fuzz tester written by Michal Zalewski 30 * and posted to the "vulnwatch" mailing list on March 17, 2005: 31 * http://seclists.org/vulnwatch/2005/q1/0088.html 32 * 33 * This test simply reads each archive image into memory, pokes 34 * random values into it and runs it through libarchive. It tries 35 * to damage about 1% of each file and repeats the exercise 100 times 36 * with each file. 37 * 38 * Unlike most other tests, this test does not verify libarchive's 39 * responses other than to ensure that libarchive doesn't crash. 40 * 41 * Due to the deliberately random nature of this test, it may be hard 42 * to reproduce failures. Because this test deliberately attempts to 43 * induce crashes, there's little that can be done in the way of 44 * post-failure diagnostics. 45 */ 46 47/* Because this works for any archive, we can just re-use the archives 48 * developed for other tests. */ 49static struct { 50 int uncompress; /* If 1, decompress the file before fuzzing. */ 51 const char *name; 52} files[] = { 53 {0, "test_fuzz_1.iso.Z"}, /* Exercise compress decompressor. */ 54 {1, "test_fuzz_1.iso.Z"}, 55 {0, "test_compat_bzip2_1.tbz"}, /* Exercise bzip2 decompressor. */ 56 {1, "test_compat_bzip2_1.tbz"}, 57 {0, "test_compat_gtar_1.tar"}, 58 {0, "test_compat_gzip_1.tgz"}, /* Exercise gzip decompressor. */ 59 {0, "test_compat_gzip_2.tgz"}, /* Exercise gzip decompressor. */ 60 {0, "test_compat_tar_hardlink_1.tar"}, 61 {0, "test_compat_xz_1.txz"}, /* Exercise xz decompressor. */ 62 {0, "test_compat_zip_1.zip"}, 63 {0, "test_read_format_ar.ar"}, 64 {0, "test_read_format_cpio_bin_be.cpio"}, 65 {0, "test_read_format_cpio_svr4_gzip_rpm.rpm"}, /* Test RPM unwrapper */ 66 {0, "test_read_format_gtar_sparse_1_17_posix10_modified.tar"}, 67 {0, "test_read_format_mtree.mtree"}, 68 {0, "test_read_format_tar_empty_filename.tar"}, 69 {0, "test_read_format_zip.zip"}, 70 {1, NULL} 71}; 72 73DEFINE_TEST(test_fuzz) 74{ 75 const void *blk; 76 size_t blk_size; 77 off_t blk_offset; 78 int n; 79 80 for (n = 0; files[n].name != NULL; ++n) { 81 const size_t buffsize = 30000000; 82 const char *filename = files[n].name; 83 struct archive_entry *ae; 84 struct archive *a; 85 char *rawimage, *image; 86 size_t size; 87 int i; 88 89 extract_reference_file(filename); 90 if (files[n].uncompress) { 91 int r; 92 /* Use format_raw to decompress the data. */ 93 assert((a = archive_read_new()) != NULL); 94 assertEqualIntA(a, ARCHIVE_OK, 95 archive_read_support_compression_all(a)); 96 assertEqualIntA(a, ARCHIVE_OK, 97 archive_read_support_format_raw(a)); 98 r = archive_read_open_filename(a, filename, 16384); 99 if (r != ARCHIVE_OK) { 100 archive_read_finish(a); 101 skipping("Cannot uncompress %s", filename); 102 continue; 103 } 104 assertEqualIntA(a, ARCHIVE_OK, 105 archive_read_next_header(a, &ae)); 106 rawimage = malloc(buffsize); 107 size = archive_read_data(a, rawimage, buffsize); 108 assertEqualIntA(a, ARCHIVE_EOF, 109 archive_read_next_header(a, &ae)); 110 assertEqualInt(ARCHIVE_OK, 111 archive_read_finish(a)); 112 assert(size > 0); 113 failure("Internal buffer is not big enough for " 114 "uncompressed test file: %s", filename); 115 if (!assert(size < buffsize)) { 116 free(rawimage); 117 continue; 118 } 119 } else { 120 rawimage = slurpfile(&size, filename); 121 if (!assert(rawimage != NULL)) 122 continue; 123 } 124 image = malloc(size); 125 assert(image != NULL); 126 srand((unsigned)time(NULL)); 127 128 for (i = 0; i < 100; ++i) { 129 FILE *f; 130 int j, numbytes; 131 132 /* Fuzz < 1% of the bytes in the archive. */ 133 memcpy(image, rawimage, size); 134 numbytes = (int)(rand() % (size / 100)); 135 for (j = 0; j < numbytes; ++j) 136 image[rand() % size] = (char)rand(); 137 138 /* Save the messed-up image to a file. 139 * If we crash, that file will be useful. */ 140 f = fopen("after.test.failure.send.this.file." 141 "to.libarchive.maintainers.with.system.details", "wb"); 142 fwrite(image, 1, (size_t)size, f); 143 fclose(f); 144 145 assert((a = archive_read_new()) != NULL); 146 assertEqualIntA(a, ARCHIVE_OK, 147 archive_read_support_compression_all(a)); 148 assertEqualIntA(a, ARCHIVE_OK, 149 archive_read_support_format_all(a)); 150 151 if (0 == archive_read_open_memory(a, image, size)) { 152 while(0 == archive_read_next_header(a, &ae)) { 153 while (0 == archive_read_data_block(a, 154 &blk, &blk_size, &blk_offset)) 155 continue; 156 } 157 archive_read_close(a); 158 } 159 archive_read_finish(a); 160 } 161 free(image); 162 free(rawimage); 163 } 164} 165 166 167