Import fuzzing harnesses and helper code.

Co-Authored-By: f0rki <[email protected]>

Author: 2 people

.github/workflows/ci.yml

@@ -0,0 +1,52 @@
+name: CI
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+
+env:
+  RUST_BACKTRACE: 1
+  CARGO_FUZZ_REPO: https://github.com/rust-fuzz/cargo-fuzz
+
+jobs:
+
+  build-and-test:
+    name: Test building the fuzzers
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+
+      - name: Install Rust nightly
+        uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: nightly
+          override: true
+          components: rust-src, rustfmt, llvm-tools-preview
+
+      - name: install cargo-fuzz from git
+        run: cargo +nightly install --force --git "$CARGO_FUZZ_REPO" 
+      
+      - name: install grcov
+        run: cargo install --force grcov
+
+      - name: Clone all dependencies
+        run: bash ./clone-deps.sh
+        env:
+          DEPTH: 1
+
+      - name: build all fuzzers
+        run: |
+          cargo fuzz build
+          cargo fuzz list
+
+      - name: do a quick run of all fuzzers
+        run: |
+          cd fuzz
+          ./run_all.sh
+        env:
+          USE_CARGO_LIBAFL: 0
+          TEST: 1

.gitignore

@@ -1,4 +1,3 @@
-# Generated by Cargo
 # will have compiled files and executables
 debug/
 target/

Cargo.toml

@@ -0,0 +1,55 @@
+[package]
+name = "hyperium-fuzz-utils"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+rand = "0.8"
+rand_pcg = "0.3"
+arbitrary = { version = "1",  features = ["derive"] }
+hpack = { git = "https://github.com/mlalic/hpack-rs.git", rev = "refs/pull/7/head" }
+bytes = "1"
+futures-util = { version = "0.3", default-features = false, features = ["alloc"] }
+pin-project-lite = "0.2.4"
+tokio = { version = "1", features = ["full"] }
+
+tracing-subscriber = { version = "0.3", features = ["env-filter"] }
+tracing = "*"
+
+serde = { version = "1", features = ["derive"] }
+# serde_bytes = "0.11.9"
+bincode = "1.3.3"
+
+# lain = { git = "https://github.com/landaire/lain.git", rev = "0fb4a5b" }
+
+
+# in-scope libraries
+h2 = { path = "../h2/" }
+h2-support = { path = "../h2/tests/h2-support" }
+http = { path = "../http/" }
+http-body = { path = "../http-body/http-body" }
+http-body-util = { path = "../http-body/http-body-util" }
+httparse = { path = "../httparse/" }
+httpdate = { path = "../httpdate" }
+hyper = { path = "../hyper/", features = ["full"] }
+
+[patch.crates-io]
+http-body-util = { path = "../http-body/http-body-util" }
+http-body = { path = "../http-body/http-body" }
+http = { path = "../http" }
+h2 = { path = "../h2", features = ['unstable'] }
+httparse = { path = "../httparse" }
+httpdate = { path = "../httpdate" }
+hyper = { path = "../hyper/" }
+
+[[bin]]
+name = "f0_http_gen"
+path = "./src/tools/f0_http_gen.rs"
+
+[[bin]]
+name = "h2_fuzz_client_test"
+path = "./src/tools/h2_fuzz_client_test.rs"
+
+
+[profile.release]
+debug = true

README.md

@@ -0,0 +1,8 @@
+# Fuzz Hyperium
+
+Fuzzing harnesses, scripts, etc. for Hyperium projects:
+
+* hyper
+* http
+* httparse
+* h2

clone-deps.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+
+set -ex
+
+if [[ -z "$DEPTH" ]]; then
+    DEPTH_ARG=""
+else
+    DEPTH_ARG="--depth=$DEPTH"
+fi
+
+SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+cd $SCRIPT_DIR/../
+
+for repo in \
+    https://github.com/hyperium/hyper \
+    https://github.com/hyperium/http \
+    https://github.com/hyperium/http-body \
+    https://github.com/seanmonstar/httparse \
+    https://github.com/hyperium/h2 \
+    https://github.com/pyfisch/httpdate \
+; do
+    git clone $DEPTH_ARG "$repo" \
+        || (cd "$(echo "$repo" | cut -d '/' -f 5 )" && git pull --rebase || true)
+done

fuzz/.gitignore

@@ -0,0 +1,5 @@
+target
+corpus
+artifacts
+artifacts.bak
+coverage

fuzz/Cargo.toml

@@ -0,0 +1,134 @@
+[package]
+name = "hyperium-fuzz-targets"
+version = "0.0.0"
+edition = "2021"
+publish = false
+
+[package.metadata]
+cargo-fuzz = true
+
+[features]
+default = ["use_libfuzzer", "use_grammar"]
+use_libfuzzer = ["libfuzzer-sys"]
+use_libafl = ["cargo-libafl-helper"]
+use_grammar = []
+enable_tracing = []
+
+[dependencies]
+arbitrary = { version = "1", features = ["derive"] }
+cargo-libafl-helper = { version = "0", optional = true }
+libfuzzer-sys = { version = "0.4", features = ["arbitrary-derive"], optional = true }
+
+hpack = { git = "https://github.com/mlalic/hpack-rs.git", rev = "refs/pull/7/head" }
+hyperium-fuzz-utils = { path = ".." }
+rand = "0.8"
+rand_pcg = "0.3"
+
+futures = { version = "0.3", default-features = false, features = ["std"] }
+tokio = { version = "1", features = ["full"] }
+tokio-test = { version = "0.4" }
+
+bytes = "1"
+lazy_static = "*"
+
+tracing-subscriber = { version = "0.3", features = ["env-filter"] }
+tracing = "*"
+
+# in-scope libraries
+h2 = { path = "../../h2/" }
+h2-support = { path = "../../h2/tests/h2-support" }
+http = { path = "../../http/" }
+http-body = { path = "../../http-body/http-body" }
+http-body-util = { path = "../../http-body/http-body-util" }
+httparse = { path = "../../httparse/" }
+httpdate = { path = "../../httpdate" }
+hyper = { path = "../../hyper/", features = ["full"] }
+
+[patch.crates-io]
+http-body-util = { path = "../../http-body/http-body-util" }
+http-body = { path = "../../http-body/http-body" }
+http = { path = "../../http" }
+h2 = { path = "../../h2", features = ['unstable'] }
+httparse = { path = "../../httparse" }
+httpdate = { path = "../../httpdate" }
+hyper = { path = "../../hyper/" }
+
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[profile.release]
+debug = 1
+
+[[bin]]
+name = "fuzz_h2_e2e"
+path = "fuzz_targets/h2/e2e.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_h2_client_builder"
+path = "fuzz_targets/h2/client_builder.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_h2_server2"
+path = "fuzz_targets/h2/server2.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_h2_client2"
+path = "fuzz_targets/h2/client2.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_h2_hpack"
+path = "fuzz_targets/h2/hpack.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_http_http"
+path = "fuzz_targets/http/http.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_http_uri"
+path = "fuzz_targets/http/uri.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_httparse_chunk_size"
+path = "fuzz_targets/httparse/parse_chunk_size.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_httparse_headers"
+path = "fuzz_targets/httparse/parse_headers.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_httpdate_roundtrip"
+path = "fuzz_targets/httpdate/roundtrip.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_httparse_request"
+path = "fuzz_targets/httparse/parse_request.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_httparse_response"
+path = "fuzz_targets/httparse/parse_response.rs"
+test = false
+doc = false

fuzz/compare.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+rm -rf coverage
+cargo fuzz coverage -O fuzz_httparse_request
+./grcov.sh
+
+pushd ../../cov.html/
+mv hyper httparse_req_v1
+popd
+
+rm -rf coverage
+cargo fuzz coverage -O fuzz_httparse_request2
+./grcov.sh
+
+pushd ../../cov.html/
+mv hyper httparse_req_v2
+popd

fuzz/cov_all.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+if [[ -z "$MERGE_RSS" ]]; then
+    MERGE_RSS=122880
+fi
+if [[ -z "$FUZZ_SYNC_TARGET" ]]; then
+    FUZZ_SYNC_TARGET=""
+fi
+
+if [[ "$TEST" -eq 1 ]]; then
+    set -e
+else
+    TEST=0
+fi 
+
+# prevent logging output
+export RUST_LOG=
+
+set -x -u -o pipefail
+
+if [[ -n "$FUZZ_SYNC_TARGET" ]]; then
+    echo "[+] synching corpus"
+    rsync -rtu "$FUZZ_SYNC_TARGET/corpus/" ./corpus || true
+fi
+
+# cargo fuzz build -O
+
+for target in $(cargo fuzz list | shuf); do 
+    echo "[+] running target: $target"
+    cargo fuzz cmin -O -s none "$target" -- -set_cover_merge=1 -rss_limit_mb=$MERGE_RSS
+    cargo fuzz coverage -O "$target"
+
+    if [[ "$TEST" -eq 1 ]]; then
+        break
+    fi
+done
+
+echo "[+] making coverage report"
+./grcov.sh || true