Blame - courgette/encoded_program_fuzz_unittest.cc - chromium/src

blob: 1330510d6bd0ecbf46aba08cd5c05fe868cdd888 [file] [log] [blame]

dgarrett@chromium.org	bf0ece4	2011-10-18 01:08:35	[diff] [blame^]	1	// Copyright (c) 2011 The Chromium Authors. All rights reserved.
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	2	// Use of this source code is governed by a BSD-style license that can be
				3	// found in the LICENSE file.
				4
				5	// Fuzz testing for EncodedProgram serialized format and assembly.
				6	//
				7	// We would like some assurance that if an EncodedProgram is malformed we will
				8	// not crash. The EncodedProgram could be malformed either due to malicious
				9	// attack to due to an error in patch generation.
				10	//
				11	// We try a lot of arbitrary modifications to the serialized form and make sure
				12	// that the outcome is not a crash.
				13
brettw@chromium.org	fb895c6	2009-10-09 18:20:30	[diff] [blame]	14	#include "base/test/test_suite.h"
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	15
dgarrett@chromium.org	bf0ece4	2011-10-18 01:08:35	[diff] [blame^]	16	#include "courgette/base_test_unittest.h"
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	17	#include "courgette/courgette.h"
				18	#include "courgette/streams.h"
				19
dgarrett@chromium.org	bf0ece4	2011-10-18 01:08:35	[diff] [blame^]	20	class DecodeFuzzTest : public BaseTest {
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	21	public:
				22	void FuzzExe(const char *) const;
				23
				24	private:
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	25	void FuzzByte(const std::string& buffer, const std::string& output,
				26	size_t index) const;
				27	void FuzzBits(const std::string& buffer, const std::string& output,
				28	size_t index, int bits_to_flip) const;
				29
				30	// Returns true if could assemble, false if rejected.
				31	bool TryAssemble(const std::string& buffer, std::string* output) const;
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	32	};
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	33
				34	// Loads an executable and does fuzz testing in the serialized format.
				35	void DecodeFuzzTest::FuzzExe(const char* file_name) const {
				36	std::string file1 = FileContents(file_name);
				37
				38	const void* original_buffer = file1.c_str();
				39	size_t original_length = file1.size();
				40
				41	courgette::AssemblyProgram* program = NULL;
				42	const courgette::Status parse_status =
laforge@chromium.org	d244fdf	2011-10-11 18:35:37	[diff] [blame]	43	courgette::ParseWin32X86PE(original_buffer, original_length, &program);
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	44	EXPECT_EQ(courgette::C_OK, parse_status);
				45
				46	courgette::EncodedProgram* encoded = NULL;
				47
				48	const courgette::Status encode_status = Encode(program, &encoded);
				49	EXPECT_EQ(courgette::C_OK, encode_status);
				50
				51	DeleteAssemblyProgram(program);
				52
				53	courgette::SinkStreamSet sinks;
				54	const courgette::Status write_status = WriteEncodedProgram(encoded, &sinks);
				55	EXPECT_EQ(courgette::C_OK, write_status);
				56
				57	DeleteEncodedProgram(encoded);
				58
				59	courgette::SinkStream sink;
				60	bool can_collect = sinks.CopyTo(&sink);
				61	EXPECT_TRUE(can_collect);
				62
				63	size_t length = sink.Length();
				64
				65	std::string base_buffer(reinterpret_cast<const char*>(sink.Buffer()), length);
				66	std::string base_output;
				67	bool ok = TryAssemble(base_buffer, &base_output);
hans@chromium.org	515f249	2011-01-14 10:36:28	[diff] [blame]	68	EXPECT_TRUE(ok);
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	69
				70	// Now we have a good serialized EncodedProgram in \|base_buffer\|. Time to
				71	// fuzz.
				72
				73	// More intense fuzzing on the first part because it contains more control
				74	// information like substeam lengths.
				75	size_t position = 0;
				76	for ( ; position < 100 && position < length; position += 1) {
				77	FuzzByte(base_buffer, base_output, position);
				78	}
				79	// We would love to fuzz every position, but it takes too long.
				80	for ( ; position < length; position += 900) {
				81	FuzzByte(base_buffer, base_output, position);
				82	}
				83	}
				84
				85	// FuzzByte tries to break the EncodedProgram deserializer and assembler. It
				86	// takes a good serialization of and EncodedProgram, flips some bits, and checks
				87	// that the behaviour is reasonable. It has testing checks for unreasonable
				88	// behaviours.
				89	void DecodeFuzzTest::FuzzByte(const std::string& base_buffer,
				90	const std::string& base_output,
				91	size_t index) const {
				92	printf("Fuzzing position %d\n", static_cast<int>(index));
				93
				94	// The following 10 values are a compromize between run time and coverage of
				95	// the 255 'wrong' values at this byte position.
				96
				97	// 0xFF flips all the bits.
				98	FuzzBits(base_buffer, base_output, index, 0xFF);
				99	// 0x7F flips the most bits without changing Varint32 framing.
				100	FuzzBits(base_buffer, base_output, index, 0x7F);
				101	// These all flip one bit.
				102	FuzzBits(base_buffer, base_output, index, 0x80);
				103	FuzzBits(base_buffer, base_output, index, 0x40);
				104	FuzzBits(base_buffer, base_output, index, 0x20);
				105	FuzzBits(base_buffer, base_output, index, 0x10);
				106	FuzzBits(base_buffer, base_output, index, 0x08);
				107	FuzzBits(base_buffer, base_output, index, 0x04);
				108	FuzzBits(base_buffer, base_output, index, 0x02);
				109	FuzzBits(base_buffer, base_output, index, 0x01);
				110	}
				111
				112	// FuzzBits tries to break the EncodedProgram deserializer and assembler. It
				113	// takes a good serialization of and EncodedProgram, flips some bits, and checks
				114	// that the behaviour is reasonable.
				115	//
				116	// There are EXPECT calls to check for unreasonable behaviour. These are
				117	// somewhat arbitrary in that the parameters cannot easily be derived from first
				118	// principles. They may need updating as the serialized format evolves.
				119	void DecodeFuzzTest::FuzzBits(const std::string& base_buffer,
				120	const std::string& base_output,
				121	size_t index, int bits_to_flip) const {
				122	std::string modified_buffer = base_buffer;
				123	std::string modified_output;
				124	modified_buffer[index] ^= bits_to_flip;
				125
				126	bool ok = TryAssemble(modified_buffer, &modified_output);
				127
				128	if (ok) {
				129	// We normally expect TryAssemble to fail. But sometimes it succeeds.
				130	// What could have happened? We changed one byte in the serialized form:
				131	//
				132	// * If we changed one of the copied bytes, we would see a single byte
				133	// change in the output.
				134	// * If we changed an address table element, all the references to that
				135	// address would be different.
				136	// * If we changed a copy count, we would run out of data in some stream,
				137	// or leave data remaining, so should not be here.
				138	// * If we changed an origin address, it could affect all relocations based
				139	// off that address. If no relocations were based off the address then
				140	// there will be no changes.
				141	// * If we changed an origin address, it could cause some abs32 relocs to
				142	// shift from one page to the next, changing the number and layout of
				143	// blocks in the base relocation table.
				144
				145	// Generated length could vary slightly due to base relocation table layout.
				146	// In the worst case the number of base relocation blocks doubles, approx
				147	// 12/4096 or 0.3% size of file.
				148	size_t base_length = base_output.length();
				149	size_t modified_length = modified_output.length();
				150	ptrdiff_t diff = base_length - modified_length;
				151	if (diff < -200 \|\| diff > 200) {
				152	EXPECT_EQ(base_length, modified_length);
				153	}
				154
				155	size_t changed_byte_count = 0;
				156	for (size_t i = 0; i < base_length && i < modified_length; ++i) {
				157	changed_byte_count += (base_output[i] != modified_output[i]);
				158	}
				159
				160	if (index > 60) { // Beyond the origin addresses ...
sra@google.com	54f1b82	2009-07-18 03:28:40	[diff] [blame]	161	EXPECT_NE(0U, changed_byte_count); // ... we expect some difference.
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	162	}
				163	// Currently all changes are smaller than this number:
sra@google.com	54f1b82	2009-07-18 03:28:40	[diff] [blame]	164	EXPECT_GE(45000U, changed_byte_count);
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	165	}
				166	}
				167
				168	bool DecodeFuzzTest::TryAssemble(const std::string& buffer,
				169	std::string* output) const {
				170	courgette::EncodedProgram *encoded = NULL;
				171	bool result = false;
				172
				173	courgette::SourceStreamSet sources;
				174	bool can_get_source_streams = sources.Init(buffer.c_str(), buffer.length());
				175	if (can_get_source_streams) {
				176	const courgette::Status read_status =
				177	ReadEncodedProgram(&sources, &encoded);
				178	if (read_status == courgette::C_OK) {
				179	courgette::SinkStream assembled;
				180	const courgette::Status assemble_status = Assemble(encoded, &assembled);
				181
				182	if (assemble_status == courgette::C_OK) {
				183	const void* assembled_buffer = assembled.Buffer();
				184	size_t assembled_length = assembled.Length();
				185
				186	output->clear();
				187	output->assign(reinterpret_cast<const char*>(assembled_buffer),
				188	assembled_length);
				189	result = true;
				190	}
				191	}
				192	}
				193
				194	DeleteEncodedProgram(encoded);
				195
				196	return result;
				197	}
				198
				199	TEST_F(DecodeFuzzTest, All) {
				200	FuzzExe("setup1.exe");
				201	}
				202
				203	int main(int argc, char** argv) {
brettw@chromium.org	20e1491	2010-08-17 19:40:11	[diff] [blame]	204	return base::TestSuite(argc, argv).Run();
sra@chromium.org	04ca1bc	2009-05-08 23:00:29	[diff] [blame]	205	}