[go: nahoru, domu]
Google Git
Sign in
chromium / chromium / src / d244fdff5fbbda333ea904b7833b81dddc14ba3b / . / courgette / encoded_program_fuzz_unittest.cc
blob: a869bc2af47e4d5fc4c9d5bf2f0326deb022b657 [file] [log] [blame]
laforge@chromium.orgd244fdf2011-10-11 18:35:37[diff] [blame^]1// Copyright (c) 2009 The Chromium Authors. All rights reserved.
sra@chromium.org04ca1bc2009-05-08 23:00:29[diff] [blame]2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5// Fuzz testing for EncodedProgram serialized format and assembly.
6//
7// We would like some assurance that if an EncodedProgram is malformed we will
8// not crash. The EncodedProgram could be malformed either due to malicious
9// attack to due to an error in patch generation.
10//
11// We try a lot of arbitrary modifications to the serialized form and make sure
12// that the outcome is not a crash.
13
14#include <string>
15
16#include "base/path_service.h"
17#include "base/file_util.h"
18#include "base/string_util.h"
brettw@chromium.orgfb895c62009-10-09 18:20:30[diff] [blame]19#include "base/test/test_suite.h"
sra@chromium.org04ca1bc2009-05-08 23:00:29[diff] [blame]20
21#include "courgette/courgette.h"
22#include "courgette/streams.h"
23
24#include "testing/gtest/include/gtest/gtest.h"
25
26class DecodeFuzzTest : public testing::Test {
27 public:
28 void FuzzExe(const char *) const;
29
30 private:
31 virtual void SetUp() {
32 PathService::Get(base::DIR_SOURCE_ROOT, &testdata_dir_);
sra@google.com54f1b822009-07-18 03:28:40[diff] [blame]33 testdata_dir_ = testdata_dir_.AppendASCII("courgette");
34 testdata_dir_ = testdata_dir_.AppendASCII("testdata");
sra@chromium.org04ca1bc2009-05-08 23:00:29[diff] [blame]35 }
36
37 virtual void TearDown() { }
38
39 void FuzzByte(const std::string& buffer, const std::string& output,
40 size_t index) const;
41 void FuzzBits(const std::string& buffer, const std::string& output,
42 size_t index, int bits_to_flip) const;
43
44 // Returns true if could assemble, false if rejected.
45 bool TryAssemble(const std::string& buffer, std::string* output) const;
46
47 // Returns contents of |file_name| as uninterprested bytes stored in a string.
48 std::string FileContents(const char* file_name) const;
49
50 // Full path name of testdata directory
51 FilePath testdata_dir_;
52};
53
54// Reads a test file into a string.
55std::string DecodeFuzzTest::FileContents(const char* file_name) const {
56 FilePath file_path = testdata_dir_.AppendASCII(file_name);
57 std::string file_contents;
58 if (!file_util::ReadFileToString(file_path, &file_contents)) {
59 EXPECT_TRUE(!"Could not read test data");
60 }
61 return file_contents;
62}
63
64// Loads an executable and does fuzz testing in the serialized format.
65void DecodeFuzzTest::FuzzExe(const char* file_name) const {
66 std::string file1 = FileContents(file_name);
67
68 const void* original_buffer = file1.c_str();
69 size_t original_length = file1.size();
70
71 courgette::AssemblyProgram* program = NULL;
72 const courgette::Status parse_status =
laforge@chromium.orgd244fdf2011-10-11 18:35:37[diff] [blame^]73 courgette::ParseWin32X86PE(original_buffer, original_length, &program);
sra@chromium.org04ca1bc2009-05-08 23:00:29[diff] [blame]74 EXPECT_EQ(courgette::C_OK, parse_status);
75
76 courgette::EncodedProgram* encoded = NULL;
77
78 const courgette::Status encode_status = Encode(program, &encoded);
79 EXPECT_EQ(courgette::C_OK, encode_status);
80
81 DeleteAssemblyProgram(program);
82
83 courgette::SinkStreamSet sinks;
84 const courgette::Status write_status = WriteEncodedProgram(encoded, &sinks);
85 EXPECT_EQ(courgette::C_OK, write_status);
86
87 DeleteEncodedProgram(encoded);
88
89 courgette::SinkStream sink;
90 bool can_collect = sinks.CopyTo(&sink);
91 EXPECT_TRUE(can_collect);
92
93 size_t length = sink.Length();
94
95 std::string base_buffer(reinterpret_cast<const char*>(sink.Buffer()), length);
96 std::string base_output;
97 bool ok = TryAssemble(base_buffer, &base_output);
hans@chromium.org515f2492011-01-14 10:36:28[diff] [blame]98 EXPECT_TRUE(ok);
sra@chromium.org04ca1bc2009-05-08 23:00:29[diff] [blame]99
100 // Now we have a good serialized EncodedProgram in |base_buffer|. Time to
101 // fuzz.
102
103 // More intense fuzzing on the first part because it contains more control
104 // information like substeam lengths.
105 size_t position = 0;
106 for ( ; position < 100 && position < length; position += 1) {
107 FuzzByte(base_buffer, base_output, position);
108 }
109 // We would love to fuzz every position, but it takes too long.
110 for ( ; position < length; position += 900) {
111 FuzzByte(base_buffer, base_output, position);
112 }
113}
114
115// FuzzByte tries to break the EncodedProgram deserializer and assembler. It
116// takes a good serialization of and EncodedProgram, flips some bits, and checks
117// that the behaviour is reasonable. It has testing checks for unreasonable
118// behaviours.
119void DecodeFuzzTest::FuzzByte(const std::string& base_buffer,
120 const std::string& base_output,
121 size_t index) const {
122 printf("Fuzzing position %d\n", static_cast<int>(index));
123
124 // The following 10 values are a compromize between run time and coverage of
125 // the 255 'wrong' values at this byte position.
126
127 // 0xFF flips all the bits.
128 FuzzBits(base_buffer, base_output, index, 0xFF);
129 // 0x7F flips the most bits without changing Varint32 framing.
130 FuzzBits(base_buffer, base_output, index, 0x7F);
131 // These all flip one bit.
132 FuzzBits(base_buffer, base_output, index, 0x80);
133 FuzzBits(base_buffer, base_output, index, 0x40);
134 FuzzBits(base_buffer, base_output, index, 0x20);
135 FuzzBits(base_buffer, base_output, index, 0x10);
136 FuzzBits(base_buffer, base_output, index, 0x08);
137 FuzzBits(base_buffer, base_output, index, 0x04);
138 FuzzBits(base_buffer, base_output, index, 0x02);
139 FuzzBits(base_buffer, base_output, index, 0x01);
140}
141
142// FuzzBits tries to break the EncodedProgram deserializer and assembler. It
143// takes a good serialization of and EncodedProgram, flips some bits, and checks
144// that the behaviour is reasonable.
145//
146// There are EXPECT calls to check for unreasonable behaviour. These are
147// somewhat arbitrary in that the parameters cannot easily be derived from first
148// principles. They may need updating as the serialized format evolves.
149void DecodeFuzzTest::FuzzBits(const std::string& base_buffer,
150 const std::string& base_output,
151 size_t index, int bits_to_flip) const {
152 std::string modified_buffer = base_buffer;
153 std::string modified_output;
154 modified_buffer[index] ^= bits_to_flip;
155
156 bool ok = TryAssemble(modified_buffer, &modified_output);
157
158 if (ok) {
159 // We normally expect TryAssemble to fail. But sometimes it succeeds.
160 // What could have happened? We changed one byte in the serialized form:
161 //
162 // * If we changed one of the copied bytes, we would see a single byte
163 // change in the output.
164 // * If we changed an address table element, all the references to that
165 // address would be different.
166 // * If we changed a copy count, we would run out of data in some stream,
167 // or leave data remaining, so should not be here.
168 // * If we changed an origin address, it could affect all relocations based
169 // off that address. If no relocations were based off the address then
170 // there will be no changes.
171 // * If we changed an origin address, it could cause some abs32 relocs to
172 // shift from one page to the next, changing the number and layout of
173 // blocks in the base relocation table.
174
175 // Generated length could vary slightly due to base relocation table layout.
176 // In the worst case the number of base relocation blocks doubles, approx
177 // 12/4096 or 0.3% size of file.
178 size_t base_length = base_output.length();
179 size_t modified_length = modified_output.length();
180 ptrdiff_t diff = base_length - modified_length;
181 if (diff < -200 || diff > 200) {
182 EXPECT_EQ(base_length, modified_length);
183 }
184
185 size_t changed_byte_count = 0;
186 for (size_t i = 0; i < base_length && i < modified_length; ++i) {
187 changed_byte_count += (base_output[i] != modified_output[i]);
188 }
189
190 if (index > 60) { // Beyond the origin addresses ...
sra@google.com54f1b822009-07-18 03:28:40[diff] [blame]191 EXPECT_NE(0U, changed_byte_count); // ... we expect some difference.
sra@chromium.org04ca1bc2009-05-08 23:00:29[diff] [blame]192 }
193 // Currently all changes are smaller than this number:
sra@google.com54f1b822009-07-18 03:28:40[diff] [blame]194 EXPECT_GE(45000U, changed_byte_count);
sra@chromium.org04ca1bc2009-05-08 23:00:29[diff] [blame]195 }
196}
197
198bool DecodeFuzzTest::TryAssemble(const std::string& buffer,
199 std::string* output) const {
200 courgette::EncodedProgram *encoded = NULL;
201 bool result = false;
202
203 courgette::SourceStreamSet sources;
204 bool can_get_source_streams = sources.Init(buffer.c_str(), buffer.length());
205 if (can_get_source_streams) {
206 const courgette::Status read_status =
207 ReadEncodedProgram(&sources, &encoded);
208 if (read_status == courgette::C_OK) {
209 courgette::SinkStream assembled;
210 const courgette::Status assemble_status = Assemble(encoded, &assembled);
211
212 if (assemble_status == courgette::C_OK) {
213 const void* assembled_buffer = assembled.Buffer();
214 size_t assembled_length = assembled.Length();
215
216 output->clear();
217 output->assign(reinterpret_cast<const char*>(assembled_buffer),
218 assembled_length);
219 result = true;
220 }
221 }
222 }
223
224 DeleteEncodedProgram(encoded);
225
226 return result;
227}
228
229TEST_F(DecodeFuzzTest, All) {
230 FuzzExe("setup1.exe");
231}
232
233int main(int argc, char** argv) {
brettw@chromium.org20e14912010-08-17 19:40:11[diff] [blame]234 return base::TestSuite(argc, argv).Run();
sra@chromium.org04ca1bc2009-05-08 23:00:29[diff] [blame]235}