/* Welcome to libEpollFuzzer - a mock implementation of the epoll/socket syscalls */ /* Current implementation is extremely experimental and trashy, mind you */ #include <stdio.h> #include <stdlib.h> #include <stdint.h> #include <string.h> #include <stdarg.h> //#include <threads.h> #include <sys/timerfd.h> #include <sys/epoll.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <errno.h> // todo: add connect, donät pass invalid-FD to real syscalls // getaddrinfo should return inet6 somtimes and sometimes wrong family (done) // accept4 should produce inet6 sometimes (done) // socket syscall should fail with given invalid family (done) // listen syscall should fail sometimes (done) /* Currently read, close, fcntl are wrapped to real syscalls */ /* TODO: Our FDs should start at 1024 while actual real FDs should be reserved from 0 to 1023 and passed to actual * real syscalls so that we can co-exist with overlapping syscalls like read, open, write, close */ //#define PRINTF_DEBUG /* The test case */ void test(); void teardown(); #ifdef __cplusplus extern "C" { #endif struct file { /* Every file has a type; socket, event, timer, epoll */ int type; /* We assume there can only be one event-loop at any given point in time, * so every file holds its own epoll_event */ struct epoll_event epev; /* A file may be added to an epfd by linking it in a list */ struct file *prev, *next; }; /* If FD is less than this, it should be passed to REAL syscall. * We never produce FDs lower than this (except for -1 on error) */ const int RESERVED_SYSTEM_FDS = 1024; /* Map from some collection of integers to a shared extensible struct of data */ const int MAX_FDS = 1000; struct file *fd_to_file[MAX_FDS]; const int FD_TYPE_EPOLL = 0; const int FD_TYPE_TIMER = 1; const int FD_TYPE_EVENT = 2; const int FD_TYPE_SOCKET = 3; int num_fds = 0; /* Keeping track of cunsumable data */ unsigned char *consumable_data; int consumable_data_length; void set_consumable_data(const unsigned char *new_data, int new_length) { consumable_data = (unsigned char *) new_data; consumable_data_length = new_length; } /* Returns non-null on error */ int consume_byte(unsigned char *b) { if (consumable_data_length) { *b = consumable_data[0]; consumable_data++; consumable_data_length--; return 0; } return -1; } /* Keeping track of FDs */ /* Returns -1 on error, or RESERVED_SYSTEM_FDS and above */ int allocate_fd() { // this can be massively optimized by having a list of free blocks or the like for (int fd = 0; fd < MAX_FDS; fd++) { if (!fd_to_file[fd]) { num_fds++; return fd + RESERVED_SYSTEM_FDS; } } return -1; } /* This one should set the actual file for this FD */ void init_fd(int fd, int type, struct file *f) { if (fd >= RESERVED_SYSTEM_FDS) { fd_to_file[fd - RESERVED_SYSTEM_FDS] = f; fd_to_file[fd - RESERVED_SYSTEM_FDS]->type = type; fd_to_file[fd - RESERVED_SYSTEM_FDS]->next = NULL; fd_to_file[fd - RESERVED_SYSTEM_FDS]->prev = NULL; } } struct file *map_fd(int fd) { if (fd >= RESERVED_SYSTEM_FDS && fd < MAX_FDS + RESERVED_SYSTEM_FDS) { return fd_to_file[fd - RESERVED_SYSTEM_FDS]; } return NULL; } /* This one should remove the FD from any pollset by calling epoll_ctl remove */ int free_fd(int fd) { if (fd >= RESERVED_SYSTEM_FDS && fd < MAX_FDS + RESERVED_SYSTEM_FDS) { if (fd_to_file[fd - RESERVED_SYSTEM_FDS]) { fd_to_file[fd - RESERVED_SYSTEM_FDS] = 0; num_fds--; return 0; } } return -1; } /* The epoll syscalls */ struct epoll_file { struct file base; /* A doubly linked list for polls awaiting events */ struct file *poll_set_head, *poll_set_tail; }; /* This function is O(n) and does not consume any fuzz data, but will fail if run out of FDs */ int __wrap_epoll_create1(int flags) { /* Todo: check that we do not allocate more than one epoll FD */ int fd = allocate_fd(); if (fd != -1) { struct epoll_file *ef = (struct epoll_file *)malloc(sizeof(struct epoll_file)); /* Init the epoll_file */ ef->poll_set_head = NULL; ef->poll_set_tail = NULL; init_fd(fd, FD_TYPE_EPOLL, (struct file *)ef); } #ifdef PRINTF_DEBUG printf("epoll_create1 returning epfd: %d\n", fd); #endif return fd; } // this function cannot be called inside an iteration! it changes the list /* This function is O(1) and does not consume any fuzz data */ int __wrap_epoll_ctl(int epfd, int op, int fd, struct epoll_event *event) { struct epoll_file *ef = (struct epoll_file *)map_fd(epfd); if (!ef) { return -1; } struct file *f = (struct file *)map_fd(fd); if (!f) { return -1; } /* We add new polls in the head */ if (op == EPOLL_CTL_ADD) { // if there is a head already if (ef->poll_set_head) { ef->poll_set_head->prev = f; // then it will be our next f->next = ef->poll_set_head; } else { // if there was no head then we became the tail also ef->poll_set_tail = f; } // we are now the head in any case ef->poll_set_head = f; f->epev = *event; } else if (op == EPOLL_CTL_MOD) { /* Modifying is simply changing the file itself */ f->epev = *event; } else if (op == EPOLL_CTL_DEL) { if (f->prev) { f->prev->next = f->next; } else { ef->poll_set_head = f->next; } if (f->next) { f->next->prev = f->prev; } else { // tail ska vara vår.prev ef->poll_set_tail = f->prev; } // a file that is not in the list should be reset to NULL f->prev = NULL; f->next = NULL; } /* You have to poll for errors and hangups */ f->epev.events |= EPOLLERR | EPOLLHUP; return 0; } /* This function is O(n) and consumes fuzz data and might trigger teardown callback */ int __wrap_epoll_wait(int epfd, struct epoll_event *events, int maxevents, int timeout) { //printf("epoll_wait: %d\n", 0); #ifdef PRINTF_DEBUG printf("Calling epoll_wait\n"); #endif struct epoll_file *ef = (struct epoll_file *)map_fd(epfd); if (!ef) { return -1; } if (consumable_data_length) { int ready_events = 0; for (struct file *f = ef->poll_set_head; f; f = f->next) { /* Consume one fuzz byte, AND it with the event */ if (!consumable_data_length) { // break if we have no data break; } // here we have the main condition that drives everything int ready_event = consumable_data[0] & f->epev.events; // consume the byte consumable_data_length--; consumable_data++; if (ready_event) { if (ready_events < maxevents) { events[ready_events] = f->epev; // todo: the event should be masked by the byte, not everything it wants shold be given all the time! events[ready_events++].events = ready_event; } else { // we are full, break break; } } } return ready_events; } else { #ifdef PRINTF_DEBUG printf("Calling teardown\n"); #endif teardown(); // after shutting down the listen socket we clear the whole list (the bug in epoll_ctl remove) // so the below loop doesn't work - we never close anything more than the listen socket! /* You don't really need to emit teardown, you could simply emit error on every poll */ int ready_events = 0; #ifdef PRINTF_DEBUG printf("Emitting error on every remaining FD\n"); #endif for (struct file *f = ef->poll_set_head; f; f = f->next) { if (f->type == FD_TYPE_SOCKET) { if (ready_events < maxevents) { events[ready_events] = f->epev; // todo: the event should be masked by the byte, not everything it wants shold be given all the time! events[ready_events++].events = EPOLLERR | EPOLLHUP; } else { // we are full, break break; } } } #ifdef PRINTF_DEBUG printf("Ready events: %d\n", ready_events); #endif return ready_events; } } /* The socket syscalls */ struct socket_file { struct file base; /* We store socket addresses created in accept4 */ union { struct sockaddr_in6 in6; struct sockaddr_in in; } addr; /* The size of sockaddr_in6 or sockaddr_in as a whole */ socklen_t len; }; extern int __real_read(int fd, void *buf, size_t count); int __wrap_read(int fd, void *buf, size_t count) { if (fd < RESERVED_SYSTEM_FDS) { return __real_read(fd, buf, count); } #ifdef PRINTF_DEBUG printf("Wrapped read\n"); #endif /* Let's try and clear the buffer first */ //memset(buf, 0, count); struct file *f = map_fd(fd); if (!f) { return -1; } errno = 0; if (f->type == FD_TYPE_SOCKET) { if (!consumable_data_length) { errno = EWOULDBLOCK; return -1; } else { int data_available = (unsigned char) consumable_data[0]; consumable_data_length--; consumable_data++; if (consumable_data_length < data_available) { data_available = consumable_data_length; } if (count < data_available) { data_available = count; } memcpy(buf, consumable_data, data_available); consumable_data_length -= data_available; consumable_data += data_available; return data_available; } } if (f->type == FD_TYPE_EVENT) { memset(buf, 1, 8); return 8; } if (f->type == FD_TYPE_TIMER) { memset(buf, 1, 8); return 8; } return -1; } /* We just ignore the extra flag here */ int __wrap_recv(int sockfd, void *buf, size_t len, int flags) { return __wrap_read(sockfd, buf, len); } int __wrap_send(int sockfd, const void *buf, size_t len, int flags) { if (consumable_data_length) { /* We can send len scaled by the 1 byte */ unsigned char scale = consumable_data[0]; consumable_data++; consumable_data_length--; int written = float(scale) / 255.0f * len; if (written == 0) { errno = EWOULDBLOCK; } else { errno = 0; } return written; } else { return -1; } } int __wrap_sendto(int sockfd, const void *buf, size_t len, int flags, const struct sockaddr *dest_addr, socklen_t addrlen) { return __wrap_send(sockfd, buf, len, flags); } int __wrap_bind() { return 0; } int __wrap_setsockopt() { return 0; } extern int __real_fcntl(int fd, int cmd, ... /* arg */ ); int __wrap_fcntl(int fd, int cmd, ... /* arg */) { if (fd < RESERVED_SYSTEM_FDS) { va_list args; va_start(args, cmd); int ret = __real_fcntl(fd, cmd, args); va_end(args); return ret; } return 0; } /* Addrinfo */ int __wrap_getaddrinfo(const char *node, const char *service, const struct addrinfo *hints, struct addrinfo **res) { //printf("Wrapped getaddrinfo\n"); struct addrinfo default_hints = {}; if (!hints) { hints = &default_hints; } unsigned char b; if (consume_byte(&b)) { return -1; } /* This one should be thread_local */ static /*thread_local*/ struct addrinfo ai; ai.ai_flags = hints->ai_flags; ai.ai_socktype = hints->ai_socktype; ai.ai_protocol = hints->ai_protocol; if (b > 127) { ai.ai_family = AF_INET;//hints->ai_family; } else { ai.ai_family = AF_INET6;//hints->ai_family; } /* This one is for generating the wrong family (maybe invalid?) */ if (b == 0) { ai.ai_family = hints->ai_family; } ai.ai_next = NULL; ai.ai_canonname = NULL; // fel // these should depend on inet6 or inet */ ai.ai_addrlen = 4; // fel ai.ai_addr = NULL; // ska peka på en sockaddr! // we need to return an addrinfo with family AF_INET6 *res = &ai; return 0; } int __wrap_freeaddrinfo() { return 0; } /* This one should return the same address as accept4 did produce */ int __wrap_getpeername(int sockfd, struct sockaddr *addr, socklen_t *addrlen) { struct file *f = map_fd(sockfd); if (!f) { return -1; } // todo: this could fail with -1 also (consume a byte)? if (f->type == FD_TYPE_SOCKET) { struct socket_file *sf = (struct socket_file *) f; if (addr) { memcpy(addr, &sf->addr, sf->len); *addrlen = sf->len; } return 0; } return -1; } int __wrap_accept4(int sockfd, struct sockaddr *addr, socklen_t *addrlen) { /* We must end with -1 since we are called in a loop */ unsigned char b; if (consume_byte(&b)) { return -1; } /* This rule might change, anything below 10 is accepted */ if (b < 10) { int fd = allocate_fd(); if (fd != -1) { /* Allocate the file */ struct socket_file *sf = (struct socket_file *) malloc(sizeof(struct socket_file)); /* Init the file */ /* Here we need to create a socket FD and return */ init_fd(fd, FD_TYPE_SOCKET, (struct file *)sf); /* We need to provide an addr */ /* Begin by setting it to an empty in6 address */ memset(&sf->addr, 0, sizeof(struct sockaddr_in6)); sf->len = sizeof(struct sockaddr_in6); sf->addr.in6.sin6_family = AF_INET6; /* Opt-in to ipv4 */ if (b < 5) { memset(&sf->addr, 0, sizeof(struct sockaddr_in6)); sf->len = sizeof(struct sockaddr_in); sf->addr.in.sin_family = AF_INET; } if (addr) { /* Copy from socket to addr */ memcpy(addr, &sf->addr, sf->len); } } return fd; } return -1; } int __wrap_listen() { /* Listen consumes one byte and fails on -1 */ unsigned char b; if (consume_byte(&b)) { return -1; } if (b) { return 0; } return -1; } /* This one is similar to accept4 and has to return a valid FD of type socket */ int __wrap_socket(int domain, int type, int protocol) { /* Only accept valid families */ if (domain != AF_INET && domain != AF_INET6) { return -1; } int fd = allocate_fd(); if (fd != -1) { struct socket_file *sf = (struct socket_file *)malloc(sizeof(struct socket_file)); /* Init the file */ init_fd(fd, FD_TYPE_SOCKET, (struct file *)sf); } #ifdef PRINTF_DEBUG printf("socket returning fd: %d\n", fd); #endif return fd; } int __wrap_shutdown() { //printf("Wrapped shutdown\n"); return 0; } /* The timerfd syscalls */ struct timer_file { struct file base; }; int __wrap_timerfd_create(int clockid, int flags) { int fd = allocate_fd(); if (fd != -1) { struct timer_file *tf = (struct timer_file *)malloc(sizeof(struct timer_file)); /* Init the file */ init_fd(fd, FD_TYPE_TIMER, (struct file *)tf); } #ifdef PRINTF_DEBUG printf("timerfd_create returning fd: %d\n", fd); #endif return fd; } int __wrap_timerfd_settime(int fd, int flags, const struct itimerspec *new_value, struct itimerspec *old_value) { //printf("timerfd_settime: %d\n", fd); return 0; } /* The eventfd syscalls */ struct event_file { struct file base; }; int __wrap_eventfd() { int fd = allocate_fd(); if (fd != -1) { struct event_file *ef = (struct event_file *)malloc(sizeof(struct event_file)); /* Init the file */ init_fd(fd, FD_TYPE_EVENT, (struct file *)ef); //printf("eventfd: %d\n", fd); } #ifdef PRINTF_DEBUG printf("eventfd returning fd: %d\n", fd); #endif return fd; } // timerfd_settime /* File descriptors exist in a shared dimension, and has to know its type */ extern int __real_close(int fd); int __wrap_close(int fd) { if (fd < RESERVED_SYSTEM_FDS) { return __real_close(fd); } struct file *f = map_fd(fd); if (!f) { return -1; } if (f->type == FD_TYPE_EPOLL) { #ifdef PRINTF_DEBUG printf("Closing epoll FD: %d\n", fd); #endif free(f); return free_fd(fd); } else if (f->type == FD_TYPE_TIMER) { #ifdef PRINTF_DEBUG printf("Closing timer fd: %d\n", fd); #endif free(f); return free_fd(fd); } else if (f->type == FD_TYPE_EVENT) { #ifdef PRINTF_DEBUG printf("Closing event fd: %d\n", fd); #endif free(f); return free_fd(fd); } else if (f->type == FD_TYPE_SOCKET) { #ifdef PRINTF_DEBUG printf("Closing socket fd: %d\n", fd); #endif // we should call epoll_ctl remove here free(f); int ret = free_fd(fd); #ifdef PRINTF_DEBUG printf("Ret: %d\n", ret); #endif //free(-1); return ret; } return -1; } int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { set_consumable_data(data, size); test(); if (num_fds) { printf("ERROR! Cannot leave open FDs after test!\n"); } return 0; } #ifdef __cplusplus } #endif