Added OSS-Fuzz fuzz targets sleuthkit#2429

.github/workflows/build_ossfuzz.yml

@@ -0,0 +1,39 @@
+# Build OSSFuzz fuzz targets from source.
+name: build_ossfuzz
+on:
+  push:
+    branches:
+      - '**'
+  pull_request:
+    branches:
+      - main
+      - develop
+permissions: read-all
+jobs:
+  build_ossfuzz:
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        include:
+        - architecture: 'x64'
+          compiler: 'gcc'
+          configure_options: ''
+    steps:
+    - name: Install build dependencies
+      run: |
+        sudo apt-get -y install git
+    - uses: actions/checkout@v4
+      with:
+        repository: google/oss-fuzz
+        path: oss-fuzz
+    - name: Build OSSFuzz fuzz targets
+      working-directory: oss-fuzz
+      run: |
+        # TODO: update ossfuzz script and then remove this work-around
+        # Work around hardcoded -Werror flags https://github.com/sleuthkit/sleuthkit/issues/3012
+        sed 's?./tsk/util/??' -i projects/sleuthkit/build.sh
+        sed 's?./tsk/pool/??' -i projects/sleuthkit/build.sh
+        sed 's?--without-libvmdk?--without-libvmdk --without-libcrypto?' -i projects/sleuthkit/build.sh
+        python3 infra/helper.py build_image --pull sleuthkit 
+        python3 infra/helper.py build_fuzzers --sanitizer address sleuthkit
+        python3 infra/helper.py check_build sleuthkit

Makefile.am

@@ -663,7 +663,7 @@ tests_read_apis_SOURCES = tests/read_apis.cpp
 # Unit tests:
 # Instead of linking with ../tsk/libtsk.la, we recompile everything from scratch
 # and link into a single executable.
-# THis makes things easier with codecov.
+# This makes things easier with codecov.
 
 check_PROGRAMS += unit_tests/runner
 
@@ -799,3 +799,138 @@ samples_posix_cpp_style_SOURCES = samples/posix-cpp-style.cpp
 
 samples_posix_style_LDADD = $(TSK_LIB)
 samples_posix_style_SOURCES = samples/posix-style.cpp
+
+#
+# OSSFuzz fuzz targets fuzz targets
+#
+
+if HAVE_LIB_FUZZING_ENGINE
+noinst_PROGRAMS += \
+	fls_apfs_fuzzer \
+	fls_ext_fuzzer \
+	fls_fat_fuzzer \
+	fls_hfs_fuzzer \
+	fls_iso9660_fuzzer \
+	fls_ntfs_fuzzer \
+	mmls_dos_fuzzer \
+	mmls_gpt_fuzzer \
+	mmls_mac_fuzzer \
+	mmls_sun_fuzzer
+
+fls_apfs_fuzzer_SOURCES = \
+	ossfuzz/fls_apfs_fuzzer.cc \
+	ossfuzz/mem_img.h
+
+fls_apfs_fuzzer_LDADD = \
+	@LIB_FUZZING_ENGINE@ \
+	$(TSK_LIB)
+
+fls_ext_fuzzer_SOURCES = \
+	ossfuzz/fls_fuzzer.cc \
+	ossfuzz/mem_img.h
+
+fls_ext_fuzzer_CPPFLAGS = \
+	-DFSTYPE=TSK_FS_TYPE_EXT_DETECT \
+	$(AM_CPPFLAGS)
+
+fls_ext_fuzzer_LDADD = \
+	@LIB_FUZZING_ENGINE@ \
+	$(TSK_LIB)
+
+fls_fat_fuzzer_SOURCES = \
+	ossfuzz/fls_fuzzer.cc \
+	ossfuzz/mem_img.h
+
+fls_fat_fuzzer_CPPFLAGS = \
+	-DFSTYPE=TSK_FS_TYPE_FAT_DETECT \
+	$(AM_CPPFLAGS)
+
+fls_fat_fuzzer_LDADD = \
+	@LIB_FUZZING_ENGINE@ \
+	$(TSK_LIB)
+
+fls_hfs_fuzzer_SOURCES = \
+	ossfuzz/fls_fuzzer.cc \
+	ossfuzz/mem_img.h
+
+fls_hfs_fuzzer_CPPFLAGS = \
+	-DFSTYPE=TSK_FS_TYPE_HFS \
+	$(AM_CPPFLAGS)
+
+fls_hfs_fuzzer_LDADD = \
+	@LIB_FUZZING_ENGINE@ \
+	$(TSK_LIB)
+
+fls_iso9660_fuzzer_SOURCES = \
+	ossfuzz/fls_fuzzer.cc \
+	ossfuzz/mem_img.h
+
+fls_iso9660_fuzzer_CPPFLAGS = \
+	-DFSTYPE=TSK_FS_TYPE_ISO9660 \
+	$(AM_CPPFLAGS)
+
+fls_iso9660_fuzzer_LDADD = \
+	@LIB_FUZZING_ENGINE@ \
+	$(TSK_LIB)
+
+fls_ntfs_fuzzer_SOURCES = \
+	ossfuzz/fls_fuzzer.cc \
+	ossfuzz/mem_img.h
+
+fls_ntfs_fuzzer_CPPFLAGS = \
+	-DFSTYPE=TSK_FS_TYPE_NTFS \
+	$(AM_CPPFLAGS)
+
+fls_ntfs_fuzzer_LDADD = \
+	@LIB_FUZZING_ENGINE@ \
+	$(TSK_LIB)
+
+mmls_dos_fuzzer_SOURCES = \
+	ossfuzz/mem_img.h \
+	ossfuzz/mmls_fuzzer.cc
+
+mmls_dos_fuzzer_CPPFLAGS = \
+	-DVSTYPE=TSK_VS_TYPE_DOS \
+	$(AM_CPPFLAGS)
+
+mmls_dos_fuzzer_LDADD = \
+	@LIB_FUZZING_ENGINE@ \
+	$(TSK_LIB)
+
+mmls_gpt_fuzzer_SOURCES = \
+	ossfuzz/mem_img.h \
+	ossfuzz/mmls_fuzzer.cc
+
+mmls_gpt_fuzzer_CPPFLAGS = \
+	-DVSTYPE=TSK_VS_TYPE_GPT \
+	$(AM_CPPFLAGS)
+
+mmls_gpt_fuzzer_LDADD = \
+	@LIB_FUZZING_ENGINE@ \
+	$(TSK_LIB)
+
+mmls_mac_fuzzer_SOURCES = \
+	ossfuzz/mem_img.h \
+	ossfuzz/mmls_fuzzer.cc
+
+mmls_mac_fuzzer_CPPFLAGS = \
+	-DVSTYPE=TSK_VS_TYPE_MAC \
+	$(AM_CPPFLAGS)
+
+mmls_mac_fuzzer_LDADD = \
+	@LIB_FUZZING_ENGINE@ \
+	$(TSK_LIB)
+
+mmls_sun_fuzzer_SOURCES = \
+	ossfuzz/mem_img.h \
+	ossfuzz/mmls_fuzzer.cc
+
+mmls_sun_fuzzer_CPPFLAGS = \
+	-DVSTYPE=TSK_VS_TYPE_SUN \
+	$(AM_CPPFLAGS)
+
+mmls_sun_fuzzer_LDADD = \
+	@LIB_FUZZING_ENGINE@ \
+	$(TSK_LIB)
+endif # HAVE_LIB_FUZZING_ENGINE
+

acinclude.m4

@@ -0,0 +1,10 @@
+dnl Function to detect if OSS-Fuzz build environment is available
+AC_DEFUN([AX_TESTS_CHECK_OSSFUZZ],
+  [AM_CONDITIONAL(
+    HAVE_LIB_FUZZING_ENGINE,
+    [test "x${LIB_FUZZING_ENGINE}" != x])
+  AC_SUBST(
+    [LIB_FUZZING_ENGINE],
+    ["${LIB_FUZZING_ENGINE}"])
+])
+

configure.ac

@@ -221,6 +221,10 @@ dnl status message and set X_JNI for use in Makefile
 AS_IF([test "x$JNI_CPPFLAGS" != x && test "x$ANT_FOUND" != x && test "x$JAVA" != x], [ax_java_support=yes], [ax_java_support=no])
 AM_CONDITIONAL([X_JNI],[test "x$ax_java_support" = "xyes"])
 
+dnl Dependencies for OSS-Fuzz
+AM_CONDITIONAL(HAVE_LIB_FUZZING_ENGINE, [test "x${LIB_FUZZING_ENGINE}" != x])
+AC_SUBST([LIB_FUZZING_ENGINE], ["${LIB_FUZZING_ENGINE}"])
+
 AC_CONFIG_COMMANDS([tsk/tsk_incs.h],
     [echo "#ifndef _TSK_INCS_H" > tsk/tsk_incs.h
     echo "#define _TSK_INCS_H" >> tsk/tsk_incs.h

licenses/README.md

@@ -126,6 +126,14 @@ Copyright (c) 2008 Steven G. Johnson <[email protected]>
 
 under GNU General Public License version 3 or later
 
+* ossfuzz/*.cc
+
+```
+Copyright 2020-2021 Google LLC
+```
+
+under Apache License, Version 2.0
+
 * rejistry++/*
 
 ```

ossfuzz/buildcorpus.sh

@@ -0,0 +1,77 @@
+#!/bin/bash -eu
+#
+# Script to downloads test data and build the corpus
+#
+# Copyright 2021 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Test data provided by:
+#
+# The Fuzzing Project: https://fuzzing-project.org/resources.html
+#   As CC0 1.0 Universal (CC0 1.0) Public Domain Dedication
+#   https://creativecommons.org/publicdomain/zero/1.0/
+#
+# The dfVFS project: https://github.com/log2timeline/dfvfs
+#   As Apache 2 https://github.com/log2timeline/dfvfs/blob/main/LICENSE
+
+# Files to use for fls fuzz targets
+declare -A FLS_TEST_FILES=(
+  ["apfs"]="https://github.com/log2timeline/dfvfs/blob/main/test_data/apfs.raw?raw=true"
+  ["ext"]="https://files.fuzzing-project.org/filesystems/ext2.img"
+  ["fat"]="https://files.fuzzing-project.org/filesystems/exfat.img https://files.fuzzing-project.org/filesystems/fat12.img https://files.fuzzing-project.org/filesystems/fat16.img https://files.fuzzing-project.org/filesystems/fat32.img"
+  ["hfs"]="https://files.fuzzing-project.org/filesystems/hfsplus.img"
+  ["iso9660"]="https://files.fuzzing-project.org/discimages/iso9660.iso"
+  ["ntfs"]="https://files.fuzzing-project.org/filesystems/ntfs.img"
+)
+
+# Files to use for mmls fuzz targets
+declare -A MMLS_TEST_FILES=(
+  ["dos"]="https://files.fuzzing-project.org/discimages/partition-dos"
+  ["gpt"]="https://files.fuzzing-project.org/discimages/partition-gpt"
+  ["mac"]="https://files.fuzzing-project.org/discimages/partition-mac"
+)
+
+
+for type in ${!FLS_TEST_FILES[@]}; do
+  fuzz_target="sleuthkit_fls_${type}_fuzzer"
+
+  mkdir -p "test_data/${fuzz_target}"
+
+  IFS=" "; for url in ${FLS_TEST_FILES[$type]}; do
+    filename=$( echo ${url} | sed 's/?[^?]*$//' )
+    filename=$( basename ${filename} )
+
+    curl -L -o "test_data/${fuzz_target}/${filename}" "${url}"
+  done
+
+  (cd "test_data/${fuzz_target}" && zip ${OUT}/${fuzz_target}_seed_corpus.zip *)
+done
+
+
+for type in ${!MMLS_TEST_FILES[@]}; do
+  fuzz_target="sleuthkit_mmls_${type}_fuzzer"
+
+  mkdir -p "test_data/${fuzz_target}"
+
+  IFS=" "; for url in ${MMLS_TEST_FILES[$type]}; do
+    filename=$( echo ${url} | sed 's/?[^?]*$//' )
+    filename=$( basename ${filename} )
+
+    curl -L -o "test_data/${fuzz_target}/${filename}" "${url}"
+  done
+
+  (cd "test_data/${fuzz_target}" && zip ${OUT}/${fuzz_target}_seed_corpus.zip *)
+done

ossfuzz/fls_apfs_fuzzer.cc

@@ -0,0 +1,60 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "tsk/tsk_tools_i.h"
+#include "tsk/fs/tsk_fs.h"
+#include "tsk/pool/tsk_pool.h"
+#include "mem_img.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  TSK_IMG_INFO* img;
+  TSK_IMG_INFO* pool_img;
+  TSK_FS_INFO* fs;
+  const TSK_POOL_INFO* pool;
+
+  img = mem_open(data, size);
+  if (img == nullptr) {
+    return 0;
+  }
+  pool = tsk_pool_open_img_sing(img, 0, TSK_POOL_TYPE_APFS);
+
+  if (pool == nullptr) {
+    goto out_img;
+  }
+  // Pool start block is APFS container specific and is hard coded for now
+  pool_img = pool->get_img_info(pool, (TSK_DADDR_T) 106);
+
+  if (pool_img == nullptr) {
+    goto out_pool;
+  }
+  fs = tsk_fs_open_img_decrypt(pool_img, 0, TSK_FS_TYPE_APFS_DETECT, "");
+
+  if (fs != nullptr) {
+    tsk_fs_fls(fs, TSK_FS_FLS_FULL, fs->root_inum, TSK_FS_DIR_WALK_FLAG_RECURSE, nullptr, 0);
+
+    fs->close(fs);
+  }
+  tsk_img_close(pool_img);
+
+out_pool:
+  tsk_pool_close(pool);
+
+out_img:
+  tsk_img_close(img);
+
+  return 0;
+}