ruzzy 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d1625761614ef3e6e00d5b36a446dbbba3e880e75269b81e5e44f88b46945f4
-  data.tar.gz: eb5733016d8caf73b5230a1277e561781649101ebc614707f91a30b558056afc
+  metadata.gz: 0abba0ffb63d4c50fbbb33fb3624299f8421293a02d65e199525c75b4dbd5f46
+  data.tar.gz: 4787489da1373bb820cd66d62a913a4c9c33c49bda68f251dae25745ccac3679
 SHA512:
-  metadata.gz: e46ea2f68f183a5f3c87fd2ce1aeb1e36e2cbd6cbcb699aaa52e0bdee9d485959118ef3dedae073a78079d0afc94838b01ca8ac3a7f0babd59603930f7964b90
-  data.tar.gz: 04bb8723b7dd1ea06abdbc3b52fa6a9cc05e9c333f8f263aaaad6fec6b3b49c01f8eb3fb062c044486aa1325bd41754e60e9829688799358d49fc865df7f38df
+  metadata.gz: c029eca231fbeb0d8b19b469a6cb2de99117a939e35c9f42622f803d06a0b4ad85ceacc25dff1bba9e56b1179358ec8fff054a35d894faa11398727891697216
+  data.tar.gz: cb761ff27a1fa8d462295d9022d03490338d2608d94cddc8454fb2919fd308e8ee7ea18b4735e601574ca1366de266607c2966be18e27af21ab1c3e243f60237

data/ext/cruzzy/cruzzy.c

@@ -7,16 +7,39 @@
 #include <unistd.h>
 
 #include <ruby.h>
+#include <ruby/debug.h>
+
+// This constant is defined in the Ruby C implementation, but it's internal
+// only. Fortunately the event hooking still respects this constant being
+// passed from an external source. For more information see:
+// https://github.com/ruby/ruby/blob/v3_3_0/vm_core.h#L2182-L2184
+#define RUBY_EVENT_COVERAGE_BRANCH 0x020000
 
 // 128 arguments should be enough for anybody
 #define MAX_ARGS_SIZE 128
 
-int LLVMFuzzerRunDriver(
+// TODO: should we mmap like Atheris?
+#define MAX_COUNTERS 8192
+
+extern int LLVMFuzzerRunDriver(
     int *argc,
     char ***argv,
     int (*cb)(const uint8_t *data, size_t size)
 );
 
+extern void __sanitizer_cov_8bit_counters_init(uint8_t *start, uint8_t *stop);
+extern void __sanitizer_cov_pcs_init(uint8_t *pcs_beg, uint8_t *pcs_end);
+extern void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2);
+extern void __sanitizer_cov_trace_div8(uint64_t val);
+
+struct PCTableEntry {
+  void *pc;
+  long flags;
+};
+
+struct PCTableEntry PCTABLE[MAX_COUNTERS];
+uint8_t COUNTERS[MAX_COUNTERS];
+uint32_t COUNTER = 0;
 VALUE PROC_HOLDER = Qnil;
 
 static VALUE c_libfuzzer_is_loaded(VALUE self)
@@ -36,18 +59,21 @@ static VALUE c_libfuzzer_is_loaded(VALUE self)
 
 int ATEXIT_RETCODE = 0;
 
-static void ruzzy_exit() {
+__attribute__((__noreturn__)) static void ruzzy_exit()
+{
      _exit(ATEXIT_RETCODE);
 }
 
-static void graceful_exit(int code) {
+__attribute__((__noreturn__)) static void graceful_exit(int code)
+{
     // Disable libFuzzer's atexit
     ATEXIT_RETCODE = code;
     atexit(ruzzy_exit);
     exit(code);
 }
 
-static void sigint_handler(int signal) {
+__attribute__((__noreturn__)) static void sigint_handler(int signal)
+{
     fprintf(
         stderr,
         "Signal %d (%s) received. Exiting...\n",
@@ -78,7 +104,7 @@ static int proc_caller(const uint8_t *data, size_t size)
         );
     }
 
-    return NUM2INT(result);
+    return FIX2INT(result);
 }
 
 static VALUE c_fuzz(VALUE self, VALUE test_one_input, VALUE args)
@@ -120,7 +146,91 @@ static VALUE c_fuzz(VALUE self, VALUE test_one_input, VALUE args)
     // https://llvm.org/docs/LibFuzzer.html#using-libfuzzer-as-a-library
     int result = LLVMFuzzerRunDriver(&args_len, &args_ptr, proc_caller);
 
-    return INT2NUM(result);
+    return INT2FIX(result);
+}
+
+static VALUE c_trace_cmp8(VALUE self, VALUE arg1, VALUE arg2) {
+    // Ruby numerics include both integers and floats. Integers are further
+    // divided into fixnums and bignums. Fixnums can be 31-bit or 63-bit
+    // integers depending on the bit size of a long. Bignums are arbitrary
+    // precision integers. This function can only handle fixnums because
+    // sancov only provides comparison tracing up to 8-byte integers.
+    if (FIXNUM_P(arg1) && FIXNUM_P(arg2)) {
+        long arg1_val = NUM2LONG(arg1);
+        long arg2_val = NUM2LONG(arg2);
+        __sanitizer_cov_trace_cmp8((uint64_t) arg1_val, (uint64_t) arg2_val);
+    }
+
+    return Qnil;
+}
+
+static VALUE c_trace_div8(VALUE self, VALUE val) {
+    if (FIXNUM_P(val)) {
+        long val_val = NUM2LONG(val);
+        __sanitizer_cov_trace_div8((uint64_t) val_val);
+    }
+
+    return Qnil;
+}
+
+static void event_hook_branch(VALUE counter_hash, rb_trace_arg_t *tracearg) {
+    VALUE path = rb_tracearg_path(tracearg);
+    ID path_sym = rb_intern_str(path);
+    VALUE lineno = rb_tracearg_lineno(tracearg);
+    VALUE tuple = rb_ary_new_from_args(2, INT2NUM(path_sym), lineno);
+    VALUE existing_counter = rb_hash_lookup(counter_hash, tuple);
+
+    int counter_index;
+
+    if (NIL_P(existing_counter)) {
+        rb_hash_aset(counter_hash, tuple, INT2FIX(COUNTER));
+        counter_index = COUNTER++;
+    } else {
+        counter_index = FIX2INT(existing_counter);
+    }
+
+    COUNTERS[counter_index % MAX_COUNTERS]++;
+}
+
+static void enable_branch_coverage_hooks()
+{
+    // Call Coverage.setup(branches: true) to activate branch coverage hooks.
+    // Branch coverage hooks will not be activated without this call despite
+    // adding the event hooks. I suspect rb_set_coverages must be called
+    // first, which initializes some global state that we do not have direct
+    // access to. Calling setup initializes coverage state here:
+    // https://github.com/ruby/ruby/blob/v3_3_0/ext/coverage/coverage.c#L112-L120
+    // If rb_set_coverages is not called, then rb_get_coverages returns a NULL
+    // pointer, which appears to effectively disable coverage collection here:
+    // https://github.com/ruby/ruby/blob/v3_3_0/iseq.c
+    rb_require("coverage");
+    VALUE coverage_mod = rb_const_get(rb_cObject, rb_intern("Coverage"));
+    VALUE hash_arg = rb_hash_new();
+    rb_hash_aset(hash_arg, ID2SYM(rb_intern("branches")), Qtrue);
+    rb_funcall(coverage_mod, rb_intern("setup"), 1, hash_arg);
+}
+
+static VALUE c_trace_branch(VALUE self)
+{
+    VALUE counter_hash = rb_hash_new();
+
+    __sanitizer_cov_8bit_counters_init(COUNTERS, COUNTERS + MAX_COUNTERS);
+    __sanitizer_cov_pcs_init((uint8_t *)PCTABLE, (uint8_t *)(PCTABLE + MAX_COUNTERS));
+
+    rb_event_flag_t events = RUBY_EVENT_COVERAGE_BRANCH;
+    rb_event_hook_flag_t flags = (
+        RUBY_EVENT_HOOK_FLAG_SAFE | RUBY_EVENT_HOOK_FLAG_RAW_ARG
+    );
+    rb_add_event_hook2(
+        (rb_event_hook_func_t) event_hook_branch,
+        events,
+        counter_hash,
+        flags
+    );
+
+    enable_branch_coverage_hooks();
+
+    return Qnil;
 }
 
 void Init_cruzzy()
@@ -133,4 +243,7 @@ void Init_cruzzy()
     VALUE ruzzy = rb_const_get(rb_cObject, rb_intern("Ruzzy"));
     rb_define_module_function(ruzzy, "c_fuzz", &c_fuzz, 2);
     rb_define_module_function(ruzzy, "c_libfuzzer_is_loaded", &c_libfuzzer_is_loaded, 0);
+    rb_define_module_function(ruzzy, "c_trace_cmp8", &c_trace_cmp8, 2);
+    rb_define_module_function(ruzzy, "c_trace_div8", &c_trace_div8, 1);
+    rb_define_module_function(ruzzy, "c_trace_branch", &c_trace_branch, 0);
 }

data/ext/cruzzy/extconf.rb

@@ -6,7 +6,7 @@ require 'tempfile'
 require 'rbconfig'
 require 'logger'
 
-LOGGER = Logger.new(STDERR)
+LOGGER = Logger.new($stderr)
 LOGGER.level = ENV.key?('RUZZY_DEBUG') ? Logger::DEBUG : Logger::INFO
 
 # These ENV variables really shouldn't be used because we don't support
@@ -36,27 +36,26 @@ def get_clang_file_name(file_name)
   success && exists ? stdout.strip : false
 end
 
-def merge_asan_libfuzzer_lib(asan_lib, fuzzer_no_main_lib)
-  merged_output = 'asan_with_fuzzer.so'
-
+def merge_sanitizer_libfuzzer_lib(sanitizer_lib, fuzzer_no_main_lib, merged_output, *preinits)
   # https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#why-this-is-necessary
   Tempfile.create do |file|
-    file.write(File.open(asan_lib).read)
+    LOGGER.debug("Creating #{sanitizer_lib} sanitizer archive at #{file.path}")
+
+    file.write(File.open(sanitizer_lib).read)
 
-    LOGGER.debug("Creating ASAN archive at #{file.path}")
     _, status = Open3.capture2(
       AR,
       'd',
       file.path,
-      'asan_preinit.cc.o',
-      'asan_preinit.cpp.o'
+      *preinits
     )
     unless status.success?
       LOGGER.error("The #{AR} archive command failed.")
       exit(1)
     end
 
-    LOGGER.debug("Merging ASAN at #{file.path} and libFuzzer at #{fuzzer_no_main_lib} to #{merged_output}")
+    LOGGER.debug("Merging sanitizer at #{file.path} with libFuzzer at #{fuzzer_no_main_lib} to #{merged_output}")
+
     _, status = Open3.capture2(
       CXX,
       '-Wl,--whole-archive',
@@ -105,7 +104,33 @@ unless asan_lib
   exit(1)
 end
 
-merge_asan_libfuzzer_lib(asan_lib, fuzzer_no_main_lib)
+merge_sanitizer_libfuzzer_lib(
+  asan_lib,
+  fuzzer_no_main_lib,
+  'asan_with_fuzzer.so',
+  'asan_preinit.cc.o',
+  'asan_preinit.cpp.o'
+)
+
+ubsan_libs = [
+  'libclang_rt.ubsan_standalone.a',
+  'libclang_rt.ubsan_standalone-aarch64.a',
+  'libclang_rt.ubsan_standalone-x86_64.a'
+]
+ubsan_lib = ubsan_libs.map { |lib| get_clang_file_name(lib) }.find(&:itself)
+
+unless ubsan_lib
+  LOGGER.error("Could not find ubsan using #{CC}.")
+  exit(1)
+end
+
+merge_sanitizer_libfuzzer_lib(
+  ubsan_lib,
+  fuzzer_no_main_lib,
+  'ubsan_with_fuzzer.so',
+  'ubsan_init_standalone_preinit.cc.o',
+  'ubsan_init_standalone_preinit.cpp.o'
+)
 
 # The LOCAL_LIBS variable allows linking arbitrary libraries into Ruby C
 # extensions. It is supported by the Ruby mkmf library and C extension Makefile.

data/lib/ruzzy.rb

@@ -7,18 +7,21 @@ module Ruzzy
   require 'cruzzy/cruzzy'
 
   DEFAULT_ARGS = [$PROGRAM_NAME] + ARGV
+  EXT_PATH = Pathname.new(__FILE__).parent.parent / 'ext' / 'cruzzy'
+  ASAN_PATH = (EXT_PATH / 'asan_with_fuzzer.so').to_s
+  UBSAN_PATH = (EXT_PATH / 'ubsan_with_fuzzer.so').to_s
 
   def fuzz(test_one_input, args = DEFAULT_ARGS)
     c_fuzz(test_one_input, args)
   end
 
-  def ext_path
-    (Pathname.new(__FILE__).parent.parent + 'ext' + 'cruzzy').to_s
+  def dummy
+    fuzz(->(data) { Ruzzy.dummy_test_one_input(data) })
   end
 
   def dummy_test_one_input(data)
     # This 'require' depends on LD_PRELOAD, so it's placed inside the function
-    # scope. This allows us to run ext_path for LD_PRELOAD and not have a
+    # scope. This allows us to access EXT_PATH for LD_PRELOAD and not have a
     # circular dependency.
     require 'dummy/dummy'
 
@@ -26,6 +29,76 @@ module Ruzzy
   end
 
   module_function :fuzz
-  module_function :ext_path
+  module_function :dummy
   module_function :dummy_test_one_input
 end
+
+# Hook Integer operations for tracing in SantizerCoverage
+class Integer
+  alias ruzzy_eeql ==
+  alias ruzzy_eeeql ===
+  alias ruzzy_eql? eql?
+  alias ruzzy_spc <=>
+  alias ruzzy_lt <
+  alias ruzzy_le <=
+  alias ruzzy_gt >
+  alias ruzzy_ge >=
+  alias ruzzy_divo /
+  alias ruzzy_div div
+  alias ruzzy_divmod divmod
+
+  def ==(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_eeql(other)
+  end
+
+  def ===(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_eeeql(other)
+  end
+
+  def eql?(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_eql?(other)
+  end
+
+  def <=>(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_spc(other)
+  end
+
+  def <(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_lt(other)
+  end
+
+  def <=(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_le(other)
+  end
+
+  def >(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_gt(other)
+  end
+
+  def >=(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_ge(other)
+  end
+
+  def /(other)
+    Ruzzy.c_trace_div8(other)
+    ruzzy_divo(other)
+  end
+
+  def div(other)
+    Ruzzy.c_trace_div8(other)
+    ruzzy_div(other)
+  end
+
+  def divmod(other)
+    Ruzzy.c_trace_div8(other)
+    ruzzy_divmod(other)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruzzy
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Trail of Bits
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-02 00:00:00.000000000 Z
+date: 2024-02-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rake-release
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -77,14 +91,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.1.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
+rubygems_version: 3.5.3
 signing_key: 
 specification_version: 4
 summary: A Ruby C extension fuzzer