ruzzy 0.5.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8d1625761614ef3e6e00d5b36a446dbbba3e880e75269b81e5e44f88b46945f4
-  data.tar.gz: eb5733016d8caf73b5230a1277e561781649101ebc614707f91a30b558056afc
+  metadata.gz: 64fa385ff3dca5a231ebc02511f7240143838b4cf4314a8ced35a57127ac2dc2
+  data.tar.gz: 1cd94db1a0b30debdc03caddf39394b3759b11f85d0b2ef78037e5769b0761ed
 SHA512:
-  metadata.gz: e46ea2f68f183a5f3c87fd2ce1aeb1e36e2cbd6cbcb699aaa52e0bdee9d485959118ef3dedae073a78079d0afc94838b01ca8ac3a7f0babd59603930f7964b90
-  data.tar.gz: 04bb8723b7dd1ea06abdbc3b52fa6a9cc05e9c333f8f263aaaad6fec6b3b49c01f8eb3fb062c044486aa1325bd41754e60e9829688799358d49fc865df7f38df
+  metadata.gz: ed77800fbbe359a7b2be3e215b00d052b2bf8f1038da0e2ad88c6a8ea9d66bcf2d875ed5658592262ef35a18a23c4b1f5fcc9d44e7f669fc81817310dda96122
+  data.tar.gz: 80ef311558dd4c4aa88697014e08a6b06a164d182a16d5c4718ce9355bc6b2f82c52bce11d3eaa1d1071df2a900eef9ef46148013ad7099ed1fbf07df173b6c3

data/ext/cruzzy/cruzzy.c

@@ -7,16 +7,39 @@
 #include <unistd.h>
 
 #include <ruby.h>
+#include <ruby/debug.h>
+
+// This constant is defined in the Ruby C implementation, but it's internal
+// only. Fortunately the event hooking still respects this constant being
+// passed from an external source. For more information see:
+// https://github.com/ruby/ruby/blob/v3_3_0/vm_core.h#L2182-L2184
+#define RUBY_EVENT_COVERAGE_BRANCH 0x020000
 
 // 128 arguments should be enough for anybody
 #define MAX_ARGS_SIZE 128
 
-int LLVMFuzzerRunDriver(
+// TODO: should we mmap like Atheris?
+#define MAX_COUNTERS 8192
+
+extern int LLVMFuzzerRunDriver(
     int *argc,
     char ***argv,
     int (*cb)(const uint8_t *data, size_t size)
 );
 
+extern void __sanitizer_cov_8bit_counters_init(uint8_t *start, uint8_t *stop);
+extern void __sanitizer_cov_pcs_init(uint8_t *pcs_beg, uint8_t *pcs_end);
+extern void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2);
+extern void __sanitizer_cov_trace_div8(uint64_t val);
+
+struct PCTableEntry {
+  void *pc;
+  long flags;
+};
+
+struct PCTableEntry PCTABLE[MAX_COUNTERS];
+uint8_t COUNTERS[MAX_COUNTERS];
+uint32_t COUNTER = 0;
 VALUE PROC_HOLDER = Qnil;
 
 static VALUE c_libfuzzer_is_loaded(VALUE self)
@@ -36,18 +59,21 @@ static VALUE c_libfuzzer_is_loaded(VALUE self)
 
 int ATEXIT_RETCODE = 0;
 
-static void ruzzy_exit() {
+__attribute__((__noreturn__)) static void ruzzy_exit()
+{
      _exit(ATEXIT_RETCODE);
 }
 
-static void graceful_exit(int code) {
+__attribute__((__noreturn__)) static void graceful_exit(int code)
+{
     // Disable libFuzzer's atexit
     ATEXIT_RETCODE = code;
     atexit(ruzzy_exit);
     exit(code);
 }
 
-static void sigint_handler(int signal) {
+__attribute__((__noreturn__)) static void sigint_handler(int signal)
+{
     fprintf(
         stderr,
         "Signal %d (%s) received. Exiting...\n",
@@ -78,7 +104,7 @@ static int proc_caller(const uint8_t *data, size_t size)
         );
     }
 
-    return NUM2INT(result);
+    return FIX2INT(result);
 }
 
 static VALUE c_fuzz(VALUE self, VALUE test_one_input, VALUE args)
@@ -120,7 +146,91 @@ static VALUE c_fuzz(VALUE self, VALUE test_one_input, VALUE args)
     // https://llvm.org/docs/LibFuzzer.html#using-libfuzzer-as-a-library
     int result = LLVMFuzzerRunDriver(&args_len, &args_ptr, proc_caller);
 
-    return INT2NUM(result);
+    return INT2FIX(result);
+}
+
+static VALUE c_trace_cmp8(VALUE self, VALUE arg1, VALUE arg2) {
+    // Ruby numerics include both integers and floats. Integers are further
+    // divided into fixnums and bignums. Fixnums can be 31-bit or 63-bit
+    // integers depending on the bit size of a long. Bignums are arbitrary
+    // precision integers. This function can only handle fixnums because
+    // sancov only provides comparison tracing up to 8-byte integers.
+    if (FIXNUM_P(arg1) && FIXNUM_P(arg2)) {
+        long arg1_val = NUM2LONG(arg1);
+        long arg2_val = NUM2LONG(arg2);
+        __sanitizer_cov_trace_cmp8((uint64_t) arg1_val, (uint64_t) arg2_val);
+    }
+
+    return Qnil;
+}
+
+static VALUE c_trace_div8(VALUE self, VALUE val) {
+    if (FIXNUM_P(val)) {
+        long val_val = NUM2LONG(val);
+        __sanitizer_cov_trace_div8((uint64_t) val_val);
+    }
+
+    return Qnil;
+}
+
+static void event_hook_branch(VALUE counter_hash, rb_trace_arg_t *tracearg) {
+    VALUE path = rb_tracearg_path(tracearg);
+    ID path_sym = rb_intern_str(path);
+    VALUE lineno = rb_tracearg_lineno(tracearg);
+    VALUE tuple = rb_ary_new_from_args(2, INT2NUM(path_sym), lineno);
+    VALUE existing_counter = rb_hash_lookup(counter_hash, tuple);
+
+    int counter_index;
+
+    if (NIL_P(existing_counter)) {
+        rb_hash_aset(counter_hash, tuple, INT2FIX(COUNTER));
+        counter_index = COUNTER++;
+    } else {
+        counter_index = FIX2INT(existing_counter);
+    }
+
+    COUNTERS[counter_index % MAX_COUNTERS]++;
+}
+
+static void enable_branch_coverage_hooks()
+{
+    // Call Coverage.start(branches: true) to activate branch coverage hooks.
+    // Branch coverage hooks will not be activated without this call despite
+    // adding the event hooks. I suspect rb_set_coverages must be called
+    // first, which initializes some global state that we do not have direct
+    // access to. Calling start initializes coverage state here:
+    // https://github.com/ruby/ruby/blob/v3_3_0/ext/coverage/coverage.c#L112-L120
+    // If rb_set_coverages is not called, then rb_get_coverages returns a NULL
+    // pointer, which appears to effectively disable coverage collection here:
+    // https://github.com/ruby/ruby/blob/v3_3_0/iseq.c
+    rb_require("coverage");
+    VALUE coverage_mod = rb_const_get(rb_cObject, rb_intern("Coverage"));
+    VALUE hash_arg = rb_hash_new();
+    rb_hash_aset(hash_arg, ID2SYM(rb_intern("branches")), Qtrue);
+    rb_funcall(coverage_mod, rb_intern("start"), 1, hash_arg);
+}
+
+static VALUE c_trace(VALUE self, VALUE harness_path)
+{
+    VALUE counter_hash = rb_hash_new();
+
+    __sanitizer_cov_8bit_counters_init(COUNTERS, COUNTERS + MAX_COUNTERS);
+    __sanitizer_cov_pcs_init((uint8_t *)PCTABLE, (uint8_t *)(PCTABLE + MAX_COUNTERS));
+
+    rb_event_flag_t events = RUBY_EVENT_COVERAGE_BRANCH;
+    rb_event_hook_flag_t flags = (
+        RUBY_EVENT_HOOK_FLAG_SAFE | RUBY_EVENT_HOOK_FLAG_RAW_ARG
+    );
+    rb_add_event_hook2(
+        (rb_event_hook_func_t) event_hook_branch,
+        events,
+        counter_hash,
+        flags
+    );
+
+    enable_branch_coverage_hooks();
+
+    return rb_require(StringValueCStr(harness_path));
 }
 
 void Init_cruzzy()
@@ -133,4 +243,7 @@ void Init_cruzzy()
     VALUE ruzzy = rb_const_get(rb_cObject, rb_intern("Ruzzy"));
     rb_define_module_function(ruzzy, "c_fuzz", &c_fuzz, 2);
     rb_define_module_function(ruzzy, "c_libfuzzer_is_loaded", &c_libfuzzer_is_loaded, 0);
+    rb_define_module_function(ruzzy, "c_trace_cmp8", &c_trace_cmp8, 2);
+    rb_define_module_function(ruzzy, "c_trace_div8", &c_trace_div8, 1);
+    rb_define_module_function(ruzzy, "c_trace", &c_trace, 1);
 }

data/ext/cruzzy/extconf.rb

@@ -6,7 +6,7 @@ require 'tempfile'
 require 'rbconfig'
 require 'logger'
 
-LOGGER = Logger.new(STDERR)
+LOGGER = Logger.new($stderr)
 LOGGER.level = ENV.key?('RUZZY_DEBUG') ? Logger::DEBUG : Logger::INFO
 
 # These ENV variables really shouldn't be used because we don't support
@@ -36,27 +36,26 @@ def get_clang_file_name(file_name)
   success && exists ? stdout.strip : false
 end
 
-def merge_asan_libfuzzer_lib(asan_lib, fuzzer_no_main_lib)
-  merged_output = 'asan_with_fuzzer.so'
-
+def merge_sanitizer_libfuzzer_lib(sanitizer_lib, fuzzer_no_main_lib, merged_output, *preinits)
   # https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#why-this-is-necessary
   Tempfile.create do |file|
-    file.write(File.open(asan_lib).read)
+    LOGGER.debug("Creating #{sanitizer_lib} sanitizer archive at #{file.path}")
+
+    file.write(File.open(sanitizer_lib).read)
 
-    LOGGER.debug("Creating ASAN archive at #{file.path}")
     _, status = Open3.capture2(
       AR,
       'd',
       file.path,
-      'asan_preinit.cc.o',
-      'asan_preinit.cpp.o'
+      *preinits
     )
     unless status.success?
       LOGGER.error("The #{AR} archive command failed.")
       exit(1)
     end
 
-    LOGGER.debug("Merging ASAN at #{file.path} and libFuzzer at #{fuzzer_no_main_lib} to #{merged_output}")
+    LOGGER.debug("Merging sanitizer at #{file.path} with libFuzzer at #{fuzzer_no_main_lib} to #{merged_output}")
+
     _, status = Open3.capture2(
       CXX,
       '-Wl,--whole-archive',
@@ -65,6 +64,7 @@ def merge_asan_libfuzzer_lib(asan_lib, fuzzer_no_main_lib)
       '-Wl,--no-whole-archive',
       '-lpthread',
       '-ldl',
+      '-lstdc++',
       '-shared',
       '-o',
       merged_output
@@ -105,11 +105,39 @@ unless asan_lib
   exit(1)
 end
 
-merge_asan_libfuzzer_lib(asan_lib, fuzzer_no_main_lib)
+merge_sanitizer_libfuzzer_lib(
+  asan_lib,
+  fuzzer_no_main_lib,
+  'asan_with_fuzzer.so',
+  'asan_preinit.cc.o',
+  'asan_preinit.cpp.o'
+)
+
+ubsan_libs = [
+  'libclang_rt.ubsan_standalone.a',
+  'libclang_rt.ubsan_standalone-aarch64.a',
+  'libclang_rt.ubsan_standalone-x86_64.a'
+]
+ubsan_lib = ubsan_libs.map { |lib| get_clang_file_name(lib) }.find(&:itself)
+
+unless ubsan_lib
+  LOGGER.error("Could not find ubsan using #{CC}.")
+  exit(1)
+end
+
+merge_sanitizer_libfuzzer_lib(
+  ubsan_lib,
+  fuzzer_no_main_lib,
+  'ubsan_with_fuzzer.so',
+  'ubsan_init_standalone_preinit.cc.o',
+  'ubsan_init_standalone_preinit.cpp.o'
+)
 
 # The LOCAL_LIBS variable allows linking arbitrary libraries into Ruby C
 # extensions. It is supported by the Ruby mkmf library and C extension Makefile.
 # For more information, see https://github.com/ruby/ruby/blob/master/lib/mkmf.rb.
 $LOCAL_LIBS = fuzzer_no_main_lib
 
+$LIBS << ' -lstdc++'
+
 create_makefile('cruzzy/cruzzy')

data/ext/dummy/dummy.c

@@ -6,17 +6,18 @@
 // https://llvm.org/docs/LibFuzzer.html#toy-example
 static int _c_dummy_test_one_input(const uint8_t *data, size_t size)
 {
-    char test[] = {'a', 'b', 'c'};
+    volatile char boom = 'x';
 
-    if (size > 0 && data[0] == 'H') {
-        if (size > 1 && data[1] == 'I') {
-            // This code exists specifically to test the driver and ensure
-            // libFuzzer is functioning as expected, so we can safely ignore
-            // the warning.
-            #pragma clang diagnostic push
-            #pragma clang diagnostic ignored "-Warray-bounds"
-            test[1024] = 'd';
-            #pragma clang diagnostic pop
+    if (size == 2) {
+        if (data[0] == 'H') {
+            if (data[1] == 'I') {
+                // Intentional heap-use-after-free for testing purposes
+                char * volatile ptr = malloc(128);
+                ptr[0] = 'x';
+                free(ptr);
+                boom = ptr[0];
+                (void) boom;
+            }
         }
     }
 

data/lib/ruzzy.rb

@@ -2,30 +2,118 @@
 
 require 'pathname'
 
-# A Ruby C extension fuzzer
+# A coverage-guided fuzzer for pure Ruby code and Ruby C extensions
 module Ruzzy
   require 'cruzzy/cruzzy'
 
   DEFAULT_ARGS = [$PROGRAM_NAME] + ARGV
+  EXT_PATH = Pathname.new(__FILE__).parent.parent / 'ext' / 'cruzzy'
+  ASAN_PATH = (EXT_PATH / 'asan_with_fuzzer.so').to_s
+  UBSAN_PATH = (EXT_PATH / 'ubsan_with_fuzzer.so').to_s
 
   def fuzz(test_one_input, args = DEFAULT_ARGS)
     c_fuzz(test_one_input, args)
   end
 
-  def ext_path
-    (Pathname.new(__FILE__).parent.parent + 'ext' + 'cruzzy').to_s
-  end
-
   def dummy_test_one_input(data)
     # This 'require' depends on LD_PRELOAD, so it's placed inside the function
-    # scope. This allows us to run ext_path for LD_PRELOAD and not have a
+    # scope. This allows us to access EXT_PATH for LD_PRELOAD and not have a
     # circular dependency.
     require 'dummy/dummy'
 
     c_dummy_test_one_input(data)
   end
 
+  def dummy
+    fuzz(->(data) { dummy_test_one_input(data) })
+  end
+
+  def trace(harness_script)
+    harness_path = Pathname.new(harness_script)
+
+    # Mimic require_relative. If harness script is provided as an absolute path,
+    # then use that. If not, then assume the script is in the same directory as
+    # as the tracer script, i.e. the caller.
+    if !harness_path.absolute?
+      caller_path = Pathname.new(caller_locations.first.path)
+      harness_path = (caller_path.parent / harness_path).realpath
+    end
+
+    c_trace(harness_path.to_s)
+  end
+
   module_function :fuzz
-  module_function :ext_path
   module_function :dummy_test_one_input
+  module_function :dummy
+  module_function :trace
+end
+
+# Hook Integer operations for tracing in SantizerCoverage
+class Integer
+  alias ruzzy_eeql ==
+  alias ruzzy_eeeql ===
+  alias ruzzy_eql? eql?
+  alias ruzzy_spc <=>
+  alias ruzzy_lt <
+  alias ruzzy_le <=
+  alias ruzzy_gt >
+  alias ruzzy_ge >=
+  alias ruzzy_divo /
+  alias ruzzy_div div
+  alias ruzzy_divmod divmod
+
+  def ==(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_eeql(other)
+  end
+
+  def ===(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_eeeql(other)
+  end
+
+  def eql?(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_eql?(other)
+  end
+
+  def <=>(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_spc(other)
+  end
+
+  def <(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_lt(other)
+  end
+
+  def <=(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_le(other)
+  end
+
+  def >(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_gt(other)
+  end
+
+  def >=(other)
+    Ruzzy.c_trace_cmp8(self, other)
+    ruzzy_ge(other)
+  end
+
+  def /(other)
+    Ruzzy.c_trace_div8(other)
+    ruzzy_divo(other)
+  end
+
+  def div(other)
+    Ruzzy.c_trace_div8(other)
+    ruzzy_div(other)
+  end
+
+  def divmod(other)
+    Ruzzy.c_trace_div8(other)
+    ruzzy_divmod(other)
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ruzzy
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Trail of Bits
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-02 00:00:00.000000000 Z
+date: 2024-03-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rake-release
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -77,15 +91,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.1.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
+rubygems_version: 3.5.3
 signing_key: 
 specification_version: 4
-summary: A Ruby C extension fuzzer
+summary: A coverage-guided fuzzer for pure Ruby code and Ruby C extensions
 test_files: []