ruzzy 0.5.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8d1625761614ef3e6e00d5b36a446dbbba3e880e75269b81e5e44f88b46945f4
+  data.tar.gz: eb5733016d8caf73b5230a1277e561781649101ebc614707f91a30b558056afc
+SHA512:
+  metadata.gz: e46ea2f68f183a5f3c87fd2ce1aeb1e36e2cbd6cbcb699aaa52e0bdee9d485959118ef3dedae073a78079d0afc94838b01ca8ac3a7f0babd59603930f7964b90
+  data.tar.gz: 04bb8723b7dd1ea06abdbc3b52fa6a9cc05e9c333f8f263aaaad6fec6b3b49c01f8eb3fb062c044486aa1325bd41754e60e9829688799358d49fc865df7f38df

data/ext/cruzzy/cruzzy.c

@@ -0,0 +1,136 @@
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <signal.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <ruby.h>
+
+// 128 arguments should be enough for anybody
+#define MAX_ARGS_SIZE 128
+
+int LLVMFuzzerRunDriver(
+    int *argc,
+    char ***argv,
+    int (*cb)(const uint8_t *data, size_t size)
+);
+
+VALUE PROC_HOLDER = Qnil;
+
+static VALUE c_libfuzzer_is_loaded(VALUE self)
+{
+    void *self_lib = dlopen(NULL, RTLD_LAZY);
+
+    if (!self_lib) {
+        return Qfalse;
+    }
+
+    void *sym = dlsym(self_lib, "LLVMFuzzerRunDriver");
+
+    dlclose(self_lib);
+
+    return sym ? Qtrue : Qfalse;
+}
+
+int ATEXIT_RETCODE = 0;
+
+static void ruzzy_exit() {
+     _exit(ATEXIT_RETCODE);
+}
+
+static void graceful_exit(int code) {
+    // Disable libFuzzer's atexit
+    ATEXIT_RETCODE = code;
+    atexit(ruzzy_exit);
+    exit(code);
+}
+
+static void sigint_handler(int signal) {
+    fprintf(
+        stderr,
+        "Signal %d (%s) received. Exiting...\n",
+        signal,
+        strsignal(signal)
+    );
+    graceful_exit(signal);
+}
+
+static int proc_caller(const uint8_t *data, size_t size)
+{
+    VALUE arg = rb_str_new((char *)data, size);
+    VALUE rb_args = rb_ary_new3(1, arg);
+    VALUE result = rb_proc_call(PROC_HOLDER, rb_args);
+
+    // By default, Ruby procs and lambdas will return nil if an explicit return
+    // is not specified. Rather than forcing callers to specify a return, let's
+    // handle the nil case for them and continue adding the input to the corpus.
+    if (NIL_P(result)) {
+        // https://llvm.org/docs/LibFuzzer.html#rejecting-unwanted-inputs
+        return 0;
+    }
+
+    if (!FIXNUM_P(result)) {
+        rb_raise(
+            rb_eTypeError,
+            "fuzz target function did not return an integer or nil"
+        );
+    }
+
+    return NUM2INT(result);
+}
+
+static VALUE c_fuzz(VALUE self, VALUE test_one_input, VALUE args)
+{
+    char *argv[MAX_ARGS_SIZE];
+    int args_len = RARRAY_LEN(args);
+
+    // Assume caller always passes in at least the program name as args[0]
+    if (args_len <= 0) {
+        rb_raise(
+            rb_eRuntimeError,
+            "zero arguments passed, we assume at least the program name is present"
+        );
+    }
+
+    // Account for NULL byte at the end
+    if ((args_len + 1) >= MAX_ARGS_SIZE) {
+        rb_raise(
+            rb_eRuntimeError,
+            "cannot specify %d or more arguments",
+            MAX_ARGS_SIZE
+        );
+    }
+
+    if (!rb_obj_is_proc(test_one_input)) {
+        rb_raise(rb_eRuntimeError, "expected a proc or lambda");
+    }
+
+    PROC_HOLDER = test_one_input;
+
+    for (int i = 0; i < args_len; i++) {
+        VALUE arg = RARRAY_PTR(args)[i];
+        argv[i] = StringValuePtr(arg);
+    }
+    argv[args_len] = NULL;
+
+    char **args_ptr = &argv[0];
+
+    // https://llvm.org/docs/LibFuzzer.html#using-libfuzzer-as-a-library
+    int result = LLVMFuzzerRunDriver(&args_len, &args_ptr, proc_caller);
+
+    return INT2NUM(result);
+}
+
+void Init_cruzzy()
+{
+    if (signal(SIGINT, sigint_handler) == SIG_ERR) {
+        fprintf(stderr, "Could not set SIGINT signal handler\n");
+        exit(1);
+    }
+
+    VALUE ruzzy = rb_const_get(rb_cObject, rb_intern("Ruzzy"));
+    rb_define_module_function(ruzzy, "c_fuzz", &c_fuzz, 2);
+    rb_define_module_function(ruzzy, "c_libfuzzer_is_loaded", &c_libfuzzer_is_loaded, 0);
+}

data/ext/cruzzy/extconf.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+require 'mkmf'
+require 'open3'
+require 'tempfile'
+require 'rbconfig'
+require 'logger'
+
+LOGGER = Logger.new(STDERR)
+LOGGER.level = ENV.key?('RUZZY_DEBUG') ? Logger::DEBUG : Logger::INFO
+
+# These ENV variables really shouldn't be used because we don't support
+# compilers other than clang, like gcc, etc. Instead prefer to properly include
+# clang in your PATH. But they're here if you really need them. Also note that
+# *technically* Ruby does not support C extensions compiled with a different
+# compiler than Ruby itself was compiled with. So we're on somewhat shaky
+# ground here. For more information see:
+# https://github.com/rubygems/rubygems/issues/1508
+CC = ENV.fetch('CC', 'clang')
+CXX = ENV.fetch('CXX', 'clang++')
+AR = ENV.fetch('AR', 'ar')
+FUZZER_NO_MAIN_LIB_ENV = 'FUZZER_NO_MAIN_LIB'
+
+LOGGER.debug("Ruby CC: #{RbConfig::CONFIG['CC']}")
+LOGGER.debug("Ruby CXX: #{RbConfig::CONFIG['CXX']}")
+LOGGER.debug("Ruby AR: #{RbConfig::CONFIG['AR']}")
+
+find_executable(CC)
+find_executable(CXX)
+
+def get_clang_file_name(file_name)
+  stdout, status = Open3.capture2(CC, '--print-file-name', file_name)
+  success = status.success?
+  exists = success ? File.exist?(stdout.strip) : false
+  LOGGER.debug("Search for #{file_name} using #{CC}: success=#{success} exists=#{exists}")
+  success && exists ? stdout.strip : false
+end
+
+def merge_asan_libfuzzer_lib(asan_lib, fuzzer_no_main_lib)
+  merged_output = 'asan_with_fuzzer.so'
+
+  # https://github.com/google/atheris/blob/master/native_extension_fuzzing.md#why-this-is-necessary
+  Tempfile.create do |file|
+    file.write(File.open(asan_lib).read)
+
+    LOGGER.debug("Creating ASAN archive at #{file.path}")
+    _, status = Open3.capture2(
+      AR,
+      'd',
+      file.path,
+      'asan_preinit.cc.o',
+      'asan_preinit.cpp.o'
+    )
+    unless status.success?
+      LOGGER.error("The #{AR} archive command failed.")
+      exit(1)
+    end
+
+    LOGGER.debug("Merging ASAN at #{file.path} and libFuzzer at #{fuzzer_no_main_lib} to #{merged_output}")
+    _, status = Open3.capture2(
+      CXX,
+      '-Wl,--whole-archive',
+      fuzzer_no_main_lib,
+      file.path,
+      '-Wl,--no-whole-archive',
+      '-lpthread',
+      '-ldl',
+      '-shared',
+      '-o',
+      merged_output
+    )
+    unless status.success?
+      LOGGER.error("The #{CXX} shared object merging command failed.")
+      exit(1)
+    end
+  end
+end
+
+fuzzer_no_main_libs = [
+  'libclang_rt.fuzzer_no_main.a',
+  'libclang_rt.fuzzer_no_main-aarch64.a',
+  'libclang_rt.fuzzer_no_main-x86_64.a'
+]
+fuzzer_no_main_lib = fuzzer_no_main_libs.map { |lib| get_clang_file_name(lib) }.find(&:itself)
+
+unless fuzzer_no_main_lib
+  LOGGER.warn("Could not find fuzzer_no_main using #{CC}.")
+  fuzzer_no_main_lib = ENV.fetch(FUZZER_NO_MAIN_LIB_ENV, nil)
+  if fuzzer_no_main_lib.nil?
+    LOGGER.error("Could not find fuzzer_no_main in #{FUZZER_NO_MAIN_LIB_ENV}.")
+    LOGGER.error("Please include #{CC} in your path or specify #{FUZZER_NO_MAIN_LIB_ENV} ENV variable.")
+    exit(1)
+  end
+end
+
+asan_libs = [
+  'libclang_rt.asan.a',
+  'libclang_rt.asan-aarch64.a',
+  'libclang_rt.asan-x86_64.a'
+]
+asan_lib = asan_libs.map { |lib| get_clang_file_name(lib) }.find(&:itself)
+
+unless asan_lib
+  LOGGER.error("Could not find asan using #{CC}.")
+  exit(1)
+end
+
+merge_asan_libfuzzer_lib(asan_lib, fuzzer_no_main_lib)
+
+# The LOCAL_LIBS variable allows linking arbitrary libraries into Ruby C
+# extensions. It is supported by the Ruby mkmf library and C extension Makefile.
+# For more information, see https://github.com/ruby/ruby/blob/master/lib/mkmf.rb.
+$LOCAL_LIBS = fuzzer_no_main_lib
+
+create_makefile('cruzzy/cruzzy')

data/ext/dummy/dummy.c

@@ -0,0 +1,40 @@
+#include <stdlib.h>
+#include <stdint.h>
+
+#include <ruby.h>
+
+// https://llvm.org/docs/LibFuzzer.html#toy-example
+static int _c_dummy_test_one_input(const uint8_t *data, size_t size)
+{
+    char test[] = {'a', 'b', 'c'};
+
+    if (size > 0 && data[0] == 'H') {
+        if (size > 1 && data[1] == 'I') {
+            // This code exists specifically to test the driver and ensure
+            // libFuzzer is functioning as expected, so we can safely ignore
+            // the warning.
+            #pragma clang diagnostic push
+            #pragma clang diagnostic ignored "-Warray-bounds"
+            test[1024] = 'd';
+            #pragma clang diagnostic pop
+        }
+    }
+
+    return 0;
+}
+
+static VALUE c_dummy_test_one_input(VALUE self, VALUE data)
+{
+    int result = _c_dummy_test_one_input(
+        (uint8_t *)RSTRING_PTR(data),
+        RSTRING_LEN(data)
+    );
+
+    return INT2NUM(result);
+}
+
+void Init_dummy()
+{
+    VALUE ruzzy = rb_const_get(rb_cObject, rb_intern("Ruzzy"));
+    rb_define_module_function(ruzzy, "c_dummy_test_one_input", &c_dummy_test_one_input, 1);
+}

data/ext/dummy/extconf.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require 'mkmf'
+
+# https://github.com/google/sanitizers/wiki/AddressSanitizerFlags
+$CFLAGS = '-fsanitize=address,fuzzer-no-link -fno-omit-frame-pointer -fno-common -fPIC -g'
+$CXXFLAGS = '-fsanitize=address,fuzzer-no-link -fno-omit-frame-pointer -fno-common -fPIC -g'
+
+create_makefile('dummy/dummy')

data/lib/ruzzy.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'pathname'
+
+# A Ruby C extension fuzzer
+module Ruzzy
+  require 'cruzzy/cruzzy'
+
+  DEFAULT_ARGS = [$PROGRAM_NAME] + ARGV
+
+  def fuzz(test_one_input, args = DEFAULT_ARGS)
+    c_fuzz(test_one_input, args)
+  end
+
+  def ext_path
+    (Pathname.new(__FILE__).parent.parent + 'ext' + 'cruzzy').to_s
+  end
+
+  def dummy_test_one_input(data)
+    # This 'require' depends on LD_PRELOAD, so it's placed inside the function
+    # scope. This allows us to run ext_path for LD_PRELOAD and not have a
+    # circular dependency.
+    require 'dummy/dummy'
+
+    c_dummy_test_one_input(data)
+  end
+
+  module_function :fuzz
+  module_function :ext_path
+  module_function :dummy_test_one_input
+end

metadata

@@ -0,0 +1,91 @@
+--- !ruby/object:Gem::Specification
+name: ruzzy
+version: !ruby/object:Gem::Version
+  version: 0.5.0
+platform: ruby
+authors:
+- Trail of Bits
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2024-02-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rake-compiler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.60'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.60'
+description: 
+email: support@trailofbits.com
+executables: []
+extensions:
+- ext/cruzzy/extconf.rb
+- ext/dummy/extconf.rb
+extra_rdoc_files: []
+files:
+- ext/cruzzy/cruzzy.c
+- ext/cruzzy/extconf.rb
+- ext/dummy/dummy.c
+- ext/dummy/extconf.rb
+- lib/ruzzy.rb
+homepage: https://rubygems.org/gems/ruzzy
+licenses:
+- AGPL-3.0-only
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3.1
+signing_key: 
+specification_version: 4
+summary: A Ruby C extension fuzzer
+test_files: []