From 9e01a11e67c86e12d6a689c7b801952c21d587cc Mon Sep 17 00:00:00 2001
From: Ivan Krasin
Date: Tue, 8 Sep 2015 21:22:52 +0000
Subject: [PATCH] [libFuzzer]Add a test for defeating a hash sum.

Summary: Add a test for a data followed by 4-byte hash value. I use a slightly modified Jenkins hash function, as described in https://en.wikipedia.org/wiki/Jenkins_hash_function The modification is to ensure that hash(zeros) != 0.

Reviewers: kcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D12648

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@247076 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Fuzzer/test/CMakeLists.txt | 1 +
 lib/Fuzzer/test/SimpleHashTest.cpp | 36 ++++++++++++++++++++++++++++++
 lib/Fuzzer/test/fuzzer.test | 3 +++
 3 files changed, 40 insertions(+)
 create mode 100644 lib/Fuzzer/test/SimpleHashTest.cpp

diff --git a/lib/Fuzzer/test/CMakeLists.txt b/lib/Fuzzer/test/CMakeLists.txt
index a9e65708ede..2e3081b8960 100644
--- a/lib/Fuzzer/test/CMakeLists.txt
+++ b/lib/Fuzzer/test/CMakeLists.txt
@@ -22,6 +22,7 @@ set(Tests
   NullDerefTest
   SimpleCmpTest
   SimpleDictionaryTest
+  SimpleHashTest
   SimpleTest
   StrcmpTest
   StrncmpTest
diff --git a/lib/Fuzzer/test/SimpleHashTest.cpp b/lib/Fuzzer/test/SimpleHashTest.cpp
new file mode 100644
index 00000000000..a541d6813b5
--- /dev/null
+++ b/lib/Fuzzer/test/SimpleHashTest.cpp
@@ -0,0 +1,36 @@
+// This test computes a checksum of the data (all but the last 4 bytes),
+// and then compares the last 4 bytes with the computed value.
+// A fuzzer with cmp traces is expected to defeat this check.
+#include
+#include
+#include
+#include
+
+// A modified jenkins_one_at_a_time_hash initialized by non-zero,
+// so that simple_hash(0) != 0. See also
+// https://en.wikipedia.org/wiki/Jenkins_hash_function
+static uint32_t simple_hash(const uint8_t *Data, size_t Size) {
+  uint32_t Hash = 0x12039854;
+  for (uint32_t i = 0; i < Size; i++) {
+    Hash += Data[i];
+    Hash += (Hash << 10);
+    Hash ^= (Hash >> 6);
+  }
+  Hash += (Hash << 3);
+  Hash ^= (Hash >> 11);
+  Hash += (Hash << 15);
+  return Hash;
+}
+
+extern "C" void LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  if (Size < 14)
+    return;
+
+  uint32_t Hash = simple_hash(&Data[0], Size - 4);
+  uint32_t Want = reinterpret_cast(&Data[Size - 4])[0];
+  if (Hash != Want)
+    return;
+  fprintf(stderr, "BINGO; simple_hash defeated: %x == %x\n", (unsigned int)Hash,
+          (unsigned int)Want);
+  exit(1);
+}
diff --git a/lib/Fuzzer/test/fuzzer.test b/lib/Fuzzer/test/fuzzer.test
index d5bd9a39230..70dbce80554 100644
--- a/lib/Fuzzer/test/fuzzer.test
+++ b/lib/Fuzzer/test/fuzzer.test
@@ -40,3 +40,6 @@ RUN: LLVMFuzzer-SwitchTest -seed=1 -runs=1000000 2>&1 | FileC
 RUN: not LLVMFuzzer-SimpleDictionaryTest -dict=%S/dict1.txt -seed=1 -runs=1000000 2>&1 | FileCheck %s
 RUN: LLVMFuzzer-SimpleDictionaryTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000
+
+RUN: not LLVMFuzzer-SimpleHashTest -use_traces=1 -seed=1 -runs=100000 2>&1 | FileCheck %s
+RUN: LLVMFuzzer-SimpleHashTest -seed=1 -runs=1000000 2>&1 | FileCheck %s --check-prefix=Done1000000
-- 
2.34.1
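Review bot: The `Want` read in LLVMFuzzerTestOneInput (`reinterpret_cast(&Data[Size - 4])[0]`) reinterprets a byte pointer as a 4-byte integer pointer, which is a type-punned and potentially misaligned load whenever `Size - 4` is not a multiple of four; the fuzzer-supplied `Data` carries no alignment guarantee, and a UBSan alignment check would presumably report this before the intended BINGO path is reached. Replace it with a byte copy: `uint32_t Want; memcpy(&Want, &Data[Size - 4], sizeof(Want));` (requires `<string.h>`/`<cstring>`; the include names and the `reinterpret_cast` template argument are stripped in this rendering, so I infer from the assignment to `uint32_t Want` that the cast targeted a `const uint32_t *`). A smaller point in `simple_hash`: the loop index is `uint32_t i` compared against a `size_t Size`, so `for (size_t i = 0; i < Size; i++)` avoids a silent wrap for inputs of 4 GiB or more, even though such sizes are unlikely in this test.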