Skip to content

fuzz printf #5556

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Nov 21, 2023
Merged

fuzz printf #5556

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
2cb128a
fuzz printf
sylvestre Nov 10, 2023
1587e3e
Fix the program name
sylvestre Nov 20, 2023
a528802
Merge branch 'main' into fuzz-printf
sylvestre Nov 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/fuzzing.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ jobs:
# https://github.com/uutils/coreutils/issues/5311
- { name: fuzz_date, should_pass: false }
- { name: fuzz_expr, should_pass: true }
- { name: fuzz_printf, should_pass: false }
- { name: fuzz_parse_glob, should_pass: true }
- { name: fuzz_parse_size, should_pass: true }
- { name: fuzz_parse_time, should_pass: true }
Expand Down
7 changes: 7 additions & 0 deletions fuzz/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ uucore = { path = "../src/uucore/" }
uu_date = { path = "../src/uu/date/" }
uu_test = { path = "../src/uu/test/" }
uu_expr = { path = "../src/uu/expr/" }
uu_printf = { path = "../src/uu/printf/" }


# Prevent this from interfering with workspaces
Expand All @@ -28,6 +29,12 @@ path = "fuzz_targets/fuzz_date.rs"
test = false
doc = false

[[bin]]
name = "fuzz_printf"
path = "fuzz_targets/fuzz_printf.rs"
test = false
doc = false

[[bin]]
name = "fuzz_expr"
path = "fuzz_targets/fuzz_expr.rs"
Expand Down
110 changes: 110 additions & 0 deletions fuzz/fuzz_targets/fuzz_printf.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
// This file is part of the uutils coreutils package.
//
// For the full copyright and license information, please view the LICENSE
// file that was distributed with this source code.
// spell-checker:ignore parens

#![no_main]
use libfuzzer_sys::fuzz_target;
use uu_printf::uumain;

use rand::seq::SliceRandom;
use rand::Rng;
use std::ffi::OsString;

mod fuzz_common;
use crate::fuzz_common::CommandResult;
use crate::fuzz_common::{
compare_result, generate_and_run_uumain, generate_random_string, run_gnu_cmd,
};

static CMD_PATH: &str = "printf";

fn generate_escape_sequence(rng: &mut impl Rng) -> String {
let escape_sequences = [
"\\\"",
"\\\\",
"\\a",
"\\b",
"\\c",
"\\e",
"\\f",
"\\n",
"\\r",
"\\t",
"\\v",
"\\000",
"\\x00",
"\\u0000",
"\\U00000000",
"%%",
];
escape_sequences.choose(rng).unwrap().to_string()
}

fn generate_printf() -> String {
let mut rng = rand::thread_rng();
let format_specifiers = ["%s", "%d", "%f", "%x", "%o", "%c", "%b", "%q"];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about the format specifiers. For example, https://www.gnu.org/savannah-checkouts/gnu/libc/manual/html_node/Table-of-Output-Conversions.html lists many more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, it is just to start :)

let mut printf_str = String::new();
// Add a 20% chance of generating an invalid format specifier
if rng.gen_bool(0.2) {
printf_str.push_str("%z"); // Invalid format specifier
} else {
let specifier = *format_specifiers.choose(&mut rng).unwrap();
printf_str.push_str(specifier);

// Add a 20% chance of introducing complex format strings
if rng.gen_bool(0.2) {
printf_str.push_str(&format!(" %{}", rng.gen_range(1..=1000)));
} else {
// Add a random string or number after the specifier
if specifier == "%s" {
printf_str.push_str(&format!(
" {}",
generate_random_string(rng.gen_range(1..=10))
));
} else {
printf_str.push_str(&format!(" {}", rng.gen_range(1..=1000)));
}
}
}

// Add a 10% chance of including an escape sequence
if rng.gen_bool(0.1) {
printf_str.push_str(&generate_escape_sequence(&mut rng));
}
printf_str
}

fuzz_target!(|_data: &[u8]| {
let printf_input = generate_printf();
let mut args = vec![OsString::from("printf")];
args.extend(printf_input.split_whitespace().map(OsString::from));
let rust_result = generate_and_run_uumain(&args, uumain);

let gnu_result = match run_gnu_cmd(CMD_PATH, &args[1..], false) {
Ok(result) => result,
Err(error_result) => {
eprintln!("Failed to run GNU command:");
eprintln!("Stderr: {}", error_result.stderr);
eprintln!("Exit Code: {}", error_result.exit_code);
CommandResult {
stdout: String::new(),
stderr: error_result.stderr,
exit_code: error_result.exit_code,
}
}
};

compare_result(
"printf",
&format!("{:?}", &args[1..]),
&rust_result.stdout,
&gnu_result.stdout,
&rust_result.stderr,
&gnu_result.stderr,
rust_result.exit_code,
gnu_result.exit_code,
false, // Set to true if you want to fail on stderr diff
);
});