Diffstat (limited to 'fuzz/README')
-rw-r--r-- | fuzz/README | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/fuzz/README b/fuzz/README
index 2e88db74975e..427625c6e714 100644
--- a/fuzz/README
+++ b/fuzz/README
@@ -8,7 +8,8 @@ use preload-fuzz.c to read device data from stdin. libFuzzer is better suited for bespoke fuzzers; see fuzz_cred.c, fuzz_credman.c, fuzz_assert.c, fuzz_hid.c, and fuzz_mgmt.c for examples. To build these
-harnesses, use -DFUZZ=ON -DLIBFUZZER=ON.
+harnesses, use -DCMAKE_C_FLAGS=-fsanitize=fuzzer-no-link
+-DFUZZ_LDFLAGS=-fsanitize=fuzzer -DFUZZ=ON.
If -DFUZZ=ON is enabled, symbols listed in wrapped.sym are wrapped in the resulting shared object. The wrapper functions simulate failure according to a
@@ -21,20 +22,22 @@ To run under ASAN/MSAN/UBSAN, libfido2 needs to be linked against flavours of libcbor and OpenSSL built with the respective sanitiser. In order to keep memory utilisation at a manageable level, you can either enforce limits at the OS level (e.g. cgroups on Linux), or patch libcbor with the diff below.
+N.B., the patch below is relative to libcbor 0.10.1.
diff --git src/cbor/internal/memory_utils.c src/cbor/internal/memory_utils.c
-index aa049a2..e294b38 100644
+index bbea63c..3f7c9af 100644
--- src/cbor/internal/memory_utils.c
+++ src/cbor/internal/memory_utils.c
-@@ -28,7 +28,10 @@ bool _cbor_safe_to_multiply(size_t a, size_t b) {
+@@ -41,7 +41,11 @@ size_t _cbor_safe_signaling_add(size_t a, size_t b) {
void* _cbor_alloc_multiple(size_t item_size, size_t item_count) {
if (_cbor_safe_to_multiply(item_size, item_count)) {
-- return _CBOR_MALLOC(item_size * item_count);
+- return _cbor_malloc(item_size * item_count);
+ if (item_count > 1000) {
+ return NULL;
-+ } else
-+ return _CBOR_MALLOC(item_size * item_count);
++ } else {
++ return _cbor_malloc(item_size * item_count);
++ }
} else {
return NULL;
} |