Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DRAFT] Javascript Injection Fuzzer (extends #864) #899

Closed
wants to merge 6 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions fuzzers/jif/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
# JIF - Javascript Injection Fuzzer

## building

* setup a chromium repo: https://www.chromium.org/developers/how-tos/get-the-code
* note that this will take several hours
* `mv jif $root/chromium/src/headless/jif`
* `cd $root/chromium/src`
* `python3 tools/mb/mb.py gen -m chromium.fuzz -b 'Libfuzzer Upload Mac ASan' out/jif`
* apply patches in chromium_patches.diff
* `cp args.gn $root/chromium/src/out/jif/` (modify this so the fixed path points to your directory!)
* modify fixed path in `libafl_cc.rs` so it points to the correct place
* `./make.sh` (first time will take several hours, after that about 1m)

## running

* `cd $root/chromium/src/out/jif`
* `./jif --cores 0-3 --broker-port 1337 --harness harness.js -i corpus -x dict -o out`
* to see arguments, run `./jif --help`
4 changes: 4 additions & 0 deletions fuzzers/jif/allowlist.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# Enable instrumentation for a whole folder
src:*/blink/*
# Enable instrumentation for all functions in those files
fun:*
17 changes: 17 additions & 0 deletions fuzzers/jif/args.gn
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
dcheck_always_on = false
enable_nacl = false
ffmpeg_branding = "Chrome"
is_asan = false
is_component_build = true
is_debug = false
optimize_for_fuzzing = true
pdf_enable_xfa = true
proprietary_codecs = true
use_goma = false
use_libfuzzer = false
use_external_fuzzing_engine = true
sanitizer_coverage_flags = "trace-pc-guard,trace-cmp"
clang_base_path = "/Users/jhertz/jif/chromium/src/headless/jif/libjif/llvm/"
clang_use_chrome_plugins = false
mac_deployment_target="10.14.0"
mac_sdk_path="/Library/Developer/CommandLineTools/SDKs/MacOSX.sdk" # must be 12.3 or higher, use xcrun --show-sdk-path
78 changes: 78 additions & 0 deletions fuzzers/jif/chromium_patches.diff
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
diff --git a/chrome/BUILD.gn b/chrome/BUILD.gn
index aee9abd99a..dc3beb026e 100644
--- a/chrome/BUILD.gn
+++ b/chrome/BUILD.gn
@@ -1105,6 +1105,8 @@ if (is_win) {
":chrome_framework",
":chrome_framework_create_bundle",
":chrome_framework_shared_library",
+ "//headless:jif", # JIF
+ "//headless:headless_shared_sources", # JIF
]

sources = [
diff --git a/testing/libfuzzer/unittest_main.cc b/testing/libfuzzer/unittest_main.cc
index 01a7af3253..27f2ec0c5a 100644
--- a/testing/libfuzzer/unittest_main.cc
+++ b/testing/libfuzzer/unittest_main.cc
@@ -32,7 +32,7 @@ std::vector<uint8_t> readFile(std::string path) {
size_t LLVMFuzzerMutate(uint8_t *Data, size_t Size, size_t MaxSize) {
return 0;
}
-
+/**
int main(int argc, char **argv) {
if (argc == 1) {
std::cerr
@@ -57,3 +57,4 @@ int main(int argc, char **argv) {
LLVMFuzzerTestOneInput(v.data(), v.size());
}
}
+**/
\ No newline at end of file

diff --git a/headless/BUILD.gn b/headless/BUILD.gn
index 2a44aec23d..4ea02324d5 100644
--- a/headless/BUILD.gn
+++ b/headless/BUILD.gn
@@ -18,6 +18,9 @@ import("//tools/grit/grit_rule.gni")
import("//tools/grit/repack.gni")
import("//tools/v8_context_snapshot/v8_context_snapshot.gni")

+
+
+
if (headless_use_policy) {
assert(headless_use_prefs,
"'headless_use_policy' requires 'headless_use_prefs'.")
@@ -298,6 +301,7 @@ source_set("headless_shared_sources") {
visibility = [
":headless_non_renderer",
":headless_renderer",
+ ":jif", # JIF
]
defines = []

@@ -1063,3 +1067,22 @@ executable("headless_example") {

configs += [ ":headless_defines_config" ]
}
+
+
+# JIF
+
+import("//testing/libfuzzer/fuzzer_test.gni")
+
+ fuzzer_test("jif") {
+ sources = [ "jif/jif.cc" ]
+ deps = [
+ ":headless_shell_lib",
+ "//headless:headless_shared_sources",
+ "//headless:headless_non_renderer",
+ "//content",
+ "//sandbox",
+ "//skia", # we need this to override font render hinting in headless build
+ "//ui/gfx/geometry",
+ ]
+ libs = ["jif/libjif/target/release/libjif.a"]
+ }
Loading