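#!/bin/bash
#
# Fuzz-testing script for TShark
#
# This script uses Editcap to add random errors ("fuzz") to a set of
# capture files specified on the command line. It runs TShark on
# each fuzzed file and checks for errors. The files are processed
# repeatedly until an error is found.
#
# Copyright 2013 Gerald Combs <gerald@wireshark.org>
#
# Wireshark - Network traffic analyzer
# By Gerald Combs <gerald@wireshark.org>
# Copyright 1998 Gerald Combs
#
# SPDX-License-Identifier: GPL-2.0-or-later

TEST_TYPE="fuzz"
# Shared helpers and defaults are loaded from the script's own directory;
# abort if they cannot be sourced, because the rest of the script relies on
# names that are not defined in this file (presumably set there).
# shellcheck source=tools/test-common.sh
. "$( dirname "$0" )"/test-common.sh || exit 1

# Sanity check to make sure we can find our plugins. Zero or less disables.
MIN_PLUGINS=0

# Did we catch a signal or time out?
DONE=false

# Currently running children
RUNNER_PIDS=

# Perform a two-pass analysis on the capture file?
TWO_PASS=

# Specific config profile ?
CONFIG_PROFILE=

# Run under valgrind ?
VALGRIND=0

# Abort on UTF-8 encoding errors.
# The trailing space is deliberate: this value is concatenated with the other
# option fragments into COMMON_ARGS and later split on whitespace.
CHECK_UTF_8="--log-fatal-domains=UTF-8 "

# Run under AddressSanitizer ?
# Fall back to 0 when CONFIGURED_WITH_ASAN is unset or empty, so the numeric
# tests on $ASAN later in the script never see an empty operand.
ASAN=${CONFIGURED_WITH_ASAN:-0}

# Don't skip any byte from being changed
CHANGE_OFFSET=0

# The maximum permitted amount of memory leaked. Eventually this should be
# worked down to zero, but right now that would fail on every single capture.
# Only has effect when running under valgrind.
MAX_LEAK=$(( 1024 * 100 ))

# Our maximum run time: 86400 seconds after start unless -t overrides it.
RUN_START_SECONDS=$SECONDS
RUN_MAX_SECONDS=$(( RUN_START_SECONDS + 86400 ))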
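# Parse the command-line options; the remaining arguments are capture files.
# To do: add options for file names and limits
while getopts "2b:C:d:e:agp:P:o:t:U" OPTCHAR ; do
    case $OPTCHAR in
        a) ASAN=1 ;;
        2) TWO_PASS="-2 " ;;
        b) WIRESHARK_BIN_DIR=$OPTARG ;;
        # NOTE: this value ends up in COMMON_ARGS, which is expanded unquoted
        # when the runner is started, so a profile name containing whitespace
        # or glob characters is split into separate arguments.
        C) CONFIG_PROFILE="-C $OPTARG " ;;
        d) TMP_DIR=$OPTARG ;;
        e) ERR_PROB=$OPTARG ;;
        g) VALGRIND=1 ; CHECK_UTF_8= ;;
        p) MAX_PASSES=$OPTARG ;;
        P) MIN_PLUGINS=$OPTARG ;;
        o) CHANGE_OFFSET=$OPTARG ;;
        t)
            # Bash evaluates a variable used inside $(( )) as an expression,
            # not as a literal number, so only plain decimal digits are
            # accepted before the value reaches arithmetic expansion.
            case $OPTARG in
                ''|*[!0-9]*)
                    printf 'Option -t needs a whole number of seconds, got "%s"\n' "$OPTARG" >&2
                    exit 1
                    ;;
            esac
            # 10# forces base 10 so a value with leading zeros is not read as octal.
            RUN_MAX_SECONDS=$(( RUN_START_SECONDS + 10#$OPTARG ))
            ;;
        U) CHECK_UTF_8= ;; # disable
        # Unknown options are reported and parsing continues.
        *) printf "Unknown option %s\n" "$OPTCHAR" ;;
    esac
done
shift $((OPTIND - 1))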
### usually you won't have to change anything below this line ###

# Resolve the tool paths and check that they are usable. Both helpers are
# not defined in this file; presumably they come from test-common.sh.
ws_bind_exec_paths
ws_check_exec "$TSHARK" "$EDITCAP" "$CAPINFOS" "$DATE" "$TMP_DIR"

# Option fragments shared by every runner invocation. Each fragment already
# carries its own trailing space.
COMMON_ARGS="${CONFIG_PROFILE}${TWO_PASS}${CHECK_UTF_8}"
KEEP=
PACKET_RANGE=

# Pick the program that processes each fuzzed capture, and the argument
# sets it is run with.
case "$VALGRIND" in
    1)
        RUNNER="$( dirname "$0" )/valgrind-wireshark.sh"
        declare -a RUNNER_ARGS=("" "-T")
        COMMON_ARGS="-b $WIRESHARK_BIN_DIR $COMMON_ARGS"
        # Valgrind requires more resources, so permit 1.5x memory and 3x time
        # (1.5x time is too small for a few large captures in the menagerie)
        MAX_VMEM=$(( 3 * MAX_VMEM / 2 ))
        MAX_CPU_TIME=$(( 3 * MAX_CPU_TIME ))
        # Valgrind is slow. Trim captures to the first 10k packets so that
        # we don't time out.
        PACKET_RANGE=1-10000
        KEEP=-r
        ;;
    *)
        # Not using valgrind, use regular tshark.
        # TShark arguments (you won't have to change these)
        # n Disable network object name resolution
        # V Print a view of the details of the packet rather than a one-line summary of the packet
        # x Cause TShark to print a hex and ASCII dump of the packet data after printing the summary or details
        # r Read packet data from the following infile
        declare -a RUNNER_ARGS=("-nVxr" "-nr")
        RUNNER="$TSHARK"
        # Running with a read filter but without generating the tree exposes some
        # "More than 100000 items in tree" bugs.
        # Not sure if we want to add even more cycles to the fuzz bot's work load...
        #declare -a RUNNER_ARGS=("${CONFIG_PROFILE}${TWO_PASS}-nVxr" "${CONFIG_PROFILE}${TWO_PASS}-nr" "-Yframe ${CONFIG_PROFILE}${TWO_PASS}-nr")
        ;;
esac
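# Make sure we have a valid test set: at least one argument must be a file
# that capinfos accepts. Stop probing at the first match.
FOUND=0
for CF in "$@" ; do
    if [ "$OSTYPE" == "cygwin" ] ; then
        CF=$( cygpath --windows "$CF" )
    fi
    if "$CAPINFOS" "$CF" > /dev/null 2>&1 ; then
        FOUND=1
        break
    fi
done

if [ $FOUND -eq 0 ] ; then
    # The usage line lists every option the getopts string accepts,
    # including -P, -t and -U.
    cat <<FIN
Error: No valid capture files found.

Usage: $( basename "$0" ) [-2] [-b bin_dir] [-C config_profile] [-d work_dir] [-e error probability] [-o changes offset] [-g] [-a] [-p passes] [-P min plugins] [-t max run seconds] [-U] capture file 1 [capture file 2]...
FIN
    exit 1
fi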
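# Count the lines of "tshark -G plugins" that mention "dissector" and stop
# when fewer than MIN_PLUGINS were found. MIN_PLUGINS of zero or less
# disables the check.
# $TSHARK is quoted, as everywhere else in this script, so an install path
# containing spaces is not split into several words.
PLUGIN_COUNT=$( "$TSHARK" -G plugins | grep -c dissector )
if [ "$MIN_PLUGINS" -gt 0 ] && [ "$PLUGIN_COUNT" -lt "$MIN_PLUGINS" ] ; then
    echo "Warning: Found fewer plugins than expected ($PLUGIN_COUNT vs $MIN_PLUGINS)."
    exit 1
fi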
# Report which virtual-memory limit applies. With ASan the shell's current
# limit is shown, because MAX_VMEM is not applied to the children in that case.
if [ $ASAN -ne 0 ]; then
    printf '%s' "ASan enabled. Virtual memory limit is "
    ulimit -v
else
    printf '%s\n' "ASan disabled. Virtual memory limit is $MAX_VMEM"
fi

# Describe how long the run lasts: a fixed number of passes, or until an
# error, a signal or the time limit ends it.
if [ "$MAX_PASSES" -gt 0 ]; then
    HOWMANY="$MAX_PASSES passes"
else
    HOWMANY="forever"
fi

# Print the runner, the shared arguments, and each per-run argument set on
# its own quoted line.
printf '%s' "Running $RUNNER $COMMON_ARGS with args: "
printf "\"%s\"\n" "${RUNNER_ARGS[@]}"
printf '%s\n' "($HOWMANY)"
echo
#######################################
# Signal handler: clean up on <ctrl>C, etc.
# Globals:   TMP_DIR, TMP_FILE, ERR_FILE (read)
# Outputs:   a short notice on stdout
# Returns:   does not return; exits the script with status 0
#######################################
trap_all() {
    local fuzzed_capture="$TMP_DIR/$TMP_FILE"
    local err_prefix="$TMP_DIR/$ERR_FILE"

    printf '\n\nCaught signal. Exiting.\n'
    # The glob also matches the per-runner "$ERR_FILE.<pid>" files.
    rm -f "$fuzzed_capture" "$err_prefix"*
    exit 0
}
#######################################
# SIGABRT handler: forward the abort to every running child, then clean up
# and exit through trap_all.
# Globals:   RUNNER_PIDS (read) - whitespace-separated list of child PIDs
#######################################
trap_abrt() {
    local child_pid

    # RUNNER_PIDS is a plain string, so word splitting is what separates the
    # individual PIDs here.
    for child_pid in $RUNNER_PIDS ; do
        kill -ABRT "$child_pid"
    done
    trap_all
}
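trap trap_all HUP INT TERM
trap trap_abrt ABRT

# Iterate over our capture files.
#
# Each pass walks every capture given on the command line: the capture is
# checked with capinfos, fuzzed with editcap, and the fuzzed copy is handed
# to one background runner per entry in RUNNER_ARGS. The run ends through
# ws_exit_error on the first failure, or when MAX_PASSES or the time limit
# is reached.
PASS=0
while { [ $PASS -lt "$MAX_PASSES" ] || [ "$MAX_PASSES" -lt 1 ]; } && ! $DONE ; do
    PASS=$(( PASS+1 ))
    echo "Pass $PASS:"
    RUN=0

    for CF in "$@" ; do
        if $DONE; then
            break # We caught a signal or timed out
        fi
        RUN=$(( RUN + 1 ))
        if [ $(( RUN % 50 )) -eq 0 ] ; then
            echo " [Pass $PASS]"
        fi
        if [ "$OSTYPE" == "cygwin" ] ; then
            CF=$( cygpath --windows "$CF" )
        fi

        # Exit status 1 or 2 from capinfos is treated as "not a capture
        # file" and skipped; any other failure ends the run.
        "$CAPINFOS" "$CF" > /dev/null 2> "$TMP_DIR/$ERR_FILE"
        RETVAL=$?
        if [ $RETVAL -eq 1 ] || [ $RETVAL -eq 2 ] ; then
            echo "Not a valid capture file"
            rm -f "$TMP_DIR/$ERR_FILE"
            continue
        elif [ $RETVAL -ne 0 ] && ! $DONE ; then
            # Some other error
            ws_exit_error
        fi

        # Choose a random subset of large captures.
        # NOTE(review): this reset discards the KEEP=-r / PACKET_RANGE=1-10000
        # trim that the Valgrind setup earlier in the script configures;
        # confirm that is intended.
        KEEP=
        PACKET_RANGE=
        CF_PACKETS=$( "$CAPINFOS" -T -r -c "$CF" | cut -f2 )
        # The count is cut out of tab-separated capinfos output whose first
        # field is presumably the file name. Bash evaluates the contents of
        # a variable used in an arithmetic context as an expression, so only
        # plain decimal digits are accepted; anything else counts as 0 (no
        # trimming), which is what an empty value already meant.
        if ! [[ $CF_PACKETS =~ ^[0-9]+$ ]] ; then
            CF_PACKETS=0
        fi
        if [[ $CF_PACKETS -gt $MAX_FUZZ_PACKETS ]] ; then
            START_PACKET=$(( CF_PACKETS - MAX_FUZZ_PACKETS ))
            START_PACKET=$( shuf --input-range="1-$START_PACKET" --head-count=1 )
            END_PACKET=$(( START_PACKET + MAX_FUZZ_PACKETS ))
            KEEP=-r
            PACKET_RANGE="$START_PACKET-$END_PACKET"
            printf " Fuzzing packets %d-%d of %d\n" "$START_PACKET" "$END_PACKET" "$CF_PACKETS"
        fi

        DISSECTOR_BUG=0
        VG_ERR_CNT=0

        printf " %s: " "$( basename "$CF" )"
        # KEEP and PACKET_RANGE are left unquoted on purpose: when they are
        # empty they must expand to no argument at all.
        # shellcheck disable=SC2086
        "$EDITCAP" -E "$ERR_PROB" -o "$CHANGE_OFFSET" $KEEP "$CF" "$TMP_DIR/$TMP_FILE" $PACKET_RANGE > /dev/null 2>&1
        RETVAL=$?
        if [ $RETVAL -ne 0 ] ; then
            # Retry once with "-T ether" before giving up on this capture.
            # shellcheck disable=SC2086
            "$EDITCAP" -E "$ERR_PROB" -o "$CHANGE_OFFSET" $KEEP -T ether "$CF" "$TMP_DIR/$TMP_FILE" $PACKET_RANGE \
                > /dev/null 2>&1
            RETVAL=$?
            if [ $RETVAL -ne 0 ] ; then
                echo "Invalid format for editcap"
                continue
            fi
        fi

        FILE_START_SECONDS=$SECONDS
        RUNNER_PIDS=
        RUNNER_ERR_FILES=
        for ARGS in "${RUNNER_ARGS[@]}" ; do
            if $DONE; then
                break # We caught a signal
            fi
            echo -n "($ARGS) "

            # Run in a child process with limits.
            (
                # Set some limits to the child processes, e.g. stop it if
                # it's running longer than MAX_CPU_TIME seconds. (ulimit
                # is not supported well on cygwin - it shows some warnings -
                # and the features we use may not all be supported on some
                # UN*X platforms.)
                ulimit -S -t "$MAX_CPU_TIME" -s "$MAX_STACK"

                # Allow core files to be generated
                ulimit -c unlimited

                # Don't enable ulimit -v when using ASAN. See
                # https://github.com/google/sanitizers/wiki/AddressSanitizer#ulimit--v
                if [ $ASAN -eq 0 ]; then
                    ulimit -S -v "$MAX_VMEM"
                fi

                # The subshell asks a child shell for its parent PID so the
                # error file is named after this subshell; the parent later
                # looks the file up under the PID it gets from $!.
                # shellcheck disable=SC2016
                SUBSHELL_PID=$($SHELL -c 'echo $PPID')

                printf 'Command and args: %s %s %s\n' "$RUNNER" "$COMMON_ARGS" "$ARGS" > "$TMP_DIR/$ERR_FILE.$SUBSHELL_PID"
                # COMMON_ARGS and ARGS are option strings that must be split
                # on whitespace, hence unquoted.
                # shellcheck disable=SC2086
                "$RUNNER" $COMMON_ARGS $ARGS "$TMP_DIR/$TMP_FILE" \
                    > /dev/null 2>> "$TMP_DIR/$ERR_FILE.$SUBSHELL_PID"
            ) &
            RUNNER_PID=$!
            RUNNER_PIDS="$RUNNER_PIDS $RUNNER_PID"
            RUNNER_ERR_FILES="$RUNNER_ERR_FILES $TMP_DIR/$ERR_FILE.$RUNNER_PID"

            if [ "$SECONDS" -ge "$RUN_MAX_SECONDS" ] ; then
                printf "\nStopping after %d seconds.\n" $(( SECONDS - RUN_START_SECONDS ))
                DONE=true
            fi
        done

        for RUNNER_PID in $RUNNER_PIDS ; do
            wait "$RUNNER_PID"
            RUNNER_RETVAL=$?
            mv "$TMP_DIR/$ERR_FILE.$RUNNER_PID" "$TMP_DIR/$ERR_FILE"

            # Uncomment the next two lines to enable dissector bug
            # checking.
            #grep -i "dissector bug" $TMP_DIR/$ERR_FILE \
            #    > /dev/null 2>&1 && DISSECTOR_BUG=1

            if [ $VALGRIND -eq 1 ] && ! $DONE; then
                VG_ERR_CNT=$( grep "ERROR SUMMARY:" "$TMP_DIR/$ERR_FILE" | cut -f4 -d' ' )
                VG_DEF_LEAKED=$( grep "definitely lost:" "$TMP_DIR/$ERR_FILE" | cut -f7 -d' ' | tr -d , )
                VG_IND_LEAKED=$( grep "indirectly lost:" "$TMP_DIR/$ERR_FILE" | cut -f7 -d' ' | tr -d , )
                # These fields are cut out of a log written while the runner
                # processed fuzzed input, and two of them feed $(( )) below,
                # where bash evaluates variable contents as an expression.
                # Keep a value only if it is plain decimal digits; a missing,
                # multi-line or otherwise unparsable value becomes 0.
                # NOTE(review): an unparsable ERROR SUMMARY therefore counts
                # as "no errors", as it effectively did before; consider
                # treating it as a failure instead.
                [[ $VG_ERR_CNT =~ ^[0-9]+$ ]] || VG_ERR_CNT=0
                [[ $VG_DEF_LEAKED =~ ^[0-9]+$ ]] || VG_DEF_LEAKED=0
                [[ $VG_IND_LEAKED =~ ^[0-9]+$ ]] || VG_IND_LEAKED=0
                VG_TOTAL_LEAKED=$(( 10#$VG_DEF_LEAKED + 10#$VG_IND_LEAKED ))
                if [ $RUNNER_RETVAL -ne 0 ] ; then
                    echo "General Valgrind failure."
                    VG_ERR_CNT=1
                elif [ "$VG_TOTAL_LEAKED" -gt "$MAX_LEAK" ] ; then
                    echo "Definitely + indirectly ($VG_DEF_LEAKED + $VG_IND_LEAKED) exceeds max ($MAX_LEAK)."
                    echo "Definitely + indirectly ($VG_DEF_LEAKED + $VG_IND_LEAKED) exceeds max ($MAX_LEAK)." >> "$TMP_DIR/$ERR_FILE"
                    VG_ERR_CNT=1
                fi
                if grep -q "Valgrind cannot continue" "$TMP_DIR/$ERR_FILE" ; then
                    echo "Valgrind unable to continue."
                    VG_ERR_CNT=-1
                fi
            fi

            if ! $DONE && { [ $RUNNER_RETVAL -ne 0 ] || [ $DISSECTOR_BUG -ne 0 ] || [ "$VG_ERR_CNT" -ne 0 ]; } ; then
                # RUNNER_ERR_FILES is a whitespace-separated list, so it is
                # expanded unquoted; a TMP_DIR containing spaces would be
                # split here.
                # shellcheck disable=SC2086
                rm -f $RUNNER_ERR_FILES
                ws_exit_error
            fi
        done

        printf " OK (%s seconds)\\n" $(( SECONDS - FILE_START_SECONDS ))
        rm -f "$TMP_DIR/$TMP_FILE" "$TMP_DIR/$ERR_FILE"
    done
done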