From e7093ca18c5b9e61eeae33d253b3ce58267f0347 Mon Sep 17 00:00:00 2001
From: Nick Terrell <terrelln@fb.com>
Date: Mon, 19 Jun 2017 19:09:15 -0700
Subject: [PATCH] [linux] Add libfuzzer targets

---
 contrib/linux-kernel/test/DecompressCrash.c |  85 ++++++++++
 contrib/linux-kernel/test/Makefile          |  13 ++
 contrib/linux-kernel/test/RoundTripCrash.c  | 162 ++++++++++++++++++++
 3 files changed, 260 insertions(+)
 create mode 100644 contrib/linux-kernel/test/DecompressCrash.c
 create mode 100644 contrib/linux-kernel/test/RoundTripCrash.c

diff --git a/contrib/linux-kernel/test/DecompressCrash.c b/contrib/linux-kernel/test/DecompressCrash.c
new file mode 100644
index 00000000..b5b673aa
--- /dev/null
+++ b/contrib/linux-kernel/test/DecompressCrash.c
@@ -0,0 +1,85 @@
+/**
+ * Copyright (c) 2016-present, Yann Collet, Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree. An additional grant
+ * of patent rights can be found in the PATENTS file in the same directory.
+ */
+
+/*
+  This program takes a file in input,
+  performs a zstd round-trip test (compression - decompress)
+  compares the result with original
+  and generates a crash (double free) on corruption detection.
+*/
+
+/*===========================================
+*   Dependencies
+*==========================================*/
+#include <stddef.h>     /* size_t */
+#include <stdlib.h>     /* malloc, free, exit */
+#include <stdio.h>      /* fprintf */
+#include <linux/zstd.h>
+
+/*===========================================
+*   Macros
+*==========================================*/
+#define MIN(a,b)  ( (a) < (b) ? (a) : (b) )
+
+static ZSTD_DCtx *dctx = NULL;
+void *dws = NULL;
+static void* rBuff = NULL;
+static size_t buffSize = 0;
+
+static void crash(int errorCode){
+    /* abort if AFL/libfuzzer, exit otherwise */
+    #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION /* could also use __AFL_COMPILER */
+        abort();
+    #else
+        exit(errorCode);
+    #endif
+}
+
+static void decompressCheck(const void* srcBuff, size_t srcBuffSize)
+{
+    size_t const neededBuffSize = 20 * srcBuffSize;
+
+    /* Allocate all buffers and contexts if not already allocated */
+    if (neededBuffSize > buffSize) {
+        free(rBuff);
+        buffSize = 0;
+
+        rBuff = malloc(neededBuffSize);
+        if (!rBuff) {
+            fprintf(stderr, "not enough memory ! \n");
+            crash(1);
+        }
+        buffSize = neededBuffSize;
+    }
+    if (!dctx) {
+        size_t const workspaceSize = ZSTD_DCtxWorkspaceBound();
+        dws = malloc(workspaceSize);
+        if (!dws) {
+            fprintf(stderr, "not enough memory ! \n");
+            crash(1);
+        }
+        dctx = ZSTD_initDCtx(dws, workspaceSize);
+        if (!dctx) {
+            fprintf(stderr, "not enough memory ! \n");
+            crash(1);
+        }
+    }
+    ZSTD_decompressDCtx(dctx, rBuff, buffSize, srcBuff, srcBuffSize);
+
+#ifndef SKIP_FREE
+    free(dws); dws = NULL; dctx = NULL;
+    free(rBuff); rBuff = NULL;
+    buffSize = 0;
+#endif
+}
+
+int LLVMFuzzerTestOneInput(const unsigned char *srcBuff, size_t srcBuffSize) {
+  decompressCheck(srcBuff, srcBuffSize);
+  return 0;
+}
diff --git a/contrib/linux-kernel/test/Makefile b/contrib/linux-kernel/test/Makefile
index e33a256a..892264f4 100644
--- a/contrib/linux-kernel/test/Makefile
+++ b/contrib/linux-kernel/test/Makefile
@@ -12,12 +12,24 @@ CPPFLAGS += $(IFLAGS)
 ../lib/zstd/libzstd.a: $(OBJECTS)
 	$(AR) $(ARFLAGS) $@ $^
 
+DecompressCrash: DecompressCrash.o $(OBJECTS) libFuzzer.a
+	$(CXX) $(TEST_CPPFLAGS) $(TEST_CXXFLAGS) $(LDFLAGS) $^ -o $@
+
+RoundTripCrash: RoundTripCrash.o $(OBJECTS) ../lib/xxhash.o libFuzzer.a
+	$(CXX) $(TEST_CPPFLAGS) $(TEST_CXXFLAGS) $(LDFLAGS) $^ -o $@
+
 UserlandTest: UserlandTest.cpp ../lib/zstd/libzstd.a ../lib/xxhash.o
 	$(CXX) $(CXXFLAGS) $(CFLAGS) $(CPPFLAGS) $^ googletest/build/googlemock/gtest/libgtest.a googletest/build/googlemock/gtest/libgtest_main.a -o $@
 
 XXHashUserlandTest: XXHashUserlandTest.cpp ../lib/xxhash.o ../../../lib/common/xxhash.o
 	$(CXX) $(CXXFLAGS) $(CFLAGS) $(CPPFLAGS) $^ googletest/build/googlemock/gtest/libgtest.a googletest/build/googlemock/gtest/libgtest_main.a -o $@
 
+# Install libfuzzer
+libFuzzer.a:
+	@$(RM) -rf Fuzzer
+	@git clone https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer
+	@./Fuzzer/build.sh
+
 # Install googletest
 .PHONY: googletest
 googletest:
@@ -28,3 +40,4 @@ googletest:
 
 clean:
 	$(RM) -f *.{o,a} ../lib/zstd/*.{o,a}
+	$(RM) -f DecompressCrash RoundTripCrash UserlandTest XXHashUserlandTest
diff --git a/contrib/linux-kernel/test/RoundTripCrash.c b/contrib/linux-kernel/test/RoundTripCrash.c
new file mode 100644
index 00000000..44c67f3a
--- /dev/null
+++ b/contrib/linux-kernel/test/RoundTripCrash.c
@@ -0,0 +1,162 @@
+/**
+ * Copyright (c) 2016-present, Yann Collet, Facebook, Inc.
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree. An additional grant
+ * of patent rights can be found in the PATENTS file in the same directory.
+ */
+
+/*
+  This program takes a file in input,
+  performs a zstd round-trip test (compression - decompress)
+  compares the result with original
+  and generates a crash (double free) on corruption detection.
+*/
+
+/*===========================================
+*   Dependencies
+*==========================================*/
+#include <stddef.h>     /* size_t */
+#include <stdlib.h>     /* malloc, free, exit */
+#include <stdio.h>      /* fprintf */
+#include <linux/xxhash.h>
+#include <linux/zstd.h>
+
+/*===========================================
+*   Macros
+*==========================================*/
+#define MIN(a,b)  ( (a) < (b) ? (a) : (b) )
+
+static const int kMaxClevel = 22;
+
+static ZSTD_CCtx *cctx = NULL;
+void *cws = NULL;
+static ZSTD_DCtx *dctx = NULL;
+void *dws = NULL;
+static void* cBuff = NULL;
+static void* rBuff = NULL;
+static size_t buffSize = 0;
+
+
+/** roundTripTest() :
+*   Compresses `srcBuff` into `compressedBuff`,
+*   then decompresses `compressedBuff` into `resultBuff`.
+*   Compression level used is derived from first content byte.
+*   @return : result of decompression, which should be == `srcSize`
+*          or an error code if either compression or decompression fails.
+*   Note : `compressedBuffCapacity` should be `>= ZSTD_compressBound(srcSize)`
+*          for compression to be guaranteed to work */
+static size_t roundTripTest(void* resultBuff, size_t resultBuffCapacity,
+                            void* compressedBuff, size_t compressedBuffCapacity,
+                      const void* srcBuff, size_t srcBuffSize)
+{
+    size_t const hashLength = MIN(128, srcBuffSize);
+    unsigned const h32 = xxh32(srcBuff, hashLength, 0);
+    int const cLevel = h32 % kMaxClevel;
+    ZSTD_parameters const params = ZSTD_getParams(cLevel, srcBuffSize, 0);
+    size_t const cSize = ZSTD_compressCCtx(cctx, compressedBuff, compressedBuffCapacity, srcBuff, srcBuffSize, params);
+    if (ZSTD_isError(cSize)) {
+        fprintf(stderr, "Compression error : %u \n", ZSTD_getErrorCode(cSize));
+        return cSize;
+    }
+    return ZSTD_decompressDCtx(dctx, resultBuff, resultBuffCapacity, compressedBuff, cSize);
+}
+
+
+static size_t checkBuffers(const void* buff1, const void* buff2, size_t buffSize)
+{
+    const char* ip1 = (const char*)buff1;
+    const char* ip2 = (const char*)buff2;
+    size_t pos;
+
+    for (pos=0; pos<buffSize; pos++)
+        if (ip1[pos]!=ip2[pos])
+            break;
+
+    return pos;
+}
+
+static void crash(int errorCode){
+    /* abort if AFL/libfuzzer, exit otherwise */
+    #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION /* could also use __AFL_COMPILER */
+        abort();
+    #else
+        exit(errorCode);
+    #endif
+}
+
+static void roundTripCheck(const void* srcBuff, size_t srcBuffSize)
+{
+    size_t const neededBuffSize = ZSTD_compressBound(srcBuffSize);
+
+    /* Allocate all buffers and contexts if not already allocated */
+    if (neededBuffSize > buffSize) {
+        free(cBuff);
+        free(rBuff);
+        buffSize = 0;
+
+        cBuff = malloc(neededBuffSize);
+        rBuff = malloc(neededBuffSize);
+        if (!cBuff || !rBuff) {
+            fprintf(stderr, "not enough memory ! \n");
+            crash(1);
+        }
+        buffSize = neededBuffSize;
+    }
+    if (!cctx) {
+        ZSTD_compressionParameters const params = ZSTD_getCParams(kMaxClevel, 0, 0);
+        size_t const workspaceSize = ZSTD_CCtxWorkspaceBound(params);
+        cws = malloc(workspaceSize);
+        if (!cws) {
+            fprintf(stderr, "not enough memory ! \n");
+            crash(1);
+        }
+        cctx = ZSTD_initCCtx(cws, workspaceSize);
+        if (!cctx) {
+            fprintf(stderr, "not enough memory ! \n");
+            crash(1);
+        }
+    }
+    if (!dctx) {
+        size_t const workspaceSize = ZSTD_DCtxWorkspaceBound();
+        dws = malloc(workspaceSize);
+        if (!dws) {
+            fprintf(stderr, "not enough memory ! \n");
+            crash(1);
+        }
+        dctx = ZSTD_initDCtx(dws, workspaceSize);
+        if (!dctx) {
+            fprintf(stderr, "not enough memory ! \n");
+            crash(1);
+        }
+    }
+
+    {   size_t const result = roundTripTest(rBuff, buffSize, cBuff, buffSize, srcBuff, srcBuffSize);
+        if (ZSTD_isError(result)) {
+            fprintf(stderr, "roundTripTest error : %u \n", ZSTD_getErrorCode(result));
+            crash(1);
+        }
+        if (result != srcBuffSize) {
+            fprintf(stderr, "Incorrect regenerated size : %u != %u\n", (unsigned)result, (unsigned)srcBuffSize);
+            crash(1);
+        }
+        if (checkBuffers(srcBuff, rBuff, srcBuffSize) != srcBuffSize) {
+            fprintf(stderr, "Silent decoding corruption !!!");
+            crash(1);
+        }
+    }
+
+#ifndef SKIP_FREE
+    free(cws); cws = NULL; cctx = NULL;
+    free(dws); dws = NULL; dctx = NULL;
+    free(cBuff); cBuff = NULL;
+    free(rBuff); rBuff = NULL;
+    buffSize = 0;
+#endif
+}
+
+int LLVMFuzzerTestOneInput(const unsigned char *srcBuff, size_t srcBuffSize) {
+  roundTripCheck(srcBuff, srcBuffSize);
+  return 0;
+}