From 2d000809ddbebbc6841b4711c2c0440269dce05e Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Fri, 27 Dec 2019 14:57:09 +0100
Subject: fuzz: find bugs when parsing uapi input

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 src/fuzz/.gitignore |  1 +
 src/fuzz/Makefile   | 10 +++++++---
 src/fuzz/uapi.c     | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100644 src/fuzz/uapi.c

diff --git a/src/fuzz/.gitignore b/src/fuzz/.gitignore
index 04204c7..988712e 100644
--- a/src/fuzz/.gitignore
+++ b/src/fuzz/.gitignore
@@ -1 +1,2 @@
 config
+uapi
diff --git a/src/fuzz/Makefile b/src/fuzz/Makefile
index 87a5dcd..0e7ddb5 100644
--- a/src/fuzz/Makefile
+++ b/src/fuzz/Makefile
@@ -2,15 +2,19 @@
 #
 # Copyright (C) 2018-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
 
-all: config
+all: config uapi
 
 CFLAGS ?= -O3 -march=native -g
 CFLAGS += -fsanitize=fuzzer -std=gnu11 -idirafter ../uapi
+CC := clang
 
 config: config.c ../config.c ../encoding.c
-	clang $(CFLAGS) -o $@ $<
+	$(CC) $(CFLAGS) -o $@ $<
+
+uapi: uapi.c ../ipc.c ../curve25519.c ../encoding.c
+	$(CC) $(CFLAGS) -o $@ $<
 
 clean:
-	rm -f config
+	rm -f config uapi
 
 .PHONY: all clean
diff --git a/src/fuzz/uapi.c b/src/fuzz/uapi.c
new file mode 100644
index 0000000..3094f1c
--- /dev/null
+++ b/src/fuzz/uapi.c
@@ -0,0 +1,56 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2018-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ */
+
+#include <stdio.h>
+#include <sys/stat.h>
+static FILE *hacked_userspace_interface_file(const char *iface);
+#define stat(a, b) ({ return hacked_userspace_interface_file(iface); 0; })
+#define RUNSTATEDIR "/var/empty"
+#undef __linux__
+#include "../ipc.c"
+#include "../curve25519.c"
+#include "../encoding.c"
+
+#include <stdint.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+const char *__asan_default_options()
+{
+        return "verbosity=1";
+}
+
+union hackiface {
+	char ifname[IFNAMSIZ];
+	struct {
+		const uint8_t *data;
+		size_t len;
+	};
+};
+
+static FILE *hacked_userspace_interface_file(const char *iface)
+{
+	union hackiface *hack = (union hackiface *)iface;
+	FILE *f = fmemopen(NULL, hack->len + 7, "r+");
+	fseek(f, 7, SEEK_SET);
+	fwrite(hack->data, hack->len, 1, f);
+	fseek(f, 0, SEEK_SET);
+	memcpy(hack->ifname, "hack", 5);
+	return f;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t len)
+{
+	union hackiface hack = {
+		.data = data,
+		.len = len
+	};
+	struct wgdevice *dev = NULL;
+
+	userspace_get_device(&dev, (const char *)&hack);
+	free_wgdevice(dev);
+	return 0;
+}
-- 
cgit v1.2.3-59-g8ed1b