From 8452c9f80ee02cb71fb72f638d3bdef754f15297 Mon Sep 17 00:00:00 2001
From: Gabriel Rasskin
Date: Thu, 18 Jun 2020 13:58:25 -0700
Subject: [PATCH 1/8] Added status_group fuzzer
---
.../security/fuzzing/status_group_fuzz.cc | 83 +++++++++++++++++++
1 file changed, 83 insertions(+)
create mode 100644 tensorflow/security/fuzzing/status_group_fuzz.cc
diff --git a/tensorflow/security/fuzzing/status_group_fuzz.cc b/tensorflow/security/fuzzing/status_group_fuzz.cc
new file mode 100644
index 00000000000..979fd444b48
--- /dev/null
+++ b/tensorflow/security/fuzzing/status_group_fuzz.cc
@@ -0,0 +1,83 @@
+/* Copyright 2020 The TensorFlow Authors. All Rights Reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+==============================================================================*/
+#include
+#include
+
+#include "tensorflow/core/platform/status.h"
+
+#include
+
+// This is a fuzzer for `tensorflow::StatusGroup`. Since `Status` is used almost
+// everywhere, we need to ensure that the common functionality is safe. We don't
+// expect many crashes from this fuzzer
+
+namespace {
+
+tensorflow::error::Code BuildRandomErrorCode(uint32_t code){
+
+ // We cannot build a `Status` with error_code of 0 and a message, so force
+ // error code to be non-zero.
+ if (code == 0) { + return tensorflow::error::UNKNOWN; + } + + return static_cast(code); +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + tensorflow::error::Code error_code; + + std::string error_message = "ERROR"; + + tensorflow::Status s, derived_s; + + tensorflow::StatusGroup sg; + + bool is_derived; + + uint32_t code; + + FuzzedDataProvider fuzzed_data(data, size); + + while(fuzzed_data.remaining_bytes() > 0) { + code = fuzzed_data.ConsumeIntegral(); + + error_code = BuildRandomErrorCode(code); + + is_derived = fuzzed_data.ConsumeBool(); + + s = tensorflow::Status(error_code, error_message); + + if(is_derived) { + derived_s = tensorflow::StatusGroup::MakeDerived(s); + + sg.Update(derived_s); + + } else { + sg.Update(s); + + } + } + + sg.as_summary_status(); + + sg.as_concatenated_status(); + + sg.AttachLogMessages(); + + return 0; +} + +} // namespace From dda51e1c94160b8252c51dd0ddca445d821ba8b9 Mon Sep 17 00:00:00 2001 From: Gabriel Rasskin Date: Thu, 18 Jun 2020 13:59:11 -0700 Subject: [PATCH 2/8] Added status group fuzzer build rules --- tensorflow/security/fuzzing/BUILD | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tensorflow/security/fuzzing/BUILD b/tensorflow/security/fuzzing/BUILD index 9b5aeec2d36..871baa0055b 100644 --- a/tensorflow/security/fuzzing/BUILD +++ b/tensorflow/security/fuzzing/BUILD @@ -19,6 +19,14 @@ tf_fuzz_target( ], ) +tf_fuzz_target( + name = "status_group_fuzz", + srcs = ["status_group_fuzz.cc"], + deps = [ + "//tensorflow/core/platform:status", + ], +) + # A trivial fuzzer with no pre-specified corpus. # TODO(mihaimaruseac): Move fuzz_session and the op fuzzers to a subdirectory tf_fuzz_target( From 852cde437fdd062f52c42e47344029897ee67afd Mon Sep 17 00:00:00 2001 
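Review bot: `LLVMFuzzerTestOneInput` is defined inside the unnamed `namespace { ... }` that only closes at `} // namespace`, so under the standard's linkage rules the entry point sits in a scope whose members get internal linkage. As far as I know Clang and GCC still keep `extern "C"` functions external there, so this presumably links today, but the fuzzing runtime finding the symbol then depends on that compiler leniency rather than on the language. Keep only `BuildRandomErrorCode` in the unnamed namespace: move `}  // namespace` up to directly after the helper's closing brace and leave the `extern "C"` entry point at file scope.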
From: Gabriel Rasskin Date: Thu, 18 Jun 2020 15:27:56 -0700 Subject: [PATCH 3/8] Make error_message constant Co-authored-by: Mihai Maruseac --- tensorflow/security/fuzzing/status_group_fuzz.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tensorflow/security/fuzzing/status_group_fuzz.cc b/tensorflow/security/fuzzing/status_group_fuzz.cc index 979fd444b48..5e2b7eec403 100644 --- a/tensorflow/security/fuzzing/status_group_fuzz.cc +++ b/tensorflow/security/fuzzing/status_group_fuzz.cc @@ -39,7 +39,7 @@ tensorflow::error::Code BuildRandomErrorCode(uint32_t code){ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { tensorflow::error::Code error_code; - std::string error_message = "ERROR"; + const std::string error_message = "ERROR"; tensorflow::Status s, derived_s; From 14e942faaa56b749c81c52595d04a9bb7f26fa02 Mon Sep 17 00:00:00 2001 From: Gabriel Rasskin Date: Thu, 18 Jun 2020 15:31:26 -0700 Subject: [PATCH 4/8] Update spacing and variable declaration --- .../security/fuzzing/status_group_fuzz.cc | 27 ++++--------------- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/tensorflow/security/fuzzing/status_group_fuzz.cc b/tensorflow/security/fuzzing/status_group_fuzz.cc index 5e2b7eec403..52d83d00866 100644 --- a/tensorflow/security/fuzzing/status_group_fuzz.cc +++ b/tensorflow/security/fuzzing/status_group_fuzz.cc @@ -14,9 +14,7 @@ limitations under the License. ==============================================================================*/ #include #include - #include "tensorflow/core/platform/status.h" - #include // This is a fuzzer for `tensorflow::StatusGroup`. Since `Status` is used almost 
@@ -37,37 +35,22 @@ tensorflow::error::Code BuildRandomErrorCode(uint32_t code){ } extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - tensorflow::error::Code error_code; - const std::string error_message = "ERROR"; - - tensorflow::Status s, derived_s; - tensorflow::StatusGroup sg; - - bool is_derived; - - uint32_t code; - FuzzedDataProvider fuzzed_data(data, size); while(fuzzed_data.remaining_bytes() > 0) { - code = fuzzed_data.ConsumeIntegral(); + uint32_t code = fuzzed_data.ConsumeIntegral(); + tensorflow::error::Code error_code = BuildRandomErrorCode(code); + bool is_derived = fuzzed_data.ConsumeBool(); - error_code = BuildRandomErrorCode(code); - - is_derived = fuzzed_data.ConsumeBool(); - - s = tensorflow::Status(error_code, error_message); + tensorflow::Status s = tensorflow::Status(error_code, error_message); if(is_derived) { - derived_s = tensorflow::StatusGroup::MakeDerived(s); - + tensorflow::Status derived_s = tensorflow::StatusGroup::MakeDerived(s); sg.Update(derived_s); - } else { sg.Update(s); - } } From 71bbebbf4d04c1bcb6ed44e2156087c9fec06e9e Mon Sep 17 00:00:00 2001 From: Gabriel Rasskin Date: Thu, 18 Jun 2020 15:32:15 -0700 Subject: [PATCH 5/8] Moved final StatusGroup method calls --- tensorflow/security/fuzzing/status_group_fuzz.cc | 2 -- 1 file changed, 2 deletions(-) diff --git a/tensorflow/security/fuzzing/status_group_fuzz.cc b/tensorflow/security/fuzzing/status_group_fuzz.cc index 52d83d00866..bc80cd72bc9 100644 --- a/tensorflow/security/fuzzing/status_group_fuzz.cc +++ b/tensorflow/security/fuzzing/status_group_fuzz.cc @@ -55,9 +55,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { } sg.as_summary_status(); - sg.as_concatenated_status(); - sg.AttachLogMessages(); return 0; From 390b259dfc8407484533c1cb61ca3515ed5166e8 Mon Sep 17 00:00:00 2001 
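Review bot: The rewritten loop takes only the error code and the derived flag from the fuzz input, while every `Status` is still built with the fixed `error_message` "ERROR". The message-combining work in `as_summary_status()` and `as_concatenated_status()` is therefore presumably always run on identical text, which limits what this target can find in `StatusGroup`. Consider drawing the message from the input inside the loop, e.g. `const std::string error_message = fuzzed_data.ConsumeRandomLengthString(kMaxMessageLen);`, where `kMaxMessageLen` is a small constant to be added to the file. The tail of the function, where the summaries are built, lies outside this hunk.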
From: Gabriel Rasskin Date: Fri, 19 Jun 2020 10:16:47 -0700 Subject: [PATCH 6/8] Fix unused variable issue with fuzzing methods --- tensorflow/security/fuzzing/status_group_fuzz.cc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tensorflow/security/fuzzing/status_group_fuzz.cc b/tensorflow/security/fuzzing/status_group_fuzz.cc index bc80cd72bc9..989e1c9d1cb 100644 --- a/tensorflow/security/fuzzing/status_group_fuzz.cc +++ b/tensorflow/security/fuzzing/status_group_fuzz.cc @@ -54,9 +54,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { } } - sg.as_summary_status(); - sg.as_concatenated_status(); - sg.AttachLogMessages(); + // Ignore warnings that these values are unused + sg.as_summary_status().IgnoreError();; + sg.as_concatenated_status().IgnoreError();; + sg.AttachLogMessages().IgnoreError();; return 0; } From 40b9713f6459abd043248c55b1b06ebf60712961 Mon Sep 17 00:00:00 2001 From: Gabriel Rasskin Date: Fri, 19 Jun 2020 10:17:22 -0700 Subject: [PATCH 7/8] Doubling syntax --- tensorflow/security/fuzzing/status_group_fuzz.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tensorflow/security/fuzzing/status_group_fuzz.cc b/tensorflow/security/fuzzing/status_group_fuzz.cc index 989e1c9d1cb..002785734bb 100644 --- a/tensorflow/security/fuzzing/status_group_fuzz.cc +++ b/tensorflow/security/fuzzing/status_group_fuzz.cc @@ -55,9 +55,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { } // Ignore warnings that these values are unused - sg.as_summary_status().IgnoreError();; - sg.as_concatenated_status().IgnoreError();; - sg.AttachLogMessages().IgnoreError();; + sg.as_summary_status().IgnoreError(); + sg.as_concatenated_status().IgnoreError(); + sg.AttachLogMessages().IgnoreError(); return 0; } From f1f5ed68595a56357d92985466d7e0687b23303e Mon Sep 17 00:00:00 2001 
From: Mihai Maruseac Date: Fri, 19 Jun 2020 17:22:51 +0000 Subject: [PATCH 8/8] Update tensorflow/security/fuzzing/status_group_fuzz.cc --- tensorflow/security/fuzzing/status_group_fuzz.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tensorflow/security/fuzzing/status_group_fuzz.cc b/tensorflow/security/fuzzing/status_group_fuzz.cc index 002785734bb..a560766410a 100644 --- a/tensorflow/security/fuzzing/status_group_fuzz.cc +++ b/tensorflow/security/fuzzing/status_group_fuzz.cc @@ -57,7 +57,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { // Ignore warnings that these values are unused sg.as_summary_status().IgnoreError(); sg.as_concatenated_status().IgnoreError(); - sg.AttachLogMessages().IgnoreError(); + sg.AttachLogMessages(); return 0; }
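Review bot: The context comment `// Ignore warnings that these values are unused` now sits above a call that discards nothing, since `sg.AttachLogMessages();` no longer has a result to ignore. It also describes the compiler warning rather than why dropping the statuses is acceptable here. Suggest `// The returned statuses are discarded on purpose: the fuzzer only checks that these calls do not crash.` above the two `IgnoreError()` calls, with `sg.AttachLogMessages();` left below them on its own. The enclosing function starts outside this hunk.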