google · catenacyber · Feb 7, 2023 · catenacyber · Jul 13, 2023 · catenacyber
diff --git a/docs/advanced-topics/reproducing.md b/docs/advanced-topics/reproducing.md
@@ -138,6 +138,8 @@ Once you reproduce the bug, you can do the following:
 - **Improve fuzzing support:** Consider
    [improving your integration with OSS-Fuzz]({{ site.baseurl }}/advanced-topics/ideal-integration/).
 
+For `nalloc` sanitizer, if you launch the target yourself, without the python wrapper, be sure to use `-runs=2` or more.
+
 ## Reproducing build failures
 
 Our infrastructure runs some sanity tests to make sure that your build was

diff --git a/docs/getting-started/new_project_guide.md b/docs/getting-started/new_project_guide.md
@@ -140,12 +140,19 @@ UndefinedBehaviourSanitizer build, just specify all supported sanitizers except
 If you want to test a particular sanitizer to see what crashes it generates without filing
 them in the issue tracker, you can set an `experimental` flag. For example, if you want to test "memory", set `experimental: True` like this:
 
+[Nalloc](https://github.com/catenacyber/nallocfuzz) ("nalloc") is also supported
+but is not enabled by default due to the likelihood of bugs in the targets rather
+than in the software itself.
+
+Nalloc sanitizer injects allocation failures, and uses in addition address sanitizer.
+
 ```
 sanitizers:
  - address
  - memory:
     experimental: True
  - undefined
+ - nalloc
  ```
 
 Crashes can be accessed on the [ClusterFuzz

diff --git a/docs/index.md b/docs/index.md
@@ -42,7 +42,7 @@ execution environment and reporting tool.
 [ClusterFuzz]: https://github.com/google/clusterfuzz
 [ClusterFuzzLite]: https://google.github.io/clusterfuzzlite/
 
-Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other
+Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Swift and Java/JVM code. Other
 languages supported by [LLVM] may work too. OSS-Fuzz supports fuzzing x86_64
 and i386 builds.
 

diff --git a/infra/base-images/base-builder/Dockerfile b/infra/base-images/base-builder/Dockerfile
@@ -72,6 +72,8 @@ ENV SANITIZER_FLAGS_thread "-fsanitize=thread"
 
 ENV SANITIZER_FLAGS_introspector "-O0 -flto -fno-inline-functions -fuse-ld=gold -Wno-unused-command-line-argument"
 
+ENV SANITIZER_FLAGS_nalloc "-DLLVMFuzzerTestOneInput=NaloFuzzerTestOneInput -DLLVMFuzzerInitialize=NaloFuzzerInitialize $SANITIZER_FLAGS_address"
+
 # Do not use any sanitizers in the coverage build.
 ENV SANITIZER_FLAGS_coverage ""
 
@@ -109,6 +111,11 @@ ENV FUZZER_LDFLAGS ""
 
 WORKDIR $SRC
 
+RUN git clone --depth 1 https://github.com/catenacyber/nallocfuzz.git
+RUN git clone --depth 1 https://github.com/ianlancetaylor/libbacktrace.git $SRC/nallocfuzz/libbacktrace
+COPY precompile_nallocfuzz /usr/local/bin/
+RUN precompile_nallocfuzz
+
 RUN git clone https://github.com/AFLplusplus/AFLplusplus.git aflplusplus && \
     cd aflplusplus && \
     git checkout 091d66fa92cd9e4caa5829d579b1b996c49db8c9 && \
@@ -172,4 +179,4 @@ COPY llvmsymbol.diff $SRC
 COPY detect_repo.py /opt/cifuzz/
 COPY bazel.bazelrc /root/.bazelrc
 
-CMD ["compile"]
+CMD ["compile"]
diff --git a/infra/base-images/base-builder/compile b/infra/base-images/base-builder/compile
@@ -175,6 +175,10 @@ EOF
   export CXXFLAGS="$CXXFLAGS -fno-sanitize=leak"
 fi
 
+if [ "$SANITIZER" = "nalloc" ]; then
+  export LIB_FUZZING_ENGINE="$LIB_FUZZING_ENGINE $SRC/nallocfuzz/nallocsan.a"
+fi
+
 if [ "$SANITIZER" = "introspector" ]; then
   export AR=llvm-ar
   export NM=llvm-nm

diff --git a/infra/base-images/base-builder/precompile_nallocfuzz b/infra/base-images/base-builder/precompile_nallocfuzz
@@ -0,0 +1,31 @@
+#!/bin/bash -eu
+# Copyright 2023 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+echo "Precompiling nallocfuzz"
+
+pushd $SRC/nallocfuzz/ > /dev/null
+pushd libbacktrace > /dev/null
+./configure
+make -j$(nproc)
+popd > /dev/null
+clang -fPIE -I. -c nallocsan.c -o nallocsan.o
+ar -x libbacktrace/.libs/libbacktrace.a
+ar rcs nallocsan.a *.o
+rm *.o
+popd > /dev/null
+
+echo "Done."
diff --git a/infra/base-images/base-runner/reproduce b/infra/base-images/base-runner/reproduce
@@ -30,5 +30,6 @@ fi
 export RUN_FUZZER_MODE="interactive"
 export FUZZING_ENGINE="libfuzzer"
 export SKIP_SEED_CORPUS="1"
+export FUZZ_REPRODUCE_VERBOSE="1"
 
 run_fuzzer $FUZZER $@ $TESTCASE
diff --git a/infra/constants.py b/infra/constants.py
@@ -43,6 +43,7 @@
     'coverage',
     'introspector',
     'hwaddress',
+    'nalloc',
 ]
 ARCHITECTURES = ['i386', 'x86_64', 'aarch64']
 ENGINES = ['libfuzzer', 'afl', 'honggfuzz', 'centipede', 'none', 'wycheproof']
diff --git a/projects/flac/project.yaml b/projects/flac/project.yaml
@@ -9,8 +9,13 @@ sanitizers:
  - address
  - undefined
  - memory
+ - nalloc
 architectures:
  - x86_64
  - i386
+fuzzing_engines:
+ - afl
+ - honggfuzz
+ - libfuzzer
 coverage_extra_args: -ignore-filename-regex=/usr/lib/jvm/.*
 main_repo: 'https://github.com/xiph/flac.git'
diff --git a/projects/fluent-bit/project.yaml b/projects/fluent-bit/project.yaml
@@ -10,3 +10,7 @@ fuzzing_engines:
   - afl
   - honggfuzz
   - libfuzzer
+sanitizers:
+  - address
+  - undefined
+  - nalloc
diff --git a/projects/libpng/project.yaml b/projects/libpng/project.yaml
@@ -12,6 +12,7 @@ sanitizers:
   - address
   - memory
   - undefined
+  - nalloc
 architectures:
   - x86_64
 main_repo: 'https://github.com/pnggroup/libpng.git'

diff --git a/projects/libwebp/project.yaml b/projects/libwebp/project.yaml
@@ -9,6 +9,7 @@ sanitizers:
   - address
   - undefined
   - memory
+  - nalloc
 auto_ccs:
   - [email protected]
   - [email protected]

diff --git a/projects/ndpi/project.yaml b/projects/ndpi/project.yaml
@@ -8,4 +8,9 @@ sanitizers:
   - address
   - undefined
   - memory
+  - nalloc
+fuzzing_engines:
+  - afl
+  - honggfuzz
+  - libfuzzer
 main_repo: 'https://github.com/ntop/nDPI.git'
diff --git a/projects/suricata/project.yaml b/projects/suricata/project.yaml
@@ -8,6 +8,7 @@ sanitizers:
   - address
   - memory
   - undefined
+  - nalloc
 fuzzing_engines:
   - afl
   - honggfuzz

diff --git a/projects/systemd/project.yaml b/projects/systemd/project.yaml
@@ -6,6 +6,7 @@ sanitizers:
   - address
   - undefined
   - memory
+  - nalloc
 fuzzing_engines:
   - afl
   - honggfuzz