Nallocfuzz: fuzzing engine to test allocations failure

docs/advanced-topics/reproducing.md

@@ -138,6 +138,9 @@ Once you reproduce the bug, you can do the following:
 - **Improve fuzzing support:** Consider
    [improving your integration with OSS-Fuzz]({{ site.baseurl }}/advanced-topics/ideal-integration/).
 
+For `nallocfuzz` fuzzing engine, reproducing needs to use nallocfuzz itself.
+If you launch the target yourself, without the python wrapper, be sure to use `-runs=2` or more.
+
 ## Reproducing build failures
 
 Our infrastructure runs some sanity tests to make sure that your build was

docs/getting-started/new_project_guide.md

@@ -185,6 +185,8 @@ The list of fuzzing engines to use.
 By default, `libfuzzer`, `afl`, `honggfuzz`, and `centipede` are used. It is recommended to
 use all of them if possible. `libfuzzer` is required by OSS-Fuzz.
 
+`nallocfuzz` is an optional fuzzing engine to test for allocation failures.
+
 ### help_url (optional) {#help_url}
 A link to a custom help URL that appears in bug reports instead of the default
 [OSS-Fuzz guide to reproducing crashes]({{ site.baseurl }}/advanced-topics/reproducing/). This can be useful if you assign

docs/index.md

@@ -30,19 +30,20 @@ instances of [ClusterFuzz] or [ClusterFuzzLite].
 [Core Infrastructure Initiative]: https://www.coreinfrastructure.org/
 [OpenSSF]: https://www.openssf.org/
 
-We support the [libFuzzer], [AFL++], [Honggfuzz], and [Centipede] fuzzing engines in
+We support the [libFuzzer], [AFL++], [Honggfuzz], [Nallocfuzz], and [Centipede] fuzzing engines in
 combination with [Sanitizers], as well as [ClusterFuzz], a distributed fuzzer
 execution environment and reporting tool.
 
 [libFuzzer]: https://llvm.org/docs/LibFuzzer.html
 [AFL++]: https://github.com/AFLplusplus/AFLplusplus
 [Honggfuzz]: https://github.com/google/honggfuzz
+[Nallocfuzz]: https://github.com/catenacyber/nallocfuzz
 [Centipede]: https://github.com/google/centipede
 [Sanitizers]: https://github.com/google/sanitizers
 [ClusterFuzz]: https://github.com/google/clusterfuzz
 [ClusterFuzzLite]: https://google.github.io/clusterfuzzlite/
 
-Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other
+Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Swift and Java/JVM code. Other
 languages supported by [LLVM] may work too. OSS-Fuzz supports fuzzing x86_64
 and i386 builds.
 

infra/base-images/base-builder/Dockerfile

@@ -109,6 +109,11 @@ ENV FUZZER_LDFLAGS ""
 
 WORKDIR $SRC
 
+RUN git clone --depth 1 https://github.com/catenacyber/nallocfuzz.git
+RUN git clone --depth 1 https://github.com/ianlancetaylor/libbacktrace.git $SRC/nallocfuzz/libbacktrace
+COPY precompile_nallocfuzz /usr/local/bin/
+RUN precompile_nallocfuzz
+
 RUN git clone https://github.com/AFLplusplus/AFLplusplus.git aflplusplus && \
     cd aflplusplus && \
     git checkout a7877416a87506424053e52e41f7a995c05367a4 && \
@@ -153,6 +158,7 @@ COPY bazel_build_fuzz_tests \
     compile_javascript_fuzzer \
     compile_libfuzzer \
     compile_native_go_fuzzer \
+    compile_nallocfuzz \
     compile_python_fuzzer \
     debug_afl \
     # Go, JavaScript, Java, Python, Rust, and Swift installation scripts.

infra/base-images/base-builder/compile_nallocfuzz

@@ -0,0 +1,22 @@
+#!/bin/bash -eu
+# Copyright 2023 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+echo "Skipping compilation; using precompiled nallocfuzz"
+
+cp $SRC/nallocfuzz/nallocfuzz.a $LIB_FUZZING_ENGINE
+
+echo " done."

infra/base-images/base-builder/precompile_nallocfuzz

@@ -0,0 +1,32 @@
+#!/bin/bash -eu
+# Copyright 2023 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+echo "Precompiling nallocfuzz"
+
+pushd $SRC/nallocfuzz/ > /dev/null
+pushd libbacktrace > /dev/null
+./configure
+make -j$(nproc)
+popd > /dev/null
+clang -fPIE -I. -c nallocfuzz.c -o nallocfuzz.o
+ar -x /usr/local/lib/clang/*/lib/linux/libclang_rt.fuzzer_no_main-$ARCHITECTURE.a
+ar -x libbacktrace/.libs/libbacktrace.a
+ar rcs nallocfuzz.a *.o
+rm *.o
+popd > /dev/null
+
+echo "Done."

infra/build/functions/build_lib.py

@@ -82,6 +82,10 @@
         EngineInfo(upload_bucket='clusterfuzz-builds-centipede',
                    supported_sanitizers=['address', 'none'],
                    supported_architectures=['x86_64']),
+    'nallocfuzz':
+        EngineInfo(upload_bucket='clusterfuzz-builds-nallocfuzz',
+                   supported_sanitizers=['address'],
+                   supported_architectures=['x86_64']),
 }
 
 OSS_FUZZ_BUILDPOOL_NAME = os.getenv(

infra/constants.py

@@ -45,4 +45,12 @@
     'hwaddress',
 ]
 ARCHITECTURES = ['i386', 'x86_64', 'aarch64']
-ENGINES = ['libfuzzer', 'afl', 'honggfuzz', 'centipede', 'none', 'wycheproof']
+ENGINES = [
+    'libfuzzer',
+    'afl',
+    'honggfuzz',
+    'centipede',
+    'none',
+    'wycheproof',
+    'nallocfuzz',
+]

projects/flac/project.yaml

@@ -12,5 +12,10 @@ sanitizers:
 architectures:
  - x86_64
  - i386
+fuzzing_engines:
+ - afl
+ - honggfuzz
+ - libfuzzer
+ - nallocfuzz
 coverage_extra_args: -ignore-filename-regex=/usr/lib/jvm/.*
 main_repo: 'https://github.com/xiph/flac.git'

projects/fluent-bit/project.yaml

@@ -10,3 +10,4 @@ fuzzing_engines:
   - afl
   - honggfuzz
   - libfuzzer
+  - nallocfuzz

projects/libpng/project.yaml

@@ -20,4 +20,5 @@ fuzzing_engines:
   - afl
   - honggfuzz
   - libfuzzer
+  - nallocfuzz
 

projects/libwebp/project.yaml

@@ -5,6 +5,7 @@ fuzzing_engines:
   - libfuzzer
   - afl
   - honggfuzz
+  - nallocfuzz
 sanitizers:
   - address
   - undefined

projects/ndpi/project.yaml

@@ -8,4 +8,9 @@ sanitizers:
   - address
   - undefined
   - memory
+fuzzing_engines:
+  - afl
+  - honggfuzz
+  - libfuzzer
+  - nallocfuzz
 main_repo: 'https://github.com/ntop/nDPI.git'

projects/suricata/project.yaml

@@ -12,4 +12,5 @@ fuzzing_engines:
   - afl
   - honggfuzz
   - libfuzzer
+  - nallocfuzz
 main_repo: 'https://github.com/OISF/suricata.git'

projects/systemd/project.yaml

@@ -10,6 +10,7 @@ fuzzing_engines:
   - afl
   - honggfuzz
   - libfuzzer
+  - nallocfuzz
 auto_ccs:
   - [email protected]
   - [email protected]