Commit graph

16 commits

Author SHA1 Message Date
Miklos Vajna
4433e03492 client session fuzzer: try harder to empty SocketPoll::_newCallbacks on shutdown
The DocumentBroker dtor adds a callback:

	#0  SocketPoll::addCallback(std::function<void ()> const&) (this=0x377dce0 <Admin::instance()::admin>, fn=...) at ./net/Socket.hpp:773
	#1  0x0000000000947db5 in Admin::rmDoc (this=<optimized out>, docKey=...) at wsd/Admin.cpp:544
	#2  0x0000000000bb8192 in DocumentBroker::~DocumentBroker (this=0x61900000e690) at wsd/DocumentBroker.cpp:579

So even if the fuzzer called Admin::instance().poll() on shutdown, there
was one more callback inserted to the list later, leading to OOM in the
long run.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I0832d839b098407fa9e8aadb6f84388a85d62323
2022-05-31 15:10:51 +02:00
Miklos Vajna
262befc90e clientsession_fuzzer: fix missing UnitWSD
An alternative would be to tweak online-fuzz/wsd/DocumentBroker.cpp:534
to check for Util::isFuzzing(), but this is probably a better & more
generic way.

'./clientsession_fuzzer fuzzer/data/load' now works again.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I4d9fa387597695ff0802b268bc4d86be51dbabb2
2022-01-21 14:52:31 +01:00
Andras Timar
f07ff8c7e0 rename: remaining lool->cool changes
Signed-off-by: Andras Timar <andras.timar@collabora.com>
Change-Id: Ib7d4e804bebe52dead8d53b0e0bbaed0f08bf3d0
2021-11-18 14:14:11 +01:00
Miklos Vajna
c65d8e7c7f HttpRequest: add missing config.h include
fuzzers build was failing with:

	In file included from fuzzer/Admin.cpp:3:
	In file included from ./wsd/Admin.hpp:12:
	In file included from ./wsd/AdminModel.hpp:20:
	In file included from ./net/WebSocketHandler.hpp:18:
	./net/HttpRequest.hpp:667:31: error: expected ')'
		_header.add("Server", HTTP_SERVER_STRING);
				      ^
	./common/Common.hpp:62:51: note: expanded from macro 'HTTP_SERVER_STRING'
	#define HTTP_SERVER_STRING "LOOLWSD HTTP Server " LOOLWSD_VERSION
							  ^
	./net/HttpRequest.hpp:667:20: note: to match this '('
		_header.add("Server", HTTP_SERVER_STRING);
			   ^

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: Ibc3905e3e62e0eb9788b750971916ff4a4937f12
2021-03-30 12:23:09 +02:00
Miklos Vajna
3c0e7707bd admin fuzzer: fix build
This went wrong in commit 693a2e19e3 (wsd:
SocketPoll::poll accepts chrono duration, 2020-12-14).

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
Change-Id: I04780d7a5ef8ba54530df7727f2fe4df59995fb9
2021-01-04 11:45:01 +01:00
Miklos Vajna
10c1885a83 fuzzer-clientsession
The fuzzer ran out of memory, 955443527 bytes (79%) of the used memory
was this map.

Change-Id: I2dd84a094d3dd3d98618667e3c78591e2193bce2
Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
2020-11-30 10:17:43 +01:00
Miklos Vajna
a3fc39e325 libfuzzer: fix build
Also decrease the poll timeout to 0, otherwise testing each input would
now take 5 sec, rather than ~3 ms.

Change-Id: I1a4f347e5ec08a62d40131bfec3c504a19727323
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/95437
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-06-03 16:39:45 +02:00
Ashod Nakashian
44f4e59b6b wsd: RequestDetails takes the service root as argument
This avoids depending on LOOLWSD's statics, which
makes adding unit-tests much more difficult due to
the high number of dependencies LOOLWSD pulls.

Adds a number of unit-tests for RequestDetails.

Change-Id: I9f1d56f80a633505c7ff548ec0e33ffe61f59f53
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/95290
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Tested-by: Jenkins
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
2020-06-02 17:28:40 +02:00
Michael Meeks
34fc7fb6b7 Proxy: move requestDetails closer to ProxyProtocol.
Change-Id: I07c00ea1dad15fd70b658a04f722cbd516fd5c18
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/94088
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-05-13 00:53:24 +02:00
Miklos Vajna
19745e2e44 libfuzzer: fix build
And bypass configuration access at two new places, so the fuzzer can
find more interesting failures.

Change-Id: I4c09172e781a7c6120b8c4befe1a84fdd74f2ddc
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/93617
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-05-07 14:04:57 +02:00
Michael Meeks
18c4301a1f Proxy: re-factor proxy handling into ServerURL and cleanup copy/paste.
Also adds ServiceRoot handling for clipboard.

Change-Id: I7bc6591130fcc7d693e59ab8561fb9e99f4e93d5
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/93578
Tested-by: Michael Meeks <michael.meeks@collabora.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-05-06 23:12:12 +02:00
Miklos Vajna
ec3341591b clientsession_fuzzer: fix build
Change-Id: If793ad5d23f5b33d92ccfb681b279821f04a362b
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/92397
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-04-17 09:57:15 +02:00
Miklos Vajna
338a9c5f1d libfuzzer: fix build
After commit e924625cc1 (re-factor: Socket
/ WebSocketHandler., 2020-03-06).

Change-Id: I2c109c26791efa03f54773a3623bcce57b0fb5e6
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/90603
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
2020-03-17 10:34:40 +01:00
Miklos Vajna
1bfd7a363d libfuzzer: fix build
After commit f70e627795 (WebSocket -
simplify handleMessage for now., 2020-03-05).

Change-Id: Iac4be94fa1f9b37714329b6b6941c775c3fe1947
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/90084
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-03-06 13:27:26 +01:00
Miklos Vajna
1016de956a fuzzer: fix OOM with an ever-growing SocketPoll::_newCallbacks
Admin::instance().dumpState(std::cerr) at the end of a run shows:
 Poll [0] - wakeup r: 11 w: 12
        callbacks: 103
        fd      events  rsize   wsize

This is more a problem in the fuzzer itself than in the code, the
unprocessed callbacks reached the intentionally set 2GB limit in about
20 mins, so process them at the end of each run.

Change-Id: Ic12d3e8555417371f4ca44228fc1ff515d704592
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89632
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
2020-02-27 15:11:31 +01:00
Miklos Vajna
57a35bb96c Add an initial libfuzzer based fuzzer
- target ClientSession::_handleInput(), since crashing there would bring
  down the whole loolwsd (not just a kit process), and it deals with
  input from untrusted users (browsers)

- add a --enable-fuzzers configure switch to build with
  -fsanitize=fuzzer (compared to normal sanitizers build, this is the only
  special flag needed)

- configuring other sanitizers is not done automatically, either use
  --with-sanitizer=... or the environment variables from LODE's sanitizer
  config

- run the actual fuzzer like this:

  ./clientsession_fuzzer -max_len=16384 fuzzer/data/

- note that at least openSUSE Leap 15.1 sadly ships with a clang with
  libfuzzer static libs removed from the package, so you need a
  self-built clang to run the fuzzer (either manual build or one from
  LODE)

- <https://chromium.googlesource.com/chromium/src/testing/libfuzzer/+/refs/heads/master/efficient_fuzzing.md#execution-speed>
  suggests that "You should aim for at least 1,000 exec/s from your fuzz
  target locally" (i.e. one run should not take more than 1 ms), so try
  this minimal approach first. The alternative would be to start from the
  existing loolwsd_fuzzer binary, then step by step cut it down to not
  fork(), not do any network traffic, etc -- till it's fast enough that
  the fuzzer can find interesting input

- the various configurations start to be really complex (the matrix is
  just very large), so try to use Util::isFuzzing() for fuzzer-specific
  changes (this is what core.git does as well), and only resort to ifdefs
  for the Util::isFuzzing() itself

Change-Id: I72dc1193b34c93eacb5d8e39cef42387d42bd72f
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/89226
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Michael Meeks <michael.meeks@collabora.com>
2020-02-22 12:18:22 +01:00