1 change: 1 addition & 0 deletions loader/loader.c
Expand Up @@ -2765,6 +2765,7 @@ VkResult loader_read_layer_json(const struct loader_instance *inst, struct loade
loader_log(inst, VULKAN_LOADER_WARN_BIT, 0,
"Layer located at %s didn't find required layer value \"type\" in manifest JSON file, skipping this layer",
filename);
result = VK_ERROR_INITIALIZATION_FAILED;
goto out;
}

Binary file not shown.
Binary file not shown.
8 changes: 8 additions & 0 deletions tests/framework/shim/shim.h
Expand Up @@ -63,6 +63,12 @@

enum class GpuType { unspecified, integrated, discrete, external };

struct TempFile {
explicit TempFile(std::filesystem::path filename) : filename(filename) {}
~TempFile() { std::filesystem::remove(filename); }
std::filesystem::path filename;
};

#if defined(_WIN32)
#define VK_VARIANT_REG_STR ""
#define VK_VARIANT_REG_STR_W L""
Expand Down Expand Up @@ -231,6 +237,8 @@ struct PlatformShim {
std::string bundle_contents;
#endif
#endif
std::vector<uint8_t> fuzz_data;
std::vector<TempFile> temp_fuzz_files;
bool is_finished_setup = false;
bool is_during_destruction = false;
};
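Review bot: TempFile deletes its file in the destructor but is still copyable, and PlatformShim stores these in a `std::vector<TempFile>`; when that vector reallocates, the old elements are destroyed after being copied, and each one removes the file its copy still names. Making the type move-only, with the moved-from path cleared, keeps exactly one owner per file. The destructor also calls the throwing overload of `std::filesystem::remove`, so a failed delete would terminate the process from inside a destructor; the `std::error_code` overload avoids that. The constructor can also move its by-value argument into the member rather than copying it.

```cpp
struct TempFile {
    explicit TempFile(std::filesystem::path filename) : filename(std::move(filename)) {}
    ~TempFile() { cleanup(); }
    // Move-only: exactly one object is responsible for deleting the file.
    TempFile(const TempFile&) = delete;
    TempFile& operator=(const TempFile&) = delete;
    TempFile(TempFile&& other) noexcept : filename(std::move(other.filename)) { other.filename.clear(); }
    TempFile& operator=(TempFile&& other) noexcept {
        if (this != &other) {
            cleanup();
            filename = std::move(other.filename);
            other.filename.clear();
        }
        return *this;
    }
    std::filesystem::path filename;

   private:
    void cleanup() noexcept {
        if (filename.empty()) return;  // moved-from object owns nothing
        std::error_code ec;            // non-throwing overload: a failed delete must not terminate the test
        std::filesystem::remove(filename, ec);
    }
};
```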
28 changes: 24 additions & 4 deletions tests/framework/shim/unix_shim.cpp
Expand Up @@ -27,6 +27,8 @@

#include "shim.h"

#include <cstring>

#include <algorithm>
#include <iostream>

Expand Down Expand Up @@ -266,17 +268,35 @@ FRAMEWORK_EXPORT FILE* FOPEN_FUNC_NAME(const char* in_filename, const char* mode
if (platform_shim.is_during_destruction || !platform_shim.is_finished_setup) {
return real_fopen(in_filename, mode);
}

FILE* out_file = nullptr;
std::filesystem::path path{in_filename};
if (!path.has_parent_path()) {
return real_fopen(in_filename, mode);
out_file = real_fopen(in_filename, mode);
} else if (auto real_path = platform_shim.file_system_manager->get_real_path_of_redirected_path(path.parent_path());
!real_path.empty()) {
real_path /= path.filename();
return real_fopen(real_path.c_str(), mode);
out_file = real_fopen(real_path.c_str(), mode);
} else {
return real_fopen(in_filename, mode);
out_file = real_fopen(in_filename, mode);
}

// Fuzz tests have sub files embedded in the input data file. This
if (!platform_shim.fuzz_data.empty() && out_file == NULL) {
FILE* fp = fopen(path.c_str(), "wb");
if (nullptr == fp) {
path.replace_filename("callback_file_" + std::to_string(platform_shim.temp_fuzz_files.size()));
fp = fopen(path.c_str(), "wb");
if (nullptr == fp) {
abort();
}
}
fwrite(platform_shim.fuzz_data.data(), platform_shim.fuzz_data.size(), 1, fp);
fclose(fp);
platform_shim.temp_fuzz_files.emplace_back(path.c_str());

out_file = fopen(path.c_str(), "rb");
}
return out_file;
}

FRAMEWORK_EXPORT void* DLOPEN_FUNC_NAME(const char* in_filename, int flags) {
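Review bot: The fallback block at the end of the fopen shim (its signature sits in the hunk header, outside the shown lines) first tries to create its scratch file at `path`, the name the caller asked for, which in the fuzz regression tests can presumably originate from the test-case data; a run can therefore create, and through TempFile later delete, a file outside the test's redirected folders. Writing the bytes only under a directory the framework owns would confine that. The three new opens also call `fopen` rather than `real_fopen`; if FOPEN_FUNC_NAME resolves to `fopen` on this platform the shim re-enters itself, so `FILE* fp = real_fopen(path.c_str(), "wb");` and the matching change for the retry and the final `"rb"` open look safer. The comment above the block breaks off at "This", and the `fwrite` result is not checked before the file is reopened.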
69 changes: 60 additions & 9 deletions tests/loader_fuzz_tests.cpp
Expand Up @@ -25,7 +25,9 @@
* Author: Charles Giessen <charles@lunarg.com>
*/

#include "test_environment.h"
#include "framework/test_environment.h"

#include <fstream>

extern "C" {
#include "loader.h"
Expand All @@ -45,14 +47,10 @@ void execute_instance_enumerate_fuzzer(std::filesystem::path const& filename) {

env.vulkan_functions.vkEnumerateInstanceExtensionProperties("test_auto", &pPropertyCount, &pProperties);
}
void execute_instance_create_fuzzer(std::filesystem::path const& filename) {
FrameworkEnvironment env{};
env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
ManifestCategory::implicit_layer, ManifestLocation::implicit_layer, "complex_layer.json");
env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
ManifestCategory::settings, ManifestLocation::settings_location, "vk_loader_settings.json");
env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
ManifestCategory::icd, ManifestLocation::driver, "icd_test.json");
// Common code for execute_instance_create_fuzzer and execute_instance_create_fuzzer_advanced
void execute_instance_create_fuzzer_logic(FrameworkEnvironment& env) {
EnvVarWrapper enable_all_layers("VK_LOADER_LAYERS_ENABLE", "all");

VkInstance inst = {0};
const char* instance_layers[] = {"VK_LAYER_KHRONOS_validation", "VK_LAYER_test_layer_1", "VK_LAYER_test_layer_2"};
VkApplicationInfo app{};
Expand Down Expand Up @@ -81,6 +79,53 @@ void execute_instance_create_fuzzer(std::filesystem::path const& filename) {
env.vulkan_functions.vkDestroyInstance(inst, NULL);
}

void execute_instance_create_fuzzer(std::filesystem::path const& filename) {
FrameworkEnvironment env{};
env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
ManifestCategory::implicit_layer, ManifestLocation::unsecured_implicit_layer, "complex_layer.json");
env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
ManifestCategory::settings, ManifestLocation::unsecured_settings, "vk_loader_settings.json");
env.write_file_from_source((std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename).string().c_str(),
ManifestCategory::icd, ManifestLocation::unsecured_driver, "icd_test.json");

execute_instance_create_fuzzer_logic(env);
}

void execute_instance_create_advanced_fuzzer(std::filesystem::path const& filename) {
FrameworkEnvironment env{};

// The file actually contains three subfiles with their lengths specified in the first 12 bytes of the file.
auto source_file = std::filesystem::path(CLUSTERFUZZ_TESTCASE_DIRECTORY) / filename;
std::fstream file{source_file.string(), std::ios_base::in | std::ios_base::binary};
ASSERT_TRUE(file.is_open());
std::stringstream file_stream;
file_stream << file.rdbuf();

auto data_string = file_stream.str();
auto data_cstring = data_string.c_str();
std::array<uint64_t, 3> sections;
memcpy(sections.data(), data_cstring, sizeof(uint64_t) * 3);
sections[0] = sections[0] % 40000;
sections[1] = sections[1] % 40000;
sections[2] = sections[2] % 40000;

uint64_t data_index = 3 * sizeof(uint64_t);
std::string first = data_string.substr(data_index, sections[0]);
data_index += sections[0];
std::string second = data_string.substr(data_index, sections[1]);
data_index += sections[1];
std::string third = data_string.substr(data_index, sections[2]);
data_index += sections[2];

env.platform_shim->fuzz_data.resize(data_string.size() - data_index);
memcpy(env.platform_shim->fuzz_data.data(), data_cstring + data_index, env.platform_shim->fuzz_data.size());

env.write_file_from_string(first, ManifestCategory::implicit_layer, ManifestLocation::implicit_layer, "complex_layer.json");
env.write_file_from_string(second, ManifestCategory::settings, ManifestLocation::settings_location, "vk_loader_settings.json");
env.write_file_from_string(third, ManifestCategory::settings, ManifestLocation::settings_location, "icd_test.json");

execute_instance_create_fuzzer_logic(env);
}
void execute_json_load_fuzzer(std::string const& filename) {
FrameworkEnvironment env{};

Expand Down Expand Up @@ -208,6 +253,12 @@ TEST(BadJsonInput, ClusterFuzzTestCase_5817896795701248) {
TEST(BadJsonInput, ClusterFuzzTestCase_6541440380895232) {
execute_instance_create_fuzzer("clusterfuzz-testcase-instance_create_fuzzer-6541440380895232");
}
TEST(BadJsonInput, ClusterFuzzTestCase_5612556809207808) {
execute_instance_create_advanced_fuzzer("clusterfuzz-testcase-minimized-instance_create_advanced_fuzzer-5612556809207808");
}
TEST(BadJsonInput, ClusterFuzzTestCase_4788849181261824) {
execute_instance_create_advanced_fuzzer("clusterfuzz-testcase-minimized-instance_create_advanced_fuzzer-4788849181261824");
}
TEST(BadJsonInput, ClusterFuzzTestCase_6465902356791296) {
// Does crash with UBSAN
// Doesn't crash with ASAN
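Review bot: In execute_instance_create_advanced_fuzzer the 24-byte length header is copied out with `memcpy(sections.data(), data_cstring, sizeof(uint64_t) * 3)` before anything checks that the test-case file is that long, so a truncated file is read past the end of the string. The later `data_string.size() - data_index` also wraps when the three lengths add up to more than the file holds, and the `resize` then asks for an enormous buffer. Checking the size up front and advancing the cursor only by the bytes actually taken keeps the replay well-defined. Separately, the third `write_file_from_string` call files `icd_test.json` under `ManifestCategory::settings` / `ManifestLocation::settings_location`, which looks like a copy-paste from the line above, given that execute_instance_create_fuzzer uses `ManifestCategory::icd` for the same file. The comment on the shared helper also names `execute_instance_create_fuzzer_advanced`, which does not match the function name.

```cpp
    auto data_string = file_stream.str();
    // The three section lengths occupy the first 24 bytes; reject anything shorter before reading them.
    constexpr size_t header_size = 3 * sizeof(uint64_t);
    ASSERT_GE(data_string.size(), header_size);
    std::array<uint64_t, 3> sections;
    memcpy(sections.data(), data_string.data(), header_size);

    // Take up to `length % 40000` bytes and never move the cursor past the end of the file.
    size_t data_index = header_size;
    auto take_section = [&](uint64_t length) {
        std::string section = data_string.substr(data_index, length % 40000);
        data_index += section.size();
        return section;
    };
    std::string first = take_section(sections[0]);
    std::string second = take_section(sections[1]);
    std::string third = take_section(sections[2]);

    // Whatever is left is what the fopen shim serves for files the loader cannot open.
    env.platform_shim->fuzz_data.assign(data_string.begin() + data_index, data_string.end());
    // … unchanged: write_file_from_string calls and execute_instance_create_fuzzer_logic(env) …
```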