1#!/usr/bin/env bash
2# SPDX-License-Identifier: LGPL-2.1-or-later
3
4set -ex
5
6export LC_CTYPE=C.UTF-8
7
8export CC=${CC:-clang}
9export CXX=${CXX:-clang++}
10clang_version="$($CC --version | sed -nr 's/.*version ([^ ]+?) .*/\1/p' | sed -r 's/-$//')"
11
12SANITIZER=${SANITIZER:-address -fsanitize-address-use-after-scope}
13flags="-O1 -fno-omit-frame-pointer -g -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=$SANITIZER"
14
15clang_lib="/usr/lib64/clang/${clang_version}/lib/linux"
16[ -d "$clang_lib" ] || clang_lib="/usr/lib/clang/${clang_version}/lib/linux"
17
18export CFLAGS=${CFLAGS:-$flags}
19export CXXFLAGS=${CXXFLAGS:-$flags}
20export LDFLAGS=${LDFLAGS:--L${clang_lib}}
21
22export WORK=${WORK:-$(pwd)}
23export OUT=${OUT:-$(pwd)/out}
24mkdir -p "$OUT"
25
26build="$WORK/build"
27rm -rf "$build"
28mkdir -p "$build"
29
30if [ -z "$FUZZING_ENGINE" ]; then
31    fuzzflag="llvm-fuzz=true"
32else
33    fuzzflag="oss-fuzz=true"
34
35    apt-get update
36    apt-get install -y gperf m4 gettext python3-pip \
37        libcap-dev libmount-dev libkmod-dev \
38        pkg-config wget python3-jinja2 zipmerge
39
40    # gnu-efi is installed here to enable -Dgnu-efi behind which fuzz-bcd
41    # is hidden. It isn't linked against efi. It doesn't
42    # even include "efi.h" because "bcd.c" can work in "unit test" mode
43    # where it isn't necessary.
44    apt-get install -y gnu-efi zstd
45
46    pip3 install -r .github/workflows/requirements.txt --require-hashes
47
48    # https://github.com/google/oss-fuzz/issues/6868
49    ORIG_PYTHONPATH=$(python3 -c 'import sys;print(":".join(sys.path[1:]))')
50    export PYTHONPATH="$ORIG_PYTHONPATH:/usr/lib/python3/dist-packages/"
51
52    if [[ "$SANITIZER" == undefined ]]; then
53        additional_ubsan_checks=pointer-overflow,alignment
54        UBSAN_FLAGS="-fsanitize=$additional_ubsan_checks -fno-sanitize-recover=$additional_ubsan_checks"
55        CFLAGS="$CFLAGS $UBSAN_FLAGS"
56        CXXFLAGS="$CXXFLAGS $UBSAN_FLAGS"
57    fi
58
59    if [[ "$SANITIZER" == introspector ]]; then
60        # fuzz-introspector passes -fuse-ld=gold and -flto using CFLAGS/LDFLAGS and due to
61        # https://github.com/mesonbuild/meson/issues/6377#issuecomment-575977919 and
62        # https://github.com/mesonbuild/meson/issues/6377 it doesn't mix well with meson.
63        # It's possible to build systemd with duct tape there using something like
64        # https://github.com/google/oss-fuzz/pull/7583#issuecomment-1104011067 but
65        # apparently even with gold and lto some parts of systemd are missing from
66        # reports (presumably due to https://github.com/google/oss-fuzz/issues/7598).
67        # Let's just fail here for now to make it clear that fuzz-introspector isn't supported.
68        exit 1
69    fi
70fi
71
72if ! meson "$build" "-D$fuzzflag" -Db_lundef=false; then
73    cat "$build/meson-logs/meson-log.txt"
74    exit 1
75fi
76
77ninja -v -C "$build" fuzzers
78
79# Compressed BCD files are kept in test/test-bcd so let's unpack them
80# and put them all in the seed corpus.
81bcd=$(mktemp -d)
82for i in test/test-bcd/*.zst; do
83     unzstd "$i" -o "$bcd/$(basename "${i%.zst}")";
84done
85zip -jqr "$OUT/fuzz-bcd_seed_corpus.zip" "$bcd"
86rm -rf "$bcd"
87
88hosts=$(mktemp)
89wget -O "$hosts" https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
90zip -jq "$OUT/fuzz-etc-hosts_seed_corpus.zip" "$hosts"
91rm -rf "$hosts"
92
93# The seed corpus is a separate flat archive for each fuzzer,
94# with a fixed name ${fuzzer}_seed_corpus.zip.
95for d in test/fuzz/fuzz-*; do
96    zip -jqr "$OUT/$(basename "$d")_seed_corpus.zip" "$d"
97done
98
99# get fuzz-dns-packet corpus
100df="$build/dns-fuzzing"
101git clone --depth 1 https://github.com/CZ-NIC/dns-fuzzing "$df"
102zip -jqr "$OUT/fuzz-dns-packet_seed_corpus.zip" "$df/packet"
103
104install -Dt "$OUT/src/shared/" \
105        "$build"/src/shared/libsystemd-shared-*.so \
106        "$build"/src/core/libsystemd-core-*.so
107
108wget -O "$OUT/fuzz-json.dict" https://raw.githubusercontent.com/rc0r/afl-fuzz/master/dictionaries/json.dict
109
110find "$build" -maxdepth 1 -type f -executable -name "fuzz-*" -exec mv {} "$OUT" \;
111find src -type f -name "fuzz-*.dict" -exec cp {} "$OUT" \;
112cp src/fuzz/*.options "$OUT"
113
114if [[ "$MERGE_WITH_OSS_FUZZ_CORPORA" == "yes" ]]; then
115    for f in "$OUT/"fuzz-*; do
116        [[ -x "$f" ]] || continue
117        fuzzer=$(basename "$f")
118        t=$(mktemp)
119        if wget -O "$t" "https://storage.googleapis.com/systemd-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/systemd_${fuzzer}/public.zip"; then
120            zipmerge "$OUT/${fuzzer}_seed_corpus.zip" "$t"
121        fi
122        rm -rf "$t"
123    done
124fi
125