1 // Copyright 2020 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <stddef.h>
6 #include <stdint.h>
7 #include <stdlib.h>
8
9 #include "base/json/json_reader.h"
10 #include "base/logging.h"
11 #include "base/numerics/clamped_math.h"
12 #include "base/numerics/ostream_operators.h"
13 #include "base/strings/string_piece.h"
14 #include "net/dns/host_cache.h"
15 #include "net/dns/host_cache_fuzzer.pb.h"
16 #include "testing/libfuzzer/proto/json.pb.h"
17 #include "testing/libfuzzer/proto/json_proto_converter.h"
18 #include "testing/libfuzzer/proto/lpm_interface.h"
19 #include "third_party/abseil-cpp/absl/types/optional.h"
20
21 namespace net {
22
23 struct Environment {
Environmentnet::Environment24 Environment() { logging::SetMinLogLevel(logging::LOG_INFO); }
25 const bool kDumpStats = getenv("DUMP_FUZZER_STATS");
26 const bool kDumpNativeInput = getenv("LPM_DUMP_NATIVE_INPUT");
27 };
28
29 // This fuzzer checks that parsing a JSON list to a HostCache and then
30 // re-serializing it recreates the original JSON list.
31 //
32 // A side effect of this technique is that our distribution of HostCaches only
33 // contains HostCaches that can be generated by RestoreFromListValue. It's
34 // conceivable that this doesn't capture all possible HostCaches.
35 //
36 // TODO(dmcardle): Check the other direction of this property. Starting from an
37 // arbitrary HostCache, serialize it and then parse a different HostCache.
38 // Verify that the two HostCaches are equal.
DEFINE_PROTO_FUZZER(const host_cache_fuzzer_proto::JsonOrBytes & input)39 DEFINE_PROTO_FUZZER(const host_cache_fuzzer_proto::JsonOrBytes& input) {
40 static Environment env;
41
42 // Clamp these counters to avoid incorrect statistics in case of overflow. On
43 // platforms with 8-byte size_t, it would take roughly 58,000 centuries to
44 // overflow, assuming a very fast fuzzer running at 100,000 exec/s. However, a
45 // 4-byte size_t could overflow in roughly 12 hours.
46 static base::ClampedNumeric<size_t> valid_json_count = 0;
47 static base::ClampedNumeric<size_t> iteration_count = 0;
48
49 constexpr size_t kIterationsPerStatsDump = 1024;
50 static_assert(SIZE_MAX % kIterationsPerStatsDump != 0,
51 "After saturation, stats would print on every iteration.");
52
53 ++iteration_count;
54 if (env.kDumpStats && iteration_count % kIterationsPerStatsDump == 0) {
55 LOG(INFO) << "Valid JSON hit rate:" << valid_json_count << "/"
56 << iteration_count;
57 }
58
59 std::string native_input;
60 if (input.has_json()) {
61 json_proto::JsonProtoConverter converter;
62 native_input = converter.Convert(input.json());
63 } else if (input.has_bytes()) {
64 native_input = input.bytes();
65 } else {
66 return;
67 }
68
69 if (env.kDumpNativeInput)
70 LOG(INFO) << "native_input: " << native_input;
71
72 absl::optional<base::Value> value = base::JSONReader::Read(native_input);
73 if (!value || !value->is_list())
74 return;
75 ++valid_json_count;
76
77 // Parse the HostCache.
78 constexpr size_t kMaxEntries = 1000;
79 HostCache host_cache(kMaxEntries);
80 if (!host_cache.RestoreFromListValue(value->GetList()))
81 return;
82
83 // Serialize the HostCache.
84 base::Value::List serialized;
85 host_cache.GetList(
86 serialized /* entry_list */, true /* include_staleness */,
87 HostCache::SerializationType::kRestorable /* serialization_type */);
88
89 CHECK_EQ(*value, serialized);
90 return;
91 }
92 } // namespace net
93