From a68f9712f78c47d8b082d660ddc8c748e223cd9d Mon Sep 17 00:00:00 2001 From: Ben Luddy Date: Fri, 3 May 2024 09:01:00 -0400 Subject: [PATCH] Add CBOR fuzz test for unreasonable allocations during decode. --- test/fuzz/cbor/cbor.go | 90 +++++++++++++++++++++++++++++++++++-- test/fuzz/cbor/cbor_test.go | 36 +++++++++++++++ 2 files changed, 122 insertions(+), 4 deletions(-) create mode 100644 test/fuzz/cbor/cbor_test.go diff --git a/test/fuzz/cbor/cbor.go b/test/fuzz/cbor/cbor.go index 0e1eace1ab4..c28df1ef11d 100644 --- a/test/fuzz/cbor/cbor.go +++ b/test/fuzz/cbor/cbor.go @@ -17,8 +17,90 @@ limitations under the License. package cbor import ( - // Adds this package and its dependencies to the dependency chain of k8s.io/kubernetes - // without affecting the size of kube binaries. Once fuzz targets are added here, this will - // become a real import. - _ "k8s.io/apimachinery/pkg/runtime/serializer/cbor" + "fmt" + goruntime "runtime" + + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/runtime/serializer/cbor" ) + +var ( + scheme = runtime.NewScheme() + serializers = []cbor.Serializer{ + cbor.NewSerializer(scheme, scheme), + cbor.NewSerializer(scheme, scheme, cbor.Strict(true)), + } +) + +// FuzzDecodeAllocations is a go-fuzz target that panics on inputs that cause an unreasonably large +// number of bytes to be allocated at decode time. +func FuzzDecodeAllocations(data []byte) (result int) { + const ( + MaxInputBytes = 128 + MaxAllocatedBytes = 16 * 1024 + ) + + if len(data) > MaxInputBytes { + // Longer inputs can require more allocations by unmarshaling to larger + // objects. Focus on identifying short inputs that allocate an unreasonable number + // of bytes to identify pathological cases. + return -1 + } + + decode := func(serializer cbor.Serializer, data []byte) int { + var u unstructured.Unstructured + o, gvk, err := serializer.Decode(data, &schema.GroupVersionKind{}, &u) + if err != nil { + if o != nil { + panic("returned non-nil error and non-nil runtime.Object") + } + + return 0 + } + + if o == nil || gvk == nil { + panic("returned nil error and nil runtime.Object or nil schema.GroupVersionKind") + } + + return 1 + } + + for _, serializer := range serializers { + // The first pass pre-warms anything that is lazily initialized. Doing things like + // logging for the first time in a process can account for allocations on the order + // of tens of kB. + decode(serializer, data) + + var nBytesAllocated uint64 + for trial := 1; trial <= 10; trial++ { + func() { + defer goruntime.GOMAXPROCS(goruntime.GOMAXPROCS(1)) + var mem goruntime.MemStats + goruntime.ReadMemStats(&mem) + + result |= decode(serializer, data) + + nBytesAllocated = mem.TotalAlloc + goruntime.ReadMemStats(&mem) + nBytesAllocated = mem.TotalAlloc - nBytesAllocated + + }() + + // The exact number of bytes allocated may vary due to allocations in + // concurrently-executing goroutines or implementation details of the + // runtime. Only panic on inputs that consistently exceed the allocation + // threshold to reduce the false positive rate. + if nBytesAllocated <= MaxAllocatedBytes { + break + } + } + + if nBytesAllocated > MaxAllocatedBytes { + panic(fmt.Sprintf("%d bytes allocated to decode input of length %d exceeds maximum of %d", nBytesAllocated, len(data), MaxAllocatedBytes)) + } + } + + return result +} diff --git a/test/fuzz/cbor/cbor_test.go b/test/fuzz/cbor/cbor_test.go new file mode 100644 index 00000000000..98390d67fef --- /dev/null +++ b/test/fuzz/cbor/cbor_test.go @@ -0,0 +1,36 @@ +/* +Copyright 2024 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package cbor_test + +import ( + "testing" + + "k8s.io/kubernetes/test/fuzz/cbor" +) + +// FuzzDecodeAllocations wraps the FuzzDecodeAllocations go-fuzz target as a "go test" fuzz test. +func FuzzDecodeAllocations(f *testing.F) { + f.Add([]byte("\xa2\x4aapiVersion\x41x\x44kind\x41y")) // {'apiVersion': 'x', 'kind': 'y'} + f.Fuzz(func(t *testing.T, in []byte) { + defer func() { + if p := recover(); p != nil { + t.Fatal(p) + } + }() + cbor.FuzzDecodeAllocations(in) + }) +}