catenacyber (Contributor):

#9902 but as a sanitizer instead of a fuzzing engine

cc @oliverchang @alan32liu

Is this less costly than a fuzzing engine?

@github-actions (bot):

catenacyber is a new contributor to projects/fluent-bit. The PR must be approved by known contributors before it can be merged. The past contributors are: jonathanmetzman, DavidKorczynski, leonardo-albertovich, patrick-stephens, oliverchang, devtty1er, edsiper
catenacyber is a new contributor to projects/flac. The PR must be approved by known contributors before it can be merged. The past contributors are: ktmf01, Alan32Liu, jonathanmetzman, guidovranken, oliverchang, Dor1s, rjotwani, sylvestre, posidron (unverified)
catenacyber is either the primary contact or is in the CCs list of projects/ndpi.
catenacyber has previously contributed to projects/ndpi. The previous PR was #4773
catenacyber is a new contributor to projects/libwebp. The PR must be approved by known contributors before it can be merged. The past contributors are: jzern, jonathanmetzman, inferno-chromium, devtty1er, Dor1s, tysmith (unverified), posidron (unverified), johannkoenig (unverified), YannisGuyon (unverified), pdknsk (unverified), vrabaud (unverified)
catenacyber is a new contributor to projects/systemd. The PR must be approved by known contributors before it can be merged. The past contributors are: evverx, Alan32Liu, jonathanmetzman, keszybz, bluca, oliverchang, devtty1er, Dor1s
catenacyber is either the primary contact or is in the CCs list of projects/suricata.
catenacyber has previously contributed to projects/suricata. The previous PR was #10042
catenacyber is a new contributor to projects/libpng. The PR must be approved by known contributors before it can be merged. The past contributors are: Alan32Liu, tysmith, jonathanmetzman, thealberto, inferno-chromium, devtty1er, Dor1s, oliverchang, glennrp (unverified), kcc (unverified), ssbr (unverified), mikea (unverified), kcwu (unverified)


ENV SANITIZER_FLAGS_introspector "-O0 -flto -fno-inline-functions -fuse-ld=gold -Wno-unused-command-line-argument"

ENV SANITIZER_FLAGS_nalloc "-DLLVMFuzzerTestOneInput=NaloFuzzerTestOneInput -DLLVMFuzzerInitialize=NaloFuzzerInitialize $SANITIZER_FLAGS_address"
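Review bot: the two -D renames in SANITIZER_FLAGS_nalloc only take effect in translation units that are actually compiled with the sanitizer flags, so a project whose fuzz target defines LLVMFuzzerTestOneInput in a file built without $CFLAGS (or with its own hard-coded flags) silently ends up with no hook at all and behaves like the plain $SANITIZER_FLAGS_address build that the line appends. A short comment next to the ENV line saying that the renames are what the nalloc runtime hooks onto, and that the address-sanitizer flags are inherited on purpose, would keep a later edit from dropping one of them.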
catenacyber (Contributor, Author):

This is the magic trick

Renaming LLVMFuzzerTestOneInput by macro in order to hook before it
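To make the trick concrete, here is an added, self-contained C example; it is not the nallocfuzz runtime nor any code from this PR. The fuzz target is written exactly as a normal libFuzzer target, but the -DLLVMFuzzerTestOneInput=NaloFuzzerTestOneInput flag from the Dockerfile is mirrored by a #define, so the target's function is compiled under the renamed symbol and a wrapper defined afterwards owns the real entry point. The wrapper replays the input once per allocation, failing a different one each time, and a tiny allocator shim records double frees on the error paths. Two things are assumptions, not facts from the page: the allocator is intercepted at the preprocessor level (malloc/free macros) rather than by the runtime's symbol interposition, so the file builds anywhere, and the sweep over "which allocation fails" is a deterministic simplification; how the real runtime picks the failing allocation is not described here. The parse_pair target and its "a=b" input are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Allocation-failure injector: a stand-in for the nalloc runtime (assumption) ---- */
#define NALLOC_MAX_LIVE 64
static long  nalloc_count;                 /* allocations attempted in the current run */
static long  nalloc_fail_at;               /* 0 = never fail, N = the Nth allocation returns NULL */
static void *nalloc_live[NALLOC_MAX_LIVE]; /* outstanding allocations of the current run */
static int   nalloc_double_free;           /* set when free() gets a pointer that is not live */

static void *nalloc_malloc(size_t n) {
    nalloc_count++;
    if (nalloc_fail_at != 0 && nalloc_count == nalloc_fail_at)
        return NULL;                       /* injected failure */
    void *p = malloc(n);
    for (int i = 0; p != NULL && i < NALLOC_MAX_LIVE; i++) {
        if (nalloc_live[i] == NULL) { nalloc_live[i] = p; return p; }
    }
    return p;                              /* table full: the toy table is sized for this target */
}

static void nalloc_free(void *p) {
    if (p == NULL) return;                 /* free(NULL) is a no-op, as in libc */
    for (int i = 0; i < NALLOC_MAX_LIVE; i++) {
        if (nalloc_live[i] == p) { nalloc_live[i] = NULL; free(p); return; }
    }
    nalloc_double_free = 1;                /* never allocated here, or already freed: do not free again */
}

/* Start a new run: release whatever the previous run leaked and arm failure N. */
static void nalloc_reset(long fail_at) {
    for (int i = 0; i < NALLOC_MAX_LIVE; i++) { free(nalloc_live[i]); nalloc_live[i] = NULL; }
    nalloc_count = 0;
    nalloc_fail_at = fail_at;
    nalloc_double_free = 0;
}

/* ---- The fuzz target, written as an ordinary libFuzzer target ---- */
/* Mirrors the PR's -DLLVMFuzzerTestOneInput=NaloFuzzerTestOneInput compiler flag. */
#define LLVMFuzzerTestOneInput NaloFuzzerTestOneInput
#define malloc nalloc_malloc               /* assumption: macro-level interposition */
#define free   nalloc_free                 /* instead of hooking the real allocator */

static int target_hardened;                /* 0 = original error path, 1 = fixed error path */

/* Parses one "name=value" record (constructed format) into two heap strings. */
static int parse_pair(const uint8_t *data, size_t size) {
    char *name = NULL, *value = NULL, *eq = NULL;
    int rc = -1;
    name = malloc(size + 1);
    if (name == NULL) goto out;
    memcpy(name, data, size);
    name[size] = '\0';
    eq = memchr(name, '=', size);
    if (eq == NULL) goto out;
    value = malloc(strlen(eq + 1) + 1);
    if (value == NULL) {
        free(name);                        /* released on the failure path ... */
        if (target_hardened) name = NULL;  /* ... the fixed variant drops the dangling pointer */
        goto out;
    }
    strcpy(value, eq + 1);
    *eq = '\0';
    rc = 0;
out:
    free(value);
    free(name);                            /* ... and released again here: double free */
    return rc;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {  /* compiles as NaloFuzzerTestOneInput */
    parse_pair(data, size);
    return 0;
}

#undef LLVMFuzzerTestOneInput
#undef malloc
#undef free

/* ---- The hook the rename makes possible: this file now owns the real entry point ---- */
/* Returns the 1-based index of the first failing allocation that provoked a
 * double free, or 0 if the target survived every injected failure. */
static long find_double_free(const uint8_t *data, size_t size, int hardened) {
    target_hardened = hardened;
    nalloc_reset(0);                       /* dry run: count the allocations this input makes */
    NaloFuzzerTestOneInput(data, size);
    long total = nalloc_count;
    for (long n = 1; n <= total; n++) {
        nalloc_reset(n);
        NaloFuzzerTestOneInput(data, size);
        if (nalloc_double_free) { nalloc_reset(0); return n; }
    }
    nalloc_reset(0);
    return 0;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    long n = find_double_free(data, size, 0);
    if (n != 0) {
        fprintf(stderr, "double free when allocation #%ld fails\n", n);
        abort();                           /* libFuzzer reports the crash and keeps the input */
    }
    return 0;
}

int main(void) {
    const uint8_t input[] = "a=b";         /* constructed sample input */
    printf("original: first bad allocation = %ld\n", find_double_free(input, 3, 0));
    printf("hardened: first bad allocation = %ld\n", find_double_free(input, 3, 1));
    return 0;
}
```

With "a=b" the sweep reports allocation 2 for the original error path (the name buffer is freed on the failure path and again at the common exit) and 0 for the hardened one; the dry run first counts how many allocations the input performs so that every site gets its turn to fail. Because the shim refuses to pass an already-freed pointer to libc, the process survives the bug and the finding is reported as a return value rather than as a crash, which is why the sweep can continue to the next allocation in the same process.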

export RUN_FUZZER_MODE="interactive"
export FUZZING_ENGINE="libfuzzer"
export SKIP_SEED_CORPUS="1"
export FUZZ_REPRODUCE_VERBOSE="1"
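Review bot: FUZZ_REPRODUCE_VERBOSE="1" is exported unconditionally in the lines shown, right after the generic reproduce settings, but nothing here says which component reads it; a one-line comment naming the nalloc runtime as the consumer, and stating that it is deliberately left unset during batch fuzzing, would keep it from reading as an unused variable to someone who did not follow this thread.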
catenacyber (Contributor, Author):

This is used by nalloc to be verbose about allocation failures when reproducing (it stays quiet during batch fuzzing)

@IvanNardi (Contributor):

@catenacyber, sorry for the silly question, but I am not able to test it locally (with nDPI). I have done:

  • checkout this PR
  • remove all the docker images
  • python3 infra/helper.py build_image ndpi
  • python3 infra/helper.py build_fuzzers --sanitizer nalloc ndpi
  • python3 infra/helper.py run_fuzzer --sanitizer nalloc --architecture x86_64 ndpi fuzz_ndpi_reader

It seems that nalloc stuff is never compiled...
What am I doing wrong?

@catenacyber (Contributor, Author):

@IvanNardi you have to run python3 infra/helper.py build_image --no-pull base-builder first

@catenacyber (Contributor, Author):

And you also have to run python3 infra/helper.py build_image --no-pull ndpi so that you use the local just-built base-builder (and not the oss-fuzz master one)

@IvanNardi (Contributor):

Now it works! Thank you very much! Astonishing work...

@catenacyber (Contributor, Author):

catenacyber commented Sep 7, 2023

Friendly ping @oliverchang

Could we get this new "sanitizer" to test when allocations fail?

In addition to the projects listed here (see previous PR), there is also icu cf unicode-org/icu#2567 where a double free was found by nallocfuzz and is now fixed (and also curl cf curl/curl@22eb989 )

@jzern (Contributor):

jzern commented Sep 8, 2023

The fuzzing engine version in #9902 has been helpful in securing libwebp and libvpx. It will be used in validating similar work in libaom.

@catenacyber (Contributor, Author):

Friendly ping @oliverchang

Could we get this new "sanitizer" to test when memory allocations fail?

cc @jonathanmetzman @alan32liu
