Bug#35097487 fuzzer for client command codecs

The client-side protocol codec is currently tested with unit-,
component- and integration tests which covers most happy cases.

But not all edge-cases are covered.

clang includes libfuzzer which allows writing fuzzers in a portable way.

Change
------

Added fuzzers for all client side messages which is built if the
compiler is clang.

Change-Id: I43ddd2c57f97ca852577b67ca14cc85fd5132e3d

Author: weigon

router/cmake/fuzzer.cmake

@@ -186,9 +186,8 @@ FUNCTION(LIBFUZZER_ADD_TEST TARGET)
       )
   ENDIF()
 
-  # use cmake -E env to set the LLVM_PROFILE_FILE in a portable way
-  ADD_TEST(${TARGET}
-            ${TARGET}
+  ADD_TEST(NAME ${TARGET}
+    COMMAND ${TARGET}
             -max_total_time=${ARG_MAX_TOTAL_TIME} -timeout=${ARG_TIMEOUT}
             -artifact_prefix=${BINARY_ARTIFACT_DIR}/
             ${BINARY_CORPUS_DIR}

router/src/mysql_protocol/tests/CMakeLists.txt

@@ -52,3 +52,47 @@ FOREACH(test_file
     INCLUDE_DIRS ../include/
     LIB_DEPENDS harness_stdx)
 ENDFOREACH()
+
+IF(LIBFUZZER_COMPILE_FLAGS)
+  FOREACH(CMD client_greeting
+      quit
+      init_schema
+      query
+      list_fields
+      # create_db
+      # drop_db
+      reload
+      # shutdown
+      statistics
+      # processinfo
+      # connect
+      # debug
+      ping
+      # time
+      # delayedinsert
+      change_user
+      binlog_dump
+      # table_dump
+      # connect_out
+      register_replica
+      stmt_prepare
+      stmt_execute
+      stmt_param_append_data
+      stmt_close
+      stmt_reset
+      set_option
+      stmt_fetch
+      # daemon
+      binlog_dump_gtid
+      reset_connection
+      clone)
+    MYSQL_ADD_EXECUTABLE(routertest_fuzz_mysql_protocol_${CMD}
+      fuzz_${CMD}.cc
+      COMPONENT Router
+      LINK_LIBRARIES mysql_protocol
+      SKIP_INSTALL
+      )
+    LIBFUZZER_ADD_TEST(routertest_fuzz_mysql_protocol_${CMD}
+      INITIAL_CORPUS_DIR ${CMAKE_CURRENT_SOURCE_DIR}/corpus/${CMD})
+  ENDFOREACH()
+ENDIF()

router/src/mysql_protocol/tests/corpus/binlog_dump/empty_capabilities

@@ -0,0 +1,76 @@
+/*
+  Copyright (c) 2023, Oracle and/or its affiliates.
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License, version 2.0,
+  as published by the Free Software Foundation.
+
+  This program is also distributed with certain software (including
+  but not limited to OpenSSL) that is licensed under separate terms,
+  as designated in a particular file or component or in included license
+  documentation.  The authors of MySQL hereby grant you an additional
+  permission to link the program and your derivative works with the
+  separately licensed software that they have included with MySQL.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#include "mysqlrouter/classic_protocol_codec_message.h"
+#include "mysqlrouter/classic_protocol_message.h"
+
+#include <iostream>
+
+#include "hexify.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  auto data = net::const_buffer(Data, Size);
+
+  if (data.size() < 4) return 0;
+
+  // byte 0-3: caps
+  // rest    : msg
+
+  const uint32_t caps = *reinterpret_cast<const uint32_t *>(data.data());
+  data += 4;
+
+  using msg_type = classic_protocol::borrowed::message::client::BinlogDump;
+
+  auto decode_res = classic_protocol::Codec<msg_type>::decode(data, caps);
+  if (decode_res) {
+    // if it decode, can we encode it again?
+
+    std::vector<uint8_t> buf;
+    auto encode_res = classic_protocol::encode(decode_res->second, caps,
+                                               net::dynamic_buffer(buf));
+
+    if (!encode_res) {
+      std::cerr << "Encoding encoded msg failed: " << encode_res.error()
+                << "\n";
+      abort();
+    }
+
+    // ... and decode again?
+    auto decode_again_res =
+        classic_protocol::Codec<msg_type>::decode(net::buffer(buf), caps);
+
+    if (!decode_again_res) {
+      std::cerr << "Decoding encoded msg failed: " << decode_again_res.error()
+                << "\n"
+                << "Input:\n"
+                << mysql_harness::hexify(buf) << "\n"
+                << "(original input):\n"
+                << mysql_harness::hexify(data) << "\n";
+
+      abort();
+    }
+  }
+
+  return 0;
+}

router/src/mysql_protocol/tests/corpus/binlog_dump_gtid/empty_capabilities

@@ -0,0 +1,76 @@
+/*
+  Copyright (c) 2023, Oracle and/or its affiliates.
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License, version 2.0,
+  as published by the Free Software Foundation.
+
+  This program is also distributed with certain software (including
+  but not limited to OpenSSL) that is licensed under separate terms,
+  as designated in a particular file or component or in included license
+  documentation.  The authors of MySQL hereby grant you an additional
+  permission to link the program and your derivative works with the
+  separately licensed software that they have included with MySQL.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#include "mysqlrouter/classic_protocol_codec_message.h"
+#include "mysqlrouter/classic_protocol_message.h"
+
+#include <iostream>
+
+#include "hexify.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  auto data = net::const_buffer(Data, Size);
+
+  if (data.size() < 4) return 0;
+
+  // byte 0-3: caps
+  // rest    : msg
+
+  const uint32_t caps = *reinterpret_cast<const uint32_t *>(data.data());
+  data += 4;
+
+  using msg_type = classic_protocol::borrowed::message::client::BinlogDumpGtid;
+
+  auto decode_res = classic_protocol::Codec<msg_type>::decode(data, caps);
+  if (decode_res) {
+    // if it decode, can we encode it again?
+
+    std::vector<uint8_t> buf;
+    auto encode_res = classic_protocol::encode(decode_res->second, caps,
+                                               net::dynamic_buffer(buf));
+
+    if (!encode_res) {
+      std::cerr << "Encoding encoded msg failed: " << encode_res.error()
+                << "\n";
+      abort();
+    }
+
+    // ... and decode again?
+    auto decode_again_res =
+        classic_protocol::Codec<msg_type>::decode(net::buffer(buf), caps);
+
+    if (!decode_again_res) {
+      std::cerr << "Decoding encoded msg failed: " << decode_again_res.error()
+                << "\n"
+                << "Input:\n"
+                << mysql_harness::hexify(buf) << "\n"
+                << "(original input):\n"
+                << mysql_harness::hexify(data) << "\n";
+
+      abort();
+    }
+  }
+
+  return 0;
+}

router/src/mysql_protocol/tests/corpus/change_user/empty_capabilities

@@ -0,0 +1,76 @@
+/*
+  Copyright (c) 2023, Oracle and/or its affiliates.
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License, version 2.0,
+  as published by the Free Software Foundation.
+
+  This program is also distributed with certain software (including
+  but not limited to OpenSSL) that is licensed under separate terms,
+  as designated in a particular file or component or in included license
+  documentation.  The authors of MySQL hereby grant you an additional
+  permission to link the program and your derivative works with the
+  separately licensed software that they have included with MySQL.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#include "mysqlrouter/classic_protocol_codec_message.h"
+#include "mysqlrouter/classic_protocol_message.h"
+
+#include <iostream>
+
+#include "hexify.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  auto data = net::const_buffer(Data, Size);
+
+  if (data.size() < 4) return 0;
+
+  // byte 0-3: caps
+  // rest    : msg
+
+  const uint32_t caps = *reinterpret_cast<const uint32_t *>(data.data());
+  data += 4;
+
+  using msg_type = classic_protocol::borrowed::message::client::ChangeUser;
+
+  auto decode_res = classic_protocol::Codec<msg_type>::decode(data, caps);
+  if (decode_res) {
+    // if it decode, can we encode it again?
+
+    std::vector<uint8_t> buf;
+    auto encode_res = classic_protocol::encode(decode_res->second, caps,
+                                               net::dynamic_buffer(buf));
+
+    if (!encode_res) {
+      std::cerr << "Encoding encoded msg failed: " << encode_res.error()
+                << "\n";
+      abort();
+    }
+
+    // ... and decode again?
+    auto decode_again_res =
+        classic_protocol::Codec<msg_type>::decode(net::buffer(buf), caps);
+
+    if (!decode_again_res) {
+      std::cerr << "Decoding encoded msg failed: " << decode_again_res.error()
+                << "\n"
+                << "Input:\n"
+                << mysql_harness::hexify(buf) << "\n"
+                << "(original input):\n"
+                << mysql_harness::hexify(data) << "\n";
+
+      abort();
+    }
+  }
+
+  return 0;
+}

router/src/mysql_protocol/tests/corpus/client_greeting/empty_capabilities

@@ -0,0 +1,76 @@
+/*
+  Copyright (c) 2023, Oracle and/or its affiliates.
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License, version 2.0,
+  as published by the Free Software Foundation.
+
+  This program is also distributed with certain software (including
+  but not limited to OpenSSL) that is licensed under separate terms,
+  as designated in a particular file or component or in included license
+  documentation.  The authors of MySQL hereby grant you an additional
+  permission to link the program and your derivative works with the
+  separately licensed software that they have included with MySQL.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#include "mysqlrouter/classic_protocol_codec_message.h"
+#include "mysqlrouter/classic_protocol_message.h"
+
+#include <iostream>
+
+#include "hexify.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  auto data = net::const_buffer(Data, Size);
+
+  if (data.size() < 4) return 0;
+
+  // byte 0-3: caps
+  // rest    : msg
+
+  const uint32_t caps = *reinterpret_cast<const uint32_t *>(data.data());
+  data += 4;
+
+  using msg_type = classic_protocol::borrowed::message::client::Greeting;
+
+  auto decode_res = classic_protocol::Codec<msg_type>::decode(data, caps);
+  if (decode_res) {
+    // if it decode, can we encode it again?
+
+    std::vector<uint8_t> buf;
+    auto encode_res = classic_protocol::encode(decode_res->second, caps,
+                                               net::dynamic_buffer(buf));
+
+    if (!encode_res) {
+      std::cerr << "Encoding encoded msg failed: " << encode_res.error()
+                << "\n";
+      abort();
+    }
+
+    // ... and decode again?
+    auto decode_again_res =
+        classic_protocol::Codec<msg_type>::decode(net::buffer(buf), caps);
+
+    if (!decode_again_res) {
+      std::cerr << "Decoding encoded msg failed: " << decode_again_res.error()
+                << "\n"
+                << "Input:\n"
+                << mysql_harness::hexify(buf) << "\n"
+                << "(original input):\n"
+                << mysql_harness::hexify(data) << "\n";
+
+      abort();
+    }
+  }
+
+  return 0;
+}