fuzz: add libFuzzer harness suite for SCAP parsing

CMakeLists.txt

@@ -244,6 +244,23 @@ else()
 	option(ENABLE_SCE "enables Script Check Engine - an alternative checking engine that lets you use executables instead of OVAL for checks" ON)
 endif()
 
+# ---------- FUZZING
+option(ENABLE_FUZZING "build libFuzzer harnesses (fuzz/) and instrument the library with libFuzzer + ASan/UBSan. Requires a Clang toolchain." OFF)
+if(ENABLE_FUZZING)
+	if(NOT CMAKE_C_COMPILER_ID MATCHES "Clang")
+		message(FATAL_ERROR "ENABLE_FUZZING requires Clang (libFuzzer). Re-run cmake with CC=clang CXX=clang++.")
+	endif()
+	# Instrument the whole library (and everything else) for libFuzzer coverage
+	# and catch memory/UB errors at runtime. fuzzer-no-link adds the coverage
+	# instrumentation without pulling libFuzzer's main() into every object;
+	# the harness target adds -fsanitize=fuzzer to get the driver.
+	set(OSCAP_FUZZING_FLAGS "-fsanitize=fuzzer-no-link,address,undefined -fno-omit-frame-pointer -g")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${OSCAP_FUZZING_FLAGS}")
+	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${OSCAP_FUZZING_FLAGS}")
+	set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fsanitize=address,undefined")
+	set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -fsanitize=address,undefined")
+endif()
+
 # ---------- OVAL FEATURE SWITCHES
 
 option(ENABLE_PROBES "build OVAL probes - each probe implements an OVAL test" TRUE)
@@ -635,6 +652,9 @@ endif()
 
 add_subdirectory("compat")
 add_subdirectory("src")
+if(ENABLE_FUZZING)
+	add_subdirectory("fuzz")
+endif()
 add_subdirectory("utils")
 add_subdirectory("docs")
 add_subdirectory("dist")

fuzz/.gitignore

@@ -0,0 +1,23 @@
+# libFuzzer run artifacts (these patterns match anywhere; the curated
+# regression inputs under reproducers/ are re-included below)
+crash-*
+oom-*
+leak-*
+timeout-*
+*.profraw
+
+# Always keep the curated regression corpus, even though some are named crash-*
+!reproducers/
+!reproducers/**
+
+# run-all.sh outputs
+findings/
+logs/
+*.work/
+
+# Fuzzing corpora are large (seeded from tests/, then grown by libFuzzer) and
+# regenerable; they are not committed. Regression inputs live in reproducers/.
+corpus/
+corpus_xccdf/
+corpus_arf/
+corpus_tailoring/

fuzz/CMakeLists.txt

@@ -0,0 +1,44 @@
+# libFuzzer harnesses for SCAP parsing / processing.
+#
+# Enabled with -DENABLE_FUZZING=ON. Requires a Clang toolchain (libFuzzer ships
+# with clang). When enabled, the whole library is compiled with the libFuzzer
+# coverage instrumentation plus AddressSanitizer/UndefinedBehaviorSanitizer (set
+# from the top-level CMakeLists), and each harness is linked with
+# -fsanitize=fuzzer to pull in the libFuzzer driver/main.
+
+set(FUZZ_INCLUDE_DIRS
+	"${CMAKE_CURRENT_SOURCE_DIR}"
+	"${CMAKE_SOURCE_DIR}/src/common/public"
+	"${CMAKE_SOURCE_DIR}/src/source/public"
+	"${CMAKE_SOURCE_DIR}/src/DS/public"
+	"${CMAKE_SOURCE_DIR}/src/XCCDF/public"
+	"${CMAKE_SOURCE_DIR}/src/XCCDF_POLICY/public"
+	"${CMAKE_SOURCE_DIR}/src/CPE/public"
+	"${CMAKE_SOURCE_DIR}/src/OVAL/public"
+	"${LIBXML2_INCLUDE_DIR}"
+)
+
+# add_fuzzer(<name> <source>) builds one libFuzzer executable linked against the
+# instrumented library.
+function(add_fuzzer name source)
+	add_executable(${name} ${source})
+	target_include_directories(${name} PRIVATE ${FUZZ_INCLUDE_DIRS})
+	target_link_libraries(${name} openscap)
+	target_compile_options(${name} PRIVATE -fsanitize=fuzzer)
+	target_link_options(${name} PRIVATE -fsanitize=fuzzer)
+endfunction()
+
+add_fuzzer(scap_parse_fuzzer     scap_parse_fuzzer.c)     # dispatch-by-type parser
+add_fuzzer(xccdf_policy_fuzzer    xccdf_policy_fuzzer.c)   # XCCDF policy/profile layer
+add_fuzzer(validate_fuzzer        validate_fuzzer.c)       # XSD + Schematron validation
+add_fuzzer(arf_fuzzer             arf_fuzzer.c)            # ARF / result data stream (RDS)
+add_fuzzer(xccdf_tailoring_fuzzer xccdf_tailoring_fuzzer.c) # XCCDF tailoring
+
+# Convenience target to build them all: `cmake --build . --target fuzzers`
+add_custom_target(fuzzers DEPENDS
+	scap_parse_fuzzer
+	xccdf_policy_fuzzer
+	validate_fuzzer
+	arf_fuzzer
+	xccdf_tailoring_fuzzer
+)

fuzz/README.md

@@ -0,0 +1,138 @@
+# OpenSCAP fuzzers
+
+[libFuzzer](https://llvm.org/docs/LibFuzzer.html) harnesses that exercise the
+SCAP file processing code paths (parse / resolve / validate). Requires a Clang
+toolchain (libFuzzer ships with Clang).
+
+## Available harnesses
+
+| Binary | Entry point | Corpus dir |
+|--------|-------------|------------|
+| `scap_parse_fuzzer`     | `oscap_source_get_scap_type()` then the matching importer (DS, ARF, XCCDF, all OVAL kinds, CPE) | `corpus/` |
+| `xccdf_policy_fuzzer`   | `xccdf_policy_model_new()` + `build_all_useful_policies()` + `xccdf_policy_resolve()` | `corpus_xccdf/` |
+| `validate_fuzzer`       | `oscap_source_validate()` + `oscap_source_validate_schematron()` | `corpus/` |
+| `arf_fuzzer`            | `ds_rds_session_*` — build the RDS index, walk reports/assets, extract reports | `corpus_arf/` |
+| `xccdf_tailoring_fuzzer`| `xccdf_tailoring_import_source()` against an embedded benchmark | `corpus_tailoring/` |
+
+Each harness is one `*_fuzzer.c` file in this directory. Corpora are seeded from
+`tests/` and grown by the fuzzer; they are git-ignored (regenerable).
+
+## Build
+
+```sh
+mkdir -p build && cd build
+CC=clang CXX=clang++ cmake .. -DENABLE_FUZZING=ON -DENABLE_PROBES=OFF -DENABLE_SCE=OFF
+cmake --build . --target fuzzers -j"$(nproc)"   # builds all harnesses
+```
+
+`ENABLE_FUZZING` instruments the whole library with
+`-fsanitize=fuzzer-no-link,address,undefined` and links each harness with
+`-fsanitize=fuzzer`. (`-DENABLE_PROBES=OFF -DENABLE_SCE=OFF` just trims the build.)
+
+## Run the fuzz tests
+
+Recommended sanitizer environment (LeakSanitizer is noisy on inputs the parser
+intentionally rejects mid-parse; UBSan `halt_on_error=0` keeps benign
+function-pointer-cast reports from aborting):
+
+```sh
+export ASAN_OPTIONS=detect_leaks=0 UBSAN_OPTIONS=halt_on_error=0
+```
+
+One harness on its corpus:
+
+```sh
+cd build
+./fuzz/scap_parse_fuzzer  -max_len=65536 ../fuzz/corpus
+./fuzz/xccdf_policy_fuzzer -max_len=65536 ../fuzz/corpus_xccdf
+# validate_fuzzer needs the bundled schemas:
+OSCAP_SCHEMA_PATH=$(pwd)/../schemas ./fuzz/validate_fuzzer -max_len=65536 ../fuzz/corpus
+```
+
+All harnesses in parallel (libFuzzer `-fork` mode; a crash/OOM/timeout in one
+input is recorded and fuzzing continues). `run-all.sh` sets the sanitizer
+options and `OSCAP_SCHEMA_PATH` automatically:
+
+```sh
+fuzz/run-all.sh 3600            # duration in seconds; one fork child per harness
+FORK=4 fuzz/run-all.sh 28800    # 4 fork children per harness
+```
+
+Findings land in `fuzz/findings/<harness>/` (`crash-`/`oom-`/`timeout-`/`leak-`),
+per-harness logs in `fuzz/logs/<harness>.log`; a per-harness summary is printed
+at the end. Both dirs are git-ignored.
+
+## Coverage
+
+Build a second, coverage-instrumented tree, replay the corpus, and report with
+`llvm-cov`:
+
+```sh
+mkdir -p build-cov && cd build-cov
+CC=clang CXX=clang++ cmake .. -DENABLE_FUZZING=ON -DENABLE_PROBES=OFF -DENABLE_SCE=OFF \
+    -DCMAKE_C_FLAGS="-fprofile-instr-generate -fcoverage-mapping" \
+    -DCMAKE_CXX_FLAGS="-fprofile-instr-generate -fcoverage-mapping" \
+    -DCMAKE_EXE_LINKER_FLAGS="-fprofile-instr-generate -fcoverage-mapping" \
+    -DCMAKE_SHARED_LINKER_FLAGS="-fprofile-instr-generate -fcoverage-mapping"
+cmake --build . --target fuzzers -j"$(nproc)"
+
+# Replay the corpus (-runs=0 just executes the inputs, no fuzzing):
+LLVM_PROFILE_FILE=cov.profraw ASAN_OPTIONS=detect_leaks=0 \
+    ./fuzz/scap_parse_fuzzer -runs=0 ../fuzz/corpus
+
+llvm-profdata merge -sparse cov.profraw -o cov.profdata
+# The library lives in a shared object, so pass it with -object:
+llvm-cov report ./fuzz/scap_parse_fuzzer -object ./src/libopenscap.so* \
+    -instr-profile=cov.profdata
+# Per-file/line detail:
+llvm-cov show   ./fuzz/scap_parse_fuzzer -object ./src/libopenscap.so* \
+    -instr-profile=cov.profdata src/OVAL/oval_parser.c
+```
+
+Merge several `*.profraw` (one per harness, via different `LLVM_PROFILE_FILE`)
+before `report` to get combined coverage, and pass each harness with its own
+`-object` to `llvm-cov`.
+
+## Replay / debug a crash
+
+A crashing input is written as `crash-<sha1>` (or `oom-`/`timeout-`) in the
+working dir, or under `fuzz/findings/<harness>/` when using `run-all.sh`.
+Curated regression inputs are in `fuzz/reproducers/`.
+
+Replay one input through the harness that produced it — the ASan report
+(stack trace, fault address, allocation site) prints to stderr:
+
+```sh
+cd build
+ASAN_OPTIONS=detect_leaks=0 UBSAN_OPTIONS=halt_on_error=0 \
+    ./fuzz/scap_parse_fuzzer ./crash-<sha1>
+# validate_fuzzer also needs: OSCAP_SCHEMA_PATH=$(pwd)/../schemas
+```
+
+> **Note:** a small number of reproducers (`crash-oval-set-mixed-type-double-free`
+> and `crash-sds-index-checklist-null-strcmp`) trigger a UBSan
+> wrong-function-pointer error rather than an ASan SEGV. Use
+> `UBSAN_OPTIONS=halt_on_error=1` instead of `halt_on_error=0` for those.
+
+Under a debugger — make ASan/UBSan abort into the debugger on the faulting frame:
+
+```sh
+ASAN_OPTIONS=abort_on_error=1:detect_leaks=0 UBSAN_OPTIONS=halt_on_error=1 \
+    gdb --args ./fuzz/scap_parse_fuzzer ./crash-<sha1>
+(gdb) run
+(gdb) bt            # backtrace at the crash
+# (lldb works the same: lldb -- ./fuzz/<harness> ./crash-<sha1>; run; bt)
+```
+
+Useful extras:
+- Symbolized ASan traces need `llvm-symbolizer` on `PATH` (set
+  `ASAN_SYMBOLIZER_PATH=$(command -v llvm-symbolizer)` if needed).
+- Minimize a crash to the smallest triggering input:
+  `./fuzz/<harness> -minimize_crash=1 -exact_artifact_path=min ./crash-<sha1>`.
+- Replay all regression inputs (run from `build/`):
+  ```sh
+  for f in ../fuzz/reproducers/*; do
+      ASAN_OPTIONS=detect_leaks=0 UBSAN_OPTIONS=halt_on_error=0 \
+          ./fuzz/scap_parse_fuzzer "$f" >/dev/null 2>&1 || echo "triggered: $f"
+  done
+  ```

fuzz/arf_fuzzer.c

@@ -0,0 +1,81 @@
+/*
+ * libFuzzer harness for ARF / Result Data Stream (RDS) parsing
+ * (src/DS/rds.c, src/DS/rds_index.c, src/DS/ds_rds_session.c).
+ *
+ * ARF (Asset Reporting Format) result files are the output side of a scan and
+ * are routinely passed around and re-ingested, so their parser is a real attack
+ * surface. The base scap_parse_fuzzer only builds the RDS session; this harness
+ * goes further and walks the result-data-stream index (reports, assets,
+ * report-requests) and extracts the embedded reports, which is what drives the
+ * bulk of the RDS parsing code.
+ *
+ * Pipeline:
+ *   ds_rds_session_new_from_source()      open the ARF
+ *   ds_rds_session_get_rds_idx()          build & return the RDS index
+ *   walk reports / assets / report-requests via the index iterators
+ *   ds_rds_session_select_report(NULL)    extract+parse the first report
+ *   ds_rds_session_select_report_request(NULL)
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "fuzz_common.h"
+#include "oscap_source.h"
+#include "scap_ds.h"
+#include "ds_rds_session.h"
+
+static void walk_index(struct rds_index *idx)
+{
+	if (idx == NULL) {
+		return;
+	}
+
+	struct rds_report_index_iterator *rit = rds_index_get_reports(idx);
+	while (rds_report_index_iterator_has_more(rit)) {
+		struct rds_report_index *r = rds_report_index_iterator_next(rit);
+		rds_report_index_get_id(r);
+	}
+	rds_report_index_iterator_free(rit);
+
+	struct rds_report_request_index_iterator *qit = rds_index_get_report_requests(idx);
+	while (rds_report_request_index_iterator_has_more(qit)) {
+		struct rds_report_request_index *q = rds_report_request_index_iterator_next(qit);
+		rds_report_request_index_get_id(q);
+	}
+	rds_report_request_index_iterator_free(qit);
+
+	struct rds_asset_index_iterator *ait = rds_index_get_assets(idx);
+	while (rds_asset_index_iterator_has_more(ait)) {
+		struct rds_asset_index *a = rds_asset_index_iterator_next(ait);
+		struct rds_report_index_iterator *arit = rds_asset_index_get_reports(a);
+		while (rds_report_index_iterator_has_more(arit)) {
+			rds_report_index_iterator_next(arit);
+		}
+		rds_report_index_iterator_free(arit);
+	}
+	rds_asset_index_iterator_free(ait);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+	FUZZ_INIT();
+
+	struct oscap_source *source =
+		oscap_source_new_from_memory((const char *)data, size, "fuzz-arf.xml");
+	if (source == NULL) {
+		return 0;
+	}
+
+	struct ds_rds_session *session = ds_rds_session_new_from_source(source);
+	if (session != NULL) {
+		walk_index(ds_rds_session_get_rds_idx(session));
+		// Returned sources are owned by the session; do not free them.
+		ds_rds_session_select_report(session, NULL);
+		ds_rds_session_select_report_request(session, NULL);
+		ds_rds_session_free(session);
+	}
+
+	oscap_source_free(source);
+	return 0;
+}

fuzz/fuzz_common.h

@@ -0,0 +1,34 @@
+/*
+ * Shared setup for the OpenSCAP fuzz harnesses.
+ */
+#ifndef OPENSCAP_FUZZ_COMMON_H
+#define OPENSCAP_FUZZ_COMMON_H
+
+#include <libxml/parser.h>
+#include <libxml/xmlerror.h>
+
+#include "oscap.h"
+
+/*
+ * One-time process initialization. Silences libxml2's error reporting (it would
+ * otherwise print a parse error to stderr for every malformed input, which both
+ * slows fuzzing down and buries real sanitizer reports) and initializes the
+ * library. Call from the top of LLVMFuzzerTestOneInput guarded by a static flag.
+ */
+static inline void fuzz_init_once(void)
+{
+	xmlSetGenericErrorFunc(NULL, NULL);
+	xmlSetStructuredErrorFunc(NULL, NULL);
+	oscap_init();
+}
+
+#define FUZZ_INIT()                          \
+	do {                                 \
+		static int _fuzz_inited = 0; \
+		if (!_fuzz_inited) {         \
+			fuzz_init_once();    \
+			_fuzz_inited = 1;    \
+		}                            \
+	} while (0)
+
+#endif /* OPENSCAP_FUZZ_COMMON_H */

fuzz/reproducers/crash-oval-set-mixed-type-double-free

@@ -0,0 +1 @@
+<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><objects><ind-def:xmlfilecontent_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" id="o:1" version="1"><set><set/><object_reference>o:1</object_reference></set></ind-def:xmlfilecontent_object></objects></oval_definitions>

fuzz/reproducers/crash-oval-state-version-null-atoi

@@ -0,0 +1 @@
+<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><states><variable_state></variable_state></states></oval_definitions>

fuzz/reproducers/crash-oval-varmodel-duplicate-id-null-frame

@@ -0,0 +1 @@
+<oval_variables xmlns="http://oval.mitre.org/XMLSchema/oval-variables-5"><variables><variable id="oval:x:var:3"></variable> <variable id="oval:x:var:3"><value></value></variable></variables></oval_variables>

fuzz/reproducers/crash-rds-asset-missing-id-strcmp

@@ -0,0 +1,7 @@
+<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:core="http://scap.nist.gov/schema/reporting-core/1.1">
+<arf:assets><arf:asset/></arf:assets>
+<arf:reports><arf:report id="r"><arf:content/></arf:report></arf:reports>
+<core:relationships xmlns:arfvocab="http://scap.nist.gov/specification/arf/vocabulary/relationships/1.0#">
+<core:relationship type="arfvocab:isAbout" subject="r"><core:ref>a</core:ref></core:relationship>
+</core:relationships>
+</arf:asset-report-collection>

fuzz/reproducers/crash-rds-isabout-null-asset

@@ -0,0 +1,7 @@
+<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:core="http://scap.nist.gov/schema/reporting-core/1.1">
+<arf:assets><arf:asset id="a"/></arf:assets>
+<arf:reports><arf:report id="r"><arf:content/></arf:report></arf:reports>
+<core:relationships xmlns:arfvocab="http://scap.nist.gov/specification/arf/vocabulary/relationships/1.0#">
+<core:relationship type="arfvocab:isAbout" subject="r"><core:ref>b</core:ref></core:relationship>
+</core:relationships>
+</arf:asset-report-collection>

fuzz/reproducers/crash-rds-relationship-missing-type

@@ -0,0 +1 @@
+<arf:asset-report-collection xmlns:arf="." xmlns:core="c"><core:relationships><core:relationship></core:relationship></core:relationships></arf:asset-report-collection>

fuzz/reproducers/crash-rds-report-missing-id-htable

@@ -0,0 +1,3 @@
+<arf:asset-report-collection xmlns:arf="http://scap.nist.gov/schema/asset-reporting-format/1.1" xmlns:core="http://scap.nist.gov/schema/reporting-core/1.1">
+<arf:reports><arf:report><arf:content><x/></arf:content></arf:report></arf:reports>
+</arf:asset-report-collection>

fuzz/reproducers/crash-rds-select-report-null-index

@@ -0,0 +1 @@
+<asset-report-collection/>

fuzz/reproducers/crash-schematron-table-no-sentinel-oob

@@ -0,0 +1 @@
+<Tailoring/>