Skip to content

MONGOCRYPT-834 fuzzing for oss-fuzz#1152

Open
mdb-ad wants to merge 12 commits into
mongodb:masterfrom
mdb-ad:oss-fuzz
Open

MONGOCRYPT-834 fuzzing for oss-fuzz#1152
mdb-ad wants to merge 12 commits into
mongodb:masterfrom
mdb-ad:oss-fuzz

Conversation

@mdb-ad

@mdb-ad mdb-ad commented Apr 24, 2026

Copy link
Copy Markdown
Contributor

Background

Libmongocrypt will be added to OSS-Fuzz for continuous fuzz testing. On our end we only have to provide the fuzzing entry point: LLVMFuzzerTestOneInput which is linked into the fuzzing binary.

Design

The fuzzing engine which accepts binary inputs uses the first byte to decide on the target state. It provides some defaults (local encryption keys, etc.) until the state machine is ready to accept input and feeds the fuzzer generated data. A corpus of starting data derived from test inputs improves fuzzing efficiency.

Coverage

The fuzzing added here covers 14.33% of libmongocrypt's functions.

@mdb-ad mdb-ad requested a review from a team as a code owner April 24, 2026 05:26
@mdb-ad mdb-ad requested a review from kevinAlbs April 24, 2026 05:26
Comment thread test/data/fuzz_mongocrypt_corpus/op0_encrypt_aggregate
Comment thread test/fuzz_mongocrypt.c
Comment thread test/fuzz_mongocrypt.c Outdated
Comment thread test/fuzz_mongocrypt.c Outdated
Comment thread test/fuzz_mongocrypt.c Outdated
@mdb-ad mdb-ad requested a review from kevinAlbs July 7, 2026 22:04
if (parser->first_len > (uint32_t) INT32_MAX) {
KMS_ERROR (parser, "KMIP response length field too large");
return false;
}

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do git merge master. This change should no longer be needed with the fix of 92b5144

Comment thread test/fuzz_mongocrypt.c
Comment on lines +100 to +103
if (bin) {
mongocrypt_ctx_mongo_feed(ctx, bin);
mongocrypt_binary_destroy(bin);
}

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest removing unnecessary NULL check. I expect mongocrypt_binary_new_from_data cannot return NULL (it uses bson_malloc0, which aborts on allocation failure).

Suggestion also applies to other calls of mongocrypt_binary_new_from_data.

Comment thread test/gen_fuzz_corpus.py
Comment on lines +17 to +18
4 OP_DATAKEY (input_bin ignored; extra bytes unused unless
5 OP_REWRAP_MANY_DATAKEY state machine needs feeding)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I expect comment only applies to OP_DATAKEY.

Suggested change
4 OP_DATAKEY (input_bin ignored; extra bytes unused unless
5 OP_REWRAP_MANY_DATAKEY state machine needs feeding)
4 OP_DATAKEY (input_bin ignored; extra bytes unused unless state machine needs feeding)
5 OP_REWRAP_MANY_DATAKEY

Comment thread test/gen_fuzz_corpus.py

The optional extra bytes are consumed by drive_ctx() as it walks the state
machine. For NEED_MONGO_* states it reads a 2-byte LE length then that many
bytes; for NEED_KMS it reads exactly bytes_needed bytes from the KMS context.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIUC this is describing how the input bytes are read:

Suggested change
bytes; for NEED_KMS it reads exactly bytes_needed bytes from the KMS context.
bytes; for NEED_KMS it reads exactly bytes_needed bytes from the input.

Comment thread test/gen_fuzz_corpus.py
Comment on lines +84 to +85
for cmd, coll in [("find", "test"), ("aggregate", "test"), ("insert", "test")]:
name = f"op0_encrypt_{cmd}"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: remove "test" from list since it does not differ.

Suggested change
for cmd, coll in [("find", "test"), ("aggregate", "test"), ("insert", "test")]:
name = f"op0_encrypt_{cmd}"
for cmd in ["find", "aggregate", "insert"]:
coll = "test"

Comment thread test/gen_fuzz_corpus.py

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-run test/gen_fuzz_corpus.py. Running locally generates files not in data/fuzz_mongocrypt_corpus (e.g. crash-kmip-parser-overflow).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants