angus-mail failing to extract relevant data in java frontend analysis
Migrated from https://github.com/ossf/fuzz-introspector/pull/680#issuecomment-1347330552
The angus-mail java project is missing data when analysed by the jvm frontend. For example the calltree for the BASE64EncoderStreamFuzzer we get is:
Call tree
fuzzerTestOneInput(com.code_intelligence.jazzer.api.FuzzedDataProvider) BASE64EncoderStreamFuzzer linenumber=-1
consumeRemainingAsBytes() com.code_intelligence.jazzer.api.FuzzedDataProvider linenumber=29
write(byte[]) com.sun.mail.util.BASE64EncoderStream linenumber=29
This is a call to https://github.com/eclipse-ee4j/angus-mail/blob/46518aad79259d12a115937894ff8f32b86a1a17/core/src/main/java/com/sun/mail/util/BASE64EncoderStream.java#L141-L144
which should be a call to: https://github.com/eclipse-ee4j/angus-mail/blob/46518aad79259d12a115937894ff8f32b86a1a17/core/src/main/java/com/sun/mail/util/BASE64EncoderStream.java#L93
So we ideally would have more calls in the callgraph. It seems like there is no analysis of the code in the angus-core.jar file but the analysis is limited to the .jar files for the fuzzer classes.
With the changes in https://github.com/ossf/fuzz-introspector/pull/684 the logging output I get from a OSS-Fuzz run is the following:
Running introspector frontend on ASCIIUtilityFuzzer.class :: {'ASCIIUtilityFuzzer.jar', 'BASE64EncoderStreamFuzzer.jar', 'angus-core.jar'}
Running command: [java -Xmx6144M -cp /fuzz-introspector/frontends/java/target/ossf.fuzz.introspector.soot-1.0.jar ossf.fuzz.introspector.soot.CallGraphGenerator ASCIIUtilityFuzzer.jar:BASE64EncoderStreamFuzzer.jar:angus-core.jar ASCIIUtilityFuzzer fuzzerTestOneInput jdk.:java.:javax.:sun.:sunw.:com.sun.:com.ibm.:com.apple.:apple.awt.]
[Callgraph] Running callgraph plugin
[Callgraph] Jar files used for analysis: [ASCIIUtilityFuzzer.jar, BASE64EncoderStreamFuzzer.jar, angus-core.jar]
[Callgraph] Internal transform init
[Callgraph] Determining classes to use for analysis.
[Callgraph] [USE] class: ASCIIUtilityFuzzer
[Callgraph] [USE] class: BASE64EncoderStreamFuzzer
[Callgraph] [USE] class: module-info
[Callgraph] Finished going through classes
Inspecting class: ASCIIUtilityFuzzer
[Callgraph] Skipping method: <init>
[Callgraph] Analysing method: fuzzerTestOneInput
Inspecting class: BASE64EncoderStreamFuzzer
[Callgraph] Skipping method: <init>
[Callgraph] Analysing method: fuzzerTestOneInput
Inspecting class: module-info
Running introspector frontend on BASE64EncoderStreamFuzzer.class :: {'ASCIIUtilityFuzzer.jar', 'BASE64EncoderStreamFuzzer.jar', 'angus-core.jar'}
Running command: [java -Xmx6144M -cp /fuzz-introspector/frontends/java/target/ossf.fuzz.introspector.soot-1.0.jar ossf.fuzz.introspector.soot.CallGraphGenerator ASCIIUtilityFuzzer.jar:BASE64EncoderStreamFuzzer.jar:angus-core.jar BASE64EncoderStreamFuzzer fuzzerTestOneInput jdk.:java.:javax.:sun.:sunw.:com.sun.:com.ibm.:com.apple.:apple.awt.]
[Callgraph] Running callgraph plugin
[Callgraph] Jar files used for analysis: [ASCIIUtilityFuzzer.jar, BASE64EncoderStreamFuzzer.jar, angus-core.jar]
[Callgraph] Internal transform init
[Callgraph] Determining classes to use for analysis.
[Callgraph] [USE] class: BASE64EncoderStreamFuzzer
[Callgraph] [USE] class: ASCIIUtilityFuzzer
[Callgraph] [USE] class: module-info
[Callgraph] Finished going through classes
Inspecting class: ASCIIUtilityFuzzer
[Callgraph] Skipping method: <init>
[Callgraph] Analysing method: fuzzerTestOneInput
Inspecting class: BASE64EncoderStreamFuzzer
[Callgraph] Skipping method: <init>
[Callgraph] Analysing method: fuzzerTestOneInput
It seems like the angus-core.jar is not being involved?
Two reasons lead to this error.
- Angus-mail project code uses package names that have prefixes commonly considered as native code and Java standard libraries.
- Soot has a default list of package prefixes which are considered standard library and are ignored by default.
Solution: Alter the Soot code to include all those prefixes, then use the exclude option to manually exclude those not matching the project package prefix, aka com.sun.*
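Added example, not code from fuzz-introspector or Soot: a small Python model of the prefix-exclusion behaviour described in the reply above. The default exclusion list is the one visible as the last argument of the `CallGraphGenerator` command on this page; the project package prefix `com.sun.mail.` and the sample class names are constructed assumptions based on the `BASE64EncoderStream` path quoted earlier. It shows why every project class is dropped under the default list and how rebuilding the list around the project's own prefix brings them back while keeping real JDK packages excluded.

```python
"""Model of Soot-style package-prefix exclusion (added example, not the
frontend's own code).

SOOT_DEFAULT_EXCLUDES is the prefix list passed on the command line shown
on the page. PROJECT_PREFIXES and SAMPLE_CLASSES are constructed
assumptions for a project whose code lives under com.sun.mail.
"""

SOOT_DEFAULT_EXCLUDES = [
    "jdk.", "java.", "javax.", "sun.", "sunw.",
    "com.sun.", "com.ibm.", "com.apple.", "apple.awt.",
]

# Assumption: the angus-mail code under analysis lives under this package.
PROJECT_PREFIXES = ["com.sun.mail."]

# Constructed sample: one fuzzer class, two project classes, two JDK classes.
SAMPLE_CLASSES = [
    "BASE64EncoderStreamFuzzer",
    "com.sun.mail.util.BASE64EncoderStream",
    "com.sun.mail.util.ASCIIUtility",
    "java.io.OutputStream",
    "sun.misc.Unsafe",
]


def is_excluded(class_name, exclude_prefixes):
    """Prefix check as Soot applies it: a class is skipped when its fully
    qualified name starts with any excluded package prefix."""
    return any(class_name.startswith(p) for p in exclude_prefixes)


def project_exclude_list(default_excludes, project_prefixes):
    """Rebuild the exclusion list for a given project.

    Keep every default prefix except those that are an ancestor of one of
    the project's own package prefixes. For a project under com.sun.mail.
    this drops exactly "com.sun.", which is the change the thread describes,
    and leaves every other prefix (java., sun., ...) excluded.
    """
    keep = []
    for prefix in default_excludes:
        shadows_project = any(proj.startswith(prefix) for proj in project_prefixes)
        if not shadows_project:
            keep.append(prefix)
    return keep


def classes_to_analyse(class_names, exclude_prefixes):
    """Return the classes the call-graph pass would actually inspect."""
    return [c for c in class_names if not is_excluded(c, exclude_prefixes)]


if __name__ == "__main__":
    before = classes_to_analyse(SAMPLE_CLASSES, SOOT_DEFAULT_EXCLUDES)
    adjusted = project_exclude_list(SOOT_DEFAULT_EXCLUDES, PROJECT_PREFIXES)
    after = classes_to_analyse(SAMPLE_CLASSES, adjusted)
    print("analysed with default excludes:", before)
    print("adjusted exclude list:", adjusted)
    print("analysed with adjusted excludes:", after)
```

Under the default list only the fuzzer class survives, which matches the `[USE] class:` lines in the log above, where no `com.sun.mail` class is ever listed. Dropping the whole `com.sun.` prefix is coarse: any other JDK-internal `com.sun.*` package would now be analysed too, so a project-specific exclusion list is a trade-off between completeness of the call graph and analysis time.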
I can confirm it works following https://github.com/ossf/fuzz-introspector/pull/688 as well as removing the necessary com.sun. exclusion prefix from https://github.com/ossf/fuzz-introspector/blob/a3c1037b0e25824c86c866538c5e85cc908ff590/frontends/java/oss-fuzz-main.py#L107
Screenshot:

Is this solved @arthurscchan ?