[log4j2] intitial integration (#7016)

Author: 0roman

projects/log4j2/Dockerfile

@@ -0,0 +1,29 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-jvm
+
+RUN curl -L https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.zip -o maven.zip && \
+    unzip maven.zip -d $SRC/maven && \
+    rm -rf maven.zip
+
+ENV MVN $SRC/maven/apache-maven-3.6.3/bin/mvn
+
+RUN git clone --depth 1 https://github.com/apache/logging-log4j2
+
+COPY build.sh $SRC/
+COPY Log4jFuzzer.java $SRC/
+WORKDIR $SRC/logging-log4j2

projects/log4j2/Log4jFuzzer.java

@@ -0,0 +1,52 @@
+
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+import org.apache.logging.log4j.Level;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.core.appender.FileAppender;
+import org.apache.logging.log4j.core.config.Configurator;
+import org.apache.logging.log4j.core.config.builder.api.AppenderComponentBuilder;
+import org.apache.logging.log4j.core.config.builder.api.RootLoggerComponentBuilder;
+import org.apache.logging.log4j.core.config.builder.impl.DefaultConfigurationBuilder;
+import org.apache.logging.log4j.status.StatusLogger;
+
+// This fuzzer reproduces the log4j RCE vulnerability CVE-2021-44228.
+public class Log4jFuzzer {
+    private final static Logger log = LogManager.getLogger(Log4jFuzzer.class.getName());
+
+    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+        log.error(data.consumeRemainingAsString());
+    }
+
+    public static void fuzzerInitialize() {
+        // Install a logger that constructs the log message, but never prints it.
+        // This noticeably increases the fuzzing performance
+        DefaultConfigurationBuilder configBuilder = new DefaultConfigurationBuilder();
+        AppenderComponentBuilder fuzzingAppender = configBuilder.newAppender("nullAppender", FileAppender.PLUGIN_NAME);
+        fuzzingAppender.addAttribute("fileName", "/dev/null");
+        configBuilder.add(fuzzingAppender);
+        RootLoggerComponentBuilder rootLogger = configBuilder.newRootLogger();
+        rootLogger.add(configBuilder.newAppenderRef("nullAppender"));
+        configBuilder.add(rootLogger);
+        Configurator.reconfigure(configBuilder.build());
+
+        // Disable logging of exceptions caught in log4j itself.
+        StatusLogger.getLogger().reset();
+        StatusLogger.getLogger().setLevel(Level.OFF);
+    }
+}

projects/log4j2/build.sh

@@ -0,0 +1,52 @@
+#!/bin/bash -eu
+# Copyright 2021 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+MAVEN_ARGS="-DskipTests --no-transfer-progress"
+$MVN package -pl log4j-api,log4j-plugins,log4j-core $MAVEN_ARGS
+CURRENT_VERSION=$($MVN org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+ -Dexpression=project.version -q -DforceStdout)
+cp "log4j-core/target/log4j-core-$CURRENT_VERSION.jar" $OUT/log4j-core.jar
+cp "log4j-api/target/log4j-api-$CURRENT_VERSION.jar" $OUT/log4j-api.jar
+cp "log4j-plugins/target/log4j-plugins-$CURRENT_VERSION.jar" $OUT/log4j-plugins.jar
+
+ALL_JARS="log4j-core.jar log4j-api.jar log4j-plugins.jar"
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API. Additionally, include $OUT itself to pick up
+# BufferedImageLuminanceSource.
+BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH:$OUT
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
+  fuzzer_basename=$(basename -s .java $fuzzer)
+  javac -cp $BUILD_CLASSPATH $fuzzer
+  cp $SRC/$fuzzer_basename*.class $OUT/
+
+  # Create an execution wrapper that executes Jazzer with the correct arguments.
+  echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+  chmod u+x $OUT/$fuzzer_basename
+done

projects/log4j2/project.yaml

@@ -0,0 +1,10 @@
+homepage: "https://logging.apache.org/log4j/2.x/"
+language: jvm
+primary_contact: "[email protected]"
+auto_ccs:
+  - "[email protected]"
+fuzzing_engines:
+  - libfuzzer
+main_repo: "https://github.com/apache/logging-log4j2"
+sanitizers:
+  - address