From: "Zhangjian (Bamvor)" <bamvor.zhangjian@huawei.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: syzkaller <syzkaller@googlegroups.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-arch@vger.kernel.org, libc-alpha@sourceware.org,
trinity@vger.kernel.org, aponomarenko@rosalab.ru,
Jess Hertz <jesse.hertz@nccgroup.trust>,
Tim Newsham <tim.newsham@nccgroup.trust>,
Arnd Bergmann <arnd@arndb.de>,
Catalin Marinas <catalin.marinas@arm.com>,
Mark Brown <broonie@kernel.org>,
joseph@codesourcery.com, maxim.kuvyrkov@linaro.org,
Yury Norov <ynorov@caviumnetworks.com>,
pinskia@gmail.com, schwab@suse.de, agraf@suse.de,
marcus.shawcroft@arm.com, Ding Tianhong <dingtianhong@huawei.com>,
guohanjun@huawei.com, cuibixuan@huawei.com, lijinyue@huawei.com,
Zefan Li <lizefan@huawei.com>
Subject: Re: [RFD] Efficient unit test and fuzz tools for kernel/libc porting
Date: Wed, 6 Jul 2016 18:38:11 +0800 [thread overview]
Message-ID: <577CDF93.4080001@huawei.com> (raw)
In-Reply-To: <CACT4Y+a_5G-G1v4Xn-_dLacuVSNnxGorZMjGKKew6pihg_Hk-Q@mail.gmail.com>
Hi, Dmitry
On 2016/7/6 17:09, Dmitry Vyukov wrote:
> On Wed, Jul 6, 2016 at 10:24 AM, Zhangjian (Bamvor)
> <bamvor.zhangjian@huawei.com> wrote:
>> Hi, Dmitry
>>
>>
>>> Hi Bamvor,
>>>
>>> Nice work!
>>>
>>> Coverage should be easy to do with CONFIG_KCOV, but do you need
>>> fuzzing/coverage? It seems that testing a predefined set of special
>>> values for each arg should be enough for your use case. Namely special
>>> values that can detect endianess/truncation/sign extension/etc issues.
>>
>> Yes. We are trying to cover endianess/truncation/sign extension at this
>> moment.
>> For coverage, there are some code path in syscall wrapper in both glibc
>> and kernel. E.g. overflow check in glibc. I am thinking if coverage
>> could help on this.
>
> Ah, you mean user-space coverage. You may try AFL in binary
> instrumentation mode for this.
Good idea. AFL seems a wonderful tools. I saw some discussion about use AFL
to do kernel fuzz(triforce). If AFL support arm64, I could try it my
aarch64 ILP32 works.
Regards
Bamvor
>
>
>>> I think there is also a number of glibc functions that don't directly
>>> map to syscalls. Most notably wrappers around various ioctl's (e.g.
>>> ptsname). Do you test them?
>>
>> No. Currently, our tools only focus on the syscall function in glibc. In
>> these syscall level, we could compare the parameter and return value
>> directly. As you said, there are only several type of issues. It is easy
>> to handle by tools.
>>
>> I do not know how to test these complex cases. E.g. the ptsname may call
>> ioctl, *stat* syscall. Compare the original parameter is meaningless. But
>> it seems a good type of testcase to show how the user use the syscalls.
>> Do you have some ideas?
>
> I don't have any ideas for automated testing. One could write a model,
> of course....
> --
> To unsubscribe from this list: send the line "unsubscribe linux-arch" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
WARNING: multiple messages have this Message-ID (diff)
From: "Zhangjian (Bamvor)" <bamvor.zhangjian@huawei.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: syzkaller <syzkaller@googlegroups.com>,
LKML <linux-kernel@vger.kernel.org>, <linux-arch@vger.kernel.org>,
<libc-alpha@sourceware.org>, <trinity@vger.kernel.org>,
<aponomarenko@rosalab.ru>,
Jess Hertz <jesse.hertz@nccgroup.trust>,
"Tim Newsham" <tim.newsham@nccgroup.trust>,
Arnd Bergmann <arnd@arndb.de>,
"Catalin Marinas" <catalin.marinas@arm.com>,
Mark Brown <broonie@kernel.org>, <joseph@codesourcery.com>,
<maxim.kuvyrkov@linaro.org>,
Yury Norov <ynorov@caviumnetworks.com>, <pinskia@gmail.com>,
<schwab@suse.de>, <agraf@suse.de>, <marcus.shawcroft@arm.com>,
Ding Tianhong <dingtianhong@huawei.com>, <guohanjun@huawei.com>,
<cuibixuan@huawei.com>, <lijinyue@huawei.com>,
Zefan Li <lizefan@huawei.com>
Subject: Re: [RFD] Efficient unit test and fuzz tools for kernel/libc porting
Date: Wed, 6 Jul 2016 18:38:11 +0800 [thread overview]
Message-ID: <577CDF93.4080001@huawei.com> (raw)
In-Reply-To: <CACT4Y+a_5G-G1v4Xn-_dLacuVSNnxGorZMjGKKew6pihg_Hk-Q@mail.gmail.com>
Hi, Dmitry
On 2016/7/6 17:09, Dmitry Vyukov wrote:
> On Wed, Jul 6, 2016 at 10:24 AM, Zhangjian (Bamvor)
> <bamvor.zhangjian@huawei.com> wrote:
>> Hi, Dmitry
>>
>>
>>> Hi Bamvor,
>>>
>>> Nice work!
>>>
>>> Coverage should be easy to do with CONFIG_KCOV, but do you need
>>> fuzzing/coverage? It seems that testing a predefined set of special
>>> values for each arg should be enough for your use case. Namely special
>>> values that can detect endianess/truncation/sign extension/etc issues.
>>
>> Yes. We are trying to cover endianess/truncation/sign extension at this
>> moment.
>> For coverage, there are some code path in syscall wrapper in both glibc
>> and kernel. E.g. overflow check in glibc. I am thinking if coverage
>> could help on this.
>
> Ah, you mean user-space coverage. You may try AFL in binary
> instrumentation mode for this.
Good idea. AFL seems a wonderful tools. I saw some discussion about use AFL
to do kernel fuzz(triforce). If AFL support arm64, I could try it my
aarch64 ILP32 works.
Regards
Bamvor
>
>
>>> I think there is also a number of glibc functions that don't directly
>>> map to syscalls. Most notably wrappers around various ioctl's (e.g.
>>> ptsname). Do you test them?
>>
>> No. Currently, our tools only focus on the syscall function in glibc. In
>> these syscall level, we could compare the parameter and return value
>> directly. As you said, there are only several type of issues. It is easy
>> to handle by tools.
>>
>> I do not know how to test these complex cases. E.g. the ptsname may call
>> ioctl, *stat* syscall. Compare the original parameter is meaningless. But
>> it seems a good type of testcase to show how the user use the syscalls.
>> Do you have some ideas?
>
> I don't have any ideas for automated testing. One could write a model,
> of course....
> --
> To unsubscribe from this list: send the line "unsubscribe linux-arch" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
next prev parent reply other threads:[~2016-07-06 10:38 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-06 7:39 [RFD] Efficient unit test and fuzz tools for kernel/libc porting Zhangjian (Bamvor)
2016-07-06 7:39 ` Zhangjian (Bamvor)
2016-07-06 7:39 ` Zhangjian (Bamvor)
2016-07-06 8:00 ` Dmitry Vyukov
2016-07-06 8:24 ` Zhangjian (Bamvor)
2016-07-06 8:24 ` Zhangjian (Bamvor)
2016-07-06 9:09 ` Dmitry Vyukov
2016-07-06 10:38 ` Zhangjian (Bamvor) [this message]
2016-07-06 10:38 ` Zhangjian (Bamvor)
2016-07-06 8:00 ` Zhangjian (Bamvor)
2016-07-06 8:00 ` Zhangjian (Bamvor)
2016-07-06 8:00 ` Zhangjian (Bamvor)
2016-07-20 15:47 ` Joseph Myers
2016-07-20 15:47 ` Joseph Myers
2016-07-21 12:39 ` Zhangjian (Bamvor)
2016-07-21 12:39 ` Zhangjian (Bamvor)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=577CDF93.4080001@huawei.com \
--to=bamvor.zhangjian@huawei.com \
--cc=agraf@suse.de \
--cc=aponomarenko@rosalab.ru \
--cc=arnd@arndb.de \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=cuibixuan@huawei.com \
--cc=dingtianhong@huawei.com \
--cc=dvyukov@google.com \
--cc=guohanjun@huawei.com \
--cc=jesse.hertz@nccgroup.trust \
--cc=joseph@codesourcery.com \
--cc=libc-alpha@sourceware.org \
--cc=lijinyue@huawei.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=marcus.shawcroft@arm.com \
--cc=maxim.kuvyrkov@linaro.org \
--cc=pinskia@gmail.com \
--cc=schwab@suse.de \
--cc=syzkaller@googlegroups.com \
--cc=tim.newsham@nccgroup.trust \
--cc=trinity@vger.kernel.org \
--cc=ynorov@caviumnetworks.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.