From: Sami Liedes <sami.liedes@iki.fi>
To: linux-ext4@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Announcing the Berserker toolkit for (semi-)automated fs fuzz testing
Date: Sat, 28 Apr 2012 04:39:04 +0300
Message-ID: <20120428013904.GE20648@sli.dy.fi>

This is an announcement of the first release of the Berserker toolkit
for (semi-)automated fuzz testing and testcase minimization of Linux
kernel filesystem implementations.

The toolkit consists of the following components and their
documentation:

* Debian sid (unstable) based root filesystem image with scripts
  inside and set to run automatically that will test filesystems based
  on kernel commandline parameters, intended to be run inside a
  virtual machine (KVM); a 32-bit x86 system

* berserker-testfs.py, a script to automate running fuzz tests inside
  KVM on a filesystem image (simply give as parameters the filesystem
  type, a working filesystem image and a kernel bzImage - see --help).
  This script takes care of running KVM and interpreting the output.
  Its return values make it suitable for using in "git bisect run". By
  default the VM will fuzz and run until it has produced a crash.

* berserker-minimize.sh (and fuzz-minimize used by it), a program to
  derive a crash-inducing test case with minimal differences to a
  pristine filesystem image by repeatedly automatically running
  berserker-testfs.py on different images. Takes as input the kernel
  image to use, a pristine filesystem image and a fuzzed filesystem
  image that causes the kernel to crash.

To get the source:

    git clone http://www.niksula.hut.fi/~sliedes/berserker/berserker.git

The repository contains a script (download-binaries.sh) that downloads
some files (*at least until my university gets unhappy with the
bandwidth used):

* the root filesystem (hda.autotest; 112 MiB compressed, 501 MiB
  uncompressed); and for quick start

* a vanilla 3.3.4 bzImage for amd64 suitable for use with the system
  (config file included in the git repository)

* testimg.ext4, a 10 MiB ext4 filesystem with the required layout
  (described in more detail in the README file)

The actual fuzzer used is zzuf (Debian package zzuf) by Sam Hocevar. I
believe it is similar in spirit to fsfuzzer which appears to be more
familiar to the kernel community; zzuf was chosen because I was more
familiar with it and because it was packaged for Debian.

Two examples of (what appears to be) ext4 bugs found with this
toolkit, both reproducible with a 1-bit difference to a pristine
filesystem:

    http://www.spinics.net/lists/linux-ext4/msg31850.html
    (sorry, by mistake the subject doesn't quite reflect the bug...)

    http://www.spinics.net/lists/linux-ext4/msg31853.html

See the included README file for a very quick introduction and some
more detailed documentation.

Sami Liedes
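
The minimization idea described above for berserker-minimize.sh, shown as an added example that is not part of the original message and is not Berserker's own fuzz-minimize code: a delta-debugging (ddmin-style) reduction of the bit flips that separate a pristine image from a crashing one. The `crashes` callback is a hypothetical stand-in for one berserker-testfs.py run on the candidate image; all function names are assumptions.

```python
# Added example (not Berserker's fuzz-minimize): ddmin-style reduction of the
# bit flips that separate a pristine image from a crashing fuzzed one.

def diff_bits(pristine, fuzzed):
    """Absolute bit positions at which two equal-sized images differ."""
    if len(pristine) != len(fuzzed):
        raise ValueError("images must be the same size")
    return [i * 8 + b
            for i, (p, f) in enumerate(zip(pristine, fuzzed)) if p != f
            for b in range(8) if (p ^ f) >> b & 1]

def apply_bits(pristine, bits):
    """Copy of the pristine image with the given bit positions flipped."""
    img = bytearray(pristine)
    for pos in bits:
        img[pos // 8] ^= 1 << (pos % 8)
    return bytes(img)

def minimize(pristine, fuzzed, crashes):
    """Return a 1-minimal list of bit flips for which crashes(image) holds.
    crashes() is the oracle (assumed: one VM boot per call); results are cached."""
    cache = {}
    def test(bits):
        key = tuple(bits)
        if key not in cache:
            cache[key] = crashes(apply_bits(pristine, bits))
        return cache[key]

    bits = diff_bits(pristine, fuzzed)
    if not test(bits):
        raise ValueError("fuzzed image does not reproduce the crash")
    n = 2
    while len(bits) >= 2:
        size = -(-len(bits) // n)                  # ceiling division
        chunks = [bits[i:i + size] for i in range(0, len(bits), size)]
        for chunk in chunks:
            rest = [b for b in bits if b not in chunk]
            if test(chunk):                        # this chunk alone suffices
                bits, n = chunk, 2
                break
            if test(rest):                         # this chunk is not needed
                bits, n = rest, max(n - 1, 2)
                break
        else:
            if n >= len(bits):                     # already at single flips
                break
            n = min(len(bits), n * 2)
    return bits
```

The result is 1-minimal: removing any single remaining flip stops the crash, which is the property that makes a report like "reproducible with a 1-bit difference" possible when one flip is enough.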