From: "Zhangjian (Bamvor)"
To: Dmitry Vyukov
CC: syzkaller, LKML, Jess Hertz, "Tim Newsham", Arnd Bergmann, "Catalin Marinas", Mark Brown, Yury Norov, Ding Tianhong, Zefan Li
Subject: Re: [RFD] Efficient unit test and fuzz tools for kernel/libc porting
Date: Wed, 6 Jul 2016 18:38:11 +0800
Message-ID: <577CDF93.4080001@huawei.com>

Hi, Dmitry

On 2016/7/6 17:09, Dmitry Vyukov wrote:
> On Wed, Jul 6, 2016 at 10:24 AM, Zhangjian (Bamvor)
> wrote:
>> Hi, Dmitry
>>
>>
>>> Hi Bamvor,
>>>
>>> Nice work!
>>>
>>> Coverage should be easy to do with CONFIG_KCOV, but do you need
>>> fuzzing/coverage? It seems that testing a predefined set of special
>>> values for each arg should be enough for your use case. Namely special
>>> values that can detect endianness/truncation/sign extension/etc issues.
>>
>> Yes. We are trying to cover endianness/truncation/sign extension at this
>> moment.
>> For coverage, there are some code paths in the syscall wrappers in both
>> glibc and kernel. E.g. overflow check in glibc. I am thinking if coverage
>> could help on this.
>
> Ah, you mean user-space coverage. You may try AFL in binary
> instrumentation mode for this.

Good idea. AFL seems a wonderful tool. I saw some discussion about using AFL
to do kernel fuzzing (triforce). If AFL supports arm64, I could try it on my
aarch64 ILP32 work.

Regards

Bamvor

>>> I think there is also a number of glibc functions that don't directly
>>> map to syscalls. Most notably wrappers around various ioctl's (e.g.
>>> ptsname). Do you test them?
>>
>> No. Currently, our tools only focus on the syscall functions in glibc. At
>> this syscall level, we could compare the parameter and return value
>> directly. As you said, there are only several types of issues. It is easy
>> to handle by tools.
>>
>> I do not know how to test these complex cases. E.g. the ptsname may call
>> ioctl, *stat* syscall. Comparing the original parameter is meaningless. But
>> it seems a good type of testcase to show how the user uses the syscalls.
>> Do you have some ideas?
>
> I don't have any ideas for automated testing. One could write a model,
> of course....
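
Added example, not part of the original thread and not code from the tool being discussed: a sketch of the "predefined set of special values" approach, comparing the argument a caller passed with the value the callee observed and classifying the mismatch. The wrapper_* functions are hypothetical models standing in for the libc-to-kernel path, the special values are constructed, and treating swapped 32-bit halves as the endianness symptom is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Ways a 64-bit syscall argument can be mangled between caller and callee. */
enum arg_defect { ARG_OK, ARG_TRUNCATED, ARG_SIGN_EXTENDED, ARG_HALVES_SWAPPED, ARG_OTHER };

/* Constructed special values: boundaries around bit 31 and bit 32, plus a
 * pattern whose two 32-bit halves differ. */
static const uint64_t special_values[] = {
    0x0ULL, 0x7fffffffULL, 0x80000000ULL, 0xffffffffULL,
    0x100000000ULL, 0x0123456789abcdefULL, 0xffffffff80000000ULL,
};
#define N_SPECIAL (sizeof special_values / sizeof special_values[0])

static uint64_t low32(uint64_t v) { return v & 0xffffffffULL; }
static uint64_t sext32(uint64_t v)  /* sign-extend bit 31 of the low word */
{
    return (v & 0x80000000ULL) ? (low32(v) | 0xffffffff00000000ULL) : low32(v);
}

/* Compare what the caller passed with what the callee observed. */
enum arg_defect classify(uint64_t sent, uint64_t seen)
{
    if (seen == sent)                          return ARG_OK;
    if (seen == low32(sent))                   return ARG_TRUNCATED;
    if (seen == sext32(sent))                  return ARG_SIGN_EXTENDED;
    if (seen == ((sent << 32) | (sent >> 32))) return ARG_HALVES_SWAPPED;
    return ARG_OTHER;
}

/* Hypothetical models of a wrapper path, standing in for libc -> kernel. */
uint64_t wrapper_ok(uint64_t a)    { return a; }
uint64_t wrapper_trunc(uint64_t a) { return low32(a); }
uint64_t wrapper_sext(uint64_t a)  { return sext32(a); }

/* Run every special value through a wrapper; return a bitmask of defects. */
unsigned probe(uint64_t (*wrapper)(uint64_t))
{
    unsigned mask = 0;
    for (size_t i = 0; i < N_SPECIAL; i++) {
        enum arg_defect d = classify(special_values[i], wrapper(special_values[i]));
        if (d != ARG_OK) mask |= 1u << d;
    }
    return mask;
}

int main(void)
{
    printf("ok=%#x trunc=%#x sext=%#x\n",
           probe(wrapper_ok), probe(wrapper_trunc), probe(wrapper_sext));
    return 0;
}
```

0x7fffffff passes through all three models unchanged, which is why the value set needs entries on both sides of bit 31 and bit 32. The sign-extending model also sets the truncation bit, because at 0x100000000 both defects produce 0 and cannot be told apart by that value alone.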