Date: Thu, 7 Apr 2022 09:41:20 +0000
In-Reply-To: <20220407094123.1752236-1-ascull@google.com>
Message-Id: <20220407094123.1752236-9-ascull@google.com>
References: <20220407094123.1752236-1-ascull@google.com>
Subject: [PATCH 08/11] sandbox: Add libfuzzer integration
From: Andrew Scull
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, seanga2@gmail.com, Andrew Scull

Add an implementation of LLVMFuzzerTestOneInput() that starts the sandbox on a secondary thread and exposes a function to synchronize the generation of fuzzing inputs with their consumption by the sandbox.

Signed-off-by: Andrew Scull
---
 arch/sandbox/config.mk | 3 +
 arch/sandbox/cpu/os.c | 70 +++++++++++++++++++++++
 arch/sandbox/include/asm/fuzzing_engine.h | 25 ++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 arch/sandbox/include/asm/fuzzing_engine.h

diff --git a/arch/sandbox/config.mk b/arch/sandbox/config.mk index d7ce66fb6c..5fbe1f50e3 100644 --- a/arch/sandbox/config.mk +++ b/arch/sandbox/config.mk @@ -19,6 +19,9 @@ SANITIZERS := ifdef CONFIG_ASAN SANITIZERS += -fsanitize=address endif +ifdef CONFIG_FUZZ +SANITIZERS += -fsanitize=fuzzer +endif KBUILD_CFLAGS += $(SANITIZERS) cmd_u-boot__ = $(CC) -o $@ -Wl,-T u-boot.lds $(u-boot-init) \ diff --git a/arch/sandbox/cpu/os.c b/arch/sandbox/cpu/os.c index 5ea4135741..cd45d7b6b6 100644 --- a/arch/sandbox/cpu/os.c +++ b/arch/sandbox/cpu/os.c @@ -8,6 +8,7 @@ #include #include #include +#include #include #include #include @@ -26,6 +27,7 @@ #include #include +#include #include #include #include
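Review bot: In the config.mk hunk, -fsanitize=fuzzer has to reach the link step as well as KBUILD_CFLAGS, because libFuzzer supplies the program's main() (which is why the os.c main() becomes conditional); the cmd_u-boot__ link rule is cut off in the context shown, so please confirm $(SANITIZERS) is part of it, as it already must be for -fsanitize=address to work. -fsanitize=fuzzer is also clang-only, and the Kconfig for CONFIG_FUZZ is not in this patch; it should depend on the compiler being clang so a gcc build does not fail on the sanitizer flag.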
@@ -1002,7 +1004,75 @@ void os_relaunch(char *argv[]) os_exit(1); } + +#ifdef CONFIG_FUZZ +static void *fuzzer_thread(void * ptr) +{ + char cmd[64]; + char *argv[5] = {"./u-boot", "-T", "-c", cmd, NULL}; + const char *fuzz_test; + + /* Find which test to run from an environment variable. */ + fuzz_test = getenv("UBOOT_SB_FUZZ_TEST"); + if (!fuzz_test) + os_abort(); + + snprintf(cmd, sizeof(cmd), "fuzz %s", fuzz_test); + + sandbox_main(4, argv); + os_abort(); + return NULL; +} + +static bool fuzzer_initialized = false; +static pthread_mutex_t fuzzer_mutex = PTHREAD_MUTEX_INITIALIZER; +static pthread_cond_t fuzzer_cond = PTHREAD_COND_INITIALIZER; +static const uint8_t *fuzzer_data; +static size_t fuzzer_size; + +int sandbox_fuzzing_engine_get_input(const uint8_t **data, size_t *size) +{ + if (!fuzzer_initialized) + return -ENOSYS; + + /* Tell the main thread we need new inputs then wait for them. */ + pthread_mutex_lock(&fuzzer_mutex); + pthread_cond_signal(&fuzzer_cond); + pthread_cond_wait(&fuzzer_cond, &fuzzer_mutex); + *data = fuzzer_data; + *size = fuzzer_size; + pthread_mutex_unlock(&fuzzer_mutex); + return 0; +} + +int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + static pthread_t tid; + + pthread_mutex_lock(&fuzzer_mutex); + + /* Initialize the sandbox on another thread. */ + if (!fuzzer_initialized) { + fuzzer_initialized = true; + if (pthread_create(&tid, NULL, fuzzer_thread, NULL)) + os_abort(); + pthread_cond_wait(&fuzzer_cond, &fuzzer_mutex); + } + + /* Hand over the input. */ + fuzzer_data = data; + fuzzer_size = size; + pthread_cond_signal(&fuzzer_cond); + + /* Wait for the inputs to be finished with. */ + pthread_cond_wait(&fuzzer_cond, &fuzzer_mutex); + pthread_mutex_unlock(&fuzzer_mutex); + + return 0; +} +#else int main(int argc, char *argv[]) { return sandbox_main(argc, argv); } +#endif 
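Review bot: In the os.c hunk, every pthread_cond_wait() on fuzzer_cond, in both sandbox_fuzzing_engine_get_input() and LLVMFuzzerTestOneInput(), is unconditional, so a spurious wakeup (which POSIX permits) lets either side proceed early: the main thread can return from LLVMFuzzerTestOneInput() while the sandbox thread is still reading `data`, which libFuzzer then reuses, and the sandbox thread can pick up stale fuzzer_data/fuzzer_size. Because one condition variable carries both directions, a loop on the condvar alone cannot distinguish the two wakeups; keep an explicit state (e.g. input requested / input ready / input consumed) updated under fuzzer_mutex and wrap each wait in `while (state != expected) pthread_cond_wait(&fuzzer_cond, &fuzzer_mutex);`, or use one condvar per direction. Minor: `void * ptr` should be `void *ptr`, checkpatch will object to `static bool fuzzer_initialized = false;` (drop the initializer), and the 64-byte `cmd` silently truncates a long UBOOT_SB_FUZZ_TEST name; checking the snprintf() return value and calling os_abort() on truncation would make that failure obvious instead of surfacing as an unknown fuzz test.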
diff --git a/arch/sandbox/include/asm/fuzzing_engine.h b/arch/sandbox/include/asm/fuzzing_engine.h new file mode 100644 index 0000000000..cf6396363b --- /dev/null +++ b/arch/sandbox/include/asm/fuzzing_engine.h @@ -0,0 +1,25 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (c) 2022 Google, Inc. + * Written by Andrew Scull + */ + +#ifndef __ASM_FUZZING_ENGINE_H +#define __ASM_FUZZING_ENGINE_H + +/** Function to get fuzzing engine input data. */ +/** + * sandbox_fuzzing_engine_get_input() - get an input from the sandbox fuzzing + * engine + * + * The function will return a pointer to the input data and the size of the + * data pointed to. The pointer will remain valid until the next invocation of + * this function. + * + * @data: output pointer to input data + * @size output size of input data + * Return: 0 if OK, -ve on error + */ +int sandbox_fuzzing_engine_get_input(const uint8_t **data, size_t *size); + +#endif /* __ASM_FUZZING_ENGINE_H */ -- 2.35.1.1094.g7c7d902a7c-goog
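Review bot: The new fuzzing_engine.h is not self-contained: it uses uint8_t and size_t but includes nothing, so it only compiles after another header has pulled those types in; add the types header (e.g. <linux/types.h>) at the top. In the comment block, the one-line `/** Function to get fuzzing engine input data. */` duplicates the kernel-doc comment immediately below it and should be dropped, and `@size output size of input data` is missing the colon (`@size: output size of input data`) that kernel-doc needs to recognise the parameter.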