Date: Thu, 14 Apr 2022 13:59:29 +0000
Message-Id: <20220414135941.1732585-1-ascull@google.com>
Subject: [PATCH 00/11] Fuzzing and ASAN for sandbox
From: Andrew Scull
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, xypron.glpk@gmx.de, Andrew Scull
This series sets up a basic fuzzing infrastructure that works with
sandbox. The example fuzz test towards the end of the series will find
something pretty quickly. That something is fixed by the series
"virtio: Harden and test vring" that needs to be applied for the final
patch in this series.

There is some refactoring to stop using '.' prefixed sections that elf
defines as being for system use and clang's ASAN instrumentation
happily adds redzones between, but that's not what we want for things
like linker lists where the linker script has carefully placed the
sections contiguously.

It may require patches from the "Fix misc ASAN reports" series to be
applied as I've already dealt with the first set of ASAN reports from
running the tests.

From v1:
 - corrected handling of EFI symbols by sandbox linker script
 - per comments, some renaming and explaining
 - dropped RFC for dlmalloc ASAN instrumentation (work required to
   improve it)
 - added patch to reduce logging noise in fuzzer

Andrew Scull (12):
  sandbox: Fix EFI runtime symbol placement
  sandbox: Rename EFI runtime sections
  sandbox: Migrate getopt section to linker list
  linker_lists: Rename sections to remove . prefix
  sandbox: Add support for Address Sanitizer
  fuzzing_engine: Add fuzzing engine uclass
  test: fuzz: Add framework for fuzzing
  sandbox: Decouple program entry from sandbox init
  sandbox: Add libfuzzer integration
  sandbox: Implement fuzzing engine driver
  fuzz: virtio: Add fuzzer for vring
  virtio_ring: Reduce logging noise

 Kconfig | 16 +++
 arch/Kconfig | 2 +
 arch/arc/cpu/u-boot.lds | 4 +-
 arch/arm/config.mk | 4 +-
 arch/arm/cpu/arm926ejs/sunxi/u-boot-spl.lds | 4 +-
 arch/arm/cpu/armv7/sunxi/u-boot-spl.lds | 4 +-
 arch/arm/cpu/armv8/u-boot-spl.lds | 4 +-
 arch/arm/cpu/armv8/u-boot.lds | 4 +-
 arch/arm/cpu/u-boot-spl.lds | 4 +-
 arch/arm/cpu/u-boot.lds | 6 +-
 arch/arm/mach-at91/arm926ejs/u-boot-spl.lds | 2 +-
 arch/arm/mach-at91/armv7/u-boot-spl.lds | 2 +-
 arch/arm/mach-omap2/u-boot-spl.lds | 4 +-
 arch/arm/mach-orion5x/u-boot-spl.lds | 4 +-
 arch/arm/mach-rockchip/u-boot-tpl-v8.lds | 4 +-
 arch/arm/mach-zynq/u-boot-spl.lds | 4 +-
 arch/arm/mach-zynq/u-boot.lds | 4 +-
 arch/m68k/cpu/u-boot.lds | 4 +-
 arch/microblaze/cpu/u-boot-spl.lds | 4 +-
 arch/microblaze/cpu/u-boot.lds | 4 +-
 arch/mips/config.mk | 2 +-
 arch/mips/cpu/u-boot-spl.lds | 4 +-
 arch/mips/cpu/u-boot.lds | 4 +-
 arch/nds32/cpu/n1213/u-boot.lds | 4 +-
 arch/nios2/cpu/u-boot.lds | 4 +-
 arch/powerpc/cpu/mpc83xx/u-boot.lds | 4 +-
 arch/powerpc/cpu/mpc85xx/u-boot-nand.lds | 4 +-
 arch/powerpc/cpu/mpc85xx/u-boot-nand_spl.lds | 4 +-
 arch/powerpc/cpu/mpc85xx/u-boot-spl.lds | 4 +-
 arch/powerpc/cpu/mpc85xx/u-boot.lds | 4 +-
 arch/riscv/cpu/u-boot-spl.lds | 4 +-
 arch/riscv/cpu/u-boot.lds | 4 +-
 arch/sandbox/config.mk | 15 ++-
 arch/sandbox/cpu/os.c | 97 ++++++++++++++++---
 arch/sandbox/cpu/start.c | 12 +--
 arch/sandbox/cpu/u-boot-spl.lds | 10 +-
 arch/sandbox/cpu/u-boot.lds | 41 ++++----
 arch/sandbox/dts/test.dts | 4 +
 arch/sandbox/include/asm/fuzzing_engine.h | 25 +++++
 arch/sandbox/include/asm/getopt.h | 19 ++--
 arch/sandbox/include/asm/main.h | 18 ++++
 arch/sandbox/include/asm/sections.h | 25 -----
 arch/sandbox/lib/sections.c | 8 +-
 arch/sh/cpu/u-boot.lds | 4 +-
 arch/x86/cpu/u-boot-64.lds | 6 +-
 arch/x86/cpu/u-boot-spl.lds | 6 +-
 arch/x86/cpu/u-boot.lds | 6 +-
 arch/x86/lib/elf_ia32_efi.lds | 4 +-
 arch/x86/lib/elf_x86_64_efi.lds | 4 +-
 arch/xtensa/cpu/u-boot.lds | 2 +-
 arch/xtensa/include/asm/ldscript.h | 4 +-
 board/compulab/cm_t335/u-boot.lds | 4 +-
 board/cssi/MCR3000/u-boot.lds | 4 +-
 .../davinci/da8xxevm/u-boot-spl-da850evm.lds | 2 +-
 board/qualcomm/dragonboard820c/u-boot.lds | 4 +-
 board/samsung/common/exynos-uboot-spl.lds | 4 +-
 board/synopsys/iot_devkit/u-boot.lds | 4 +-
 board/ti/am335x/u-boot.lds | 4 +-
 board/vscom/baltos/u-boot.lds | 4 +-
 configs/sandbox_defconfig | 1 +
 doc/api/linker_lists.rst | 22 ++---
 doc/develop/commands.rst | 4 +-
 doc/develop/driver-model/of-plat.rst | 4 +-
 drivers/Kconfig | 2 +
 drivers/Makefile | 1 +
 drivers/fuzz/Kconfig | 17 ++++
 drivers/fuzz/Makefile | 8 ++
 drivers/fuzz/fuzzing_engine-uclass.c | 28 ++++++
 drivers/fuzz/sandbox_fuzzing_engine.c | 35 +++++++
 drivers/virtio/virtio_ring.c | 4 +-
 include/dm/uclass-id.h | 1 +
 include/fuzzing_engine.h | 51 ++++++++++
 include/linker_lists.h | 18 ++--
 include/test/fuzz.h | 51 ++++++++++
 test/Makefile | 1 +
 test/fuzz/Makefile | 8 ++
 test/fuzz/cmd_fuzz.c | 82 ++++++++++++++++
 test/fuzz/virtio.c | 72 ++++++++++++++
 78 files changed, 680 insertions(+), 204 deletions(-)
 create mode 100644 arch/sandbox/include/asm/fuzzing_engine.h
 create mode 100644 arch/sandbox/include/asm/main.h
 create mode 100644 drivers/fuzz/Kconfig
 create mode 100644 drivers/fuzz/Makefile
 create mode 100644 drivers/fuzz/fuzzing_engine-uclass.c
 create mode 100644 drivers/fuzz/sandbox_fuzzing_engine.c
 create mode 100644 include/fuzzing_engine.h
 create mode 100644 include/test/fuzz.h
 create mode 100644 test/fuzz/Makefile
 create mode 100644 test/fuzz/cmd_fuzz.c
 create mode 100644 test/fuzz/virtio.c

-- 
2.35.1.1178.g4f1659d476-goog
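The contiguity assumption behind the linker lists mentioned in the cover letter, as an added illustration that is neither part of this series nor U-Boot's own linker_lists.h: entries are dropped into one named section and walked as a plain array, so any padding inserted between them (such as ASAN global redzones) breaks the walk, and a cheap stride check can detect that. The entry type, macro and section name are hypothetical; the `__start_`/`__stop_` symbols are assumed to be synthesised by GNU ld or lld, which they are for sections whose name is a valid C identifier (hence no '.' prefix).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical list entry standing in for what a linker list holds. */
struct demo_cmd {
	const char *name;
	int (*run)(int);
};

/*
 * Place each entry in section "demo_cmd_list" (a C identifier, so the
 * linker provides __start_/__stop_ symbols). aligned(8) pins the
 * alignment so the compiler itself does not pad between entries.
 */
#define DEMO_CMD(_name, _fn) \
	static const struct demo_cmd _demo_##_fn \
	__attribute__((section("demo_cmd_list"), used, aligned(8))) = \
		{ _name, _fn }

static int cmd_double(int x) { return 2 * x; }
static int cmd_negate(int x) { return -x; }
DEMO_CMD("double", cmd_double);
DEMO_CMD("negate", cmd_negate);

extern const struct demo_cmd __start_demo_cmd_list[];
extern const struct demo_cmd __stop_demo_cmd_list[];

static uintptr_t demo_cmd_list_bytes(void)
{
	return (uintptr_t)__stop_demo_cmd_list -
	       (uintptr_t)__start_demo_cmd_list;
}

/* Sanity check: the section must be an exact multiple of the entry size.
 * Redzones or other padding between entries make this return 0. */
int demo_cmd_list_is_contiguous(void)
{
	return demo_cmd_list_bytes() % sizeof(struct demo_cmd) == 0;
}

size_t demo_cmd_count(void)
{
	return demo_cmd_list_bytes() / sizeof(struct demo_cmd);
}

/* Walk the section as an array, exactly as a linker-list iterator does. */
const struct demo_cmd *demo_cmd_find(const char *name)
{
	const struct demo_cmd *e;

	for (e = __start_demo_cmd_list; e < __stop_demo_cmd_list; e++)
		if (strcmp(e->name, name) == 0)
			return e;
	return NULL;
}
```

Building this with a sanitizer that instruments the entries would show up as `demo_cmd_list_is_contiguous()` returning 0, which is the kind of breakage the section renaming in this series avoids.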