public inbox for u-boot@lists.denx.de
From: Andrew Scull <ascull@google.com>
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, trini@konsulko.com, xypron.glpk@gmx.de,
	 jonbottarini@google.com, seanga2@gmail.com,
	Andrew Scull <ascull@google.com>
Subject: [PATCH v3 00/13] Fuzzing and ASAN for sandbox
Date: Mon, 30 May 2022 10:00:00 +0000	[thread overview]
Message-ID: <20220530100013.3753780-1-ascull@google.com> (raw)

This series introduces ASAN and a basic fuzzing infrastructure that
works with sandbox. The example fuzz test towards the end of the series
will find something pretty quickly. That something is fixed by the
series "virtio: Harden and test vring" that needs to be applied for the
final patch in this series.

There is some refactoring to stop using '.' prefixed sections. ELF
defines sections with names that contain anything that isn't
alphanumeric or an underscore as being for system use, which means
clang's ASAN instrumentation happily adds redzones between the contained
objects. That's not what we want for things like linker lists where the
linker script has carefully placed the sections contiguously. By
renaming the sections, clang sees them as user sections and doesn't add
instrumentation.

ASAN is left disabled by default as there are still some tests that it
triggers on and will need some more investigation to fix. It can be
enabled with CONFIG_ASAN or passing `-a ASAN` to buildman.

I abandoned the previous attempts to refactor sandbox EFI and getopt
declaration as the changes resulted in problems out of the scope of this
CL. I haven't tried to understand what EFI on sandbox should look like,
but I have found that the linker list implementation is very brittle
when up against compiler optimisation since ef123c5253 started to use
static, zero-length arrays to mark the beginning and end of lists but
the compiler sees this as something it can get rid of.

From v1:
 - corrected handling of EFI symbols by sandbox linker script
 - per comments, some renaming and explaining
 - dropped RFC for dlmalloc ASAN instrumentation (work required to improve it)
 - added patch to reduce logging noise in fuzzer

From v2:
 - remove sandbox EFI and getopt refactoring, they obstruct the series
 - resolve a couple more ASAN errors
 - fix LTO, xtensa and MIPS builds
 - add ASAN build targets for CI

Andrew Scull (13):
  serial: sandbox: Fix buffer underflow in puts
  sandbox: Rename EFI runtime sections
  sandbox: Rename getopt sections
  linker_lists: Rename sections to remove . prefix
  sandbox: Add support for Address Sanitizer
  test/py: test_stackprotector: Disable for ASAN
  CI: Azure: Build with ASAN enabled
  fuzzing_engine: Add fuzzing engine uclass
  test: fuzz: Add framework for fuzzing
  sandbox: Decouple program entry from sandbox init
  sandbox: Add libfuzzer integration
  sandbox: Implement fuzzing engine driver
  fuzz: virtio: Add fuzzer for vring

 .azure-pipelines.yml                          |  6 ++
 Kconfig                                       | 16 ++++
 arch/Kconfig                                  |  2 +
 arch/arc/cpu/u-boot.lds                       |  4 +-
 arch/arm/config.mk                            |  4 +-
 arch/arm/cpu/arm926ejs/sunxi/u-boot-spl.lds   |  4 +-
 arch/arm/cpu/armv7/sunxi/u-boot-spl.lds       |  4 +-
 arch/arm/cpu/armv8/u-boot-spl.lds             |  4 +-
 arch/arm/cpu/armv8/u-boot.lds                 |  4 +-
 arch/arm/cpu/u-boot-spl.lds                   |  4 +-
 arch/arm/cpu/u-boot.lds                       |  6 +-
 arch/arm/mach-at91/arm926ejs/u-boot-spl.lds   |  2 +-
 arch/arm/mach-at91/armv7/u-boot-spl.lds       |  2 +-
 arch/arm/mach-omap2/u-boot-spl.lds            |  4 +-
 arch/arm/mach-orion5x/u-boot-spl.lds          |  4 +-
 arch/arm/mach-rockchip/u-boot-tpl-v8.lds      |  4 +-
 arch/arm/mach-zynq/u-boot-spl.lds             |  4 +-
 arch/arm/mach-zynq/u-boot.lds                 |  4 +-
 arch/m68k/cpu/u-boot.lds                      |  4 +-
 arch/microblaze/cpu/u-boot-spl.lds            |  4 +-
 arch/microblaze/cpu/u-boot.lds                |  4 +-
 arch/mips/config.mk                           |  2 +-
 arch/mips/cpu/u-boot-spl.lds                  |  4 +-
 arch/mips/cpu/u-boot.lds                      |  4 +-
 arch/nios2/cpu/u-boot.lds                     |  4 +-
 arch/powerpc/cpu/mpc83xx/u-boot.lds           |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot-spl.lds       |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot.lds           |  4 +-
 arch/riscv/cpu/u-boot-spl.lds                 |  4 +-
 arch/riscv/cpu/u-boot.lds                     |  4 +-
 arch/sandbox/config.mk                        | 21 ++++-
 arch/sandbox/cpu/os.c                         | 76 +++++++++++++++++
 arch/sandbox/cpu/start.c                      |  2 +-
 arch/sandbox/cpu/u-boot-spl.lds               | 10 +--
 arch/sandbox/cpu/u-boot.lds                   | 32 ++++----
 arch/sandbox/dts/test.dts                     |  4 +
 arch/sandbox/include/asm/fuzzing_engine.h     | 25 ++++++
 arch/sandbox/include/asm/getopt.h             |  2 +-
 arch/sandbox/include/asm/main.h               | 18 ++++
 arch/sandbox/include/asm/sections.h           |  4 +-
 arch/sandbox/lib/sections.c                   |  8 +-
 arch/sh/cpu/u-boot.lds                        |  4 +-
 arch/x86/cpu/u-boot-64.lds                    |  6 +-
 arch/x86/cpu/u-boot-spl.lds                   |  6 +-
 arch/x86/cpu/u-boot.lds                       |  6 +-
 arch/x86/lib/elf_ia32_efi.lds                 |  4 +-
 arch/x86/lib/elf_x86_64_efi.lds               |  4 +-
 arch/xtensa/cpu/u-boot.lds                    |  4 +-
 arch/xtensa/include/asm/ldscript.h            | 13 ++-
 board/compulab/cm_t335/u-boot.lds             |  4 +-
 board/cssi/MCR3000/u-boot.lds                 |  4 +-
 .../davinci/da8xxevm/u-boot-spl-da850evm.lds  |  2 +-
 board/qualcomm/dragonboard820c/u-boot.lds     |  4 +-
 board/samsung/common/exynos-uboot-spl.lds     |  4 +-
 board/synopsys/iot_devkit/u-boot.lds          |  4 +-
 board/ti/am335x/u-boot.lds                    |  4 +-
 board/vscom/baltos/u-boot.lds                 |  4 +-
 doc/api/linker_lists.rst                      | 22 ++---
 doc/develop/commands.rst                      |  4 +-
 doc/develop/driver-model/of-plat.rst          |  4 +-
 drivers/Kconfig                               |  2 +
 drivers/Makefile                              |  1 +
 drivers/fuzz/Kconfig                          | 17 ++++
 drivers/fuzz/Makefile                         |  8 ++
 drivers/fuzz/fuzzing_engine-uclass.c          | 28 +++++++
 drivers/fuzz/sandbox_fuzzing_engine.c         | 35 ++++++++
 drivers/serial/sandbox.c                      |  2 +-
 include/dm/uclass-id.h                        |  1 +
 include/fuzzing_engine.h                      | 51 ++++++++++++
 include/linker_lists.h                        | 18 ++--
 include/test/fuzz.h                           | 51 ++++++++++++
 test/Makefile                                 |  1 +
 test/fuzz/Makefile                            |  8 ++
 test/fuzz/cmd_fuzz.c                          | 82 +++++++++++++++++++
 test/fuzz/virtio.c                            | 72 ++++++++++++++++
 test/py/tests/test_stackprotector.py          |  1 +
 tools/mips-relocs.c                           |  9 +-
 77 files changed, 673 insertions(+), 151 deletions(-)
 create mode 100644 arch/sandbox/include/asm/fuzzing_engine.h
 create mode 100644 arch/sandbox/include/asm/main.h
 create mode 100644 drivers/fuzz/Kconfig
 create mode 100644 drivers/fuzz/Makefile
 create mode 100644 drivers/fuzz/fuzzing_engine-uclass.c
 create mode 100644 drivers/fuzz/sandbox_fuzzing_engine.c
 create mode 100644 include/fuzzing_engine.h
 create mode 100644 include/test/fuzz.h
 create mode 100644 test/fuzz/Makefile
 create mode 100644 test/fuzz/cmd_fuzz.c
 create mode 100644 test/fuzz/virtio.c

-- 
2.36.1.124.g0e6072fb45-goog
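The cover letter's point about '.'-prefixed sections and ASAN redzones, shown as an added example that is not part of this series or of U-Boot's code: a minimal linker-list walk whose section name is a plain C identifier, so the linker emits start/stop symbols for it and clang's ASAN treats it as a user section. The section name, struct and entry names are assumed for the demo.

```c
/*
 * Added example, not from the series: a minimal linker-list walk in the style
 * of U-Boot's linker_lists.h. The section name is a plain C identifier (no '.'
 * prefix), so GNU ld/lld emit __start_/__stop_ symbols for it and clang's ASAN
 * treats it as a user section, inserting no redzones between the entries. The
 * stride-based walk below relies on exactly that contiguity. (Names assumed.)
 */
#include <stdio.h>

struct demo_entry {
	const char *name;
	int value;
};

/* 'used' keeps each entry even though nothing references it by name */
#define DEMO_ENTRY(_name, _value)                                          \
	static const struct demo_entry _demo_##_name __attribute__((used,     \
		section("u_boot_list_2_demo_2_entry"),                         \
		aligned(sizeof(void *)))) = { .name = #_name, .value = (_value) }

DEMO_ENTRY(alpha, 1);
DEMO_ENTRY(beta, 20);
DEMO_ENTRY(gamma, 300);

/* GNU ld and lld provide these for any section with a C-identifier name */
extern const struct demo_entry __start_u_boot_list_2_demo_2_entry[];
extern const struct demo_entry __stop_u_boot_list_2_demo_2_entry[];

/* Entry count from the section bounds: wrong if anything pads the section */
size_t demo_list_count(void)
{
	return (size_t)(__stop_u_boot_list_2_demo_2_entry -
			__start_u_boot_list_2_demo_2_entry);
}

/* Walk by stride, as users of ll_entry_start()/ll_entry_count() do */
int demo_list_sum(void)
{
	const struct demo_entry *e;
	int sum = 0;

	for (e = __start_u_boot_list_2_demo_2_entry;
	     e < __stop_u_boot_list_2_demo_2_entry; e++)
		sum += e->value;
	return sum;
}

int main(void)
{
	printf("%zu entries, sum %d\n", demo_list_count(), demo_list_sum());
	return 0;
}
```

With a '.'-prefixed section name the start/stop symbols would not be generated at all, and under ASAN the added redzones would make the count and the stride wrong, which is the breakage the renaming in this series avoids.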

