From: Andrew Scull
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, trini@konsulko.com, xypron.glpk@gmx.de, jonbottarini@google.com, seanga2@gmail.com, Andrew Scull
Date: Mon, 30 May 2022 10:00:00 +0000
Message-Id: <20220530100013.3753780-1-ascull@google.com>
Subject: [PATCH v3 00/13] Fuzzing and ASAN for sandbox
List-Id: U-Boot discussion
This series introduces ASAN and a basic fuzzing infrastructure that works with sandbox. The example fuzz test towards the end of the series will find something pretty quickly. That something is fixed by the series "virtio: Harden and test vring" that needs to be applied for the final patch in this series.

There is some refactoring to stop using '.' prefixed sections. ELF defines sections with names that contain anything that isn't alphanumeric or an underscore as being for system use, which means clang's ASAN instrumentation happily adds redzones between the contained objects. That's not what we want for things like linker lists where the linker script has carefully placed the sections contiguously. By renaming the sections, clang sees them as user sections and doesn't add instrumentation.

ASAN is left disabled by default as there are still some tests that it triggers on and will need some more investigation to fix. It can be enabled with CONFIG_ASAN or passing `-a ASAN` to buildman.

I abandoned the previous attempts to refactor sandbox EFI and getopt declaration as the changes resulted in problems out of the scope of this CL. I haven't tried to understand what EFI on sandbox should look like, but I have found that the linker list implementation is very brittle when up against compiler optimisation since ef123c5253 started to use static, zero-length arrays to mark the beginning and end of lists but the compiler sees this as something it can get rid of.
From v1:
- corrected handling of EFI symbols by sandbox linker script
- per comments, some renaming and explaining
- dropped RFC for dlmalloc ASAN instrumentation (work required to improve it)
- added patch to reduce logging noise in fuzzer

From v2:
- remove sandbox EFI and getopt refactoring, they obstruct the series
- resolve a couple more ASAN errors
- fix LTO, xtensa and MIPS builds
- add ASAN build targets for CI

Andrew Scull (13):
  serial: sandbox: Fix buffer underflow in puts
  sandbox: Rename EFI runtime sections
  sandbox: Rename getopt sections
  linker_lists: Rename sections to remove . prefix
  sandbox: Add support for Address Sanitizer
  test/py: test_stackprotector: Disable for ASAN
  CI: Azure: Build with ASAN enabled
  fuzzing_engine: Add fuzzing engine uclass
  test: fuzz: Add framework for fuzzing
  sandbox: Decouple program entry from sandbox init
  sandbox: Add libfuzzer integration
  sandbox: Implement fuzzing engine driver
  fuzz: virtio: Add fuzzer for vring

 .azure-pipelines.yml                          |  6 ++
 Kconfig                                       | 16 ++++
 arch/Kconfig                                  |  2 +
 arch/arc/cpu/u-boot.lds                       |  4 +-
 arch/arm/config.mk                            |  4 +-
 arch/arm/cpu/arm926ejs/sunxi/u-boot-spl.lds   |  4 +-
 arch/arm/cpu/armv7/sunxi/u-boot-spl.lds       |  4 +-
 arch/arm/cpu/armv8/u-boot-spl.lds             |  4 +-
 arch/arm/cpu/armv8/u-boot.lds                 |  4 +-
 arch/arm/cpu/u-boot-spl.lds                   |  4 +-
 arch/arm/cpu/u-boot.lds                       |  6 +-
 arch/arm/mach-at91/arm926ejs/u-boot-spl.lds   |  2 +-
 arch/arm/mach-at91/armv7/u-boot-spl.lds       |  2 +-
 arch/arm/mach-omap2/u-boot-spl.lds            |  4 +-
 arch/arm/mach-orion5x/u-boot-spl.lds          |  4 +-
 arch/arm/mach-rockchip/u-boot-tpl-v8.lds      |  4 +-
 arch/arm/mach-zynq/u-boot-spl.lds             |  4 +-
 arch/arm/mach-zynq/u-boot.lds                 |  4 +-
 arch/m68k/cpu/u-boot.lds                      |  4 +-
 arch/microblaze/cpu/u-boot-spl.lds            |  4 +-
 arch/microblaze/cpu/u-boot.lds                |  4 +-
 arch/mips/config.mk                           |  2 +-
 arch/mips/cpu/u-boot-spl.lds                  |  4 +-
 arch/mips/cpu/u-boot.lds                      |  4 +-
 arch/nios2/cpu/u-boot.lds                     |  4 +-
 arch/powerpc/cpu/mpc83xx/u-boot.lds           |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot-spl.lds       |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot.lds           |  4 +-
 arch/riscv/cpu/u-boot-spl.lds                 |  4 +-
 arch/riscv/cpu/u-boot.lds                     |  4 +-
 arch/sandbox/config.mk                        | 21 ++++-
 arch/sandbox/cpu/os.c                         | 76 +++++++++++++++++
 arch/sandbox/cpu/start.c                      |  2 +-
 arch/sandbox/cpu/u-boot-spl.lds               | 10 +--
 arch/sandbox/cpu/u-boot.lds                   | 32 ++++----
 arch/sandbox/dts/test.dts                     |  4 +
 arch/sandbox/include/asm/fuzzing_engine.h     | 25 ++++++
 arch/sandbox/include/asm/getopt.h             |  2 +-
 arch/sandbox/include/asm/main.h               | 18 ++++
 arch/sandbox/include/asm/sections.h           |  4 +-
 arch/sandbox/lib/sections.c                   |  8 +-
 arch/sh/cpu/u-boot.lds                        |  4 +-
 arch/x86/cpu/u-boot-64.lds                    |  6 +-
 arch/x86/cpu/u-boot-spl.lds                   |  6 +-
 arch/x86/cpu/u-boot.lds                       |  6 +-
 arch/x86/lib/elf_ia32_efi.lds                 |  4 +-
 arch/x86/lib/elf_x86_64_efi.lds               |  4 +-
 arch/xtensa/cpu/u-boot.lds                    |  4 +-
 arch/xtensa/include/asm/ldscript.h            | 13 ++-
 board/compulab/cm_t335/u-boot.lds             |  4 +-
 board/cssi/MCR3000/u-boot.lds                 |  4 +-
 .../davinci/da8xxevm/u-boot-spl-da850evm.lds  |  2 +-
 board/qualcomm/dragonboard820c/u-boot.lds     |  4 +-
 board/samsung/common/exynos-uboot-spl.lds     |  4 +-
 board/synopsys/iot_devkit/u-boot.lds          |  4 +-
 board/ti/am335x/u-boot.lds                    |  4 +-
 board/vscom/baltos/u-boot.lds                 |  4 +-
 doc/api/linker_lists.rst                      | 22 ++---
 doc/develop/commands.rst                      |  4 +-
 doc/develop/driver-model/of-plat.rst          |  4 +-
 drivers/Kconfig                               |  2 +
 drivers/Makefile                              |  1 +
 drivers/fuzz/Kconfig                          | 17 ++++
 drivers/fuzz/Makefile                         |  8 ++
 drivers/fuzz/fuzzing_engine-uclass.c          | 28 +++++++
 drivers/fuzz/sandbox_fuzzing_engine.c         | 35 ++++++++
 drivers/serial/sandbox.c                      |  2 +-
 include/dm/uclass-id.h                        |  1 +
 include/fuzzing_engine.h                      | 51 ++++++++++++
 include/linker_lists.h                        | 18 ++--
 include/test/fuzz.h                           | 51 ++++++++++++
 test/Makefile                                 |  1 +
 test/fuzz/Makefile                            |  8 ++
 test/fuzz/cmd_fuzz.c                          | 82 +++++++++++++++++++
 test/fuzz/virtio.c                            | 72 ++++++++++++++++
 test/py/tests/test_stackprotector.py          |  1 +
 tools/mips-relocs.c                           |  9 +-
 77 files changed, 673 insertions(+), 151 deletions(-)
 create mode 100644 arch/sandbox/include/asm/fuzzing_engine.h
 create mode 100644 arch/sandbox/include/asm/main.h
 create mode 100644 drivers/fuzz/Kconfig
 create mode 100644 drivers/fuzz/Makefile
 create mode 100644 drivers/fuzz/fuzzing_engine-uclass.c
 create mode 100644 drivers/fuzz/sandbox_fuzzing_engine.c
 create mode 100644 include/fuzzing_engine.h
 create mode 100644 include/test/fuzz.h
 create mode 100644 test/fuzz/Makefile
 create mode 100644 test/fuzz/cmd_fuzz.c
 create mode 100644 test/fuzz/virtio.c

-- 
2.36.1.124.g0e6072fb45-goog
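The section-naming point from the cover letter, as an added example that is not part of this series or of U-Boot: a minimal linker list whose section name is a valid C identifier (`u_boot_list_demo`, a made-up name, as are the `demo_*` types and functions), so GNU ld and lld emit `__start_`/`__stop_` bounds for it and ASAN's global instrumentation leaves the objects packed. U-Boot's real lists take their bounds from the linker script rather than from these auto-generated symbols.

```c
#include <stddef.h>
#include <string.h>

/* A list entry; the list itself is assembled by the linker from objects
 * placed in one section, in the spirit of U-Boot's linker lists. */
struct demo_cmd {
	const char *name;
	int (*run)(int arg);
};

/* The section name is a valid C identifier (no '.' prefix): GNU ld and lld
 * then provide __start_/__stop_ symbols for it, and ASAN's global
 * instrumentation skips such sections, so no redzones land between entries.
 * A '.'-prefixed name gets neither, which is what the cover letter fixes. */
#define DEMO_LIST_ENTRY(sym) \
	static const struct demo_cmd sym \
	__attribute__((used, section("u_boot_list_demo")))

static int demo_add(int arg) { return arg + 1; }
static int demo_dbl(int arg) { return arg * 2; }

/* Two constructed entries; 'used' keeps them despite no direct reference. */
DEMO_LIST_ENTRY(cmd_add) = { "add", demo_add };
DEMO_LIST_ENTRY(cmd_dbl) = { "dbl", demo_dbl };

/* Bounds supplied by the linker for the orphan section above. */
extern const struct demo_cmd __start_u_boot_list_demo[];
extern const struct demo_cmd __stop_u_boot_list_demo[];

/* Entry count from the section bounds; only correct while the section
 * holds nothing but tightly packed struct demo_cmd objects. */
size_t demo_list_count(void)
{
	return (size_t)(__stop_u_boot_list_demo - __start_u_boot_list_demo);
}

/* Walks every slot and reports whether each is a real entry; zero-filled
 * redzones or padding between objects would show up as NULL fields. */
int demo_list_is_packed(void)
{
	for (const struct demo_cmd *c = __start_u_boot_list_demo;
	     c < __stop_u_boot_list_demo; c++)
		if (!c->name || !c->run)
			return 0;
	return 1;
}

/* Runs the entry called name; returns -1 when no such entry exists. */
int demo_list_run(const char *name, int arg)
{
	for (const struct demo_cmd *c = __start_u_boot_list_demo;
	     c < __stop_u_boot_list_demo; c++)
		if (strcmp(c->name, name) == 0)
			return c->run(arg);
	return -1;
}
```

Building this with `clang -fsanitize=address` keeps `demo_list_is_packed()` true because the identifier-style section name is left uninstrumented; the same objects in a '.'-prefixed section would, per the cover letter, receive redzones and would also lack the `__start_`/`__stop_` symbols.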