xen-devel.lists.xenproject.org archive mirror
* [PATCH 0/4] fuzz: basic AFL support
From: Wei Liu @ 2017-01-20 12:11 UTC (permalink / raw)
  To: Xen-devel
  Cc: Wei Liu, George Dunlap, Andrew Cooper, Ian Jackson, Julien Grall,
	Jan Beulich

Provide simple stub programs for AFL fuzzer. For usage, please see README.afl.

This series doesn't aim to improve fuzzing targets. It is just a demonstration
of how we could use the same fuzzing code for both oss-fuzz and AFL.

The stub programs are identical in libelf and the x86 emulator at the moment, but
they will likely diverge in the future. The duplication of code is deliberate.

Julien, FYI I think the in-tree libfdt could have something similar, too.

Wei.

Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Julien Grall <julien.grall@arm.com>

Wei Liu (4):
  tools/fuzz: add missing dependency in x86 insn fuzzer build rule
  tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
  tools/fuzz: add AFL stub program for libelf fuzzer
  tools/fuzz: add README.afl

 .gitignore                                         |  2 ++
 tools/fuzz/README.afl                              | 27 ++++++++++++++
 tools/fuzz/{README => README.oss-fuzz}             |  0
 tools/fuzz/libelf/Makefile                         |  7 +++-
 tools/fuzz/libelf/afl-libelf-fuzzer.c              | 42 ++++++++++++++++++++++
 tools/fuzz/x86_instruction_emulator/Makefile       | 11 ++++--
 .../afl-x86-insn-emulator-fuzzer.c                 | 42 ++++++++++++++++++++++
 7 files changed, 128 insertions(+), 3 deletions(-)
 create mode 100644 tools/fuzz/README.afl
 rename tools/fuzz/{README => README.oss-fuzz} (100%)
 create mode 100644 tools/fuzz/libelf/afl-libelf-fuzzer.c
 create mode 100644 tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c

-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


* [PATCH 1/4] tools/fuzz: add missing dependency in x86 insn fuzzer build rule
From: Wei Liu @ 2017-01-20 12:11 UTC (permalink / raw)
  To: Xen-devel; +Cc: Ian Jackson, Wei Liu

The said file needs the two header files.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
---
 tools/fuzz/x86_instruction_emulator/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/fuzz/x86_instruction_emulator/Makefile b/tools/fuzz/x86_instruction_emulator/Makefile
index 1777bf6..6aef3a7 100644
--- a/tools/fuzz/x86_instruction_emulator/Makefile
+++ b/tools/fuzz/x86_instruction_emulator/Makefile
@@ -18,6 +18,8 @@ CFLAGS += $(CFLAGS_xeninclude) -D__XEN_TOOLS__
 
 x86_emulate.o: x86_emulate.c x86_emulate.h x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h
 
+x86-insn-emulator-fuzzer.o: x86_emulate.h x86_emulate/x86_emulate.h
+
 x86-insn-emulator.a: x86_emulate.o
 	$(AR) rc $@ $^
 
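Review bot: the new `x86-insn-emulator-fuzzer.o: x86_emulate.h x86_emulate/x86_emulate.h` line lists header prerequisites only and leaves the recipe to make's built-in `%.o: %.c` rule, which is consistent with the `x86_emulate.o:` line two lines above it; since the commit message only says "the said file needs the two header files", a short comment in the Makefile (or a fuller commit message) naming the fuzzer source that includes them would make the dependency self-explanatory.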
-- 
2.1.4



* [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Wei Liu @ 2017-01-20 12:11 UTC (permalink / raw)
  To: Xen-devel; +Cc: George Dunlap, Andrew Cooper, Wei Liu, Ian Jackson, Jan Beulich

This is a basic program to call into the unified fuzzing function.

Hook it up to the build system so that we can always build-test it.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
---
 .gitignore                                         |  1 +
 tools/fuzz/x86_instruction_emulator/Makefile       |  9 +++--
 .../afl-x86-insn-emulator-fuzzer.c                 | 42 ++++++++++++++++++++++
 3 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c

diff --git a/.gitignore b/.gitignore
index 7689596..881e7cb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -147,6 +147,7 @@ tools/flask/utils/flask-setenforce
 tools/flask/utils/flask-set-bool
 tools/flask/utils/flask-label-pci
 tools/fuzz/x86_instruction_emulator/x86_emulate*
+tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer
 tools/helpers/_paths.h
 tools/helpers/init-xenstore-domain
 tools/helpers/xen-init-dom0
diff --git a/tools/fuzz/x86_instruction_emulator/Makefile b/tools/fuzz/x86_instruction_emulator/Makefile
index 6aef3a7..2d1ff78 100644
--- a/tools/fuzz/x86_instruction_emulator/Makefile
+++ b/tools/fuzz/x86_instruction_emulator/Makefile
@@ -3,7 +3,7 @@ include $(XEN_ROOT)/tools/Rules.mk
 
 .PHONY: x86-instruction-emulator-fuzzer-all
 ifeq ($(CONFIG_X86_64),y)
-x86-instruction-emulator-fuzzer-all: x86-insn-emulator.a x86-insn-emulator-fuzzer.o
+x86-instruction-emulator-fuzzer-all: x86-insn-emulator.a x86-insn-emulator-fuzzer.o afl
 else
 x86-instruction-emulator-fuzzer-all:
 endif
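Review bot: making `x86-instruction-emulator-fuzzer-all` depend on `afl` means every plain `make all` also links `afl-x86-insn-emulator-fuzzer` with whatever `CC` is in use, which gives the build-testing the commit message asks for but leaves an uninstrumented binary under the `afl-` name; since a later `make CC=$(AFLPATH)/afl-gcc afl` will only relink if the objects are rebuilt, a comment here pointing at the need for `make distclean` before an instrumented build would save confusion.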
@@ -23,6 +23,8 @@ x86-insn-emulator-fuzzer.o: x86_emulate.h x86_emulate/x86_emulate.h
 x86-insn-emulator.a: x86_emulate.o
 	$(AR) rc $@ $^
 
+afl-x86-insn-emulator-fuzzer: afl-x86-insn-emulator-fuzzer.o x86-insn-emulator-fuzzer.o x86_emulate.o
+
 # Common targets
 .PHONY: all
 all: x86-instruction-emulator-fuzzer-all
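Review bot: the `afl-x86-insn-emulator-fuzzer:` rule has no recipe, so linking relies on GNU make's built-in `%: %.o` rule (`$(LINK.o) $^ $(LOADLIBES) $(LDLIBS) -o $@`), which does link all three listed objects but bypasses the `x86-insn-emulator.a` archive built just above it, so the two build paths can drift; consider `afl-x86-insn-emulator-fuzzer: afl-x86-insn-emulator-fuzzer.o x86-insn-emulator-fuzzer.o x86-insn-emulator.a` and a one-line comment saying the implicit link rule is intended.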
@@ -33,7 +35,10 @@ distclean: clean
 
 .PHONY: clean
 clean:
-	rm -f *.a *.o
+	rm -f *.a *.o afl-x86-insn-emulator-fuzzer
 
 .PHONY: install
 install: all
+
+.PHONY: afl
+afl: afl-x86-insn-emulator-fuzzer
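Review bot: the `clean:` recipe `rm -f *.a *.o afl-x86-insn-emulator-fuzzer` now has to be kept in sync by hand with every binary name added; a `*-x86-insn-emulator-fuzzer` glob (as suggested in review) or a variable holding the binary name avoids that. The `.PHONY: afl` / `afl:` pair appended after `install:` would also read better grouped with the other phony targets near the top of the file.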
diff --git a/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
new file mode 100644
index 0000000..ec5acfb
--- /dev/null
+++ b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
@@ -0,0 +1,42 @@
+#include <assert.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size);
+
+static uint8_t input[4096];
+
+int main(int argc, char **argv)
+{
+    size_t size;
+    int fd;
+
+    if ( argc != 2 )
+    {
+        printf("Expecting only one argument\n");
+        exit(1);
+    }
+
+    fd = open(argv[1], O_RDONLY, 0);
+    assert(fd != -1);
+    size = read(fd, input, sizeof(input));
+    close(fd);
+
+    LLVMFuzzerTestOneInput(input, size);
+
+    return 0;
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
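Review bot: `size` is declared `size_t` but receives the return value of read(), so a failed read() (-1) becomes SIZE_MAX and is passed straight to LLVMFuzzerTestOneInput(), which would then read far past the 4096-byte `input` buffer; declare it `ssize_t` and bail out on error, or switch to fopen()/fread() and check ferror(). Two further points in the same block: read() is not guaranteed to return the whole file in one call, so a loop or fread() is needed, and a test case longer than 4096 bytes is silently truncated, which hides from the fuzzer that the bytes under test are not the file it supplied; exiting non-zero in that case is the safer signal. The usage error should go to stderr rather than stdout, and the trailing `0` mode argument to `open(argv[1], O_RDONLY, 0)` is unnecessary.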
-- 
2.1.4



* [PATCH 3/4] tools/fuzz: add AFL stub program for libelf fuzzer
From: Wei Liu @ 2017-01-20 12:11 UTC (permalink / raw)
  To: Xen-devel; +Cc: George Dunlap, Andrew Cooper, Wei Liu, Ian Jackson, Jan Beulich

And hook it up to the build system.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
---
 .gitignore                            |  1 +
 tools/fuzz/libelf/Makefile            |  7 +++++-
 tools/fuzz/libelf/afl-libelf-fuzzer.c | 42 +++++++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 tools/fuzz/libelf/afl-libelf-fuzzer.c

diff --git a/.gitignore b/.gitignore
index 881e7cb..15344b0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -146,6 +146,7 @@ tools/flask/utils/flask-loadpolicy
 tools/flask/utils/flask-setenforce
 tools/flask/utils/flask-set-bool
 tools/flask/utils/flask-label-pci
+tools/fuzz/libelf/afl-libelf-fuzzer
 tools/fuzz/x86_instruction_emulator/x86_emulate*
 tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer
 tools/helpers/_paths.h
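Review bot: with this second explicit entry the two AFL binaries are ignored by full path; a single `tools/fuzz/*/afl-*-fuzzer` pattern would cover both and any further fuzzing target without another .gitignore edit.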
diff --git a/tools/fuzz/libelf/Makefile b/tools/fuzz/libelf/Makefile
index c73ce44..3118f3d 100644
--- a/tools/fuzz/libelf/Makefile
+++ b/tools/fuzz/libelf/Makefile
@@ -19,6 +19,8 @@ libelf.a: $(ELF_LIB_OBJS)
 .PHONY: libelf-fuzzer-all
 libelf-fuzzer-all: libelf.a libelf-fuzzer.o
 
+afl-libelf-fuzzer: afl-libelf-fuzzer.o libelf-fuzzer.o $(ELF_LIB_OBJS)
+
 # Common targets
 .PHONY: all
 all: libelf-fuzzer-all
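Review bot: unlike the x86 emulator Makefile in patch 2, `libelf-fuzzer-all` is not changed to depend on `afl`, so `make all` here will not build-test `afl-libelf-fuzzer`; either add `afl` to `libelf-fuzzer-all` for consistency or explain in the commit message why the two directories differ. As in patch 2, the recipe-less `afl-libelf-fuzzer:` rule relies on make's built-in link rule, which is worth a comment.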
@@ -28,7 +30,10 @@ distclean: clean
 
 .PHONY: clean
 clean:
-	rm -f *.o *.a
+	rm -f *.o *.a afl-libelf-fuzzer
 
 .PHONY: install
 install: all
+
+.PHONY: afl
+afl: afl-libelf-fuzzer
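Review bot: same point as for the x86 Makefile: `rm -f *.o *.a afl-libelf-fuzzer` must be kept in sync by hand, and an `afl-*-fuzzer` glob or a variable holding the binary name would avoid that; the `afl` target would also read better beside the other `.PHONY` targets rather than after `install:`.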
diff --git a/tools/fuzz/libelf/afl-libelf-fuzzer.c b/tools/fuzz/libelf/afl-libelf-fuzzer.c
new file mode 100644
index 0000000..ec5acfb
--- /dev/null
+++ b/tools/fuzz/libelf/afl-libelf-fuzzer.c
@@ -0,0 +1,42 @@
+#include <assert.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size);
+
+static uint8_t input[4096];
+
+int main(int argc, char **argv)
+{
+    size_t size;
+    int fd;
+
+    if ( argc != 2 )
+    {
+        printf("Expecting only one argument\n");
+        exit(1);
+    }
+
+    fd = open(argv[1], O_RDONLY, 0);
+    assert(fd != -1);
+    size = read(fd, input, sizeof(input));
+    close(fd);
+
+    LLVMFuzzerTestOneInput(input, size);
+
+    return 0;
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
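Review bot: this file is byte-for-byte the x86 stub (both hunks carry blob id ec5acfb), so the same defects apply: `size_t size` swallows a -1 from read() and hands SIZE_MAX to LLVMFuzzerTestOneInput(), a short read() is not handled, and inputs longer than 4096 bytes are truncated silently. The cover letter says the duplication is deliberate, but the fix should then land in both copies; alternatively a single afl-stub.c under tools/fuzz/ compiled into each directory would keep them identical by construction until they genuinely need to diverge.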
-- 
2.1.4



* [PATCH 4/4] tools/fuzz: add README.afl
From: Wei Liu @ 2017-01-20 12:11 UTC (permalink / raw)
  To: Xen-devel; +Cc: George Dunlap, Andrew Cooper, Wei Liu, Ian Jackson, Jan Beulich

And rename README to README.oss-fuzz.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
---
 tools/fuzz/README.afl                  | 27 +++++++++++++++++++++++++++
 tools/fuzz/{README => README.oss-fuzz} |  0
 2 files changed, 27 insertions(+)
 create mode 100644 tools/fuzz/README.afl
 rename tools/fuzz/{README => README.oss-fuzz} (100%)

diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
new file mode 100644
index 0000000..7214b61
--- /dev/null
+++ b/tools/fuzz/README.afl
@@ -0,0 +1,27 @@
+# OVERVIEW
+
+Some fuzzing targets have American Fuzzy Lop (AFL) support.
+
+See also http://lcamtuf.coredump.cx/afl/
+
+# HOW IT WORKS
+
+AFL provides a customised toolchain to build an executable, which in
+turn is launched by the fuzzer.
+
+# HOW TO USE IT
+
+Use the x86 instruction emulator fuzzer as an example.
+
+1. download and compile AFL in $AFLPATH.
+
+2. run the following commands to build:
+   $ cd tools/fuzz/x86_instruction_emulator
+   $ make distclean
+   $ make CC=$AFLPATH/afl-gcc afl # produces afl-x86-insn-emulator-fuzzer
+
+3. run the fuzzer with AFL:
+   $ $AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir -- \
+     ./afl-x86-insn-emulator-fuzzer @@
+
+Please see AFL documentation for more information.
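Review bot: the `make distclean` in step 2 is doing real work and deserves a sentence: patch 2 makes `all` build the afl target too, so an earlier plain `make` leaves objects compiled without afl-gcc instrumentation that `make CC=$AFLPATH/afl-gcc afl` would otherwise reuse. In step 3, `-m none` disables AFL's memory limit and `-t 1000` sets a 1000 ms timeout; say why those values were chosen, and note that `testcase_dir` must contain at least one seed input, since the README does not say where a starting corpus comes from.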
diff --git a/tools/fuzz/README b/tools/fuzz/README.oss-fuzz
similarity index 100%
rename from tools/fuzz/README
rename to tools/fuzz/README.oss-fuzz
-- 
2.1.4



* Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Jan Beulich @ 2017-01-24 10:09 UTC (permalink / raw)
  To: Wei Liu; +Cc: George Dunlap, Andrew Cooper, Ian Jackson, Xen-devel

>>> On 20.01.17 at 13:11, <wei.liu2@citrix.com> wrote:
> @@ -33,7 +35,10 @@ distclean: clean
>  
>  .PHONY: clean
>  clean:
> -	rm -f *.a *.o
> +	rm -f *.a *.o afl-x86-insn-emulator-fuzzer

Perhaps *-x86-insn-emulator-fuzzer right away?

> --- /dev/null
> +++ b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
> @@ -0,0 +1,42 @@
> +#include <assert.h>
> +#include <fcntl.h>
> +#include <stdint.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <sys/stat.h>
> +#include <sys/types.h>
> +#include <unistd.h>
> +
> +extern int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size);
> +
> +static uint8_t input[4096];
> +
> +int main(int argc, char **argv)
> +{
> +    size_t size;
> +    int fd;
> +
> +    if ( argc != 2 )
> +    {
> +        printf("Expecting only one argument\n");
> +        exit(1);
> +    }
> +
> +    fd = open(argv[1], O_RDONLY, 0);
> +    assert(fd != -1);
> +    size = read(fd, input, sizeof(input));
> +    close(fd);
> +
> +    LLVMFuzzerTestOneInput(input, size);

Please handle the case of read() failing (at least in the same way as
you do for open()). With that
Reviewed-by: Jan Beulich <jbeulich@suse.com>

Jan



* Re: [PATCH 3/4] tools/fuzz: add AFL stub program for libelf fuzzer
From: Jan Beulich @ 2017-01-24 10:10 UTC (permalink / raw)
  To: Wei Liu; +Cc: George Dunlap, Andrew Cooper, Ian Jackson, Xen-devel

>>> On 20.01.17 at 13:11, <wei.liu2@citrix.com> wrote:
> And hook it up into build system.

Same comments and same conditional R-b as for the other patch.

Jan



* Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Wei Liu @ 2017-01-24 16:43 UTC (permalink / raw)
  To: Jan Beulich; +Cc: George Dunlap, Andrew Cooper, Wei Liu, Ian Jackson, Xen-devel

On Tue, Jan 24, 2017 at 03:09:35AM -0700, Jan Beulich wrote:
> >>> On 20.01.17 at 13:11, <wei.liu2@citrix.com> wrote:
> > @@ -33,7 +35,10 @@ distclean: clean
> >  
> >  .PHONY: clean
> >  clean:
> > -	rm -f *.a *.o
> > +	rm -f *.a *.o afl-x86-insn-emulator-fuzzer
> 
> Perhaps *-x86-insn-emulator-fuzzer right away?
> 

OK.

> > --- /dev/null
> > +++ b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
> > @@ -0,0 +1,42 @@
> > +#include <assert.h>
> > +#include <fcntl.h>
> > +#include <stdint.h>
> > +#include <stdio.h>
> > +#include <stdlib.h>
> > +#include <sys/stat.h>
> > +#include <sys/types.h>
> > +#include <unistd.h>
> > +
> > +extern int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size);
> > +
> > +static uint8_t input[4096];
> > +
> > +int main(int argc, char **argv)
> > +{
> > +    size_t size;
> > +    int fd;
> > +
> > +    if ( argc != 2 )
> > +    {
> > +        printf("Expecting only one argument\n");
> > +        exit(1);
> > +    }
> > +
> > +    fd = open(argv[1], O_RDONLY, 0);
> > +    assert(fd != -1);
> > +    size = read(fd, input, sizeof(input));
> > +    close(fd);
> > +
> > +    LLVMFuzzerTestOneInput(input, size);
> 
> Please handle the case of read() failing (at least in the same way as
> you do for open()). With that

OK. I change size to be ssize_t and then assert(size != -1) after
read().

> Reviewed-by: Jan Beulich <jbeulich@suse.com>
> 

Thanks for reviewing.

> Jan
> 


* Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Ian Jackson @ 2017-01-24 17:05 UTC (permalink / raw)
  To: Wei Liu; +Cc: George Dunlap, Xen-devel, Jan Beulich, Andrew Cooper

Wei Liu writes ("[PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer"):
> This is a basic program to call into the unified fuzzing function.
...
> +    fd = open(argv[1], O_RDONLY, 0);
> +    assert(fd != -1);
> +    size = read(fd, input, sizeof(input));

Why do you use open and read here rather than fopen and fread ?

If you use read you ought to put it in a loop to cope with potential
partial reads.

Ian.


* Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Wei Liu @ 2017-01-24 17:18 UTC (permalink / raw)
  To: Ian Jackson; +Cc: George Dunlap, Xen-devel, Wei Liu, Jan Beulich, Andrew Cooper

On Tue, Jan 24, 2017 at 05:05:16PM +0000, Ian Jackson wrote:
> Wei Liu writes ("[PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer"):
> > This is a basic program to call into the unified fuzzing function.
> ...
> > +    fd = open(argv[1], O_RDONLY, 0);
> > +    assert(fd != -1);
> > +    size = read(fd, input, sizeof(input));
> 
> Why do you use open and read here rather than fopen and fread ?
> 

No particular reason.

> If you use read you ought to put it in a loop to cope with potential
> partial reads.
> 

Does fread have better properties than read? I think to deal with short
reads we would need to stat the file to get the actual size for both fread
and read, right? If so I will just stick with read and put that in a
loop.

Wei.

> Ian.


* Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Ian Jackson @ 2017-01-24 17:22 UTC (permalink / raw)
  To: Wei Liu; +Cc: George Dunlap, Xen-devel, Jan Beulich, Andrew Cooper

Wei Liu writes ("Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer"):
> On Tue, Jan 24, 2017 at 05:05:16PM +0000, Ian Jackson wrote:
> > If you use read you ought to put it in a loop to cope with potential
> > partial reads.
> 
> Does fread have better properties than read?

Yes.  fread is not allowed to give a short read for no particular
reason, nor to return with EINTR.

> I think to deal with short read we would need to stat the file to
> get actual size for both fread and read, right?

No.  In both cases, it is possible to detect whether a short read is
due to EOF.  With read, that would have to be in a loop.  With fread
you can test feof.

You don't need to test with stat unless you want to support files
bigger than your static buffer.

I recommend you:
 * use fopen and fread
 * complain if fread filled the whole buffer, on the grounds that
   that means you may be ignoring a longer file than is supported
 * check with feof or ferror that the short read was due to eof

Ian.


* Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Andrew Cooper @ 2017-01-24 17:25 UTC (permalink / raw)
  To: Ian Jackson, Wei Liu; +Cc: George Dunlap, Xen-devel, Jan Beulich

On 24/01/17 17:22, Ian Jackson wrote:
> Wei Liu writes ("Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer"):
>> On Tue, Jan 24, 2017 at 05:05:16PM +0000, Ian Jackson wrote:
>>> If you use read you ought to put it in a loop to cope with potential
>>> partial reads.
>> Does fread have better properties than read?
> Yes.  fread is not allowed to give a short read for no particular
> reason, nor to return with EINTR.
>
>> I think to deal with short read we would need to stat the file to
>> get actual size for both fread and read, right?
> No.  In both cases, it is possible to detect whether a short read is
> due to EOF.  With read, that would have to be in a loop.  With fread
> you can test feof.
>
> You don't need to test with stat unless you want to support files
> bigger than your static buffer.

It is expected that AFL data will eventually become longer than the
fuzzer wishes.  You should ignore extraneous data.

Also, remember that AFL prefers to pass data by pipe.

~Andrew


* Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Wei Liu @ 2017-01-24 17:27 UTC (permalink / raw)
  To: Andrew Cooper; +Cc: George Dunlap, Wei Liu, Ian Jackson, Jan Beulich, Xen-devel

On Tue, Jan 24, 2017 at 05:25:29PM +0000, Andrew Cooper wrote:
> On 24/01/17 17:22, Ian Jackson wrote:
> > Wei Liu writes ("Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer"):
> >> On Tue, Jan 24, 2017 at 05:05:16PM +0000, Ian Jackson wrote:
> >>> If you use read you ought to put it in a loop to cope with potential
> >>> partial reads.
> >> Does fread have better properties than read?
> > Yes.  fread is not allowed to give a short read for no particular
> > reason, nor to return with EINTR.
> >
> >> I think to deal with short read we would need to stat the file to
> >> get actual size for both fread and read, right?
> > No.  In both cases, it is possible to detect whether a short read is
> > due to EOF.  With read, that would have to be in a loop.  With fread
> > you can test feof.
> >
> > You don't need to test with stat unless you want to support files
> > bigger than your static buffer.
> 
> It is expected that AFL data will eventually become longer than the
> fuzzer wishes.  You should ignore extraneous data.
> 

That's not necessarily true. It depends on how you run the fuzzer.

But yes, ignoring extraneous data is sensible.

> Also, remember that AFL prefers to pass data by pipe.

It supports both using a file or STDIN.

Using a file would be easier for manual retest.

Wei.

> 
> ~Andrew


* Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Wei Liu @ 2017-01-24 17:28 UTC (permalink / raw)
  To: Ian Jackson; +Cc: George Dunlap, Xen-devel, Wei Liu, Jan Beulich, Andrew Cooper

On Tue, Jan 24, 2017 at 05:22:37PM +0000, Ian Jackson wrote:
> Wei Liu writes ("Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer"):
> > On Tue, Jan 24, 2017 at 05:05:16PM +0000, Ian Jackson wrote:
> > > If you use read you ought to put it in a loop to cope with potential
> > > partial reads.
> > 
> > Does fread have better properties than read?
> 
> Yes.  fread is not allowed to give a short read for no particular
> reason, nor to return with EINTR.
> 
> > I think to deal with short read we would need to stat the file to
> > get actual size for both fread and read, right?
> 
> No.  In both cases, it is possible to detect whether a short read is
> due to EOF.  With read, that would have to be in a loop.  With fread
> you can test feof.
> 
> You don't need to test with stat unless you want to support files
> bigger than your static buffer.
> 
> I recommend you:
>  * use fopen and fread
>  * complain if fread filled the whole buffer, on the grounds that
>    that means you may be ignoring a longer file than is supported
>  * check with feof or ferror that the short read was due to eof
> 

NP. This sounds sensible.

Wei.

> Ian.


* Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Ian Jackson @ 2017-01-24 17:30 UTC (permalink / raw)
  To: Andrew Cooper; +Cc: George Dunlap, Xen-devel, Wei Liu, Jan Beulich

Andrew Cooper writes ("Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer"):
> On 24/01/17 17:22, Ian Jackson wrote:
> > You don't need to test with stat unless you want to support files
> > bigger than your static buffer.
> 
> It is expected that AFL data will eventually become longer than the
> fuzzer wishes.  You should ignore extraneous data.

No, you should exit nonzero.

That will signal to fuzzers that this is not a "valid" input and so
not interesting.  It will signal to other kinds of test code that
something is wrong.

Ian.
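
A stub written along the lines recommended in this sub-thread (fopen/fread instead of open/read, distinguish EOF from a read error with ferror, and exit non-zero rather than silently truncating an over-long input so AFL sees an uninteresting input rather than a crash), as an added example that is not part of the series or of any message in the thread. LLVMFuzzerTestOneInput is a stand-in here so the file links on its own; the "-" argument for stdin and the load_constructed self-check are this example's own conventions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INPUT_MAX 4096

enum load_status { LOAD_OK = 0, LOAD_TOO_LONG = 1, LOAD_IO_ERROR = 2 };

/* Stand-in for the unified fuzzing entry point. In the real tree this is the
 * function in x86-insn-emulator-fuzzer.o / libelf-fuzzer.o that the stub is
 * linked against; here it accepts any input so the example is self-contained. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    (void)data;
    (void)size;
    return 0;
}

/* Read one whole stream into buf (capacity cap).
 * fread() only returns short at EOF or on error, so a single call is enough and
 * feof()/ferror() say which happened. If the buffer filled exactly, probe one
 * more byte: more data means the test case is longer than we support, and we
 * refuse it instead of handing the fuzzer a truncated version of its input. */
enum load_status load_input(FILE *f, uint8_t *buf, size_t cap, size_t *len)
{
    size_t n = fread(buf, 1, cap, f);

    if (n == cap && fgetc(f) != EOF)
        return LOAD_TOO_LONG;
    if (ferror(f))
        return LOAD_IO_ERROR;
    *len = n;
    return LOAD_OK;
}

/* Self-check helper (this example's own convention): pushes n constructed
 * filler bytes (0x90) through load_input via a temporary file with the given
 * capacity. Returns the loaded length, -1 for LOAD_TOO_LONG, -2 for an error. */
long load_constructed(size_t n, size_t cap)
{
    uint8_t buf[INPUT_MAX];
    size_t len = 0, i;
    FILE *f;
    enum load_status st;

    if (cap > INPUT_MAX)
        return -2;
    f = tmpfile();
    if (!f)
        return -2;
    for (i = 0; i < n; i++)
        fputc(0x90, f);
    rewind(f);
    st = load_input(f, buf, cap, &len);
    fclose(f);
    if (st == LOAD_TOO_LONG)
        return -1;
    if (st == LOAD_IO_ERROR)
        return -2;
    return (long)len;
}

static uint8_t input[INPUT_MAX];

/* Stub entry point: argv[1] is the test case file; "-" reads stdin, which is
 * how afl-fuzz feeds input when invoked without "@@". Every failure exits
 * non-zero, which AFL records as an invalid input rather than a crash. */
int main(int argc, char **argv)
{
    FILE *f;
    size_t len;
    enum load_status st;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <input-file|->\n", argv[0]);
        return 1;
    }
    f = strcmp(argv[1], "-") == 0 ? stdin : fopen(argv[1], "rb");
    if (!f) {
        perror(argv[1]);
        return 1;
    }
    st = load_input(f, input, sizeof(input), &len);
    if (f != stdin)
        fclose(f);
    if (st == LOAD_TOO_LONG) {
        fprintf(stderr, "%s: longer than %d bytes, refusing\n", argv[1], INPUT_MAX);
        return 1;
    }
    if (st == LOAD_IO_ERROR) {
        perror("read");
        return 1;
    }
    LLVMFuzzerTestOneInput(input, len);
    return 0;
}
```

An input of exactly INPUT_MAX bytes is accepted because the one-byte probe after a full fread() finds EOF; only a longer one is refused.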


* Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Wei Liu @ 2017-01-24 17:37 UTC (permalink / raw)
  To: Ian Jackson; +Cc: George Dunlap, Andrew Cooper, Wei Liu, Jan Beulich, Xen-devel

On Tue, Jan 24, 2017 at 05:30:32PM +0000, Ian Jackson wrote:
> Andrew Cooper writes ("Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer"):
> > On 24/01/17 17:22, Ian Jackson wrote:
> > > You don't need to test with stat unless you want to support files
> > > bigger than your static buffer.
> > 
> > It is expected that AFL data will eventually become longer than the
> > fuzzer wishes.  You should ignore extraneous data.
> 
> No, you should exit nonzero.
> 
> That will signal to fuzzers that this is not a "valid" input and so
> not interesting.  It will signal to other kinds of test code that
> something is wrong.
> 

Hmm... I originally thought exit(1) would cause AFL to think the program
has crashed, but I was wrong.

So using exit(1) is more sensible in this case.

Wei.

> Ian.


* Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
From: Ian Jackson @ 2017-01-24 17:46 UTC (permalink / raw)
  To: Wei Liu; +Cc: George Dunlap, Andrew Cooper, Ian Jackson, Jan Beulich, Xen-devel

Wei Liu writes ("Re: [PATCH 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer"):
> Hmm... I originally thought exit(1) would cause AFL to think the program
> has crashed, but I was wrong.

Ah.  Yes, indeed.  Sorry for not explaining that.

> So using exit(1) is more sensible in this case.

Right.

Thanks,
Ian.


* Re: [PATCH 0/4] fuzz: basic AFL support
From: Julien Grall @ 2017-01-24 18:18 UTC (permalink / raw)
  To: Wei Liu, Xen-devel
  Cc: George Dunlap, Andrew Cooper, Stefano Stabellini, Ian Jackson,
	Jan Beulich

Hi Wei,

On 20/01/17 12:11, Wei Liu wrote:
> Provide simple stub programs for AFL fuzzer. For usage, please see README.afl.
>
> This series doesn't aim to improve fuzzing targets. It is just demonstration
> for how we could use the same fuzzing code for both oss-fuzz and AFL.
>
> The stub programs are identical in libelf and the x86 emulator at the moment, but
> they will likely diverge in the future. The duplication of code is deliberate.
>
> Julien, FYI I think the in-tree libfdt could have something similar, too.

I am not sure if it would be useful. We know that libfdt is not 
protected against rogue device-tree and therefore fuzzing will likely 
break it. Any device-tree used is expected to be trusted (this is 
documented in the tools).

Anyway, it would be nice to get libfdt fixed and provide a patch to the 
upstream version [1].

Cheers,

[1] https://git.kernel.org/cgit/utils/dtc/dtc.git

-- 
Julien Grall


* Re: [PATCH 0/4] fuzz: basic AFL support
From: Wei Liu @ 2017-01-24 18:56 UTC
  To: Julien Grall
  Cc: Stefano Stabellini, Wei Liu, George Dunlap, Andrew Cooper,
	Ian Jackson, Jan Beulich, Xen-devel

On Tue, Jan 24, 2017 at 06:18:10PM +0000, Julien Grall wrote:
> Hi Wei,
> 
> On 20/01/17 12:11, Wei Liu wrote:
> > Provide simple stub programs for AFL fuzzer. For usage, please see README.afl.
> > 
> > This series doesn't aim to improve fuzzing targets. It is just demonstration
> > for how we could use the same fuzzing code for both oss-fuzz and AFL.
> > 
> > The stub programs are identical in libefl and x86 emulator at the moment, but
> > they will likely diverge in the future. The duplication of code is deliberate.
> > 
> > Julien, FYI I think the in-tree libfdt could have something similar, too.
> 
> I am not sure if it would be useful. We know that libfdt is not protected
> against rogue device-tree and therefore fuzzing will likely break it. Any
> device-tree used is expected to be trusted (this is documented in the
> tools).
> 

OK. In that case we don't need to run AFL against libfdt.

Wei.


* Re: [PATCH 0/4] fuzz: basic AFL support
From: Stefano Stabellini @ 2017-01-24 19:00 UTC
  To: Wei Liu
  Cc: Stefano Stabellini, George Dunlap, Andrew Cooper, Ian Jackson,
	Julien Grall, Jan Beulich, Xen-devel

On Tue, 24 Jan 2017, Wei Liu wrote:
> On Tue, Jan 24, 2017 at 06:18:10PM +0000, Julien Grall wrote:
> > Hi Wei,
> > 
> > On 20/01/17 12:11, Wei Liu wrote:
> > > Provide simple stub programs for AFL fuzzer. For usage, please see README.afl.
> > > 
> > > This series doesn't aim to improve fuzzing targets. It is just demonstration
> > > for how we could use the same fuzzing code for both oss-fuzz and AFL.
> > > 
> > > The stub programs are identical in libefl and x86 emulator at the moment, but
> > > they will likely diverge in the future. The duplication of code is deliberate.
> > > 
> > > Julien, FYI I think the in-tree libfdt could have something similar, too.
> > 
> > I am not sure if it would be useful. We know that libfdt is not protected
> > against rogue device-tree and therefore fuzzing will likely break it. Any
> > device-tree used is expected to be trusted (this is documented in the
> > tools).
> > 
> 
> OK. In that case we don't need to run AFL against libfdt.

I agree.


* Re: [PATCH 4/4] tools/fuzz: add README.afl
From: Andrew Cooper @ 2017-01-24 19:27 UTC
  To: Wei Liu, Xen-devel; +Cc: George Dunlap, Ian Jackson, Jan Beulich

On 20/01/17 12:11, Wei Liu wrote:
> And rename README to README.oss-fuzz.
>
> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> ---
> Cc: Andrew Cooper <andrew.cooper3@citrix.com>
> Cc: George Dunlap <George.Dunlap@eu.citrix.com>
> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
> Cc: Jan Beulich <jbeulich@suse.com>
> ---
>  tools/fuzz/README.afl                  | 27 +++++++++++++++++++++++++++
>  tools/fuzz/{README => README.oss-fuzz} |  0
>  2 files changed, 27 insertions(+)
>  create mode 100644 tools/fuzz/README.afl
>  rename tools/fuzz/{README => README.oss-fuzz} (100%)
>
> diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
> new file mode 100644
> index 0000000..7214b61
> --- /dev/null
> +++ b/tools/fuzz/README.afl
> @@ -0,0 +1,27 @@
> +# OVERVIEW
> +
> +Some fuzzing targets have American Fuzzy Lop (AFL) support.
> +
> +See also http://lcamtuf.coredump.cx/afl/
> +
> +# HOW IT WORKS
> +
> +AFL provides a customised toolchain to build an executable, which in
> +turn is launched by the fuzzer.
> +
> +# HOW TO USE IT
> +
> +Use the x86 instruction emulator fuzzer as an example.
> +
> +1. download and compile AFL in $AFLPATH.
> +
> +2. run the following commands to build:
> +   $ cd tools/fuzz/x86_instruction_emulator
> +   $ make distclean
> +   $ make CC=$AFLPATH/afl-gcc afl # produces afl-x86-insn-emulator-fuzzer
> +
> +3. run the fuzzer with AFL:
> +   $ $AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir -- \
> +     ./afl-x86-insn-emulator-fuzzer @@
> +
> +Please see AFL documentation for more information.
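
Review bot: step 3 runs afl-fuzz with `-i testcase_dir`, but nothing in the README creates that directory or puts a seed input in it, so the procedure as written cannot start; add a step between 2 and 3 that creates testcase_dir with at least one small valid input, and say that afl-fuzz substitutes the current input's path for `@@`, so the stub binary must accept that path as its only argument. The `-m none -t 1000` choices also go unexplained; a sentence on why the memory limit is disabled and what the 1000 ms timeout is for would help whoever tunes them later.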

Having just debugged this README (I totally haven't forgotten how to
use AFL, despite all the recent work on it ;p), it is missing the
initial test case.

I previously used a ret instruction as the seed testcase.

$ mkdir testcase_dir
$ echo -n -e '\xc3' > testcase_dir/ret.bin

after which AFL is happy to start running.

~Andrew


* Re: [PATCH 4/4] tools/fuzz: add README.afl
From: Wei Liu @ 2017-01-25  9:49 UTC
  To: Andrew Cooper; +Cc: George Dunlap, Xen-devel, Wei Liu, Ian Jackson, Jan Beulich

On Tue, Jan 24, 2017 at 07:27:36PM +0000, Andrew Cooper wrote:
> On 20/01/17 12:11, Wei Liu wrote:
> > And rename README to README.oss-fuzz.
> >
> > Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> > ---
> > Cc: Andrew Cooper <andrew.cooper3@citrix.com>
> > Cc: George Dunlap <George.Dunlap@eu.citrix.com>
> > Cc: Ian Jackson <ian.jackson@eu.citrix.com>
> > Cc: Jan Beulich <jbeulich@suse.com>
> > ---
> >  tools/fuzz/README.afl                  | 27 +++++++++++++++++++++++++++
> >  tools/fuzz/{README => README.oss-fuzz} |  0
> >  2 files changed, 27 insertions(+)
> >  create mode 100644 tools/fuzz/README.afl
> >  rename tools/fuzz/{README => README.oss-fuzz} (100%)
> >
> > diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
> > new file mode 100644
> > index 0000000..7214b61
> > --- /dev/null
> > +++ b/tools/fuzz/README.afl
> > @@ -0,0 +1,27 @@
> > +# OVERVIEW
> > +
> > +Some fuzzing targets have American Fuzzy Lop (AFL) support.
> > +
> > +See also http://lcamtuf.coredump.cx/afl/
> > +
> > +# HOW IT WORKS
> > +
> > +AFL provides a customised toolchain to build an executable, which in
> > +turn is launched by the fuzzer.
> > +
> > +# HOW TO USE IT
> > +
> > +Use the x86 instruction emulator fuzzer as an example.
> > +
> > +1. download and compile AFL in $AFLPATH.
> > +
> > +2. run the following commands to build:
> > +   $ cd tools/fuzz/x86_instruction_emulator
> > +   $ make distclean
> > +   $ make CC=$AFLPATH/afl-gcc afl # produces afl-x86-insn-emulator-fuzzer
> > +
> > +3. run the fuzzer with AFL:
> > +   $ $AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir -- \
> > +     ./afl-x86-insn-emulator-fuzzer @@
> > +
> > +Please see AFL documentation for more information.
> 
> Having just debugged this README (I totally haven't forgotten how to
> use AFL, despite all the recent work on it ;p), it is missing the
> initial test case.
> 
> I previously used a ret instruction as the seed testcase.
> 
> $ mkdir testcase_dir
> $ echo -n -e '\xc3' > testcase_dir/ret.bin
> 
> after which AFL is happy to start running.

Right, I will add this to README.afl.

Wei.

> 
> ~Andrew


* Re: [PATCH 4/4] tools/fuzz: add README.afl
From: George Dunlap @ 2017-01-25  9:51 UTC
  To: Andrew Cooper; +Cc: Xen-devel, Wei Liu, Ian Jackson, Jan Beulich

On Tue, Jan 24, 2017 at 7:27 PM, Andrew Cooper
<andrew.cooper3@citrix.com> wrote:
> On 20/01/17 12:11, Wei Liu wrote:
>> And rename README to README.oss-fuzz.
>>
>> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
>> ---
>> Cc: Andrew Cooper <andrew.cooper3@citrix.com>
>> Cc: George Dunlap <George.Dunlap@eu.citrix.com>
>> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
>> Cc: Jan Beulich <jbeulich@suse.com>
>> ---
>>  tools/fuzz/README.afl                  | 27 +++++++++++++++++++++++++++
>>  tools/fuzz/{README => README.oss-fuzz} |  0
>>  2 files changed, 27 insertions(+)
>>  create mode 100644 tools/fuzz/README.afl
>>  rename tools/fuzz/{README => README.oss-fuzz} (100%)
>>
>> diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
>> new file mode 100644
>> index 0000000..7214b61
>> --- /dev/null
>> +++ b/tools/fuzz/README.afl
>> @@ -0,0 +1,27 @@
>> +# OVERVIEW
>> +
>> +Some fuzzing targets have American Fuzzy Lop (AFL) support.
>> +
>> +See also http://lcamtuf.coredump.cx/afl/
>> +
>> +# HOW IT WORKS
>> +
>> +AFL provides a customised toolchain to build an executable, which in
>> +turn is launched by the fuzzer.
>> +
>> +# HOW TO USE IT
>> +
>> +Use the x86 instruction emulator fuzzer as an example.
>> +
>> +1. download and compile AFL in $AFLPATH.
>> +
>> +2. run the following commands to build:
>> +   $ cd tools/fuzz/x86_instruction_emulator
>> +   $ make distclean
>> +   $ make CC=$AFLPATH/afl-gcc afl # produces afl-x86-insn-emulator-fuzzer
>> +
>> +3. run the fuzzer with AFL:
>> +   $ $AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir -- \
>> +     ./afl-x86-insn-emulator-fuzzer @@
>> +
>> +Please see AFL documentation for more information.
>
> Having just debugged this README (I totally haven't forgotten how to
> use AFL, despite all the recent work on it ;p), it is missing the
> initial test case.
>
> I previously used a ret instruction as the seed testcase.
>
> $ mkdir testcase_dir
> $ echo -n -e '\xc3' > testcase_dir/ret.bin
>
> after which AFL is happy to start running.

In my own version I had a special option to pass to the binary to
generate a set of test cases.  Wei, do you have any opinions on this?

One of the things I found was that there were certain "corners" of the
code that for some reason AFL had trouble reaching (i.e., after two
days of running there were lines that still didn't have any coverage).
One of the advantages of generating test cases is that if some of
these are identified, we may be able to get a more even coverage more
quickly.

 -George


* Re: [PATCH 4/4] tools/fuzz: add README.afl
From: Wei Liu @ 2017-01-25  9:54 UTC
  To: George Dunlap; +Cc: Andrew Cooper, Wei Liu, Ian Jackson, Jan Beulich, Xen-devel

On Wed, Jan 25, 2017 at 09:51:38AM +0000, George Dunlap wrote:
> On Tue, Jan 24, 2017 at 7:27 PM, Andrew Cooper
> <andrew.cooper3@citrix.com> wrote:
> > On 20/01/17 12:11, Wei Liu wrote:
> >> And rename README to README.oss-fuzz.
> >>
> >> Signed-off-by: Wei Liu <wei.liu2@citrix.com>
> >> ---
> >> Cc: Andrew Cooper <andrew.cooper3@citrix.com>
> >> Cc: George Dunlap <George.Dunlap@eu.citrix.com>
> >> Cc: Ian Jackson <ian.jackson@eu.citrix.com>
> >> Cc: Jan Beulich <jbeulich@suse.com>
> >> ---
> >>  tools/fuzz/README.afl                  | 27 +++++++++++++++++++++++++++
> >>  tools/fuzz/{README => README.oss-fuzz} |  0
> >>  2 files changed, 27 insertions(+)
> >>  create mode 100644 tools/fuzz/README.afl
> >>  rename tools/fuzz/{README => README.oss-fuzz} (100%)
> >>
> >> diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
> >> new file mode 100644
> >> index 0000000..7214b61
> >> --- /dev/null
> >> +++ b/tools/fuzz/README.afl
> >> @@ -0,0 +1,27 @@
> >> +# OVERVIEW
> >> +
> >> +Some fuzzing targets have American Fuzzy Lop (AFL) support.
> >> +
> >> +See also http://lcamtuf.coredump.cx/afl/
> >> +
> >> +# HOW IT WORKS
> >> +
> >> +AFL provides a customised toolchain to build an executable, which in
> >> +turn is launched by the fuzzer.
> >> +
> >> +# HOW TO USE IT
> >> +
> >> +Use the x86 instruction emulator fuzzer as an example.
> >> +
> >> +1. download and compile AFL in $AFLPATH.
> >> +
> >> +2. run the following commands to build:
> >> +   $ cd tools/fuzz/x86_instruction_emulator
> >> +   $ make distclean
> >> +   $ make CC=$AFLPATH/afl-gcc afl # produces afl-x86-insn-emulator-fuzzer
> >> +
> >> +3. run the fuzzer with AFL:
> >> +   $ $AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir -- \
> >> +     ./afl-x86-insn-emulator-fuzzer @@
> >> +
> >> +Please see AFL documentation for more information.
> >
> > Having just debugged this README (I totally haven't forgotten how to
> > use AFL, despite all the recent work on it ;p), it is missing the
> > initial test case.
> >
> > I previously used a ret instruction as the seed testcase.
> >
> > $ mkdir testcase_dir
> > $ echo -n -e '\xc3' > testcase_dir/ret.bin
> >
> > after which AFL is happy to start running.
> 
> In my own version I had a special option to pass to the binary to
> generate a set of test cases.  Wei, do you have any opinions on this?
> 
> One of the things I found was that there were certain "corners" of the
> code that for some reason AFL had trouble reaching (i.e., after two
> days of running there were lines that still didn't have any coverage).
> One of the advantages of generating test cases is that if some of
> these are identified, we may be able to get a more even coverage more
> quickly.
> 

I haven't read that version in detail, but I agree with you that
having the ability to generate tailored test cases is a good idea.

Wei.

>  -George

