[PATCH v3 00/13] Fuzzing and ASAN for sandbox

Simon Glass sjg at chromium.org
Mon Aug 28 18:20:02 CEST 2023


Hi Andrew,

On Mon, 30 May 2022 at 04:00, Andrew Scull <ascull at google.com> wrote:
>
> This series introduces ASAN and a basic fuzzing infrastructure that
> works with sandbox. The example fuzz test towards the end of the series
> will find something pretty quickly. That something is fixed by the
> series "virtio: Harden and test vring" that needs to be applied for the
> final patch in this series.
>
> There is some refactoring to stop using '.' prefixed sections. ELF
> defines sections with names that contain anything that isn't
> alphanumeric or an underscore as being for system use, which means
> clang's ASAN instrumentation happily adds redzones between the contained
> objects. That's not what we want for things like linker lists where the
> linker script has carefully placed the sections contiguously. By
> renaming the sections, clang sees them as user sections and doesn't add
> instrumentation.
>
> ASAN is left disabled by default as there are still some tests that it
> triggers on and will need some more investigation to fix. It can be
> enabled with CONFIG_ASAN or passing `-a ASAN` to buildman.
>
> I abandoned the previous attempts to refactor sandbox EFI and getopt
> declaration as the changes resulted in problems out of the scope of this
> CL. I haven't tried to understand what EFI on sandbox should look like,
> but I have found that the linker list implementation is very brittle
> when up against compiler optimisation since ef123c5253 started to use
> static, zero-length arrays to mark the beginning and end of lists but
> the compiler sees this as something it can get rid of.
>
> From v1:
>  - corrected handling of EFI symbols by sandbox linker script
>  - per comments, some renaming and explaining
>  - dropped RFC for dlmalloc ASAN instrumentation (work required to improve it)
>  - added patch to reduce logging noise in fuzzer
>
> From v2:
>  - remove sandbox EFI and getopt refactoring, they obstruct the series
>  - resolve a couple more ASAN errors
>  - fix LTO, xtensa and MIPS builds
>  - add ASAN build targets for CI
>
> Andrew Scull (13):
>   serial: sandbox: Fix buffer underflow in puts
>   sandbox: Rename EFI runtime sections
>   sandbox: Rename getopt sections
>   linker_lists: Rename sections to remove . prefix
>   sandbox: Add support for Address Sanitizer
>   test/py: test_stackprotector: Disable for ASAN
>   CI: Azure: Build with ASAN enabled
>   fuzzing_engine: Add fuzzing engine uclass
>   test: fuzz: Add framework for fuzzing
>   sandbox: Decouple program entry from sandbox init
>   sandbox: Add libfuzzer integration
>   sandbox: Implement fuzzing engine driver
>   fuzz: virtio: Add fuzzer for vring
>
>  .azure-pipelines.yml                          |  6 ++
>  Kconfig                                       | 16 ++++
>  arch/Kconfig                                  |  2 +
>  arch/arc/cpu/u-boot.lds                       |  4 +-
>  arch/arm/config.mk                            |  4 +-
>  arch/arm/cpu/arm926ejs/sunxi/u-boot-spl.lds   |  4 +-
>  arch/arm/cpu/armv7/sunxi/u-boot-spl.lds       |  4 +-
>  arch/arm/cpu/armv8/u-boot-spl.lds             |  4 +-
>  arch/arm/cpu/armv8/u-boot.lds                 |  4 +-
>  arch/arm/cpu/u-boot-spl.lds                   |  4 +-
>  arch/arm/cpu/u-boot.lds                       |  6 +-
>  arch/arm/mach-at91/arm926ejs/u-boot-spl.lds   |  2 +-
>  arch/arm/mach-at91/armv7/u-boot-spl.lds       |  2 +-
>  arch/arm/mach-omap2/u-boot-spl.lds            |  4 +-
>  arch/arm/mach-orion5x/u-boot-spl.lds          |  4 +-
>  arch/arm/mach-rockchip/u-boot-tpl-v8.lds      |  4 +-
>  arch/arm/mach-zynq/u-boot-spl.lds             |  4 +-
>  arch/arm/mach-zynq/u-boot.lds                 |  4 +-
>  arch/m68k/cpu/u-boot.lds                      |  4 +-
>  arch/microblaze/cpu/u-boot-spl.lds            |  4 +-
>  arch/microblaze/cpu/u-boot.lds                |  4 +-
>  arch/mips/config.mk                           |  2 +-
>  arch/mips/cpu/u-boot-spl.lds                  |  4 +-
>  arch/mips/cpu/u-boot.lds                      |  4 +-
>  arch/nios2/cpu/u-boot.lds                     |  4 +-
>  arch/powerpc/cpu/mpc83xx/u-boot.lds           |  4 +-
>  arch/powerpc/cpu/mpc85xx/u-boot-spl.lds       |  4 +-
>  arch/powerpc/cpu/mpc85xx/u-boot.lds           |  4 +-
>  arch/riscv/cpu/u-boot-spl.lds                 |  4 +-
>  arch/riscv/cpu/u-boot.lds                     |  4 +-
>  arch/sandbox/config.mk                        | 21 ++++-
>  arch/sandbox/cpu/os.c                         | 76 +++++++++++++++++
>  arch/sandbox/cpu/start.c                      |  2 +-
>  arch/sandbox/cpu/u-boot-spl.lds               | 10 +--
>  arch/sandbox/cpu/u-boot.lds                   | 32 ++++----
>  arch/sandbox/dts/test.dts                     |  4 +
>  arch/sandbox/include/asm/fuzzing_engine.h     | 25 ++++++
>  arch/sandbox/include/asm/getopt.h             |  2 +-
>  arch/sandbox/include/asm/main.h               | 18 ++++
>  arch/sandbox/include/asm/sections.h           |  4 +-
>  arch/sandbox/lib/sections.c                   |  8 +-
>  arch/sh/cpu/u-boot.lds                        |  4 +-
>  arch/x86/cpu/u-boot-64.lds                    |  6 +-
>  arch/x86/cpu/u-boot-spl.lds                   |  6 +-
>  arch/x86/cpu/u-boot.lds                       |  6 +-
>  arch/x86/lib/elf_ia32_efi.lds                 |  4 +-
>  arch/x86/lib/elf_x86_64_efi.lds               |  4 +-
>  arch/xtensa/cpu/u-boot.lds                    |  4 +-
>  arch/xtensa/include/asm/ldscript.h            | 13 ++-
>  board/compulab/cm_t335/u-boot.lds             |  4 +-
>  board/cssi/MCR3000/u-boot.lds                 |  4 +-
>  .../davinci/da8xxevm/u-boot-spl-da850evm.lds  |  2 +-
>  board/qualcomm/dragonboard820c/u-boot.lds     |  4 +-
>  board/samsung/common/exynos-uboot-spl.lds     |  4 +-
>  board/synopsys/iot_devkit/u-boot.lds          |  4 +-
>  board/ti/am335x/u-boot.lds                    |  4 +-
>  board/vscom/baltos/u-boot.lds                 |  4 +-
>  doc/api/linker_lists.rst                      | 22 ++---
>  doc/develop/commands.rst                      |  4 +-
>  doc/develop/driver-model/of-plat.rst          |  4 +-
>  drivers/Kconfig                               |  2 +
>  drivers/Makefile                              |  1 +
>  drivers/fuzz/Kconfig                          | 17 ++++
>  drivers/fuzz/Makefile                         |  8 ++
>  drivers/fuzz/fuzzing_engine-uclass.c          | 28 +++++++
>  drivers/fuzz/sandbox_fuzzing_engine.c         | 35 ++++++++
>  drivers/serial/sandbox.c                      |  2 +-
>  include/dm/uclass-id.h                        |  1 +
>  include/fuzzing_engine.h                      | 51 ++++++++++++
>  include/linker_lists.h                        | 18 ++--
>  include/test/fuzz.h                           | 51 ++++++++++++
>  test/Makefile                                 |  1 +
>  test/fuzz/Makefile                            |  8 ++
>  test/fuzz/cmd_fuzz.c                          | 82 +++++++++++++++++++
>  test/fuzz/virtio.c                            | 72 ++++++++++++++++
>  test/py/tests/test_stackprotector.py          |  1 +
>  tools/mips-relocs.c                           |  9 +-
>  77 files changed, 673 insertions(+), 151 deletions(-)
>  create mode 100644 arch/sandbox/include/asm/fuzzing_engine.h
>  create mode 100644 arch/sandbox/include/asm/main.h
>  create mode 100644 drivers/fuzz/Kconfig
>  create mode 100644 drivers/fuzz/Makefile
>  create mode 100644 drivers/fuzz/fuzzing_engine-uclass.c
>  create mode 100644 drivers/fuzz/sandbox_fuzzing_engine.c
>  create mode 100644 include/fuzzing_engine.h
>  create mode 100644 include/test/fuzz.h
>  create mode 100644 test/fuzz/Makefile
>  create mode 100644 test/fuzz/cmd_fuzz.c
>  create mode 100644 test/fuzz/virtio.c

Could you please add some documentation about this in doc/? I also
wonder if we can make the fuzz test run in CI? Finally, can the Azure
stuff work in GitLab too?

I am interested in using fuzzing to test a new 'Universal Payload'
feature which basically converts data from a C struct to a devicetree
and back.

Regards,
Simon
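Added example, not code from this series or from U-Boot's linker_lists.h: a minimal linker list in C whose entries live in a user section with no '.' prefix (the property the cover letter relies on to keep ASAN from placing redzones between entries), plus a check that the section is still an exact multiple of the entry size before it is walked. The section name, struct and entry names are constructed; it assumes an ELF link with GNU ld or lld, which generate the __start_/__stop_ bounds for sections whose names are valid C identifiers.

```c
/* Added example, not U-Boot code: a linker list in a user section. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct demo_cmd {
	const char *name;
	int (*run)(int arg);
};

/* Name is alphanumeric/underscore only: ELF treats it as a user section,
 * so ASAN leaves the entries contiguous instead of inserting redzones.
 * A '.'-prefixed name would make it a system section (the problem the
 * series fixes by renaming). The name itself is constructed. */
#define DEMO_SECTION "u_boot_list_demo"
#define DEMO_ENTRY(_name, _fn)						\
	static const struct demo_cmd _demo_##_name			\
	__attribute__((section(DEMO_SECTION), used,			\
		       aligned(sizeof(void *)))) = { #_name, _fn }

static int cmd_double(int x) { return 2 * x; }
static int cmd_square(int x) { return x * x; }
static int cmd_negate(int x) { return -x; }

DEMO_ENTRY(double, cmd_double);
DEMO_ENTRY(square, cmd_square);
DEMO_ENTRY(negate, cmd_negate);

/* Bounds the linker provides for a user section (GNU ld / lld, ELF). */
extern const struct demo_cmd __start_u_boot_list_demo[];
extern const struct demo_cmd __stop_u_boot_list_demo[];

/* Entry count, or -1 if the section is not a whole number of entries,
 * which is what redzones or padding between objects would produce. */
int demo_list_count(void)
{
	size_t bytes = (uintptr_t)__stop_u_boot_list_demo -
		       (uintptr_t)__start_u_boot_list_demo;

	if (bytes % sizeof(struct demo_cmd))
		return -1;
	return (int)(bytes / sizeof(struct demo_cmd));
}

/* Run every entry on arg and sum the results (order independent). */
int demo_list_sum(int arg)
{
	const struct demo_cmd *e;
	int total = 0;

	for (e = __start_u_boot_list_demo; e < __stop_u_boot_list_demo; e++)
		total += e->run(arg);
	return total;
}
```

Building the same file with -fsanitize=address is the quick way to see whether a given section name keeps the stride intact: demo_list_count() returns -1 as soon as instrumentation pads the entries apart.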
