[PATCH v3 00/13] Fuzzing and ASAN for sandbox
Tom Rini
trini at konsulko.com
Mon Aug 28 21:56:31 CEST 2023
On Mon, Aug 28, 2023 at 10:20:02AM -0600, Simon Glass wrote:
> Hi Andrew,
>
> On Mon, 30 May 2022 at 04:00, Andrew Scull <ascull at google.com> wrote:
> >
> > This series introduces ASAN and a basic fuzzing infrastructure that
> > works with sandbox. The example fuzz test towards the end of the series
> > will find something pretty quickly. That something is fixed by the
> > series "virtio: Harden and test vring" that needs to be applied for the
> > final patch in this series.
> >
> > There is some refactoring to stop using '.' prefixed sections. ELF
> > defines sections with names that contain anything that isn't
> > alphanumeric or an underscore as being for system use which means
> > clang's ASAN instrumentation happily adds redzones between the contained
> > objects. That's not what we want for things like linker lists where the
> > linker script has carefully placed the sections contiguously. By
> > renaming the sections, clang sees them as user sections and doesn't add
> > instrumentation.
> >
> > ASAN is left disabled by default as there are still some tests that it
> > triggers on and will need some more investigation to fix. It can be
> > enabled with CONFIG_ASAN or passing `-a ASAN` to buildman.
> >
> > I abandoned the previous attempts to refactor sandbox EFI and getopt
> > declaration as the changes resulted in problems out of the scope of this
> > CL. I haven't tried to understand what EFI on sandbox should look like,
> > but I have found that the linker list implementation is very brittle
> > when up against compiler optimisation since ef123c5253 started to use
> > static, zero-length arrays to mark the beginning and end of lists but
> > the compiler sees this as something it can get rid of.
> >
> > From v1:
> > - corrected handling of EFI symbols by sandbox linker script
> > - per comments, some renaming and explaining
> > - dropped RFC for dlmalloc ASAN instrumentation (work required to improve it)
> > - added patch to reduce logging noise in fuzzer
> >
> > From v2:
> > - remove sandbox EFI and getopt refactoring, they obstruct the series
> > - resolve a couple more ASAN errors
> > - fix LTO, xtensa and MIPS builds
> > - add ASAN build targets for CI
> >
> > Andrew Scull (13):
> > serial: sandbox: Fix buffer underflow in puts
> > sandbox: Rename EFI runtime sections
> > sandbox: Rename getopt sections
> > linker_lists: Rename sections to remove . prefix
> > sandbox: Add support for Address Sanitizer
> > test/py: test_stackprotector: Disable for ASAN
> > CI: Azure: Build with ASAN enabled
> > fuzzing_engine: Add fuzzing engine uclass
> > test: fuzz: Add framework for fuzzing
> > sandbox: Decouple program entry from sandbox init
> > sandbox: Add libfuzzer integration
> > sandbox: Implement fuzzing engine driver
> > fuzz: virtio: Add fuzzer for vring
> >
> > .azure-pipelines.yml | 6 ++
> > Kconfig | 16 ++++
> > arch/Kconfig | 2 +
> > arch/arc/cpu/u-boot.lds | 4 +-
> > arch/arm/config.mk | 4 +-
> > arch/arm/cpu/arm926ejs/sunxi/u-boot-spl.lds | 4 +-
> > arch/arm/cpu/armv7/sunxi/u-boot-spl.lds | 4 +-
> > arch/arm/cpu/armv8/u-boot-spl.lds | 4 +-
> > arch/arm/cpu/armv8/u-boot.lds | 4 +-
> > arch/arm/cpu/u-boot-spl.lds | 4 +-
> > arch/arm/cpu/u-boot.lds | 6 +-
> > arch/arm/mach-at91/arm926ejs/u-boot-spl.lds | 2 +-
> > arch/arm/mach-at91/armv7/u-boot-spl.lds | 2 +-
> > arch/arm/mach-omap2/u-boot-spl.lds | 4 +-
> > arch/arm/mach-orion5x/u-boot-spl.lds | 4 +-
> > arch/arm/mach-rockchip/u-boot-tpl-v8.lds | 4 +-
> > arch/arm/mach-zynq/u-boot-spl.lds | 4 +-
> > arch/arm/mach-zynq/u-boot.lds | 4 +-
> > arch/m68k/cpu/u-boot.lds | 4 +-
> > arch/microblaze/cpu/u-boot-spl.lds | 4 +-
> > arch/microblaze/cpu/u-boot.lds | 4 +-
> > arch/mips/config.mk | 2 +-
> > arch/mips/cpu/u-boot-spl.lds | 4 +-
> > arch/mips/cpu/u-boot.lds | 4 +-
> > arch/nios2/cpu/u-boot.lds | 4 +-
> > arch/powerpc/cpu/mpc83xx/u-boot.lds | 4 +-
> > arch/powerpc/cpu/mpc85xx/u-boot-spl.lds | 4 +-
> > arch/powerpc/cpu/mpc85xx/u-boot.lds | 4 +-
> > arch/riscv/cpu/u-boot-spl.lds | 4 +-
> > arch/riscv/cpu/u-boot.lds | 4 +-
> > arch/sandbox/config.mk | 21 ++++-
> > arch/sandbox/cpu/os.c | 76 +++++++++++++++++
> > arch/sandbox/cpu/start.c | 2 +-
> > arch/sandbox/cpu/u-boot-spl.lds | 10 +--
> > arch/sandbox/cpu/u-boot.lds | 32 ++++----
> > arch/sandbox/dts/test.dts | 4 +
> > arch/sandbox/include/asm/fuzzing_engine.h | 25 ++++++
> > arch/sandbox/include/asm/getopt.h | 2 +-
> > arch/sandbox/include/asm/main.h | 18 ++++
> > arch/sandbox/include/asm/sections.h | 4 +-
> > arch/sandbox/lib/sections.c | 8 +-
> > arch/sh/cpu/u-boot.lds | 4 +-
> > arch/x86/cpu/u-boot-64.lds | 6 +-
> > arch/x86/cpu/u-boot-spl.lds | 6 +-
> > arch/x86/cpu/u-boot.lds | 6 +-
> > arch/x86/lib/elf_ia32_efi.lds | 4 +-
> > arch/x86/lib/elf_x86_64_efi.lds | 4 +-
> > arch/xtensa/cpu/u-boot.lds | 4 +-
> > arch/xtensa/include/asm/ldscript.h | 13 ++-
> > board/compulab/cm_t335/u-boot.lds | 4 +-
> > board/cssi/MCR3000/u-boot.lds | 4 +-
> > .../davinci/da8xxevm/u-boot-spl-da850evm.lds | 2 +-
> > board/qualcomm/dragonboard820c/u-boot.lds | 4 +-
> > board/samsung/common/exynos-uboot-spl.lds | 4 +-
> > board/synopsys/iot_devkit/u-boot.lds | 4 +-
> > board/ti/am335x/u-boot.lds | 4 +-
> > board/vscom/baltos/u-boot.lds | 4 +-
> > doc/api/linker_lists.rst | 22 ++---
> > doc/develop/commands.rst | 4 +-
> > doc/develop/driver-model/of-plat.rst | 4 +-
> > drivers/Kconfig | 2 +
> > drivers/Makefile | 1 +
> > drivers/fuzz/Kconfig | 17 ++++
> > drivers/fuzz/Makefile | 8 ++
> > drivers/fuzz/fuzzing_engine-uclass.c | 28 +++++++
> > drivers/fuzz/sandbox_fuzzing_engine.c | 35 ++++++++
> > drivers/serial/sandbox.c | 2 +-
> > include/dm/uclass-id.h | 1 +
> > include/fuzzing_engine.h | 51 ++++++++++++
> > include/linker_lists.h | 18 ++--
> > include/test/fuzz.h | 51 ++++++++++++
> > test/Makefile | 1 +
> > test/fuzz/Makefile | 8 ++
> > test/fuzz/cmd_fuzz.c | 82 +++++++++++++++++++
> > test/fuzz/virtio.c | 72 ++++++++++++++++
> > test/py/tests/test_stackprotector.py | 1 +
> > tools/mips-relocs.c | 9 +-
> > 77 files changed, 673 insertions(+), 151 deletions(-)
> > create mode 100644 arch/sandbox/include/asm/fuzzing_engine.h
> > create mode 100644 arch/sandbox/include/asm/main.h
> > create mode 100644 drivers/fuzz/Kconfig
> > create mode 100644 drivers/fuzz/Makefile
> > create mode 100644 drivers/fuzz/fuzzing_engine-uclass.c
> > create mode 100644 drivers/fuzz/sandbox_fuzzing_engine.c
> > create mode 100644 include/fuzzing_engine.h
> > create mode 100644 include/test/fuzz.h
> > create mode 100644 test/fuzz/Makefile
> > create mode 100644 test/fuzz/cmd_fuzz.c
> > create mode 100644 test/fuzz/virtio.c
>
> Could you please add some documentation about this in doc/ ? I also
> wonder if we can make the fuzz test run in CI? Finally, can the azure
> stuff work in gitlab too?
>
> I am interested in using fuzzing to test a new 'Universal Payload'
> feature which basically converts data from a C struct to a devicetree
> and back.
Fuzzing fails on a number of tests, which is why I've moved it to just
run the version test here:
https://patchwork.ozlabs.org/project/uboot/patch/20230820173129.781985-2-trini@konsulko.com/
There's not much point in running it in GitLab too until we get the
errors fixed.
--
Tom