[PATCH v3 00/13] Fuzzing and ASAN for sandbox

Tom Rini trini at konsulko.com
Mon Aug 28 21:56:31 CEST 2023


On Mon, Aug 28, 2023 at 10:20:02AM -0600, Simon Glass wrote:
> Hi Andrew,
> 
> On Mon, 30 May 2022 at 04:00, Andrew Scull <ascull at google.com> wrote:
> >
> > This series introduces ASAN and a basic fuzzing infrastructure that
> > works with sandbox. The example fuzz test towards the end of the series
> > will find something pretty quickly. That something is fixed by the
> > series "virtio: Harden and test vring" that needs to be applied for the
> > final patch in this series.
> >
> > There is some refactoring to stop using '.' prefixed sections. ELF
> > defines sections with names that contain anything that isn't
> > alphanumeric or an underscore as being for system use which means
> > clang's ASAN instrumentation happily adds redzones between the contained
> > objects. That's not what we want for things like linker lists where the
> > linker script has carefully placed the sections contiguously. By
> > renaming the sections, clang sees them as user sections and doesn't add
> > instrumentation.
> >
> > ASAN is left disabled by default as there are still some tests that it
> > triggers on and will need some more investigation to fix. It can be
> > enabled with CONFIG_ASAN or passing `-a ASAN` to buildman.
> >
> > I abandoned the previous attempts to refactor sandbox EFI and getopt
> > declaration as the changes resulted in problems out of the scope of this
> > CL. I haven't tried to understand what EFI on sandbox should look like,
> > but I have found that the linker list implementation is very brittle
> > when up against compiler optimisation since ef123c5253 started to use
> > static, zero-length arrays to mark the beginning and end of lists but
> > the compiler sees this as something it can get rid of.
> >
> > From v1:
> >  - corrected handling of EFI symbols by sandbox linker script
> >  - per comments, some renaming and explaining
> >  - dropped RFC for dlmalloc ASAN instrumentation (work required to improve it)
> >  - added patch to reduce logging noise in fuzzer
> >
> > From v2:
> >  - remove sandbox EFI and getopt refactoring, they obstruct the series
> >  - resolve a couple more ASAN errors
> >  - fix LTO, xtensa and MIPS builds
> >  - add ASAN build targets for CI
> >
> > Andrew Scull (13):
> >   serial: sandbox: Fix buffer underflow in puts
> >   sandbox: Rename EFI runtime sections
> >   sandbox: Rename getopt sections
> >   linker_lists: Rename sections to remove . prefix
> >   sandbox: Add support for Address Sanitizer
> >   test/py: test_stackprotector: Disable for ASAN
> >   CI: Azure: Build with ASAN enabled
> >   fuzzing_engine: Add fuzzing engine uclass
> >   test: fuzz: Add framework for fuzzing
> >   sandbox: Decouple program entry from sandbox init
> >   sandbox: Add libfuzzer integration
> >   sandbox: Implement fuzzing engine driver
> >   fuzz: virtio: Add fuzzer for vring
> >
> >  .azure-pipelines.yml                          |  6 ++
> >  Kconfig                                       | 16 ++++
> >  arch/Kconfig                                  |  2 +
> >  arch/arc/cpu/u-boot.lds                       |  4 +-
> >  arch/arm/config.mk                            |  4 +-
> >  arch/arm/cpu/arm926ejs/sunxi/u-boot-spl.lds   |  4 +-
> >  arch/arm/cpu/armv7/sunxi/u-boot-spl.lds       |  4 +-
> >  arch/arm/cpu/armv8/u-boot-spl.lds             |  4 +-
> >  arch/arm/cpu/armv8/u-boot.lds                 |  4 +-
> >  arch/arm/cpu/u-boot-spl.lds                   |  4 +-
> >  arch/arm/cpu/u-boot.lds                       |  6 +-
> >  arch/arm/mach-at91/arm926ejs/u-boot-spl.lds   |  2 +-
> >  arch/arm/mach-at91/armv7/u-boot-spl.lds       |  2 +-
> >  arch/arm/mach-omap2/u-boot-spl.lds            |  4 +-
> >  arch/arm/mach-orion5x/u-boot-spl.lds          |  4 +-
> >  arch/arm/mach-rockchip/u-boot-tpl-v8.lds      |  4 +-
> >  arch/arm/mach-zynq/u-boot-spl.lds             |  4 +-
> >  arch/arm/mach-zynq/u-boot.lds                 |  4 +-
> >  arch/m68k/cpu/u-boot.lds                      |  4 +-
> >  arch/microblaze/cpu/u-boot-spl.lds            |  4 +-
> >  arch/microblaze/cpu/u-boot.lds                |  4 +-
> >  arch/mips/config.mk                           |  2 +-
> >  arch/mips/cpu/u-boot-spl.lds                  |  4 +-
> >  arch/mips/cpu/u-boot.lds                      |  4 +-
> >  arch/nios2/cpu/u-boot.lds                     |  4 +-
> >  arch/powerpc/cpu/mpc83xx/u-boot.lds           |  4 +-
> >  arch/powerpc/cpu/mpc85xx/u-boot-spl.lds       |  4 +-
> >  arch/powerpc/cpu/mpc85xx/u-boot.lds           |  4 +-
> >  arch/riscv/cpu/u-boot-spl.lds                 |  4 +-
> >  arch/riscv/cpu/u-boot.lds                     |  4 +-
> >  arch/sandbox/config.mk                        | 21 ++++-
> >  arch/sandbox/cpu/os.c                         | 76 +++++++++++++++++
> >  arch/sandbox/cpu/start.c                      |  2 +-
> >  arch/sandbox/cpu/u-boot-spl.lds               | 10 +--
> >  arch/sandbox/cpu/u-boot.lds                   | 32 ++++----
> >  arch/sandbox/dts/test.dts                     |  4 +
> >  arch/sandbox/include/asm/fuzzing_engine.h     | 25 ++++++
> >  arch/sandbox/include/asm/getopt.h             |  2 +-
> >  arch/sandbox/include/asm/main.h               | 18 ++++
> >  arch/sandbox/include/asm/sections.h           |  4 +-
> >  arch/sandbox/lib/sections.c                   |  8 +-
> >  arch/sh/cpu/u-boot.lds                        |  4 +-
> >  arch/x86/cpu/u-boot-64.lds                    |  6 +-
> >  arch/x86/cpu/u-boot-spl.lds                   |  6 +-
> >  arch/x86/cpu/u-boot.lds                       |  6 +-
> >  arch/x86/lib/elf_ia32_efi.lds                 |  4 +-
> >  arch/x86/lib/elf_x86_64_efi.lds               |  4 +-
> >  arch/xtensa/cpu/u-boot.lds                    |  4 +-
> >  arch/xtensa/include/asm/ldscript.h            | 13 ++-
> >  board/compulab/cm_t335/u-boot.lds             |  4 +-
> >  board/cssi/MCR3000/u-boot.lds                 |  4 +-
> >  .../davinci/da8xxevm/u-boot-spl-da850evm.lds  |  2 +-
> >  board/qualcomm/dragonboard820c/u-boot.lds     |  4 +-
> >  board/samsung/common/exynos-uboot-spl.lds     |  4 +-
> >  board/synopsys/iot_devkit/u-boot.lds          |  4 +-
> >  board/ti/am335x/u-boot.lds                    |  4 +-
> >  board/vscom/baltos/u-boot.lds                 |  4 +-
> >  doc/api/linker_lists.rst                      | 22 ++---
> >  doc/develop/commands.rst                      |  4 +-
> >  doc/develop/driver-model/of-plat.rst          |  4 +-
> >  drivers/Kconfig                               |  2 +
> >  drivers/Makefile                              |  1 +
> >  drivers/fuzz/Kconfig                          | 17 ++++
> >  drivers/fuzz/Makefile                         |  8 ++
> >  drivers/fuzz/fuzzing_engine-uclass.c          | 28 +++++++
> >  drivers/fuzz/sandbox_fuzzing_engine.c         | 35 ++++++++
> >  drivers/serial/sandbox.c                      |  2 +-
> >  include/dm/uclass-id.h                        |  1 +
> >  include/fuzzing_engine.h                      | 51 ++++++++++++
> >  include/linker_lists.h                        | 18 ++--
> >  include/test/fuzz.h                           | 51 ++++++++++++
> >  test/Makefile                                 |  1 +
> >  test/fuzz/Makefile                            |  8 ++
> >  test/fuzz/cmd_fuzz.c                          | 82 +++++++++++++++++++
> >  test/fuzz/virtio.c                            | 72 ++++++++++++++++
> >  test/py/tests/test_stackprotector.py          |  1 +
> >  tools/mips-relocs.c                           |  9 +-
> >  77 files changed, 673 insertions(+), 151 deletions(-)
> >  create mode 100644 arch/sandbox/include/asm/fuzzing_engine.h
> >  create mode 100644 arch/sandbox/include/asm/main.h
> >  create mode 100644 drivers/fuzz/Kconfig
> >  create mode 100644 drivers/fuzz/Makefile
> >  create mode 100644 drivers/fuzz/fuzzing_engine-uclass.c
> >  create mode 100644 drivers/fuzz/sandbox_fuzzing_engine.c
> >  create mode 100644 include/fuzzing_engine.h
> >  create mode 100644 include/test/fuzz.h
> >  create mode 100644 test/fuzz/Makefile
> >  create mode 100644 test/fuzz/cmd_fuzz.c
> >  create mode 100644 test/fuzz/virtio.c
> 
> Could you please add some documentation about this in doc/ ? I also
> wonder if we can make the fuzz test run in CI? Finally, can the azure
> stuff work in gitlab too?
> 
> I am interested in using fuzzing to test a new 'Universal Payload'
> feature which basically converts data from a C struct to a devicetree
> and back.

Fuzzing fails on a number of tests, which is why I've moved it to just
run the version test here:
https://patchwork.ozlabs.org/project/uboot/patch/20230820173129.781985-2-trini@konsulko.com/

There's not much point in running it in GitLab too until we get the
errors fixed.

-- 
Tom
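The section-naming point from Andrew's cover letter above (identifier-only ELF section names so the linker exports bounds symbols and clang's ASAN treats the section as user data and adds no redzones), as an added example that is not part of this thread or of U-Boot's own linker_lists.h; the section name `u_boot_list_demo`, the entry struct and the three entries are constructed for the demo:

```c
/* Minimal linker-list demo: entries are placed in an ELF section whose
 * name is a valid C identifier ("u_boot_list_demo", constructed here, no
 * '.' prefix). GNU ld and lld then synthesise __start_/__stop_ bounds for
 * it, and clang's ASAN skips instrumenting such user sections, so walking
 * the list at sizeof() stride stays valid even under -fsanitize=address.
 * Build on Linux with GCC or clang. */
#include <stddef.h>
#include <stdio.h>

struct demo_entry {
    const char *name;
    int value;
};

/* Place an entry in the list section; 'used' stops the compiler dropping
 * it, since nothing references the entries by name. */
#define DEMO_ENTRY(_name, _value)                                       \
    static const struct demo_entry _demo_##_name                        \
        __attribute__((used, section("u_boot_list_demo"))) =           \
        { #_name, (_value) }

/* Linker-provided bounds. A ".u_boot_list" style name would get neither
 * of these, and ASAN would pad between the entries. */
extern const struct demo_entry __start_u_boot_list_demo[];
extern const struct demo_entry __stop_u_boot_list_demo[];

DEMO_ENTRY(alpha, 1);
DEMO_ENTRY(beta, 20);
DEMO_ENTRY(gamma, 300);

/* Number of entries, derived purely from the section bounds: only correct
 * while the entries are packed contiguously at sizeof(struct demo_entry). */
size_t demo_count(void)
{
    return (size_t)(__stop_u_boot_list_demo - __start_u_boot_list_demo);
}

/* Walk the list through the section bounds and sum the values. */
int demo_sum(void)
{
    int sum = 0;
    for (const struct demo_entry *e = __start_u_boot_list_demo;
         e < __stop_u_boot_list_demo; e++)
        sum += e->value;
    return sum;
}

int main(void)
{
    printf("%zu entries, sum %d\n", demo_count(), demo_sum());
    return 0;
}
```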