From patchwork Thu Apr 14 13:59:29 2022
X-Patchwork-Submitter: Andrew Scull
X-Patchwork-Id: 1617260
Date: Thu, 14 Apr 2022 13:59:29 +0000
Message-Id: <20220414135941.1732585-1-ascull@google.com>
Subject: [PATCH 00/11] Fuzzing and ASAN for sandbox
From: Andrew Scull
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, xypron.glpk@gmx.de, Andrew Scull
List-Id: U-Boot discussion

This series sets up a basic fuzzing infrastructure that works with sandbox.
The example fuzz test towards the end of the series will find something
pretty quickly. That something is fixed by the series "virtio: Harden and
test vring" that needs to be applied for the final patch in this series.

There is some refactoring to stop using '.'-prefixed sections that ELF
defines as being for system use and clang's ASAN instrumentation happily
adds redzones between, but that's not what we want for things like linker
lists where the linker script has carefully placed the sections
contiguously.

It may require patches from the "Fix misc ASAN reports" series to be
applied as I've already dealt with the first set of ASAN reports from
running the tests.
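The linker-list point above, as an added illustration that is not code from this series or from U-Boot: entries are emitted into one named section and walked by entry stride between the section's bounds, so the list only works while the linker keeps the entries contiguous. The section name `u_boot_list_demo`, the `list_entry` struct, the `LIST_ENTRY` macro and the handlers are all hypothetical. U-Boot's real lists are bounded by symbols its linker scripts define (the .lds files in the diffstat), which is what lets a '.'-prefixed section be used there; this example leans instead on the `__start_`/`__stop_` symbols GNU ld and lld provide for orphan sections whose names are valid C identifiers, so it builds with no linker script. That naming is also what the series' rename relies on: clang's ASAN leaves globals in C-identifier-named sections uninstrumented, whereas a '.'-prefixed section gets redzones between its objects and the contiguity check below would fail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry of a linker-generated list: a name and a handler. */
struct list_entry {
	const char *name;
	int (*handler)(int);
};

/* Hypothetical section name: a valid C identifier, no '.' prefix. */
#define LIST_SECTION "u_boot_list_demo"

/* Place an entry in the list section; 'used' keeps it past optimisation. */
#define LIST_ENTRY(sym, name_str, fn)                                   \
	static const struct list_entry sym                              \
		__attribute__((used, section(LIST_SECTION))) = { name_str, fn }

static int handler_inc(int x) { return x + 1; }
static int handler_dbl(int x) { return x * 2; }
static int handler_sq(int x) { return x * x; }

LIST_ENTRY(entry_inc, "inc", handler_inc);
LIST_ENTRY(entry_dbl, "dbl", handler_dbl);
LIST_ENTRY(entry_sq, "sq", handler_sq);

/* Bounds the linker synthesises for the C-identifier-named section. */
extern const struct list_entry __start_u_boot_list_demo[];
extern const struct list_entry __stop_u_boot_list_demo[];

/* Byte length of the section exactly as the linker laid it out. */
static size_t list_bytes(void)
{
	return (size_t)((uintptr_t)__stop_u_boot_list_demo -
			(uintptr_t)__start_u_boot_list_demo);
}

/*
 * The assumption every linker list makes: the section is an exact multiple
 * of the entry size. ASAN redzones between the entries would break this.
 */
int list_is_contiguous(void)
{
	return list_bytes() % sizeof(struct list_entry) == 0;
}

size_t list_count(void)
{
	return list_bytes() / sizeof(struct list_entry);
}

/* Walk by entry stride; lookup is by name so entry order does not matter. */
const struct list_entry *list_find(const char *name)
{
	size_t n = list_count();

	for (size_t i = 0; i < n; i++) {
		const struct list_entry *e = &__start_u_boot_list_demo[i];

		if (strcmp(e->name, name) == 0)
			return e;
	}
	return NULL;
}

/* Call the named handler; -1 when no entry matches. */
int list_dispatch(const char *name, int arg)
{
	const struct list_entry *e = list_find(name);

	return e ? e->handler(arg) : -1;
}

int main(void)
{
	printf("%zu entries, contiguous=%d\n", list_count(),
	       list_is_contiguous());
	printf("dbl(21) = %d\n", list_dispatch("dbl", 21));
	return 0;
}
```

The count is derived from the section's byte length rather than from any registry, which is the property the series protects: once instrumentation pads the objects, `list_is_contiguous()` turns false and a stride walk reads redzone bytes as entries.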
From v1:
 - corrected handling of EFI symbols by sandbox linker script
 - per comments, some renaming and explaining
 - dropped RFC for dlmalloc ASAN instrumentation (work required to improve it)
 - added patch to reduce logging noise in fuzzer

Andrew Scull (12):
  sandbox: Fix EFI runtime symbol placement
  sandbox: Rename EFI runtime sections
  sandbox: Migrate getopt section to linker list
  linker_lists: Rename sections to remove . prefix
  sandbox: Add support for Address Sanitizer
  fuzzing_engine: Add fuzzing engine uclass
  test: fuzz: Add framework for fuzzing
  sandbox: Decouple program entry from sandbox init
  sandbox: Add libfuzzer integration
  sandbox: Implement fuzzing engine driver
  fuzz: virtio: Add fuzzer for vring
  virtio_ring: Reduce logging noise

 Kconfig                                       | 16 +++
 arch/Kconfig                                  |  2 +
 arch/arc/cpu/u-boot.lds                       |  4 +-
 arch/arm/config.mk                            |  4 +-
 arch/arm/cpu/arm926ejs/sunxi/u-boot-spl.lds   |  4 +-
 arch/arm/cpu/armv7/sunxi/u-boot-spl.lds       |  4 +-
 arch/arm/cpu/armv8/u-boot-spl.lds             |  4 +-
 arch/arm/cpu/armv8/u-boot.lds                 |  4 +-
 arch/arm/cpu/u-boot-spl.lds                   |  4 +-
 arch/arm/cpu/u-boot.lds                       |  6 +-
 arch/arm/mach-at91/arm926ejs/u-boot-spl.lds   |  2 +-
 arch/arm/mach-at91/armv7/u-boot-spl.lds       |  2 +-
 arch/arm/mach-omap2/u-boot-spl.lds            |  4 +-
 arch/arm/mach-orion5x/u-boot-spl.lds          |  4 +-
 arch/arm/mach-rockchip/u-boot-tpl-v8.lds      |  4 +-
 arch/arm/mach-zynq/u-boot-spl.lds             |  4 +-
 arch/arm/mach-zynq/u-boot.lds                 |  4 +-
 arch/m68k/cpu/u-boot.lds                      |  4 +-
 arch/microblaze/cpu/u-boot-spl.lds            |  4 +-
 arch/microblaze/cpu/u-boot.lds                |  4 +-
 arch/mips/config.mk                           |  2 +-
 arch/mips/cpu/u-boot-spl.lds                  |  4 +-
 arch/mips/cpu/u-boot.lds                      |  4 +-
 arch/nds32/cpu/n1213/u-boot.lds               |  4 +-
 arch/nios2/cpu/u-boot.lds                     |  4 +-
 arch/powerpc/cpu/mpc83xx/u-boot.lds           |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot-nand.lds      |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot-nand_spl.lds  |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot-spl.lds       |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot.lds           |  4 +-
 arch/riscv/cpu/u-boot-spl.lds                 |  4 +-
 arch/riscv/cpu/u-boot.lds                     |  4 +-
 arch/sandbox/config.mk                        | 15 ++-
 arch/sandbox/cpu/os.c                         | 97 ++++++++++++++++---
 arch/sandbox/cpu/start.c                      | 12 +--
 arch/sandbox/cpu/u-boot-spl.lds               | 10 +-
 arch/sandbox/cpu/u-boot.lds                   | 41 ++++----
 arch/sandbox/dts/test.dts                     |  4 +
 arch/sandbox/include/asm/fuzzing_engine.h     | 25 +++++
 arch/sandbox/include/asm/getopt.h             | 19 ++--
 arch/sandbox/include/asm/main.h               | 18 ++++
 arch/sandbox/include/asm/sections.h           | 25 -----
 arch/sandbox/lib/sections.c                   |  8 +-
 arch/sh/cpu/u-boot.lds                        |  4 +-
 arch/x86/cpu/u-boot-64.lds                    |  6 +-
 arch/x86/cpu/u-boot-spl.lds                   |  6 +-
 arch/x86/cpu/u-boot.lds                       |  6 +-
 arch/x86/lib/elf_ia32_efi.lds                 |  4 +-
 arch/x86/lib/elf_x86_64_efi.lds               |  4 +-
 arch/xtensa/cpu/u-boot.lds                    |  2 +-
 arch/xtensa/include/asm/ldscript.h            |  4 +-
 board/compulab/cm_t335/u-boot.lds             |  4 +-
 board/cssi/MCR3000/u-boot.lds                 |  4 +-
 .../davinci/da8xxevm/u-boot-spl-da850evm.lds  |  2 +-
 board/qualcomm/dragonboard820c/u-boot.lds     |  4 +-
 board/samsung/common/exynos-uboot-spl.lds     |  4 +-
 board/synopsys/iot_devkit/u-boot.lds          |  4 +-
 board/ti/am335x/u-boot.lds                    |  4 +-
 board/vscom/baltos/u-boot.lds                 |  4 +-
 configs/sandbox_defconfig                     |  1 +
 doc/api/linker_lists.rst                      | 22 ++---
 doc/develop/commands.rst                      |  4 +-
 doc/develop/driver-model/of-plat.rst          |  4 +-
 drivers/Kconfig                               |  2 +
 drivers/Makefile                              |  1 +
 drivers/fuzz/Kconfig                          | 17 ++++
 drivers/fuzz/Makefile                         |  8 ++
 drivers/fuzz/fuzzing_engine-uclass.c          | 28 ++++++
 drivers/fuzz/sandbox_fuzzing_engine.c         | 35 +++++++
 drivers/virtio/virtio_ring.c                  |  4 +-
 include/dm/uclass-id.h                        |  1 +
 include/fuzzing_engine.h                      | 51 ++++++++++
 include/linker_lists.h                        | 18 ++--
 include/test/fuzz.h                           | 51 ++++++++++
 test/Makefile                                 |  1 +
 test/fuzz/Makefile                            |  8 ++
 test/fuzz/cmd_fuzz.c                          | 82 ++++++++++++++++
 test/fuzz/virtio.c                            | 72 ++++++++++++++
 78 files changed, 680 insertions(+), 204 deletions(-)
 create mode 100644 arch/sandbox/include/asm/fuzzing_engine.h
 create mode 100644 arch/sandbox/include/asm/main.h
 create mode 100644 drivers/fuzz/Kconfig
 create mode 100644 drivers/fuzz/Makefile
 create mode 100644 drivers/fuzz/fuzzing_engine-uclass.c
 create mode 100644 drivers/fuzz/sandbox_fuzzing_engine.c
 create mode 100644 include/fuzzing_engine.h
 create mode 100644 include/test/fuzz.h
 create mode 100644 test/fuzz/Makefile
 create mode 100644 test/fuzz/cmd_fuzz.c
 create mode 100644 test/fuzz/virtio.c
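The layering the series introduces (a fuzzing engine layer between libFuzzer and the fuzz tests, so a test asks the engine for its input rather than binding to one engine), as an added example that is not code from this series or from U-Boot. The engine functions `fuzzing_engine_set_input` and `fuzzing_engine_get_input`, the test `fuzz_test_records` and the code under test `parse_records` are hypothetical; `LLVMFuzzerTestOneInput` is libFuzzer's real entry point and is the only engine-specific function here. The sample inputs in `main` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ---- engine layer: holds the input the entry point was handed ---- */
static const uint8_t *engine_data;
static size_t engine_size;
static int engine_has_input;

/* Driver side: the engine entry point publishes the current input. */
static void fuzzing_engine_set_input(const uint8_t *data, size_t size)
{
	engine_data = data;
	engine_size = size;
	engine_has_input = 1;
}

/* Test side: fetch the current input; -1 when no engine has run yet. */
int fuzzing_engine_get_input(const uint8_t **data, size_t *size)
{
	if (!engine_has_input)
		return -1;
	*data = engine_data;
	*size = engine_size;
	return 0;
}

/* ---- code under test: length-prefixed records with bounds checks ---- */
/*
 * Each record is one length byte followed by that many payload bytes.
 * Returns the record count, or -1 for a zero-length or truncated record,
 * deciding before any byte past the buffer end is touched.
 */
int parse_records(const uint8_t *buf, size_t len)
{
	size_t off = 0;
	int count = 0;

	while (off < len) {
		size_t rec_len = buf[off];

		/* off < len here, so len - off - 1 cannot underflow */
		if (rec_len == 0 || rec_len > len - off - 1)
			return -1;
		off += 1 + rec_len;
		count++;
	}
	return count;
}

/* ---- the fuzz test: engine-agnostic, knows only the engine API ---- */
static int last_parse_result;

int fuzz_test_records(void)
{
	const uint8_t *data;
	size_t size;

	if (fuzzing_engine_get_input(&data, &size))
		return -1;
	last_parse_result = parse_records(data, size);
	return 0;
}

int fuzz_last_parse_result(void)
{
	return last_parse_result;
}

/* ---- libFuzzer entry point: the one engine-specific function ---- */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	fuzzing_engine_set_input(data, size);
	fuzz_test_records();
	return 0;	/* libFuzzer expects 0 */
}

int main(void)
{
	/* constructed sample inputs */
	static const uint8_t good[] = { 2, 'a', 'b', 1, 'c' };
	static const uint8_t truncated[] = { 3, 'a' };

	LLVMFuzzerTestOneInput(good, sizeof(good));
	printf("good: %d records\n", fuzz_last_parse_result());
	LLVMFuzzerTestOneInput(truncated, sizeof(truncated));
	printf("truncated: %d\n", fuzz_last_parse_result());
	return 0;
}
```

Built with `clang -fsanitize=fuzzer,address`, libFuzzer supplies `main` and drives `LLVMFuzzerTestOneInput`; built normally, the file's own `main` replays fixed inputs through the same path, which is how a finding can be reproduced without the engine. Swapping the engine only means replacing the entry point that calls `fuzzing_engine_set_input`.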