From: "Richard W.M. Jones" <rjones@redhat.com>
To: sbrivio@redhat.com
CC: passt-dev@passt.top
Subject: [PATCH passt 0/5] Add fuzzing
Date: Thu, 17 Nov 2022 12:26:09 +0000
Message-Id: <20221117122614.1269214-1-rjones@redhat.com>
List-Id: Development discussion and patches for passt

(Note this patch series does not work so far and needs some help, read on ...)

Patches 1 & 2 are general cleanup.

The rest of the patches aim to add fuzzing support for Passt using AFL++, Clang and ASAN. I used the same approach as with libnbd:

  https://gitlab.com/nbdkit/libnbd/-/tree/master/fuzzing

Firstly (patch 3) I added an --fd option. This is useful for fuzzing, but also generally useful. It allows a controller process to open a connected stream socket and pass that down to passt via inheritance. Uses outside fuzzing include: having the controlling process open the socket with elevated privileges, and allowing alternate address families to be used (e.g. vsock or IB).

Unfortunately I don't think the --fd option is working. stracing the code shows the socket being added to the epoll, but it somehow never gets read. It might be something obvious but I couldn't see what was wrong. (NB: The socket passed in is *connected* already).

Patch 4 adds the fuzzing wrapper.
The purpose of the wrapper is to allow AFL to submit test cases to passt as local files. It works by creating a socketpair(2), forking and execing passt in the parent:

  (parent)   passt -f -e -1 --fd
                   |   ^
                   |   |
  (child)          |   input file
                   V
               /dev/null

The child reads the input file (test case) from the command line and pushes it into the socket, while discarding anything written by passt. IOW the child takes the place of qemu.

With all patches applied you can test the wrapper alone using:

  $ ./fuzz-wrapper testcase_dir/empty_tap

You will see that it currently hangs, which it should not do, and I suspect the problem is related to the implementation of --fd as the wrapper is old and well-tested code.

Rich.
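The socketpair/fork structure described in the cover letter, written out as an added example in C. This is not the fuzz-wrapper from the series and not passt code; the fixed fd number 3, the "--fd 3" argument the target is assumed to accept, and the feeder_selftest() helper (which stands in for the "test the wrapper alone" step using a constructed test case) are assumptions made here for illustration.

```c
/* Socketpair/fork fuzz-wrapper skeleton (added example, not the series'
 * fuzz-wrapper): the child feeds a test-case file into one end of a
 * socketpair and discards replies; the target inherits the other end. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child role: push the whole test case into sock, signal end of input, then
 * drain and discard what the target writes (the /dev/null in the diagram).
 * Returns bytes pushed, or -1. */
ssize_t feed_testcase(const char *path, int sock)
{
	char buf[4096];
	ssize_t n, total = 0;
	int in = open(path, O_RDONLY);
	if (in < 0)
		return -1;
	while ((n = read(in, buf, sizeof buf)) > 0) {
		for (ssize_t off = 0; off < n; ) {
			ssize_t w = write(sock, buf + off, (size_t)(n - off));
			if (w < 0) { close(in); return -1; }
			off += w;
		}
		total += n;
	}
	close(in);
	shutdown(sock, SHUT_WR);	/* target reads EOF after the test case */
	while (read(sock, buf, sizeof buf) > 0)
		;			/* discard target output */
	return n < 0 ? -1 : total;
}

/* Wrapper core: make the socketpair, fork the feeder child and return the
 * target's end, left without CLOEXEC on purpose so that exec inherits it. */
int spawn_feeder(const char *path)
{
	int sv[2];
	pid_t pid;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
		return -1;
	if ((pid = fork()) < 0) { close(sv[0]); close(sv[1]); return -1; }
	if (pid == 0) {			/* child: feeder, never returns */
		close(sv[0]);
		_exit(feed_testcase(path, sv[1]) < 0 ? 1 : 0);
	}
	close(sv[1]);
	return sv[0];
}

/* Parent role: move the socket to a fixed fd number (assumed: 3) and exec the
 * target in place, so the fuzzer sees the target's own exit status or crash.
 * Returns -1 only if the exec fails. */
int exec_target(int sock, int target_fd, char *const argv[])
{
	if (sock != target_fd) {
		if (dup2(sock, target_fd) < 0)
			return -1;
		close(sock);
	}
	execvp(argv[0], argv);
	return -1;
}

/* Check of the feeder alone (the "test the wrapper alone" step): write a
 * constructed test case, feed it through the socketpair and count what the
 * target side would read. Returns the byte count, or -1. */
ssize_t feeder_selftest(const char *data, size_t len)
{
	char path[] = "/tmp/fuzz-selftest-XXXXXX", buf[4096];
	ssize_t n, total = 0;
	int sock, fd = mkstemp(path);
	if (fd < 0)
		return -1;
	if (write(fd, data, len) != (ssize_t)len) { close(fd); unlink(path); return -1; }
	close(fd);
	if ((sock = spawn_feeder(path)) < 0) { unlink(path); return -1; }
	while ((n = read(sock, buf, sizeof buf)) > 0)
		total += n;
	close(sock);			/* feeder's drain loop sees EOF and exits */
	while (wait(NULL) > 0)
		;
	unlink(path);			/* only after the feeder has opened it */
	return n < 0 ? -1 : total;
}

int main(int argc, char *argv[])
{
	int sock = argc >= 3 ? spawn_feeder(argv[1]) : -1;
	if (sock >= 0)
		exec_target(sock, 3, argv + 2);	/* returns only on failure */
	fprintf(stderr, "usage: %s TESTCASE TARGET ARGS... (ARGS must include --fd 3; exec failed or bad arguments)\n", argv[0]);
	return 1;
}
```

Assumed invocation: ./wrapper testcase_dir/empty_tap passt -f -e -1 --fd 3. Two details worth checking when a wrapper of this shape hangs: the socketpair is created without SOCK_CLOEXEC, so the target really does inherit the fd across exec, and the feeder half-closes its end with shutdown(SHUT_WR) once the test case is written, so a target that waits for EOF before acting on the input would otherwise block on it forever. feeder_selftest() exercises only the feeder side, so it tells you whether the bytes arrive on the target's end independently of the target.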