From: "Richard W.M. Jones" <rjones@redhat.com>
To: sbrivio@redhat.com
Cc: passt-dev@passt.top
Subject: [PATCH passt v2 0/7] Add fuzzing
Date: Thu, 17 Nov 2022 18:49:31 +0000
Message-ID: <20221117184938.2270462-1-rjones@redhat.com>
With this series, fuzzing actually works, albeit slowly. More on that
below.

Patches 1 & 2 are the same as before.

Patch 3 is Stefano Brivio's modified patch (with some changes that we
discussed together on IRC but otherwise unchanged).

Patch 4 is new, but discussed already upstream: it changes the order
in which EPOLLIN and EPOLLRDHUP events are processed, so that we don't
drop packets when the socket is closed.

Patches 5 & 6 are the hacks that were needed to get fuzzing to work.
Patch 6 removes all seccomp and other isolation stuff because, for
unclear reasons, that breaks AFL instrumentation. AFL appears to fork
off a second process, and somehow strace cannot follow that process,
but the second process fails, and that breaks AFL completely. Without
strace data it's rather hard to see what's going on, so I didn't
investigate this further.

Patch 7 adds the fuzzing wrapper and is not greatly changed from
before. However, I did have to disable the AFL "fork server"
optimization, which somehow doesn't work with passt (it does work fine
with libnbd & nbdkit).

Speed is not great. I'm getting ~75-80 execs/second. Really we want
this to be much higher, since that ultimately governs how fast we can
explore new code paths and find bugs. Ideally well over 1000 execs/s
(per fuzzing process) would be a good target to aim for. (Of course
this depends on the hardware as well.)

We could try to find out why the fork server is not compatible with
passt, but I don't think we'd gain very much performance there. To
explore this I ran a dummy fuzzed process from the same wrapper, and
it was hardly any faster.

I think the real gains are going to come from reducing the overhead of
starting passt. There seem to be some netlink messages sent during
start-up, and maybe if those could be reduced or eliminated we might
see better performance.

The other factor is fuzzing stability, which hovers around 87-90%.
While this isn't necessarily bad, I wonder where the non-determinism
is coming from [ideal figures would be 95-100%]. Passt doesn't appear
to use threads. It does call getrandom (for TCP sequence numbers), so
it'd be good to have a way to bypass that. However, I don't fully
understand what's going on here.

Rich.
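The event-ordering problem that patch 4 addresses, shown as an added C example (not code from passt or from this series). A socketpair stands in for the socket passt reads from: the peer writes one message and closes straight away, so a single epoll_wait() reports EPOLLIN and EPOLLRDHUP together, and the handler either acts on the hangup first (data dropped) or drains the socket first (data kept).

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/epoll.h>
#include <sys/socket.h>
#include <unistd.h>

/* Wait once for events on fd and return the payload bytes kept. With
 * drain_first set, queued data is read before a hangup is acted on (the
 * fixed order); otherwise the hangup closes fd first and the data is lost. */
static ssize_t handle_events(int fd, int drain_first)
{
    struct epoll_event ev = { .events = EPOLLIN | EPOLLRDHUP, .data.fd = fd };
    struct epoll_event out;
    int ep = epoll_create1(0);
    if (ep < 0) return -1;
    if (epoll_ctl(ep, EPOLL_CTL_ADD, fd, &ev) < 0) { close(ep); return -1; }
    int n = epoll_wait(ep, &out, 1, 1000);
    close(ep);
    if (n <= 0) return -1;
    int hup = out.events & (EPOLLRDHUP | EPOLLHUP | EPOLLERR);
    ssize_t total = 0;
    if (hup && !drain_first) {      /* hangup handled first: data is lost */
        close(fd);
        return total;
    }
    if (out.events & EPOLLIN) {     /* drain everything still queued */
        char buf[256];
        ssize_t r;
        while ((r = read(fd, buf, sizeof buf)) > 0)
            total += r;
    }
    if (hup)                        /* only now tear the connection down */
        close(fd);
    return total;
}

/* Constructed scenario: the peer writes one message and closes immediately,
 * so one epoll_wait() reports EPOLLIN and EPOLLRDHUP together. */
static ssize_t demo(int drain_first)
{
    int sv[2];
    const char msg[] = "constructed packet";   /* 18 bytes of sample payload */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    fcntl(sv[0], F_SETFL, O_NONBLOCK);        /* event-loop fds are non-blocking */
    if (write(sv[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) return -1;
    close(sv[1]);                             /* peer hangs up, data still queued */
    return handle_events(sv[0], drain_first);
}
```

demo(0) returns 0 bytes and demo(1) returns 18, which is the whole difference between the two orderings.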
Thread overview (19+ messages):
2022-11-17 18:49 [PATCH passt v2 0/7] Add fuzzing, Richard W.M. Jones (this message)
  2022-11-17 18:49 [PATCH passt v2 1/7] build: Force-create pasta symlink, Richard W.M. Jones
    2022-11-18 01:30 David Gibson
    2022-11-18 07:56 Stefano Brivio
  2022-11-17 18:49 [PATCH passt v2 2/7] build: Remove *~ files with make clean, Richard W.M. Jones
    2022-11-18 01:31 David Gibson
  2022-11-17 18:49 [PATCH passt v2 3/7] passt, tap: Add --fd option, Richard W.M. Jones
  2022-11-17 18:49 [PATCH passt v2 4/7] passt, tap: Process data on the socket before HUP/ERR events, Richard W.M. Jones
    2022-11-18 01:32 David Gibson
  2022-11-17 18:49 [PATCH passt v2 5/7] XXX build: Add extra syscalls needed by AFL instrumentation, Richard W.M. Jones
  2022-11-17 18:49 [PATCH passt v2 6/7] XXX passt: Kill seccomp and other isolation mechanisms, Richard W.M. Jones
  2022-11-17 18:49 [PATCH passt v2 7/7] Import fuzzing wrapper from libnbd, Richard W.M. Jones
  2022-11-17 19:06 [PATCH passt v2 0/7] Add fuzzing, Richard W.M. Jones
  2022-11-18 10:12 Richard W.M. Jones
  2022-11-25 09:23 Stefano Brivio
  2022-11-25 10:11 Richard W.M. Jones
  2022-11-29 13:34 Stefano Brivio
  2022-11-29 13:44 Richard W.M. Jones
  2022-11-30 01:11 David Gibson