[Git][slirp/libslirp][master] 6 commits: Start some fuzzing test
Samuel Thibault (@sthibaul)
gitlab at gitlab.freedesktop.org
Wed Apr 24 23:54:08 UTC 2024
Samuel Thibault pushed to branch master at slirp / libslirp
Commits:
b5f4b774 by Marc-André Lureau at 2024-04-25T01:23:00+02:00
Start some fuzzing test
You can run the tests over the corpus with a "regular" build, then
$ fuzzing/fuzz-input ../fuzzing/IN/*
Or building with fuzzing enabled, and running:
$ CFLAGS="-fsanitize=fuzzer" CC=clang CXX=clang++ meson -Db_lundef=false
$ fuzzing/fuzz-input ../fuzzing/IN
I have an initial corpus which was generated by running fuzz-input for
a few hours starting with qemu.pkt, which is the first packet sent by
qemu. Sadly, it only covers 25%... I tried to increase the coverage
manually, see for example tftp-get-blah.pkt, but that's not so simple,
as multiple packets may be required to set up a session etc.
Nevertheless, the fuzzing already found a few issues, so it might be
worth adding it in its current form.
fuzzing/oss-fuzz.sh is used by oss-fuzz, for Google fuzzing.
(see documentation if you want to reproduce the build locally)
Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
- - - - -
0e9b0ad4 by jeremy marchand at 2024-04-25T01:23:00+02:00
First attempt at fuzzing with libFuzzer based on @elmarco work
The slirp_fuzz_ip_header harness should be working and is a basic
example of a custom mutator focusing on part of the input.
The slirp_fuzz_udp harness needs a bit of work to calculate the checksum
properly.
The code can be built using `meson build` followed by `ninja -C build`;
the current meson.build file is not suitable for general usage.
To run the fuzzing code, just run `build/fuzzing/fuzz-ip-header
fuzzing/IN -detect_leaks=0`; crashes will be written to the current folder and
new inputs will go directly into the `IN` folder.
The main point to focus on to improve the fuzzing should be generating
a better corpus.
- - - - -
884d39ee by Maelie CHAN PENG at 2024-04-25T01:23:00+02:00
fuzzing: Increase coverage
- by adding trace examples
- by separating fuzzing different headers / data
- by adding an echo TCP server forward
- also factoring out code along the way
Also-by: JC <luffy33820 at gmail.com>
Also-by: Alisee Lafontaine <alisee.lafontaine at u-bordeaux.fr>
- - - - -
f045cdc9 by Marc-André Lureau at 2024-04-25T01:23:00+02:00
tcp: hack syn/ack
We don't know in advance what the trace will have received as sequence
number, so when fuzzing tcp, just align on what the trace says
- - - - -
6f28e96e by Samuel Thibault at 2024-04-25T01:52:37+02:00
fuzz: Add ip filtering
It's no use sending the slirp stack the trace packets which are
supposed to be generated by the stack itself. There is also no use fuzzing them, then.
- - - - -
ea785a27 by Samuel Thibault at 2024-04-25T01:52:37+02:00
Add fuzzing CI
- - - - -
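Two of the commits above name work the harness still needs: the UDP harness has to recompute checksums after mutating a packet, and trace packets that the stack itself would have generated should be filtered out rather than fed back in. The following C is an added illustration for this page, not code from libslirp or from these commits. It assumes that stack-generated packets can be recognised by a source address equal to libslirp's default virtual host, 10.0.2.2 (an assumption about how such a filter would work, not the filter the commit adds), and it operates on a constructed IPv4/UDP packet rather than on anything from the corpus.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: libslirp's default virtual host (host side of the 10.0.2.0/24
 * guest network) is 10.0.2.2; trace packets sourced from it came from the stack. */
static const uint8_t VHOST_ADDR[4] = { 10, 0, 2, 2 };

/* Accumulate big-endian 16-bit words into a one's-complement sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    if (len) sum += (uint32_t)p[0] << 8;      /* odd trailing byte, zero-padded */
    return sum;
}

/* Fold carries and complement: the value that goes into a checksum field. */
static uint16_t csum_finish(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IPv4 header length, or 0 if this is not a plausible IPv4 packet. */
static size_t ipv4_hlen(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    return (ihl >= 20 && ihl <= len) ? ihl : 0;
}

/* Sum of the RFC 768 pseudo-header: src, dst, zero, proto 17, UDP length. */
static uint32_t udp_pseudo_sum(const uint8_t *pkt, uint16_t ulen) {
    uint8_t pseudo[12] = { 0 };
    memcpy(pseudo, pkt + 12, 8);
    pseudo[9] = 17;
    pseudo[10] = (uint8_t)(ulen >> 8);
    pseudo[11] = (uint8_t)(ulen & 0xff);
    return csum_add(0, pseudo, sizeof pseudo);
}

/* Filter: 1 if the IPv4 source is the virtual host, i.e. stack-generated traffic. */
int is_from_vhost(const uint8_t *pkt, size_t len) {
    return ipv4_hlen(pkt, len) != 0 && memcmp(pkt + 12, VHOST_ADDR, 4) == 0;
}

/* Recompute the IPv4 header checksum and, for UDP, the UDP checksum.
 * Returns 0 on success, -1 if the packet is too short or inconsistent. */
int fix_checksums(uint8_t *pkt, size_t len) {
    size_t ihl = ipv4_hlen(pkt, len);
    if (!ihl) return -1;
    pkt[10] = pkt[11] = 0;
    uint16_t ipc = csum_finish(csum_add(0, pkt, ihl));
    pkt[10] = (uint8_t)(ipc >> 8);
    pkt[11] = (uint8_t)(ipc & 0xff);
    if (pkt[9] != 17) return 0;               /* only UDP is handled here */
    uint8_t *udp = pkt + ihl;
    if (len - ihl < 8) return -1;
    uint16_t ulen = (uint16_t)((udp[4] << 8) | udp[5]);
    if (ulen < 8 || ulen > len - ihl) return -1;
    udp[6] = udp[7] = 0;
    uint16_t uc = csum_finish(csum_add(udp_pseudo_sum(pkt, ulen), udp, ulen));
    if (uc == 0) uc = 0xffff;                 /* RFC 768: 0 means "no checksum" */
    udp[6] = (uint8_t)(uc >> 8);
    udp[7] = (uint8_t)(uc & 0xff);
    return 0;
}

/* 1 if the IPv4 header checksum and (for UDP) the UDP checksum verify. */
int checksums_valid(const uint8_t *pkt, size_t len) {
    size_t ihl = ipv4_hlen(pkt, len);
    if (!ihl || csum_finish(csum_add(0, pkt, ihl)) != 0) return 0;
    if (pkt[9] != 17) return 1;
    const uint8_t *udp = pkt + ihl;
    if (len - ihl < 8) return 0;
    uint16_t ulen = (uint16_t)((udp[4] << 8) | udp[5]);
    if (ulen < 8 || ulen > len - ihl) return 0;
    if (udp[6] == 0 && udp[7] == 0) return 1; /* sender disabled the checksum */
    return csum_finish(csum_add(udp_pseudo_sum(pkt, ulen), udp, ulen)) == 0;
}

/* Constructed sample (not from the corpus): guest 10.0.2.15:12345 -> 10.0.2.2:53,
 * UDP payload "blah". Returns the total length (32), or 0 if buf is too small. */
size_t build_sample(uint8_t *buf, size_t cap) {
    static const uint8_t src[4] = { 10, 0, 2, 15 }, dst[4] = { 10, 0, 2, 2 };
    const uint16_t ulen = 8 + 4, tot = 20 + ulen;
    if (cap < tot) return 0;
    memset(buf, 0, tot);
    buf[0] = 0x45;                            /* IPv4, IHL 5 */
    buf[2] = (uint8_t)(tot >> 8);  buf[3] = (uint8_t)(tot & 0xff);
    buf[8] = 64;                              /* TTL */
    buf[9] = 17;                              /* UDP */
    memcpy(buf + 12, src, 4);
    memcpy(buf + 16, dst, 4);
    buf[20] = 12345 >> 8; buf[21] = 12345 & 0xff;   /* source port */
    buf[22] = 0;          buf[23] = 53;             /* destination port */
    buf[24] = (uint8_t)(ulen >> 8); buf[25] = (uint8_t)(ulen & 0xff);
    memcpy(buf + 28, "blah", 4);
    fix_checksums(buf, tot);
    return tot;
}

/* One custom-mutator step: flip a payload byte (which makes the UDP checksum
 * stale), then repair. Returns 1 if the repaired packet verifies again. */
int mutate_and_repair(void) {
    uint8_t pkt[64];
    size_t len = build_sample(pkt, sizeof pkt);
    if (!len || !checksums_valid(pkt, len)) return 0;
    pkt[len - 1] ^= 0x5a;                     /* the mutation */
    int stale = !checksums_valid(pkt, len);
    if (fix_checksums(pkt, len) != 0) return 0;
    return stale && checksums_valid(pkt, len);
}

int main(void) {
    printf("mutate_and_repair: %d\n", mutate_and_repair());
    return 0;
}
```

In a libFuzzer harness the repair step belongs at the end of `LLVMFuzzerCustomMutator`, after `LLVMFuzzerMutate` has changed the payload bytes, so that the stack is not handed packets it drops on the checksum before any interesting code runs; the `is_from_vhost` check is the kind of test a corpus loader would apply to each trace packet before handing it to the stack.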
30 changed files:
- .gitlab-ci.yml
- + fuzzing/IN_dhcp/dhcp.pkt
- + fuzzing/IN_dhcp/dhcp_capture.pcap
- + fuzzing/IN_icmp/icmp_capture.pcap
- + fuzzing/IN_icmp/ping_10-0-2-2.pcap
- + fuzzing/IN_ip-header/DNS_freedesktop_1-1-1-1.pcap
- + fuzzing/IN_ip-header/dhcp.pkt
- + fuzzing/IN_ip-header/dhcp_capture.pcap
- + fuzzing/IN_ip-header/icmp_capture.pcap
- + fuzzing/IN_ip-header/nc-10.0.2.2-8080.pcap
- + fuzzing/IN_ip-header/nc-ident.pcap
- + fuzzing/IN_ip-header/ping_10-0-2-2.pcap
- + fuzzing/IN_ip-header/tcp_qemucapt.pcap
- + fuzzing/IN_ip-header/tftp-get-blah.pkt
- + fuzzing/IN_ip-header/tftp_capture.pcap
- + fuzzing/IN_ip-header/tftp_get_libslirp-txt.pcap
- + fuzzing/IN_tcp-d
- + fuzzing/IN_tcp-h
- fuzzing/IN/nc-10.0.2.2-8080.pcap → fuzzing/IN_tcp/nc-10.0.2.2-8080.pcap
- + fuzzing/IN_tcp/nc-ident.pcap
- + fuzzing/IN_tcp/tcp_qemucapt.pcap
- + fuzzing/IN_tftp/tftp-get-blah.pkt
- + fuzzing/IN_tftp/tftp_capture.pcap
- + fuzzing/IN_tftp/tftp_get_libslirp-txt.pcap
- + fuzzing/IN_udp-h
- + fuzzing/IN_udp/DNS_freedesktop_1-1-1-1.pcap
- + fuzzing/IN_udp/dhcp.pkt
- + fuzzing/IN_udp/dhcp_capture.pcap
- + fuzzing/IN_udp/tftp-get-blah.pkt
- + fuzzing/IN_udp/tftp_capture.pcap
The diff was not included because it is too large.
View it on GitLab: https://gitlab.freedesktop.org/slirp/libslirp/-/compare/bdba265ddf1124c4d5475264532254c728b7e78c...ea785a27a2571f2995bac7264755629e7bb9edef