[virglrenderer-devel] [PATCH] fuzzer: Add a libFuzzer based fuzzer.
David Riley
davidriley at chromium.org
Wed Jul 18 20:38:33 UTC 2018
Apologies to anyone who got this email twice -- responded from the wrong
email address initially.
On Wed, Jul 18, 2018 at 4:06 AM Marc-André Lureau <
marcandre.lureau at gmail.com> wrote:
> Hi
>
> On Wed, Jul 18, 2018 at 12:20 AM, David Riley <davidriley at chromium.org>
> wrote:
> > Use LLVM's libFuzzer to fuzz the virgl_renderer_submit_cmd API.
> >
> > Signed-off-by: David Riley <davidriley at chromium.org>
> > ---
> > configure.ac | 10 +-
> > tests/Makefile.am | 2 +
> > tests/fuzzer/Makefile.am | 24 +++++
> > tests/fuzzer/virgl_fuzzer.c | 193 ++++++++++++++++++++++++++++++++++++
> > 4 files changed, 228 insertions(+), 1 deletion(-)
> > create mode 100644 tests/fuzzer/Makefile.am
> > create mode 100644 tests/fuzzer/virgl_fuzzer.c
> >
> > diff --git a/configure.ac b/configure.ac
> > index 0acbccb..c4ce743 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -97,6 +97,13 @@ if test "x$build_tests" = "xyes"; then
> > AC_PATH_PROG(VALGRIND, [valgrind])
> > fi
> >
> > +AC_ARG_ENABLE(fuzzer,
> > + AS_HELP_STRING([--enable-fuzzer], [Build fuzzer targets]),
> > + [enable_fuzzer="$enableval"],
> > + [enable_fuzzer=no]
> > +)
> > +AM_CONDITIONAL(FUZZER, [test "x$enable_fuzzer" = "xyes"])
> > +
> > AC_CHECK_FUNCS_ONCE([eventfd])
> > AC_CHECK_HEADERS_ONCE([sys/uio.h])
> > AM_CONDITIONAL(HAVE_VALGRIND, [test "x$VALGRIND" != "x"])
> > @@ -136,7 +143,6 @@ AS_IF([test "x$with_glx" = "xyes"], [
> > ])
> > AM_CONDITIONAL([WITH_GLX], [test "x$with_glx" = "xyes"])
> >
> > -
> > AC_SUBST([DEFINES])
> > AC_CONFIG_FILES([
> > virglrenderer.pc
> > @@ -145,6 +151,7 @@ AC_CONFIG_FILES([
> > src/gallium/auxiliary/Makefile
> > vtest/Makefile
> > tests/Makefile
> > + tests/fuzzer/Makefile
> > ])
> > AC_OUTPUT
> >
> > @@ -161,5 +168,6 @@ AC_MSG_NOTICE([
> > egl: $epoxy_has_egl
> > debug: $enable_debug
> > tests: $build_tests
> > + fuzzer: $enable_fuzzer
> >
> > ])
> > diff --git a/tests/Makefile.am b/tests/Makefile.am
> > index 8a693e5..592f0fb 100644
> > --- a/tests/Makefile.am
> > +++ b/tests/Makefile.am
> > @@ -1,3 +1,5 @@
> > +SUBDIRS = fuzzer
> > +
> > if BUILD_TESTS
> >
> > AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/src/gallium/include
> $(CHECK_CFLAGS) -I$(top_srcdir)/src/gallium/auxiliary $(DEFINES)
> > diff --git a/tests/fuzzer/Makefile.am b/tests/fuzzer/Makefile.am
> > new file mode 100644
> > index 0000000..b9e636b
> > --- /dev/null
> > +++ b/tests/fuzzer/Makefile.am
> > @@ -0,0 +1,24 @@
> > +AM_CFLAGS = \
> > + -I$(top_srcdir)/src/gallium/drivers/virgl \
> > + -I$(top_srcdir)/src/gallium/include \
> > + -I$(top_srcdir)/src/gallium/auxiliary \
> > + -I$(top_srcdir)/src/gallium/drivers \
> > + -I$(top_srcdir)/include \
> > + -I$(top_srcdir)/src \
> > + $(DEFINES) \
> > + $(PIC_FLAGS) \
> > + $(LIBDRM_CFLAGS) \
> > + $(EPOXY_CFLAGS) \
> > + $(VISIBILITY_CFLAGS) \
> > + $(CODE_COVERAGE_CFLAGS) \
> > + -fsanitize=address \
> > + -fsanitize=fuzzer
> > +
> > +if FUZZER
> > +noinst_PROGRAMS = virgl_fuzzer
> > +
> > +virgl_fuzzer_SOURCES = \
> > + virgl_fuzzer.c
> > +
> > +virgl_fuzzer_LDADD = $(top_builddir)/src/libvirglrenderer.la
> $(EPOXY_LIBS)
> > +endif
> > diff --git a/tests/fuzzer/virgl_fuzzer.c b/tests/fuzzer/virgl_fuzzer.c
> > new file mode 100644
> > index 0000000..b8f73e2
> > --- /dev/null
> > +++ b/tests/fuzzer/virgl_fuzzer.c
> > @@ -0,0 +1,193 @@
> > +// Copyright 2018 The Chromium OS Authors. All rights reserved.
> > +//
> > +// Redistribution and use in source and binary forms, with or without
> > +// modification, are permitted provided that the following conditions
> are
> > +// met:
> > +//
> > +// * Redistributions of source code must retain the above copyright
> > +// notice, this list of conditions and the following disclaimer.
> > +// * Redistributions in binary form must reproduce the above
> > +// copyright notice, this list of conditions and the following
> disclaimer
> > +// in the documentation and/or other materials provided with the
> > +// distribution.
> > +// * Neither the name of Google Inc. nor the names of its
> > +// contributors may be used to endorse or promote products derived from
> > +// this software without specific prior written permission.
> > +//
> > +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
> > +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> > +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
> > +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
> > +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> > +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> > +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> > +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> > +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> > +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> > +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> > +
> > +// libfuzzer-based fuzzer for public APIs.
> > +
> > +#include <assert.h>
> > +#include <stdint.h>
> > +#include <stdlib.h>
> > +#include <string.h>
> > +#include <unistd.h>
> > +
> > +#include <epoxy/egl.h>
> > +
> > +#include "virglrenderer.h"
> > +
> > +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
> > +
> > +#ifndef CLEANUP_EACH_INPUT
> > +// eglInitialize leaks unless eglTeriminate is called (which only
> happens
> > +// with CLEANUP_EACH_INPUT), so suppress leak detection on everything
> > +// allocated by it.
> > +
> > +#if !defined(__has_feature)
> > +#define __has_feature(x) 0
> > +#endif
> > +
> > +#if __has_feature(address_sanitizer)
> > +const char* __lsan_default_suppressions(void);
> > +
> > +const char* __lsan_default_suppressions() {
> > + return "leak:eglInitialize\n";
> > +}
> > +#endif // __has_feature(address_sanitizer)
> > +
> > +#endif // !CLEANUP_EACH_INPUT
> > +
> > +struct fuzzer_cookie
> > +{
> > + EGLDisplay display;
> > + EGLConfig egl_config;
> > + EGLContext ctx;
> > +};
> > +
> > +static void fuzzer_write_fence(void *opaque, uint32_t fence)
> > +{
> > +}
> > +
> > +static virgl_renderer_gl_context fuzzer_create_gl_context(
> > + void *cookie, int scanout_idx, struct virgl_renderer_gl_ctx_param
> *param)
> > +{
> > + struct fuzzer_cookie *cookie_data = cookie;
> > + EGLContext shared = param->shared ? eglGetCurrentContext() : NULL;
> > + const EGLint context_attribs[] = { EGL_CONTEXT_CLIENT_VERSION, 3,
> > + EGL_NONE };
> > + EGLContext ctx = eglCreateContext(cookie_data->display,
> > + cookie_data->egl_config,
> > + shared,
> > + context_attribs);
> > + assert(ctx);
> > +
> > + return ctx;
> > +}
> > +
> > +static void fuzzer_destroy_gl_context(void *cookie,
> > + virgl_renderer_gl_context ctx)
> > +{
> > + struct fuzzer_cookie *cookie_data = cookie;
> > + eglDestroyContext(cookie_data->display, ctx);
> > +}
> > +
> > +static int fuzzer_make_current(void *cookie, int scanout_idx,
> virgl_renderer_gl_context ctx)
> > +{
> > + return 0;
> > +}
> > +
> > +const int FUZZER_CTX_ID = 1;
> > +const char *SWRAST_ENV = "LIBGL_ALWAYS_SOFTWARE";
> > +
> > +static struct fuzzer_cookie cookie;
> > +
> > +static struct virgl_renderer_callbacks fuzzer_cbs = {
> > + .version = 1,
> > + .write_fence = fuzzer_write_fence,
> > + .create_gl_context = fuzzer_create_gl_context,
> > + .destroy_gl_context = fuzzer_destroy_gl_context,
> > + .make_current = fuzzer_make_current,
> > +};
> > +
> > +static bool initialized = false;
> > +
> > +static int initialize_environment()
> > +{
> > + if (!initialized) {
> > + // Force SW rendering unless env variable is already set.
> > + setenv(SWRAST_ENV, "true", 0);
> > +
> > + cookie.display = eglGetDisplay(EGL_DEFAULT_DISPLAY);
> > + assert(cookie.display != EGL_NO_DISPLAY);
> > +
> > + assert(eglInitialize(cookie.display, NULL, NULL));
> > +
> > + const EGLint config_attribs[] = { EGL_SURFACE_TYPE, EGL_DONT_CARE,
> > + EGL_NONE };
> > + EGLint num_configs;
> > + assert(eglChooseConfig(cookie.display, config_attribs,
> > + &cookie.egl_config, 1, &num_configs));
> > +
> > + assert(eglBindAPI(EGL_OPENGL_ES_API));
> > +
> > + const EGLint context_attribs[] = { EGL_CONTEXT_CLIENT_VERSION, 3,
> > + EGL_NONE };
> > + cookie.ctx = eglCreateContext(cookie.display, cookie.egl_config,
> > + EGL_NO_CONTEXT, context_attribs);
> > + assert(cookie.ctx != EGL_NO_CONTEXT);
> > +
> > + assert(eglMakeCurrent(cookie.display, EGL_NO_SURFACE,
> EGL_NO_SURFACE,
> > + cookie.ctx));
> > +
> > + initialized = true;
> > + }
> > +
> > + return FUZZER_CTX_ID;
> > +}
> > +
> > +#ifdef CLEANUP_EACH_INPUT
> > +static void cleanup_environment()
> > +{
> > + if (cookie.ctx != EGL_NO_CONTEXT) {
> > + eglMakeCurrent(cookie.display, NULL, NULL, NULL);
> > + eglDestroyContext(cookie.display, cookie.ctx);
> > + }
> > +
> > + if (cookie.display != EGL_NO_DISPLAY) {
> > + eglTerminate(cookie.display);
> > + }
> > +
> > + initialized = false;
> > +}
> > +#endif
> > +
> > +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
> > +{
> > + uint32_t ctx_id = initialize_environment();
> > +
> > + // There are trade-offs here between ensuring that state is not
> persisted
> > + // between invocations of virgl_renderer_submit_cmd, and to avoid
> leaking
> > + // resources that comes with repeated dlopen()/dlclose()ing the mesa
> > + // driver with each eglInitialize()/eglTerminate() if
> CLEANUP_EACH_INPUT
> > + // is set.
> > +
> > + assert(!virgl_renderer_init(&cookie, 0, &fuzzer_cbs));
> > +
> > + const char *name = "fuzzctx";
> > + assert(!virgl_renderer_context_create(ctx_id, strlen(name), name));
> > +
> > + virgl_renderer_submit_cmd((void *) data, ctx_id, size /
> sizeof(uint32_t));
>
> I guess this approach is a bit limited if you don't create resources.
>
> The approach I took when doing some AFL fuzzing some time ago was
> save/replay on the vtest bitstream. See commit
> 1b736c547a654647c7c86b41778fb5750d033367.
>
> But it is still too naive to reach a good coverage quickly. I
> guessit's a common problem with fuzzing: how to reach an interesting
> state.
>
It's intended as a starting point to start and get some coverage.
libFuzzer supports the ability to maintain a corpus of interesting inputs
which it builds upon to expand coverage. Just running locally I'm seeing
about 66% coverage on vrend_decode.c at this point and we've found about
half a dozen issues.
Further down the road, I think the expectation would be to start
structuring some of the input instead of just blindly passing it all to
submit_cmd. For example, consume some of the input stream to generate an
initial boolean value, where if true, create some resources manually prior
to issuing data to submit_cmd. Similarly, other APIs and more structured
testing can be done some of the time based on interpretation of the input
data.
>
> > +
> > + virgl_renderer_context_destroy(ctx_id);
> > +
> > + virgl_renderer_cleanup(&cookie);
> > +
> > +#ifdef CLEANUP_EACH_INPUT
> > + // The following cleans up between each input which is a lot slower.
> > + cleanup_environment();
> > +#endif
> > +
> > + return 0;
> > +}
> > --
> > 2.18.0.203.gfac676dfb9-goog
> >
> > _______________________________________________
> > virglrenderer-devel mailing list
> > virglrenderer-devel at lists.freedesktop.org
> > https://lists.freedesktop.org/mailman/listinfo/virglrenderer-devel
>
>
>
> --
> Marc-André Lureau
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/virglrenderer-devel/attachments/20180718/4c5b8cc4/attachment-0001.html>
More information about the virglrenderer-devel
mailing list