<div dir="ltr">Apologies to anyone who got this email twice -- responded from the wrong email address initially. <div class="gmail_quote"><div dir="ltr">On Wed, Jul 18, 2018 at 4:06 AM Marc-André Lureau <<a href="mailto:marcandre.lureau@gmail.com">marcandre.lureau@gmail.com</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi On Wed, Jul 18, 2018 at 12:20 AM, David Riley <<a href="mailto:davidriley@chromium.org" target="_blank">davidriley@chromium.org</a>> wrote: > Use LLVM's libFuzzer to fuzz the virgl_renderer_submit_cmd API. > > Signed-off-by: David Riley <<a href="mailto:davidriley@chromium.org" target="_blank">davidriley@chromium.org</a>> > --- > <a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> | 10 +- > tests/Makefile.am | 2 + > tests/fuzzer/Makefile.am | 24 +++++ > tests/fuzzer/virgl_fuzzer.c | 193 ++++++++++++++++++++++++++++++++++++ > 4 files changed, 228 insertions(+), 1 deletion(-) > create mode 100644 tests/fuzzer/Makefile.am > create mode 100644 tests/fuzzer/virgl_fuzzer.c > > diff --git a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> > index 0acbccb..c4ce743 100644 > --- a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> > +++ b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> > @@ -97,6 +97,13 @@ if test "x$build_tests" = "xyes"; then > AC_PATH_PROG(VALGRIND, [valgrind]) > fi > > +AC_ARG_ENABLE(fuzzer, > + AS_HELP_STRING([--enable-fuzzer], [Build fuzzer targets]), > + [enable_fuzzer="$enableval"], > + [enable_fuzzer=no] > +) > +AM_CONDITIONAL(FUZZER, [test "x$enable_fuzzer" = "xyes"]) > + > AC_CHECK_FUNCS_ONCE([eventfd]) > AC_CHECK_HEADERS_ONCE([sys/uio.h]) > AM_CONDITIONAL(HAVE_VALGRIND, [test "x$VALGRIND" != "x"]) > @@ -136,7 +143,6 @@ AS_IF([test "x$with_glx" = "xyes"], [ > ]) > AM_CONDITIONAL([WITH_GLX], [test "x$with_glx" = "xyes"]) > > - > AC_SUBST([DEFINES]) > AC_CONFIG_FILES([ > virglrenderer.pc > @@ -145,6 +151,7 @@ AC_CONFIG_FILES([ > src/gallium/auxiliary/Makefile > vtest/Makefile > tests/Makefile > + tests/fuzzer/Makefile > ]) > AC_OUTPUT > > @@ -161,5 +168,6 @@ AC_MSG_NOTICE([ > egl: $epoxy_has_egl > debug: $enable_debug > tests: $build_tests > + fuzzer: $enable_fuzzer > > ]) > diff --git a/tests/Makefile.am b/tests/Makefile.am > index 8a693e5..592f0fb 100644 > --- a/tests/Makefile.am > +++ b/tests/Makefile.am > @@ -1,3 +1,5 @@ > +SUBDIRS = fuzzer > + > if BUILD_TESTS > > AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/src/gallium/include $(CHECK_CFLAGS) -I$(top_srcdir)/src/gallium/auxiliary $(DEFINES) > diff --git a/tests/fuzzer/Makefile.am b/tests/fuzzer/Makefile.am > new file mode 100644 > index 0000000..b9e636b > --- /dev/null > +++ b/tests/fuzzer/Makefile.am > @@ -0,0 +1,24 @@ > +AM_CFLAGS = \ > + -I$(top_srcdir)/src/gallium/drivers/virgl \ > + -I$(top_srcdir)/src/gallium/include \ > + -I$(top_srcdir)/src/gallium/auxiliary \ > + -I$(top_srcdir)/src/gallium/drivers \ > + -I$(top_srcdir)/include \ > + -I$(top_srcdir)/src \ > + $(DEFINES) \ > + $(PIC_FLAGS) \ > + $(LIBDRM_CFLAGS) \ > + $(EPOXY_CFLAGS) \ > + $(VISIBILITY_CFLAGS) \ > + $(CODE_COVERAGE_CFLAGS) \ > + -fsanitize=address \ > + -fsanitize=fuzzer > + > +if FUZZER > +noinst_PROGRAMS = virgl_fuzzer > + > +virgl_fuzzer_SOURCES = \ > + virgl_fuzzer.c > + > +virgl_fuzzer_LDADD = $(top_builddir)/src/<a href="http://libvirglrenderer.la" rel="noreferrer" target="_blank">libvirglrenderer.la</a> $(EPOXY_LIBS) > +endif > diff --git a/tests/fuzzer/virgl_fuzzer.c b/tests/fuzzer/virgl_fuzzer.c > new file mode 100644 > index 0000000..b8f73e2 > --- /dev/null > +++ b/tests/fuzzer/virgl_fuzzer.c > @@ -0,0 +1,193 @@ > +// Copyright 2018 The Chromium OS Authors. All rights reserved. > +// > +// Redistribution and use in source and binary forms, with or without > +// modification, are permitted provided that the following conditions are > +// met: > +// > +// * Redistributions of source code must retain the above copyright > +// notice, this list of conditions and the following disclaimer. > +// * Redistributions in binary form must reproduce the above > +// copyright notice, this list of conditions and the following disclaimer > +// in the documentation and/or other materials provided with the > +// distribution. > +// * Neither the name of Google Inc. nor the names of its > +// contributors may be used to endorse or promote products derived from > +// this software without specific prior written permission. > +// > +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS > +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR > +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT > +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + > +// libfuzzer-based fuzzer for public APIs. > + > +#include <assert.h> > +#include <stdint.h> > +#include <stdlib.h> > +#include <string.h> > +#include <unistd.h> > + > +#include <epoxy/egl.h> > + > +#include "virglrenderer.h" > + > +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size); > + > +#ifndef CLEANUP_EACH_INPUT > +// eglInitialize leaks unless eglTeriminate is called (which only happens > +// with CLEANUP_EACH_INPUT), so suppress leak detection on everything > +// allocated by it. > + > +#if !defined(__has_feature) > +#define __has_feature(x) 0 > +#endif > + > +#if __has_feature(address_sanitizer) > +const char* __lsan_default_suppressions(void); > + > +const char* __lsan_default_suppressions() { > + return "leak:eglInitialize\n"; > +} > +#endif // __has_feature(address_sanitizer) > + > +#endif // !CLEANUP_EACH_INPUT > + > +struct fuzzer_cookie > +{ > + EGLDisplay display; > + EGLConfig egl_config; > + EGLContext ctx; > +}; > + > +static void fuzzer_write_fence(void *opaque, uint32_t fence) > +{ > +} > + > +static virgl_renderer_gl_context fuzzer_create_gl_context( > + void *cookie, int scanout_idx, struct virgl_renderer_gl_ctx_param *param) > +{ > + struct fuzzer_cookie *cookie_data = cookie; > + EGLContext shared = param->shared ? eglGetCurrentContext() : NULL; > + const EGLint context_attribs[] = { EGL_CONTEXT_CLIENT_VERSION, 3, > + EGL_NONE }; > + EGLContext ctx = eglCreateContext(cookie_data->display, > + cookie_data->egl_config, > + shared, > + context_attribs); > + assert(ctx); > + > + return ctx; > +} > + > +static void fuzzer_destroy_gl_context(void *cookie, > + virgl_renderer_gl_context ctx) > +{ > + struct fuzzer_cookie *cookie_data = cookie; > + eglDestroyContext(cookie_data->display, ctx); > +} > + > +static int fuzzer_make_current(void *cookie, int scanout_idx, virgl_renderer_gl_context ctx) > +{ > + return 0; > +} > + > +const int FUZZER_CTX_ID = 1; > +const char *SWRAST_ENV = "LIBGL_ALWAYS_SOFTWARE"; > + > +static struct fuzzer_cookie cookie; > + > +static struct virgl_renderer_callbacks fuzzer_cbs = { > + .version = 1, > + .write_fence = fuzzer_write_fence, > + .create_gl_context = fuzzer_create_gl_context, > + .destroy_gl_context = fuzzer_destroy_gl_context, > + .make_current = fuzzer_make_current, > +}; > + > +static bool initialized = false; > + > +static int initialize_environment() > +{ > + if (!initialized) { > + // Force SW rendering unless env variable is already set. > + setenv(SWRAST_ENV, "true", 0); > + > + cookie.display = eglGetDisplay(EGL_DEFAULT_DISPLAY); > + assert(cookie.display != EGL_NO_DISPLAY); > + > + assert(eglInitialize(cookie.display, NULL, NULL)); > + > + const EGLint config_attribs[] = { EGL_SURFACE_TYPE, EGL_DONT_CARE, > + EGL_NONE }; > + EGLint num_configs; > + assert(eglChooseConfig(cookie.display, config_attribs, > + &cookie.egl_config, 1, &num_configs)); > + > + assert(eglBindAPI(EGL_OPENGL_ES_API)); > + > + const EGLint context_attribs[] = { EGL_CONTEXT_CLIENT_VERSION, 3, > + EGL_NONE }; > + cookie.ctx = eglCreateContext(cookie.display, cookie.egl_config, > + EGL_NO_CONTEXT, context_attribs); > + assert(cookie.ctx != EGL_NO_CONTEXT); > + > + assert(eglMakeCurrent(cookie.display, EGL_NO_SURFACE, EGL_NO_SURFACE, > + cookie.ctx)); > + > + initialized = true; > + } > + > + return FUZZER_CTX_ID; > +} > + > +#ifdef CLEANUP_EACH_INPUT > +static void cleanup_environment() > +{ > + if (cookie.ctx != EGL_NO_CONTEXT) { > + eglMakeCurrent(cookie.display, NULL, NULL, NULL); > + eglDestroyContext(cookie.display, cookie.ctx); > + } > + > + if (cookie.display != EGL_NO_DISPLAY) { > + eglTerminate(cookie.display); > + } > + > + initialized = false; > +} > +#endif > + > +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) > +{ > + uint32_t ctx_id = initialize_environment(); > + > + // There are trade-offs here between ensuring that state is not persisted > + // between invocations of virgl_renderer_submit_cmd, and to avoid leaking > + // resources that comes with repeated dlopen()/dlclose()ing the mesa > + // driver with each eglInitialize()/eglTerminate() if CLEANUP_EACH_INPUT > + // is set. > + > + assert(!virgl_renderer_init(&cookie, 0, &fuzzer_cbs)); > + > + const char *name = "fuzzctx"; > + assert(!virgl_renderer_context_create(ctx_id, strlen(name), name)); > + > + virgl_renderer_submit_cmd((void *) data, ctx_id, size / sizeof(uint32_t)); I guess this approach is a bit limited if you don't create resources. The approach I took when doing some AFL fuzzing some time ago was save/replay on the vtest bitstream. See commit 1b736c547a654647c7c86b41778fb5750d033367. But it is still too naive to reach a good coverage quickly. I guessit's a common problem with fuzzing: how to reach an interesting state. </blockquote><div> </div><div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">It's intended as a starting point to start and get some coverage. libFuzzer supports the ability to maintain a corpus of interesting inputs which it builds upon to expand coverage. Just running locally I'm seeing about 66% coverage on vrend_decode.c at this point and we've found about half a dozen issues.</div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"> </div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Further down the road, I think the expectation would be to start structuring some of the input instead of just blindly passing it all to submit_cmd. For example, consume some of the input stream to generate an initial boolean value, where if true, create some resources manually prior to issuing data to submit_cmd. Similarly, other APIs and more structured testing can be done some of the time based on interpretation of the input data. </div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> > + > + virgl_renderer_context_destroy(ctx_id); > + > + virgl_renderer_cleanup(&cookie); > + > +#ifdef CLEANUP_EACH_INPUT > + // The following cleans up between each input which is a lot slower. > + cleanup_environment(); > +#endif > + > + return 0; > +} > -- > 2.18.0.203.gfac676dfb9-goog > > _______________________________________________ > virglrenderer-devel mailing list > <a href="mailto:virglrenderer-devel@lists.freedesktop.org" target="_blank">virglrenderer-devel@lists.freedesktop.org</a> > <a href="https://lists.freedesktop.org/mailman/listinfo/virglrenderer-devel" rel="noreferrer" target="_blank">https://lists.freedesktop.org/mailman/listinfo/virglrenderer-devel</a> -- Marc-André Lureau </blockquote></div></div>