<div dir="ltr">Apologies to anyone who got this email twice -- responded from the wrong email address initially.<br><br><div class="gmail_quote"><div dir="ltr">On Wed, Jul 18, 2018 at 4:06 AM Marc-André Lureau <<a href="mailto:marcandre.lureau@gmail.com">marcandre.lureau@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi<br>
<br>
On Wed, Jul 18, 2018 at 12:20 AM, David Riley <<a href="mailto:davidriley@chromium.org" target="_blank">davidriley@chromium.org</a>> wrote:<br>
> Use LLVM's libFuzzer to fuzz the virgl_renderer_submit_cmd API.<br>
><br>
> Signed-off-by: David Riley <<a href="mailto:davidriley@chromium.org" target="_blank">davidriley@chromium.org</a>><br>
> ---<br>
> <a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> | 10 +-<br>
> tests/Makefile.am | 2 +<br>
> tests/fuzzer/Makefile.am | 24 +++++<br>
> tests/fuzzer/virgl_fuzzer.c | 193 ++++++++++++++++++++++++++++++++++++<br>
> 4 files changed, 228 insertions(+), 1 deletion(-)<br>
> create mode 100644 tests/fuzzer/Makefile.am<br>
> create mode 100644 tests/fuzzer/virgl_fuzzer.c<br>
><br>
> diff --git a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
> index 0acbccb..c4ce743 100644<br>
> --- a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
> +++ b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
> @@ -97,6 +97,13 @@ if test "x$build_tests" = "xyes"; then<br>
> AC_PATH_PROG(VALGRIND, [valgrind])<br>
> fi<br>
><br>
> +AC_ARG_ENABLE(fuzzer,<br>
> + AS_HELP_STRING([--enable-fuzzer], [Build fuzzer targets]),<br>
> + [enable_fuzzer="$enableval"],<br>
> + [enable_fuzzer=no]<br>
> +)<br>
> +AM_CONDITIONAL(FUZZER, [test "x$enable_fuzzer" = "xyes"])<br>
> +<br>
> AC_CHECK_FUNCS_ONCE([eventfd])<br>
> AC_CHECK_HEADERS_ONCE([sys/uio.h])<br>
> AM_CONDITIONAL(HAVE_VALGRIND, [test "x$VALGRIND" != "x"])<br>
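</blockquote><div>Review bot: the --enable-fuzzer switch in this hunk only records the choice; it never verifies that the compiler accepts -fsanitize=fuzzer, which tests/fuzzer/Makefile.am later applies unconditionally, so a gcc build with --enable-fuzzer fails deep in make with a compiler or linker error instead of at configure time. Suggest probing the flag here when enable_fuzzer=yes (for example AX_CHECK_COMPILE_FLAG([-fsanitize=fuzzer], [], [AC_MSG_ERROR([--enable-fuzzer needs a compiler with libFuzzer support])]) from autoconf-archive) and mentioning the clang requirement in the AS_HELP_STRING.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">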
> @@ -136,7 +143,6 @@ AS_IF([test "x$with_glx" = "xyes"], [<br>
> ])<br>
> AM_CONDITIONAL([WITH_GLX], [test "x$with_glx" = "xyes"])<br>
><br>
> -<br>
> AC_SUBST([DEFINES])<br>
> AC_CONFIG_FILES([<br>
> virglrenderer.pc<br>
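</blockquote><div>Review bot: this hunk only deletes a blank line ahead of AC_SUBST([DEFINES]); that whitespace cleanup is unrelated to the fuzzer target and would be better dropped from this patch (or split into its own) so the diff stays focused on what the commit message describes.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">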
> @@ -145,6 +151,7 @@ AC_CONFIG_FILES([<br>
> src/gallium/auxiliary/Makefile<br>
> vtest/Makefile<br>
> tests/Makefile<br>
> + tests/fuzzer/Makefile<br>
> ])<br>
> AC_OUTPUT<br>
><br>
> @@ -161,5 +168,6 @@ AC_MSG_NOTICE([<br>
> egl: $epoxy_has_egl<br>
> debug: $enable_debug<br>
> tests: $build_tests<br>
> + fuzzer: $enable_fuzzer<br>
><br>
> ])<br>
> diff --git a/tests/Makefile.am b/tests/Makefile.am<br>
> index 8a693e5..592f0fb 100644<br>
> --- a/tests/Makefile.am<br>
> +++ b/tests/Makefile.am<br>
> @@ -1,3 +1,5 @@<br>
> +SUBDIRS = fuzzer<br>
> +<br>
> if BUILD_TESTS<br>
><br>
> AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/src/gallium/include $(CHECK_CFLAGS) -I$(top_srcdir)/src/gallium/auxiliary $(DEFINES)<br>
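</blockquote><div>Review bot: SUBDIRS = fuzzer sits above `if BUILD_TESTS`, so make now recurses into tests/fuzzer on every build, including ones with neither --enable-tests nor --enable-fuzzer. It is harmless today because tests/fuzzer/Makefile.am guards its program with `if FUZZER`, but wrapping this line in `if FUZZER` as well (or stating in the commit message that the fuzzer is independent of the check-based tests) would make the intent explicit.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">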
> diff --git a/tests/fuzzer/Makefile.am b/tests/fuzzer/Makefile.am<br>
> new file mode 100644<br>
> index 0000000..b9e636b<br>
> --- /dev/null<br>
> +++ b/tests/fuzzer/Makefile.am<br>
> @@ -0,0 +1,24 @@<br>
> +AM_CFLAGS = \<br>
> + -I$(top_srcdir)/src/gallium/drivers/virgl \<br>
> + -I$(top_srcdir)/src/gallium/include \<br>
> + -I$(top_srcdir)/src/gallium/auxiliary \<br>
> + -I$(top_srcdir)/src/gallium/drivers \<br>
> + -I$(top_srcdir)/include \<br>
> + -I$(top_srcdir)/src \<br>
> + $(DEFINES) \<br>
> + $(PIC_FLAGS) \<br>
> + $(LIBDRM_CFLAGS) \<br>
> + $(EPOXY_CFLAGS) \<br>
> + $(VISIBILITY_CFLAGS) \<br>
> + $(CODE_COVERAGE_CFLAGS) \<br>
> + -fsanitize=address \<br>
> + -fsanitize=fuzzer<br>
> +<br>
> +if FUZZER<br>
> +noinst_PROGRAMS = virgl_fuzzer<br>
> +<br>
> +virgl_fuzzer_SOURCES = \<br>
> + virgl_fuzzer.c<br>
> +<br>
> +virgl_fuzzer_LDADD = $(top_builddir)/src/<a href="http://libvirglrenderer.la" rel="noreferrer" target="_blank">libvirglrenderer.la</a> $(EPOXY_LIBS)<br>
> +endif<br>
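</blockquote><div>Review bot: -fsanitize=address and -fsanitize=fuzzer in AM_CFLAGS instrument only virgl_fuzzer.c; the code under test is linked in from $(top_builddir)/src/libvirglrenderer.la, which nothing in this Makefile builds with sanitizer or coverage flags. Unless the whole tree is configured with matching CFLAGS, libFuzzer receives no coverage feedback from vrend_decode.c and ASan cannot see memory errors inside the library. Suggest having configure add the sanitizer flags to the library build when enable_fuzzer=yes (-fsanitize=fuzzer-no-link for the library objects, -fsanitize=fuzzer on the harness link only), and moving the AM_CFLAGS block inside `if FUZZER` so the flags are not applied when the directory is entered with the fuzzer disabled.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">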
> diff --git a/tests/fuzzer/virgl_fuzzer.c b/tests/fuzzer/virgl_fuzzer.c<br>
> new file mode 100644<br>
> index 0000000..b8f73e2<br>
> --- /dev/null<br>
> +++ b/tests/fuzzer/virgl_fuzzer.c<br>
> @@ -0,0 +1,193 @@<br>
> +// Copyright 2018 The Chromium OS Authors. All rights reserved.<br>
> +//<br>
> +// Redistribution and use in source and binary forms, with or without<br>
> +// modification, are permitted provided that the following conditions are<br>
> +// met:<br>
> +//<br>
> +// * Redistributions of source code must retain the above copyright<br>
> +// notice, this list of conditions and the following disclaimer.<br>
> +// * Redistributions in binary form must reproduce the above<br>
> +// copyright notice, this list of conditions and the following disclaimer<br>
> +// in the documentation and/or other materials provided with the<br>
> +// distribution.<br>
> +// * Neither the name of Google Inc. nor the names of its<br>
> +// contributors may be used to endorse or promote products derived from<br>
> +// this software without specific prior written permission.<br>
> +//<br>
> +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS<br>
> +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT<br>
> +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR<br>
> +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT<br>
> +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,<br>
> +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT<br>
> +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,<br>
> +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY<br>
> +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT<br>
> +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE<br>
> +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.<br>
> +<br>
> +// libfuzzer-based fuzzer for public APIs.<br>
> +<br>
> +#include <assert.h><br>
> +#include <stdint.h><br>
> +#include <stdlib.h><br>
> +#include <string.h><br>
> +#include <unistd.h><br>
> +<br>
> +#include <epoxy/egl.h><br>
> +<br>
> +#include "virglrenderer.h"<br>
> +<br>
> +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);<br>
> +<br>
> +#ifndef CLEANUP_EACH_INPUT<br>
> +// eglInitialize leaks unless eglTeriminate is called (which only happens<br>
> +// with CLEANUP_EACH_INPUT), so suppress leak detection on everything<br>
> +// allocated by it.<br>
> +<br>
> +#if !defined(__has_feature)<br>
> +#define __has_feature(x) 0<br>
> +#endif<br>
> +<br>
> +#if __has_feature(address_sanitizer)<br>
> +const char* __lsan_default_suppressions(void);<br>
> +<br>
> +const char* __lsan_default_suppressions() {<br>
> + return "leak:eglInitialize\n";<br>
> +}<br>
> +#endif // __has_feature(address_sanitizer)<br>
> +<br>
> +#endif // !CLEANUP_EACH_INPUT<br>
> +<br>
> +struct fuzzer_cookie<br>
> +{<br>
> + EGLDisplay display;<br>
> + EGLConfig egl_config;<br>
> + EGLContext ctx;<br>
> +};<br>
> +<br>
> +static void fuzzer_write_fence(void *opaque, uint32_t fence)<br>
> +{<br>
> +}<br>
> +<br>
> +static virgl_renderer_gl_context fuzzer_create_gl_context(<br>
> + void *cookie, int scanout_idx, struct virgl_renderer_gl_ctx_param *param)<br>
> +{<br>
> + struct fuzzer_cookie *cookie_data = cookie;<br>
> + EGLContext shared = param->shared ? eglGetCurrentContext() : NULL;<br>
> + const EGLint context_attribs[] = { EGL_CONTEXT_CLIENT_VERSION, 3,<br>
> + EGL_NONE };<br>
> + EGLContext ctx = eglCreateContext(cookie_data->display,<br>
> + cookie_data->egl_config,<br>
> + shared,<br>
> + context_attribs);<br>
> + assert(ctx);<br>
> +<br>
> + return ctx;<br>
> +}<br>
> +<br>
> +static void fuzzer_destroy_gl_context(void *cookie,<br>
> + virgl_renderer_gl_context ctx)<br>
> +{<br>
> + struct fuzzer_cookie *cookie_data = cookie;<br>
> + eglDestroyContext(cookie_data->display, ctx);<br>
> +}<br>
> +<br>
> +static int fuzzer_make_current(void *cookie, int scanout_idx, virgl_renderer_gl_context ctx)<br>
> +{<br>
> + return 0;<br>
> +}<br>
> +<br>
> +const int FUZZER_CTX_ID = 1;<br>
> +const char *SWRAST_ENV = "LIBGL_ALWAYS_SOFTWARE";<br>
> +<br>
> +static struct fuzzer_cookie cookie;<br>
> +<br>
> +static struct virgl_renderer_callbacks fuzzer_cbs = {<br>
> + .version = 1,<br>
> + .write_fence = fuzzer_write_fence,<br>
> + .create_gl_context = fuzzer_create_gl_context,<br>
> + .destroy_gl_context = fuzzer_destroy_gl_context,<br>
> + .make_current = fuzzer_make_current,<br>
> +};<br>
> +<br>
> +static bool initialized = false;<br>
> +<br>
> +static int initialize_environment()<br>
> +{<br>
> + if (!initialized) {<br>
> + // Force SW rendering unless env variable is already set.<br>
> + setenv(SWRAST_ENV, "true", 0);<br>
> +<br>
> + cookie.display = eglGetDisplay(EGL_DEFAULT_DISPLAY);<br>
> + assert(cookie.display != EGL_NO_DISPLAY);<br>
> +<br>
> + assert(eglInitialize(cookie.display, NULL, NULL));<br>
> +<br>
> + const EGLint config_attribs[] = { EGL_SURFACE_TYPE, EGL_DONT_CARE,<br>
> + EGL_NONE };<br>
> + EGLint num_configs;<br>
> + assert(eglChooseConfig(cookie.display, config_attribs,<br>
> + &cookie.egl_config, 1, &num_configs));<br>
> +<br>
> + assert(eglBindAPI(EGL_OPENGL_ES_API));<br>
> +<br>
> + const EGLint context_attribs[] = { EGL_CONTEXT_CLIENT_VERSION, 3,<br>
> + EGL_NONE };<br>
> + cookie.ctx = eglCreateContext(cookie.display, cookie.egl_config,<br>
> + EGL_NO_CONTEXT, context_attribs);<br>
> + assert(cookie.ctx != EGL_NO_CONTEXT);<br>
> +<br>
> + assert(eglMakeCurrent(cookie.display, EGL_NO_SURFACE, EGL_NO_SURFACE,<br>
> + cookie.ctx));<br>
> +<br>
> + initialized = true;<br>
> + }<br>
> +<br>
> + return FUZZER_CTX_ID;<br>
> +}<br>
> +<br>
> +#ifdef CLEANUP_EACH_INPUT<br>
> +static void cleanup_environment()<br>
> +{<br>
> + if (cookie.ctx != EGL_NO_CONTEXT) {<br>
> + eglMakeCurrent(cookie.display, NULL, NULL, NULL);<br>
> + eglDestroyContext(cookie.display, cookie.ctx);<br>
> + }<br>
> +<br>
> + if (cookie.display != EGL_NO_DISPLAY) {<br>
> + eglTerminate(cookie.display);<br>
> + }<br>
> +<br>
> + initialized = false;<br>
> +}<br>
> +#endif<br>
> +<br>
> +int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)<br>
> +{<br>
> + uint32_t ctx_id = initialize_environment();<br>
> +<br>
> + // There are trade-offs here between ensuring that state is not persisted<br>
> + // between invocations of virgl_renderer_submit_cmd, and to avoid leaking<br>
> + // resources that comes with repeated dlopen()/dlclose()ing the mesa<br>
> + // driver with each eglInitialize()/eglTerminate() if CLEANUP_EACH_INPUT<br>
> + // is set.<br>
> +<br>
> + assert(!virgl_renderer_init(&cookie, 0, &fuzzer_cbs));<br>
> +<br>
> + const char *name = "fuzzctx";<br>
> + assert(!virgl_renderer_context_create(ctx_id, strlen(name), name));<br>
> +<br>
> + virgl_renderer_submit_cmd((void *) data, ctx_id, size / sizeof(uint32_t));<br>
<br>
I guess this approach is a bit limited if you don't create resources.<br>
<br>
The approach I took when doing some AFL fuzzing some time ago was<br>
save/replay on the vtest bitstream. See commit<br>
1b736c547a654647c7c86b41778fb5750d033367.<br>
<br>
But it is still too naive to reach a good coverage quickly. I<br>
guess it's a common problem with fuzzing: how to reach an interesting<br>
state.<br></blockquote><div> </div><div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">It's intended as a starting point to start and get some coverage. libFuzzer supports the ability to maintain a corpus of interesting inputs which it builds upon to expand coverage. Just running locally I'm seeing about 66% coverage on vrend_decode.c at this point and we've found about half a dozen issues.</div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br></div><div style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Further down the road, I think the expectation would be to start structuring some of the input instead of just blindly passing it all to submit_cmd. For example, consume some of the input stream to generate an initial boolean value, where if true, create some resources manually prior to issuing data to submit_cmd. Similarly, other APIs and more structured testing can be done some of the time based on interpretation of the input data. </div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
> +<br>
> + virgl_renderer_context_destroy(ctx_id);<br>
> +<br>
> + virgl_renderer_cleanup(&cookie);<br>
> +<br>
> +#ifdef CLEANUP_EACH_INPUT<br>
> + // The following cleans up between each input which is a lot slower.<br>
> + cleanup_environment();<br>
> +#endif<br>
> +<br>
> + return 0;<br>
> +}<br>
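</blockquote><div>Review bot: the virgl_renderer_submit_cmd call passes `(void *) data`, casting away const on the buffer libFuzzer owns, and `size / sizeof(uint32_t)` silently drops any trailing bytes while the decoder reads uint32_t words from a pointer that carries no alignment guarantee. Copying the whole words into a locally allocated `uint32_t` array with memcpy before the call removes both the cast and the alignment assumption, and lets the harness decide explicitly what to do with a partial trailing word. Smaller points in the same file: `static bool initialized` needs `<stdbool.h>` rather than relying on an indirect include, the comment reads "eglTeriminate" for eglTerminate, `eglMakeCurrent(cookie.display, NULL, NULL, NULL)` should spell out EGL_NO_SURFACE and EGL_NO_CONTEXT, and `initialize_environment` returning FUZZER_CTX_ID hides that the context id and the EGL setup are unrelated.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">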
> --<br>
> 2.18.0.203.gfac676dfb9-goog<br>
><br>
> _______________________________________________<br>
> virglrenderer-devel mailing list<br>
> <a href="mailto:virglrenderer-devel@lists.freedesktop.org" target="_blank">virglrenderer-devel@lists.freedesktop.org</a><br>
> <a href="https://lists.freedesktop.org/mailman/listinfo/virglrenderer-devel" rel="noreferrer" target="_blank">https://lists.freedesktop.org/mailman/listinfo/virglrenderer-devel</a><br>
<br>
<br>
<br>
-- <br>
Marc-André Lureau<br>
</blockquote></div></div>
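<div>The structured-input approach described in the reply above (spend the leading bytes of the fuzz input on decisions such as "create resources first", then hand the remainder to the API) as an added, self-contained example in C. This is not code from the patch or from virglrenderer: the names `struct fuzz_plan`, `plan_from_input`, `run_one_input` and `MAX_RESOURCES` are hypothetical, `decode_words` is a stand-in for virgl_renderer_submit_cmd so the file builds without the library, and resource creation is represented by a counter where a real harness would call the library's resource-creation API. It also shows the aligned copy of the command stream that avoids casting libFuzzer's const buffer.</div>

```c
// Added example (not from the patch): split a libFuzzer input into a
// decision prefix plus a 32-bit word command stream.
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RESOURCES 8   // hypothetical cap so one input stays cheap

// Decisions consumed from the head of the input before the command bytes.
struct fuzz_plan {
    bool create_resources;   // bit 0 of the first byte
    uint32_t num_resources;  // second byte, reduced modulo MAX_RESOURCES + 1
    uint32_t *cmds;          // malloc'd, uint32_t-aligned copy of the rest
    size_t num_dwords;       // whole 32-bit words; trailing bytes are dropped
};

// Consume two decision bytes, then copy the remaining whole words into an
// aligned uint32_t buffer. Returns false when no decision byte is available.
static bool plan_from_input(const uint8_t *data, size_t size, struct fuzz_plan *out)
{
    memset(out, 0, sizeof(*out));
    if (size < 2)
        return false;

    out->create_resources = (data[0] & 1) != 0;
    out->num_resources = data[1] % (MAX_RESOURCES + 1);
    data += 2;
    size -= 2;

    out->num_dwords = size / sizeof(uint32_t);
    if (out->num_dwords > 0) {
        out->cmds = malloc(out->num_dwords * sizeof(uint32_t));
        if (!out->cmds)
            abort();
        // memcpy rather than a pointer cast: libFuzzer hands us const
        // uint8_t* with no alignment guarantee for uint32_t access.
        memcpy(out->cmds, data, out->num_dwords * sizeof(uint32_t));
    }
    return true;
}

static void plan_free(struct fuzz_plan *p)
{
    free(p->cmds);
    p->cmds = NULL;
    p->num_dwords = 0;
}

// Hypothetical stand-in for the API under test (virgl_renderer_submit_cmd in
// the patch): it just sums the words so the example is self-contained.
static uint32_t decode_words(const uint32_t *cmds, size_t num_dwords)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < num_dwords; i++)
        acc += cmds[i];
    return acc;
}

// Harness body. Returns the number of resources "created" before decoding
// and writes the decoder result, so behaviour can be checked without a
// fuzzer run. The counter stands in for per-resource setup calls.
static uint32_t run_one_input(const uint8_t *data, size_t size, uint32_t *decoded)
{
    struct fuzz_plan plan;
    uint32_t created = 0;

    *decoded = 0;
    if (!plan_from_input(data, size, &plan))
        return 0;

    if (plan.create_resources)
        created = plan.num_resources;

    *decoded = decode_words(plan.cmds, plan.num_dwords);
    plan_free(&plan);
    return created;
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    uint32_t decoded;
    (void)run_one_input(data, size, &decoded);
    return 0;
}

int main(void)
{
    // Constructed input: 0x01 (create), 0x03 (three resources), then nine
    // bytes = two whole words plus one trailing byte that is dropped.
    const uint8_t sample[] = { 0x01, 0x03, 1, 1, 1, 1, 2, 2, 2, 2, 0xff };
    uint32_t decoded;
    uint32_t created = run_one_input(sample, sizeof(sample), &decoded);
    assert(created == 3 && decoded == 0x03030303u);
    return 0;
}
```

<div>The byte patterns in the sample are chosen so the word values are the same on little- and big-endian hosts. Built with clang -fsanitize=fuzzer and the stand-in replaced by the real call, the same `plan_from_input` prefix lets libFuzzer's corpus mutate both the setup decisions and the command stream.</div>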