[ovs-dev] [PATCH] ossfuzz: Simplify miniflow fuzzer harness.

2019-10-18 Thread bshas3
From: Bhargava Shastry 

Google's oss-fuzz builder bots were complaining that miniflow_target is
too slow to fuzz in that some tests take longer than a second to
complete. This patch fixes this by replacing the random flow generation
within the harness with a simpler scenario.

Signed-off-by: Bhargava Shastry 
---
 tests/oss-fuzz/miniflow_target.c | 139 +++
 1 file changed, 10 insertions(+), 129 deletions(-)

diff --git a/tests/oss-fuzz/miniflow_target.c b/tests/oss-fuzz/miniflow_target.c
index 800375d63..d747ff9ae 100644
--- a/tests/oss-fuzz/miniflow_target.c
+++ b/tests/oss-fuzz/miniflow_target.c
@@ -9,17 +9,6 @@
 #include "classifier-private.h"
 #include "util.h"
 
-static void
-shuffle_u32s(uint32_t *p, size_t n)
-{
-for (; n > 1; n--, p++) {
-uint32_t *q = &p[random_range(n)];
-uint32_t tmp = *p;
-*p = *q;
-*q = tmp;
-}
-}
-
 /* Returns a copy of 'src'.  The caller must eventually free the returned
  * miniflow with free(). */
 static struct miniflow *
@@ -59,119 +48,8 @@ miniflow_hash__(const struct miniflow *flow, uint32_t basis)
 return hash_finish(hash, n_values);
 }
 
-static uint32_t
-random_value(void)
-{
-static const uint32_t values_[] =
-{ 0x, 0x, 0x, 0x8000,
-  0x0001, 0xface, 0x00d00d1e, 0xdeadbeef };
-
-return values_[random_range(ARRAY_SIZE(values_))];
-}
-
-static bool
-choose(unsigned int n, unsigned int *idxp)
-{
-if (*idxp < n) {
-return true;
-} else {
-*idxp -= n;
-return false;
-}
-}
-
 #define FLOW_U32S (FLOW_U64S * 2)
 
-static bool
-init_consecutive_values(int n_consecutive, struct flow *flow,
-unsigned int *idxp)
-{
-uint32_t *flow_u32 = (uint32_t *) flow;
-
-if (choose(FLOW_U32S - n_consecutive + 1, idxp)) {
-int i;
-
-for (i = 0; i < n_consecutive; i++) {
-flow_u32[i + *idxp] = random_value();
-}
-return true;
-} else {
-return false;
-}
-}
-
-static bool
-next_random_flow(struct flow *flow, unsigned int idx)
-{
-uint32_t *flow_u32 = (uint32_t *) flow;
-
-memset(flow, 0, sizeof *flow);
-
-/* Empty flow. */
-if (choose(1, &idx)) {
-return true;
-}
-
-/* All flows with a small number of consecutive nonzero values. */
-for (int i = 1; i <= 4; i++) {
-if (init_consecutive_values(i, flow, &idx)) {
-return true;
-}
-}
-
-/* All flows with a large number of consecutive nonzero values. */
-for (int i = FLOW_U32S - 4; i <= FLOW_U32S; i++) {
-if (init_consecutive_values(i, flow, &idx)) {
-return true;
-}
-}
-
-/* All flows with exactly two nonconsecutive nonzero values. */
-if (choose((FLOW_U32S - 1) * (FLOW_U32S - 2) / 2, &idx)) {
-int ofs1;
-
-for (ofs1 = 0; ofs1 < FLOW_U32S - 2; ofs1++) {
-int ofs2;
-
-for (ofs2 = ofs1 + 2; ofs2 < FLOW_U32S; ofs2++) {
-if (choose(1, &idx)) {
-flow_u32[ofs1] = random_value();
-flow_u32[ofs2] = random_value();
-return true;
-}
-}
-}
-OVS_NOT_REACHED();
-}
-
-/* 16 randomly chosen flows with N >= 3 nonzero values. */
-if (choose(16 * (FLOW_U32S - 4), &idx)) {
-int n = idx / 16 + 3;
-
-for (int i = 0; i < n; i++) {
-flow_u32[i] = random_value();
-}
-shuffle_u32s(flow_u32, FLOW_U32S);
-
-return true;
-}
-
-return false;
-}
-
-static void
-any_random_flow(struct flow *flow)
-{
-static unsigned int max;
-if (!max) {
-while (next_random_flow(flow, max)) {
-max++;
-}
-}
-
-next_random_flow(flow, random_range(max));
-}
-
 static void
 toggle_masked_flow_bits(struct flow *flow, const struct flow_wildcards *mask)
 {
@@ -251,12 +129,15 @@ test_miniflow(struct flow *flow)
 
 /* Check that masked matches work as expected for identical flows and
  * miniflows. */
-do {
-next_random_flow(&mask.masks, 1);
-} while (flow_wildcards_is_catchall(&mask));
+flow_wildcards_init_for_packet(&mask, flow);
+/* Ensure that mask is not catchall just in case 
+ * flow_wildcards_init_for_packet returns a catchall mask
+ */
+uint64_t *mask_u64 = (uint64_t *) &mask.masks;
+mask_u64[0] = 1;
+ovs_assert(!flow_wildcards_is_catchall(&mask));
 minimask = minimask_create(&mask);
-ovs_assert(minimask_is_catchall(minimask)
-   == flow_wildcards_is_catchall(&mask));
+ovs_assert(!minimask_is_catchall(minimask));
 ovs_assert(miniflow_equal_in_minimask(miniflow, miniflow2, minimask));
 ovs_assert(miniflow_equal_flow_in_minimask(miniflow, &flow2, minimask));
 ovs_assert(miniflow_hash_in_minimask(miniflow, minimask, 0x12345678) ==
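Review bot: The write `mask_u64[0] = 1;` on the new side is unconditional, so the mask under test is always the packet-derived mask with its first 64 bits replaced by 1, even though the comment above it says the override exists only in case flow_wildcards_init_for_packet() returned a catchall mask; the ovs_assert that follows then holds because of the override rather than because of the packet. Guarding the write, `if (flow_wildcards_is_catchall(&mask)) { mask_u64[0] = 1; }`, matches the stated intent and lets the packet's own mask be exercised in the common case. The added comment also carries trailing whitespace after "just in case" and would follow the file's comment style if closed on its last text line, as in `* flow_wildcards_init_for_packet() returns a catchall mask. */`. test_miniflow begins and ends outside the hunk.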
@@ -325,7 +206,7 @@ test_minimas

[ovs-dev] [PATCH] Remove oss-fuzz tests carried over from ovs

2019-10-18 Thread bshas3
From: Bhargava Shastry 

It appears that ossfuzz specific test harnesses and configuration files
were carried over to the ovn repo from the ovs repo without
justification. This patch removes them until there is a need to
continuously fuzz ovn code as the ovs code is currently fuzzed.

Signed-off-by: Bhargava Shastry 
---
 tests/automake.mk |   2 -
 tests/oss-fuzz/automake.mk|  66 ---
 tests/oss-fuzz/config/expr.dict   | 120 -
 .../oss-fuzz/config/expr_parse_target.options |   3 -
 .../config/flow_extract_target.options|   3 -
 .../config/json_parser_target.options |   2 -
 tests/oss-fuzz/config/miniflow_target.options |   3 -
 tests/oss-fuzz/config/odp.dict| 170 ---
 tests/oss-fuzz/config/odp_target.options  |   3 -
 .../config/ofctl_parse_target.options |   3 -
 tests/oss-fuzz/config/ofp-flow.dict   |  45 --
 .../oss-fuzz/config/ofp_print_target.options  |   3 -
 tests/oss-fuzz/config/ovs.dict| 293 ---
 tests/oss-fuzz/expr_parse_target.c| 464 --
 tests/oss-fuzz/flow_extract_target.c  | 100 
 tests/oss-fuzz/fuzzer.h   |   9 -
 tests/oss-fuzz/json_parser_target.c   |  42 --
 tests/oss-fuzz/miniflow_target.c  | 365 --
 tests/oss-fuzz/odp_target.c   | 149 --
 tests/oss-fuzz/ofctl_parse_target.c   | 113 -
 tests/oss-fuzz/ofp_print_target.c |  47 --
 21 files changed, 2005 deletions(-)
 delete mode 100644 tests/oss-fuzz/automake.mk
 delete mode 100644 tests/oss-fuzz/config/expr.dict
 delete mode 100644 tests/oss-fuzz/config/expr_parse_target.options
 delete mode 100644 tests/oss-fuzz/config/flow_extract_target.options
 delete mode 100644 tests/oss-fuzz/config/json_parser_target.options
 delete mode 100644 tests/oss-fuzz/config/miniflow_target.options
 delete mode 100644 tests/oss-fuzz/config/odp.dict
 delete mode 100644 tests/oss-fuzz/config/odp_target.options
 delete mode 100644 tests/oss-fuzz/config/ofctl_parse_target.options
 delete mode 100644 tests/oss-fuzz/config/ofp-flow.dict
 delete mode 100644 tests/oss-fuzz/config/ofp_print_target.options
 delete mode 100644 tests/oss-fuzz/config/ovs.dict
 delete mode 100644 tests/oss-fuzz/expr_parse_target.c
 delete mode 100644 tests/oss-fuzz/flow_extract_target.c
 delete mode 100644 tests/oss-fuzz/fuzzer.h
 delete mode 100644 tests/oss-fuzz/json_parser_target.c
 delete mode 100644 tests/oss-fuzz/miniflow_target.c
 delete mode 100644 tests/oss-fuzz/odp_target.c
 delete mode 100644 tests/oss-fuzz/ofctl_parse_target.c
 delete mode 100644 tests/oss-fuzz/ofp_print_target.c

diff --git a/tests/automake.mk b/tests/automake.mk
index 013e59280..e86a5273e 100644
--- a/tests/automake.mk
+++ b/tests/automake.mk
@@ -246,5 +246,3 @@ clean-pki:
rm -f tests/pki/stamp
rm -rf tests/pki
 endif
-
-include tests/oss-fuzz/automake.mk
diff --git a/tests/oss-fuzz/automake.mk b/tests/oss-fuzz/automake.mk
deleted file mode 100644
index 5bf7d0d7c..0
--- a/tests/oss-fuzz/automake.mk
+++ /dev/null
@@ -1,66 +0,0 @@
-OSS_FUZZ_TARGETS = \
-   tests/oss-fuzz/flow_extract_target \
-   tests/oss-fuzz/json_parser_target \
-   tests/oss-fuzz/ofp_print_target \
-   tests/oss-fuzz/expr_parse_target \
-   tests/oss-fuzz/odp_target \
-   tests/oss-fuzz/miniflow_target \
-   tests/oss-fuzz/ofctl_parse_target
-EXTRA_PROGRAMS += $(OSS_FUZZ_TARGETS)
-oss-fuzz-targets: $(OSS_FUZZ_TARGETS)
-
-tests_oss_fuzz_flow_extract_target_SOURCES = \
-   tests/oss-fuzz/flow_extract_target.c \
-   tests/oss-fuzz/fuzzer.h
-tests_oss_fuzz_flow_extract_target_LDADD = lib/libopenvswitch.la
-tests_oss_fuzz_flow_extract_target_LDFLAGS = $(LIB_FUZZING_ENGINE) -lc++
-
-tests_oss_fuzz_json_parser_target_SOURCES = \
-   tests/oss-fuzz/json_parser_target.c \
-   tests/oss-fuzz/fuzzer.h
-tests_oss_fuzz_json_parser_target_LDADD = lib/libopenvswitch.la
-tests_oss_fuzz_json_parser_target_LDFLAGS = $(LIB_FUZZING_ENGINE) -lc++
-
-tests_oss_fuzz_ofp_print_target_SOURCES = \
-   tests/oss-fuzz/ofp_print_target.c \
-   tests/oss-fuzz/fuzzer.h
-tests_oss_fuzz_ofp_print_target_LDADD = lib/libopenvswitch.la
-tests_oss_fuzz_ofp_print_target_LDFLAGS = $(LIB_FUZZING_ENGINE) -lc++
-
-tests_oss_fuzz_expr_parse_target_SOURCES = \
-tests/oss-fuzz/expr_parse_target.c \
-tests/oss-fuzz/fuzzer.h
-tests_oss_fuzz_expr_parse_target_LDADD = lib/libopenvswitch.la \
- ovn/lib/libovn.la
-tests_oss_fuzz_expr_parse_target_LDFLAGS = $(LIB_FUZZING_ENGINE) -lc++
-
-tests_oss_fuzz_odp_target_SOURCES = \
-tests/oss-fuzz/odp_target.c \
-tests/oss-fuzz/fuzzer.h
-tests_oss_fuzz_odp_target_LDADD = lib/libopenvswitch.la
-tests_oss_fuzz_odp_target_LDFLAGS = $(LIB_FUZZING_ENGINE) -lc++
-
-tests_oss_fuzz_miniflow_target_SOURCES = \
-tests/oss-fuzz/min

[ovs-dev] [PATCH v2] ossfuzz: Add documentation

2019-06-21 Thread bshas3
From: Bhargava Shastry 

[RFC] Documents OvS fuzzing effort and performs a rudimentary security
analysis of existing OvS fuzzing harnesses.

Feedback on the documentation and analysis appreciated.

Signed-off-by: Bhargava Shastry 
---
 Documentation/automake.mk |   5 +
 Documentation/fuzzing/index.rst   |  39 ++
 Documentation/fuzzing/ovs-fuzzers.rst | 119 ++
 .../fuzzing/ovs-fuzzing-infrastructure.rst|  95 ++
 .../security-analysis-of-ovs-fuzzers.rst  |  43 +++
 Documentation/fuzzing/what-is-fuzzing.rst |  46 +++
 6 files changed, 347 insertions(+)
 create mode 100644 Documentation/fuzzing/index.rst
 create mode 100644 Documentation/fuzzing/ovs-fuzzers.rst
 create mode 100644 Documentation/fuzzing/ovs-fuzzing-infrastructure.rst
 create mode 100644 Documentation/fuzzing/security-analysis-of-ovs-fuzzers.rst
 create mode 100644 Documentation/fuzzing/what-is-fuzzing.rst

diff --git a/Documentation/automake.mk b/Documentation/automake.mk
index 082438e09..807236ac4 100644
--- a/Documentation/automake.mk
+++ b/Documentation/automake.mk
@@ -114,6 +114,11 @@ DOC_SOURCE = \
Documentation/internals/contributing/documentation-style.rst \
Documentation/internals/contributing/libopenvswitch-abi.rst \
Documentation/internals/contributing/submitting-patches.rst \
+   Documentation/fuzzing/index.rst \
+   Documentation/fuzzing/what-is-fuzzing.rst \
+   Documentation/fuzzing/ovs-fuzzing-infrastructure.rst \
+   Documentation/fuzzing/ovs-fuzzers.rst \
+   Documentation/fuzzing/security-analysis-of-ovs-fuzzers.rst \
Documentation/requirements.txt \
$(addprefix Documentation/ref/,$(RST_MANPAGES) $(RST_MANPAGES_NOINST))
 FLAKE8_PYFILES += Documentation/conf.py
diff --git a/Documentation/fuzzing/index.rst b/Documentation/fuzzing/index.rst
new file mode 100644
index 0..29480dfe5
--- /dev/null
+++ b/Documentation/fuzzing/index.rst
@@ -0,0 +1,39 @@
+..
+  Copyright (c) 2016, Stephen Finucane 
+
+  Licensed under the Apache License, Version 2.0 (the "License"); you may
+  not use this file except in compliance with the License. You may obtain
+  a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+  License for the specific language governing permissions and limitations
+  under the License.
+
+  Convention for heading levels in Open vSwitch documentation:
+
+  ===  Heading 0 (reserved for the title in a document)
+  ---  Heading 1
+  ~~~  Heading 2
+  +++  Heading 3
+  '''  Heading 4
+
+  Avoid deeper levels because they do not render well.
+
+===
+Introduction
+===
+
+How to get started with Open vSwitch.
+
+.. toctree::
+   :maxdepth: 2
+
+   what-is-fuzzing
+   ovs-fuzzing-infrastructure
+   ovs-fuzzers
+   security-analysis-of-ovs-fuzzers
+
diff --git a/Documentation/fuzzing/ovs-fuzzers.rst 
b/Documentation/fuzzing/ovs-fuzzers.rst
new file mode 100644
index 0..8ed3b53ed
--- /dev/null
+++ b/Documentation/fuzzing/ovs-fuzzers.rst
@@ -0,0 +1,119 @@
+..
+  Copyright (c) 2016, Stephen Finucane 
+
+  Licensed under the Apache License, Version 2.0 (the "License"); you may
+  not use this file except in compliance with the License. You may obtain
+  a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+  License for the specific language governing permissions and limitations
+  under the License.
+
+  Convention for heading levels in Open vSwitch documentation:
+
+  ===  Heading 0 (reserved for the title in a document)
+  ---  Heading 1
+  ~~~  Heading 2
+  +++  Heading 3
+  '''  Heading 4
+
+  Avoid deeper levels because they do not render well.
+
+
+Introduction
+
+
+OvS fuzzer test harnesses define the libFuzzer fuzz API. In doing so,
+they define what is to be done with the input supplied by the fuzzer.
+
+At a minimum, the libfuzzer API is defined as follows:
+
+```
+// input_ is a byte array, size is the length of said byte array
+int
+LLVMFuzzerTestOneInput(const uint8_t *input, size_t size)
+{
+// Input processing
+process_input(input, size);
+
+// Must always return 0. Non-zero return codes are reserved by libFuzzer.
+return 0;
+}
+```
+
+In certain scenarios, it may be necessary to constrain the input supplied by
+the fuzzer. One scen

[ovs-dev] [PATCH] ossfuzz: Add documentation

2019-06-21 Thread bshas3
From: Bhargava Shastry 

[RFC] Documents OvS fuzzing effort and performs a rudimentary security
analysis of existing OvS fuzzing harnesses.

Feedback on the documentation and analysis appreciated.

Signed-off-by: Bhargava Shastry 
---
 Documentation/automake.mk |   5 +
 Documentation/fuzzing/index.rst   |  39 ++
 Documentation/fuzzing/ovs-fuzzers.rst | 119 ++
 .../fuzzing/ovs-fuzzing-infrastructure.rst|  95 ++
 .../security-analysis-of-ovs-fuzzers.rst  |  43 +++
 Documentation/fuzzing/what-is-fuzzing.rst |  46 +++
 6 files changed, 347 insertions(+)
 create mode 100644 Documentation/fuzzing/index.rst
 create mode 100644 Documentation/fuzzing/ovs-fuzzers.rst
 create mode 100644 Documentation/fuzzing/ovs-fuzzing-infrastructure.rst
 create mode 100644 Documentation/fuzzing/security-analysis-of-ovs-fuzzers.rst
 create mode 100644 Documentation/fuzzing/what-is-fuzzing.rst

diff --git a/Documentation/automake.mk b/Documentation/automake.mk
index 082438e09..807236ac4 100644
--- a/Documentation/automake.mk
+++ b/Documentation/automake.mk
@@ -114,6 +114,11 @@ DOC_SOURCE = \
Documentation/internals/contributing/documentation-style.rst \
Documentation/internals/contributing/libopenvswitch-abi.rst \
Documentation/internals/contributing/submitting-patches.rst \
+   Documentation/fuzzing/index.rst \
+   Documentation/fuzzing/what-is-fuzzing.rst \
+   Documentation/fuzzing/ovs-fuzzing-infrastructure.rst \
+   Documentation/fuzzing/ovs-fuzzers.rst \
+   Documentation/fuzzing/security-analysis-of-ovs-fuzzers.rst \
Documentation/requirements.txt \
$(addprefix Documentation/ref/,$(RST_MANPAGES) $(RST_MANPAGES_NOINST))
 FLAKE8_PYFILES += Documentation/conf.py
diff --git a/Documentation/fuzzing/index.rst b/Documentation/fuzzing/index.rst
new file mode 100644
index 0..29480dfe5
--- /dev/null
+++ b/Documentation/fuzzing/index.rst
@@ -0,0 +1,39 @@
+..
+  Copyright (c) 2016, Stephen Finucane 
+
+  Licensed under the Apache License, Version 2.0 (the "License"); you may
+  not use this file except in compliance with the License. You may obtain
+  a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+  License for the specific language governing permissions and limitations
+  under the License.
+
+  Convention for heading levels in Open vSwitch documentation:
+
+  ===  Heading 0 (reserved for the title in a document)
+  ---  Heading 1
+  ~~~  Heading 2
+  +++  Heading 3
+  '''  Heading 4
+
+  Avoid deeper levels because they do not render well.
+
+===
+Introduction
+===
+
+How to get started with Open vSwitch.
+
+.. toctree::
+   :maxdepth: 2
+
+   what-is-fuzzing
+   ovs-fuzzing-infrastructure
+   ovs-fuzzers
+   security-analysis-of-ovs-fuzzers
+
diff --git a/Documentation/fuzzing/ovs-fuzzers.rst 
b/Documentation/fuzzing/ovs-fuzzers.rst
new file mode 100644
index 0..8ed3b53ed
--- /dev/null
+++ b/Documentation/fuzzing/ovs-fuzzers.rst
@@ -0,0 +1,119 @@
+..
+  Copyright (c) 2016, Stephen Finucane 
+
+  Licensed under the Apache License, Version 2.0 (the "License"); you may
+  not use this file except in compliance with the License. You may obtain
+  a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+  License for the specific language governing permissions and limitations
+  under the License.
+
+  Convention for heading levels in Open vSwitch documentation:
+
+  ===  Heading 0 (reserved for the title in a document)
+  ---  Heading 1
+  ~~~  Heading 2
+  +++  Heading 3
+  '''  Heading 4
+
+  Avoid deeper levels because they do not render well.
+
+
+Introduction
+
+
+OvS fuzzer test harnesses define the libFuzzer fuzz API. In doing so,
+they define what is to be done with the input supplied by the fuzzer.
+
+At a minimum, the libfuzzer API is defined as follows:
+
+```
+// input_ is a byte array, size is the length of said byte array
+int
+LLVMFuzzerTestOneInput(const uint8_t *input, size_t size)
+{
+// Input processing
+process_input(input, size);
+
+// Must always return 0. Non-zero return codes are reserved by libFuzzer.
+return 0;
+}
+```
+
+In certain scenarios, it may be necessary to constrain the input supplied by
+the fuzzer. One scen

[ovs-dev] [PATCH] ossfuzz: Remove duplicate tcp flags parsing in flow extract target

2019-06-21 Thread bshas3
From: Bhargava Shastry 

During a code audit, the flow extraction fuzzer target was seen to be
parsing TCP flags from the fuzzer-supplied input twice. This is
probably a typo, since the second call to `parse_tcp_flags()` is
identical to the first.
Since a call to `parse_tcp_flags()` parses the Ethernet and IP headers
contained in the packet, the second (buggy) call to `parse_tcp_flags()`
creates an expectation that there is a second set of Ethernet and IP
headers beyond the first which is incorrect. This patch fixes this
problem by removing the duplicate code in question.

Signed-off-by: Bhargava Shastry 
---
 tests/oss-fuzz/flow_extract_target.c | 6 --
 1 file changed, 6 deletions(-)

diff --git a/tests/oss-fuzz/flow_extract_target.c 
b/tests/oss-fuzz/flow_extract_target.c
index 4a7451411..869d1e63e 100644
--- a/tests/oss-fuzz/flow_extract_target.c
+++ b/tests/oss-fuzz/flow_extract_target.c
@@ -60,12 +60,6 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 ignore(tcp_flags);
 }
 
-/* Parse TCP flags. */
-if (dp_packet_size(&packet) >= ETH_HEADER_LEN) {
-uint16_t tcp_flags = parse_tcp_flags(&packet);
-ignore(tcp_flags);
-}
-
 /* Count headers. */
 int count = flow_count_vlan_headers(&flow);
 ignore(count);
-- 
2.17.1
