Re: [PATCH v3 00/13] Fuzzing and ASAN for sandbox

2023-08-28 Thread Tom Rini
On Mon, Aug 28, 2023 at 10:20:02AM -0600, Simon Glass wrote:
> Hi Andrew,
> 
> On Mon, 30 May 2022 at 04:00, Andrew Scull  wrote:
> >
> > This series introduces ASAN and a basic fuzzing infrastructure that
> > works with sandbox. The example fuzz test towards the end of the series
> > will find something pretty quickly. That something is fixed by the
> > series "virtio: Harden and test vring" that needs to be applied for the
> > final patch in this series.
> >
> > There is some refactoring to stop using '.' prefixed sections. ELF
> > defines sections with names that contain anything that isn't
> > alphanumeric or an underscore as being for system use which means
> > clang's ASAN instrumentation happily adds redzones between the contained
> > objects. That's not what we want for things like linker lists where the
> > linker script has carefully placed the sections contiguously. By
> > renaming the sections, clang sees them as user sections and doesn't add
> > instrumentation.
> >
> > ASAN is left disabled by default as there are still some tests that it
> > triggers on and will need some more investigation to fix. It can be
> > enabled with CONFIG_ASAN or passing `-a ASAN` to buildman.
> >
> > I abandoned the previous attempts to refactor sandbox EFI and getopt
> > declaration as the changes resulted in problems out of the scope of this
> > CL. I haven't tried to understand what EFI on sandbox should look like,
> > but I have found that the linker list implementation is very brittle
> > when up against compiler optimisation since ef123c5253 started to use
> > static, zero-length arrays to mark the beginning and end of lists but
> > the compiler sees this as something it can get rid of.
> >
> > From v1:
> >  - corrected handling of EFI symbols by sandbox linker script
> >  - per comments, some renaming and explaining
> >  - dropped RFC for dlmalloc ASAN instrumentation (work required to improve it)
> >  - added patch to reduce logging noise in fuzzer
> >
> > From v2:
> >  - remove sandbox EFI and getopt refactoring, they obstruct the series
> >  - resolve a couple more ASAN errors
> >  - fix LTO, xtensa and MIPS builds
> >  - add ASAN build targets for CI
> >
> > Andrew Scull (13):
> >   serial: sandbox: Fix buffer underflow in puts
> >   sandbox: Rename EFI runtime sections
> >   sandbox: Rename getopt sections
> >   linker_lists: Rename sections to remove . prefix
> >   sandbox: Add support for Address Sanitizer
> >   test/py: test_stackprotector: Disable for ASAN
> >   CI: Azure: Build with ASAN enabled
> >   fuzzing_engine: Add fuzzing engine uclass
> >   test: fuzz: Add framework for fuzzing
> >   sandbox: Decouple program entry from sandbox init
> >   sandbox: Add libfuzzer integration
> >   sandbox: Implement fuzzing engine driver
> >   fuzz: virtio: Add fuzzer for vring
> >
> >  .azure-pipelines.yml  |  6 ++
> >  Kconfig   | 16 
> >  arch/Kconfig  |  2 +
> >  arch/arc/cpu/u-boot.lds   |  4 +-
> >  arch/arm/config.mk|  4 +-
> >  arch/arm/cpu/arm926ejs/sunxi/u-boot-spl.lds   |  4 +-
> >  arch/arm/cpu/armv7/sunxi/u-boot-spl.lds   |  4 +-
> >  arch/arm/cpu/armv8/u-boot-spl.lds |  4 +-
> >  arch/arm/cpu/armv8/u-boot.lds |  4 +-
> >  arch/arm/cpu/u-boot-spl.lds   |  4 +-
> >  arch/arm/cpu/u-boot.lds   |  6 +-
> >  arch/arm/mach-at91/arm926ejs/u-boot-spl.lds   |  2 +-
> >  arch/arm/mach-at91/armv7/u-boot-spl.lds   |  2 +-
> >  arch/arm/mach-omap2/u-boot-spl.lds|  4 +-
> >  arch/arm/mach-orion5x/u-boot-spl.lds  |  4 +-
> >  arch/arm/mach-rockchip/u-boot-tpl-v8.lds  |  4 +-
> >  arch/arm/mach-zynq/u-boot-spl.lds |  4 +-
> >  arch/arm/mach-zynq/u-boot.lds |  4 +-
> >  arch/m68k/cpu/u-boot.lds  |  4 +-
> >  arch/microblaze/cpu/u-boot-spl.lds|  4 +-
> >  arch/microblaze/cpu/u-boot.lds|  4 +-
> >  arch/mips/config.mk   |  2 +-
> >  arch/mips/cpu/u-boot-spl.lds  |  4 +-
> >  arch/mips/cpu/u-boot.lds  |  4 +-
> >  arch/nios2/cpu/u-boot.lds |  4 +-
> >  arch/powerpc/cpu/mpc83xx/u-boot.lds   |  4 +-
> >  arch/powerpc/cpu/mpc85xx/u-boot-spl.lds   |  4 +-
> >  arch/powerpc/cpu/mpc85xx/u-boot.lds   |  4 +-
> >  arch/riscv/cpu/u-boot-spl.lds |  4 +-
> >  arch/riscv/cpu/u-boot.lds |  4 +-
> >  arch/sandbox/config.mk| 21 -
> >  arch/sandbox/cpu/os.c | 76 +
> >  arch/sandbox/cpu/start.c  |  2 +-
> >  arch/sandbox/cpu/u-boot-spl.lds   | 10 +--
> >  arch/sandbox/cpu/u-boot.lds   | 32 
> >  arch/sandbox/dts/test.dts |  4 +
> >  

Re: [PATCH v3 00/13] Fuzzing and ASAN for sandbox

2023-08-28 Thread Simon Glass
Hi Andrew,

On Mon, 30 May 2022 at 04:00, Andrew Scull  wrote:
>
> This series introduces ASAN and a basic fuzzing infrastructure that
> works with sandbox. The example fuzz test towards the end of the series
> will find something pretty quickly. That something is fixed by the
> series "virtio: Harden and test vring" that needs to be applied for the
> final patch in this series.
>
> There is some refactoring to stop using '.' prefixed sections. ELF
> defines sections with names that contain anything that isn't
> alphanumeric or an underscore as being for system use which means
> clang's ASAN instrumentation happily adds redzones between the contained
> objects. That's not what we want for things like linker lists where the
> linker script has carefully placed the sections contiguously. By
> renaming the sections, clang sees them as user sections and doesn't add
> instrumentation.
>
> ASAN is left disabled by default as there are still some tests that it
> triggers on and will need some more investigation to fix. It can be
> enabled with CONFIG_ASAN or passing `-a ASAN` to buildman.
>
> I abandoned the previous attempts to refactor sandbox EFI and getopt
> declaration as the changes resulted in problems out of the scope of this
> CL. I haven't tried to understand what EFI on sandbox should look like,
> but I have found that the linker list implementation is very brittle
> when up against compiler optimisation since ef123c5253 started to use
> static, zero-length arrays to mark the beginning and end of lists but
> the compiler sees this as something it can get rid of.
>
> From v1:
>  - corrected handling of EFI symbols by sandbox linker script
>  - per comments, some renaming and explaining
>  - dropped RFC for dlmalloc ASAN instrumentation (work required to improve it)
>  - added patch to reduce logging noise in fuzzer
>
> From v2:
>  - remove sandbox EFI and getopt refactoring, they obstruct the series
>  - resolve a couple more ASAN errors
>  - fix LTO, xtensa and MIPS builds
>  - add ASAN build targets for CI
>
> Andrew Scull (13):
>   serial: sandbox: Fix buffer underflow in puts
>   sandbox: Rename EFI runtime sections
>   sandbox: Rename getopt sections
>   linker_lists: Rename sections to remove . prefix
>   sandbox: Add support for Address Sanitizer
>   test/py: test_stackprotector: Disable for ASAN
>   CI: Azure: Build with ASAN enabled
>   fuzzing_engine: Add fuzzing engine uclass
>   test: fuzz: Add framework for fuzzing
>   sandbox: Decouple program entry from sandbox init
>   sandbox: Add libfuzzer integration
>   sandbox: Implement fuzzing engine driver
>   fuzz: virtio: Add fuzzer for vring
>
>  .azure-pipelines.yml  |  6 ++
>  Kconfig   | 16 
>  arch/Kconfig  |  2 +
>  arch/arc/cpu/u-boot.lds   |  4 +-
>  arch/arm/config.mk|  4 +-
>  arch/arm/cpu/arm926ejs/sunxi/u-boot-spl.lds   |  4 +-
>  arch/arm/cpu/armv7/sunxi/u-boot-spl.lds   |  4 +-
>  arch/arm/cpu/armv8/u-boot-spl.lds |  4 +-
>  arch/arm/cpu/armv8/u-boot.lds |  4 +-
>  arch/arm/cpu/u-boot-spl.lds   |  4 +-
>  arch/arm/cpu/u-boot.lds   |  6 +-
>  arch/arm/mach-at91/arm926ejs/u-boot-spl.lds   |  2 +-
>  arch/arm/mach-at91/armv7/u-boot-spl.lds   |  2 +-
>  arch/arm/mach-omap2/u-boot-spl.lds|  4 +-
>  arch/arm/mach-orion5x/u-boot-spl.lds  |  4 +-
>  arch/arm/mach-rockchip/u-boot-tpl-v8.lds  |  4 +-
>  arch/arm/mach-zynq/u-boot-spl.lds |  4 +-
>  arch/arm/mach-zynq/u-boot.lds |  4 +-
>  arch/m68k/cpu/u-boot.lds  |  4 +-
>  arch/microblaze/cpu/u-boot-spl.lds|  4 +-
>  arch/microblaze/cpu/u-boot.lds|  4 +-
>  arch/mips/config.mk   |  2 +-
>  arch/mips/cpu/u-boot-spl.lds  |  4 +-
>  arch/mips/cpu/u-boot.lds  |  4 +-
>  arch/nios2/cpu/u-boot.lds |  4 +-
>  arch/powerpc/cpu/mpc83xx/u-boot.lds   |  4 +-
>  arch/powerpc/cpu/mpc85xx/u-boot-spl.lds   |  4 +-
>  arch/powerpc/cpu/mpc85xx/u-boot.lds   |  4 +-
>  arch/riscv/cpu/u-boot-spl.lds |  4 +-
>  arch/riscv/cpu/u-boot.lds |  4 +-
>  arch/sandbox/config.mk| 21 -
>  arch/sandbox/cpu/os.c | 76 +
>  arch/sandbox/cpu/start.c  |  2 +-
>  arch/sandbox/cpu/u-boot-spl.lds   | 10 +--
>  arch/sandbox/cpu/u-boot.lds   | 32 
>  arch/sandbox/dts/test.dts |  4 +
>  arch/sandbox/include/asm/fuzzing_engine.h | 25 ++
>  arch/sandbox/include/asm/getopt.h |  2 +-
>  arch/sandbox/include/asm/main.h   | 18 
>  arch/sandbox/include/asm/sections.h   |  4 +-
>  arch/sandbox/lib/sections.c
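The cover letter's section-naming point, as an added C example that is not code from the patch series or from U-Boot: entries of a "linker list" are globals placed in one named ELF section, and the whole scheme only works if the linker keeps them contiguous, which is what sanitizer redzones between the objects would break. The section name `demo_cmd_list`, the `struct demo_cmd` type and the `DEMO_CMD` macro are hypothetical names chosen for this example. Unlike the zero-length-array markers the cover letter describes, this example bounds the list with the `__start_<section>` and `__stop_<section>` symbols that GNU ld and lld define for any section whose name is a valid C identifier (the same "user section" naming that keeps clang's ASAN from inserting redzones), so no marker objects exist for the compiler to discard.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * One list entry. Kept to two pointers (16 bytes on 64-bit) so that its
 * size is a multiple of its alignment and entries pack with no padding.
 */
struct demo_cmd {
	const char *name;
	int (*handler)(int);
};

/*
 * Place a static entry in the (hypothetical) section "demo_cmd_list".
 * "used" stops the compiler dropping the otherwise unreferenced object;
 * the explicit alignment matches the entry size so entries stay contiguous.
 */
#define DEMO_CMD(_name, _handler)                                        \
	static const struct demo_cmd _demo_cmd_##_handler                \
	__attribute__((section("demo_cmd_list"), used,                    \
		       aligned(sizeof(struct demo_cmd)))) = {            \
		.name = _name, .handler = _handler,                      \
	}

/* Provided by the linker because "demo_cmd_list" is a C identifier. */
extern const struct demo_cmd __start_demo_cmd_list[];
extern const struct demo_cmd __stop_demo_cmd_list[];

static int cmd_echo(int x)   { return x; }
static int cmd_double(int x) { return x * 2; }
static int cmd_negate(int x) { return -x; }

DEMO_CMD("echo", cmd_echo);
DEMO_CMD("double", cmd_double);
DEMO_CMD("negate", cmd_negate);

/* Number of entries, derived purely from the section bounds. */
size_t demo_cmd_count(void)
{
	return (size_t)(__stop_demo_cmd_list - __start_demo_cmd_list);
}

/* Walk the section; entry order within it is up to the compiler/linker. */
const struct demo_cmd *demo_cmd_find(const char *name)
{
	const struct demo_cmd *e;

	for (e = __start_demo_cmd_list; e < __stop_demo_cmd_list; e++)
		if (strcmp(e->name, name) == 0)
			return e;
	return NULL;
}

/* Returns 0 and stores the handler result, or -1 if no such command. */
int demo_cmd_run(const char *name, int arg, int *out)
{
	const struct demo_cmd *e = demo_cmd_find(name);

	if (!e)
		return -1;
	*out = e->handler(arg);
	return 0;
}

/*
 * Layout check: the section must be an exact multiple of the entry size
 * and every slot must hold a populated entry. Padding or redzones inserted
 * between the objects would leave a gap that fails one of these tests.
 */
int demo_cmd_layout_ok(void)
{
	const char *p = (const char *)__start_demo_cmd_list;
	const char *end = (const char *)__stop_demo_cmd_list;

	if ((size_t)(end - p) % sizeof(struct demo_cmd) != 0)
		return 0;
	for (; p < end; p += sizeof(struct demo_cmd)) {
		const struct demo_cmd *e = (const struct demo_cmd *)p;

		if (!e->name || !e->handler)
			return 0;
	}
	return 1;
}

int main(void)
{
	const struct demo_cmd *e;

	printf("%zu entries, layout %s\n", demo_cmd_count(),
	       demo_cmd_layout_ok() ? "ok" : "BROKEN");
	for (e = __start_demo_cmd_list; e < __stop_demo_cmd_list; e++)
		printf("  %-8s -> %d\n", e->name, e->handler(21));
	return 0;
}
```

Building the same file with `-fsanitize=address` is the practical check: because the section name is a plain identifier the sanitizer leaves the objects alone and `demo_cmd_layout_ok()` still passes; a section name the linker treats as system-reserved is where the cover letter reports redzones appearing between entries.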