Lkl hid fuzzer #515

Merged
merged 6 commits into from
Feb 27, 2023

Conversation

rodionov

This change adds @HclX's HID fuzzer.

@tavip tavip (Member) left a comment

This is great work Eugene, thank you! I left a few comments inline for a couple of minor issues.

Files with inline review comments:
 * arch/lkl/kernel/vmlinux-fuzzing-postlink.lds (outdated)
 * tools/lkl/Makefile (outdated)
 * arch/lkl/kernel/setup.c
 * arch/lkl/Makefile.postlink (outdated)
 * arch/lkl/Makefile.postlink
 * tools/lkl/Makefile.autoconf (outdated)
 * arch/lkl/Kconfig (outdated)
 * arch/lkl/Kconfig (outdated)
 * tools/lkl/Makefile (outdated)
Pad the '/init' string in the fs_setup function to make sure it's 8 bytes,
otherwise KASan would emit an error. The kernel's strncpy
implementation attempts to read 8 bytes at once and, thus,
triggers a KASan violation for the 6-byte string.

Signed-off-by: Eugene Rodionov <[email protected]>
@tavip tavip (Member) left a comment

LGTM.

There are a few checkpatch warnings; please check and see if it makes sense to fix some of them.

rodionov and others added 5 commits February 27, 2023 23:03
This change adds two LKL kernel config options:
 * LKL_FUZZING which enables libFuzzer fuzzing instrumentation for the
   kernel code
 * LKL_LINE_COV which enables code coverage instrumentation for the fuzz
   targets.

These kernel config options are enabled via environment variables which
should be set up either in the environment or in the make files.

To build LKL fuzzers run (currently there are no fuzzers checked in yet):
make -C tools/lkl LKL_FUZZING=1 fuzzers

Signed-off-by: Xuan Xing <[email protected]>
Signed-off-by: Eugene Rodionov <[email protected]>
Incremental linking in lld doesn't work well with the group sections
(GRP_COMDAT) present in the input files -- in this case the linker
semantics are unclear and not defined. This causes problems for building
LKL fuzzers with libFuzzer instrumentation (-fsanitize=fuzzer), which
generates object files with group sections due to the SanitizerCoverage
instrumentation.

This CL implements a workaround for this issue by introducing another
post-link vmlinux pass.

1) First, vmlinux is linked with an empty linker script to avoid merging
   input sections.

2) Then, .group sections (GRP_COMDAT) are stripped from the vmlinux
   image with `objcopy --remove-section=.group`.

3) Finally, we relink the vmlinux with the original linker script (using
   incremental linking).

Signed-off-by: Eugene Rodionov <[email protected]>
As LKL fuzzers might be built with different kernel config options
than the ones provided in the defconfig this change introduces an
additional fuzzing_defconfig file.

It is assumed that all LKL fuzzers are built using the same kernel
config.

Signed-off-by: Xuan Xing <[email protected]>
Signed-off-by: Eugene Rodionov <[email protected]>
This fuzzer fuzzes the Linux kernel HID subsystem via the /dev/uhid device.

To build the fuzzer:

make -C tools/lkl LKL_FUZZING=1 fuzzers

Signed-off-by: Xuan Xing <[email protected]>
Add a new target to build LKL-based fuzzers using clang/lld toolchain.

Signed-off-by: Eugene Rodionov <[email protected]>
@tavip tavip merged commit 83a905f into lkl:master Feb 27, 2023
@rodionov (Author)

Many thanks, @tavip! The checkpatch warnings have been fixed.

@D0nYu

D0nYu commented Dec 11, 2024

I followed the instructions in the commit message to compile the code using:
make -C tools/lkl LKL_FUZZING=1 fuzzers
However, the resulting hid_fuzzer does not appear to be instrumented:

./hid-fuzzer
[ 0.000000] KernelAddressSanitizer initialized
[ 0.000000] Linux version 6.6.0+ (Ubuntu clang version 14.0.6, Ubuntu LLD 14.0.6) #1 Wed Dec 11 10:16:29 CST 2024
[ 0.000000] memblock address range: 0x7ffff403f000 - 0x7ffff723f000
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00007ffff403f000-0x00007ffff723efff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00007ffff403f000-0x00007ffff723efff]
[ 0.000000] Initmem setup node 0 [mem 0x00007ffff403f000-0x00007ffff723efff]
[ 0.000000] Kernel command line: mem=50M kasan.fault=panic
[ 0.000000] Dentry cache hash table entries: 8192 (order: 4, 65536 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 12625
[ 0.000000] mem auto-init: stack:all(zero), heap alloc:off, heap free:off
[ 0.000000] stackdepot: allocating hash table via alloc_large_system_hash
[ 0.000000] stackdepot hash table entries: 1048576 (order: 11, 8388608 bytes, linear)
[ 0.000000] Memory: 42144K/51200K available (149K kernel code, 4506K rwdata, 18014398509464693K rodata, 12747K init, 13242K bss, 9056K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS: 4096
[ 0.000000] lkl: irqs initialized
[ 0.000000] clocksource: lkl: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[ 0.000001] lkl: time and timers initialized (irq1)
[ 0.000065] pid_max: default: 4096 minimum: 301
[ 0.000355] Mount-cache hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.000386] Mountpoint-cache hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.055874] printk: console [lkl_console0] enabled
[ 0.056470] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.057586] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 0.058320] lkl_pci: probe of lkl_pci failed with error -1
[ 0.097946] vgaarb: loaded
[ 0.098078] clocksource: Switched to clocksource lkl
[ 0.099748] NET: Registered PF_INET protocol family
[ 0.100058] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.100953] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.101043] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[ 0.101105] TCP established hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.101174] TCP bind hash table entries: 512 (order: 1, 8192 bytes, linear)
[ 0.101247] TCP: Hash tables configured (established 512 bind 512)
[ 0.101437] UDP hash table entries: 128 (order: 0, 4096 bytes, linear)
[ 0.101499] UDP-Lite hash table entries: 128 (order: 0, 4096 bytes, linear)
[ 0.101718] PCI: CLS 0 bytes, default 32
[ 0.102887] workingset: timestamp_bits=62 max_order=14 bucket_order=0
[ 0.103236] io scheduler mq-deadline registered
[ 0.103282] io scheduler kyber registered
[ 0.159982] hid: raw HID events driver (C) Jiri Kosina
[ 0.165897] NET: Registered PF_INET6 protocol family
[ 0.168151] Segment Routing with IPv6
[ 0.168345] In-situ OAM (IOAM) with IPv6
[ 0.168519] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 0.169963] NET: Registered PF_VSOCK protocol family
[ 0.201093] Warning: unable to open an initial console.
[ 0.201138] This architecture does not have kernel memory protection.
[ 0.201172] Run /init as init process
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1061817419
INFO: Loaded 1 modules (184220 inline 8-bit counters): 184220 [0x555556df01c8, 0x555556e1d164),
INFO: Loaded 1 PC tables (184220 PCs): 184220 [0x555556e1d168,0x5555570ecb28),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED exec/s: 0 rss: 74Mb
ERROR: no interesting inputs were found. Is the code instrumented for coverage? Exiting.
Flushing coverage data...
Done...

How can I properly compile hid_fuzzer so that it is correctly instrumented and can work with libFuzzer?
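As an added example (not part of this PR or the LKL project's own code), the following Python script implements the two checks a practitioner would want around the procedures discussed in this thread: after step 2 of the post-link workaround from the commit message (objcopy removing the .group sections), confirm that no GRP_COMDAT group sections remain before the incremental relink; and, for the question above about instrumentation, confirm that a binary actually carries the SanitizerCoverage sections libFuzzer loads its counters from. It is a minimal ELF64 section-header parser. The ELF images it runs on are constructed inline (not real LKL objects), and the section names __sancov_cntrs, __sancov_pcs and __sancov_guards are the ones clang's SanitizerCoverage uses on ELF, an assumption of this example rather than something taken from the page.

```python
import struct

# ELF constants used below (from the ELF specification).
SHT_PROGBITS = 1
SHT_STRTAB = 3
SHT_GROUP = 17      # section group header, i.e. a .group section
GRP_COMDAT = 0x1    # flag word at the start of a group section's contents

# Assumption: SanitizerCoverage emits its inline 8-bit counters, PC table and
# trace-pc guards into these ELF sections; libFuzzer reports them at startup
# as "inline 8-bit counters" and "PC tables".
SANCOV_SECTIONS = ("__sancov_cntrs", "__sancov_pcs", "__sancov_guards")


def list_sections(elf):
    """Return [(name, type, contents)] for every section of an ELF64 LE image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF image")
    (e_shoff,) = struct.unpack_from("<Q", elf, 40)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", elf, 58)

    def shdr(i):  # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
        return struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)

    str_off, str_size = shdr(e_shstrndx)[4:6]
    shstrtab = elf[str_off:str_off + str_size]
    out = []
    for i in range(e_shnum):
        sh_name, sh_type, _, _, sh_off, sh_size, *_ = shdr(i)
        name = shstrtab[sh_name:shstrtab.index(b"\0", sh_name)].decode()
        out.append((name, sh_type, elf[sh_off:sh_off + sh_size]))
    return out


def comdat_groups(elf):
    """Names of SHT_GROUP sections whose flag word has GRP_COMDAT set."""
    return [n for n, t, body in list_sections(elf)
            if t == SHT_GROUP and len(body) >= 4
            and struct.unpack_from("<I", body)[0] & GRP_COMDAT]


def ready_for_relink(elf):
    """Gate between step 2 (objcopy) and step 3 (relink): no COMDAT groups left."""
    return not comdat_groups(elf)


def sancov_sections(elf):
    """SanitizerCoverage sections present in the image (empty = not instrumented)."""
    present = {n for n, _, _ in list_sections(elf)}
    return [s for s in SANCOV_SECTIONS if s in present]


def build_elf64(sections):
    """Construct a minimal ELF64 ET_REL image from (name, type, contents) triples.
    Constructed sample data for the checks above, not a real object file."""
    names = [""] + [s[0] for s in sections] + [".shstrtab"]
    shstrtab, name_off = b"", {}
    for n in names:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    body, offsets, cur = b"", [], 64          # contents follow the 64-byte ELF header
    for _, _, contents in sections:
        offsets.append(cur)
        body += contents
        cur += len(contents)
    shstr_off, shoff = cur, cur + len(shstrtab)
    shnum = len(sections) + 2                  # + SHN_UNDEF entry + .shstrtab
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # ELFCLASS64, little-endian, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, shnum - 1)
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)   # index 0: SHN_UNDEF
    for (name, typ, contents), off in zip(sections, offsets):
        shdrs += struct.pack("<IIQQQQIIQQ", name_off[name], typ, 0, 0, off, len(contents), 0, 0, 1, 0)
    shdrs += struct.pack("<IIQQQQIIQQ", name_off[".shstrtab"], SHT_STRTAB, 0, 0,
                         shstr_off, len(shstrtab), 0, 0, 1, 0)
    return ehdr + body + shstrtab + shdrs


# Constructed samples: an object as -fsanitize=fuzzer would leave it (a COMDAT
# group plus sancov sections), the same image after the group is stripped, and
# a plain uninstrumented object.
COMDAT_GROUP_BODY = struct.pack("<II", GRP_COMDAT, 2)   # flags + one member section index
INSTRUMENTED = build_elf64([
    (".group", SHT_GROUP, COMDAT_GROUP_BODY),
    (".text", SHT_PROGBITS, b"\x90" * 16),
    ("__sancov_cntrs", SHT_PROGBITS, b"\0" * 8),
    ("__sancov_pcs", SHT_PROGBITS, b"\0" * 32),
])
STRIPPED = build_elf64([
    (".text", SHT_PROGBITS, b"\x90" * 16),
    ("__sancov_cntrs", SHT_PROGBITS, b"\0" * 8),
    ("__sancov_pcs", SHT_PROGBITS, b"\0" * 32),
])
UNINSTRUMENTED = build_elf64([(".text", SHT_PROGBITS, b"\x90" * 16)])

if __name__ == "__main__":
    print("COMDAT groups before objcopy:", comdat_groups(INSTRUMENTED))
    print("ready to relink after objcopy:", ready_for_relink(STRIPPED))
    print("sancov sections:", sancov_sections(INSTRUMENTED), sancov_sections(UNINSTRUMENTED))
```

On a real build the same functions can be pointed at the vmlinux produced between steps 2 and 3, or at the final fuzzer binary, by reading the file into `bytes`; the parser only understands 64-bit little-endian ELF, which is what an x86-64 clang/lld toolchain produces for LKL.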

@HclX

HclX commented Dec 11, 2024 via email

@rodionov rodionov deleted the lkl_hid_fuzzer branch January 2, 2025 22:51