Lkl hid fuzzer #515
This is great work Eugene, thank you! I left a few comments inline for a couple minor issues.
Pad '/init' string in fs_setup function to make sure it's 8 bytes, otherwise KASan would emit an error. The kernel's strncpy implementation attempts to read 8 bytes at once and, thus, triggers a KASan violation for the 6-byte string.
Signed-off-by: Eugene Rodionov <[email protected]>
LGTM.
There are a few checkpatch warnings; please check and see if it makes sense to fix some of them.
This change adds two LKL kernel config options:
* LKL_FUZZING, which enables libFuzzer fuzzing instrumentation for the kernel code
* LKL_LINE_COV, which enables code coverage instrumentation for the fuzz targets.
These kernel config options are enabled via environment variables which should be set up either in the environment or in the make files. To build LKL fuzzers run (currently there are no fuzzers checked in yet):
make -C tools/lkl LKL_FUZZING=1 fuzzers
Signed-off-by: Xuan Xing <[email protected]>
Signed-off-by: Eugene Rodionov <[email protected]>
Incremental linking in lld doesn't work well with the group sections (GRP_COMDAT) present in the input files -- in this case the linker semantics are unclear and not defined. This causes problems for building LKL fuzzers with libFuzzer instrumentation (-fsanitize=fuzzer), which generates object files with group sections due to the SanitizerCoverage instrumentation. This CL implements a workaround for this issue by introducing another post-link vmlinux pass.
1) First, vmlinux is linked with an empty linker script to avoid merging input sections.
2) Then, .group sections (GRP_COMDAT) are stripped from the vmlinux image with `objcopy --remove-section=.group`.
3) Finally, we relink the vmlinux with the original linker script (using incremental linking).
Signed-off-by: Eugene Rodionov <[email protected]>
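A check for step 2 of that workaround, added here as an example and not part of this PR or of LKL: it reads the section headers of a 64-bit little-endian ELF image and lists every SHT_GROUP section together with whether its first word carries GRP_COMDAT, which is exactly what should be empty after `objcopy --remove-section=.group`. It matches on section type rather than on the `.group` name, so it also catches group sections that were given another name. The sample objects are constructed inline; on a real build you would pass the bytes of vmlinux.o (or of the libFuzzer-instrumented object files) to list_group_sections.

```python
import struct

SHT_GROUP = 17    # ELF section type of a section group
GRP_COMDAT = 1    # flag in the first 32-bit word of a group section's contents
ELF_HDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
SEC_HDR = "<IIQQQQIIQQ"         # Elf64_Shdr, little-endian

def list_group_sections(elf: bytes):
    """Return [(name, is_comdat)] for every SHT_GROUP section in a 64-bit LE ELF image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF image")
    fields = struct.unpack_from(ELF_HDR, elf, 0)
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    headers = [struct.unpack_from(SEC_HDR, elf, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = headers[shstrndx][4], headers[shstrndx][5]
    strtab = elf[str_off:str_off + str_size]
    groups = []
    for name_off, sh_type, _flags, _addr, offset, size, *_ in headers:
        if sh_type != SHT_GROUP:
            continue
        name = strtab[name_off:strtab.index(b"\0", name_off)].decode()
        flag_word = struct.unpack_from("<I", elf, offset)[0] if size >= 4 else 0
        groups.append((name, bool(flag_word & GRP_COMDAT)))
    return groups

def build_sample_object(with_group: bool) -> bytes:
    """Constructed minimal ET_REL ELF64: .text, an optional COMDAT .group, and .shstrtab."""
    shstrtab = b"\0.text\0.group\0.shstrtab\0"      # name offsets: 1, 7, 14
    text = b"\x90\x90\x90\xc3"
    group = struct.pack("<II", GRP_COMDAT, 1)        # COMDAT flag, then member index of .text
    text_off, group_off = 64, 64 + len(text)
    str_off = group_off + len(group)
    shoff = str_off + len(shstrtab)
    # (sh_name, sh_type, sh_offset, sh_size, sh_entsize)
    secs = [(0, 0, 0, 0, 0), (1, 1, text_off, len(text), 0)]
    if with_group:
        secs.append((7, SHT_GROUP, group_off, len(group), 4))
    secs.append((14, 3, str_off, len(shstrtab), 0))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack(ELF_HDR, ident, 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(secs), len(secs) - 1)
    shdrs = b"".join(struct.pack(SEC_HDR, n, t, 0, 0, off, sz, 0, 0, 1, es) for n, t, off, sz, es in secs)
    return ehdr + text + group + shstrtab + shdrs

if __name__ == "__main__":
    print("before strip:", list_group_sections(build_sample_object(True)))   # [('.group', True)]
    print("after strip: ", list_group_sections(build_sample_object(False)))  # []
```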
As LKL fuzzers might be built with different kernel config options than the ones provided in the defconfig, this change introduces an additional fuzzing_defconfig file. It is assumed that all LKL fuzzers are built using the same kernel config.
Signed-off-by: Xuan Xing <[email protected]>
Signed-off-by: Eugene Rodionov <[email protected]>
This fuzzer fuzzes the Linux kernel HID subsystem via the /dev/uhid device. To build the fuzzer:
make -C tools/lkl LKL_FUZZING=1 fuzzers
Signed-off-by: Xuan Xing <[email protected]>
Add a new target to build LKL-based fuzzers using the clang/lld toolchain.
Signed-off-by: Eugene Rodionov <[email protected]>
Many thanks, @tavip! The checkpatch warnings have been fixed.
I followed the instructions in the commit message to compile the code using:
How can I properly compile hid_fuzzer so that it is correctly instrumented and can work with libFuzzer?
If I remember correctly, it's already instrumented, but the way it's used here requires you to provide a non-empty input seed to get started. You can use the files under the "seeds" directory for that.
On Tue, Dec 10, 2024 at 6:19 PM D0nyu wrote:
I followed the instructions in the commit message to compile the code using:
make -C tools/lkl LKL_FUZZING=1 fuzzers
However, the resulting hid_fuzzer does not appear to be instrumented:
./hid-fuzzer
[ 0.000000] KernelAddressSanitizer initialized
[ 0.000000] Linux version 6.6.0+ (Ubuntu clang version 14.0.6, Ubuntu LLD 14.0.6) #1 Wed Dec 11 10:16:29 CST 2024
[ 0.000000] memblock address range: 0x7ffff403f000 - 0x7ffff723f000
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00007ffff403f000-0x00007ffff723efff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00007ffff403f000-0x00007ffff723efff]
[ 0.000000] Initmem setup node 0 [mem 0x00007ffff403f000-0x00007ffff723efff]
[ 0.000000] Kernel command line: mem=50M kasan.fault=panic
[ 0.000000] Dentry cache hash table entries: 8192 (order: 4, 65536 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 12625
[ 0.000000] mem auto-init: stack:all(zero), heap alloc:off, heap free:off
[ 0.000000] stackdepot: allocating hash table via alloc_large_system_hash
[ 0.000000] stackdepot hash table entries: 1048576 (order: 11, 8388608 bytes, linear)
[ 0.000000] Memory: 42144K/51200K available (149K kernel code, 4506K rwdata, 18014398509464693K rodata, 12747K init, 13242K bss, 9056K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS: 4096
[ 0.000000] lkl: irqs initialized
[ 0.000000] clocksource: lkl: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[ 0.000001] lkl: time and timers initialized (irq1)
[ 0.000065] pid_max: default: 4096 minimum: 301
[ 0.000355] Mount-cache hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.000386] Mountpoint-cache hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.055874] printk: console [lkl_console0] enabled
[ 0.056470] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.057586] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 0.058320] lkl_pci: probe of lkl_pci failed with error -1
[ 0.097946] vgaarb: loaded
[ 0.098078] clocksource: Switched to clocksource lkl
[ 0.099748] NET: Registered PF_INET protocol family
[ 0.100058] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.100953] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.101043] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[ 0.101105] TCP established hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.101174] TCP bind hash table entries: 512 (order: 1, 8192 bytes, linear)
[ 0.101247] TCP: Hash tables configured (established 512 bind 512)
[ 0.101437] UDP hash table entries: 128 (order: 0, 4096 bytes, linear)
[ 0.101499] UDP-Lite hash table entries: 128 (order: 0, 4096 bytes, linear)
[ 0.101718] PCI: CLS 0 bytes, default 32
[ 0.102887] workingset: timestamp_bits=62 max_order=14 bucket_order=0
[ 0.103236] io scheduler mq-deadline registered
[ 0.103282] io scheduler kyber registered
[ 0.159982] hid: raw HID events driver (C) Jiri Kosina
[ 0.165897] NET: Registered PF_INET6 protocol family
[ 0.168151] Segment Routing with IPv6
[ 0.168345] In-situ OAM (IOAM) with IPv6
[ 0.168519] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 0.169963] NET: Registered PF_VSOCK protocol family
[ 0.201093] Warning: unable to open an initial console.
[ 0.201138] This architecture does not have kernel memory protection.
[ 0.201172] Run /init as init process
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1061817419
INFO: Loaded 1 modules (184220 inline 8-bit counters): 184220 [0x555556df01c8, 0x555556e1d164),
INFO: Loaded 1 PC tables (184220 PCs): 184220 [0x555556e1d168,0x5555570ecb28),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: A corpus is not provided, starting from an empty corpus
#2 INITED exec/s: 0 rss: 74Mb
ERROR: no interesting inputs were found. Is the code instrumented for coverage? Exiting.
Flushing coverage data...
Done...
How can I properly compile hid_fuzzer so that it is correctly instrumented and can work with libFuzzer?
This change adds @HclX's HID fuzzer.