---
fuzzing/libnbd-fuzz-wrapper.c | 43 +++++++++++++++++++++++++++------
fuzzing/libnbd-libfuzzer-test.c | 4 +++
2 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/fuzzing/libnbd-fuzz-wrapper.c b/fuzzing/libnbd-fuzz-wrapper.c
index 338adc0..fbff095 100644
--- a/fuzzing/libnbd-fuzz-wrapper.c
+++ b/fuzzing/libnbd-fuzz-wrapper.c
@@ -17,10 +17,25 @@
*/
/* This is a wrapper allowing libnbd to be tested using common fuzzers
- * such as afl. It takes the fuzzer test case as a filename on the
- * command line. This is fed to the libnbd socket. Any output to the
- * socket from libnbd is sent to /dev/null. This is basically the
- * same way we fuzz nbdkit, but in reverse (see nbdkit.git/fuzzing).
+ * such as AFL++. It takes the fuzzer test case as a filename on the
+ * command line.
+ *
+ * It uses fuzzed-data-provider.h to parse the input allowing a choice
+ * of APIs to be called in any order under control of the fuzzer. The
+ * test cases therefore do not correspond very closely to raw NBD
+ * protocol.
+ *
+ * The fuzzer input is parsed as a series of commands, directing this
+ * program to execute different libnbd APIs. When the input is
+ * exhausted we stop the test. Each command is structured as:
+ *
+ * <enum of API to call>
+ * <offset>
+ * <flags>
+ * <data buffer> (includes implicit length)
+ *
+ * The data buffer field is only used by nbd_aio_pwrite. For other
+ * APIs only the length is used and the content is ignored.
*/
#include <config.h>
@@ -146,10 +161,20 @@ extent64_callback (void *user_data,
return 0;
}
+enum call_type {
+ PREAD,
+ PWRITE,
+ FLUSH,
+ TRIM,
+ ZERO,
+ CACHE,
+ PREAD_STRUCTURED,
+ BLOCK_STATUS,
+ BLOCK_STATUS_64,
+ CALL_TYPE_MAX_PLUS_1 /* must be last entry */
+};
+
/* This is the client (parent process) running libnbd. */
-static char buf[512];
-static char prbuf[65536];
-
static void
client (int sock)
{
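Review bot: The file-scope arrays dropped at `-static char buf[512];` and `-static char prbuf[65536];` are still used by the unchanged new-side lines `nbd_aio_pread (nbd, buf, sizeof buf, 0, NBD_NULL_COMPLETION, 0);` and `nbd_aio_pwrite (nbd, buf, sizeof buf, 0, NBD_NULL_COMPLETION, 0);` in the next hunk (@@ -180,6 +205,10), so unless client() now declares a local `buf` somewhere outside the visible hunks this will not compile; the diffstat (40 insertions, 7 deletions) is fully accounted for by the visible hunks, which leaves no room for such a declaration elsewhere in this patch. The new `enum call_type` also deserves a comment tying it to the header's `<enum of API to call>` field, e.g. `/* First field of each fuzzer command; a decoded value >= CALL_TYPE_MAX_PLUS_1 must be rejected or reduced before dispatch. */`, since the sentinel is otherwise unexplained. client()'s body continues outside the hunk.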
@@ -180,6 +205,10 @@ client (int sock)
length = nbd_get_size (nbd);
+ /* Main loop: Consume fuzzer data to decide which calls we will make. */
+ while (more_fuzzed_data
+
+
/* Test common asynchronous I/O calls. */
nbd_aio_pread (nbd, buf, sizeof buf, 0, NBD_NULL_COMPLETION, 0);
nbd_aio_pwrite (nbd, buf, sizeof buf, 0, NBD_NULL_COMPLETION, 0);
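Review bot: The added `while (more_fuzzed_data` is not a complete statement — the condition is never closed and no loop body follows, only two blank lines — so the file cannot compile as posted; either the line was truncated in transit or the main loop has not yet been written. As it stands the comment `/* Main loop: Consume fuzzer data to decide which calls we will make. */` describes a loop that does not exist, and the `nbd_aio_pread`/`nbd_aio_pwrite` calls below it still execute once, unconditionally, rather than under fuzzer control as the new header comment in the first hunk promises. When the loop is filled in, the per-command offset and length fields decoded from the input should be range-checked against `length` (obtained from `nbd_get_size (nbd)` just above) before being handed to the aio calls, so that an oversized request is rejected by the wrapper rather than relied on to be caught by libnbd. client()'s body begins before and continues after this hunk.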
diff --git a/fuzzing/libnbd-libfuzzer-test.c b/fuzzing/libnbd-libfuzzer-test.c
index 1721b74..cf6c1cf 100644
--- a/fuzzing/libnbd-libfuzzer-test.c
+++ b/fuzzing/libnbd-libfuzzer-test.c
@@ -22,6 +22,10 @@
*
* - This case is mostly unmaintained. The maintainers use AFL++ for
* fuzzing (see libnbd-fuzz-wrapper.c).
+ *
+ * - This test needs to be updated to use the new method of reading
+ * input via the fuzzed data provider (see again
+ * libnbd-fuzz-wrapper.c).
*/
#include <config.h>
--
2.43.1