4:34 p.m.
Give the fuzzer a few more points to experiment with added branching
by explicitly using opt mode.
---
I'm not quite sure whether the fuzzer is able to synthesize specific
API calls from the client side; but if it can, letting the client
specifically enter the NEGOTIATING state may allow the fuzzer to spot
other nbd_opt_* API call chains that could provoke odd interactions,
which would be completely missed when sticking with the default of
skipping opt mode.
fuzzing/libnbd-fuzz-wrapper.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fuzzing/libnbd-fuzz-wrapper.c b/fuzzing/libnbd-fuzz-wrapper.c
index 7e390558..e7cf7fe9 100644
--- a/fuzzing/libnbd-fuzz-wrapper.c
+++ b/fuzzing/libnbd-fuzz-wrapper.c
@@ -200,7 +200,10 @@ client (int sock)
nbd_add_meta_context (nbd, LIBNBD_CONTEXT_BASE_ALLOCATION);
/* This tests the handshake phase. */
+ nbd_set_opt_mode (nbd, true);
nbd_connect_socket (nbd, sock);
+ nbd_opt_info (nbd);
+ nbd_opt_go (nbd);
length = nbd_get_size (nbd);
--
2.37.3
4:22 a.m.
On Thu, Oct 06, 2022 at 04:34:52PM -0500, Eric Blake wrote:
Give the fuzzer a few more points to experiment with added branching
by explicitly using opt mode.
---
I'm not quite sure whether the fuzzer is able to synthesize specific
API calls from the client side; but if it can, letting the client
specifically enter the NEGOTIATING state may allow the fuzzer to spot
other nbd_opt_* API call chains that could provoke odd interactions,
which would be completely missed when sticking with the default of
skipping opt mode.
It's essentially looking for new paths through the code. If the
change allows new libnbd paths to be explored then it will be
beneficial to fuzzing, if not then it'll make no difference. I have
no objection to trying the patch anyway, so ACK.
Rich.
fuzzing/libnbd-fuzz-wrapper.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fuzzing/libnbd-fuzz-wrapper.c b/fuzzing/libnbd-fuzz-wrapper.c
index 7e390558..e7cf7fe9 100644
--- a/fuzzing/libnbd-fuzz-wrapper.c
+++ b/fuzzing/libnbd-fuzz-wrapper.c
@@ -200,7 +200,10 @@ client (int sock)
nbd_add_meta_context (nbd, LIBNBD_CONTEXT_BASE_ALLOCATION);
/* This tests the handshake phase. */
+ nbd_set_opt_mode (nbd, true);
nbd_connect_socket (nbd, sock);
+ nbd_opt_info (nbd);
+ nbd_opt_go (nbd);
length = nbd_get_size (nbd);
--
2.37.3
_______________________________________________
Libguestfs mailing list
Libguestfs(a)redhat.com
https://listman.redhat.com/mailman/listinfo/libguestfs
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
7:37 a.m.
On Fri, Oct 07, 2022 at 10:22:57AM +0100, Richard W.M. Jones wrote:
On Thu, Oct 06, 2022 at 04:34:52PM -0500, Eric Blake wrote:
> Give the fuzzer a few more points to experiment with added branching
> by explicitly using opt mode.
> ---
>
> I'm not quite sure whether the fuzzer is able to synthesize specific
> API calls from the client side; but if it can, letting the client
> specifically enter the NEGOTIATING state may allow the fuzzer to spot
> other nbd_opt_* API call chains that could provoke odd interactions,
> which would be completely missed when sticking with the default of
> skipping opt mode.
It's essentially looking for new paths through the code. If the
change allows new libnbd paths to be explored then it will be
beneficial to fuzzing, if not then it'll make no difference. I have
no objection to trying the patch anyway, so ACK.
Ok, in as 8592caba
Thinking about ways to expose even more code-paths, I wonder if we
could tweak the client along the lines of:
if (rand () & 1)
nbd_set_handshake_flags (nbd, rand ());
if (rand () & 1)
nbd_set_strict_mode (nbd, rand ());
and so forth, to allow the fuzzer to explore different combinations of
settings. Another idea might be:
static void do_opt_structured_reply (void)
{ /* call nbd_opt_structured_reply() */ }
static void do_opt_list_meta_context (void)
{ /* call nbd_opt_list_meta_context[_queries]() */ }
...
void (*opts[])(void) = {
do_opt_structured_reply,
do_opt_list_meta_context,
...
};
for (i = rand () % 20; i > 0; i--)
opts[i % ARRAY_SIZE (opts)] ();
to play with different handshake sequences.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
7:51 a.m.
On Fri, Oct 07, 2022 at 07:37:19AM -0500, Eric Blake wrote:
On Fri, Oct 07, 2022 at 10:22:57AM +0100, Richard W.M. Jones wrote:
> On Thu, Oct 06, 2022 at 04:34:52PM -0500, Eric Blake wrote:
> > Give the fuzzer a few more points to experiment with added branching
> > by explicitly using opt mode.
> > ---
> >
> > I'm not quite sure whether the fuzzer is able to synthesize specific
> > API calls from the client side; but if it can, letting the client
> > specifically enter the NEGOTIATING state may allow the fuzzer to spot
> > other nbd_opt_* API call chains that could provoke odd interactions,
> > which would be completely missed when sticking with the default of
> > skipping opt mode.
>
> It's essentially looking for new paths through the code. If the
> change allows new libnbd paths to be explored then it will be
> beneficial to fuzzing, if not then it'll make no difference. I have
> no objection to trying the patch anyway, so ACK.
Ok, in as 8592caba
Thinking about ways to expose even more code-paths, I wonder if we
could tweak the client along the lines of:
if (rand () & 1)
nbd_set_handshake_flags (nbd, rand ());
if (rand () & 1)
nbd_set_strict_mode (nbd, rand ());
Adding randomization to the fuzzer is a bad idea I'm afraid,
specifically called out in the docs:
https://aflplus.plus/docs/faq/ (search for "Stability")
and so forth, to allow the fuzzer to explore different combinations
of
settings.
The fuzzer will explore different paths by presenting different
inputs. In the case of libnbd, "input" means the network data that
normally libnbd would be reading from the NBD server. As long as
variations in those replies (inputs) can cause libnbd to take
different paths then the fuzzer will eventually explore those paths.
Another idea might be:
static void do_opt_structured_reply (void)
{ /* call nbd_opt_structured_reply() */ }
static void do_opt_list_meta_context (void)
{ /* call nbd_opt_list_meta_context[_queries]() */ }
...
void (*opts[])(void) = {
do_opt_structured_reply,
do_opt_list_meta_context,
...
};
for (i = rand () % 20; i > 0; i--)
opts[i % ARRAY_SIZE (opts)] ();
to play with different handshake sequences.
This won't work for the same reason.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
8:35 a.m.
On Fri, Oct 07, 2022 at 01:51:05PM +0100, Richard W.M. Jones wrote:
> Thinking about ways to expose even more code-paths, I wonder if
we
> could tweak the client along the lines of:
>
> if (rand () & 1)
> nbd_set_handshake_flags (nbd, rand ());
> if (rand () & 1)
> nbd_set_strict_mode (nbd, rand ());
Adding randomization to the fuzzer is a bad idea I'm afraid,
specifically called out in the docs:
https://aflplus.plus/docs/faq/ (search for "Stability")
Interesting reading, including:
"There are functions that are unstable, but also provide value to
coverage, e.g., init functions that use fuzz data as input. If,
however, a function that has nothing to do with the input data is the
source of instability, e.g., checking jitter, or is a hash map
function etc., then it should not be instrumented."
So using rand() is probably going to hurt more than it helps (too
unpredictable; even if seeded, you can only fuzz the seed number, not
the psuedo-random sequence that follows from that seed). But setting
up a mode where we tweak our first few handshaking decisions based on
reading a few bytes from a fuzzed file may be worthwhile - where the
fuzzer can then explore changes it makes to that file as a way of
deterministically exploring different initialization paths.
> and so forth, to allow the fuzzer to explore different combinations of
> settings.
The fuzzer will explore different paths by presenting different
inputs. In the case of libnbd, "input" means the network data that
normally libnbd would be reading from the NBD server. As long as
variations in those replies (inputs) can cause libnbd to take
different paths then the fuzzer will eventually explore those paths.
> Another idea might be:
>
> static void do_opt_structured_reply (void)
> { /* call nbd_opt_structured_reply() */ }
> static void do_opt_list_meta_context (void)
> { /* call nbd_opt_list_meta_context[_queries]() */ }
> ...
> void (*opts[])(void) = {
> do_opt_structured_reply,
> do_opt_list_meta_context,
> ...
> };
>
> for (i = rand () % 20; i > 0; i--)
> opts[i % ARRAY_SIZE (opts)] ();
>
> to play with different handshake sequences.
This won't work for the same reason.
Okay, I see that better after looking at README; the fuzzing we are
attempting is based on a two-step process: first we generate an actual
capture of server replies to a valid client session, then you start
fuzzing on a replay of the client dealing with slight variations of
the server's reply (that is, trying to find spots where a
buggy/malicious server can trip up the client). Throwing in more
randomness to the initialization would let us create exponentially
more starting point files in the first step of capturing actual client
sessions, but may not necesesarily drive us any closer to the second
step of fuzzing the server's replies into tickling client bugs unless
we can tightly correlate which input sequence of the first step
determines which output file we should be fuzzing in the second step.
There may still be some fuzzing gains to be added, but it would be by
having yet another file under the fuzzer's control to read from during
initialization, and not by calls to rand().
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
5:16 a.m.
On 10/06/22 23:34, Eric Blake wrote:
Give the fuzzer a few more points to experiment with added branching
by explicitly using opt mode.
---
I'm not quite sure whether the fuzzer is able to synthesize specific
API calls from the client side; but if it can, letting the client
specifically enter the NEGOTIATING state may allow the fuzzer to spot
other nbd_opt_* API call chains that could provoke odd interactions,
which would be completely missed when sticking with the default of
skipping opt mode.
fuzzing/libnbd-fuzz-wrapper.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fuzzing/libnbd-fuzz-wrapper.c b/fuzzing/libnbd-fuzz-wrapper.c
index 7e390558..e7cf7fe9 100644
--- a/fuzzing/libnbd-fuzz-wrapper.c
+++ b/fuzzing/libnbd-fuzz-wrapper.c
@@ -200,7 +200,10 @@ client (int sock)
nbd_add_meta_context (nbd, LIBNBD_CONTEXT_BASE_ALLOCATION);
/* This tests the handshake phase. */
+ nbd_set_opt_mode (nbd, true);
nbd_connect_socket (nbd, sock);
+ nbd_opt_info (nbd);
+ nbd_opt_go (nbd);
length = nbd_get_size (nbd);
Based on my memories of the previous discussion:
Reviewed-by: Laszlo Ersek <lersek(a)redhat.com>
(Famous last words!)
10:35 a.m.
FYI I restarted the fuzzing at commit c5a4042640 which includes this
patch.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
757
days inactive
760
days old
6 comments
3 participants
participants (3)
-
Eric Blake -
Laszlo Ersek -
Richard W.M. Jones