[PATCH v2 0/4] fuzz: basic AFL suppport

[PATCH v2 0/4] fuzz: basic AFL suppport

[Wei Liu]

Provide simple stub programs for AFL fuzzer. For usage, please see README.afl.

This series doesn't aim to improve fuzzing targets. It is just demonstration
for how we could use the same fuzzing code for both oss-fuzz and AFL.

The stub programs are identical in libefl and x86 emulator at the moment, but
they will likely diverge in the future. The duplication of code is deliberate.

Wei.

Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>

Wei Liu (4):
  tools/fuzz: add missing dependencies in x86 insn fuzzer build rule
  tools/fuzz: add AFL stub program for x86 insn emulator fuzzer
  tools/fuzz: add AFL stub program for libefl fuzzer
  tools/fuzz: add README.afl

 .gitignore                                         |  2 +
 tools/fuzz/README.afl                              | 27 ++++++++++
 tools/fuzz/{README => README.oss-fuzz}             |  0
 tools/fuzz/libelf/Makefile                         |  7 ++-
 tools/fuzz/libelf/afl-libelf-fuzzer.c              | 57 ++++++++++++++++++++++
 tools/fuzz/x86_instruction_emulator/Makefile       | 11 ++++-
 .../afl-x86-insn-emulator-fuzzer.c                 | 57 ++++++++++++++++++++++
 7 files changed, 158 insertions(+), 3 deletions(-)
 create mode 100644 tools/fuzz/README.afl
 rename tools/fuzz/{README => README.oss-fuzz} (100%)
 create mode 100644 tools/fuzz/libelf/afl-libelf-fuzzer.c
 create mode 100644 tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c

-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH v2 1/4] tools/fuzz: add missing dependencies in x86 insn fuzzer build rule

[Wei Liu]

The said file needs the two header files.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
---
 tools/fuzz/x86_instruction_emulator/Makefile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/fuzz/x86_instruction_emulator/Makefile b/tools/fuzz/x86_instruction_emulator/Makefile
index 1777bf6fb6..6aef3a703f 100644
--- a/tools/fuzz/x86_instruction_emulator/Makefile
+++ b/tools/fuzz/x86_instruction_emulator/Makefile
@@ -18,6 +18,8 @@ CFLAGS += $(CFLAGS_xeninclude) -D__XEN_TOOLS__
 
 x86_emulate.o: x86_emulate.c x86_emulate.h x86_emulate/x86_emulate.c x86_emulate/x86_emulate.h
 
+x86-insn-emulator-fuzzer.o: x86_emulate.h x86_emulate/x86_emulate.h
+
 x86-insn-emulator.a: x86_emulate.o
 	$(AR) rc $@ $^
 
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH v2 2/4] tools/fuzz: add AFL stub program for x86 insn emulator fuzzer

[Wei Liu]

This is a basic program to call into the unified fuzzing function.

Hook it up into build system so that we can always build test it.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
---
 .gitignore                                         |  1 +
 tools/fuzz/x86_instruction_emulator/Makefile       |  9 +++-
 .../afl-x86-insn-emulator-fuzzer.c                 | 57 ++++++++++++++++++++++
 3 files changed, 65 insertions(+), 2 deletions(-)
 create mode 100644 tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c

diff --git a/.gitignore b/.gitignore
index 01ad29e66b..b50f7ea5d3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -147,6 +147,7 @@ tools/flask/utils/flask-setenforce
 tools/flask/utils/flask-set-bool
 tools/flask/utils/flask-label-pci
 tools/fuzz/x86_instruction_emulator/x86_emulate*
+tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer
 tools/helpers/_paths.h
 tools/helpers/init-xenstore-domain
 tools/helpers/xen-init-dom0
diff --git a/tools/fuzz/x86_instruction_emulator/Makefile b/tools/fuzz/x86_instruction_emulator/Makefile
index 6aef3a703f..f2bb12e871 100644
--- a/tools/fuzz/x86_instruction_emulator/Makefile
+++ b/tools/fuzz/x86_instruction_emulator/Makefile
@@ -3,7 +3,7 @@ include $(XEN_ROOT)/tools/Rules.mk
 
 .PHONY: x86-instruction-emulator-fuzzer-all
 ifeq ($(CONFIG_X86_64),y)
-x86-instruction-emulator-fuzzer-all: x86-insn-emulator.a x86-insn-emulator-fuzzer.o
+x86-instruction-emulator-fuzzer-all: x86-insn-emulator.a x86-insn-emulator-fuzzer.o afl
 else
 x86-instruction-emulator-fuzzer-all:
 endif
@@ -23,6 +23,8 @@ x86-insn-emulator-fuzzer.o: x86_emulate.h x86_emulate/x86_emulate.h
 x86-insn-emulator.a: x86_emulate.o
 	$(AR) rc $@ $^
 
+afl-x86-insn-emulator-fuzzer: afl-x86-insn-emulator-fuzzer.o x86-insn-emulator-fuzzer.o x86_emulate.o
+
 # Common targets
 .PHONY: all
 all: x86-instruction-emulator-fuzzer-all
@@ -33,7 +35,10 @@ distclean: clean
 
 .PHONY: clean
 clean:
-	rm -f *.a *.o
+	rm -f *.a *.o *-x86-insn-emulator-fuzzer
 
 .PHONY: install
 install: all
+
+.PHONY: afl
+afl: afl-x86-insn-emulator-fuzzer
diff --git a/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
new file mode 100644
index 0000000000..b5668c11e7
--- /dev/null
+++ b/tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer.c
@@ -0,0 +1,57 @@
+#include <assert.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size);
+
+#define INPUT_SIZE  4096
+static uint8_t input[INPUT_SIZE];
+
+int main(int argc, char **argv)
+{
+    size_t size;
+    FILE *fp;
+
+    if ( argc != 2 )
+    {
+        printf("Expecting only one argument\n");
+        exit(-1);
+    }
+
+    fp = fopen(argv[1], "rb");
+    if ( fp == NULL )
+    {
+        perror("fopen");
+        exit(-1);
+    }
+
+    size = fread(input, 1, INPUT_SIZE, fp);
+
+    if ( ferror(fp) )
+    {
+        perror("fread");
+        exit(-1);
+    }
+
+    if ( !feof(fp) )
+    {
+        printf("Input too large\n");
+        exit(-1);
+    }
+
+    fclose(fp);
+
+    LLVMFuzzerTestOneInput(input, size);
+
+    return 0;
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH v2 3/4] tools/fuzz: add AFL stub program for libefl fuzzer

[Wei Liu]

And hook it up into build system.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
---
 .gitignore                            |  1 +
 tools/fuzz/libelf/Makefile            |  7 ++++-
 tools/fuzz/libelf/afl-libelf-fuzzer.c | 57 +++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 tools/fuzz/libelf/afl-libelf-fuzzer.c

diff --git a/.gitignore b/.gitignore
index b50f7ea5d3..8810c6975a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -146,6 +146,7 @@ tools/flask/utils/flask-loadpolicy
 tools/flask/utils/flask-setenforce
 tools/flask/utils/flask-set-bool
 tools/flask/utils/flask-label-pci
+tools/fuzz/libelf/afl-libelf-fuzzer
 tools/fuzz/x86_instruction_emulator/x86_emulate*
 tools/fuzz/x86_instruction_emulator/afl-x86-insn-emulator-fuzzer
 tools/helpers/_paths.h
diff --git a/tools/fuzz/libelf/Makefile b/tools/fuzz/libelf/Makefile
index c73ce44e87..3313601caa 100644
--- a/tools/fuzz/libelf/Makefile
+++ b/tools/fuzz/libelf/Makefile
@@ -19,6 +19,8 @@ libelf.a: $(ELF_LIB_OBJS)
 .PHONY: libelf-fuzzer-all
 libelf-fuzzer-all: libelf.a libelf-fuzzer.o
 
+afl-libelf-fuzzer: afl-libelf-fuzzer.o libelf-fuzzer.o $(ELF_LIB_OBJS)
+
 # Common targets
 .PHONY: all
 all: libelf-fuzzer-all
@@ -28,7 +30,10 @@ distclean: clean
 
 .PHONY: clean
 clean:
-	rm -f *.o *.a
+	rm -f *.o *.a *-libelf-fuzzer
 
 .PHONY: install
 install: all
+
+.PHONY: afl
+afl: afl-libelf-fuzzer
diff --git a/tools/fuzz/libelf/afl-libelf-fuzzer.c b/tools/fuzz/libelf/afl-libelf-fuzzer.c
new file mode 100644
index 0000000000..b5668c11e7
--- /dev/null
+++ b/tools/fuzz/libelf/afl-libelf-fuzzer.c
@@ -0,0 +1,57 @@
+#include <assert.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+extern int LLVMFuzzerTestOneInput(const uint8_t *data_p, size_t size);
+
+#define INPUT_SIZE  4096
+static uint8_t input[INPUT_SIZE];
+
+int main(int argc, char **argv)
+{
+    size_t size;
+    FILE *fp;
+
+    if ( argc != 2 )
+    {
+        printf("Expecting only one argument\n");
+        exit(-1);
+    }
+
+    fp = fopen(argv[1], "rb");
+    if ( fp == NULL )
+    {
+        perror("fopen");
+        exit(-1);
+    }
+
+    size = fread(input, 1, INPUT_SIZE, fp);
+
+    if ( ferror(fp) )
+    {
+        perror("fread");
+        exit(-1);
+    }
+
+    if ( !feof(fp) )
+    {
+        printf("Input too large\n");
+        exit(-1);
+    }
+
+    fclose(fp);
+
+    LLVMFuzzerTestOneInput(input, size);
+
+    return 0;
+}
+
+/*
+ * Local variables:
+ * mode: C
+ * c-file-style: "BSD"
+ * c-basic-offset: 4
+ * indent-tabs-mode: nil
+ * End:
+ */
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

[PATCH v2 4/4] tools/fuzz: add README.afl

[Wei Liu]

And rename README to README.oss-fuzz.

Signed-off-by: Wei Liu <wei.liu2@citrix.com>
---
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
---
 tools/fuzz/README.afl                  | 27 +++++++++++++++++++++++++++
 tools/fuzz/{README => README.oss-fuzz} |  0
 2 files changed, 27 insertions(+)
 create mode 100644 tools/fuzz/README.afl
 rename tools/fuzz/{README => README.oss-fuzz} (100%)

diff --git a/tools/fuzz/README.afl b/tools/fuzz/README.afl
new file mode 100644
index 0000000000..7214b61dc4
--- /dev/null
+++ b/tools/fuzz/README.afl
@@ -0,0 +1,27 @@
+# OVERVIEW
+
+Some fuzzing targets have American Fuzzy Lop (AFL) support.
+
+See also http://lcamtuf.coredump.cx/afl/
+
+# HOW IT WORKS
+
+AFL provides a customised toolchain to build an executable, which in
+turn is launched by the fuzzer.
+
+# HOW TO USE IT
+
+Use the x86 instruction emulator fuzzer as an example.
+
+1. download and compile AFL in $AFLPATH.
+
+2. run the following commands to build:
+   $ cd tools/fuzz/x86_instruction_emulator
+   $ make distclean
+   $ make CC=$AFLPATH/afl-gcc afl # produces afl-x86-insn-emulator-fuzzer
+
+3. run the fuzzer with AFL:
+   $ $AFLPATH/afl-fuzz -m none -t 1000 -i testcase_dir -o findings_dir -- \
+     ./afl-x86-insn-emulator-fuzzer @@
+
+Please see AFL documentation for more information.
diff --git a/tools/fuzz/README b/tools/fuzz/README.oss-fuzz
similarity index 100%
rename from tools/fuzz/README
rename to tools/fuzz/README.oss-fuzz
-- 
2.11.0


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [PATCH v2 3/4] tools/fuzz: add AFL stub program for libefl fuzzer

[Ian Jackson]

Wei Liu writes ("[PATCH v2 3/4] tools/fuzz: add AFL stub program for libefl fuzzer"):
> And hook it up into build system.

Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel