imageloader: support fuzzing
Issue description
Nov 5
Nov 8
Hey, I'm trying to run 'cros_fuzz' in the chroot, but it doesn't seem to be installed?
(cr) ((c924c2c...)) xiaochu@xiaochu0 ~/trunk/src/scripts $ cros_fuzz
-bash: cros_fuzz: command not found
Nov 8
Nov 8
Is your chromite directory synced?
Nov 8
Does 'repo sync' sync chromite?
Nov 8
Very weird. What happens when you run `/mnt/host/source/chromite/bin/cros_fuzz`?
Nov 8
Nov 8
Or `~/trunk/chromite/bin/cros_fuzz`?
Nov 8
~/trunk/chromite/bin/cros_fuzz doesn't exist on my local tree. Let me 'repo sync' again.
Nov 8
Could your chromite checkout be on a branch and not syncing for that reason? (I think this happened to me once.)
Nov 8
Thanks! chromite appears after 'repo sync'.
Nov 9
When I add LOG(INFO) in my fuzzer, it gives me the following error (removing it works fine):
=================================================================
==205148==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x55c916b5b010 in thread T0
#0 0x55c914835042 in operator delete(void*) /var/tmp/portage/sys-devel/llvm-8.0_pre339409_p20180926-r4/work/llvm-8.0_pre339409_p20180926/projects/compiler-rt/lib/asan/asan_new_delete.cc:167:3
#1 0x7f4bebe02873 in std::__1::__libcpp_deallocate(void*, unsigned long) /usr/bin/../include/c++/v1/new:279:10
#2 0x7f4bebe02873 in std::__1::allocator<char>::deallocate(char*, unsigned long) /usr/bin/../include/c++/v1/memory:1802
#3 0x7f4bebe02873 in std::__1::allocator_traits<std::__1::allocator<char> >::deallocate(std::__1::allocator<char>&, char*, unsigned long) /usr/bin/../include/c++/v1/memory:1556
#4 0x7f4bebe02873 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::~basic_string() /usr/bin/../include/c++/v1/string:1966
#5 0x7f4bebe02873 in logging::LogMessage::Init(char const*, int) /build/kefka/tmp/portage/chromeos-base/libchrome-395517-r45/work/libchrome-395517/base/logging.cc:806
Address 0x55c916b5b010 is a wild pointer.
SUMMARY: AddressSanitizer: bad-free /var/tmp/portage/sys-devel/llvm-8.0_pre339409_p20180926-r4/work/llvm-8.0_pre339409_p20180926/projects/compiler-rt/lib/asan/asan_new_delete.cc:167:3 in operator delete(void*)
==205148==ABORTING
MS: 0 ; base unit: 0000000000000000000000000000000000000000
artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
Nov 9
How are you building your fuzzer? From the error it looks like libchrome may not be built correctly. Can you try building with:
USE="asan fuzzer" ./build_packages --board=$BOARD --skip_chroot_upgrade <pkg>
Nov 9
Thanks! After building with:
USE="asan fuzzer dlc" ./build_packages --board=kefka
I get the following errors:
puffin-1.0.0-r425: [23/25] LINK puffin_fuzzer
puffin-1.0.0-r425: FAILED: puffin_fuzzer
puffin-1.0.0-r425: x86_64-pc-linux-gnu-clang++ -Wl,-O2 -Wl,--as-needed -Wl,-O2 -Wl,--as-needed -fsanitize=address -fsanitize=alignment -fsanitize=shift -Wl,-z,relro -Wl,-z,noexecstack -Wl,-z,now -Wl,--as-needed -pie -fsanitize=address -fsanitize=fuzzer -pthread -o puffin_fuzzer -Wl,--start-group obj/puffin/src/puffin_fuzzer.fuzzer.o libpuffdiff.a libpuffpatch.a -Wl,--end-group -lbase-395517 -lbrillo-395517 -lprotobuf-lite -lpthread -lbsdiff -lbz2 -lbrotlienc -ldivsufsort -ldivsufsort64 -lbspatch -lbrotlidec
puffin-1.0.0-r425: /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.x/../../../../lib64/libbspatch.a(libbspatch.bz2_decompressor.o): In function `~BZ2Decompressor':
puffin-1.0.0-r425: /var/cache/portage/dev-util/bsdiff/out/Default/../../../../../../tmp/portage/dev-util/bsdiff-4.3.1-r19/work/bsdiff-4.3.1/platform2/bsdiff/bz2_decompressor.cc:19: undefined reference to `BZ2_bzDecompressEnd'
puffin-1.0.0-r425: /var/cache/portage/dev-util/bsdiff/out/Default/../../../../../../tmp/portage/dev-util/bsdiff-4.3.1-r19/work/bsdiff-4.3.1/platform2/bsdiff/bz2_decompressor.cc:19: undefined reference to `BZ2_bzDecompressEnd'
puffin-1.0.0-r425: /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.x/../../../../lib64/libbspatch.a(libbspatch.bz2_decompressor.o): In function `bsdiff::BZ2Decompressor::SetInputData(unsigned char const*, unsigned long)':
puffin-1.0.0-r425: /var/cache/portage/dev-util/bsdiff/out/Default/../../../../../../tmp/portage/dev-util/bsdiff-4.3.1-r19/work/bsdiff-4.3.1/platform2/bsdiff/bz2_decompressor.cc:34: undefined reference to `BZ2_bzDecompressInit'
puffin-1.0.0-r425: /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.x/../../../../lib64/libbspatch.a(libbspatch.bz2_decompressor.o): In function `bsdiff::BZ2Decompressor::Read(unsigned char*, unsigned long)':
puffin-1.0.0-r425: /var/cache/portage/dev-util/bsdiff/out/Default/../../../../../../tmp/portage/dev-util/bsdiff-4.3.1-r19/work/bsdiff-4.3.1/platform2/bsdiff/bz2_decompressor.cc:55: undefined reference to `BZ2_bzDecompress'
puffin-1.0.0-r425: /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.x/../../../../lib64/libbspatch.a(libbspatch.bz2_decompressor.o): In function `bsdiff::BZ2Decompressor::Close()':
puffin-1.0.0-r425: /var/cache/portage/dev-util/bsdiff/out/Default/../../../../../../tmp/portage/dev-util/bsdiff-4.3.1-r19/work/bsdiff-4.3.1/platform2/bsdiff/bz2_decompressor.cc:77: undefined reference to `BZ2_bzDecompressEnd'
puffin-1.0.0-r425: clang-8: error: linker command failed with exit code 1 (use -v to see invocation)
puffin-1.0.0-r425:
puffin-1.0.0-r425: [24/25] LINK puffin
Nov 9
I think this is because you skipped the part "--skip_chroot_upgrade <pkg>" when calling build_packages. Without --skip_chroot_upgrade, portage will even try to build host packages with the sanitizer flags, which is not desired at all. Similarly, please do pass the <pkg> field. We do not want to build chrome and other packages not needed for fuzzing. To restore sanity, I think you should now run:
$ ./update_chroot   (to fix host packages that got built with bad use flags)
$ USE="asan fuzzer" ./build_packages --board=$BOARD --skip_chroot_upgrade <pkg>
Nov 9
That's very helpful! It works.
Nov 12
Nov 14
Nov 14
Nov 15
We just moved some manifest parser code to imageloader from libbrillo (https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1332387). Does it make sense to fuzz the parser itself (specifically the ParseManifest function)?
Nov 15
Generally any type of parsing is a good fuzzing candidate. Please add a fuzzer if it is not too hard.
Nov 15
Imageloader internally uses a server/client model. The parser is used in the server process, while the parser that we'll land is the client process (https://chromium-review.googlesource.com/c/chromiumos/platform2/+/1327663). So it seems fine to fuzz the parser, which is a self-contained module. Fuzzing the server process entirely seems difficult, since we need to mock the I/O and other relevant modules...
Nov 15
(correction for the deleted comment) If it doesn't already get good coverage through the imageloader fuzzer, you might need to add it, but otherwise Manoj is right.
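To make concrete what a self-contained parser target like the ParseManifest fuzzer discussed above looks like, here is an added example that is not imageloader's own code: a libFuzzer-style entry point wrapped around a hypothetical line-oriented stand-in for ParseManifest. The fuzz_demo namespace, the Manifest struct and the "key=value" field names are constructed for this example and are not the real manifest format.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

namespace fuzz_demo {
// Parsed manifest (constructed for this example; not imageloader's struct).
struct Manifest {
  int manifest_version = 0;
  std::string image_hash;
};

// Hypothetical line-oriented "key=value" stand-in for ParseManifest.
// Returns false on malformed input, never reads outside |raw| and never
// throws: that is the contract a fuzz target needs from its parser.
bool ParseManifest(const std::string& raw, Manifest* out) {
  Manifest m;
  for (size_t pos = 0; pos < raw.size();) {
    size_t eol = raw.find('\n', pos);
    if (eol == std::string::npos) eol = raw.size();
    std::string line = raw.substr(pos, eol - pos);
    pos = eol + 1;
    if (line.empty()) continue;
    size_t eq = line.find('=');
    if (eq == std::string::npos || eq == 0) return false;
    std::string key = line.substr(0, eq), value = line.substr(eq + 1);
    if (key == "manifest-version") {
      // Only short, all-digit values reach std::stoi, so it cannot throw.
      if (value.empty() || value.size() > 9 ||
          value.find_first_not_of("0123456789") != std::string::npos)
        return false;
      m.manifest_version = std::stoi(value);
    } else if (key == "image-sha256-hash") {
      if (value.size() != 64) return false;  // hex SHA-256 digest length
      m.image_hash = value;
    }  // unknown keys are ignored, not rejected
  }
  if (m.manifest_version <= 0 || m.image_hash.empty()) return false;
  *out = m;
  return true;
}
}  // namespace fuzz_demo

// libFuzzer entry point: the engine hands us an arbitrary buffer that is not
// NUL-terminated, so we copy exactly |size| bytes into a std::string before
// calling the parser, the same way a ParseManifest target would.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  fuzz_demo::Manifest m;
  fuzz_demo::ParseManifest(std::string(reinterpret_cast<const char*>(data), size), &m);
  return 0;  // libFuzzer ignores the return value; crashes are the signal
}
```

Built with -fsanitize=fuzzer,address as in the build_packages invocation above, the same entry point also reproduces a saved crash input when the binary is run with the artifact path as its argument.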
Nov 16
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/6164728ad80404da4d481bef38b1cf27d2e6e294

commit 6164728ad80404da4d481bef38b1cf27d2e6e294
Author: Xiaochu Liu <xiaochu@chromium.org>
Date: Fri Nov 16 02:49:22 2018

imageloader: add a fuzzer target

We add a fuzzer target 'run_fuzzers'. Inside the target we add a fuzzing test helper_process_receiver_fuzzer.

BUG=chromium:901893
TEST=cros_fuzz --board=kefka shell

Change-Id: I7e9b42e4e81647174d539faddaf8c9c480c0a97d
Reviewed-on: https://chromium-review.googlesource.com/1327663
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Xiaochu Liu <xiaochu@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>

[modify] https://crrev.com/6164728ad80404da4d481bef38b1cf27d2e6e294/imageloader/imageloader.gyp
[modify] https://crrev.com/6164728ad80404da4d481bef38b1cf27d2e6e294/imageloader/helper_process_receiver.h
[add] https://crrev.com/6164728ad80404da4d481bef38b1cf27d2e6e294/imageloader/helper_process_receiver_fuzzer.cc
Nov 16
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/d59216789beb2586adecd0bdc7da94f6143e4ec2

commit d59216789beb2586adecd0bdc7da94f6143e4ec2
Author: Xiaochu Liu <xiaochu@chromium.org>
Date: Fri Nov 16 02:49:22 2018

imageloader: support fuzzing target

Install the fuzz target.

BUG=chromium:901893
TEST=USE="asan fuzzer" emerge-kefka imageloader
CQ-DEPEND=CL:1327663

Change-Id: I5148ee6af320fc79c127db4b9021db7fb9994bb2
Reviewed-on: https://chromium-review.googlesource.com/1327189
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Xiaochu Liu <xiaochu@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>

[modify] https://crrev.com/d59216789beb2586adecd0bdc7da94f6143e4ec2/chromeos-base/imageloader/imageloader-9999.ebuild
Nov 16
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/b7cd6fb61a82436f46f8cc7c86348b5a8a7406a3

commit b7cd6fb61a82436f46f8cc7c86348b5a8a7406a3
Author: Xiaochu Liu <xiaochu@chromium.org>
Date: Fri Nov 16 13:01:55 2018

chromium-os-fuzzers: add imageloader

Add imageloader as dependency to chromium-os-fuzzers.

BUG=chromium:901893
TEST=None
CQ-DEPEND=CL:1327189

Change-Id: Iff1915fbdf256ba29449ab8d5dc97c4fbc9b220c
Reviewed-on: https://chromium-review.googlesource.com/1327192
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Xiaochu Liu <xiaochu@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/b7cd6fb61a82436f46f8cc7c86348b5a8a7406a3/virtual/chromium-os-fuzzers/chromium-os-fuzzers-1.ebuild
[rename] https://crrev.com/b7cd6fb61a82436f46f8cc7c86348b5a8a7406a3/virtual/chromium-os-fuzzers/chromium-os-fuzzers-1-r13.ebuild
Nov 21
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/e6bdc02b0fb28f75832c012bcadd6c826c0c6a43

commit e6bdc02b0fb28f75832c012bcadd6c826c0c6a43
Author: Xiaochu Liu <xiaochu@chromium.org>
Date: Wed Nov 21 09:25:31 2018

imageloader: add target imageloader_manifest_fuzzer

This target feeds a random string into the ParseManifest public function.

BUG=chromium:901893
TEST=cros_fuzz

Change-Id: I7d7c81808f1aa7fc8b9e97f8ba4d86fca1e9b642
Reviewed-on: https://chromium-review.googlesource.com/1340420
Commit-Ready: Xiaochu Liu <xiaochu@chromium.org>
Tested-by: Xiaochu Liu <xiaochu@chromium.org>
Reviewed-by: Xiaochu Liu <xiaochu@chromium.org>

[modify] https://crrev.com/e6bdc02b0fb28f75832c012bcadd6c826c0c6a43/imageloader/imageloader.gyp
[add] https://crrev.com/e6bdc02b0fb28f75832c012bcadd6c826c0c6a43/imageloader/fuzz/manifest.dict
[add] https://crrev.com/e6bdc02b0fb28f75832c012bcadd6c826c0c6a43/imageloader/manifest_fuzzer.cc
Nov 21
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/2e758c4c0ef19b457dd8fe78809e0f27b6fee088

commit 2e758c4c0ef19b457dd8fe78809e0f27b6fee088
Author: Xiaochu Liu <xiaochu@chromium.org>
Date: Wed Nov 21 13:52:55 2018

imageloader: add imageloader_manifest_fuzzer target

Install the new target with a dedicated dictionary.

BUG=chromium:901893
TEST=USE="asan fuzzer" emerge-kefka imageloader
CQ-DEPEND=CL:1340420

Change-Id: I280e7210955669951ea8187c6e6e8104b72bf7c8
Reviewed-on: https://chromium-review.googlesource.com/1340759
Commit-Ready: Xiaochu Liu <xiaochu@chromium.org>
Tested-by: Xiaochu Liu <xiaochu@chromium.org>
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/2e758c4c0ef19b457dd8fe78809e0f27b6fee088/chromeos-base/imageloader/imageloader-9999.ebuild