
This series sets up a basic fuzzing infrastructure that works with sandbox. The example fuzz test towards the end of the series will find something pretty quickly. That something is fixed by the series "virtio: Harden and test vring" that needs to be applied for the final patch in this series.
There is some refactoring to stop using '.'-prefixed sections, which ELF defines as being for system use and which clang's ASAN instrumentation happily adds redzones between; that's not what we want for things like linker lists, where the linker script has carefully placed the sections contiguously.
It may require patches from the "Fix misc ASAN reports" series to be applied, as I've already dealt with the first set of ASAN reports from running the tests.
From v1:
 - corrected handling of EFI symbols by sandbox linker script
 - per comments, some renaming and explaining
 - dropped RFC for dlmalloc ASAN instrumentation (work required to improve it)
 - added patch to reduce logging noise in fuzzer
Andrew Scull (12):
  sandbox: Fix EFI runtime symbol placement
  sandbox: Rename EFI runtime sections
  sandbox: Migrate getopt section to linker list
  linker_lists: Rename sections to remove . prefix
  sandbox: Add support for Address Sanitizer
  fuzzing_engine: Add fuzzing engine uclass
  test: fuzz: Add framework for fuzzing
  sandbox: Decouple program entry from sandbox init
  sandbox: Add libfuzzer integration
  sandbox: Implement fuzzing engine driver
  fuzz: virtio: Add fuzzer for vring
  virtio_ring: Reduce logging noise
 Kconfig                                      | 16 +++
 arch/Kconfig                                 |  2 +
 arch/arc/cpu/u-boot.lds                      |  4 +-
 arch/arm/config.mk                           |  4 +-
 arch/arm/cpu/arm926ejs/sunxi/u-boot-spl.lds  |  4 +-
 arch/arm/cpu/armv7/sunxi/u-boot-spl.lds      |  4 +-
 arch/arm/cpu/armv8/u-boot-spl.lds            |  4 +-
 arch/arm/cpu/armv8/u-boot.lds                |  4 +-
 arch/arm/cpu/u-boot-spl.lds                  |  4 +-
 arch/arm/cpu/u-boot.lds                      |  6 +-
 arch/arm/mach-at91/arm926ejs/u-boot-spl.lds  |  2 +-
 arch/arm/mach-at91/armv7/u-boot-spl.lds      |  2 +-
 arch/arm/mach-omap2/u-boot-spl.lds           |  4 +-
 arch/arm/mach-orion5x/u-boot-spl.lds         |  4 +-
 arch/arm/mach-rockchip/u-boot-tpl-v8.lds     |  4 +-
 arch/arm/mach-zynq/u-boot-spl.lds            |  4 +-
 arch/arm/mach-zynq/u-boot.lds                |  4 +-
 arch/m68k/cpu/u-boot.lds                     |  4 +-
 arch/microblaze/cpu/u-boot-spl.lds           |  4 +-
 arch/microblaze/cpu/u-boot.lds               |  4 +-
 arch/mips/config.mk                          |  2 +-
 arch/mips/cpu/u-boot-spl.lds                 |  4 +-
 arch/mips/cpu/u-boot.lds                     |  4 +-
 arch/nds32/cpu/n1213/u-boot.lds              |  4 +-
 arch/nios2/cpu/u-boot.lds                    |  4 +-
 arch/powerpc/cpu/mpc83xx/u-boot.lds          |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot-nand.lds     |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot-nand_spl.lds |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot-spl.lds      |  4 +-
 arch/powerpc/cpu/mpc85xx/u-boot.lds          |  4 +-
 arch/riscv/cpu/u-boot-spl.lds                |  4 +-
 arch/riscv/cpu/u-boot.lds                    |  4 +-
 arch/sandbox/config.mk                       | 15 ++-
 arch/sandbox/cpu/os.c                        | 97 ++++++++++++++++--
 arch/sandbox/cpu/start.c                     | 12 +--
 arch/sandbox/cpu/u-boot-spl.lds              | 10 +-
 arch/sandbox/cpu/u-boot.lds                  | 41 ++++----
 arch/sandbox/dts/test.dts                    |  4 +
 arch/sandbox/include/asm/fuzzing_engine.h    | 25 +++++
 arch/sandbox/include/asm/getopt.h            | 19 ++--
 arch/sandbox/include/asm/main.h              | 18 ++++
 arch/sandbox/include/asm/sections.h          | 25 -----
 arch/sandbox/lib/sections.c                  |  8 +-
 arch/sh/cpu/u-boot.lds                       |  4 +-
 arch/x86/cpu/u-boot-64.lds                   |  6 +-
 arch/x86/cpu/u-boot-spl.lds                  |  6 +-
 arch/x86/cpu/u-boot.lds                      |  6 +-
 arch/x86/lib/elf_ia32_efi.lds                |  4 +-
 arch/x86/lib/elf_x86_64_efi.lds              |  4 +-
 arch/xtensa/cpu/u-boot.lds                   |  2 +-
 arch/xtensa/include/asm/ldscript.h           |  4 +-
 board/compulab/cm_t335/u-boot.lds            |  4 +-
 board/cssi/MCR3000/u-boot.lds                |  4 +-
 .../davinci/da8xxevm/u-boot-spl-da850evm.lds |  2 +-
 board/qualcomm/dragonboard820c/u-boot.lds    |  4 +-
 board/samsung/common/exynos-uboot-spl.lds    |  4 +-
 board/synopsys/iot_devkit/u-boot.lds         |  4 +-
 board/ti/am335x/u-boot.lds                   |  4 +-
 board/vscom/baltos/u-boot.lds                |  4 +-
 configs/sandbox_defconfig                    |  1 +
 doc/api/linker_lists.rst                     | 22 ++---
 doc/develop/commands.rst                     |  4 +-
 doc/develop/driver-model/of-plat.rst         |  4 +-
 drivers/Kconfig                              |  2 +
 drivers/Makefile                             |  1 +
 drivers/fuzz/Kconfig                         | 17 ++++
 drivers/fuzz/Makefile                        |  8 ++
 drivers/fuzz/fuzzing_engine-uclass.c         | 28 ++++++
 drivers/fuzz/sandbox_fuzzing_engine.c        | 35 +++++++
 drivers/virtio/virtio_ring.c                 |  4 +-
 include/dm/uclass-id.h                       |  1 +
 include/fuzzing_engine.h                     | 51 ++++++++++
 include/linker_lists.h                       | 18 ++--
 include/test/fuzz.h                          | 51 ++++++++++
 test/Makefile                                |  1 +
 test/fuzz/Makefile                           |  8 ++
 test/fuzz/cmd_fuzz.c                         | 82 ++++++++++++++++
 test/fuzz/virtio.c                           | 72 ++++++++++++++
 78 files changed, 680 insertions(+), 204 deletions(-)
 create mode 100644 arch/sandbox/include/asm/fuzzing_engine.h
 create mode 100644 arch/sandbox/include/asm/main.h
 create mode 100644 drivers/fuzz/Kconfig
 create mode 100644 drivers/fuzz/Makefile
 create mode 100644 drivers/fuzz/fuzzing_engine-uclass.c
 create mode 100644 drivers/fuzz/sandbox_fuzzing_engine.c
 create mode 100644 include/fuzzing_engine.h
 create mode 100644 include/test/fuzz.h
 create mode 100644 test/fuzz/Makefile
 create mode 100644 test/fuzz/cmd_fuzz.c
 create mode 100644 test/fuzz/virtio.c
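To illustrate the linker-list point in the cover letter (why the section rename matters), here is an added stand-alone C example that is not part of this series or of U-Boot: entries are placed in a section whose name is a valid C identifier (no leading '.'), so GNU ld and lld synthesise __start_/__stop_ bounds for it and the list can be walked as a contiguous array. The section name "demo_list" and the demo_* names are made up for the example; it assumes a Linux/ELF toolchain.

```c
/* Linker-list demo: a section named with a C identifier ("demo_list",
 * no leading '.') gets __start_demo_list/__stop_demo_list from the linker.
 * Per the cover letter, clang's ASAN redzones globals in '.'-prefixed
 * sections, which would break contiguous iteration; a plain C-identifier
 * section name is what U-Boot's renamed linker lists rely on.
 * "demo_list" and demo_* are made-up names for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct demo_entry {
    const char *name;
    int value;
};

/* Place one entry in the list section; 'used' keeps it despite no reference. */
#define DEMO_ENTRY(_id, _name, _value)                                     \
    static struct demo_entry _id                                           \
    __attribute__((used, section("demo_list"),                             \
                   aligned(__alignof__(struct demo_entry)))) = { _name, _value }

DEMO_ENTRY(demo_one, "one", 1);
DEMO_ENTRY(demo_two, "two", 2);
DEMO_ENTRY(demo_three, "three", 3);

/* Bounds synthesised by the linker for C-identifier section names. */
extern struct demo_entry __start_demo_list[];
extern struct demo_entry __stop_demo_list[];

size_t demo_count(void)
{
    return (size_t)(__stop_demo_list - __start_demo_list);
}

int demo_sum(void)
{
    int sum = 0;
    for (struct demo_entry *e = __start_demo_list; e < __stop_demo_list; e++)
        sum += e->value;
    return sum;
}

/* Entry order within the section is not guaranteed, so look up by name. */
int demo_find(const char *name)
{
    for (struct demo_entry *e = __start_demo_list; e < __stop_demo_list; e++)
        if (strcmp(e->name, name) == 0)
            return e->value;
    return -1;
}

int main(void)
{
    printf("%zu entries, sum %d\n", demo_count(), demo_sum());
    return 0;
}
```

Building the same file with -fsanitize=address still walks all three entries because the section name is a C identifier; renaming it to ".demo_list" is the configuration the cover letter warns about.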