fuzzer: Add a libFuzzer based fuzzer.

Use LLVM's libFuzzer to fuzz the virgl_renderer_submit_cmd API.

Signed-off-by: David Riley <davidriley@chromium.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
macos/master
David Riley 7 years ago committed by Dave Airlie
parent 5057fb9b05
commit 87b346a1a3
  1. 10
      configure.ac
  2. 2
      tests/Makefile.am
  3. 24
      tests/fuzzer/Makefile.am
  4. 193
      tests/fuzzer/virgl_fuzzer.c

@ -97,6 +97,13 @@ if test "x$build_tests" = "xyes"; then
AC_PATH_PROG(VALGRIND, [valgrind])
fi
AC_ARG_ENABLE(fuzzer,
AS_HELP_STRING([--enable-fuzzer], [Build fuzzer targets]),
[enable_fuzzer="$enableval"],
[enable_fuzzer=no]
)
AM_CONDITIONAL(FUZZER, [test "x$enable_fuzzer" = "xyes"])
AC_CHECK_FUNCS_ONCE([eventfd])
AC_CHECK_HEADERS_ONCE([sys/uio.h])
AM_CONDITIONAL(HAVE_VALGRIND, [test "x$VALGRIND" != "x"])
@ -136,7 +143,6 @@ AS_IF([test "x$with_glx" = "xyes"], [
])
AM_CONDITIONAL([WITH_GLX], [test "x$with_glx" = "xyes"])
AC_SUBST([DEFINES])
AC_CONFIG_FILES([
virglrenderer.pc
@ -145,6 +151,7 @@ AC_CONFIG_FILES([
src/gallium/auxiliary/Makefile
vtest/Makefile
tests/Makefile
tests/fuzzer/Makefile
])
AC_OUTPUT
@ -161,5 +168,6 @@ AC_MSG_NOTICE([
egl: $epoxy_has_egl
debug: $enable_debug
tests: $build_tests
fuzzer: $enable_fuzzer
])

@ -1,3 +1,5 @@
SUBDIRS = fuzzer
if BUILD_TESTS
AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/src/gallium/include $(CHECK_CFLAGS) -I$(top_srcdir)/src/gallium/auxiliary $(DEFINES)

@ -0,0 +1,24 @@
AM_CFLAGS = \
-I$(top_srcdir)/src/gallium/drivers/virgl \
-I$(top_srcdir)/src/gallium/include \
-I$(top_srcdir)/src/gallium/auxiliary \
-I$(top_srcdir)/src/gallium/drivers \
-I$(top_srcdir)/include \
-I$(top_srcdir)/src \
$(DEFINES) \
$(PIC_FLAGS) \
$(LIBDRM_CFLAGS) \
$(EPOXY_CFLAGS) \
$(VISIBILITY_CFLAGS) \
$(CODE_COVERAGE_CFLAGS) \
-fsanitize=address \
-fsanitize=fuzzer
if FUZZER
noinst_PROGRAMS = virgl_fuzzer
virgl_fuzzer_SOURCES = \
virgl_fuzzer.c
virgl_fuzzer_LDADD = $(top_builddir)/src/libvirglrenderer.la $(EPOXY_LIBS)
endif

@ -0,0 +1,193 @@
// Copyright 2018 The Chromium OS Authors. All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following disclaimer
// in the documentation and/or other materials provided with the
// distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived from
// this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// libfuzzer-based fuzzer for public APIs.
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <epoxy/egl.h>
#include "virglrenderer.h"
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
#ifndef CLEANUP_EACH_INPUT
// eglInitialize leaks unless eglTeriminate is called (which only happens
// with CLEANUP_EACH_INPUT), so suppress leak detection on everything
// allocated by it.
#if !defined(__has_feature)
#define __has_feature(x) 0
#endif
#if __has_feature(address_sanitizer)
const char* __lsan_default_suppressions(void);
const char* __lsan_default_suppressions() {
return "leak:eglInitialize\n";
}
#endif // __has_feature(address_sanitizer)
#endif // !CLEANUP_EACH_INPUT
struct fuzzer_cookie
{
EGLDisplay display;
EGLConfig egl_config;
EGLContext ctx;
};
static void fuzzer_write_fence(void *opaque, uint32_t fence)
{
}
static virgl_renderer_gl_context fuzzer_create_gl_context(
void *cookie, int scanout_idx, struct virgl_renderer_gl_ctx_param *param)
{
struct fuzzer_cookie *cookie_data = cookie;
EGLContext shared = param->shared ? eglGetCurrentContext() : NULL;
const EGLint context_attribs[] = { EGL_CONTEXT_CLIENT_VERSION, 3,
EGL_NONE };
EGLContext ctx = eglCreateContext(cookie_data->display,
cookie_data->egl_config,
shared,
context_attribs);
assert(ctx);
return ctx;
}
static void fuzzer_destroy_gl_context(void *cookie,
virgl_renderer_gl_context ctx)
{
struct fuzzer_cookie *cookie_data = cookie;
eglDestroyContext(cookie_data->display, ctx);
}
static int fuzzer_make_current(void *cookie, int scanout_idx, virgl_renderer_gl_context ctx)
{
return 0;
}
const int FUZZER_CTX_ID = 1;
const char *SWRAST_ENV = "LIBGL_ALWAYS_SOFTWARE";
static struct fuzzer_cookie cookie;
static struct virgl_renderer_callbacks fuzzer_cbs = {
.version = 1,
.write_fence = fuzzer_write_fence,
.create_gl_context = fuzzer_create_gl_context,
.destroy_gl_context = fuzzer_destroy_gl_context,
.make_current = fuzzer_make_current,
};
static bool initialized = false;
static int initialize_environment()
{
if (!initialized) {
// Force SW rendering unless env variable is already set.
setenv(SWRAST_ENV, "true", 0);
cookie.display = eglGetDisplay(EGL_DEFAULT_DISPLAY);
assert(cookie.display != EGL_NO_DISPLAY);
assert(eglInitialize(cookie.display, NULL, NULL));
const EGLint config_attribs[] = { EGL_SURFACE_TYPE, EGL_DONT_CARE,
EGL_NONE };
EGLint num_configs;
assert(eglChooseConfig(cookie.display, config_attribs,
&cookie.egl_config, 1, &num_configs));
assert(eglBindAPI(EGL_OPENGL_ES_API));
const EGLint context_attribs[] = { EGL_CONTEXT_CLIENT_VERSION, 3,
EGL_NONE };
cookie.ctx = eglCreateContext(cookie.display, cookie.egl_config,
EGL_NO_CONTEXT, context_attribs);
assert(cookie.ctx != EGL_NO_CONTEXT);
assert(eglMakeCurrent(cookie.display, EGL_NO_SURFACE, EGL_NO_SURFACE,
cookie.ctx));
initialized = true;
}
return FUZZER_CTX_ID;
}
#ifdef CLEANUP_EACH_INPUT
static void cleanup_environment()
{
if (cookie.ctx != EGL_NO_CONTEXT) {
eglMakeCurrent(cookie.display, NULL, NULL, NULL);
eglDestroyContext(cookie.display, cookie.ctx);
}
if (cookie.display != EGL_NO_DISPLAY) {
eglTerminate(cookie.display);
}
initialized = false;
}
#endif
int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
{
uint32_t ctx_id = initialize_environment();
// There are trade-offs here between ensuring that state is not persisted
// between invocations of virgl_renderer_submit_cmd, and to avoid leaking
// resources that comes with repeated dlopen()/dlclose()ing the mesa
// driver with each eglInitialize()/eglTerminate() if CLEANUP_EACH_INPUT
// is set.
assert(!virgl_renderer_init(&cookie, 0, &fuzzer_cbs));
const char *name = "fuzzctx";
assert(!virgl_renderer_context_create(ctx_id, strlen(name), name));
virgl_renderer_submit_cmd((void *) data, ctx_id, size / sizeof(uint32_t));
virgl_renderer_context_destroy(ctx_id);
virgl_renderer_cleanup(&cookie);
#ifdef CLEANUP_EACH_INPUT
// The following cleans up between each input which is a lot slower.
cleanup_environment();
#endif
return 0;
}
Loading…
Cancel
Save