Eric Blake
2022-Oct-06 21:34 UTC
[Libguestfs] [libnbd PATCH] RFC: fuzzing: Break up handshake into more steps
Give the fuzzer a few more points to experiment with added branching
by explicitly using opt mode.
---

I'm not quite sure whether the fuzzer is able to synthesize specific
API calls from the client side; but if it can, letting the client
specifically enter the NEGOTIATING state may allow the fuzzer to spot
other nbd_opt_* API call chains that could provoke odd interactions,
which would be completely missed when sticking with the default of
skipping opt mode.

 fuzzing/libnbd-fuzz-wrapper.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fuzzing/libnbd-fuzz-wrapper.c b/fuzzing/libnbd-fuzz-wrapper.c index 7e390558..e7cf7fe9 100644 --- a/fuzzing/libnbd-fuzz-wrapper.c +++ b/fuzzing/libnbd-fuzz-wrapper.c @@ -200,7 +200,10 @@ client (int sock) nbd_add_meta_context (nbd, LIBNBD_CONTEXT_BASE_ALLOCATION); /* This tests the handshake phase. */ + nbd_set_opt_mode (nbd, true); nbd_connect_socket (nbd, sock); + nbd_opt_info (nbd); + nbd_opt_go (nbd); length = nbd_get_size (nbd); -- 2.37.3
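Review bot: the comment `/* This tests the handshake phase. */` now sits directly above `nbd_set_opt_mode (nbd, true);` but no longer describes the flow it introduces: with opt mode enabled, `nbd_connect_socket (nbd, sock);` stops in the negotiating state, and the handshake is only finished by the explicit `nbd_opt_info (nbd);` and `nbd_opt_go (nbd);` calls. Consider extending the comment to say that the handshake is deliberately split into connect, info and go so the fuzzer sees each transition, and that, as with `nbd_connect_socket` already in this hunk, the return values are intentionally ignored, so a failed connect or a failed `nbd_opt_info` is expected to make the following calls fail with a state error rather than indicating a wrapper bug.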
Richard W.M. Jones
2022-Oct-07 09:22 UTC
[Libguestfs] [libnbd PATCH] RFC: fuzzing: Break up handshake into more steps
On Thu, Oct 06, 2022 at 04:34:52PM -0500, Eric Blake wrote:
> Give the fuzzer a few more points to experiment with added branching
> by explicitly using opt mode.
> ---
>
> I'm not quite sure whether the fuzzer is able to synthesize specific
> API calls from the client side; but if it can, letting the client
> specifically enter the NEGOTIATING state may allow the fuzzer to spot
> other nbd_opt_* API call chains that could provoke odd interactions,
> which would be completely missed when sticking with the default of
> skipping opt mode.

It's essentially looking for new paths through the code. If the change
allows new libnbd paths to be explored then it will be beneficial to
fuzzing, if not then it'll make no difference.

I have no objection to trying the patch anyway, so ACK.

Rich.

> fuzzing/libnbd-fuzz-wrapper.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fuzzing/libnbd-fuzz-wrapper.c b/fuzzing/libnbd-fuzz-wrapper.c > index 7e390558..e7cf7fe9 100644 > --- a/fuzzing/libnbd-fuzz-wrapper.c > +++ b/fuzzing/libnbd-fuzz-wrapper.c > @@ -200,7 +200,10 @@ client (int sock) > nbd_add_meta_context (nbd, LIBNBD_CONTEXT_BASE_ALLOCATION); > > /* This tests the handshake phase. */ > + nbd_set_opt_mode (nbd, true); > nbd_connect_socket (nbd, sock); > + nbd_opt_info (nbd); > + nbd_opt_go (nbd); > > length = nbd_get_size (nbd); > > -- > 2.37.3

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
Laszlo Ersek
2022-Oct-07 10:16 UTC
[Libguestfs] [libnbd PATCH] RFC: fuzzing: Break up handshake into more steps
On 10/06/22 23:34, Eric Blake wrote:
> Give the fuzzer a few more points to experiment with added branching
> by explicitly using opt mode.
> ---
>
> I'm not quite sure whether the fuzzer is able to synthesize specific
> API calls from the client side; but if it can, letting the client
> specifically enter the NEGOTIATING state may allow the fuzzer to spot
> other nbd_opt_* API call chains that could provoke odd interactions,
> which would be completely missed when sticking with the default of
> skipping opt mode.
>
> fuzzing/libnbd-fuzz-wrapper.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fuzzing/libnbd-fuzz-wrapper.c b/fuzzing/libnbd-fuzz-wrapper.c > index 7e390558..e7cf7fe9 100644 > --- a/fuzzing/libnbd-fuzz-wrapper.c > +++ b/fuzzing/libnbd-fuzz-wrapper.c > @@ -200,7 +200,10 @@ client (int sock) > nbd_add_meta_context (nbd, LIBNBD_CONTEXT_BASE_ALLOCATION); > > /* This tests the handshake phase. */ > + nbd_set_opt_mode (nbd, true); > nbd_connect_socket (nbd, sock); > + nbd_opt_info (nbd); > + nbd_opt_go (nbd); > > length = nbd_get_size (nbd); >

Based on my memories of the previous discussion:

Reviewed-by: Laszlo Ersek <lersek at redhat.com>

(Famous last words!)
Richard W.M. Jones
2022-Oct-09 15:35 UTC
[Libguestfs] [libnbd PATCH] RFC: fuzzing: Break up handshake into more steps
FYI I restarted the fuzzing at commit c5a4042640 which includes this patch.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v