Libguestfs - Nov 2019 - [PATCH nbdkit 0/2] Implement fuzzing using Clang's libFuzzer.

libFuzzer is Clang's fuzzer, and alternative to using AFL:

  https://llvm.org/docs/LibFuzzer.html

I implemented an alternative method of fuzzing for libnbd earlier
today and it's pretty simple:

 
https://github.com/libguestfs/libnbd/commit/c19a6fbae9a21a7d4693418706c59e81ed256875

However it's considerably more difficult to use libFuzzer with
non-library code -- in this case nbdkit.

I think the first patch in this series has some merit on its own.  The
second patch does a lot of pretty ugly stuff to turn nbdkit into a
long-running process as required by libFuzzer.

It does kind of work, although it leaks a few MB of memory for each
minute that you run the fuzzer which is less than ideal.

Rich.

This option discards error messages.
---
 docs/nbdkit-service.pod | 5 +++--
 docs/nbdkit.pod         | 7 +++++--
 server/internal.h       | 1 +
 server/log.c            | 3 +++
 server/main.c           | 5 ++++-
 5 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/docs/nbdkit-service.pod b/docs/nbdkit-service.pod
index e743628..145a652 100644
--- a/docs/nbdkit-service.pod
+++ b/docs/nbdkit-service.pod
@@ -52,8 +52,9 @@
L<http://0pointer.de/blog/projects/socket-activation.html>
 
 =head1 LOGGING
 
-Error messages from nbdkit can be sent to either standard error
-(I<--log=stderr>) or to the system log (I<--log=syslog>).
+Error messages from nbdkit can be sent to standard error
+(I<--log=stderr>), or to the system log (I<--log=syslog>), or can
be
+discarded completely (I<--log=null>, not recommended for normal use).
 
 The default, if I<--log> is not specified on the command line, is to
 send error messages to stderr, unless nbdkit forks into the background
diff --git a/docs/nbdkit.pod b/docs/nbdkit.pod
index 094cfca..f262fa0 100644
--- a/docs/nbdkit.pod
+++ b/docs/nbdkit.pod
@@ -250,8 +250,11 @@ interfaces.  See also I<-p>.
 
 =item B<--log=syslog>
 
-Send error messages to either standard error (I<--log=stderr>) or to
-the system log (I<--log=syslog>).
+=item B<--log=null>
+
+Send error messages to standard error (I<--log=stderr>), or to the
+system log (I<--log=syslog>), or discard them completely
+(I<--log=null>, not recommended for normal use).
 
 The default is to send error messages to stderr, unless nbdkit
 forks into the background in which case they are sent to syslog.
diff --git a/server/internal.h b/server/internal.h
index 5e11e1a..eb46d9e 100644
--- a/server/internal.h
+++ b/server/internal.h
@@ -84,6 +84,7 @@ enum log_to {
                             case log to syslog */
   LOG_TO_STDERR,         /* --log=stderr forced on the command line */
   LOG_TO_SYSLOG,         /* --log=syslog forced on the command line */
+  LOG_TO_NULL,           /* --log=null forced on the command line */
 };
 
 extern struct debug_flag *debug_flags;
diff --git a/server/log.c b/server/log.c
index d909b8f..a801aa2 100644
--- a/server/log.c
+++ b/server/log.c
@@ -59,6 +59,9 @@ nbdkit_verror (const char *fs, va_list args)
   case LOG_TO_STDERR:
     log_stderr_verror (fs, args);
     break;
+  case LOG_TO_NULL:
+    /* nothing */
+    break;
   }
 }
 
diff --git a/server/main.c b/server/main.c
index 115fa98..3e2ac2f 100644
--- a/server/main.c
+++ b/server/main.c
@@ -274,8 +274,11 @@ main (int argc, char *argv[])
         log_to = LOG_TO_STDERR;
       else if (strcmp (optarg, "syslog") == 0)
         log_to = LOG_TO_SYSLOG;
+      else if (strcmp (optarg, "null") == 0)
+        log_to = LOG_TO_NULL;
       else {
-        fprintf (stderr, "%s: --log must be \"stderr\" or
\"syslog\"\n",
+        fprintf (stderr, "%s: "
+                 "--log must be \"stderr\", \"syslog\"
or \"null\"\n",
                  program_name);
         exit (EXIT_FAILURE);
       }
-- 
2.23.0

This works by building a special version of nbdkit as a kind of
library, linked against libFuzzer (note that libFuzzer provides the
main() function).  The test entry point forks a subprocess which feeds
input to nbdkit, working in a similar way to libnbd?s
fuzzing/libnbd-libfuzzer-test.c.
---
 .gitignore         |   1 +
 Makefile.am        |   9 +-
 TODO               |   3 +-
 configure.ac       |  12 +++
 fuzzing/README     |  43 +++++++++-
 server/Makefile.am |  13 +++
 server/fuzzer.c    | 208 +++++++++++++++++++++++++++++++++++++++++++++
 server/internal.h  |   5 +-
 server/main.c      |  31 +++++--
 9 files changed, 313 insertions(+), 12 deletions(-)

diff --git a/.gitignore b/.gitignore
index 22a20ef..b6cfd73 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,6 +51,7 @@ Makefile.in
 /docs/lang-plugin-links.pod
 /docs/plugin-links.pod
 /fuzzing/sync_dir/
+/fuzzing/testcase_dir/[0-f]*
 /html/*.html
 /include/nbdkit-version.h
 /INSTALL
diff --git a/Makefile.am b/Makefile.am
index 707751f..3daf9fb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -47,6 +47,7 @@ EXTRA_DIST = \
 
 CLEANFILES += html/*.html
 
+if !ENABLE_LIBFUZZER
 # NB: This is not the real nbdkit binary.  It's a wrapper that allows
 # you to run nbdkit from the build directory before it is installed.
 noinst_PROGRAMS = nbdkit
@@ -63,6 +64,7 @@ nbdkit_LDADD = \
 	$(top_builddir)/common/utils/libutils.la \
 	$(NULL)
 nbdkit_DEPENDENCIES = config.status
+endif !ENABLE_LIBFUZZER
 
 SUBDIRS = \
 	bash \
@@ -73,9 +75,14 @@ SUBDIRS = \
 	common/include \
 	common/protocol \
 	common/utils \
-	server \
 	$(NULL)
 
+if ENABLE_LIBFUZZER
+SUBDIRS += common/sparse
+endif
+
+SUBDIRS += server
+
 if HAVE_PLUGINS
 SUBDIRS += \
 	common/bitmap \
diff --git a/TODO b/TODO
index 03fa656..fa7ec5f 100644
--- a/TODO
+++ b/TODO
@@ -113,8 +113,7 @@ General ideas for improvements
   good enough?  Also allowing multiple instances of nbdkit to be
   loaded in the same process is probably impossible.
 
-* Examine other fuzzers: oss-fuzz, libfuzzer, fuzzit, and whatever it
-  is that syzkaller uses.
+* Examine other fuzzers: https://gitlab.com/akihe/radamsa
 
 * Analyze code with Coverity.
 
diff --git a/configure.ac b/configure.ac
index cb0351e..658391d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -391,6 +391,18 @@ AS_IF([test "x$enable_valgrind" =
"xyes"],[
     ])
 ])
 
+dnl Build the special libFuzzer version of nbdkit.  DO NOT USE THIS for
+dnl normal builds.  See fuzzing/README.
+AC_ARG_ENABLE([libfuzzer],
+    [AS_HELP_STRING([--enable-libfuzzer],
+                    [build libFuzzer test binary (developers only)])],
+    [enable_libfuzzer=yes],
+    [enable_libfuzzer=no])
+AS_IF([test "x$enable_libfuzzer" = "xyes"],[
+    AC_DEFINE([ENABLE_LIBFUZZER],[1],[Enable special libFuzzer binary])
+])
+AM_CONDITIONAL([ENABLE_LIBFUZZER],[test "x$enable_libfuzzer" =
"xyes"])
+
 dnl Bash completion.
 PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0], [
     bash_completion=yes
diff --git a/fuzzing/README b/fuzzing/README
index 9fcce89..fe5a283 100644
--- a/fuzzing/README
+++ b/fuzzing/README
@@ -1,5 +1,7 @@
+To report security bugs, see ?SECURITY? in the top source directory.
+
 Fuzzing nbdkit using the American Fuzzy Lop (afl) fuzzer
---------------------------------------------------------
+======================================================= 
 We can fuzz nbdkit using the -s (read from stdin) option, and feeding
 in a file of "network" input.  The stdout from nbdkit (ie. data that
@@ -57,8 +59,6 @@ This will create an HTML test coverage report in
 Notes
 -----
 
-To report security bugs, see ?SECURITY? in the top source directory.
-
 We only have testcases for the newstyle fixed protocol so far, but if
 people report that they are exposing the oldstyle protocol to the
 internet / untrusted clients then we could extend the testing for
@@ -68,3 +68,40 @@ We have only fuzzed the memory plugin, which is convenient
because it
 stores everything in memory and throws it away when nbdkit exits.
 Since plugins can have bugs as well as the core server, it may be
 productive to test other plugins and filters.
+
+Fuzzing nbdkit using Clang + libFuzzer
+=====================================+
+Recompile nbdkit with libFuzzer enabled and build the libFuzzer test
+binary:
+
+  ./configure \
+      CC=clang \
+      CFLAGS="-g -O1" \
+      --enable-libfuzzer \
+      --disable-perl
+  make clean
+  make CFLAGS="-g -O1 -fsanitize=fuzzer,address"
+
+(The awkward additional CFLAGS on the make command line are necessary
+because ./configure attempts to test that the compiler works, but this
+test fails when -fsanitize=fuzzer is used as that option adds an extra
+main() definition.)
+
+",address" enables the Clang Address Sanitizer, and can be omitted
for
+faster fuzzing.
+
+This builds a specialized version of nbdkit which is the fuzzer test
+program (testing only nbdkit-memory-plugin unless you modify the
+source).  You can run it like this on the input corpus:
+
+  ./server/nbdkit fuzzing/testcase_dir
+
+New test inputs are written to fuzzing/testcase_dir and will be used
+on subsequent runs.  If this is undesirable then delete
+fuzzing/testcase_dir/[0-f]* before the run.
+
+There are various extra command line options supported by libFuzzer.
+For more details see:
+
+  https://llvm.org/docs/LibFuzzer.html
diff --git a/server/Makefile.am b/server/Makefile.am
index c846fc7..cc148ac 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -102,6 +102,19 @@ if USE_LINKER_SCRIPT_FOR_SERVER
 nbdkit_LDFLAGS += -Wl,--version-script=$(srcdir)/nbdkit.syms
 endif
 
+if ENABLE_LIBFUZZER
+nbdkit_SOURCES += \
+	fuzzer.c \
+	$(top_srcdir)/plugins/memory/memory.c \
+	$(NULL)
+nbdkit_CPPFLAGS += \
+	-I$(top_srcdir)/common/sparse \
+	$(NULL)
+nbdkit_LDFLAGS += \
+	$(top_builddir)/common/sparse/libsparse.la \
+	$(NULL)
+endif
+
 # synopsis.c is generated from docs/synopsis.txt where it is also
 # used to generate the man page.  It is included in main.c.
 
diff --git a/server/fuzzer.c b/server/fuzzer.c
new file mode 100644
index 0000000..f1c525f
--- /dev/null
+++ b/server/fuzzer.c
@@ -0,0 +1,208 @@
+/* nbdkit
+ * Copyright (C) 2013-2019 Red Hat Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * * Neither the name of Red Hat nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS
IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <poll.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+
+#include "internal.h"
+
+#ifdef ENABLE_LIBFUZZER
+
+/* When we're compiled with --enable-libfuzzer, the normal main()
+ * function is renamed to fuzzer_main.  We call it with particular
+ * parameters to make it use the memory plugin.
+ */
+extern int fuzzer_main (int argc, char *argv[]);
+
+/* When compiled with --enable-libfuzzer we are linked directly with
+ * the memory plugin.  We provide a specialized open_plugin_so called
+ * from fuzzer_main which registers the already loaded plugin.
+ */
+struct backend *
+open_plugin_so (size_t i, const char *name, int short_name)
+{
+  extern struct nbdkit_plugin *plugin_init (void);
+
+  return plugin_register (i, name, NULL, plugin_init);
+}
+
+static void server (int sock);
+static void client (const uint8_t *data, size_t size, int sock);
+
+/* This is the entry point called by libFuzzer. */
+int
+LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
+{
+  pid_t pid;
+  int sv[2], r, status;
+
+  /* Create a connected socket. */
+  if (socketpair (AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, sv) == -1) {
+    perror ("socketpair");
+    exit (EXIT_FAILURE);
+  }
+
+  /* Fork: The parent will be the nbdkit process (server).  The child
+   * will be the phony NBD client.
+   */
+  pid = fork ();
+  if (pid == -1) {
+    perror ("fork");
+    exit (EXIT_FAILURE);
+  }
+
+  if (pid > 0) {
+    /* Parent: nbdkit server. */
+    close (sv[1]);
+
+    server (sv[0]);
+
+    close (sv[0]);
+
+  again:
+    r = wait (&status);
+    if (r == -1) {
+      if (errno == EINTR)
+        goto again;
+      perror ("wait");
+      exit (EXIT_FAILURE);
+    }
+    if (!WIFEXITED (status) || WEXITSTATUS (status) != 0)
+      fprintf (stderr, "bad exit status %d\n", status);
+
+    return 0;
+  }
+
+  /* Child: phony NBD client. */
+  close (sv[0]);
+
+  client (data, size, sv[1]);
+
+  close (sv[1]);
+
+  _exit (EXIT_SUCCESS);
+}
+
+static void
+server (int sock)
+{
+  char *argv[] = { "nbdkit",
+                   "-s",         /* take input from stdin/stdout */
+                   "--log=null", /* discard error messages */
+                   "./plugins/memory/.libs/nbdkit-memory-plugin.so",
"1M",
+                   NULL };
+  const int argc = sizeof argv / sizeof argv[0] - 1;
+  int saved_stdin, saved_stdout;
+
+  /* Make the socket appear as stdin and stdout of the process, saving
+   * the existing stdin/stdout.
+   */
+  saved_stdin = dup (0);
+  saved_stdout = dup (1);
+  dup2 (sock, 0);
+  dup2 (sock, 1);
+
+  /* Call nbdkit's normal main() function. */
+  fuzzer_main (argc, argv);
+
+  /* Restore stdin/stdout. */
+  dup2 (saved_stdin, 0);
+  dup2 (saved_stdout, 1);
+  close (saved_stdin);
+  close (saved_stdout);
+}
+
+static void
+client (const uint8_t *data, size_t size, int sock)
+{
+  struct pollfd pfds[1];
+  char rbuf[512];
+  ssize_t r;
+
+  if (size == 0)
+    shutdown (sock, SHUT_WR);
+
+  for (;;) {
+    pfds[0].fd = sock;
+    pfds[0].events = POLLIN;
+    if (size > 0) pfds[0].events |= POLLOUT;
+    pfds[0].revents = 0;
+
+    if (poll (pfds, 1, -1) == -1) {
+      if (errno == EINTR)
+        continue;
+      perror ("poll");
+      /* This is not an error. */
+      return;
+    }
+
+    /* We can read from the server socket.  Just throw away anything sent. */
+    if ((pfds[0].revents & POLLIN) != 0) {
+      r = read (sock, rbuf, sizeof rbuf);
+      if (r == -1 && errno != EINTR) {
+        //perror ("read");
+        return;
+      }
+      else if (r == 0)          /* end of input from the server */
+        return;
+    }
+
+    /* We can write to the server socket. */
+    if ((pfds[0].revents & POLLOUT) != 0) {
+      if (size > 0) {
+        r = write (sock, data, size);
+        if (r == -1 && errno != EAGAIN && errno != EWOULDBLOCK)
{
+          perror ("write");
+          return;
+        }
+        else if (r > 0) {
+          data += r;
+          size -= r;
+
+          if (size == 0)
+            shutdown (sock, SHUT_WR);
+        }
+      }
+    }
+  } /* for (;;) */
+}
+
+#endif /* ENABLE_LIBFUZZER */
diff --git a/server/internal.h b/server/internal.h
index eb46d9e..36f8492 100644
--- a/server/internal.h
+++ b/server/internal.h
@@ -57,6 +57,8 @@
 # define DO_DLCLOSE !RUNNING_ON_VALGRIND
 #elif defined(__SANITIZE_ADDRESS__)
 # define DO_DLCLOSE 0
+#elif defined(ENABLE_LIBFUZZER)
+# define DO_DLCLOSE 0
 #else
 # define DO_DLCLOSE 1
 #endif
@@ -111,6 +113,7 @@ extern bool verbose;
 
 extern struct backend *backend;
 #define for_each_backend(b) for (b = backend; b != NULL; b = b->next)
+extern struct backend *open_plugin_so (size_t i, const char *filename, int
short_name);
 
 /* quit.c */
 extern volatile int quit;
@@ -432,7 +435,7 @@ extern int backend_cache (struct backend *b, struct
connection *conn,
 /* plugins.c */
 extern struct backend *plugin_register (size_t index, const char *filename,
                                         void *dl, struct nbdkit_plugin
*(*plugin_init) (void))
-  __attribute__((__nonnull__ (2, 3, 4)));
+  __attribute__((__nonnull__ (2, /* 3,*/ 4)));
 
 /* filters.c */
 extern struct backend *filter_register (struct backend *next, size_t index,
diff --git a/server/main.c b/server/main.c
index 3e2ac2f..a6932ce 100644
--- a/server/main.c
+++ b/server/main.c
@@ -60,8 +60,15 @@
 #include "options.h"
 #include "exit-with-parent.h"
 
+#ifdef ENABLE_LIBFUZZER
+#define main fuzzer_main
+#define ONCE(code) if (!fuzzer_called) code
+static bool fuzzer_called;
+#else
+#define ONCE(code) code
+#endif
+
 static char *make_random_fifo (void);
-static struct backend *open_plugin_so (size_t i, const char *filename, int
short_name);
 static struct backend *open_filter_so (struct backend *next, size_t i, const
char *filename, int short_name);
 static void start_serving (void);
 static void write_pidfile (void);
@@ -168,7 +175,7 @@ main (int argc, char *argv[])
     exit (EXIT_FAILURE);
   }
 
-  threadlocal_init ();
+  ONCE (threadlocal_init ());
 
   /* The default setting for TLS depends on whether we were
    * compiled with GnuTLS.
@@ -702,7 +709,13 @@ main (int argc, char *argv[])
 
   crypto_free ();
 
-  exit (EXIT_SUCCESS);
+  /* Note: Don't exit here, otherwise this won't work when compiled
+   * for libFuzzer.
+   */
+#ifdef ENABLE_LIBFUZZER
+  fuzzer_called = true;
+#endif
+  return EXIT_SUCCESS;
 }
 
 /* Implementation of '-U -' */
@@ -737,7 +750,8 @@ make_random_fifo (void)
   return sock;
 }
 
-static struct backend *
+#ifndef ENABLE_LIBFUZZER
+struct backend *
 open_plugin_so (size_t i, const char *name, int short_name)
 {
   struct backend *ret;
@@ -788,6 +802,7 @@ open_plugin_so (size_t i, const char *name, int short_name)
 
   return ret;
 }
+#endif /* !ENABLE_LIBFUZZER */
 
 static struct backend *
 open_filter_so (struct backend *next, size_t i,
@@ -865,8 +880,10 @@ start_serving (void)
     exit (EXIT_FAILURE);
   }
 
-  set_up_quit_pipe ();
+  ONCE (set_up_quit_pipe ());
+#if !ENABLE_LIBFUZZER
   set_up_signals ();
+#endif
 
   /* Socket activation -- we are handling connections on pre-opened
    * file descriptors [FIRST_SOCKET_ACTIVATION_FD ..
@@ -895,7 +912,11 @@ start_serving (void)
     write_pidfile ();
     threadlocal_new_server_thread ();
     if (handle_single_connection (0, 1) == -1)
+#ifndef ENABLE_LIBFUZZER
       exit (EXIT_FAILURE);
+#else
+      /* When running under libFuzzer, don't exit on invalid input. */;
+#endif
     return;
   }
 
-- 
2.23.0