Libguestfs - Apr 2022 - [PATCH nbdkit v2 3/5] configure: Disable linker script for server when using libfuzzer

v1 was here:

https://listman.redhat.com/archives/libguestfs/2022-April/028568.html

v2:

- Picked up Reviewed-by line for first patch.

- Split second patch into 3 parts.  Add ASAN_OPTIONS which is
  necessary for the tests to run successfully under ASAN.

- Third patch has been extensively modified based on actually now
  doing fuzzing of nbdkit with ASAN.  In particular it's necessary to
  set ASAN_OPTIONS when fuzzing to avoid bogus failures.

- Document why -m 256 was dropped.

This changes the summary output to report whether or not the
./configure --enable-libfuzzer flag was set:

    libfuzzer .............................. yes

or for --disable-libfuzzer / the default of not set:

    libfuzzer .............................. no

Reviewed-by: Laszlo Ersek <lersek at redhat.com>
---
 configure.ac | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/configure.ac b/configure.ac
index 6a3be4ec..f86215d9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1417,6 +1417,8 @@ echo "Optional server features:"
 echo
 feature "bash-completion ........................ " \
         test "x$HAVE_BASH_COMPLETION_TRUE" = "x"
+feature "libfuzzer .............................. " \
+        test "x$ENABLE_LIBFUZZER_TRUE" = "x"
 feature "manual pages ........................... " \
         test "x$HAVE_POD_TRUE" = "x"
 feature "SELinux ................................ " \
-- 
2.35.1

There will be several reasons for disabling the linker script for
nbdkit (in forthcoming patches).  Make the
use_linker_script_for_server variable into a "global" (top level).
Move the AM_CONDITIONAL that checks this variable later.

This is just refactoring.
---
 configure.ac | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/configure.ac b/configure.ac
index f86215d9..81c75fda 100644
--- a/configure.ac
+++ b/configure.ac
@@ -502,17 +502,19 @@ main (int argc, char *argv[])
     ])
 AM_CONDITIONAL([HAVE_ICONV], [test "x$iconv_working" =
"xyes"])
 
+use_linker_script_for_server=yes
+
 dnl Don't use linker script for the server on FreeBSD because
 dnl FreeBSD's linker is broken.  See eg:
 dnl https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=190851
-AC_MSG_CHECKING([if we should use a linker script for the server])
+AC_MSG_CHECKING([if we should disable the linker script (FreeBSD only)])
 AS_CASE([$host_os],
-  [freebsd*], [use_linker_script_for_server=no],
-  [use_linker_script_for_server=yes]
+  [freebsd*], [
+      use_linker_script_for_server=no
+      AC_MSG_RESULT([yes])
+  ],
+  [AC_MSG_RESULT([no])]
 )
-AC_MSG_RESULT([$use_linker_script_for_server])
-AM_CONDITIONAL([USE_LINKER_SCRIPT_FOR_SERVER],
-               [test "x$use_linker_script_for_server" =
"xyes"])
 
 dnl Check if -rdynamic linker flag works.
 acx_nbdkit_save_LDFLAGS="${LDFLAGS}"
@@ -694,6 +696,9 @@ AS_IF([test "x$enable_libfuzzer" =
"xyes"],[
 ])
 AM_CONDITIONAL([ENABLE_LIBFUZZER],[test "x$enable_libfuzzer" =
"xyes"])
 
+AM_CONDITIONAL([USE_LINKER_SCRIPT_FOR_SERVER],
+               [test "x$use_linker_script_for_server" =
"xyes"])
+
 dnl Bash completion.
 PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0], [
     bash_completion=yes
@@ -1419,6 +1424,8 @@ feature "bash-completion ........................
" \
         test "x$HAVE_BASH_COMPLETION_TRUE" = "x"
 feature "libfuzzer .............................. " \
         test "x$ENABLE_LIBFUZZER_TRUE" = "x"
+feature "linker script .......................... " \
+        test "x$USE_LINKER_SCRIPT_FOR_SERVER_TRUE" = "x"
 feature "manual pages ........................... " \
         test "x$HAVE_POD_TRUE" = "x"
 feature "SELinux ................................ " \
-- 
2.35.1

Libfuzzer used its own conditional flag for this.  Instead use the
USE_LINKER_SCRIPT_FOR_SERVER flag.
---
 configure.ac       | 4 ++++
 server/Makefile.am | 5 -----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index 81c75fda..ba194781 100644
--- a/configure.ac
+++ b/configure.ac
@@ -693,6 +693,10 @@ AC_ARG_ENABLE([libfuzzer],
     [enable_libfuzzer=no])
 AS_IF([test "x$enable_libfuzzer" = "xyes"],[
     AC_DEFINE([ENABLE_LIBFUZZER],[1],[Enable special libFuzzer binary])
+    # We have to disable the linker script for libFuzzer because Clang
+    # adds loads of fuzzer and ASAN-related symbols that are required
+    # by the plugins but which our linker script tries to hide.
+    use_linker_script_for_server=no
 ])
 AM_CONDITIONAL([ENABLE_LIBFUZZER],[test "x$enable_libfuzzer" =
"xyes"])
 
diff --git a/server/Makefile.am b/server/Makefile.am
index 0039d1da..9ab621d5 100644
--- a/server/Makefile.am
+++ b/server/Makefile.am
@@ -108,13 +108,8 @@ nbdkit_LDFLAGS = \
 	$(NULL)
 EXTRA_nbdkit_DEPENDENCIES = nbdkit.syms
 if USE_LINKER_SCRIPT_FOR_SERVER
-# We have to disable the linker script for libFuzzer because Clang
-# adds loads of fuzzer and ASAN-related symbols that are required by
-# the plugins but which our linker script tries to hide.
-if !ENABLE_LIBFUZZER
 nbdkit_LDFLAGS += -Wl,--version-script=$(srcdir)/nbdkit.syms
 endif
-endif
 
 if IS_WINDOWS
 # On Windows, generate an import library so that plugins can link
-- 
2.35.1

This flag allows you to disable the linker script (for the server
only).  This is necessary for ASAN to work, and the documentation has
been updated to explain how to run nbdkit under ASAN.

Thanks Eric Blake for helping me with working out the root cause.
---
 configure.ac |  7 +++++++
 README       | 13 +++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/configure.ac b/configure.ac
index ba194781..404d4e23 100644
--- a/configure.ac
+++ b/configure.ac
@@ -700,6 +700,13 @@ AS_IF([test "x$enable_libfuzzer" =
"xyes"],[
 ])
 AM_CONDITIONAL([ENABLE_LIBFUZZER],[test "x$enable_libfuzzer" =
"xyes"])
 
+dnl Should we use the linker script with the server?  Note
+dnl some tests above may set this variable.
+AC_ARG_ENABLE([linker-script],
+    [AS_HELP_STRING([--disable-linker-script],
+                    [disable linker script for server (developers only)])],
+    [use_linker_script_for_server=$enableval],
+    [])
 AM_CONDITIONAL([USE_LINKER_SCRIPT_FOR_SERVER],
                [test "x$use_linker_script_for_server" =
"xyes"])
 
diff --git a/README b/README
index 3480d561..7aa93b1d 100644
--- a/README
+++ b/README
@@ -324,6 +324,19 @@ For further information, see:
 https://libguestfs.org/
 https://github.com/NetworkBlockDevice/nbd/blob/master/doc/proto.md
 
+Address sanitizer (ASAN)
+------------------------
+
+You can compile nbdkit with clang and ASAN with:
+
+    ./configure CC=clang CXX=clang++ \
+                CFLAGS="-O0 -g -fsanitize=address
-fno-omit-frame-pointer" \
+                --disable-linker-script \
+                --disable-golang
+    make clean
+    make
+    ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false"
make check
+
 Test coverage
 -------------
 
-- 
2.35.1

ASAN (ie. Address Sanitizer or -fsanitize=address) adds extra checks
for out-of-bounds memory access, use-after-free and other memory
checks.  It's useful to combine this with fuzzing.

Fuzzing can normally only detect paths which cause the binary to
crash.  But some serious, latent bugs might not cause crashes (eg. a
rogue pointer overwrites another object in memory, but the other
object is not used or not used in a way that will cause a crash).
ASAN turns these kinds of bugs into crashes.

Note the -m 256 (limit memory) flag has been removed from the example
afl_fuzz command lines because it conflicts with ASAN.  See the second
link below for detailed reasons.

See also:
https://clang.llvm.org/docs/AddressSanitizer.html
https://aflplus.plus/docs/notes_for_asan/

Cherry picked from libnbd commit 43b1b95c981861c5c03cd563cf1b90e1f4c52cf8.
RWMJ: Some modifications were required for fuzzing to work with nbdkit.
---
 fuzzing/README | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fuzzing/README b/fuzzing/README
index eeab9744..928ad962 100644
--- a/fuzzing/README
+++ b/fuzzing/README
@@ -15,7 +15,9 @@ You will need to recompile nbdkit with AFL instrumentation:
 
 To use clang instead (recommended with AFL++):
 
-  ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++
+  export AFL_USE_ASAN=1
+  ./configure CC=/usr/bin/afl-clang-lto CXX=/usr/bin/afl-clang-lto++ \
+      --disable-linker-script
   make clean
   make
 
@@ -29,14 +31,16 @@ Master:
 
   mkdir -p fuzzing/sync_dir
   export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
-  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -M fuzz01 \
+  export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false
abort_on_error=1 symbolize=0"
+  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -M fuzz01 \
       ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
 
 Slaves:
 
   # replace fuzzNN with fuzz02, fuzz03, etc.
   export AFL_PRELOAD=./plugins/memory/.libs/nbdkit-memory-plugin.so
-  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -m 256 -S fuzzNN \
+  export ASAN_OPTIONS="allocator_may_return_null=1 detect_leaks=false
abort_on_error=1 symbolize=0"
+  afl-fuzz -i fuzzing/testcase_dir -o fuzzing/sync_dir -S fuzzNN \
       ./server/nbdkit -s -t 1 ./plugins/memory/.libs/nbdkit-memory-plugin.so 1M
 
 Test Coverage
-- 
2.35.1

On Thu, Apr 07, 2022 at 10:42:44AM +0100, Richard W.M. Jones
wrote:
> v1 was here:
> 
> https://listman.redhat.com/archives/libguestfs/2022-April/028568.html
> 
> v2:
> 
> - Picked up Reviewed-by line for first patch.
> 
> - Split second patch into 3 parts.  Add ASAN_OPTIONS which is
>   necessary for the tests to run successfully under ASAN.
> 
> - Third patch has been extensively modified based on actually now
>   doing fuzzing of nbdkit with ASAN.  In particular it's necessary to
>   set ASAN_OPTIONS when fuzzing to avoid bogus failures.
> 
> - Document why -m 256 was dropped.
ACK series.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org