[PULL 15/31] fuzz: Add support for custom crossover functions

From: Thomas Huth
Subject: [PULL 15/31] fuzz: Add support for custom crossover functions
Date: Mon, 26 Oct 2020 11:06:16 +0100
From: Alexander Bulekov <alxndr@bu.edu>
libfuzzer supports a "custom crossover function". Libfuzzer often tries
to blend two inputs to create a new interesting input. Sometimes, we
have a better idea about how to blend inputs together. This change
allows fuzzers to specify a custom function for blending two inputs
together.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-8-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
tests/qtest/fuzz/fuzz.c | 13 +++++++++++++
tests/qtest/fuzz/fuzz.h | 27 +++++++++++++++++++++++++++
2 files changed, 40 insertions(+)
diff --git a/tests/qtest/fuzz/fuzz.c b/tests/qtest/fuzz/fuzz.c
index eb0070437f..7be7226bc0 100644
--- a/tests/qtest/fuzz/fuzz.c
+++ b/tests/qtest/fuzz/fuzz.c
@@ -118,6 +118,19 @@ static FuzzTarget *fuzz_get_target(char* name)
}
+/* Sometimes called by libfuzzer to mutate two inputs into one */
+size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1,
+ const uint8_t *data2, size_t size2,
+ uint8_t *out, size_t max_out_size,
+ unsigned int seed)
+{
+ if (fuzz_target->crossover) {
+ return fuzz_target->crossover(data1, size1, data2, size2, out,
+ max_out_size, seed);
+ }
+ return 0;
+}
+
/* Executed for each fuzzing-input */
int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size)
{
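Review bot: LLVMFuzzerCustomCrossOver is now exported unconditionally, so every fuzz target built from fuzz.c advertises a custom crossover to libfuzzer, and targets without one take the `return 0;` path on every attempt. That is safe (a 0 return means "no new input produced" and libfuzzer moves on to another mutator), but the one-line comment `/* Sometimes called by libfuzzer to mutate two inputs into one */` should say so explicitly, and it should also spell out that the wrapper forwards max_out_size unchecked: a target's crossover must never return a length larger than max_out_size, since libfuzzer treats that as a bug rather than clamping it.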
diff --git a/tests/qtest/fuzz/fuzz.h b/tests/qtest/fuzz/fuzz.h
index 8eb765edc8..ed9ce17154 100644
--- a/tests/qtest/fuzz/fuzz.h
+++ b/tests/qtest/fuzz/fuzz.h
@@ -77,6 +77,29 @@ typedef struct FuzzTarget {
*/
void(*fuzz)(QTestState *, const unsigned char *, size_t);
+ /*
+ * The fuzzer can specify a "Custom Crossover" function for combining two
+ * inputs from the corpus. This function is sometimes called by libfuzzer
+ * when mutating inputs.
+ *
+ * data1: location of first input
+ * size1: length of first input
+ * data1: location of second input
+ * size1: length of second input
+ * out: where to place the resulting, mutated input
+ * max_out_size: the maximum length of the input that can be placed in out
+ * seed: the seed that should be used to make mutations deterministic, when
+ * needed
+ *
+ * See libfuzzer's LLVMFuzzerCustomCrossOver API for more info.
+ *
+ * Can be NULL
+ */
+ size_t(*crossover)(const uint8_t *data1, size_t size1,
+ const uint8_t *data2, size_t size2,
+ uint8_t *out, size_t max_out_size,
+ unsigned int seed);
+
} FuzzTarget;
void flush_events(QTestState *);
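Review bot: the parameter list in the new FuzzTarget comment documents the second input under the first input's names; the lines `data1: location of second input` and `size1: length of second input` should read `data2` and `size2`, matching the prototype directly below. While touching the comment, it would help implementers to state the return contract too: the number of bytes written to out, never more than max_out_size, or 0 when no new input was produced.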
@@ -91,6 +114,10 @@ void fuzz_qtest_set_serialize(bool option);
*/
void fuzz_add_target(const FuzzTarget *target);
+size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1,
+ const uint8_t *data2, size_t size2,
+ uint8_t *out, size_t max_out_size,
+ unsigned int seed);
int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size);
int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp);
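Review bot: style point on the new prototype: it spells the buffer type as `const uint8_t *` while the neighbouring `LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size)` uses `const unsigned char *`. Both match libfuzzer's C entry points, but picking one spelling within the header would avoid the mismatch. A short comment marking these three as libfuzzer entry points that targets are not expected to call directly would also be welcome here.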
--
2.18.2
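The commit message says a target "sometimes has a better idea about how to blend inputs together" than libfuzzer's byte-level crossover. The following is an added example of what such a function looks like; it is not QEMU code and not part of the patch. It assumes a constructed input format (records terminated by a 0xFF separator byte) and uses hypothetical names (example_crossover, example_selfcheck, REC_SEP, lcg_next) chosen for the example. The function has exactly the shape of FuzzTarget->crossover from the header hunk above, so a target could store it in that field; it splices only at record boundaries, derives every choice from the seed so the mutation is reproducible, and returns 0 rather than a truncated record when the output would not fit.

```c
/*
 * Added example, not QEMU code: a record-aware crossover with the signature
 * of FuzzTarget->crossover (and therefore of LLVMFuzzerCustomCrossOver).
 *
 * Assumption made for the example: fuzz inputs are sequences of records,
 * each terminated by a 0xFF separator byte. Splicing only at separators
 * keeps every record intact, which libfuzzer's generic byte-level crossover
 * cannot guarantee because it knows nothing about the format.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_SEP 0xFF

/* Small LCG so the result depends only on (inputs, seed), as the FuzzTarget
 * comment asks for; no rand()/time() state leaks in. */
static unsigned int lcg_next(unsigned int *state)
{
    *state = *state * 1103515245u + 12345u;
    return *state >> 16;
}

/* Number of complete (separator-terminated) records in buf. */
static size_t count_records(const uint8_t *buf, size_t size)
{
    size_t n = 0;
    for (size_t i = 0; i < size; i++) {
        n += (buf[i] == REC_SEP);
    }
    return n;
}

/* Byte offset just past the n-th separator; n == 0 gives 0. */
static size_t record_boundary(const uint8_t *buf, size_t size, size_t n)
{
    size_t i = 0;
    while (n > 0 && i < size) {
        if (buf[i++] == REC_SEP) {
            n--;
        }
    }
    return i;
}

/* Offset one past the separator ending the record that starts at pos, or
 * size for an unterminated trailing record. */
static size_t record_end(const uint8_t *buf, size_t size, size_t pos)
{
    while (pos < size) {
        if (buf[pos++] == REC_SEP) {
            break;
        }
    }
    return pos;
}

/* Candidate FuzzTarget->crossover: keep a seed-chosen number of leading
 * records from data1, then append records from a seed-chosen point in data2
 * while they still fit. Returns the bytes written, or 0 to tell libfuzzer
 * that nothing was produced. Never returns more than max_out_size. */
size_t example_crossover(const uint8_t *data1, size_t size1,
                         const uint8_t *data2, size_t size2,
                         uint8_t *out, size_t max_out_size,
                         unsigned int seed)
{
    unsigned int state = seed;
    size_t n1 = count_records(data1, size1);
    size_t n2 = count_records(data2, size2);
    size_t keep1 = lcg_next(&state) % (n1 + 1);  /* 0..n1 leading records */
    size_t start2 = lcg_next(&state) % (n2 + 1); /* record index to resume at */
    size_t cut1 = record_boundary(data1, size1, keep1);
    size_t pos = record_boundary(data2, size2, start2);
    size_t len = cut1;

    if (cut1 > max_out_size) {
        return 0;                     /* even the prefix does not fit */
    }
    if (cut1 > 0) {
        memcpy(out, data1, cut1);
    }
    while (pos < size2) {
        size_t end = record_end(data2, size2, pos);
        if (len + (end - pos) > max_out_size) {
            break;                    /* never emit a torn record */
        }
        memcpy(out + len, data2 + pos, end - pos);
        len += end - pos;
        pos = end;
    }
    return len;
}

/* Checks, on two constructed inputs, the invariants a reviewer would want:
 * determinism for a fixed seed, the size bound, no torn records, and the
 * 0 ("nothing produced") return. Returns 1 on success, 0 on failure. */
int example_selfcheck(void)
{
    static const uint8_t a[] = { 'A', '1', REC_SEP, 'A', '2', REC_SEP,
                                 'A', '3', REC_SEP };              /* 3 records */
    static const uint8_t b[] = { 'B', '1', REC_SEP, 'B', '2', REC_SEP }; /* 2 */
    uint8_t out1[64], out2[64];
    size_t len1 = example_crossover(a, sizeof a, b, sizeof b, out1, sizeof out1, 1);
    size_t len2 = example_crossover(a, sizeof a, b, sizeof b, out2, sizeof out2, 1);

    if (len1 != len2 || memcmp(out1, out2, len1) != 0) return 0;
    if (len1 > sizeof out1 || len1 % 3 != 0) return 0; /* every record is 3 bytes */
    if (len1 > 0 && out1[len1 - 1] != REC_SEP) return 0;
    if (example_crossover(a, sizeof a, b, sizeof b, out1, 0, 1) != 0) return 0;
    if (example_crossover(NULL, 0, NULL, 0, out1, sizeof out1, 7) != 0) return 0;
    return 1;
}

int main(void)
{
    printf("selfcheck: %s\n", example_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

The 0 return is the important edge: when the prefix alone exceeds max_out_size, or both corpus entries are empty, the function reports that no input was produced instead of handing libfuzzer a cut-off record, which mirrors what the fuzz.c wrapper above does for targets without a crossover at all.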