This series introduces multiple fuzzers developed as part of Google Summer
of Code 2024. We adopt a structure-aware fuzzing approach to fuzz libvirt
XML formats. The fuzzing methodology makes use of libFuzzer and
libprotobuf-mutator. The fuzzers work by mutating intermediate protobufs
and converting them to XML.
The fuzzing method in use requires the inclusion of C++ sources. However, C++
compilation will be done only if '-Dfuzz' is enabled; otherwise, libvirt will
compile normally as before. The fuzzing method works only with clang compilers
that support libFuzzer.
This series introduces a total of six fuzzers:
1. QEMU XML domain
2. QEMU XML hotplug
3. CH XML domain
4. VMX XML domain
5. libXL XML domain
6. NWFilter XML
In terms of the number of crashes discovered, QEMU XML domain, QEMU XML
hotplug and libXL fuzzers are the most interesting ones.
The setup process is documented at the end of the series (patch 14).
Rayhan Faizel (14):
src: Tweak source code to allow C++ compilation
meson: Add support for clang/LLVM coverage instrumentation
tests: Export handlers for fake secondary drivers
schemas: Refactor relaxNG schema to ease protobuf conversion
scripts: Add script to convert relaxNG to protobuf
fuzz: Implement base fuzzing setup for XML domain
fuzz: Implement QEMU XML domain fuzzer
fuzz: Implement QEMU XML hotplug fuzzer
ch: Remove unused variables
fuzz: Implement CH XML domain fuzzer
fuzz: Implement VMX XML domain fuzzer
fuzz: Implement libXL XML domain fuzzer
fuzz: Implement NWFilter XML fuzzer
docs: Document the fuzzers
build-aux/syntax-check.mk | 1 +
docs/kbase/index.rst | 3 +
docs/kbase/internals/meson.build | 1 +
docs/kbase/internals/xml-fuzzing.rst | 120 ++++
meson.build | 55 ++
meson_options.txt | 5 +-
scripts/meson.build | 1 +
scripts/relaxng-to-proto.py | 521 ++++++++++++++++++
src/ch/ch_monitor.c | 2 +-
src/ch/ch_monitor.h | 3 +
src/ch/ch_process.c | 2 -
src/conf/domain_conf.c | 18 +-
src/conf/domain_conf.h | 6 +-
src/conf/netdev_vport_profile_conf.c | 2 +-
src/conf/schemas/basictypes.rng | 20 +-
src/conf/schemas/domaincommon.rng | 11 +-
src/conf/schemas/networkcommon.rng | 14 +-
src/qemu/qemu_hotplug.c | 4 +
src/qemu/qemu_monitor.c | 6 +-
src/qemu/qemu_monitor.h | 2 +-
src/util/virfile.h | 2 +-
src/util/virnetdev.h | 12 +-
src/util/virnetdevip.h | 2 +-
src/util/virnetdevmacvlan.h | 2 +-
src/util/virnetdevvportprofile.c | 2 +-
src/util/virnetdevvportprofile.h | 2 +-
src/util/virnvme.c | 4 +-
src/util/virnvme.h | 2 +-
src/util/viruuid.h | 2 +-
tests/commandhelper.c | 8 +-
tests/fuzz/README.rst | 131 +++++
tests/fuzz/ch_xml_domain_fuzz.cc | 157 ++++++
tests/fuzz/libxl_xml_domain_fuzz.cc | 159 ++++++
tests/fuzz/llvm_symbolizer_wrapper.c | 11 +
tests/fuzz/meson.build | 183 ++++++
tests/fuzz/proto_custom_datatypes.cc | 234 ++++++++
tests/fuzz/proto_custom_datatypes.h | 30 +
tests/fuzz/proto_header_common.h | 51 ++
tests/fuzz/proto_to_xml.cc | 277 ++++++++++
tests/fuzz/proto_to_xml.h | 39 ++
tests/fuzz/protos/meson.build | 46 ++
tests/fuzz/protos/xml_datatypes.proto | 93 ++++
tests/fuzz/protos/xml_domain.proto | 62 +++
tests/fuzz/protos/xml_domain_disk_only.proto | 21 +
.../protos/xml_domain_interface_only.proto | 21 +
tests/fuzz/protos/xml_hotplug.proto | 38 ++
tests/fuzz/protos/xml_nwfilter.proto | 9 +
tests/fuzz/qemu_xml_domain_fuzz.cc | 277 ++++++++++
tests/fuzz/qemu_xml_hotplug_fuzz.cc | 340 ++++++++++++
tests/fuzz/run_fuzz.in | 142 +++++
tests/fuzz/vmx_xml_domain_fuzz.cc | 208 +++++++
tests/fuzz/xml_nwfilter_fuzz.cc | 149 +++++
tests/meson.build | 5 +
tests/qemumonitortestutils.c | 48 ++
tests/qemumonitortestutils.h | 6 +
tests/qemuxmlconftest.c | 249 ---------
tests/testutilsqemu.c | 256 +++++++++
tests/testutilsqemu.h | 57 ++
58 files changed, 3832 insertions(+), 302 deletions(-)
create mode 100644 docs/kbase/internals/xml-fuzzing.rst
create mode 100644 scripts/relaxng-to-proto.py
create mode 100644 tests/fuzz/README.rst
create mode 100644 tests/fuzz/ch_xml_domain_fuzz.cc
create mode 100644 tests/fuzz/libxl_xml_domain_fuzz.cc
create mode 100644 tests/fuzz/llvm_symbolizer_wrapper.c
create mode 100644 tests/fuzz/meson.build
create mode 100644 tests/fuzz/proto_custom_datatypes.cc
create mode 100644 tests/fuzz/proto_custom_datatypes.h
create mode 100644 tests/fuzz/proto_header_common.h
create mode 100644 tests/fuzz/proto_to_xml.cc
create mode 100644 tests/fuzz/proto_to_xml.h
create mode 100644 tests/fuzz/protos/meson.build
create mode 100644 tests/fuzz/protos/xml_datatypes.proto
create mode 100644 tests/fuzz/protos/xml_domain.proto
create mode 100644 tests/fuzz/protos/xml_domain_disk_only.proto
create mode 100644 tests/fuzz/protos/xml_domain_interface_only.proto
create mode 100644 tests/fuzz/protos/xml_hotplug.proto
create mode 100644 tests/fuzz/protos/xml_nwfilter.proto
create mode 100644 tests/fuzz/qemu_xml_domain_fuzz.cc
create mode 100644 tests/fuzz/qemu_xml_hotplug_fuzz.cc
create mode 100644 tests/fuzz/run_fuzz.in
create mode 100644 tests/fuzz/vmx_xml_domain_fuzz.cc
create mode 100644 tests/fuzz/xml_nwfilter_fuzz.cc
--
2.34.1
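The structure-aware approach described in the cover letter, as an added example that is neither part of this series nor libvirt code: a small typed Python model of a domain with <disk> elements stands in for the protobuf messages the series generates from the RelaxNG schema, and a seeded mutator edits that model instead of raw bytes before serialising it to XML. The Domain and Disk dataclasses, their field names, the boundary values and the mutation menu are illustrative assumptions, not the series' proto schema. The check at the end demonstrates the property that motivates the design: every mutant is still well-formed XML, so the fuzzer's budget goes to libvirt's config parsing rather than to libxml2's error paths.

```python
"""Structure-aware XML generation and mutation, in miniature.

Added example, not libvirt's code. A typed model of a domain stands in
for the protobuf messages the series builds, and mutation happens on the
typed fields (as libprotobuf-mutator does on protobufs), never on bytes.
Field names, enums and boundary values are illustrative assumptions.
"""
from __future__ import annotations

import random
import xml.etree.ElementTree as ET
from dataclasses import dataclass, replace

# Assumed enumerations; the real schema (domaincommon.rng) has more.
DISK_TYPES = ("file", "block", "network")
DEVICES = ("disk", "cdrom", "floppy", "lun")
BUSES = ("virtio", "ide", "scsi", "sata")


@dataclass(frozen=True)
class Disk:
    type: str = "file"
    device: str = "disk"
    source: str = "/var/lib/libvirt/images/a.qcow2"
    target_dev: str = "vda"
    target_bus: str = "virtio"
    readonly: bool = False


@dataclass(frozen=True)
class Domain:
    name: str = "fuzz"
    memory_kib: int = 524288
    vcpus: int = 1
    disks: tuple = (Disk(),)


def domain_to_xml(dom: Domain) -> bytes:
    """Serialise the typed model to libvirt-style domain XML."""
    root = ET.Element("domain", type="qemu")
    ET.SubElement(root, "name").text = dom.name
    ET.SubElement(root, "memory", unit="KiB").text = str(dom.memory_kib)
    ET.SubElement(root, "vcpu").text = str(dom.vcpus)
    os_ = ET.SubElement(root, "os")
    ET.SubElement(os_, "type", arch="x86_64").text = "hvm"
    devs = ET.SubElement(root, "devices")
    for d in dom.disks:
        disk = ET.SubElement(devs, "disk", type=d.type, device=d.device)
        # The <source> attribute depends on the disk type, as in libvirt.
        attr = {"file": "file", "block": "dev", "network": "name"}[d.type]
        ET.SubElement(disk, "source", **{attr: d.source})
        ET.SubElement(disk, "target", dev=d.target_dev, bus=d.target_bus)
        if d.readonly:
            ET.SubElement(disk, "readonly")
    return ET.tostring(root)


def mutate(dom: Domain, rng: random.Random) -> Domain:
    """One structure-level mutation: change a typed field, never a byte."""
    choice = rng.randrange(6)
    if choice == 0:  # integer boundary values the schema allows syntactically
        return replace(dom, memory_kib=rng.choice((0, 1, 2**31 - 1, 2**64 - 1)))
    if choice == 1:
        return replace(dom, vcpus=rng.choice((0, 1, 255, 1 << 20)))
    if choice == 2 and dom.disks:  # duplicate a disk (target dev clash)
        return replace(dom, disks=dom.disks + (rng.choice(dom.disks),))
    if choice == 3 and dom.disks:  # drop a disk
        i = rng.randrange(len(dom.disks))
        return replace(dom, disks=dom.disks[:i] + dom.disks[i + 1:])
    if dom.disks:  # re-roll one disk's enums and strings
        i = rng.randrange(len(dom.disks))
        d = replace(dom.disks[i],
                    type=rng.choice(DISK_TYPES),
                    device=rng.choice(DEVICES),
                    target_bus=rng.choice(BUSES),
                    target_dev=rng.choice(("vda", "vda", "sda", "hda", "")),
                    source=rng.choice((dom.disks[i].source, "", "a" * 4096)),
                    readonly=rng.random() < 0.5)
        return replace(dom, disks=dom.disks[:i] + (d,) + dom.disks[i + 1:])
    return replace(dom, name=rng.choice(("", "x" * 300, "../etc")))


def fuzz_corpus(seed: int, n: int) -> list[bytes]:
    """Deterministically derive n XML mutants from the default domain."""
    rng = random.Random(seed)
    dom = Domain()
    out = []
    for _ in range(n):
        dom = mutate(dom, rng)
        out.append(domain_to_xml(dom))
    return out


def all_well_formed(docs) -> bool:
    """The property structure-aware mutation buys: the XML parser never rejects input."""
    for doc in docs:
        try:
            ET.fromstring(doc)
        except ET.ParseError:
            return False
    return True


if __name__ == "__main__":
    corpus = fuzz_corpus(seed=1, n=200)
    print(corpus[0].decode())
    print("all well-formed:", all_well_formed(corpus))
```

With libprotobuf-mutator the mutation step is supplied by the library, so in the real harness only the proto-to-XML conversion has to be written by hand, which is the role the file name tests/fuzz/proto_to_xml.cc in the diffstat suggests; the interesting crashes then come from semantic combinations (duplicate targets, zero or huge counts, empty strings) that byte-level mutation of XML would rarely reach past the parser.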