
libfuzzer based fuzzers aren't covering all code paths #3455

Open
Alan-Jowett opened this issue Apr 15, 2024 · 1 comment
Labels: enhancement (New feature or request), tests, triaged (Discussed in a triage meeting)

Comments
@Alan-Jowett (Member)

  1. Launch execution context fuzzer under debugger.
  2. Place breakpoints on all protocol handler functions.
  3. As each function is hit, remove that breakpoint.

Expected result:
All protocol handlers should be hit at least once.

Actual result:
The following were never hit:

execution_context_fuzzer!_ebpf_core_protocol_map_update_element_with_handle
execution_context_fuzzer!_ebpf_core_protocol_ring_buffer_map_query_buffer
execution_context_fuzzer!_ebpf_core_protocol_create_program
execution_context_fuzzer!_ebpf_core_protocol_load_code
execution_context_fuzzer!_ebpf_core_protocol_map_get_next_key_value_batch
execution_context_fuzzer!_ebpf_core_protocol_get_pinned_object
execution_context_fuzzer!_ebpf_core_protocol_get_pinned_map_info
execution_context_fuzzer!_ebpf_core_protocol_create_map
execution_context_fuzzer!_ebpf_core_protocol_get_program_handle_by_id
execution_context_fuzzer!_ebpf_core_protocol_link_program
execution_context_fuzzer!_ebpf_core_protocol_close_handle
execution_context_fuzzer!_ebpf_core_protocol_map_delete_element
execution_context_fuzzer!_ebpf_core_protocol_map_update_element
execution_context_fuzzer!_ebpf_core_protocol_convert_pinning_entries_to_map_info_array
execution_context_fuzzer!_ebpf_core_protocol_get_link_handle_by_id
execution_context_fuzzer!_ebpf_core_protocol_unlink_program
execution_context_fuzzer!_ebpf_core_protocol_get_map_handle_by_id
execution_context_fuzzer!_ebpf_core_protocol_map_update_element_batch
execution_context_fuzzer!_ebpf_core_protocol_map_delete_element_batch
execution_context_fuzzer!_ebpf_core_protocol_load_native_module
execution_context_fuzzer!_ebpf_core_protocol_serialize_map_info_reply
execution_context_fuzzer!_ebpf_core_protocol_bind_map
execution_context_fuzzer!_ebpf_core_protocol_get_ec_function

@dthaler dthaler added tests enhancement New feature or request labels Apr 22, 2024
@shankarseal (Collaborator) commented Apr 22, 2024

Since libfuzzer sets the reply buffer size to a random value, it misses all the protocol messages that require a specific size.
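As an added illustration (not ebpf-for-windows code and not the commenter's), the hypothetical dispatcher below shows the mechanism the comment describes: handlers that validate the reply buffer size before running are unreachable when the harness picks that size from raw fuzz bytes, and reachable when the size is derived from the requested operation. All handler names, sizes and the corpus are constructed.

```cpp
// Added illustration, not code from ebpf-for-windows: a hypothetical dispatcher
// whose handlers reject any reply buffer that is not exactly the size they
// require, exercised by two harness styles over the same constructed corpus.
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical handler table: required_reply_size 0 means any size is accepted.
struct Handler {
    std::string name;
    size_t required_reply_size;
};
static const std::map<uint8_t, Handler> kHandlers = {
    {0, {"hypothetical_noop", 0}},
    {1, {"hypothetical_get_program_info", 64}},
    {2, {"hypothetical_query_buffer", 16}},
    {3, {"hypothetical_get_handle_by_id", 8}},
};
// Constructed corpus: byte 0 = opcode, byte 1 = whatever the fuzzer produced.
static const std::vector<std::vector<uint8_t>> kCorpus = {{0, 7}, {1, 200}, {2, 33}, {3, 1}};

// The size check runs before the handler body, so a wrong reply size means the
// body (the code the fuzzer is meant to reach) never executes.
static bool dispatch(uint8_t opcode, size_t reply_size, std::set<std::string>& hit) {
    auto it = kHandlers.find(opcode);
    if (it == kHandlers.end()) return false;
    const Handler& h = it->second;
    if (h.required_reply_size != 0 && reply_size != h.required_reply_size) return false;
    hit.insert(h.name);
    return true;
}
// Harness A: reply size taken verbatim from fuzz byte 1 (random w.r.t. the handler).
static size_t coverage_random_reply(const std::vector<std::vector<uint8_t>>& corpus) {
    std::set<std::string> hit;
    for (const auto& in : corpus)
        if (in.size() >= 2) dispatch(in[0], in[1], hit);
    return hit.size();
}
// Harness B: reply size derived from the selected opcode's requirement.
static size_t coverage_sized_reply(const std::vector<std::vector<uint8_t>>& corpus) {
    std::set<std::string> hit;
    for (const auto& in : corpus) {
        auto it = in.size() >= 2 ? kHandlers.find(in[0]) : kHandlers.end();
        if (it != kHandlers.end()) dispatch(in[0], it->second.required_reply_size, hit);
    }
    return hit.size();
}
```

Over the constructed corpus, harness A reaches only the handler that accepts any reply size, while harness B reaches all four; a real harness can keep a fuzz-controlled size for the negative paths while also trying the required size.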

@shankarseal shankarseal added this to the 2405 milestone Apr 22, 2024
@shankarseal shankarseal added the triaged Discussed in a triage meeting label Apr 22, 2024
@shankarseal shankarseal modified the milestones: 2405, 2406 May 1, 2024