Verifier integration with libfuzzer tests.

Signed-off-by: Alan Jowett <[email protected]>

.github/workflows/fuzzing.yml

@@ -10,13 +10,14 @@ on:
   schedule: # Run every day at 21:00 UTC
     - cron: '00 21 * * *'
   workflow_dispatch: # Run manually
+  workflow_call:
 
 jobs:
   build:
     strategy:
       matrix:
         platform:
-          - ubuntu-latest
+          - ubuntu-24.04
         arch:
           - x86_64
 
@@ -48,7 +49,7 @@ jobs:
           ccache
 
     - name: Install system dependencies (Linux)
-      if: matrix.platform == 'ubuntu-latest'
+      if: matrix.platform == 'ubuntu-24.04'
       run: |
         sudo apt-get update
 
@@ -60,7 +61,8 @@ jobs:
           libboost-dev \
           libboost-program-options-dev \
           libboost-filesystem-dev \
-          libelf-dev
+          libelf-dev \
+          libyaml-cpp-dev
 
         if [[ "${{ matrix.arch }}" == "arm64" ]] ; then
           sudo apt install -y \
@@ -70,7 +72,7 @@ jobs:
         fi
 
     - name: Build/install libbpf From Source
-      if: matrix.platform == 'ubuntu-latest'
+      if: matrix.platform == 'ubuntu-24.04'
       run: ./.github/scripts/build-libbpf.sh
       shell: bash
 
@@ -92,11 +94,11 @@ jobs:
           -G Ninja \
           -S . \
           -B build \
-          -DCMAKE_BUILD_TYPE=Debug \
+          -DCMAKE_BUILD_TYPE=RelWithDebInfo \
           -DCMAKE_C_COMPILER=clang \
           -DCMAKE_CXX_COMPILER=clang++ \
           -DUBPF_ENABLE_LIBFUZZER=1 \
-          -DCMAKE_BUILD_TYPE=Debug
+          -DVERIFIER_ENABLE_TESTS=false \
           ${arch_flags}
 
     - name: Build uBPF
@@ -136,6 +138,7 @@ jobs:
         ./ubpf_fuzzer new_corpus -artifact_prefix=artifacts/ -use_value_profile=1 -max_total_time=300
 
     - name: Merge corpus into fuzz/corpus
+      if: ${{ github.event_name == 'schedule' }}
       run: |
         ./ubpf_fuzzer -merge=1 fuzz/corpus new_corpus
         git add fuzz/corpus

.github/workflows/main.yml

@@ -11,7 +11,7 @@
 name: Main
 
 permissions:
-  contents: read
+  contents: write # Required by fuzzing task.
   security-events: write # Required by codeql task.
   actions: read
 
@@ -340,6 +340,9 @@ jobs:
       build_codeql: true
       disable_retpolines: true
 
+  linux_release_fuzzing:
+    uses: ./.github/workflows/fuzzing.yml
+
   # Disabled until https://github.com/iovisor/ubpf/issues/155 is resolved.
   # linux_debug_arm64_sanitizers:
   #   uses: ./.github/workflows/posix.yml

.gitmodules

@@ -4,3 +4,6 @@
 [submodule "external/bpf_conformance"]
 	path = external/bpf_conformance
 	url = https://github.com/Alan-Jowett/bpf_conformance.git
+[submodule "external/ebpf-verifier"]
+	path = external/ebpf-verifier
+	url = https://github.com/vbpf/ebpf-verifier.git

CMakeLists.txt

@@ -43,4 +43,5 @@ endif()
 
 if (UBPF_ENABLE_LIBFUZZER)
   add_subdirectory("libfuzzer")
+  add_subdirectory("external/ebpf-verifier")
 endif()

cmake/options.cmake

@@ -10,6 +10,7 @@ if(PLATFORM_LINUX OR PLATFORM_MACOS)
   option(UBPF_ENABLE_COVERAGE "Set to true to enable coverage flags")
   option(UBPF_ENABLE_SANITIZERS "Set to true to enable the address and undefined sanitizers")
   option(UBPF_ENABLE_LIBFUZZER "Set to true to enable the libfuzzer")
+  option(UBPF_ENABLE_LIBFUZZER_CONSTRAINT_CHECK "Set to true to enable the libfuzzer constraint check")
 endif()
 
 option(UBPF_DISABLE_RETPOLINES "Disable retpoline security on indirect calls and jumps")

custom_tests/srcs/ubpf_test_debug_function.cc

@@ -22,8 +22,10 @@ typedef struct _vm_state {
 } vm_state_t;
 
 void
-debug_callout(void* context, int program_counter, const uint64_t registers[16], const uint8_t* stack_start, size_t stack_length)
+debug_callout(void* context, int program_counter, const uint64_t registers[16], const uint8_t* stack_start, size_t stack_length, uint64_t register_mask, const uint8_t* stack_mask)
 {
+    UNREFERENCED_PARAMETER(register_mask);
+    UNREFERENCED_PARAMETER(stack_mask);
     std::vector<vm_state_t>* vm_states = static_cast<std::vector<vm_state_t>*>(context);
     vm_state_t vm_state{};
 

libfuzzer/CMakeLists.txt

@@ -6,24 +6,54 @@ if (UBPF_SKIP_EXTERNAL)
     return()
 endif()
 
-set(CMAKE_CXX_STANDARD 20)
-
-add_executable(
-    ubpf_fuzzer
-    libfuzz_harness.cc
-)
-
-target_include_directories("ubpf_fuzzer" PRIVATE
-    "${CMAKE_SOURCE_DIR}/vm"
+set(UBPF_FUZZER_INCLUDES "${CMAKE_SOURCE_DIR}/vm"
     "${CMAKE_BINARY_DIR}/vm"
+    "${CMAKE_BINARY_DIR}/_deps/gsl-src/include"
     "${CMAKE_SOURCE_DIR}/vm/inc"
     "${CMAKE_BINARY_DIR}/vm/inc"
     "${CMAKE_SOURCE_DIR}/ubpf_plugin"
-)
+    "${CMAKE_SOURCE_DIR}/external/ebpf-verifier/src"
+    "${CMAKE_SOURCE_DIR}/external/ebpf-verifier/src/crab"
+    "${CMAKE_SOURCE_DIR}/external/ebpf-verifier/src/crab_utils"
+    "${CMAKE_CURRENT_BINARY_DIR}")
 
-target_link_libraries(
-    ubpf_fuzzer
+set(UBPF_FUZZER_LIBS
     ubpf
     ubpf_settings
+    ebpfverifier)
+
+# include(CheckCXXSymbolExists)
+
+set(CMAKE_REQUIRED_INCLUDES ${UBPF_FUZZER_INCLUDES})
+
+# check_cxx_symbol_exists(ebpf_verifier_options_t::store_pre_invariants "config.hpp" HAVE_EBPF_CHECK_CONSTRAINTS_AT_LABEL)
+
+include(CheckCXXSourceCompiles)
+
+set(CHECK_CONFIG_STORE_PRE_INVARIANTS "
+#include <config.hpp>
+int main() {
+    ebpf_verifier_options_t options;
+    options.store_pre_invariants = true;
+    return 0;
+}
+")
+
+check_cxx_source_compiles("${CHECK_CONFIG_STORE_PRE_INVARIANTS}" HAVE_EBPF_VERIFIER_CHECK_CONSTRAINTS_AT_LABEL)
+
+set(CMAKE_CXX_STANDARD 20)
+
+configure_file(
+    libfuzzer_config.h.inc
+    "${CMAKE_CURRENT_BINARY_DIR}/libfuzzer_config.h"
+)
+
+add_executable(
+    ubpf_fuzzer
+    libfuzz_harness.cc
 )
 
+target_include_directories("ubpf_fuzzer" PRIVATE ${UBPF_FUZZER_INCLUDES})
+
+target_link_libraries(ubpf_fuzzer PRIVATE ${UBPF_FUZZER_LIBS})
+