From 0c5204c5b80d96a663d533466e29aad249ccc160 Mon Sep 17 00:00:00 2001
From: Alan Jowett
Date: Fri, 25 Oct 2024 12:48:27 -0700
Subject: [PATCH 1/3] Enable constraints check on Linux

Signed-off-by: Alan Jowett
---
 .github/workflows/fuzzing.yml | 2 +-
 external/ebpf-verifier | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
index ed56012ba..e0f518128 100644
--- a/.github/workflows/fuzzing.yml
+++ b/.github/workflows/fuzzing.yml
@@ -224,7 +224,7 @@ jobs:
 if: matrix.platform == 'ubuntu-24.04'
 run: |
 ls
- ./ubpf_fuzzer new_corpus -artifact_prefix=artifacts/ -use_value_profile=1 -max_total_time=300 -dict=dictionary.txt
+ UBPF_FUZZER_CONSTRAINT_CHECK=1 ./ubpf_fuzzer new_corpus -artifact_prefix=artifacts/ -use_value_profile=1 -max_total_time=300 -dict=dictionary.txt

 - name: Run fuzzing
 if: matrix.platform == 'windows-latest'
diff --git a/external/ebpf-verifier b/external/ebpf-verifier
index 85dfbd2b8..6150934fd 160000
--- a/external/ebpf-verifier
+++ b/external/ebpf-verifier
@@ -1 +1 @@
-Subproject commit 85dfbd2b8c18f8a6462baaea26cf9ea5dead9699
+Subproject commit 6150934fd85bf47beb83c59970acfb30fcc19a64

From 8daefe3f2072b567f0ce630e8190235a0a221c5e Mon Sep 17 00:00:00 2001
From: Alan Jowett
Date: Sat, 26 Oct 2024 12:12:04 -0700
Subject: [PATCH 2/3] Fix context handling

Signed-off-by: Alan Jowett
---
 libfuzzer/libfuzz_harness.cc | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/libfuzzer/libfuzz_harness.cc b/libfuzzer/libfuzz_harness.cc
index d89498e9b..7f0a33683 100644
--- a/libfuzzer/libfuzz_harness.cc
+++ b/libfuzzer/libfuzz_harness.cc
@@ -85,6 +85,8 @@ typedef struct _ubpf_context {
 uint64_t data;
 uint64_t data_end;
+ uint64_t original_data;
+ uint64_t original_data_end;
 uint64_t stack_start;
 uint64_t stack_end;
 } ubpf_context_t;
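Review bot: The two new members `original_data`/`original_data_end` are placed directly after `data_end`, and the descriptor elsewhere in this patch derives the verifier-visible context size from that position, yet nothing in the struct records that everything from `original_data` onward is harness-private, so a later reorder would silently change what the BPF program is allowed to touch. I would add above the new members: `// Harness-private from here on: g_ebpf_context_descriptor_ubpf.size stops at original_data, so the BPF program can only access data/data_end above.` The reason for keeping a second copy of the packet bounds appears to be that `data`/`data_end` can be overwritten while the program runs, but that is inferred from the later hunks rather than shown here, so the comment should state whatever the actual reason is.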
@@ -94,7 +96,7 @@ typedef struct _ubpf_context
 * structure in memory. */
 ebpf_context_descriptor_t g_ebpf_context_descriptor_ubpf = {
- .size = sizeof(ubpf_context_t),
+ .size = offsetof(ubpf_context_t, original_data),
 .data = offsetof(ubpf_context_t, data),
 .end = offsetof(ubpf_context_t, data_end),
 .meta = -1,
@@ -476,8 +478,8 @@ ubpf_classify_address(const ubpf_context_t* context, uint64_t register_value)
 uintptr_t stack_end = static_cast(context->stack_end);
 uintptr_t context_start = reinterpret_cast(context);
 uintptr_t context_end = context_start + sizeof(ubpf_context_t);
- uintptr_t packet_start = static_cast(context->data);
- uintptr_t packet_end = static_cast(context->data_end);
+ uintptr_t packet_start = static_cast(context->original_data);
+ uintptr_t packet_end = static_cast(context->original_data_end);
 if (register_value_ptr >= stack_start && register_value_ptr < stack_end) {
 return address_type_t::Stack;
@@ -539,6 +541,7 @@ ubpf_debug_function(
 // Build set of string constraints from the register values.
 std::set constraints;
+ constraints.insert("packet_size=" + std::to_string(ubpf_context->original_data_end - ubpf_context->original_data));
 for (int i = 0; i < 10; i++) {
 if ((register_mask & (1 << i)) == 0) {
 continue;
@@ -611,6 +614,8 @@ ubpf_context_from(std::vector& memory, std::vector& ubpf_stack
 ubpf_context_t context;
 context.data = reinterpret_cast(memory.data());
 context.data_end = context.data + memory.size();
+ context.original_data = context.data;
+ context.original_data_end = context.data_end;
 context.stack_start = reinterpret_cast(ubpf_stack.data());
 context.stack_end = context.stack_start + ubpf_stack.size();
 return context;

From 203e9b97488548e83a16ce91e38481f34c3614ae Mon Sep 17 00:00:00 2001
From: Alan Jowett
Date: Sat, 26 Oct 2024 12:13:40 -0700
Subject: [PATCH 3/3] Fix uninitialized values

Signed-off-by: Alan Jowett
---
 libfuzzer/libfuzz_harness.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
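Review bot: `.size = offsetof(ubpf_context_t, original_data)` makes the verifier-visible context depend purely on member order, with nothing enforcing that `data_end` is the last field the program may reach; a future member inserted between `data_end` and `original_data` would be exposed to BPF code without anyone noticing. Pin the invariant next to the descriptor: `static_assert(offsetof(ubpf_context_t, original_data) == offsetof(ubpf_context_t, data_end) + sizeof(uint64_t), "verifier-visible context must end at data_end");`. The hunk already relies on `offsetof`, so no additional header should be needed for the assert.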
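Review bot: `context_end` in `ubpf_classify_address` is still computed from `sizeof(ubpf_context_t)`, so the harness classifies an address inside the new private tail (`original_data` onward, plus the stack bounds) as Context while the verifier, via the descriptor change in this same patch, no longer admits accesses past `offsetof(ubpf_context_t, original_data)`. If this classification is what the constraint check compares against the verifier's model, the two will disagree on exactly the range that holds the trusted packet bounds; the safer choice is `uintptr_t context_end = context_start + offsetof(ubpf_context_t, original_data);` (or `+ g_ebpf_context_descriptor_ubpf.size`). The rest of `ubpf_classify_address` lies outside the hunk, so I cannot see whether a later branch already handles this.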
diff --git a/libfuzzer/libfuzz_harness.cc b/libfuzzer/libfuzz_harness.cc
index 7f0a33683..818d9a34a 100644
--- a/libfuzzer/libfuzz_harness.cc
+++ b/libfuzzer/libfuzz_harness.cc
@@ -611,7 +611,7 @@ ubpf_debug_function(
 ubpf_context_t
 ubpf_context_from(std::vector& memory, std::vector& ubpf_stack)
 {
- ubpf_context_t context;
+ ubpf_context_t context{};
 context.data = reinterpret_cast(memory.data());
 context.data_end = context.data + memory.size();
 context.original_data = context.data;