[riot-commits] [RIOT-OS/RIOT] d7104e: makefiles/toolchain: add support for afl

Martine Lenders noreply at github.com
Sat Apr 18 10:54:28 CEST 2020


  Branch: refs/heads/master
  Home:   https://github.com/RIOT-OS/RIOT
  Commit: d7104e49923409208155fcf7fa68c1903a6b6571
      https://github.com/RIOT-OS/RIOT/commit/d7104e49923409208155fcf7fa68c1903a6b6571
  Author: Sören Tempel <soeren+git at soeren-tempel.net>
  Date:   2020-04-07 (Tue, 07 Apr 2020)

  Changed paths:
    M boards/native/Makefile.include
    M cpu/native/Makefile.include
    A makefiles/toolchain/afl.inc.mk

  Log Message:
  -----------
  makefiles/toolchain: add support for afl


  Commit: 9e72f717e039e0416299454cf234210ca61f2a16
      https://github.com/RIOT-OS/RIOT/commit/9e72f717e039e0416299454cf234210ca61f2a16
  Author: Sören Tempel <soeren+git at soeren-tempel.net>
  Date:   2020-04-07 (Tue, 07 Apr 2020)

  Changed paths:
    M Makefile.dep
    A sys/fuzzing/Makefile
    A sys/fuzzing/fuzzing.c
    A sys/fuzzing/netdev.c
    A sys/include/fuzzing.h

  Log Message:
  -----------
  sys/fuzzing: Initialize

This adds a utility module which is used to write applications for
fuzzing RIOT network modules. The module provides a dummy network
interface which is configured with a static IPv6 address for modules
which perform operations on the underlying network interface. Besides,
it contains a utility function for transforming data received on
standard input into a `gnrc_pktsnip_t`.


  Commit: e0570181e4d788b76f199068d61a7819b543c283
      https://github.com/RIOT-OS/RIOT/commit/e0570181e4d788b76f199068d61a7819b543c283
  Author: Sören Tempel <soeren+git at soeren-tempel.net>
  Date:   2020-04-07 (Tue, 07 Apr 2020)

  Changed paths:
    M sys/net/gnrc/pktbuf_malloc/gnrc_pktbuf_malloc.c

  Log Message:
  -----------
  gnrc_pktbuf_malloc: Terminate when fuzzing packet is freed

Since RIOT is an operating system, the native binary will never terminate
[0]. The termination condition for fuzzing GNRC is that the packet was
handled by the network stack and therefore freed. If it is never freed,
we will deadlock, meaning a memory leak was found; afl should be able to
detect this through timeouts.

This is currently only supported for gnrc_pktbuf_malloc since this is
the pktbuf implementation I used for fuzzing. Implementing this in
pktbuf.h is not possible.

[0]: Unless NATIVE_AUTO_EXIT is defined; however, even with that define
set, RIOT will only terminate when all threads have terminated. Unfortunately,
gnrc_udp and other network threads will never terminate.


  Commit: 65c7bbf76dab958bf6c9c421b3935a5f12a902fe
      https://github.com/RIOT-OS/RIOT/commit/65c7bbf76dab958bf6c9c421b3935a5f12a902fe
  Author: Sören Tempel <soeren+git at soeren-tempel.net>
  Date:   2020-04-07 (Tue, 07 Apr 2020)

  Changed paths:
    M sys/net/gnrc/sock/gnrc_sock.c

  Log Message:
  -----------
  gnrc_sock: Implement termination condition for fuzzing

The termination condition implemented in gnrc_pktbuf_malloc does not
work when using the sock interface as sock copies packet data to a local
buffer and frees the packet afterwards. As such, the fuzzing application
would exit before performing any input processing.

For this reason, the termination condition in gnrc_pktbuf_malloc is
disabled when using sock. Instead, the application terminates if
gnrc_sock_recv previously returned the fuzzing packet. The underlying
assumption of this implementation is that gnrc_sock_recv is called in a
loop.


  Commit: 24468bead67b6a4108e312bc6c65a0a6857bad86
      https://github.com/RIOT-OS/RIOT/commit/24468bead67b6a4108e312bc6c65a0a6857bad86
  Author: Sören Tempel <soeren+git at soeren-tempel.net>
  Date:   2020-04-17 (Fri, 17 Apr 2020)

  Changed paths:
    M .gitignore
    M Makefile.include
    A dist/tools/fuzzing/afl.sh
    A fuzzing/Makefile.fuzzing_common
    A fuzzing/README.md
    M makefiles/vars.inc.mk

  Log Message:
  -----------
  fuzzing: Initialize

This adds a new subdirectory called `fuzzing/` which will contain
applications for fuzzing various RIOT network modules in the future.
This subdirectory is heavily inspired by the `examples/` subdirectory.

The fuzzing applications use AFL as a fuzzer. Each application contains
Makefiles, source code, and an input corpus used by AFL to generate
input for fuzzing.


  Commit: ac9c1f4a69b12a27e872c723ac0fd9f94e1cbca6
      https://github.com/RIOT-OS/RIOT/commit/ac9c1f4a69b12a27e872c723ac0fd9f94e1cbca6
  Author: Sören Tempel <soeren+git at soeren-tempel.net>
  Date:   2020-04-17 (Fri, 17 Apr 2020)

  Changed paths:
    M sys/net/gnrc/transport_layer/tcp/gnrc_tcp_eventloop.c

  Log Message:
  -----------
  gnrc_tcp: disable checksum checks during fuzzing


  Commit: 0a189c2d739929e61df7c0d326b8a22da6112f6d
      https://github.com/RIOT-OS/RIOT/commit/0a189c2d739929e61df7c0d326b8a22da6112f6d
  Author: Sören Tempel <soeren+git at soeren-tempel.net>
  Date:   2020-04-17 (Fri, 17 Apr 2020)

  Changed paths:
    A fuzzing/gnrc_tcp/Makefile
    A fuzzing/gnrc_tcp/input/ack.dat
    A fuzzing/gnrc_tcp/input/fin_ack.dat
    A fuzzing/gnrc_tcp/input/payload.dat
    A fuzzing/gnrc_tcp/input/syn.dat
    A fuzzing/gnrc_tcp/main.c

  Log Message:
  -----------
  fuzzing/gnrc_tcp: Initialize


  Commit: 830479ece526a127822beba04e9b9edcc902a4b4
      https://github.com/RIOT-OS/RIOT/commit/830479ece526a127822beba04e9b9edcc902a4b4
  Author: Sören Tempel <soeren+git at soeren-tempel.net>
  Date:   2020-04-17 (Fri, 17 Apr 2020)

  Changed paths:
    M fuzzing/README.md

  Log Message:
  -----------
  fuzzing: Add some documentation on writing fuzzing applications


  Commit: 24d71f9d15b3730d52bb3ab9242ef87ac53c21b6
      https://github.com/RIOT-OS/RIOT/commit/24d71f9d15b3730d52bb3ab9242ef87ac53c21b6
  Author: Sören Tempel <soeren+git at soeren-tempel.net>
  Date:   2020-04-17 (Fri, 17 Apr 2020)

  Changed paths:
    M makefiles/app_dirs.inc.mk

  Log Message:
  -----------
  makefiles: Add the fuzzing/ directory to APPLICATION_DIRS

This should ensure that fuzzing applications are built by the CI.


  Commit: 55a7010a0a681f3270a11a170c9d7312f038c4af
      https://github.com/RIOT-OS/RIOT/commit/55a7010a0a681f3270a11a170c9d7312f038c4af
  Author: Martine Lenders <m.lenders at fu-berlin.de>
  Date:   2020-04-18 (Sat, 18 Apr 2020)

  Changed paths:
    M .gitignore
    M Makefile.dep
    M Makefile.include
    M boards/native/Makefile.include
    M cpu/native/Makefile.include
    A dist/tools/fuzzing/afl.sh
    A fuzzing/Makefile.fuzzing_common
    A fuzzing/README.md
    A fuzzing/gnrc_tcp/Makefile
    A fuzzing/gnrc_tcp/input/ack.dat
    A fuzzing/gnrc_tcp/input/fin_ack.dat
    A fuzzing/gnrc_tcp/input/payload.dat
    A fuzzing/gnrc_tcp/input/syn.dat
    A fuzzing/gnrc_tcp/main.c
    M makefiles/app_dirs.inc.mk
    A makefiles/toolchain/afl.inc.mk
    M makefiles/vars.inc.mk
    A sys/fuzzing/Makefile
    A sys/fuzzing/fuzzing.c
    A sys/fuzzing/netdev.c
    A sys/include/fuzzing.h
    M sys/net/gnrc/pktbuf_malloc/gnrc_pktbuf_malloc.c
    M sys/net/gnrc/sock/gnrc_sock.c
    M sys/net/gnrc/transport_layer/tcp/gnrc_tcp_eventloop.c

  Log Message:
  -----------
  Merge pull request #13157 from nmeum/pr/fuzzing_tcp_only

Add AFL-based fuzzing setup for network modules


Compare: https://github.com/RIOT-OS/RIOT/compare/2f75c60527a3...55a7010a0a68

