Initial fuzzer integration#961
Conversation
|
|
||
| [patch.crates-io] | ||
| webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.21", rev = "b2c3bb3" } | ||
| webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.21" } |
There was a problem hiding this comment.
did the pinned revision cause problems?
There was a problem hiding this comment.
Yes, I get the following issue:
linkerd2-proxy/linkerd/proxy/http$ cargo +nightly fuzz build
error: failed to parse manifest at `/linkerd2-proxy-6/linkerd2-proxy/Cargo.toml`
Caused by:
dependency (webpki) specification is ambiguous. Only one of `branch`, `tag` or `rev` is allowed.
Error: failed to build fuzz script: "cargo" "build" "--manifest-path" "linkerd2-proxy/linkerd/proxy/http/fuzz/Cargo.toml" "--target" "x86_64-unknown-linux-gnu" "--release" "--bins"```
There was a problem hiding this comment.
hmm, maybe we should prefer the pinned revision over the pinned branch, since the rev is more specific? but i don't have a strong opinion on this one (and the branch is much more nicely human readable!)
There was a problem hiding this comment.
out of curiosity, is there a reason we don't use the latest of the branch?
There was a problem hiding this comment.
nope: https://github.com/linkerd/webpki/commits/cert-dns-names-0.21 - just a single commit behind which bumps the version.
There was a problem hiding this comment.
welp, maybe we should fix this...but it's a job for another PR :)
hawkw
left a comment
hawkw
left a comment
There was a problem hiding this comment.
I had some largely procedural questions about how the fuzz tests are organized.
hawkw
left a comment
hawkw
left a comment
There was a problem hiding this comment.
Gave this a closer read and I had some additional suggestions. Let me know if any of these don't or you have follow-up questions?
linkerd/dns/src/lib.rs
Outdated
| pub fn fuzz_entry(fuzz_data: &str) { | ||
| if let Ok(_name) = Name::from_str(fuzz_data) { | ||
| let _fcon = FuzzConfig {}; | ||
| let _resolver = Resolver::from_system_config_with(&_fcon).unwrap(); | ||
| let a1 = async { | ||
| let _w = _resolver.resolve_a(&_name).await; | ||
| }; | ||
| futures::executor::block_on(a1); | ||
| let a2 = async { | ||
| let _w2 = _resolver.resolve_srv(&_name).await; | ||
| }; | ||
| futures::executor::block_on(a2); | ||
| } | ||
| } |
There was a problem hiding this comment.
Using futures::executor::block_on will block the current thread on the returned futures, not allowing any background tasks spawned by trust-dns etc to proceed. I don't know if this will correctly exercise the resolver code. Could we maybe change this so that fuzz_entry is an async fn that's passed to Runtime::block_on in fuzz_target_1, rather than using futures::executor::block_on? That would look something like this:
| pub fn fuzz_entry(fuzz_data: &str) { | |
| if let Ok(_name) = Name::from_str(fuzz_data) { | |
| let _fcon = FuzzConfig {}; | |
| let _resolver = Resolver::from_system_config_with(&_fcon).unwrap(); | |
| let a1 = async { | |
| let _w = _resolver.resolve_a(&_name).await; | |
| }; | |
| futures::executor::block_on(a1); | |
| let a2 = async { | |
| let _w2 = _resolver.resolve_srv(&_name).await; | |
| }; | |
| futures::executor::block_on(a2); | |
| } | |
| } | |
| pub async fn fuzz_entry(fuzz_data: &str) { | |
| if let Ok(_name) = Name::from_str(fuzz_data) { | |
| let _fcon = FuzzConfig {}; | |
| let _resolver = Resolver::from_system_config_with(&_fcon).unwrap(); | |
| let _w = _resolver.resolve_a(&_name).await; | |
| let _w2 = _resolver.resolve_srv(&_name).await; | |
| } | |
| } |
I think this code may happen to work as-is if the Tokio runtime is configured in multithreaded mode (by another crate enabling the "rt-multi-thread" feature). But, I think we should remove the use of futures::executor::block_on regardless, since it's adding additional complexity that isn't actually part of the code we want to fuzz here, and it's never used in the actual proxy binary...
There was a problem hiding this comment.
I think you're right entirely - it also seems the fuzzer is running much better with your suggestions. Please check the new set up!
linkerd/dns/fuzz/Cargo.toml
Outdated
|
|
||
| [dependencies] | ||
| libfuzzer-sys = "0.4" | ||
| tokio = { version = "1", features = ["rt", "sync", "time"] } |
There was a problem hiding this comment.
I think we may need to also enable tokio's "io" feature flag --- I believe constructing the resolver here
linkerd2-proxy/linkerd/dns/src/lib.rs
Lines 49 to 51 in 743c0f1
will try to bind a UDP socket to the Tokio event loop, which will fail without the "io" feature flag enabled?
I'm surprised we need the "sync" feature, also --- AFAICT, the fuzz targets don't use tokio's synchronization primitives?
There was a problem hiding this comment.
I don't think Tokio has an "io" flag? Do you perhaps mean io-util?
We have to build fuzzers with Cargo nightly, which complains about having both the branch and rev tag. Only one can be used. Signed-off-by: davkor <[email protected]>
Creates a set up for fuzzing Addr. This fuzzer is minor but nice to have. Signed-off-by: davkor <[email protected]>
Integrates a fuzzer for DNS. Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
|
@hawkw please check my replies to your review. There are a few ones still ones I didn't resolves as they can perhaps be up for debate. |
Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
This is an attempt to fix CI issue by removing cfg(fuzzing) feature. This simplifies things and if it works we should use the same fix elsewhere. Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
hawkw
left a comment
hawkw
left a comment
There was a problem hiding this comment.
Thanks for making the changes we discussed, this looks great. I had a few more comments, but none of them are critical --- I think this is close to ready to merge!
|
|
||
| [patch.crates-io] | ||
| webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.21", rev = "b2c3bb3" } | ||
| webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.21" } |
There was a problem hiding this comment.
welp, maybe we should fix this...but it's a job for another PR :)
| use libfuzzer_sys::arbitrary::Arbitrary; | ||
|
|
||
| #[derive(Debug, Arbitrary)] | ||
| pub struct AllocatorMethod { |
There was a problem hiding this comment.
I'm not sure if I understand the naming "AllocatorMethod"?
| pub struct AllocatorMethod { | ||
| pub data: Vec<u8>, | ||
| pub port: u16, | ||
| pub protocol: bool, | ||
| } |
There was a problem hiding this comment.
nit, not important: I don't think any of this needs to be pub?
| pub struct AllocatorMethod { | |
| pub data: Vec<u8>, | |
| pub port: u16, | |
| pub protocol: bool, | |
| } | |
| struct AllocatorMethod { | |
| data: Vec<u8>, | |
| port: u16, | |
| protocol: bool, | |
| } |
Signed-off-by: davkor <[email protected]>
Signed-off-by: davkor <[email protected]>
hawkw
left a comment
hawkw
left a comment
There was a problem hiding this comment.
Thanks for adding the new fuzzer for invalid input to TransportHeader::read_prefaced! I think this PR looks great now --- it looks like cargo fmt needs to be run before it'll pass CI, but then I'm happy to merge it!
This release fixes a caching issue in the outbound proxy's "ingress mode" that could cause the incorrect client to be used for requests. This caching has been fixed so that clients cannot be incorrectly reused across logical destinations. --- * transport: introduce Bind trait and move orig dst to the type level (linkerd/linkerd2-proxy#957) * Initial fuzzer integration (linkerd/linkerd2-proxy#961) * Fix caching in ingress mode (linkerd/linkerd2-proxy#965)
This release fixes a caching issue in the outbound proxy's "ingress mode" that could cause the incorrect client to be used for requests. This caching has been fixed so that clients cannot be incorrectly reused across logical destinations. --- * transport: introduce Bind trait and move orig dst to the type level (linkerd/linkerd2-proxy#957) * Initial fuzzer integration (linkerd/linkerd2-proxy#961) * Fix caching in ingress mode (linkerd/linkerd2-proxy#965)
This release fixes a caching issue in the outbound proxy's "ingress mode" that could cause the incorrect client to be used for requests. This caching has been fixed so that clients cannot be incorrectly reused across logical destinations. --- * transport: introduce Bind trait and move orig dst to the type level (linkerd/linkerd2-proxy#957) * Initial fuzzer integration (linkerd/linkerd2-proxy#961) * Fix caching in ingress mode (linkerd/linkerd2-proxy#965)
This release fixes a caching issue in the outbound proxy's "ingress mode" that could cause the incorrect client to be used for requests. This caching has been fixed so that clients cannot be incorrectly reused across logical destinations. --- * transport: introduce Bind trait and move orig dst to the type level (linkerd/linkerd2-proxy#957) * Initial fuzzer integration (linkerd/linkerd2-proxy#961) * Fix caching in ingress mode (linkerd/linkerd2-proxy#965) Signed-off-by: Jijeesh <[email protected]>
This release fixes a caching issue in the outbound proxy's "ingress mode" that could cause the incorrect client to be used for requests. This caching has been fixed so that clients cannot be incorrectly reused across logical destinations. --- * transport: introduce Bind trait and move orig dst to the type level (linkerd/linkerd2-proxy#957) * Initial fuzzer integration (linkerd/linkerd2-proxy#961) * Fix caching in ingress mode (linkerd/linkerd2-proxy#965)
This release fixes a caching issue in the outbound proxy's "ingress mode" that could cause the incorrect client to be used for requests. This caching has been fixed so that clients cannot be incorrectly reused across logical destinations. --- * transport: introduce Bind trait and move orig dst to the type level (linkerd/linkerd2-proxy#957) * Initial fuzzer integration (linkerd/linkerd2-proxy#961) * Fix caching in ingress mode (linkerd/linkerd2-proxy#965)
3 participants
Adds a set of fuzzers for various of the
linkerdcrates.The goal of this PR is to create an initial fuzzer infrastructure as well as fuzzers that can be integrated with OSS-Fuzz for continuous fuzzing.
The way I set it up was to place the fuzzers for a given crate within the crate folder itself. I then put in a
fuzz_logicmodule in the source code that is to be fuzzed, thus following the low of how the existing tests are written. The majority of additions in this PR are independent of the linkerd2-proxy source code, but there are a few changes.