On Wed, 7 May 2025, Volodymyr Babchuk wrote:
> Add new alpine-based build that enables LibAFL-based fuzzer.
> 
> Use this new build to run two fuzzing sessions: hypercall fuzzing and
> gicv2 fuzzing. Currently, these are all the fuzzing modes supported by
> the xen fuzzer. Every fuzzing session will run for approximately 10 minutes.
> 
> The fuzzing session will provide the fuzzer log and any crash input data as
> artifacts. This crash data can be used later to replay the input and
> reproduce the crash.
> 
> Signed-off-by: Volodymyr Babchuk <volodymyr_babc...@epam.com>
> 
> ---
> 
> This patch is a demonstration of how the xen fuzzer can be integrated in
> CI. With this setup, it can serve as a smoke test, because a 10-minute
> fuzzing session is not enough. While there is no strict rule on how
> long a fuzzing session should run, the most widely accepted time is 24
> hours. This will require additional rules (weekly tests?) and separate
> runners (probably).

Thank you, this is great as a smoke test. It serves as documentation on
how to run this too.

Yes, it could be a weekly test in the weekend or even better simply
manually triggered.

We need to investigate what is the longest time we can run this without
breaking Gitlab.


> Right now this patch uses a docker container built by me that is hosted
> on docker hub. Of course, in the final version, this container should be
> hosted together with the other Xen CI containers.

Yes, agreed


> Also, that container is built based on the xen-fuzzer-rs project that is
> also hosted on the Xen-Troops GitHub repo, along with a custom XTF
> fork. These components should also be moved to gitlab/xen.

Agreed as well


> ---
>  automation/gitlab-ci/build.yaml | 11 +++++++++++
>  automation/gitlab-ci/test.yaml  | 34 +++++++++++++++++++++++++++++++++
>  2 files changed, 45 insertions(+)
> 
> diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml
> index ab5211f77e..6fc11fffe6 100644
> --- a/automation/gitlab-ci/build.yaml
> +++ b/automation/gitlab-ci/build.yaml
> @@ -407,12 +407,23 @@ alpine-3.18-gcc-arm64:
>      CONTAINER: alpine:3.18-arm64v8
>  
>  alpine-3.18-gcc-debug-arm64:
> +  extends: .gcc-arm64-build-debug
> +  variables:
> +    CONTAINER: alpine:3.18-arm64v8
> +    EXTRA_XEN_CONFIG: |
> +      CONFIG_UBSAN=y
> +      CONFIG_UBSAN_FATAL=

The diff is strange and I might be wrong, but it looks like this should
be CONFIG_UBSAN_FATAL=y


> +alpine-3.18-gcc-fuzzing-arm64:
>    extends: .gcc-arm64-build-debug
>    variables:
>      CONTAINER: alpine:3.18-arm64v8
>      EXTRA_XEN_CONFIG: |
>        CONFIG_UBSAN=y
>        CONFIG_UBSAN_FATAL=y
> +      CONFIG_FUZZING=y
> +      CONFIG_FUZZER_LIBAFL_QEMU=y
> +      CONFIG_FUZZER_PASS_BLOCKING=y
>  
>  alpine-3.18-gcc-arm64-randconfig:
>    extends: .gcc-arm64-build
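Review bot: the new alpine-3.18-gcc-fuzzing-arm64 job depends on CONFIG_FUZZING, CONFIG_FUZZER_LIBAFL_QEMU and CONFIG_FUZZER_PASS_BLOCKING, and nothing in this series or in the commit message says where those Kconfig symbols come from; the cover letter only mentions the out-of-tree xen-fuzzer-rs project. As far as I can tell, EXTRA_XEN_CONFIG is appended to .config and then passed through olddefconfig, which drops symbols the tree does not define instead of failing, so if the fuzzer Kconfig is not yet merged this job would go green while producing an ordinary debug build that the test jobs then try to fuzz. Please state the dependency on the fuzzer Kconfig changes in the commit message (and ideally add a short comment above the job), so that the ordering is clear when the container and the fuzzer sources move under gitlab/xen.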
> diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml
> index a603d4039a..bb8670026f 100644
> --- a/automation/gitlab-ci/test.yaml
> +++ b/automation/gitlab-ci/test.yaml
> @@ -197,6 +197,30 @@
>    tags:
>      - qubes-hw11
>  
> +.fuzzer-arm:
> +  stage: test
> +  image: xentroops/xen-fuzzer:v1
> +  variables:
> +    HARNESS: hypercall
> +    FUZZING_TIME: 600
> +  rules:
> +  - if: $SELECTED_JOBS_ONLY && $CI_JOB_NAME =~ $SELECTED_JOBS_ONLY
> +  - if: $SELECTED_JOBS_ONLY
> +    when: never
> +  - when: on_success
> +  script:
> +    - cd /root/
> +    - ./xen_fuzzer -t ${FUZZING_TIME} run ${CI_PROJECT_DIR}/binaries/xen 
> test-mmu64le-arm-${HARNESS}-fuzzer 2>&1 | tee 
> ${CI_PROJECT_DIR}/fuzzer-${HARNESS}.log
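Review bot: `image: xentroops/xen-fuzzer:v1` pulls a third-party image from Docker Hub by a mutable tag, so the fuzzer binary, the harness images (test-mmu64le-arm-${HARNESS}-fuzzer) and everything else the test job executes can change underneath CI without any change in this repository. Until the container is rebuilt and hosted with the other Xen CI containers as the cover letter intends, pin it by digest (`xentroops/xen-fuzzer@sha256:<digest>`) or at least note in the job that the tag is temporary, and consider keeping the crash-artifact path relative to ${CI_PROJECT_DIR} as the rest of test.yaml does rather than cd'ing into /root.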

Can you run it from outside the directory, like this?

/root/xen_fuzzer -t ...


> +  after_script:
> +    - cd ${CI_PROJECT_DIR}
> +    - mv /root/crashes .
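Review bot: `mv /root/crashes .` errors out when the fuzzer created no crashes directory, which is the expected outcome of a clean 10-minute smoke run, so after_script would end with a spurious failure message on every good run. Guard it, for example `[ -d /root/crashes ] && mv /root/crashes ${CI_PROJECT_DIR}` or `mkdir -p /root/crashes` before the fuzzer starts, so the artifact step is a no-op when there is nothing to collect.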

Also here you could probably do:

mv /root/crashes ${CI_PROJECT_DIR}


> +  artifacts:
> +    paths:
> +      - fuzzer-${HARNESS}.log
> +      - crashes/
> +  needs:
> +    - alpine-3.18-gcc-fuzzing-arm64
> +
>  # Test jobs
>  build-each-commit-gcc:
>    extends: .test-jobs-common
> @@ -704,3 +728,13 @@ qemu-smoke-ppc64le-powernv9-gcc:
>      - ./automation/scripts/qemu-smoke-ppc64le.sh powernv9 2>&1 | tee 
> ${LOGFILE}
>    needs:
>      - debian-12-ppc64le-gcc-debug
> +
> +arm-hypercall-fuzzer:
> +  extends: .fuzzer-arm
> +  variables:
> +    HARNESS: hypercall
> +
> +arm-vgic-fuzzer:
> +  extends: .fuzzer-arm
> +  variables:
> +    HARNESS: vgic
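Review bot: arm-hypercall-fuzzer re-sets `HARNESS: hypercall`, which is already the default in `.fuzzer-arm`, so either drop the default from the template (making every concrete job name its harness explicitly) or drop the variables block from this job; keeping both invites drift. Also, the commit message calls the second session "gicv2 fuzzing" while the job and harness are named vgic; using one name in both places would make the job list easier to match against the description.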
> -- 
> 2.48.1
> 
