This series introduces multiple fuzzers developed as part of Google Summer
of Code 2024. We adopt a structure-aware fuzzing approach to fuzz libvirt
XML formats. The fuzzing methodology makes use of libFuzzer and
libprotobuf-mutator. The fuzzers work by mutating intermediate protobufs
and converting them to XML.

The fuzzing method in use requires inclusion of C++ sources. However, C++
compilation will be done only if '-Dfuzz' is enabled. Otherwise, libvirt will
compile normally as before. The fuzzing method works only on clang compilers
which support libFuzzer.

This series introduces a total of six fuzzers:

1. QEMU XML domain
2. QEMU XML hotplug
3. CH XML domain
4. VMX XML domain
5. libXL XML domain
6. NWFilter XML

In terms of the number of crashes discovered, QEMU XML domain, QEMU XML
hotplug and libXL fuzzers are the most interesting ones.

The setup process is documented at the end of the series (patch 14).

Rayhan Faizel (14):
  src: Tweak source code to allow C++ compilation
  meson: Add support for clang/LLVM coverage instrumentation
  tests: Export handlers for fake secondary drivers
  schemas: Refactor relaxNG schema to ease protobuf conversion
  scripts: Add script to convert relaxNG to protobuf
  fuzz: Implement base fuzzing setup for XML domain
  fuzz: Implement QEMU XML domain fuzzer
  fuzz: Implement QEMU XML hotplug fuzzer
  ch: Remove unused variables
  fuzz: Implement CH XML domain fuzzer
  fuzz: Implement VMX XML domain fuzzer
  fuzz: Implement libXL XML domain fuzzer
  fuzz: Implement NWFilter XML fuzzer
  docs: Document the fuzzers

 build-aux/syntax-check.mk                     |   1 +
 docs/kbase/index.rst                          |   3 +
 docs/kbase/internals/meson.build              |   1 +
 docs/kbase/internals/xml-fuzzing.rst          | 120 ++++
 meson.build                                   |  55 ++
 meson_options.txt                             |   5 +-
 scripts/meson.build                           |   1 +
 scripts/relaxng-to-proto.py                   | 521 ++++++++++++++++++
 src/ch/ch_monitor.c                           |   2 +-
 src/ch/ch_monitor.h                           |   3 +
 src/ch/ch_process.c                           |   2 -
 src/conf/domain_conf.c                        |  18 +-
 src/conf/domain_conf.h                        |   6 +-
 src/conf/netdev_vport_profile_conf.c          |   2 +-
 src/conf/schemas/basictypes.rng               |  20 +-
 src/conf/schemas/domaincommon.rng             |  11 +-
 src/conf/schemas/networkcommon.rng            |  14 +-
 src/qemu/qemu_hotplug.c                       |   4 +
 src/qemu/qemu_monitor.c                       |   6 +-
 src/qemu/qemu_monitor.h                       |   2 +-
 src/util/virfile.h                            |   2 +-
 src/util/virnetdev.h                          |  12 +-
 src/util/virnetdevip.h                        |   2 +-
 src/util/virnetdevmacvlan.h                   |   2 +-
 src/util/virnetdevvportprofile.c              |   2 +-
 src/util/virnetdevvportprofile.h              |   2 +-
 src/util/virnvme.c                            |   4 +-
 src/util/virnvme.h                            |   2 +-
 src/util/viruuid.h                            |   2 +-
 tests/commandhelper.c                         |   8 +-
 tests/fuzz/README.rst                         | 131 +++++
 tests/fuzz/ch_xml_domain_fuzz.cc              | 157 ++++++
 tests/fuzz/libxl_xml_domain_fuzz.cc           | 159 ++++++
 tests/fuzz/llvm_symbolizer_wrapper.c          |  11 +
 tests/fuzz/meson.build                        | 183 ++++++
 tests/fuzz/proto_custom_datatypes.cc          | 234 ++++++++
 tests/fuzz/proto_custom_datatypes.h           |  30 +
 tests/fuzz/proto_header_common.h              |  51 ++
 tests/fuzz/proto_to_xml.cc                    | 277 ++++++++++
 tests/fuzz/proto_to_xml.h                     |  39 ++
 tests/fuzz/protos/meson.build                 |  46 ++
 tests/fuzz/protos/xml_datatypes.proto         |  93 ++++
 tests/fuzz/protos/xml_domain.proto            |  62 +++
 tests/fuzz/protos/xml_domain_disk_only.proto  |  21 +
 .../protos/xml_domain_interface_only.proto    |  21 +
 tests/fuzz/protos/xml_hotplug.proto           |  38 ++
 tests/fuzz/protos/xml_nwfilter.proto          |   9 +
 tests/fuzz/qemu_xml_domain_fuzz.cc            | 277 ++++++++++
 tests/fuzz/qemu_xml_hotplug_fuzz.cc           | 340 ++++++++++++
 tests/fuzz/run_fuzz.in                        | 142 +++++
 tests/fuzz/vmx_xml_domain_fuzz.cc             | 208 +++++++
 tests/fuzz/xml_nwfilter_fuzz.cc               | 149 +++++
 tests/meson.build                             |   5 +
 tests/qemumonitortestutils.c                  |  48 ++
 tests/qemumonitortestutils.h                  |   6 +
 tests/qemuxmlconftest.c                       | 249 ---------
 tests/testutilsqemu.c                         | 256 +++++++++
 tests/testutilsqemu.h                         |  57 ++
 58 files changed, 3832 insertions(+), 302 deletions(-)
 create mode 100644 docs/kbase/internals/xml-fuzzing.rst
 create mode 100644 scripts/relaxng-to-proto.py
 create mode 100644 tests/fuzz/README.rst
 create mode 100644 tests/fuzz/ch_xml_domain_fuzz.cc
 create mode 100644 tests/fuzz/libxl_xml_domain_fuzz.cc
 create mode 100644 tests/fuzz/llvm_symbolizer_wrapper.c
 create mode 100644 tests/fuzz/meson.build
 create mode 100644 tests/fuzz/proto_custom_datatypes.cc
 create mode 100644 tests/fuzz/proto_custom_datatypes.h
 create mode 100644 tests/fuzz/proto_header_common.h
 create mode 100644 tests/fuzz/proto_to_xml.cc
 create mode 100644 tests/fuzz/proto_to_xml.h
 create mode 100644 tests/fuzz/protos/meson.build
 create mode 100644 tests/fuzz/protos/xml_datatypes.proto
 create mode 100644 tests/fuzz/protos/xml_domain.proto
 create mode 100644 tests/fuzz/protos/xml_domain_disk_only.proto
 create mode 100644 tests/fuzz/protos/xml_domain_interface_only.proto
 create mode 100644 tests/fuzz/protos/xml_hotplug.proto
 create mode 100644 tests/fuzz/protos/xml_nwfilter.proto
 create mode 100644 tests/fuzz/qemu_xml_domain_fuzz.cc
 create mode 100644 tests/fuzz/qemu_xml_hotplug_fuzz.cc
 create mode 100644 tests/fuzz/run_fuzz.in
 create mode 100644 tests/fuzz/vmx_xml_domain_fuzz.cc
 create mode 100644 tests/fuzz/xml_nwfilter_fuzz.cc

-- 
2.34.1

On Mon, Aug 19, 2024 at 09:39:38PM +0530, Rayhan Faizel wrote:
> This series introduces multiple fuzzers developed as part of Google Summer
> of Code 2024. We adopt a structure-aware fuzzing approach to fuzz libvirt
> XML formats. The fuzzing methodology makes use of libFuzzer and
> libprotobuf-mutator. The fuzzers work by mutating intermediate protobufs
> and converting them to XML.
> 
> The fuzzing method in use requires inclusion of C++ sources. However, C++
> compilation will be done only if '-Dfuzz' is enabled. Otherwise, libvirt will
> compile normally as before. The fuzzing method works only on clang compilers
> which support libFuzzer.

Hmm, I wish you'd raised this issue on the list before investing all
this work becasue IMHO the dependency on C++ is not something I would
want to see in the libvirt project, even just for tests. It was a
very delibrate decision that libvirt be a C project, not C++ project,
and if we're going to extend libvirt to take code in any new language
the choices that make sense looking to the future are Rust or Go,
not C++.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

On Tue, Aug 20, 2024 at 03:03:47PM +0100, Daniel P. Berrangé wrote:
>On Mon, Aug 19, 2024 at 09:39:38PM +0530, Rayhan Faizel wrote:
>> This series introduces multiple fuzzers developed as part of Google Summer
>> of Code 2024. We adopt a structure-aware fuzzing approach to fuzz libvirt
>> XML formats. The fuzzing methodology makes use of libFuzzer and
>> libprotobuf-mutator. The fuzzers work by mutating intermediate protobufs
>> and converting them to XML.
>>
>> The fuzzing method in use requires inclusion of C++ sources. However, C++
>> compilation will be done only if '-Dfuzz' is enabled. Otherwise, libvirt will
>> compile normally as before. The fuzzing method works only on clang compilers
>> which support libFuzzer.
>
>Hmm, I wish you'd raised this issue on the list before investing all
>this work becasue IMHO the dependency on C++ is not something I would
>want to see in the libvirt project, even just for tests. It was a
>very delibrate decision that libvirt be a C project, not C++ project,
>and if we're going to extend libvirt to take code in any new language
>the choices that make sense looking to the future are Rust or Go,
>not C++.
>

That was unfortunate, but since Rayhan had the first implementation done
in a very short time we rather spent the rest of the time enhancing the
fuzzing and it definitely bore fruit -- some of the found things are
fixed, some are still waiting for a patch or two.

The crucial part of this is the existing libprotobuf-mutator which is
already in C++ and does provide very specific C++ APIs.

Another approach (except writing our own mutator) would be to keep the
code in a separate repository.  I'm not completely sure whether we would
still need the code modifications, I don't remember our discussions
about whether the fuzzing compilation could work with all current
libvirt code compiled as C and only the fuzzing parts compiled in C++.

>With regards,
>Daniel
>-- 
>|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
>|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
>|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
>

On Tue, Aug 27, 2024 at 10:06:58AM +0200, Martin Kletzander wrote:
> On Tue, Aug 20, 2024 at 03:03:47PM +0100, Daniel P. Berrangé wrote:
> > On Mon, Aug 19, 2024 at 09:39:38PM +0530, Rayhan Faizel wrote:
> > > This series introduces multiple fuzzers developed as part of Google Summer
> > > of Code 2024. We adopt a structure-aware fuzzing approach to fuzz libvirt
> > > XML formats. The fuzzing methodology makes use of libFuzzer and
> > > libprotobuf-mutator. The fuzzers work by mutating intermediate protobufs
> > > and converting them to XML.
> > > 
> > > The fuzzing method in use requires inclusion of C++ sources. However, C++
> > > compilation will be done only if '-Dfuzz' is enabled. Otherwise, libvirt will
> > > compile normally as before. The fuzzing method works only on clang compilers
> > > which support libFuzzer.
> > 
> > Hmm, I wish you'd raised this issue on the list before investing all
> > this work becasue IMHO the dependency on C++ is not something I would
> > want to see in the libvirt project, even just for tests. It was a
> > very delibrate decision that libvirt be a C project, not C++ project,
> > and if we're going to extend libvirt to take code in any new language
> > the choices that make sense looking to the future are Rust or Go,
> > not C++.
> > 
> 
> That was unfortunate, but since Rayhan had the first implementation done
> in a very short time we rather spent the rest of the time enhancing the
> fuzzing and it definitely bore fruit -- some of the found things are
> fixed, some are still waiting for a patch or two.

Do you have pointers to the list of things that it found ?

> The crucial part of this is the existing libprotobuf-mutator which is
> already in C++ and does provide very specific C++ APIs.

I'm struggling a little to understand exactly what kind of changes
this code actually produces ?  Are there examples of the mutated
XML files showing these changes ?

> Another approach (except writing our own mutator) would be to keep the
> code in a separate repository.  I'm not completely sure whether we would
> still need the code modifications, I don't remember our discussions
> about whether the fuzzing compilation could work with all current
> libvirt code compiled as C and only the fuzzing parts compiled in C++.

If we could have it in a separate repo, and NOT have to change libvirt
code to avoid C++ keywords/etc, then that could make it more palatable.
Ultimately though the libvirt maintainers are still on the hook to
maintain C++ code long term now, so a separate repo just stops the
C++ stuff spreading :-(

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

On Mon, Sep 02, 2024 at 03:46:26PM +0100, Daniel P. Berrangé wrote:
>On Tue, Aug 27, 2024 at 10:06:58AM +0200, Martin Kletzander wrote:
>> On Tue, Aug 20, 2024 at 03:03:47PM +0100, Daniel P. Berrangé wrote:
>> > On Mon, Aug 19, 2024 at 09:39:38PM +0530, Rayhan Faizel wrote:
>> > > This series introduces multiple fuzzers developed as part of Google Summer
>> > > of Code 2024. We adopt a structure-aware fuzzing approach to fuzz libvirt
>> > > XML formats. The fuzzing methodology makes use of libFuzzer and
>> > > libprotobuf-mutator. The fuzzers work by mutating intermediate protobufs
>> > > and converting them to XML.
>> > >
>> > > The fuzzing method in use requires inclusion of C++ sources. However, C++
>> > > compilation will be done only if '-Dfuzz' is enabled. Otherwise, libvirt will
>> > > compile normally as before. The fuzzing method works only on clang compilers
>> > > which support libFuzzer.
>> >
>> > Hmm, I wish you'd raised this issue on the list before investing all
>> > this work becasue IMHO the dependency on C++ is not something I would
>> > want to see in the libvirt project, even just for tests. It was a
>> > very delibrate decision that libvirt be a C project, not C++ project,
>> > and if we're going to extend libvirt to take code in any new language
>> > the choices that make sense looking to the future are Rust or Go,
>> > not C++.
>> >
>>
>> That was unfortunate, but since Rayhan had the first implementation done
>> in a very short time we rather spent the rest of the time enhancing the
>> fuzzing and it definitely bore fruit -- some of the found things are
>> fixed, some are still waiting for a patch or two.
>
>Do you have pointers to the list of things that it found ?
>

Oh, I thought the link to the write-up was somewhere in here, sorry.

https://gitlab.com/Skryptonyte/libvirt-gsoc-finalreport

>> The crucial part of this is the existing libprotobuf-mutator which is
>> already in C++ and does provide very specific C++ APIs.
>
>I'm struggling a little to understand exactly what kind of changes
>this code actually produces ?  Are there examples of the mutated
>XML files showing these changes ?
>

See the link above.

Once The fuzzing is running (and it had pretty quick results for me) it
is written in a way that the conflicting XMLs can be produced from the
results.

>> Another approach (except writing our own mutator) would be to keep the
>> code in a separate repository.  I'm not completely sure whether we would
>> still need the code modifications, I don't remember our discussions
>> about whether the fuzzing compilation could work with all current
>> libvirt code compiled as C and only the fuzzing parts compiled in C++.
>
>If we could have it in a separate repo, and NOT have to change libvirt
>code to avoid C++ keywords/etc, then that could make it more palatable.
>Ultimately though the libvirt maintainers are still on the hook to
>maintain C++ code long term now, so a separate repo just stops the
>C++ stuff spreading :-(
>

It is definitely possible, the question is how long until that becomes
stale/out of date.

>With regards,
>Daniel
>-- 
>|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
>|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
>|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
>

On Tue, Aug 27, 2024 at 11:07 AM Martin Kletzander <mkletzan@redhat.com> wrote:
>
> That was unfortunate, but since Rayhan had the first implementation done
> in a very short time we rather spent the rest of the time enhancing the
> fuzzing and it definitely bore fruit -- some of the found things are
> fixed, some are still waiting for a patch or two.
>
> The crucial part of this is the existing libprotobuf-mutator which is
> already in C++ and does provide very specific C++ APIs.
>
> Another approach (except writing our own mutator) would be to keep the
> code in a separate repository.  I'm not completely sure whether we would
> still need the code modifications, I don't remember our discussions
> about whether the fuzzing compilation could work with all current
> libvirt code compiled as C and only the fuzzing parts compiled in C++.
>

All the existing code is indeed still compiled as C. Only the fuzzing
executables (under tests/fuzz/) are compiled in C++ and linked to
those C objects. We still do need some of the minor code modifications
(in PATCH 1) because existing C headers are sometimes interpreted a
bit differently from the fuzzer's PoV, even with C linkage.

There are still some other code modifications in tests/ and src/ for a
few other fuzzers (mostly hotplug and CH) to make fuzzing easier.

I agree that we could keep it as a separate repo, perhaps a
subproject. I have seen some projects keep their fuzzing code separate
(mostly on oss-fuzz).

--
Rayhan Faizel

On Tue, Aug 27, 2024 at 12:08:27PM +0300, Rayhan Faizel wrote:
>On Tue, Aug 27, 2024 at 11:07 AM Martin Kletzander <mkletzan@redhat.com> wrote:
>>
>> That was unfortunate, but since Rayhan had the first implementation done
>> in a very short time we rather spent the rest of the time enhancing the
>> fuzzing and it definitely bore fruit -- some of the found things are
>> fixed, some are still waiting for a patch or two.
>>
>> The crucial part of this is the existing libprotobuf-mutator which is
>> already in C++ and does provide very specific C++ APIs.
>>
>> Another approach (except writing our own mutator) would be to keep the
>> code in a separate repository.  I'm not completely sure whether we would
>> still need the code modifications, I don't remember our discussions
>> about whether the fuzzing compilation could work with all current
>> libvirt code compiled as C and only the fuzzing parts compiled in C++.
>>
>
>All the existing code is indeed still compiled as C. Only the fuzzing
>executables (under tests/fuzz/) are compiled in C++ and linked to
>those C objects. We still do need some of the minor code modifications
>(in PATCH 1) because existing C headers are sometimes interpreted a
>bit differently from the fuzzer's PoV, even with C linkage.
>

Sorry, what I meant is whether it would be possible to keep the code as
is, the keyword parameters are a bit of a problem, but writing a layer
of C code to call it through from the C++ code feels weird.  Of course
attributes are also complicated to make work, but those changes in the C
code are pretty okay I think.

>There are still some other code modifications in tests/ and src/ for a
>few other fuzzers (mostly hotplug and CH) to make fuzzing easier.
>
>I agree that we could keep it as a separate repo, perhaps a
>subproject. I have seen some projects keep their fuzzing code separate
>(mostly on oss-fuzz).
>
>--
>Rayhan Faizel
>

On Tue, Aug 27, 2024 at 1:51 PM Martin Kletzander <mkletzan@redhat.com> wrote:
>
> On Tue, Aug 27, 2024 at 12:08:27PM +0300, Rayhan Faizel wrote:
> >
> >All the existing code is indeed still compiled as C. Only the fuzzing
> >executables (under tests/fuzz/) are compiled in C++ and linked to
> >those C objects. We still do need some of the minor code modifications
> >(in PATCH 1) because existing C headers are sometimes interpreted a
> >bit differently from the fuzzer's PoV, even with C linkage.
> >
>
> Sorry, what I meant is whether it would be possible to keep the code as
> is, the keyword parameters are a bit of a problem, but writing a layer
> of C code to call it through from the C++ code feels weird.  Of course
> attributes are also complicated to make work, but those changes in the C
> code are pretty okay I think.
>

Sorry, I am not sure I fully understand the first statement regarding
writing a layer of C code. I had only replaced the keyword parameters
with alternative names in PATCH 1.

> >There are still some other code modifications in tests/ and src/ for a
> >few other fuzzers (mostly hotplug and CH) to make fuzzing easier.
> >
> >I agree that we could keep it as a separate repo, perhaps a
> >subproject. I have seen some projects keep their fuzzing code separate
> >(mostly on oss-fuzz).
> >
> >--
> >Rayhan Faizel
> >

--
Rayhan Faizel

On Tue, Aug 27, 2024 at 02:15:10PM +0300, Rayhan Faizel wrote:
>On Tue, Aug 27, 2024 at 1:51 PM Martin Kletzander <mkletzan@redhat.com> wrote:
>>
>> On Tue, Aug 27, 2024 at 12:08:27PM +0300, Rayhan Faizel wrote:
>> >
>> >All the existing code is indeed still compiled as C. Only the fuzzing
>> >executables (under tests/fuzz/) are compiled in C++ and linked to
>> >those C objects. We still do need some of the minor code modifications
>> >(in PATCH 1) because existing C headers are sometimes interpreted a
>> >bit differently from the fuzzer's PoV, even with C linkage.
>> >
>>
>> Sorry, what I meant is whether it would be possible to keep the code as
>> is, the keyword parameters are a bit of a problem, but writing a layer
>> of C code to call it through from the C++ code feels weird.  Of course
>> attributes are also complicated to make work, but those changes in the C
>> code are pretty okay I think.
>>
>
>Sorry, I am not sure I fully understand the first statement regarding
>writing a layer of C code. I had only replaced the keyword parameters
>with alternative names in PATCH 1.
>

My bad, I was trying to be brief and overdone it.  What I meant is a
function that would look like the following, but it would not be a very
nice solution:

int callableFromCPlusPlus(int a, int b) {
     return orig(a, b);
}

and call that one from C++.  Now that I think about it, it could be even
easier, and maybe more awkward, if you only changed the declarations in
the header.

But anyway, we're getting sidetracked, sorry for that.

>> >There are still some other code modifications in tests/ and src/ for a
>> >few other fuzzers (mostly hotplug and CH) to make fuzzing easier.
>> >
>> >I agree that we could keep it as a separate repo, perhaps a
>> >subproject. I have seen some projects keep their fuzzing code separate
>> >(mostly on oss-fuzz).
>> >
>> >--
>> >Rayhan Faizel
>> >
>
>--
>Rayhan Faizel
>