Re: [RFC PATCH v3 2/2] ci: enable fuzzing for arm64
On Wed, 7 May 2025, Volodymyr Babchuk wrote:
> Add a new Alpine-based build that enables the LibAFL-based fuzzer.
>
> Use this new build to run two fuzzing sessions: hypercall fuzzing and
> gicv2 fuzzing. Currently, these are all the fuzzing modes supported by
> the xen fuzzer. Every fuzzing session will run for approximately 10 minutes.
>
> The fuzzing session will provide the fuzzer log and any crash input data as
> artifacts. This crash data can be used later to replay the input and
> reproduce the crash.
>
> Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@xxxxxxxx>
>
> ---
>
> This patch is a demonstration of how the xen fuzzer can be integrated in
> CI. With this setup, it can serve as a smoke test, because a 10 minute
> fuzzing session is not enough. While there is no strict rule on how
> long a fuzzing session should run, the most widely accepted time is 24
> hours. This will require additional rules (weekly tests?) and separate
> runners (probably).
Thank you, this is great as a smoke test. It serves as documentation on
how to run this too.
Yes, it could be a weekly test on the weekend, or even better simply
manually triggered.
We need to investigate what is the longest time we can run this without
breaking GitLab.
> Right now this patch uses a docker container built by me that is hosted
> on Docker Hub. Of course, in the final version, this container should be
> hosted together with the other Xen CI containers.
Yes, agreed
> Also, that container is built based on the xen-fuzzer-rs project that is
> also hosted on the Xen-Troops GitHub repo, along with a custom XTF
> fork. These components should also be moved to gitlab/xen.
Agreed as well
> ---
> automation/gitlab-ci/build.yaml | 11 +++++++++++
> automation/gitlab-ci/test.yaml | 34 +++++++++++++++++++++++++++++++++
> 2 files changed, 45 insertions(+)
>
> diff --git a/automation/gitlab-ci/build.yaml b/automation/gitlab-ci/build.yaml
> index ab5211f77e..6fc11fffe6 100644
> --- a/automation/gitlab-ci/build.yaml
> +++ b/automation/gitlab-ci/build.yaml
> @@ -407,12 +407,23 @@ alpine-3.18-gcc-arm64:
> CONTAINER: alpine:3.18-arm64v8
>
> alpine-3.18-gcc-debug-arm64:
> + extends: .gcc-arm64-build-debug
> + variables:
> + CONTAINER: alpine:3.18-arm64v8
> + EXTRA_XEN_CONFIG: |
> + CONFIG_UBSAN=y
> + CONFIG_UBSAN_FATAL=
The diff is strange and I might be wrong, but it looks like this should
be CONFIG_UBSAN_FATAL=y
> +alpine-3.18-gcc-fuzzing-arm64:
> extends: .gcc-arm64-build-debug
> variables:
> CONTAINER: alpine:3.18-arm64v8
> EXTRA_XEN_CONFIG: |
> CONFIG_UBSAN=y
> CONFIG_UBSAN_FATAL=y
> + CONFIG_FUZZING=y
> + CONFIG_FUZZER_LIBAFL_QEMU=y
> + CONFIG_FUZZER_PASS_BLOCKING=y
>
> alpine-3.18-gcc-arm64-randconfig:
> extends: .gcc-arm64-build
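Review bot: the new alpine-3.18-gcc-fuzzing-arm64 job repeats the debug job's whole variables block (CONTAINER, the EXTRA_XEN_CONFIG with CONFIG_UBSAN=y and CONFIG_UBSAN_FATAL=y) and only then appends CONFIG_FUZZING=y, CONFIG_FUZZER_LIBAFL_QEMU=y and CONFIG_FUZZER_PASS_BLOCKING=y, so the two copies must be kept in sync by hand; the `CONFIG_UBSAN_FATAL=` line a few lines above, with no value, is exactly the kind of drift that leaves a debug build that no longer aborts on a UBSAN report. Please re-check that line is `CONFIG_UBSAN_FATAL=y` and add a short comment in build.yaml saying the fuzzing job mirrors alpine-3.18-gcc-debug-arm64 plus the fuzzing options. The commit message should also say what CONFIG_FUZZER_PASS_BLOCKING=y does, since it is not explained anywhere in the description.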
> diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml
> index a603d4039a..bb8670026f 100644
> --- a/automation/gitlab-ci/test.yaml
> +++ b/automation/gitlab-ci/test.yaml
> @@ -197,6 +197,30 @@
> tags:
> - qubes-hw11
>
> +.fuzzer-arm:
> + stage: test
> + image: xentroops/xen-fuzzer:v1
> + variables:
> + HARNESS: hypercall
> + FUZZING_TIME: 600
> + rules:
> + - if: $SELECTED_JOBS_ONLY && $CI_JOB_NAME =~ $SELECTED_JOBS_ONLY
> + - if: $SELECTED_JOBS_ONLY
> + when: never
> + - when: on_success
> + script:
> + - cd /root/
> + - ./xen_fuzzer -t ${FUZZING_TIME} run ${CI_PROJECT_DIR}/binaries/xen
> test-mmu64le-arm-${HARNESS}-fuzzer 2>&1 | tee
> ${CI_PROJECT_DIR}/fuzzer-${HARNESS}.log
Can you run it from outside the directory, like this?
/root/xen_fuzzer -t ...
> + after_script:
> + - cd ${CI_PROJECT_DIR}
> + - mv /root/crashes .
Also here you could probably do:
mv /root/crashes ${CI_PROJECT_DIR}
> + artifacts:
> + paths:
> + - fuzzer-${HARNESS}.log
> + - crashes/
> + needs:
> + - alpine-3.18-gcc-fuzzing-arm64
> +
> # Test jobs
> build-each-commit-gcc:
> extends: .test-jobs-common
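Review bot: in the script block the fuzzer's exit status is lost: `./xen_fuzzer -t ${FUZZING_TIME} run ... 2>&1 | tee ${CI_PROJECT_DIR}/fuzzer-${HARNESS}.log` returns the status of `tee`, and nothing in .fuzzer-arm enables pipefail, so a fuzzer that aborts early, or exits non-zero after finding a crash, still yields a green job with the only signal buried in the log artifact. Add `set -o pipefail` before the pipeline (or redirect to the log file and print it afterwards) so a failed or crashing session shows in the pipeline status. Two smaller points: `mv /root/crashes .` in after_script will error whenever the session found nothing and no crashes directory exists, so guard it with `[ -d /root/crashes ] && mv /root/crashes ${CI_PROJECT_DIR}`; and `image: xentroops/xen-fuzzer:v1` is a mutable tag pulled from Docker Hub, so pinning it by digest until the container moves to the Xen CI registry gives the job a reproducible, tamper-evident image.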
> @@ -704,3 +728,13 @@ qemu-smoke-ppc64le-powernv9-gcc:
> - ./automation/scripts/qemu-smoke-ppc64le.sh powernv9 2>&1 | tee
> ${LOGFILE}
> needs:
> - debian-12-ppc64le-gcc-debug
> +
> +arm-hypercall-fuzzer:
> + extends: .fuzzer-arm
> + variables:
> + HARNESS: hypercall
> +
> +arm-vgic-fuzzer:
> + extends: .fuzzer-arm
> + variables:
> + HARNESS: vgic
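Review bot: arm-hypercall-fuzzer's `variables: HARNESS: hypercall` restates the default already set in .fuzzer-arm, so either drop it here or drop the default from the template so that every concrete job names its harness explicitly; having both invites confusion about which one wins. Also, this job and its artifact use the name `vgic` while the commit message calls the session "gicv2 fuzzing"; using one term in both places makes the fuzzer-vgic.log artifact easier to find from the description.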
> --
> 2.48.1
>