This series introduces multiple fuzzers developed as part of Google Summer of
Code 2024. We adopt a structure-aware fuzzing approach to fuzz libvirt XML
formats. The fuzzing methodology makes use of libFuzzer and libprotobuf-mutator.
The fuzzers work by mutating intermediate protobufs and converting them to XML.

The fuzzing method in use requires inclusion of C++ sources. However, C++
compilation will be done only if '-Dfuzz' is enabled. Otherwise, libvirt will
compile normally as before. The fuzzing method works only on clang compilers
which support libFuzzer.

This series introduces a total of six fuzzers:

1. QEMU XML domain
2. QEMU XML hotplug
3. CH XML domain
4. VMX XML domain
5. libXL XML domain
6. NWFilter XML

In terms of the number of crashes discovered, QEMU XML domain, QEMU XML hotplug
and libXL fuzzers are the most interesting ones.

The setup process is documented at the end of the series (patch 14).

Rayhan Faizel (14):
  src: Tweak source code to allow C++ compilation
  meson: Add support for clang/LLVM coverage instrumentation
  tests: Export handlers for fake secondary drivers
  schemas: Refactor relaxNG schema to ease protobuf conversion
  scripts: Add script to convert relaxNG to protobuf
  fuzz: Implement base fuzzing setup for XML domain
  fuzz: Implement QEMU XML domain fuzzer
  fuzz: Implement QEMU XML hotplug fuzzer
  ch: Remove unused variables
  fuzz: Implement CH XML domain fuzzer
  fuzz: Implement VMX XML domain fuzzer
  fuzz: Implement libXL XML domain fuzzer
  fuzz: Implement NWFilter XML fuzzer
  docs: Document the fuzzers

 build-aux/syntax-check.mk                    |   1 +
 docs/kbase/index.rst                         |   3 +
 docs/kbase/internals/meson.build             |   1 +
 docs/kbase/internals/xml-fuzzing.rst         | 120 ++++
 meson.build                                  |  55 ++
 meson_options.txt                            |   5 +-
 scripts/meson.build                          |   1 +
 scripts/relaxng-to-proto.py                  | 521 ++++++++++++++++++
 src/ch/ch_monitor.c                          |   2 +-
 src/ch/ch_monitor.h                          |   3 +
 src/ch/ch_process.c                          |   2 -
 src/conf/domain_conf.c                       |  18 +-
 src/conf/domain_conf.h                       |   6 +-
 src/conf/netdev_vport_profile_conf.c         |   2 +-
 src/conf/schemas/basictypes.rng              |  20 +-
 src/conf/schemas/domaincommon.rng            |  11 +-
 src/conf/schemas/networkcommon.rng           |  14 +-
 src/qemu/qemu_hotplug.c                      |   4 +
 src/qemu/qemu_monitor.c                      |   6 +-
 src/qemu/qemu_monitor.h                      |   2 +-
 src/util/virfile.h                           |   2 +-
 src/util/virnetdev.h                         |  12 +-
 src/util/virnetdevip.h                       |   2 +-
 src/util/virnetdevmacvlan.h                  |   2 +-
 src/util/virnetdevvportprofile.c             |   2 +-
 src/util/virnetdevvportprofile.h             |   2 +-
 src/util/virnvme.c                           |   4 +-
 src/util/virnvme.h                           |   2 +-
 src/util/viruuid.h                           |   2 +-
 tests/commandhelper.c                        |   8 +-
 tests/fuzz/README.rst                        | 131 +++++
 tests/fuzz/ch_xml_domain_fuzz.cc             | 157 ++++++
 tests/fuzz/libxl_xml_domain_fuzz.cc          | 159 ++++++
 tests/fuzz/llvm_symbolizer_wrapper.c         |  11 +
 tests/fuzz/meson.build                       | 183 ++++++
 tests/fuzz/proto_custom_datatypes.cc         | 234 ++++++++
 tests/fuzz/proto_custom_datatypes.h          |  30 +
 tests/fuzz/proto_header_common.h             |  51 ++
 tests/fuzz/proto_to_xml.cc                   | 277 ++++++++++
 tests/fuzz/proto_to_xml.h                    |  39 ++
 tests/fuzz/protos/meson.build                |  46 ++
 tests/fuzz/protos/xml_datatypes.proto        |  93 ++++
 tests/fuzz/protos/xml_domain.proto           |  62 +++
 tests/fuzz/protos/xml_domain_disk_only.proto |  21 +
 .../protos/xml_domain_interface_only.proto   |  21 +
 tests/fuzz/protos/xml_hotplug.proto          |  38 ++
 tests/fuzz/protos/xml_nwfilter.proto         |   9 +
 tests/fuzz/qemu_xml_domain_fuzz.cc           | 277 ++++++++++
 tests/fuzz/qemu_xml_hotplug_fuzz.cc          | 340 ++++++++++++
 tests/fuzz/run_fuzz.in                       | 142 +++++
 tests/fuzz/vmx_xml_domain_fuzz.cc            | 208 +++++++
 tests/fuzz/xml_nwfilter_fuzz.cc              | 149 +++++
 tests/meson.build                            |   5 +
 tests/qemumonitortestutils.c                 |  48 ++
 tests/qemumonitortestutils.h                 |   6 +
 tests/qemuxmlconftest.c                      | 249 --------
 tests/testutilsqemu.c                        | 256 +++++++++
 tests/testutilsqemu.h                        |  57 ++
 58 files changed, 3832 insertions(+), 302 deletions(-)
 create mode 100644 docs/kbase/internals/xml-fuzzing.rst
 create mode 100644 scripts/relaxng-to-proto.py
 create mode 100644 tests/fuzz/README.rst
 create mode 100644 tests/fuzz/ch_xml_domain_fuzz.cc
 create mode 100644 tests/fuzz/libxl_xml_domain_fuzz.cc
 create mode 100644 tests/fuzz/llvm_symbolizer_wrapper.c
 create mode 100644 tests/fuzz/meson.build
 create mode 100644 tests/fuzz/proto_custom_datatypes.cc
 create mode 100644 tests/fuzz/proto_custom_datatypes.h
 create mode 100644 tests/fuzz/proto_header_common.h
 create mode 100644 tests/fuzz/proto_to_xml.cc
 create mode 100644 tests/fuzz/proto_to_xml.h
 create mode 100644 tests/fuzz/protos/meson.build
 create mode 100644 tests/fuzz/protos/xml_datatypes.proto
 create mode 100644 tests/fuzz/protos/xml_domain.proto
 create mode 100644 tests/fuzz/protos/xml_domain_disk_only.proto
 create mode 100644 tests/fuzz/protos/xml_domain_interface_only.proto
 create mode 100644 tests/fuzz/protos/xml_hotplug.proto
 create mode 100644 tests/fuzz/protos/xml_nwfilter.proto
 create mode 100644 tests/fuzz/qemu_xml_domain_fuzz.cc
 create mode 100644 tests/fuzz/qemu_xml_hotplug_fuzz.cc
 create mode 100644 tests/fuzz/run_fuzz.in
 create mode 100644 tests/fuzz/vmx_xml_domain_fuzz.cc
 create mode 100644 tests/fuzz/xml_nwfilter_fuzz.cc

-- 
2.34.1
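The cover letter describes the pipeline the series builds: mutate an intermediate structured representation, serialize it to XML, hand the XML to the target. The following is an added example, not code from the series or from libvirt, that shows that pipeline in miniature. A plain C++ struct (`DomainSpec`, hypothetical) stands in for the protobuf message, a hand-written `mutateDomain` stands in for libprotobuf-mutator, and `domainToXml` plays the role of the series' proto-to-XML step. A tiny tag-balance scanner stands in for the XML parser's well-formedness check, and a byte-level mutator is run alongside for comparison so the reader can see why structure-aware inputs reach the semantic layer of the consumer rather than dying in the parser. Everything here, including the seed domain and the "interesting" string values, is constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <random>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical intermediate representation standing in for a protobuf message.
struct DiskSpec {
    std::string type;   // e.g. "file" or "block"
    std::string dev;    // target device name, e.g. "vda"
};

struct DomainSpec {
    std::string name;
    uint64_t memoryKiB;
    unsigned vcpus;
    std::vector<DiskSpec> disks;
};

// Escape the characters that would otherwise break XML structure, so whatever
// the mutator writes into a string field stays inside text content.
static std::string escapeXml(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '&':  out += "&amp;";  break;
        case '\'': out += "&apos;"; break;
        case '"':  out += "&quot;"; break;
        default:   out += c;
        }
    }
    return out;
}

// The "proto to XML" step: serializes the structure into well-formed XML.
std::string domainToXml(const DomainSpec& d) {
    std::ostringstream out;
    out << "<domain type='qemu'>"
        << "<name>" << escapeXml(d.name) << "</name>"
        << "<memory unit='KiB'>" << d.memoryKiB << "</memory>"
        << "<vcpu>" << d.vcpus << "</vcpu>"
        << "<devices>";
    for (const DiskSpec& disk : d.disks)
        out << "<disk type='" << escapeXml(disk.type) << "'>"
            << "<target dev='" << escapeXml(disk.dev) << "'/></disk>";
    out << "</devices></domain>";
    return out.str();
}

// Structure-level mutator (the role libprotobuf-mutator plays in the real
// fuzzers): edits fields and repeated elements, never raw bytes.
DomainSpec mutateDomain(DomainSpec d, std::mt19937& rng) {
    static const std::vector<std::string> interesting = {"", "vda", "x<y", "a'b", "&lt;"};
    auto pick = [&]() { return interesting[rng() % interesting.size()]; };
    switch (rng() % 6) {
    case 0: d.name = pick(); break;
    case 1: d.memoryKiB = (rng() % 2) ? UINT64_MAX : 0; break;
    case 2: d.vcpus = static_cast<unsigned>(rng()); break;
    case 3: d.disks.push_back({pick(), pick()}); break;
    case 4: if (!d.disks.empty())
                d.disks.erase(d.disks.begin() + static_cast<std::ptrdiff_t>(rng() % d.disks.size()));
            break;
    case 5: for (DiskSpec& disk : d.disks) disk.dev = pick(); break;
    }
    return d;
}

// Byte-level mutator, the baseline that structure-aware fuzzing improves on:
// overwrite one byte with a random printable character.
std::string mutateBytes(std::string xml, std::mt19937& rng) {
    if (xml.empty()) return xml;
    xml[rng() % xml.size()] = static_cast<char>(' ' + rng() % 95);
    return xml;
}

// Minimal stand-in for the XML parser's well-formedness check: every start tag
// must be closed by a matching end tag; self-closing tags need no partner.
bool tagsBalanced(const std::string& xml) {
    std::vector<std::string> stack;
    size_t i = 0;
    while ((i = xml.find('<', i)) != std::string::npos) {
        size_t end = xml.find('>', i);
        if (end == std::string::npos) return false;
        std::string tag = xml.substr(i + 1, end - i - 1);
        i = end + 1;
        if (tag.empty()) return false;
        if (tag.back() == '/') continue;            // <target .../>
        bool closing = tag[0] == '/';
        std::string body = closing ? tag.substr(1) : tag;
        std::string name = body.substr(0, body.find(' '));
        if (name.empty()) return false;
        if (closing) {
            if (stack.empty() || stack.back() != name) return false;
            stack.pop_back();
        } else {
            stack.push_back(name);
        }
    }
    return stack.empty();
}

struct CampaignStats {
    unsigned iterations;
    unsigned structuredWellFormed;  // mutants built via the struct + serializer
    unsigned byteLevelWellFormed;   // mutants built by editing the XML bytes
};

// Runs both mutation strategies side by side from the same constructed seed.
CampaignStats runCampaign(unsigned iterations, uint32_t seed) {
    std::mt19937 rng(seed);
    DomainSpec current{"vm1", 1048576, 2, {{"file", "vda"}}};  // constructed seed
    std::string currentXml = domainToXml(current);
    CampaignStats s{iterations, 0, 0};
    for (unsigned i = 0; i < iterations; ++i) {
        current = mutateDomain(current, rng);
        if (tagsBalanced(domainToXml(current))) ++s.structuredWellFormed;
        currentXml = mutateBytes(currentXml, rng);
        if (tagsBalanced(currentXml)) ++s.byteLevelWellFormed;
    }
    return s;
}

int main() {
    CampaignStats s = runCampaign(300, 7);
    std::printf("structure-aware: %u/%u well-formed, byte-level: %u/%u well-formed\n",
                s.structuredWellFormed, s.iterations, s.byteLevelWellFormed, s.iterations);
    return 0;
}
```

Because the serializer owns the tag structure and escapes every string field, every structure-aware mutant is well-formed by construction, so the fuzzer's budget is spent on the code that interprets the domain (the part the series targets) instead of on the XML parser's error paths. The byte-level column is there only as a contrast; after a handful of random byte edits the chained XML is, in practice, permanently broken.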