Enables AddressSanitizer to discover out-of-bounds accesses,
use-after-free, double-free and memory leaks.
+config FUZZ
+ bool "Enable fuzzing"
+ depends on CC_IS_CLANG
+ depends on DM_FUZZING_ENGINE
+ select ASAN
+ help
+ Enables the fuzzing infrastructure to generate fuzzing data and run
+ fuzz tests.
+
config CC_HAS_ASM_INLINE
def_bool $(success,echo 'void foo(void) { asm inline (""); }' | $(CC) -x c - -c -o /dev/null)
--- /dev/null
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright (c) 2022 Google, Inc.
+ * Written by Andrew Scull <ascull@google.com>
+ */
+
+#ifndef __TEST_FUZZ_H
+#define __TEST_FUZZ_H
+
+#include <linker_lists.h>
+#include <linux/types.h>
+
+/**
+ * struct fuzz_test - Information about a fuzz test
+ *
+ * @name: Name of fuzz test
+ * @func: Function to call to perform fuzz test on an input
+ * @flags: Flags indicate pre-conditions for fuzz test
+ */
+struct fuzz_test {
+ const char *name;
+ int (*func)(const uint8_t * data, size_t size);
+ int flags;
+};
+
+/**
+ * FUZZ_TEST() - register a fuzz test
+ *
+ * The fuzz test function must return 0 as other values are reserved for future
+ * use.
+ *
+ * @_name: the name of the fuzz test function
+ * @_flags: an integer field that can be evaluated by the fuzzer
+ * implementation
+ */
+#define FUZZ_TEST(_name, _flags) \
+ ll_entry_declare(struct fuzz_test, _name, fuzz_tests) = { \
+ .name = #_name, \
+ .func = _name, \
+ .flags = _flags, \
+ }
+
+/** Get the start of the list of fuzz tests */
+#define FUZZ_TEST_START() \
+ ll_entry_start(struct fuzz_test, fuzz_tests)
+
+/** Get the number of elements in the list of fuzz tests */
+#define FUZZ_TEST_COUNT() \
+ ll_entry_count(struct fuzz_test, fuzz_tests)
+
+#endif /* __TEST_FUZZ_H */
obj-$(CONFIG_$(SPL_)CMDLINE) += command_ut.o
obj-$(CONFIG_$(SPL_)UT_COMPRESSION) += compression.o
obj-y += dm/
+obj-$(CONFIG_FUZZ) += fuzz/
obj-$(CONFIG_$(SPL_)CMDLINE) += print_ut.o
obj-$(CONFIG_$(SPL_)CMDLINE) += str_ut.o
obj-$(CONFIG_UT_TIME) += time_ut.o
--- /dev/null
+# SPDX-License-Identifier: GPL-2.0+
+#
+# Copyright (c) 2022 Google, Inc.
+# Written by Andrew Scull <ascull@google.com>
+#
+
+obj-$(CONFIG_$(SPL_)CMDLINE) += cmd_fuzz.o
--- /dev/null
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright (c) 2022 Google, Inc.
+ * Written by Andrew Scull <ascull@google.com>
+ */
+
+#include <command.h>
+#include <common.h>
+#include <dm.h>
+#include <fuzzing_engine.h>
+#include <test/fuzz.h>
+
+static struct fuzz_test *find_fuzz_test(const char *name)
+{
+ struct fuzz_test *fuzzer = FUZZ_TEST_START();
+ size_t count = FUZZ_TEST_COUNT();
+ size_t i;
+
+ for (i = 0; i < count; ++i) {
+ if (strcmp(name, fuzzer->name) == 0)
+ return fuzzer;
+ ++fuzzer;
+ }
+
+ return NULL;
+}
+
+static struct udevice *find_fuzzing_engine(void)
+{
+ struct udevice *dev;
+
+ if (uclass_first_device(UCLASS_FUZZING_ENGINE, &dev))
+ return NULL;
+
+ return dev;
+}
+
+static int do_fuzz(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
+{
+ struct fuzz_test *fuzzer;
+ struct udevice *dev;
+
+ if (argc != 2)
+ return CMD_RET_USAGE;
+
+ fuzzer = find_fuzz_test(argv[1]);
+ if (!fuzzer) {
+ printf("Could not find fuzzer: %s\n", argv[1]);
+ return 1;
+ }
+
+ dev = find_fuzzing_engine();
+ if (!dev) {
+ puts("No fuzzing engine available\n");
+ return 1;
+ }
+
+ while (1) {
+ const uint8_t *data;
+ size_t size;
+
+ if (dm_fuzzing_engine_get_input(dev, &data, &size)) {
+ puts("Fuzzing engine failed\n");
+ return 1;
+ }
+
+ fuzzer->func(data, size);
+ }
+
+ return 1;
+}
+
+#ifdef CONFIG_SYS_LONGHELP
+static char fuzz_help_text[] =
+ "[fuzz-test-name] - execute the named fuzz test\n"
+ ;
+#endif /* CONFIG_SYS_LONGHELP */
+
+U_BOOT_CMD(
+ fuzz, CONFIG_SYS_MAXARGS, 1, do_fuzz,
+ "fuzz tests", fuzz_help_text
+);