Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / libcper / d759a18bd3b74811b3a0c3f21cda0378ea02c5d6^! / . / cper-parse.c
commitd759a18bd3b74811b3a0c3f21cda0378ea02c5d6[log] [tgz]
authorEd Tanous <etanous@nvidia.com>Fri Mar 07 15:51:45 2025 -0800
committerEd Tanous <ed@tanous.net>Tue Mar 18 22:55:13 2025 +0000
tree7d0ef7a74d7dd7d3257dae3fee2174c585e2312f
parent8121f7e95c3040dbeb1b2726d2a53f8a157442a5 [diff] [blame]
Add fuzz entropy

Coverage shows that fuzzing has a lot of trouble generating a correct
GUID for a section.  This makes sense, as the guids have a lot of
entropy (on purpose) and the fuzzer would have to check the whole
address space to make progress.

libfuzzer calls this out in their docs, and suggests a common flag,
FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION.

Implement that flag when fuzzing is enabled, and look up the ir callback
based on the first byte of the guid, rather than the entire thing.

Note, this immediately shows length failures.

[1] https://llvm.org/docs/LibFuzzer.html

Change-Id: Idd5654739be3d8de69d60e9deb014d92c067956c
Signed-off-by: Ed Tanous <etanous@nvidia.com>

diff --git a/cper-parse.c b/cper-parse.c
index f293fd1..54f4cde 100644
--- a/cper-parse.c
+++ b/cper-parse.c

@@ -411,6 +411,17 @@
 	return section_descriptor_ir;
 }
 
+json_object *read_section(const unsigned char *cper_section_buf,
+			  CPER_SECTION_DEFINITION *definition,
+			  json_object **section_ir)
+{
+	*section_ir = definition->ToIR(cper_section_buf);
+
+	json_object *result = json_object_new_object();
+	json_object_object_add(result, definition->ShortName, *section_ir);
+	return result;
+}
+
 //Converts the section described by a single given section descriptor.
 json_object *cper_buf_section_to_ir(const void *cper_section_buf, size_t size,
 				    EFI_ERROR_SECTION_DESCRIPTOR *descriptor)
@@ -426,21 +437,36 @@
 	json_object *section_ir = NULL;
 	int section_converted = 0;
 	for (size_t i = 0; i < section_definitions_len; i++) {
-		if (guid_equal(section_definitions[i].Guid,
-			       &descriptor->SectionType) &&
-		    section_definitions[i].ToIR != NULL) {
-			section_ir =
-				section_definitions[i].ToIR(cper_section_buf);
+		if (!guid_equal(section_definitions[i].Guid,
+				&descriptor->SectionType)) {
+			continue;
+		}
+		result = read_section(cper_section_buf, &section_definitions[i],
+				      &section_ir);
+		section_converted = 1;
+		break;
+	}
 
-			result = json_object_new_object();
-			json_object_object_add(result,
-					       section_definitions[i].ShortName,
-					       section_ir);
-
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+	// It's unlikely fuzzing can reliably come up with a correct guid, given how
+	// much entropy there is.  If we're in fuzzing mode, and if we haven't found
+	// a match, try to force a match so we get some coverage.  Note, we still
+	// want coverage of the section failed to convert code, so treat index ==
+	// size as section failed to convert.
+	if (!section_converted) {
+		unsigned char index = 0;
+		if (index > 0) {
+			index = descriptor->SectionType.Data1 %
+				section_definitions_len;
+		}
+		if (index < section_definitions_len) {
+			result = read_section(cper_section_buf,
+					      &section_definitions[index],
+					      &section_ir);
 			section_converted = 1;
-			break;
 		}
 	}
+#endif
 
 	//Was it an unknown GUID/failed read?
 	if (!section_converted) {
@@ -478,7 +504,8 @@
 	//Read the section descriptor out.
 	EFI_ERROR_SECTION_DESCRIPTOR *section_descriptor;
 	if (sizeof(EFI_ERROR_SECTION_DESCRIPTOR) > size) {
-		printf("Failed to read section descriptor for CPER single section\n");
+		printf("Size of cper buffer was too small to read section descriptor %zu\n",
+		       size);
 		return NULL;
 	}