vulkan-loader: add new fuzzers for settings enumeration of extensions and creation of instance (#11153)

This commit provide new fuzzers and updates seed corpuses for
Vulkan-Loader project:

- settings fuzzer
- extension enumeration fuzzer
- instance creation fuzzer

Author: MykolaMykhno

projects/vulkan-loader/Dockerfile

@@ -29,5 +29,5 @@ RUN apt-get update && \
 # Vulkan-Loader depends on the header file in Vulkan-Headers
 RUN git clone https://github.com/khronosgroup/Vulkan-Headers vulkan-headers
 RUN git clone https://github.com/khronosgroup/Vulkan-Loader vulkan-loader
-COPY *_fuzzer.c *.sh $SRC/
+COPY fuzzers/*_fuzzer.c *.sh $SRC/
 WORKDIR $SRC/vulkan-loader

projects/vulkan-loader/build.sh

@@ -23,11 +23,15 @@ make -j4
 
 ar rcs $OUT/libvulkan.a $SRC/vulkan-loader/build/loader/CMakeFiles/vulkan.dir/*.o
 
-$CC $CXXFLAGS -I$SRC/vulkan-loader/loader \
-    -I$SRC/vulkan-loader/loader/generated \
-    -I$SRC/vulkan-headers/include \
-    -c $SRC/json_load_fuzzer.c -o json_load_fuzzer.o
+for fuzzers in $(find $SRC -name '*_fuzzer.c'); do
+    fuzz_basename=$(basename -s .c $fuzzers)
+    $CC $CXXFLAGS -I$SRC/vulkan-loader/loader \
+        -I$SRC/vulkan-loader/loader/generated \
+        -I$SRC/vulkan-headers/include \
+        -c $fuzzers -o $fuzz_basename.o
 
-$CXX $CXXFLAGS $LIB_FUZZING_ENGINE json_load_fuzzer.o \
-    -o $OUT/json_load_fuzzer -lpthread $OUT/libvulkan.a
+    $CXX $CXXFLAGS $LIB_FUZZING_ENGINE $fuzz_basename.o \
+        -o $OUT/$fuzz_basename -lpthread $OUT/libvulkan.a
 
+    zip -q $OUT/${fuzz_basename}_seed_corpus.zip $SRC/vulkan-loader/tests/corpus/*
+done

projects/vulkan-loader/fuzzers/instance_create_fuzzer.c

@@ -0,0 +1,119 @@
+/* Copyright 2023 Google LLC
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+      http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "cJSON.h"
+#include "loader.h"
+
+/*
+ * Create config files for given path and data.
+ */
+int create_config_file(const char* config_path, const char* config_filename, const uint8_t* data, size_t size) {
+  char filename[512];
+  char path[256];
+  char command[256];
+
+  sprintf(path, "%s/%s", getenv("HOME"), config_path);
+  sprintf(command, "mkdir -p %s", path);
+
+  system(command);
+
+  sprintf(filename, "%s/%s", path, config_filename);
+
+  FILE *fp = fopen(filename, "wb");
+  if (!fp) {
+    return 1;
+  }
+  fwrite(data, size, 1, fp);
+  fclose(fp);
+
+  return 0;
+}
+
+/*
+ * Remove config file
+ */
+void remove_config_file(const char* config_path, const char* config_filename) {
+  char filename[512];
+  sprintf(filename, "%s/%s/%s", getenv("HOME"), config_path, config_filename);
+  unlink(filename);
+}
+
+/*
+ * Targets the instance creation.
+ */
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  setenv("HOME", "/tmp", 1);
+
+  // Create implicit layer configuration file
+  int result = create_config_file(".local/share/vulkan/implicit_layer.d", "complex_layer.json", data, size);
+  if (result) {
+    return 0;
+  }
+  
+  // Create loader configuration file
+  result = create_config_file(".local/share/vulkan/loader_settings.d", "vk_loader_settings.json", data, size);
+  if (result) {
+    return 0;
+  }
+
+  // Create icd configuration file
+  result = create_config_file(".local/share/vulkan/icd.d", "icd_test.json", data, size);
+  if (result) {
+    return 0;
+  }
+
+  setenv("VK_LOADER_LAYERS_ENABLE", "all", 1);
+
+
+  VkInstance inst = {0};
+  char *instance_layers[] = {
+    "VK_LAYER_KHRONOS_validation",
+    "VK_LAYER_test_layer_1",
+    "VK_LAYER_test_layer_2"
+  };
+  const VkApplicationInfo app = {
+      .sType = VK_STRUCTURE_TYPE_APPLICATION_INFO,
+      .pNext = NULL,
+      .pApplicationName = "TEST_APP",
+      .applicationVersion = 0,
+      .pEngineName = "TEST_ENGINE",
+      .engineVersion = 0,
+      .apiVersion = VK_API_VERSION_1_0,
+  };
+  VkInstanceCreateInfo inst_info = {
+      .sType = VK_STRUCTURE_TYPE_INSTANCE_CREATE_INFO,
+      .pNext = NULL,
+      .pApplicationInfo = &app,
+      .enabledLayerCount = 1,
+      .ppEnabledLayerNames = (const char *const *)instance_layers,
+      .enabledExtensionCount = 0,
+      .ppEnabledExtensionNames = NULL,
+  };
+  VkResult err = vkCreateInstance(&inst_info, NULL, &inst);
+  if (err != VK_SUCCESS) {
+    goto out;
+  }
+
+  vkDestroyInstance(inst, NULL);
+
+out:
+  // Clean up config files
+  remove_config_file(".local/share/vulkan/implicit_layer.d", "complex_layer.json");
+  remove_config_file(".local/share/vulkan/loader_settings.d", "vk_loader_settings.json");
+  remove_config_file(".local/share/vulkan/icd.d", "icd_test.json");
+
+  return 0;
+}

projects/vulkan-loader/fuzzers/instance_enumerate_fuzzer.c

@@ -0,0 +1,84 @@
+/* Copyright 2023 Google LLC
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+      http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "cJSON.h"
+#include "loader.h"
+
+/*
+ * Create config files for given path and data.
+ */
+int create_config_file(const char* config_path, const char* config_filename, const uint8_t* data, size_t size) {
+  char filename[512];
+  char path[256];
+  char command[256];
+
+  sprintf(path, "%s/%s", getenv("HOME"), config_path);
+  sprintf(command, "mkdir -p %s", path);
+
+  system(command);
+
+  sprintf(filename, "%s/%s", path, config_filename);
+
+  FILE *fp = fopen(filename, "wb");
+  if (!fp) {
+    return 1;
+  }
+  fwrite(data, size, 1, fp);
+  fclose(fp);
+
+  return 0;
+}
+
+/*
+ * Remove config file
+ */
+void remove_config_file(const char* config_path, const char* config_filename) {
+  char filename[512];
+  sprintf(filename, "%s/%s/%s", getenv("HOME"), config_path, config_filename);
+  unlink(filename);
+}
+
+/*
+ * Targets the instance extension enumeration.
+ */
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  setenv("HOME", "/tmp", 1);
+
+  // Create implicit layer configuration file
+  int result = create_config_file(".local/share/vulkan/implicit_layer.d", "complex_layer.json", data, size);
+  if (result) {
+    return 0;
+  }
+  
+  // Create loader configuration file
+  result = create_config_file(".local/share/vulkan/loader_settings.d", "vk_loader_settings.json", data, size);
+  if (result) {
+    return 0;
+  }
+
+  setenv("VK_LOADER_LAYERS_ENABLE", "all", 1);
+
+  uint32_t pPropertyCount;
+  VkExtensionProperties pProperties = {0};
+
+  vkEnumerateInstanceExtensionProperties("test_auto", &pPropertyCount, &pProperties);
+
+  // Clean up config files
+  remove_config_file(".local/share/vulkan/implicit_layer.d", "complex_layer.json");
+  remove_config_file(".local/share/vulkan/loader_settings.d", "vk_loader_settings.json");
+
+  return 0;
+}

projects/vulkan-loader/json_load_fuzzer.c renamed to projects/vulkan-loader/fuzzers/json_load_fuzzer.c

@@ -33,9 +33,22 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
   cJSON *json = NULL;
   loader_get_json(NULL, filename, &json);
+
+  if (json == NULL) {
+    goto out;
+  }
+
+  char *json_data = loader_cJSON_Print(json);
+
+  if (json_data != NULL) {
+    free(json_data);
+  }
+
   if (json != NULL) {
     free(json);
   }
+
+out:
   unlink(filename);
 
   return 0;

projects/vulkan-loader/fuzzers/settings_fuzzer.c

@@ -0,0 +1,82 @@
+/* Copyright 2023 Google LLC
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+      http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "cJSON.h"
+#include "loader.h"
+
+/*
+ * Create config files for given path and data.
+ */
+int create_config_file(const char* config_path, const char* config_filename, const uint8_t* data, size_t size) {
+  char filename[512];
+  char path[256];
+  char command[256];
+
+  sprintf(path, "%s/%s", getenv("HOME"), config_path);
+  sprintf(command, "mkdir -p %s", path);
+
+  system(command);
+
+  sprintf(filename, "%s/%s", path, config_filename);
+
+  FILE *fp = fopen(filename, "wb");
+  if (!fp) {
+    return 1;
+  }
+  fwrite(data, size, 1, fp);
+  fclose(fp);
+
+  return 0;
+}
+
+/*
+ * Remove config file
+ */
+void remove_config_file(const char* config_path, const char* config_filename) {
+  char filename[512];
+  sprintf(filename, "%s/%s/%s", getenv("HOME"), config_path, config_filename);
+  unlink(filename);
+}
+
+/*
+ * Targets the settings parser.
+ */
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  setenv("HOME", "/tmp", 1);
+
+  // Create loader configuration file
+  int result = create_config_file(".local/share/vulkan/loader_settings.d", "vk_loader_settings.json", data, size);
+  if (result) {
+    return 0;
+  }
+
+  update_global_loader_settings();
+  update_global_loader_settings();
+  get_current_settings_and_lock(NULL);
+  release_current_settings_lock(NULL);
+  struct loader_layer_list settings_layers = {0};
+
+  bool should_search_for_other_layers = true;
+  get_settings_layers(NULL, &settings_layers, &should_search_for_other_layers);
+  should_skip_logging_global_messages(0);
+  update_global_loader_settings();
+  teardown_global_loader_settings();
+
+  // Clean up config file
+  remove_config_file(".local/share/vulkan/loader_settings.d", "vk_loader_settings.json");
+
+  return 0;
+}