[PATCH 18/21] fdt: add fuzz test
Ahmad Fatoum
a.fatoum at pengutronix.de
Thu Jun 5 04:35:27 PDT 2025
We have four parsers that operate on device trees in barebox:
- OF unflattener: Used in barebox proper on the same DTs as libfdt,
but additionally also processes FIT images, which are untrusted
- fdt_machine_is_compatible: very minimal device tree parser for
extracting compatibles out of untrusted device trees without
unflattening
- The FIT image hashing code, but this only runs after unflattening
- libfdt: optionally used in PBL. Only operates on trusted input,
either barebox' own device tree or an externally passed device tree
from a previous boot stage
Add fuzz tests for the two parsers that take untrusted input. Multiple
issues have already been found by them in the past and fixed.
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
drivers/of/fdt.c | 39 +++++++++++++++++++++++++++++++++++++++
images/Makefile.sandbox | 2 ++
2 files changed, 41 insertions(+)
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 9638b3d238be..84a36c77bbf0 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -12,6 +12,7 @@
#include <malloc.h>
#include <init.h>
#include <memory.h>
+#include <fuzz.h>
#include <linux/sizes.h>
#include <linux/ctype.h>
#include <linux/log2.h>
@@ -355,6 +356,18 @@ struct device_node *of_unflatten_dtb_const(const void *infdt, int size)
return __of_unflatten_dtb(infdt, size, true);
}
+static int fuzz_dtb(const u8 *data, size_t size)
+{
+ struct device_node *np;
+
+ np = of_unflatten_dtb_const(data, size);
+ if (!IS_ERR(np))
+ of_delete_node(np);
+
+ return 0;
+}
+fuzz_test("dtb", fuzz_dtb);
+
struct fdt {
void *dt;
uint32_t dt_nextofs;
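Review bot: fuzz_dtb hands its size_t `size` straight to of_unflatten_dtb_const, whose parameter is declared `int size` in the context line at the top of this hunk, so an input of INT_MAX+1 bytes or more would reach the unflattener as a negative length. The fuzzer's default maximum input length presumably keeps inputs far below that, but a harness is exactly the place to state the callee's contract explicitly rather than rely on it; a guard such as `if (size > INT_MAX) return 0;` before the call makes the truncation impossible instead of merely unlikely. Since fuzz_dtb is new, a one-line comment noting that the harness only checks that the unflattener survives arbitrary input and that the resulting tree is discarded would also help readers.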
@@ -812,3 +825,29 @@ int fdt_machine_is_compatible(const struct fdt_header *fdt, size_t fdt_size, con
return 0;
}
+
+/*
+ * In order to randomize all inputs to fdt_machine_is_compatible,
+ * we use the last 32 bytes of the random data as a compatible.
+ * As there maybe embedded nul bytes, the size thus varies
+ * between 0 and 31 bytes.
+ * of
+ */
+#define COMPAT_THRESHOLD 768
+#define COMPAT_LEN 32
+
+static int fuzz_fdt_compatible(const u8 *data, size_t size)
+{
+ char compat[32] = "barebox,sandbox";
+
+ if (size > COMPAT_THRESHOLD) {
+ size -= COMPAT_LEN;
+ memcpy(compat, &data[COMPAT_THRESHOLD - COMPAT_LEN], COMPAT_LEN);
+ compat[COMPAT_LEN - 1] = '\0';
+ }
+
+ fdt_machine_is_compatible((const void *)data, size, compat);
+
+ return 0;
+}
+fuzz_test("fdt-compatible", fuzz_fdt_compatible);
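Review bot: The comment above fuzz_fdt_compatible says the compatible is taken from the last 32 bytes of the input, but the memcpy reads the fixed window `data[736..767]` while `size -= COMPAT_LEN` trims the real tail off the FDT, so the bytes used as the compatible still sit inside the buffer passed to fdt_machine_is_compatible and the trailing 32 bytes are never used at all. The read stays in bounds because `size > 768` guarantees at least 769 bytes, so this is a coverage mismatch between code and comment rather than a memory bug. If the comment states the intent, the copy should become `memcpy(compat, &data[size], COMPAT_LEN);` placed after the `size -= COMPAT_LEN;` line, and `char compat[32]` should be `char compat[COMPAT_LEN]` so the buffer cannot silently drift from the macro. The comment also carries a stray `* of` line that looks like an editing leftover and should be dropped, and the `(const void *)data` cast is redundant since `const u8 *` converts implicitly.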
diff --git a/images/Makefile.sandbox b/images/Makefile.sandbox
index b6893d314668..87963e2f432f 100644
--- a/images/Makefile.sandbox
+++ b/images/Makefile.sandbox
@@ -4,6 +4,8 @@ SYMLINK_TARGET_barebox = sandbox_main.elf
symlink-$(CONFIG_SANDBOX) += barebox
fuzzer-$(CONFIG_FILETYPE) += filetype
+fuzzer-$(CONFIG_OFTREE) += dtb
+fuzzer-$(CONFIG_OFTREE) += fdt-compatible
fuzzer-$(CONFIG_PARTITION) += partitions
fuzzer-$(CONFIG_PRINTF_HEXSTR) += printf
--
2.39.5