frr-cli-fuzzer 0.1.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 378f404d19c9beb961473414202aa8f24e5faad8
-  data.tar.gz: 5a5aff0028114fc40add71aba2a389e555c3c0e1
+  metadata.gz: 5e8ad21ba8f6f41b93c2d61d4d68dd123a5707c0
+  data.tar.gz: 0dec0e76549f98d5b8e8c6eb76106d83cda3d647
 SHA512:
-  metadata.gz: 55459c77035f9d77cbe35218e20c9594bb53bb8424885329e2c89f394ca72dc105f5085c26b136255a4926120a847764dabc94e044848b30d689f75788db9c14
-  data.tar.gz: 513b03ec3aa21574310abd7663d5c2d9536d6254df5ef3c616febdb1b86b624a28664634ccfae9a7a45f474c3e80a02e7812ee07168d22cabfbd0a4d5a786f21
+  metadata.gz: 8d57fb7833789767b120997653f1e12264fff0d50a29b9fd25ac51562c562bf864b89d6e911a65e53b4a4305e5a10f6ce517d58c519d78234f3387592f1acbfc
+  data.tar.gz: a90704a5aeeedeb5a07e3547a3dbdb821c0858911e32e81ff932b4fce872af4a9ca8b52a4554858bcc43ff4ab82add1043d80e80665b1b8d7a6ad6f0596e5678

data/.rubocop.yml

@@ -0,0 +1,8 @@
+Style/MutableConstant:
+  Enabled: false
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/SymbolArray:
+  EnforcedStyle: brackets

data/Gemfile

@@ -1,4 +1,4 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
-# Specify your gem's dependencies in frr-cli-fuzzer.gemspec
+# Specify your gem"s dependencies in frr-cli-fuzzer.gemspec
 gemspec

data/README.md

@@ -1,28 +1,95 @@
-# FrrCliFuzzer
+# FRR CLI Fuzzer
+
+The FRR CLI fuzzer works by executing all existing CLI commands (obtained using the `list permutations` command) and checking for segmentation faults.
+
+This program receives as input a configuration file specifying the test parameters, which are mostly self explanatory. The [config.yml](config.yml) file can be used as a reference configuration.
+
+The CLI fuzzer uses Linux PID, mount and network namespaces to run on a completely isolated environment, which allows multiple instances of the CLI fuzzer to run concurrently. Linux is the only supported platform.
 
 ## Installation
 
-After checking out the repo, run `bin/setup` to install the dependencies (currently, only the _ffi_ gem).
+After checking out the repo, run `bin/setup` to install the dependencies (currently, only the _ffi_ gem):
+```
+$ git clone https://github.com/rwestphal/frr-cli-fuzzer
+$ cd frr-cli-fuzzer
+# ./bin/setup
+```
+
+Alternatively, install the latest version of the _frr-cli-fuzzer_ gem using the following command:
+```
+# gem install frr-cli-fuzzer
+```
+
+> NOTE: in order to install this gem it might be necessary to install the `ruby-dev` or `ruby-devel` package first.
 
 ## Usage
 
-Edit _config.yml_ as desired. Run the CLI fuzzer using the following command:
-```sh
-./bin/frr-cli-fuzzer config.yml
+Edit [config.yml](config.yml) to configure the test parameters. Run the CLI fuzzer using the following command:
+```
+# frr-cli-fuzzer config.yml
+```
+
+Once the tests complete, the results are displayed in the standard output. Example:
+```
+results:
+- non-filtered commands: 197
+- whitelist filtered commands: 0
+- blacklist filtered commands: 11
+- tested commands: 426
+- segfaults detected: 5
+    (x3) ripd aborted: vtysh -c "configure terminal" -c "router rip" -c "allow-ecmp"
+      PIDs: 7 342 686
+    (x2) ripd aborted: vtysh -c "configure terminal" -c "router rip" -c "no allow-ecmp"
+      PIDs: 225 547
+```
+
+The `runstatedir` (_/tmp/frr-cli-fuzzer/_ by default) directory will contain the following files:
+* _segfaults.txt_: log of the detected segmentation faults.
+* _*.log.<PID>_: log files of the FRR daemons.
+* _*.stdout.<PID>_: capture of the standard output of the FRR daemons.
+* _*.stderr.<PID>_: capture of the standard error of the FRR daemons.
+* _vtysh.stdout_: capture of the standard output of vtysh.
+* _vtysh.stderr_: capture of the standard error of vtysh.
+
+It's recommend to build FRR with compiler optimizations (e.g. `-O2`) to allow the CLI fuzzer to test more commands per second.
+
+If desired, it's possible to run multiple instances of the CLI fuzzer at the same time.
+For that, each instance must use a different configuration file, and the `runstatedir` parameter (under the `fuzzer` section) must be different among all running instances to separate their running state data.
+
+To run the CLI fuzzer for a specific amount of time, use the `timeout` command. Example:
+```
+# timeout --signal=INT 12h frr-cli-fuzzer config.yml
+```
+
+## Core Dumps
+
+It's suggested to enable the generation of core dumps to make it easier to debug the segfaults triggered by the CLI fuzzer. This can be done by following the steps below:
+* Create the _/var/crash_ directory to store the core dumps:
+```
+# mkdir /var/crash
+# chmod 0777 /var/crash
 ```
 
-Once the tests complete, the results are displayed in the standard output like this:
+* Edit _/etc/sysctl.conf_:
 ```
-Results:
-- Non-filtered commands: 465
-- Whitelist filtered commands: 0
-- Blacklist filtered commands: 20
-- Tested commands: 465
-- Segfaults detected: 6
+kernel.core_pattern = /var/crash/core-%e-signal-%s-pid-%p-ts-%t
+fs.suid_dumpable = 1
 ```
 
-More details about which commands caused which segmentation faults are available in the _output.txt_ file.
+* Edit _/etc/security/limits.conf_:
+```
+*              soft    core           unlimited
+root           soft    core           unlimited
+*              hard    core           unlimited
+root           hard    core           unlimited
+```
+
+Reboot the system for the changes to take effect.
 
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/rwestphal/frr-cli-fuzzer.
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details

data/Rakefile

@@ -1,2 +1,2 @@
 require "bundler/gem_tasks"
-task :default => :spec
+task default: :spec

data/bin/frr-cli-fuzzer

@@ -1,11 +1,11 @@
 #!/usr/bin/env ruby
 $VERBOSE = true
 
-require 'yaml'
-require_relative '../lib/frr-cli-fuzzer.rb'
+require "yaml"
+require_relative "../lib/frr-cli-fuzzer.rb"
 
 # Signal handler.
-trap('INT') do
+trap("INT") do
   FrrCliFuzzer.print_results
   exit(0)
 end
@@ -26,19 +26,17 @@ rescue SystemCallError, Psych::SyntaxError, ArgumentError => e
   exit(1)
 end
 
-FrrCliFuzzer::LibC.prctl(FrrCliFuzzer::LibC::PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0)
-
-# Start fuzzer and print the results when we're done.
-FrrCliFuzzer.init(iterations: config.dig('fuzzer', 'iterations'),
-                  random_order: config.dig('fuzzer', 'random-order'),
-                  runstatedir: config.dig('fuzzer', 'runstatedir'),
-                  frr_build_parameters: config['frr-build-parameters'],
-                  daemons: config['daemons'],
-                  configs: config['configs'],
-                  nodes: config['nodes'],
-                  regexps: config['regexps'],
-                  whitelist: config['whitelist'],
-                  blacklist: config['blacklist'])
+# Start fuzzer and print the results when we"re done.
+FrrCliFuzzer.init(iterations: config.dig("fuzzer", "iterations"),
+                  random_order: config.dig("fuzzer", "random-order"),
+                  runstatedir: config.dig("fuzzer", "runstatedir"),
+                  frr_build_parameters: config["frr-build-parameters"],
+                  daemons: config["daemons"],
+                  configs: config["configs"],
+                  nodes: config["nodes"],
+                  regexps: config["regexps"],
+                  global_whitelist: config["global_whitelist"],
+                  global_blacklist: config["global_blacklist"])
 FrrCliFuzzer.gen_configs
 FrrCliFuzzer.start_daemons
 FrrCliFuzzer.test_fuzzing

data/config.yml

@@ -20,7 +20,7 @@ frr-build-parameters:
 
 daemons:
   - zebra
-  #- bgpd
+  - bgpd
   - ospfd
   - ospf6d
   - isisd
@@ -60,11 +60,11 @@ regexps:
   BANDWIDTH: "1000"
   PERCENTAGE: "50"
 
-whitelist:
+global_whitelist:
   #- ^show (ip|ipv6)
   #- redistribute
 
-blacklist:
+global_blacklist:
   - output file
   - ^write
   - ^copy
@@ -73,65 +73,201 @@ blacklist:
   - ^exit
   - ^quit
   - ^end
-  - ^(no )?(ip|ipv6) route
-  - ^show (ip|ipv6) (route|fib)
-  - ^no router bgp
-  - ^no neighbor (A.B.C.D|X:X::X:X|WORD)$
-  - ^no neighbor (A.B.C.D|X:X::X:X|WORD) remote-as
-  #- ospf
   #- ^(no )?debug
 
 nodes:
-  #- ""
-  - -c "configure terminal"
-  - -c "configure terminal" -c "interface eth99"
-  - -c "configure terminal" -c "interface eth99" -c "link-params"
-  - -c "configure terminal" -c "route-map RMAP permit 1"
-  #- -c "configure terminal" -c "router bgp 1"
-  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 unicast"
-  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 multicast"
-  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 vpn"
-  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 labeled-unicast"
-  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 flowspec"
-  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 unicast"
-  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 multicast"
-  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 vpn"
-  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 labeled-unicast"
-  #- -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 flowspec"
-  #- -c "configure terminal" -c "router bgp 1" -c "address-family l2vpn evpn"
-  #- -c "configure terminal" -c "router bgp 1" -c "vnc defaults"
-  #- -c "configure terminal" -c "router bgp 1" -c "vnc nve-group NAME"
-  #- -c "configure terminal" -c "router bgp 1" -c "vnc l2-group NAME"
-  #- -c "configure terminal" -c "router bgp 1" -c "vrf-policy NAME"
-  - -c "configure terminal" -c "key chain WORD"
-  - -c "configure terminal" -c "key chain WORD" -c "key 255"
-  - -c "configure terminal" -c "router babel"
-  - -c "configure terminal" -c "router ospf"
-  - -c "configure terminal" -c "router ospf6"
-  - -c "configure terminal" -c "router isis 1"
-  - -c "configure terminal" -c "router openfabric 1"
-  - -c "configure terminal" -c "router rip"
-  - -c "configure terminal" -c "router ripng"
-  - -c "configure terminal" -c "router eigrp 1"
-  - -c "configure terminal" -c "mpls ldp"
-  - -c "configure terminal" -c "mpls ldp" -c "address-family ipv4"
-  - -c "configure terminal" -c "mpls ldp" -c "address-family ipv4" -c "interface eth99"
-  - -c "configure terminal" -c "mpls ldp" -c "address-family ipv6"
-  - -c "configure terminal" -c "mpls ldp" -c "address-family ipv6" -c "interface eth99"
-  - -c "configure terminal" -c "l2vpn WORD type vpls"
-  - -c "configure terminal" -c "l2vpn WORD type vpls" -c "member pseudowire mpw0"
-  - -c "configure terminal" -c "line vty"
-  - -c "configure terminal" -c "logical-router 1 ns /var/run/netns/ns1"
-  - -c "configure terminal" -c "vrf RED"
-  - -c "configure terminal" -c "nexthop-group NHGROUP"
-  - -c "configure terminal" -c "pbr-map WORD seq 100"
-  #- -c "configure terminal" -c "bfd"
-  #- -c "configure terminal" -c "bfd" -c "peer 1.1.1.1"
+  - hierarchy: -c ""
+    whitelist:
+    blacklist:
+      - ^show (ip|ipv6) (route|fib)
+      - ^sharp install
+
+  - hierarchy: -c "configure terminal"
+    whitelist:
+    blacklist:
+      - ^(no )?log
+      - ^(no )?(ip|ipv6) route
+      - ^no router bgp
+
+  - hierarchy: -c "configure terminal" -c "interface eth99"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "interface eth99" -c "link-params"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "route-map RMAP permit 1"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1"
+    whitelist:
+    blacklist:
+      - ^no neighbor (A.B.C.D|X:X::X:X|WORD)$
+      - ^no neighbor (A.B.C.D|X:X::X:X|WORD) remote-as
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 unicast"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 multicast"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 vpn"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 labeled-unicast"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "address-family ipv4 flowspec"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 unicast"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 multicast"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 vpn"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 labeled-unicast"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "address-family ipv6 flowspec"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "address-family l2vpn evpn"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "vnc defaults"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "vnc nve-group NAME"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "vnc l2-group NAME"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router bgp 1" -c "vrf-policy NAME"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "key chain WORD"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "key chain WORD" -c "key 255"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router babel"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router ospf"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router ospf6"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router isis 1"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router openfabric 1"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router rip"
+    whitelist:
+    blacklist:
+      - redistribute
+
+  - hierarchy: -c "configure terminal" -c "router ripng"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "router eigrp 1"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "mpls ldp"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "mpls ldp" -c "address-family ipv4"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "mpls ldp" -c "address-family ipv4" -c "interface eth99"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "mpls ldp" -c "address-family ipv6"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "mpls ldp" -c "address-family ipv6" -c "interface eth99"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "l2vpn WORD type vpls"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "l2vpn WORD type vpls" -c "member pseudowire mpw0"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "line vty"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "logical-router 1 ns /var/run/netns/ns1"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "vrf RED"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "nexthop-group NHGROUP"
+    whitelist:
+    blacklist:
+
+  - hierarchy: -c "configure terminal" -c "pbr-map WORD seq 100"
+    whitelist:
+    blacklist:
+
+  #- hierarchy: -c "configure terminal" -c "bfd"
+  #  whitelist:
+  #  blacklist:
+
+  #- hierarchy: -c "configure terminal" -c "bfd" -c "peer 1.1.1.1"
+  #  whitelist:
+  #  blacklist:
 
 configs:
   all: |
     hostname %(daemon)
-    log file %(runstatedir)/%(daemon).log
+    log file %(logfile)
     log commands
     !
     debug northbound

data/frr-cli-fuzzer.gemspec

@@ -1,6 +1,5 @@
-# coding: utf-8
-$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
-require 'frr-cli-fuzzer/version'
+$LOAD_PATH.unshift File.expand_path("lib", __dir__)
+require "frr-cli-fuzzer/version"
 
 Gem::Specification.new do |spec|
   spec.name          = "frr-cli-fuzzer"
@@ -8,7 +7,7 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Renato Westphal"]
   spec.email         = ["renato@opensourcerouting.org"]
 
-  spec.summary       = %q{FRR CLI fuzzer.}
+  spec.summary       = "FRR CLI fuzzer."
   spec.homepage      = "https://github.com/rwestphal/frr-cli-fuzzer"
   spec.license       = "MIT"
 

data/lib/frr-cli-fuzzer.rb

@@ -1,16 +1,16 @@
-require 'fileutils'
-require 'scanf'
-require_relative 'frr-cli-fuzzer/libc'
-require_relative 'frr-cli-fuzzer/linux_namespace'
-require_relative 'frr-cli-fuzzer/version'
+require "fileutils"
+require "scanf"
+require_relative "frr-cli-fuzzer/libc"
+require_relative "frr-cli-fuzzer/linux_namespace"
+require_relative "frr-cli-fuzzer/version"
 
 module FrrCliFuzzer
   DFLT_ITERATIONS = 1
-  DFLT_RUNSTATEDIR = '/tmp/frr-cli-fuzzer'
-  DFLT_FRR_SYSCONFDIR = '/etc/frr'
-  DFLT_FRR_LOCALSTATE_DIR = '/var/run/frr'
-  DFLT_FRR_USER = 'frr'
-  DFLT_FRR_GROUP = 'frr'
+  DFLT_RUNSTATEDIR = "/tmp/frr-cli-fuzzer"
+  DFLT_FRR_SYSCONFDIR = "/etc/frr"
+  DFLT_FRR_LOCALSTATE_DIR = "/var/run/frr"
+  DFLT_FRR_USER = "frr"
+  DFLT_FRR_GROUP = "frr"
 
   class << self
     def init(iterations: nil,
@@ -21,93 +21,82 @@ module FrrCliFuzzer
              configs: nil,
              nodes: nil,
              regexps: nil,
-             whitelist: nil,
-             blacklist: nil)
+             global_whitelist: nil,
+             global_blacklist: nil)
       # Load configuration and default values if necessary.
       @iterations = iterations || DFLT_ITERATIONS
       @random_order = random_order || false
       @runstatedir = runstatedir || DFLT_RUNSTATEDIR
       @frr = frr_build_parameters || []
-      @frr['sysconfdir'] ||= DFLT_FRR_SYSCONFDIR
-      @frr['localstatedir'] ||= DFLT_FRR_LOCALSTATE_DIR
-      @frr['user'] ||= DFLT_FRR_USER
-      @frr['group'] ||= DFLT_FRR_GROUP
-      @daemons = daemons || []
+      @frr["sysconfdir"] ||= DFLT_FRR_SYSCONFDIR
+      @frr["localstatedir"] ||= DFLT_FRR_LOCALSTATE_DIR
+      @frr["user"] ||= DFLT_FRR_USER
+      @frr["group"] ||= DFLT_FRR_GROUP
+      daemons ||= []
+      @daemons = Hash[daemons.collect { |daemon| [daemon, nil] }]
       @configs = configs || []
       @nodes = nodes || []
       @regexps = regexps || []
-      @whitelist = whitelist || []
-      @blacklist = blacklist || []
+      @global_whitelist = global_whitelist || []
+      @global_blacklist = global_blacklist || []
 
       # Initialize counters.
       @counters = {}
-      @counters['non-filtered-cmds'] = 0
-      @counters['filtered-blacklist'] = 0
-      @counters['filtered-whitelist'] = 0
-      @counters['tested-cmds'] = 0
-      @counters['segfaults'] = 0
+      @counters["non-filtered-cmds"] = 0
+      @counters["filtered-blacklist"] = 0
+      @counters["filtered-whitelist"] = 0
+      @counters["tested-cmds"] = 0
+      @counters["segfaults"] = 0
       @segfaults = {}
 
       # Security check to prevent accidental deletion of data.
-      unless @runstatedir.include?('frr-cli-fuzzer')
+      unless @runstatedir.include?("frr-cli-fuzzer")
         abort("The runstatedir configuration parameter must contain "\
-              "'frr-cli-fuzzer' somewhere in the path.")
+              "\"frr-cli-fuzzer\" somewhere in the path.")
       end
       FileUtils.rm_rf(@runstatedir)
       FileUtils.mkdir_p(@runstatedir)
-      FileUtils.chown_R(@frr['user'], @frr['group'], @runstatedir)
+      FileUtils.chown_R(@frr["user"], @frr["group"], @runstatedir)
 
       # Create a new process on a new pid, mount and network namespace.
       @ns = LinuxNamespace.new
-      @ns.fork_and_unshare do
-        # This is the init process of this fuzzer. We need to reap the zombies.
-        trap(:CHLD) { Process.wait }
-        trap(:INT, :IGNORE)
-        sleep
-      end
 
       # Bind mount FRR directories.
-      mount(@frr['sysconfdir'], @frr['user'], @frr['group'])
-      mount(@frr['localstatedir'], @frr['user'], @frr['group'])
-    end
-
-    # nsenter(1) is a standard tool from the util-linux package. It can be used
-    # to run a program with namespaces of other processes.
-    def nsenter
-      "nsenter -t #{@ns.pid} --mount --pid --net"
+      bind_mount(@frr["sysconfdir"], @frr["user"], @frr["group"])
+      bind_mount(@frr["localstatedir"], @frr["user"], @frr["group"])
     end
 
     # Bind mount a path under the configured runstatedir.
-    def mount(path, user, group)
+    def bind_mount(path, user, group)
       source = "#{@runstatedir}/#{path}"
       FileUtils.mkdir_p(path)
       FileUtils.mkdir_p(source)
       FileUtils.chown_R(user, group, source)
-      system("#{nsenter} mount --bind #{source} #{path}")
+      system("#{@ns.nsenter} mount --bind #{source} #{path}")
     end
 
     # Save configuration in the file system.
     def save_config(daemon, config)
       path = "#{@runstatedir}/#{@frr['sysconfdir']}/#{daemon}.conf"
-      File.open(path, 'w') { |file| file.write(config) }
+      File.open(path, "w") { |file| file.write(config) }
     end
 
     # Generate FRR configuration file.
     def gen_config(daemon)
-      config = @configs['all'] || ''
-      config += @configs[daemon] || ''
+      config = @configs["all"] || ""
+      config += @configs[daemon] || ""
 
       # Replace variables.
-      config.gsub!('%(daemon)', daemon)
-      config.gsub!('%(runstatedir)', @runstatedir)
+      config.gsub!("%(daemon)", daemon)
+      config.gsub!("%(logfile)", "#{@runstatedir}/#{daemon}.log")
 
       save_config(daemon, config)
     end
 
     # Generate FRR configuration files.
     def gen_configs
-      save_config('vtysh', '')
-      @daemons.each do |daemon|
+      save_config("vtysh", "")
+      @daemons.keys.each do |daemon|
         gen_config(daemon)
       end
     end
@@ -118,37 +107,45 @@ module FrrCliFuzzer
       FileUtils.rm_f("#{@runstatedir}/#{@frr['localstatedir']}/#{daemon}.pid")
 
       # Spawn new process.
-      pid = Process.spawn("#{nsenter} #{daemon} -d --log=stdout "\
-                          ">> #{@runstatedir}/#{daemon}.stdout "\
-                          "2>> #{@runstatedir}/#{daemon}.stderr")
+      pid = Process.spawn("#{@ns.nsenter} #{daemon} --log=stdout -d",
+                          out: "#{@runstatedir}/#{daemon}.stdout",
+                          err: "#{@runstatedir}/#{daemon}.stderr")
       Process.detach(pid)
+
+      # Obtain the PID of the daemon as seen in the PID namespace where
+      # it resides.
+      @daemons[daemon] = `#{@ns.nsenter} pidof -s #{daemon}`.rstrip
     end
 
     # Start all FRR daemons.
     def start_daemons
-      @daemons.each do |daemon|
+      @daemons.keys.each do |daemon|
         start_daemon(daemon)
       end
     end
 
     # Check if a FRR daemon is still alive.
     def daemon_alive?(daemon)
-      `#{nsenter} ps aux | grep #{daemon} | grep -E -v "defunct|grep"` != ''
+      `#{@ns.nsenter} ps aux | grep #{daemon} | grep -E -v "defunct|grep"` != ""
     end
 
     # Check if a command should be white-list filtered.
-    def filter_whitelist(command)
-      return false if @whitelist.empty?
+    def filter_whitelist(command, whitelist)
+      whitelist += @global_whitelist
+
+      return false if whitelist.empty?
 
-      @whitelist.each do |regexp|
+      whitelist.each do |regexp|
         return false if command =~ /#{regexp}/
       end
       true
     end
 
     # Check if a command should be black-list filtered.
-    def filter_blacklist(command)
-      @blacklist.each do |regexp|
+    def filter_blacklist(command, blacklist)
+      blacklist += @global_blacklist
+
+      blacklist.each do |regexp|
         return true if command =~ /#{regexp}/
       end
       false
@@ -156,7 +153,7 @@ module FrrCliFuzzer
 
     # Prepare command to be used by the CLI fuzzing tester.
     def prepare_command(command)
-      new_command = ''
+      new_command = ""
 
       command.split.each do |word|
         # Custom regexps.
@@ -166,14 +163,14 @@ module FrrCliFuzzer
 
         # Handle intervals.
         if word =~ /(\d+\-\d+)/
-          interval = word.scanf('(%d-%d)')
+          interval = word.scanf("(%d-%d)")
           new_command << interval[1].to_s
         else
           new_command << word
         end
 
         # Append whitespace after each word.
-        new_command << ' '
+        new_command << " "
       end
 
       new_command.rstrip
@@ -183,24 +180,28 @@ module FrrCliFuzzer
     def prepare_commmands
       commands = []
 
-      @nodes.each do |hierarchy|
-        permutations = `#{nsenter} vtysh #{hierarchy} -c \"list permutations\"`
+      @nodes.each do |node|
+        hierarchy = node["hierarchy"]
+        whitelist = node["whitelist"] || []
+        blacklist = node["blacklist"] || []
+
+        permutations = `#{@ns.nsenter} vtysh #{hierarchy} -c \"list permutations\"`
         permutations.each_line do |command|
           command = command.strip
 
           # Check whitelist and blacklist.
-          if filter_whitelist(command)
+          if filter_whitelist(command, whitelist)
             puts "filtering (whitelist): #{command}"
-            @counters['filtered-whitelist'] += 1
+            @counters["filtered-whitelist"] += 1
             next
           end
-          if filter_blacklist(command)
+          if filter_blacklist(command, blacklist)
             puts "filtering (blacklist): #{command}"
-            @counters['filtered-blacklist'] += 1
+            @counters["filtered-blacklist"] += 1
             next
           end
 
-          @counters['non-filtered-cmds'] += 1
+          @counters["non-filtered-cmds"] += 1
 
           commands.push("vtysh #{hierarchy} -c \"#{prepare_command(command)}\"")
         end
@@ -214,9 +215,12 @@ module FrrCliFuzzer
     def send_command(command)
       puts "testing: #{command}"
 
-      vtysh_log = "#{@runstatedir}/vtysh.txt"
-      File.open(vtysh_log, 'a') { |f| f.puts command }
-      system("#{nsenter} #{command} >> #{vtysh_log} 2>&1")
+      ["stdout", "stderr"].each do |suffix|
+        File.open("#{@runstatedir}/vtysh.#{suffix}", "a") { |f| f.puts command }
+      end
+      Kernel.system("#{@ns.nsenter} #{command}",
+                    out: ["#{@runstatedir}/vtysh.stdout", "a"],
+                    err: ["#{@runstatedir}/vtysh.stderr", "a"])
     end
 
     # Print the results of the fuzzing tests.
@@ -227,19 +231,35 @@ module FrrCliFuzzer
       puts "- blacklist filtered commands: #{@counters['filtered-blacklist']}"
       puts "- tested commands: #{@counters['tested-cmds']}"
       puts "- segfaults detected: #{@counters['segfaults']}"
-      @segfaults.each_pair do |msg, count|
-        puts "    (x#{count}) #{msg}"
+      @segfaults.each_pair do |msg, pids|
+        puts "    (x#{pids.size}) #{msg}"
+        print "      PIDs:"
+        pids.each { |pid| print " #{pid}" }
+        puts ""
       end
     end
 
     # Log a segfault to both the standard output and to the fuzzer output file.
     def log_segfault(daemon, command)
       msg = "#{daemon} aborted: #{command}"
+      pid = @daemons[daemon]
+
+      @counters["segfaults"] += 1
+      @segfaults[msg] ||= []
+      @segfaults[msg].push(pid)
+      msg << " (PID: #{pid})"
       puts msg
-      File.open("#{@runstatedir}/output.txt", 'a') { |f| f.puts msg }
+      File.open("#{@runstatedir}/segfaults.txt", "a") { |f| f.puts msg }
+    end
+
+    # Append PID of the aborted daemon to its log files.
+    def rename_log_files(daemon)
+      pid = @daemons[daemon]
 
-      @counters['segfaults'] += 1
-      @segfaults[msg] = @segfaults[msg].to_i + 1
+      ["log", "stdout", "stderr"].each do |suffix|
+        log_file = "#{@runstatedir}/#{daemon}.#{suffix}"
+        FileUtils.mv(log_file, "#{log_file}.#{pid}")
+      end
     end
 
     # Start fuzzing tests.
@@ -255,14 +275,15 @@ module FrrCliFuzzer
 
         # Iterate over all commands.
         commands.each do |command|
-          @counters['tested-cmds'] += 1
+          @counters["tested-cmds"] += 1
           send_command(command)
 
           # Check if all daemons are still alive.
-          @daemons.each do |daemon|
+          @daemons.keys.each do |daemon|
             next if daemon_alive?(daemon)
 
             log_segfault(daemon, command)
+            rename_log_files(daemon)
             start_daemon(daemon)
           end
         end

data/lib/frr-cli-fuzzer/libc.rb

@@ -1,14 +1,37 @@
-require 'ffi'
+require "ffi"
 
 module FrrCliFuzzer
-  # Bindings for a few libc's functions.
-  class LibC
-    extend FFI::Library
-    ffi_lib 'c'
-
-    attach_function :unshare, [:int], :int
-    attach_function :mount, [:string, :string, :string, :ulong, :pointer], :int
-    attach_function :prctl, [:int, :long, :long, :long, :long], :int
+  # Bindings for a few libc"s functions.
+  module LibC
+    class Bindings
+      extend FFI::Library
+      ffi_lib "c"
+
+      attach_function :unshare, [:int], :int
+      attach_function :mount, [:string, :string, :string, :ulong, :pointer], :int
+      attach_function :prctl, [:int, :long, :long, :long, :long], :int
+    end
+
+    # Wrapper for mount(2).
+    def self.mount(source, target, fs_type, flags, data)
+      if Bindings.mount(source, target, fs_type, flags, data) < 0
+        raise SystemCallError.new("mount failed", FFI::LastError.error)
+      end
+    end
+
+    # Wrapper for unshare(2).
+    def self.unshare(flags)
+      if Bindings.unshare(flags) < 0
+        raise SystemCallError.new("unshare failed", FFI::LastError.error)
+      end
+    end
+
+    # Wrapper for prctl(2).
+    def self.prctl(option, arg2, arg3, arg4, arg5)
+      if Bindings.prctl(option, arg2, arg3, arg4, arg5) == -1
+        raise SystemCallError.new("prctl failed", FFI::LastError.error)
+      end
+    end
 
     # include/uapi/linux/sched.h
     CLONE_NEWNS  = 0x00020000

data/lib/frr-cli-fuzzer/linux_namespace.rb

@@ -1,69 +1,69 @@
 module FrrCliFuzzer
   class LinuxNamespace
-    attr_accessor :pid
+    def initialize
+      fork_and_unshare do
+        # This is the init process of the new PID namespace. We need to reap
+        # the zombies.
+        trap(:CHLD) { Process.wait }
+        trap(:INT, :IGNORE)
+        sleep
+      end
+    end
 
     # Create a child process running on a separate network and mount namespace.
     def fork_and_unshare
-      begin
-        io_in, io_out = IO.pipe
+      io_in, io_out = IO.pipe
 
-        pid = Kernel.fork do
-          unshare(LibC::CLONE_NEWNS | LibC::CLONE_NEWPID | LibC::CLONE_NEWNET)
+      LibC.prctl(FrrCliFuzzer::LibC::PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0)
 
-          # Fork again to use the new PID namespace.
-          # Need to supress a warning that is irrelevant for us.
-          warn_level = $VERBOSE
-          $VERBOSE = nil
-          pid = Kernel.fork do
-            # HACK: kill when parent dies.
-            trap(:SIGUSR1) do
-              LibC.prctl(LibC::PR_SET_PDEATHSIG, 15, 0, 0, 0)
-              trap(:SIGUSR1, :IGNORE)
-            end
-            LibC.prctl(LibC::PR_SET_PDEATHSIG, 10, 0, 0, 0)
+      pid = Kernel.fork do
+        LibC.unshare(LibC::CLONE_NEWNS | LibC::CLONE_NEWPID | LibC::CLONE_NEWNET)
 
-            mount_propagation(LibC::MS_REC | LibC::MS_PRIVATE)
-            mount_proc
-            yield
+        # Fork again to use the new PID namespace.
+        # Need to supress a warning that is irrelevant for us.
+        warn_level = $VERBOSE
+        $VERBOSE = nil
+        pid = Kernel.fork do
+          # HACK: kill when parent dies.
+          trap(:SIGUSR1) do
+            LibC.prctl(LibC::PR_SET_PDEATHSIG, 15, 0, 0, 0)
+            trap(:SIGUSR1, :IGNORE)
           end
-          $VERBOSE = warn_level
-          io_out.puts "#{pid}"
-          exit(0)
-        end
+          LibC.prctl(LibC::PR_SET_PDEATHSIG, 10, 0, 0, 0)
 
-        @pid = io_in.gets.to_i
-        Process.waitpid(pid)
-      rescue SystemCallError => e
-        $stderr.puts "System call error:: #{e.message}"
-        $stderr.puts e.backtrace
-        exit(1)
+          mount_propagation(LibC::MS_REC | LibC::MS_PRIVATE)
+          mount_proc
+          yield
+        end
+        $VERBOSE = warn_level
+        io_out.puts(pid)
+        exit(0)
       end
+
+      @pid = io_in.gets.to_i
+      Process.waitpid(pid)
+    rescue SystemCallError => e
+      warn "System call error:: #{e.message}"
+      warn e.backtrace
+      exit(1)
     end
 
     # Set the mount propagation of the process.
     def mount_propagation(flags)
-      mount('none', '/', nil, flags, nil)
+      LibC.mount("none", "/", nil, flags, nil)
     end
 
     # Mount the proc filesystem (useful after creating a new PID namespace).
     def mount_proc
-      mount('none', '/proc', nil, LibC::MS_REC | LibC::MS_PRIVATE, nil)
-      mount('proc', '/proc', 'proc',
-            LibC::MS_NOSUID | LibC::MS_NOEXEC | LibC::MS_NODEV, nil)
+      LibC.mount("none", "/proc", nil, LibC::MS_REC | LibC::MS_PRIVATE, nil)
+      LibC.mount("proc", "/proc", "proc",
+                 LibC::MS_NOSUID | LibC::MS_NOEXEC | LibC::MS_NODEV, nil)
     end
 
-    # Wrapper for mount(2).
-    def mount(source, target, fs_type, flags, data)
-      if LibC.mount(source, target, fs_type, flags, data) < 0
-        raise SystemCallError.new('mount failed', FFI::LastError.error)
-      end
-    end
-
-    # Wrapper for unshare(2).
-    def unshare(flags)
-      if LibC.unshare(flags) < 0
-        raise SystemCallError.new('unshare failed', FFI::LastError.error)
-      end
+    # nsenter(1) is a standard tool from the util-linux package. It can be used
+    # to run a program with namespaces of other processes.
+    def nsenter
+      "nsenter -t #{@pid} --mount --pid --net"
     end
   end
 end

data/lib/frr-cli-fuzzer/version.rb

@@ -1,3 +1,3 @@
 module FrrCliFuzzer
-  VERSION = "0.1.0"
+  VERSION = "1.0.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: frr-cli-fuzzer
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0
 platform: ruby
 authors:
 - Renato Westphal
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-10-06 00:00:00.000000000 Z
+date: 2018-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -61,6 +61,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rubocop.yml"
 - Gemfile
 - LICENSE.txt
 - README.md