Fuzzing Rust FIDL bindings?


Adam Perry

Dec 21, 2022, 5:47:07 PM
to fidl-dev, Mark Dittmer
Hello!

I'm discussing a new feature for Component Manager with the Security team, and they raised the question of what parser I'm using and whether it's fuzzed. In this case the data I'm ingesting will be parsed as a persistent FIDL message by the Rust bindings, and +Mark Dittmer was wondering whether the Rust bindings are fuzzed today for that use case and if so how hard it would be to define a fuzzer for this particular FIDL library that includes some expected inputs to this feature as part of the corpus.

I'm looking in codesearch and only seeing code that looks like it's fuzzing the C++ bindings, but I haven't looked that hard yet. Can anyone tell me off-hand whether we fuzz our Rust bindings, and if so where that code lives? Thanks!

--
Adam Perry

Yifei Teng

Dec 21, 2022, 6:03:25 PM
to fidl-dev, Adam Perry, Mark Dittmer
AFAIK fidlgen_libfuzzer [1] generates fuzzing code and it fuzzes the encoding and decoding of C++ wire types. It additionally generates code for fuzzing FIDL protocol implementations over a channel, which may indirectly exercise the encoding and decoding of FIDL types in various languages, but it doesn't directly fuzz e.g. Rust persistent message parsing. It should be possible to extend it to generate the relevant logic.
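As an added illustration (not part of the original thread, and not Fuchsia's fidlgen_libfuzzer or the Rust FIDL bindings), the following is the shape a Rust persistent-message fuzz target takes when the corpus is seeded with the feature's own expected inputs. The 8-byte header check (zero txid for a persistent message, flag bytes, magic byte at offset 7) follows the FIDL transactional header in outline only; the `WIRE_V2` flag value, the body layout (`version: u32`, `name_len: u32`, name bytes) and both decoders are simplified stand-ins I wrote for this example. `catch_unwind` plays the role that `fuzz_target!` plays under libFuzzer, and the xorshift mutator stands in for the engine, so the block runs stand-alone. In a real target you would replace `decode_checked` with the bindings' generated persistent decode call and drop the `encode_persistent` outputs into the fuzzer's corpus directory.

```rust
// Added example: a hand-rolled stand-in for a Rust persistent-FIDL fuzz target.
// Header outline follows the FIDL transactional header; body layout, flag value
// and decoders are simplified assumptions, not the real bindings.
use std::panic::{self, AssertUnwindSafe};

const HEADER_LEN: usize = 8;
const MAGIC: u8 = 0x01;   // magic byte at offset 7 (assumed value)
const WIRE_V2: u8 = 0x02; // assumed: at-rest flag bit for wire format v2, in flag byte 0

#[derive(Debug, Clone, PartialEq)]
pub struct Config { pub version: u32, pub name: String }

#[derive(Debug, PartialEq)]
pub enum DecodeError { Truncated, NonZeroTxid, BadMagic, UnsupportedWire, BadLength, BadUtf8 }

pub type Decoder = fn(&[u8]) -> Result<Config, DecodeError>;

/// Little-endian u32 from the first four bytes, None if fewer are present.
fn le_u32(b: &[u8]) -> Option<u32> {
    match b { [x0, x1, x2, x3, ..] => Some(u32::from_le_bytes([*x0, *x1, *x2, *x3])), _ => None }
}

/// Builds the "expected input" seeds: header, then `version`, `name_len`, name bytes
/// (simplified body, not the real FIDL struct/string layout).
pub fn encode_persistent(cfg: &Config) -> Vec<u8> {
    let mut out = vec![0u8; HEADER_LEN]; // txid = 0 marks a persistent (non-transactional) message
    out[4] = WIRE_V2;
    out[7] = MAGIC;
    out.extend_from_slice(&cfg.version.to_le_bytes());
    out.extend_from_slice(&(cfg.name.len() as u32).to_le_bytes());
    out.extend_from_slice(cfg.name.as_bytes());
    out
}

/// Validates the header and hands back the body; every failure is an Err, never a panic.
fn parse_header(bytes: &[u8]) -> Result<&[u8], DecodeError> {
    if bytes.len() < HEADER_LEN { return Err(DecodeError::Truncated); }
    if le_u32(bytes) != Some(0) { return Err(DecodeError::NonZeroTxid); }
    if bytes[7] != MAGIC { return Err(DecodeError::BadMagic); }
    if bytes[4] & WIRE_V2 == 0 { return Err(DecodeError::UnsupportedWire); }
    Ok(&bytes[HEADER_LEN..])
}

/// Deliberately sloppy body parser: trusts the length prefix and indexes directly,
/// so a truncated or length-corrupted input panics. The harness below is meant to find it.
pub fn decode_naive(bytes: &[u8]) -> Result<Config, DecodeError> {
    let body = parse_header(bytes)?;
    let version = le_u32(&body[0..4]).unwrap();
    let len = le_u32(&body[4..8]).unwrap() as usize;
    let name = String::from_utf8_lossy(&body[8..8 + len]).into_owned();
    Ok(Config { version, name })
}

/// Hardened body parser: bounds-checked reads, exact length match, UTF-8 validated.
pub fn decode_checked(bytes: &[u8]) -> Result<Config, DecodeError> {
    let body = parse_header(bytes)?;
    let version = le_u32(body).ok_or(DecodeError::Truncated)?;
    let len = body.get(4..).and_then(le_u32).ok_or(DecodeError::Truncated)? as usize;
    let raw = body.get(8..).ok_or(DecodeError::Truncated)?;
    if raw.len() != len { return Err(DecodeError::BadLength); } // too short or trailing bytes
    let name = std::str::from_utf8(raw).map_err(|_| DecodeError::BadUtf8)?.to_owned();
    Ok(Config { version, name })
}

/// One fuzz iteration: run the decoder under catch_unwind (the job fuzz_target! does in a
/// real libFuzzer target) and report whether it survived. Ok vs Err is irrelevant here;
/// well-formed and malformed inputs must both come back without panicking.
pub fn fuzz_one(decoder: Decoder, input: &[u8]) -> bool {
    panic::catch_unwind(AssertUnwindSafe(|| { let _ = decoder(input); })).is_ok()
}

/// Seed corpus of expected inputs (must be non-empty) plus deterministic mutations
/// (xorshift64, so a run is reproducible); returns the first input that made the
/// decoder panic, if any.
pub fn run_corpus(decoder: Decoder, seeds: &[Vec<u8>], rounds: u32) -> Option<Vec<u8>> {
    let mut state: u64 = 0x9E37_79B9_7F4A_7C15;
    let mut next = move || { state ^= state << 13; state ^= state >> 7; state ^= state << 17; state };
    for seed in seeds { if !fuzz_one(decoder, seed) { return Some(seed.clone()); } }
    for _ in 0..rounds {
        let mut input = seeds[next() as usize % seeds.len()].clone();
        let i = next() as usize % input.len();
        match next() % 3 {
            0 => input[i] ^= 1u8 << (next() % 8), // single bit flip
            1 => input.truncate(i),               // truncation
            _ => input[i] = 0xFF,                 // saturate a byte (inflates length fields)
        }
        if !fuzz_one(decoder, &input) { return Some(input); }
    }
    None
}

fn main() {
    // Constructed seeds standing in for the feature's expected inputs.
    let seeds: Vec<Vec<u8>> = ["default", "with-feature-x"].iter()
        .map(|n| encode_persistent(&Config { version: 1, name: n.to_string() })).collect();
    println!("checked decoder crash: {:?}", run_corpus(decode_checked, &seeds, 2000));
    println!("naive decoder crash:   {:?}", run_corpus(decode_naive, &seeds, 2000));
}
```

The point of seeding with `encode_persistent` outputs is that the mutator starts from inputs that already pass the header checks, so coverage reaches the body parser immediately instead of spending its budget rediscovering the magic byte and zero txid. With that seed, a few dozen truncation or length-inflating mutations are enough to make `decode_naive` panic, while `decode_checked` returns an `Err` for every mutant.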

Adam Perry

Dec 21, 2022, 7:03:45 PM
to Yifei Teng, fidl-dev, Mark Dittmer
OK, thanks for the context! I couldn't find existing ones, so I filed a couple of bugs; feel free to re-triage as appropriate.
--
Adam Perry