Fuzz introspector: qrexec_daemon_fuzzer
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
0 | 21 | 1: ['send_service_refused'] | 0 | 21 | handle_execute_service | call site: 00039 | /src/qubes-os/qubes-core-qrexec/fuzz/../daemon/qrexec-daemon.c:1043
0 | 4 | 1: ['fuzz_exit'] | 0 | 4 | send_service_refused | call site: 00036 | /src/qubes-os/qubes-core-qrexec/fuzz/../daemon/qrexec-daemon.c:712
0 | 0 | None | 2 | 276 | handle_message_from_agent | call site: 00038 | /src/qubes-os/qubes-core-qrexec/fuzz/../daemon/qrexec-daemon.c:1313
0 | 0 | None | 0 | 6 | fuzz_libvchan_read | call site: 00009 | /src/qubes-os/qubes-core-qrexec/fuzz/fuzz.c:62
0 | 0 | None | 0 | 4 | send_service_refused | call site: 00032 | /src/qubes-os/qubes-core-qrexec/fuzz/../daemon/qrexec-daemon.c:707
0 | 0 | None | 0 | 0 | fuzz_libvchan_read | call site: 00010 | /src/qubes-os/qubes-core-qrexec/fuzz/fuzz.c:65
0 | 0 | None | 0 | 0 | fuzz_write | call site: 00033 | /src/qubes-os/qubes-core-qrexec/fuzz/fuzz.c:128
0 | 0 | None | 0 | 0 | fuzz_write | call site: 00034 | /src/qubes-os/qubes-core-qrexec/fuzz/fuzz.c:131

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 fuzz_file_create [function] [call site] 00001
2 panic [function] [call site] 00002
3 fprintf [call site] 00003
3 abort [call site] 00004
1 _setjmp [call site] 00005
1 fuzz_file_destroy [function] [call site] 00006
1 handle_message_from_agent [function] [call site] 00007
2 fuzz_libvchan_recv [function] [call site] 00008
3 fuzz_libvchan_read [function] [call site] 00009
4 file_input_eof [function] [call site] 00011
4 file_read [function] [call site] 00012
5 __assert_fail [call site] 00013
2 handle_vchan_error [function] [call site] 00014
3 fuzz_exit [function] [call site] 00015
4 longjmp [call site] 00016
2 sanitize_message_from_agent [function] [call site] 00017
2 fuzz_libvchan_recv [function] [call site] 00025
2 handle_vchan_error [function] [call site] 00026
2 sanitize_name [function] [call site] 00027
3 strchr [call site] 00028
2 sanitize_name [function] [call site] 00029
2 validate_request_id [function] [call site] 00030
2 send_service_refused [function] [call site] 00031
3 fuzz_libvchan_send [function] [call site] 00032
3 fuzz_exit [function] [call site] 00035
3 fuzz_libvchan_send [function] [call site] 00036
3 fuzz_exit [function] [call site] 00037
2 handle_execute_service [function] [call site] 00038
3 find_policy_pending_slot [function] [call site] 00039
3 send_service_refused [function] [call site] 00040
3 fuzz_exit [function] [call site] 00041
3 close [call site] 00042
3 connect_daemon_socket [function] [call site] 00043
4 socket [call site] 00044
4 _exit [call site] 00045
4 connect [call site] 00046
4 send_request_to_daemon [function] [call site] 00047
5 asprintf [call site] 00048
5 _exit [call site] 00049
5 send [call site] 00050
5 abort [call site] 00051
5 __assert_fail [call site] 00052
5 _exit [call site] 00053
4 qubes_read_all_to_malloc [function] [call site] 00054
5 abort [call site] 00055
5 abort [call site] 00056
5 abort [call site] 00057
5 __errno_location [call site] 00062
5 abort [call site] 00063
5 __errno_location [call site] 00064
5 abort [call site] 00065
5 __errno_location [call site] 00066
5 realloc [call site] 00067
5 __errno_location [call site] 00068
5 close [call site] 00069
4 parse_policy_response [function] [call site] 00070
5 strlen [call site] 00071
5 strsep [call site] 00072
5 strncmp [call site] 00073
5 strcmp [call site] 00074
5 strcmp [call site] 00075
5 strncmp [call site] 00076
5 strdup [call site] 00077
5 abort [call site] 00078
5 strncmp [call site] 00079
5 strdup [call site] 00080
5 abort [call site] 00081
5 strncmp [call site] 00082
5 strcmp [call site] 00083
5 strcmp [call site] 00084
5 strncmp [call site] 00085
5 strdup [call site] 00086
5 abort [call site] 00087
5 strchr [call site] 00088
4 __assert_fail [call site] 00089
4 close [call site] 00090
4 abort [call site] 00091
4 socketpair [call site] 00092
4 _exit [call site] 00093
4 _exit [call site] 00094
4 close [call site] 00095
4 abort [call site] 00096
4 dup2 [call site] 00097
4 _exit [call site] 00098
4 close [call site] 00099
4 abort [call site] 00100
4 snprintf [call site] 00101
4 execl [call site] 00102
4 _exit [call site] 00103
4 close [call site] 00104
4 abort [call site] 00105
4 qubes_read_all_to_malloc [function] [call site] 00106
4 waitpid [call site] 00107
4 _exit [call site] 00108
4 _exit [call site] 00109
4 parse_policy_response [function] [call site] 00110
3 _exit [call site] 00111
3 strchr [call site] 00112
3 strcmp [call site] 00113
3 strcmp [call site] 00114
3 asprintf [call site] 00115
3 _exit [call site] 00116
3 strncmp [call site] 00117
3 qubesd_call [function] [call site] 00118
4 strlen [call site] 00119
4 strlen [call site] 00120
4 strlen [call site] 00121
4 socket [call site] 00122
4 __errno_location [call site] 00123
4 __errno_location [call site] 00124
4 connect [call site] 00125
4 qubes_sendmsg_all [function] [call site] 00126
5 sendmsg [call site] 00127
5 __errno_location [call site] 00128
5 __assert_fail [call site] 00129
5 __errno_location [call site] 00130
5 __assert_fail [call site] 00131
4 shutdown [call site] 00132
4 qubes_read_all_to_malloc [function] [call site] 00133
4 strlen [call site] 00134
4 close [call site] 00135
3 _exit [call site] 00136
3 memcmp [call site] 00137
3 memcmp [call site] 00138
3 _exit [call site] 00139
3 asprintf [call site] 00140
3 _exit [call site] 00141
3 qubesd_call [function] [call site] 00142
3 _exit [call site] 00143
3 memcmp [call site] 00144
3 memcmp [call site] 00145
3 memcmp [call site] 00146
3 _exit [call site] 00147
3 asprintf [call site] 00148
3 _exit [call site] 00149
3 execv [call site] 00150
3 _exit [call site] 00151
2 handle_vchan_error [function] [call site] 00152
2 fuzz_libvchan_recv [function] [call site] 00153
2 handle_vchan_error [function] [call site] 00154
2 fuzz_libvchan_recv [function] [call site] 00155
2 handle_vchan_error [function] [call site] 00156
2 sanitize_name [function] [call site] 00157
2 validate_request_id [function] [call site] 00158
2 strlen [call site] 00159
2 sanitize_name [function] [call site] 00160
2 handle_execute_service [function] [call site] 00161
2 send_service_refused [function] [call site] 00162
2 handle_connection_terminated [function] [call site] 00163
3 fuzz_libvchan_recv [function] [call site] 00164
3 handle_vchan_error [function] [call site] 00165
3 fuzz_exit [function] [call site] 00166
3 release_vchan_port [function] [call site] 00167
4 terminate_client [function] [call site] 00168
5 close [call site] 00169
1 fuzz_file_destroy [function] [call site] 00170