Fuzz introspector: qrexec_daemon_fuzzer
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

| Amount of callsites blocked | Calltree index | Parent function | Callsite | Largest blocked function |
|---|---|---|---|---|
| 588 | 0 | EP | call site: 00000 | handle_message_from_agent |

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 fuzz_file_create [function] [call site] 00001
2 panic [function] [call site] 00002
3 fprintf [call site] 00003
3 abort [call site] 00004
1 _setjmp [call site] 00005
1 fuzz_file_destroy [function] [call site] 00006
1 handle_message_from_agent [function] [call site] 00007
2 fuzz_libvchan_recv [function] [call site] 00008
3 fuzz_libvchan_read [function] [call site] 00009
4 file_input_eof [function] [call site] 00011
4 file_read [function] [call site] 00012
5 __assert_fail [call site] 00013
2 handle_vchan_error [function] [call site] 00014
3 fuzz_exit [function] [call site] 00015
4 longjmp [call site] 00016
2 sanitize_message_from_agent [function] [call site] 00017
2 fuzz_libvchan_recv [function] [call site] 00028
2 handle_vchan_error [function] [call site] 00029
2 sanitize_name [function] [call site] 00030
3 strchr [call site] 00031
2 sanitize_name [function] [call site] 00032
2 validate_request_id [function] [call site] 00033
2 send_service_refused [function] [call site] 00034
3 fuzz_libvchan_send [function] [call site] 00035
3 fuzz_exit [function] [call site] 00038
3 fuzz_libvchan_send [function] [call site] 00039
3 fuzz_exit [function] [call site] 00040
2 validate_service_name [function] [call site] 00041
3 sanitize_name [function] [call site] 00042
2 send_service_refused [function] [call site] 00043
2 handle_execute_service [function] [call site] 00044
3 find_policy_pending_slot [function] [call site] 00045
3 send_service_refused [function] [call site] 00046
3 fuzz_exit [function] [call site] 00047
3 atexit [call site] 00048
3 null_exit [function] [call site] 00049
4 _exit [call site] 00050
3 _exit [call site] 00051
3 sigaction [call site] 00052
3 handle_execute_service_child [function] [call site] 00053
4 close [call site] 00054
4 connect_daemon_socket [function] [call site] 00055
5 socket [call site] 00056
5 daemon__exit [function] [call site] 00057
6 _exit [call site] 00058
5 connect [call site] 00059
5 send_request_to_daemon [function] [call site] 00060
6 asprintf [call site] 00061
6 daemon__exit [function] [call site] 00062
6 send [call site] 00063
6 abort [call site] 00064
6 __assert_fail [call site] 00065
6 daemon__exit [function] [call site] 00066
5 qubes_read_all_to_malloc [function] [call site] 00067
6 abort [call site] 00068
6 abort [call site] 00069
6 abort [call site] 00070
6 __assert_fail [call site] 00071
6 __errno_location [call site] 00076
6 abort [call site] 00077
6 __errno_location [call site] 00078
6 abort [call site] 00079
6 __errno_location [call site] 00080
6 realloc [call site] 00081
6 __errno_location [call site] 00082
6 close [call site] 00083
5 parse_policy_response [function] [call site] 00084
6 strlen [call site] 00085
6 strsep [call site] 00086
6 strncmp [call site] 00087
6 strcmp [call site] 00088
6 strcmp [call site] 00089
6 strncmp [call site] 00090
6 strdup [call site] 00091
6 abort [call site] 00092
6 strncmp [call site] 00093
6 strdup [call site] 00094
6 abort [call site] 00095
6 strncmp [call site] 00096
6 strdup [call site] 00097
6 abort [call site] 00098
6 strncmp [call site] 00099
6 strcmp [call site] 00100
6 strcmp [call site] 00101
6 strncmp [call site] 00102
6 strdup [call site] 00103
6 abort [call site] 00104
6 strncmp [call site] 00105
6 strdup [call site] 00106
6 abort [call site] 00107
6 strncmp [call site] 00108
6 strdup [call site] 00109
6 abort [call site] 00110
6 strchr [call site] 00111
5 __assert_fail [call site] 00112
5 close [call site] 00113
5 abort [call site] 00114
5 socketpair [call site] 00115
5 daemon__exit [function] [call site] 00116
5 daemon__exit [function] [call site] 00117
5 close [call site] 00118
5 daemon__exit [function] [call site] 00119
5 dup2 [call site] 00120
5 daemon__exit [function] [call site] 00121
5 close [call site] 00122
5 abort [call site] 00123
5 snprintf [call site] 00124
5 execl [call site] 00125
5 daemon__exit [function] [call site] 00126
5 close [call site] 00127
5 abort [call site] 00128
5 qubes_read_all_to_malloc [function] [call site] 00129
5 waitpid [call site] 00130
5 daemon__exit [function] [call site] 00131
5 daemon__exit [function] [call site] 00132
5 parse_policy_response [function] [call site] 00133
4 daemon__exit [function] [call site] 00134
4 strchr [call site] 00135
4 target_refers_to_dom0 [function] [call site] 00136
5 strcmp [call site] 00137
5 strcmp [call site] 00138
5 strcmp [call site] 00139
4 asprintf [call site] 00140
4 daemon__exit [function] [call site] 00141
4 register_exec_func [function] [call site] 00142
5 abort [call site] 00143
4 do_exec [function] [call site] 00144
5 exec_qubes_rpc2 [function] [call site] 00145
6 __assert_fail [call site] 00146
6 calloc [call site] 00147
6 _exit [call site] 00148
6 should_strip_env_var [function] [call site] 00149
7 strncmp [call site] 00150
7 strncmp [call site] 00151
7 strncmp [call site] 00152
6 abort [call site] 00153
6 strdup [call site] 00154
6 _exit [call site] 00155
6 strtok_r [call site] 00156
6 _exit [call site] 00157
6 strtok_r [call site] 00158
6 _exit [call site] 00159
6 _exit [call site] 00160
6 strchr [call site] 00161
6 abort [call site] 00162
6 asprintf [call site] 00163
6 strcmp [call site] 00164
6 abort [call site] 00165
6 asprintf [call site] 00166
6 strcmp [call site] 00167
6 abort [call site] 00168
6 asprintf [call site] 00169
6 abort [call site] 00170
6 abort [call site] 00171
6 asprintf [call site] 00172
6 abort [call site] 00173
6 asprintf [call site] 00174
6 abort [call site] 00175
6 asprintf [call site] 00176
6 __assert_fail [call site] 00177
6 execve [call site] 00178
6 __errno_location [call site] 00179
6 _exit [call site] 00180
6 _exit [call site] 00181
6 strcmp [call site] 00182
6 strcmp [call site] 00183
6 asprintf [call site] 00184
6 execve [call site] 00185
6 _exit [call site] 00186
6 _exit [call site] 00187
5 execl [call site] 00188
5 _exit [call site] 00189
4 run_qrexec_to_dom0 [function] [call site] 00190
5 set_remote_domain [function] [call site] 00191
6 setenv [call site] 00192
6 abort [call site] 00193
5 connect_unix_socket_by_id [function] [call site] 00194
6 snprintf [call site] 00195
6 abort [call site] 00196
6 connect_unix_socket [function] [call site] 00197
7 socket [call site] 00198
7 snprintf [call site] 00199
7 abort [call site] 00200
7 close [call site] 00201
7 connect [call site] 00202
7 __errno_location [call site] 00203
7 close [call site] 00204
7 handle_daemon_handshake [function] [call site] 00205
8 read_all [function] [call site] 00206
9 fuzz_read [function] [call site] 00207
9 __errno_location [call site] 00208
9 __errno_location [call site] 00209
9 __errno_location [call site] 00210
9 set_block [function] [call site] 00211
10 fcntl [call site] 00212
10 fcntl [call site] 00213
8 write_all [function] [call site] 00215
9 fuzz_write [function] [call site] 00216
9 __errno_location [call site] 00217
8 write_all [function] [call site] 00218
5 negotiate_connection_params [function] [call site] 00219
6 write_all [function] [call site] 00220
6 write_all [function] [call site] 00221
6 write_all [function] [call site] 00222
6 __assert_fail [call site] 00224
5 buffer_init [function] [call site] 00226
5 parse_qubes_rpc_command [function] [call site] 00227
6 calloc [call site] 00228
6 strchr [call site] 00229
6 memdupnul [function] [call site] 00230
6 strncmp [call site] 00231
6 strncmp [call site] 00232
6 strchr [call site] 00233
6 memchr [call site] 00234
6 memdupnul [function] [call site] 00235
6 memdupnul [function] [call site] 00236
6 strchrnul [call site] 00237
6 memdupnul [function] [call site] 00238
6 destroy_qrexec_parsed_command [function] [call site] 00239
5 wait_for_session_maybe [function] [call site] 00240
6 load_service_config_v2 [function] [call site] 00241
7 __assert_fail [call site] 00242
7 load_service_config_raw [function] [call site] 00243
8 getenv [call site] 00244
8 find_file [function] [call site] 00245
9 strlen [call site] 00246
9 strchrnul [call site] 00247
9 strcpy [call site] 00248
9 lstat [call site] 00249
9 readlink [call site] 00250
9 memcmp [call site] 00251
9 memcmp [call site] 00252
9 stat [call site] 00253
9 __assert_fail [call site] 00254
9 __assert_fail [call site] 00255
9 __errno_location [call site] 00256
8 find_file [function] [call site] 00257
8 qubes_toml_config_parse [function] [call site] 00258
9 fopen [call site] 00259
9 getline [call site] 00260
9 abort [call site] 00261
9 strlen [call site] 00262
9 qubes_isspace [function] [call site] 00263
9 qubes_is_key_byte [function] [call site] 00264
9 qubes_isspace [function] [call site] 00265
9 qubes_isspace [function] [call site] 00266
9 parse_toml_value [function] [call site] 00267
10 __errno_location [call site] 00268
10 strtoull [call site] 00269
10 __errno_location [call site] 00270
10 strncmp [call site] 00271
10 strncmp [call site] 00272
10 strchr [call site] 00273
10 qubes_isspace [function] [call site] 00274
9 strcmp [call site] 00275
9 toml_check_dup_key [function] [call site] 00276
9 toml_value_free [function] [call site] 00277
9 toml_invalid_type [function] [call site] 00278
9 toml_value_free [function] [call site] 00279
9 strcmp [call site] 00280
9 toml_check_dup_key [function] [call site] 00281
9 toml_value_free [function] [call site] 00282
9 toml_invalid_type [function] [call site] 00283
9 toml_value_free [function] [call site] 00284
9 strcmp [call site] 00285
9 toml_check_dup_key [function] [call site] 00286
9 toml_value_free [function] [call site] 00287
9 toml_invalid_type [function] [call site] 00288
9 toml_value_free [function] [call site] 00289
9 strcmp [call site] 00290
9 toml_check_dup_key [function] [call site] 00291
9 toml_value_free [function] [call site] 00292
9 toml_invalid_type [function] [call site] 00293
9 toml_value_free [function] [call site] 00294
9 strcmp [call site] 00295
9 toml_check_dup_key [function] [call site] 00296
9 toml_value_free [function] [call site] 00297
9 toml_invalid_type [function] [call site] 00298
9 toml_value_free [function] [call site] 00299
9 toml_value_free [function] [call site] 00300
9 fclose [call site] 00301
6 close [call site] 00302
6 exec_wait_for_session [function] [call site] 00303
7 getenv [call site] 00304
7 find_file [function] [call site] 00305
7 setenv [call site] 00306
7 execl [call site] 00307
6 _exit [call site] 00308
6 waitpid [call site] 00309
5 prepare_local_fds [function] [call site] 00310
6 abort [call site] 00311
6 sigemptyset [call site] 00312
6 sigaction [call site] 00313
6 execute_parsed_qubes_rpc_command [function] [call site] 00314
7 find_qrexec_service [function] [call site] 00315
8 __assert_fail [call site] 00316
8 __assert_fail [call site] 00317
8 getenv [call site] 00318
8 find_file [function] [call site] 00319
8 find_file [function] [call site] 00320
8 socket [call site] 00321
8 strlen [call site] 00322
8 qubes_connect [function] [call site] 00323
9 mkdtemp [call site] 00324
9 symlink [call site] 00325
9 __errno_location [call site] 00326
9 connect [call site] 00327
9 __errno_location [call site] 00328
9 __errno_location [call site] 00329
9 unlink [call site] 00330
9 rmdir [call site] 00331
9 __errno_location [call site] 00332
8 close [call site] 00333
8 strlen [call site] 00334
8 buffer_append [function] [call site] 00335
9 __assert_fail [call site] 00336
9 abort [call site] 00337
9 abort [call site] 00338
9 limited_malloc [function] [call site] 00339
10 abort [call site] 00340
10 abort [call site] 00341
9 buffer_free [function] [call site] 00342
10 limited_free [function] [call site] 00343
11 abort [call site] 00344
10 buffer_init [function] [call site] 00345
8 __assert_fail [call site] 00346
8 memcmp [call site] 00347
8 __assert_fail [call site] 00348
8 strchr [call site] 00349
8 __assert_fail [call site] 00350
8 strrchr [call site] 00351
8 strlen [call site] 00352
8 buffer_append [function] [call site] 00353
8 qubes_tcp_connect [function] [call site] 00354
9 validate_port [function] [call site] 00355
10 memcmp [call site] 00356
9 strchr [call site] 00357
9 getaddrinfo [call site] 00358
9 __assert_fail [call site] 00359
9 __assert_fail [call site] 00360
9 socket [call site] 00361
9 setsockopt [call site] 00362
9 abort [call site] 00363
9 connect [call site] 00364
9 close [call site] 00365
9 freeaddrinfo [call site] 00366
8 euidaccess [call site] 00367
7 __assert_fail [call site] 00368
7 do_fork_exec [function] [call site] 00369
8 socketpair [call site] 00370
8 socketpair [call site] 00371
8 pipe2 [call site] 00372
8 signal [call site] 00373
8 abort [call site] 00374
8 fix_fds [function] [call site] 00375
9 _exit [call site] 00376
9 dup2 [call site] 00377
9 dup2 [call site] 00378
9 dup2 [call site] 00379
9 abort [call site] 00380
9 close [call site] 00381
8 abort [call site] 00383
8 close [call site] 00384
8 close [call site] 00385
8 close [call site] 00386
7 do_fork_exec [function] [call site] 00387
5 fuzz_libvchan_client_init_async [function] [call site] 00388
5 qubes_wait_for_vchan_connection_with_timeout [function] [call site] 00389
6 clock_gettime [call site] 00390
6 __assert_fail [call site] 00391
6 clock_gettime [call site] 00392
6 __assert_fail [call site] 00393
6 ppoll [call site] 00394
6 __errno_location [call site] 00395
6 fuzz_libvchan_wait [function] [call site] 00396
6 fuzz_libvchan_client_init_async_finish [function] [call site] 00397
7 abort [call site] 00398
5 fuzz_libvchan_close [function] [call site] 00399
5 handshake_and_go [function] [call site] 00400
6 fuzz_libvchan_is_open [function] [call site] 00401
6 handle_agent_handshake [function] [call site] 00402
7 read_vchan_all [function] [call site] 00403
8 fuzz_libvchan_read [function] [call site] 00404
7 read_vchan_all [function] [call site] 00405
7 write_vchan_all [function] [call site] 00406
8 fuzz_libvchan_write [function] [call site] 00407
9 fuzz_write [function] [call site] 00408
7 write_vchan_all [function] [call site] 00409
6 handle_failed_exec [function] [call site] 00410
7 fuzz_libvchan_send [function] [call site] 00411
7 send_exit_code [function] [call site] 00412
8 fuzz_libvchan_send [function] [call site] 00413
8 fuzz_libvchan_send [function] [call site] 00414
6 __assert_fail [call site] 00415
6 select_loop [function] [call site] 00416
7 qrexec_process_io [function] [call site] 00417
8 __assert_fail [call site] 00418
8 max_data_chunk_size [function] [call site] 00419
8 fuzz_libvchan_send [function] [call site] 00420
8 handle_vchan_error [function] [call site] 00421
9 fuzz_exit [function] [call site] 00422
8 sigemptyset [call site] 00423
8 sigaddset [call site] 00424
8 sigprocmask [call site] 00425
8 sigemptyset [call site] 00426
8 set_nonblock [function] [call site] 00427
9 fcntl [call site] 00428
9 abort [call site] 00429
9 fcntl [call site] 00430
8 set_nonblock [function] [call site] 00431
8 __assert_fail [call site] 00432
8 __assert_fail [call site] 00433
8 __assert_fail [call site] 00434
8 set_nonblock [function] [call site] 00435
8 __assert_fail [call site] 00436
8 __assert_fail [call site] 00437
8 waitpid [call site] 00438
8 fuzz_libvchan_send [function] [call site] 00439
8 close_stdio [function] [call site] 00440
9 shutdown [call site] 00441
9 __errno_location [call site] 00442
9 close [call site] 00443
9 __errno_location [call site] 00444
9 set_block [function] [call site] 00445
9 close [call site] 00446
8 send_exit_code [function] [call site] 00447
8 handle_vchan_error [function] [call site] 00448
8 fuzz_libvchan_is_open [function] [call site] 00449
8 fuzz_libvchan_data_ready [function] [call site] 00450
8 buffer_len [function] [call site] 00451
8 close_stdio [function] [call site] 00452
8 buffer_len [function] [call site] 00453
8 fuzz_libvchan_buffer_space [function] [call site] 00454
8 fuzz_libvchan_fd_for_select [function] [call site] 00455
8 buffer_len [function] [call site] 00456
8 fuzz_libvchan_data_ready [function] [call site] 00457
8 ppoll [call site] 00458
8 ppoll [call site] 00459
8 __errno_location [call site] 00460
8 fuzz_libvchan_wait [function] [call site] 00461
8 handle_vchan_error [function] [call site] 00462
8 fuzz_libvchan_send [function] [call site] 00463
8 close_stdio [function] [call site] 00464
8 handle_remote_data_v2 [function] [call site] 00465
9 abort [call site] 00466
9 flush_client_data [function] [call site] 00467
10 buffer_len [function] [call site] 00468
10 buffer_data [function] [call site] 00469
10 fuzz_write [function] [call site] 00470
10 buffer_remove [function] [call site] 00471
11 abort [call site] 00472
11 limited_malloc [function] [call site] 00473
11 buffer_free [function] [call site] 00474
9 fuzz_libvchan_data_ready [function] [call site] 00475
9 fuzz_libvchan_recv [function] [call site] 00476
9 read_vchan_all [function] [call site] 00477
9 do_replace_chars [function] [call site] 00478
9 write_stdin [function] [call site] 00479
10 buffer_len [function] [call site] 00480
10 buffer_append [function] [call site] 00481
10 fuzz_write [function] [call site] 00482
10 abort [call site] 00483
10 __errno_location [call site] 00484
10 buffer_append [function] [call site] 00485
9 __errno_location [call site] 00486
9 do_replace_chars [function] [call site] 00487
9 write_all [function] [call site] 00488
8 handle_vchan_error [function] [call site] 00489
8 fuzz_libvchan_send [function] [call site] 00490
8 close_stdio [function] [call site] 00491
8 fuzz_libvchan_send [function] [call site] 00492
8 close_stdio [function] [call site] 00493
8 handle_input_v2 [function] [call site] 00494
9 abort [call site] 00495
9 fuzz_libvchan_buffer_space [function] [call site] 00496
9 fuzz_read [function] [call site] 00497
9 write_all [function] [call site] 00498
9 __errno_location [call site] 00499
9 __errno_location [call site] 00500
9 fuzz_libvchan_send [function] [call site] 00501
9 write_vchan_all [function] [call site] 00502
8 close_stdio [function] [call site] 00503
8 handle_vchan_error [function] [call site] 00504
8 close_stdio [function] [call site] 00505
8 handle_input_v2 [function] [call site] 00506
8 handle_vchan_error [function] [call site] 00507
8 close_stderr [function] [call site] 00508
9 set_block [function] [call site] 00509
9 close [call site] 00510
8 fuzz_libvchan_send [function] [call site] 00511
8 close_stdio [function] [call site] 00512
8 close_stdio [function] [call site] 00513
8 close_stderr [function] [call site] 00514
8 waitpid [call site] 00515
6 fuzz_libvchan_close [function] [call site] 00516
4 daemon__exit [function] [call site] 00517
4 asprintf [call site] 00518
4 daemon__exit [function] [call site] 00519
4 qrexec_execute_vm [function] [call site] 00520
5 strncmp [call site] 00521
5 qubesd_call2 [function] [call site] 00522
6 strlen [call site] 00523
6 strlen [call site] 00524
6 strlen [call site] 00525
6 socket [call site] 00526
6 __errno_location [call site] 00527
6 __errno_location [call site] 00528
6 connect [call site] 00529
6 qubes_sendmsg_all [function] [call site] 00530
7 sendmsg [call site] 00531
7 __errno_location [call site] 00532
7 __assert_fail [call site] 00533
7 __errno_location [call site] 00534
6 shutdown [call site] 00535
6 qubes_read_all_to_malloc [function] [call site] 00536
6 strlen [call site] 00537
6 close [call site] 00538
5 memcmp [call site] 00539
5 strlen [call site] 00540
5 memcmp [call site] 00541
5 memcmp [call site] 00542
5 connect_unix_socket [function] [call site] 00543
5 qubesd_call [function] [call site] 00544
6 qubesd_call2 [function] [call site] 00545
5 memcmp [call site] 00546
5 memcmp [call site] 00547
5 memcmp [call site] 00548
5 connect_unix_socket [function] [call site] 00549
5 negotiate_connection_params [function] [call site] 00550
5 close [call site] 00551
5 connect_unix_socket_by_id [function] [call site] 00552
5 send_service_connect [function] [call site] 00553
6 strncpy [call site] 00554
6 write_all [function] [call site] 00555
6 write_all [function] [call site] 00556
6 write_all [function] [call site] 00557
5 close [call site] 00558
5 poll [call site] 00559
5 qubesd_call [function] [call site] 00560
4 daemon__exit [function] [call site] 00561
2 handle_vchan_error [function] [call site] 00562
2 fuzz_libvchan_recv [function] [call site] 00563
2 handle_vchan_error [function] [call site] 00564
2 sanitize_name [function] [call site] 00565
2 validate_request_id [function] [call site] 00566
2 strlen [call site] 00567
2 validate_service_name [function] [call site] 00568
2 handle_execute_service [function] [call site] 00569
2 send_service_refused [function] [call site] 00570
2 handle_vchan_error [function] [call site] 00571
2 fuzz_libvchan_recv [function] [call site] 00572
2 handle_vchan_error [function] [call site] 00573
2 sanitize_name [function] [call site] 00574
2 sanitize_name [function] [call site] 00575
2 validate_request_id [function] [call site] 00576
2 strlen [call site] 00577
2 validate_service_name [function] [call site] 00578
2 handle_execute_service [function] [call site] 00579
2 send_service_refused [function] [call site] 00580
2 handle_connection_terminated [function] [call site] 00581
3 fuzz_libvchan_recv [function] [call site] 00582
3 handle_vchan_error [function] [call site] 00583
3 fuzz_exit [function] [call site] 00584
3 release_vchan_port [function] [call site] 00585
4 terminate_client [function] [call site] 00586
5 close [call site] 00587
1 fuzz_file_destroy [function] [call site] 00588