[v4,00/16] Add a General Virtual Device Fuzzer

Message ID	20201015134137.205958-1-alxndr@bu.edu
Headers	show Return-Path: <SRS0=muvY=DW=nongnu.org=qemu-devel-bounces+qemu-devel=archiver.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D88802223F From: Alexander Bulekov <alxndr@bu.edu> To: qemu-devel@nongnu.org Subject: [PATCH v4 00/16] Add a General Virtual Device Fuzzer Date: Thu, 15 Oct 2020 09:41:20 -0400 Message-Id: <20201015134137.205958-1-alxndr@bu.edu> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received-SPF: pass client-ip=40.107.75.134; envelope-from=alxndr@bu.edu; helo=NAM02-BL2-obe.outbound.protection.outlook.com Precedence: list Cc: Alexander Bulekov <alxndr@bu.edu>, f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
Series	Add a General Virtual Device Fuzzer \| expand [v4,00/16] Add a General Virtual Device Fuzzer [v4,01/16] memory: Add FlatView foreach function [v4,02/16] fuzz: Add general virtual-device fuzzer [v4,03/16] fuzz: Add PCI features to the general fuzzer [v4,04/16] fuzz: Add DMA support to the generic-fuzzer [v4,05/16] fuzz: Declare DMA Read callback function [v4,06/16] fuzz: Add fuzzer callbacks to DMA-read functions [v4,07/16] fuzz: Add support for custom crossover functions [v4,08/16] fuzz: add a DISABLE_PCI op to general-fuzzer [v4,09/16] fuzz: add a crossover function to generic-fuzzer [v4,10/16] scripts/oss-fuzz: Add script to reorder a general-fuzzer trace [v4,11/16] scripts/oss-fuzz: Add crash trace minimization script [v4,12/16] fuzz: Add instructions for using general-fuzz [v4,13/16] fuzz: add an "opaque" to the FuzzTarget struct [v4,14/16] fuzz: add general-fuzz configs for oss-fuzz [v4,15/16] fuzz: register predefined general-fuzz configs [v4,16/16] scripts/oss-fuzz: remove the general-fuzz target

Message ID

20201015134137.205958-1-alxndr@bu.edu

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org D88802223F
From: Alexander Bulekov <alxndr@bu.edu>
To: qemu-devel@nongnu.org
Subject: [PATCH v4 00/16] Add a General Virtual Device Fuzzer
Date: Thu, 15 Oct 2020 09:41:20 -0400
Message-Id: <20201015134137.205958-1-alxndr@bu.edu>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from stormtrooper.vrmnet (72.93.72.163) by
	BL1PR13CA0055.namprd13.prod.outlook.com (2603:10b6:208:257::30) with
	Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.8 via
	Frontend Transport; Thu, 15 Oct 2020 13:41:49 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 269c48e8-297c-4fc8-ba01-08d87110118e
X-MS-TrafficTypeDiagnostic: SA0PR03MB5465:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <SA0PR03MB5465926C15226F32A5850E15BA020@SA0PR03MB5465.namprd03.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:8882;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: J5LMcHZ/1D1XB3uOEvHuk9SfQzEJQCq9JCWRzHTSWuvMSn1PC5gHDJVMOIwFalvzWGWjefbsy1mHAC4kwgsjEgU8H/hluv4SkUHmtErHeN8I7TLPweaHiDZ56fy+88Kwdjx5BDvslQHOskY6ny+Blh0nuEbFiV8Rk2JvzBNk0lDKvV0eJ4guzyeIdoMMDZdjm2I9cX7N37NQboRkeWX/iqNbm0AER8Ag7azFXYUD8Ka+34zuUsteVlge4Mxq9fv7odpw/iT8LKQ0BEBoK8W2fwJKk+6l6dLWh6+Y37GpRUm+9DsYLKFPrC+B13iufYi9fBAsS1lqT04e5/MX7ZMPwrrK3Djo+aj0fCISRJG1+pl7CfolUnT+7hKNcbhUUQoknsMYxfL0Obha1ntjb+YLIbofIipVqSTvKwvFPMS1I93gVN3gRfcxYp38p16PY2wHIbAaC4KqAFGEor/CFHMbQw==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
	IPV:NLI; SFV:NSPM; H:SN6PR03MB3871.namprd03.prod.outlook.com; PTR:;
	CAT:NONE; 
	SFS:(4636009)(346002)(39860400002)(366004)(136003)(376002)(396003)(2906002)(6506007)(26005)(6916009)(52116002)(66556008)(966005)(36756003)(478600001)(86362001)(186003)(786003)(316002)(16526019)(8936002)(34490700002)(2616005)(66476007)(66946007)(83080400001)(1076003)(5660300002)(6666004)(8676002)(75432002)(6486002)(83380400001)(956004)(4326008)(6512007);
	DIR:OUT; SFP:1102; 
X-MS-Exchange-AntiSpam-MessageData: T9ub9jS4NrzcQRPF5bADfXxs/ULNmLi0KIuq69fUp7chf4YweTq2q/uG0g76hv1B7KhlwfbKnSzH0zVH3l1VxLMiJQaU6Z4SNqAFfysm2Fr2Yjke2cmXysK+uKFsrSFvX8gy/iuDq1N6dEbq4DMeUggFsFgRnshEt9TnWvnU+3vJaGMuETfXC0F0wEOIZGGh8rm/WktEVz7834YR4xXhFHkyZz9aYOQXisYTPYpBVnpXhP8eqDFG+LTzECwtsTPcZt/eSOeLW7qRq+be5HX5qfgf+6nRCScj4iqgiaQCNKHzf+JrqSun/fDP9YJpSxbIFTIMvpHStxIu0iIpL6Z58DDsEkZNZ0G6xxOCklVHfBhFb+pGh3DJXKTbr00Mw9o/BXd5oP2TmsJO7Wu15yKQsJMov7DoUO0/i0JG/5M8hRYpLv9O5nT7mfKTpPAflZFrn2jhT3KBnUHpEetg5H99zPrB1G3gSYS1K6pdIqiDLAf2/st3RvAX9OM9Kr/B9+w4d4EMPSSzCGU51CHn2JGazougohPbhLod7ZKKx4W7Qkip6Aaz0vJ/B4LyrutQxqxwFI1JcjREXPw2OhibxkokXfWMS2/FKty3Gfj17aktzsAseRV1vj5saXM6fWTHCvNBb8Dow/o4nbaLqnxonCmapA==
X-OriginatorOrg: bu.edu
X-MS-Exchange-CrossTenant-Network-Message-Id: 269c48e8-297c-4fc8-ba01-08d87110118e
X-MS-Exchange-CrossTenant-AuthSource: SN6PR03MB3871.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Oct 2020 13:41:50.3575
	(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d57d32cc-c121-488f-b07b-dfe705680c71
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: w/gUyKtbnYIa5rNF21sdICXT0t6e0oTOadlhg7IBaB+unTSoMYciAUA36RL9zOnV
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR03MB5465
Received-SPF: pass client-ip=40.107.75.134; envelope-from=alxndr@bu.edu;
	helo=NAM02-BL2-obe.outbound.protection.outlook.com
X-detected-operating-system: by eggs.gnu.org: First seen = 2020/10/15
	09:56:53
X-ACL-Warn: Detected OS   = Windows NT kernel [generic] [fuzzy]
X-Spam_score_int: -8
X-Spam_score: -0.9
X-Spam_bar: /
X-Spam_report: (-0.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.998,
	MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
	RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
	SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Alexander Bulekov <alxndr@bu.edu>, f4bug@amsat.org,
	darren.kenny@oracle.com, 
	bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com,
	dimastep@yandex-team.ru
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>

Series

Add a General Virtual Device Fuzzer | expand

Message

Alexander Bulekov Oct. 15, 2020, 1:41 p.m. UTC

v4:
    - Replace yaml + c template-based oss-fuzz configs, with C code to
      register a FuzzTarget for each config (as suggested by Paolo)
    - Replicate the functionality of address_space_write_rom to ensure
      matching behavior when QTEST_LOG is enabled
    - Improve code documentation/comments
    - Small formatting changes
v3:
	- Use flatviews to help select regions for fuzzing 
	- Meson-related changes
    - Add some documentation
	- Improve minimalization script to trim write{bwlq} commands
v2:
	- Remove QOS dependency.
	- Add a custom crossover function
	- Fix broken minimization scripts
	- Fixes to the IO region and DMA handling code

This is a general virtual-device fuzzer, designed to fuzz devices over Port IO,
MMIO, and DMA.

To get started with this:
 1. Build the fuzzers (see docs/devel/fuzzing.txt)
    Note: Build with --enable-sanitizers, or create a "dictionary file":
    echo kw1=\"FUZZ\" > dict
    and pass it as an argument to libFuzzer with -dict=./dict
    This magic value is a command separator that lets the fuzzer perform
    multiple IO actions with a single input.

 2. Pick the qemu arguments you wish to fuzz:
    export QEMU_FUZZ_ARGS="-M q35 -device virtio-balloon"

 3. Tell the fuzzer which QOM objects or MemoryRegion names to fuzz. I find the
 "info qom-tree", "info qtree" and "info mtree" commands useful for identifying
 these. Supports globbing. Here I will try to simultaneously fuzz(for no good
 reason) virtio-balloon and e1000e, which is included by default in the q35:
    export QEMU_FUZZ_OBJECTS='virtio* e1000*'
    You can also try to fuzz the whole machine:
    export QEMU_FUZZ_OBJECTS='*'

 4. Run the fuzzer for 0 inputs. The fuzzer should output a list of
 MemoryRegions/PCI Devices it will try to fuzz. Confirm that these match your
 expectations.
    ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-fuzz -runs=0

 5. Run the fuzzer:
    ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-fuzz 


Basically, at the core, this fuzzer is an interpreter that splits the input
into a series of commands, such as mmio_write, pio_write, etc. We structure
these commands to hit only MemoryRegions that are associated with the devices
specified in QEMU_FUZZ_OBJECTS. Additionally, these patches add "hooks" to
functions that are typically used by virtual-devices to read from RAM (DMA).
These hooks attempt to populate these DMA regions with fuzzed data, just in
time.

Some of the issues I have found or reproduced with this fuzzer:
https://bugs.launchpad.net/bugs/1525123
https://bugs.launchpad.net/bugs/1681439
https://bugs.launchpad.net/bugs/1777315
https://bugs.launchpad.net/bugs/1878034
https://bugs.launchpad.net/bugs/1878043
https://bugs.launchpad.net/bugs/1878054
https://bugs.launchpad.net/bugs/1878057
https://bugs.launchpad.net/bugs/1878067
https://bugs.launchpad.net/bugs/1878134
https://bugs.launchpad.net/bugs/1878136
https://bugs.launchpad.net/bugs/1878253
https://bugs.launchpad.net/bugs/1878255
https://bugs.launchpad.net/bugs/1878259
https://bugs.launchpad.net/bugs/1878263
https://bugs.launchpad.net/bugs/1878323
https://bugs.launchpad.net/bugs/1878641
https://bugs.launchpad.net/bugs/1878642
https://bugs.launchpad.net/bugs/1878645
https://bugs.launchpad.net/bugs/1878651
https://bugs.launchpad.net/bugs/1879223
https://bugs.launchpad.net/bugs/1879227
https://bugs.launchpad.net/bugs/1879531
https://bugs.launchpad.net/bugs/1880355
https://bugs.launchpad.net/bugs/1880539
https://bugs.launchpad.net/bugs/1884693
https://bugs.launchpad.net/bugs/1886362
https://bugs.launchpad.net/bugs/1887303
https://bugs.launchpad.net/bugs/1887309
https://bugs.launchpad.net/bugs/697510

Alexander Bulekov (16):
  memory: Add FlatView foreach function
  fuzz: Add general virtual-device fuzzer
  fuzz: Add PCI features to the general fuzzer
  fuzz: Add DMA support to the generic-fuzzer
  fuzz: Declare DMA Read callback function
  fuzz: Add fuzzer callbacks to DMA-read functions
  fuzz: Add support for custom crossover functions
  fuzz: add a DISABLE_PCI op to general-fuzzer
  fuzz: add a crossover function to generic-fuzzer
  scripts/oss-fuzz: Add script to reorder a general-fuzzer trace
  scripts/oss-fuzz: Add crash trace minimization script
  fuzz: Add instructions for using general-fuzz
  fuzz: add an "opaque" to the FuzzTarget struct
  fuzz: add general-fuzz configs for oss-fuzz
  fuzz: register predefined general-fuzz configs
  scripts/oss-fuzz: remove the general-fuzz target

 docs/devel/fuzzing.txt                        |  39 +
 include/exec/memory.h                         |  21 +
 include/exec/memory_ldst_cached.h.inc         |   3 +
 memory_ldst.c.inc                             |   4 +
 scripts/oss-fuzz/build.sh                     |   6 +
 scripts/oss-fuzz/minimize_qtest_trace.py      | 157 +++
 .../oss-fuzz/reorder_fuzzer_qtest_trace.py    | 103 ++
 softmmu/memory.c                              |  23 +
 softmmu/physmem.c                             |   2 +
 tests/qtest/fuzz/fuzz.c                       |  13 +
 tests/qtest/fuzz/fuzz.h                       |  28 +
 tests/qtest/fuzz/general_fuzz.c               | 948 ++++++++++++++++++
 tests/qtest/fuzz/general_fuzz_configs.c       | 140 +++
 tests/qtest/fuzz/general_fuzz_configs.h       |  24 +
 tests/qtest/fuzz/meson.build                  |   1 +
 15 files changed, 1512 insertions(+)
 create mode 100755 scripts/oss-fuzz/minimize_qtest_trace.py
 create mode 100755 scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py
 create mode 100644 tests/qtest/fuzz/general_fuzz.c
 create mode 100644 tests/qtest/fuzz/general_fuzz_configs.c
 create mode 100644 tests/qtest/fuzz/general_fuzz_configs.h

Comments

no-reply@patchew.org Oct. 15, 2020, 2:03 p.m. UTC | #1

Patchew URL: https://patchew.org/QEMU/20201015134137.205958-1-alxndr@bu.edu/



Hi,

This series seems to have some coding style problems. See output below for
more information:

Type: series
Message-id: 20201015134137.205958-1-alxndr@bu.edu
Subject: [PATCH v4 00/16] Add a General Virtual Device Fuzzer

=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===

Updating 3c8cf5a9c21ff8782164d1def7f44bd888713384
From https://github.com/patchew-project/qemu
 - [tag update]      patchew/1602767767-32713-1-git-send-email-mjrosato@linux.ibm.com -> patchew/1602767767-32713-1-git-send-email-mjrosato@linux.ibm.com
 * [new tag]         patchew/20201015134137.205958-1-alxndr@bu.edu -> patchew/20201015134137.205958-1-alxndr@bu.edu
Switched to a new branch 'test'
03323c2 scripts/oss-fuzz: remove the general-fuzz target
3c59bd5 fuzz: register predefined general-fuzz configs
0d80db3 fuzz: add general-fuzz configs for oss-fuzz
cea76d4 fuzz: add an "opaque" to the FuzzTarget struct
10cf373 fuzz: Add instructions for using general-fuzz
540fed2 scripts/oss-fuzz: Add crash trace minimization script
0550db0 scripts/oss-fuzz: Add script to reorder a general-fuzzer trace
106e830 fuzz: add a crossover function to generic-fuzzer
90837f5 fuzz: add a DISABLE_PCI op to general-fuzzer
adf044f fuzz: Add support for custom crossover functions
0851cb4 fuzz: Add fuzzer callbacks to DMA-read functions
4acf44b fuzz: Declare DMA Read callback function
86fec34 fuzz: Add DMA support to the generic-fuzzer
237e9d6 fuzz: Add PCI features to the general fuzzer
41e6d7b fuzz: Add general virtual-device fuzzer
ba68f35 memory: Add FlatView foreach function

=== OUTPUT BEGIN ===
1/16 Checking commit ba68f35ed358 (memory: Add FlatView foreach function)
2/16 Checking commit 41e6d7bb40d3 (fuzz: Add general virtual-device fuzzer)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#19: 
new file mode 100644

WARNING: line over 80 characters
#322: FILE: tests/qtest/fuzz/general_fuzz.c:299:
+ * Some commands can be variable-width, so we use a separator, SEPARATOR, to specify

WARNING: line over 80 characters
#330: FILE: tests/qtest/fuzz/general_fuzz.c:307:
+ *      Simply, by removing the first byte, we end up with a very different sequence:

total: 0 errors, 3 warnings, 516 lines checked

Patch 2/16 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
3/16 Checking commit 237e9d6e734d (fuzz: Add PCI features to the general fuzzer)
4/16 Checking commit 86fec343b37a (fuzz: Add DMA support to the generic-fuzzer)
ERROR: externs should be avoided in .c files
#84: FILE: tests/qtest/fuzz/general_fuzz.c:120:
+void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write);

WARNING: Block comments use a leading /* on a separate line
#109: FILE: tests/qtest/fuzz/general_fuzz.c:145:
+    /* Regions are assumed to support 1-4 byte accesses unless

WARNING: Block comments use * on subsequent lines
#110: FILE: tests/qtest/fuzz/general_fuzz.c:146:
+    /* Regions are assumed to support 1-4 byte accesses unless
+       otherwise specified.  */

WARNING: Block comments use a trailing */ on a separate line
#110: FILE: tests/qtest/fuzz/general_fuzz.c:146:
+       otherwise specified.  */

total: 1 errors, 3 warnings, 299 lines checked

Patch 4/16 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.

5/16 Checking commit 4acf44ba5630 (fuzz: Declare DMA Read callback function)
6/16 Checking commit 0851cb4b787d (fuzz: Add fuzzer callbacks to DMA-read functions)
7/16 Checking commit adf044f2b9d2 (fuzz: Add support for custom crossover functions)
8/16 Checking commit 90837f5a8315 (fuzz: add a DISABLE_PCI op to general-fuzzer)
9/16 Checking commit 106e83015d43 (fuzz: add a crossover function to generic-fuzzer)
10/16 Checking commit 0550db09152f (scripts/oss-fuzz: Add script to reorder a general-fuzzer trace)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#22: 
new file mode 100755

WARNING: line over 80 characters
#117: FILE: scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py:91:
+                    sys.stderr.write("Warning: Likely double fetch on line {}.\n"

total: 0 errors, 2 warnings, 103 lines checked

Patch 10/16 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
11/16 Checking commit 540fed26dc40 (scripts/oss-fuzz: Add crash trace minimization script)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#17: 
new file mode 100755

total: 0 errors, 1 warnings, 157 lines checked

Patch 11/16 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
12/16 Checking commit 10cf3731768d (fuzz: Add instructions for using general-fuzz)
13/16 Checking commit cea76d423400 (fuzz: add an "opaque" to the FuzzTarget struct)
14/16 Checking commit 0d80db351b77 (fuzz: add general-fuzz configs for oss-fuzz)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#15: 
new file mode 100644

total: 0 errors, 1 warnings, 172 lines checked

Patch 14/16 has style problems, please review.  If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
15/16 Checking commit 3c59bd5b67df (fuzz: register predefined general-fuzz configs)
16/16 Checking commit 03323c23616b (scripts/oss-fuzz: remove the general-fuzz target)
=== OUTPUT END ===

Test command exited with code: 1


The full log is available at
http://patchew.org/logs/20201015134137.205958-1-alxndr@bu.edu/testing.checkpatch/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-devel@redhat.com

Paolo Bonzini Oct. 16, 2020, 1:33 p.m. UTC | #2

If you have to do a v5, the correct word is generic not general. :)

Otherwise looks great.

Paolo

On 15/10/20 15:41, Alexander Bulekov wrote:
> v4:

>     - Replace yaml + c template-based oss-fuzz configs, with C code to

>       register a FuzzTarget for each config (as suggested by Paolo)

>     - Replicate the functionality of address_space_write_rom to ensure

>       matching behavior when QTEST_LOG is enabled

>     - Improve code documentation/comments

>     - Small formatting changes

> v3:

> 	- Use flatviews to help select regions for fuzzing 

> 	- Meson-related changes

>     - Add some documentation

> 	- Improve minimalization script to trim write{bwlq} commands

> v2:

> 	- Remove QOS dependency.

> 	- Add a custom crossover function

> 	- Fix broken minimization scripts

> 	- Fixes to the IO region and DMA handling code

> 

> This is a general virtual-device fuzzer, designed to fuzz devices over Port IO,

> MMIO, and DMA.

> 

> To get started with this:

>  1. Build the fuzzers (see docs/devel/fuzzing.txt)

>     Note: Build with --enable-sanitizers, or create a "dictionary file":

>     echo kw1=\"FUZZ\" > dict

>     and pass it as an argument to libFuzzer with -dict=./dict

>     This magic value is a command separator that lets the fuzzer perform

>     multiple IO actions with a single input.

> 

>  2. Pick the qemu arguments you wish to fuzz:

>     export QEMU_FUZZ_ARGS="-M q35 -device virtio-balloon"

> 

>  3. Tell the fuzzer which QOM objects or MemoryRegion names to fuzz. I find the

>  "info qom-tree", "info qtree" and "info mtree" commands useful for identifying

>  these. Supports globbing. Here I will try to simultaneously fuzz(for no good

>  reason) virtio-balloon and e1000e, which is included by default in the q35:

>     export QEMU_FUZZ_OBJECTS='virtio* e1000*'

>     You can also try to fuzz the whole machine:

>     export QEMU_FUZZ_OBJECTS='*'

> 

>  4. Run the fuzzer for 0 inputs. The fuzzer should output a list of

>  MemoryRegions/PCI Devices it will try to fuzz. Confirm that these match your

>  expectations.

>     ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-fuzz -runs=0

> 

>  5. Run the fuzzer:

>     ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-fuzz 

> 

> 

> Basically, at the core, this fuzzer is an interpreter that splits the input

> into a series of commands, such as mmio_write, pio_write, etc. We structure

> these commands to hit only MemoryRegions that are associated with the devices

> specified in QEMU_FUZZ_OBJECTS. Additionally, these patches add "hooks" to

> functions that are typically used by virtual-devices to read from RAM (DMA).

> These hooks attempt to populate these DMA regions with fuzzed data, just in

> time.

> 

> Some of the issues I have found or reproduced with this fuzzer:

> https://bugs.launchpad.net/bugs/1525123

> https://bugs.launchpad.net/bugs/1681439

> https://bugs.launchpad.net/bugs/1777315

> https://bugs.launchpad.net/bugs/1878034

> https://bugs.launchpad.net/bugs/1878043

> https://bugs.launchpad.net/bugs/1878054

> https://bugs.launchpad.net/bugs/1878057

> https://bugs.launchpad.net/bugs/1878067

> https://bugs.launchpad.net/bugs/1878134

> https://bugs.launchpad.net/bugs/1878136

> https://bugs.launchpad.net/bugs/1878253

> https://bugs.launchpad.net/bugs/1878255

> https://bugs.launchpad.net/bugs/1878259

> https://bugs.launchpad.net/bugs/1878263

> https://bugs.launchpad.net/bugs/1878323

> https://bugs.launchpad.net/bugs/1878641

> https://bugs.launchpad.net/bugs/1878642

> https://bugs.launchpad.net/bugs/1878645

> https://bugs.launchpad.net/bugs/1878651

> https://bugs.launchpad.net/bugs/1879223

> https://bugs.launchpad.net/bugs/1879227

> https://bugs.launchpad.net/bugs/1879531

> https://bugs.launchpad.net/bugs/1880355

> https://bugs.launchpad.net/bugs/1880539

> https://bugs.launchpad.net/bugs/1884693

> https://bugs.launchpad.net/bugs/1886362

> https://bugs.launchpad.net/bugs/1887303

> https://bugs.launchpad.net/bugs/1887309

> https://bugs.launchpad.net/bugs/697510

> 

> Alexander Bulekov (16):

>   memory: Add FlatView foreach function

>   fuzz: Add general virtual-device fuzzer

>   fuzz: Add PCI features to the general fuzzer

>   fuzz: Add DMA support to the generic-fuzzer

>   fuzz: Declare DMA Read callback function

>   fuzz: Add fuzzer callbacks to DMA-read functions

>   fuzz: Add support for custom crossover functions

>   fuzz: add a DISABLE_PCI op to general-fuzzer

>   fuzz: add a crossover function to generic-fuzzer

>   scripts/oss-fuzz: Add script to reorder a general-fuzzer trace

>   scripts/oss-fuzz: Add crash trace minimization script

>   fuzz: Add instructions for using general-fuzz

>   fuzz: add an "opaque" to the FuzzTarget struct

>   fuzz: add general-fuzz configs for oss-fuzz

>   fuzz: register predefined general-fuzz configs

>   scripts/oss-fuzz: remove the general-fuzz target

> 

>  docs/devel/fuzzing.txt                        |  39 +

>  include/exec/memory.h                         |  21 +

>  include/exec/memory_ldst_cached.h.inc         |   3 +

>  memory_ldst.c.inc                             |   4 +

>  scripts/oss-fuzz/build.sh                     |   6 +

>  scripts/oss-fuzz/minimize_qtest_trace.py      | 157 +++

>  .../oss-fuzz/reorder_fuzzer_qtest_trace.py    | 103 ++

>  softmmu/memory.c                              |  23 +

>  softmmu/physmem.c                             |   2 +

>  tests/qtest/fuzz/fuzz.c                       |  13 +

>  tests/qtest/fuzz/fuzz.h                       |  28 +

>  tests/qtest/fuzz/general_fuzz.c               | 948 ++++++++++++++++++

>  tests/qtest/fuzz/general_fuzz_configs.c       | 140 +++

>  tests/qtest/fuzz/general_fuzz_configs.h       |  24 +

>  tests/qtest/fuzz/meson.build                  |   1 +

>  15 files changed, 1512 insertions(+)

>  create mode 100755 scripts/oss-fuzz/minimize_qtest_trace.py

>  create mode 100755 scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py

>  create mode 100644 tests/qtest/fuzz/general_fuzz.c

>  create mode 100644 tests/qtest/fuzz/general_fuzz_configs.c

>  create mode 100644 tests/qtest/fuzz/general_fuzz_configs.h

>