[v5,00/16] Add a Generic Virtual Device Fuzzer

Message ID	20201021010752.973230-1-alxndr@bu.edu
Headers	show Return-Path: <SRS0=0rPh=D4=nongnu.org=qemu-devel-bounces+qemu-devel=archiver.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 84C862098B From: Alexander Bulekov <alxndr@bu.edu> To: qemu-devel@nongnu.org Subject: [PATCH v5 00/16] Add a Generic Virtual Device Fuzzer Date: Tue, 20 Oct 2020 21:07:36 -0400 Message-Id: <20201021010752.973230-1-alxndr@bu.edu> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received-SPF: pass client-ip=40.107.75.127; envelope-from=alxndr@bu.edu; helo=NAM02-BL2-obe.outbound.protection.outlook.com Precedence: list Cc: Alexander Bulekov <alxndr@bu.edu>, f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
Series	Add a Generic Virtual Device Fuzzer \| expand [v5,00/16] Add a Generic Virtual Device Fuzzer [v5,01/16] memory: Add FlatView foreach function [v5,02/16] fuzz: Add general virtual-device fuzzer [v5,03/16] fuzz: Add PCI features to the general fuzzer [v5,04/16] fuzz: Add DMA support to the generic-fuzzer [v5,05/16] fuzz: Declare DMA Read callback function [v5,06/16] fuzz: Add fuzzer callbacks to DMA-read functions [v5,07/16] fuzz: Add support for custom crossover functions [v5,08/16] fuzz: add a DISABLE_PCI op to general-fuzzer [v5,09/16] fuzz: add a crossover function to generic-fuzzer [v5,10/16] scripts/oss-fuzz: Add script to reorder a general-fuzzer trace [v5,11/16] scripts/oss-fuzz: Add crash trace minimization script [v5,12/16] fuzz: Add instructions for using general-fuzz [v5,13/16] fuzz: add an "opaque" to the FuzzTarget struct [v5,14/16] fuzz: add general-fuzz configs for oss-fuzz [v5,15/16] fuzz: register predefined general-fuzz configs [v5,16/16] scripts/oss-fuzz: remove the general-fuzz target

Message ID

20201021010752.973230-1-alxndr@bu.edu

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 84C862098B
From: Alexander Bulekov <alxndr@bu.edu>
To: qemu-devel@nongnu.org
Subject: [PATCH v5 00/16] Add a Generic Virtual Device Fuzzer
Date: Tue, 20 Oct 2020 21:07:36 -0400
Message-Id: <20201021010752.973230-1-alxndr@bu.edu>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from stormtrooper.vrmnet (72.93.72.163) by
	BL1PR13CA0119.namprd13.prod.outlook.com (2603:10b6:208:2b9::34) with
	Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.8 via
	Frontend Transport; Wed, 21 Oct 2020 01:08:03 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 67d73458-53bc-42ba-52e1-08d8755dc2ef
X-MS-TrafficTypeDiagnostic: SN2PR03MB2333:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <SN2PR03MB233384BC478720FC1B8A631DBA1C0@SN2PR03MB2333.namprd03.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:8882;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: nVnIjGDeKpdhVTc2B8rTLLssxPlYPIQXPFKy9NGs+/QoGl2VD4qyfl3gOPmFo/usZqG/HW2UHeoDey9jTdIqpV3qjZKSHPvYVxDIxl7n4Mxf4gTESNfb5HbYyB1bKbYRHYjjsPE4GWaH6quSJaIXPQgjPaFisXvQPLeLBM9nI8CqqwMPrSUwfQDx2e2KTz5yI0s2HU0kfzVOCBVsneQcpc20FBKHrmYGWoFqkx+lm0zzH5ynkLsQpOFn61ZwowJcrecOzN3OWONayikGgb5/XBs/YIwqQy4fsWkjDAu0KaZhtsQM0L5rQNqaQn+2JPVFfaNQrGr626DQdQZAfvmajD1VfqZABhvHqwhx5Q/X0YDK5Nn5eMiHsy4y9mCW2xxOb7blVPlgxrCwITEbN95ri8e4OY0TfC5n74/wMCc8s2H9PkobQaNI3C9uAHGdtjxlF3TjRIkcGwxw46KJqCECew==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
	IPV:NLI; SFV:NSPM; H:SN6PR03MB3871.namprd03.prod.outlook.com; PTR:;
	CAT:NONE; 
	SFS:(4636009)(39860400002)(396003)(376002)(346002)(366004)(136003)(52116002)(2616005)(8676002)(6512007)(6916009)(6506007)(36756003)(786003)(316002)(956004)(83380400001)(478600001)(1076003)(4326008)(6486002)(75432002)(8936002)(86362001)(5660300002)(26005)(16526019)(186003)(966005)(6666004)(66946007)(2906002)(66476007)(66556008)(41533002);
	DIR:OUT; SFP:1102; 
X-MS-Exchange-AntiSpam-MessageData: 9WxZwct6sNkEDxGC8zVB22prdHiNDopRoxz2CScx/IQX4qHPBt7a6/W6BX2ZO+IJ93K90rn5JFWurNklRqUOq/YQ/MG9+m6hhZJWJtceIQTdnI0/uCV5+lCZNcAq6CpBbpMFNOqOPO4viLvHQX1ydxPebOu1qY3F1bc9MRaGxYqFUOM8atzbVKRmFCEI4ep0rInVHlC//11t78OJSoLJnRPiwXHMVBK86ja5457dsGtxC8eWxE15N7yrT/gPIJNwjMFfI3BeU0u1kNWMLparFnJvcdsD4hVdDdPnyYfq7h4k1jHf4CarpsUIYIQ/vZWn87NIuVUzlGrji0Y0TG7pzENCE1gBLxC5JIYiOavapK/U5wNh59LbVrGYuCiKtlYhXRhzP30iK39GVdPwF8OD9/O1P2tIESb/OdrS/Ju7zdHWVijUHgW8yGOqSC6kRHm30dN2g3FaZS66zuMUoQF8yZXZ7rytXuN6ta2qIBuZcnar8s+Bf/S8tmWWgodRFTzM1vGPSoY92ti4XAiYgFn9vC3In7htRibRwKlxPCtIrGNXNvRNSKVH7OPiCrY0NPNN7t9hAd83kgkXunfJkjldyQIJo5fNYXIoEvjhuUmH1u2pzSFbIXGTatJcJoMoQ/qpWQjF0v5xJGtTuJoDKlknug==
X-OriginatorOrg: bu.edu
X-MS-Exchange-CrossTenant-Network-Message-Id: 67d73458-53bc-42ba-52e1-08d8755dc2ef
X-MS-Exchange-CrossTenant-AuthSource: SN6PR03MB3871.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Oct 2020 01:08:03.9325
	(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d57d32cc-c121-488f-b07b-dfe705680c71
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: LceV5uNiiUGnXlVzwHjn9jOdnTnNNZ1r/62kaNRWOfHmMbXQOCAA5kWc8D2+32g0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN2PR03MB2333
Received-SPF: pass client-ip=40.107.75.127; envelope-from=alxndr@bu.edu;
	helo=NAM02-BL2-obe.outbound.protection.outlook.com
X-detected-operating-system: by eggs.gnu.org: First seen = 2020/10/20
	21:23:08
X-ACL-Warn: Detected OS   = Windows NT kernel [generic] [fuzzy]
X-Spam_score_int: -14
X-Spam_score: -1.5
X-Spam_bar: -
X-Spam_report: (-1.5 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.441,
	MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
	RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
	SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Alexander Bulekov <alxndr@bu.edu>, f4bug@amsat.org,
	darren.kenny@oracle.com, 
	bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com,
	dimastep@yandex-team.ru
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: "Qemu-devel"
	<qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>

Series

Add a Generic Virtual Device Fuzzer | expand

Message

Alexander Bulekov Oct. 21, 2020, 1:07 a.m. UTC

v5:
    - Replace GArray-based predefined fuzzer configs with a static
      struct array
    - "General" -> "Generic"
    - Fix bugs with wrong timeout denominator and skipping DMA memwrites
      without QTEST_LOG
v4:
    - Replace yaml + c template-based oss-fuzz configs, with C code to
      register a FuzzTarget for each config (as suggested by Paolo)
    - Replicate the functionality of address_space_write_rom to ensure
      matching behavior when QTEST_LOG is enabled
    - Improve code documentation/comments
    - Small formatting changes
v3:
	- Use flatviews to help select regions for fuzzing 
	- Meson-related changes
    - Add some documentation
	- Improve minimalization script to trim write{bwlq} commands
v2:
	- Remove QOS dependency.
	- Add a custom crossover function
	- Fix broken minimization scripts
	- Fixes to the IO region and DMA handling code

This is a general virtual-device fuzzer, designed to fuzz devices over Port IO,
MMIO, and DMA.

To get started with this:
 1. Build the fuzzers (see docs/devel/fuzzing.txt)
    Note: Build with --enable-sanitizers, or create a "dictionary file":
    echo kw1=\"FUZZ\" > dict
    and pass it as an argument to libFuzzer with -dict=./dict
    This magic value is a command separator that lets the fuzzer perform
    multiple IO actions with a single input.

 2. Pick the qemu arguments you wish to fuzz:
    export QEMU_FUZZ_ARGS="-M q35 -device virtio-balloon"

 3. Tell the fuzzer which QOM objects or MemoryRegion names to fuzz. I find the
 "info qom-tree", "info qtree" and "info mtree" commands useful for identifying
 these. Supports globbing. Here I will try to simultaneously fuzz(for no good
 reason) virtio-balloon and e1000e, which is included by default in the q35:
    export QEMU_FUZZ_OBJECTS='virtio* e1000*'
    You can also try to fuzz the whole machine:
    export QEMU_FUZZ_OBJECTS='*'

 4. Run the fuzzer for 0 inputs. The fuzzer should output a list of
 MemoryRegions/PCI Devices it will try to fuzz. Confirm that these match your
 expectations.
    ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-fuzz -runs=0

 5. Run the fuzzer:
    ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-fuzz 


Basically, at the core, this fuzzer is an interpreter that splits the input
into a series of commands, such as mmio_write, pio_write, etc. We structure
these commands to hit only MemoryRegions that are associated with the devices
specified in QEMU_FUZZ_OBJECTS. Additionally, these patches add "hooks" to
functions that are typically used by virtual-devices to read from RAM (DMA).
These hooks attempt to populate these DMA regions with fuzzed data, just in
time.

Some of the issues I have found or reproduced with this fuzzer:
https://bugs.launchpad.net/bugs/1525123
https://bugs.launchpad.net/bugs/1681439
https://bugs.launchpad.net/bugs/1777315
https://bugs.launchpad.net/bugs/1878034
https://bugs.launchpad.net/bugs/1878043
https://bugs.launchpad.net/bugs/1878054
https://bugs.launchpad.net/bugs/1878057
https://bugs.launchpad.net/bugs/1878067
https://bugs.launchpad.net/bugs/1878134
https://bugs.launchpad.net/bugs/1878136
https://bugs.launchpad.net/bugs/1878253
https://bugs.launchpad.net/bugs/1878255
https://bugs.launchpad.net/bugs/1878259
https://bugs.launchpad.net/bugs/1878263
https://bugs.launchpad.net/bugs/1878323
https://bugs.launchpad.net/bugs/1878641
https://bugs.launchpad.net/bugs/1878642
https://bugs.launchpad.net/bugs/1878645
https://bugs.launchpad.net/bugs/1878651
https://bugs.launchpad.net/bugs/1879223
https://bugs.launchpad.net/bugs/1879227
https://bugs.launchpad.net/bugs/1879531
https://bugs.launchpad.net/bugs/1880355
https://bugs.launchpad.net/bugs/1880539
https://bugs.launchpad.net/bugs/1884693
https://bugs.launchpad.net/bugs/1886362
https://bugs.launchpad.net/bugs/1887303
https://bugs.launchpad.net/bugs/1887309
https://bugs.launchpad.net/bugs/697510

Alexander Bulekov (16):
  memory: Add FlatView foreach function
  fuzz: Add general virtual-device fuzzer
  fuzz: Add PCI features to the general fuzzer
  fuzz: Add DMA support to the generic-fuzzer
  fuzz: Declare DMA Read callback function
  fuzz: Add fuzzer callbacks to DMA-read functions
  fuzz: Add support for custom crossover functions
  fuzz: add a DISABLE_PCI op to general-fuzzer
  fuzz: add a crossover function to generic-fuzzer
  scripts/oss-fuzz: Add script to reorder a general-fuzzer trace
  scripts/oss-fuzz: Add crash trace minimization script
  fuzz: Add instructions for using general-fuzz
  fuzz: add an "opaque" to the FuzzTarget struct
  fuzz: add general-fuzz configs for oss-fuzz
  fuzz: register predefined general-fuzz configs
  scripts/oss-fuzz: remove the general-fuzz target

 docs/devel/fuzzing.txt                        |  39 +
 include/exec/memory.h                         |  21 +
 include/exec/memory_ldst_cached.h.inc         |   3 +
 memory_ldst.c.inc                             |   4 +
 scripts/oss-fuzz/build.sh                     |   6 +
 scripts/oss-fuzz/minimize_qtest_trace.py      | 157 +++
 .../oss-fuzz/reorder_fuzzer_qtest_trace.py    | 103 ++
 softmmu/memory.c                              |  23 +
 softmmu/physmem.c                             |   2 +
 tests/qtest/fuzz/fuzz.c                       |  13 +
 tests/qtest/fuzz/fuzz.h                       |  28 +
 tests/qtest/fuzz/generic_fuzz.c               | 948 ++++++++++++++++++
 tests/qtest/fuzz/generic_fuzz_configs.h       | 121 +++
 tests/qtest/fuzz/meson.build                  |   1 +
 14 files changed, 1469 insertions(+)
 create mode 100755 scripts/oss-fuzz/minimize_qtest_trace.py
 create mode 100755 scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py
 create mode 100644 tests/qtest/fuzz/generic_fuzz.c
 create mode 100644 tests/qtest/fuzz/generic_fuzz_configs.h

Comments

Thomas Huth Oct. 21, 2020, 1:24 p.m. UTC | #1

On 21/10/2020 03.07, Alexander Bulekov wrote:
> v5:

>     - Replace GArray-based predefined fuzzer configs with a static

>       struct array

>     - "General" -> "Generic"

>     - Fix bugs with wrong timeout denominator and skipping DMA memwrites

>       without QTEST_LOG

> v4:

>     - Replace yaml + c template-based oss-fuzz configs, with C code to

>       register a FuzzTarget for each config (as suggested by Paolo)

>     - Replicate the functionality of address_space_write_rom to ensure

>       matching behavior when QTEST_LOG is enabled

>     - Improve code documentation/comments

>     - Small formatting changes

> v3:

> 	- Use flatviews to help select regions for fuzzing 

> 	- Meson-related changes

>     - Add some documentation

> 	- Improve minimalization script to trim write{bwlq} commands

> v2:

> 	- Remove QOS dependency.

> 	- Add a custom crossover function

> 	- Fix broken minimization scripts

> 	- Fixes to the IO region and DMA handling code

> 

> This is a general virtual-device fuzzer, designed to fuzz devices over Port IO,

> MMIO, and DMA.


 Hi Alexander,

this fails to compile in the Gitlab-CI:

https://gitlab.com/huth/qemu/-/jobs/803091952#L2308

../softmmu/memory.c: In function 'flatview_for_each_range':
2309../softmmu/memory.c:663:24: error: incompatible type for argument 1 of 'cb'
2310         if (cb(fr->addr.start, fr->addr.size, fr->mr, opaque))
2311                ~~~~~~~~^~~~~~
2312../softmmu/memory.c:663:24: note: expected 'ram_addr_t' {aka 'unsigned
int'} but argument is of type 'Int128' {aka 'struct Int128'}
2313../softmmu/memory.c:663:40: error: incompatible type for argument 2 of 'cb'
2314         if (cb(fr->addr.start, fr->addr.size, fr->mr, opaque))
2315                                ~~~~~~~~^~~~~
2316../softmmu/memory.c:663:40: note: expected 'ram_addr_t' {aka 'unsigned
int'} but argument is of type 'Int128' {aka 'struct Int128'}

 Thomas