From patchwork Thu Oct 15 13:41:21 2020
X-Patchwork-Submitter: Alexander Bulekov
X-Patchwork-Id: 302826
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 01/16] memory: Add FlatView foreach function
Date: Thu, 15 Oct 2020 09:41:21 -0400
Message-Id: <20201015134137.205958-2-alxndr@bu.edu>
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
References: <20201015134137.205958-1-alxndr@bu.edu>
Cc: Alexander Bulekov , f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru

Acked-by: Paolo Bonzini
Signed-off-by: Alexander Bulekov
---
 include/exec/memory.h | 5 +++++
 softmmu/memory.c      | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/include/exec/memory.h b/include/exec/memory.h
index 622207bde1..233655b29a 100644
--- a/include/exec/memory.h
+++ b/include/exec/memory.h
@@ -719,6 +719,11 @@ static inline FlatView *address_space_to_flatview(AddressSpace *as) return qatomic_rcu_read(&as->current_map); } +typedef int (*flatview_cb)(ram_addr_t start, + ram_addr_t len, + const MemoryRegion*, void*); + +void flatview_for_each_range(FlatView *fv, flatview_cb cb , void *opaque); /** * struct MemoryRegionSection: describes a fragment of a #MemoryRegion
diff --git a/softmmu/memory.c b/softmmu/memory.c
index 403ff3abc9..c46b0c6d65 100644
--- a/softmmu/memory.c
+++ b/softmmu/memory.c
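Review bot: the new `flatview_for_each_range` / `flatview_cb` declarations carry no doc comment, while the surrounding header documents its API with `/** ... */` blocks (see the `struct MemoryRegionSection` comment right below the insertion point). Document the contract: the callback is invoked once per FlatRange of `fv` with the range start, its length and the backing MemoryRegion plus the caller's `opaque`, and a nonzero return value terminates the walk early (that is what the implementation in softmmu/memory.c does with its `break`). Two smaller points in the same hunk: the last two parameters of `typedef int (*flatview_cb)(ram_addr_t start, ram_addr_t len, const MemoryRegion*, void*);` are unnamed, which hides that the `void*` is the `opaque` argument, and `flatview_cb cb , void *opaque` has a stray space before the comma.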
@@ -656,6 +656,15 @@ static void render_memory_region(FlatView *view, } } +void flatview_for_each_range(FlatView *fv, flatview_cb cb , void *opaque) +{ + FlatRange *fr; + FOR_EACH_FLAT_RANGE(fr, fv) { + if (cb(fr->addr.start, fr->addr.size, fr->mr, opaque)) + break; + } +} + static MemoryRegion *memory_region_get_flatview_root(MemoryRegion *mr) { while (mr->enabled) {
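Review bot: nothing in `flatview_for_each_range` or its declaration says how `fv` must be kept alive for the duration of the walk. The context line `return qatomic_rcu_read(&as->current_map);` in `address_space_to_flatview` shows that a FlatView is RCU-protected, so a caller that obtains the view from an AddressSpace has to hold the RCU read lock (or otherwise own a reference to the FlatView) across the whole `FOR_EACH_FLAT_RANGE` loop, or the view can be swapped out and freed underneath it. Please state that requirement in a comment above the function; the fuzzer added in patch 02/16 of this series is the first caller and reads `as->current_map` directly. Style: `flatview_cb cb , void *opaque` repeats the stray space before the comma from the header declaration.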
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 02/16] fuzz: Add general virtual-device fuzzer
Date: Thu, 15 Oct 2020 09:41:22 -0400
Message-Id: <20201015134137.205958-3-alxndr@bu.edu>
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
References: <20201015134137.205958-1-alxndr@bu.edu>
Cc: Laurent Vivier , Thomas Huth , Alexander Bulekov , f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru

This is a generic fuzzer designed to fuzz a virtual device's MemoryRegions, as long as they exist within the Memory or Port IO (if it exists) AddressSpaces. The fuzzer's input is interpreted into a sequence of qtest commands (outb, readw, etc). The interpreted commands are separated by a magic separator, which should be easy for the fuzzer to guess. Without ASan, the separator can be specified as a "dictionary value" using the -dict argument (see libFuzzer documentation).

Signed-off-by: Alexander Bulekov
---
 tests/qtest/fuzz/general_fuzz.c | 509 ++++++++++++++++++++++++++++++++
 tests/qtest/fuzz/meson.build    |   1 +
 2 files changed, 510 insertions(+)
 create mode 100644 tests/qtest/fuzz/general_fuzz.c

diff --git a/tests/qtest/fuzz/general_fuzz.c b/tests/qtest/fuzz/general_fuzz.c
new file mode 100644
index 0000000000..c1c6dd3ba6
--- /dev/null
+++ b/tests/qtest/fuzz/general_fuzz.c
@@ -0,0 +1,509 @@ +/* + * General Virtual-Device Fuzzing Target + * + * Copyright Red Hat Inc., 2020 + * + * Authors: + * Alexander Bulekov + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include + +#include "hw/core/cpu.h" +#include "tests/qtest/libqos/libqtest.h" +#include "fuzz.h" +#include "fork_fuzz.h" +#include "exec/address-spaces.h" +#include "string.h" +#include "exec/memory.h" +#include "exec/ramblock.h" +#include "exec/address-spaces.h" +#include "hw/qdev-core.h" + +/* + * SEPARATOR is used to separate "operations" in the fuzz input + */ +#define SEPARATOR "FUZZ" + +enum cmds { + OP_IN, + OP_OUT, + OP_READ, + OP_WRITE, + OP_CLOCK_STEP, +}; + +#define DEFAULT_TIMEOUT_US 100000 +#define USEC_IN_SEC 100000000 + +typedef struct { + ram_addr_t addr; + ram_addr_t size; /* The number of bytes until the end of the I/O region */ +} address_range; + +static useconds_t timeout = 100000; + +static bool qtest_log_enabled; + +/* + * List of memory regions that are children of QOM objects specified by the + * user for fuzzing. + */ +static GHashTable *fuzzable_memoryregions; + +struct get_io_cb_info { + int index; + int found; + address_range result; +}; + +static int get_io_address_cb(ram_addr_t start, ram_addr_t size, + const MemoryRegion *mr, void *opaque) { + struct get_io_cb_info *info = opaque; + if (g_hash_table_lookup(fuzzable_memoryregions, mr)) { + if (info->index == 0) { + info->result.addr = start; + info->result.size = size; + info->found = 1; + return 1; + } + info->index--; + } + return 0; +} + +/* + * Here we want to convert a fuzzer-provided [io-region-index, offset] to + * a physical address. To do this, we iterate over all of the matched + * MemoryRegions. Check whether each region exists within the particular io + * space. 
Return the absolute address of the offset within the index'th region + * that is a subregion of the io_space and the distance until the end of the + * memory region. + */ +static bool get_io_address(address_range *result, AddressSpace *as, + uint8_t index, + uint32_t offset) { + FlatView *view; + view = as->current_map; + g_assert(view); + struct get_io_cb_info cb_info = {}; + + cb_info.index = index; + + /* + * Loop around the FlatView until we match "index" number of + * fuzzable_memoryregions, or until we know that there are no matching + * memory_regions. + */ + do { + flatview_for_each_range(view, get_io_address_cb , &cb_info); + } while (cb_info.index != index && !cb_info.found); + + *result = cb_info.result; + return cb_info.found; +} +static bool get_pio_address(address_range *result, + uint8_t index, uint16_t offset) +{ + /* + * PIO BARs can be set past the maximum port address (0xFFFF). Thus, result + * can contain an addr that extends past the PIO space. When we pass this + * address to qtest_in/qtest_out, it is cast to a uint16_t, so we might end + * up fuzzing a completely different MemoryRegion/Device. Therefore, check + * that the address here is within the PIO space limits. + */ + bool found = get_io_address(result, &address_space_io, index, offset); + return result->addr <= 0xFFFF ? 
found : false; +} +static bool get_mmio_address(address_range *result, + uint8_t index, uint32_t offset) +{ + return get_io_address(result, &address_space_memory, index, offset); +} + +static void op_in(QTestState *s, const unsigned char * data, size_t len) +{ + enum Sizes {Byte, Word, Long, end_sizes}; + struct { + uint8_t size; + uint8_t base; + uint16_t offset; + } a; + address_range abs; + + if (len < sizeof(a)) { + return; + } + memcpy(&a, data, sizeof(a)); + if (get_pio_address(&abs, a.base, a.offset) == 0) { + return; + } + + switch (a.size %= end_sizes) { + case Byte: + qtest_inb(s, abs.addr); + break; + case Word: + if (abs.size >= 2) { + qtest_inw(s, abs.addr); + } + break; + case Long: + if (abs.size >= 4) { + qtest_inl(s, abs.addr); + } + break; + } +} + +static void op_out(QTestState *s, const unsigned char * data, size_t len) +{ + enum Sizes {Byte, Word, Long, end_sizes}; + struct { + uint8_t size; + uint8_t base; + uint16_t offset; + uint32_t value; + } a; + address_range abs; + + if (len < sizeof(a)) { + return; + } + memcpy(&a, data, sizeof(a)); + + if (get_pio_address(&abs, a.base, a.offset) == 0) { + return; + } + + switch (a.size %= end_sizes) { + case Byte: + qtest_outb(s, abs.addr, a.value & 0xFF); + break; + case Word: + if (abs.size >= 2) { + qtest_outw(s, abs.addr, a.value & 0xFFFF); + } + break; + case Long: + if (abs.size >= 4) { + qtest_outl(s, abs.addr, a.value); + } + break; + } +} + +static void op_read(QTestState *s, const unsigned char * data, size_t len) +{ + enum Sizes {Byte, Word, Long, Quad, end_sizes}; + struct { + uint8_t size; + uint8_t base; + uint32_t offset; + } a; + address_range abs; + + if (len < sizeof(a)) { + return; + } + memcpy(&a, data, sizeof(a)); + + if (get_mmio_address(&abs, a.base, a.offset) == 0) { + return; + } + + switch (a.size %= end_sizes) { + case Byte: + qtest_readb(s, abs.addr); + break; + case Word: + if (abs.size >= 2) { + qtest_readw(s, abs.addr); + } + break; + case Long: + if (abs.size >= 4) { + 
qtest_readl(s, abs.addr); + } + break; + case Quad: + if (abs.size >= 8) { + qtest_readq(s, abs.addr); + } + break; + } +} + +static void op_write(QTestState *s, const unsigned char * data, size_t len) +{ + enum Sizes {Byte, Word, Long, Quad, end_sizes}; + struct { + uint8_t size; + uint8_t base; + uint32_t offset; + uint64_t value; + } a; + address_range abs; + + if (len < sizeof(a)) { + return; + } + memcpy(&a, data, sizeof(a)); + + if (get_mmio_address(&abs, a.base, a.offset) == 0) { + return; + } + + switch (a.size %= end_sizes) { + case Byte: + qtest_writeb(s, abs.addr, a.value & 0xFF); + break; + case Word: + if (abs.size >= 2) { + qtest_writew(s, abs.addr, a.value & 0xFFFF); + } + break; + case Long: + if (abs.size >= 4) { + qtest_writel(s, abs.addr, a.value & 0xFFFFFFFF); + } + break; + case Quad: + if (abs.size >= 8) { + qtest_writeq(s, abs.addr, a.value); + } + break; + } +} +static void op_clock_step(QTestState *s, const unsigned char *data, size_t len) +{ + qtest_clock_step_next(s); +} + +static void handle_timeout(int sig) +{ + if (qtest_log_enabled) { + fprintf(stderr, "[Timeout]\n"); + fflush(stderr); + } + _Exit(0); +} + +/* + * Here, we interpret random bytes from the fuzzer, as a sequence of commands. + * Some commands can be variable-width, so we use a separator, SEPARATOR, to specify + * the boundaries between commands. SEPARATOR is used to separate "operations" + * in the fuzz input. Why use a separator, instead of just using the operations' + * length to identify operation boundaries? + * 1. This is a simple way to support variable-length operations + * 2. This adds "stability" to the input. + * For example take the input "AbBcgDefg", where there is no separator and + * Opcodes are capitalized. + * Simply, by removing the first byte, we end up with a very different sequence: + * BbcGdefg... 
+ * By adding a separator, we avoid this problem: + * Ab SEP Bcg SEP Defg -> B SEP Bcg SEP Defg + * Since B uses two additional bytes as operands, the first "B" will be + * ignored. The fuzzer actively tries to reduce inputs, so such unused + * bytes are likely to be pruned, eventually. + * + * SEPARATOR is trivial for the fuzzer to discover when using ASan. Optionally, + * SEPARATOR can be manually specified as a dictionary value (see libfuzzer's + * -dict), though this should not be necessary. + * + * As a result, the stream of bytes is converted into a sequence of commands. + * In a simplified example where SEPARATOR is 0xFF: + * 00 01 02 FF 03 04 05 06 FF 01 FF ... + * becomes this sequence of commands: + * 00 01 02 -> op00 (0102) -> in (0102, 2) + * 03 04 05 06 -> op03 (040506) -> write (040506, 3) + * 01 -> op01 (-,0) -> out (-,0) + * ... + * + * Note here that it is the job of the individual opcode functions to check + * that enough data was provided. I.e. in the last command out (,0), out needs + * to check that there is not enough data provided to select an address/value + * for the operation. + */ +static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) +{ + void (*ops[]) (QTestState *s, const unsigned char* , size_t) = { + [OP_IN] = op_in, + [OP_OUT] = op_out, + [OP_READ] = op_read, + [OP_WRITE] = op_write, + [OP_CLOCK_STEP] = op_clock_step, + }; + const unsigned char *cmd = Data; + const unsigned char *nextcmd; + size_t cmd_len; + uint8_t op; + + if (fork() == 0) { + /* + * Sometimes the fuzzer will find inputs that take quite a long time to + * process. Often times, these inputs do not result in new coverage. + * Even if these inputs might be interesting, they can slow down the + * fuzzer, overall. 
Set a timeout to avoid hurting performance, too much + */ + if (timeout) { + struct sigaction sact; + struct itimerval timer; + + sigemptyset(&sact.sa_mask); + sact.sa_flags = SA_NODEFER; + sact.sa_handler = handle_timeout; + sigaction(SIGALRM, &sact, NULL); + + memset(&timer, 0, sizeof(timer)); + timer.it_value.tv_sec = timeout / USEC_IN_SEC; + timer.it_value.tv_usec = timeout % USEC_IN_SEC; + setitimer(ITIMER_VIRTUAL, &timer, NULL); + } + + while (cmd && Size) { + /* Get the length until the next command or end of input */ + nextcmd = memmem(cmd, Size, SEPARATOR, strlen(SEPARATOR)); + cmd_len = nextcmd ? nextcmd - cmd : Size; + + if (cmd_len > 0) { + /* Interpret the first byte of the command as an opcode */ + op = *cmd % (sizeof(ops) / sizeof((ops)[0])); + ops[op](s, cmd + 1, cmd_len - 1); + + /* Run the main loop */ + flush_events(s); + } + /* Advance to the next command */ + cmd = nextcmd ? nextcmd + sizeof(SEPARATOR) - 1 : nextcmd; + Size = Size - (cmd_len + sizeof(SEPARATOR) - 1); + } + _Exit(0); + } else { + flush_events(s); + wait(0); + } +} + +static void usage(void) +{ + printf("Please specify the following environment variables:\n"); + printf("QEMU_FUZZ_ARGS= the command line arguments passed to qemu\n"); + printf("QEMU_FUZZ_OBJECTS= " + "a space separated list of QOM type names for objects to fuzz\n"); + printf("Optionally: QEMU_FUZZ_TIMEOUT= Specify a custom timeout (us). " + "0 to disable. %d by default\n", timeout); + exit(0); +} + +static int locate_fuzz_memory_regions(Object *child, void *opaque) +{ + const char *name; + MemoryRegion *mr; + if (object_dynamic_cast(child, TYPE_MEMORY_REGION)) { + mr = MEMORY_REGION(child); + if ((memory_region_is_ram(mr) || + memory_region_is_ram_device(mr) || + memory_region_is_rom(mr)) == false) { + name = object_get_canonical_path_component(child); + /* + * We don't want duplicate pointers to the same MemoryRegion, so + * try to remove copies of the pointer, before adding it. 
+ */ + g_hash_table_insert(fuzzable_memoryregions, mr, (gpointer)true); + } + } + return 0; +} +static int locate_fuzz_objects(Object *child, void *opaque) +{ + char *pattern = opaque; + if (g_pattern_match_simple(pattern, object_get_typename(child))) { + /* Find and save ptrs to any child MemoryRegions */ + object_child_foreach_recursive(child, locate_fuzz_memory_regions, NULL); + + } else if (object_dynamic_cast(OBJECT(child), TYPE_MEMORY_REGION)) { + if (g_pattern_match_simple(pattern, + object_get_canonical_path_component(child))) { + MemoryRegion *mr; + mr = MEMORY_REGION(child); + if ((memory_region_is_ram(mr) || + memory_region_is_ram_device(mr) || + memory_region_is_rom(mr)) == false) { + g_hash_table_insert(fuzzable_memoryregions, mr, (gpointer)true); + } + } + } + return 0; +} + +static void general_pre_fuzz(QTestState *s) +{ + GHashTableIter iter; + MemoryRegion *mr; + char **result; + + if (!getenv("QEMU_FUZZ_OBJECTS")) { + usage(); + } + if (getenv("QTEST_LOG")) { + qtest_log_enabled = 1; + } + if (getenv("QEMU_FUZZ_TIMEOUT")) { + timeout = g_ascii_strtoll(getenv("QEMU_FUZZ_TIMEOUT"), NULL, 0); + } + + fuzzable_memoryregions = g_hash_table_new(NULL, NULL); + + result = g_strsplit(getenv("QEMU_FUZZ_OBJECTS"), " ", -1); + for (int i = 0; result[i] != NULL; i++) { + printf("Matching objects by name %s\n", result[i]); + object_child_foreach_recursive(qdev_get_machine(), + locate_fuzz_objects, + result[i]); + } + g_strfreev(result); + printf("This process will try to fuzz the following MemoryRegions:\n"); + + g_hash_table_iter_init(&iter, fuzzable_memoryregions); + while (g_hash_table_iter_next(&iter, (gpointer)&mr, NULL)) { + printf(" * %s (size %lx)\n", + object_get_canonical_path_component(&(mr->parent_obj)), + mr->addr); + } + + if (!g_hash_table_size(fuzzable_memoryregions)) { + printf("No fuzzable memory regions found...\n"); + exit(1); + } + + counter_shm_init(); +} +static GString *general_fuzz_cmdline(FuzzTarget *t) +{ + GString *cmd_line = 
g_string_new(TARGET_NAME); + if (!getenv("QEMU_FUZZ_ARGS")) { + usage(); + } + g_string_append_printf(cmd_line, " -display none \ + -machine accel=qtest, \ + -m 64 %s ", getenv("QEMU_FUZZ_ARGS")); + return cmd_line; +} + +static void register_general_fuzz_targets(void) +{ + fuzz_add_target(&(FuzzTarget){ + .name = "general-fuzz", + .description = "Fuzz based on any qemu command-line args. ", + .get_init_cmdline = general_fuzz_cmdline, + .pre_fuzz = general_pre_fuzz, + .fuzz = general_fuzz}); +} + +fuzz_target_init(register_general_fuzz_targets); diff --git a/tests/qtest/fuzz/meson.build b/tests/qtest/fuzz/meson.build index b31ace7d5a..a59de6aa8c 100644 --- a/tests/qtest/fuzz/meson.build +++ b/tests/qtest/fuzz/meson.build 
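Review bot: In the timeout setup near the top of the general_fuzz.c hunk above, `timer.it_value.tv_usec = timeout % USEC_IN_SEC;` can produce values far above the 999999 that setitimer() accepts, because USEC_IN_SEC is defined as 100000000 (10^8; the definition is visible as a context line in the next patch) rather than 1000000. The default 100000 us timeout happens to fit, but any QEMU_FUZZ_TIMEOUT of 1000000 or more yields tv_usec values up to 10^8-1, setitimer() fails with EINVAL, and since its return value is not checked the fuzzer silently runs with no timeout at all. Suggest `#define USEC_IN_SEC 1000000` and a check on the setitimer() result. Two smaller points in the same hunk: in general_pre_fuzz() the line `printf(" * %s (size %lx)\n", ..., mr->addr);` labels the value as a size but prints the region's address (memory_region_size(mr) would match the label), and the comment above `g_hash_table_insert(fuzzable_memoryregions, mr, (gpointer)true);` in locate_fuzz_memory_regions() says copies of the pointer are removed before adding, but no removal happens; g_hash_table_insert() already overwrites an existing key, so the comment should just say that.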
@@ -5,6 +5,7 @@ specific_fuzz_ss.add(files('fuzz.c', 'fork_fuzz.c', 'qos_fuzz.c', specific_fuzz_ss.add(when: 'CONFIG_I440FX', if_true: files('i440fx_fuzz.c')) specific_fuzz_ss.add(when: 'CONFIG_VIRTIO_NET', if_true: files('virtio_net_fuzz.c')) specific_fuzz_ss.add(when: 'CONFIG_VIRTIO_SCSI', if_true: files('virtio_scsi_fuzz.c')) +specific_fuzz_ss.add(files('general_fuzz.c')) fork_fuzz = declare_dependency( link_args: config_host['FUZZ_EXE_LDFLAGS'].split() +

From patchwork Thu Oct 15 13:41:23 2020
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 03/16] fuzz: Add PCI features to the general fuzzer
Date: Thu, 15 Oct 2020 09:41:23 -0400
Message-Id: <20201015134137.205958-4-alxndr@bu.edu>
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
This patch compares TYPE_PCI_DEVICE objects against the user-provided matching pattern. If there is a match, we use some hacks and leverage QOS to map each possible BAR for that device. Now fuzzed inputs might be converted to pci_read/write commands which target specific. This means that we can fuzz a particular device's PCI configuration space,

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/general_fuzz.c | 81 +++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)

diff --git a/tests/qtest/fuzz/general_fuzz.c b/tests/qtest/fuzz/general_fuzz.c index c1c6dd3ba6..ef754843ed 100644 --- a/tests/qtest/fuzz/general_fuzz.c +++ b/tests/qtest/fuzz/general_fuzz.c @@ -24,6 +24,7 @@ #include "exec/ramblock.h" #include "exec/address-spaces.h" #include "hw/qdev-core.h" +#include "hw/pci/pci.h" /* * SEPARATOR is used to separate "operations" in the fuzz input @@ -35,12 +36,17 @@ enum cmds { OP_OUT, OP_READ, OP_WRITE, + OP_PCI_READ, + OP_PCI_WRITE, OP_CLOCK_STEP, }; #define DEFAULT_TIMEOUT_US 100000 #define USEC_IN_SEC 100000000 +#define PCI_HOST_BRIDGE_CFG 0xcf8 +#define PCI_HOST_BRIDGE_DATA 0xcfc + typedef struct { ram_addr_t addr; ram_addr_t size; /* The number of bytes until the end of the I/O region */ @@ -55,6 +61,7 @@ static bool qtest_log_enabled; * user for fuzzing. */ static GHashTable *fuzzable_memoryregions; +static GPtrArray *fuzzable_pci_devices; struct get_io_cb_info { int index;
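Review bot: The new `#define PCI_HOST_BRIDGE_CFG 0xcf8` and `#define PCI_HOST_BRIDGE_DATA 0xcfc` hard-code the x86 PC configuration-mechanism ports, so the OP_PCI_READ/OP_PCI_WRITE commands introduced here only do anything on machines that expose that host bridge, while the target's description still reads "Fuzz based on any qemu command-line args". Either state the x86-only assumption in usage() and next to the defines, or skip registering the PCI ops when no matched object is a PCI device on a PC-style bridge, so that on other machines those opcodes do not silently become no-op port writes. Also, `OP_PCI_READ` and `OP_PCI_WRITE` are inserted into the middle of `enum cmds`, which renumbers OP_CLOCK_STEP and invalidates any existing corpus; appending new opcodes at the end keeps old inputs meaningful.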
@@ -280,6 +287,65 @@ static void op_write(QTestState *s, const unsigned char * data, size_t len) break; } } +static void op_pci_read(QTestState *s, const unsigned char * data, size_t len) +{ + enum Sizes {Byte, Word, Long, end_sizes}; + struct { + uint8_t size; + uint8_t base; + uint8_t offset; + } a; + if (len < sizeof(a) || fuzzable_pci_devices->len == 0) { + return; + } + memcpy(&a, data, sizeof(a)); + PCIDevice *dev = g_ptr_array_index(fuzzable_pci_devices, + a.base % fuzzable_pci_devices->len); + int devfn = dev->devfn; + qtest_outl(s, PCI_HOST_BRIDGE_CFG, (1U << 31) | (devfn << 8) | a.offset); + switch (a.size %= end_sizes) { + case Byte: + qtest_inb(s, PCI_HOST_BRIDGE_DATA); + break; + case Word: + qtest_inw(s, PCI_HOST_BRIDGE_DATA); + break; + case Long: + qtest_inl(s, PCI_HOST_BRIDGE_DATA); + break; + } +} + +static void op_pci_write(QTestState *s, const unsigned char * data, size_t len) +{ + enum Sizes {Byte, Word, Long, end_sizes}; + struct { + uint8_t size; + uint8_t base; + uint8_t offset; + uint32_t value; + } a; + if (len < sizeof(a) || fuzzable_pci_devices->len == 0) { + return; + } + memcpy(&a, data, sizeof(a)); + PCIDevice *dev = g_ptr_array_index(fuzzable_pci_devices, + a.base % fuzzable_pci_devices->len); + int devfn = dev->devfn; + qtest_outl(s, PCI_HOST_BRIDGE_CFG, (1U << 31) | (devfn << 8) | a.offset); + switch (a.size %= end_sizes) { + case Byte: + qtest_outb(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFF); + break; + case Word: + qtest_outw(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFFFF); + break; + case Long: + qtest_outl(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFFFFFFFF); + break; + } +} + static void op_clock_step(QTestState *s, const unsigned char *data, size_t len) { qtest_clock_step_next(s); 
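Review bot: In op_pci_write() the struct `a` has one byte of padding between `uint8_t offset` and `uint32_t value`, so `memcpy(&a, data, sizeof(a))` consumes eight input bytes of which the fourth is silently ignored; if the intent is a packed seven-byte command, mark the struct `QEMU_PACKED` or read the fields individually, otherwise add a comment so nobody later "fixes" the mismatch between the check `len < sizeof(a)` and the payload layout. The address-register programming `qtest_outl(s, PCI_HOST_BRIDGE_CFG, (1U << 31) | (devfn << 8) | a.offset);` is duplicated verbatim between op_pci_read() and op_pci_write(); a small helper that takes the device and offset would keep the two in sync, and a comment that bits 16-23 are never set (only bus 0 is addressable) would save the next reader a lookup. Minor: `a.value & 0xFFFFFFFF` on a uint32_t is a no-op, and the new prototypes copy the `const unsigned char * data` spelling that checkpatch flags (`*data`).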
@@ -337,6 +403,8 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) [OP_OUT] = op_out, [OP_READ] = op_read, [OP_WRITE] = op_write, + [OP_PCI_READ] = op_pci_read, + [OP_PCI_WRITE] = op_pci_write, [OP_CLOCK_STEP] = op_clock_step, }; const unsigned char *cmd = Data; @@ -427,6 +495,18 @@ static int locate_fuzz_objects(Object *child, void *opaque) /* Find and save ptrs to any child MemoryRegions */ object_child_foreach_recursive(child, locate_fuzz_memory_regions, NULL); + /* + * We matched an object. If its a PCI device, store a pointer to it so + * we can map BARs and fuzz its config space. + */ + if (object_dynamic_cast(OBJECT(child), TYPE_PCI_DEVICE)) { + /* + * Don't want duplicate pointers to the same PCIDevice, so remove + * copies of the pointer, before adding it. + */ + g_ptr_array_remove_fast(fuzzable_pci_devices, PCI_DEVICE(child)); + g_ptr_array_add(fuzzable_pci_devices, PCI_DEVICE(child)); + } } else if (object_dynamic_cast(OBJECT(child), TYPE_MEMORY_REGION)) { if (g_pattern_match_simple(pattern, object_get_canonical_path_component(child))) { 
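Review bot: The new comment in locate_fuzz_objects() says the PCIDevice pointer is stored "so we can map BARs and fuzz its config space", and the cover text says each BAR gets mapped via QOS, but nothing in this patch maps a BAR or sets the memory/IO enable bits in PCI_COMMAND; as posted, only configuration-space accesses are added, and the device's BAR MMIO is reachable only if something else programs it. If the mapping arrives in a later patch of the series, say so in the comment; otherwise reword it to describe what is actually done here. The dedupe via `g_ptr_array_remove_fast(fuzzable_pci_devices, PCI_DEVICE(child));` followed by `g_ptr_array_add(...)` works, but a GHashTable keyed on the pointer, as already used for fuzzable_memoryregions, would avoid the linear scan per matched object.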
@@ -459,6 +539,7 @@ static void general_pre_fuzz(QTestState *s) } fuzzable_memoryregions = g_hash_table_new(NULL, NULL); + fuzzable_pci_devices = g_ptr_array_new(); result = g_strsplit(getenv("QEMU_FUZZ_OBJECTS"), " ", -1); for (int i = 0; result[i] != NULL; i++) {

From patchwork Thu Oct 15 13:41:24 2020
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 04/16] fuzz: Add DMA support to the generic-fuzzer
Date: Thu, 15 Oct 2020 09:41:24 -0400
Message-Id: <20201015134137.205958-5-alxndr@bu.edu>
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
When a virtual-device tries to access some buffer in memory over DMA, we add call-backs into the fuzzer (next commit). The fuzzer verifies that the DMA request maps to a physical RAM address and fills the memory with fuzzer-provided data. The patterns that we use to fill this memory are specified using add_dma_pattern and clear_dma_patterns operations.

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/general_fuzz.c | 230 ++++++++++++++++++++++++++++++++
1 file changed, 230 insertions(+)

diff --git a/tests/qtest/fuzz/general_fuzz.c b/tests/qtest/fuzz/general_fuzz.c index ef754843ed..0fd42a16da 100644 --- a/tests/qtest/fuzz/general_fuzz.c +++ b/tests/qtest/fuzz/general_fuzz.c @@ -25,6 +25,7 @@ #include "exec/address-spaces.h" #include "hw/qdev-core.h" #include "hw/pci/pci.h" +#include "hw/boards.h" /* * SEPARATOR is used to separate "operations" in the fuzz input @@ -38,12 +39,16 @@ enum cmds { OP_WRITE, OP_PCI_READ, OP_PCI_WRITE, + OP_ADD_DMA_PATTERN, + OP_CLEAR_DMA_PATTERNS, OP_CLOCK_STEP, }; #define DEFAULT_TIMEOUT_US 100000 #define USEC_IN_SEC 100000000 +#define MAX_DMA_FILL_SIZE 0x10000 + #define PCI_HOST_BRIDGE_CFG 0xcf8 #define PCI_HOST_BRIDGE_DATA 0xcfc
@@ -56,6 +61,24 @@ static useconds_t timeout = 100000; static bool qtest_log_enabled; +/* + * A pattern used to populate a DMA region or perform a memwrite. This is + * useful for e.g. populating tables of unique addresses. + * Example {.index = 1; .stride = 2; .len = 3; .data = "\x00\x01\x02"} + * Renders as: 00 01 02 00 03 02 00 05 02 00 07 02 ... + */ +typedef struct { + uint8_t index; /* Index of a byte to increment by stride */ + uint8_t stride; /* Increment each index'th byte by this amount */ + size_t len; + const uint8_t *data; +} pattern; + +/* Avoid filling the same DMA region between MMIO/PIO commands ? */ +static bool avoid_double_fetches; + +static QTestState *qts_global; /* Need a global for the DMA callback */ + /* * List of memory regions that are children of QOM objects specified by the * user for fuzzing. 
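Review bot: The `const uint8_t *data;` member of the new `pattern` struct is documented only by the rendering example, not by its lifetime: as used later in this patch it points straight into the fuzzer-provided input buffer rather than into a copy, so a pattern is only valid for the duration of one general_fuzz() run and must never outlive it. A one-line comment here ("points into the current fuzz input; cleared at the start of every run") would prevent a future caller from holding a pattern across runs. Also, the lowercase typedef name `pattern` is at odds with the CamelCase typedefs used elsewhere in this file (QTestState, MemoryRegion, FuzzTarget); checkpatch will likely complain.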
@@ -84,6 +107,169 @@ static int get_io_address_cb(ram_addr_t start, ram_addr_t size, return 0; } +/* + * List of dma regions populated since the last fuzzing command. Used to ensure + * that we only write to each DMA address once, to avoid race conditions when + * building reproducers. + */ +static GArray *dma_regions; + +static GArray *dma_patterns; +static int dma_pattern_index; + +void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write); + +/* + * Allocate a block of memory and populate it with a pattern. + */ +static void *pattern_alloc(pattern p, size_t len) +{ + int i; + uint8_t *buf = g_malloc(len); + uint8_t sum = 0; + + for (i = 0; i < len; ++i) { + buf[i] = p.data[i % p.len]; + if ((i % p.len) == p.index) { + buf[i] += sum; + sum += p.stride; + } + } + return buf; +} + +static int memory_access_size(MemoryRegion *mr, unsigned l, hwaddr addr) +{ + unsigned access_size_max = mr->ops->valid.max_access_size; + + /* Regions are assumed to support 1-4 byte accesses unless + otherwise specified. */ + if (access_size_max == 0) { + access_size_max = 4; + } + + /* Bound the maximum access by the alignment of the address. */ + if (!mr->ops->impl.unaligned) { + unsigned align_size_max = addr & -addr; + if (align_size_max != 0 && align_size_max < access_size_max) { + access_size_max = align_size_max; + } + } + + /* Don't attempt accesses larger than the maximum. */ + if (l > access_size_max) { + l = access_size_max; + } + l = pow2floor(l); + + return l; +} + +/* + * Call-back for functions that perform DMA reads from guest memory. Confirm + * that the region has not already been populated since the last loop in + * general_fuzz(), avoiding potential race-conditions, which we don't have + * a good way for reproducing right now. + */ +void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write) +{ + /* Are we in the general-fuzzer or are we using another fuzz-target? 
*/ + if (!qts_global) { + return; + } + + /* + * Return immediately if: + * - We have no DMA patterns defined + * - The length of the DMA read request is zero + * - The DMA read is hitting an MR other than the machine's main RAM + * - The DMA request is not a read (what happens for a address_space_map + * with is_write=True? Can the device use the same pointer to do reads?) + * - The DMA request hits past the bounds of our RAM + */ + if (dma_patterns->len == 0 + || len == 0 + || mr != MACHINE(qdev_get_machine())->ram + || is_write + || addr > current_machine->ram_size) { + return; + } + + /* + * If we overlap with any existing dma_regions, split the range and only + * populate the non-overlapping parts. + */ + address_range region; + bool double_fetch = false; + for (int i = 0; + i < dma_regions->len && (avoid_double_fetches || qtest_log_enabled); + ++i) { + region = g_array_index(dma_regions, address_range, i); + if (addr < region.addr + region.size && addr + len > region.addr) { + double_fetch = true; + if (addr < region.addr + && avoid_double_fetches) { + fuzz_dma_read_cb(addr, region.addr - addr, mr, is_write); + } + if (addr + len > region.addr + region.size + && avoid_double_fetches) { + fuzz_dma_read_cb(region.addr + region.size, + addr + len - (region.addr + region.size), mr, is_write); + } + return; + } + } + + /* Cap the length of the DMA access to something reasonable */ + len = MIN(len, MAX_DMA_FILL_SIZE); + + address_range ar = {addr, len}; + g_array_append_val(dma_regions, ar); + pattern p = g_array_index(dma_patterns, pattern, dma_pattern_index); + void *buf = pattern_alloc(p, ar.size); + hwaddr l, addr1; + MemoryRegion *mr1; + uint8_t *ram_ptr; + while (len > 0) { + l = len; + mr1 = address_space_translate(first_cpu->as, + addr, &addr1, &l, true, + MEMTXATTRS_UNSPECIFIED); + + if (!(memory_region_is_ram(mr1) || + memory_region_is_romd(mr1))) { + l = memory_access_size(mr1, l, addr1); + } else { + /* ROM/RAM case */ + ram_ptr = 
qemu_map_ram_ptr(mr1->ram_block, addr1); + memcpy(ram_ptr, buf, l); + break; + } + len -= l; + buf += l; + addr += l; + + } + if (qtest_log_enabled) { + /* + * With QTEST_LOG, use a normal, slow QTest memwrite. Prefix the log + * that will be written by qtest.c with a DMA tag, so we can reorder + * the resulting QTest trace so the DMA fills precede the last PIO/MMIO + * command. + */ + fprintf(stderr, "[DMA] "); + if (double_fetch) { + fprintf(stderr, "[DOUBLE-FETCH] "); + } + fflush(stderr); + qtest_memwrite(qts_global, ar.addr, buf, ar.size); + } + g_free(buf); + + /* Increment the index of the pattern for the next DMA access */ + dma_pattern_index = (dma_pattern_index + 1) % dma_patterns->len; +} + /* * Here we want to convert a fuzzer-provided [io-region-index, offset] to * a physical address. To do this, we iterate over all of the matched @@ -346,6 +532,35 @@ static void op_pci_write(QTestState *s, const unsigned char * data, size_t len) } } +static void op_add_dma_pattern(QTestState *s, + const unsigned char *data, size_t len) +{ + struct { + /* + * index and stride can be used to increment the index-th byte of the + * pattern by the value stride, for each loop of the pattern. + */ + uint8_t index; + uint8_t stride; + } a; + + if (len < sizeof(a) + 1) { + return; + } + memcpy(&a, data, sizeof(a)); + pattern p = {a.index, a.stride, len - sizeof(a), data + sizeof(a)}; + p.index = a.index % p.len; + g_array_append_val(dma_patterns, p); + return; +} + +static void op_clear_dma_patterns(QTestState *s, + const unsigned char *data, size_t len) +{ + g_array_set_size(dma_patterns, 0); + dma_pattern_index = 0; +} + static void op_clock_step(QTestState *s, const unsigned char *data, size_t len) { qtest_clock_step_next(s); 
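Review bot: In fuzz_dma_read_cb(), `buf` is advanced with `buf += l;` inside the translate loop and is then passed unchanged to `qtest_memwrite(qts_global, ar.addr, buf, ar.size);` and to `g_free(buf);` after the loop. Whenever the first address_space_translate() result is not RAM (the `memory_access_size(mr1, l, addr1)` branch) and a later iteration reaches the RAM case, both calls receive an interior pointer: the memwrite then reads past the end of the allocation and g_free() aborts on a non-allocation pointer. Keep the allocation pointer separate from the cursor (e.g. `uint8_t *buf = pattern_alloc(p, ar.size); uint8_t *cur = buf;`), and declare it as `uint8_t *` rather than `void *`, since `buf += l` on a `void *` depends on the GCC extension. Two further checks in the same function: the early-return guard `addr > current_machine->ram_size` admits addr == ram_size and ignores len, so `addr + len > ram_size` is the bound that matches the comment "The DMA request hits past the bounds of our RAM"; and `len = MIN(len, MAX_DMA_FILL_SIZE);` is applied after the overlap bookkeeping has compared the uncapped length, so a capped fill is recorded in dma_regions with its capped size while the overlap test used the full one, which is harmless today but worth a comment.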
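Review bot: op_add_dma_pattern() stores `data + sizeof(a)` directly in the pattern (`pattern p = {a.index, a.stride, len - sizeof(a), data + sizeof(a)};`), i.e. a pointer into the command being parsed, with no comment that this is safe only because dma_patterns is emptied by `op_clear_dma_patterns(s, NULL, 0)` at the start of each run and the input buffer outlives the run in the forked child; please document that, since nothing in the function itself enforces it. The `len < sizeof(a) + 1` check guarantees `p.len >= 1`, which is what makes `a.index % p.len` safe; a short comment tying the two together would help. The trailing `return;` is redundant, and `s` is unused in both new ops (fine for the uniform callback signature, but `(void)s` or a comment avoids warnings under -Wunused-parameter).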
@@ -405,6 +620,8 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) [OP_WRITE] = op_write, [OP_PCI_READ] = op_pci_read, [OP_PCI_WRITE] = op_pci_write, + [OP_ADD_DMA_PATTERN] = op_add_dma_pattern, + [OP_CLEAR_DMA_PATTERNS] = op_clear_dma_patterns, [OP_CLOCK_STEP] = op_clock_step, }; const unsigned char *cmd = Data; @@ -434,6 +651,8 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) setitimer(ITIMER_VIRTUAL, &timer, NULL); } + op_clear_dma_patterns(s, NULL, 0); + while (cmd && Size) { /* Get the length until the next command or end of input */ nextcmd = memmem(cmd, Size, SEPARATOR, strlen(SEPARATOR)); @@ -450,6 +669,7 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) /* Advance to the next command */ cmd = nextcmd ? nextcmd + sizeof(SEPARATOR) - 1 : nextcmd; Size = Size - (cmd_len + sizeof(SEPARATOR) - 1); + g_array_set_size(dma_regions, 0); } _Exit(0); } else { @@ -464,6 +684,9 @@ static void usage(void) printf("QEMU_FUZZ_ARGS= the command line arguments passed to qemu\n"); printf("QEMU_FUZZ_OBJECTS= " "a space separated list of QOM type names for objects to fuzz\n"); + printf("Optionally: QEMU_AVOID_DOUBLE_FETCH= " + "Try to avoid racy DMA double fetch bugs? %d by default\n", + avoid_double_fetches); printf("Optionally: QEMU_FUZZ_TIMEOUT= Specify a custom timeout (us). " "0 to disable. %d by default\n", timeout); exit(0); 
@@ -534,9 +757,16 @@ static void general_pre_fuzz(QTestState *s) if (getenv("QTEST_LOG")) { qtest_log_enabled = 1; } + if (getenv("QEMU_AVOID_DOUBLE_FETCH")) { + avoid_double_fetches = 1; + } if (getenv("QEMU_FUZZ_TIMEOUT")) { timeout = g_ascii_strtoll(getenv("QEMU_FUZZ_TIMEOUT"), NULL, 0); } + qts_global = s; + + dma_regions = g_array_new(false, false, sizeof(address_range)); + dma_patterns = g_array_new(false, false, sizeof(pattern)); fuzzable_memoryregions = g_hash_table_new(NULL, NULL); fuzzable_pci_devices = g_ptr_array_new();

From patchwork Thu Oct 15 13:41:25 2020
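Review bot: In the general_pre_fuzz() hunk of the DMA patch, `if (getenv("QEMU_AVOID_DOUBLE_FETCH")) { avoid_double_fetches = 1; }` enables the option for any value of the variable, including `QEMU_AVOID_DOUBLE_FETCH=0`, while the usage() text added in the same patch prints it as a numeric default ("%d by default"), which suggests users can set it to 0; parse the value the same way QEMU_FUZZ_TIMEOUT is parsed (`g_ascii_strtoll(...) != 0`) so the documentation and behaviour agree. Also, `qts_global = s;` is assigned before `dma_regions` and `dma_patterns` are allocated, yet `qts_global` is the only guard in fuzz_dma_read_cb() before it dereferences `dma_patterns->len`; moving the assignment below the two g_array_new() calls removes the window in which a DMA callback would dereference a NULL array.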

From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 05/16] fuzz: Declare DMA Read callback function
Date: Thu, 15 Oct 2020 09:41:25 -0400
Message-Id: <20201015134137.205958-6-alxndr@bu.edu>
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
References: <20201015134137.205958-1-alxndr@bu.edu>
This patch declares the fuzz_dma_read_cb function and uses the preprocessor and linker (weak symbols) to handle these cases:

When we build softmmu/all with --enable-fuzzing, there should be no strong symbol defined for fuzz_dma_read_cb, and we link against a weak stub function.

When we build softmmu/fuzz with --enable-fuzzing, we link against the strong symbol in general_fuzz.c.

When we build softmmu/all without --enable-fuzzing, fuzz_dma_read_cb is an empty, inlined function. As long as we don't call any other functions when building the arguments, there should be no overhead.

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
include/exec/memory.h | 15 +++++++++++++++ softmmu/memory.c | 13 +++++++++++++ 2 files changed, 28 insertions(+)
diff --git a/include/exec/memory.h b/include/exec/memory.h index 233655b29a..854480859d 100644 --- a/include/exec/memory.h +++ b/include/exec/memory.h @@ -42,6 +42,21 @@ typedef struct IOMMUMemoryRegionClass IOMMUMemoryRegionClass; DECLARE_OBJ_CHECKERS(IOMMUMemoryRegion, IOMMUMemoryRegionClass, IOMMU_MEMORY_REGION, TYPE_IOMMU_MEMORY_REGION) +#ifdef CONFIG_FUZZ +void fuzz_dma_read_cb(size_t addr, + size_t len, + MemoryRegion *mr, + bool is_write); +#else +static inline void fuzz_dma_read_cb(size_t addr, + size_t len, + MemoryRegion *mr, + bool is_write) +{ + /* Do Nothing */ +} +#endif + extern bool global_dirty_log; typedef struct MemoryRegionOps MemoryRegionOps;
diff --git a/softmmu/memory.c b/softmmu/memory.c index c46b0c6d65..d3cdb46459 100644 --- a/softmmu/memory.c +++ b/softmmu/memory.c
@@ -3242,6 +3242,19 @@ void memory_region_init_rom_device(MemoryRegion *mr, vmstate_register_ram(mr, owner_dev); } +/* + * Support softmmu builds with CONFIG_FUZZ using a weak symbol and a stub for + * the fuzz_dma_read_cb callback + */ +#ifdef CONFIG_FUZZ +void __attribute__((weak)) fuzz_dma_read_cb(size_t addr, + size_t len, + MemoryRegion *mr, + bool is_write) +{ +} +#endif + static const TypeInfo memory_region_info = { .parent = TYPE_OBJECT, .name = TYPE_MEMORY_REGION,
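Review bot: in the include/exec/memory.h hunk, addr and len are declared size_t, but the call sites added later in this series pass hwaddr values (address_space_read_cached takes hwaddr addr and hwaddr len, and flatview_read_continue passes its hwaddr addr); on a 32-bit host size_t is 32 bits, so guest physical addresses above 4 GiB would be silently truncated before the callback sees them. Declaring both parameters as hwaddr matches the callers and costs nothing in the inline stub.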
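Review bot: the softmmu/memory.c hunk relies on the linker preferring the strong fuzz_dma_read_cb from general_fuzz.c over this weak stub, which holds when both are linked as objects but not when the strong definition sits in a static archive member that nothing else pulls in (the weak symbol already satisfies the reference, so the member is never extracted). Because the fallback is an empty function, a build that resolves to the stub would fuzz with DMA pattern filling silently disabled; the comment should record which link configuration was verified, and a one-time check or log in the fuzz target that the strong callback is in use would make that failure visible.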

From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 06/16] fuzz: Add fuzzer callbacks to DMA-read functions
Date: Thu, 15 Oct 2020 09:41:26 -0400
Message-Id: <20201015134137.205958-7-alxndr@bu.edu>
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
References: <20201015134137.205958-1-alxndr@bu.edu>
We should be careful to not call any functions besides fuzz_dma_read_cb. Without --enable-fuzzing, fuzz_dma_read_cb is an empty inlined function.

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
include/exec/memory.h | 1 + include/exec/memory_ldst_cached.h.inc | 3 +++ memory_ldst.c.inc | 4 ++++ softmmu/memory.c | 1 + softmmu/physmem.c | 2 ++ 5 files changed, 11 insertions(+)
diff --git a/include/exec/memory.h b/include/exec/memory.h index 854480859d..588668547b 100644 --- a/include/exec/memory.h +++ b/include/exec/memory.h @@ -2462,6 +2462,7 @@ address_space_read_cached(MemoryRegionCache *cache, hwaddr addr, void *buf, hwaddr len) { assert(addr < cache->len && len <= cache->len - addr); + fuzz_dma_read_cb(cache->xlat + addr, len, cache->mrs.mr, false); if (likely(cache->ptr)) { memcpy(buf, cache->ptr + addr, len); return MEMTX_OK;
diff --git a/include/exec/memory_ldst_cached.h.inc b/include/exec/memory_ldst_cached.h.inc index fd4bbb40e7..aff574039f 100644 --- a/include/exec/memory_ldst_cached.h.inc +++ b/include/exec/memory_ldst_cached.h.inc @@ -28,6 +28,7 @@ static inline uint32_t ADDRESS_SPACE_LD_CACHED(l)(MemoryRegionCache *cache, hwaddr addr, MemTxAttrs attrs, MemTxResult *result) { assert(addr < cache->len && 4 <= cache->len - addr); + fuzz_dma_read_cb(cache->xlat + addr, 4, cache->mrs.mr, false); if (likely(cache->ptr)) { return LD_P(l)(cache->ptr + addr); } else { @@ -39,6 +40,7 @@ static inline uint64_t ADDRESS_SPACE_LD_CACHED(q)(MemoryRegionCache *cache, hwaddr addr, MemTxAttrs attrs, MemTxResult *result) { assert(addr < cache->len && 8 <= cache->len - addr); + fuzz_dma_read_cb(cache->xlat + addr, 8, cache->mrs.mr, false); if (likely(cache->ptr)) { return LD_P(q)(cache->ptr + addr); } else {
@@ -50,6 +52,7 @@ static inline uint32_t ADDRESS_SPACE_LD_CACHED(uw)(MemoryRegionCache *cache, hwaddr addr, MemTxAttrs attrs, MemTxResult *result) { assert(addr < cache->len && 2 <= cache->len - addr); + fuzz_dma_read_cb(cache->xlat + addr, 2, cache->mrs.mr, false); if (likely(cache->ptr)) { return LD_P(uw)(cache->ptr + addr); } else { diff --git a/memory_ldst.c.inc b/memory_ldst.c.inc index c54aee4a95..8d45d2eeff 100644 --- a/memory_ldst.c.inc +++ b/memory_ldst.c.inc @@ -42,6 +42,7 @@ static inline uint32_t glue(address_space_ldl_internal, SUFFIX)(ARG1_DECL, MO_32 | devend_memop(endian), attrs); } else { /* RAM case */ + fuzz_dma_read_cb(addr, 4, mr, false); ptr = qemu_map_ram_ptr(mr->ram_block, addr1); switch (endian) { case DEVICE_LITTLE_ENDIAN: @@ -110,6 +111,7 @@ static inline uint64_t glue(address_space_ldq_internal, SUFFIX)(ARG1_DECL, MO_64 | devend_memop(endian), attrs); } else { /* RAM case */ + fuzz_dma_read_cb(addr, 8, mr, false); ptr = qemu_map_ram_ptr(mr->ram_block, addr1); switch (endian) { case DEVICE_LITTLE_ENDIAN: @@ -175,6 +177,7 @@ uint32_t glue(address_space_ldub, SUFFIX)(ARG1_DECL, r = memory_region_dispatch_read(mr, addr1, &val, MO_8, attrs); } else { /* RAM case */ + fuzz_dma_read_cb(addr, 1, mr, false); ptr = qemu_map_ram_ptr(mr->ram_block, addr1); val = ldub_p(ptr); r = MEMTX_OK; @@ -212,6 +215,7 @@ static inline uint32_t glue(address_space_lduw_internal, SUFFIX)(ARG1_DECL, MO_16 | devend_memop(endian), attrs); } else { /* RAM case */ + fuzz_dma_read_cb(addr, 2, mr, false); ptr = qemu_map_ram_ptr(mr->ram_block, addr1); switch (endian) { case DEVICE_LITTLE_ENDIAN: diff --git a/softmmu/memory.c b/softmmu/memory.c index d3cdb46459..d7fdca2603 100644 --- a/softmmu/memory.c +++ b/softmmu/memory.c 
@@ -1429,6 +1429,7 @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr, unsigned size = memop_size(op); MemTxResult r; + fuzz_dma_read_cb(addr, size, mr, false); if (!memory_region_access_valid(mr, addr, size, false, attrs)) { *pval = unassigned_mem_read(mr, addr, size); return MEMTX_DECODE_ERROR; diff --git a/softmmu/physmem.c b/softmmu/physmem.c index e319fb2a1e..a9adedb9f8 100644 --- a/softmmu/physmem.c +++ b/softmmu/physmem.c @@ -2832,6 +2832,7 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr, stn_he_p(buf, l, val); } else { /* RAM case */ + fuzz_dma_read_cb(addr, len, mr, false); ram_ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false); memcpy(buf, ram_ptr, l); } 
@@ -3192,6 +3193,7 @@ void *address_space_map(AddressSpace *as, memory_region_ref(mr); *plen = flatview_extend_translation(fv, addr, len, mr, xlat, l, is_write, attrs); + fuzz_dma_read_cb(addr, *plen, mr, is_write); ptr = qemu_ram_ptr_length(mr->ram_block, xlat, plen, true); return ptr;
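Review bot: the address_space_read_cached hunk reports cache->xlat + addr together with cache->mrs.mr, while the memory_ldst.c.inc, memory_region_dispatch_read, flatview_read_continue and address_space_map hunks report the untranslated addr alongside the mr obtained from translation; the callback declaration in memory.h says nothing about which of the two addresses it expects, and they differ whenever a region's offset is not equal to its address in the address space. A sentence at the declaration stating the expected address, with a matching adjustment at whichever sites differ, would keep pattern writes from landing at the wrong guest address.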
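Review bot: in the three memory_ldst_cached.h.inc hunks (and likewise in address_space_read_cached) the callback sits before the if (likely(cache->ptr)) test, so on the non-RAM fallback path the same read is reported here and again in memory_region_dispatch_read, which this patch also instruments. If the callback is not idempotent per region that double-counts; moving the call inside the cache->ptr branch gives one notification per read and matches the "RAM case" placement used in memory_ldst.c.inc.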
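Review bot: in the softmmu/memory.c @@ -1429 hunk the callback runs before memory_region_access_valid, so accesses that are rejected with MEMTX_DECODE_ERROR (no device read takes place) are still reported as DMA reads. If the intent is to model reads that actually occur, place the call after the validity check; if reporting rejected accesses is deliberate, say so in a comment.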
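Review bot: in the softmmu/physmem.c @@ -2832 hunk the callback is passed len, the total remaining length of the read, but the memcpy two lines below copies l, the length that fits in this mr chunk (and qemu_ram_ptr_length may shrink it further), so a read spanning several regions reports the whole remaining length against the first mr. Passing l keeps the reported extent within the region that is actually read.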
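Review bot: in the @@ -3192 hunk address_space_map is the only site that forwards is_write, and it is reached for write mappings too, so a function named fuzz_dma_read_cb is notified of writes; a comment on why the write case is reported, or skipping the call when is_write is set, would make the intent clear. The call also precedes qemu_ram_ptr_length(..., plen, true), which may shrink *plen, so the reported length can exceed what is finally mapped.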

From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 07/16] fuzz: Add support for custom crossover functions
Date: Thu, 15 Oct 2020 09:41:27 -0400
Message-Id: <20201015134137.205958-8-alxndr@bu.edu>
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
References: <20201015134137.205958-1-alxndr@bu.edu>
libfuzzer supports a "custom crossover function". Libfuzzer often tries to blend two inputs to create a new interesting input. Sometimes, we have a better idea about how to blend inputs together. This change allows fuzzers to specify a custom function for blending two inputs together.

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/fuzz.c | 13 +++++++++++++ tests/qtest/fuzz/fuzz.h | 27 +++++++++++++++++++++++++++ 2 files changed, 40 insertions(+)
diff --git a/tests/qtest/fuzz/fuzz.c b/tests/qtest/fuzz/fuzz.c index d926c490c5..00fa5fd52f 100644 --- a/tests/qtest/fuzz/fuzz.c +++ b/tests/qtest/fuzz/fuzz.c @@ -118,6 +118,19 @@ static FuzzTarget *fuzz_get_target(char* name) } +/* Sometimes called by libfuzzer to mutate two inputs into one */ +size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1, + const uint8_t *data2, size_t size2, + uint8_t *out, size_t max_out_size, + unsigned int seed) +{ + if (fuzz_target->crossover) { + return fuzz_target->crossover(data1, size1, data2, size2, out, + max_out_size, seed); + } + return 0; +} + /* Executed for each fuzzing-input */ int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size) {
diff --git a/tests/qtest/fuzz/fuzz.h b/tests/qtest/fuzz/fuzz.h index 8eb765edc8..ed9ce17154 100644 --- a/tests/qtest/fuzz/fuzz.h +++ b/tests/qtest/fuzz/fuzz.h
@@ -77,6 +77,29 @@ typedef struct FuzzTarget { */ void(*fuzz)(QTestState *, const unsigned char *, size_t); + /* + * The fuzzer can specify a "Custom Crossover" function for combining two + * inputs from the corpus. This function is sometimes called by libfuzzer + * when mutating inputs. + * + * data1: location of first input + * size1: length of first input + * data1: location of second input + * size1: length of second input + * out: where to place the resulting, mutated input + * max_out_size: the maximum length of the input that can be placed in out + * seed: the seed that should be used to make mutations deterministic, when + * needed + * + * See libfuzzer's LLVMFuzzerCustomCrossOver API for more info. + * + * Can be NULL + */ + size_t(*crossover)(const uint8_t *data1, size_t size1, + const uint8_t *data2, size_t size2, + uint8_t *out, size_t max_out_size, + unsigned int seed); + } FuzzTarget; void flush_events(QTestState *); 
@@ -91,6 +114,10 @@ void fuzz_qtest_set_serialize(bool option); */ void fuzz_add_target(const FuzzTarget *target); +size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1, + const uint8_t *data2, size_t size2, + uint8_t *out, size_t max_out_size, + unsigned int seed); int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size); int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp);

From patchwork Thu Oct 15 13:41:28 2020
X-Patchwork-Submitter: Alexander Bulekov
X-Patchwork-Id: 302821
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 08/16] fuzz: add a DISABLE_PCI op to general-fuzzer
Date: Thu, 15 Oct 2020 09:41:28 -0400
Message-Id: <20201015134137.205958-9-alxndr@bu.edu>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
References: <20201015134137.205958-1-alxndr@bu.edu>
Cc: Laurent Vivier , Thomas Huth , Alexander Bulekov , f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com,
stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" This new operation is used in the next commit, which concatenates two fuzzer-generated inputs. With this operation, we can prevent the second input from clobbering the PCI configuration performed by the first. Signed-off-by: Alexander Bulekov Reviewed-by: Darren Kenny --- tests/qtest/fuzz/general_fuzz.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/tests/qtest/fuzz/general_fuzz.c b/tests/qtest/fuzz/general_fuzz.c index 0fd42a16da..11346e229a 100644 --- a/tests/qtest/fuzz/general_fuzz.c +++ b/tests/qtest/fuzz/general_fuzz.c @@ -39,6 +39,7 @@ enum cmds { OP_WRITE, OP_PCI_READ, OP_PCI_WRITE, + OP_DISABLE_PCI, OP_ADD_DMA_PATTERN, OP_CLEAR_DMA_PATTERNS, OP_CLOCK_STEP, @@ -116,6 +117,7 @@ static GArray *dma_regions; static GArray *dma_patterns; static int dma_pattern_index; +static bool pci_disabled; void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write); @@ -481,7 +483,7 @@ static void op_pci_read(QTestState *s, const unsigned char * data, size_t len) uint8_t base; uint8_t offset; } a; - if (len < sizeof(a) || fuzzable_pci_devices->len == 0) { + if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) { return; } memcpy(&a, data, sizeof(a)); @@ -511,7 +513,7 @@ static void op_pci_write(QTestState *s, const unsigned char * data, size_t len) uint8_t offset; uint32_t value; } a; - if (len < sizeof(a) || fuzzable_pci_devices->len == 0) { + if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) { return; } memcpy(&a, data, sizeof(a)); 
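Review bot: OP_DISABLE_PCI is inserted into `enum cmds` between OP_PCI_WRITE and OP_ADD_DMA_PATTERN rather than appended, which shifts the numeric values of OP_ADD_DMA_PATTERN, OP_CLEAR_DMA_PATTERNS and OP_CLOCK_STEP; the fuzzer encodes the opcode as the first byte of each command (the next patch writes `out[size] = OP_CLEAR_DMA_PATTERNS` as a single byte), so any existing corpus entry or saved reproducer that used those ops now decodes to a different operation. If the input format is still considered unstable that is acceptable, but say so in the commit message; otherwise append the new value at the end of the enum. The `pci_disabled` tests added to op_pci_read and op_pci_write are correct; the new `static bool pci_disabled;` would benefit from a one-line comment saying it is per-input state that general_fuzz() resets before dispatching commands, since nothing at the declaration site says who clears it.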
@@ -566,6 +568,11 @@ static void op_clock_step(QTestState *s, const unsigned char *data, size_t len) qtest_clock_step_next(s); } +static void op_disable_pci(QTestState *s, const unsigned char *data, size_t len) +{ + pci_disabled = true; +} + static void handle_timeout(int sig) { if (qtest_log_enabled) { @@ -620,6 +627,7 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) [OP_WRITE] = op_write, [OP_PCI_READ] = op_pci_read, [OP_PCI_WRITE] = op_pci_write, + [OP_DISABLE_PCI] = op_disable_pci, [OP_ADD_DMA_PATTERN] = op_add_dma_pattern, [OP_CLEAR_DMA_PATTERNS] = op_clear_dma_patterns, [OP_CLOCK_STEP] = op_clock_step, 
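Review bot: op_disable_pci is a one-way switch, there is no matching enable op and nothing clears the flag within an input, so from the first OP_DISABLE_PCI byte onward every OP_PCI_READ and OP_PCI_WRITE in the same input is silently dropped. That is the intended semantics for the crossover described in the commit message, but op_disable_pci deserves a comment saying so, because a fuzzer-generated input that happens to contain this byte early will lose all of its PCI BAR setup and the ops after it will look inexplicably dead in a QTEST_LOG trace. The unused `data` and `len` parameters are fine, since the dispatch table in general_fuzz requires the common signature.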
@@ -652,6 +660,7 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) } op_clear_dma_patterns(s, NULL, 0); + pci_disabled = false; while (cmd && Size) { /* Get the length until the next command or end of input */

From patchwork Thu Oct 15 13:41:29 2020
X-Patchwork-Submitter: Alexander Bulekov
X-Patchwork-Id: 271230
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 09/16] fuzz: add a crossover function to generic-fuzzer
Date: Thu, 15 Oct 2020 09:41:29 -0400
Message-Id: <20201015134137.205958-10-alxndr@bu.edu>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
References: <20201015134137.205958-1-alxndr@bu.edu>
Cc: Laurent Vivier , Thomas Huth , Alexander Bulekov , f4bug@amsat.org, darren.kenny@oracle.com,
bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru

Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
 tests/qtest/fuzz/general_fuzz.c | 90 ++++++++++++++++++++++++++++++++-
 1 file changed, 89 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/fuzz/general_fuzz.c b/tests/qtest/fuzz/general_fuzz.c
index 11346e229a..22884512a3 100644
--- a/tests/qtest/fuzz/general_fuzz.c
+++ b/tests/qtest/fuzz/general_fuzz.c
@@ -804,6 +804,92 @@ static void general_pre_fuzz(QTestState *s) counter_shm_init(); } + +/* + * When libfuzzer gives us two inputs to combine, return a new input with the + * following structure: + * + * Input 1 (data1) + * SEPARATOR + * Clear out the DMA Patterns + * SEPARATOR + * Disable the pci_read/write instructions + * SEPARATOR + * Input 2 (data2) + * + * The idea is to collate the core behaviors of the two inputs. + * For example: + * Input 1: maps a device's BARs, sets up three DMA patterns, and triggers + * device functionality A + * Input 2: maps a device's BARs, sets up one DMA pattern, and triggers device + * functionality B + * + * This function attempts to produce an input that: + * Ouptut: maps a device's BARs, set up three DMA patterns, triggers + * functionality A device, replaces the DMA patterns with a single + * patten, and triggers device functionality B. + */ +static size_t general_fuzz_crossover(const uint8_t *data1, size_t size1, const + uint8_t *data2, size_t size2, uint8_t *out, + size_t max_out_size, unsigned int seed) +{ + size_t copy_len = 0, size = 0; + + /* Check that we have enough space for data1 and at least part of data2 */ + if (max_out_size <= size1 + strlen(SEPARATOR) * 3 + 2) { + return 0; + } + + /* Copy_Len in the first input */ + copy_len = size1; + memcpy(out + size, data1, copy_len); + size += copy_len; + max_out_size -= copy_len; + + /* Append a separator */ + copy_len = strlen(SEPARATOR); + memcpy(out + size, SEPARATOR, copy_len); + size += copy_len; + max_out_size -= copy_len; + + /* Clear out the DMA Patterns */ + copy_len = 1; + if (copy_len) { + out[size] = OP_CLEAR_DMA_PATTERNS; + } + size += copy_len; + max_out_size -= copy_len; + + /* Append a separator */ + copy_len = strlen(SEPARATOR); + memcpy(out + size, SEPARATOR, copy_len); + size += copy_len; + max_out_size -= copy_len; + + /* Disable PCI ops. 
Assume data1 took care of setting up PCI */ + copy_len = 1; + if (copy_len) { + out[size] = OP_DISABLE_PCI; + } + size += copy_len; + max_out_size -= copy_len; + + /* Append a separator */ + copy_len = strlen(SEPARATOR); + memcpy(out + size, SEPARATOR, copy_len); + size += copy_len; + max_out_size -= copy_len; + + /* Copy_Len over the second input */ + copy_len = MIN(size2, max_out_size); + memcpy(out + size, data2, copy_len); + size += copy_len; + max_out_size -= copy_len; + + return size; +} + + static GString *general_fuzz_cmdline(FuzzTarget *t) { GString *cmd_line = g_string_new(TARGET_NAME); 
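Review bot: in general_fuzz_crossover the two `copy_len = 1; if (copy_len) { out[size] = OP_...; }` blocks test a constant that is always true; write `out[size++] = OP_CLEAR_DMA_PATTERNS;` (and likewise for OP_DISABLE_PCI), adjust `max_out_size`, and drop the dead conditional. The comments "Copy_Len in the first input" and "Copy_Len over the second input" look like a search-and-replace of "Copy" gone wrong and should read "Copy in the first input" and "Copy over the second input"; the header comment also has "Ouptut" for "Output" and "patten" for "pattern". The length arithmetic itself is sound: `max_out_size <= size1 + strlen(SEPARATOR) * 3 + 2` rejects any buffer that cannot hold data1, three separators, the two one-byte ops and at least one byte of data2, and the final `MIN(size2, max_out_size)` bounds the data2 copy, so `out` cannot overflow. A truncated data2 may end in the middle of a command, which the ops' `len < sizeof(a)` checks already tolerate, and that is worth one sentence in a comment, as is the fact that `seed` is unused because the result is fully deterministic. Finally, the commit message has no description at all, so this comment block is the only documentation of the data1 / SEPARATOR / OP_CLEAR_DMA_PATTERNS / SEPARATOR / OP_DISABLE_PCI / SEPARATOR / data2 layout; a one-paragraph summary belongs in the commit message too.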
@@ -823,7 +909,9 @@ static void register_general_fuzz_targets(void) .description = "Fuzz based on any qemu command-line args. ", .get_init_cmdline = general_fuzz_cmdline, .pre_fuzz = general_pre_fuzz, - .fuzz = general_fuzz}); + .fuzz = general_fuzz, + .crossover = general_fuzz_crossover + }); } fuzz_target_init(register_general_fuzz_targets);

From patchwork Thu Oct 15 13:41:30 2020
X-Patchwork-Submitter: Alexander Bulekov
X-Patchwork-Id: 302822
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 10/16] scripts/oss-fuzz: Add script to reorder a general-fuzzer trace
Date: Thu, 15 Oct 2020 09:41:30 -0400
Message-Id: <20201015134137.205958-11-alxndr@bu.edu>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
References: <20201015134137.205958-1-alxndr@bu.edu>
Cc: Thomas Huth , Alexander Bulekov , f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com,
stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru

The general-fuzzer uses hooks to fulfill DMA requests just-in-time. This means that if we try to use QTEST_LOG=1 to build a reproducer, the DMA writes will be logged _after_ the in/out/read/write that triggered the DMA read. To work around this, the general-fuzzer annotates these just-in-time DMA fulfillments with a tag that we can use to discern them. This script simply iterates over a raw qtest trace (including log messages, errors, timestamps etc.), filters it and re-orders it so that DMA fulfillments are placed directly _before_ the qtest command that will cause the DMA access.

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
 .../oss-fuzz/reorder_fuzzer_qtest_trace.py | 103 ++++++++++++++++++
 1 file changed, 103 insertions(+)
 create mode 100755 scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py

diff --git a/scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py b/scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py
new file mode 100755
index 0000000000..be54de961d
--- /dev/null
+++ b/scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py
@@ -0,0 +1,103 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +""" +Use this to convert qtest log info from a generic fuzzer input into a qtest +trace that you can feed into a standard qemu-system process. Example usage: + +QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \ + ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-fuzz +# .. Finds some crash +QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \ +QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \ + ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-fuzz + /path/to/crash 2> qtest_log_output +scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py qtest_log_output > qtest_trace +./i386-softmmu/qemu-fuzz-i386 -machine q35,accel=qtest \ + -qtest stdin < qtest_trace + +### Details ### + +Some fuzzer make use of hooks that allow us to populate some memory range, just +before a DMA read from that range. This means that the fuzzer can produce +activity that looks like: + [start] read from mmio addr + [end] read from mmio addr + [start] write to pio addr + [start] fill a DMA buffer just in time + [end] fill a DMA buffer just in time + [start] fill a DMA buffer just in time + [end] fill a DMA buffer just in time + [end] write to pio addr + [start] read from mmio addr + [end] read from mmio addr + +We annotate these "nested" DMA writes, so with QTEST_LOG=1 the QTest trace +might look something like: +[R +0.028431] readw 0x10000 +[R +0.028434] outl 0xc000 0xbeef # Triggers a DMA read from 0xbeef and 0xbf00 +[DMA][R +0.034639] write 0xbeef 0x2 0xAAAA +[DMA][R +0.034639] write 0xbf00 0x2 0xBBBB +[R +0.028431] readw 0xfc000 + +This script would reorder the above trace so it becomes: +readw 0x10000 +write 0xbeef 0x2 0xAAAA +write 0xbf00 0x2 0xBBBB +outl 0xc000 0xbeef +readw 0xfc000 + +I.e. by the time, 0xc000 tries to read from DMA, those DMA buffers have already +been set up, removing the need for the DMA hooks. 
We can simply provide this +reordered trace via -qtest stdio to reproduce the input + +Note: this won't work for traces where the device tries to read from the same +DMA region twice in between MMIO/PIO commands. E.g: + [R +0.028434] outl 0xc000 0xbeef + [DMA][R +0.034639] write 0xbeef 0x2 0xAAAA + [DMA][R +0.034639] write 0xbeef 0x2 0xBBBB + +The fuzzer will annotate suspected double-fetches with [DOUBLE-FETCH]. This +script looks for these tags and warns the users that the resulting trace might +not reproduce the bug. +""" + +import sys + +__author__ = "Alexander Bulekov " +__copyright__ = "Copyright (C) 2020, Red Hat, Inc." +__license__ = "GPL version 2 or (at your option) any later version" + +__maintainer__ = "Alexander Bulekov" +__email__ = "alxndr@bu.edu" + + +def usage(): + sys.exit("Usage: {} /path/to/qtest_log_output".format((sys.argv[0]))) + + +def main(filename): + with open(filename, "r") as f: + trace = f.readlines() + + # Leave only lines that look like logged qtest commands + trace[:] = [x.strip() for x in trace if "[R +" in x + or "[S +" in x and "CLOSED" not in x] + + for i in range(len(trace)): + if i+1 < len(trace): + if "[DMA]" in trace[i+1]: + if "[DOUBLE-FETCH]" in trace[i+1]: + sys.stderr.write("Warning: Likely double fetch on line {}.\n" + "There will likely be problems reproducing " + "behavior with the " + "resulting qtest trace\n\n".format(i+1)) + trace[i], trace[i+1] = trace[i+1], trace[i] + for line in trace: + print(line.split("]")[-1].strip()) + + +if __name__ == '__main__': + if len(sys.argv) == 1: + usage() + main(sys.argv[1]) From patchwork Thu Oct 15 13:41:31 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Bulekov X-Patchwork-Id: 271227 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, 
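Review bot: in the filter `"[R +" in x or "[S +" in x and "CLOSED" not in x`, `and` binds tighter than `or`, so the `"CLOSED" not in x` exclusion only applies to the `[S +` lines; if every kept line is meant to exclude CLOSED, write `("[R +" in x or "[S +" in x) and "CLOSED" not in x`. The DOUBLE-FETCH warning reports `i+1`, which is an index into the already-filtered list rather than the line number in qtest_log_output; either track the original line number or word the message as "command N". The usage check `len(sys.argv) == 1` lets extra arguments through silently; `!= 2` is tighter.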
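Added example (not the script from this patch, and not QEMU code): the reordering the commit message describes, written as a pure function so it can be checked on constructed log text without running QEMU. It drops response lines instead of keeping them, handles a run of any number of [DMA] fills after one command, and reports [DOUBLE-FETCH] fills by their position among the request lines; SAMPLE_LOG and DOUBLE_FETCH_LOG are constructed to match the format shown in the patch description.

```python
"""Reorder just-in-time DMA fulfilments in a QTEST_LOG=1 capture.

Added example, not the reorder_fuzzer_qtest_trace.py from the patch: the
same idea as a pure function over log text, so the output can be checked
without a QEMU process. Unlike the patch's script it keeps only "[R +"
request lines (responses and OPENED/CLOSED events are dropped) and handles
a run of any number of [DMA] lines after one command. Log lines and tags
below are constructed to match the format shown in the commit message.
"""
import re
import sys

# Constructed capture: the [DMA] fills are logged after the outl that
# consumed them, so fed back verbatim the device would read empty buffers.
SAMPLE_LOG = """\
[I +0.000000] OPENED
[R +0.028431] readw 0x10000
[S +0.028432] OK 0x0000
[R +0.028434] outl 0xc000 0xbeef
[DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
[DMA][R +0.034639] write 0xbf00 0x2 0xBBBB
[S +0.034640] OK
[R +0.028431] readw 0xfc000
[S +0.028432] OK 0x0000
[I +0.040000] CLOSED
"""

# Constructed double fetch: the same DMA address filled twice between two
# commands; the fuzzer tags the second fill [DOUBLE-FETCH].
DOUBLE_FETCH_LOG = """\
[R +0.028434] outl 0xc000 0xbeef
[DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
[DMA][DOUBLE-FETCH][R +0.034639] write 0xbeef 0x2 0xBBBB
[R +0.028431] readw 0xfc000
"""

# Leading tags such as [DMA] or [DOUBLE-FETCH], then the "[R +<secs>] " stamp.
_PREFIX = re.compile(r"^(\[[A-Z-]+\])*\[R \+[0-9.]+\] ")


def strip_tags(line):
    """Return the bare qtest command from one logged request line."""
    return _PREFIX.sub("", line.strip(), count=1).strip()


def reorder(log_text):
    """Return (commands, double_fetches).

    commands: the qtest commands with every run of [DMA] fills moved in
    front of the most recent non-DMA command, keeping the fills' own order.
    double_fetches: 1-based positions (among request lines) of fills tagged
    [DOUBLE-FETCH]; one pre-filled buffer cannot reproduce two reads of
    different data, so such a trace may not reproduce the bug.
    """
    requests = [l for l in log_text.splitlines() if "[R +" in l]
    commands, double_fetches = [], []
    last_cmd = None  # index in `commands` of the latest non-DMA command
    for n, line in enumerate(requests, start=1):
        cmd = strip_tags(line)
        if "[DMA]" not in line:
            commands.append(cmd)
            last_cmd = len(commands) - 1
            continue
        if "[DOUBLE-FETCH]" in line:
            double_fetches.append(n)
        if last_cmd is None:
            commands.append(cmd)  # no triggering command seen yet
        else:
            commands.insert(last_cmd, cmd)
            last_cmd += 1  # the triggering command shifted right by one
    return commands, double_fetches


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    cmds, dfs = reorder(text)
    for n in dfs:
        sys.stderr.write("Warning: likely double fetch at request %d\n" % n)
    print("\n".join(cmds))
```

On SAMPLE_LOG this yields exactly the reordered trace the commit message shows; on DOUBLE_FETCH_LOG it still emits both fills in order but flags request 3, which is the case the script warns cannot be reproduced by pre-filling.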
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 11/16] scripts/oss-fuzz: Add crash trace minimization script
Date: Thu, 15 Oct 2020 09:41:31 -0400
Message-Id: <20201015134137.205958-12-alxndr@bu.edu>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
References: <20201015134137.205958-1-alxndr@bu.edu>
Cc: Thomas Huth, Alexander Bulekov, f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru

Once we find a crash, we can convert it into a QTest trace. Usually this trace will contain many operations that are unneeded to reproduce the crash. This script tries to minimize the crashing trace, by removing operations and trimming QTest bufwrite(write addr len data...) commands.

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 157 +++++++++++++++++++++++
 1 file changed, 157 insertions(+)
 create mode 100755 scripts/oss-fuzz/minimize_qtest_trace.py

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py
new file mode 100755
index 0000000000..5e405a0d5f
--- /dev/null
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -0,0 +1,157 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +""" +This takes a crashing qtest trace and tries to remove superflous operations +""" + +import sys +import os +import subprocess +import time +import struct + +QEMU_ARGS = None +QEMU_PATH = None +TIMEOUT = 5 +CRASH_TOKEN = None + +write_suffix_lookup = {"b": (1, "B"), + "w": (2, "H"), + "l": (4, "L"), + "q": (8, "Q")} + +def usage(): + sys.exit("""\ +Usage: QEMU_PATH="/path/to/qemu" QEMU_ARGS="args" {} input_trace output_trace +By default, will try to use the second-to-last line in the output to identify +whether the crash occred. Optionally, manually set a string that idenitifes the +crash by setting CRASH_TOKEN= +""".format((sys.argv[0]))) + +def check_if_trace_crashes(trace, path): + global CRASH_TOKEN + with open(path, "w") as tracefile: + tracefile.write("".join(trace)) + + rc = subprocess.Popen("timeout -s 9 {timeout}s {qemu_path} {qemu_args} 2>&1\ + < {trace_path}".format(timeout=TIMEOUT, + qemu_path=QEMU_PATH, + qemu_args=QEMU_ARGS, + trace_path=path), + shell=True, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE) + stdo = rc.communicate()[0] + output = stdo.decode('unicode_escape') + if rc.returncode == 137: # Timed Out + return False + if len(output.splitlines()) < 2: + return False + + if CRASH_TOKEN is None: + CRASH_TOKEN = output.splitlines()[-2] + + return CRASH_TOKEN in output + + +def minimize_trace(inpath, outpath): + global TIMEOUT + with open(inpath) as f: + trace = f.readlines() + start = time.time() + if not check_if_trace_crashes(trace, outpath): + sys.exit("The input qtest trace didn't cause a crash...") + end = time.time() + print("Crashed in {} seconds".format(end-start)) + TIMEOUT = (end-start)*5 + print("Setting the timeout for {} seconds".format(TIMEOUT)) + print("Identifying Crashes by this string: {}".format(CRASH_TOKEN)) + + i = 0 + newtrace = trace[:] + # For each line + while i < len(newtrace): + # 1.) Try to remove it completely and reproduce the crash. 
If it works, + # we're done. + prior = newtrace[i] + print("Trying to remove {}".format(newtrace[i])) + # Try to remove the line completely + newtrace[i] = "" + if check_if_trace_crashes(newtrace, outpath): + i += 1 + continue + newtrace[i] = prior + + # 2.) Try to replace write{bwlq} commands with a write addr, len + # command. Since this can require swapping endianness, try both LE and + # BE options. We do this, so we can "trim" the writes in (3) + if (newtrace[i].startswith("write") and not + newtrace[i].startswith("write ")): + suffix = newtrace[i].split()[0][-1] + assert(suffix in write_suffix_lookup) + addr = int(newtrace[i].split()[1], 16) + value = int(newtrace[i].split()[2], 16) + for endianness in ['<', '>']: + data = struct.pack("{end}{size}".format(end=endianness, + size=write_suffix_lookup[suffix][1]), + value) + newtrace[i] = "write {addr} {size} 0x{data}\n".format( + addr=hex(addr), + size=hex(write_suffix_lookup[suffix][0]), + data=data.hex()) + if(check_if_trace_crashes(newtrace, outpath)): + break + else: + newtrace[i] = prior + + # 3.) If it is a qtest write command: write addr len data, try to split + # it into two separate write commands. If splitting the write down the + # middle does not work, try to move the pivot "left" and retry, until + # there is no space left. The idea is to prune unneccessary bytes from + # long writes, while accommodating arbitrary MemoryRegion access sizes + # and alignments. 
+ if newtrace[i].startswith("write "): + addr = int(newtrace[i].split()[1], 16) + length = int(newtrace[i].split()[2], 16) + data = newtrace[i].split()[3][2:] + if length > 1: + leftlength = int(length/2) + rightlength = length - leftlength + newtrace.insert(i+1, "") + while leftlength > 0: + newtrace[i] = "write {addr} {size} 0x{data}\n".format( + addr=hex(addr), + size=hex(leftlength), + data=data[:leftlength*2]) + newtrace[i+1] = "write {addr} {size} 0x{data}\n".format( + addr=hex(addr+leftlength), + size=hex(rightlength), + data=data[leftlength*2:]) + if check_if_trace_crashes(newtrace, outpath): + break + else: + leftlength -= 1 + rightlength += 1 + if check_if_trace_crashes(newtrace, outpath): + i -= 1 + else: + newtrace[i] = prior + del newtrace[i+1] + i += 1 + check_if_trace_crashes(newtrace, outpath) + + +if __name__ == '__main__': + if len(sys.argv) < 3: + usage() + + QEMU_PATH = os.getenv("QEMU_PATH") + QEMU_ARGS = os.getenv("QEMU_ARGS") + if QEMU_PATH is None or QEMU_ARGS is None: + usage() + # if "accel" not in QEMU_ARGS: + # QEMU_ARGS += " -accel qtest" + CRASH_TOKEN = os.getenv("CRASH_TOKEN") + QEMU_ARGS += " -qtest stdio -monitor none -serial none " + minimize_trace(sys.argv[1], sys.argv[2]) From patchwork Thu Oct 15 13:41:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Bulekov X-Patchwork-Id: 271224 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, HK_RANDOM_FROM, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A30E5C433E7 for ; Thu, 15 
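Review bot: in step 3 the boolean from the last check_if_trace_crashes() inside the `while leftlength > 0` loop is discarded and the trace is run through QEMU once more after the loop; remember the loop's result (a flag set before `break`) and branch on it, which saves one QEMU launch per write line. In check_if_trace_crashes(), QEMU_PATH and QEMU_ARGS are interpolated into a shell string under shell=True, so a path containing spaces or quotes breaks the command; an argv list (shlex.split on QEMU_ARGS) with subprocess.run(..., timeout=TIMEOUT) avoids that and also drops the dependency on `timeout -s 9` and exit code 137. `stdo.decode('unicode_escape')` raises UnicodeDecodeError on a stray trailing backslash in sanitizer output; `decode('utf-8', errors='replace')` is safer. The commented-out `-accel qtest` block should be either dropped or implemented. Typos in the strings: superflous, occred, idenitifes, unneccessary.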
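Added example (not minimize_qtest_trace.py, and not QEMU code): the same three minimization moves with the crash check factored out into an oracle function, so the search can be run and checked here against a constructed device model instead of a QEMU process. DeviceModel, SAMPLE_TRACE and the crash condition (byte 0x42 at guest address 0x1003 followed by an outl to port 0xc000) are all constructed for the example.

```python
"""Delta-minimize a crashing qtest trace against a pluggable crash oracle.

Added example, not the patch's minimize_qtest_trace.py. It keeps the patch's
three moves (drop a line; rewrite "write{b,w,l,q} addr value" as a plain
"write addr len data", trying both byte orders; split a write at a pivot that
moves left until the crash survives) but takes the "does this still crash?"
decision as a function, so it runs here against the constructed DeviceModel
oracle instead of a QEMU process.
"""
import struct

WRITE_SUFFIX = {"b": (1, "B"), "w": (2, "H"), "l": (4, "L"), "q": (8, "Q")}


def _write(addr, size, data_hex):
    return "write {} {} 0x{}".format(hex(addr), hex(size), data_hex)


def minimize(trace, crashes):
    """Return the lines of `trace` still needed for crashes(trace) to hold."""
    trace = list(trace)                     # removed lines are blanked, not deleted
    if not crashes(trace):
        raise ValueError("input trace does not crash")
    i = 0
    while i < len(trace):
        prior = trace[i]
        trace[i] = ""                       # 1. drop the line outright
        if crashes(trace):
            i += 1
            continue
        trace[i] = prior
        parts = prior.split()
        if parts[0].startswith("write") and parts[0] != "write":
            # 2. write{b,w,l,q} -> write addr len data, LE then BE
            size, fmt = WRITE_SUFFIX[parts[0][-1]]
            addr, value = int(parts[1], 16), int(parts[2], 16)
            for end in ("<", ">"):
                trace[i] = _write(addr, size, struct.pack(end + fmt, value).hex())
                if crashes(trace):
                    break
            else:
                trace[i] = prior            # neither byte order reproduces it
            parts = trace[i].split()
        if parts[0] == "write":
            # 3. split the write; move the pivot left until the crash survives,
            #    then re-examine the left half at the same index
            addr, length, data = int(parts[1], 16), int(parts[2], 16), parts[3][2:]
            if length > 1:
                trace.insert(i + 1, "")
                split_ok = False
                for left in range(length // 2, 0, -1):
                    trace[i] = _write(addr, left, data[:left * 2])
                    trace[i + 1] = _write(addr + left, length - left, data[left * 2:])
                    if crashes(trace):
                        split_ok = True
                        break
                if split_ok:
                    continue
                trace[i] = prior
                del trace[i + 1]
        i += 1
    return [line for line in trace if line]


class DeviceModel:
    """Constructed oracle standing in for QEMU: 'crashes' when outl to port
    0xc000 runs while guest byte 0x1003 holds 0x42 (stores applied LE)."""
    def __init__(self):
        self.runs = 0                       # QEMU launches the real script would make

    def __call__(self, trace):
        self.runs += 1
        mem = {}
        for line in trace:
            parts = line.split()
            if not parts:
                continue
            if parts[0] == "write":
                data = bytes.fromhex(parts[3][2:])
            elif parts[0][:-1] == "write" and parts[0][-1] in WRITE_SUFFIX:
                data = struct.pack("<" + WRITE_SUFFIX[parts[0][-1]][1], int(parts[2], 16))
            elif parts[0] == "outl" and parts[1] == "0xc000":
                if mem.get(0x1003) == 0x42:
                    return True
                continue
            else:
                continue
            for off, byte in enumerate(data):
                mem[int(parts[1], 16) + off] = byte
        return False


# Constructed crashing trace: only the 0x42 landing at 0x1003 and the final
# outl matter; everything else should be minimized away.
SAMPLE_TRACE = ["outl 0xc004 0x1", "write 0x2000 0x4 0xdeadbeef",
                "writel 0x1000 0x42332211", "readw 0x10000", "outl 0xc000 0xbeef"]

if __name__ == "__main__":
    oracle = DeviceModel()
    print("\n".join(minimize(SAMPLE_TRACE, oracle)), "(%d runs)" % oracle.runs)
```

Run against SAMPLE_TRACE the search keeps only `write 0x1003 0x1 0x42` and `outl 0xc000 0xbeef`, and needs 13 oracle calls to get there. With a real QEMU each call is one process launch, which is why carrying the result of the split loop forward instead of re-running the check is worth doing in the patch's script.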
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 12/16] fuzz: Add instructions for using general-fuzz
Date: Thu, 15 Oct 2020 09:41:32 -0400
Message-Id: <20201015134137.205958-13-alxndr@bu.edu>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
References: <20201015134137.205958-1-alxndr@bu.edu>
Cc: Thomas Huth, Alexander Bulekov, f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru

Reviewed-by: Darren Kenny
Signed-off-by: Alexander Bulekov
---
 docs/devel/fuzzing.txt | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt
index 96d71c94d7..c40278fe0a 100644
--- a/docs/devel/fuzzing.txt
+++ b/docs/devel/fuzzing.txt
@@ -125,6 +125,45 @@ provided by libfuzzer. Libfuzzer passes a byte array and length. Commonly the fuzzer loops over the byte-array interpreting it as a list of qtest commands, addresses, or values. +== The General Fuzzer == +Writing a fuzz target can be a lot of effort (especially if a device driver has +not be built-out within libqos). Many devices can be fuzzed to some degree, +without any device-specific code, using the general-fuzz target. + +The general-fuzz target is capable of fuzzing devices over their PIO, MMIO, +and DMA input-spaces. To apply the general-fuzz to a device, we need to define +two env-variables, at minimum: + +QEMU_FUZZ_ARGS= is the set of QEMU arguments used to configure a machine, with +the device attached. For example, if we want to fuzz the virtio-net device +attached to a pc-i440fx machine, we can specify: +QEMU_FUZZ_ARGS="-M pc -nodefaults -netdev user,id=user0 \ + -device virtio-net,netdev=user0" + +QEMU_FUZZ_OBJECTS= is a set of space-delimited strings used to identify the +MemoryRegions that will be fuzzed. These strings are compared against +MemoryRegion names and MemoryRegion owner names, to decide whether each +MemoryRegion should be fuzzed. These strings support globbing. For the +virtio-net example, we could use QEMU_FUZZ_OBJECTS= + * 'virtio-net' + * 'virtio*' + * 'virtio* pcspk' (Fuzz the virtio devices and the PC speaker...) + * '*' (Fuzz the whole machine) + +The "info mtree" and "info qom-tree" monitor commands can be especially useful +for identifying the MemoryRegion and Object names used for matching. + +As a general rule-of-thumb, the more MemoryRegions/Devices we match, the greater +the input-space, and the smaller the probability of finding crashing inputs for +individual devices. As such, it is usually a good idea to limit the fuzzer to +only a few MemoryRegions. 
+ +To ensure that these env variables have been configured correctly, we can use: + +./qemu-fuzz-i386 --fuzz-target=general-fuzz -runs=0 + +The output should contain a complete list of matched MemoryRegions. + = Implementation Details = == The Fuzzer's Lifecycle == From patchwork Thu Oct 15 13:41:33 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Bulekov X-Patchwork-Id: 271226 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, HK_RANDOM_FROM, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3AAE5C433E7 for ; Thu, 15 Oct 2020 13:53:11 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id A1C702222B for ; Thu, 15 Oct 2020 13:53:10 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=bushare.onmicrosoft.com header.i=@bushare.onmicrosoft.com header.b="J9ylmOmJ" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A1C702222B Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=bu.edu Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:49952 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kT3gr-0003sK-ML for qemu-devel@archiver.kernel.org; Thu, 15 Oct 2020 09:53:09 -0400 Received: from 
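Review bot: grammar in the first paragraph of the == The General Fuzzer == section: "especially if a device driver has not be built-out within libqos" should read "has not been built out within libqos". The verification command `./qemu-fuzz-i386 --fuzz-target=general-fuzz -runs=0` near the end of the hunk relies on QEMU_FUZZ_ARGS and QEMU_FUZZ_OBJECTS already being exported; showing both variables inline on that command, the way the `QEMU_FUZZ_ARGS="-M pc ..."` example earlier in the hunk does, makes the check copy-pasteable and avoids a run with the variables unset.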
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 13/16] fuzz: add an "opaque" to the FuzzTarget struct
Date: Thu, 15 Oct 2020 09:41:33 -0400
Message-Id: <20201015134137.205958-14-alxndr@bu.edu>
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
Cc: Laurent Vivier, Thomas Huth, Alexander Bulekov, f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com,
stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru

It can be useful to register FuzzTargets that have nearly-identical
initialization handlers (e.g. for using the same fuzzing code, with
different configuration options). Add an opaque pointer to the FuzzTarget
struct, so that FuzzTargets can hold some data, useful for storing
target-specific configuration options, that can be read by the
get_init_cmdline function.

Signed-off-by: Alexander Bulekov
---
 tests/qtest/fuzz/fuzz.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/qtest/fuzz/fuzz.h b/tests/qtest/fuzz/fuzz.h
index ed9ce17154..08e9560a79 100644
--- a/tests/qtest/fuzz/fuzz.h
+++ b/tests/qtest/fuzz/fuzz.h
@@ -100,6 +100,7 @@ typedef struct FuzzTarget { uint8_t *out, size_t max_out_size, unsigned int seed); + void *opaque; } FuzzTarget; void flush_events(QTestState *);

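Review bot: the new `void *opaque;` member of FuzzTarget is the only field in this struct without a comment, and the commit message gives it a specific contract (read by get_init_cmdline). Since targets are registered from compound literals (`fuzz_add_target(&(FuzzTarget){ ... })`), only the pointer survives registration, so the comment should also say that whatever opaque points to must stay valid for the lifetime of the target and that FuzzTarget neither owns nor frees it, e.g. `/* Target-specific data, not owned by FuzzTarget; read by get_init_cmdline */`.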
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 14/16] fuzz: add general-fuzz configs for oss-fuzz
Date: Thu, 15 Oct 2020 09:41:34 -0400
Message-Id: <20201015134137.205958-15-alxndr@bu.edu>
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
Cc: Laurent Vivier, Thomas Huth, Alexander Bulekov, f4bug@amsat.org, darren.kenny@oracle.com,
bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru

Predefine some general-fuzz configs. For each of these, we will create a
separate FuzzTarget that can be selected through argv0 and, therefore,
fuzzed on oss-fuzz.

Signed-off-by: Alexander Bulekov
---
Maybe this isn't the best way to specify a list of string-triples. I saw
that some files use QLIT_QDICT for purposes that seem similar, however I
don't think that plays well with multi-line strings. Does anyone have a
better suggestion?

 tests/qtest/fuzz/general_fuzz_configs.c | 140 ++++++++++++++++++++++++
 tests/qtest/fuzz/general_fuzz_configs.h |  24 ++++
 tests/qtest/fuzz/meson.build            |   2 +-
 3 files changed, 165 insertions(+), 1 deletion(-)
 create mode 100644 tests/qtest/fuzz/general_fuzz_configs.c
 create mode 100644 tests/qtest/fuzz/general_fuzz_configs.h

diff --git a/tests/qtest/fuzz/general_fuzz_configs.c b/tests/qtest/fuzz/general_fuzz_configs.c
new file mode 100644
index 0000000000..5364976517
--- /dev/null
+++ b/tests/qtest/fuzz/general_fuzz_configs.c
@@ -0,0 +1,140 @@ +/* + * General Virtual-Device Fuzzing Target Configs + * + * Copyright Red Hat Inc., 2020 + * + * Authors: + * Alexander Bulekov + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include "general_fuzz_configs.h" + +/* + * Specify pre-defined general-fuzz configs here. + */ +GArray *get_general_fuzz_configs(void){ + + struct general_fuzz_config config; + GArray *configs = g_array_new(false, false, sizeof(general_fuzz_config)); + + config.name = "virtio-net-pci-slirp"; + config.args = "-M q35 -nodefaults " + "-device virtio-net,netdev=net0 -netdev user,id=net0"; + config.objects = "virtio*"; + g_array_append_val(configs, config); + + config.name = "virtio-blk"; + config.args = "-machine q35 -device virtio-blk,drive=disk0 " + "-drive file=null-co://,id=disk0,if=none,format=raw"; + config.objects = "virtio*"; + g_array_append_val(configs, config); + + config.name = "virtio-scsi"; + config.args = "-machine q35 -device virtio-scsi,num_queues=8 " + "-device scsi-hd,drive=disk0 " + "-drive file=null-co://,id=disk0,if=none,format=raw"; + config.objects = "scsi* virtio*"; + g_array_append_val(configs, config); + + config.name = "virtio-gpu"; + config.args = "-machine q35 -nodefaults -device virtio-gpu"; + config.objects = "virtio*"; + g_array_append_val(configs, config); + + config.name = "virtio-vga"; + config.args = "-machine q35 -nodefaults -device virtio-vga"; + config.objects = "virtio*"; + g_array_append_val(configs, config); + + config.name = "virtio-rng"; + config.args = "-machine q35 -nodefaults -device virtio-rng"; + config.objects = "virtio*"; + g_array_append_val(configs, config); + + config.name = "virtio-balloon"; + config.args = "-machine q35 -nodefaults -device virtio-balloon"; + config.objects = "virtio*"; + g_array_append_val(configs, config); + + config.name = "virtio-serial"; + config.args = "-machine q35 -nodefaults 
-device virtio-serial"; + config.objects = "virtio*"; + g_array_append_val(configs, config); + + config.name = "virtio-mouse"; + config.args = "-machine q35 -nodefaults -device virtio-mouse"; + config.objects = "virtio*"; + g_array_append_val(configs, config); + + config.name = "e1000"; + config.args = "-M q35 -nodefaults " + "-device e1000,netdev=net0 -netdev user,id=net0"; + config.objects = "e1000"; + g_array_append_val(configs, config); + + config.name = "e1000e"; + config.args = "-M q35 -nodefaults " + "-device e1000e,netdev=net0 -netdev user,id=net0"; + config.objects = "e1000e"; + g_array_append_val(configs, config); + + config.name = "cirrus-vga"; + config.args = "-machine q35 -nodefaults -device cirrus-vga"; + config.objects = "cirrus*"; + g_array_append_val(configs, config); + + config.name = "bochs-display"; + config.args = "-machine q35 -nodefaults -device bochs-display"; + config.objects = "bochs*"; + g_array_append_val(configs, config); + + config.name = "intel-hda"; + config.args = "-machine q35 -nodefaults -device intel-hda,id=hda0 " + "-device hda-output,bus=hda0.0 -device hda-micro,bus=hda0.0 " + "-device hda-duplex,bus=hda0.0"; + config.objects = "intel-hda"; + g_array_append_val(configs, config); + + config.name = "ide-hd"; + config.args = "-machine q35 -nodefaults " + "-drive file=null-co://,if=none,format=raw,id=disk0 " + "-device ide-hd,drive=disk0"; + config.objects = "ahci*"; + g_array_append_val(configs, config); + + config.name = "floppy"; + config.args = "-machine pc -nodefaults -device floppy,id=floppy0 " + "-drive id=disk0,file=null-co://,file.read-zeroes=on,if=none " + "-device floppy,drive=disk0,drive-type=288"; + config.objects = "fd* floppy*"; + g_array_append_val(configs, config); + + config.name = "xhci"; + config.args = "-machine q35 -nodefaults" + "-drive file=null-co://,if=none,format=raw,id=disk0 " + "-device qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0 " + "-device usb-bot -device usb-storage,drive=disk0 " + "-chardev 
null,id=cd0 -chardev null,id=cd1 " + "-device usb-braille,chardev=cd0 -device usb-ccid -device usb-ccid " + "-device usb-kbd -device usb-mouse -device usb-serial,chardev=cd1 " + "-device usb-tablet -device usb-wacom-tablet -device usb-audio"; + config.objects = "*usb* *uhci* *xhci*"; + g_array_append_val(configs, config); + + config.name = "pc-i440fx"; + config.args = "-machine pc"; + config.objects = "*"; + g_array_append_val(configs, config); + + config.name = "pc-q35"; + config.args = "-machine q35"; + config.objects = "*"; + g_array_append_val(configs, config); + + return configs; +} diff --git a/tests/qtest/fuzz/general_fuzz_configs.h b/tests/qtest/fuzz/general_fuzz_configs.h new file mode 100644 index 0000000000..afea8dee92 --- /dev/null +++ b/tests/qtest/fuzz/general_fuzz_configs.h @@ -0,0 +1,24 @@ +/* + * General Virtual-Device Fuzzing Target Configs + * + * Copyright Red Hat Inc., 2020 + * + * Authors: + * Alexander Bulekov + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#ifndef GENERAL_FUZZ_CONFIGS_H +#define GENERAL_FUZZ_CONFIGS_H + +#include "qemu/osdep.h" + +typedef struct general_fuzz_config { + const char *name, *args, *objects; +} general_fuzz_config; + +GArray *get_general_fuzz_configs(void); + +#endif diff --git a/tests/qtest/fuzz/meson.build b/tests/qtest/fuzz/meson.build index a59de6aa8c..42f97555bf 100644 --- a/tests/qtest/fuzz/meson.build +++ b/tests/qtest/fuzz/meson.build 
@@ -5,7 +5,7 @@ specific_fuzz_ss.add(files('fuzz.c', 'fork_fuzz.c', 'qos_fuzz.c', specific_fuzz_ss.add(when: 'CONFIG_I440FX', if_true: files('i440fx_fuzz.c')) specific_fuzz_ss.add(when: 'CONFIG_VIRTIO_NET', if_true: files('virtio_net_fuzz.c')) specific_fuzz_ss.add(when: 'CONFIG_VIRTIO_SCSI', if_true: files('virtio_scsi_fuzz.c')) -specific_fuzz_ss.add(files('general_fuzz.c')) +specific_fuzz_ss.add(files('general_fuzz.c', 'general_fuzz_configs.c')) fork_fuzz = declare_dependency( link_args: config_host['FUZZ_EXE_LDFLAGS'].split() +

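Review bot: the "xhci" entry in get_general_fuzz_configs() is missing a separator between its first two string literals: `config.args = "-machine q35 -nodefaults"` is immediately followed by `"-drive file=null-co://,if=none,format=raw,id=disk0 "`, so the concatenated command line reads `-nodefaults-drive file=...`, which QEMU will reject as an unknown option and the target will never start; every other entry ends the literal with a trailing space, so add one here too. On the question raised under `---`: these triples would be simpler as a `static const general_fuzz_config configs[]` initializer with ARRAY_SIZE(); adjacent multi-line string literals concatenate just as well inside an initializer as in the g_array_append_val() sequence, there is nothing to allocate, and callers can index the table directly.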
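Review bot: general_fuzz_configs.h includes "qemu/osdep.h", but QEMU's include rule is that osdep.h is the first include of every .c file and is never included from a header; drop it here (general_fuzz_configs.c already includes it, and GArray arrives through osdep.h's glib-compat.h). Two smaller style points in the same hunk: QEMU typedefs are normally CamelCase (GeneralFuzzConfig rather than general_fuzz_config), and the .c file mixes `struct general_fuzz_config config;` with `sizeof(general_fuzz_config)`, so pick one spelling.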
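Review bot: general_fuzz_configs.c is added unconditionally, while the lines just above gate virtio_net_fuzz.c and virtio_scsi_fuzz.c on CONFIG_VIRTIO_NET / CONFIG_VIRTIO_SCSI. The predefined configs name devices that are individually configurable (virtio-net, e1000e, qemu-xhci, intel-hda, floppy, cirrus-vga, ...), so a build with one of them disabled will still register that target and then fail at QEMU start-up when it is selected, which is a confusing failure on oss-fuzz. Either gate the entries on the matching CONFIG_* symbols, or state in the commit message that oss-fuzz builds are expected to enable all of them.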
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 15/16] fuzz: register predefined general-fuzz configs
Date: Thu, 15 Oct 2020 09:41:35 -0400
Message-Id: <20201015134137.205958-16-alxndr@bu.edu>
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
Cc: Laurent Vivier, Thomas Huth, Alexander Bulekov, f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com,
stefanha@redhat.com, pbonzini@redhat.com, dimastep@yandex-team.ru

We call get_general_fuzz_configs, which fills an array with predefined
{name, args, objects} triples. For each of these, we add a new FuzzTarget,
that uses a small wrapper to set QEMU_FUZZ_{ARGS,OBJECTS} to the
corresponding predefined values.

Signed-off-by: Alexander Bulekov
---
 tests/qtest/fuzz/general_fuzz.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/tests/qtest/fuzz/general_fuzz.c b/tests/qtest/fuzz/general_fuzz.c
index 22884512a3..04c4550694 100644
--- a/tests/qtest/fuzz/general_fuzz.c
+++ b/tests/qtest/fuzz/general_fuzz.c
@@ -26,6 +26,7 @@ #include "hw/qdev-core.h" #include "hw/pci/pci.h" #include "hw/boards.h" +#include "general_fuzz_configs.h" /* * SEPARATOR is used to separate "operations" in the fuzz input @@ -902,6 +903,17 @@ static GString *general_fuzz_cmdline(FuzzTarget *t) return cmd_line; } +static GString *general_fuzz_predefined_config_cmdline(FuzzTarget *t) +{ + general_fuzz_config *config; + g_assert(t->opaque); + + config = t->opaque; + setenv("QEMU_FUZZ_ARGS", config->args, 1); + setenv("QEMU_FUZZ_OBJECTS", config->objects, 1); + return general_fuzz_cmdline(t); +} + static void register_general_fuzz_targets(void) { fuzz_add_target(&(FuzzTarget){
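Review bot: general_fuzz_predefined_config_cmdline() calls setenv() with overwrite=1, so selecting a predefined target silently discards any QEMU_FUZZ_ARGS / QEMU_FUZZ_OBJECTS the user exported, even though the documentation in this series tells users to set exactly those variables. Either say in the comment and in the docs that the predefined targets ignore the environment, or pass overwrite=0 so a user-supplied value wins and document that instead. The env round-trip itself deserves a one-line comment too, so that a reader does not try to "fix" it: it keeps general_fuzz_cmdline() as the single place that parses the configuration.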
@@ -912,6 +924,25 @@ static void register_general_fuzz_targets(void) .fuzz = general_fuzz, .crossover = general_fuzz_crossover }); + + GString *name; + general_fuzz_config *config; + GArray *predefined_configs = get_general_fuzz_configs(); + + for (int i = 0; i < predefined_configs->len; i++) { + config = &g_array_index(predefined_configs, general_fuzz_config, i); + name = g_string_new("general-fuzz"); + g_string_append_printf(name, "-%s", config->name); + fuzz_add_target(&(FuzzTarget){ + .name = name->str, + .description = "Predefined general-fuzz config.", + .get_init_cmdline = general_fuzz_predefined_config_cmdline, + .pre_fuzz = general_pre_fuzz, + .fuzz = general_fuzz, + .crossover = general_fuzz_crossover, + .opaque = config + }); + } } fuzz_target_init(register_general_fuzz_targets);

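Review bot: `.opaque = config` stores a pointer into the GArray returned by get_general_fuzz_configs() (`config = &g_array_index(predefined_configs, general_fuzz_config, i)`), so `predefined_configs` must never be freed or resized after this loop or every predefined target dangles; add a comment saying the array is intentionally kept alive for the lifetime of the process, since nothing in the hunk makes that obvious to a later cleanup. In the same loop, `name = g_string_new("general-fuzz"); g_string_append_printf(name, "-%s", config->name);` leaks a GString wrapper per target while only `name->str` is kept; `g_strdup_printf("general-fuzz-%s", config->name)` yields the same process-lifetime string without the wrapper. Minor: `int i` is compared against the unsigned `predefined_configs->len`; use `guint i`.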
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v4 16/16] scripts/oss-fuzz: remove the general-fuzz target
Date: Thu, 15 Oct 2020 09:41:36 -0400
Message-Id: <20201015134137.205958-17-alxndr@bu.edu>
In-Reply-To: <20201015134137.205958-1-alxndr@bu.edu>
Cc: Thomas Huth , Alexander Bulekov , f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com,
pbonzini@redhat.com, dimastep@yandex-team.ru Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" general-fuzz is not a standalone fuzzer - it requires some env variables to be set. On oss-fuzz, we set these with some predefined general-fuzz-{...} targets, that are thin wrappers around general-fuzz. Remove general-fuzz from the oss-fuzz build, so oss-fuzz does not treat it as a standalone fuzzer. Signed-off-by: Alexander Bulekov --- scripts/oss-fuzz/build.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/oss-fuzz/build.sh b/scripts/oss-fuzz/build.sh index 0c3ca9e06f..eed73ea410 100755 --- a/scripts/oss-fuzz/build.sh +++ b/scripts/oss-fuzz/build.sh @@ -97,5 +97,11 @@ do cp qemu-fuzz-i386 "$DEST_DIR/qemu-fuzz-i386-target-$target" done +# Remove the general-fuzz target, as it requires some environment variables to +# be configured. We have some general-fuzz-{pc-q35, floppy, ...} targets that +# are thin wrappers around this target that set the required environment +# variables according to predefined configs. +rm "$DEST_DIR/qemu-fuzz-i386-target-general-fuzz" + echo "Done. The fuzzers are located in $DEST_DIR" exit 0
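Review bot: rm without -f in the new block fails if "$DEST_DIR/qemu-fuzz-i386-target-general-fuzz" is absent (for instance once the general-fuzz target is renamed or no longer emitted by the loop above), and if build.sh runs under set -e that aborts the build before the "Done." message and exit 0; either use rm -f, or better, skip general-fuzz inside the preceding for loop (`[ "$target" = general-fuzz ] && continue` before the cp) so the binary is never copied and then deleted. The comment's list "general-fuzz-{pc-q35, floppy, ...}" will also drift as configs are added; pointing readers at general_fuzz_configs.h as the source of truth is more durable.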