From: "Oleinik, Alexander" <alxndr@bu.edu>
To: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Cc: "pbonzini@redhat.com" <pbonzini@redhat.com>,
"bsd@redhat.com" <bsd@redhat.com>,
"stefanha@redhat.com" <stefanha@redhat.com>,
"Oleinik, Alexander" <alxndr@bu.edu>
Subject: [PATCH v5 15/20] fuzz: add fuzzer skeleton
Date: Wed, 13 Nov 2019 22:50:51 +0000 [thread overview]
Message-ID: <20191113225030.17023-16-alxndr@bu.edu> (raw)
In-Reply-To: <20191113225030.17023-1-alxndr@bu.edu>
tests/fuzz/fuzz.c serves as the entry point for the virtual-device
fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and
LLVMFuzzerTestOneInput functions, both of which are defined in this
file. This change adds a "FuzzTarget" struct, along with the
fuzz_add_target function, which should be used to define new fuzz
targets.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
tests/fuzz/Makefile.include | 4 +-
tests/fuzz/fuzz.c | 179 ++++++++++++++++++++++++++++++++++++
tests/fuzz/fuzz.h | 94 +++++++++++++++++++
3 files changed, 275 insertions(+), 2 deletions(-)
create mode 100644 tests/fuzz/fuzz.c
create mode 100644 tests/fuzz/fuzz.h
diff --git a/tests/fuzz/Makefile.include b/tests/fuzz/Makefile.include
index 324e6c1433..b415b056b0 100644
--- a/tests/fuzz/Makefile.include
+++ b/tests/fuzz/Makefile.include
@@ -1,4 +1,4 @@
-# QEMU_PROG_FUZZ=qemu-fuzz-$(TARGET_NAME)$(EXESUF)
+QEMU_PROG_FUZZ=qemu-fuzz-$(TARGET_NAME)$(EXESUF)
fuzz-obj-y = $(libqos-obj-y)
fuzz-obj-y += tests/libqtest.o
-
+fuzz-obj-y += tests/fuzz/fuzz.o
diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c
new file mode 100644
index 0000000000..f4abaa3484
--- /dev/null
+++ b/tests/fuzz/fuzz.c
@@ -0,0 +1,179 @@
+/*
+ * fuzzing driver
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ * Alexander Bulekov <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#include "qemu/osdep.h"
+
+#include <wordexp.h>
+
+#include "sysemu/qtest.h"
+#include "sysemu/runstate.h"
+#include "sysemu/sysemu.h"
+#include "qemu/main-loop.h"
+#include "tests/libqtest.h"
+#include "tests/libqos/qgraph.h"
+#include "fuzz.h"
+
+#define MAX_EVENT_LOOPS 10
+
+typedef struct FuzzTargetState {
+ FuzzTarget *target;
+ QSLIST_ENTRY(FuzzTargetState) target_list;
+} FuzzTargetState;
+
+typedef QSLIST_HEAD(, FuzzTargetState) FuzzTargetList;
+
+static const char *fuzz_arch = TARGET_NAME;
+
+static FuzzTargetList *fuzz_target_list;
+static FuzzTarget *fuzz_target;
+static QTestState *fuzz_qts;
+
+
+
+void flush_events(QTestState *s)
+{
+ int i = MAX_EVENT_LOOPS;
+ while (g_main_context_pending(NULL) && i-- > 0) {
+ main_loop_wait(false);
+ }
+}
+
+static QTestState *qtest_setup(void)
+{
+ qtest_server_set_send_handler(&qtest_client_inproc_recv, &fuzz_qts);
+ return qtest_inproc_init(&fuzz_qts, false fuzz_arch,
+ &qtest_server_inproc_recv);
+}
+
+void fuzz_add_target(const FuzzTarget *target)
+{
+ FuzzTargetState *tmp;
+ FuzzTargetState *target_state;
+ if (!fuzz_target_list) {
+ fuzz_target_list = g_new0(FuzzTargetList, 1);
+ }
+
+ QSLIST_FOREACH(tmp, fuzz_target_list, target_list) {
+ if (g_strcmp0(tmp->target->name, target->name) == 0) {
+ fprintf(stderr, "Error: Fuzz target name %s already in use\n",
+ target->name);
+ abort();
+ }
+ }
+ target_state = g_new0(FuzzTargetState, 1);
+ target_state->target = g_new0(FuzzTarget, 1);
+ *(target_state->target) = *target;
+ QSLIST_INSERT_HEAD(fuzz_target_list, target_state, target_list);
+}
+
+
+
+static void usage(char *path)
+{
+ printf("Usage: %s --fuzz-target=FUZZ_TARGET [LIBFUZZER ARGUMENTS]\n", path);
+ printf("where FUZZ_TARGET is one of:\n");
+ FuzzTargetState *tmp;
+ if (!fuzz_target_list) {
+ fprintf(stderr, "Fuzz target list not initialized\n");
+ abort();
+ }
+ QSLIST_FOREACH(tmp, fuzz_target_list, target_list) {
+ printf(" %s : %s\n", tmp->target->name,
+ tmp->target->description);
+ }
+ exit(0);
+}
+
+static FuzzTarget *fuzz_get_target(char* name)
+{
+ FuzzTargetState *tmp;
+ if (!fuzz_target_list) {
+ fprintf(stderr, "Fuzz target list not initialized\n");
+ abort();
+ }
+
+ QSLIST_FOREACH(tmp, fuzz_target_list, target_list) {
+ if (strcmp(tmp->target->name, name) == 0) {
+ return tmp->target;
+ }
+ }
+ return NULL;
+}
+
+
+/* Executed for each fuzzing-input */
+int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size)
+{
+ /*
+ * Do the pre-fuzz-initialization before the first fuzzing iteration,
+ * instead of before the actual fuzz loop. This is needed since libfuzzer
+ * may fork off additional workers, prior to the fuzzing loop, and if
+ * pre_fuzz() sets up e.g. shared memory, this should be done for the
+ * individual worker processes
+ */
+ static int pre_fuzz_done;
+ if (!pre_fuzz_done && fuzz_target->pre_fuzz) {
+ fuzz_target->pre_fuzz(fuzz_qts);
+ pre_fuzz_done = true;
+ }
+
+ fuzz_target->fuzz(fuzz_qts, Data, Size);
+ return 0;
+}
+
+/* Executed once, prior to fuzzing */
+int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp)
+{
+
+ char *target_name;
+
+ /* Initialize qgraph and modules */
+ qos_graph_init();
+ module_call_init(MODULE_INIT_FUZZ_TARGET);
+ module_call_init(MODULE_INIT_QOM);
+ module_call_init(MODULE_INIT_LIBQOS);
+
+ if (*argc <= 1) {
+ usage(**argv);
+ }
+
+ /* Identify the fuzz target */
+ target_name = (*argv)[1];
+ if (!strstr(target_name, "--fuzz-target=")) {
+ usage(**argv);
+ }
+
+ target_name += strlen("--fuzz-target=");
+
+ fuzz_target = fuzz_get_target(target_name);
+ if (!fuzz_target) {
+ usage(**argv);
+ }
+
+ fuzz_qts = qtest_setup();
+
+ if (fuzz_target->pre_vm_init) {
+ fuzz_target->pre_vm_init();
+ }
+
+ /* Run QEMU's softmmu main with the fuzz-target dependent arguments */
+ const char *init_cmdline = fuzz_target->get_init_cmdline(fuzz_target);
+
+ /* Split the runcmd into an argv and argc */
+ wordexp_t result;
+ wordexp(init_cmdline, &result, 0);
+
+ qemu_init(result.we_wordc, result.we_wordv, NULL);
+
+ return 0;
+}
diff --git a/tests/fuzz/fuzz.h b/tests/fuzz/fuzz.h
new file mode 100644
index 0000000000..5135b252bf
--- /dev/null
+++ b/tests/fuzz/fuzz.h
@@ -0,0 +1,94 @@
+/*
+ * fuzzing driver
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ * Alexander Bulekov <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#ifndef FUZZER_H_
+#define FUZZER_H_
+
+#include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qapi/error.h"
+#include "exec/memory.h"
+#include "tests/libqtest.h"
+
+/**
+ * A libfuzzer fuzzing target
+ *
+ * The QEMU fuzzing binary is built with all available targets, each
+ * with a unique @name that can be specified on the command-line to
+ * select which target should run.
+ *
+ * A target must implement ->fuzz() to process a random input. If QEMU
+ * crashes in ->fuzz() then libfuzzer will record a failure.
+ *
+ * Fuzzing targets are registered with fuzz_add_target():
+ *
+ * static const FuzzTarget fuzz_target = {
+ * .name = "my-device-fifo",
+ * .description = "Fuzz the FIFO buffer registers of my-device",
+ * ...
+ * };
+ *
+ * static void register_fuzz_target(void)
+ * {
+ * fuzz_add_target(&fuzz_target);
+ * }
+ * fuzz_target_init(register_fuzz_target);
+ */
+typedef struct FuzzTarget {
+ const char *name; /* command-line option(FUZZ_TARGET) for the target */
+ const char *description; /* help text */
+
+
+ /* returns the arg-list that is passed to qemu/softmmu init()
+ * Cannot be NULL
+ */
+ const char* (*get_init_cmdline)(struct FuzzTarget *);
+
+ /*
+ * will run once, prior to running qemu/softmmu init.
+ * eg: set up shared-memory for communication with the child-process
+ * Can be NULL
+ */
+ void(*pre_vm_init)(void);
+
+ /*
+ * will run once, after QEMU has been initialized, prior to the fuzz-loop.
+ * eg: detect the memory map
+ * Can be NULL
+ */
+ void(*pre_fuzz)(QTestState *);
+
+ /*
+ * accepts and executes an input from libfuzzer. this is repeatedly
+ * executed during the fuzzing loop. Its should handle setup, input
+ * execution and cleanup.
+ * Cannot be NULL
+ */
+ void(*fuzz)(QTestState *, const unsigned char *, size_t);
+
+} FuzzTarget;
+
+void flush_events(QTestState *);
+void reboot(QTestState *);
+
+/*
+ * makes a copy of *target and adds it to the target-list.
+ * i.e. fine to set up target on the caller's stack
+ */
+void fuzz_add_target(const FuzzTarget *target);
+
+int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size);
+int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp);
+
+#endif
+
--
2.23.0
next prev parent reply other threads:[~2019-11-13 23:10 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-13 22:50 [PATCH v5 00/20] Add virtual device fuzzing support Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 01/20] softmmu: split off vl.c:main() into main.c Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 02/20] libqos: Rename i2c_send and i2c_recv Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 03/20] fuzz: Add FUZZ_TARGET module type Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 04/20] qtest: add qtest_server_send abstraction Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 05/20] libqtest: Add a layer of abstraciton to send/recv Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 06/20] module: check module wasn't already initialized Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 07/20] qtest: add in-process incoming command handler Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 08/20] tests: provide test variables to other targets Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 09/20] libqos: split qos-test and libqos makefile vars Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 10/20] libqos: move useful qos-test funcs to qos_external Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 11/20] libqtest: make bufwrite rely on the TransportOps Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 12/20] libqtest: add in-process qtest.c tx/rx handlers Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 13/20] fuzz: add configure flag --enable-fuzzing Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 14/20] fuzz: Add target/fuzz makefile rules Oleinik, Alexander
2019-11-13 22:50 ` Oleinik, Alexander [this message]
2019-11-13 22:50 ` [PATCH v5 16/20] fuzz: add support for fork-based fuzzing Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 17/20] fuzz: add support for qos-assisted fuzz targets Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 19/20] fuzz: add virtio-net fuzz target Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 18/20] fuzz: add i440fx fuzz targets Oleinik, Alexander
2019-11-13 22:50 ` [PATCH v5 20/20] fuzz: add documentation to docs/devel/ Oleinik, Alexander
2019-11-14 10:55 ` [PATCH v5 00/20] Add virtual device fuzzing support Darren Kenny
2019-11-14 15:04 ` Alexander Bulekov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191113225030.17023-16-alxndr@bu.edu \
--to=alxndr@bu.edu \
--cc=bsd@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.