From: Alexander Bulekov <alxndr@bu.edu>
To: qemu-devel@nongnu.org
Cc: Laurent Vivier <lvivier@redhat.com>,
Thomas Huth <thuth@redhat.com>,
darren.kenny@oracle.com, Alexander Bulekov <alxndr@bu.edu>,
bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com
Subject: [PATCH v9 22/23] fuzz: add virtio-scsi fuzz target
Date: Tue, 11 Feb 2020 15:35:09 -0500 [thread overview]
Message-ID: <20200211203510.3534-23-alxndr@bu.edu> (raw)
In-Reply-To: <20200211203510.3534-1-alxndr@bu.edu>
The virtio-scsi fuzz target sets up and fuzzes the available virtio-scsi
queues. After an element is placed on a queue, the fuzzer can select
whether to perform a kick, or continue adding elements.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
tests/qtest/fuzz/Makefile.include | 1 +
tests/qtest/fuzz/virtio_scsi_fuzz.c | 214 ++++++++++++++++++++++++++++
2 files changed, 215 insertions(+)
create mode 100644 tests/qtest/fuzz/virtio_scsi_fuzz.c
diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
index 77385777ef..cde3e9636c 100644
--- a/tests/qtest/fuzz/Makefile.include
+++ b/tests/qtest/fuzz/Makefile.include
@@ -9,6 +9,7 @@ fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
# Targets
fuzz-obj-y += tests/qtest/fuzz/i440fx_fuzz.o
fuzz-obj-y += tests/qtest/fuzz/virtio_net_fuzz.o
+fuzz-obj-y += tests/qtest/fuzz/virtio_scsi_fuzz.o
FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
diff --git a/tests/qtest/fuzz/virtio_scsi_fuzz.c b/tests/qtest/fuzz/virtio_scsi_fuzz.c
new file mode 100644
index 0000000000..f62f512a26
--- /dev/null
+++ b/tests/qtest/fuzz/virtio_scsi_fuzz.c
@@ -0,0 +1,214 @@
+/*
+ * virtio-serial Fuzzing Target
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ * Alexander Bulekov <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "tests/qtest/libqtest.h"
+#include "tests/qtest/libqos/virtio-net.h"
+#include "libqos/virtio-scsi.h"
+#include "libqos/virtio.h"
+#include "libqos/virtio-pci.h"
+#include "standard-headers/linux/virtio_ids.h"
+#include "standard-headers/linux/virtio_pci.h"
+#include "standard-headers/linux/virtio_scsi.h"
+#include "fuzz.h"
+#include "fork_fuzz.h"
+#include "qos_fuzz.h"
+
+#define PCI_SLOT 0x02
+#define PCI_FN 0x00
+#define QVIRTIO_SCSI_TIMEOUT_US (1 * 1000 * 1000)
+
+#define MAX_NUM_QUEUES 64
+
+/* Based on tests/virtio-scsi-test.c */
+typedef struct {
+ int num_queues;
+ QVirtQueue *vq[MAX_NUM_QUEUES + 2];
+} QVirtioSCSIQueues;
+
+static QVirtioSCSIQueues *qvirtio_scsi_init(QVirtioDevice *dev, uint64_t mask)
+{
+ QVirtioSCSIQueues *vs;
+ uint64_t feat;
+ int i;
+
+ vs = g_new0(QVirtioSCSIQueues, 1);
+
+ feat = qvirtio_get_features(dev);
+ if (mask) {
+ feat &= ~QVIRTIO_F_BAD_FEATURE | mask;
+ } else {
+ feat &= ~(QVIRTIO_F_BAD_FEATURE | (1ull << VIRTIO_RING_F_EVENT_IDX));
+ }
+ qvirtio_set_features(dev, feat);
+
+ vs->num_queues = qvirtio_config_readl(dev, 0);
+
+ for (i = 0; i < vs->num_queues + 2; i++) {
+ vs->vq[i] = qvirtqueue_setup(dev, fuzz_qos_alloc, i);
+ }
+
+ qvirtio_set_driver_ok(dev);
+
+ return vs;
+}
+
+static void virtio_scsi_fuzz(QTestState *s, QVirtioSCSIQueues* queues,
+ const unsigned char *Data, size_t Size)
+{
+ /*
+ * Data is a sequence of random bytes. We split them up into "actions",
+ * followed by data:
+ * [vqa][dddddddd][vqa][dddd][vqa][dddddddddddd] ...
+ * The length of the data is specified by the preceding vqa.length
+ */
+ typedef struct vq_action {
+ uint8_t queue;
+ uint8_t length;
+ uint8_t write;
+ uint8_t next;
+ uint8_t kick;
+ } vq_action;
+
+ /* Keep track of the free head for each queue we interact with */
+ bool vq_touched[MAX_NUM_QUEUES + 2] = {0};
+ uint32_t free_head[MAX_NUM_QUEUES + 2];
+
+ QGuestAllocator *t_alloc = fuzz_qos_alloc;
+
+ QVirtioSCSI *scsi = fuzz_qos_obj;
+ QVirtioDevice *dev = scsi->vdev;
+ QVirtQueue *q;
+ vq_action vqa;
+ while (Size >= sizeof(vqa)) {
+ /* Copy the action, so we can normalize length, queue and flags */
+ memcpy(&vqa, Data, sizeof(vqa));
+
+ Data += sizeof(vqa);
+ Size -= sizeof(vqa);
+
+ vqa.queue = vqa.queue % queues->num_queues;
+ /* Cap length at the number of remaining bytes in data */
+ vqa.length = vqa.length >= Size ? Size : vqa.length;
+ vqa.write = vqa.write & 1;
+ vqa.next = vqa.next & 1;
+ vqa.kick = vqa.kick & 1;
+
+
+ q = queues->vq[vqa.queue];
+
+ /* Copy the data into ram, and place it on the virtqueue */
+ uint64_t req_addr = guest_alloc(t_alloc, vqa.length);
+ qtest_memwrite(s, req_addr, Data, vqa.length);
+ if (vq_touched[vqa.queue] == 0) {
+ vq_touched[vqa.queue] = 1;
+ free_head[vqa.queue] = qvirtqueue_add(s, q, req_addr, vqa.length,
+ vqa.write, vqa.next);
+ } else {
+ qvirtqueue_add(s, q, req_addr, vqa.length, vqa.write , vqa.next);
+ }
+
+ if (vqa.kick) {
+ qvirtqueue_kick(s, dev, q, free_head[vqa.queue]);
+ free_head[vqa.queue] = 0;
+ }
+ Data += vqa.length;
+ Size -= vqa.length;
+ }
+ /* In the end, kick each queue we interacted with */
+ for (int i = 0; i < MAX_NUM_QUEUES + 2; i++) {
+ if (vq_touched[i]) {
+ qvirtqueue_kick(s, dev, queues->vq[i], free_head[i]);
+ }
+ }
+}
+
+static void virtio_scsi_fork_fuzz(QTestState *s,
+ const unsigned char *Data, size_t Size)
+{
+ QVirtioSCSI *scsi = fuzz_qos_obj;
+ static QVirtioSCSIQueues *queues;
+ if (!queues) {
+ queues = qvirtio_scsi_init(scsi->vdev, 0);
+ }
+ if (fork() == 0) {
+ virtio_scsi_fuzz(s, queues, Data, Size);
+ flush_events(s);
+ _Exit(0);
+ } else {
+ wait(NULL);
+ }
+}
+
+static void virtio_scsi_with_flag_fuzz(QTestState *s,
+ const unsigned char *Data, size_t Size)
+{
+ QVirtioSCSI *scsi = fuzz_qos_obj;
+ static QVirtioSCSIQueues *queues;
+
+ if (fork() == 0) {
+ if (Size >= sizeof(uint64_t)) {
+ queues = qvirtio_scsi_init(scsi->vdev, *(uint64_t *)Data);
+ virtio_scsi_fuzz(s, queues,
+ Data + sizeof(uint64_t), Size - sizeof(uint64_t));
+ flush_events(s);
+ }
+ _Exit(0);
+ } else {
+ wait(NULL);
+ }
+}
+
+static void virtio_scsi_pre_fuzz(QTestState *s)
+{
+ qos_init_path(s);
+ counter_shm_init();
+}
+
+static void *virtio_scsi_test_setup(GString *cmd_line, void *arg)
+{
+ g_string_append(cmd_line,
+ " -drive file=blkdebug::null-co://,"
+ "file.image.read-zeroes=on,"
+ "if=none,id=dr1,format=raw,file.align=4k "
+ "-device scsi-hd,drive=dr1,lun=0,scsi-id=1");
+ return arg;
+}
+
+
+static void register_virtio_scsi_fuzz_targets(void)
+{
+ fuzz_add_qos_target(&(FuzzTarget){
+ .name = "virtio-scsi-fuzz",
+ .description = "Fuzz the virtio-net virtual queues, forking"
+ "for each fuzz run",
+ .pre_vm_init = &counter_shm_init,
+ .pre_fuzz = &virtio_scsi_pre_fuzz,
+ .fuzz = virtio_scsi_fork_fuzz,},
+ "virtio-scsi",
+ &(QOSGraphTestOptions){.before = virtio_scsi_test_setup}
+ );
+
+ fuzz_add_qos_target(&(FuzzTarget){
+ .name = "virtio-scsi-flags-fuzz",
+ .description = "Fuzz the virtio-net virtual queues, forking"
+ "for each fuzz run (also fuzzes the virtio flags)",
+ .pre_vm_init = &counter_shm_init,
+ .pre_fuzz = &virtio_scsi_pre_fuzz,
+ .fuzz = virtio_scsi_with_flag_fuzz,},
+ "virtio-scsi",
+ &(QOSGraphTestOptions){.before = virtio_scsi_test_setup}
+ );
+}
+
+fuzz_target_init(register_virtio_scsi_fuzz_targets);
--
2.25.0
next prev parent reply other threads:[~2020-02-11 20:44 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-11 20:34 [PATCH v9 00/23] Add virtual device fuzzing support Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 01/23] checkpatch: replace vl.c in the top of repo check Alexander Bulekov
2020-02-13 11:55 ` Stefan Hajnoczi
2020-02-11 20:34 ` [PATCH v9 02/23] softmmu: move vl.c to softmmu/ Alexander Bulekov
2020-02-13 11:58 ` Stefan Hajnoczi
2020-02-11 20:34 ` [PATCH v9 03/23] softmmu: split off vl.c:main() into main.c Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 04/23] module: check module wasn't already initialized Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 05/23] fuzz: add FUZZ_TARGET module type Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 06/23] qtest: add qtest_server_send abstraction Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 07/23] libqtest: add a layer of abstraction to send/recv Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 08/23] libqtest: make bufwrite rely on the TransportOps Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 09/23] qtest: add in-process incoming command handler Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 10/23] libqos: rename i2c_send and i2c_recv Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 11/23] libqos: split qos-test and libqos makefile vars Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 12/23] libqos: move useful qos-test funcs to qos_external Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 13/23] fuzz: add fuzzer skeleton Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 14/23] exec: keep ram block across fork when using qtest Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 15/23] main: keep rcu_atfork callback enabled for qtest Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 16/23] fuzz: support for fork-based fuzzing Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 17/23] fuzz: add support for qos-assisted fuzz targets Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 18/23] fuzz: add target/fuzz makefile rules Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 19/23] fuzz: add configure flag --enable-fuzzing Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 20/23] fuzz: add i440fx fuzz targets Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 21/23] fuzz: add virtio-net fuzz target Alexander Bulekov
2020-02-11 20:35 ` Alexander Bulekov [this message]
2020-02-13 13:42 ` [PATCH v9 22/23] fuzz: add virtio-scsi " Stefan Hajnoczi
2020-02-11 20:35 ` [PATCH v9 23/23] fuzz: add documentation to docs/devel/ Alexander Bulekov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200211203510.3534-23-alxndr@bu.edu \
--to=alxndr@bu.edu \
--cc=bsd@redhat.com \
--cc=darren.kenny@oracle.com \
--cc=lvivier@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.