From: Alexander Bulekov <alxndr@bu.edu>
To: qemu-devel@nongnu.org
Cc: Laurent Vivier <lvivier@redhat.com>,
Peter Maydell <peter.maydell@linaro.org>,
Thomas Huth <thuth@redhat.com>, Alexander Bulekov <alxndr@bu.edu>,
Darren Kenny <darren.kenny@oracle.com>,
Bandan Das <bsd@redhat.com>,
Stefan Hajnoczi <stefanha@redhat.com>,
Paolo Bonzini <pbonzini@redhat.com>
Subject: [PULL 5/7] fuzz: add virtio-9p configurations for fuzzing
Date: Wed, 20 Jan 2021 12:35:31 -0500 [thread overview]
Message-ID: <20210120173536.265601-10-alxndr@bu.edu> (raw)
In-Reply-To: <20210120173536.265601-1-alxndr@bu.edu>
virtio-9p devices are often used to expose a virtual-filesystem to the
guest. There have been some bugs reported in this device, such as
CVE-2018-19364, and CVE-2021-20181. We should fuzz this device
This patch adds two virtio-9p configurations:
* One with the widely used -fsdev local driver. This driver leaks some
state in the form of files/directories created in the shared dir.
* One with the synth driver. While it is not used in the real world, this
driver won't leak leak state between fuzz inputs.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
---
tests/qtest/fuzz/generic_fuzz_configs.h | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h b/tests/qtest/fuzz/generic_fuzz_configs.h
index 1a133655ee..f99657cdbc 100644
--- a/tests/qtest/fuzz/generic_fuzz_configs.h
+++ b/tests/qtest/fuzz/generic_fuzz_configs.h
@@ -19,6 +19,16 @@ typedef struct generic_fuzz_config {
gchar* (*argfunc)(void); /* Result must be freeable by g_free() */
} generic_fuzz_config;
+static inline gchar *generic_fuzzer_virtio_9p_args(void){
+ char tmpdir[] = "/tmp/qemu-fuzz.XXXXXX";
+ g_assert_nonnull(mkdtemp(tmpdir));
+
+ return g_strdup_printf("-machine q35 -nodefaults "
+ "-device virtio-9p,fsdev=hshare,mount_tag=hshare "
+ "-fsdev local,id=hshare,path=%s,security_model=mapped-xattr,"
+ "writeout=immediate,fmode=0600,dmode=0700", tmpdir);
+}
+
const generic_fuzz_config predefined_configs[] = {
{
.name = "virtio-net-pci-slirp",
@@ -60,6 +70,16 @@ const generic_fuzz_config predefined_configs[] = {
.name = "virtio-mouse",
.args = "-machine q35 -nodefaults -device virtio-mouse",
.objects = "virtio*",
+ },{
+ .name = "virtio-9p",
+ .argfunc = generic_fuzzer_virtio_9p_args,
+ .objects = "virtio*",
+ },{
+ .name = "virtio-9p-synth",
+ .args = "-machine q35 -nodefaults "
+ "-device virtio-9p,fsdev=hshare,mount_tag=hshare "
+ "-fsdev synth,id=hshare",
+ .objects = "virtio*",
},{
.name = "e1000",
.args = "-M q35 -nodefaults "
--
2.28.0
next prev parent reply other threads:[~2021-01-20 17:50 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-20 17:35 [PULL 0/7] 2021-01-20 fuzzing patches Alexander Bulekov
2021-01-20 17:35 ` [PULL 1/7] docs/fuzz: fix pre-meson path Alexander Bulekov
2021-01-20 17:35 ` [PULL 1/7] fuzz: ignore address_space_map is_write flag Alexander Bulekov
2021-01-20 17:35 ` [PULL 2/7] fuzz: log the arguments used to initialize QEMU Alexander Bulekov
2021-01-20 17:35 ` [PULL 2/7] fuzz: refine the ide/ahci fuzzer configs Alexander Bulekov
2021-01-20 17:35 ` [PULL 3/7] docs/fuzz: fix pre-meson path Alexander Bulekov
2021-01-20 17:35 ` [PULL 3/7] fuzz: enable dynamic args for generic-fuzz configs Alexander Bulekov
2021-01-20 17:35 ` [PULL 4/7] docs/fuzz: add some information about OSS-Fuzz Alexander Bulekov
2021-01-20 17:35 ` [PULL 4/7] fuzz: log the arguments used to initialize QEMU Alexander Bulekov
2021-01-20 17:35 ` Alexander Bulekov [this message]
2021-01-20 17:35 ` [PULL 5/7] fuzz: enable dynamic args for generic-fuzz configs Alexander Bulekov
2021-01-20 17:35 ` [PULL 6/7] docs/fuzz: add some information about OSS-Fuzz Alexander Bulekov
2021-01-20 17:35 ` [PULL 6/7] fuzz: ignore address_space_map is_write flag Alexander Bulekov
2021-01-20 17:35 ` [PULL 7/7] fuzz: add virtio-9p configurations for fuzzing Alexander Bulekov
2021-01-20 17:35 ` [PULL 7/7] fuzz: refine the ide/ahci fuzzer configs Alexander Bulekov
2021-01-20 17:41 ` [PULL 0/7] 2021-01-20 fuzzing patches Alexander Bulekov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210120173536.265601-10-alxndr@bu.edu \
--to=alxndr@bu.edu \
--cc=bsd@redhat.com \
--cc=darren.kenny@oracle.com \
--cc=lvivier@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.