On Thu, Jun 11, 2020 at 01:56:48AM -0400, Alexander Bulekov wrote:
> These patches add a generic fuzzer for virtual devices. This should
> allow us to fuzz devices that accept inputs over MMIO, PIO and DMA
> without any device-specific code.
>
> Example:
> QEMU_FUZZ_ARGS="-device virtio-net" \
> FUZZ_REGION_WHITELIST="virtio pci-" \
> ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz
>
> The above command will add a virtio-net device to the QEMU arguments and
> restrict the fuzzer to only interact with MMIO and PIO regions with
> names that contain "virtio" or "pci-". I find these names using the info
> mtree monitor command.
>
> Basically, the fuzzer splits the input into a series of commands, such
> as mmio_write, pio_write, etc. Additionally, these patches add "hooks"
> to functions that are typically used by virtual-devices to read from RAM
> (DMA). These hooks attempt to populate these DMA regions with fuzzed
> data, just in time. There are some differences from my reference code
> that seem to result in performance issues that I am still trying to iron
> out. I also need to figure out how to add the DMA "hooks" in a neat way.
> Maybe I can use -Wl,--wrap for this. I appreciate any feedback.
>
> Alexander Bulekov (3):
>   fuzz: add a general fuzzer for any qemu arguments
>   fuzz: add support for fuzzing DMA regions
>   fuzz: Add callbacks for dma-access functions
>
>  exec.c                                |  17 +-
>  include/exec/memory.h                 |   8 +
>  include/exec/memory_ldst_cached.inc.h |   9 +
>  include/sysemu/dma.h                  |   5 +-
>  memory_ldst.inc.c                     |  12 +
>  tests/qtest/fuzz/Makefile.include     |   1 +
>  tests/qtest/fuzz/general_fuzz.c       | 556 ++++++++++++++++++++++++++
>  7 files changed, 606 insertions(+), 2 deletions(-)
>  create mode 100644 tests/qtest/fuzz/general_fuzz.c

CCing Dima in case he is interested in this generic fuzzing approach.

Stefan
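A sketch of the two mechanisms the cover letter describes, splitting a fuzz input into mmio_write/pio_write commands and filtering them through a FUZZ_REGION_WHITELIST-style name list, as an added example in C that is not code from the patch series. The 13-byte command encoding, the region table with its names and addresses, and the functions `region_allowed` and `run_fuzz_input` are all assumptions for illustration; the real general_fuzz.c encodes commands its own way.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a guest's MMIO/PIO map; names in the style `info mtree` prints. */
typedef struct { const char *name; int pio; uint64_t base, size; uint32_t last_write; } Region;
static Region regions[] = {
    { "virtio-pci-common", 0, 0xfe000000, 0x1000, 0 },  /* MMIO */
    { "pci-conf-data",     1, 0xcfc,      0x4,    0 },  /* PIO  */
    { "serial",            1, 0x3f8,      0x8,    0 },  /* PIO, not matched by "virtio pci-" */
};
#define NREGIONS (sizeof regions / sizeof regions[0])

/* Whitelist semantics from the mail: a region is allowed if its name contains any of the
 * space-separated substrings, e.g. FUZZ_REGION_WHITELIST="virtio pci-". */
static int region_allowed(const char *name, const char *whitelist)
{
    char buf[128];
    strncpy(buf, whitelist, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " "))
        if (strstr(name, tok)) return 1;
    return 0;
}

/* Assumed command encoding (not the patch's real one): 1-byte op, 8-byte address and
 * 4-byte value in host byte order, 13 bytes per command; a trailing partial command is dropped. */
enum { OP_MMIO_WRITE = 0, OP_PIO_WRITE = 1 };
#define CMD_LEN 13

/* Split the fuzz input into commands and deliver each one that lands in an allowed
 * region. Returns how many commands were actually delivered to a region. */
size_t run_fuzz_input(const uint8_t *data, size_t len, const char *whitelist)
{
    size_t delivered = 0;
    for (; len >= CMD_LEN; data += CMD_LEN, len -= CMD_LEN) {
        int pio = (data[0] & 1) == OP_PIO_WRITE;   /* fold unknown op bytes onto known ops */
        uint64_t addr; uint32_t val;
        memcpy(&addr, data + 1, 8);
        memcpy(&val, data + 9, 4);
        for (size_t i = 0; i < NREGIONS; i++) {
            Region *r = &regions[i];
            if (r->pio != pio || addr < r->base || addr - r->base >= r->size) continue;
            if (region_allowed(r->name, whitelist)) { r->last_write = val; delivered++; }
            break;   /* the address resolved to a region, whether allowed or filtered out */
        }
    }
    return delivered;
}
```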