* [Qemu-devel] [PATCH] qtest: add a fuzz test to fdc-test
@ 2012-05-19 12:54 Blue Swirl
  2012-05-21  7:51 ` Kevin Wolf
  0 siblings, 1 reply; 8+ messages in thread
From: Blue Swirl @ 2012-05-19 12:54 UTC (permalink / raw)
  To: Kevin Wolf, Paolo Bonzini, qemu-devel

Add a simple register fuzzing test to floppy controller tests.

Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
---
There's a lot of output like:
GTESTER check-qtest-i386
FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x1f
FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xa8
FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x37
FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x93
FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xe4
FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xc1
FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x92

Maybe they should be fixed first.

---
 tests/fdc-test.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/tests/fdc-test.c b/tests/fdc-test.c
index 5b5dd74..5a22a31 100644
--- a/tests/fdc-test.c
+++ b/tests/fdc-test.c
@@ -154,6 +154,22 @@ static void test_media_change(void)
     assert_bit_clear(dir, DSKCHG);
 }

+/* success if no crash or abort */
+static void fuzz_registers(void)
+{
+    unsigned int i;
+
+    for (i = 0; i < 1000; i++) {
+        uint8_t reg, val;
+
+        reg = (uint8_t)g_test_rand_int_range(0, 8);
+        val = (uint8_t)g_test_rand_int_range(0, 256);
+
+        outb(FLOPPY_BASE + reg, val);
+        inb(FLOPPY_BASE + reg);
+    }
+}
+
 int main(int argc, char **argv)
 {
     const char *arch = qtest_get_arch();
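Review bot: fuzz_registers gives nobody a way to replay a failure: `reg` and `val` come from g_test_rand_int_range and are neither logged nor tied to a documented seed, so a crash or abort seen once in CI leaves only a stack trace. Suggest extending the "success if no crash or abort" comment to say that the sequence is reproducible from the GLib test seed that g_test_init accepts, and since `inb(FLOPPY_BASE + reg)` discards its result and the loop asserts nothing, consider a final check that the controller still answers a well-formed command after the 1000 random writes; as written the test catches hard crashes but not a controller left wedged.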
@@ -184,6 +200,7 @@ int main(int argc, char **argv)
     qtest_start(cmdline);
     qtest_irq_intercept_in(global_qtest, "ioapic");
     qtest_add_func("/fdc/media_change", test_media_change);
+    qtest_add_func("/fdc/fuzz-registers", fuzz_registers);

     ret = g_test_run();

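Review bot: the new test name mixes conventions: "/fdc/fuzz-registers" uses a hyphen while "/fdc/media_change" on the line above uses an underscore; suggest "/fdc/fuzz_registers", which also matches the C symbol. Registering the fuzz test last is the right call, because it shares the qtest instance started by qtest_start() with test_media_change and leaves the controller in a random state, but that ordering dependency deserves a one-line comment so nobody later adds a test after it by accident.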
-- 
1.7.10

* Re: [Qemu-devel] [PATCH] qtest: add a fuzz test to fdc-test
  2012-05-19 12:54 [Qemu-devel] [PATCH] qtest: add a fuzz test to fdc-test Blue Swirl
@ 2012-05-21  7:51 ` Kevin Wolf
  2012-05-21  8:11   ` Paolo Bonzini
  0 siblings, 1 reply; 8+ messages in thread
From: Kevin Wolf @ 2012-05-21  7:51 UTC (permalink / raw)
  To: Blue Swirl; +Cc: Paolo Bonzini, qemu-devel

On 19.05.2012 14:54, Blue Swirl wrote:
> Add a simple register fuzzing test to floppy controller tests.
> 
> Signed-off-by: Blue Swirl <blauwirbel@gmail.com>
> ---
> There's a lot of output like:
> GTESTER check-qtest-i386
> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x1f
> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xa8
> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x37
> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x93
> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xe4
> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xc1
> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x92
> 
> Maybe they should be fixed first.

What do you mean by fixing? Turning them into DPRINTFs?

Kevin

* Re: [Qemu-devel] [PATCH] qtest: add a fuzz test to fdc-test
  2012-05-21  7:51 ` Kevin Wolf
@ 2012-05-21  8:11   ` Paolo Bonzini
  2012-05-21  8:14     ` Kevin Wolf
  0 siblings, 1 reply; 8+ messages in thread
From: Paolo Bonzini @ 2012-05-21  8:11 UTC (permalink / raw)
  To: Kevin Wolf; +Cc: Blue Swirl, qemu-devel

On 21/05/2012 09:51, Kevin Wolf wrote:
>> > GTESTER check-qtest-i386
>> > FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>> > FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>> > FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x1f
>> > FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xa8
>> > FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>> > FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>> > FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>> > FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x37
>> > FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>> > FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>> > FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>> > FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>> > FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>> > FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>> > FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x93
>> > FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xe4
>> > FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xc1
>> > FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x92
>> > 
>> > Maybe they should be fixed first.
> What do you mean by fixing? Turning them into DPRINTFs?

Or trace events?

Paolo

* Re: [Qemu-devel] [PATCH] qtest: add a fuzz test to fdc-test
  2012-05-21  8:11   ` Paolo Bonzini
@ 2012-05-21  8:14     ` Kevin Wolf
  2012-05-21  8:18       ` Paolo Bonzini
  2012-05-21 17:30       ` Blue Swirl
  0 siblings, 2 replies; 8+ messages in thread
From: Kevin Wolf @ 2012-05-21  8:14 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: Blue Swirl, qemu-devel

On 21.05.2012 10:11, Paolo Bonzini wrote:
> On 21/05/2012 09:51, Kevin Wolf wrote:
>>>> GTESTER check-qtest-i386
>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x1f
>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xa8
>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x37
>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x93
>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xe4
>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xc1
>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x92
>>>>
>>>> Maybe they should be fixed first.
>> What do you mean by fixing? Turning them into DPRINTFs?
> 
> Or trace events?

Yeah, you could turn all FLOPPY_DPRINTFs into trace events. But the
point here is that today it's a FLOPPY_ERROR, and except for register
fuzzing they report real problems with the emulation and not just some
debugging information. So I'm not sure if hiding them is really a fix.

Kevin

* Re: [Qemu-devel] [PATCH] qtest: add a fuzz test to fdc-test
  2012-05-21  8:14     ` Kevin Wolf
@ 2012-05-21  8:18       ` Paolo Bonzini
  2012-05-21 17:33         ` Blue Swirl
  2012-05-21 17:30       ` Blue Swirl
  1 sibling, 1 reply; 8+ messages in thread
From: Paolo Bonzini @ 2012-05-21  8:18 UTC (permalink / raw)
  To: Kevin Wolf; +Cc: Blue Swirl, qemu-devel

> >> What do you mean by fixing? Turning them into DPRINTFs?
> > 
> > Or trace events?
> 
> Yeah, you could turn all FLOPPY_DPRINTFs into trace events. But the
> point here is that today it's a FLOPPY_ERROR, and except for register
> fuzzing they report real problems with the emulation and not just
> some debugging information. So I'm not sure if hiding them is really a
> fix.

It depends, "controller not ready for reading" is most likely just caused by
fuzzing.  Most unimplemented commands are also invalid on real hardware too.

Paolo

* Re: [Qemu-devel] [PATCH] qtest: add a fuzz test to fdc-test
  2012-05-21  8:14     ` Kevin Wolf
  2012-05-21  8:18       ` Paolo Bonzini
@ 2012-05-21 17:30       ` Blue Swirl
  2012-05-21 17:47         ` Peter Maydell
  1 sibling, 1 reply; 8+ messages in thread
From: Blue Swirl @ 2012-05-21 17:30 UTC (permalink / raw)
  To: Kevin Wolf; +Cc: Paolo Bonzini, qemu-devel

On Mon, May 21, 2012 at 8:14 AM, Kevin Wolf <kwolf@redhat.com> wrote:
> On 21.05.2012 10:11, Paolo Bonzini wrote:
>> On 21/05/2012 09:51, Kevin Wolf wrote:
>>>>> GTESTER check-qtest-i386
>>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x1f
>>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xa8
>>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x37
>>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>>> FLOPPY ERROR: fdctrl_read_data: controller not ready for reading
>>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x93
>>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xe4
>>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0xc1
>>>>> FLOPPY ERROR: fdctrl_unimplemented: unimplemented command 0x92
>>>>>
>>>>> Maybe they should be fixed first.
>>> What do you mean by fixing? Turning them into DPRINTFs?
>>
>> Or trace events?
>
> Yeah, you could turn all FLOPPY_DPRINTFs into trace events. But the
> point here is that today it's a FLOPPY_ERROR, and except for register
> fuzzing they report real problems with the emulation and not just some
> debugging information. So I'm not sure if hiding them is really a fix.

While not a DoS, letting the guest spam the console at will is not
nice either. Maybe we need a new method to enable a selected set of
printouts, something like '-d unimplemented'. That way no recompiling
would be needed.

>
> Kevin

* Re: [Qemu-devel] [PATCH] qtest: add a fuzz test to fdc-test
  2012-05-21  8:18       ` Paolo Bonzini
@ 2012-05-21 17:33         ` Blue Swirl
  0 siblings, 0 replies; 8+ messages in thread
From: Blue Swirl @ 2012-05-21 17:33 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: Kevin Wolf, qemu-devel

On Mon, May 21, 2012 at 8:18 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
>> >> What do you mean by fixing? Turning them into DPRINTFs?
>> >
>> > Or trace events?
>>
>> Yeah, you could turn all FLOPPY_DPRINTFs into trace events. But the
>> point here is that today it's a FLOPPY_ERROR, and except for register
>> fuzzing they report real problems with the emulation and not just
>> some debugging information. So I'm not sure if hiding them is really a
>> fix.
>
> It depends, "controller not ready for reading" is most likely just caused by
> fuzzing.  Most unimplemented commands are also invalid on real hardware too.

Yes, but a malevolent guest could issue the same commands if those
could cause problems to QEMU.

>
> Paolo

* Re: [Qemu-devel] [PATCH] qtest: add a fuzz test to fdc-test
  2012-05-21 17:30       ` Blue Swirl
@ 2012-05-21 17:47         ` Peter Maydell
  0 siblings, 0 replies; 8+ messages in thread
From: Peter Maydell @ 2012-05-21 17:47 UTC (permalink / raw)
  To: Blue Swirl; +Cc: Kevin Wolf, Paolo Bonzini, qemu-devel

On 21 May 2012 18:30, Blue Swirl <blauwirbel@gmail.com> wrote:
> On Mon, May 21, 2012 at 8:14 AM, Kevin Wolf <kwolf@redhat.com> wrote:
>> Yeah, you could turn all FLOPPY_DPRINTFs into trace events. But the
>> point here is that today it's a FLOPPY_ERROR, and except for register
>> fuzzing they report real problems with the emulation and not just some
>> debugging information. So I'm not sure if hiding them is really a fix.
>
> While not a DoS, letting the guest spam the console at will is not
> nice either. Maybe we need a new method to enable a selected set of
> printouts, something like '-d unimplemented'. That way no recompiling
> would be needed.

+1 for a better set of graduated logging/debug levels and a sensible
command line interface for turning them on and off. Possible severity
levels:
 * debug output
 * guest has done something that suggests it might be buggy, eg
   accessing nonexistent register
 * guest has tried to use something qemu doesn't implement
 * qemu (fatal) error

These should be orthogonal to the "what area should we print logging
for" question, I think.

With a clean API for defining log messages I think we could clean
up a lot of the legacy functions for asserting/aborting in various
ways (in particular a lot of the hw_error() uses).

-- PMM
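The logging scheme the last two messages sketch, Blue Swirl's run-time '-d unimplemented' style switch and Peter Maydell's graduated severity levels kept orthogonal to the "which area" question, written out as an added C example. This is not QEMU code and none of these names exist in QEMU: log_level, log_config, log_parse_opts, log_should_emit, GUEST_LOG and the area bits are all hypothetical, and the option syntax ("unimp,fdc") is an assumption. It also carries one thing the thread only implies: a per-call-site cap, so a guest that hits an enabled message path in a loop cannot flood the console.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Severity levels in increasing order; enabling a level also enables every
 * level above it. Hypothetical names matching the list in the thread. */
enum log_level {
    LOG_DEBUG = 0,      /* developer debug output */
    LOG_GUEST_ERROR,    /* guest did something suspicious, e.g. nonexistent register */
    LOG_UNIMP,          /* guest used something the emulator does not implement */
    LOG_FATAL           /* emulator error: every area, never rate-limited */
};

/* Device areas as a bit mask, orthogonal to severity (hypothetical). */
#define LOG_AREA_FDC  (1u << 0)
#define LOG_AREA_IDE  (1u << 1)
#define LOG_AREA_ALL  0xffffffffu

struct log_config {
    enum log_level min_level;   /* lowest severity that is printed */
    uint32_t area_mask;         /* areas allowed to print below LOG_FATAL */
    unsigned per_site_cap;      /* max prints per call site, against console spam */
};

static const struct { const char *name; enum log_level level; } level_names[] = {
    { "debug", LOG_DEBUG }, { "guest_error", LOG_GUEST_ERROR },
    { "unimp", LOG_UNIMP }, { "fatal", LOG_FATAL },
};
static const struct { const char *name; uint32_t mask; } area_names[] = {
    { "fdc", LOG_AREA_FDC }, { "ide", LOG_AREA_IDE }, { "all", LOG_AREA_ALL },
};

/* Compare a comma-delimited token of length len against a name. */
static bool tok_eq(const char *tok, size_t len, const char *name)
{
    return strlen(name) == len && strncmp(tok, name, len) == 0;
}

/* Parse the argument a hypothetical "-d" switch would take, e.g. "unimp,fdc".
 * Level tokens lower the threshold, area tokens restrict the mask; with no
 * area token every area stays enabled. Returns false on an unknown token. */
static bool log_parse_opts(const char *opts, struct log_config *cfg)
{
    bool area_given = false;
    size_t i;

    cfg->min_level = LOG_FATAL;         /* default: only emulator errors */
    cfg->area_mask = LOG_AREA_ALL;
    cfg->per_site_cap = 10;

    while (opts && *opts) {
        const char *end = strchr(opts, ',');
        size_t len = end ? (size_t)(end - opts) : strlen(opts);
        bool matched = false;

        for (i = 0; i < sizeof level_names / sizeof level_names[0]; i++) {
            if (tok_eq(opts, len, level_names[i].name)) {
                if (level_names[i].level < cfg->min_level) {
                    cfg->min_level = level_names[i].level;
                }
                matched = true;
            }
        }
        for (i = 0; !matched && i < sizeof area_names / sizeof area_names[0]; i++) {
            if (tok_eq(opts, len, area_names[i].name)) {
                if (!area_given) {
                    cfg->area_mask = 0;     /* first area token replaces "all" */
                    area_given = true;
                }
                cfg->area_mask |= area_names[i].mask;
                matched = true;
            }
        }
        if (!matched) {
            return false;
        }
        opts = end ? end + 1 : opts + len;
    }
    return true;
}

/* Per-call-site state: the first per_site_cap messages print, the rest drop. */
struct log_site {
    unsigned hits;
    bool noted;                 /* "suppressed" notice already printed */
};

/* Decide whether one message passes the level, area and spam filters. */
static bool log_should_emit(const struct log_config *cfg, struct log_site *site,
                            uint32_t area, enum log_level level)
{
    if (level < cfg->min_level) {
        return false;
    }
    if (level == LOG_FATAL) {
        return true;                    /* fatal: ignore area mask and cap */
    }
    if (!(cfg->area_mask & area)) {
        return false;
    }
    site->hits++;
    return site->hits <= cfg->per_site_cap;
}

/* Call-site macro with one static counter per use, so a guest looping on a
 * single unimplemented command cannot spam the console. */
#define GUEST_LOG(cfg, area, level, ...)                                      \
    do {                                                                      \
        static struct log_site site_;                                         \
        if (log_should_emit((cfg), &site_, (area), (level))) {               \
            fprintf(stderr, __VA_ARGS__);                                     \
        } else if (site_.hits > (cfg)->per_site_cap && !site_.noted) {       \
            site_.noted = true;                                               \
            fprintf(stderr, "(further messages from this site suppressed)\n"); \
        }                                                                     \
    } while (0)

/* Helper for checking the policy: parse opts, offer n identical messages
 * from one call site, return how many would print; -1 if opts are invalid. */
static int count_emitted(const char *opts, uint32_t area, enum log_level level, int n)
{
    struct log_config cfg;
    struct log_site site = { 0, false };
    int i, printed = 0;

    if (!log_parse_opts(opts, &cfg)) {
        return -1;
    }
    for (i = 0; i < n; i++) {
        if (log_should_emit(&cfg, &site, area, level)) {
            printed++;
        }
    }
    return printed;
}
```

With "unimp,fdc" the 1000 bogus floppy commands from the fuzz run would produce ten lines and one suppression notice instead of a thousand, an IDE message at the same level stays silent, and a LOG_FATAL message prints regardless of area or cap, which is the distinction Kevin draws between debugging noise and a real emulation problem.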
