From: Alexander Bulekov <alxndr@bu.edu>
To: qemu-devel@nongnu.org
Cc: Laurent Vivier <lvivier@redhat.com>,
Thomas Huth <thuth@redhat.com>,
darren.kenny@oracle.com, Alexander Bulekov <alxndr@bu.edu>,
bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com
Subject: [PATCH v9 20/23] fuzz: add i440fx fuzz targets
Date: Tue, 11 Feb 2020 15:35:07 -0500 [thread overview]
Message-ID: <20200211203510.3534-21-alxndr@bu.edu> (raw)
In-Reply-To: <20200211203510.3534-1-alxndr@bu.edu>
These three targets should simply fuzz reads/writes to a couple ioports,
but they mostly serve as examples of different ways to write targets.
They demonstrate using qtest and qos for fuzzing, as well as using
rebooting and forking to reset state, or not resetting it at all.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
---
tests/qtest/fuzz/Makefile.include | 3 +
tests/qtest/fuzz/i440fx_fuzz.c | 193 ++++++++++++++++++++++++++++++
2 files changed, 196 insertions(+)
create mode 100644 tests/qtest/fuzz/i440fx_fuzz.c
diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
index e3bdd33ff4..38b8cdd9f1 100644
--- a/tests/qtest/fuzz/Makefile.include
+++ b/tests/qtest/fuzz/Makefile.include
@@ -6,6 +6,9 @@ fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton
fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o
fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
+# Targets
+fuzz-obj-y += tests/qtest/fuzz/i440fx_fuzz.o
+
FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
# Linker Script to force coverage-counters into known regions which we can mark
diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c
new file mode 100644
index 0000000000..ab5f112584
--- /dev/null
+++ b/tests/qtest/fuzz/i440fx_fuzz.c
@@ -0,0 +1,193 @@
+/*
+ * I440FX Fuzzing Target
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ * Alexander Bulekov <alxndr@bu.edu>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+
+#include "qemu/main-loop.h"
+#include "tests/qtest/libqtest.h"
+#include "tests/qtest/libqos/pci.h"
+#include "tests/qtest/libqos/pci-pc.h"
+#include "fuzz.h"
+#include "fuzz/qos_fuzz.h"
+#include "fuzz/fork_fuzz.h"
+
+
+#define I440FX_PCI_HOST_BRIDGE_CFG 0xcf8
+#define I440FX_PCI_HOST_BRIDGE_DATA 0xcfc
+
+/*
+ * the input to the fuzzing functions below is a buffer of random bytes. we
+ * want to convert these bytes into a sequence of qtest or qos calls. to do
+ * this we define some opcodes:
+ */
+enum action_id {
+ WRITEB,
+ WRITEW,
+ WRITEL,
+ READB,
+ READW,
+ READL,
+ ACTION_MAX
+};
+
+static void i440fx_fuzz_qtest(QTestState *s,
+ const unsigned char *Data, size_t Size) {
+ /*
+ * loop over the Data, breaking it up into actions. each action has an
+ * opcode, address offset and value
+ */
+ typedef struct QTestFuzzAction {
+ uint8_t opcode;
+ uint8_t addr;
+ uint32_t value;
+ } QTestFuzzAction;
+ QTestFuzzAction a;
+
+ while (Size >= sizeof(a)) {
+ /* make a copy of the action so we can normalize the values in-place */
+ memcpy(&a, Data, sizeof(a));
+ /* select between two i440fx Port IO addresses */
+ uint16_t addr = a.addr % 2 ? I440FX_PCI_HOST_BRIDGE_CFG :
+ I440FX_PCI_HOST_BRIDGE_DATA;
+ switch (a.opcode % ACTION_MAX) {
+ case WRITEB:
+ qtest_outb(s, addr, (uint8_t)a.value);
+ break;
+ case WRITEW:
+ qtest_outw(s, addr, (uint16_t)a.value);
+ break;
+ case WRITEL:
+ qtest_outl(s, addr, (uint32_t)a.value);
+ break;
+ case READB:
+ qtest_inb(s, addr);
+ break;
+ case READW:
+ qtest_inw(s, addr);
+ break;
+ case READL:
+ qtest_inl(s, addr);
+ break;
+ }
+ /* Move to the next operation */
+ Size -= sizeof(a);
+ Data += sizeof(a);
+ }
+ flush_events(s);
+}
+
+static void i440fx_fuzz_qos(QTestState *s,
+ const unsigned char *Data, size_t Size) {
+ /*
+ * Same as i440fx_fuzz_qtest, but using QOS. devfn is incorporated into the
+ * value written over Port IO
+ */
+ typedef struct QOSFuzzAction {
+ uint8_t opcode;
+ uint8_t offset;
+ int devfn;
+ uint32_t value;
+ } QOSFuzzAction;
+
+ static QPCIBus *bus;
+ if (!bus) {
+ bus = qpci_new_pc(s, fuzz_qos_alloc);
+ }
+
+ QOSFuzzAction a;
+ while (Size >= sizeof(a)) {
+ memcpy(&a, Data, sizeof(a));
+ switch (a.opcode % ACTION_MAX) {
+ case WRITEB:
+ bus->config_writeb(bus, a.devfn, a.offset, (uint8_t)a.value);
+ break;
+ case WRITEW:
+ bus->config_writew(bus, a.devfn, a.offset, (uint16_t)a.value);
+ break;
+ case WRITEL:
+ bus->config_writel(bus, a.devfn, a.offset, (uint32_t)a.value);
+ break;
+ case READB:
+ bus->config_readb(bus, a.devfn, a.offset);
+ break;
+ case READW:
+ bus->config_readw(bus, a.devfn, a.offset);
+ break;
+ case READL:
+ bus->config_readl(bus, a.devfn, a.offset);
+ break;
+ }
+ Size -= sizeof(a);
+ Data += sizeof(a);
+ }
+ flush_events(s);
+}
+
+static void i440fx_fuzz_qos_fork(QTestState *s,
+ const unsigned char *Data, size_t Size) {
+ if (fork() == 0) {
+ i440fx_fuzz_qos(s, Data, Size);
+ _Exit(0);
+ } else {
+ wait(NULL);
+ }
+}
+
+static const char *i440fx_qtest_argv = TARGET_NAME " -machine accel=qtest"
+ "-m 0 -display none";
+static const char *i440fx_argv(FuzzTarget *t)
+{
+ return i440fx_qtest_argv;
+}
+
+static void fork_init(void)
+{
+ counter_shm_init();
+}
+
+static void register_pci_fuzz_targets(void)
+{
+ /* Uses simple qtest commands and reboots to reset state */
+ fuzz_add_target(&(FuzzTarget){
+ .name = "i440fx-qtest-reboot-fuzz",
+ .description = "Fuzz the i440fx using raw qtest commands and"
+ "rebooting after each run",
+ .get_init_cmdline = i440fx_argv,
+ .fuzz = i440fx_fuzz_qtest});
+
+ /* Uses libqos and forks to prevent state leakage */
+ fuzz_add_qos_target(&(FuzzTarget){
+ .name = "i440fx-qos-fork-fuzz",
+ .description = "Fuzz the i440fx using raw qtest commands and"
+ "rebooting after each run",
+ .pre_vm_init = &fork_init,
+ .fuzz = i440fx_fuzz_qos_fork,},
+ "i440FX-pcihost",
+ &(QOSGraphTestOptions){}
+ );
+
+ /*
+ * Uses libqos. Doesn't do anything to reset state. Note that if we were to
+ * reboot after each run, we would also have to redo the qos-related
+ * initialization (qos_init_path)
+ */
+ fuzz_add_qos_target(&(FuzzTarget){
+ .name = "i440fx-qos-noreset-fuzz",
+ .description = "Fuzz the i440fx using raw qtest commands and"
+ "rebooting after each run",
+ .fuzz = i440fx_fuzz_qos,},
+ "i440FX-pcihost",
+ &(QOSGraphTestOptions){}
+ );
+}
+
+fuzz_target_init(register_pci_fuzz_targets);
--
2.25.0
next prev parent reply other threads:[~2020-02-11 20:45 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-11 20:34 [PATCH v9 00/23] Add virtual device fuzzing support Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 01/23] checkpatch: replace vl.c in the top of repo check Alexander Bulekov
2020-02-13 11:55 ` Stefan Hajnoczi
2020-02-11 20:34 ` [PATCH v9 02/23] softmmu: move vl.c to softmmu/ Alexander Bulekov
2020-02-13 11:58 ` Stefan Hajnoczi
2020-02-11 20:34 ` [PATCH v9 03/23] softmmu: split off vl.c:main() into main.c Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 04/23] module: check module wasn't already initialized Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 05/23] fuzz: add FUZZ_TARGET module type Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 06/23] qtest: add qtest_server_send abstraction Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 07/23] libqtest: add a layer of abstraction to send/recv Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 08/23] libqtest: make bufwrite rely on the TransportOps Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 09/23] qtest: add in-process incoming command handler Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 10/23] libqos: rename i2c_send and i2c_recv Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 11/23] libqos: split qos-test and libqos makefile vars Alexander Bulekov
2020-02-11 20:34 ` [PATCH v9 12/23] libqos: move useful qos-test funcs to qos_external Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 13/23] fuzz: add fuzzer skeleton Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 14/23] exec: keep ram block across fork when using qtest Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 15/23] main: keep rcu_atfork callback enabled for qtest Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 16/23] fuzz: support for fork-based fuzzing Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 17/23] fuzz: add support for qos-assisted fuzz targets Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 18/23] fuzz: add target/fuzz makefile rules Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 19/23] fuzz: add configure flag --enable-fuzzing Alexander Bulekov
2020-02-11 20:35 ` Alexander Bulekov [this message]
2020-02-11 20:35 ` [PATCH v9 21/23] fuzz: add virtio-net fuzz target Alexander Bulekov
2020-02-11 20:35 ` [PATCH v9 22/23] fuzz: add virtio-scsi " Alexander Bulekov
2020-02-13 13:42 ` Stefan Hajnoczi
2020-02-11 20:35 ` [PATCH v9 23/23] fuzz: add documentation to docs/devel/ Alexander Bulekov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200211203510.3534-21-alxndr@bu.edu \
--to=alxndr@bu.edu \
--cc=bsd@redhat.com \
--cc=darren.kenny@oracle.com \
--cc=lvivier@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).