[Qemu-devel] [RFC PATCH v2 00/17] Add virtual device fuzzing support

Oleinik, Alexander posted 17 patches 4 years, 7 months ago
Test docker-clang@ubuntu failed
Test s390x passed
Test asan failed
Test docker-mingw@fedora passed
Test FreeBSD passed
Test checkpatch passed
git fetch https://github.com/patchew-project/qemu tags/patchew/20190805071038.32146-1-alxndr@bu.edu
Maintainers: Juan Quintela <quintela@redhat.com>, Thomas Huth <thuth@redhat.com>, Laurent Vivier <lvivier@redhat.com>, Richard Henderson <rth@twiddle.net>, "Dr. David Alan Gilbert" <dgilbert@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, Eduardo Habkost <ehabkost@redhat.com>
[Qemu-devel] [RFC PATCH v2 00/17] Add virtual device fuzzing support
Posted by Oleinik, Alexander 4 years, 7 months ago
Changes since v1
 * Split off changes to qos virtio-net and qtest server to other patches
 * Move vl:main initialization into new func: qemu_init
 * Moved useful functions from qos-test.c to a separate object
 * Use struct of function pointers for add_fuzz_target(), instead of
   arguments
 * Move ramfile to migration/qemu-file
 * Rewrite fork-based fuzzer pending patch to libfuzzer
 * Pass check-patch

Based-on: 20190805032400.8054-1-alxndr@bu.edu
Based-on: 20190805031240.6024-1-alxndr@bu.edu

---
As part of Google Summer of Code 2019, I'm working on integrating
fuzzing of virtual devices into QEMU [1]. This is a highly WIP patchset
adding this functionality.

Fuzzers provide random data to a program and monitor its execution for
errors. Coverage-guided fuzzers also observe the parts of the program
that are exercised by each input, and use this information to
mutate/guide the inputs to reach additional parts of the program. They
are quite effective for finding bugs in a wide range of software.

Summary:
 - The virtual-device fuzzers use libfuzzer [2] for coverage-guided
   in-process fuzzing.
 - To fuzz a device, create a new fuzz "target" - i.e. a function that
   exercises QEMU based on inputs provided by the fuzzer.
 - Fuzz targets rely on qtest and libqos to turn inputs into actions.
 - Since libfuzzer does in-process fuzzing, the QEMU state needs to be
   reset after each fuzz run. These patches provide three methods for
   resetting state.
 - There are currently few targets, but they have already helped
   discover bugs in the console and virtio-net, and have reproduced
   previously-reported vulnerabilities.

Alexander Oleinik (17):
  fuzz: Move initialization from main to qemu_init
  fuzz: Add fuzzer configure options
  fuzz: Keep memory mapped for fork-based fuzzer
  fuzz: Skip modules that were already initialized
  fuzz: Add direct receive function for qtest server
  fuzz: Add FUZZ_TARGET module type
  fuzz: Add ramfile qemu-file type
  fuzz: Export the qemu_savevm_live_state function
  fuzz: hardcode needed objects into i386 target
  fuzz: qtest client directly interacts with server
  fuzz: Move useful qos functions to separate object
  fuzz: Add fuzzer skeleton
  fuzz: Add libqos support to the fuzzer
  fuzz: Add forking support to the fuzzer
  fuzz: Add general qtest fuzz-target
  fuzz: Add virtio-net fuzz targets
  fuzz: Add fuzz accelerator type

 accel/fuzz.c                 |  48 +++++++
 configure                    |  15 ++
 exec.c                       |   2 +
 include/qemu/module.h        |   4 +-
 include/sysemu/fuzz.h        |  15 ++
 include/sysemu/qtest.h       |   4 +
 include/sysemu/sysemu.h      |   5 +
 migration/qemu-file.c        |  84 +++++++++++
 migration/qemu-file.h        |  11 ++
 migration/savevm.c           |   9 +-
 migration/savevm.h           |   2 +
 qtest.c                      |  14 ++
 target/i386/Makefile.objs    |  20 +++
 tests/fuzz/fuzz.c            | 245 +++++++++++++++++++++++++++++++++
 tests/fuzz/fuzz.h            |  70 ++++++++++
 tests/fuzz/fuzzer_hooks.c    |  62 +++++++++
 tests/fuzz/fuzzer_hooks.h    |  21 +++
 tests/fuzz/qos_fuzz.c        |  58 ++++++++
 tests/fuzz/qos_fuzz.h        |  23 ++++
 tests/fuzz/qos_helpers.c     | 190 +++++++++++++++++++++++++
 tests/fuzz/qos_helpers.h     |  17 +++
 tests/fuzz/qtest_fuzz.c      | 260 +++++++++++++++++++++++++++++++++++
 tests/fuzz/qtest_fuzz.h      |  37 +++++
 tests/fuzz/virtio-net-fuzz.c | 254 ++++++++++++++++++++++++++++++++++
 tests/libqos/qos_external.c  | 149 ++++++++++++++++++++
 tests/libqos/qos_external.h  |   8 ++
 tests/libqtest.c             |  61 +++++++-
 tests/libqtest.h             |   6 +
 tests/qos-test.c             | 132 +-----------------
 util/module.c                |   7 +
 vl.c                         |  25 +++-
 31 files changed, 1720 insertions(+), 138 deletions(-)
 create mode 100644 accel/fuzz.c
 create mode 100644 include/sysemu/fuzz.h
 create mode 100644 tests/fuzz/fuzz.c
 create mode 100644 tests/fuzz/fuzz.h
 create mode 100644 tests/fuzz/fuzzer_hooks.c
 create mode 100644 tests/fuzz/fuzzer_hooks.h
 create mode 100644 tests/fuzz/qos_fuzz.c
 create mode 100644 tests/fuzz/qos_fuzz.h
 create mode 100644 tests/fuzz/qos_helpers.c
 create mode 100644 tests/fuzz/qos_helpers.h
 create mode 100644 tests/fuzz/qtest_fuzz.c
 create mode 100644 tests/fuzz/qtest_fuzz.h
 create mode 100644 tests/fuzz/virtio-net-fuzz.c
 create mode 100644 tests/libqos/qos_external.c
 create mode 100644 tests/libqos/qos_external.h

-- 
2.20.1
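The target shape the summary above describes, as an added example that is not code from this series or from QEMU: raw fuzzer bytes are decoded into fixed-size actions, each action becomes a register access on a constructed toy device, and device state is re-initialised before every run so libFuzzer's in-process runs stay independent. ToyDevice, dev_write, dev_reg and dev_reset are assumed stand-ins for the qtest/libqos calls a real target would make.

```c
/* Added example, not code from the series: the shape of an in-process
 * libFuzzer target as the cover letter describes it. Fuzzer bytes are decoded
 * into fixed-size actions, each becomes a register access on a device, and
 * device state is re-initialised before every run so runs stay independent.
 * ToyDevice, dev_write and dev_reset are constructed stand-ins for a QEMU
 * device driven through qtest; they are not QEMU or libqos APIs. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define REG_COUNT 16
#define ACTION_LEN 6   /* bytes consumed per decoded action */
typedef struct { uint32_t regs[REG_COUNT]; uint32_t writes; } ToyDevice;
typedef struct { uint8_t op; uint8_t reg; uint32_t value; } FuzzAction;
static ToyDevice dev;
static void dev_reset(ToyDevice *d) { memset(d, 0, sizeof(*d)); }

/* The harness bounds-checks its own indices: a crash found while fuzzing
 * must come from the device model, not from the target driving it. */
static int dev_write(ToyDevice *d, uint8_t reg, uint32_t value) {
    if (reg >= REG_COUNT) return 0;   /* like a write to unmapped space */
    d->regs[reg] = value;
    d->writes++;
    return 1;
}
uint32_t dev_reg(uint8_t reg) { return reg < REG_COUNT ? dev.regs[reg] : 0; }
uint32_t dev_write_count(void) { return dev.writes; }

/* Decode one action at 'off'; returns 0 once input is exhausted, so a
 * trailing partial action is dropped instead of being read past 'size'. */
static int decode_action(const uint8_t *d, size_t size, size_t off, FuzzAction *a) {
    if (off + ACTION_LEN > size) return 0;
    a->op = d[off] & 1;                  /* 0 = read, 1 = write */
    a->reg = d[off + 1];
    a->value = (uint32_t)d[off + 2] | (uint32_t)d[off + 3] << 8 |   /* little-endian */
               (uint32_t)d[off + 4] << 16 | (uint32_t)d[off + 5] << 24;
    return 1;
}
/* One fuzz run: reset, replay every decoded action, report how many ran. */
size_t run_actions(const uint8_t *data, size_t size) {
    FuzzAction a;
    size_t n = 0, off = 0;
    dev_reset(&dev);
    for (; decode_action(data, size, off, &a); off += ACTION_LEN, n++) {
        if (a.op) dev_write(&dev, a.reg, a.value);
        else (void)dev_reg(a.reg);
    }
    return n;
}

/* libFuzzer entry point; libFuzzer itself supplies main() and the input loop. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { run_actions(data, size); return 0; }
```

Build with `clang -fsanitize=fuzzer,address` to let libFuzzer drive LLVMFuzzerTestOneInput; the series wires the same entry point to QEMU's qtest server instead of a toy device.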


Re: [Qemu-devel] [RFC PATCH v2 00/17] Add virtual device fuzzing support
Posted by no-reply@patchew.org 4 years, 7 months ago
Patchew URL: https://patchew.org/QEMU/20190805071038.32146-1-alxndr@bu.edu/

Hi,

This series failed the asan build test. Please find the testing commands and
their output below. If you have Docker installed, you can probably reproduce it
locally.

=== TEST SCRIPT BEGIN ===
#!/bin/bash
make docker-image-fedora V=1 NETWORK=1
time make docker-test-debug@fedora TARGET_LIST=x86_64-softmmu J=14 NETWORK=1
=== TEST SCRIPT END ===

/usr/bin/ld: tests/qos-test.o: in function `qos_set_machines_devices_available':
/tmp/qemu-test/src/tests/qos-test.c:60: undefined reference to `apply_to_qlist'
/usr/bin/ld: /tmp/qemu-test/src/tests/qos-test.c:72: undefined reference to `apply_to_qlist'
clang-8: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [/tmp/qemu-test/src/rules.mak:124: tests/qos-test] Error 1
make: *** Waiting for unfinished jobs....


The full log is available at
http://patchew.org/logs/20190805071038.32146-1-alxndr@bu.edu/testing.asan/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-devel@redhat.com