From nobody Tue Feb 10 15:28:25 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; arc=pass (i=1dmarc=pass fromdomain=bu.edu) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1580276498951240.87378251780797; Tue, 28 Jan 2020 21:41:38 -0800 (PST) Received: from localhost ([::1]:41446 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iwg6b-0004Dj-OF for importer@patchew.org; Wed, 29 Jan 2020 00:41:37 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:44911) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iwfzh-00087c-30 for qemu-devel@nongnu.org; Wed, 29 Jan 2020 00:34:31 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iwfze-00027S-TI for qemu-devel@nongnu.org; Wed, 29 Jan 2020 00:34:28 -0500 Received: from mail-mw2nam10on2098.outbound.protection.outlook.com ([40.107.94.98]:3168 helo=NAM10-MW2-obe.outbound.protection.outlook.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1iwfze-0001yv-Kz for qemu-devel@nongnu.org; Wed, 29 Jan 2020 00:34:26 -0500 Received: from SN6PR03MB3871.namprd03.prod.outlook.com (52.135.102.32) by SN6PR03MB4206.namprd03.prod.outlook.com (52.135.110.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2665.20; Wed, 29 Jan 2020 05:34:24 +0000 Received: from SN6PR03MB3871.namprd03.prod.outlook.com ([fe80::9c11:10cd:6e97:bbe8]) by SN6PR03MB3871.namprd03.prod.outlook.com ([fe80::9c11:10cd:6e97:bbe8%7]) with mapi id 15.20.2665.026; Wed, 29 Jan 2020 05:34:24 +0000 Received: from mozz.bu.edu (128.197.127.33) by MN2PR05CA0029.namprd05.prod.outlook.com (2603:10b6:208:c0::42) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2686.19 via Frontend Transport; Wed, 29 Jan 2020 05:34:23 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jucT3AckNWIrH0UC5t4u+0Yu04kWvWBr5nzPYMRUcgYPRPkPbqXOKwhic6QLDgiZEpNU1kwDbIhZjwBCw9wQgcC4XJOqrygD1AR3sgqiLGf2Jh9VN1dO4TafhH0xuKGY7fnBcIn3HI75zcJZcpywqR+sYuDh1JDdWkA4350cpmyxn0EGvOOLjSRDaz2BPTDlTjyqBPm5YzRX8TZzspCjEhpAFfd6O5eziAhd97M+Bb5R3OeZ1cUw0jhlv6ORMy7/kivtv/qzGEL3CA2B3MnslkVExHb8P3z7Bg+1S8ihQ0MRSzQ8XkJkMxYE4xRr5+3ROmS2cll+yyRMxGEBagB9BA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=K3/v88HWAuWAPx4PQlybO5l5a9/rWxQ9WHHkxquveJY=; b=UkaP3aicJuaCB1mC6O2kDC/Y56udxNw4shl1SQoN98RvtvQDC1mNKxu4K1OvwDUTtc8ePzWkGfw3V95R3mGtEOth2R4sK1H9Nys5UUM3aB4imM0LRK/fOLAXI034/dVQCtFp2RycOC3xkQ7mxCJN+tgHu32DcVslGS8WvdDncHjPRjEAsJEQPmPWyODh/DeLmdayIz3Y4wxnwi75HdUPSR1RSDktobJuXddCcKbBoveewk+USk0ZzKmIHN7/LhCqQiDI7oUQqv3PM6CVT+yXoUxOa/kgegqFjZLA1myoNeIC/ZUspeNKsex7BOzyAK3/aqbU7fZMF/NfCt3WBx8eaw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bu.edu; dmarc=pass action=none header.from=bu.edu; dkim=pass header.d=bu.edu; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bushare.onmicrosoft.com; s=selector2-bushare-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=K3/v88HWAuWAPx4PQlybO5l5a9/rWxQ9WHHkxquveJY=; b=zMHyxGc8Txmv/VAu49RxrDW1R3J42I2DGbmJybnHBXB6neLmPLyN3hIwSPq5uZRwnL77++oQtZ0KpRpkIKYT4jYca8yEvFMza8RO1BgQhpOM9pgCfd7cALkw+b4e1z1n0Oe5X4Q42Da7SghYeRSBjg2auggsvp9cKtcuKI+2e6U= From: "Bulekov, Alexander" To: "qemu-devel@nongnu.org" Subject: [PATCH v8 15/21] fuzz: add support for qos-assisted fuzz targets Thread-Topic: [PATCH v8 15/21] fuzz: add support for qos-assisted fuzz targets Thread-Index: AQHV1mXDE8vjMKen1EqN8+LEGhj8dQ== Date: Wed, 29 Jan 2020 05:34:24 +0000 Message-ID: <20200129053357.27454-16-alxndr@bu.edu> References: <20200129053357.27454-1-alxndr@bu.edu> In-Reply-To: <20200129053357.27454-1-alxndr@bu.edu> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: git-send-email 2.23.0 x-originating-ip: [128.197.127.33] x-clientproxiedby: MN2PR05CA0029.namprd05.prod.outlook.com (2603:10b6:208:c0::42) To SN6PR03MB3871.namprd03.prod.outlook.com (2603:10b6:805:6d::32) authentication-results: spf=none (sender IP is ) smtp.mailfrom=alxndr@bu.edu; x-ms-exchange-messagesentrepresentingtype: 1 x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: e153f1a4-a56a-4119-3afa-08d7a47ce60b x-ms-traffictypediagnostic: SN6PR03MB4206: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:3276; x-forefront-prvs: 02973C87BC x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(376002)(136003)(366004)(346002)(396003)(39860400002)(189003)(199004)(478600001)(75432002)(36756003)(316002)(6916009)(2906002)(786003)(4326008)(54906003)(26005)(186003)(956004)(2616005)(6486002)(7696005)(52116002)(16526019)(1076003)(5660300002)(71200400001)(86362001)(66446008)(66556008)(66946007)(66476007)(8936002)(81156014)(81166006)(64756008)(8676002)(2004002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR03MB4206; H:SN6PR03MB3871.namprd03.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; received-spf: None (protection.outlook.com: bu.edu does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: TztfalSj1kHD6pBxpxxFozOFvRoX3KkeDyvwhRVpNtca+4Dn1AlbmFeHwwQQhdm1pCw4jDtGtan0O3+xnoM5E7Xz3qRnYJARLUktSiVUPiu8Zm/+XcoODEDKU8lvr9xg1xy45rp18zPVoVVmLgxZIZQtfjt9JuLCagmdivowC0UfxafPP2kHLcQxgvq6cd/K3h0kdTLiXrmpe/j9VqpPfDkgMqIOKQysr/rAVqLx+MU7iOvGVVd7Rc+KRNbmceo7g6VqvP6KtcMUAMYJ3kTQnLE672+MEmZwYXf3WJZmbdkMld/LhZQWeeN14OyLH43BqRHD34vpdEwlMgjfX+UQDkaYBS98uUgpenpYNvYFYzrvOU1nLCD2fqHoEcNvwP6OAX0j6oSOccI4a/523cr88G0XD28gt4s7IbXCYG4muqLQ5aHBvfNN8jkrAVl0EhmxBrNpowHx84YNLY3d1mv5b0+kEp3DAI5do3w9FbjhKh/kfOSma7r+Fj3cpwVNSf/j8K1jkL3blOzFpgnvVTrECQ64itn14aYMsICdWrOS+OkGtLCTQ6PNadG4cEY+OE+T x-ms-exchange-antispam-messagedata: I/thkl3IpRriHs2tg6l1B3fiyg0znUss23bl34ygy76NwqMgeoGeNfOsbEnIAKspCEh8tAgjfbBJEC7oEcl+elTTqycZBoUHty2WFKS47bM0fVk2YTGhsofbXfj/OqmlO5K5ICYRITTFeAj9eBZFtQ== Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: bu.edu X-MS-Exchange-CrossTenant-Network-Message-Id: e153f1a4-a56a-4119-3afa-08d7a47ce60b X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jan 2020 05:34:24.0848 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: d57d32cc-c121-488f-b07b-dfe705680c71 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: ymzAbrUkmZzhjSsHtyqyj/P6eWUEmJb2PiIJ6B8VRNWMSI6FEAept/srR92YB+p/ X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR03MB4206 X-detected-operating-system: by eggs.gnu.org: Windows 7 or 8 [fuzzy] X-Received-From: 40.107.94.98 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Laurent Vivier , Thomas Huth , "Bulekov, Alexander" , "bsd@redhat.com" , "stefanha@redhat.com" , "pbonzini@redhat.com" Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: pass (identity @bushare.onmicrosoft.com) Content-Type: text/plain; charset="utf-8" Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi --- tests/qtest/fuzz/Makefile.include | 2 + tests/qtest/fuzz/qos_fuzz.c | 229 ++++++++++++++++++++++++++++++ tests/qtest/fuzz/qos_fuzz.h | 33 +++++ 3 files changed, 264 insertions(+) create mode 100644 tests/qtest/fuzz/qos_fuzz.c create mode 100644 tests/qtest/fuzz/qos_fuzz.h diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.= include index a90915d56d..e3bdd33ff4 100644 --- a/tests/qtest/fuzz/Makefile.include +++ b/tests/qtest/fuzz/Makefile.include @@ -1,8 +1,10 @@ QEMU_PROG_FUZZ=3Dqemu-fuzz-$(TARGET_NAME)$(EXESUF) =20 fuzz-obj-y +=3D tests/qtest/libqtest.o +fuzz-obj-y +=3D $(libqos-obj-y) fuzz-obj-y +=3D tests/qtest/fuzz/fuzz.o # Fuzzer skeleton fuzz-obj-y +=3D tests/qtest/fuzz/fork_fuzz.o +fuzz-obj-y +=3D tests/qtest/fuzz/qos_fuzz.o =20 FUZZ_CFLAGS +=3D -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest =20 diff --git a/tests/qtest/fuzz/qos_fuzz.c b/tests/qtest/fuzz/qos_fuzz.c new file mode 100644 index 0000000000..efdcc6e9d3 --- /dev/null +++ b/tests/qtest/fuzz/qos_fuzz.c @@ -0,0 +1,229 @@ +/* + * QOS-assisted fuzzing helpers + * + * Copyright (c) 2018 Emanuele Giuseppe Esposito + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License version 2 as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see + */ + +#include "qemu/osdep.h" +#include "qemu/units.h" +#include "qapi/error.h" +#include "qemu-common.h" +#include "exec/memory.h" +#include "exec/address-spaces.h" +#include "sysemu/sysemu.h" +#include "qemu/main-loop.h" + +#include "tests/qtest/libqtest.h" +#include "tests/qtest/libqos/malloc.h" +#include "tests/qtest/libqos/qgraph.h" +#include "tests/qtest/libqos/qgraph_internal.h" +#include "tests/qtest/libqos/qos_external.h" + +#include "fuzz.h" +#include "qos_fuzz.h" + +#include "qapi/qapi-commands-machine.h" +#include "qapi/qapi-commands-qom.h" +#include "qapi/qmp/qlist.h" + + +void *fuzz_qos_obj; +QGuestAllocator *fuzz_qos_alloc; + +static const char *fuzz_target_name; +static char **fuzz_path_vec; + +/* + * Replaced the qmp commands with direct qmp_marshal calls. + * Probably there is a better way to do this + */ +static void qos_set_machines_devices_available(void) +{ + QDict *req =3D qdict_new(); + QObject *response; + QDict *args =3D qdict_new(); + QList *lst; + Error *err =3D NULL; + + qmp_marshal_query_machines(NULL, &response, &err); + assert(!err); + lst =3D qobject_to(QList, response); + apply_to_qlist(lst, true); + + qobject_unref(response); + + + qdict_put_str(req, "execute", "qom-list-types"); + qdict_put_str(args, "implements", "device"); + qdict_put_bool(args, "abstract", true); + qdict_put_obj(req, "arguments", (QObject *) args); + + qmp_marshal_qom_list_types(args, &response, &err); + assert(!err); + lst =3D qobject_to(QList, response); + apply_to_qlist(lst, false); + qobject_unref(response); + qobject_unref(req); +} + +static char **current_path; + +void *qos_allocate_objects(QTestState *qts, QGuestAllocator **p_alloc) +{ + return allocate_objects(qts, current_path + 1, p_alloc); +} + +static const char *qos_build_main_args(void) +{ + char **path =3D fuzz_path_vec; + QOSGraphNode *test_node; + GString *cmd_line =3D g_string_new(path[0]); + void *test_arg; + + /* Before test */ + current_path =3D path; + test_node =3D qos_graph_get_node(path[(g_strv_length(path) - 1)]); + test_arg =3D test_node->u.test.arg; + if (test_node->u.test.before) { + test_arg =3D test_node->u.test.before(cmd_line, test_arg); + } + /* Prepend the arguments that we need */ + g_string_prepend(cmd_line, + TARGET_NAME " -display none -machine accel=3Dqtest -m 64 "); + return cmd_line->str; +} + +/* + * This function is largely a copy of qos-test.c:walk_path. Since walk_path + * is itself a callback, its a little annoying to add another argument/lay= er of + * indirection + */ +static void walk_path(QOSGraphNode *orig_path, int len) +{ + QOSGraphNode *path; + QOSGraphEdge *edge; + + /* etype set to QEDGE_CONSUMED_BY so that machine can add to the comma= nd line */ + QOSEdgeType etype =3D QEDGE_CONSUMED_BY; + + /* twice QOS_PATH_MAX_ELEMENT_SIZE since each edge can have its arg */ + char **path_vec =3D g_new0(char *, (QOS_PATH_MAX_ELEMENT_SIZE * 2)); + int path_vec_size =3D 0; + + char *after_cmd, *before_cmd, *after_device; + GString *after_device_str =3D g_string_new(""); + char *node_name =3D orig_path->name, *path_str; + + GString *cmd_line =3D g_string_new(""); + GString *cmd_line2 =3D g_string_new(""); + + path =3D qos_graph_get_node(node_name); /* root */ + node_name =3D qos_graph_edge_get_dest(path->path_edge); /* machine nam= e */ + + path_vec[path_vec_size++] =3D node_name; + path_vec[path_vec_size++] =3D qos_get_machine_type(node_name); + + for (;;) { + path =3D qos_graph_get_node(node_name); + if (!path->path_edge) { + break; + } + + node_name =3D qos_graph_edge_get_dest(path->path_edge); + + /* append node command line + previous edge command line */ + if (path->command_line && etype =3D=3D QEDGE_CONSUMED_BY) { + g_string_append(cmd_line, path->command_line); + g_string_append(cmd_line, after_device_str->str); + g_string_truncate(after_device_str, 0); + } + + path_vec[path_vec_size++] =3D qos_graph_edge_get_name(path->path_e= dge); + /* detect if edge has command line args */ + after_cmd =3D qos_graph_edge_get_after_cmd_line(path->path_edge); + after_device =3D qos_graph_edge_get_extra_device_opts(path->path_e= dge); + before_cmd =3D qos_graph_edge_get_before_cmd_line(path->path_edge); + edge =3D qos_graph_get_edge(path->name, node_name); + etype =3D qos_graph_edge_get_type(edge); + + if (before_cmd) { + g_string_append(cmd_line, before_cmd); + } + if (after_cmd) { + g_string_append(cmd_line2, after_cmd); + } + if (after_device) { + g_string_append(after_device_str, after_device); + } + } + + path_vec[path_vec_size++] =3D NULL; + g_string_append(cmd_line, after_device_str->str); + g_string_free(after_device_str, true); + + g_string_append(cmd_line, cmd_line2->str); + g_string_free(cmd_line2, true); + + /* + * here position 0 has /, position 1 has . + * The path must not have the , qtest_add_data_func adds it. + */ + path_str =3D g_strjoinv("/", path_vec + 1); + + /* Check that this is the test we care about: */ + char *test_name =3D strrchr(path_str, '/') + 1; + if (strcmp(test_name, fuzz_target_name) =3D=3D 0) { + /* + * put arch/machine in position 1 so run_one_test can do its work + * and add the command line at position 0. + */ + path_vec[1] =3D path_vec[0]; + path_vec[0] =3D g_string_free(cmd_line, false); + + fuzz_path_vec =3D path_vec; + } else { + g_free(path_vec); + } + + g_free(path_str); +} + +static const char *qos_get_cmdline(FuzzTarget *t) +{ + /* + * Set a global variable that we use to identify the qos_path for our + * fuzz_target + */ + fuzz_target_name =3D t->name; + qos_set_machines_devices_available(); + qos_graph_foreach_test_path(walk_path); + return qos_build_main_args(); +} + +void fuzz_add_qos_target( + FuzzTarget *fuzz_opts, + const char *interface, + QOSGraphTestOptions *opts + ) +{ + qos_add_test(fuzz_opts->name, interface, NULL, opts); + fuzz_opts->get_init_cmdline =3D qos_get_cmdline; + fuzz_add_target(fuzz_opts); +} + +void qos_init_path(QTestState *s) +{ + fuzz_qos_obj =3D qos_allocate_objects(s , &fuzz_qos_alloc); +} diff --git a/tests/qtest/fuzz/qos_fuzz.h b/tests/qtest/fuzz/qos_fuzz.h new file mode 100644 index 0000000000..477f11b02b --- /dev/null +++ b/tests/qtest/fuzz/qos_fuzz.h @@ -0,0 +1,33 @@ +/* + * QOS-assisted fuzzing helpers + * + * Copyright Red Hat Inc., 2019 + * + * Authors: + * Alexander Bulekov + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#ifndef _QOS_FUZZ_H_ +#define _QOS_FUZZ_H_ + +#include "tests/qtest/fuzz/fuzz.h" +#include "tests/qtest/libqos/qgraph.h" + +int qos_fuzz(const unsigned char *Data, size_t Size); +void qos_setup(void); + +extern void *fuzz_qos_obj; +extern QGuestAllocator *fuzz_qos_alloc; + +void fuzz_add_qos_target( + FuzzTarget *fuzz_opts, + const char *interface, + QOSGraphTestOptions *opts + ); + +void qos_init_path(QTestState *); + +#endif --=20 2.23.0