From nobody Thu Nov 13 16:20:00 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; arc=fail (BodyHash is different from the expected one) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1581453971049312.85676692918344; Tue, 11 Feb 2020 12:46:11 -0800 (PST) Received: from localhost ([::1]:57190 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j1cQ5-0005KT-M1 for importer@patchew.org; Tue, 11 Feb 2020 15:46:09 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:35484) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1j1cG5-0006hP-H8 for qemu-devel@nongnu.org; Tue, 11 Feb 2020 15:35:51 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1j1cG1-00008u-LA for qemu-devel@nongnu.org; Tue, 11 Feb 2020 15:35:49 -0500 Received: from mail-eopbgr690106.outbound.protection.outlook.com ([40.107.69.106]:43233 helo=NAM04-CO1-obe.outbound.protection.outlook.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1j1cG1-0008My-8c for qemu-devel@nongnu.org; Tue, 11 Feb 2020 15:35:45 -0500 Received: from SN6PR03MB3871.namprd03.prod.outlook.com (52.135.102.32) by SN6PR03MB4336.namprd03.prod.outlook.com (20.177.254.75) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2707.27; Tue, 11 Feb 2020 20:35:40 +0000 Received: from SN6PR03MB3871.namprd03.prod.outlook.com ([fe80::9c11:10cd:6e97:bbe8]) by SN6PR03MB3871.namprd03.prod.outlook.com ([fe80::9c11:10cd:6e97:bbe8%7]) with mapi id 15.20.2707.030; Tue, 11 Feb 2020 20:35:40 +0000 Received: from mozz.bu.edu (128.197.127.33) by BL0PR02CA0124.namprd02.prod.outlook.com (2603:10b6:208:35::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2707.23 via Frontend Transport; Tue, 11 Feb 2020 20:35:39 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aEKgWH6jo7k1em+/8ayvpwCRSzCRIATIhhRH6k+tOuScRO9dMbJPFbT8bn84Neh/ZLKMUvC6TfdC65Duty9m/3DVnqkLx6CpzbW+ee/VNU4KmsXzd45wb1qGF/xjCyjFqM4mbY1f4NfIbkW4+u44ghBsISYhNgGs50Keb24Wg03KIw/Snw5pqIBTRa7h3hGh/LkP7bCA4ItxKgUVgeX6KrBMIAhDZmgRNrW8nhohY6vXNvhGvsvci41De8i8c16u3Qys2xDwIxK/NuvO5zBaC3T5vuFRhoLUShkyBbg3NTGwWs87P+k1SOFcmXYnNNWlI9A4kqGih8p/ch24Geh0zA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IyIAbRvmMQLD2Sd3PBj5IaicBDwUApyRERMIDt1SmF8=; b=db5ZORU0yacurqeZZwH0mK2CUT+Vq/6/G3x0VkrZfQB6QQb+w+hQ2mh8lAv0tiB0aMRuiruSiTuMFF7ChJNHVESn9h4gZaXK8mdzC7Ce+83hORYEHFDX/+N3CcPF3fiCYC60oQBtcntW2zB+R9irbXpj0hTA544bANGM/J5vOZB97bXfP5eAjjMReAW6EVFCHz9eczABtk04O3Qzyvq4e3MWSvKHCshgKq6TBbcfvTO7ZW6YCjtHR9W+nVcZm3obBlWFSEBRP8oXcjhU6KhjClDnnxnmjVFcujE3c2fp5/+qcwtzUdFp9rOXZtLWyIW4XKbJFMAmUdYysZ/5n+xBcA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bu.edu; dmarc=pass action=none header.from=bu.edu; dkim=pass header.d=bu.edu; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bushare.onmicrosoft.com; s=selector2-bushare-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IyIAbRvmMQLD2Sd3PBj5IaicBDwUApyRERMIDt1SmF8=; b=OHNk5cjYmdpN+u78M3nkuAeyCb/6hFvrgi1nySmyxaAmUrW1xQnQMdPzTS6iFubIQXearCwKU4oCgthdWPHHaFcsWCDEA5lyf6KDo5L1x3fKdewqALWhjnhdpa/hfTG7iwFccG6Bhswr4jCRP4+hs9XHzNhDqlBMLL48Uh1aR2w= Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=alxndr@bu.edu; From: Alexander Bulekov To: qemu-devel@nongnu.org Subject: [PATCH v9 20/23] fuzz: add i440fx fuzz targets Date: Tue, 11 Feb 2020 15:35:07 -0500 Message-ID: <20200211203510.3534-21-alxndr@bu.edu> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200211203510.3534-1-alxndr@bu.edu> References: <20200211203510.3534-1-alxndr@bu.edu> Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: BL0PR02CA0124.namprd02.prod.outlook.com (2603:10b6:208:35::29) To SN6PR03MB3871.namprd03.prod.outlook.com (2603:10b6:805:6d::32) MIME-Version: 1.0 X-Mailer: git-send-email 2.25.0 X-Originating-IP: [128.197.127.33] X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 0a0e889d-17f2-4618-611b-08d7af31f538 X-MS-TrafficTypeDiagnostic: SN6PR03MB4336: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:4714; X-Forefront-PRVS: 0310C78181 X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(4636009)(396003)(366004)(136003)(376002)(39860400002)(346002)(199004)(189003)(16526019)(6666004)(1076003)(5660300002)(86362001)(316002)(186003)(786003)(66556008)(54906003)(6916009)(66476007)(6486002)(66946007)(8936002)(478600001)(4326008)(7696005)(52116002)(36756003)(75432002)(2616005)(2906002)(956004)(8676002)(26005)(81166006)(81156014); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR03MB4336; H:SN6PR03MB3871.namprd03.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: None (protection.outlook.com: bu.edu does not designate permitted sender hosts) X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: BnyH61gGZsynmMWbYXhctfTeGZBYh2p5EDlWLtAU2u7UO7lVtiwEXXL+1Y0ecRirjyS+yUQ3EXo7Wx7tkFnPkb9Z2gkVJ1nJ06t/z/ZLnSV8IKHQMgnX5HNXAmMawvs0HNthg+wvo6GpNHB1Uiv+qYGhFXye0IIK8rmPreTOsHMdfJV/2UHBboTMzTvuWm1NkEUFcnL2xSkGpVxr839fXH8YCvvM7oGAj6nWX0B2dNlo6GRsS/D8AUIn98MD+Iqq4Q+kLH14BMjhZOim4tve1Dmjmh3Ya4lt2eNvEHnT7qcYu19NjsUyjnqSWn9haP6yToQIRUcBmTtwhZDCMgx6Wu2d7EiRqmwwo67SuG++Bx+rJB21t57LFr2zwAkrWQKKjY05aaag6lUVyoskOZU0x/r0GT7M/0UDBempzew93SXLV7q6cCWP1XqWtZ3x+Im9 X-MS-Exchange-AntiSpam-MessageData: HgxrBT8ecAptumldOhOwLrN19Q1MSVZN9Zd/dlfYjjPzWwPC8aGAUFut+p0FoZraUT6H5iVvWc1/ArSn35d/qBzoJsMxCS7FfcAyBqajQkcpuDYCs4tIiAOL9K5mILudzJPK5jtdqdAMHtYhi87Xhg== X-OriginatorOrg: bu.edu X-MS-Exchange-CrossTenant-Network-Message-Id: 0a0e889d-17f2-4618-611b-08d7af31f538 X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Feb 2020 20:35:40.1603 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: d57d32cc-c121-488f-b07b-dfe705680c71 X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: Th1Yqmk7jzJOypKyHIcU+uJzz0kgNn6+FfZUYfd1+KMdbEWFRL7mfEwSxfcK7wLO X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR03MB4336 X-detected-operating-system: by eggs.gnu.org: No matching host in p0f cache. That's all we know. X-Received-From: 40.107.69.106 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Laurent Vivier , Thomas Huth , darren.kenny@oracle.com, Alexander Bulekov , bsd@redhat.com, stefanha@redhat.com, pbonzini@redhat.com Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Computed bodyhash is different from the expected one) Content-Type: text/plain; charset="utf-8" These three targets should simply fuzz reads/writes to a couple ioports, but they mostly serve as examples of different ways to write targets. They demonstrate using qtest and qos for fuzzing, as well as using rebooting and forking to reset state, or not resetting it at all. Signed-off-by: Alexander Bulekov Reviewed-by: Stefan Hajnoczi Reviewed-by: Darren Kenny --- tests/qtest/fuzz/Makefile.include | 3 + tests/qtest/fuzz/i440fx_fuzz.c | 193 ++++++++++++++++++++++++++++++ 2 files changed, 196 insertions(+) create mode 100644 tests/qtest/fuzz/i440fx_fuzz.c diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.= include index e3bdd33ff4..38b8cdd9f1 100644 --- a/tests/qtest/fuzz/Makefile.include +++ b/tests/qtest/fuzz/Makefile.include @@ -6,6 +6,9 @@ fuzz-obj-y +=3D tests/qtest/fuzz/fuzz.o # Fuzzer skeleton fuzz-obj-y +=3D tests/qtest/fuzz/fork_fuzz.o fuzz-obj-y +=3D tests/qtest/fuzz/qos_fuzz.o =20 +# Targets +fuzz-obj-y +=3D tests/qtest/fuzz/i440fx_fuzz.o + FUZZ_CFLAGS +=3D -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest =20 # Linker Script to force coverage-counters into known regions which we can= mark diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c new file mode 100644 index 0000000000..ab5f112584 --- /dev/null +++ b/tests/qtest/fuzz/i440fx_fuzz.c @@ -0,0 +1,193 @@ +/* + * I440FX Fuzzing Target + * + * Copyright Red Hat Inc., 2019 + * + * Authors: + * Alexander Bulekov + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" + +#include "qemu/main-loop.h" +#include "tests/qtest/libqtest.h" +#include "tests/qtest/libqos/pci.h" +#include "tests/qtest/libqos/pci-pc.h" +#include "fuzz.h" +#include "fuzz/qos_fuzz.h" +#include "fuzz/fork_fuzz.h" + + +#define I440FX_PCI_HOST_BRIDGE_CFG 0xcf8 +#define I440FX_PCI_HOST_BRIDGE_DATA 0xcfc + +/* + * the input to the fuzzing functions below is a buffer of random bytes. we + * want to convert these bytes into a sequence of qtest or qos calls. to do + * this we define some opcodes: + */ +enum action_id { + WRITEB, + WRITEW, + WRITEL, + READB, + READW, + READL, + ACTION_MAX +}; + +static void i440fx_fuzz_qtest(QTestState *s, + const unsigned char *Data, size_t Size) { + /* + * loop over the Data, breaking it up into actions. each action has an + * opcode, address offset and value + */ + typedef struct QTestFuzzAction { + uint8_t opcode; + uint8_t addr; + uint32_t value; + } QTestFuzzAction; + QTestFuzzAction a; + + while (Size >=3D sizeof(a)) { + /* make a copy of the action so we can normalize the values in-pla= ce */ + memcpy(&a, Data, sizeof(a)); + /* select between two i440fx Port IO addresses */ + uint16_t addr =3D a.addr % 2 ? I440FX_PCI_HOST_BRIDGE_CFG : + I440FX_PCI_HOST_BRIDGE_DATA; + switch (a.opcode % ACTION_MAX) { + case WRITEB: + qtest_outb(s, addr, (uint8_t)a.value); + break; + case WRITEW: + qtest_outw(s, addr, (uint16_t)a.value); + break; + case WRITEL: + qtest_outl(s, addr, (uint32_t)a.value); + break; + case READB: + qtest_inb(s, addr); + break; + case READW: + qtest_inw(s, addr); + break; + case READL: + qtest_inl(s, addr); + break; + } + /* Move to the next operation */ + Size -=3D sizeof(a); + Data +=3D sizeof(a); + } + flush_events(s); +} + +static void i440fx_fuzz_qos(QTestState *s, + const unsigned char *Data, size_t Size) { + /* + * Same as i440fx_fuzz_qtest, but using QOS. devfn is incorporated int= o the + * value written over Port IO + */ + typedef struct QOSFuzzAction { + uint8_t opcode; + uint8_t offset; + int devfn; + uint32_t value; + } QOSFuzzAction; + + static QPCIBus *bus; + if (!bus) { + bus =3D qpci_new_pc(s, fuzz_qos_alloc); + } + + QOSFuzzAction a; + while (Size >=3D sizeof(a)) { + memcpy(&a, Data, sizeof(a)); + switch (a.opcode % ACTION_MAX) { + case WRITEB: + bus->config_writeb(bus, a.devfn, a.offset, (uint8_t)a.value); + break; + case WRITEW: + bus->config_writew(bus, a.devfn, a.offset, (uint16_t)a.value); + break; + case WRITEL: + bus->config_writel(bus, a.devfn, a.offset, (uint32_t)a.value); + break; + case READB: + bus->config_readb(bus, a.devfn, a.offset); + break; + case READW: + bus->config_readw(bus, a.devfn, a.offset); + break; + case READL: + bus->config_readl(bus, a.devfn, a.offset); + break; + } + Size -=3D sizeof(a); + Data +=3D sizeof(a); + } + flush_events(s); +} + +static void i440fx_fuzz_qos_fork(QTestState *s, + const unsigned char *Data, size_t Size) { + if (fork() =3D=3D 0) { + i440fx_fuzz_qos(s, Data, Size); + _Exit(0); + } else { + wait(NULL); + } +} + +static const char *i440fx_qtest_argv =3D TARGET_NAME " -machine accel=3Dqt= est" + "-m 0 -display none"; +static const char *i440fx_argv(FuzzTarget *t) +{ + return i440fx_qtest_argv; +} + +static void fork_init(void) +{ + counter_shm_init(); +} + +static void register_pci_fuzz_targets(void) +{ + /* Uses simple qtest commands and reboots to reset state */ + fuzz_add_target(&(FuzzTarget){ + .name =3D "i440fx-qtest-reboot-fuzz", + .description =3D "Fuzz the i440fx using raw qtest commands= and" + "rebooting after each run", + .get_init_cmdline =3D i440fx_argv, + .fuzz =3D i440fx_fuzz_qtest}); + + /* Uses libqos and forks to prevent state leakage */ + fuzz_add_qos_target(&(FuzzTarget){ + .name =3D "i440fx-qos-fork-fuzz", + .description =3D "Fuzz the i440fx using raw qtest commands= and" + "rebooting after each run", + .pre_vm_init =3D &fork_init, + .fuzz =3D i440fx_fuzz_qos_fork,}, + "i440FX-pcihost", + &(QOSGraphTestOptions){} + ); + + /* + * Uses libqos. Doesn't do anything to reset state. Note that if we we= re to + * reboot after each run, we would also have to redo the qos-related + * initialization (qos_init_path) + */ + fuzz_add_qos_target(&(FuzzTarget){ + .name =3D "i440fx-qos-noreset-fuzz", + .description =3D "Fuzz the i440fx using raw qtest commands= and" + "rebooting after each run", + .fuzz =3D i440fx_fuzz_qos,}, + "i440FX-pcihost", + &(QOSGraphTestOptions){} + ); +} + +fuzz_target_init(register_pci_fuzz_targets); --=20 2.25.0