From nobody Mon May 6 01:21:27 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1590427676; cv=none; d=zohomail.com; s=zohoarc; b=imQuh/ZimtOql7fuYIfe1JsEdtnvx1OxYJuUA4J4j9GmBYt3iRuIFsQQom/1kiUteH7yqMb2tIshui+GHv4Eco8XAp+/+DvWNGJJHK0Bjz7g+abTehzpyB7Jsh4kTckR/OA648xMAYlD3l9SudynMv+IhsErzds55SVYy18M+zU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1590427676; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:To; bh=XqZ1EXY6VrW72ffXBXWMYZOAwIAhBSVmFTFpb/NZHrU=; b=m1WFQXX/w7TGHRTsQOVHKpYspuE4Inf56LS1S0qzEf31HJpuKQe8f0GuwzFgYqrO2pfb0lEq63nI9voOQEBSeIdLo7XhIeuItP7Xr3yBTU+25ISYG1LEyX6uPidfABqBE4c6n7RrMUkH5J59x9bjR0SqABlp9Mpe5EXn3sXY9K4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 159042767675758.695764549003; Mon, 25 May 2020 10:27:56 -0700 (PDT) Received: from localhost ([::1]:39488 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jdGtG-00009d-7T for importer@patchew.org; Mon, 25 May 2020 13:27:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:40116) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jdGsY-00089y-2W for qemu-devel@nongnu.org; Mon, 25 May 2020 13:27:10 -0400 Received: from mail-wm1-x342.google.com ([2a00:1450:4864:20::342]:38625) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jdGsW-0000wl-P2 for qemu-devel@nongnu.org; Mon, 25 May 2020 13:27:09 -0400 Received: by mail-wm1-x342.google.com with SMTP id u12so656969wmd.3 for ; Mon, 25 May 2020 10:27:08 -0700 (PDT) Received: from localhost.localdomain (71.red-88-21-204.staticip.rima-tde.net. [88.21.204.71]) by smtp.gmail.com with ESMTPSA id h5sm10492148wrw.85.2020.05.25.10.27.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 25 May 2020 10:27:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=XqZ1EXY6VrW72ffXBXWMYZOAwIAhBSVmFTFpb/NZHrU=; b=QgN1/5GP/bnXUPrFwK5Wse2x3z/KFN93JrS7dsWi9a2hCXewD8O/5Y9n3JXxo2R2QT 8F8c86YCaC/47M6etwyoHNIPajeRIyXLdkDTKyQSGbvpwq13kuvlnyYJapSFIoA6p681 lS542XwoJIIQRIuvgOFWGsJZun4PF+1fdPH94f09nyQq8kddzb8xWbBSNkkdGg+aC48S 5R/vrEVwV+x+ie0YoDkHHjtlb3VxJV9Iy3FBFBVARf6GM4QL75pyzICS62gQNu7rscLg 7H/yWgJeZ/AAf8R7D6lWzNA9jPsVtWkmY+StYdV/LS9mfONvaPqD/L48xznKq19lhKl6 lGKQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :mime-version:content-transfer-encoding; bh=XqZ1EXY6VrW72ffXBXWMYZOAwIAhBSVmFTFpb/NZHrU=; b=pLRZfs/Dixe8R1HaXYTo56SVoYH9Fz+XgogHSRmZsfkmzTIB6YMoEvkoRW0EmUAHG9 STjdtLdo6VklIHxXml6WbWWP5T2C58zBHQ/xl1hmSq7Sxs03KZpPtGEGMPuzw/j/pqw9 03z1ZunGF5VLrBpW9Y/sJO9V/ENvMup4yMwsAdlDdjho04uGiPg+1aTIdDNYRgWDZfqT 6qhWdKmA4P3ixvYefubbVSdFXUBF2ioBOTAaME0Pu80lGuS9T+oWkrY31Fu0FeQC86Xx UXjl14TFSnLwYPLijIP1ixIyE/iOYDoULrtZvRuc/cM4VEdc5SRyvjDnsRPXm/kUjI4S +7QA== X-Gm-Message-State: AOAM530UD941J4gcZjs6Qrd/5ut5UzVi+pyRzD1tKnLZkjOi+lLFCn2i Wpt+S1zzfxQiCrmY5CfyjmY0S6y8SpY= X-Google-Smtp-Source: ABdhPJxlCPBLyxgoUJY8HCXpumyVQUKAJ2bo+kUyfQLON0qbIE9eh/Vs4um7vP7Y7pHS0clJ5br5gA== X-Received: by 2002:a1c:2702:: with SMTP id n2mr27024166wmn.107.1590427626500; Mon, 25 May 2020 10:27:06 -0700 (PDT) From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= To: qemu-devel@nongnu.org Subject: [RFC PATCH] tests/qtest/fuzz: Add direct MemoryRegion fuzzer Date: Mon, 25 May 2020 19:27:04 +0200 Message-Id: <20200525172704.32142-1-f4bug@amsat.org> X-Mailer: git-send-email 2.21.3 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=2a00:1450:4864:20::342; envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wm1-x342.google.com X-detected-operating-system: by eggs.gnu.org: No matching host in p0f cache. That's all we know. X-Spam_score_int: -16 X-Spam_score: -1.7 X-Spam_bar: - X-Spam_report: (-1.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001 autolearn=_AUTOLEARN X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Laurent Vivier , Thomas Huth , =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= , Alexander Bulekov , Bandan Das , Stefan Hajnoczi , Paolo Bonzini Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: fail (Header signature does not verify) This is a proof-of-concept fuzzer that resolve a MemoryRegion Object within the fuzzed QEMU process, then directly do memory accesses using memory_region_dispatch_read/write calls. We avoid first the serialization of QTest strings, then the FlatView resolve and AddressSpace dispatch. Various TODO/FIXME left. In particular we need to be able to parse command line argv[] for machine/device/region_name. This PoC will fuzz the e1000e network device on a Q35 machine, bypassing the PCI bus. Run on a single i7-8650U core, it takes less than 1min to find: $ time \ i386-softmmu/qemu-fuzz-i386 --fuzz-target=3Dmr-fuzz \ -detect_leaks=3D0 -max_len=3D64 /tmp/mycorpus [...] #995301 REDUCE cov: 1042 ft: 3262 corp: 622/13348b lim: 64 exec/s: 23697 r= ss: 349Mb L: 10/64 MS: 2 CopyPart-EraseBytes- #999227 REDUCE cov: 1042 ft: 3262 corp: 622/13345b lim: 64 exec/s: 23791 r= ss: 350Mb L: 40/64 MS: 1 EraseBytes- #1024575 REDUCE cov: 1043 ft: 3272 corp: 629/13702b lim: 64 exec/s:= 23827 rss: 353Mb L: 25/64 MS: 1 EraseBytes- #1025436 REDUCE cov: 1043 ft: 3272 corp: 629/13699b lim: 64 exec/s:= 23847 rss: 353Mb L: 39/64 MS: 1 EraseBytes- qemu: hardware error: e1000e: PSRCTL.BSIZE0 cannot be zero CPU #0: EAX=3D00000000 EBX=3D00000000 ECX=3D00000000 EDX=3D00000663 ESI=3D00000000 EDI=3D00000000 EBP=3D00000000 ESP=3D00000000 EIP=3D0000fff0 EFL=3D00000002 [-------] CPL=3D0 II=3D0 A20=3D1 SMM=3D0 HLT= =3D0 ES =3D0000 00000000 0000ffff 00009300 CS =3Df000 ffff0000 0000ffff 00009b00 SS =3D0000 00000000 0000ffff 00009300 DS =3D0000 00000000 0000ffff 00009300 FS =3D0000 00000000 0000ffff 00009300 GS =3D0000 00000000 0000ffff 00009300 LDT=3D0000 00000000 0000ffff 00008200 TR =3D0000 00000000 0000ffff 00008b00 GDT=3D 00000000 0000ffff IDT=3D 00000000 0000ffff CR0=3D60000010 CR2=3D00000000 CR3=3D00000000 CR4=3D00000000 DR0=3D00000000 DR1=3D00000000 DR2=3D00000000 DR3=3D00000000 DR6=3Dffff0ff0 DR7=3D00000400 EFER=3D0000000000000000 FCW=3D037f FSW=3D0000 [ST=3D0] FTW=3D00 MXCSR=3D00001f80 FPR0=3D0000000000000000 0000 FPR1=3D0000000000000000 0000 FPR2=3D0000000000000000 0000 FPR3=3D0000000000000000 0000 FPR4=3D0000000000000000 0000 FPR5=3D0000000000000000 0000 FPR6=3D0000000000000000 0000 FPR7=3D0000000000000000 0000 XMM00=3D00000000000000000000000000000000 XMM01=3D0000000000000000000000000= 0000000 XMM02=3D00000000000000000000000000000000 XMM03=3D0000000000000000000000000= 0000000 XMM04=3D00000000000000000000000000000000 XMM05=3D0000000000000000000000000= 0000000 XMM06=3D00000000000000000000000000000000 XMM07=3D0000000000000000000000000= 0000000 =3D=3D31659=3D=3D ERROR: libFuzzer: deadly signal #0 0x557a8f6f0430 in __sanitizer_print_stack_trace (i386-softmmu/qemu-= fuzz-i386+0xcb1430) #1 0x557a8f5ff421 in fuzzer::PrintStackTrace() (i386-softmmu/qemu-fuzz= -i386+0xbc0421) #2 0x557a8f5dfcaf in fuzzer::Fuzzer::CrashCallback() (i386-softmmu/qem= u-fuzz-i386+0xba0caf) #3 0x557a8f5dfd03 in fuzzer::Fuzzer::StaticCrashSignalCallback() (i386= -softmmu/qemu-fuzz-i386+0xba0d03) #4 0x7ff5aea7fc6f (/lib64/libpthread.so.0+0x12c6f) #5 0x7ff5ae8bee34 in __GI_raise (/lib64/libc.so.6+0x37e34) #6 0x7ff5ae8a9894 in __GI_abort (/lib64/libc.so.6+0x22894) #7 0x557a8f8bb5dd in hw_error (i386-softmmu/qemu-fuzz-i386+0xe7c5dd) #8 0x557a90425f42 in e1000e_set_psrctl (i386-softmmu/qemu-fuzz-i386+0x= 19e6f42) #9 0x557a904144df in e1000e_core_write (i386-softmmu/qemu-fuzz-i386+0x= 19d54df) #10 0x557a9040c796 in e1000e_mmio_write (i386-softmmu/qemu-fuzz-i386+0= x19cd796) #11 0x557a8f8fbc67 in memory_region_write_accessor (i386-softmmu/qemu-= fuzz-i386+0xebcc67) #12 0x557a8f8fb7d3 in access_with_adjusted_size (i386-softmmu/qemu-fuz= z-i386+0xebc7d3) #13 0x557a8f8fa374 in memory_region_dispatch_write (i386-softmmu/qemu-= fuzz-i386+0xebb374) #14 0x557a90ef4e5f in memory_region_fuzz_one (i386-softmmu/qemu-fuzz-i= 386+0x24b5e5f) #15 0x557a90eef1ae in memory_region_fuzz (i386-softmmu/qemu-fuzz-i386+= 0x24b01ae) #16 0x557a90eed0d0 in LLVMFuzzerTestOneInput (i386-softmmu/qemu-fuzz-i= 386+0x24ae0d0) #17 0x557a8f5e01b8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char co= nst*, unsigned long) (i386-softmmu/qemu-fuzz-i386+0xba11b8) #18 0x557a8f5e358e in fuzzer::Fuzzer::MutateAndTestOne() (i386-softmmu= /qemu-fuzz-i386+0xba458e) #19 0x557a8f5e418f in fuzzer::Fuzzer::Loop(std::vector, std::allocator >, fuzzer::f= uzzer_allocator, st= d::allocator > > > const&) (i386-softmmu/qemu-fuzz-i386+0xba518f) #20 0x557a8f5d6f91 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsi= gned char const*, unsigned long)) (i386-softmmu/qemu-fuzz-i386+0xb97f91) #21 0x557a8f5cdc76 in main (i386-softmmu/qemu-fuzz-i386+0xb8ec76) #22 0x7ff5ae8aaf42 in __libc_start_main (/lib64/libc.so.6+0x23f42) #23 0x557a8f5cdccd in _start (i386-softmmu/qemu-fuzz-i386+0xb8eccd) NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash = reports. SUMMARY: libFuzzer: deadly signal MS: 1 CopyPart-; base unit: 5ce018d6638e560881cffa145fedad441d5ef356 0x0,0x46,0x0,0x26,0x0,0x1,0xe2,0x67,0x8,0x0,0x0,0x0,0x74,0x27,0x70,0x21,0x= 16,0xe1,0xd8,0x0,0x90,0x59,0x1e,0x0,0x27,0x70,0x21,0x0,0x74,0x27,0x70,0x21,= 0x16,0xe1,0xd8,0x0,0x90,0x59,0x1e,0x0,0x27,0x70,0x21,0x2b,0xe1,0xd8,0x0,0x9= 0,0xd6,0x1e,0x0,0x27,0xa,0x1,0xaa,0xc9,0x1,0xb0,0xc0,0x0,0x0,0xda,0x56,0x68, \x00F\x00&\x00\x01\xe2g\x08\x00\x00\x00t'p!\x16\xe1\xd8\x00\x90Y\x1e\x00'p= !\x00t'p!\x16\xe1\xd8\x00\x90Y\x1e\x00'p!+\xe1\xd8\x00\x90\xd6\x1e\x00'\x0a= \x01\xaa\xc9\x01\xb0\xc0\x00\x00\xdaVh artifact_prefix=3D'./'; Test unit written to ./crash-fafe2e3e3412d9a722b06= f43bd57c3c43fe9ae99 Base64: AEYAJgAB4mcIAAAAdCdwIRbh2ACQWR4AJ3AhAHQncCEW4dgAkFkeACdwISvh2ACQ1h= 4AJwoBqskBsMAAANpWaA=3D=3D real 0m44.191s user 0m43.696s sys 0m0.624s libFuzzer report about 24K executions of resetting device and processing packets in a 64 bytes input payload. Inspired-by: Alexander Bulekov Signed-off-by: Philippe Mathieu-Daud=C3=A9 --- tests/qtest/fuzz/memory_region_fuzz.c | 230 ++++++++++++++++++++++++++ tests/qtest/fuzz/Makefile.include | 1 + 2 files changed, 231 insertions(+) create mode 100644 tests/qtest/fuzz/memory_region_fuzz.c diff --git a/tests/qtest/fuzz/memory_region_fuzz.c b/tests/qtest/fuzz/memor= y_region_fuzz.c new file mode 100644 index 0000000000..4e542d1772 --- /dev/null +++ b/tests/qtest/fuzz/memory_region_fuzz.c @@ -0,0 +1,230 @@ +/* + * MMIO Fuzzing Target + * + * Resolve MemoryRegion Object in process, then directly + * access it using memory_region_dispatch_read/write calls. + * + * Copyright 2020 Philippe Mathieu-Daud=C3=A9 + * + * This work is licensed under the terms of the GNU GPL, version 2 or late= r. + * See the COPYING file in the top-level directory. + */ + +#include "qemu/osdep.h" +#include "exec/memory.h" +#include "hw/qdev-core.h" +#include "fuzz.h" + +enum { + MEM8WRITE8 =3D 0x00, + MEM8WRITE16, + MEM8WRITE32, + MEM8WRITE64, + + MEM16WRITE8, + MEM16WRITE16, + MEM16WRITE32, + MEM16WRITE64, + + MEM32WRITE8, + MEM32WRITE16, + MEM32WRITE32, + MEM32WRITE64, + + MEM8READ8 =3D 0x10, + MEM8READ16, + MEM8READ32, + MEM8READ64, + + MEM16READ8, + MEM16READ16, + MEM16READ32, + MEM16READ64, + + MEM32READ8, + MEM32READ16, + MEM32READ32, + MEM32READ64, + + OP_MASK =3D 0x1f +}; + +/* We interpret the fuzzer input as a sequence of packets */ +typedef struct { + union { + uint8_t opcode; + }; + union { + struct { + uint8_t addr; + union { + uint8_t val8[8]; + uint16_t val16[4]; + uint32_t val32[2]; + uint64_t val64[1]; + }; + } QEMU_PACKED mem8; + struct { + uint16_t addr; + union { + uint8_t val8[8]; + uint16_t val16[4]; + uint32_t val32[2]; + uint64_t val64[1]; + }; + } QEMU_PACKED mem16; + struct { + uint32_t addr; + union { + uint8_t val8[8]; + uint16_t val16[4]; + uint32_t val32[2]; + uint64_t val64[1]; + }; + } QEMU_PACKED mem32; + /* mem64 not supported */ + }; +} QEMU_PACKED pkt; + +static void memory_region_fuzz_one(QTestState *s, + DeviceState *dev, + MemoryRegion *mr, + const unsigned char *Data, + size_t Size, + bool do_not_reset) +{ + pkt *a; + size_t sz; + uint64_t addr; + uint64_t iosize; + uint64_t iomask; + uint64_t rdval; + + /* TODO check .valid.min/max_access_size */ + + iosize =3D memory_region_size(mr); + if (iosize < 0x100) { + /* 8-bit address */ + iosize =3D 0x100; + } else if (iosize < 0x10000) { + /* 16-bit address */ + iosize =3D 0x10000; + } else { + /* 32-bit address */ + assert(is_power_of_2(iosize)); + } + iomask =3D iosize - 1; + + if (!do_not_reset) { + device_cold_reset(dev); + } + + /* process all packets */ + while (Size !=3D 0) { + a =3D (pkt *)Data; + switch (a->opcode & OP_MASK) { + + /* ugly but efficient macros... */ +#define CASE_OP_READ(OP, OPTYPE, ADDRW, DATAW, MR) \ + case OP##ADDRW##READ##DATAW:\ + sz =3D sizeof(a->opcode)\ + + sizeof(a->OPTYPE##ADDRW.addr)\ + + sizeof(uint##DATAW##_t);\ + if (Size < sz) {\ + return;\ + }\ + addr =3D a->OPTYPE##ADDRW.addr & iomask;\ + memory_region_dispatch_read(MR, addr, &rdval,\ + size_memop(sizeof(uint##DATAW##_t)= ),\ + MEMTXATTRS_UNSPECIFIED);\ + break +#define CASE_OP_WRITE(OP, OPTYPE, ADDRW, DATAW, MR) \ + case OP##ADDRW##WRITE##DATAW:\ + sz =3D sizeof(a->opcode)\ + + sizeof(a->OPTYPE##ADDRW.addr)\ + + sizeof(uint##DATAW##_t);\ + if (Size < sz) {\ + return;\ + }\ + addr =3D a->OPTYPE##ADDRW.addr & iomask;\ + memory_region_dispatch_write(MR, addr,\ + a->OPTYPE##ADDRW.val##DATAW[0],\ + size_memop(sizeof(uint##DATAW##_t= )),\ + MEMTXATTRS_UNSPECIFIED);\ + break + + /* ... now the macro make more sense? */ +#define CASE_MEMOP(ADDRW, DATAW) \ + CASE_OP_READ(MEM, mem, ADDRW, DATAW, mr);\ + CASE_OP_WRITE(MEM, mem, ADDRW, DATAW, mr) + CASE_MEMOP(8, 8); + CASE_MEMOP(8, 16); + CASE_MEMOP(8, 32); + CASE_MEMOP(8, 64); + CASE_MEMOP(16, 8); + CASE_MEMOP(16, 16); + CASE_MEMOP(16, 32); + CASE_MEMOP(16, 64); + CASE_MEMOP(32, 8); + CASE_MEMOP(32, 16); + CASE_MEMOP(32, 32); + CASE_MEMOP(32, 64); + default: + return; + } + Size -=3D sz; + Data +=3D sz; + } + flush_events(s); +} + +/* Global context, ideally instead of QTestState *s */ +static struct { + Object *dev; + Object *mr; + bool do_not_reset; +} g_ctx; + +/* FIXME get this from command line ... */ +const char *machine_name =3D "q35"; +const char *type_name =3D "e1000e"; +/* FIXME enumerate and select by index? */ +const char *mr_name =3D "e1000e-mmio[0]"; + +static void memory_region_fuzz(QTestState *s, + const unsigned char *Data, + size_t Size) +{ + + if (!g_ctx.dev || !g_ctx.mr) { + g_ctx.dev =3D object_resolve_path_type("", type_name, NULL); + assert(g_ctx.dev); + g_ctx.mr =3D object_resolve_path_component(g_ctx.dev, mr_name); + assert(g_ctx.mr); + } + memory_region_fuzz_one(s, DEVICE(g_ctx.dev), + MEMORY_REGION(g_ctx.mr), + Data, Size, + g_ctx.do_not_reset); +} + +static const char *memory_region_fuzz_argv(FuzzTarget *t) +{ + return g_strdup_printf("%s -machine %s,accel=3Dqtest " + "-m 0 -display none -seed 42", + t->name, machine_name); +} + +static const FuzzTarget memory_region_fuzz_target =3D { + .name =3D "mr-fuzz", + .description =3D "Fuzz doing I/O access to a MemoryRegion", + .get_init_cmdline =3D memory_region_fuzz_argv, + .fuzz =3D memory_region_fuzz +}; + +static void register_memory_region_fuzz_targets(void) +{ + fuzz_add_target(&memory_region_fuzz_target); +} + +fuzz_target_init(register_memory_region_fuzz_targets); diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.= include index f259d866c9..dd2f6a4474 100644 --- a/tests/qtest/fuzz/Makefile.include +++ b/tests/qtest/fuzz/Makefile.include @@ -7,6 +7,7 @@ fuzz-obj-y +=3D tests/qtest/fuzz/fork_fuzz.o fuzz-obj-y +=3D tests/qtest/fuzz/qos_fuzz.o =20 # Targets +fuzz-obj-y +=3D tests/qtest/fuzz/memory_region_fuzz.o fuzz-obj-$(CONFIG_PCI_I440FX) +=3D tests/qtest/fuzz/i440fx_fuzz.o fuzz-obj-$(CONFIG_VIRTIO_NET) +=3D tests/qtest/fuzz/virtio_net_fuzz.o fuzz-obj-$(CONFIG_SCSI) +=3D tests/qtest/fuzz/virtio_scsi_fuzz.o --=20 2.21.3