exec.c | 17 +- include/exec/memory.h | 8 + include/exec/memory_ldst_cached.inc.h | 9 + include/sysemu/dma.h | 5 +- memory_ldst.inc.c | 12 + tests/qtest/fuzz/Makefile.include | 1 + tests/qtest/fuzz/general_fuzz.c | 556 ++++++++++++++++++++++++++ 7 files changed, 606 insertions(+), 2 deletions(-) create mode 100644 tests/qtest/fuzz/general_fuzz.c
These patches add a generic fuzzer for virtual devices. This should allow us to fuzz devices that accept inputs over MMIO, PIO and DMA without any device-specific code. Example: QEMU_FUZZ_ARGS="-device virtio-net" \ FUZZ_REGION_WHITELIST="virtio pci-" \ ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz The above command will add a virtio-net device to the QEMU arguments and restrict the fuzzer to only interact with MMIO and PIO regions with names that contain "virtio" or "pci-". I find these names using the info mtree monitor command. Basically, the fuzzer splits the input into a series of commands, such as mmio_write, pio_write, etc. Additionally, these patches add "hooks" to functions that are typically used by virtual-devices to read from RAM (DMA). These hooks attempt to populate these DMA regions with fuzzed data, just in time. There are some differences from my reference code that seem to result in performance issues that I am still trying to iron out. I also need to figure out how to add the DMA "hooks" in a neat way. Maybe I can use -Wl,--wrap for this. I appreciate any feedback. Alexander Bulekov (3): fuzz: add a general fuzzer for any qemu arguments fuzz: add support for fuzzing DMA regions fuzz: Add callbacks for dma-access functions exec.c | 17 +- include/exec/memory.h | 8 + include/exec/memory_ldst_cached.inc.h | 9 + include/sysemu/dma.h | 5 +- memory_ldst.inc.c | 12 + tests/qtest/fuzz/Makefile.include | 1 + tests/qtest/fuzz/general_fuzz.c | 556 ++++++++++++++++++++++++++ 7 files changed, 606 insertions(+), 2 deletions(-) create mode 100644 tests/qtest/fuzz/general_fuzz.c -- 2.26.2
On Thu, Jun 11, 2020 at 01:56:48AM -0400, Alexander Bulekov wrote: > These patches add a generic fuzzer for virtual devices. This should > allow us to fuzz devices that accept inputs over MMIO, PIO and DMA > without any device-specific code. > > Example: > QEMU_FUZZ_ARGS="-device virtio-net" \ > FUZZ_REGION_WHITELIST="virtio pci-" \ > ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz > > The above command will add a virtio-net device to the QEMU arguments and > restrict the fuzzer to only interact with MMIO and PIO regions with > names that contain "virtio" or "pci-". I find these names using the info > mtree monitor command. > > Basically, the fuzzer splits the input into a series of commands, such > as mmio_write, pio_write, etc. Additionally, these patches add "hooks" > to functions that are typically used by virtual-devices to read from RAM > (DMA). These hooks attempt to populate these DMA regions with fuzzed > data, just in time. There are some differences from my reference code > that seem to result in performance issues that I am still trying to iron > out. I also need to figure out how to add the DMA "hooks" in a neat way. > Maybe I can use -Wl,--wrap for this. I appreciate any feedback. > > Alexander Bulekov (3): > fuzz: add a general fuzzer for any qemu arguments > fuzz: add support for fuzzing DMA regions > fuzz: Add callbacks for dma-access functions > > exec.c | 17 +- > include/exec/memory.h | 8 + > include/exec/memory_ldst_cached.inc.h | 9 + > include/sysemu/dma.h | 5 +- > memory_ldst.inc.c | 12 + > tests/qtest/fuzz/Makefile.include | 1 + > tests/qtest/fuzz/general_fuzz.c | 556 ++++++++++++++++++++++++++ > 7 files changed, 606 insertions(+), 2 deletions(-) > create mode 100644 tests/qtest/fuzz/general_fuzz.c CCing Dima in case he is interested in this generic fuzzing approach. Stefan
On Tue, Jun 23, 2020 at 03:16:01PM +0100, Stefan Hajnoczi wrote: > On Thu, Jun 11, 2020 at 01:56:48AM -0400, Alexander Bulekov wrote: > > These patches add a generic fuzzer for virtual devices. This should > > allow us to fuzz devices that accept inputs over MMIO, PIO and DMA > > without any device-specific code. > > > > Example: > > QEMU_FUZZ_ARGS="-device virtio-net" \ > > FUZZ_REGION_WHITELIST="virtio pci-" \ > > ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz > > > > The above command will add a virtio-net device to the QEMU arguments and > > restrict the fuzzer to only interact with MMIO and PIO regions with > > names that contain "virtio" or "pci-". I find these names using the info > > mtree monitor command. > > > > Basically, the fuzzer splits the input into a series of commands, such > > as mmio_write, pio_write, etc. Additionally, these patches add "hooks" > > to functions that are typically used by virtual-devices to read from RAM > > (DMA). These hooks attempt to populate these DMA regions with fuzzed > > data, just in time. There are some differences from my reference code > > that seem to result in performance issues that I am still trying to iron > > out. I also need to figure out how to add the DMA "hooks" in a neat way. > > Maybe I can use -Wl,--wrap for this. I appreciate any feedback. > > > > Alexander Bulekov (3): > > fuzz: add a general fuzzer for any qemu arguments > > fuzz: add support for fuzzing DMA regions > > fuzz: Add callbacks for dma-access functions > > > > exec.c | 17 +- > > include/exec/memory.h | 8 + > > include/exec/memory_ldst_cached.inc.h | 9 + > > include/sysemu/dma.h | 5 +- > > memory_ldst.inc.c | 12 + > > tests/qtest/fuzz/Makefile.include | 1 + > > tests/qtest/fuzz/general_fuzz.c | 556 ++++++++++++++++++++++++++ > > 7 files changed, 606 insertions(+), 2 deletions(-) > > create mode 100644 tests/qtest/fuzz/general_fuzz.c > > CCing Dima in case he is interested in this generic fuzzing approach. > > Stefan Thanks for adding me, going to look into it on this weekend. Dima.
Patchew URL: https://patchew.org/QEMU/20200611055651.13784-1-alxndr@bu.edu/ Hi, This series seems to have some coding style problems. See output below for more information: Message-id: 20200611055651.13784-1-alxndr@bu.edu Subject: [RFC PATCH 0/3] fuzz: add generic fuzzer Type: series === TEST SCRIPT BEGIN === #!/bin/bash git rev-parse base > /dev/null || exit 0 git config --local diff.renamelimit 0 git config --local diff.renames True git config --local diff.algorithm histogram ./scripts/checkpatch.pl --mailback base.. === TEST SCRIPT END === From https://github.com/patchew-project/qemu * [new tag] patchew/20200611055651.13784-1-alxndr@bu.edu -> patchew/20200611055651.13784-1-alxndr@bu.edu Switched to a new branch 'test' 581b756 fuzz: Add callbacks for dma-access functions efcea82 fuzz: add support for fuzzing DMA regions 03d7012 fuzz: add a general fuzzer for any qemu arguments === OUTPUT BEGIN === 1/3 Checking commit 03d701265206 (fuzz: add a general fuzzer for any qemu arguments) WARNING: added, moved or deleted file(s), does MAINTAINERS need updating? #23: new file mode 100644 ERROR: "foo* bar" should be "foo *bar" #366: FILE: tests/qtest/fuzz/general_fuzz.c:339: + void (*ops[]) (QTestState* s, const unsigned char* , size_t) = { total: 1 errors, 1 warnings, 461 lines checked Patch 1/3 has style problems, please review. If any of these errors are false positives report them to the maintainer, see CHECKPATCH in MAINTAINERS. 2/3 Checking commit efcea82301ce (fuzz: add support for fuzzing DMA regions) ERROR: externs should be avoided in .c files #35: FILE: tests/qtest/fuzz/general_fuzz.c:71: +void dma_read_cb(size_t addr, size_t len); total: 1 errors, 0 warnings, 147 lines checked Patch 2/3 has style problems, please review. If any of these errors are false positives report them to the maintainer, see CHECKPATCH in MAINTAINERS. 3/3 Checking commit 581b756ff038 (fuzz: Add callbacks for dma-access functions) ERROR: space required before the open parenthesis '(' #20: FILE: exec.c:3251: + if(as->root == get_system_memory()) ERROR: space required before the open parenthesis '(' #31: FILE: exec.c:3563: + if(as->root == get_system_memory() && !is_write) ERROR: braces {} are necessary for all arms of this statement #31: FILE: exec.c:3563: + if(as->root == get_system_memory() && !is_write) [...] ERROR: space required before the open parenthesis '(' #42: FILE: exec.c:3574: + if(as->root == get_system_memory() && !is_write) ERROR: braces {} are necessary for all arms of this statement #42: FILE: exec.c:3574: + if(as->root == get_system_memory() && !is_write) [...] ERROR: space required before the open parenthesis '(' #53: FILE: exec.c:3650: + if(as->root == get_system_memory() && !is_write) ERROR: braces {} are necessary for all arms of this statement #53: FILE: exec.c:3650: + if(as->root == get_system_memory() && !is_write) [...] ERROR: braces {} are necessary for all arms of this statement #128: FILE: include/sysemu/dma.h:109: + if (dir == DMA_DIRECTION_TO_DEVICE) [...] total: 8 errors, 0 warnings, 136 lines checked Patch 3/3 has style problems, please review. If any of these errors are false positives report them to the maintainer, see CHECKPATCH in MAINTAINERS. === OUTPUT END === Test command exited with code: 1 The full log is available at http://patchew.org/logs/20200611055651.13784-1-alxndr@bu.edu/testing.checkpatch/?type=message. --- Email generated automatically by Patchew [https://patchew.org/]. Please send your feedback to patchew-devel@redhat.com
© 2016 - 2024 Red Hat, Inc.