exec.c | 17 +- include/exec/memory.h | 8 + include/exec/memory_ldst_cached.inc.h | 9 + include/sysemu/dma.h | 5 +- memory_ldst.inc.c | 12 + tests/qtest/fuzz/Makefile.include | 1 + tests/qtest/fuzz/general_fuzz.c | 556 ++++++++++++++++++++++++++ 7 files changed, 606 insertions(+), 2 deletions(-) create mode 100644 tests/qtest/fuzz/general_fuzz.c
These patches add a generic fuzzer for virtual devices. This should allow us to fuzz devices that accept inputs over MMIO, PIO and DMA without any device-specific code. Example: QEMU_FUZZ_ARGS="-device virtio-net" \ FUZZ_REGION_WHITELIST="virtio pci-" \ ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz The above command will add a virtio-net device to the QEMU arguments and restrict the fuzzer to only interact with MMIO and PIO regions with names that contain "virtio" or "pci-". I find these names using the info mtree monitor command. Basically, the fuzzer splits the input into a series of commands, such as mmio_write, pio_write, etc. Additionally, these patches add "hooks" to functions that are typically used by virtual-devices to read from RAM (DMA). These hooks attempt to populate these DMA regions with fuzzed data, just in time. There are some differences from my reference code that seem to result in performance issues that I am still trying to iron out. I also need to figure out how to add the DMA "hooks" in a neat way. Maybe I can use -Wl,--wrap for this. I appreciate any feedback. Alexander Bulekov (3): fuzz: add a general fuzzer for any qemu arguments fuzz: add support for fuzzing DMA regions fuzz: Add callbacks for dma-access functions exec.c | 17 +- include/exec/memory.h | 8 + include/exec/memory_ldst_cached.inc.h | 9 + include/sysemu/dma.h | 5 +- memory_ldst.inc.c | 12 + tests/qtest/fuzz/Makefile.include | 1 + tests/qtest/fuzz/general_fuzz.c | 556 ++++++++++++++++++++++++++ 7 files changed, 606 insertions(+), 2 deletions(-) create mode 100644 tests/qtest/fuzz/general_fuzz.c -- 2.26.2
On Thu, Jun 11, 2020 at 01:56:48AM -0400, Alexander Bulekov wrote: > These patches add a generic fuzzer for virtual devices. This should > allow us to fuzz devices that accept inputs over MMIO, PIO and DMA > without any device-specific code. > > Example: > QEMU_FUZZ_ARGS="-device virtio-net" \ > FUZZ_REGION_WHITELIST="virtio pci-" \ > ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz > > The above command will add a virtio-net device to the QEMU arguments and > restrict the fuzzer to only interact with MMIO and PIO regions with > names that contain "virtio" or "pci-". I find these names using the info > mtree monitor command. > > Basically, the fuzzer splits the input into a series of commands, such > as mmio_write, pio_write, etc. Additionally, these patches add "hooks" > to functions that are typically used by virtual-devices to read from RAM > (DMA). These hooks attempt to populate these DMA regions with fuzzed > data, just in time. There are some differences from my reference code > that seem to result in performance issues that I am still trying to iron > out. I also need to figure out how to add the DMA "hooks" in a neat way. > Maybe I can use -Wl,--wrap for this. I appreciate any feedback. > > Alexander Bulekov (3): > fuzz: add a general fuzzer for any qemu arguments > fuzz: add support for fuzzing DMA regions > fuzz: Add callbacks for dma-access functions > > exec.c | 17 +- > include/exec/memory.h | 8 + > include/exec/memory_ldst_cached.inc.h | 9 + > include/sysemu/dma.h | 5 +- > memory_ldst.inc.c | 12 + > tests/qtest/fuzz/Makefile.include | 1 + > tests/qtest/fuzz/general_fuzz.c | 556 ++++++++++++++++++++++++++ > 7 files changed, 606 insertions(+), 2 deletions(-) > create mode 100644 tests/qtest/fuzz/general_fuzz.c CCing Dima in case he is interested in this generic fuzzing approach. Stefan
On Tue, Jun 23, 2020 at 03:16:01PM +0100, Stefan Hajnoczi wrote: > On Thu, Jun 11, 2020 at 01:56:48AM -0400, Alexander Bulekov wrote: > > These patches add a generic fuzzer for virtual devices. This should > > allow us to fuzz devices that accept inputs over MMIO, PIO and DMA > > without any device-specific code. > > > > Example: > > QEMU_FUZZ_ARGS="-device virtio-net" \ > > FUZZ_REGION_WHITELIST="virtio pci-" \ > > ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz > > > > The above command will add a virtio-net device to the QEMU arguments and > > restrict the fuzzer to only interact with MMIO and PIO regions with > > names that contain "virtio" or "pci-". I find these names using the info > > mtree monitor command. > > > > Basically, the fuzzer splits the input into a series of commands, such > > as mmio_write, pio_write, etc. Additionally, these patches add "hooks" > > to functions that are typically used by virtual-devices to read from RAM > > (DMA). These hooks attempt to populate these DMA regions with fuzzed > > data, just in time. There are some differences from my reference code > > that seem to result in performance issues that I am still trying to iron > > out. I also need to figure out how to add the DMA "hooks" in a neat way. > > Maybe I can use -Wl,--wrap for this. I appreciate any feedback. > > > > Alexander Bulekov (3): > > fuzz: add a general fuzzer for any qemu arguments > > fuzz: add support for fuzzing DMA regions > > fuzz: Add callbacks for dma-access functions > > > > exec.c | 17 +- > > include/exec/memory.h | 8 + > > include/exec/memory_ldst_cached.inc.h | 9 + > > include/sysemu/dma.h | 5 +- > > memory_ldst.inc.c | 12 + > > tests/qtest/fuzz/Makefile.include | 1 + > > tests/qtest/fuzz/general_fuzz.c | 556 ++++++++++++++++++++++++++ > > 7 files changed, 606 insertions(+), 2 deletions(-) > > create mode 100644 tests/qtest/fuzz/general_fuzz.c > > CCing Dima in case he is interested in this generic fuzzing approach. > > Stefan Thanks for adding me, going to look into it on this weekend. Dima.
Patchew URL: https://patchew.org/QEMU/20200611055651.13784-1-alxndr@bu.edu/
Hi,
This series seems to have some coding style problems. See output below for
more information:
Message-id: 20200611055651.13784-1-alxndr@bu.edu
Subject: [RFC PATCH 0/3] fuzz: add generic fuzzer
Type: series
=== TEST SCRIPT BEGIN ===
#!/bin/bash
git rev-parse base > /dev/null || exit 0
git config --local diff.renamelimit 0
git config --local diff.renames True
git config --local diff.algorithm histogram
./scripts/checkpatch.pl --mailback base..
=== TEST SCRIPT END ===
From https://github.com/patchew-project/qemu
* [new tag] patchew/20200611055651.13784-1-alxndr@bu.edu -> patchew/20200611055651.13784-1-alxndr@bu.edu
Switched to a new branch 'test'
581b756 fuzz: Add callbacks for dma-access functions
efcea82 fuzz: add support for fuzzing DMA regions
03d7012 fuzz: add a general fuzzer for any qemu arguments
=== OUTPUT BEGIN ===
1/3 Checking commit 03d701265206 (fuzz: add a general fuzzer for any qemu arguments)
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#23:
new file mode 100644
ERROR: "foo* bar" should be "foo *bar"
#366: FILE: tests/qtest/fuzz/general_fuzz.c:339:
+ void (*ops[]) (QTestState* s, const unsigned char* , size_t) = {
total: 1 errors, 1 warnings, 461 lines checked
Patch 1/3 has style problems, please review. If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
2/3 Checking commit efcea82301ce (fuzz: add support for fuzzing DMA regions)
ERROR: externs should be avoided in .c files
#35: FILE: tests/qtest/fuzz/general_fuzz.c:71:
+void dma_read_cb(size_t addr, size_t len);
total: 1 errors, 0 warnings, 147 lines checked
Patch 2/3 has style problems, please review. If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
3/3 Checking commit 581b756ff038 (fuzz: Add callbacks for dma-access functions)
ERROR: space required before the open parenthesis '('
#20: FILE: exec.c:3251:
+ if(as->root == get_system_memory())
ERROR: space required before the open parenthesis '('
#31: FILE: exec.c:3563:
+ if(as->root == get_system_memory() && !is_write)
ERROR: braces {} are necessary for all arms of this statement
#31: FILE: exec.c:3563:
+ if(as->root == get_system_memory() && !is_write)
[...]
ERROR: space required before the open parenthesis '('
#42: FILE: exec.c:3574:
+ if(as->root == get_system_memory() && !is_write)
ERROR: braces {} are necessary for all arms of this statement
#42: FILE: exec.c:3574:
+ if(as->root == get_system_memory() && !is_write)
[...]
ERROR: space required before the open parenthesis '('
#53: FILE: exec.c:3650:
+ if(as->root == get_system_memory() && !is_write)
ERROR: braces {} are necessary for all arms of this statement
#53: FILE: exec.c:3650:
+ if(as->root == get_system_memory() && !is_write)
[...]
ERROR: braces {} are necessary for all arms of this statement
#128: FILE: include/sysemu/dma.h:109:
+ if (dir == DMA_DIRECTION_TO_DEVICE)
[...]
total: 8 errors, 0 warnings, 136 lines checked
Patch 3/3 has style problems, please review. If any of these errors
are false positives report them to the maintainer, see
CHECKPATCH in MAINTAINERS.
=== OUTPUT END ===
Test command exited with code: 1
The full log is available at
http://patchew.org/logs/20200611055651.13784-1-alxndr@bu.edu/testing.checkpatch/?type=message.
---
Email generated automatically by Patchew [https://patchew.org/].
Please send your feedback to patchew-devel@redhat.com
© 2016 - 2026 Red Hat, Inc.