From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH 1/2] docs/fuzz: rST-ify the fuzzing documentation
Date: Fri, 6 Nov 2020 13:05:59 -0500
Message-Id: <20201106180600.360110-2-alxndr@bu.edu>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20201106180600.360110-1-alxndr@bu.edu>
References: <20201106180600.360110-1-alxndr@bu.edu>
Cc: Alexander Bulekov, Bandan Das, Thomas Huth, Stefan Hajnoczi, Paolo Bonzini
Content-Type: text/plain; charset="utf-8"

Signed-off-by: Alexander Bulekov
---
 MAINTAINERS            |   2 +-
 docs/devel/fuzzing.rst | 236 +++++++++++++++++++++++++++++++++++++++++
 docs/devel/fuzzing.txt | 214 -------------------------------------
 docs/devel/index.rst   |   1 +
 4 files changed, 238 insertions(+), 215 deletions(-)
 create mode 100644 docs/devel/fuzzing.rst
 delete mode 100644 docs/devel/fuzzing.txt

diff --git a/MAINTAINERS b/MAINTAINERS index 63223e1183..da1ef68ff1 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2517,7 +2517,7 @@ R: Thomas Huth S: Maintained F: tests/qtest/fuzz/ F: scripts/oss-fuzz/ -F: docs/devel/fuzzing.txt +F: docs/devel/fuzzing.rst =20 Register API M: Alistair Francis diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst new file mode 100644 index 0000000000..f19d75ceff --- /dev/null +++ b/docs/devel/fuzzing.rst 
@@ -0,0 +1,236 @@ +=3D=3D=3D=3D=3D=3D=3D=3D +Fuzzing +=3D=3D=3D=3D=3D=3D=3D=3D + +This document describes the virtual-device fuzzing infrastructure in QEMU = and +how to use it to implement additional fuzzers. + +Basics +------ + +Fuzzing operates by passing inputs to an entry point/target function. The +fuzzer tracks the code coverage triggered by the input. Based on these +findings, the fuzzer mutates the input and repeats the fuzzing. + +To fuzz QEMU, we rely on libfuzzer. Unlike other fuzzers such as AFL, libf= uzzer +is an *in-process* fuzzer. For the developer, this means that it is their +responsibility to ensure that state is reset between fuzzing-runs. + +Building the fuzzers +-------------------- + +*NOTE*: If possible, build a 32-bit binary. When forking, the 32-bit fuzze= r is +much faster, since the page-map has a smaller size. This is due to the fac= t that +AddressSanitizer maps ~20TB of memory, as part of its detection. This resu= lts +in a large page-map, and a much slower ``fork()``. + +To build the fuzzers, install a recent version of clang: +Configure with (substitute the clang binaries with the version you install= ed). +Here, enable-sanitizers, is optional but it allows us to reliably detect b= ugs +such as out-of-bounds accesses, use-after-frees, double-frees etc.:: + + CC=3Dclang-8 CXX=3Dclang++-8 /path/to/configure --enable-fuzzing \ + --enable-sanitizers + +Fuzz targets are built similarly to system targets:: + + make i386-softmmu/fuzz + +This builds ``./i386-softmmu/qemu-fuzz-i386`` + +The first option to this command is: ``--fuzz-target=3DFUZZ_NAME`` +To list all of the available fuzzers run ``qemu-fuzz-i386`` with no argume= nts. + +For example:: + + ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=3Dvirtio-scsi-fuzz + +Internally, libfuzzer parses all arguments that do not begin with ``"--"``. +Information about these is available by passing ``-help=3D1`` + +Now the only thing left to do is wait for the fuzzer to trigger potential +crashes. 
+ +Useful libFuzzer flags +---------------------- + +As mentioned above, libFuzzer accepts some arguments. Passing ``-help=3D1`= ` will +list the available arguments. In particular, these arguments might be help= ful: + +* ``CORPUS_DIR/`` : Specify a directory as the last argument to libFuzzer. + libFuzzer stores each "interesting" input in this corpus directory. The = next + time you run libFuzzer, it will read all of the inputs from the corpus, = and + continue fuzzing from there. You can also specify multiple directories. + libFuzzer loads existing inputs from all specified directories, but will= only + write new ones to the first one specified. + +* ``-max_len=3D4096`` : specify the maximum byte-length of the inputs libF= uzzer + will generate. + +* ``-close_fd_mask=3D{1,2,3}`` : close, stderr, or both. Useful for target= s that + trigger many debug/error messages, or create output on the serial consol= e. + +* ``-jobs=3D4 -workers=3D4`` : These arguments configure libFuzzer to run = 4 fuzzers in + parallel (4 fuzzing jobs in 4 worker processes). Alternatively, with only + ``-jobs=3DN``, libFuzzer automatically spawns a number of workers less t= han or equal + to half the available CPU cores. Replace 4 with a number appropriate for= your + machine. Make sure to specify a ``CORPUS_DIR``, which will allow the par= allel + fuzzers to share information about the interesting inputs they find. + +* ``-use_value_profile=3D1`` : For each comparison operation, libFuzzer co= mputes + ``(caller_pc&4095) | (popcnt(Arg1 ^ Arg2) << 12)`` and places this in the + coverage table. Useful for targets with "magic" constants. If Arg1 came = from + the fuzzer's input and Arg2 is a magic constant, then each time the Hamm= ing + distance between Arg1 and Arg2 decreases, libFuzzer adds the input to the + corpus. + +* ``-shrink=3D1`` : Tries to make elements of the corpus "smaller". Might = lead to + better coverage performance, depending on the target. 
+ +Note that libFuzzer's exact behavior will depend on the version of +clang and libFuzzer used to build the device fuzzers. + +Generating Coverage Reports +--------------------------- + +Code coverage is a crucial metric for evaluating a fuzzer's performance. +libFuzzer's output provides a "cov: " column that provides a total number = of +unique blocks/edges covered. To examine coverage on a line-by-line basis we +can use Clang coverage: + + 1. Configure libFuzzer to store a corpus of all interesting inputs (see + CORPUS_DIR above) + 2. ``./configure`` the QEMU build with :: + + --enable-fuzzing \ + --extra-cflags=3D"-fprofile-instr-generate -fcoverage-mapping" + + 3. Re-run the fuzzer. Specify $CORPUS_DIR/* as an argument, telling libfu= zzer + to execute all of the inputs in $CORPUS_DIR and exit. Once the process + exits, you should find a file, "default.profraw" in the working direct= ory. + 4. Execute these commands to generate a detailed HTML coverage-report:: + + llvm-profdata merge -output=3Ddefault.profdata default.profraw + llvm-cov show ./path/to/qemu-fuzz-i386 -instr-profile=3Ddefault.prof= data \ + --format html -output-dir=3D/path/to/output/report + +Adding a new fuzzer +------------------- + +Coverage over virtual devices can be improved by adding additional fuzzers. +Fuzzers are kept in ``tests/qtest/fuzz/`` and should be added to +``tests/qtest/fuzz/Makefile.include`` + +Fuzzers can rely on both qtest and libqos to communicate with virtual devi= ces. + +1. Create a new source file. For example ``tests/qtest/fuzz/foo-device-fuz= z.c``. + +2. Write the fuzzing code using the libqtest/libqos API. See existing fuzz= ers + for reference. + +3. Register the fuzzer in ``tests/fuzz/Makefile.include`` by appending the + corresponding object to fuzz-obj-y + +Fuzzers can be more-or-less thought of as special qtest programs which can +modify the qtest commands and/or qtest command arguments based on inputs +provided by libfuzzer. 
Libfuzzer passes a byte array and length. Commonly = the +fuzzer loops over the byte-array interpreting it as a list of qtest comman= ds, +addresses, or values. + +The Generic Fuzzer +------------------ + +Writing a fuzz target can be a lot of effort (especially if a device drive= r has +not be built-out within libqos). Many devices can be fuzzed to some degree, +without any device-specific code, using the generic-fuzz target. + +The generic-fuzz target is capable of fuzzing devices over their PIO, MMIO, +and DMA input-spaces. To apply the generic-fuzz to a device, we need to de= fine +two env-variables, at minimum: + +* ``QEMU_FUZZ_ARGS=3D`` is the set of QEMU arguments used to configure a m= achine, with + the device attached. For example, if we want to fuzz the virtio-net devi= ce + attached to a pc-i440fx machine, we can specify:: + + QEMU_FUZZ_ARGS=3D"-M pc -nodefaults -netdev user,id=3Duser0 \ + -device virtio-net,netdev=3Duser0" + +* ``QEMU_FUZZ_OBJECTS=3D`` is a set of space-delimited strings used to ide= ntify + the MemoryRegions that will be fuzzed. These strings are compared against + MemoryRegion names and MemoryRegion owner names, to decide whether each + MemoryRegion should be fuzzed. These strings support globbing. For the + virtio-net example, we could use one of :: + + QEMU_FUZZ_OBJECTS=3D'virtio-net' + QEMU_FUZZ_OBJECTS=3D'virtio*' + QEMU_FUZZ_OBJECTS=3D'virtio* pcspk' # Fuzz the virtio devices and the = speaker + QEMU_FUZZ_OBJECTS=3D'*' # Fuzz the whole machine`` + +The ``"info mtree"`` and ``"info qom-tree"`` monitor commands can be espec= ially +useful for identifying the ``MemoryRegion`` and ``Object`` names used for +matching. + +As a generic rule-of-thumb, the more ``MemoryRegions``/Devices we match, t= he +greater the input-space, and the smaller the probability of finding crashi= ng +inputs for individual devices. As such, it is usually a good idea to limit= the +fuzzer to only a few ``MemoryRegions``. 
+ +To ensure that these env variables have been configured correctly, we can = use:: + + ./qemu-fuzz-i386 --fuzz-target=3Dgeneric-fuzz -runs=3D0 + +The output should contain a complete list of matched MemoryRegions. + +Implementation Details / Fuzzer Lifecycle +----------------------------------------- + +The fuzzer has two entrypoints that libfuzzer calls. libfuzzer provides it= 's +own ``main()``, which performs some setup, and calls the entrypoints: + +``LLVMFuzzerInitialize``: called prior to fuzzing. Used to initialize all = of the +necessary state + +``LLVMFuzzerTestOneInput``: called for each fuzzing run. Processes the inp= ut and +resets the state at the end of each run. + +In more detail: + +``LLVMFuzzerInitialize`` parses the arguments to the fuzzer (must start wi= th two +dashes, so they are ignored by libfuzzer ``main()``). Currently, the argum= ents +select the fuzz target. Then, the qtest client is initialized. If the targ= et +requires qos, qgraph is set up and the QOM/LIBQOS modules are initialized. +Then the QGraph is walked and the QEMU cmd_line is determined and saved. + +After this, the ``vl.c:qemu_main`` is called to set up the guest. There are +target-specific hooks that can be called before and after qemu_main, for +additional setup(e.g. PCI setup, or VM snapshotting). + +``LLVMFuzzerTestOneInput``: Uses qtest/qos functions to act based on the f= uzz +input. It is also responsible for manually calling ``main_loop_wait`` to e= nsure +that bottom halves are executed and any cleanup required before the next i= nput. + +Since the same process is reused for many fuzzing runs, QEMU state needs to +be reset at the end of each run. There are currently two implemented +options for resetting state: + +- Reboot the guest between runs. + - *Pros*: Straightforward and fast for simple fuzz targets. + + - *Cons*: Depending on the device, does not reset all device state. 
If t= he + device requires some initialization prior to being ready for fuzzing (= common + for QOS-based targets), this initialization needs to be done after each + reboot. + + - *Example target*: ``i440fx-qtest-reboot-fuzz`` + +- Run each test case in a separate forked process and copy the coverage + information back to the parent. This is fairly similar to AFL's "deferr= ed" + fork-server mode [3] + + - *Pros*: Relatively fast. Devices only need to be initialized once. No = need to + do slow reboots or vmloads. + + - *Cons*: Not officially supported by libfuzzer. Does not work well for + devices that rely on dedicated threads. + + - *Example target*: ``virtio-net-fork-fuzz`` diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt deleted file mode 100644 index 03585c1a9b..0000000000 --- a/docs/devel/fuzzing.txt +++ /dev/null 
@@ -1,214 +0,0 @@ -=3D Fuzzing =3D - -=3D=3D Introduction =3D=3D - -This document describes the virtual-device fuzzing infrastructure in QEMU = and -how to use it to implement additional fuzzers. - -=3D=3D Basics =3D=3D - -Fuzzing operates by passing inputs to an entry point/target function. The -fuzzer tracks the code coverage triggered by the input. Based on these -findings, the fuzzer mutates the input and repeats the fuzzing. - -To fuzz QEMU, we rely on libfuzzer. Unlike other fuzzers such as AFL, libf= uzzer -is an _in-process_ fuzzer. For the developer, this means that it is their -responsibility to ensure that state is reset between fuzzing-runs. - -=3D=3D Building the fuzzers =3D=3D - -NOTE: If possible, build a 32-bit binary. When forking, the 32-bit fuzzer = is -much faster, since the page-map has a smaller size. This is due to the fac= t that -AddressSanitizer mmaps ~20TB of memory, as part of its detection. This res= ults -in a large page-map, and a much slower fork(). - -To build the fuzzers, install a recent version of clang: -Configure with (substitute the clang binaries with the version you install= ed). -Here, enable-sanitizers, is optional but it allows us to reliably detect b= ugs -such as out-of-bounds accesses, use-after-frees, double-frees etc. - - CC=3Dclang-8 CXX=3Dclang++-8 /path/to/configure --enable-fuzzing \ - --enable-sanitizers - -Fuzz targets are built similarly to system/softmmu: - - make i386-softmmu/fuzz - -This builds ./i386-softmmu/qemu-fuzz-i386 - -The first option to this command is: --fuzz-target=3DFUZZ_NAME -To list all of the available fuzzers run qemu-fuzz-i386 with no arguments. - -For example: - ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=3Dvirtio-scsi-fuzz - -Internally, libfuzzer parses all arguments that do not begin with "--". -Information about these is available by passing -help=3D1 - -Now the only thing left to do is wait for the fuzzer to trigger potential -crashes. 
- -=3D=3D Useful libFuzzer flags =3D=3D - -As mentioned above, libFuzzer accepts some arguments. Passing -help=3D1 wi= ll list -the available arguments. In particular, these arguments might be helpful: - -$CORPUS_DIR/ : Specify a directory as the last argument to libFuzzer. libF= uzzer -stores each "interesting" input in this corpus directory. The next time yo= u run -libFuzzer, it will read all of the inputs from the corpus, and continue fu= zzing -from there. You can also specify multiple directories. libFuzzer loads exi= sting -inputs from all specified directories, but will only write new ones to the -first one specified. - --max_len=3D4096 : specify the maximum byte-length of the inputs libFuzzer = will -generate. - --close_fd_mask=3D{1,2,3} : close, stderr, or both. Useful for targets that -trigger many debug/error messages, or create output on the serial console. - --jobs=3D4 -workers=3D4 : These arguments configure libFuzzer to run 4 fuzz= ers in -parallel (4 fuzzing jobs in 4 worker processes). Alternatively, with only --jobs=3DN, libFuzzer automatically spawns a number of workers less than or= equal -to half the available CPU cores. Replace 4 with a number appropriate for y= our -machine. Make sure to specify a $CORPUS_DIR, which will allow the parallel -fuzzers to share information about the interesting inputs they find. - --use_value_profile=3D1 : For each comparison operation, libFuzzer computes=20 -(caller_pc&4095) | (popcnt(Arg1 ^ Arg2) << 12) and places this in the cove= rage -table. Useful for targets with "magic" constants. If Arg1 came from the fu= zzer's -input and Arg2 is a magic constant, then each time the Hamming distance -between Arg1 and Arg2 decreases, libFuzzer adds the input to the corpus. - --shrink=3D1 : Tries to make elements of the corpus "smaller". Might lead to -better coverage performance, depending on the target. 
- -Note that libFuzzer's exact behavior will depend on the version of -clang and libFuzzer used to build the device fuzzers. - -=3D=3D Generating Coverage Reports =3D=3D -Code coverage is a crucial metric for evaluating a fuzzer's performance. -libFuzzer's output provides a "cov: " column that provides a total number = of -unique blocks/edges covered. To examine coverage on a line-by-line basis we -can use Clang coverage: - - 1. Configure libFuzzer to store a corpus of all interesting inputs (see - CORPUS_DIR above) - 2. ./configure the QEMU build with: - --enable-fuzzing \ - --extra-cflags=3D"-fprofile-instr-generate -fcoverage-mapping" - 3. Re-run the fuzzer. Specify $CORPUS_DIR/* as an argument, telling libfu= zzer - to execute all of the inputs in $CORPUS_DIR and exit. Once the process - exits, you should find a file, "default.profraw" in the working direct= ory. - 4. Execute these commands to generate a detailed HTML coverage-report: - llvm-profdata merge -output=3Ddefault.profdata default.profraw - llvm-cov show ./path/to/qemu-fuzz-i386 -instr-profile=3Ddefault.profdata \ - --format html -output-dir=3D/path/to/output/report - -=3D=3D Adding a new fuzzer =3D=3D -Coverage over virtual devices can be improved by adding additional fuzzers. -Fuzzers are kept in tests/qtest/fuzz/ and should be added to -tests/qtest/fuzz/Makefile.include - -Fuzzers can rely on both qtest and libqos to communicate with virtual devi= ces. - -1. Create a new source file. For example ``tests/qtest/fuzz/foo-device-fuz= z.c``. - -2. Write the fuzzing code using the libqtest/libqos API. See existing fuzz= ers -for reference. - -3. Register the fuzzer in ``tests/fuzz/Makefile.include`` by appending the -corresponding object to fuzz-obj-y - -Fuzzers can be more-or-less thought of as special qtest programs which can -modify the qtest commands and/or qtest command arguments based on inputs -provided by libfuzzer. Libfuzzer passes a byte array and length. 
Commonly = the -fuzzer loops over the byte-array interpreting it as a list of qtest comman= ds, -addresses, or values. - -=3D=3D The Generic Fuzzer =3D=3D -Writing a fuzz target can be a lot of effort (especially if a device drive= r has -not be built-out within libqos). Many devices can be fuzzed to some degree, -without any device-specific code, using the generic-fuzz target. - -The generic-fuzz target is capable of fuzzing devices over their PIO, MMIO, -and DMA input-spaces. To apply the generic-fuzz to a device, we need to de= fine -two env-variables, at minimum: - -QEMU_FUZZ_ARGS=3D is the set of QEMU arguments used to configure a machine= , with -the device attached. For example, if we want to fuzz the virtio-net device -attached to a pc-i440fx machine, we can specify: -QEMU_FUZZ_ARGS=3D"-M pc -nodefaults -netdev user,id=3Duser0 \ - -device virtio-net,netdev=3Duser0" - -QEMU_FUZZ_OBJECTS=3D is a set of space-delimited strings used to identify = the -MemoryRegions that will be fuzzed. These strings are compared against -MemoryRegion names and MemoryRegion owner names, to decide whether each -MemoryRegion should be fuzzed. These strings support globbing. For the -virtio-net example, we could use QEMU_FUZZ_OBJECTS=3D - * 'virtio-net' - * 'virtio*' - * 'virtio* pcspk' (Fuzz the virtio devices and the PC speaker...) - * '*' (Fuzz the whole machine) - -The "info mtree" and "info qom-tree" monitor commands can be especially us= eful -for identifying the MemoryRegion and Object names used for matching. - -As a generic rule-of-thumb, the more MemoryRegions/Devices we match, the g= reater -the input-space, and the smaller the probability of finding crashing input= s for -individual devices. As such, it is usually a good idea to limit the fuzzer= to -only a few MemoryRegions. 
- -To ensure that these env variables have been configured correctly, we can = use: - -./qemu-fuzz-i386 --fuzz-target=3Dgeneric-fuzz -runs=3D0 - -The output should contain a complete list of matched MemoryRegions. - -=3D Implementation Details =3D - -=3D=3D The Fuzzer's Lifecycle =3D=3D - -The fuzzer has two entrypoints that libfuzzer calls. libfuzzer provides it= 's -own main(), which performs some setup, and calls the entrypoints: - -LLVMFuzzerInitialize: called prior to fuzzing. Used to initialize all of t= he -necessary state - -LLVMFuzzerTestOneInput: called for each fuzzing run. Processes the input a= nd -resets the state at the end of each run. - -In more detail: - -LLVMFuzzerInitialize parses the arguments to the fuzzer (must start with t= wo -dashes, so they are ignored by libfuzzer main()). Currently, the arguments -select the fuzz target. Then, the qtest client is initialized. If the targ= et -requires qos, qgraph is set up and the QOM/LIBQOS modules are initialized. -Then the QGraph is walked and the QEMU cmd_line is determined and saved. - -After this, the vl.c:qemu__main is called to set up the guest. There are -target-specific hooks that can be called before and after qemu_main, for -additional setup(e.g. PCI setup, or VM snapshotting). - -LLVMFuzzerTestOneInput: Uses qtest/qos functions to act based on the fuzz -input. It is also responsible for manually calling the main loop/main_loop= _wait -to ensure that bottom halves are executed and any cleanup required before = the -next input. - -Since the same process is reused for many fuzzing runs, QEMU state needs to -be reset at the end of each run. There are currently two implemented -options for resetting state: -1. Reboot the guest between runs. - Pros: Straightforward and fast for simple fuzz targets. - Cons: Depending on the device, does not reset all device state. 
If the - device requires some initialization prior to being ready for fuzzing - (common for QOS-based targets), this initialization needs to be done af= ter - each reboot. - Example target: i440fx-qtest-reboot-fuzz -2. Run each test case in a separate forked process and copy the coverage - information back to the parent. This is fairly similar to AFL's "deferr= ed" - fork-server mode [3] - Pros: Relatively fast. Devices only need to be initialized once. No need - to do slow reboots or vmloads. - Cons: Not officially supported by libfuzzer. Does not work well for dev= ices - that rely on dedicated threads. - Example target: virtio-net-fork-fuzz diff --git a/docs/devel/index.rst b/docs/devel/index.rst index 77baae5c77..f10ed77e4c 100644 --- a/docs/devel/index.rst +++ b/docs/devel/index.rst 
@@ -22,6 +22,7 @@ Contents: stable-process testing qtest + fuzzing decodetree secure-coding-practices tcg --=20 2.28.0
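Review bot: The MAINTAINERS hunk only follows the rename in the "F:" entries, and the diffstat shows no other file touched for it; please grep the tree for remaining references to docs/devel/fuzzing.txt (for example in scripts/oss-fuzz/ or comments under tests/qtest/fuzz/, both listed in the same MAINTAINERS block) and update them in this patch so the old path does not go stale.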
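Review bot: Several wording and markup defects in the new docs/devel/fuzzing.rst hunk are either carried over from the .txt or introduced by the conversion, and this patch is the natural place to fix them. (1) Under "Useful libFuzzer flags", "-close_fd_mask={1,2,3} : close, stderr, or both" is missing the first stream; it should read "close stdout, stderr, or both" (1 = stdout, 2 = stderr, 3 = both). (2) In "Adding a new fuzzer", step 3 says tests/fuzz/Makefile.include while the introduction two paragraphs earlier says tests/qtest/fuzz/Makefile.include; the two should agree, and the tests/qtest/fuzz/ path is the one that matches the "F:" entry in the MAINTAINERS hunk. (3) In "The Generic Fuzzer", the last line of the QEMU_FUZZ_OBJECTS literal block ends with a stray pair of backticks after "# Fuzz the whole machine"; inside a "::" block they render literally. (4) "Implementation Details / Fuzzer Lifecycle" cites AFL's deferred fork-server mode as "[3]", but the document has no reference list, so the citation dangles; either drop the marker or replace it with a link to the AFL documentation it refers to. (5) Typos: "libfuzzer provides it's own main()" should be "its own", and "not be built-out within libqos" should be "not been built out within libqos".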
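Review bot: The docs/devel/fuzzing.txt deletion is not a pure 1:1 move of the text into .rst, and the commit message (currently only the Signed-off-by) should say so: "vl.c:qemu__main" becomes "vl.c:qemu_main", "AddressSanitizer mmaps ~20TB" becomes "maps ~20TB", the separate "= Implementation Details =" and "== The Fuzzer's Lifecycle ==" headings are merged into one section, and "the main loop/main_loop_wait" becomes "main_loop_wait". A one-line note that the conversion also fixes these small wording issues makes the diff easier to review and bisect.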
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH 2/2] docs/fuzz: update fuzzing documentation post-meson
Date: Fri, 6 Nov 2020 13:06:00 -0500
Message-Id: <20201106180600.360110-3-alxndr@bu.edu>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20201106180600.360110-1-alxndr@bu.edu>
References: <20201106180600.360110-1-alxndr@bu.edu>
Cc: Alexander Bulekov, Bandan Das, Thomas Huth, Stefan Hajnoczi, Paolo Bonzini
Signed-off-by: Alexander Bulekov --- docs/devel/fuzzing.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst index f19d75ceff..6096242d99 100644 --- a/docs/devel/fuzzing.rst +++ b/docs/devel/fuzzing.rst @@ -34,16 +34,16 @@ such as out-of-bounds accesses, use-after-frees, double= -frees etc.:: =20 Fuzz targets are built similarly to system targets:: =20 - make i386-softmmu/fuzz + make qemu-fuzz-i386 =20 -This builds ``./i386-softmmu/qemu-fuzz-i386`` +This builds ``./qemu-fuzz-i386`` =20 The first option to this command is: ``--fuzz-target=3DFUZZ_NAME`` To list all of the available fuzzers run ``qemu-fuzz-i386`` with no argume= nts. =20 For example:: =20 - ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=3Dvirtio-scsi-fuzz + ./qemu-fuzz-i386 --fuzz-target=3Dvirtio-scsi-fuzz =20 Internally, libfuzzer parses all arguments that do not begin with ``"--"``. Information about these is available by passing ``-help=3D1`` --=20 2.28.0
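Review bot: the patch has no commit message body, only the Signed-off-by line, so the reason for the path changes in this hunk is left to the subject's "post-meson"; a one-line body stating that the meson build places the fuzzer binary at the top of the build directory (`make qemu-fuzz-i386`, `./qemu-fuzz-i386 --fuzz-target=virtio-scsi-fuzz`) instead of under `i386-softmmu/` would let readers of the log understand why the old `make i386-softmmu/fuzz` invocation no longer applies.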