From nobody Mon Feb 9 04:29:49 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1605007269; cv=none; d=zohomail.com; s=zohoarc; b=Juy0l8z0qfCW/LY/6mEpnRTXodbK8z5nrQV2roCwTajkOV43o8pVnkZME5TCN/cuZIXJ4HVxtNJ+8yh6bzp+q69pnR8Zk/2d3lUOPa7dvRtc75iepZrRN9e2/u5DX8bGV1okuPDzy+aE2ZpGPqaanI0/QSkYuy1pNQ5h4uq2t0k= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1605007269; h=Content-Type:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:Message-ID:References:Sender:Subject:To; bh=O7kFa0/iW8j0ZfE462d5WwFvOwvzXtXpsKILwA8DFJU=; b=YCruROV5yfgRZxiQ9BzoEmk8ZrYJgbBGYxGbSXiBz2NveuTrcZ+NRwtqtCkZS3Lf0jclUu0lIQk0xcCGKQWETqNWN4Q0V3ujwVgukELhjj5MbLfoHCRSaqUaSzEDCifABp+J0V1wcYP6cUAdPc0olRg56Gitp0Maht/odBMasOE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1605007269943862.4863357727685; Tue, 10 Nov 2020 03:21:09 -0800 (PST) Received: from localhost ([::1]:51204 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kcRi0-0002tQ-Py for importer@patchew.org; Tue, 10 Nov 2020 06:21:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:44944) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kcRZJ-00077Y-DE for qemu-devel@nongnu.org; Tue, 10 Nov 2020 06:12:10 -0500 Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:37732) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.90_1) (envelope-from ) id 1kcRZ6-0004as-VO for qemu-devel@nongnu.org; Tue, 10 Nov 2020 06:12:09 -0500 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-482-pa7I6I3wMRSgKDCRQ8oLIg-1; Tue, 10 Nov 2020 06:11:53 -0500 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E9006801FD4; Tue, 10 Nov 2020 11:11:51 +0000 (UTC) Received: from thuth.com (ovpn-113-192.ams2.redhat.com [10.36.113.192]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8A1F310013D9; Tue, 10 Nov 2020 11:11:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1605006715; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:content-type:content-type:in-reply-to:in-reply-to: references:references; bh=O7kFa0/iW8j0ZfE462d5WwFvOwvzXtXpsKILwA8DFJU=; b=UVYZUkBPTg/Ui+bYrKXT8X94bO8nGgruQ/jEnNCiye7wpZqfs6S3/iG1q2bv5T5vJCMQoD ROD/l6uppP6XnVTQDWqzcc9Jo0aT90OVMZLjsIHrx4RjGSFSSeEUnj6ILtTPMKTTUUH7KH EUhrFV6/LCn5budMsBD7h+A3gi0GAeQ= X-MC-Unique: pa7I6I3wMRSgKDCRQ8oLIg-1 From: Thomas Huth To: qemu-devel@nongnu.org, Peter Maydell Subject: [PULL 08/19] docs/fuzz: rST-ify the fuzzing documentation Date: Tue, 10 Nov 2020 12:11:21 +0100 Message-Id: <20201110111132.559399-9-thuth@redhat.com> In-Reply-To: <20201110111132.559399-1-thuth@redhat.com> References: <20201110111132.559399-1-thuth@redhat.com> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=thuth@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=63.128.21.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-detected-operating-system: by eggs.gnu.org: First seen = 2020/11/10 00:21:06 X-ACL-Warn: Detected OS = Linux 2.2.x-3.x [generic] [fuzzy] X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Alexander Bulekov , Cornelia Huck Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: Alexander Bulekov Signed-off-by: Alexander Bulekov Message-Id: <20201106180600.360110-2-alxndr@bu.edu> Signed-off-by: Thomas Huth --- MAINTAINERS | 2 +- docs/devel/fuzzing.rst | 236 +++++++++++++++++++++++++++++++++++++++++ docs/devel/fuzzing.txt | 214 ------------------------------------- docs/devel/index.rst | 1 + 4 files changed, 238 insertions(+), 215 deletions(-) create mode 100644 docs/devel/fuzzing.rst delete mode 100644 docs/devel/fuzzing.txt diff --git a/MAINTAINERS b/MAINTAINERS index 7b34ea0646..6c2df0bef3 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2525,7 +2525,7 @@ R: Thomas Huth S: Maintained F: tests/qtest/fuzz/ F: scripts/oss-fuzz/ -F: docs/devel/fuzzing.txt +F: docs/devel/fuzzing.rst =20 Register API M: Alistair Francis diff --git a/docs/devel/fuzzing.rst b/docs/devel/fuzzing.rst new file mode 100644 index 0000000000..f19d75ceff --- /dev/null +++ b/docs/devel/fuzzing.rst @@ -0,0 +1,236 @@ +=3D=3D=3D=3D=3D=3D=3D=3D +Fuzzing +=3D=3D=3D=3D=3D=3D=3D=3D + +This document describes the virtual-device fuzzing infrastructure in QEMU = and +how to use it to implement additional fuzzers. + +Basics +------ + +Fuzzing operates by passing inputs to an entry point/target function. The +fuzzer tracks the code coverage triggered by the input. Based on these +findings, the fuzzer mutates the input and repeats the fuzzing. + +To fuzz QEMU, we rely on libfuzzer. Unlike other fuzzers such as AFL, libf= uzzer +is an *in-process* fuzzer. For the developer, this means that it is their +responsibility to ensure that state is reset between fuzzing-runs. + +Building the fuzzers +-------------------- + +*NOTE*: If possible, build a 32-bit binary. When forking, the 32-bit fuzze= r is +much faster, since the page-map has a smaller size. This is due to the fac= t that +AddressSanitizer maps ~20TB of memory, as part of its detection. This resu= lts +in a large page-map, and a much slower ``fork()``. + +To build the fuzzers, install a recent version of clang: +Configure with (substitute the clang binaries with the version you install= ed). +Here, enable-sanitizers, is optional but it allows us to reliably detect b= ugs +such as out-of-bounds accesses, use-after-frees, double-frees etc.:: + + CC=3Dclang-8 CXX=3Dclang++-8 /path/to/configure --enable-fuzzing \ + --enable-sanitizers + +Fuzz targets are built similarly to system targets:: + + make i386-softmmu/fuzz + +This builds ``./i386-softmmu/qemu-fuzz-i386`` + +The first option to this command is: ``--fuzz-target=3DFUZZ_NAME`` +To list all of the available fuzzers run ``qemu-fuzz-i386`` with no argume= nts. + +For example:: + + ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=3Dvirtio-scsi-fuzz + +Internally, libfuzzer parses all arguments that do not begin with ``"--"``. +Information about these is available by passing ``-help=3D1`` + +Now the only thing left to do is wait for the fuzzer to trigger potential +crashes. + +Useful libFuzzer flags +---------------------- + +As mentioned above, libFuzzer accepts some arguments. Passing ``-help=3D1`= ` will +list the available arguments. In particular, these arguments might be help= ful: + +* ``CORPUS_DIR/`` : Specify a directory as the last argument to libFuzzer. + libFuzzer stores each "interesting" input in this corpus directory. The = next + time you run libFuzzer, it will read all of the inputs from the corpus, = and + continue fuzzing from there. You can also specify multiple directories. + libFuzzer loads existing inputs from all specified directories, but will= only + write new ones to the first one specified. + +* ``-max_len=3D4096`` : specify the maximum byte-length of the inputs libF= uzzer + will generate. + +* ``-close_fd_mask=3D{1,2,3}`` : close, stderr, or both. Useful for target= s that + trigger many debug/error messages, or create output on the serial consol= e. + +* ``-jobs=3D4 -workers=3D4`` : These arguments configure libFuzzer to run = 4 fuzzers in + parallel (4 fuzzing jobs in 4 worker processes). Alternatively, with only + ``-jobs=3DN``, libFuzzer automatically spawns a number of workers less t= han or equal + to half the available CPU cores. Replace 4 with a number appropriate for= your + machine. Make sure to specify a ``CORPUS_DIR``, which will allow the par= allel + fuzzers to share information about the interesting inputs they find. + +* ``-use_value_profile=3D1`` : For each comparison operation, libFuzzer co= mputes + ``(caller_pc&4095) | (popcnt(Arg1 ^ Arg2) << 12)`` and places this in the + coverage table. Useful for targets with "magic" constants. If Arg1 came = from + the fuzzer's input and Arg2 is a magic constant, then each time the Hamm= ing + distance between Arg1 and Arg2 decreases, libFuzzer adds the input to the + corpus. + +* ``-shrink=3D1`` : Tries to make elements of the corpus "smaller". Might = lead to + better coverage performance, depending on the target. + +Note that libFuzzer's exact behavior will depend on the version of +clang and libFuzzer used to build the device fuzzers. + +Generating Coverage Reports +--------------------------- + +Code coverage is a crucial metric for evaluating a fuzzer's performance. +libFuzzer's output provides a "cov: " column that provides a total number = of +unique blocks/edges covered. To examine coverage on a line-by-line basis we +can use Clang coverage: + + 1. Configure libFuzzer to store a corpus of all interesting inputs (see + CORPUS_DIR above) + 2. ``./configure`` the QEMU build with :: + + --enable-fuzzing \ + --extra-cflags=3D"-fprofile-instr-generate -fcoverage-mapping" + + 3. Re-run the fuzzer. Specify $CORPUS_DIR/* as an argument, telling libfu= zzer + to execute all of the inputs in $CORPUS_DIR and exit. Once the process + exits, you should find a file, "default.profraw" in the working direct= ory. + 4. Execute these commands to generate a detailed HTML coverage-report:: + + llvm-profdata merge -output=3Ddefault.profdata default.profraw + llvm-cov show ./path/to/qemu-fuzz-i386 -instr-profile=3Ddefault.prof= data \ + --format html -output-dir=3D/path/to/output/report + +Adding a new fuzzer +------------------- + +Coverage over virtual devices can be improved by adding additional fuzzers. +Fuzzers are kept in ``tests/qtest/fuzz/`` and should be added to +``tests/qtest/fuzz/Makefile.include`` + +Fuzzers can rely on both qtest and libqos to communicate with virtual devi= ces. + +1. Create a new source file. For example ``tests/qtest/fuzz/foo-device-fuz= z.c``. + +2. Write the fuzzing code using the libqtest/libqos API. See existing fuzz= ers + for reference. + +3. Register the fuzzer in ``tests/fuzz/Makefile.include`` by appending the + corresponding object to fuzz-obj-y + +Fuzzers can be more-or-less thought of as special qtest programs which can +modify the qtest commands and/or qtest command arguments based on inputs +provided by libfuzzer. Libfuzzer passes a byte array and length. Commonly = the +fuzzer loops over the byte-array interpreting it as a list of qtest comman= ds, +addresses, or values. + +The Generic Fuzzer +------------------ + +Writing a fuzz target can be a lot of effort (especially if a device drive= r has +not be built-out within libqos). Many devices can be fuzzed to some degree, +without any device-specific code, using the generic-fuzz target. + +The generic-fuzz target is capable of fuzzing devices over their PIO, MMIO, +and DMA input-spaces. To apply the generic-fuzz to a device, we need to de= fine +two env-variables, at minimum: + +* ``QEMU_FUZZ_ARGS=3D`` is the set of QEMU arguments used to configure a m= achine, with + the device attached. For example, if we want to fuzz the virtio-net devi= ce + attached to a pc-i440fx machine, we can specify:: + + QEMU_FUZZ_ARGS=3D"-M pc -nodefaults -netdev user,id=3Duser0 \ + -device virtio-net,netdev=3Duser0" + +* ``QEMU_FUZZ_OBJECTS=3D`` is a set of space-delimited strings used to ide= ntify + the MemoryRegions that will be fuzzed. These strings are compared against + MemoryRegion names and MemoryRegion owner names, to decide whether each + MemoryRegion should be fuzzed. These strings support globbing. For the + virtio-net example, we could use one of :: + + QEMU_FUZZ_OBJECTS=3D'virtio-net' + QEMU_FUZZ_OBJECTS=3D'virtio*' + QEMU_FUZZ_OBJECTS=3D'virtio* pcspk' # Fuzz the virtio devices and the = speaker + QEMU_FUZZ_OBJECTS=3D'*' # Fuzz the whole machine`` + +The ``"info mtree"`` and ``"info qom-tree"`` monitor commands can be espec= ially +useful for identifying the ``MemoryRegion`` and ``Object`` names used for +matching. + +As a generic rule-of-thumb, the more ``MemoryRegions``/Devices we match, t= he +greater the input-space, and the smaller the probability of finding crashi= ng +inputs for individual devices. As such, it is usually a good idea to limit= the +fuzzer to only a few ``MemoryRegions``. + +To ensure that these env variables have been configured correctly, we can = use:: + + ./qemu-fuzz-i386 --fuzz-target=3Dgeneric-fuzz -runs=3D0 + +The output should contain a complete list of matched MemoryRegions. + +Implementation Details / Fuzzer Lifecycle +----------------------------------------- + +The fuzzer has two entrypoints that libfuzzer calls. libfuzzer provides it= 's +own ``main()``, which performs some setup, and calls the entrypoints: + +``LLVMFuzzerInitialize``: called prior to fuzzing. Used to initialize all = of the +necessary state + +``LLVMFuzzerTestOneInput``: called for each fuzzing run. Processes the inp= ut and +resets the state at the end of each run. + +In more detail: + +``LLVMFuzzerInitialize`` parses the arguments to the fuzzer (must start wi= th two +dashes, so they are ignored by libfuzzer ``main()``). Currently, the argum= ents +select the fuzz target. Then, the qtest client is initialized. If the targ= et +requires qos, qgraph is set up and the QOM/LIBQOS modules are initialized. +Then the QGraph is walked and the QEMU cmd_line is determined and saved. + +After this, the ``vl.c:qemu_main`` is called to set up the guest. There are +target-specific hooks that can be called before and after qemu_main, for +additional setup(e.g. PCI setup, or VM snapshotting). + +``LLVMFuzzerTestOneInput``: Uses qtest/qos functions to act based on the f= uzz +input. It is also responsible for manually calling ``main_loop_wait`` to e= nsure +that bottom halves are executed and any cleanup required before the next i= nput. + +Since the same process is reused for many fuzzing runs, QEMU state needs to +be reset at the end of each run. There are currently two implemented +options for resetting state: + +- Reboot the guest between runs. + - *Pros*: Straightforward and fast for simple fuzz targets. + + - *Cons*: Depending on the device, does not reset all device state. If t= he + device requires some initialization prior to being ready for fuzzing (= common + for QOS-based targets), this initialization needs to be done after each + reboot. + + - *Example target*: ``i440fx-qtest-reboot-fuzz`` + +- Run each test case in a separate forked process and copy the coverage + information back to the parent. This is fairly similar to AFL's "deferr= ed" + fork-server mode [3] + + - *Pros*: Relatively fast. Devices only need to be initialized once. No = need to + do slow reboots or vmloads. + + - *Cons*: Not officially supported by libfuzzer. Does not work well for + devices that rely on dedicated threads. + + - *Example target*: ``virtio-net-fork-fuzz`` diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt deleted file mode 100644 index 03585c1a9b..0000000000 --- a/docs/devel/fuzzing.txt +++ /dev/null @@ -1,214 +0,0 @@ -=3D Fuzzing =3D - -=3D=3D Introduction =3D=3D - -This document describes the virtual-device fuzzing infrastructure in QEMU = and -how to use it to implement additional fuzzers. - -=3D=3D Basics =3D=3D - -Fuzzing operates by passing inputs to an entry point/target function. The -fuzzer tracks the code coverage triggered by the input. Based on these -findings, the fuzzer mutates the input and repeats the fuzzing. - -To fuzz QEMU, we rely on libfuzzer. Unlike other fuzzers such as AFL, libf= uzzer -is an _in-process_ fuzzer. For the developer, this means that it is their -responsibility to ensure that state is reset between fuzzing-runs. - -=3D=3D Building the fuzzers =3D=3D - -NOTE: If possible, build a 32-bit binary. When forking, the 32-bit fuzzer = is -much faster, since the page-map has a smaller size. This is due to the fac= t that -AddressSanitizer mmaps ~20TB of memory, as part of its detection. This res= ults -in a large page-map, and a much slower fork(). - -To build the fuzzers, install a recent version of clang: -Configure with (substitute the clang binaries with the version you install= ed). -Here, enable-sanitizers, is optional but it allows us to reliably detect b= ugs -such as out-of-bounds accesses, use-after-frees, double-frees etc. - - CC=3Dclang-8 CXX=3Dclang++-8 /path/to/configure --enable-fuzzing \ - --enable-sanitizers - -Fuzz targets are built similarly to system/softmmu: - - make i386-softmmu/fuzz - -This builds ./i386-softmmu/qemu-fuzz-i386 - -The first option to this command is: --fuzz-target=3DFUZZ_NAME -To list all of the available fuzzers run qemu-fuzz-i386 with no arguments. - -For example: - ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=3Dvirtio-scsi-fuzz - -Internally, libfuzzer parses all arguments that do not begin with "--". -Information about these is available by passing -help=3D1 - -Now the only thing left to do is wait for the fuzzer to trigger potential -crashes. - -=3D=3D Useful libFuzzer flags =3D=3D - -As mentioned above, libFuzzer accepts some arguments. Passing -help=3D1 wi= ll list -the available arguments. In particular, these arguments might be helpful: - -$CORPUS_DIR/ : Specify a directory as the last argument to libFuzzer. libF= uzzer -stores each "interesting" input in this corpus directory. The next time yo= u run -libFuzzer, it will read all of the inputs from the corpus, and continue fu= zzing -from there. You can also specify multiple directories. libFuzzer loads exi= sting -inputs from all specified directories, but will only write new ones to the -first one specified. - --max_len=3D4096 : specify the maximum byte-length of the inputs libFuzzer = will -generate. - --close_fd_mask=3D{1,2,3} : close, stderr, or both. Useful for targets that -trigger many debug/error messages, or create output on the serial console. - --jobs=3D4 -workers=3D4 : These arguments configure libFuzzer to run 4 fuzz= ers in -parallel (4 fuzzing jobs in 4 worker processes). Alternatively, with only --jobs=3DN, libFuzzer automatically spawns a number of workers less than or= equal -to half the available CPU cores. Replace 4 with a number appropriate for y= our -machine. Make sure to specify a $CORPUS_DIR, which will allow the parallel -fuzzers to share information about the interesting inputs they find. - --use_value_profile=3D1 : For each comparison operation, libFuzzer computes=20 -(caller_pc&4095) | (popcnt(Arg1 ^ Arg2) << 12) and places this in the cove= rage -table. Useful for targets with "magic" constants. If Arg1 came from the fu= zzer's -input and Arg2 is a magic constant, then each time the Hamming distance -between Arg1 and Arg2 decreases, libFuzzer adds the input to the corpus. - --shrink=3D1 : Tries to make elements of the corpus "smaller". Might lead to -better coverage performance, depending on the target. - -Note that libFuzzer's exact behavior will depend on the version of -clang and libFuzzer used to build the device fuzzers. - -=3D=3D Generating Coverage Reports =3D=3D -Code coverage is a crucial metric for evaluating a fuzzer's performance. -libFuzzer's output provides a "cov: " column that provides a total number = of -unique blocks/edges covered. To examine coverage on a line-by-line basis we -can use Clang coverage: - - 1. Configure libFuzzer to store a corpus of all interesting inputs (see - CORPUS_DIR above) - 2. ./configure the QEMU build with: - --enable-fuzzing \ - --extra-cflags=3D"-fprofile-instr-generate -fcoverage-mapping" - 3. Re-run the fuzzer. Specify $CORPUS_DIR/* as an argument, telling libfu= zzer - to execute all of the inputs in $CORPUS_DIR and exit. Once the process - exits, you should find a file, "default.profraw" in the working direct= ory. - 4. Execute these commands to generate a detailed HTML coverage-report: - llvm-profdata merge -output=3Ddefault.profdata default.profraw - llvm-cov show ./path/to/qemu-fuzz-i386 -instr-profile=3Ddefault.profdata \ - --format html -output-dir=3D/path/to/output/report - -=3D=3D Adding a new fuzzer =3D=3D -Coverage over virtual devices can be improved by adding additional fuzzers. -Fuzzers are kept in tests/qtest/fuzz/ and should be added to -tests/qtest/fuzz/Makefile.include - -Fuzzers can rely on both qtest and libqos to communicate with virtual devi= ces. - -1. Create a new source file. For example ``tests/qtest/fuzz/foo-device-fuz= z.c``. - -2. Write the fuzzing code using the libqtest/libqos API. See existing fuzz= ers -for reference. - -3. Register the fuzzer in ``tests/fuzz/Makefile.include`` by appending the -corresponding object to fuzz-obj-y - -Fuzzers can be more-or-less thought of as special qtest programs which can -modify the qtest commands and/or qtest command arguments based on inputs -provided by libfuzzer. Libfuzzer passes a byte array and length. Commonly = the -fuzzer loops over the byte-array interpreting it as a list of qtest comman= ds, -addresses, or values. - -=3D=3D The Generic Fuzzer =3D=3D -Writing a fuzz target can be a lot of effort (especially if a device drive= r has -not be built-out within libqos). Many devices can be fuzzed to some degree, -without any device-specific code, using the generic-fuzz target. - -The generic-fuzz target is capable of fuzzing devices over their PIO, MMIO, -and DMA input-spaces. To apply the generic-fuzz to a device, we need to de= fine -two env-variables, at minimum: - -QEMU_FUZZ_ARGS=3D is the set of QEMU arguments used to configure a machine= , with -the device attached. For example, if we want to fuzz the virtio-net device -attached to a pc-i440fx machine, we can specify: -QEMU_FUZZ_ARGS=3D"-M pc -nodefaults -netdev user,id=3Duser0 \ - -device virtio-net,netdev=3Duser0" - -QEMU_FUZZ_OBJECTS=3D is a set of space-delimited strings used to identify = the -MemoryRegions that will be fuzzed. These strings are compared against -MemoryRegion names and MemoryRegion owner names, to decide whether each -MemoryRegion should be fuzzed. These strings support globbing. For the -virtio-net example, we could use QEMU_FUZZ_OBJECTS=3D - * 'virtio-net' - * 'virtio*' - * 'virtio* pcspk' (Fuzz the virtio devices and the PC speaker...) - * '*' (Fuzz the whole machine) - -The "info mtree" and "info qom-tree" monitor commands can be especially us= eful -for identifying the MemoryRegion and Object names used for matching. - -As a generic rule-of-thumb, the more MemoryRegions/Devices we match, the g= reater -the input-space, and the smaller the probability of finding crashing input= s for -individual devices. As such, it is usually a good idea to limit the fuzzer= to -only a few MemoryRegions. - -To ensure that these env variables have been configured correctly, we can = use: - -./qemu-fuzz-i386 --fuzz-target=3Dgeneric-fuzz -runs=3D0 - -The output should contain a complete list of matched MemoryRegions. - -=3D Implementation Details =3D - -=3D=3D The Fuzzer's Lifecycle =3D=3D - -The fuzzer has two entrypoints that libfuzzer calls. libfuzzer provides it= 's -own main(), which performs some setup, and calls the entrypoints: - -LLVMFuzzerInitialize: called prior to fuzzing. Used to initialize all of t= he -necessary state - -LLVMFuzzerTestOneInput: called for each fuzzing run. Processes the input a= nd -resets the state at the end of each run. - -In more detail: - -LLVMFuzzerInitialize parses the arguments to the fuzzer (must start with t= wo -dashes, so they are ignored by libfuzzer main()). Currently, the arguments -select the fuzz target. Then, the qtest client is initialized. If the targ= et -requires qos, qgraph is set up and the QOM/LIBQOS modules are initialized. -Then the QGraph is walked and the QEMU cmd_line is determined and saved. - -After this, the vl.c:qemu__main is called to set up the guest. There are -target-specific hooks that can be called before and after qemu_main, for -additional setup(e.g. PCI setup, or VM snapshotting). - -LLVMFuzzerTestOneInput: Uses qtest/qos functions to act based on the fuzz -input. It is also responsible for manually calling the main loop/main_loop= _wait -to ensure that bottom halves are executed and any cleanup required before = the -next input. - -Since the same process is reused for many fuzzing runs, QEMU state needs to -be reset at the end of each run. There are currently two implemented -options for resetting state: -1. Reboot the guest between runs. - Pros: Straightforward and fast for simple fuzz targets. - Cons: Depending on the device, does not reset all device state. If the - device requires some initialization prior to being ready for fuzzing - (common for QOS-based targets), this initialization needs to be done af= ter - each reboot. - Example target: i440fx-qtest-reboot-fuzz -2. Run each test case in a separate forked process and copy the coverage - information back to the parent. This is fairly similar to AFL's "deferr= ed" - fork-server mode [3] - Pros: Relatively fast. Devices only need to be initialized once. No need - to do slow reboots or vmloads. - Cons: Not officially supported by libfuzzer. Does not work well for dev= ices - that rely on dedicated threads. - Example target: virtio-net-fork-fuzz diff --git a/docs/devel/index.rst b/docs/devel/index.rst index 77baae5c77..f10ed77e4c 100644 --- a/docs/devel/index.rst +++ b/docs/devel/index.rst @@ -22,6 +22,7 @@ Contents: stable-process testing qtest + fuzzing decodetree secure-coding-practices tcg --=20 2.18.4