[PATCH v2 1/3] fuzz: enable dynamic args for generic-fuzz configs

Alexander Bulekov posted 3 patches 5 years ago
Maintainers: Paolo Bonzini <pbonzini@redhat.com>, Laurent Vivier <lvivier@redhat.com>, Alexander Bulekov <alxndr@bu.edu>, Thomas Huth <thuth@redhat.com>, Bandan Das <bsd@redhat.com>, Stefan Hajnoczi <stefanha@redhat.com>
[PATCH v2 1/3] fuzz: enable dynamic args for generic-fuzz configs
Posted by Alexander Bulekov 5 years ago
For some device configurations, it is useful to configure some
resources, and adjust QEMU arguments at runtime, prior to fuzzing. This
patch adds an "argfunc" to the generic_fuzz_config. When
specified, it is responsible for configuring the resources and returning
a string containing the corresponding QEMU arguments. This can be useful
for targets that rely on e.g.:
 * a temporary qcow2 image
 * a temporary directory
 * an unused TCP port used to bind the VNC server

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
---
 tests/qtest/fuzz/generic_fuzz.c         | 10 +++++++++-
 tests/qtest/fuzz/generic_fuzz_configs.h |  1 +
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index be76d47d2d..6adf62a5be 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -936,12 +936,20 @@ static GString *generic_fuzz_cmdline(FuzzTarget *t)
 
 static GString *generic_fuzz_predefined_config_cmdline(FuzzTarget *t)
 {
+    gchar *args;
     const generic_fuzz_config *config;
     g_assert(t->opaque);
 
     config = t->opaque;
     setenv("QEMU_AVOID_DOUBLE_FETCH", "1", 1);
-    setenv("QEMU_FUZZ_ARGS", config->args, 1);
+    if (config->argfunc) {
+        args = config->argfunc();
+        setenv("QEMU_FUZZ_ARGS", args, 1);
+        g_free(args);
+    } else {
+        g_assert_nonnull(config->args);
+        setenv("QEMU_FUZZ_ARGS", config->args, 1);
+    }
     setenv("QEMU_FUZZ_OBJECTS", config->objects, 1);
     return generic_fuzz_cmdline(t);
 }
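Review bot: The argfunc branch hands the callback's result to setenv() without the non-NULL guard that the else branch applies to config->args via g_assert_nonnull(), so a callback that cannot set up its resource (a temporary image or directory that failed to be created, for instance) and returns NULL reaches setenv() with a NULL value, which POSIX does not define. Mirror the other branch: `args = config->argfunc();` followed by `g_assert_nonnull(args);` before the `setenv("QEMU_FUZZ_ARGS", args, 1);` line. As a point of style, `gchar *args;` is only used inside the if-branch, so declaring it there would keep its scope matched to its single use and make the g_free() pairing easier to see.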
diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h b/tests/qtest/fuzz/generic_fuzz_configs.h
index 7fed035345..1a133655ee 100644
--- a/tests/qtest/fuzz/generic_fuzz_configs.h
+++ b/tests/qtest/fuzz/generic_fuzz_configs.h
@@ -16,6 +16,7 @@
 
 typedef struct generic_fuzz_config {
     const char *name, *args, *objects;
+    gchar* (*argfunc)(void); /* Result must be freeable by g_free() */
 } generic_fuzz_config;
 
 const generic_fuzz_config predefined_configs[] = {
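Review bot: The comment on the new argfunc field documents the ownership of its result but not how the field interacts with `args`: the caller in generic_fuzz.c uses argfunc whenever it is set and does not consult `args` at all, so a config author needs to know `args` may then be left NULL. Extend the comment to `/* If set, used instead of args; result must be freeable by g_free() */`. As a point of style, the neighbouring field on the line above binds the star to the name (`const char *name, ...`); `gchar *(*argfunc)(void);` would match that. The predefined_configs array opened on the last context line continues outside the hunk.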
-- 
2.28.0


Re: [PATCH v2 1/3] fuzz: enable dynamic args for generic-fuzz configs
Posted by Thomas Huth 5 years ago
On 18/01/2021 00.09, Alexander Bulekov wrote:
> For some device configurations, it is useful to configure some
> resources, and adjust QEMU arguments at runtime, prior to fuzzing. This
> patch adds an "argfunc" to generic the generic_fuzz_config. When
> specified, it is responsible for configuring the resources and returning
> a string containing the corresponding QEMU arguments. This can be useful
> for targets that rely on e.g.:
>   * a temporary qcow2 image
>   * a temporary directory
>   * an unused TCP port used to bind the VNC server
> 
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
> ---
>   tests/qtest/fuzz/generic_fuzz.c         | 10 +++++++++-
>   tests/qtest/fuzz/generic_fuzz_configs.h |  1 +
>   2 files changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
> index be76d47d2d..6adf62a5be 100644
> --- a/tests/qtest/fuzz/generic_fuzz.c
> +++ b/tests/qtest/fuzz/generic_fuzz.c
> @@ -936,12 +936,20 @@ static GString *generic_fuzz_cmdline(FuzzTarget *t)
>   
>   static GString *generic_fuzz_predefined_config_cmdline(FuzzTarget *t)
>   {
> +    gchar *args;
>       const generic_fuzz_config *config;
>       g_assert(t->opaque);
>   
>       config = t->opaque;
>       setenv("QEMU_AVOID_DOUBLE_FETCH", "1", 1);
> -    setenv("QEMU_FUZZ_ARGS", config->args, 1);
> +    if (config->argfunc) {
> +        args = config->argfunc();
> +        setenv("QEMU_FUZZ_ARGS", args, 1);
> +        g_free(args);
> +    } else {
> +        g_assert_nonnull(config->args);
> +        setenv("QEMU_FUZZ_ARGS", config->args, 1);
> +    }
>       setenv("QEMU_FUZZ_OBJECTS", config->objects, 1);
>       return generic_fuzz_cmdline(t);
>   }
> diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h b/tests/qtest/fuzz/generic_fuzz_configs.h
> index 7fed035345..1a133655ee 100644
> --- a/tests/qtest/fuzz/generic_fuzz_configs.h
> +++ b/tests/qtest/fuzz/generic_fuzz_configs.h
> @@ -16,6 +16,7 @@
>   
>   typedef struct generic_fuzz_config {
>       const char *name, *args, *objects;
> +    gchar* (*argfunc)(void); /* Result must be free
Reviewed-by: Thomas Huth <thuth@redhat.com>

... would it make sense to also add a cleanup function pointer here, so that 
the resources can also be freed cleanly after a test has succeeded (instead 
of using atexit() like suggested in your third patch)? Well, just an idea, 
it still can be done in a later patch.