authorPeter Maydell <peter.maydell@linaro.org>2020-05-19 13:42:58 +0100
committerPeter Maydell <peter.maydell@linaro.org>2020-05-19 13:42:58 +0100
commitf2465433b43fb87766d79f42191607dac4aed5b4 (patch)
tree83340a95b6ebe4433c24dbe3fefa9f14346ee351 /tests
parentbffe88d139ad7447e163e732e423cd767e908dc3 (diff)
parentba607ca8bff4d2c2062902f8355657c865ac7c29 (diff)
downloadqemu-f2465433b43fb87766d79f42191607dac4aed5b4.zip
qemu-f2465433b43fb87766d79f42191607dac4aed5b4.tar.gz
qemu-f2465433b43fb87766d79f42191607dac4aed5b4.tar.bz2
Merge remote-tracking branch 'remotes/stefanha/tags/block-pull-request' into staging
Pull request # gpg: Signature made Tue 19 May 2020 09:00:32 BST # gpg: using RSA key 8695A8BFD3F97CDAAC35775A9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" [full] # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" [full] # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * remotes/stefanha/tags/block-pull-request: aio-posix: disable fdmon-io_uring when GSource is used aio-posix: don't duplicate fd handler deletion in fdmon_io_uring_destroy() tests/fuzz: Extract ioport_fuzz_qtest() method tests/fuzz: Extract pciconfig_fuzz_qos() method tests/fuzz: Remove unuseful/unused typedefs tests/fuzz: Add missing space in test description Makefile: List fuzz targets in 'make help' tests/fuzz/Makefile: Do not link code using unavailable devices Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'tests')
-rw-r--r--tests/qtest/fuzz/Makefile.include6
-rw-r--r--tests/qtest/fuzz/i440fx_fuzz.c47
2 files changed, 33 insertions, 20 deletions
diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include
index cde3e96..f259d86 100644
--- a/tests/qtest/fuzz/Makefile.include
+++ b/tests/qtest/fuzz/Makefile.include
@@ -7,9 +7,9 @@ fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o
fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
# Targets
-fuzz-obj-y += tests/qtest/fuzz/i440fx_fuzz.o
-fuzz-obj-y += tests/qtest/fuzz/virtio_net_fuzz.o
-fuzz-obj-y += tests/qtest/fuzz/virtio_scsi_fuzz.o
+fuzz-obj-$(CONFIG_PCI_I440FX) += tests/qtest/fuzz/i440fx_fuzz.o
+fuzz-obj-$(CONFIG_VIRTIO_NET) += tests/qtest/fuzz/virtio_net_fuzz.o
+fuzz-obj-$(CONFIG_SCSI) += tests/qtest/fuzz/virtio_scsi_fuzz.o
FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
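Review bot: The virtio-scsi target on the last added line is gated on `CONFIG_SCSI`, which is broader than the device the harness drives. A configuration with SCSI support but without virtio-scsi would presumably still link `virtio_scsi_fuzz.o`, which is the situation the commit message says this change removes. Gating on the device's own symbol would match the other two lines: `fuzz-obj-$(CONFIG_VIRTIO_SCSI) += tests/qtest/fuzz/virtio_scsi_fuzz.o`. A short comment under `# Targets` would also help, saying that a target is left out of the fuzz binary when its symbol is off, so that a missing target is not mistaken for a clean run.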
diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c
index ab5f112..bcd6769 100644
--- a/tests/qtest/fuzz/i440fx_fuzz.c
+++ b/tests/qtest/fuzz/i440fx_fuzz.c
@@ -39,18 +39,17 @@ enum action_id {
ACTION_MAX
};
-static void i440fx_fuzz_qtest(QTestState *s,
+static void ioport_fuzz_qtest(QTestState *s,
const unsigned char *Data, size_t Size) {
/*
* loop over the Data, breaking it up into actions. each action has an
* opcode, address offset and value
*/
- typedef struct QTestFuzzAction {
+ struct {
uint8_t opcode;
uint8_t addr;
uint32_t value;
- } QTestFuzzAction;
- QTestFuzzAction a;
+ } a;
while (Size >= sizeof(a)) {
/* make a copy of the action so we can normalize the values in-place */
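Review bot: The anonymous `struct { uint8_t opcode; uint8_t addr; uint32_t value; } a;` doubles as the fuzz input record, because the loop is bounded by `sizeof(a)` and the comment says each action is copied into it, yet nothing documents that dependency. On common ABIs the compiler places two padding bytes before `value`, so part of every record is probably ignored and the record size follows the target's alignment rules, which matters when a saved crash input is replayed on a different build. I would add a comment above the struct such as `/* in-memory layout (padding included) is the input format; keep it stable for corpus replay */`. The same applies to the struct in pciconfig_fuzz_qos in the next hunk, where `memcpy(&a, Data, sizeof(a))` is visible and `int devfn` adds another implementation-sized field. The body of ioport_fuzz_qtest continues past the end of this hunk.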
@@ -85,25 +84,26 @@ static void i440fx_fuzz_qtest(QTestState *s,
flush_events(s);
}
-static void i440fx_fuzz_qos(QTestState *s,
+static void i440fx_fuzz_qtest(QTestState *s,
+ const unsigned char *Data,
+ size_t Size)
+{
+ ioport_fuzz_qtest(s, Data, Size);
+}
+
+static void pciconfig_fuzz_qos(QTestState *s, QPCIBus *bus,
const unsigned char *Data, size_t Size) {
/*
- * Same as i440fx_fuzz_qtest, but using QOS. devfn is incorporated into the
+ * Same as ioport_fuzz_qtest, but using QOS. devfn is incorporated into the
* value written over Port IO
*/
- typedef struct QOSFuzzAction {
+ struct {
uint8_t opcode;
uint8_t offset;
int devfn;
uint32_t value;
- } QOSFuzzAction;
-
- static QPCIBus *bus;
- if (!bus) {
- bus = qpci_new_pc(s, fuzz_qos_alloc);
- }
+ } a;
- QOSFuzzAction a;
while (Size >= sizeof(a)) {
memcpy(&a, Data, sizeof(a));
switch (a.opcode % ACTION_MAX) {
@@ -132,6 +132,19 @@ static void i440fx_fuzz_qos(QTestState *s,
flush_events(s);
}
+static void i440fx_fuzz_qos(QTestState *s,
+ const unsigned char *Data,
+ size_t Size)
+{
+ static QPCIBus *bus;
+
+ if (!bus) {
+ bus = qpci_new_pc(s, fuzz_qos_alloc);
+ }
+
+ pciconfig_fuzz_qos(s, bus, Data, Size);
+}
+
static void i440fx_fuzz_qos_fork(QTestState *s,
const unsigned char *Data, size_t Size) {
if (fork() == 0) {
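Review bot: The function-static `bus` in the new i440fx_fuzz_qos is created from whichever `s` the first call receives and is reused on every later call, with no comment saying this is intended. If the harness ever passes a different QTestState (not visible from this hunk), pciconfig_fuzz_qos would presumably run against a bus created for the earlier one. A comment on the declaration would settle the contract, e.g. `/* created once per process; assumes s is the same QTestState on every call */`. i440fx_fuzz_qos_fork, which starts at the end of this hunk, continues outside it.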
@@ -159,7 +172,7 @@ static void register_pci_fuzz_targets(void)
/* Uses simple qtest commands and reboots to reset state */
fuzz_add_target(&(FuzzTarget){
.name = "i440fx-qtest-reboot-fuzz",
- .description = "Fuzz the i440fx using raw qtest commands and"
+ .description = "Fuzz the i440fx using raw qtest commands and "
"rebooting after each run",
.get_init_cmdline = i440fx_argv,
.fuzz = i440fx_fuzz_qtest});
@@ -167,7 +180,7 @@ static void register_pci_fuzz_targets(void)
/* Uses libqos and forks to prevent state leakage */
fuzz_add_qos_target(&(FuzzTarget){
.name = "i440fx-qos-fork-fuzz",
- .description = "Fuzz the i440fx using raw qtest commands and"
+ .description = "Fuzz the i440fx using raw qtest commands and "
"rebooting after each run",
.pre_vm_init = &fork_init,
.fuzz = i440fx_fuzz_qos_fork,},
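Review bot: The `.description` of "i440fx-qos-fork-fuzz" still reads "using raw qtest commands and rebooting after each run", which contradicts the comment directly above it ("Uses libqos and forks to prevent state leakage"); the commit fixes only the missing space. The next hunk has the same copied text for "i440fx-qos-noreset-fuzz", whose name says it does not reset. Since the description is what a user sees when choosing a target, it should say what each one does, for example `"Fuzz the i440fx using libqos helpers and forking for each run"` here and `"Fuzz the i440fx using libqos helpers without resetting between runs"` there. The wording is a suggestion; the enclosing register_pci_fuzz_targets starts and ends outside these hunks.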
@@ -182,7 +195,7 @@ static void register_pci_fuzz_targets(void)
*/
fuzz_add_qos_target(&(FuzzTarget){
.name = "i440fx-qos-noreset-fuzz",
- .description = "Fuzz the i440fx using raw qtest commands and"
+ .description = "Fuzz the i440fx using raw qtest commands and "
"rebooting after each run",
.fuzz = i440fx_fuzz_qos,},
"i440FX-pcihost",