Diffstat (limited to 'tests')
-rw-r--r-- | tests/qtest/fuzz/Makefile.include | 6 | ||||
-rw-r--r-- | tests/qtest/fuzz/i440fx_fuzz.c | 47 |
2 files changed, 33 insertions, 20 deletions
diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include index cde3e96..f259d86 100644 --- a/tests/qtest/fuzz/Makefile.include +++ b/tests/qtest/fuzz/Makefile.include @@ -7,9 +7,9 @@ fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o # Targets -fuzz-obj-y += tests/qtest/fuzz/i440fx_fuzz.o -fuzz-obj-y += tests/qtest/fuzz/virtio_net_fuzz.o -fuzz-obj-y += tests/qtest/fuzz/virtio_scsi_fuzz.o +fuzz-obj-$(CONFIG_PCI_I440FX) += tests/qtest/fuzz/i440fx_fuzz.o +fuzz-obj-$(CONFIG_VIRTIO_NET) += tests/qtest/fuzz/virtio_net_fuzz.o +fuzz-obj-$(CONFIG_SCSI) += tests/qtest/fuzz/virtio_scsi_fuzz.o FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c index ab5f112..bcd6769 100644 --- a/tests/qtest/fuzz/i440fx_fuzz.c +++ b/tests/qtest/fuzz/i440fx_fuzz.c @@ -39,18 +39,17 @@ enum action_id { ACTION_MAX }; -static void i440fx_fuzz_qtest(QTestState *s, +static void ioport_fuzz_qtest(QTestState *s, const unsigned char *Data, size_t Size) { /* * loop over the Data, breaking it up into actions. each action has an * opcode, address offset and value */ - typedef struct QTestFuzzAction { + struct { uint8_t opcode; uint8_t addr; uint32_t value; - } QTestFuzzAction; - QTestFuzzAction a; + } a; while (Size >= sizeof(a)) { /* make a copy of the action so we can normalize the values in-place */ 
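Review bot: The guard for virtio_scsi_fuzz.o is `$(CONFIG_SCSI)`, the generic SCSI-subsystem symbol, while the two lines above it use the exact device symbol (CONFIG_PCI_I440FX, CONFIG_VIRTIO_NET); a target configuration could enable SCSI without virtio-scsi and this object would still be built and register a fuzz target for a device that is absent. If the build exposes a virtio-scsi-specific symbol, `fuzz-obj-$(CONFIG_VIRTIO_SCSI) += tests/qtest/fuzz/virtio_scsi_fuzz.o` would be the tighter guard; I cannot confirm that symbol's name from this hunk. A one-line comment under `# Targets` stating that each fuzz object is gated on the device it exercises would make the intent clear to whoever adds the next target.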
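Review bot: The new anonymous `struct { uint8_t opcode; uint8_t addr; uint32_t value; } a;` is copied straight from `Data` each iteration (per the comment that closes this hunk), so its in-memory layout — including the padding an ABI typically inserts between `addr` and `value` — is the fuzz input format, and nothing says so. I would add above the declaration: `/* One action per sizeof(a) bytes of Data; any padding between addr and value is consumed but ignored. */`. This is hedged because the exact padding depends on the ABI, which the hunk cannot show. The body of ioport_fuzz_qtest continues past the end of this hunk.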
@@ -85,25 +84,26 @@ static void i440fx_fuzz_qtest(QTestState *s, flush_events(s); } -static void i440fx_fuzz_qos(QTestState *s, +static void i440fx_fuzz_qtest(QTestState *s, + const unsigned char *Data, + size_t Size) +{ + ioport_fuzz_qtest(s, Data, Size); +} + +static void pciconfig_fuzz_qos(QTestState *s, QPCIBus *bus, const unsigned char *Data, size_t Size) { /* - * Same as i440fx_fuzz_qtest, but using QOS. devfn is incorporated into the + * Same as ioport_fuzz_qtest, but using QOS. devfn is incorporated into the * value written over Port IO */ - typedef struct QOSFuzzAction { + struct { uint8_t opcode; uint8_t offset; int devfn; uint32_t value; - } QOSFuzzAction; - - static QPCIBus *bus; - if (!bus) { - bus = qpci_new_pc(s, fuzz_qos_alloc); - } + } a; - QOSFuzzAction a; while (Size >= sizeof(a)) { memcpy(&a, Data, sizeof(a)); switch (a.opcode % ACTION_MAX) { @@ -132,6 +132,19 @@ static void i440fx_fuzz_qos(QTestState *s, flush_events(s); } +static void i440fx_fuzz_qos(QTestState *s, + const unsigned char *Data, + size_t Size) +{ + static QPCIBus *bus; + + if (!bus) { + bus = qpci_new_pc(s, fuzz_qos_alloc); + } + + pciconfig_fuzz_qos(s, bus, Data, Size); +} + static void i440fx_fuzz_qos_fork(QTestState *s, const unsigned char *Data, size_t Size) { if (fork() == 0) { @@ -159,7 +172,7 @@ static void register_pci_fuzz_targets(void) /* Uses simple qtest commands and reboots to reset state */ fuzz_add_target(&(FuzzTarget){ .name = "i440fx-qtest-reboot-fuzz", - .description = "Fuzz the i440fx using raw qtest commands and" + .description = "Fuzz the i440fx using raw qtest commands and " "rebooting after each run", .get_init_cmdline = i440fx_argv, .fuzz = i440fx_fuzz_qtest}); 
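Review bot: `pciconfig_fuzz_qos` gains a `QPCIBus *bus` parameter but no comment on who owns the bus or how long it must stay valid; the only explanation left is the body comment, which describes devfn rather than the new parameter. I would add above the signature: `/* Drive PCI config-space accesses on @bus from the fuzz input; @bus is owned by the caller and must outlive the call. */`. With this function and `ioport_fuzz_qtest` now named generically, any plan to reuse them from other targets will require moving them out of `static` scope into a shared header; whether that is intended is not visible here. The remainder of the function body lies outside the hunk.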
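Review bot: The `static QPCIBus *bus` in `i440fx_fuzz_qos` is created on first use and then kept for the life of the process with no comment explaining the caching, and it is never released. I would add `/* Created on first use and reused by every fuzz iteration; never freed, since the process exits when the fuzzer finishes. */` — hedged, because no teardown path is in this hunk. Since `i440fx_fuzz_qos_fork` calls `fork()` (its body continues past this hunk), whether the bus is created in the parent or only in a short-lived child depends on where this function is invoked relative to the fork, and one sentence in the same comment should state which is intended.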
@@ -167,7 +180,7 @@ static void register_pci_fuzz_targets(void) /* Uses libqos and forks to prevent state leakage */ fuzz_add_qos_target(&(FuzzTarget){ .name = "i440fx-qos-fork-fuzz", - .description = "Fuzz the i440fx using raw qtest commands and" + .description = "Fuzz the i440fx using raw qtest commands and " "rebooting after each run", .pre_vm_init = &fork_init, .fuzz = i440fx_fuzz_qos_fork,}, @@ -182,7 +195,7 @@ static void register_pci_fuzz_targets(void) */ fuzz_add_qos_target(&(FuzzTarget){ .name = "i440fx-qos-noreset-fuzz", - .description = "Fuzz the i440fx using raw qtest commands and" + .description = "Fuzz the i440fx using raw qtest commands and " "rebooting after each run", .fuzz = i440fx_fuzz_qos,}, "i440FX-pcihost", |
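Review bot: The repaired `.description` for i440fx-qos-fork-fuzz still reads "Fuzz the i440fx using raw qtest commands and rebooting after each run", which contradicts both the target name and the comment just above it ("Uses libqos and forks to prevent state leakage"); the commit only adds the missing space. Proposed: `.description = "Fuzz the i440fx using libqos, forking before each run to prevent state leakage",`.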
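Review bot: The repaired `.description` for i440fx-qos-noreset-fuzz also says "rebooting after each run", which is precisely what a "noreset" target does not do, so anything that prints these descriptions will mislead a user into assuming runs are isolated. Proposed: `.description = "Fuzz the i440fx using libqos with no reset between runs",`. The comment block introducing this target starts before the hunk, so I cannot check whether it already describes the state carry-over.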