aboutsummaryrefslogtreecommitdiff
path: root/tests/qtest/fuzz
AgeCommit message (Collapse)AuthorFilesLines
2023-07-03tests/qtests: clean-up and fix leak in generic_fuzzAlex Bennée1-10/+3
An update to the clang tooling detects more issues with the code including a memory leak from the g_string_new() allocation. Clean up the code to avoid the allocation and use ARRAY_SIZE while we are at it. Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Signed-off-by: Alex Bennée <alex.bennee@linaro.org> Message-Id: <20230630180423.558337-9-alex.bennee@linaro.org>
2023-03-10igb: Introduce qtest for igb deviceAkihiko Odaki1-0/+5
This change is derived from qtest for e1000e device. Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Acked-by: Thomas Huth <thuth@redhat.com> [Jason: make qtest work for win32 (only hotplug)] Signed-off-by: Jason Wang <jasowang@redhat.com>
2023-02-16fuzz: remove fork-fuzzing scaffoldingAlexander Bulekov4-123/+3
Fork-fuzzing provides a few pros, but our implementation prevents us from using fuzzers other than libFuzzer, and may be causing issues such as coverage-failure builds on OSS-Fuzz. It is not a great long-term solution as it depends on internal implementation details of libFuzzer (which is no longer in active development). Remove it in favor of other methods of resetting state between inputs. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2023-02-16fuzz/i440fx: remove fork-based fuzzerAlexander Bulekov1-26/+1
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2023-02-16fuzz/virtio-blk: remove fork-based fuzzerAlexander Bulekov1-44/+7
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2023-02-16fuzz/virtio-net: remove fork-based fuzzerAlexander Bulekov1-49/+5
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2023-02-16fuzz/virtio-scsi: remove fork-based fuzzerAlexander Bulekov1-44/+7
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2023-02-16fuzz/generic-fuzz: add a limit on DMA bytes writtenAlexander Bulekov1-0/+5
As we have repplaced fork-based fuzzing, with reboots - we can no longer use a timeout+exit() to avoid slow inputs. Libfuzzer has its own timer that it uses to catch slow inputs, however these timeouts are usually seconds-minutes long: more than enough to bog-down the fuzzing process. However, I found that slow inputs often attempt to fill overly large DMA requests. Thus, we can mitigate most timeouts by setting a cap on the total number of DMA bytes written by an input. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2023-02-16fuzz/generic-fuzz: use reboots instead of forks to reset stateAlexander Bulekov1-92/+22
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2023-02-16fuzz: add fuzz_reset APIAlexander Bulekov2-1/+7
As we are converting most fuzzers to rely on reboots to reset state, introduce an API to make sure reboots are invoked in a consistent manner. Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
2023-01-08include/hw/pci: Split pci_device.h off pci.hMarkus Armbruster1-0/+1
PCIDeviceClass and PCIDevice are defined in pci.h. Many users of the header don't actually need them. Similar structs live in their own headers: PCIBusClass and PCIBus in pci_bus.h, PCIBridge in pci_bridge.h, PCIHostBridgeClass and PCIHostState in pci_host.h, PCIExpressHost in pcie_host.h, and PCIERootPortClass, PCIEPort, and PCIESlot in pcie_port.h. Move PCIDeviceClass and PCIDeviceClass to new pci_device.h, along with the code that needs them. Adjust include directives. This also enables the next commit. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20221222100330.380143-6-armbru@redhat.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2022-12-14qapi qdev qom: Elide redundant has_FOO in generated CMarkus Armbruster1-2/+1
The has_FOO for pointer-valued FOO are redundant, except for arrays. They are also a nuisance to work with. Recent commit "qapi: Start to elide redundant has_FOO in generated C" provided the means to elide them step by step. This is the step for qapi/qdev.json and qapi/qom.json. Said commit explains the transformation in more detail. The invariant violations mentioned there do not occur here. Cc: Paolo Bonzini <pbonzini@redhat.com> Cc: Daniel P. Berrangé <berrange@redhat.com> Cc: Eduardo Habkost <eduardo@habkost.net> Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20221104160712.3005652-21-armbru@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
2022-09-27tests/qtest: virtio_blk_fuzz: Avoid using hardcoded /tmpBin Meng1-2/+2
This case was written to use hardcoded /tmp directory for temporary files. Update to use g_file_open_tmp() for a portable implementation. Signed-off-by: Bin Meng <bin.meng@windriver.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20220925113032.1949844-12-bmeng.cn@gmail.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-09-27tests/qtest: generic_fuzz: Avoid using hardcoded /tmpBin Meng1-2/+2
This case was written to use hardcoded /tmp directory for temporary files. Update to use g_dir_make_tmp() for a portable implementation. Signed-off-by: Bin Meng <bin.meng@windriver.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20220925113032.1949844-11-bmeng.cn@gmail.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-09-23ui/cocoa: Run qemu_init in the main threadAkihiko Odaki1-1/+1
This work is based on: https://patchew.org/QEMU/20220317125534.38706-1-philippe.mathieu.daude@gmail.com/ Simplify the initialization dance by running qemu_init() in the main thread before the Cocoa event loop starts. The secondary thread only runs only qemu_main_loop() and qemu_cleanup(). This fixes a case where addRemovableDevicesMenuItems() calls qmp_query_block() while expecting the main thread to still hold the BQL. Overriding the code after calling qemu_init() is done by dynamically replacing a function pointer variable, qemu_main when initializing ui/cocoa, which unifies the static implementation of main() for builds with ui/cocoa and ones without ui/cocoa. Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com> Message-Id: <20220819132756.74641-2-akihiko.odaki@gmail.com> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2022-08-29tests/qtest: libqos: Rename malloc.h to libqos-malloc.hXuzhou Cheng1-1/+1
The qtest/libqos directory is included via the "-I" option to search for header files when building qtest. Unfortunately the malloc.h has a name conflict with the standard libc header, leading to a build failure on the Windows host, due to the MinGW libc stdlib.h header file includes malloc.h and it now gets wrongly pointed to the one in the qtest/libqos directory. Rename "qtest/libqos/malloc.h" to "qtest/libqos/libqos-malloc.h" to avoid the namespace pollution. Signed-off-by: Xuzhou Cheng <xuzhou.cheng@windriver.com> Signed-off-by: Bin Meng <bin.meng@windriver.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20220824094029.1634519-26-bmeng.cn@gmail.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-08-25tests/qtest: Use g_mkdtemp()Bin Meng1-1/+1
Windows does not provide a mkdtemp() API, but glib does. Replace mkdtemp() call with the glib version. Signed-off-by: Bin Meng <bin.meng@windriver.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20220824094029.1634519-3-bmeng.cn@gmail.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-08-25tests/qtest: Use g_setenv()Bin Meng1-4/+4
Windows does not provide a setenv() API, but glib does. Replace setenv() call with the glib version. Signed-off-by: Bin Meng <bin.meng@windriver.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20220824094029.1634519-2-bmeng.cn@gmail.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2022-07-13datadir: Use bundle mechanismAkihiko Odaki1-18/+0
softmmu/datadir.c had its own implementation to find files in the build tree, but now bundle mechanism provides the unified implementation which works for datadir and the other files. Signed-off-by: Akihiko Odaki <akihiko.odaki@gmail.com> Message-Id: <20220624145039.49929-4-akihiko.odaki@gmail.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2022-06-15vfio-user: handle PCI BAR accessesJagannathan Raman1-4/+5
Determine the BARs used by the PCI device and register handlers to manage the access to the same. Signed-off-by: Elena Ufimtseva <elena.ufimtseva@oracle.com> Signed-off-by: John G Johnson <john.g.johnson@oracle.com> Signed-off-by: Jagannathan Raman <jag.raman@oracle.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Message-id: 3373e10b5be5f42846f0632d4382466e1698c505.1655151679.git.jag.raman@oracle.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2022-05-28include: move qemu_*_exec_dir() to cutilsMarc-André Lureau1-0/+1
The function is required by get_relocated_path() (already in cutils), and used by qemu-ga and may be generally useful. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20220525144140.591926-2-marcandre.lureau@redhat.com>
2022-05-11Clean up header guards that don't match their file nameMarkus Armbruster1-3/+2
Header guard symbols should match their file name to make guard collisions less likely. Cleaned up with scripts/clean-header-guards.pl, followed by some renaming of new guard symbols picked by the script to better ones. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20220506134911.2856099-2-armbru@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> [Change to generated file ebpf/rss.bpf.skeleton.h backed out]
2022-05-03Replace fcntl(O_NONBLOCK) with g_unix_set_fd_nonblocking()Marc-André Lureau1-1/+1
Suggested-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
2022-05-03tests: move libqtest.h back under qtest/Marc-André Lureau8-8/+8
Since commit a2ce7dbd917 ("meson: convert tests/qtest to meson"), libqtest.h is under libqos/ directory, while libqtest.c is still in qtest/. Move back to its original location to avoid mixing with libqos/. Suggested-by: Thomas Huth <thuth@redhat.com> Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
2022-04-21tests/fuzz: fix warningMarc-André Lureau1-2/+0
../tests/qtest/fuzz/generic_fuzz.c:746:17: warning: variable 'name' set but not used [-Wunused-but-set-variable] Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20220420132624.2439741-42-marcandre.lureau@redhat.com>
2022-04-06Remove qemu-common.h include from most unitsMarc-André Lureau1-1/+0
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20220323155743.1585078-33-marcandre.lureau@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-10-14configure, meson: move fuzzing configuration to MesonPaolo Bonzini1-1/+5
Cc: Alexander Oleinik <alxndr@bu.edu> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Tested-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20211007130829.632254-2-pbonzini@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-09-01fuzz: unblock SIGALRM so the timeout worksAlexander Bulekov1-0/+5
The timeout mechanism won't work if SIGALRM is blocked. This changes unmasks SIGALRM when the timer is installed. This doesn't completely solve the problem, as the fuzzer could trigger some device activity that re-masks SIGALRM. However, there are currently no inputs on OSS-Fuzz that re-mask SIGALRM and timeout. If that turns out to be a real issue, we could try to hook sigmask-type calls, or use a separate timer thread. Based-on: <20210713150037.9297-1-alxndr@bu.edu> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2021-09-01fuzz: use ITIMER_REAL for timeoutsAlexander Bulekov1-1/+1
Using ITIMER_VIRTUAL is a bad idea, if the fuzzer hits a blocking syscall - e.g. ppoll with a NULL timespec. This causes timeout issues while fuzzing some block-device code. Fix that by using wall-clock time. This might cause inputs to timeout sometimes due to scheduling effects/ambient load, but it is better than bringing the entire fuzzing process to a halt. Based-on: <20210713150037.9297-1-alxndr@bu.edu> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
2021-09-01fuzz: make object-name matching case-insensitiveAlexander Bulekov1-4/+20
We have some configs for devices such as the AC97 and ES1370 that were not matching memory-regions correctly, because the configs provided lowercase names. To resolve these problems and prevent them from occurring again in the future, convert both the pattern and names to lower-case, prior to checking for a match. Suggested-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
2021-09-01fuzz: adjust timeout to allow for longer inputsAlexander Bulekov1-4/+9
Using a custom timeout is useful to continue fuzzing complex devices, even after we run into some slow code-path. However, simply adding a fixed timeout to each input effectively caps the maximum input length/number of operations at some artificial value. There are two major problems with this: 1. Some code might only be reachable through long IO sequences. 2. Longer inputs can actually be _better_ for performance. While the raw number of fuzzer executions decreases with larger inputs, the number of MMIO/PIO/DMA operation/second actually increases, since were are speding proportionately less time fork()ing. With this change, we keep the custom-timeout, but we renew it, prior to each MMIO/PIO/DMA operation. Thus, we time-out only when a specific operation takes a long time. Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
2021-09-01fuzz: fix sparse memory access in the DMA callbackAlexander Bulekov1-3/+10
The code mistakenly relied on address_space_translate to store the length remaining until the next memory-region. We care about this because when there is RAM or sparse-memory neighboring on an MMIO region, we should only write up to the border, to prevent inadvertently invoking MMIO handlers within the DMA callback. However address_space_translate_internal only stores the length until the end of the MemoryRegion if memory_region_is_ram(mr). Otherwise the *len is left unmodified. This caused some false-positive issues, where the fuzzer found a way to perform a nested MMIO write through a DMA callback on an [address, length] that started within sparse memory and spanned some device MMIO regions. To fix this, write to sparse memory in small chunks of memory_access_size (similar to the underlying address_space_write code), which will prevent accidentally hitting MMIO handlers through large writes. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2021-06-21fuzz: Display hexadecimal value with '0x' prefixPhilippe Mathieu-Daudé1-2/+2
Use memory_region_size() to get the MemoryRegion size, and display it with the '0x' prefix. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Laurent Vivier <laurent@vivier.eu> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210612195842.1595999-1-f4bug@amsat.org> Signed-off-by: Thomas Huth <thuth@redhat.com>
2021-06-21Remove leading underscores from QEMU definesAhmed Abouzied1-2/+2
Leading underscores followed by a capital letter or underscore are reserved by the C standard. Resolves: https://gitlab.com/qemu-project/qemu/-/issues/369 Signed-off-by: Ahmed Abouzied <email@aabouzied.com> Message-Id: <20210605174938.13782-1-email@aabouzied.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2021-05-26tests/qtest/fuzz: Fix build failurePhilippe Mathieu-Daudé1-0/+1
On Fedora 32, using clang (version 10.0.1-3.fc32) we get: tests/qtest/fuzz/fuzz.c:237:5: error: implicit declaration of function 'qemu_init' is invalid in C99 [-Werror,-Wimplicit-function-declaration] qemu_init(result.we_wordc, result.we_wordv, NULL); ^ qemu_init() is declared in "sysemu/sysemu.h", include this header to fix. Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com> Message-Id: <20210513162008.3922223-1-philmd@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-05-02Do not include exec/address-spaces.h if it's not really necessaryThomas Huth2-3/+0
Stop including exec/address-spaces.h in files that don't need it. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210416171314.2074665-5-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-05-02Do not include sysemu/sysemu.h if it's not really necessaryThomas Huth2-2/+0
Stop including sysemu/sysemu.h in files that don't need it. Signed-off-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210416171314.2074665-2-thuth@redhat.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
2021-03-23memory: Add offset_in_region to flatview_cb argumentsPeter Maydell1-1/+4
The function flatview_for_each_range() calls a callback for each range in a FlatView. Currently the callback gets the start and length of the range and the MemoryRegion involved, but not the offset within the MemoryRegion. Add this to the callback's arguments; we're going to want it for a new use in the next commit. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20210318174823.18066-4-peter.maydell@linaro.org
2021-03-23memory: Make flatview_cb return bool, not intPeter Maydell1-4/+4
The return value of the flatview_cb callback passed to the flatview_for_each_range() function is zero if the iteration through the ranges should continue, or non-zero to break out of it. Use a bool for this rather than int. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Message-id: 20210318174823.18066-2-peter.maydell@linaro.org
2021-03-19fuzz: Avoid deprecated misuse of -drive if=sdMarkus Armbruster1-1/+1
qemu-fuzz-i386-target-generic-fuzz-sdhci-v3 uses -drive=sd where it should use -drive if=none instead. This prints a deprecation warning: $ ./build-oss-fuzz/DEST_DIR/qemu-fuzz-i386-target-generic-fuzz-sdhci-v3 -runs=1 -seed=1 [ASan warnings snipped...] --> i386: -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive: warning: bogus if=sd is deprecated, use if=none INFO: Seed: 1 [More normal output snipped...] Support for this usage will be gone soon. Adjust the test. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <20210319132008.1830950-1-armbru@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
2021-03-16fuzz: configure a sparse-mem device, by defaultAlexander Bulekov1-3/+11
The generic-fuzzer often provides randomized DMA addresses to virtual-devices. For a 64-bit address-space, the chance of these randomized addresses coinciding with RAM regions, is fairly small. Even though the fuzzer's instrumentation eventually finds valid addresses, this can take some-time, and slows-down fuzzing progress (especially, when multiple DMA buffers are involved). To work around this, create "fake" sparse-memory that spans all of the 64-bit address-space. Adjust the DMA call-back to populate this sparse memory, correspondingly Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-03-16fuzz: add a am53c974 generic-fuzzer configAlexander Bulekov1-0/+6
Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-03-16fuzz: don't leave orphan llvm-symbolizers aroundAlexander Bulekov1-0/+15
I noticed that with a sufficiently small timeout, the fuzzer fork-server sometimes locks up. On closer inspection, the issue appeared to be caused by entering our SIGALRM handler, while libfuzzer is in it's crash handlers. Because libfuzzer relies on pipe communication with an external child process to print out stack-traces, we shouldn't exit early, and leave an orphan child. Check for children in the SIGALRM handler to avoid this issue. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Acked-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-03-16fuzz: fix the pro100 generic-fuzzer configAlexander Bulekov1-1/+1
The device-type names for the pro100 network cards, are i8255.. We were matching "eepro", which catches the PCI PIO/MMIO regions for those devices, however misses the actual PCI device, which we use to map the BARs, before fuzzing. Fix that Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2021-02-08fuzz: add virtio-9p configurations for fuzzingAlexander Bulekov1-0/+20
virtio-9p devices are often used to expose a virtual-filesystem to the guest. There have been some bugs reported in this device, such as CVE-2018-19364, and CVE-2021-20181. We should fuzz this device This patch adds two virtio-9p configurations: * One with the widely used -fsdev local driver. This driver leaks some state in the form of files/directories created in the shared dir. * One with the synth driver. While it is not used in the real world, this driver won't leak leak state between fuzz inputs. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20210117230924.449676-4-alxndr@bu.edu>
2021-02-08fuzz: enable dynamic args for generic-fuzz configsAlexander Bulekov2-1/+10
For some device configurations, it is useful to configure some resources, and adjust QEMU arguments at runtime, prior to fuzzing. This patch adds an "argfunc" to generic the generic_fuzz_config. When specified, it is responsible for configuring the resources and returning a string containing the corresponding QEMU arguments. This can be useful for targets that rely on e.g.: * a temporary qcow2 image * a temporary directory * an unused TCP port used to bind the VNC server Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210117230924.449676-2-alxndr@bu.edu>
2021-02-08fuzz: log the arguments used to initialize QEMUAlexander Bulekov1-1/+10
This is useful for building reproducers. Instead checking the code or the QEMU_FUZZ_ARGS, the arguments are at the top of the crash log. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Thomas Huth <thuth@redhat.com> Message-Id: <20210117201014.271610-3-alxndr@bu.edu>
2021-02-08fuzz: refine the ide/ahci fuzzer configsAlexander Bulekov1-1/+19
Disks work differently depending on the x86 machine type (SATA vs PATA). Additionally, we should fuzz the atapi code paths, which might contain vulnerabilities such as CVE-2020-29443. This patch adds hard-disk and cdrom generic-fuzzer configs for both the pc (PATA) and q35 (SATA) machine types. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Acked-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20210120152211.109782-1-alxndr@bu.edu>
2021-02-08fuzz: ignore address_space_map is_write flagAlexander Bulekov1-6/+3
We passed an is_write flag to the fuzz_dma_read_cb function to differentiate between the mapped DMA regions that need to be populated with fuzzed data, and those that don't. We simply passed through the address_space_map is_write parameter. The goal was to cut down on unnecessarily populating mapped DMA regions, when they are not read from. Unfortunately, nothing precludes code from reading from regions mapped with is_write=true. For example, see: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg04729.html This patch removes the is_write parameter to fuzz_dma_read_cb. As a result, we will fill all mapped DMA regions with fuzzed data, ignoring the specified transfer direction. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20210120060255.558535-1-alxndr@bu.edu>
2021-01-11fuzz: map all BARs and enable PCI devicesAlexander Bulekov1-0/+24
Prior to this patch, the fuzzer found inputs to map PCI device BARs and enable the device. While it is nice that the fuzzer can do this, it added significant overhead, since the fuzzer needs to map all the BARs (regenerating the memory topology), at the start of each input. With this patch, we do this once, before fuzzing, mitigating some of this overhead. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Message-Id: <20201221181203.1853-1-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>