From patchwork Wed Aug 19 06:10:59 2020
X-Patchwork-Submitter: Alexander Bulekov
X-Patchwork-Id: 276082
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v2 04/15] fuzz: Add DMA support to the generic-fuzzer
Date: Wed, 19 Aug 2020 02:10:59 -0400
Message-Id: <20200819061110.1320568-5-alxndr@bu.edu>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200819061110.1320568-1-alxndr@bu.edu>
References: <20200819061110.1320568-1-alxndr@bu.edu>
Cc: Laurent Vivier, Thomas Huth, Alexander Bulekov, f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, Paolo Bonzini

When a virtual device tries to access some buffer in memory over DMA, we add call-backs into the fuzzer (next commit). The fuzzer verifies that the DMA request maps to a physical RAM address and fills the memory with fuzzer-provided data. The patterns that we use to fill this memory are specified using add_dma_pattern and clear_dma_patterns operations.

Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/general_fuzz.c | 178 ++++++++++++++++++++++++++++++++ 1 file changed, 178 insertions(+) diff --git a/tests/qtest/fuzz/general_fuzz.c b/tests/qtest/fuzz/general_fuzz.c index 17b572a439..36d41acea0 100644 --- a/tests/qtest/fuzz/general_fuzz.c +++ b/tests/qtest/fuzz/general_fuzz.c @@ -25,6 +25,8 @@ #include "exec/address-spaces.h" #include "hw/qdev-core.h" #include "hw/pci/pci.h" +#include "hw/boards.h" +#include "exec/memory-internal.h" /* * SEPARATOR is used to separate "operations" in the fuzz input @@ -38,12 +40,16 @@ enum cmds{ OP_WRITE, OP_PCI_READ, OP_PCI_WRITE, + OP_ADD_DMA_PATTERN, + OP_CLEAR_DMA_PATTERNS, OP_CLOCK_STEP, }; #define DEFAULT_TIMEOUT_US 100000 #define USEC_IN_SEC 100000000 +#define MAX_DMA_FILL_SIZE 0x10000 + #define PCI_HOST_BRIDGE_CFG 0xcf8 #define PCI_HOST_BRIDGE_DATA 0xcfc 
@@ -53,6 +59,24 @@ typedef struct { } address_range; static useconds_t timeout = 100000; +/* + * A pattern used to populate a DMA region or perform a memwrite. This is + * useful for e.g. populating tables of unique addresses. + * Example {.index = 1; .stride = 2; .len = 3; .data = "\x00\x01\x02"} + * Renders as: 00 01 02 00 03 03 00 05 03 00 07 03 ... + */ +typedef struct { + uint8_t index; /* Index of a byte to increment by stride */ + uint8_t stride; /* Increment each index'th byte by this amount */ + size_t len; + const uint8_t *data; +} pattern; + +/* Avoid filling the same DMA region between MMIO/PIO commands ? */ +static bool avoid_double_fetches; + +static QTestState *qts_global; /* Need a global for the DMA callback */ + /* * List of memory regions that are children of QOM objects specified by the * user for fuzzing. 
@@ -60,6 +84,116 @@ static useconds_t timeout = 100000; static GPtrArray *fuzzable_memoryregions; static GPtrArray *fuzzable_pci_devices; +/* + * List of dma regions populated since the last fuzzing command. Used to ensure + * that we only write to each DMA address once, to avoid race conditions when + * building reproducers. + */ +static GArray *dma_regions; + +static GArray *dma_patterns; +static int dma_pattern_index; + +void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write); + +/* + * Allocate a block of memory and populate it with a pattern. + */ +static void *pattern_alloc(pattern p, size_t len) +{ + int i; + uint8_t *buf = g_malloc(len); + uint8_t sum = 0; + + for (i = 0; i < len; ++i) { + buf[i] = p.data[i % p.len]; + if ((i % p.len) == p.index) { + buf[i] += sum; + sum += p.stride; + } + } + return buf; +} + +/* + * Call-back for functions that perform DMA reads from guest memory. Confirm + * that the region has not already been populated since the last loop in + * general_fuzz(), avoiding potential race-conditions, which we don't have + * a good way for reproducing right now. + */ +void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write) +{ + /* Are we in the general-fuzzer or are we using another fuzz-target? */ + if (!qts_global) { + return; + } + + /* + * Return immediately if: + * - We have no DMA patterns defined + * - The length of the DMA read request is zero + * - The DMA read is hitting an MR other than the machine's main RAM + * - The DMA request is not a read (what happens for a address_space_map + * with is_write=True? Can the device use the same pointer to do reads?) 
+ * - The DMA request hits past the bounds of our RAM + */ + if (dma_patterns->len == 0 + || len == 0 + || (mr != MACHINE(qdev_get_machine())->ram && !(mr->ops == &unassigned_mem_ops)) + || is_write + || addr > current_machine->ram_size) { + return; + } + + /* + * If we overlap with any existing dma_regions, split the range and only + * populate the non-overlapping parts. + */ + for (int i = 0; i < dma_regions->len && avoid_double_fetches; ++i) { + address_range region = g_array_index(dma_regions, address_range, i); + if (addr < region.addr + region.len && addr + len > region.addr) { + if (addr < region.addr) { + fuzz_dma_read_cb(addr, region.addr - addr, mr, is_write); + } + if (addr + len > region.addr + region.len) { + fuzz_dma_read_cb(region.addr + region.len, + addr + len - (region.addr + region.len), mr, is_write); + } + return; + } + } + + /* Cap the length of the DMA access to something reasonable */ + len = MIN(len, MAX_DMA_FILL_SIZE); + + address_range ar = {addr, len}; + g_array_append_val(dma_regions, ar); + pattern p = g_array_index(dma_patterns, pattern, dma_pattern_index); + void *buf = pattern_alloc(p, ar.len); + if (getenv("QTEST_LOG")) { + /* + * With QTEST_LOG, use a normal, slow QTest memwrite. Prefix the log + * that will be written by qtest.c with a DMA tag, so we can reorder + * the resulting QTest trace so the DMA fills precede the last PIO/MMIO + * command. + */ + fprintf(stderr, "[DMA] "); + fflush(stderr); + qtest_memwrite(qts_global, ar.addr, buf, ar.len); + } else { + /* + * Populate the region using address_space_write_rom to avoid writing to + * any IO MemoryRegions + */ + address_space_write_rom(first_cpu->as, ar.addr, MEMTXATTRS_UNSPECIFIED, + buf, ar.len); + } + free(buf); + + /* Increment the index of the pattern for the next DMA access */ + dma_pattern_index = (dma_pattern_index + 1) % dma_patterns->len; +} + /* * Here we want to convert a fuzzer-provided [io-region-index, offset] to * a physical address. 
To do this, we iterate over all of the matched @@ -350,6 +484,35 @@ static void op_pci_write(QTestState *s, const unsigned char * data, size_t len) } } +static void op_add_dma_pattern(QTestState *s, + const unsigned char *data, size_t len) +{ + struct { + /* + * index and stride can be used to increment the index-th byte of the + * pattern by the value stride, for each loop of the pattern. + */ + uint8_t index; + uint8_t stride; + } a; + + if (len < sizeof(a) + 1) { + return; + } + memcpy(&a, data, sizeof(a)); + pattern p = {a.index, a.stride, len - sizeof(a), data + sizeof(a)}; + p.index = a.index % p.len; + g_array_append_val(dma_patterns, p); + return; +} + +static void op_clear_dma_patterns(QTestState *s, + const unsigned char *data, size_t len) +{ + g_array_set_size(dma_patterns, 0); + dma_pattern_index = 0; +} + static void op_clock_step(QTestState *s, const unsigned char *data, size_t len) { qtest_clock_step_next(s); @@ -396,6 +559,8 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) [OP_WRITE] = op_write, [OP_PCI_READ] = op_pci_read, [OP_PCI_WRITE] = op_pci_write, + [OP_ADD_DMA_PATTERN] = op_add_dma_pattern, + [OP_CLEAR_DMA_PATTERNS] = op_clear_dma_patterns, [OP_CLOCK_STEP] = op_clock_step, }; const unsigned char *cmd = Data; @@ -425,6 +590,8 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) setitimer(ITIMER_VIRTUAL, &timer, NULL); } + op_clear_dma_patterns(s, NULL, 0); + while (cmd && Size) { /* Get the length until the next command or end of input */ nextcmd = memmem(cmd, Size, SEPARATOR, strlen(SEPARATOR)); @@ -441,6 +608,7 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) /* Advance to the next command */ cmd = nextcmd ? nextcmd + sizeof(SEPARATOR) - 1 : nextcmd; Size = Size - (cmd_len + sizeof(SEPARATOR) - 1); + g_array_set_size(dma_regions, 0); } _Exit(0); } else { 
@@ -455,6 +623,9 @@ static void usage(void) printf("QEMU_FUZZ_ARGS= the command line arguments passed to qemu\n"); printf("QEMU_FUZZ_OBJECTS= " "a space separated list of QOM type names for objects to fuzz\n"); + printf("Optionally: QEMU_AVOID_DOUBLE_FETCH= " + "Try to avoid racy DMA double fetch bugs? %d by default\n", + avoid_double_fetches); printf("Optionally: QEMU_FUZZ_TIMEOUT= Specify a custom timeout (us). " "0 to disable. %d by default\n", timeout); exit(0); 
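Review bot: in the `pattern` typedef comment, the rendered bytes do not match what pattern_alloc() produces. Only the index-th byte of each repetition is incremented (buf[i] += sum when i % p.len == p.index), so for {.index = 1, .stride = 2, .len = 3, .data = "\x00\x01\x02"} the output is 00 01 02 00 03 02 00 05 02 00 07 02, not "00 01 02 00 03 03 00 05 03 00 07 03" (the third byte of each group stays 02). Please correct the example, since it is what anyone hand-crafting a DMA pattern will copy from. In the same hunk, the comment on avoid_double_fetches ("Avoid filling the same DMA region between MMIO/PIO commands ?") reads as an open question; state what the flag does and that it is set from QEMU_AVOID_DOUBLE_FETCH.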
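Review bot: the range check in fuzz_dma_read_cb() only looks at the start address, `addr > current_machine->ram_size`, so a read that starts inside RAM but extends past ram_size is still accepted, and `addr == ram_size` slips through because the test is `>` rather than `>=`. Rejecting `addr >= current_machine->ram_size` and then clamping `len` to `current_machine->ram_size - addr` (before the MAX_DMA_FILL_SIZE cap) handles both and keeps the recorded dma_regions entry honest about what was actually filled. Two smaller things in the same function: pattern_alloc() allocates with g_malloc() but the buffer is released with free(); use g_free(). And pattern_alloc() walks a size_t len with an `int i`, a signed/unsigned comparison; make `i` a size_t.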
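Review bot: op_add_dma_pattern() keeps `data + sizeof(a)` in the pattern, i.e. a pointer into the fuzzer's input buffer rather than a copy, so every stored pattern is only valid while the current input is executing. That holds today because general_fuzz() calls op_clear_dma_patterns() before processing each input, but nothing in the struct says so; add a comment on the `data` field (or g_memdup() the bytes and free them in op_clear_dma_patterns()) so a later reorder does not turn this into a use-after-free. Also drop the bare `return;` at the end of this void function.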
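Review bot: the new usage line says "Try to avoid racy DMA double fetch bugs? %d by default", but general_pre_fuzz() turns the option on whenever QEMU_AVOID_DOUBLE_FETCH is present in the environment regardless of its value, so QEMU_AVOID_DOUBLE_FETCH=0 enables it too; either word the help as a presence flag ("set to enable; off by default") or parse the value the way QEMU_FUZZ_TIMEOUT is parsed. While there, `avoid_double_fetches = 1` assigns an int to a bool; use `true`.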
@@ -522,9 +693,16 @@ static void general_pre_fuzz(QTestState *s) if (!getenv("QEMU_FUZZ_OBJECTS")) { usage(); } + if (getenv("QEMU_AVOID_DOUBLE_FETCH")) { + avoid_double_fetches = 1; + } if (getenv("QEMU_FUZZ_TIMEOUT")) { timeout = g_ascii_strtoll(getenv("QEMU_FUZZ_TIMEOUT"), NULL, 0); } + qts_global = s; + + dma_regions = g_array_new(false, false, sizeof(address_range)); + dma_patterns = g_array_new(false, false, sizeof(pattern)); fuzzable_memoryregions = g_ptr_array_new(); fuzzable_pci_devices = g_ptr_array_new();

From patchwork Wed Aug 19 06:11:00 2020
X-Patchwork-Submitter: Alexander Bulekov
X-Patchwork-Id: 276081
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v2 05/15] fuzz: Declare DMA Read callback function
Date: Wed, 19 Aug 2020 02:11:00 -0400
Message-Id: <20200819061110.1320568-6-alxndr@bu.edu>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200819061110.1320568-1-alxndr@bu.edu>
References: <20200819061110.1320568-1-alxndr@bu.edu>
Cc: Alexander Bulekov, f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, Paolo Bonzini

This patch declares the fuzz_dma_read_cb function and uses the preprocessor and linker (weak symbols) to handle these cases:

When we build softmmu/all with --enable-fuzzing, there should be no strong symbol defined for fuzz_dma_read_cb, and we link against a weak stub function.

When we build softmmu/fuzz with --enable-fuzzing, we link against the strong symbol in general_fuzz.c.

When we build softmmu/all without --enable-fuzzing, fuzz_dma_read_cb is an empty, inlined function. As long as we don't call any other functions when building the arguments, there should be no overhead.

Signed-off-by: Alexander Bulekov
---
include/exec/memory.h | 15 +++++++++++++++ softmmu/memory.c | 13 +++++++++++++ 2 files changed, 28 insertions(+) diff --git a/include/exec/memory.h b/include/exec/memory.h index 307e527835..2ec3b597f1 100644 --- a/include/exec/memory.h +++ b/include/exec/memory.h @@ -47,6 +47,21 @@ OBJECT_GET_CLASS(IOMMUMemoryRegionClass, (obj), \ TYPE_IOMMU_MEMORY_REGION) +#ifdef CONFIG_FUZZ +void fuzz_dma_read_cb(size_t addr, + size_t len, + MemoryRegion *mr, + bool is_write); +#else +static inline void fuzz_dma_read_cb(size_t addr, + size_t len, + MemoryRegion *mr, + bool is_write) +{ + /* Do Nothing */ +} +#endif + extern bool global_dirty_log; typedef struct MemoryRegionOps MemoryRegionOps; diff --git a/softmmu/memory.c b/softmmu/memory.c index af25987518..b0c2cf2535 100644 --- a/softmmu/memory.c +++ b/softmmu/memory.c 
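Review bot: the declaration takes the guest address and length as `size_t`, which is 32 bits on 32-bit hosts while guest physical addresses in QEMU are `hwaddr` (64-bit), so a DMA read above 4 GiB would be truncated before the callback sees it; `void fuzz_dma_read_cb(hwaddr addr, hwaddr len, MemoryRegion *mr, bool is_write)` is the type the callers will have in hand, and changing it here also means changing the weak stub and the definition in general_fuzz.c. The new symbol is also undocumented in memory.h: a comment saying who calls it (address-space accesses made on behalf of a device), what `is_write` means for the caller, and that it compiles to nothing without CONFIG_FUZZ would help. Lastly, the four-line signature is now spelled out twice in this header and a third time in softmmu/memory.c; worth keeping the copies adjacent or behind one macro so they cannot drift.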
@@ -3223,6 +3223,19 @@ void memory_region_init_rom_device(MemoryRegion *mr, vmstate_register_ram(mr, owner_dev); } +/* + * Support softmmu builds with CONFIG_FUZZ using a weak symbol and a stub for + * the fuzz_dma_read_cb callback + */ +#ifdef CONFIG_FUZZ +void __attribute__((weak)) fuzz_dma_read_cb(size_t addr, + size_t len, + MemoryRegion *mr, + bool is_write) +{ +} +#endif + static const TypeInfo memory_region_info = { .parent = TYPE_OBJECT, .name = TYPE_MEMORY_REGION,

From patchwork Wed Aug 19 06:11:02 2020
X-Patchwork-Submitter: Alexander Bulekov
X-Patchwork-Id: 276079
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v2 07/15] fuzz: Add support for custom crossover functions
Date: Wed, 19 Aug 2020 02:11:02 -0400
Message-Id: <20200819061110.1320568-8-alxndr@bu.edu>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200819061110.1320568-1-alxndr@bu.edu>
References: <20200819061110.1320568-1-alxndr@bu.edu>
X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Laurent Vivier , Thomas Huth , Alexander Bulekov , f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, Paolo Bonzini Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" libfuzzer supports a "custom crossover function". Libfuzzer often tries to blend two inputs to create a new interesting input. Sometimes, we have a better idea about how to blend inputs together. This change allows fuzzers to specify a custom function for blending two inputs together. Signed-off-by: Alexander Bulekov Reviewed-by: Darren Kenny --- tests/qtest/fuzz/fuzz.c | 13 +++++++++++++ tests/qtest/fuzz/fuzz.h | 26 ++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/tests/qtest/fuzz/fuzz.c b/tests/qtest/fuzz/fuzz.c index 8234b68754..248fab5f37 100644 --- a/tests/qtest/fuzz/fuzz.c +++ b/tests/qtest/fuzz/fuzz.c @@ -118,6 +118,19 @@ static FuzzTarget *fuzz_get_target(char* name) } +/* Sometimes called by libfuzzer to mutate two inputs into one */ +size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1, + const uint8_t *data2, size_t size2, + uint8_t *out, size_t max_out_size, + unsigned int seed) +{ + if(fuzz_target->crossover) { + return fuzz_target->crossover(data1, size1, data2, size2, out, + max_out_size, seed); + } + return 0; +} + /* Executed for each fuzzing-input */ int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size) { 
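Review bot: the wrapper forwards `max_out_size` to the target's callback unchanged and returns whatever the callback returns, so each target's crossover is the only thing standing between libFuzzer's `out` buffer and an overflow; the comment above `LLVMFuzzerCustomCrossOver` should state that the callback must never write more than `max_out_size` bytes to `out` and must return exactly the number of bytes it wrote. Two smaller points on the same hunk: `if(fuzz_target->crossover)` needs a space after `if` to pass QEMU's checkpatch, and the `return 0;` fallback deserves a one-line comment saying that 0 tells libFuzzer no crossover output was produced for this attempt, so the behaviour for targets that leave `crossover` NULL is explicit.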
diff --git a/tests/qtest/fuzz/fuzz.h b/tests/qtest/fuzz/fuzz.h index 9ca3d107c5..d36642b5ec 100644 --- a/tests/qtest/fuzz/fuzz.h +++ b/tests/qtest/fuzz/fuzz.h @@ -77,6 +77,28 @@ typedef struct FuzzTarget { */ void(*fuzz)(QTestState *, const unsigned char *, size_t); + /* + * The fuzzer can specify a "Custom Crossover" function for combining two + * inputs from the corpus. This function is sometimes called by libfuzzer + * when mutating inputs. + * + * data1: location of first input + * size1: length of first input + * data1: location of second input + * size1: length of second input + * out: where to place the resulting, mutated input + * max_out_size: the maximum length of the input that can be placed in out + * seed: the seed that should be used to make mutations deterministic, when needed + * + * See libfuzzer's LLVMFuzzerCustomCrossOver API for more info. + * + * Can be NULL + */ + size_t(*crossover)(const uint8_t *data1, size_t size1, + const uint8_t *data2, size_t size2, + uint8_t *out, size_t max_out_size, + unsigned int seed); + } FuzzTarget; void flush_events(QTestState *); 
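Review bot: the parameter list in the new comment documents `data1`/`size1` twice; the second pair, described as the location and length of the second input, should read `data2: location of second input` and `size2: length of second input` to match the prototype a few lines below. It would also help target authors if the `Can be NULL` line said what happens in that case (the fuzz.c hunk returns 0 from `LLVMFuzzerCustomCrossOver` when the pointer is NULL), so a missing callback is understood to be harmless rather than an error.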
@@ -91,6 +113,10 @@ void fuzz_qtest_set_serialize(bool option); */ void fuzz_add_target(const FuzzTarget *target); +size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1, + const uint8_t *data2, size_t size2, + uint8_t *out, size_t max_out_size, + unsigned int seed); int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size); int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp); From patchwork Wed Aug 19 06:11:03 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Bulekov X-Patchwork-Id: 276083 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, HK_RANDOM_FROM, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BCF52C433E1 for ; Wed, 19 Aug 2020 06:12:50 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 8A8E72063A for ; Wed, 19 Aug 2020 06:12:50 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=bushare.onmicrosoft.com header.i=@bushare.onmicrosoft.com header.b="yATVM20c" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8A8E72063A Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=bu.edu Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:36208 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 
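The crossover contract this patch wires through (write at most `max_out_size` bytes into `out`, return the number of bytes written, use `seed` for determinism), as an added example that is not part of the series or of QEMU: two callbacks with the exact signature of the new `crossover` field, one that appends the second input to the first and one that splices a seed-chosen prefix of the first input onto a seed-chosen suffix of the second. The names `example_crossover_concat`, `example_crossover_splice`, `example_crossover_selftest`, `example_scratch` and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not QEMU code. Both callbacks honour the contract the
 * fuzz.c wrapper passes straight through to libFuzzer: never write more
 * than max_out_size bytes to out, and return the number of bytes actually
 * written (0 means "no crossover produced").
 */

static size_t min_size(size_t a, size_t b)
{
    return a < b ? a : b;
}

/* Append data2 to data1, truncating at max_out_size. seed is unused. */
size_t example_crossover_concat(const uint8_t *data1, size_t size1,
                                const uint8_t *data2, size_t size2,
                                uint8_t *out, size_t max_out_size,
                                unsigned int seed)
{
    (void)seed;
    size_t n1 = min_size(size1, max_out_size);
    memcpy(out, data1, n1);
    size_t n2 = min_size(size2, max_out_size - n1);
    memcpy(out + n1, data2, n2);
    return n1 + n2;
}

/*
 * Splice: a seed-chosen prefix of data1 followed by a seed-chosen suffix of
 * data2. Deriving both cut points from seed keeps the result reproducible
 * for a given (inputs, seed) pair, which is what the seed parameter is for.
 */
size_t example_crossover_splice(const uint8_t *data1, size_t size1,
                                const uint8_t *data2, size_t size2,
                                uint8_t *out, size_t max_out_size,
                                unsigned int seed)
{
    size_t cut1 = seed % (size1 + 1);                 /* prefix length   */
    size_t cut2 = (seed / (size1 + 1)) % (size2 + 1); /* suffix start    */
    size_t n1 = min_size(cut1, max_out_size);
    memcpy(out, data1, n1);
    size_t n2 = min_size(size2 - cut2, max_out_size - n1);
    memcpy(out + n1, data2 + cut2, n2);
    return n1 + n2;
}

/* Scratch output buffer shared by the self-test (constructed, 64 bytes). */
static uint8_t example_scratch[64];

/* Runs constructed scenarios; returns 0 on success, else the failing step. */
int example_crossover_selftest(void)
{
    const uint8_t a[] = "ABCDEF";   /* constructed sample inputs */
    const uint8_t b[] = "uvwxyz";
    size_t n;

    n = example_crossover_concat(a, 6, b, 6, example_scratch,
                                 sizeof(example_scratch), 0);
    if (n != 12 || memcmp(example_scratch, "ABCDEFuvwxyz", 12) != 0) {
        return 1;
    }
    /* Only 8 bytes of room: data2 is cut short, out is never overrun. */
    n = example_crossover_concat(a, 6, b, 6, example_scratch, 8, 0);
    if (n != 8 || memcmp(example_scratch, "ABCDEFuv", 8) != 0) {
        return 2;
    }
    /* No room at all: report that nothing was produced. */
    if (example_crossover_concat(a, 6, b, 6, example_scratch, 0, 0) != 0) {
        return 3;
    }
    /* seed 10: cut1 = 10 % 7 = 3 ("ABC"), cut2 = (10 / 7) % 7 = 1 ("vwxyz"). */
    n = example_crossover_splice(a, 6, b, 6, example_scratch,
                                 sizeof(example_scratch), 10);
    if (n != 8 || memcmp(example_scratch, "ABCvwxyz", 8) != 0) {
        return 4;
    }
    /* Same seed, 5-byte limit: prefix kept, suffix truncated to "vw". */
    n = example_crossover_splice(a, 6, b, 6, example_scratch, 5, 10);
    if (n != 5 || memcmp(example_scratch, "ABCvw", 5) != 0) {
        return 5;
    }
    return 0;
}

int main(void)
{
    int rc = example_crossover_selftest();
    printf("crossover self-test: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc;
}
```

A target would point `FuzzTarget.crossover` at one of these; the truncation cases are the ones worth keeping in mind, because libFuzzer's `max_out_size` is frequently smaller than `size1 + size2` and the callback, not the wrapper, is what has to respect it.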
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v2 08/15] fuzz: add a DISABLE_PCI op to general-fuzzer
Date: Wed, 19 Aug 2020 02:11:03 -0400
Message-Id: <20200819061110.1320568-9-alxndr@bu.edu>
In-Reply-To: <20200819061110.1320568-1-alxndr@bu.edu>
References: <20200819061110.1320568-1-alxndr@bu.edu>
Cc: Laurent Vivier , Thomas Huth , Alexander Bulekov , f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, Paolo Bonzini
Errors-To:
qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" This new operation is used in the next commit, which concatenates two fuzzer-generated inputs. With this operation, we can prevent the second input from clobbering the PCI configuration performed by the first. Signed-off-by: Alexander Bulekov --- tests/qtest/fuzz/general_fuzz.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/tests/qtest/fuzz/general_fuzz.c b/tests/qtest/fuzz/general_fuzz.c index 36d41acea0..26fcd69e45 100644 --- a/tests/qtest/fuzz/general_fuzz.c +++ b/tests/qtest/fuzz/general_fuzz.c @@ -40,6 +40,7 @@ enum cmds{ OP_WRITE, OP_PCI_READ, OP_PCI_WRITE, + OP_DISABLE_PCI, OP_ADD_DMA_PATTERN, OP_CLEAR_DMA_PATTERNS, OP_CLOCK_STEP, @@ -93,6 +94,7 @@ static GArray *dma_regions; static GArray *dma_patterns; static int dma_pattern_index; +static bool pci_disabled = false; void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write); @@ -433,7 +435,7 @@ static void op_pci_read(QTestState *s, const unsigned char * data, size_t len) uint8_t base; uint8_t offset; } a; - if (len < sizeof(a) || fuzzable_pci_devices->len == 0) { + if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) { return; } memcpy(&a, data, sizeof(a)); @@ -463,7 +465,7 @@ static void op_pci_write(QTestState *s, const unsigned char * data, size_t len) uint8_t offset; uint32_t value; } a; - if (len < sizeof(a) || fuzzable_pci_devices->len == 0) { + if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) { return; } memcpy(&a, data, sizeof(a)); @@ -518,6 +520,11 @@ static void op_clock_step(QTestState *s, const unsigned char *data, size_t len) qtest_clock_step_next(s); } +static void op_disable_pci(QTestState *s, const unsigned char *data, size_t len) +{ + pci_disabled = true; +} + static void handle_timeout(int sig) { if (getenv("QTEST_LOG")) { 
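Review bot: `OP_DISABLE_PCI` is inserted in the middle of `enum cmds`, ahead of `OP_ADD_DMA_PATTERN`, `OP_CLEAR_DMA_PATTERNS` and `OP_CLOCK_STEP`, which renumbers those three ops; any existing general-fuzzer corpus entries or crash reproducers encode op numbers, so after this change they decode to different operations. Either append the new op at the end of the enum or state in the commit message that the input format changed and old inputs are no longer valid. The `|| pci_disabled` checks in `op_pci_read` and `op_pci_write` look right, and a one-way latch in `op_disable_pci` is fine given that `general_fuzz` clears it before each input; `static bool pci_disabled = false;` can drop the `= false`, since statics are zero-initialised and checkpatch tends to flag it.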
@@ -559,6 +566,7 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) [OP_WRITE] = op_write, [OP_PCI_READ] = op_pci_read, [OP_PCI_WRITE] = op_pci_write, + [OP_DISABLE_PCI] = op_disable_pci, [OP_ADD_DMA_PATTERN] = op_add_dma_pattern, [OP_CLEAR_DMA_PATTERNS] = op_clear_dma_patterns, [OP_CLOCK_STEP] = op_clock_step, 
@@ -591,6 +599,7 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size) } op_clear_dma_patterns(s, NULL, 0); + pci_disabled = false; while (cmd && Size) { /* Get the length until the next command or end of input */ From patchwork Wed Aug 19 06:11:07 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Bulekov X-Patchwork-Id: 276080 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.9 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, HK_RANDOM_FROM, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, UNWANTED_LANGUAGE_BODY,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D0678C433DF for ; Wed, 19 Aug 2020 06:14:23 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id A05DA2063A for ; Wed, 19 Aug 2020 06:14:23 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=bushare.onmicrosoft.com header.i=@bushare.onmicrosoft.com header.b="Fa1+gooT" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A05DA2063A Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=bu.edu Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:45012 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1k8HMc-0000bG-Rl for qemu-devel@archiver.kernel.org; Wed, 19 Aug 2020 02:14:22 -0400 Received: from eggs.gnu.org 
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v2 12/15] scripts/oss-fuzz: Add general-fuzzer configs for oss-fuzz
Date: Wed, 19 Aug 2020 02:11:07 -0400
Message-Id: <20200819061110.1320568-13-alxndr@bu.edu>
In-Reply-To: <20200819061110.1320568-1-alxndr@bu.edu>
References: <20200819061110.1320568-1-alxndr@bu.edu>
Cc: Thomas Huth , Alexander Bulekov , f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, Paolo Bonzini
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: "Qemu-devel"

Each of these entries is built into a wrapper binary that sets the needed environment variables and executes the general virtual-device fuzzer. In the future, we will need additional fields, such as arch=arm, timeout_per_testcase=0, reset=reboot, etc...

Signed-off-by: Alexander Bulekov
---
 scripts/oss-fuzz/general_fuzzer_configs.yml | 103 ++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 scripts/oss-fuzz/general_fuzzer_configs.yml diff --git a/scripts/oss-fuzz/general_fuzzer_configs.yml b/scripts/oss-fuzz/general_fuzzer_configs.yml new file mode 100644 index 0000000000..010e92a2a5 --- /dev/null +++ b/scripts/oss-fuzz/general_fuzzer_configs.yml
@@ -0,0 +1,103 @@ +configs: + - name: virtio-net-pci-slirp + args: > + -M q35 -nodefaults + -device virtio-net,netdev=net0 -netdev user,id=net0 + objects: virtio* + + - name: virtio-blk + args: > + -machine q35 -device virtio-blk,drive=disk0 + -drive file=null-co://,id=disk0,if=none,format=raw + objects: virtio* + + - name: virtio-scsi + args: > + -machine q35 -device virtio-scsi,num_queues=8 + -device scsi-hd,drive=disk0 + -drive file=null-co://,id=disk0,if=none,format=raw + objects: scsi* virtio* + + - name: virtio-gpu + args: -machine q35 -nodefaults -device virtio-gpu + objects: virtio* + + - name: virtio-vga + args: -machine q35 -nodefaults -device virtio-vga + objects: virtio* + + - name: virtio-rng + args: -machine q35 -nodefaults -device virtio-rng + objects: virtio* + + - name: virtio-balloon + args: -machine q35 -nodefaults -device virtio-balloon + objects: virtio* + + - name: virtio-serial + args: -machine q35 -nodefaults -device virtio-serial + objects: virtio* + + - name: virtio-mouse + args: -machine q35 -nodefaults -device virtio-mouse + objects: virtio* + + - name: e1000 + args: > + -M q35 -nodefaults + -device e1000,netdev=net0 -netdev user,id=net0 + objects: e1000 + + - name: e1000e + args: > + -M q35 -nodefaults + -device e1000e,netdev=net0 -netdev user,id=net0 + objects: e1000e + + - name: cirrus-vga + args: -machine q35 -nodefaults -device cirrus-vga + objects: cirrus* + + - name: bochs-display + args: -machine q35 -nodefaults -device bochs-display + objects: bochs* + + - name: intel-hda + args: > + -machine q35 -nodefaults -device intel-hda,id=hda0 + -device hda-output,bus=hda0.0 -device hda-micro,bus=hda0.0 + -device hda-duplex,bus=hda0.0 + objects: intel-hda + + - name: ide-hd + args: > + -machine q35 -nodefaults + -drive file=null-co://,if=none,format=raw,id=disk0 + -device ide-hd,drive=disk0 + objects: ahci* + + - name: floppy + args: > + -machine pc -nodefaults -device floppy,id=floppy0 + -drive 
id=disk0,file=null-co://,file.read-zeroes=on,if=none + -device floppy,drive=disk0,drive-type=288 + objects: fd* floppy* + + - name: xhci + args: > + -machine q35 -nodefaults + -drive file=null-co://,if=none,format=raw,id=disk0 + -device qemu-xhci,id=xhci -device usb-tablet,bus=xhci.0 -device usb-bot + -device usb-storage,drive=disk0 -chardev null,id=cd0 -chardev null,id=cd1 + -device usb-braille,chardev=cd0 -device usb-ccid -device usb-ccid + -device usb-kbd -device usb-mouse -device usb-serial,chardev=cd1 + -device usb-tablet -device usb-wacom-tablet -device usb-audio + objects: "*usb* *uhci* *xhci*" + + - name: pc-i440fx + args: -machine pc + objects: "*" + + - name: pc-q35 + args: -machine q35 + objects: "*" From patchwork Wed Aug 19 06:11:09 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Bulekov X-Patchwork-Id: 276077 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS, HK_RANDOM_FROM, INCLUDES_PATCH, MAILING_LIST_MULTI, MSGID_FROM_MTA_HEADER, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D0A60C433E1 for ; Wed, 19 Aug 2020 06:18:08 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 9A8B620738 for ; Wed, 19 Aug 2020 06:18:08 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=bushare.onmicrosoft.com header.i=@bushare.onmicrosoft.com header.b="qUa3wlSF" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 
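Review bot: the `null-co://` drives are inconsistent about `read-zeroes`: only the floppy entry sets `file.read-zeroes=on`, while virtio-blk, virtio-scsi, ide-hd and xhci use plain `file=null-co://`, where the null driver leaves the contents of a read buffer unspecified; the device under test then DMAs stale memory into the guest, which makes crashes depend on allocator state and hurts reproducibility, so add `file.read-zeroes=on` to every null-co drive. The `objects:` values are quoted only where they start with `*` (`"*usb* *uhci* *xhci*"`, `"*"`), which is required because a bare leading `*` is a YAML alias indicator; quoting the remaining patterns (`virtio*`, `scsi* virtio*`, `fd* floppy*`) as well would keep the file uniform and avoid a future entry tripping over the same rule. Minor: `-M q35` and `-machine q35` are mixed across entries.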
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v2 14/15] scripts/oss-fuzz: Add script to reorder a general-fuzzer trace
Date: Wed, 19 Aug 2020 02:11:09 -0400
Message-Id: <20200819061110.1320568-15-alxndr@bu.edu>
In-Reply-To: <20200819061110.1320568-1-alxndr@bu.edu>
References: <20200819061110.1320568-1-alxndr@bu.edu>
Cc: Thomas Huth, Alexander Bulekov, f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, Paolo Bonzini
The general-fuzzer uses hooks to fulfill DMA requests just-in-time. This means that if we try to use QTEST_LOG=1 to build a reproducer, the DMA writes will be logged _after_ the in/out/read/write that triggered the DMA read. To work around this, the general-fuzzer annotates these just-in-time DMA fulfillments with a tag that we can use to discern them.

This script simply iterates over a raw qtest trace (including log messages, errors, timestamps, etc.), filters it and re-orders it so that DMA fulfillments are placed directly _before_ the qtest command that will cause the DMA access.

Signed-off-by: Alexander Bulekov
---
 .../oss-fuzz/reorder_fuzzer_qtest_trace.py | 94 +++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100755 scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py

diff --git a/scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py b/scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py
new file mode 100755
index 0000000000..9fb7edb6ee
--- /dev/null
+++ b/scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py
@@ -0,0 +1,94 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +""" +Use this to convert qtest log info from a generic fuzzer input into a qtest +trace that you can feed into a standard qemu-system process. Example usage: + +QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \ + ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-fuzz +# .. Finds some crash +QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \ +QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \ + ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-fuzz + /path/to/crash 2> qtest_log_output +scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py qtest_log_output > qtest_trace +./i386-softmmu/qemu-fuzz-i386 -machine q35,accel=qtest \ + -qtest stdin < qtest_trace + +### Details ### + +Some fuzzer make use of hooks that allow us to populate some memory range, just +before a DMA read from that range. This means that the fuzzer can produce +activity that looks like: + [start] read from mmio addr + [end] read from mmio addr + [start] write to pio addr + [start] fill a DMA buffer just in time + [end] fill a DMA buffer just in time + [start] fill a DMA buffer just in time + [end] fill a DMA buffer just in time + [end] write to pio addr + [start] read from mmio addr + [end] read from mmio addr + +We annotate these "nested" DMA writes, so with QTEST_LOG=1 the QTest trace +might look something like: +[R +0.028431] readw 0x10000 +[R +0.028434] outl 0xc000 0xbeef # Triggers a DMA read from 0xbeef and 0xbf00 +[DMA][R +0.034639] write 0xbeef 0x2 0xAAAA +[DMA][R +0.034639] write 0xbf00 0x2 0xBBBB +[R +0.028431] readw 0xfc000 + +This script would reorder the above trace so it becomes: +readw 0x10000 +write 0xbeef 0x2 0xAAAA +write 0xbf00 0x2 0xBBBB +outl 0xc000 0xbeef +readw 0xfc000 + +I.e. by the time, 0xc000 tries to read from DMA, those DMA buffers have already +been set up, removing the need for the DMA hooks. 
We can simply provide this +reordered trace via -qtest stdio to reproduce the input + +Note: this won't work for traces where the device tries to read from the same +DMA region twice in between MMIO/PIO commands. E.g: + [R +0.028434] outl 0xc000 0xbeef + [DMA][R +0.034639] write 0xbeef 0x2 0xAAAA + [DMA][R +0.034639] write 0xbeef 0x2 0xBBBB +""" + +import sys + +__author__ = "Alexander Bulekov " +__copyright__ = "Copyright (C) 2020, Red Hat, Inc." +__license__ = "GPL version 2 or (at your option) any later version" + +__maintainer__ = "Alexander Bulekov" +__email__ = "alxndr@bu.edu" + + +def usage(): + sys.exit("Usage: {} /path/to/qtest_log_output".format((sys.argv[0]))) + + +def main(filename): + with open(filename, "r") as f: + trace = f.readlines() + + # Leave only lines that look like logged qtest commands + trace[:] = [x.strip() for x in trace if "[R +" in x + or "[S +" in x and "CLOSED" not in x] + + for i in range(len(trace)): + if i+1 < len(trace): + if "[DMA]" in trace[i+1]: + trace[i], trace[i+1] = trace[i+1], trace[i] + for line in trace: + print(line.split("]")[-1].strip()) + + +if __name__ == '__main__': + if len(sys.argv) == 1: + usage() + main(sys.argv[1])
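Review bot: in the filter comprehension `"[R +" in x or "[S +" in x and "CLOSED" not in x`, `and` binds tighter than `or`, so the `"CLOSED" not in x` exclusion applies only to the `"[S +"` branch and every `"[R +"` line is kept unconditionally; if CLOSED lines of either kind should be dropped, parenthesise it as `("[R +" in x or "[S +" in x) and "CLOSED" not in x`. The swap loop is correct for the documented case (each swap moves the triggering command one slot past the next `[DMA]` line, so a whole run of fills ends up ahead of it), but the `if i+1 < len(trace)` guard can be folded into `range(len(trace) - 1)`. Also, since `[S +` response lines survive the filter, whatever follows their last `]` is printed into the output as if it were a command; worth confirming that is intended before that output is fed to `-qtest stdin`.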
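An added example of the reordering described in the commit message, written against the log format shown in the script's docstring; it is not part of the patch or of QEMU's scripts. It keeps only `[R +` request lines, moves each `[DMA]`-tagged fill directly ahead of the command that triggered it, and reports (rather than silently reorders) the documented failure case where the same DMA region is filled twice between two commands. The sample log is constructed and the helper names are my own.

```python
import re
import sys

# Matches a logged qtest request, optionally carrying the general-fuzzer's
# [DMA] tag for a just-in-time DMA fill (format as in the script docstring).
REQUEST_RE = re.compile(r"^(\[DMA\])?\[R \+[0-9.]+\] (.+)$")

# Constructed sample log: two triggering outl commands, the second of which
# fills 0xbf10 twice, plus a stray sanitizer line such as a real QTEST_LOG=1
# capture would contain.
SAMPLE_LOG = """\
[R +0.028431] readw 0x10000
[R +0.028434] outl 0xc000 0xbeef
[DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
[DMA][R +0.034639] write 0xbf00 0x2 0xBBBB
[R +0.028431] readw 0xfc000
[R +0.028500] outl 0xc000 0xbf10
[DMA][R +0.034700] write 0xbf10 0x2 0xCCCC
[DMA][R +0.034701] write 0xbf10 0x2 0xDDDD
==4242==ERROR: AddressSanitizer: heap-buffer-overflow (constructed)
"""


def parse_requests(log_text):
    """Yield (is_dma_fill, command) for every logged request, dropping
    responses, errors and any other stderr noise."""
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line.strip())
        if m:
            yield (m.group(1) is not None, m.group(2).strip())


def dma_target(command):
    """Address written by a DMA fill, or None for a non-write command."""
    words = command.split()
    if len(words) >= 3 and words[0] == "write":
        return int(words[1], 16)
    return None


def reorder(requests):
    """Place each run of DMA fills directly before the command that
    triggered them.  Returns (commands, warnings)."""
    commands, warnings = [], []
    trigger = None   # index in `commands` of the most recent real command
    filled = set()   # DMA addresses filled since that command
    for is_dma, cmd in requests:
        if not is_dma:
            commands.append(cmd)
            trigger, filled = len(commands) - 1, set()
            continue
        if trigger is None:  # fill with no preceding command: keep in place
            commands.append(cmd)
            continue
        addr = dma_target(cmd)
        if addr is not None:
            if addr in filled:
                # The second fill overwrites the first before the device
                # reads it; a plain replay cannot reproduce this (hooks needed).
                warnings.append("region 0x%x filled twice between commands: %s"
                                % (addr, cmd))
            filled.add(addr)
        commands.insert(trigger, cmd)
        trigger += 1
    return commands, warnings


def reorder_log(log_text):
    return reorder(parse_requests(log_text))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    cmds, warns = reorder_log(text)
    print("\n".join(cmds))
    for w in warns:
        print("warning: " + w, file=sys.stderr)
```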
From patchwork Wed Aug 19 06:11:10 2020 (X-Patchwork-Id: 276078)
From: Alexander Bulekov
To: qemu-devel@nongnu.org
Subject: [PATCH v2 15/15] scripts/oss-fuzz: Add crash trace minimization script
Date: Wed, 19 Aug 2020 02:11:10 -0400
Message-Id: <20200819061110.1320568-16-alxndr@bu.edu>
In-Reply-To: <20200819061110.1320568-1-alxndr@bu.edu>
References: <20200819061110.1320568-1-alxndr@bu.edu>
Cc: Thomas Huth, Alexander Bulekov, f4bug@amsat.org, darren.kenny@oracle.com, bsd@redhat.com, stefanha@redhat.com, Paolo Bonzini
Once we find a crash, we can convert it into a QTest trace. Usually this trace will contain many operations that are unneeded to reproduce the crash. This script tries to minimize the crashing trace by removing operations and trimming QTest bufwrite(write addr len data...) commands.

Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
---
 scripts/oss-fuzz/minimize_qtest_trace.py | 118 +++++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100755 scripts/oss-fuzz/minimize_qtest_trace.py

diff --git a/scripts/oss-fuzz/minimize_qtest_trace.py b/scripts/oss-fuzz/minimize_qtest_trace.py
new file mode 100755
index 0000000000..2f1f4f368e
--- /dev/null
+++ b/scripts/oss-fuzz/minimize_qtest_trace.py
@@ -0,0 +1,118 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +""" +This takes a crashing qtest trace and tries to remove superflous operations +""" + +import sys +import os +import subprocess +import time + +QEMU_ARGS = None +QEMU_PATH = None +TIMEOUT = 5 +CRASH_TOKEN = None + + +def usage(): + sys.exit("""\ +Usage: QEMU_PATH="/path/to/qemu" QEMU_ARGS="args" {} input_trace output_trace +By default, will try to use the second-to-last line in the output to identify +whether the crash occred. Optionally, manually set a string that idenitifes the +crash by setting CRASH_TOKEN= +""".format((sys.argv[0]))) + + +def check_if_trace_crashes(trace, path): + global CRASH_TOKEN + with open(path, "w") as tracefile: + tracefile.write("".join(trace)) + rc = subprocess.Popen("timeout -s 9 {}s {} {} 2>&1 < {}".format(TIMEOUT, + QEMU_PATH, QEMU_ARGS, path), + shell=True, stdin=subprocess.PIPE, + stdout=subprocess.PIPE) + stdo = rc.communicate()[0] + output = stdo.decode('unicode_escape') + if rc.returncode == 137: # Timed Out + return False + if len(output.splitlines()) < 2: + return False + + if CRASH_TOKEN is None: + CRASH_TOKEN = output.splitlines()[-2] + + return CRASH_TOKEN in output + + +def minimize_trace(inpath, outpath): + global TIMEOUT + with open(inpath) as f: + trace = f.readlines() + start = time.time() + if not check_if_trace_crashes(trace, outpath): + sys.exit("The input qtest trace didn't cause a crash...") + end = time.time() + print("Crashed in {} seconds".format(end-start)) + TIMEOUT = (end-start)*5 + print("Setting the timeout for {} seconds".format(TIMEOUT)) + print("Identifying Crashes by this string: {}".format(CRASH_TOKEN)) + + i = 0 + newtrace = trace[:] + while i < len(newtrace): + prior = newtrace[i] + print("Trying to remove {}".format(newtrace[i])) + # Try to remove the line completely + newtrace[i] = "" + if check_if_trace_crashes(newtrace, outpath): + i += 1 + continue + newtrace[i] = prior + # Try to split up writes into multiple commands, 
each of which can be + # removed. + if newtrace[i].startswith("write "): + addr = int(newtrace[i].split()[1], 16) + length = int(newtrace[i].split()[2], 16) + data = newtrace[i].split()[3][2:] + if length > 1: + leftlength = int(length/2) + rightlength = length - leftlength + newtrace.insert(i+1, "") + while leftlength > 0: + newtrace[i] = "write {} {} 0x{}\n".format( + hex(addr), + hex(leftlength), + data[:leftlength*2]) + newtrace[i+1] = "write {} {} 0x{}\n".format( + hex(addr+leftlength), + hex(rightlength), + data[leftlength*2:]) + if check_if_trace_crashes(newtrace, outpath): + break + else: + leftlength -= 1 + rightlength += 1 + if check_if_trace_crashes(newtrace, outpath): + i -= 1 + else: + newtrace[i] = prior + del newtrace[i+1] + i += 1 + check_if_trace_crashes(newtrace, outpath) + + +if __name__ == '__main__': + if len(sys.argv) < 3: + usage() + + QEMU_PATH = os.getenv("QEMU_PATH") + QEMU_ARGS = os.getenv("QEMU_ARGS") + if QEMU_PATH is None or QEMU_ARGS is None: + usage() + if "accel" not in QEMU_ARGS: + QEMU_ARGS += " -accel qtest" + CRASH_TOKEN = os.getenv("CRASH_TOKEN") + QEMU_ARGS += " -qtest stdio -monitor none -serial none " + minimize_trace(sys.argv[1], sys.argv[2])
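Review bot: `check_if_trace_crashes` builds the command with `shell=True` by string-formatting `QEMU_PATH`, `QEMU_ARGS` and `path` into one line, so a path containing spaces or shell metacharacters breaks the invocation or runs something else; passing an argv list to `subprocess.run([...], stdin=open(path), stdout=subprocess.PIPE, stderr=subprocess.STDOUT, timeout=TIMEOUT)` and catching `subprocess.TimeoutExpired` removes both the quoting problem and the dependency on the external `timeout` binary (the `returncode == 137` check then goes away too, and the unused `stdin=subprocess.PIPE` with it). `stdo.decode('unicode_escape')` raises `UnicodeDecodeError` on a stray backslash in QEMU's output (a truncated escape sequence); `decode('utf-8', errors='replace')` is safer. In the write-splitting branch, when the `while leftlength > 0` loop exits without a `break`, the trailing `if check_if_trace_crashes(newtrace, outpath)` re-runs the last split that has just been shown not to crash; recording whether the loop broke avoids one QEMU run per non-splittable write. Minor: `int(length/2)` reads better as `length // 2`, and the docstring and usage text have typos (`superflous`, `occred`, `idenitifes`).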