Changes since v1
 * Split off changes to qos virtio-net and qtest server to other patches
 * Move vl:main initialization into new func: qemu_init
 * Moved useful functions from qos-test.c to a separate object
 * Use struct of function pointers for add_fuzz_target(), instead of arguments
 * Move ramfile to migration/qemu-file
 * Rewrite fork-based fuzzer pending patch to libfuzzer
 * Pass check-patch
Based-on: 20190805032400.8054-1-alx...@bu.edu
Based-on: 20190805031240.6024-1-alx...@bu.edu
---
As part of Google Summer of Code 2019, I'm working on integrating fuzzing of virtual devices into QEMU [1]. This is a highly WIP patchset adding this functionality.

Fuzzers provide random data to a program and monitor its execution for errors. Coverage-guided fuzzers also observe the parts of the program that are exercised by each input, and use this information to mutate/guide the inputs to reach additional parts of the program. They are quite effective for finding bugs in a wide range of software.

Summary:
 - The virtual-device fuzzers use libfuzzer [2] for coverage-guided in-process fuzzing.
 - To fuzz a device, create a new fuzz "target" - i.e. a function that exercises QEMU based on inputs provided by the fuzzer.
 - Fuzz targets rely on qtest and libqos to turn inputs into actions.
 - Since libfuzzer does in-process fuzzing, the QEMU state needs to be reset after each fuzz run. These patches provide three methods for resetting state.
 - There are currently few targets, but they have already helped discover bugs in the console and virtio-net, and have reproduced previously-reported vulnerabilities.
Alexander Oleinik (17):
  fuzz: Move initialization from main to qemu_init
  fuzz: Add fuzzer configure options
  fuzz: Keep memory mapped for fork-based fuzzer
  fuzz: Skip modules that were already initialized
  fuzz: Add direct receive function for qtest server
  fuzz: Add FUZZ_TARGET module type
  fuzz: Add ramfile qemu-file type
  fuzz: Export the qemu_savevm_live_state function
  fuzz: hardcode needed objects into i386 target
  fuzz: qtest client directly interacts with server
  fuzz: Move useful qos functions to separate object
  fuzz: Add fuzzer skeleton
  fuzz: Add libqos support to the fuzzer
  fuzz: Add forking support to the fuzzer
  fuzz: Add general qtest fuzz-target
  fuzz: Add virtio-net fuzz targets
  fuzz: Add fuzz accelerator type

 accel/fuzz.c                 |  48 +++++++
 configure                    |  15 ++
 exec.c                       |   2 +
 include/qemu/module.h        |   4 +-
 include/sysemu/fuzz.h        |  15 ++
 include/sysemu/qtest.h       |   4 +
 include/sysemu/sysemu.h      |   5 +
 migration/qemu-file.c        |  84 +++++++++++
 migration/qemu-file.h        |  11 ++
 migration/savevm.c           |   9 +-
 migration/savevm.h           |   2 +
 qtest.c                      |  14 ++
 target/i386/Makefile.objs    |  20 +++
 tests/fuzz/fuzz.c            | 245 +++++++++++++++++++++++++++++++++
 tests/fuzz/fuzz.h            |  70 ++++++++++
 tests/fuzz/fuzzer_hooks.c    |  62 +++++++++
 tests/fuzz/fuzzer_hooks.h    |  21 +++
 tests/fuzz/qos_fuzz.c        |  58 ++++++++
 tests/fuzz/qos_fuzz.h        |  23 ++++
 tests/fuzz/qos_helpers.c     | 190 +++++++++++++++++++++++++
 tests/fuzz/qos_helpers.h     |  17 +++
 tests/fuzz/qtest_fuzz.c      | 260 +++++++++++++++++++++++++++++++++++
 tests/fuzz/qtest_fuzz.h      |  37 +++++
 tests/fuzz/virtio-net-fuzz.c | 254 ++++++++++++++++++++++++++++++++++
 tests/libqos/qos_external.c  | 149 ++++++++++++++++++++
 tests/libqos/qos_external.h  |   8 ++
 tests/libqtest.c             |  61 +++++++-
 tests/libqtest.h             |   6 +
 tests/qos-test.c             | 132 +----------------
 util/module.c                |   7 +
 vl.c                         |  25 +++-
 31 files changed, 1720 insertions(+), 138 deletions(-)
 create mode 100644 accel/fuzz.c
 create mode 100644 include/sysemu/fuzz.h
 create mode 100644 tests/fuzz/fuzz.c
 create mode 100644 tests/fuzz/fuzz.h
 create mode 100644 tests/fuzz/fuzzer_hooks.c
 create mode 100644 tests/fuzz/fuzzer_hooks.h
 create mode 100644 tests/fuzz/qos_fuzz.c
 create mode 100644 tests/fuzz/qos_fuzz.h
 create mode 100644 tests/fuzz/qos_helpers.c
 create mode 100644 tests/fuzz/qos_helpers.h
 create mode 100644 tests/fuzz/qtest_fuzz.c
 create mode 100644 tests/fuzz/qtest_fuzz.h
 create mode 100644 tests/fuzz/virtio-net-fuzz.c
 create mode 100644 tests/libqos/qos_external.c
 create mode 100644 tests/libqos/qos_external.h

-- 
2.20.1
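The summary above describes the shape of a libfuzzer device target: an entry point that receives fuzzer bytes, decodes them into device accesses (qtest/libqos in the series), and resets state before every run because fuzzing is in-process. The following is an added illustration of that pattern in miniature; it is not code from this patchset or from QEMU. The register-mapped device, its FIFO, the 3-byte command encoding and the sample input are all constructed for the example, and the per-run reset is a plain re-initialization of the toy device, the simplest analogue of the three reset methods the cover letter mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy register-mapped device, constructed for this example (not a QEMU
 * device): control register, read-only status register, and an 8-entry
 * FIFO behind a data register. */
#define FIFO_DEPTH   8
#define REG_CTRL     0x00
#define REG_STATUS   0x04
#define REG_DATA     0x08
#define CTRL_ENABLE  0x01
#define CTRL_FLUSH   0x02   /* one-shot: clears the FIFO, does not latch */
#define STATUS_FULL  0x01
#define STATUS_EMPTY 0x02

static struct {
    uint8_t  ctrl;
    uint8_t  fifo[FIFO_DEPTH];
    size_t   fifo_len;
    unsigned writes_dropped;   /* data writes while disabled or full */
} dev;

/* Power-on reset: the in-place analogue of the per-run state reset. */
void toy_reset(void) { memset(&dev, 0, sizeof dev); }
size_t   toy_fifo_len(void)       { return dev.fifo_len; }
unsigned toy_writes_dropped(void) { return dev.writes_dropped; }

void toy_write(uint8_t off, uint8_t val)
{
    if (off == REG_CTRL) {
        dev.ctrl = val & CTRL_ENABLE;
        if (val & CTRL_FLUSH) dev.fifo_len = 0;
    } else if (off == REG_DATA) {
        if (!(dev.ctrl & CTRL_ENABLE) || dev.fifo_len >= FIFO_DEPTH)
            dev.writes_dropped++;
        else
            dev.fifo[dev.fifo_len++] = val;
    }                              /* other offsets: unmapped, ignored */
}

uint8_t toy_read(uint8_t off)
{
    uint8_t v = 0xff;              /* unmapped or empty reads as 0xff */
    if (off == REG_CTRL) {
        v = dev.ctrl;
    } else if (off == REG_STATUS) {
        v = (dev.fifo_len == FIFO_DEPTH ? STATUS_FULL : 0) |
            (dev.fifo_len == 0 ? STATUS_EMPTY : 0);
    } else if (off == REG_DATA && dev.fifo_len > 0) {
        v = dev.fifo[0];
        memmove(dev.fifo, dev.fifo + 1, --dev.fifo_len);
    }
    return v;
}

/* Fuzz-target body: decode the input as 3-byte (opcode, offset, value)
 * commands and apply them, the way a qtest-driven target turns raw bytes
 * into register accesses. Opcode bit 0 selects write (0) or read (1); the
 * offset is masked to 0x00/0x04/0x08/0x0c so every byte is a legal access.
 * Returns the number of commands run; a trailing partial command is dropped. */
size_t run_commands(const uint8_t *data, size_t size)
{
    size_t n = 0;
    toy_reset();                   /* fresh device state for every input */
    for (size_t i = 0; i + 3 <= size; i += 3, n++) {
        uint8_t off = data[i + 1] & 0x0c;
        if (data[i] & 1)
            (void)toy_read(off);
        else
            toy_write(off, data[i + 2]);
        /* Invariant check: under libfuzzer, abort() or a sanitizer report
         * is what turns a bad device state into a saved crashing input. */
        if (dev.fifo_len > FIFO_DEPTH) abort();
    }
    return n;
}

/* Entry point libfuzzer calls once per generated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    run_commands(data, size);
    return 0;
}

#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
/* Stand-alone replay of one constructed input; libfuzzer builds
 * (-fsanitize=fuzzer) define the macro above and supply main() themselves. */
int main(void)
{
    const uint8_t sample[] = {
        0, REG_CTRL, CTRL_ENABLE,  /* enable */
        0, REG_DATA, 0x41,         /* push 'A' */
        0, REG_DATA, 0x42,         /* push 'B' */
        0, REG_DATA, 0x43,         /* push 'C' */
        1, REG_DATA, 0,            /* pop one byte */
    };
    size_t n = run_commands(sample, sizeof sample);
    printf("ran %zu commands; FIFO depth %zu, dropped writes %u\n",
           n, toy_fifo_len(), toy_writes_dropped());
    return 0;
}
#endif
```

Built with `clang -fsanitize=fuzzer,address`, libfuzzer drives `LLVMFuzzerTestOneInput` with mutated inputs and keeps any that reach new edges; built plainly, `main` replays one fixed input. The two things the cover letter calls out are visible here: the target is deterministic only because `run_commands` resets the device before decoding, and the fuzzer can only report what the target makes observable, so the invariant check (or a sanitizer) is what turns a bad state into a reproducer.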