check-patch
Alexander Bulekov (20):
softmmu: split off vl.c:main() into main.c
libqos: Rename i2c_send and i2c_recv
fuzz: Add FUZZ_TARGET module type
qtest: add qtest_server_send abstraction
libqtest: Add a layer of abstraction to send/recv
module: check module wasn't already initialized
+ *
+ * Copyright Red Hat Inc., 2019
+ *
+ * Authors:
+ * Alexander Bulekov
Bulekov instead of Oleinik?
Yes I changed my last name and the approval from the court finally came
through last week :)
I'll make sure it's consistent across v5.
+ *
+ * This work is licensed under the terms of the GNU
On 11/5/19 11:41 AM, Darren Kenny wrote:
On Wed, Oct 30, 2019 at 02:49:48PM +, Oleinik, Alexander wrote:
From: Alexander Oleinik
A program might rely on functions implemented in vl.c, but implement its
own main(). By placing main into a separate source file, there are no
complaints about
On 11/6/19 11:56 AM, Stefan Hajnoczi wrote:
On Wed, Oct 30, 2019 at 02:49:58PM +, Oleinik, Alexander wrote:
From: Alexander Oleinik
Signed-off-by: Alexander Oleinik
---
There's a particularly ugly line here:
qtest_client_set_tx_handler(qts,
(void (*)(QTestState *s, const char*,
On 191107 1221, Jason Wang wrote:
>
> On 2019/7/22 9:24 PM, Oleinik, Alexander wrote:
> > Virtual devices should not try to send zero-sized packets. The caller
> > should check the size prior to calling qemu_sendv_packet_async.
> >
> > Signed-off-by: Alexander Oleinik
> > ---
> > v2:
> >*
Signed-off-by: Alexander Bulekov
Reviewed-by: Eric Blake
---
tests/qtest/fuzz/fork_fuzz.ld | 16 ++--
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/tests/qtest/fuzz/fork_fuzz.ld b/tests/qtest/fuzz/fork_fuzz.ld
index b23a59f194..e086bba873 100644
--- a/tests/qtest
Signed-off-by: Alexander Bulekov
Reviewed-by: Eric Blake
---
qtest.c | 3 ++-
tests/qtest/fuzz/qos_fuzz.c | 5 -
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/qtest.c b/qtest.c
index 1af4e1b08d..5672b75c35 100644
--- a/qtest.c
+++ b/qtest.c
@@ -794,7
These patches fix some spelling and line-length violations introduced by
the device-fuzzing changes:
https://lists.gnu.org/archive/html/qemu-devel/2020-02/msg05965.html
v2: fixes comment style in the fork_fuzz.ld linker script
Alexander Bulekov (2):
fuzz: fix style/typos in linker-script
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/fork_fuzz.ld | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/qtest/fuzz/fork_fuzz.ld b/tests/qtest/fuzz/fork_fuzz.ld
index b23a59f194..b5aad06f20 100644
--- a/tests/qtest/fuzz/fork_fuzz.ld
+++ b/tests/qtest/fuzz
Signed-off-by: Alexander Bulekov
---
qtest.c | 3 ++-
tests/qtest/fuzz/qos_fuzz.c | 5 -
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/qtest.c b/qtest.c
index 1af4e1b08d..5672b75c35 100644
--- a/qtest.c
+++ b/qtest.c
@@ -794,7 +794,8 @@ void
These patches fix some spelling and line-length violations introduced by
the device-fuzzing changes:
https://lists.gnu.org/archive/html/qemu-devel/2020-02/msg05965.html
Alexander Bulekov (2):
fuzz: fix typos in linker-script comments
qtest: fix fuzzer-related 80-char limit violations
On 200226 2055, Eric Blake wrote:
> On 2/26/20 8:48 PM, Alexander Bulekov wrote:
> > Signed-off-by: Alexander Bulekov
> > ---
> > tests/qtest/fuzz/fork_fuzz.ld | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/tests/qte
On 200224 1135, Stefan Hajnoczi wrote:
> On Sat, Feb 22, 2020 at 05:34:29AM -0600, Eric Blake wrote:
> > On 2/22/20 2:50 AM, Stefan Hajnoczi wrote:
> > > From: Alexander Bulekov
> > >
> > > fork() is a simple way to ensure that state does not leak in betwe
e using qtest and qos for fuzzing, as well as using
> > rebooting and forking to reset state, or not resetting it at all.
> >
> > Signed-off-by: Alexander Bulekov
> > Reviewed-by: Stefan Hajnoczi
>
> Reviewed-by: Darren Kenny
>
> A couple of nit below w.r.
On 200205 1357, Darren Kenny wrote:
> On Wed, Jan 29, 2020 at 05:34:27AM +, Bulekov, Alexander wrote:
> > The virtio-net fuzz target feeds inputs to all three virtio-net
> > virtqueues, and uses forking to avoid leaking state between fuzz runs.
> >
> > Signe
lization, main loop and cleanup.
> >
> > Signed-off-by: Alexander Bulekov
> > ---
>
> > main.c | 53 +
>
> > --- a/Makefile.objs
> > +++ b/Makefile.objs
> > @@ -84,6 +84,8 @@ common-obj-$(CONFIG_F
On 200130 1824, Paolo Bonzini wrote:
> On 30/01/20 15:42, Stefan Hajnoczi wrote:
> >> +
> >> +/*
> >> + * If QTest is enabled, keep the rcu_atfork enabled, since system
> >> processes
> >> + * may be forked testing purposes (e.g. fork-server based fuzzing)
> >> + */
> >> +if
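Review bot: the new comment block is missing a word: "+ * may be forked testing purposes (e.g. fork-server based fuzzing)" should read "may be forked for testing purposes (e.g. fork-server based fuzzing)", otherwise the sentence does not parse for the next reader of vl.c.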
On 200205 1318, Darren Kenny wrote:
> On Wed, Jan 29, 2020 at 05:34:24AM +, Bulekov, Alexander wrote:
> > Signed-off-by: Alexander Bulekov
> > Reviewed-by: Stefan Hajnoczi
> > ---
> >
> > +return allocate_objects(qts, current_path + 1, p_alloc);
>
Signed-off-by: Alexander Bulekov
---
Makefile.objs | 2 --
Makefile.target | 1 +
softmmu/Makefile.objs | 2 ++
vl.c => softmmu/vl.c | 0
4 files changed, 3 insertions(+), 2 deletions(-)
create mode 100644 softmmu/Makefile.objs
rename vl.c => softmmu/vl.c (100%)
diff
524b4c2c5c moves vl.c into softmmu/, breaking the checkpatch
top-of-kernel-tree check. Replace with checks for softmmu and linux-user
Signed-off-by: Alexander Bulekov
---
scripts/checkpatch.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/checkpatch.pl b/scripts
* rewrite fork-based fuzzer pending patch to libfuzzer
* pass check-patch
Alexander Bulekov (23):
checkpatch: replace vl.c in the top of repo check
softmmu: move vl.c to softmmu/
softmmu: split off vl.c:main() into main.c
module: check module wasn't already initialized
fuzz: add FUZZ_TARGET
The virtio-scsi fuzz target sets up and fuzzes the available virtio-scsi
queues. After an element is placed on a queue, the fuzzer can select
whether to perform a kick, or continue adding elements.
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/Makefile.include | 1 +
tests/qtest
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
docs/devel/fuzzing.txt | 116 +
1 file changed, 116 insertions(+)
create mode 100644 docs/devel/fuzzing.txt
diff --git a/docs/devel/fuzzing.txt b/docs/devel
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
---
Makefile| 15 ++-
Makefile.target | 16
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index f0e1a2fc1d..36ca26f0f5 100644
-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
tests/qtest/libqtest.c | 48 ++
1 file changed, 39 insertions(+), 9 deletions(-)
diff --git a/tests/qtest/libqtest.c b/tests/qtest/libqtest.c
index 76c9f8eade..e5056a1d0f 100644
Ram blocks were marked MADV_DONTFORK breaking fuzzing-tests which
execute each test-input in a forked process.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
exec.c | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git
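As an added illustration of why MADV_DONTFORK breaks a fork-per-input fuzzer (example code written for this page, not QEMU's own exec.c change): a single page standing in for a RAM block is mapped, optionally marked MADV_DONTFORK, and a forked child tries to read it. With the advice set, the page is simply absent from the child's address space, so the first access faults and the child dies. The 0x5a marker byte and the one-page size are constructed test values.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define RAM_BYTES 4096   /* constructed: one page plays the RAM block */

/* Fork a child that reads the first byte of the region.
 * Returns 1 if the child read the marker, 0 if it died or misread,
 * -1 if fork/wait itself failed. */
static int child_can_read(volatile uint8_t *ram)
{
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        uint8_t v = ram[0];   /* faults if the page was not inherited */
        _exit(v == 0x5a ? 0 : 3);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) {
        return -1;
    }
    /* A child killed by SIGSEGV is reported via WIFSIGNALED, not WIFEXITED. */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Map a stand-in RAM block, optionally mark it MADV_DONTFORK, and report
 * whether a forked child can still see it (1), cannot (0), or error (-1). */
int forked_child_sees_ram(int dontfork)
{
    uint8_t *ram = mmap(NULL, RAM_BYTES, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ram == MAP_FAILED) {
        return -1;
    }
    ram[0] = 0x5a;   /* constructed marker the child must read back */
    if (dontfork && madvise(ram, RAM_BYTES, MADV_DONTFORK) != 0) {
        munmap(ram, RAM_BYTES);
        return -1;
    }
    int rc = child_can_read(ram);
    munmap(ram, RAM_BYTES);
    return rc;
}

int main(void)
{
    printf("child sees RAM without MADV_DONTFORK: %d\n", forked_child_sees_ram(0));
    printf("child sees RAM with MADV_DONTFORK:    %d\n", forked_child_sees_ram(1));
    return 0;
}
```

The parent keeps full access in both cases; only the child is affected, which is exactly the situation a fuzzer hits when every test input runs in a forked process.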
to perform some initialization before running the softmmu
initialization. Now, main simply calls three vl.c functions which
handle the guest initialization, main loop and cleanup.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
Makefile.target | 2
and ones that are qos-test specific into different
variables.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Philippe Mathieu-Daudé
---
tests/qtest/Makefile.include | 71 ++--
1 file changed, 36 insertions
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
include/qemu/module.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/qemu/module.h b/include/qemu/module.h
index 65ba596e46..684753d808 100644
--- a/include/qemu/module.h
The moved functions are not specific to qos-test and might be useful
elsewhere. For example the virtual-device fuzzer makes use of them for
qos-assisted fuzz-targets.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Darren Kenny
ich should be used to define new fuzz
targets.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/Makefile.include | 6 +
tests/qtest/fuzz/fuzz.c | 179 ++
tests/qtest/fuzz/fuzz.h
The handler allows a qtest client to send commands to the server by
directly calling a function, rather than using a file/CharBackend
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
include/sysemu/qtest.h | 1 +
qtest.c| 13
-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
tests/qtest/fuzz/Makefile.include | 3 +
tests/qtest/fuzz/i440fx_fuzz.c| 193 ++
2 files changed, 196 insertions(+)
create mode 100644 tests/qtest/fuzz/i440fx_fuzz.c
diff --git a/tests
the benefits of the direct socket_send call, while adding
support for in-process qtest calls.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
tests/qtest/libqtest.c | 71 --
tests/qtest/libqtest.h | 4 +++
2 file
the location of the
counters/coverage bitmap. As a workaround, we rely on a custom linker
script which forces all of the bitmaps we care about to be placed in a
contiguous region, which is easy to locate and mmap over.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
---
tests/qtest
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
---
tests/qtest/fuzz/Makefile.include | 2 +
tests/qtest/fuzz/qos_fuzz.c | 234 ++
tests/qtest/fuzz/qos_fuzz.h | 33 +
3 files changed, 269 insertions(+)
create mode 100644 tests/qtest
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Darren Kenny
---
configure | 39 +++
1 file changed, 39 insertions(+)
diff --git a/configure b/configure
index 115dc38085..bd873177ad 100755
module.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
Reviewed-by: Philippe Mathieu-Daudé
---
util/module.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/util/module.c b/util/module.c
index 8c5315a7a3..236a7bb52a 100644
--- a/util/module.c
The qtest-based fuzzer makes use of forking to reset-state between
tests. Keep the callback enabled, so the call_rcu thread gets created
within the child process.
Signed-off-by: Alexander Bulekov
Reviewed-by: Darren Kenny
Acked-by: Stefan Hajnoczi
---
softmmu/vl.c | 12 +++-
1 file
the same process (inproc)
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
Acked-by: Thomas Huth
---
include/sysemu/qtest.h | 3 +++
qtest.c| 18 --
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/include
The names i2c_send and i2c_recv collide with functions defined in
hw/i2c/core.c. This causes an error when linking against libqos and
softmmu simultaneously (for example when using qtest inproc). Rename the
libqos functions to avoid this.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan
The virtio-net fuzz target feeds inputs to all three virtio-net
virtqueues, and uses forking to avoid leaking state between fuzz runs.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
---
tests/qtest/fuzz/Makefile.include | 1 +
tests/qtest/fuzz/virtio_net_fuzz.c | 198
to perform some initialization before running the softmmu
initialization. Now, main simply calls three vl.c functions which
handle the guest initialization, main loop and cleanup.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
MAINTAINERS | 1
check-patch
Alexander Bulekov (22):
softmmu: move vl.c to softmmu/
softmmu: split off vl.c:main() into main.c
module: check module wasn't already initialized
fuzz: add FUZZ_TARGET module type
qtest: add qtest_server_send abstraction
libqtest: add a layer of abstraction to send/recv
Move vl.c to a separate directory, similar to linux-user/
Update the checkpatch and get_maintainer scripts, since they relied on
/vl.c for top_of_tree checks.
Signed-off-by: Alexander Bulekov
---
MAINTAINERS | 2 +-
Makefile.objs | 2 --
Makefile.target | 1
ich should be used to define new fuzz
targets.
Signed-off-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
MAINTAINERS | 8 ++
tests/qtest/fuzz/Makefile.include | 6 +
tests/qtest/fuzz/fuzz.c | 179 +++
asses the TransportOps enabling the call into
> > qtest.c. This change replaces the socket_send calls with ops->send,
> > maintaining the benefits of the direct socket_send call, while adding
> > support for in-process qtest calls.
> >
> > Signed-off-by: Alexan
On 200120 0055, Bulekov, Alexander wrote:
> +if test "$fuzzing" = "yes" ; then
> + if test "$have_fuzzer" = "yes"; then
> +FUZZ_LDFLAGS=" -fsanitize=address,fuzzer"
> +FUZZ_CFLAGS=" -fsanitize=address,fuzzer"
> +CFLAGS=" -fsanitize=address,fuzzer"
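Review bot: `CFLAGS=" -fsanitize=address,fuzzer"` in this hunk overwrites whatever CFLAGS configure has accumulated up to this point instead of appending to it; the two preceding lines define new FUZZ_LDFLAGS/FUZZ_CFLAGS variables and are fine, but this one should be `CFLAGS="$CFLAGS -fsanitize=address,fuzzer"`. Separately, -fsanitize=fuzzer (as opposed to -fsanitize=fuzzer-no-link) also links libFuzzer's own main() into any binary built with it, so putting it into the global CFLAGS rather than only FUZZ_CFLAGS risks breaking the non-fuzzer binaries that define their own main().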
This will fail when build standard
On 200103 0958, Stefan Hajnoczi wrote:
> On Fri, Nov 29, 2019 at 09:34:36PM +, Oleinik, Alexander wrote:
> > @@ -3853,7 +3834,7 @@ int main(int argc, char **argv, char **envp)
> > set_memory_options(_slots, _size, machine_class);
> >
> > os_daemonize();
> > -
st libqos and
> > > softmmu simultaneously (for example when using qtest inproc). Rename the
> > > libqos functions to avoid this.
> > >
> > > Signed-off-by: Alexander Bulekov
> > > ---
> > > tests/libqos/i2c.c | 10 +-
> > >
On 200103 1115, Stefan Hajnoczi wrote:
> On Fri, Nov 29, 2019 at 09:34:47PM +, Oleinik, Alexander wrote:
> > +QTestState *qtest_inproc_init(QTestState **s, bool log, const char* arch,
> > +void (*send)(void*, const char*))
> > +{
> > +QTestState *qts;
> > +qts =
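Review bot: the prototype `QTestState *qtest_inproc_init(QTestState **s, bool log, const char* arch, void (*send)(void*, const char*))` attaches the asterisks to the type; QEMU's checkpatch expects `const char *arch` and `void (*send)(void *, const char *)`. It also takes `QTestState **s` and returns a `QTestState *`, giving callers two ways to obtain the same object; a comment on why both are needed, or dropping one, would make the API easier to use.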
-assert(!err);
> +qmp_marshal_qom_list_types(args, , _abort);
> lst = qobject_to(QList, response);
> apply_to_qlist(lst, false);
> qobject_unref(response);
> --
> 2.21.1
>
Thanks!
Acked-by: Alexander Bulekov
onvert from QObject to the QAPI types.
>
> Signed-off-by: Markus Armbruster
Thank you for looking at this!
Reviewed-by: Alexander Bulekov
> ---
> tests/qtest/libqos/qos_external.h | 8 +++-
> tests/qtest/fuzz/qos_fuzz.c | 34 ---
> tests/qtes
On 200424 0911, Markus Armbruster wrote:
> Target recurse-fuzz depends on pc-bios/optionrom/fuzz, which can't be
> made. It's not used anywhere. Added in commit c621dc3e01c, looks
> like cargo cult. Delete.
>
> Signed-off-by: Markus Armbruster
Reviewed-by: Al
the fuzz target based on this name, rather than the
--fuzz-target argument. This is useful for systems such as oss-fuzz
where we don't have control of the arguments passed to the fuzzer.
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/fuzz.c | 19 +++
1 file changed, 11
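An added example (not QEMU's fuzz.c) of the selection rule described above: an explicit --fuzz-target=NAME still wins, but when the harness is launched under a name of the form <prefix>-<target>, as a symlink or renamed copy, the target is read from basename(argv[0]). The naming scheme qemu-fuzz-i386-<target> and the target name virtio-net-fork-fuzz in the constructed scenarios are assumptions; the page only says the binary is called e.g. qemu-fuzz-i386.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TARGET_OPT "--fuzz-target="

/* Return the fuzz target name, or NULL if neither source names one.
 * 1. --fuzz-target=NAME anywhere in argv wins (empty NAME is rejected).
 * 2. Otherwise basename(argv[0]) must be "<prefix>-<target>"; a bare
 *    "<prefix>" (e.g. qemu-fuzz-i386 itself) encodes no target.
 * The result is copied into a static buffer so it outlives argv edits. */
const char *select_fuzz_target(int argc, char **argv, const char *prefix)
{
    static char out[128];

    for (int i = 1; i < argc; i++) {
        if (strncmp(argv[i], TARGET_OPT, strlen(TARGET_OPT)) == 0) {
            const char *name = argv[i] + strlen(TARGET_OPT);
            if (*name == '\0') {
                return NULL;
            }
            snprintf(out, sizeof out, "%s", name);
            return out;
        }
    }
    if (argc < 1 || argv[0] == NULL) {
        return NULL;
    }
    const char *base = strrchr(argv[0], '/');
    base = base ? base + 1 : argv[0];
    size_t plen = strlen(prefix);
    if (strncmp(base, prefix, plen) != 0 || base[plen] != '-' ||
        base[plen + 1] == '\0') {
        return NULL;
    }
    snprintf(out, sizeof out, "%s", base + plen + 1);
    return out;
}

/* Constructed scenarios (assumed names), one per selection path. */
const char *case_symlink_name(void)
{
    char *argv[] = {"/usr/lib/qemu/qemu-fuzz-i386-virtio-net-fork-fuzz", NULL};
    return select_fuzz_target(1, argv, "qemu-fuzz-i386");
}

const char *case_explicit_option(void)
{
    char *argv[] = {"./qemu-fuzz-i386", "--fuzz-target=i440fx-qtest-reboot-fuzz", NULL};
    return select_fuzz_target(2, argv, "qemu-fuzz-i386");
}

const char *case_plain_binary(void)
{
    char *argv[] = {"./qemu-fuzz-i386", "-some-other-flag", NULL};
    return select_fuzz_target(2, argv, "qemu-fuzz-i386");
}

int main(int argc, char **argv)
{
    const char *t = select_fuzz_target(argc, argv, "qemu-fuzz-i386");
    printf("selected target: %s\n", t ? t : "(none; list targets)");
    return 0;
}
```

On a system that sets argv[0] but not the arguments, such as an oss-fuzz runner, the symlink path is the only one that needs to work; the option path is kept for local runs.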
Please ignore. I think I misunderstood the issue with the pull-request.
Additionally, this patch still has incorrect spacing and is missing
review tags.
On 200501 0956, Alexander Bulekov wrote:
> The fuzzers are built into a binary (e.g. qemu-fuzz-i386). To select the
> device to fuzz/fuzz
On 200501 1325, Alexander Bulekov wrote:
...
> diff --git a/qemu-options.hx b/qemu-options.hx
> index 292d4e7c0c..bbb091872f 100644
> --- a/qemu-options.hx
> +++ b/qemu-options.hx
> @@ -2938,7 +2938,7 @@ DEF("chardev", HAS_ARG, QEMU_OPTION_chardev,
> "-
On 200512 2259, Philippe Mathieu-Daudé wrote:
> On 5/12/20 9:48 PM, Alexander Bulekov wrote:
> > Oops I realized I posted a bad stacktrace and a bad reproducer :)
> > Fixed stacktrace:
> >
> > ==20527==ERROR: AddressSanitizer: heap-buffer-overflow on addres
Public bug reported:
Hello,
While fuzzing, I found an input that triggers an assertion-failure in usb_detach
/home/alxndr/Development/qemu/hw/usb/core.c:69: void usb_detach(USBPort *):
Assertion `dev->state != USB_STATE_NOTATTACHED' failed.
#3 0x76866092 in __GI___assert_fail
Hello,
While fuzzing, I found an input that triggers this assertion-failure in
usb_ep_get
/home/alxndr/Development/qemu/hw/usb/core.c:723: struct USBEndpoint
*usb_ep_get(USBDevice *, int, int): Assertion `pid == USB_TOKEN_IN || pid ==
USB_TOKEN_OUT' failed.
#3 0x76866092 in
-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
Reviewed-by: Darren Kenny
---
chardev/char-file.c | 5 +
chardev/char.c | 3 +++
qemu-options.hx | 7 +--
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/chardev/char-file.c b/chardev/char-file.c
index 2fd80707e5
Signed-off-by: Alexander Bulekov
---
tests/test-char.c | 96 +++
1 file changed, 96 insertions(+)
diff --git a/tests/test-char.c b/tests/test-char.c
index 3afc9b1b8d..6c66fae86a 100644
--- a/tests/test-char.c
+++ b/tests/test-char.c
@@ -1228,6
of the test.
Alexander Bulekov (2):
chardev: enable distinct input for -chardev file
char-file: add test for distinct path= and pathin=
chardev/char-file.c | 5 +++
chardev/char.c | 3 ++
qemu-options.hx | 7 +++-
tests/test-char.c | 96 +
4
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/i440fx_fuzz.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/qtest/fuzz/i440fx_fuzz.c b/tests/qtest/fuzz/i440fx_fuzz.c
index ab5f112584..90e75ffaea 100644
--- a/tests/qtest/fuzz/i440fx_fuzz.c
+++ b/tests/qtest/fuzz
Previously, we relied on "FuzzerTracePC*(.bss*)" to place libfuzzer's
fuzzer::TPC object into our contiguous shared-memory region. This does
not work for some libfuzzer builds, so this addition identifies the
region by its mangled name: *(.bss._ZN6fuzzer3TPCE);
Signed-off-by: Alexand
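The two commit messages about the linker script (the contiguous counter region above, and the fuzzer::TPC alias here) describe why the coverage bitmaps must sit in one known region: the parent replaces that region with a shared mapping, so every fork() child writes its coverage straight into memory the parent can read, while all other child state (device state, heap, globals) is thrown away with the child. What follows is an added example of that mechanism, not QEMU's fork_fuzz code: a page-aligned array stands in for the region the linker script collects, the "device" is a single global, and the sample input bytes are constructed.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the coverage counter region (assumption: in QEMU the linker
 * script makes the real counters contiguous; here one page-aligned array
 * plays that role). */
#define COUNTER_BYTES 4096
#define NCOUNTERS (COUNTER_BYTES / sizeof(uint32_t))
static uint32_t counters[NCOUNTERS] __attribute__((aligned(COUNTER_BYTES)));

/* Toy device state: it must not leak from one input to the next. */
static int device_state;

/* Replace the counter pages in place with a MAP_SHARED anonymous mapping.
 * The region keeps its address, but fork() children now write through to
 * memory the parent reads instead of into a private copy-on-write copy.
 * Returns 0 on success, -1 if mmap refused. */
int share_counters_with_children(void)
{
    void *p = mmap(counters, COUNTER_BYTES, PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    return p == (void *)counters ? 0 : -1;
}

/* Toy target: each input byte "covers" one counter and mutates device state. */
static void execute_input(const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        counters[data[i] % NCOUNTERS]++;
        device_state += data[i];
    }
}

/* Run one input in a forked child and return how many counter hits the parent
 * can see afterwards; -1 if fork/wait failed or the child did not exit. */
long run_input_in_child(const uint8_t *data, size_t len)
{
    memset(counters, 0, sizeof(counters));   /* fresh coverage for this input */
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        execute_input(data, len);
        _exit(0);   /* no atexit handlers: the parent owns all cleanup */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) {
        return -1;
    }
    long hits = 0;
    for (size_t i = 0; i < NCOUNTERS; i++) {
        hits += counters[i];
    }
    return hits;
}

/* Constructed 5-byte sample input; a fully visible run reports 5 hits. */
long run_sample_input(void)
{
    static const uint8_t input[] = {1, 2, 3, 3, 250};
    return run_input_in_child(input, sizeof input);
}

/* Device state as the parent sees it: the child's mutations are discarded. */
int parent_device_state(void)
{
    return device_state;
}

int main(void)
{
    printf("private counters: parent sees %ld hits\n", run_sample_input());
    if (share_counters_with_children() != 0) {
        perror("mmap");
        return 1;
    }
    printf("shared counters:  parent sees %ld hits\n", run_sample_input());
    printf("device_state in parent: %d\n", parent_device_state());
    return 0;
}
```

Before the mapping is made shared the parent sees no coverage at all, because the child's increments land in its own copy-on-write pages; afterwards the counts come through while device_state stays untouched in the parent. This is why the region has to be locatable and page-contiguous: MAP_FIXED can only be applied to whole pages at a known address, which is what the linker script guarantees.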
the timer events do not pile up, over time.
Signed-off-by: Alexander Bulekov
---
tests/qtest/fuzz/i440fx_fuzz.c | 1 +
tests/qtest/fuzz/virtio_net_fuzz.c | 2 ++
tests/qtest/fuzz/virtio_scsi_fuzz.c | 2 ++
3 files changed, 5 insertions(+)
I'm working on another series to abstract away t
in an
invalid argument to qemu_main
* Add an alternate name to resolve libfuzzer's internal fuzzer::TPC
object at link-time
* For all fork-based fuzzers, run the main-loop in the parent, to
prevent the clock from running far-ahead of the previous main-loop.
-Alex
Alexander Bulekov (4):
fuzz
Public bug reported:
Hello,
While fuzzing, I found an input that triggers an assertion failure in
iov_from_buf_full through the e1000e:
size_t iov_from_buf_full(const struct iovec *, unsigned int, size_t,
const void *, size_t): Assertion `offset == 0' failed.
#3 0x76866092 in
On 200514 0055, P J P wrote:
> From: Prasad J Pandit
>
> While in megasas_handle_frame(), megasas_enqueue_frame() may
> set a NULL frame into MegasasCmd object for a given 'frame_addr'
> address. Add check to avoid a NULL pointer dereference issue.
>
> Reported-by: Alexa
ssue.
>
> Also check that 'index' value stays within s->frames[] bounds
> through the while() loop in 'megasas_lookup_frame' to avoid OOB
> access.
>
> Reported-by: Ren Ding
> Reported-by: Hanqing Zhao
> Reported-by: Alexander Bulekov
> Signed-off-by: Prasad J Pan
Public bug reported:
Hello,
While fuzzing, I found an input which triggers an assertion failure in
e1000e_write_rx_descr:
qemu-system-i386: /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1359: void
e1000e_write_rx_descr(E1000ECore *, uint8_t *, struct NetRxPkt *, const
E1000E_RSSInfo *,
Public bug reported:
Hello,
While fuzzing, I found an input which triggers an assertion failure in
e1000e_write_lgcy_rx_descr:
qemu-system-i386: /home/alxndr/Development/qemu/hw/net/e1000e_core.c:1283: void
e1000e_write_lgcy_rx_descr(E1000ECore *, uint8_t *, struct NetRxPkt *, const
Signed-off-by: Alexander Bulekov
---
tests/test-char.c | 83 +++
1 file changed, 83 insertions(+)
diff --git a/tests/test-char.c b/tests/test-char.c
index 3afc9b1b8d..9b3e1e2a9b 100644
--- a/tests/test-char.c
+++ b/tests/test-char.c
@@ -1228,6
-by: Alexander Bulekov
Reviewed-by: Stefan Hajnoczi
---
chardev/char-file.c | 5 +
chardev/char.c | 3 +++
qemu-options.hx | 7 +--
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/chardev/char-file.c b/chardev/char-file.c
index 2fd80707e5..031f2aa7d7 100644
--- a/chardev
This adds a pathin= option to -chardev file, which allows specifying
distinct input and output paths for the chardev. This functionality was
already available through QMP.
Alexander Bulekov (2):
chardev: enable distinct input for -chardev file
char-file: add test for distinct path= and pathin
Hello,
While fuzzing, I found an input that triggers an assertion failure in
address_space_lduw_le_cached:
void address_space_stw_le_cached(MemoryRegionCache *, hwaddr, uint32_t,
MemTxAttrs, MemTxResult *): Assertion `addr < cache->len && 2 <= cache->len -
addr' failed.
#8 0x7f53dabda091 in
e can't pass the sender check.
>
> Fix by using the peer.
>
> Reported-by: "Alexander Bulekov"
> Fixes: ca77d85e1dbf9 ("net: complete all queued packets on VM stop")
> Cc: qemu-sta...@nongnu.org
> Signed-off-by: Jason Wang
Hi Jason,
With this patch, I can no lo
Hello,
While fuzzing, I found an input that triggers an assertion failure in
pci_bus_get_irq_level through ich9_lpc_update_apic:
int pci_bus_get_irq_level(PCIBus *, int): Assertion `irq_num < bus->nirq'
failed.
#8 0x7fc7d4fa4091 in __assert_fail
Hello,
While fuzzing, I found an input that triggers an assertion failure in
net_tx_pkt_add_raw_fragment through the e1000e:
_Bool net_tx_pkt_add_raw_fragment(struct NetTxPkt *, hwaddr, size_t): Assertion
`pkt->max_raw_frags > pkt->raw_frags' failed.
#8 0x7f2930b0d091 in __assert_fail
Hello,
While fuzzing, I found an input that triggers a null-ptr dereference in
aio_bh_enqueue, through virtio-balloon. Based on the stacktrace below,
I am not positive that this is specific to virtio-balloon, however
I have not encountered the same issue for any of the other virtio
devices I am
1 - 100 of 1114 matches