Re: [Qemu-devel] [RFC PATCH v2 04/17] fuzz: Skip modules that were already initialized

On Fri, 2019-08-09 at 10:04 +0100, Stefan Hajnoczi wrote: > On Mon, Aug 05, 2019 at 07:11:05AM +0000, Oleinik, Alexander wrote: > > Signed-off-by: Alexander Oleinik > > --- > > util/module.c | 7 +++ > > 1 file changed, 7 insertions(+) > > Why is this

Re: [Qemu-devel] [RFC PATCH v2 02/17] fuzz: Add fuzzer configure options

On Mon, 2019-08-12 at 18:39 -0400, Bandan Das wrote: > "Oleinik, Alexander" writes: > ... > > if test "$supported_cpu" = "no"; then > > echo > > @@ -7306,6 +7310,17 @@ fi > > if test "$sheepdog" = "yes"

[Qemu-devel] [PATCH v3 00/22] Add virtual device fuzzing support

This series adds a framework for coverage-guided fuzzing of virtual-devices. Fuzzing targets are based on qtest and can make use of the libqos abstractions. Build instructions in docs/devel/fuzzing.txt V3: * Rebased onto v4.1.0+ * Add the fuzzer as a new build-target type in the build-system

[Qemu-devel] [PATCH v3 02/22] libqos: Rename i2c_send and i2c_recv

The names i2c_send and i2c_recv collide with functions defined in hw/i2c/core.c. This causes an error when linking against libqos and softmmu simultaneously (for example when using qtest inproc). Rename the libqos functions to avoid this. Signed-off-by: Alexander Oleinik ---

[Qemu-devel] [PATCH v3 05/22] libqtest: Add a layer of abstraciton to send/recv

This makes it simple to swap the transport functions for qtest commands to and from the qtest client. For example, now it is possible to directly pass qtest commands to a server handler that exists within the same process, without the standard way of writing to a file descriptor. Signed-off-by:

[Qemu-devel] [PATCH v3 03/22] fuzz: Add FUZZ_TARGET module type

Signed-off-by: Alexander Oleinik --- include/qemu/module.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/qemu/module.h b/include/qemu/module.h index 65ba596e46..684753d808 100644 --- a/include/qemu/module.h +++ b/include/qemu/module.h @@ -46,6 +46,7 @@ typedef

[Qemu-devel] [PATCH v3 19/22] fuzz: add support for qos-assisted fuzz targets

Signed-off-by: Alexander Oleinik --- tests/fuzz/qos_fuzz.c | 212 ++ tests/fuzz/qos_fuzz.h | 19 2 files changed, 231 insertions(+) create mode 100644 tests/fuzz/qos_fuzz.c create mode 100644 tests/fuzz/qos_fuzz.h diff --git

[Qemu-devel] [PATCH v3 06/22] fuzz: add configure flag --enable-fuzzing

Signed-off-by: Alexander Oleinik --- configure | 13 + 1 file changed, 13 insertions(+) diff --git a/configure b/configure index 30aad233d1..775f46f55a 100755 --- a/configure +++ b/configure @@ -498,6 +498,7 @@ libxml2="" debug_mutex="no" libpmem="" default_devices="yes"

[Qemu-devel] [PATCH v3 22/22] fuzz: add documentation to docs/devel/

Signed-off-by: Alexander Oleinik --- docs/devel/fuzzing.txt | 114 + 1 file changed, 114 insertions(+) create mode 100644 docs/devel/fuzzing.txt diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt new file mode 100644 index

[Qemu-devel] [PATCH v3 21/22] fuzz: add virtio-net fuzz target

The virtio-net fuzz target feeds inputs to all three virtio-net virtqueues, and uses forking to avoid leaking state between fuzz runs. Signed-off-by: Alexander Oleinik --- tests/fuzz/Makefile.include | 1 + tests/fuzz/virtio_net_fuzz.c | 120 +++ 2 files

[Qemu-devel] [PATCH v3 10/22] tests: provide test variables to other targets

Before, when tests/Makefile.include was included, the contents would be ignored if config-host.mak was defined. Moving the ifneq responsible for this allows a target to depend on both testing-related and host-related objects. For example the virtual-device fuzzer relies on both libqtest/libqos

[Qemu-devel] [PATCH v3 17/22] fuzz: add support for fork-based fuzzing.

fork() is a simple way to ensure that state does not leak in between fuzzing runs. Unfortunately, the fuzzer mutation engine relies on bitmaps which contain coverage information for each fuzzing run, and these bitmaps should be copied from the child to the parent(where the mutation occurs). These

[Qemu-devel] [PATCH v3 12/22] libqos: move useful qos-test funcs to qos_external

The moved functions are not specific to qos-test and might be useful elsewhere. For example the virtual-device fuzzer makes use of them for qos-assisted fuzz-targets. Signed-off-by: Alexander Oleinik --- tests/Makefile.include | 1 + tests/libqos/qos_external.c | 151

[Qemu-devel] [PATCH v3 01/22] softmmu: split off vl.c:main() into main.c

A program might rely on functions implemented in vl.c, but implement its own main(). By placing main into a separate source file, there are no complaints about duplicate main()s when linking against vl.o. For example, the virtual-device fuzzer uses a main() provided by libfuzzer, and needs to

[Qemu-devel] [PATCH v3 08/22] module: check module wasn't already initialized

The virtual-device fuzzer must initialize QOM, prior to running vl:qemu_init, so that it can use the qos_graph to identify the arguments required to initialize a guest for libqos-assisted fuzzing. This change prevents errors when vl:qemu_init tries to (re)initialize the previously initialized QOM

[Qemu-devel] [PATCH v3 11/22] libqos: split qos-test and libqos makefile vars

Most qos-related objects were specified in the qos-test-obj-y variable. qos-test-obj-y also included qos-test.o which defines a main(). This made it difficult to repurpose qos-test-obj-y to link anything beside tests/qos-test against libqos. This change separates objects that are libqos-specific

[Qemu-devel] [PATCH v3 04/22] qtest: add qtest_server_send abstraction

qtest_server_send is a function pointer specifying the handler used to transmit data to the qtest client. In the standard configuration, this calls the CharBackend handler, but now it is possible for other types of handlers, e.g direct-function calls if the qtest client and server exist within the

[Qemu-devel] [PATCH v3 13/22] libqtest: make qtest_bufwrite send "atomic"

When using qtest "in-process" communication, qtest_sendf directly calls a function in the server (qtest.c). Combining the contents of the subsequent socket_sends into the qtest_sendf, makes it so the server can immediately handle the command, without building a local buffer and waiting for a

[Qemu-devel] [PATCH v3 07/22] fuzz: Add target/fuzz makefile rules

Signed-off-by: Alexander Oleinik --- Note that with this you cannot configure with --enable-fuzzing to build /all targets. Even if you could, you would need to clean all of the *.o between builds, since fuzzing adds instrumentation CFLAGS. Makefile| 15 ++-

[Qemu-devel] [PATCH v3 20/22] fuzz: add i440fx fuzz targets

These three targets should simply fuzz reads/writes to a couple ioports, but they mostly serve as examples of different ways to write targets. They demonstrate using qtest and qos for fuzzing, as well as using rebooting and forking to reset state, or not resetting it at all. Signed-off-by:

[Qemu-devel] [PATCH v3 18/22] fuzz: expose fuzz target name

This is needed for the qos-assisted fuzzers which walk the qos tree and need a way to check if the current path matches the name of the fuzz target. Signed-off-by: Alexander Oleinik --- tests/fuzz/fuzz.c | 3 +++ tests/fuzz/fuzz.h | 1 + 2 files changed, 4 insertions(+) diff --git

[Qemu-devel] [PATCH v3 15/22] fuzz: Add target/fuzz makefile rules

Signed-off-by: Alexander Oleinik --- Makefile| 12 +++- Makefile.objs | 6 +- Makefile.target | 1 + 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 3a43492340..5e5033a500 100644 --- a/Makefile +++ b/Makefile @@ -426,6 +426,7 @@

[Qemu-devel] [PATCH v3 09/22] qtest: add in-process incoming command handler

The handler allows a qtest client to send commands to the server by directly calling a function, rather than using a file/CharBackend Signed-off-by: Alexander Oleinik --- include/sysemu/qtest.h | 1 + qtest.c| 7 +++ 2 files changed, 8 insertions(+) diff --git

[Qemu-devel] [PATCH v3 14/22] libqtest: add in-process qtest.c tx/rx handlers

Signed-off-by: Alexander Oleinik --- tests/libqtest.c | 46 ++ tests/libqtest.h | 5 + 2 files changed, 51 insertions(+) diff --git a/tests/libqtest.c b/tests/libqtest.c index d770462869..fc10322d52 100644 --- a/tests/libqtest.c +++

[Qemu-devel] [PATCH v3 16/22] fuzz: add fuzzer skeleton

tests/fuzz/fuzz.c serves as the entry point for the virtual-device fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and LLVMFuzzerTestOneInput functions, both of which are defined in this file. This change adds a "FuzzTarget" struct, along with the fuzz_add_target function, which should

[Qemu-devel] [PATCH] libqos: Account for the ctrl queue in virtio-net

The number of queues is 2n+1, where n == 1 when multiqueue is disabled Signed-off-by: Alexander Oleinik --- I split this commit out of the fuzz patch-series. tests/libqos/virtio-net.c | 1 + tests/libqos/virtio-net.h | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git

[Qemu-devel] [RFC PATCH v2 14/17] fuzz: Add forking support to the fuzzer

Forking is a simple way of ensuring that state doesn't leak between runs. This patch depends on a modification to libfuzzer: https://reviews.llvm.org/D65672 Signed-off-by: Alexander Oleinik --- tests/fuzz/fuzzer_hooks.c | 62 +++ tests/fuzz/fuzzer_hooks.h |

[Qemu-devel] [RFC PATCH v2 10/17] fuzz: qtest client directly interacts with server

Signed-off-by: Alexander Oleinik --- tests/libqtest.c | 61 ++-- tests/libqtest.h | 6 + 2 files changed, 65 insertions(+), 2 deletions(-) diff --git a/tests/libqtest.c b/tests/libqtest.c index 3c5c3f49d8..a9c1dc4fb6 100644 --- a/tests/libqtest.c

[Qemu-devel] [RFC PATCH v2 08/17] fuzz: Export the qemu_savevm_live_state function

Skip the header when saving device state, as the header isn't handled by qemu_load_device_state Signed-off-by: Alexander Oleinik --- migration/savevm.c | 9 +++-- migration/savevm.h | 2 ++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/migration/savevm.c

[Qemu-devel] [RFC PATCH v2 13/17] fuzz: Add libqos support to the fuzzer

Signed-off-by: Alexander Oleinik --- tests/fuzz/qos_fuzz.c| 58 tests/fuzz/qos_fuzz.h| 23 + tests/fuzz/qos_helpers.c | 190 +++ tests/fuzz/qos_helpers.h | 17 4 files changed, 288 insertions(+) create mode 100644

[Qemu-devel] [RFC PATCH v2 04/17] fuzz: Skip modules that were already initialized

Signed-off-by: Alexander Oleinik --- util/module.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/util/module.c b/util/module.c index 142db7e911..3d4380fd47 100644 --- a/util/module.c +++ b/util/module.c @@ -30,6 +30,7 @@ typedef struct ModuleEntry typedef QTAILQ_HEAD(, ModuleEntry)

[Qemu-devel] [RFC PATCH v2 12/17] fuzz: Add fuzzer skeleton

The code defines the lifecycle of the fuzzer, and provides rebooting, vmload and device_load as means of resetting state between fuzz runs Signed-off-by: Alexander Oleinik --- tests/fuzz/fuzz.c | 245 ++ tests/fuzz/fuzz.h | 70 + 2 files

[Qemu-devel] [RFC PATCH v2 17/17] fuzz: Add fuzz accelerator type

Signed-off-by: Alexander Oleinik --- accel/fuzz.c | 48 +++ include/sysemu/fuzz.h | 15 ++ 2 files changed, 63 insertions(+) create mode 100644 accel/fuzz.c create mode 100644 include/sysemu/fuzz.h diff --git a/accel/fuzz.c

[Qemu-devel] [RFC PATCH v2 11/17] fuzz: Move useful qos functions to separate object

These functions are used by both qos-test.c, and the fuzzer. Signed-off-by: Alexander Oleinik --- tests/libqos/qos_external.c | 149 tests/libqos/qos_external.h | 8 ++ tests/qos-test.c| 132 +--- 3 files changed,

Re: [Qemu-devel] [PATCH] libqos: Account for the ctrl queue in virtio-net

On Mon, 2019-08-05 at 03:24 +, Oleinik, Alexander wrote: > The number of queues is 2n+1, where n == 1 when multiqueue is > disabled > > Signed-off-by: Alexander Oleinik > --- > > I split this commit out of the fuzz patch-series. > > tests/libqos/virtio-net.c |

[Qemu-devel] [RFC PATCH v2 06/17] fuzz: Add FUZZ_TARGET module type

Signed-off-by: Alexander Oleinik --- include/qemu/module.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/qemu/module.h b/include/qemu/module.h index db3065381d..cb37ef647e 100644 --- a/include/qemu/module.h +++ b/include/qemu/module.h @@ -46,6 +46,7 @@ typedef

[Qemu-devel] [RFC PATCH v2 15/17] fuzz: Add general qtest fuzz-target

Signed-off-by: Alexander Oleinik --- tests/fuzz/qtest_fuzz.c | 260 tests/fuzz/qtest_fuzz.h | 37 ++ 2 files changed, 297 insertions(+) create mode 100644 tests/fuzz/qtest_fuzz.c create mode 100644 tests/fuzz/qtest_fuzz.h diff --git

[Qemu-devel] [RFC PATCH v2 16/17] fuzz: Add virtio-net fuzz targets

Signed-off-by: Alexander Oleinik --- tests/fuzz/virtio-net-fuzz.c | 254 +++ 1 file changed, 254 insertions(+) create mode 100644 tests/fuzz/virtio-net-fuzz.c diff --git a/tests/fuzz/virtio-net-fuzz.c b/tests/fuzz/virtio-net-fuzz.c new file mode 100644 index

[Qemu-devel] [PATCH] qtest: Rename qtest.c:qtest_init()

Both the qtest client, libqtest.c, and server, qtest.c, used the same name for initialization functions which can cause confusion. Signed-off-by: Alexander Oleinik --- Thank you, Thomas Huth for the suggestion. include/sysemu/qtest.h | 2 +- qtest.c| 3 +-- vl.c

[Qemu-devel] [RFC PATCH v2 07/17] fuzz: Add ramfile qemu-file type

Signed-off-by: Alexander Oleinik --- migration/qemu-file.c | 84 +++ migration/qemu-file.h | 11 ++ 2 files changed, 95 insertions(+) diff --git a/migration/qemu-file.c b/migration/qemu-file.c index 0431585502..453e2897d5 100644 ---

[Qemu-devel] [RFC PATCH v2 05/17] fuzz: Add direct receive function for qtest server

The direct receive function qtest_server_recv is directly invoked by the qtest client, when the server and client exist within the same process. Signed-off-by: Alexander Oleinik --- include/sysemu/qtest.h | 4 qtest.c| 14 ++ 2 files changed, 18 insertions(+)

[Qemu-devel] [RFC PATCH v2 09/17] fuzz: hardcode needed objects into i386 target

Temporary solution until there is a better build solution for fuzzers in tests/Makefile.include Signed-off-by: Alexander Oleinik --- target/i386/Makefile.objs | 20 1 file changed, 20 insertions(+) diff --git a/target/i386/Makefile.objs b/target/i386/Makefile.objs index

[Qemu-devel] [RFC PATCH v2 01/17] fuzz: Move initialization from main to qemu_init

Using this, we avoid needing a special case to break out of main(), early, when initializing the fuzzer, as we can just call qemu_init. There is still a #define around main(), since it otherwise conflicts with the libfuzzer main(). Signed-off-by: Alexander Oleinik --- include/sysemu/sysemu.h |

[Qemu-devel] [RFC PATCH v2 03/17] fuzz: Keep memory mapped for fork-based fuzzer

Otherwise, the RAM is unmapped from the child-processes, which breaks any fuzz tests relying on DMA. Signed-off-by: Alexander Oleinik --- exec.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/exec.c b/exec.c index 3e78de3b8f..b3b56db8f0 100644 --- a/exec.c +++ b/exec.c @@ -2317,7 +2317,9

[Qemu-devel] [RFC PATCH v2 00/17] Add virtual device fuzzing support

Changes since v1 * Split off changes to qos virtio-net and qtest server to other patches * Move vl:main initialization into new func: qemu_init * Moved useful functions from qos-test.c to a separate object * Use struct of function pointers for add_fuzz_target(), instead of arguments * Move

[Qemu-devel] [RFC PATCH v2 02/17] fuzz: Add fuzzer configure options

This adds sanitizer/fuzzer related cflags and adds tests/ to the include path. This include change is needed for qos to build, and is normally located in tests/Makefile.include, but currently the fuzzer builds from the i386-softmmu target, not anything in tests. Signed-off-by: Alexander Oleinik

Re: [Qemu-devel] [PATCH 1/2] net: assert that tx packets have nonzero size

On Tue, 2019-07-23 at 11:38 +0800, Jason Wang wrote: > On 2019/7/20 上午2:52, Oleinik, Alexander wrote: > > Virtual devices should not try to send zero-sized packets. The > > caller > > should check the size prior to calling qemu_sendv_packet_async. > > > >

[Qemu-devel] [PATCH v2] virtio-net: Always check for guest header length

While fuzzing the virtio-net tx vq, I ran into an assertion failure due to iov_copy offsets larger than the total iov size. Though there is a check to cover this, it does not execute when !n->has_vnet_hdr. This change always copies the guest header into the mhdr buffer and checks its length, even

[Qemu-devel] [PATCH 2/2] virtio-net: check that tx packet has positive size

virtio_net_flush_tx does not check that the packet size is nonzero, which causes q->aysnc_tx.elem to be set. Then, when the device is reset, there is an assertion failure since q->aysnc_tx.elem must be flushed/cleared. Zero-sized packets are unsupported - check packet size, prior to sending.

[Qemu-devel] [PATCH 1/2] net: assert that tx packets have nonzero size

Virtual devices should not try to send zero-sized packets. The caller should check the size prior to calling qemu_sendv_packet_async. Signed-off-by: Alexander Oleinik --- net/net.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/net.c b/net/net.c index 7d4098254f..fad20bc611 100644

[Qemu-devel] [PATCH 0/2] Avoid sending zero-size packets

While fuzzing virtio-net I found that attempting to send a zero-size packet leads to an assertion failure, when resetting the device. These patches add an assertion to net/net.c to ensure that virtual devices do not try to send zero-size packets and change virtio-net to check that packets have

[Qemu-devel] [PATCH 0/1] Add check for header length in virtio-net-tx

While fuzzing the virtio-net tx vq, I ran into an assertion failure due to iov_copy offsets larger than the total iov size. Though there is a check to cover this, it does not execute when !n->has_vnet_hdr. This patch tries to fix this. The call stack for the assertion failure: #8 in

[Qemu-devel] [PATCH 1/1] virtio-net: check guest header length is valid

virtio-net checks that the "out" sg is longer than the guest header, but this check can be skipped if has_net_hdr is 0. Also perform this check if host_hdr_len != guest_hdr_len Signed-off-by: Alexander Oleinik --- hw/net/virtio-net.c | 13 - 1 file changed, 12 insertions(+), 1

[Qemu-devel] [RFC 16/19] fuzz: add general fuzzer entrypoints

Defines LLVMFuzzerInitialize and LLVMFuzzerTestOneInput Signed-off-by: Alexander Oleinik --- tests/fuzz/fuzz.c | 262 ++ tests/fuzz/fuzz.h | 96 + 2 files changed, 358 insertions(+) create mode 100644 tests/fuzz/fuzz.c create mode

[Qemu-devel] [RFC 19/19] fuzz: Add documentation about the fuzzer to docs/

Signed-off-by: Alexander Oleinik --- docs/devel/fuzzing.txt | 145 + 1 file changed, 145 insertions(+) create mode 100644 docs/devel/fuzzing.txt diff --git a/docs/devel/fuzzing.txt b/docs/devel/fuzzing.txt new file mode 100644 index

[Qemu-devel] [RFC 17/19] fuzz: add general qtest fuzz target

These fuzz targets perform a range of qtest operations over mmio and port i/o addresses mapped to devices. Signed-off-by: Alexander Oleinik --- tests/fuzz/qtest_fuzz.c | 261 tests/fuzz/qtest_fuzz.h | 38 ++ 2 files changed, 299 insertions(+)

[Qemu-devel] [RFC 14/19] fuzz: hard-code a main-loop timeout

Signed-off-by: Alexander Oleinik --- util/main-loop.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/util/main-loop.c b/util/main-loop.c index e3eaa55866..708e6be5eb 100644 --- a/util/main-loop.c +++ b/util/main-loop.c @@ -513,6 +513,9 @@ void main_loop_wait(int nonblocking)

[Qemu-devel] [RFC 13/19] fuzz: add ctrl vq support to virtio-net in libqos

Signed-off-by: Alexander Oleinik --- tests/libqos/virtio-net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/libqos/virtio-net.c b/tests/libqos/virtio-net.c index 66405b646e..247a0a17a8 100644 --- a/tests/libqos/virtio-net.c +++ b/tests/libqos/virtio-net.c @@ -51,7

[Qemu-devel] [RFC 18/19] fuzz: Add virtio-net tx and ctrl fuzz targets

These virtio-net fuzz targets use libqos abstractions to virtio-net virtqueues. Signed-off-by: Alexander Oleinik --- tests/fuzz/virtio-net-fuzz.c | 226 +++ 1 file changed, 226 insertions(+) create mode 100644 tests/fuzz/virtio-net-fuzz.c diff --git

[Qemu-devel] [RFC 01/19] fuzz: add configure option and linker objects

Add -Wl,--wraps for the libfuzzer callees that we need to intercept Signed-off-by: Alexander Oleinik --- configure | 11 +++ target/i386/Makefile.objs | 19 +++ 2 files changed, 30 insertions(+) diff --git a/configure b/configure index

[Qemu-devel] [RFC 00/19] Add virtual device fuzzing support

As part of Google Summer of Code 2019, I'm working on integrating fuzzing of virtual devices into QEMU [1]. This is a highly WIP patchset adding this functionality. Fuzzers provide random data to a program and monitor its execution for errors. Coverage-guided fuzzers also observe the parts of the

[Qemu-devel] [RFC 06/19] fuzz: Add ramfile for fast vmstate/vmload

The ramfile allows vmstate to be saved and restored directly onto the heap. Signed-off-by: Alexander Oleinik --- tests/fuzz/ramfile.c | 127 +++ tests/fuzz/ramfile.h | 20 +++ 2 files changed, 147 insertions(+) create mode 100644

[Qemu-devel] [RFC 02/19] fuzz: add FUZZ_TARGET type to qemu module system

Signed-off-by: Alexander Oleinik --- include/qemu/module.h | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/include/qemu/module.h b/include/qemu/module.h index db3065381d..531fe7ae29 100644 --- a/include/qemu/module.h +++ b/include/qemu/module.h @@ -46,6 +46,9 @@ typedef

[Qemu-devel] [RFC 04/19] fuzz: Add qos support to fuzz targets

qos_helpers.c is largely a copy of tests/qos-test.c Signed-off-by: Alexander Oleinik --- tests/fuzz/qos_fuzz.c| 63 + tests/fuzz/qos_fuzz.h| 29 tests/fuzz/qos_helpers.c | 295 +++ tests/fuzz/qos_helpers.h | 17 +++ 4 files changed,

[Qemu-devel] [RFC 05/19] fuzz: expose qemu_savevm_state & skip state header

Signed-off-by: Alexander Oleinik --- migration/savevm.c | 8 ++-- migration/savevm.h | 3 +++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/migration/savevm.c b/migration/savevm.c index 79ed44d475..80c00ea560 100644 --- a/migration/savevm.c +++ b/migration/savevm.c @@

[Qemu-devel] [RFC 09/19] fuzz: use mtree_info to find mapped addresses

Locate mmio and port i/o addresses that are mapped to devices so we can limit the fuzzer to only these addresses. This should be replaced with a sane way of enumaring these memory regions. Signed-off-by: Alexander Oleinik --- memory.c | 34 ++ 1 file changed, 34

[Qemu-devel] [RFC 03/19] fuzz: add fuzz accelerator

Much like the qtest accelerator, the fuzz accelerator skips the CPU emulation Signed-off-by: Alexander Oleinik --- include/sysemu/qtest.h | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/include/sysemu/qtest.h b/include/sysemu/qtest.h index cd114b8d80..adfbd10d20 100644

[Qemu-devel] [RFC 07/19] fuzz: Modify libqtest to directly invoke qtest.c

libqtest directly invokes the qtest client and exposes a function to accept responses. Signed-off-by: Alexander Oleinik --- tests/libqtest.c | 53 +++- tests/libqtest.h | 6 ++ 2 files changed, 58 insertions(+), 1 deletion(-) diff --git

[Qemu-devel] [RFC 08/19] fuzz: add shims to intercept libfuzzer init

Intercept coverage buffer registration calls and use this information to copy them to shared memory, if using fork() to avoid resetting device state. Signed-off-by: Alexander Oleinik --- tests/fuzz/fuzzer_hooks.c | 106 ++ tests/fuzz/fuzzer_hooks.h | 9

[Qemu-devel] [RFC 15/19] fuzz: add fuzz accelerator type

Signed-off-by: Alexander Oleinik --- accel/fuzz.c | 47 +++ include/sysemu/fuzz.h | 15 ++ 2 files changed, 62 insertions(+) create mode 100644 accel/fuzz.c create mode 100644 include/sysemu/fuzz.h diff --git a/accel/fuzz.c

[Qemu-devel] [RFC 12/19] fuzz: hard-code all of the needed files for build

Once the fuzzer is better-integrated into the build-system, this should go away Signed-off-by: Alexander Oleinik --- target/i386/Makefile.objs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/i386/Makefile.objs b/target/i386/Makefile.objs index 3d646848ef..c8834f6ad1

[Qemu-devel] [RFC 10/19] fuzz: expose real_main (aka regular vl.c:main)

Export normal qemu-system main so it can be called from tests/fuzz/fuzz.c Signed-off-by: Alexander Oleinik --- include/sysemu/sysemu.h | 4 vl.c| 21 - 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/include/sysemu/sysemu.h

[Qemu-devel] [RFC 11/19] fuzz: add direct send/receive in qtest client

Directly interact with tests/libqtest.c functions Signed-off-by: Alexander Oleinik --- qtest.c | 19 ++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/qtest.c b/qtest.c index 15e27e911f..a6134d3ed0 100644 --- a/qtest.c +++ b/qtest.c @@ -31,6 +31,9 @@ #ifdef

Re: [Qemu-devel] [RFC 13/19] fuzz: add ctrl vq support to virtio-net in libqos

On Thu, 2019-07-25 at 12:25 -0400, John Snow wrote: > > On 7/24/19 11:23 PM, Oleinik, Alexander wrote: > > Signed-off-by: Alexander Oleinik > > Is there some explanation for why the below patch does what the > subject > line claims for the uninitiated? When multique

[Qemu-devel] [PATCH v2 2/2] virtio-net: check that tx packet has positive size

virtio_net_flush_tx does not check that the packet size is nonzero, which causes q->aysnc_tx.elem to be set. Then, when the device is reset, there is an assertion failure since q->aysnc_tx.elem must be flushed/cleared. Zero-sized packets are unsupported - check packet size, prior to sending.

[Qemu-devel] [PATCH v2 1/2] net: assert that tx packets have nonzero size

Virtual devices should not try to send zero-sized packets. The caller should check the size prior to calling qemu_sendv_packet_async. Signed-off-by: Alexander Oleinik --- v2: * Improve the comment to explain the rationale for adding the assert. net/net.c | 9 + 1 file changed, 9

[Qemu-devel] [PATCH v2 0/2] Avoid sending zero-size packets

While fuzzing the virtio-net tx vq, I ran into an assertion failure due to iov_copy offsets larger than the total iov size. Though there is a check to cover this, it does not execute when !n->has_vnet_hdr. This patch tries to fix this. The call stack for the assertion failure: #8 in

Re: [Qemu-devel] [RFC 06/19] fuzz: Add ramfile for fast vmstate/vmload

On 7/26/19 8:47 AM, Stefan Hajnoczi wrote: > On Thu, Jul 25, 2019 at 03:23:49AM +0000, Oleinik, Alexander wrote: >> The ramfile allows vmstate to be saved and restored directly onto the >> heap. >> >> Signed-off-by: Alexander Oleinik >> --

Re: [Qemu-devel] [PATCH v3 01/22] softmmu: split off vl.c:main() into main.c

On Thu, 2019-09-19 at 11:03 +0100, Stefan Hajnoczi wrote: > On Wed, Sep 18, 2019 at 11:19:28PM +0000, Oleinik, Alexander wrote: > > #ifdef CONFIG_COCOA > > #undef main > > This looks suspicious. Should the #ifdef CONFIG_COCOA be moved into > main.c? > The re

Re: [Qemu-devel] [PATCH v3 05/22] libqtest: Add a layer of abstraciton to send/recv

On Thu, 2019-09-19 at 13:18 +0200, Paolo Bonzini wrote: > I think you can pass "s" to the tx handler as well, and remove the > send_opaque and recv_opaque fields? Qtest also uses this function to communicate over qmp (different fd). I can probably make the tx handler a wrapper which accepts "s",

Re: [Qemu-devel] [PATCH v3 02/22] libqos: Rename i2c_send and i2c_recv

On Thu, 2019-09-19 at 13:15 +0200, Paolo Bonzini wrote: > On 19/09/19 01:19, Oleinik, Alexander wrote: > > The names i2c_send and i2c_recv collide with functions defined in > > hw/i2c/core.c. This causes an error when linking against libqos and > > softmmu simultaneously (f

Re: [Qemu-devel] [PATCH v3 06/22] fuzz: add configure flag --enable-fuzzing

On Thu, 2019-09-19 at 11:28 +0100, Stefan Hajnoczi wrote: > Is -fsanitize=fuzzer a clang-only option? If yes, then please ensure > that there is a friendly error message when ./configure is run with > gcc. > You could probe if -fsanitize=fuzzer works and then check that > fuzzing=no when this

Re: [Qemu-devel] [PATCH v3 16/22] fuzz: add fuzzer skeleton

On Thu, 2019-09-19 at 13:48 +0100, Stefan Hajnoczi wrote: > > + > > +void reboot(QTestState *s) > > +{ > > +qemu_system_reset(SHUTDOWN_CAUSE_GUEST_RESET); > > +} > > Why does reboot() take an unused argument? It was needed when I had a reset_state(s) pointer which was separate from fuzz().

Re: [Qemu-devel] [PATCH v3 17/22] fuzz: add support for fork-based fuzzing.

On Thu, 2019-09-19 at 13:54 +0100, Stefan Hajnoczi wrote: > On Wed, Sep 18, 2019 at 11:19:44PM +0000, Oleinik, Alexander wrote: > > diff --git a/exec.c b/exec.c > > index 235d6bc883..d3838f4ea4 100644 > > --- a/exec.c > > +++ b/exec.c > > @@ -2295,7 +2295,9 @@ s

Re: [PATCH v3 13/22] libqtest: make qtest_bufwrite send "atomic"

On Thu, 2019-09-19 at 14:56 -0400, John Snow wrote: > > On 9/19/19 6:37 AM, Stefan Hajnoczi wrote: > > On Wed, Sep 18, 2019 at 11:19:40PM +0000, Oleinik, Alexander wrote: > > > When using qtest "in-process" communication, qtest_sendf directly > > > calls

Re: [Qemu-devel] [PATCH v3 14/22] libqtest: add in-process qtest.c tx/rx handlers

On Thu, 2019-09-19 at 11:42 +0100, Stefan Hajnoczi wrote: > On Wed, Sep 18, 2019 at 11:19:41PM +0000, Oleinik, Alexander wrote: > > @@ -830,6 +832,9 @@ char *qtest_hmp(QTestState *s, const char *fmt, > > ...) > > > > const char *qtest_get_arch(void) > > Maybe t

[PATCH v4 14/20] fuzz: Add target/fuzz makefile rules

From: Alexander Oleinik Signed-off-by: Alexander Oleinik --- Makefile| 15 ++- Makefile.objs | 4 +++- Makefile.target | 18 +- tests/fuzz/Makefile.include | 4 4 files changed, 38 insertions(+), 3 deletions(-)

[PATCH v4 15/20] fuzz: add fuzzer skeleton

From: Alexander Oleinik tests/fuzz/fuzz.c serves as the entry point for the virtual-device fuzzer. Namely, libfuzzer invokes the LLVMFuzzerInitialize and LLVMFuzzerTestOneInput functions, both of which are defined in this file. This change adds a "FuzzTarget" struct, along with the

[PATCH v4 12/20] libqtest: add in-process qtest.c tx/rx handlers

From: Alexander Oleinik Signed-off-by: Alexander Oleinik --- There's a particularily ugly line here: qtest_client_set_tx_handler(qts, (void (*)(QTestState *s, const char*, size_t)) send); Since qtest.c has no knowledge of the QTestState, I'm not sure how to avoid doing this, without

[PATCH v4 09/20] libqos: split qos-test and libqos makefile vars

From: Alexander Oleinik Most qos-related objects were specified in the qos-test-obj-y variable. qos-test-obj-y also included qos-test.o which defines a main(). This made it difficult to repurpose qos-test-obj-y to link anything beside tests/qos-test against libqos. This change separates objects

[PATCH v4 06/20] module: check module wasn't already initialized

From: Alexander Oleinik The virtual-device fuzzer must initialize QOM, prior to running vl:qemu_init, so that it can use the qos_graph to identify the arguments required to initialize a guest for libqos-assisted fuzzing. This change prevents errors when vl:qemu_init tries to (re)initialize the

[PATCH v4 03/20] fuzz: Add FUZZ_TARGET module type

From: Alexander Oleinik Signed-off-by: Alexander Oleinik --- include/qemu/module.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/qemu/module.h b/include/qemu/module.h index 65ba596e46..684753d808 100644 --- a/include/qemu/module.h +++ b/include/qemu/module.h @@

[PATCH v4 05/20] libqtest: Add a layer of abstraciton to send/recv

From: Alexander Oleinik This makes it simple to swap the transport functions for qtest commands to and from the qtest client. For example, now it is possible to directly pass qtest commands to a server handler that exists within the same process, without the standard way of writing to a file

[PATCH v4 11/20] libqtest: make qtest_bufwrite send "atomic"

From: Alexander Oleinik When using qtest "in-process" communication, qtest_sendf directly calls a function in the server (qtest.c). Combining the contents of the subsequent socket_sends into the qtest_sendf, makes it so the server can immediately handle the command, without building a local

[PATCH v4 18/20] fuzz: add i440fx fuzz targets

From: Alexander Oleinik These three targets should simply fuzz reads/writes to a couple ioports, but they mostly serve as examples of different ways to write targets. They demonstrate using qtest and qos for fuzzing, as well as using rebooting and forking to reset state, or not resetting it at

[PATCH v4 04/20] qtest: add qtest_server_send abstraction

From: Alexander Oleinik qtest_server_send is a function pointer specifying the handler used to transmit data to the qtest client. In the standard configuration, this calls the CharBackend handler, but now it is possible for other types of handlers, e.g direct-function calls if the qtest client

[PATCH v4 16/20] fuzz: add support for fork-based fuzzing.

From: Alexander Oleinik fork() is a simple way to ensure that state does not leak in between fuzzing runs. Unfortunately, the fuzzer mutation engine relies on bitmaps which contain coverage information for each fuzzing run, and these bitmaps should be copied from the child to the parent(where

[PATCH v4 08/20] tests: provide test variables to other targets

From: Alexander Oleinik Before, when tests/Makefile.include was included, the contents would be ignored if config-host.mak was defined. Moving the ifneq responsible for this allows a target to depend on both testing-related and host-related objects. For example the virtual-device fuzzer relies

[PATCH v4 10/20] libqos: move useful qos-test funcs to qos_external

From: Alexander Oleinik The moved functions are not specific to qos-test and might be useful elsewhere. For example the virtual-device fuzzer makes use of them for qos-assisted fuzz-targets. Signed-off-by: Alexander Oleinik --- tests/Makefile.include | 1 + tests/libqos/qos_external.c

[PATCH v4 13/20] fuzz: add configure flag --enable-fuzzing

From: Alexander Oleinik Signed-off-by: Alexander Oleinik --- configure | 39 +++ 1 file changed, 39 insertions(+) diff --git a/configure b/configure index 3be9e92a24..aeca632dd9 100755 --- a/configure +++ b/configure @@ -501,6 +501,7 @@ libxml2=""

  1   2   >