qemu-commits


From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] af1699: fuzz: fix sparse memory access in the DMA callback
Date: Fri, 03 Sep 2021 00:27:33 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: af16990a1b3aac7a32a58cd4e3509e9e4d44fe69
      https://github.com/qemu/qemu/commit/af16990a1b3aac7a32a58cd4e3509e9e4d44fe69
  Author: Alexander Bulekov <alxndr@bu.edu>
  Date:   2021-09-01 (Wed, 01 Sep 2021)

  Changed paths:
    M tests/qtest/fuzz/generic_fuzz.c

  Log Message:
  -----------
  fuzz: fix sparse memory access in the DMA callback

The code mistakenly relied on address_space_translate to store the
length remaining until the next memory-region. We care about this
because when there is RAM or sparse-memory neighboring on an MMIO
region, we should only write up to the border, to prevent inadvertently
invoking MMIO handlers within the DMA callback.

However address_space_translate_internal only stores the length until
the end of the MemoryRegion if memory_region_is_ram(mr). Otherwise
the *len is left unmodified. This caused some false-positive issues,
where the fuzzer found a way to perform a nested MMIO write through a
DMA callback on an [address, length] that started within sparse memory
and spanned some device MMIO regions.

To fix this, write to sparse memory in small chunks of
memory_access_size (similar to the underlying address_space_write code),
which will prevent accidentally hitting MMIO handlers through large
writes.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>


  Commit: 993f52f4d43ddcddcb6f68b79a528599f4f099f9
      https://github.com/qemu/qemu/commit/993f52f4d43ddcddcb6f68b79a528599f4f099f9
  Author: Alexander Bulekov <alxndr@bu.edu>
  Date:   2021-09-01 (Wed, 01 Sep 2021)

  Changed paths:
    M tests/qtest/fuzz/generic_fuzz.c

  Log Message:
  -----------
  fuzz: adjust timeout to allow for longer inputs

Using a custom timeout is useful to continue fuzzing complex devices,
even after we run into some slow code-path. However, simply adding a
fixed timeout to each input effectively caps the maximum input
length/number of operations at some artificial value. There are two
major problems with this:
1. Some code might only be reachable through long IO sequences.
2. Longer inputs can actually be _better_ for performance. While the
   raw number of fuzzer executions decreases with larger inputs, the
   number of MMIO/PIO/DMA operation/second actually increases, since
   we are spending proportionately less time fork()ing.

With this change, we keep the custom-timeout, but we renew it, prior to
each MMIO/PIO/DMA operation. Thus, we time-out only when a specific
operation takes a long time.

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>


  Commit: f2e8b87a1afeec13157094909bf129c4b64192ba
      https://github.com/qemu/qemu/commit/f2e8b87a1afeec13157094909bf129c4b64192ba
  Author: Alexander Bulekov <alxndr@bu.edu>
  Date:   2021-09-01 (Wed, 01 Sep 2021)

  Changed paths:
    M tests/qtest/fuzz/generic_fuzz.c

  Log Message:
  -----------
  fuzz: make object-name matching case-insensitive

We have some configs for devices such as the AC97 and ES1370 that were
not matching memory-regions correctly, because the configs provided
lowercase names. To resolve these problems and prevent them from
occurring again in the future, convert both the pattern and names to
lower-case, prior to checking for a match.

Suggested-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>


  Commit: dfc86c0f25126ce3242b317087234c7228418eb2
      https://github.com/qemu/qemu/commit/dfc86c0f25126ce3242b317087234c7228418eb2
  Author: Alexander Bulekov <alxndr@bu.edu>
  Date:   2021-09-01 (Wed, 01 Sep 2021)

  Changed paths:
    M configure
    A scripts/oss-fuzz/instrumentation-filter-template

  Log Message:
  -----------
  fuzz: add an instrumentation filter

By default, -fsanitize=fuzzer instruments all code with coverage
information. However, this means that libfuzzer will track coverage over
hundreds of source files that are unrelated to virtual-devices. This
means that libfuzzer will optimize inputs for coverage observed in timer
code, memory APIs etc. This slows down the fuzzer and stores many inputs
that are not relevant to the actual virtual-devices.

With this change, clang versions that support the
"-fsanitize-coverage-allowlist" will only instrument a subset of the
compiled code, that is directly related to virtual-devices.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>


  Commit: 40c0d963db2a9d4a49c15554817bbaa11e0bed47
      https://github.com/qemu/qemu/commit/40c0d963db2a9d4a49c15554817bbaa11e0bed47
  Author: Alexander Bulekov <alxndr@bu.edu>
  Date:   2021-09-01 (Wed, 01 Sep 2021)

  Changed paths:
    M tests/qtest/fuzz/generic_fuzz.c

  Log Message:
  -----------
  fuzz: use ITIMER_REAL for timeouts

Using ITIMER_VIRTUAL is a bad idea, if the fuzzer hits a blocking
syscall - e.g. ppoll with a NULL timespec. This causes timeout issues
while fuzzing some block-device code. Fix that by using wall-clock time.
This might cause inputs to timeout sometimes due to scheduling
effects/ambient load, but it is better than bringing the entire fuzzing
process to a halt.

Based-on: <20210713150037.9297-1-alxndr@bu.edu>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>


  Commit: aaa94a1b3c7bc834c183ddcc8c4199cccebe58ac
      https://github.com/qemu/qemu/commit/aaa94a1b3c7bc834c183ddcc8c4199cccebe58ac
  Author: Alexander Bulekov <alxndr@bu.edu>
  Date:   2021-09-01 (Wed, 01 Sep 2021)

  Changed paths:
    M tests/qtest/fuzz/generic_fuzz.c

  Log Message:
  -----------
  fuzz: unblock SIGALRM so the timeout works

The timeout mechanism won't work if SIGALRM is blocked. This change
unmasks SIGALRM when the timer is installed. This doesn't completely
solve the problem, as the fuzzer could trigger some device activity that
re-masks SIGALRM. However, there are currently no inputs on OSS-Fuzz
that re-mask SIGALRM and timeout. If that turns out to be a real issue,
we could try to hook sigmask-type calls, or use a separate timer thread.

Based-on: <20210713150037.9297-1-alxndr@bu.edu>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
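The three timeout commits above (renewing the timeout before each operation, switching to ITIMER_REAL, and unmasking SIGALRM) combined into one added example that is not QEMU's code: arm_timeout() is what a harness would call before every MMIO/PIO/DMA operation to renew the wall-clock timer, and blocked_op_times_out() shows that a stale SIGALRM mask no longer stops the timer from interrupting a syscall that would otherwise block with no timeout. Function names and the millisecond values are assumptions.

```c
#define _GNU_SOURCE
#include <poll.h>
#include <signal.h>
#include <stdbool.h>
#include <string.h>
#include <sys/time.h>

static volatile sig_atomic_t timed_out;

static void on_alarm(int sig) { (void)sig; timed_out = 1; }

/* Arm (or renew) a wall-clock timeout of `ms` milliseconds; ms == 0 disarms.
 * SIGALRM is unblocked explicitly, since a mask left behind by earlier code
 * would silently disable the timeout. ITIMER_REAL keeps counting while the
 * process sleeps in a syscall, where ITIMER_VIRTUAL (CPU time) never expires. */
static int arm_timeout(unsigned ms)
{
    struct sigaction sa;
    sigset_t set;
    struct itimerval it = { { 0, 0 }, { ms / 1000, (ms % 1000) * 1000 } };

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_alarm;   /* no SA_RESTART: blocked syscalls return EINTR */
    sigemptyset(&set);
    sigaddset(&set, SIGALRM);
    if (sigaction(SIGALRM, &sa, NULL) < 0 ||
        sigprocmask(SIG_UNBLOCK, &set, NULL) < 0)
        return -1;
    timed_out = 0;
    return setitimer(ITIMER_REAL, &it, NULL);
}

/* One operation that blocks in poll() with SIGALRM masked beforehand, to
 * mimic a stale mask. Returns true if the timeout still interrupted it. */
static bool blocked_op_times_out(unsigned ms)
{
    sigset_t set;
    bool fired;
    sigemptyset(&set);
    sigaddset(&set, SIGALRM);
    sigprocmask(SIG_BLOCK, &set, NULL);
    if (arm_timeout(ms) < 0)
        return false;
    /* A timeout of -1 would mirror ppoll with a NULL timespec and hang forever
     * if the alarm never came; the bounded wait makes that case fail instead. */
    poll(NULL, 0, (int)(ms * 20));
    fired = timed_out;
    arm_timeout(0);
    return fired;
}
```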


  Commit: 85221b05f8831d816dd5f8945b4733b092519db1
      https://github.com/qemu/qemu/commit/85221b05f8831d816dd5f8945b4733b092519db1
  Author: Darren Kenny <darren.kenny@oracle.com>
  Date:   2021-09-01 (Wed, 01 Sep 2021)

  Changed paths:
    M MAINTAINERS

  Log Message:
  -----------
  MAINTAINERS: Add myself as a reviewer for Device Fuzzing

Should have done this much sooner given the amount of reviewing I'm
already doing in this area.

Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>


  Commit: 5d32fc3b60ffad175cab27dfaf07e0929a4f5755
      https://github.com/qemu/qemu/commit/5d32fc3b60ffad175cab27dfaf07e0929a4f5755
  Author: Qiuhao Li <Qiuhao.Li@outlook.com>
  Date:   2021-09-01 (Wed, 01 Sep 2021)

  Changed paths:
    M MAINTAINERS

  Log Message:
  -----------
  MAINTAINERS: add fuzzing reviewer

To keep me cc-ed when something changes. Suggested by Alexander.

https://lists.gnu.org/archive/html/qemu-devel/2021-08/msg03631.html

Signed-off-by: Qiuhao Li <Qiuhao.Li@outlook.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>


  Commit: 8664d30a30fd676b56b4c29dbcbdd5c5538acfc1
      https://github.com/qemu/qemu/commit/8664d30a30fd676b56b4c29dbcbdd5c5538acfc1
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2021-09-02 (Thu, 02 Sep 2021)

  Changed paths:
    M MAINTAINERS
    M configure
    A scripts/oss-fuzz/instrumentation-filter-template
    M tests/qtest/fuzz/generic_fuzz.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/a1xndr/tags/fuzz-pull-2021-09-01' into staging

Fuzzing Patches for 2021-09-01

# gpg: Signature made Wed 01 Sep 2021 12:42:00 BST
# gpg:                using RSA key FAD4E2BF871375D6340517C44E661DDE583A964E
# gpg: Good signature from "Alexander Bulekov <alxndr@bu.edu>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: FAD4 E2BF 8713 75D6 3405  17C4 4E66 1DDE 583A 964E

* remotes/a1xndr/tags/fuzz-pull-2021-09-01:
  MAINTAINERS: add fuzzing reviewer
  MAINTAINERS: Add myself as a reviewer for Device Fuzzing
  fuzz: unblock SIGALRM so the timeout works
  fuzz: use ITIMER_REAL for timeouts
  fuzz: add an instrumentation filter
  fuzz: make object-name matching case-insensitive
  fuzz: adjust timeout to allow for longer inputs
  fuzz: fix sparse memory access in the DMA callback

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/9093028dd48c...8664d30a30fd


