Re: [RFC PATCH 0/3] fuzz: add generic fuzzer

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC PATCH 0/3] fuzz: add generic fuzzer

From:	Dima Stepanov
Subject:	Re: [RFC PATCH 0/3] fuzz: add generic fuzzer
Date:	Thu, 25 Jun 2020 18:30:32 +0300
User-agent:	Mutt/1.5.24 (2015-08-30)

On Tue, Jun 23, 2020 at 03:16:01PM +0100, Stefan Hajnoczi wrote:
> On Thu, Jun 11, 2020 at 01:56:48AM -0400, Alexander Bulekov wrote:
> > These patches add a generic fuzzer for virtual devices. This should
> > allow us to fuzz devices that accept inputs over MMIO, PIO and DMA
> > without any device-specific code.
> > 
> > Example:
> > QEMU_FUZZ_ARGS="-device virtio-net" \
> > FUZZ_REGION_WHITELIST="virtio pci-" \
> > ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz
> > 
> > The above command will add a virtio-net device to the QEMU arguments and
> > restrict the fuzzer to only interact with MMIO and PIO regions with
> > names that contain "virtio" or "pci-". I find these names using the info
> > mtree monitor command. 
> > 
> > Basically, the fuzzer splits the input into a series of commands, such
> > as mmio_write, pio_write, etc. Additionally, these patches add "hooks"
> > to functions that are typically used by virtual-devices to read from RAM
> > (DMA). These hooks attempt to populate these DMA regions with fuzzed
> > data, just in time.  There are some differences from my reference code
> > that seem to result in performance issues that I am still trying to iron
> > out. I also need to figure out how to add the DMA "hooks" in a neat way.
> > Maybe I can use -Wl,--wrap for this. I appreciate any feedback.
> > 
> > Alexander Bulekov (3):
> >   fuzz: add a general fuzzer for any qemu arguments
> >   fuzz: add support for fuzzing DMA regions
> >   fuzz: Add callbacks for dma-access functions
> > 
> >  exec.c                                |  17 +-
> >  include/exec/memory.h                 |   8 +
> >  include/exec/memory_ldst_cached.inc.h |   9 +
> >  include/sysemu/dma.h                  |   5 +-
> >  memory_ldst.inc.c                     |  12 +
> >  tests/qtest/fuzz/Makefile.include     |   1 +
> >  tests/qtest/fuzz/general_fuzz.c       | 556 ++++++++++++++++++++++++++
> >  7 files changed, 606 insertions(+), 2 deletions(-)
> >  create mode 100644 tests/qtest/fuzz/general_fuzz.c
> 
> CCing Dima in case he is interested in this generic fuzzing approach.
> 
> Stefan
Thanks for adding me, going to look into it on this weekend.

Dima.

[Prev in Thread]

Current Thread

[Next in Thread]

[RFC PATCH 0/3] fuzz: add generic fuzzer, Alexander Bulekov, 2020/06/11
- [RFC PATCH 1/3] fuzz: add a general fuzzer for any qemu arguments, Alexander Bulekov, 2020/06/11
- [RFC PATCH 2/3] fuzz: add support for fuzzing DMA regions, Alexander Bulekov, 2020/06/11
- [RFC PATCH 3/3] fuzz: Add callbacks for dma-access functions, Alexander Bulekov, 2020/06/11
  - Re: [RFC PATCH 3/3] fuzz: Add callbacks for dma-access functions, Stefan Hajnoczi, 2020/06/23
    - Re: [RFC PATCH 3/3] fuzz: Add callbacks for dma-access functions, Alexander Bulekov, 2020/06/23
    - Re: [RFC PATCH 3/3] fuzz: Add callbacks for dma-access functions, Stefan Hajnoczi, 2020/06/26
  - Re: [RFC PATCH 3/3] fuzz: Add callbacks for dma-access functions, Philippe Mathieu-Daudé, 2020/06/24
- Re: [RFC PATCH 0/3] fuzz: add generic fuzzer, no-reply, 2020/06/11
- Re: [RFC PATCH 0/3] fuzz: add generic fuzzer, Stefan Hajnoczi, 2020/06/23
  - Re: [RFC PATCH 0/3] fuzz: add generic fuzzer, Dima Stepanov <=

Prev by Date: Re: [PATCH RESEND 8/9] hw/arm/smmuv3: Get prepared for range invalidation
Next by Date: [PATCH] hw/block/nvme: Align I/O BAR to 4 KiB
Previous by thread: Re: [RFC PATCH 0/3] fuzz: add generic fuzzer
Next by thread: [PATCH v3] fuzz: add oss-fuzz build-script
Index(es):
- Date
- Thread