
[Qemu-devel] [RFC PATCH v2 00/17] Add virtual device fuzzing support


From: Oleinik, Alexander
Subject: [Qemu-devel] [RFC PATCH v2 00/17] Add virtual device fuzzing support
Date: Mon, 5 Aug 2019 07:11:02 +0000

Changes since v1
 * Split off changes to qos virtio-net and qtest server to other patches
 * Move vl:main initialization into new func: qemu_init
 * Moved useful functions from qos-test.c to a separate object
 * Use struct of function pointers for add_fuzz_target(), instead of
   arguments
 * Move ramfile to migration/qemu-file
 * Rewrite fork-based fuzzer pending patch to libfuzzer
 * Pass check-patch

Based-on: address@hidden
Based-on: address@hidden

---
As part of Google Summer of Code 2019, I'm working on integrating
fuzzing of virtual devices into QEMU [1]. This is a highly WIP patchset
adding this functionality.

Fuzzers provide random data to a program and monitor its execution for
errors. Coverage-guided fuzzers also observe the parts of the program
that are exercised by each input, and use this information to
mutate/guide the inputs to reach additional parts of the program. They
are quite effective for finding bugs in a wide range of software. 

Summary:
 - The virtual-device fuzzers use libfuzzer [2] for coverage-guided
   in-process fuzzing.
 - To fuzz a device, create a new fuzz "target" - i.e. a function that
   exercises QEMU based on inputs provided by the fuzzer.
 - Fuzz targets rely on qtest and libqos to turn inputs into actions.
 - Since libfuzzer does in-process fuzzing, the QEMU state needs to be
   reset after each fuzz run. These patches provide three methods for
   resetting state.
 - There are currently few targets, but they have already helped
   discover bugs in the console and virtio-net, and have reproduced
   previously-reported vulnerabilities.

Alexander Oleinik (17):
  fuzz: Move initialization from main to qemu_init
  fuzz: Add fuzzer configure options
  fuzz: Keep memory mapped for fork-based fuzzer
  fuzz: Skip modules that were already initialized
  fuzz: Add direct receive function for qtest server
  fuzz: Add FUZZ_TARGET module type
  fuzz: Add ramfile qemu-file type
  fuzz: Export the qemu_savevm_live_state function
  fuzz: hardcode needed objects into i386 target
  fuzz: qtest client directly interacts with server
  fuzz: Move useful qos functions to separate object
  fuzz: Add fuzzer skeleton
  fuzz: Add libqos support to the fuzzer
  fuzz: Add forking support to the fuzzer
  fuzz: Add general qtest fuzz-target
  fuzz: Add virtio-net fuzz targets
  fuzz: Add fuzz accelerator type

 accel/fuzz.c                 |  48 +++++++
 configure                    |  15 ++
 exec.c                       |   2 +
 include/qemu/module.h        |   4 +-
 include/sysemu/fuzz.h        |  15 ++
 include/sysemu/qtest.h       |   4 +
 include/sysemu/sysemu.h      |   5 +
 migration/qemu-file.c        |  84 +++++++++++
 migration/qemu-file.h        |  11 ++
 migration/savevm.c           |   9 +-
 migration/savevm.h           |   2 +
 qtest.c                      |  14 ++
 target/i386/Makefile.objs    |  20 +++
 tests/fuzz/fuzz.c            | 245 +++++++++++++++++++++++++++++++++
 tests/fuzz/fuzz.h            |  70 ++++++++++
 tests/fuzz/fuzzer_hooks.c    |  62 +++++++++
 tests/fuzz/fuzzer_hooks.h    |  21 +++
 tests/fuzz/qos_fuzz.c        |  58 ++++++++
 tests/fuzz/qos_fuzz.h        |  23 ++++
 tests/fuzz/qos_helpers.c     | 190 +++++++++++++++++++++++++
 tests/fuzz/qos_helpers.h     |  17 +++
 tests/fuzz/qtest_fuzz.c      | 260 +++++++++++++++++++++++++++++++++++
 tests/fuzz/qtest_fuzz.h      |  37 +++++
 tests/fuzz/virtio-net-fuzz.c | 254 ++++++++++++++++++++++++++++++++++
 tests/libqos/qos_external.c  | 149 ++++++++++++++++++++
 tests/libqos/qos_external.h  |   8 ++
 tests/libqtest.c             |  61 +++++++-
 tests/libqtest.h             |   6 +
 tests/qos-test.c             | 132 +-----------------
 util/module.c                |   7 +
 vl.c                         |  25 +++-
 31 files changed, 1720 insertions(+), 138 deletions(-)
 create mode 100644 accel/fuzz.c
 create mode 100644 include/sysemu/fuzz.h
 create mode 100644 tests/fuzz/fuzz.c
 create mode 100644 tests/fuzz/fuzz.h
 create mode 100644 tests/fuzz/fuzzer_hooks.c
 create mode 100644 tests/fuzz/fuzzer_hooks.h
 create mode 100644 tests/fuzz/qos_fuzz.c
 create mode 100644 tests/fuzz/qos_fuzz.h
 create mode 100644 tests/fuzz/qos_helpers.c
 create mode 100644 tests/fuzz/qos_helpers.h
 create mode 100644 tests/fuzz/qtest_fuzz.c
 create mode 100644 tests/fuzz/qtest_fuzz.h
 create mode 100644 tests/fuzz/virtio-net-fuzz.c
 create mode 100644 tests/libqos/qos_external.c
 create mode 100644 tests/libqos/qos_external.h

-- 
2.20.1
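The cover letter describes a fuzz target as a function that turns libfuzzer-provided bytes into actions against a device, and notes that in-process fuzzing requires QEMU state to be reset between runs. The following is an added illustration of that pattern, written for this page; it is not code from the patch series. The toy MMIO device, its register layout and the 6-byte command encoding are all assumptions. It builds stand-alone (the `main` drives the target with a constructed input); built with `clang -fsanitize=fuzzer`, libFuzzer supplies its own `main` and calls `LLVMFuzzerTestOneInput` with generated inputs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy MMIO device (assumed for this example, not a QEMU model): four data
 * registers, a control register whose bit 0 kicks one operation, and a
 * status register that counts completed operations. */
enum { REG_DATA0 = 0x00, REG_DATA3 = 0x0c, REG_CTRL = 0x10, REG_STATUS = 0x14 };

typedef struct {
    uint32_t data[4];
    uint32_t ctrl;
    uint32_t ops_done;
} ToyDevice;

static ToyDevice dev;   /* the single device instance the target exercises */

static void toy_device_reset(ToyDevice *d)
{
    memset(d, 0, sizeof(*d));        /* power-on state */
}

static uint32_t toy_device_read(ToyDevice *d, uint32_t addr)
{
    if (addr <= REG_DATA3)  return d->data[addr / 4];
    if (addr == REG_CTRL)   return d->ctrl;
    if (addr == REG_STATUS) return d->ops_done;
    return 0xffffffffu;              /* unmapped offset */
}

static void toy_device_write(ToyDevice *d, uint32_t addr, uint32_t val)
{
    if (addr <= REG_DATA3) {
        d->data[addr / 4] = val;
    } else if (addr == REG_CTRL) {
        d->ctrl = val;
        d->ops_done += val & 1;      /* bit 0 kicks one operation */
    }                                /* STATUS and unmapped offsets: ignored */
}

/* Input encoding (assumed): a stream of 6-byte commands,
 *   byte 0: 0 = write, anything else = read
 *   byte 1: register index, reduced modulo NUM_REGS so every byte is valid
 *   bytes 2..5: little-endian value (used for writes only)
 * A trailing partial command is ignored; fuzzer inputs carry no framing. */
#define CMD_LEN  6
#define NUM_REGS 6

static size_t apply_input(ToyDevice *d, const uint8_t *data, size_t size)
{
    size_t ncmds = 0;
    for (size_t off = 0; off + CMD_LEN <= size; off += CMD_LEN, ncmds++) {
        uint32_t addr = (data[off + 1] % NUM_REGS) * 4;
        uint32_t val = (uint32_t)data[off + 2] | ((uint32_t)data[off + 3] << 8) |
                       ((uint32_t)data[off + 4] << 16) | ((uint32_t)data[off + 5] << 24);
        if (data[off] == 0) {
            toy_device_write(d, addr, val);
        } else {
            (void)toy_device_read(d, addr);
        }
    }
    return ncmds;
}

/* libFuzzer entry point, called once per input in the same process. The
 * reset on entry keeps runs independent: without it the device would carry
 * state from every earlier input and a crash would not reproduce from the
 * single input that triggered it. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    toy_device_reset(&dev);
    apply_input(&dev, data, size);
    return 0;
}

uint32_t toy_device_ops_done(void)
{
    return dev.ops_done;
}

/* Constructed input: kick the device twice, read STATUS, then a partial
 * command that must be ignored. */
static const uint8_t example_input[] = {
    0, REG_CTRL / 4,   1, 0, 0, 0,   /* write CTRL = 1 */
    0, REG_CTRL / 4,   1, 0, 0, 0,   /* write CTRL = 1 */
    1, REG_STATUS / 4, 0, 0, 0, 0,   /* read STATUS */
    0, 0,                            /* trailing partial command */
};

int main(void)
{
    LLVMFuzzerTestOneInput(example_input, sizeof(example_input));
    printf("ops_done after run 1: %u\n", toy_device_ops_done());
    LLVMFuzzerTestOneInput(example_input, sizeof(example_input));
    printf("ops_done after run 2: %u\n", toy_device_ops_done());   /* still 2 */
    return 0;
}
```

Running `apply_input` a second time without the reset leaves `ops_done` at 4, which is the history-dependence the reset removes. In QEMU the state to restore is the whole machine rather than one struct, which is why the series offers several reset strategies (fork-based isolation and a savevm/loadvm snapshot held in a RAM-backed QEMUFile among them) instead of a single `memset`.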