[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v3 20/22] fuzz: add i440fx fuzz targets
From: |
Stefan Hajnoczi |
Subject: |
Re: [Qemu-devel] [PATCH v3 20/22] fuzz: add i440fx fuzz targets |
Date: |
Thu, 19 Sep 2019 14:08:10 +0100 |
User-agent: |
Mutt/1.12.1 (2019-06-15) |
On Wed, Sep 18, 2019 at 11:19:47PM +0000, Oleinik, Alexander wrote:
> +static void i440fx_fuzz_qtest(QTestState *s,
> + const unsigned char *Data, size_t Size) {
> +
> + typedef struct QTestFuzzAction {
> + uint8_t id;
> + uint8_t addr;
> + uint32_t value;
> + } QTestFuzzAction;
I'm concerned about padding within the struct and struct alignment
causing us to skip some bytes in Data[]. Also, on some architectures
unaligned memory accesses are unsupported so memcpy() is safer than
casting a pointer directly into Data[].
The question is whether skipping bytes in Data[] matters.
Feedback-directed fuzzing should realize that certain offsets in Data[]
are unused and do not affect the input space. Still, I think we should
arrange things so that every bit in Data[] matters as much as possible.
The struct can be arranged to avoid struct field padding:
uint32_t value;
uint8_t id;
uint8_t addr;
> + QTestFuzzAction *a = (QTestFuzzAction *)Data;
> + while (Size >= sizeof(QTestFuzzAction)) {
To avoid struct alignment issues:
QTestFuzzAction a;
while (Size >= sizeof(a)) {
memcpy(&a, Data, sizeof(a));
...
Data += sizeof(a);
}
> + uint16_t addr = a->addr % 2 ? 0xcf8 : 0xcfc;
Please define constants for these magic numbers (e.g.
I440FX_PCI_HOST_BRIDGE_CFG, I440FX_PCI_HOST_BRIDGE_DATA).
> + switch (a->id) {
How about:
switch (a->id % ACTION_MAX) {
This way we always exercise a useful code path instead of just skipping
the input.
signature.asc
Description: PGP signature
[Qemu-devel] [PATCH v3 20/22] fuzz: add i440fx fuzz targets, Oleinik, Alexander, 2019/09/18
- Re: [Qemu-devel] [PATCH v3 20/22] fuzz: add i440fx fuzz targets,
Stefan Hajnoczi <=
[Qemu-devel] [PATCH v3 19/22] fuzz: add support for qos-assisted fuzz targets, Oleinik, Alexander, 2019/09/18
[Qemu-devel] [PATCH v3 21/22] fuzz: add virtio-net fuzz target, Oleinik, Alexander, 2019/09/18
[Qemu-devel] [PATCH v3 22/22] fuzz: add documentation to docs/devel/, Oleinik, Alexander, 2019/09/18
Re: [Qemu-devel] [PATCH v3 00/22] Add virtual device fuzzing support, Stefan Hajnoczi, 2019/09/19
Re: [Qemu-devel] [PATCH v3 00/22] Add virtual device fuzzing support, Stefan Hajnoczi, 2019/09/19
Re: [Qemu-devel] [PATCH v3 00/22] Add virtual device fuzzing support, no-reply, 2019/09/19
Re: [Qemu-devel] [PATCH v3 00/22] Add virtual device fuzzing support, no-reply, 2019/09/19
Re: [Qemu-devel] [PATCH v3 00/22] Add virtual device fuzzing support, no-reply, 2019/09/19
Re: [Qemu-devel] [PATCH v3 00/22] Add virtual device fuzzing support, no-reply, 2019/09/19