Re: [RFC PATCH 0/3] fuzz: add generic fuzzer

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC PATCH 0/3] fuzz: add generic fuzzer

From:	Stefan Hajnoczi
Subject:	Re: [RFC PATCH 0/3] fuzz: add generic fuzzer
Date:	Tue, 23 Jun 2020 15:16:01 +0100

On Thu, Jun 11, 2020 at 01:56:48AM -0400, Alexander Bulekov wrote:
> These patches add a generic fuzzer for virtual devices. This should
> allow us to fuzz devices that accept inputs over MMIO, PIO and DMA
> without any device-specific code.
> 
> Example:
> QEMU_FUZZ_ARGS="-device virtio-net" \
> FUZZ_REGION_WHITELIST="virtio pci-" \
> ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz
> 
> The above command will add a virtio-net device to the QEMU arguments and
> restrict the fuzzer to only interact with MMIO and PIO regions with
> names that contain "virtio" or "pci-". I find these names using the info
> mtree monitor command. 
> 
> Basically, the fuzzer splits the input into a series of commands, such
> as mmio_write, pio_write, etc. Additionally, these patches add "hooks"
> to functions that are typically used by virtual-devices to read from RAM
> (DMA). These hooks attempt to populate these DMA regions with fuzzed
> data, just in time.  There are some differences from my reference code
> that seem to result in performance issues that I am still trying to iron
> out. I also need to figure out how to add the DMA "hooks" in a neat way.
> Maybe I can use -Wl,--wrap for this. I appreciate any feedback.
> 
> Alexander Bulekov (3):
>   fuzz: add a general fuzzer for any qemu arguments
>   fuzz: add support for fuzzing DMA regions
>   fuzz: Add callbacks for dma-access functions
> 
>  exec.c                                |  17 +-
>  include/exec/memory.h                 |   8 +
>  include/exec/memory_ldst_cached.inc.h |   9 +
>  include/sysemu/dma.h                  |   5 +-
>  memory_ldst.inc.c                     |  12 +
>  tests/qtest/fuzz/Makefile.include     |   1 +
>  tests/qtest/fuzz/general_fuzz.c       | 556 ++++++++++++++++++++++++++
>  7 files changed, 606 insertions(+), 2 deletions(-)
>  create mode 100644 tests/qtest/fuzz/general_fuzz.c

CCing Dima in case he is interested in this generic fuzzing approach.

Stefan

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[RFC PATCH 0/3] fuzz: add generic fuzzer, Alexander Bulekov, 2020/06/11
- [RFC PATCH 1/3] fuzz: add a general fuzzer for any qemu arguments, Alexander Bulekov, 2020/06/11
- [RFC PATCH 2/3] fuzz: add support for fuzzing DMA regions, Alexander Bulekov, 2020/06/11
- [RFC PATCH 3/3] fuzz: Add callbacks for dma-access functions, Alexander Bulekov, 2020/06/11
  - Re: [RFC PATCH 3/3] fuzz: Add callbacks for dma-access functions, Stefan Hajnoczi, 2020/06/23
    - Re: [RFC PATCH 3/3] fuzz: Add callbacks for dma-access functions, Alexander Bulekov, 2020/06/23
    - Re: [RFC PATCH 3/3] fuzz: Add callbacks for dma-access functions, Stefan Hajnoczi, 2020/06/26
  - Re: [RFC PATCH 3/3] fuzz: Add callbacks for dma-access functions, Philippe Mathieu-Daudé, 2020/06/24
- Re: [RFC PATCH 0/3] fuzz: add generic fuzzer, no-reply, 2020/06/11
- Re: [RFC PATCH 0/3] fuzz: add generic fuzzer, Stefan Hajnoczi <=
  - Re: [RFC PATCH 0/3] fuzz: add generic fuzzer, Dima Stepanov, 2020/06/25

Prev by Date: Re: [RFC PATCH 3/3] fuzz: Add callbacks for dma-access functions
Next by Date: Re: [PATCH v2] target/i386: reimplement fpatan using floatx80 operations
Previous by thread: Re: [RFC PATCH 0/3] fuzz: add generic fuzzer
Next by thread: Re: [RFC PATCH 0/3] fuzz: add generic fuzzer
Index(es):
- Date
- Thread