mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* add --enable/--disable-libgio to configure (Denis)

Browse Source 
* small fixes (Pavel, myself)
 * fuzzing update (Alexander)
 -----BEGIN PGP SIGNATURE-----
 
 iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAmBQ+U4UHHBib256aW5p
 QHJlZGhhdC5jb20ACgkQv/vSX3jHroNAuAf8DO6soVd8Mtr+a/acTzkoquNfoZPZ
 Xyfi8kvkSfhcPnUObuTfqalzOiP2Gqlddqvtzkh86CGNriaGFc2Wutd708/84GDe
 fh4NmA9aYieo4sn/3PpZOjoqwO4FtV7yAHijRkgA9aYJnG6ijDByup6FCHqTX42z
 jKrHa0ldk41Klj9Z03/yJmIcXTACg1/2fRn2h4W6MVRpbWw4CCwdftA5Id+x0lmh
 JrKsRrdokt4kZG2nIXLJF/eI9QRQMVh1fB5kY9YiG8kHEjMC85IN+YFuDbD8nonp
 PN1DMsTz3Kl/BgnDMeio945TeaqhW3o8jRwd4Ys9K0hRGNrKdPGaiTS6lw==
 =RPSp
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging

* add --enable/--disable-libgio to configure (Denis)
* small fixes (Pavel, myself)
* fuzzing update (Alexander)

# gpg: Signature made Tue 16 Mar 2021 18:30:38 GMT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini-gitlab/tags/for-upstream:
  qemu-timer: allow freeing a NULL timer
  hw/i8254: fix vmstate load
  scsi: fix sense code for EREMOTEIO
  Revert "accel: kvm: Add aligment assert for kvm_log_clear_one_slot"
  configure: add option to explicitly enable/disable libgio
  fuzz: move some DMA hooks
  fuzz: configure a sparse-mem device, by default
  memory: add a sparse memory device for fuzzing
  fuzz: add a am53c974 generic-fuzzer config
  fuzz: add instructions for building reproducers
  fuzz: add a script to build reproducers
  fuzz: don't leave orphan llvm-symbolizers around
  fuzz: fix the pro100 generic-fuzzer config
  MAINTAINERS: Cover fuzzer reproducer tests within 'Device Fuzzing'
  tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi is available
  tests/qtest: Only run fuzz-megasas-test if megasas device is available

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Peter Maydell 2021-03-17 22:18:54 +00:00
commit 56b89f4558
19 changed files with 600 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
MAINTAINERS
View File

@ -1773,6 +1773,7 @@ S: Supported
F: include/hw/scsi/*
F: hw/scsi/*
F: tests/qtest/virtio-scsi-test.c
F: tests/qtest/fuzz-virtio-scsi-test.c
T: git https://github.com/bonzini/qemu.git scsi-next
SSI
@ -1984,6 +1985,7 @@ S: Supported
F: hw/scsi/megasas.c
F: hw/scsi/mfi.h
F: tests/qtest/megasas-test.c
F: tests/qtest/fuzz-megasas-test.c
Network packet abstractions
M: Dmitry Fleytman <dmitry.fleytman@gmail.com>
@ -2647,7 +2649,9 @@ R: Stefan Hajnoczi <stefanha@redhat.com>
R: Thomas Huth <thuth@redhat.com>
S: Maintained
F: tests/qtest/fuzz/
F: tests/qtest/fuzz-*test.c
F: scripts/oss-fuzz/
F: hw/mem/sparse-mem.c
F: docs/devel/fuzzing.rst
Register API

7
accel/kvm/kvm-all.c
View File

@ -673,10 +673,6 @@ out:
#define KVM_CLEAR_LOG_ALIGN (qemu_real_host_page_size << KVM_CLEAR_LOG_SHIFT)
#define KVM_CLEAR_LOG_MASK (-KVM_CLEAR_LOG_ALIGN)
/*
* As the granule of kvm dirty log is qemu_real_host_page_size,
* @start and @size are expected and restricted to align to it.
*/
static int kvm_log_clear_one_slot(KVMSlot *mem, int as_id, uint64_t start,
uint64_t size)
{
@ -686,9 +682,6 @@ static int kvm_log_clear_one_slot(KVMSlot *mem, int as_id, uint64_t start,
unsigned long *bmap_clear = NULL, psize = qemu_real_host_page_size;
int ret;
/* Make sure start and size are qemu_real_host_page_size aligned */
assert(QEMU_IS_ALIGNED(start | size, psize));
/*
* We need to extend either the start or the size or both to
* satisfy the KVM interface requirement. Firstly, do the start

62
configure vendored
View File

@ -465,6 +465,7 @@ fuse_lseek="auto"
multiprocess="auto"
malloc_trim="auto"
gio="$default_feature"
# parse CC options second
for opt do
@ -1560,6 +1561,10 @@ for opt do
;;
--disable-multiprocess) multiprocess="disabled"
;;
--enable-gio) gio=yes
;;
--disable-gio) gio=no
;;
*)
echo "ERROR: unknown option $opt"
echo "Try '$0 --help' for more information"
@ -1913,6 +1918,7 @@ disabled with --disable-FEATURE, default is enabled if available
fuse FUSE block device export
fuse-lseek SEEK_HOLE/SEEK_DATA support for FUSE exports
multiprocess Out of process device emulation support
gio libgio support
NOTE: The object files are built at the place where configure is launched
EOF
@ -3319,17 +3325,19 @@ if test "$static" = yes && test "$mingw32" = yes; then
glib_cflags="-DGLIB_STATIC_COMPILATION $glib_cflags"
fi
if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then
gio_cflags=$($pkg_config --cflags gio-2.0)
gio_libs=$($pkg_config --libs gio-2.0)
gdbus_codegen=$($pkg_config --variable=gdbus_codegen gio-2.0)
if [ ! -x "$gdbus_codegen" ]; then
gdbus_codegen=
fi
# Check that the libraries actually work -- Ubuntu 18.04 ships
# with pkg-config --static --libs data for gio-2.0 that is missing
# -lblkid and will give a link error.
cat > $TMPC <<EOF
if ! test "$gio" = "no"; then
pass=no
if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then
gio_cflags=$($pkg_config --cflags gio-2.0)
gio_libs=$($pkg_config --libs gio-2.0)
gdbus_codegen=$($pkg_config --variable=gdbus_codegen gio-2.0)
if [ ! -x "$gdbus_codegen" ]; then
gdbus_codegen=
fi
# Check that the libraries actually work -- Ubuntu 18.04 ships
# with pkg-config --static --libs data for gio-2.0 that is missing
# -lblkid and will give a link error.
cat > $TMPC <<EOF
#include <gio/gio.h>
int main(void)
{
@ -3337,18 +3345,28 @@ int main(void)
return 0;
}
EOF
if compile_prog "$gio_cflags" "$gio_libs" ; then
gio=yes
else
gio=no
fi
else
gio=no
fi
if compile_prog "$gio_cflags" "$gio_libs" ; then
pass=yes
else
pass=no
fi
if $pkg_config --atleast-version=$glib_req_ver gio-unix-2.0; then
gio_cflags="$gio_cflags $($pkg_config --cflags gio-unix-2.0)"
gio_libs="$gio_libs $($pkg_config --libs gio-unix-2.0)"
if test "$pass" = "yes" &&
$pkg_config --atleast-version=$glib_req_ver gio-unix-2.0; then
gio_cflags="$gio_cflags $($pkg_config --cflags gio-unix-2.0)"
gio_libs="$gio_libs $($pkg_config --libs gio-unix-2.0)"
fi
fi
if test "$pass" = "no"; then
if test "$gio" = "yes"; then
feature_not_found "gio" "Install libgio >= 2.0"
else
gio=no
fi
else
gio=yes
fi
fi
# Sanity check that the current size_t matches the

56
docs/devel/fuzzing.rst
View File

@ -210,6 +210,62 @@ Build details:
- The script responsible for building the fuzzers can be found in the
QEMU source tree at ``scripts/oss-fuzz/build.sh``
Building Crash Reproducers
-----------------------------------------
When we find a crash, we should try to create an independent reproducer, that
can be used on a non-fuzzer build of QEMU. This filters out any potential
false-positives, and improves the debugging experience for developers.
Here are the steps for building a reproducer for a crash found by the
generic-fuzz target.
- Ensure the crash reproduces::
qemu-fuzz-i386 --fuzz-target... ./crash-...
- Gather the QTest output for the crash::
QEMU_FUZZ_TIMEOUT=0 QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \
qemu-fuzz-i386 --fuzz-target... ./crash-... &> /tmp/trace
- Reorder and clean-up the resulting trace::
scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py /tmp/trace > /tmp/reproducer
- Get the arguments needed to start qemu, and provide a path to qemu::
less /tmp/trace # The args should be logged at the top of this file
export QEMU_ARGS="-machine ..."
export QEMU_PATH="path/to/qemu-system"
- Ensure the crash reproduces in qemu-system::
$QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer
- From the crash output, obtain some string that identifies the crash. This
can be a line in the stack-trace, for example::
export CRASH_TOKEN="hw/usb/hcd-xhci.c:1865"
- Minimize the reproducer::
scripts/oss-fuzz/minimize_qtest_trace.py -M1 -M2 \
/tmp/reproducer /tmp/reproducer-minimized
- Confirm that the minimized reproducer still crashes::
$QEMU_PATH $QEMU_ARGS -qtest stdio < /tmp/reproducer-minimized
- Create a one-liner reproducer that can be sent over email::
./scripts/oss-fuzz/output_reproducer.py -bash /tmp/reproducer-minimized
- Output the C source code for a test case that will reproduce the bug::
./scripts/oss-fuzz/output_reproducer.py -owner "John Smith <john@smith.com>"\
-name "test_function_name" /tmp/reproducer-minimized
- Report the bug and send a patch with the C reproducer upstream
Implementation Details / Fuzzer Lifecycle
-----------------------------------------

1
hw/mem/meson.build
View File

@ -1,5 +1,6 @@
mem_ss = ss.source_set()
mem_ss.add(files('memory-device.c'))
mem_ss.add(when: 'CONFIG_FUZZ', if_true: files('sparse-mem.c'))
mem_ss.add(when: 'CONFIG_DIMM', if_true: files('pc-dimm.c'))
mem_ss.add(when: 'CONFIG_NPCM7XX', if_true: files('npcm7xx_mc.c'))
mem_ss.add(when: 'CONFIG_NVDIMM', if_true: files('nvdimm.c'))

151
hw/mem/sparse-mem.c Normal file
View File

@ -0,0 +1,151 @@
/*
* A sparse memory device. Useful for fuzzing
*
* Copyright Red Hat Inc., 2021
*
* Authors:
* Alexander Bulekov <alxndr@bu.edu>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "exec/address-spaces.h"
#include "hw/qdev-properties.h"
#include "hw/sysbus.h"
#include "qapi/error.h"
#include "qemu/units.h"
#include "sysemu/qtest.h"
#include "hw/mem/sparse-mem.h"
#define SPARSE_MEM(obj) OBJECT_CHECK(SparseMemState, (obj), TYPE_SPARSE_MEM)
#define SPARSE_BLOCK_SIZE 0x1000
typedef struct SparseMemState {
SysBusDevice parent_obj;
MemoryRegion mmio;
uint64_t baseaddr;
uint64_t length;
uint64_t size_used;
uint64_t maxsize;
GHashTable *mapped;
} SparseMemState;
typedef struct sparse_mem_block {
uint8_t data[SPARSE_BLOCK_SIZE];
} sparse_mem_block;
static uint64_t sparse_mem_read(void *opaque, hwaddr addr, unsigned int size)
{
SparseMemState *s = opaque;
uint64_t ret = 0;
size_t pfn = addr / SPARSE_BLOCK_SIZE;
size_t offset = addr % SPARSE_BLOCK_SIZE;
sparse_mem_block *block;
block = g_hash_table_lookup(s->mapped, (void *)pfn);
if (block) {
assert(offset + size <= sizeof(block->data));
memcpy(&ret, block->data + offset, size);
}
return ret;
}
static void sparse_mem_write(void *opaque, hwaddr addr, uint64_t v,
unsigned int size)
{
SparseMemState *s = opaque;
size_t pfn = addr / SPARSE_BLOCK_SIZE;
size_t offset = addr % SPARSE_BLOCK_SIZE;
sparse_mem_block *block;
if (!g_hash_table_lookup(s->mapped, (void *)pfn) &&
s->size_used + SPARSE_BLOCK_SIZE < s->maxsize && v) {
g_hash_table_insert(s->mapped, (void *)pfn,
g_new0(sparse_mem_block, 1));
s->size_used += sizeof(block->data);
}
block = g_hash_table_lookup(s->mapped, (void *)pfn);
if (!block) {
return;
}
assert(offset + size <= sizeof(block->data));
memcpy(block->data + offset, &v, size);
}
static const MemoryRegionOps sparse_mem_ops = {
.read = sparse_mem_read,
.write = sparse_mem_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.valid = {
.min_access_size = 1,
.max_access_size = 8,
.unaligned = false,
},
};
static Property sparse_mem_properties[] = {
/* The base address of the memory */
DEFINE_PROP_UINT64("baseaddr", SparseMemState, baseaddr, 0x0),
/* The length of the sparse memory region */
DEFINE_PROP_UINT64("length", SparseMemState, length, UINT64_MAX),
/* Max amount of actual memory that can be used to back the sparse memory */
DEFINE_PROP_UINT64("maxsize", SparseMemState, maxsize, 10 * MiB),
DEFINE_PROP_END_OF_LIST(),
};
MemoryRegion *sparse_mem_init(uint64_t addr, uint64_t length)
{
DeviceState *dev;
dev = qdev_new(TYPE_SPARSE_MEM);
qdev_prop_set_uint64(dev, "baseaddr", addr);
qdev_prop_set_uint64(dev, "length", length);
sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);
sysbus_mmio_map_overlap(SYS_BUS_DEVICE(dev), 0, addr, -10000);
return &SPARSE_MEM(dev)->mmio;
}
static void sparse_mem_realize(DeviceState *dev, Error **errp)
{
SparseMemState *s = SPARSE_MEM(dev);
SysBusDevice *sbd = SYS_BUS_DEVICE(dev);
if (!qtest_enabled()) {
error_setg(errp, "sparse_mem device should only be used "
"for testing with QTest");
return;
}
assert(s->baseaddr + s->length > s->baseaddr);
s->mapped = g_hash_table_new(NULL, NULL);
memory_region_init_io(&s->mmio, OBJECT(s), &sparse_mem_ops, s,
"sparse-mem", s->length);
sysbus_init_mmio(sbd, &s->mmio);
}
static void sparse_mem_class_init(ObjectClass *klass, void *data)
{
DeviceClass *dc = DEVICE_CLASS(klass);
device_class_set_props(dc, sparse_mem_properties);
dc->desc = "Sparse Memory Device";
dc->realize = sparse_mem_realize;
}
static const TypeInfo sparse_mem_types[] = {
{
.name = TYPE_SPARSE_MEM,
.parent = TYPE_SYS_BUS_DEVICE,
.instance_size = sizeof(SparseMemState),
.class_init = sparse_mem_class_init,
},
};
DEFINE_TYPES(sparse_mem_types);

2
hw/timer/i8254.c
View File

@ -324,7 +324,7 @@ static void pit_post_load(PITCommonState *s)
{
PITChannelState *sc = &s->channels[0];
if (sc->next_transition_time != -1) {
if (sc->next_transition_time != -1 && !sc->irq_disabled) {
timer_mod(sc->irq_timer, sc->next_transition_time);
} else {
timer_del(sc->irq_timer);

19
include/hw/mem/sparse-mem.h Normal file
View File

@ -0,0 +1,19 @@
/*
* A sparse memory device. Useful for fuzzing
*
* Copyright Red Hat Inc., 2021
*
* Authors:
* Alexander Bulekov <alxndr@bu.edu>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#ifndef SPARSE_MEM_H
#define SPARSE_MEM_H
#define TYPE_SPARSE_MEM "sparse-mem"
MemoryRegion *sparse_mem_init(uint64_t addr, uint64_t length);
#endif

6
include/qemu/timer.h
View File

@ -629,8 +629,10 @@ void timer_del(QEMUTimer *ts);
*/
static inline void timer_free(QEMUTimer *ts)
{
timer_del(ts);
g_free(ts);
if (ts) {
timer_del(ts);
g_free(ts);
}
}
/**

160
scripts/oss-fuzz/output_reproducer.py Executable file
View File

@ -0,0 +1,160 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Convert plain qtest traces to C or Bash reproducers
Use this to help build bug-reports or create in-tree reproducers for bugs.
Note: This will not format C code for you. Pipe the output through
clang-format -style="{BasedOnStyle: llvm, IndentWidth: 4, ColumnLimit: 90}"
or similar
"""
import sys
import os
import argparse
import textwrap
from datetime import date
__author__ = "Alexander Bulekov <alxndr@bu.edu>"
__copyright__ = "Copyright (C) 2021, Red Hat, Inc."
__license__ = "GPL version 2 or (at your option) any later version"
__maintainer__ = "Alexander Bulekov"
__email__ = "alxndr@bu.edu"
def c_header(owner):
return """/*
* Autogenerated Fuzzer Test Case
*
* Copyright (c) {date} {owner}
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
""".format(date=date.today().year, owner=owner)
def c_comment(s):
""" Return a multi-line C comment. Assume the text is already wrapped """
return "/*\n * " + "\n * ".join(s.splitlines()) + "\n*/"
def print_c_function(s):
print("/* ")
for l in s.splitlines():
print(" * {}".format(l))
def bash_reproducer(path, args, trace):
result = '\\\n'.join(textwrap.wrap("cat << EOF | {} {}".format(path, args),
72, break_on_hyphens=False,
drop_whitespace=False))
for l in trace.splitlines():
result += "\n" + '\\\n'.join(textwrap.wrap(l,72,drop_whitespace=False))
result += "\nEOF"
return result
def c_reproducer(name, args, trace):
result = []
result.append("""static void {}(void)\n{{""".format(name))
# libqtest will add its own qtest args, so get rid of them
args = args.replace("-accel qtest","")
args = args.replace(",accel=qtest","")
args = args.replace("-machine accel=qtest","")
args = args.replace("-qtest stdio","")
result.append("""QTestState *s = qtest_init("{}");""".format(args))
for l in trace.splitlines():
param = l.split()
cmd = param[0]
if cmd == "write":
buf = param[3][2:] #Get the 0x... buffer and trim the "0x"
assert len(buf)%2 == 0
bufbytes = [buf[i:i+2] for i in range(0, len(buf), 2)]
bufstring = '\\x'+'\\x'.join(bufbytes)
addr = param[1]
size = param[2]
result.append("""qtest_bufwrite(s, {}, "{}", {});""".format(
addr, bufstring, size))
elif cmd.startswith("in") or cmd.startswith("read"):
result.append("qtest_{}(s, {});".format(
cmd, param[1]))
elif cmd.startswith("out") or cmd.startswith("write"):
result.append("qtest_{}(s, {}, {});".format(
cmd, param[1], param[2]))
elif cmd == "clock_step":
if len(param) ==1:
result.append("qtest_clock_step_next(s);")
else:
result.append("qtest_clock_step(s, {});".format(param[1]))
result.append("qtest_quit(s);\n}")
return "\n".join(result)
def c_main(name, arch):
return """int main(int argc, char **argv)
{{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "{arch}") == 0) {{
qtest_add_func("fuzz/{name}",{name});
}}
return g_test_run();
}}""".format(name=name, arch=arch)
def main():
parser = argparse.ArgumentParser()
group = parser.add_mutually_exclusive_group()
group.add_argument("-bash", help="Only output a copy-pastable bash command",
action="store_true")
group.add_argument("-c", help="Only output a c function",
action="store_true")
parser.add_argument('-owner', help="If generating complete C source code, \
this specifies the Copyright owner",
nargs='?', default="<name of author>")
parser.add_argument("-no_comment", help="Don't include a bash reproducer \
as a comment in the C reproducers",
action="store_true")
parser.add_argument('-name', help="The name of the c function",
nargs='?', default="test_fuzz")
parser.add_argument('input_trace', help="input QTest command sequence \
(stdin by default)",
nargs='?', type=argparse.FileType('r'),
default=sys.stdin)
args = parser.parse_args()
qemu_path = os.getenv("QEMU_PATH")
qemu_args = os.getenv("QEMU_ARGS")
if not qemu_args or not qemu_path:
print("Please set QEMU_PATH and QEMU_ARGS environment variables")
sys.exit(1)
bash_args = qemu_args
if " -qtest stdio" not in qemu_args:
bash_args += " -qtest stdio"
arch = qemu_path.split("-")[-1]
trace = args.input_trace.read().strip()
if args.bash :
print(bash_reproducer(qemu_path, bash_args, trace))
else:
output = ""
if not args.c:
output += c_header(args.owner) + "\n"
if not args.no_comment:
output += c_comment(bash_reproducer(qemu_path, bash_args, trace))
output += c_reproducer(args.name, qemu_args, trace)
if not args.c:
output += c_main(args.name, arch)
print(output)
if __name__ == '__main__':
main()

4
scsi/utils.c
View File

@ -589,7 +589,7 @@ int scsi_sense_from_errno(int errno_value, SCSISense *sense)
return TASK_SET_FULL;
#ifdef CONFIG_LINUX
/* These errno mapping are specific to Linux. For more information:
* - scsi_decide_disposition in drivers/scsi/scsi_error.c
* - scsi_check_sense and scsi_decide_disposition in drivers/scsi/scsi_error.c
* - scsi_result_to_blk_status in drivers/scsi/scsi_lib.c
* - blk_errors[] in block/blk-core.c
*/
@ -599,7 +599,7 @@ int scsi_sense_from_errno(int errno_value, SCSISense *sense)
*sense = SENSE_CODE(READ_ERROR);
return CHECK_CONDITION;
case EREMOTEIO:
*sense = SENSE_CODE(LUN_COMM_FAILURE);
*sense = SENSE_CODE(TARGET_FAILURE);
return CHECK_CONDITION;
#endif
case ENOMEDIUM:

1
softmmu/memory.c
View File

@ -1440,7 +1440,6 @@ MemTxResult memory_region_dispatch_read(MemoryRegion *mr,
unsigned size = memop_size(op);
MemTxResult r;
fuzz_dma_read_cb(addr, size, mr);
if (!memory_region_access_valid(mr, addr, size, false, attrs)) {
*pval = unassigned_mem_read(mr, addr, size);
return MEMTX_DECODE_ERROR;

2
softmmu/physmem.c
View File

@ -2801,6 +2801,7 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
bool release_lock = false;
uint8_t *buf = ptr;
fuzz_dma_read_cb(addr, len, mr);
for (;;) {
if (!memory_access_is_direct(mr, false)) {
/* I/O case */
@ -2811,7 +2812,6 @@ MemTxResult flatview_read_continue(FlatView *fv, hwaddr addr,
stn_he_p(buf, l, val);
} else {
/* RAM case */
fuzz_dma_read_cb(addr, len, mr);
ram_ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l, false);
memcpy(buf, ram_ptr, l);
}

49
tests/qtest/fuzz-megasas-test.c Normal file
View File

@ -0,0 +1,49 @@
/*
* QTest fuzzer-generated testcase for megasas device
*
* Copyright (c) 2020 Li Qiang <liq3ea@gmail.com>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/*
* This used to trigger the assert in scsi_dma_complete
* https://bugs.launchpad.net/qemu/+bug/1878263
*/
static void test_lp1878263_megasas_zero_iov_cnt(void)
{
QTestState *s;
s = qtest_init("-nographic -monitor none -serial none "
"-M q35 -device megasas -device scsi-cd,drive=null0 "
"-blockdev driver=null-co,read-zeroes=on,node-name=null0");
qtest_outl(s, 0xcf8, 0x80001818);
qtest_outl(s, 0xcfc, 0xc101);
qtest_outl(s, 0xcf8, 0x8000181c);
qtest_outl(s, 0xcf8, 0x80001804);
qtest_outw(s, 0xcfc, 0x7);
qtest_outl(s, 0xcf8, 0x8000186a);
qtest_writeb(s, 0x14, 0xfe);
qtest_writeb(s, 0x0, 0x02);
qtest_outb(s, 0xc1c0, 0x17);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
qtest_add_func("fuzz/test_lp1878263_megasas_zero_iov_cnt",
test_lp1878263_megasas_zero_iov_cnt);
}
return g_test_run();
}

76
tests/qtest/fuzz-test.c
View File

@ -11,29 +11,6 @@
#include "libqos/libqtest.h"
/*
* This used to trigger the assert in scsi_dma_complete
* https://bugs.launchpad.net/qemu/+bug/1878263
*/
static void test_lp1878263_megasas_zero_iov_cnt(void)
{
QTestState *s;
s = qtest_init("-nographic -monitor none -serial none "
"-M q35 -device megasas -device scsi-cd,drive=null0 "
"-blockdev driver=null-co,read-zeroes=on,node-name=null0");
qtest_outl(s, 0xcf8, 0x80001818);
qtest_outl(s, 0xcfc, 0xc101);
qtest_outl(s, 0xcf8, 0x8000181c);
qtest_outl(s, 0xcf8, 0x80001804);
qtest_outw(s, 0xcfc, 0x7);
qtest_outl(s, 0xcf8, 0x8000186a);
qtest_writeb(s, 0x14, 0xfe);
qtest_writeb(s, 0x0, 0x02);
qtest_outb(s, 0xc1c0, 0x17);
qtest_quit(s);
}
static void test_lp1878642_pci_bus_get_irq_level_assert(void)
{
QTestState *s;
@ -47,55 +24,6 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
qtest_quit(s);
}
/*
* Here a MemoryRegionCache pointed to an MMIO region but had a
* larger size than the underlying region.
*/
static void test_mmio_oob_from_memory_region_cache(void)
{
QTestState *s;
s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
"-device virtio-scsi,num_queues=8,addr=03.0 ");
qtest_outl(s, 0xcf8, 0x80001811);
qtest_outb(s, 0xcfc, 0x6e);
qtest_outl(s, 0xcf8, 0x80001824);
qtest_outl(s, 0xcf8, 0x80001813);
qtest_outl(s, 0xcfc, 0xa080000);
qtest_outl(s, 0xcf8, 0x80001802);
qtest_outl(s, 0xcfc, 0x5a175a63);
qtest_outb(s, 0x6e08, 0x9e);
qtest_writeb(s, 0x9f003, 0xff);
qtest_writeb(s, 0x9f004, 0x01);
qtest_writeb(s, 0x9e012, 0x0e);
qtest_writeb(s, 0x9e01b, 0x0e);
qtest_writeb(s, 0x9f006, 0x01);
qtest_writeb(s, 0x9f008, 0x01);
qtest_writeb(s, 0x9f00a, 0x01);
qtest_writeb(s, 0x9f00c, 0x01);
qtest_writeb(s, 0x9f00e, 0x01);
qtest_writeb(s, 0x9f010, 0x01);
qtest_writeb(s, 0x9f012, 0x01);
qtest_writeb(s, 0x9f014, 0x01);
qtest_writeb(s, 0x9f016, 0x01);
qtest_writeb(s, 0x9f018, 0x01);
qtest_writeb(s, 0x9f01a, 0x01);
qtest_writeb(s, 0x9f01c, 0x01);
qtest_writeb(s, 0x9f01e, 0x01);
qtest_writeb(s, 0x9f020, 0x01);
qtest_writeb(s, 0x9f022, 0x01);
qtest_writeb(s, 0x9f024, 0x01);
qtest_writeb(s, 0x9f026, 0x01);
qtest_writeb(s, 0x9f028, 0x01);
qtest_writeb(s, 0x9f02a, 0x01);
qtest_writeb(s, 0x9f02c, 0x01);
qtest_writeb(s, 0x9f02e, 0x01);
qtest_writeb(s, 0x9f030, 0x01);
qtest_outb(s, 0x6e10, 0x00);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
@ -103,12 +31,8 @@ int main(int argc, char **argv)
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
qtest_add_func("fuzz/test_lp1878263_megasas_zero_iov_cnt",
test_lp1878263_megasas_zero_iov_cnt);
qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
test_lp1878642_pci_bus_get_irq_level_assert);
qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
test_mmio_oob_from_memory_region_cache);
}
return g_test_run();

75
tests/qtest/fuzz-virtio-scsi-test.c Normal file
View File

@ -0,0 +1,75 @@
/*
* QTest fuzzer-generated testcase for virtio-scsi device
*
* Copyright (c) 2020 Li Qiang <liq3ea@gmail.com>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
*/
#include "qemu/osdep.h"
#include "libqos/libqtest.h"
/*
* Here a MemoryRegionCache pointed to an MMIO region but had a
* larger size than the underlying region.
*/
static void test_mmio_oob_from_memory_region_cache(void)
{
QTestState *s;
s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
"-device virtio-scsi,num_queues=8,addr=03.0 ");
qtest_outl(s, 0xcf8, 0x80001811);
qtest_outb(s, 0xcfc, 0x6e);
qtest_outl(s, 0xcf8, 0x80001824);
qtest_outl(s, 0xcf8, 0x80001813);
qtest_outl(s, 0xcfc, 0xa080000);
qtest_outl(s, 0xcf8, 0x80001802);
qtest_outl(s, 0xcfc, 0x5a175a63);
qtest_outb(s, 0x6e08, 0x9e);
qtest_writeb(s, 0x9f003, 0xff);
qtest_writeb(s, 0x9f004, 0x01);
qtest_writeb(s, 0x9e012, 0x0e);
qtest_writeb(s, 0x9e01b, 0x0e);
qtest_writeb(s, 0x9f006, 0x01);
qtest_writeb(s, 0x9f008, 0x01);
qtest_writeb(s, 0x9f00a, 0x01);
qtest_writeb(s, 0x9f00c, 0x01);
qtest_writeb(s, 0x9f00e, 0x01);
qtest_writeb(s, 0x9f010, 0x01);
qtest_writeb(s, 0x9f012, 0x01);
qtest_writeb(s, 0x9f014, 0x01);
qtest_writeb(s, 0x9f016, 0x01);
qtest_writeb(s, 0x9f018, 0x01);
qtest_writeb(s, 0x9f01a, 0x01);
qtest_writeb(s, 0x9f01c, 0x01);
qtest_writeb(s, 0x9f01e, 0x01);
qtest_writeb(s, 0x9f020, 0x01);
qtest_writeb(s, 0x9f022, 0x01);
qtest_writeb(s, 0x9f024, 0x01);
qtest_writeb(s, 0x9f026, 0x01);
qtest_writeb(s, 0x9f028, 0x01);
qtest_writeb(s, 0x9f02a, 0x01);
qtest_writeb(s, 0x9f02c, 0x01);
qtest_writeb(s, 0x9f02e, 0x01);
qtest_writeb(s, 0x9f030, 0x01);
qtest_outb(s, 0x6e10, 0x00);
qtest_quit(s);
}
int main(int argc, char **argv)
{
const char *arch = qtest_get_arch();
g_test_init(&argc, &argv, NULL);
if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
test_mmio_oob_from_memory_region_cache);
}
return g_test_run();
}

29
tests/qtest/fuzz/generic_fuzz.c
View File

@ -28,6 +28,7 @@
#include "hw/pci/pci.h"
#include "hw/boards.h"
#include "generic_fuzz_configs.h"
#include "hw/mem/sparse-mem.h"
/*
* SEPARATOR is used to separate "operations" in the fuzz input
@ -64,6 +65,8 @@ static useconds_t timeout = DEFAULT_TIMEOUT_US;
static bool qtest_log_enabled;
MemoryRegion *sparse_mem_mr;
/*
* A pattern used to populate a DMA region or perform a memwrite. This is
* useful for e.g. populating tables of unique addresses.
@ -191,8 +194,7 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr)
*/
if (dma_patterns->len == 0
|| len == 0
|| mr != current_machine->ram
|| addr > current_machine->ram_size) {
|| (mr != current_machine->ram && mr != sparse_mem_mr)) {
return;
}
@ -238,7 +240,7 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr)
MEMTXATTRS_UNSPECIFIED);
if (!(memory_region_is_ram(mr1) ||
memory_region_is_romd(mr1))) {
memory_region_is_romd(mr1)) && mr1 != sparse_mem_mr) {
l = memory_access_size(mr1, l, addr1);
} else {
/* ROM/RAM case */
@ -583,6 +585,21 @@ static void handle_timeout(int sig)
fprintf(stderr, "[Timeout]\n");
fflush(stderr);
}
/*
* If there is a crash, libfuzzer/ASAN forks a child to run an
* "llvm-symbolizer" process for printing out a pretty stacktrace. It
* communicates with this child using a pipe. If we timeout+Exit, while
* libfuzzer is still communicating with the llvm-symbolizer child, we will
* be left with an orphan llvm-symbolizer process. Sometimes, this appears
* to lead to a deadlock in the forkserver. Use waitpid to check if there
* are any waitable children. If so, exit out of the signal-handler, and
* let libfuzzer finish communicating with the child, and exit, on its own.
*/
if (waitpid(-1, NULL, WNOHANG) == 0) {
return;
}
_Exit(0);
}
@ -799,6 +816,12 @@ static void generic_pre_fuzz(QTestState *s)
}
qts_global = s;
/*
* Create a special device that we can use to back DMA buffers at very
* high memory addresses
*/
sparse_mem_mr = sparse_mem_init(0, UINT64_MAX);
dma_regions = g_array_new(false, false, sizeof(address_range));
dma_patterns = g_array_new(false, false, sizeof(pattern));

8
tests/qtest/fuzz/generic_fuzz_configs.h
View File

@ -177,7 +177,7 @@ const generic_fuzz_config predefined_configs[] = {
.name = "i82550",
.args = "-machine q35 -nodefaults "
"-device i82550,netdev=net0 -netdev user,id=net0",
.objects = "eepro*"
.objects = "i8255*"
},{
.name = "sdhci-v3",
.args = "-nodefaults -device sdhci-pci,sd-spec-version=3 "
@ -208,6 +208,12 @@ const generic_fuzz_config predefined_configs[] = {
.args = "-machine q35 -nodefaults -device megasas -device scsi-cd,drive=null0 "
"-blockdev driver=null-co,read-zeroes=on,node-name=null0",
.objects = "megasas*",
},{
.name = "am53c974",
.args = "-device am53c974,id=scsi -device scsi-hd,drive=disk0 "
"-drive id=disk0,if=none,file=null-co://,format=raw "
"-nodefaults",
.objects = "*esp* *scsi* *am53c974*",
},{
.name = "ac97",
.args = "-machine q35 -nodefaults "

5
tests/qtest/meson.build
View File

@ -17,7 +17,10 @@ slow_qtests = {
'test-hmp' : 120,
}
qtests_generic = [
qtests_generic = \
(config_all_devices.has_key('CONFIG_MEGASAS_SCSI_PCI') ? ['fuzz-megasas-test'] : []) + \
(config_all_devices.has_key('CONFIG_VIRTIO_SCSI') ? ['fuzz-virtio-scsi-test'] : []) + \
[
'cdrom-test',
'device-introspect-test',
'machine-none-test',