Commit Graph

60 Commits

Author SHA1 Message Date
Alexander Bulekov
b677001d70 fuzz: map all BARs and enable PCI devices
Prior to this patch, the fuzzer found inputs to map PCI device BARs and
enable the device. While it is nice that the fuzzer can do this, it
added significant overhead, since the fuzzer needs to map all the
BARs (regenerating the memory topology), at the start of each input.
With this patch, we do this once, before fuzzing, mitigating some of
this overhead.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20201221181203.1853-1-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2021-01-11 14:59:21 +01:00
Alexander Bulekov
d61368d1e9 fuzz: fix the generic-fuzz-floppy config
On the pc-i440fx machine, the floppy drive relies on the i8257 DMA
controller. Add this device to the floppy fuzzer config, and silence the
warning about a missing format specifier for the null-co:// drive.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201216203328.41112-1-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-12-18 12:05:19 +01:00
Alexander Bulekov
cbe945c74c fuzz: Add more i386 configurations for fuzzing
This adds configurations for fuzzing the following devices on oss-fuzz:

* vmxnet3
CC: Dmitry Fleytman <dmitry.fleytman@gmail.com>
* ne2k
* pcnet
* rtl8139
CC: Jason Wang <jasowang@redhat.com>
* eepro100
CC: Stefan Weil <sw@weilnetz.de>
* sdhci
CC: Philippe Mathieu-Daudé <f4bug@amsat.org>
* ehci
* ohci
* ac97
* cs4231a
* es1370
* sb16
CC: Gerd Hoffmann <kraxel@redhat.com>
* megasas
CC: Hannes Reinecke <hare@suse.com>
* parallel
CC: Michael S. Tsirkin <mst@redhat.com>
CC: Paolo Bonzini <pbonzini@redhat.com>

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201123184352.242907-1-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-12-18 12:05:19 +01:00
Peter Maydell
b785d25e91 * Fix for NULL segments (Bin Meng)
* Support for 32768 CPUs on x86 without IOMMU (David)
 * PDEP/PEXT fix and testcase (myself)
 * Remove bios_name and ram_size globals (myself)
 * qemu_init rationalization (myself)
 * Update kernel-doc (myself + upstream patches)
 * Propagate MemTxResult across DMA and PCI functions (Philippe)
 * Remove master/slave when applicable (Philippe)
 * WHPX support for in-kernel irqchip (Sunil)
 -----BEGIN PGP SIGNATURE-----
 
 iQFIBAABCAAyFiEE8TM4V0tmI4mGbHaCv/vSX3jHroMFAl/SWS4UHHBib256aW5p
 QHJlZGhhdC5jb20ACgkQv/vSX3jHroMHLAf8Cr1nOn1ou2S2H9vePeoqRAVGdQBv
 tbQ/nZs+2NZMyhLF7mBj7y6Ym0wNyXzkyiFnN1wR04V5e0tF+q1Y0OOZtihJ+Ntk
 esjzHAzdqS22xI2dNnNDBo69eQQKDq3C0Ug5x6z63tO81AoTNKP+vq+QbZqe7v7K
 2TScroAnhX9zE5Hz1+qJ35w13EMCNFnUPHNcOwxVSGHj4HNoEpIjjcE6rme46jX+
 REsEGKJKIJ88aV2hzOLSrdJ0/mNuWsjfOvcfgtoIYUPbb55hHMykqD+LapoyEp8K
 gjnco6JT6wWFN1+tVxTjY4TaERVw+NGomd2QyHSbanDoRd8igFhxu2gBnQ==
 =yeQi
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging

* Fix for NULL segments (Bin Meng)
* Support for 32768 CPUs on x86 without IOMMU (David)
* PDEP/PEXT fix and testcase (myself)
* Remove bios_name and ram_size globals (myself)
* qemu_init rationalization (myself)
* Update kernel-doc (myself + upstream patches)
* Propagate MemTxResult across DMA and PCI functions (Philippe)
* Remove master/slave when applicable (Philippe)
* WHPX support for in-kernel irqchip (Sunil)

# gpg: Signature made Thu 10 Dec 2020 17:21:50 GMT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini-gitlab/tags/for-upstream: (113 commits)
  scripts: kernel-doc: remove unnecessary change wrt Linux
  Revert "docs: temporarily disable the kernel-doc extension"
  scripts: kernel-doc: use :c:union when needed
  scripts: kernel-doc: split typedef complex regex
  scripts: kernel-doc: fix typedef parsing
  Revert "kernel-doc: Handle function typedefs that return pointers"
  Revert "kernel-doc: Handle function typedefs without asterisks"
  scripts: kernel-doc: try to use c:function if possible
  scripts: kernel-doc: fix line number handling
  scripts: kernel-doc: allow passing desired Sphinx C domain dialect
  scripts: kernel-doc: don't mangle with parameter list
  scripts: kernel-doc: fix typedef identification
  scripts: kernel-doc: reimplement -nofunction argument
  scripts: kernel-doc: fix troubles with line counts
  scripts: kernel-doc: use a less pedantic markup for funcs on Sphinx 3.x
  scripts: kernel-doc: make it more compatible with Sphinx 3.x
  Revert "kernel-doc: Use c:struct for Sphinx 3.0 and later"
  Revert "scripts/kerneldoc: For Sphinx 3 use c:macro for macros with arguments"
  scripts: kernel-doc: add support for typedef enum
  kernel-doc: add support for ____cacheline_aligned attribute
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2020-12-11 13:50:35 +00:00
Paolo Bonzini
2c65db5e58 vl: extract softmmu/datadir.c
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-12-10 12:15:18 -05:00
Markus Armbruster
4bd802b209 Clean up includes
Clean up includes so that osdep.h is included first and headers
which it implies are not included manually.

This commit was created with scripts/clean-includes, with the changes
to the following files manually reverted:

    contrib/libvhost-user/libvhost-user-glib.h
    contrib/libvhost-user/libvhost-user.c
    contrib/libvhost-user/libvhost-user.h
    contrib/plugins/hotblocks.c
    contrib/plugins/hotpages.c
    contrib/plugins/howvec.c
    contrib/plugins/lockstep.c
    linux-user/mips64/cpu_loop.c
    linux-user/mips64/signal.c
    linux-user/sparc64/cpu_loop.c
    linux-user/sparc64/signal.c
    linux-user/x86_64/cpu_loop.c
    linux-user/x86_64/signal.c
    target/s390x/gen-features.c
    tests/fp/platform.h
    tests/migration/s390x/a-b-bios.c
    tests/plugin/bb.c
    tests/plugin/empty.c
    tests/plugin/insn.c
    tests/plugin/mem.c
    tests/test-rcu-simpleq.c
    tests/test-rcu-slist.c
    tests/test-rcu-tailq.c
    tests/uefi-test-tools/UefiTestToolsPkg/BiosTablesTest/BiosTablesTest.c

contrib/plugins/, tests/plugin/, and tests/test-rcu-slist.c appear not
to include osdep.h intentionally.  The remaining reverts are the same
as in commit bbfff19688.

Signed-off-by: Markus Armbruster <armbru@redhat.com>
Message-Id: <20201113061216.2483385-1-armbru@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Tested-by: Thomas Huth <thuth@redhat.com>
Acked-by: Cornelia Huck <cohuck@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Acked-by: Alexander Bulekov <alxndr@bu.edu>
2020-12-10 17:16:44 +01:00
Alexander Bulekov
b98b9fdef0 fuzz: avoid double-fetches by default
The generic fuzzer can find double-fetch bugs. However:
* We currently have no good way of producing qemu-system reproducers for
  double-fetch bugs. Even if we can get developers to run the binary-blob
  reproducers with the qemu-fuzz builds, we currently don't have a minimizer for
  these reproducers, so they are usually not easy to follow.
* Often times the fuzzer will provide a reproducer containing a
  double-fetch for a bug that can be reproduced without double-fetching.

Until we find a way to build nice double-fetch reproducers that
developers are willing to look at, lets tell OSS-Fuzz to avoid
double-fetches.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201202164214.93867-1-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-12-09 08:04:34 +01:00
Dima Stepanov
d4e279141b fuzz: add virtio-blk fuzz target
The virtio-blk fuzz target sets up and fuzzes the available virtio-blk
queues. The implementation is based on two files:
  - tests/qtest/fuzz/virtio_scsi_fuzz.c
  - tests/qtest/virtio_blk_test.c

Signed-off-by: Dima Stepanov <dimastep@yandex-team.ru>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <e2405c459302ecaee2555405604975353bfa3837.1604920905.git.dimastep@yandex-team.ru>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-11-10 08:51:30 +01:00
Daniele Buono
aba378dee6 fuzz: Make fork_fuzz.ld compatible with LLVM's LLD
LLVM's linker, LLD, supports the keyword "INSERT AFTER", starting with
version 11.
However, when multiple sections are defined in the same "INSERT AFTER",
they are added in a reversed order, compared to BFD's LD.

This patch makes fork_fuzz.ld generic enough to work with both linkers.
Each section now has its own "INSERT AFTER" keyword, so proper ordering is
defined between the sections added.

Signed-off-by: Daniele Buono <dbuono@linux.vnet.ibm.com>
Message-Id: <20201105221905.1350-2-dbuono@linux.vnet.ibm.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-11-10 08:51:30 +01:00
Alexander Bulekov
953e6d7c0e fuzz: fuzz offsets within pio/mmio regions
The code did not add offsets to FlatRange bases, so we did not fuzz
offsets within device MemoryRegions.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201029172901.534442-4-alxndr@bu.edu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-11-03 13:17:27 -05:00
Alexander Bulekov
cc3d99c741 fuzz: check the MR in the DMA callback
We should be checking that the device is trying to read from RAM, before
filling the region with data. Otherwise, we will try to populate
nonsensical addresses in RAM for callbacks on PIO/MMIO reads. We did
this originally, however the final version I sent had the line commented
out..

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201029172901.534442-3-alxndr@bu.edu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-11-03 13:17:27 -05:00
Alexander Bulekov
a9f67c1d51 fuzz: fix writing DMA patterns
This code had all sorts of issues. We used a loop similar to
address_space_write_rom, but I did not remove a "break" that only made
sense in the context of the switch statement in the original code. Then,
after the loop, we did a separate qtest_memwrite over the entire DMA
access range, defeating the purpose of the loop. Additionally, we
increment the buf pointer, and then try to g_free() it. Fix these
problems.

Reported-by: OSS-Fuzz (Issue 26725)
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reported-by: OSS-Fuzz (Issue 26691)
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201029172901.534442-2-alxndr@bu.edu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-11-03 13:17:27 -05:00
AlexChen
c59c582d56 tests/qtest: Fix potential NULL pointer dereference in qos_build_main_args()
In qos_build_main_args(), the pointer 'path' is dereferenced before
checking it is valid, which may lead to NULL pointer dereference.
So move the assignment to 'cmd_line' after checking 'path' is valid.

Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Alex Chen <alex.chen@huawei.com>
Message-Id: <5FA16ED5.4000203@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-11-03 10:15:43 -05:00
Alexander Bulekov
7fdb505384 fuzz: register predefined generic-fuzz configs
We call get_generic_fuzz_configs, which fills an array with
predefined {name, args, objects} triples. For each of these, we add a
new FuzzTarget, that uses a small wrapper to set
QEMU_FUZZ_{ARGS,OBJECTS} to the corresponding predefined values.

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-16-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26 09:53:54 +01:00
Alexander Bulekov
61fc27e0df fuzz: add generic-fuzz configs for oss-fuzz
Predefine some generic-fuzz configs. For each of these, we will create a
separate FuzzTarget that can be selected through argv0 and, therefore,
fuzzed on oss-fuzz.

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-15-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26 09:53:53 +01:00
Alexander Bulekov
82849bcf30 fuzz: add an "opaque" to the FuzzTarget struct
It can be useful to register FuzzTargets that have nearly-identical
initialization handlers (e.g. for using the same fuzzing code, with
different configuration options). Add an opaque pointer to the
FuzzTarget struct, so that FuzzTargets can hold some data, useful for
storing target-specific configuration options, that can be read by the
get_init_cmdline function.

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-14-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26 09:53:53 +01:00
Alexander Bulekov
a253932227 fuzz: add a crossover function to generic-fuzzer
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-10-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26 09:53:53 +01:00
Alexander Bulekov
ccbd4bc8af fuzz: add a DISABLE_PCI op to generic-fuzzer
This new operation is used in the next commit, which concatenates two
fuzzer-generated inputs. With this operation, we can prevent the second
input from clobbering the PCI configuration performed by the first.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-9-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26 09:53:53 +01:00
Alexander Bulekov
f81cb729be fuzz: Add support for custom crossover functions
libfuzzer supports a "custom crossover function". Libfuzzer often tries
to blend two inputs to create a new interesting input. Sometimes, we
have a better idea about how to blend inputs together. This change
allows fuzzers to specify a custom function for blending two inputs
together.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-8-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26 09:53:53 +01:00
Alexander Bulekov
20f5a30293 fuzz: Add DMA support to the generic-fuzzer
When a virtual-device tries to access some buffer in memory over DMA, we
add call-backs into the fuzzer(next commit). The fuzzer checks verifies
that the DMA request maps to a physical RAM address and fills the memory
with fuzzer-provided data. The patterns that we use to fill this memory
are specified using add_dma_pattern and clear_dma_patterns operations.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-5-alxndr@bu.edu>
[thuth: Reformatted one comment according to the QEMU coding style]
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-26 09:53:34 +01:00
Alexander Bulekov
05efbf2497 fuzz: Add PCI features to the generic fuzzer
This patch compares TYPE_PCI_DEVICE objects against the user-provided
matching pattern. If there is a match, we use some hacks and leverage
QOS to map each possible BAR for that device. Now fuzzed inputs might be
converted to pci_read/write commands which target specific. This means
that we can fuzz a particular device's PCI configuration space,

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-4-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-24 07:43:48 +02:00
Alexander Bulekov
da9bf53198 fuzz: Add generic virtual-device fuzzer
This is a generic fuzzer designed to fuzz a virtual device's
MemoryRegions, as long as they exist within the Memory or Port IO (if it
exists) AddressSpaces. The fuzzer's input is interpreted into a sequence
of qtest commands (outb, readw, etc). The interpreted commands are
separated by a magic seaparator, which should be easy for the fuzzer to
guess. Without ASan, the separator can be specified as a "dictionary
value" using the -dict argument (see libFuzzer documentation).

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-3-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-10-24 07:43:48 +02:00
Alexander Bulekov
fc69fa216c fuzz: Disable QEMU's SIG{INT,HUP,TERM} handlers
Prior to this patch, the only way I found to terminate the fuzzer was
either to:
 1. Explicitly specify the number of fuzzer runs with the -runs= flag
 2. SIGKILL the process with "pkill -9 qemu-fuzz-*" or similar

In addition to being annoying to deal with, SIGKILLing the process skips
over any exit handlers(e.g. registered with atexit()). This is bad,
since some fuzzers might create temporary files that should ideally be
removed on exit using an exit handler. The only way to achieve a clean
exit now is to specify -runs=N , but the desired "N" is tricky to
identify prior to fuzzing.

Why doesn't the process exit with standard SIGINT,SIGHUP,SIGTERM
signals? QEMU installs its own handlers for these signals in
os-posix.c:os_setup_signal_handling, which notify the main loop that an
exit was requested. The fuzzer, however, does not run qemu_main_loop,
which performs the main_loop_should_exit() check.  This means that the
fuzzer effectively ignores these signals. As we don't really care about
cleanly stopping the disposable fuzzer "VM", this patch uninstalls
QEMU's signal handlers. Thus, we can stop the fuzzer with
SIG{INT,HUP,TERM} and the fuzzing code can optionally use atexit() to
clean up temporary files/resources.

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201014142157.46028-1-alxndr@bu.edu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-10-17 10:45:53 -04:00
Paolo Bonzini
ea1edcd7da vl: relocate paths to data directories
As an additional advantage, the logic is now unified between
POSIX and Win32 systems.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-09-30 19:11:36 +02:00
Paolo Bonzini
ec986777ac fuzz: use qemu_get_exec_dir
Make things consistent with how softmmu/vl.c uses os_find_datadir.
Initializing the path to the executables will also be needed for
get_relocatable_path to work.

Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-09-30 19:11:36 +02:00
Paolo Bonzini
a4c13869f9 oslib: do not call g_strdup from qemu_get_exec_dir
Just return the directory without requiring the caller to free it.
This also removes a bogus check for NULL in os_find_datadir and
module_load_one; g_strdup of a static variable cannot return NULL.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-09-30 19:11:36 +02:00
Alexander Bulekov
d287961f25 fuzz: Change the way we write qtest log to stderr
Telling QTest to log to /dev/fd/2, essentially results in dup(2). This
is fine, if other code isn't logging to stderr. Otherwise, the order of
the logs is mixed due to buffering issues, since two file-descriptors
are used to write to the same file. We can avoid this, since just
specifying "-qtest" sets the log fd to stderr. If we want to disable
qtest logs, we can just add -qtest-log none.

Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200819061110.1320568-2-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-09-16 08:41:06 +02:00
Alexander Bulekov
54c9e41d47 fuzz: Add support for custom fuzzing library
On oss-fuzz, we must use the LIB_FUZZING_ENGINE and CFLAGS environment
variables, rather than -fsanitize=fuzzer. With this change, when
LIB_FUZZING_ENGINE is set, the --enable-fuzzing configure option will
use that environment variable during the linking stage, rather than
-fsanitize=fuzzer

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200902173652.307222-3-alxndr@bu.edu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-09-08 11:43:16 +02:00
Alexander Bulekov
c46f76d158 meson: specify fuzz linker script as a project arg
With this change, the fuzzer-linker script should be specified outside
any --start-group/--end-group pairs. We need this on oss-fuzz, where
partially applying the linker-script results in a linker failure

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200902173652.307222-2-alxndr@bu.edu>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-09-08 11:43:16 +02:00
Paolo Bonzini
64ed6f92ff meson: link emulators without Makefile.target
The binaries move to the root directory, e.g. qemu-system-i386 or
qemu-arm.  This requires changes to qtests, CI, etc.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-08-21 06:30:40 -04:00
Paolo Bonzini
a2ce7dbd91 meson: convert tests/qtest to meson
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2020-08-21 06:30:20 -04:00
Alexander Bulekov
bcbad8b05c fuzz: Fix leak when assembling datadir path string
We freed the string containing the final datadir path, but did not free
the path to the executable's directory that we get from
g_path_get_dirname(). Fix that.

Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200717163523.1591-1-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-07-21 07:21:54 +02:00
Alexander Bulekov
f5ec79f5e0 fuzz: Expect the cmdline in a freeable GString
In the initial FuzzTarget, get_init_cmdline returned a char *. With this
API, we had no guarantee about where the string came from. For example,
i440fx-qtest-reboot-fuzz simply returned a pointer to a string literal,
while the QOS-based targets build the arguments out in a GString an
return the gchar *str pointer. Since we did not try to free the cmdline,
we have a leak for any targets that do not simply return string
literals. Clean up this mess by forcing fuzz-targets to return
a GString, that we can free.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200714174616.20709-1-alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-07-17 10:44:23 +02:00
Thomas Huth
2c65fefa05 tests/qtest/fuzz: Add missing spaces in description
There should be a space between "forking" and "for".

Message-Id: <20200709083719.22221-1-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-07-13 11:40:52 +02:00
Alexander Bulekov
230225eaaa fuzz: add missing header for rcu_enable_atfork
In 45222b9a90, I fixed a broken check for rcu_enable_atfork introduced
in d6919e4cb6. I added a call to rcu_enable_atfork after the
call to qemu_init in fuzz.c, but forgot to include the corresponding
header, breaking --enable-fuzzing --enable-werror builds.

Fixes: 45222b9a90 ("fuzz: fix broken qtest check at rcu_disable_atfork")
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200708200104.21978-3-alxndr@bu.edu>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-07-13 11:40:52 +02:00
Alexander Bulekov
dda2f556c3 fuzz: do not use POSIX shm for coverage bitmap
We used shm_open with mmap to share libfuzzer's coverage bitmap with
child (runner) processes. The same functionality can be achieved with
MAP_SHARED | MAP_ANONYMOUS, since we do not care about naming or
permissioning the shared memory object.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200622165040.15121-1-alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-07-06 07:37:02 +02:00
Alexander Bulekov
45222b9a90 fuzz: fix broken qtest check at rcu_disable_atfork
The qtest_enabled check introduced in d6919e4 always returns false, as
it is called prior to configure_accelerators(). Instead of trying to
skip rcu_disable_atfork in qemu_main, simply call rcu_enable_atfork in
the fuzzer, after qemu_main returns.

Reported-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200618160516.2817-1-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-07-06 07:37:02 +02:00
Thomas Huth
dc0ad02df9 tests/qtest: Fix LGPL information in the file headers
It's either "GNU *Library* General Public License version 2" or "GNU
Lesser General Public License version *2.1*", but there was no "version
2.0" of the "Lesser" license. So assume that version 2.1 is meant here.

Message-Id: <20200605100645.6506-1-thuth@redhat.com>
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-06-15 18:26:46 +02:00
Alexander Bulekov
8efebd4e01 fuzz: Add support for logging QTest commands
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200529221450.26673-3-alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-06-15 18:26:46 +02:00
Alexander Bulekov
d92e1b6d54 fuzz: skip QTest serialization
The QTest server usually parses ASCII commands from clients. Since we
fuzz within the QEMU process, skip the QTest serialization and server
for most QTest commands. Leave the option to use the ASCII protocol, to
generate readable traces for crash reproducers.

Inspired-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20200529221450.26673-2-alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
2020-06-15 18:26:46 +02:00
Alexander Bulekov
dfd5ddb568 fuzz: run the main-loop in fork-server process
Without this, the time since the last main-loop keeps increasing, as the
fuzzer runs. The forked children need to handle all the "past-due"
timers, slowing them down, over time. With this change, the
parent/fork-server process runs the main-loop, while waiting on the
child, ensuring that the timer events do not pile up, over time.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200512030133.29896-5-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2020-06-05 09:54:48 +01:00
Alexander Bulekov
3b113229c5 fuzz: add mangled object name to linker script
Previously, we relied on "FuzzerTracePC*(.bss*)" to place libfuzzer's
fuzzer::TPC object into our contiguous shared-memory region. This does
not work for some libfuzzer builds, so this addition identifies the
region by its mangled name: *(.bss._ZN6fuzzer3TPCE);

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200512030133.29896-4-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2020-06-05 09:54:48 +01:00
Alexander Bulekov
6851803a46 fuzz: fix typo in i440fx-qtest-reboot arguments
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200512030133.29896-3-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2020-06-05 09:54:48 +01:00
Alexander Bulekov
7a071a96d3 fuzz: add datadir for oss-fuzz compatability
This allows us to keep pc-bios in executable_dir/pc-bios, rather than
executable_dir/../pc-bios, which is incompatible with oss-fuzz' file
structure.

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200512030133.29896-2-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2020-06-05 09:54:48 +01:00
Philippe Mathieu-Daudé
6fb5f0842a tests/fuzz: Extract ioport_fuzz_qtest() method
Extract generic ioport_fuzz_qtest() method from
i440fx_fuzz_qtest(). This will help to write tests
not specific to the i440FX controller.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200514143433.18569-7-philmd@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2020-05-15 10:46:40 +01:00
Philippe Mathieu-Daudé
84cb0a6d20 tests/fuzz: Extract pciconfig_fuzz_qos() method
Extract the generic pciconfig_fuzz_qos() method from
i440fx_fuzz_qos(). This will help to write tests not
specific to the i440FX controller.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200514143433.18569-6-philmd@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2020-05-15 10:46:40 +01:00
Philippe Mathieu-Daudé
79e18a60ab tests/fuzz: Remove unuseful/unused typedefs
These typedefs are not used. Use a simple structure,
remote the typedefs.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200514143433.18569-5-philmd@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2020-05-15 10:46:40 +01:00
Philippe Mathieu-Daudé
73ee6da45d tests/fuzz: Add missing space in test description
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200514143433.18569-4-philmd@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2020-05-15 10:46:40 +01:00
Philippe Mathieu-Daudé
a1dcdda827 tests/fuzz/Makefile: Do not link code using unavailable devices
Some devices availability depends on CONFIG options.
Use these options to only link tests when requested device
is available.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200514143433.18569-2-philmd@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2020-05-15 10:46:40 +01:00
Alexander Bulekov
05509c8e6d fuzz: select fuzz target using executable name
The fuzzers are built into a binary (e.g. qemu-fuzz-i386). To select the
device to fuzz/fuzz target, we usually use the --fuzz-target= argument.
This commit allows the fuzz-target to be specified using the name of the
executable. If the executable name ends with -target-FUZZ_TARGET, then
we select the fuzz target based on this name, rather than the
--fuzz-target argument. This is useful for systems such as oss-fuzz
where we don't have control of the arguments passed to the fuzzer.

[Fixed incorrect indentation.
--Stefan]

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-id: 20200421182230.6313-1-alxndr@bu.edu
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2020-05-04 16:07:33 +01:00