Message ID | 20191113225030.17023-1-alxndr@bu.edu (mailing list archive)
---|---
Series | Add virtual device fuzzing support
Hi Alexander,

A quick comment on the fact that you omitted any Reviewed-by's that you have received so far.

Was that intentional?

Thanks,

Darren.

On Wed, Nov 13, 2019 at 10:50:41PM +0000, Oleinik, Alexander wrote:
> This series adds a framework for coverage-guided fuzzing of
> virtual-devices. Fuzzing targets are based on qtest and can make use of
> the libqos abstractions.
>
> V5:
>  * misc fixes addressing V4 comments
>  * cleanup in-process handlers/globals in libqtest.c
>  * small fixes to fork-based fuzzing and support for multiple workers
>  * changes to the virtio-net fuzzer to kick after each vq add
>
> V4:
>  * add/transfer license headers to new files
>  * restructure the added QTestClientTransportOps struct
>  * restructure the FuzzTarget struct and fuzzer skeleton
>  * fork-based fuzzer now directly mmaps shm over the coverage bitmaps
>  * fixes to i440 and virtio-net fuzz targets
>  * undo the changes to qtest_memwrite
>  * possible to build /fuzz and /all in the same build-dir
>  * misc fixes to address V3 comments
>
> V3:
>  * rebased onto v4.1.0+
>  * add the fuzzer as a new build-target type in the build-system
>  * add indirection to qtest client/server communication functions
>  * remove ramfile and snapshot-based fuzzing support
>  * add i440fx fuzz-target as a reference for developers.
>  * add linker-script to assist with fork-based fuzzer
>
> V2:
>  * split off changes to qos virtio-net and qtest server to other patches
>  * move vl:main initialization into new func: qemu_init
>  * moved useful functions from qos-test.c to a separate object
>  * use struct of function pointers for add_fuzz_target(), instead of
>    arguments
>  * move ramfile to migration/qemu-file
>  * rewrite fork-based fuzzer pending patch to libfuzzer
>  * pass check-patch
>
> Alexander Bulekov (20):
>   softmmu: split off vl.c:main() into main.c
>   libqos: Rename i2c_send and i2c_recv
>   fuzz: Add FUZZ_TARGET module type
>   qtest: add qtest_server_send abstraction
>   libqtest: Add a layer of abstraction to send/recv
>   module: check module wasn't already initialized
>   qtest: add in-process incoming command handler
>   tests: provide test variables to other targets
>   libqos: split qos-test and libqos makefile vars
>   libqos: move useful qos-test funcs to qos_external
>   libqtest: make bufwrite rely on the TransportOps
>   libqtest: add in-process qtest.c tx/rx handlers
>   fuzz: add configure flag --enable-fuzzing
>   fuzz: Add target/fuzz makefile rules
>   fuzz: add fuzzer skeleton
>   fuzz: add support for fork-based fuzzing.
>   fuzz: add support for qos-assisted fuzz targets
>   fuzz: add i440fx fuzz targets
>   fuzz: add virtio-net fuzz target
>   fuzz: add documentation to docs/devel/
>
>  Makefile                     |  16 ++-
>  Makefile.objs                |   4 +
>  Makefile.target              |  18 ++-
>  configure                    |  39 ++++++
>  docs/devel/fuzzing.txt       | 119 ++++++++++++++++++
>  exec.c                       |  12 +-
>  include/qemu/module.h        |   4 +-
>  include/sysemu/qtest.h       |   4 +
>  include/sysemu/sysemu.h      |   4 +
>  main.c                       |  53 ++++++++
>  qtest.c                      |  31 ++++-
>  tests/Makefile.include       |  75 +++++------
>  tests/fuzz/Makefile.include  |  11 ++
>  tests/fuzz/fork_fuzz.c       |  55 +++++++++
>  tests/fuzz/fork_fuzz.h       |  23 ++++
>  tests/fuzz/fork_fuzz.ld      |  37 ++++++
>  tests/fuzz/fuzz.c            | 179 +++++++++++++++++++++++++++
>  tests/fuzz/fuzz.h            |  94 ++++++++++++++
>  tests/fuzz/i440fx_fuzz.c     | 176 ++++++++++++++++++++++++++
>  tests/fuzz/qos_fuzz.c        | 232 +++++++++++++++++++++++++++++++++++
>  tests/fuzz/qos_fuzz.h        |  33 +++++
>  tests/fuzz/virtio_net_fuzz.c | 100 +++++++++++++++
>  tests/libqos/i2c.c           |  10 +-
>  tests/libqos/i2c.h           |   4 +-
>  tests/libqos/qos_external.c  | 168 +++++++++++++++++++++++++
>  tests/libqos/qos_external.h  |  28 +++++
>  tests/libqtest.c             | 108 ++++++++++++++--
>  tests/libqtest.h             |   4 +
>  tests/pca9552-test.c         |  10 +-
>  tests/qos-test.c             | 140 +--------------------
>  util/module.c                |   7 ++
>  vl.c                         |  38 ++----
>  32 files changed, 1607 insertions(+), 229 deletions(-)
>  create mode 100644 docs/devel/fuzzing.txt
>  create mode 100644 main.c
>  create mode 100644 tests/fuzz/Makefile.include
>  create mode 100644 tests/fuzz/fork_fuzz.c
>  create mode 100644 tests/fuzz/fork_fuzz.h
>  create mode 100644 tests/fuzz/fork_fuzz.ld
>  create mode 100644 tests/fuzz/fuzz.c
>  create mode 100644 tests/fuzz/fuzz.h
>  create mode 100644 tests/fuzz/i440fx_fuzz.c
>  create mode 100644 tests/fuzz/qos_fuzz.c
>  create mode 100644 tests/fuzz/qos_fuzz.h
>  create mode 100644 tests/fuzz/virtio_net_fuzz.c
>  create mode 100644 tests/libqos/qos_external.c
>  create mode 100644 tests/libqos/qos_external.h
>
> --
> 2.23.0
>
On 11/14/19 5:55 AM, Darren Kenny wrote:
> Hi Alexander,
>
> A quick comment on the fact that you omitted any Reviewed-by's that
> you have received so far.
>
> Was that intentional?

No - I'll find a way to add them. Sorry about that.
-Alex

>
> Thanks,
>
> Darren.
>
> On Wed, Nov 13, 2019 at 10:50:41PM +0000, Oleinik, Alexander wrote:
>> This series adds a framework for coverage-guided fuzzing of
>> virtual-devices. Fuzzing targets are based on qtest and can make use of
>> the libqos abstractions.
>>
>> V5:
>>  * misc fixes addressing V4 comments
>>  * cleanup in-process handlers/globals in libqtest.c
>>  * small fixes to fork-based fuzzing and support for multiple workers
>>  * changes to the virtio-net fuzzer to kick after each vq add
>>
>> V4:
>>  * add/transfer license headers to new files
>>  * restructure the added QTestClientTransportOps struct
>>  * restructure the FuzzTarget struct and fuzzer skeleton
>>  * fork-based fuzzer now directly mmaps shm over the coverage bitmaps
>>  * fixes to i440 and virtio-net fuzz targets
>>  * undo the changes to qtest_memwrite
>>  * possible to build /fuzz and /all in the same build-dir
>>  * misc fixes to address V3 comments
>>
>> V3:
>>  * rebased onto v4.1.0+
>>  * add the fuzzer as a new build-target type in the build-system
>>  * add indirection to qtest client/server communication functions
>>  * remove ramfile and snapshot-based fuzzing support
>>  * add i440fx fuzz-target as a reference for developers.
>>  * add linker-script to assist with fork-based fuzzer
>>
>> V2:
>>  * split off changes to qos virtio-net and qtest server to other patches
>>  * move vl:main initialization into new func: qemu_init
>>  * moved useful functions from qos-test.c to a separate object
>>  * use struct of function pointers for add_fuzz_target(), instead of
>>    arguments
>>  * move ramfile to migration/qemu-file
>>  * rewrite fork-based fuzzer pending patch to libfuzzer
>>  * pass check-patch
>>
>> Alexander Bulekov (20):
>>   softmmu: split off vl.c:main() into main.c
>>   libqos: Rename i2c_send and i2c_recv
>>   fuzz: Add FUZZ_TARGET module type
>>   qtest: add qtest_server_send abstraction
>>   libqtest: Add a layer of abstraction to send/recv
>>   module: check module wasn't already initialized
>>   qtest: add in-process incoming command handler
>>   tests: provide test variables to other targets
>>   libqos: split qos-test and libqos makefile vars
>>   libqos: move useful qos-test funcs to qos_external
>>   libqtest: make bufwrite rely on the TransportOps
>>   libqtest: add in-process qtest.c tx/rx handlers
>>   fuzz: add configure flag --enable-fuzzing
>>   fuzz: Add target/fuzz makefile rules
>>   fuzz: add fuzzer skeleton
>>   fuzz: add support for fork-based fuzzing.
>>   fuzz: add support for qos-assisted fuzz targets
>>   fuzz: add i440fx fuzz targets
>>   fuzz: add virtio-net fuzz target
>>   fuzz: add documentation to docs/devel/
>>
>>  Makefile                     |  16 ++-
>>  Makefile.objs                |   4 +
>>  Makefile.target              |  18 ++-
>>  configure                    |  39 ++++++
>>  docs/devel/fuzzing.txt       | 119 ++++++++++++++++++
>>  exec.c                       |  12 +-
>>  include/qemu/module.h        |   4 +-
>>  include/sysemu/qtest.h       |   4 +
>>  include/sysemu/sysemu.h      |   4 +
>>  main.c                       |  53 ++++++++
>>  qtest.c                      |  31 ++++-
>>  tests/Makefile.include       |  75 +++++------
>>  tests/fuzz/Makefile.include  |  11 ++
>>  tests/fuzz/fork_fuzz.c       |  55 +++++++++
>>  tests/fuzz/fork_fuzz.h       |  23 ++++
>>  tests/fuzz/fork_fuzz.ld      |  37 ++++++
>>  tests/fuzz/fuzz.c            | 179 +++++++++++++++++++++++++++
>>  tests/fuzz/fuzz.h            |  94 ++++++++++++++
>>  tests/fuzz/i440fx_fuzz.c     | 176 ++++++++++++++++++++++++++
>>  tests/fuzz/qos_fuzz.c        | 232 +++++++++++++++++++++++++++++++++++
>>  tests/fuzz/qos_fuzz.h        |  33 +++++
>>  tests/fuzz/virtio_net_fuzz.c | 100 +++++++++++++++
>>  tests/libqos/i2c.c           |  10 +-
>>  tests/libqos/i2c.h           |   4 +-
>>  tests/libqos/qos_external.c  | 168 +++++++++++++++++++++++++
>>  tests/libqos/qos_external.h  |  28 +++++
>>  tests/libqtest.c             | 108 ++++++++++++++--
>>  tests/libqtest.h             |   4 +
>>  tests/pca9552-test.c         |  10 +-
>>  tests/qos-test.c             | 140 +--------------------
>>  util/module.c                |   7 ++
>>  vl.c                         |  38 ++----
>>  32 files changed, 1607 insertions(+), 229 deletions(-)
>>  create mode 100644 docs/devel/fuzzing.txt
>>  create mode 100644 main.c
>>  create mode 100644 tests/fuzz/Makefile.include
>>  create mode 100644 tests/fuzz/fork_fuzz.c
>>  create mode 100644 tests/fuzz/fork_fuzz.h
>>  create mode 100644 tests/fuzz/fork_fuzz.ld
>>  create mode 100644 tests/fuzz/fuzz.c
>>  create mode 100644 tests/fuzz/fuzz.h
>>  create mode 100644 tests/fuzz/i440fx_fuzz.c
>>  create mode 100644 tests/fuzz/qos_fuzz.c
>>  create mode 100644 tests/fuzz/qos_fuzz.h
>>  create mode 100644 tests/fuzz/virtio_net_fuzz.c
>>  create mode 100644 tests/libqos/qos_external.c
>>  create mode 100644 tests/libqos/qos_external.h
>>
>> --
>> 2.23.0
>>
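The cover letter's V4 entry "fork-based fuzzer now directly mmaps shm over the coverage bitmaps" describes the core trick behind fork-based device fuzzing: each input runs in a forked child so that mutated device state and crashes die with the child, while the coverage counters live in shared memory so the parent can still see which edges the child reached. The following stand-alone C program is an added illustration of that pattern and is not code from the series or from QEMU. It assumes a hand-rolled 64-byte bitmap filled in by an explicit record_edge() call in place of compiler coverage instrumentation and the linker-script-placed counters the series uses, a toy device whose 0xAB/0xCD trigger is a constructed bug, and a plain MAP_SHARED|MAP_ANONYMOUS mapping rather than a mapping placed over an existing counter section.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy coverage bitmap of 64 edge counters (assumption: real sanitizer
 * coverage regions are far larger and written by compiler instrumentation). */
#define BITMAP_SIZE 64

/* Must be MAP_SHARED: a fork()ed child's ordinary writes land in private
 * copy-on-write pages the parent never sees. Sharing the bitmap is what
 * lets the parent read coverage out of a child that has already exited. */
static uint8_t *coverage_bitmap;

static uint8_t edges_seen[BITMAP_SIZE]; /* parent-side, across all runs */
static int run_crashed;

/* Stand-in for compiler-inserted edge instrumentation. */
static void record_edge(unsigned id)
{
    coverage_bitmap[id % BITMAP_SIZE]++;
}

/* Constructed toy "virtual device" register-write handler. The 0xAB/0xCD
 * pair is an arbitrary trigger for a planted crash, not real device logic. */
static void toy_device_write(const uint8_t *data, size_t len)
{
    record_edge(0);
    if (len < 2) {
        record_edge(1);
        return;
    }
    if (data[0] == 0xAB) {
        record_edge(2);
        if (data[1] == 0xCD) {
            record_edge(3);
            abort();            /* the planted bug the fuzzer should find */
        }
    }
    record_edge(4);
}

/* Map the coverage bitmap as shared anonymous memory. Returns 0 on success. */
int coverage_setup(void)
{
    coverage_bitmap = mmap(NULL, BITMAP_SIZE, PROT_READ | PROT_WRITE,
                           MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (coverage_bitmap == MAP_FAILED) {
        return -1;
    }
    memset(edges_seen, 0, sizeof(edges_seen));
    return 0;
}

/* Run one input in a forked child so any state it mutates, and any crash,
 * is discarded with the child. Returns the number of edges this input
 * reached for the first time, or -1 if fork()/waitpid() failed. */
int fuzz_one_input(const uint8_t *data, size_t len)
{
    int status = 0, new_edges = 0;
    pid_t pid;

    memset(coverage_bitmap, 0, BITMAP_SIZE);
    run_crashed = 0;

    pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        toy_device_write(data, len);
        _exit(0);               /* skip the parent's atexit/stdio teardown */
    }
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    /* Death by signal (SIGABRT, SIGSEGV, ...) is the crash report; the
     * edges hit before the crash are still visible in the shared bitmap. */
    run_crashed = WIFSIGNALED(status) ? 1 : 0;

    for (unsigned i = 0; i < BITMAP_SIZE; i++) {
        if (coverage_bitmap[i] && !edges_seen[i]) {
            edges_seen[i] = 1;
            new_edges++;
        }
    }
    return new_edges;
}

int last_run_crashed(void)
{
    return run_crashed;
}

int main(void)
{
    /* Constructed four-input corpus; lens[0] == 1 exercises the short path. */
    static const uint8_t corpus[][2] = {
        {0x00, 0x00}, {0x00, 0x00}, {0xAB, 0x00}, {0xAB, 0xCD}
    };
    static const size_t lens[] = { 1, 2, 2, 2 };

    if (coverage_setup() != 0) {
        return 1;
    }
    for (size_t i = 0; i < 4; i++) {
        int n = fuzz_one_input(corpus[i], lens[i]);
        printf("input %zu: %d new edge(s)%s\n", i, n,
               last_run_crashed() ? ", CRASH" : "");
    }
    return 0;
}
```

Re-running an input that already crashed reports zero new edges but still flags the crash, which is the distinction a fuzzer's corpus management relies on: coverage decides what to keep, the exit status decides what to report. The parent's edges_seen never touches the shared page, so nothing the child does can corrupt the parent's own bookkeeping.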