From patchwork Mon Jan 20 05:54:36 2020
X-Patchwork-Submitter: Alexander Bulekov
X-Patchwork-Id: 11341027
From: "Bulekov, Alexander" <alxndr@bu.edu>
To: qemu-devel@nongnu.org
Cc: pbonzini@redhat.com, bsd@redhat.com, darren.kenny@oracle.com, stefanha@redhat.com, "Bulekov, Alexander" <alxndr@bu.edu>
Subject: [PATCH v7 00/20] Add virtual device fuzzing support
Date: Mon, 20 Jan 2020 05:54:36 +0000
Message-ID: <20200120055410.22322-1-alxndr@bu.edu>

This series adds a framework for coverage-guided fuzzing of virtual devices. Fuzzing targets are based on qtest and can make use of the libqos abstractions. This version mostly contains cleanup with some changes to the virtio-net fuzzer.
V7:
 * virtio-net: add virtio-net-check-used which waits for inputs on the
   tx/ctrl vq by watching the used vring.
 * virtio-net: add virtio-net-socket which uses the socket backend and can
   exercise the rx components of virtio-net.
 * virtio-net: add virtio-net-slirp which uses the user backend and
   exercises slirp. This may lead to real traffic emitted by qemu, so it is
   best to run in an isolated network environment.
 * build should succeed after each commit

V5/V6:
 * added virtio-scsi fuzzer
 * add support for using fork-based fuzzers with multiple libfuzzer workers
 * misc fixes addressing V4 comments
 * cleanup in-process handlers/globals in libqtest.c
 * small fixes to fork-based fuzzing and support for multiple workers
 * changes to the virtio-net fuzzer to kick after each vq add

V4:
 * add/transfer license headers to new files
 * restructure the added QTestClientTransportOps struct
 * restructure the FuzzTarget struct and fuzzer skeleton
 * fork-based fuzzer now directly mmaps shm over the coverage bitmaps
 * fixes to i440 and virtio-net fuzz targets
 * undo the changes to qtest_memwrite
 * possible to build /fuzz and /all in the same build-dir
 * misc fixes to address V3 comments

V3:
 * rebased onto v4.1.0+
 * add the fuzzer as a new build-target type in the build-system
 * add indirection to qtest client/server communication functions
 * remove ramfile and snapshot-based fuzzing support
 * add i440fx fuzz-target as a reference for developers.
 * add linker-script to assist with fork-based fuzzer

V2:
 * split off changes to qos virtio-net and qtest server to other patches
 * move vl:main initialization into new func: qemu_init
 * moved useful functions from qos-test.c to a separate object
 * use struct of function pointers for add_fuzz_target(), instead of
   arguments
 * move ramfile to migration/qemu-file
 * rewrite fork-based fuzzer pending patch to libfuzzer
 * pass check-patch

Alexander Bulekov (20):
  softmmu: split off vl.c:main() into main.c
  module: check module wasn't already initialized
  fuzz: add FUZZ_TARGET module type
  qtest: add qtest_server_send abstraction
  libqtest: add a layer of abstraction to send/recv
  libqtest: make bufwrite rely on the TransportOps
  qtest: add in-process incoming command handler
  libqos: rename i2c_send and i2c_recv
  libqos: split qos-test and libqos makefile vars
  libqos: move useful qos-test funcs to qos_external
  fuzz: add fuzzer skeleton
  exec: keep ram block across fork when using qtest
  fuzz: support for fork-based fuzzing.
  fuzz: add support for qos-assisted fuzz targets
  fuzz: add target/fuzz makefile rules
  fuzz: add configure flag --enable-fuzzing
  fuzz: add i440fx fuzz targets
  fuzz: add virtio-net fuzz target
  fuzz: add virtio-scsi fuzz target
  fuzz: add documentation to docs/devel/

 Makefile                            |  16 +-
 Makefile.objs                       |   2 +
 Makefile.target                     |  18 ++-
 configure                           |  39 +++++
 docs/devel/fuzzing.txt              | 116 ++++++++++++++
 exec.c                              |  12 +-
 include/qemu/module.h               |   4 +-
 include/sysemu/qtest.h              |   4 +
 include/sysemu/sysemu.h             |   4 +
 main.c                              |  53 +++++++
 qtest.c                             |  31 +++-
 tests/qtest/Makefile.include        |  72 ++++-----
 tests/qtest/fuzz/Makefile.include   |  18 +++
 tests/qtest/fuzz/fork_fuzz.c        |  55 +++++++
 tests/qtest/fuzz/fork_fuzz.h        |  23 +++
 tests/qtest/fuzz/fork_fuzz.ld       |  37 +++++
 tests/qtest/fuzz/fuzz.c             | 179 ++++++++++++++++++++++
 tests/qtest/fuzz/fuzz.h             |  95 ++++++++++++
 tests/qtest/fuzz/i440fx_fuzz.c      | 178 +++++++++++++++++++++
 tests/qtest/fuzz/qos_fuzz.c         | 229 ++++++++++++++++++++++++++++
 tests/qtest/fuzz/qos_fuzz.h         |  33 ++++
 tests/qtest/fuzz/virtio_net_fuzz.c  | 190 +++++++++++++++++++++++
 tests/qtest/fuzz/virtio_scsi_fuzz.c | 200 ++++++++++++++++++++++++
 tests/qtest/libqos/i2c.c            |  10 +-
 tests/qtest/libqos/i2c.h            |   4 +-
 tests/qtest/libqos/qos_external.c   | 168 ++++++++++++++++++++
 tests/qtest/libqos/qos_external.h   |  28 ++++
 tests/qtest/libqtest.c              | 119 +++++++++++++-
 tests/qtest/libqtest.h              |   4 +
 tests/qtest/pca9552-test.c          |  10 +-
 tests/qtest/qos-test.c              | 132 +--------------
 util/module.c                       |   7 +
 vl.c                                |  38 ++---
 33 files changed, 1904 insertions(+), 224 deletions(-)
 create mode 100644 docs/devel/fuzzing.txt
 create mode 100644 main.c
 create mode 100644 tests/qtest/fuzz/Makefile.include
 create mode 100644 tests/qtest/fuzz/fork_fuzz.c
 create mode 100644 tests/qtest/fuzz/fork_fuzz.h
 create mode 100644 tests/qtest/fuzz/fork_fuzz.ld
 create mode 100644 tests/qtest/fuzz/fuzz.c
 create mode 100644 tests/qtest/fuzz/fuzz.h
 create mode 100644 tests/qtest/fuzz/i440fx_fuzz.c
 create mode 100644 tests/qtest/fuzz/qos_fuzz.c
 create mode 100644 tests/qtest/fuzz/qos_fuzz.h
 create mode 100644 tests/qtest/fuzz/virtio_net_fuzz.c
 create mode 100644 tests/qtest/fuzz/virtio_scsi_fuzz.c
 create mode 100644 tests/qtest/libqos/qos_external.c
 create mode 100644 tests/qtest/libqos/qos_external.h
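The changelog above mentions two mechanics of the fork-based fuzzer that are easy to get wrong when building something similar: the coverage counters have to be mapped as shared memory before fork() (V4: "directly mmaps shm over the coverage bitmaps"), otherwise edges hit in the child are lost when it exits, and the child rather than the fuzzer process is what dies on a device bug, so device state is reset for free by the fork. The program below is an added, self-contained illustration of that loop; it is not code from the QEMU series or from libFuzzer. The toy device (toy_device_mmio, regs), the COV_SIZE bitmap, the edge numbers and the deliberate bug at register 7 are all constructed for the example; in the real series the shared mapping covers the SanitizerCoverage counter region that the linker script groups together, not a hand-written array.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define COV_SIZE 64

/* Coverage counters. Hypothetical stand-in for the compiler-emitted
 * counters; the point is that they live in a MAP_SHARED mapping, so
 * increments done in a forked child are visible to the parent. */
static uint8_t *cov;

static void hit(unsigned edge)
{
    if (cov) {
        cov[edge % COV_SIZE]++;
    }
}

/* Constructed toy "device": an 8-register file driven by (addr, val)
 * byte pairs. Register 7 written with 0x42 crashes on purpose so the
 * harness has a bug to catch. */
static uint8_t regs[8];

static void toy_device_mmio(const uint8_t *data, size_t len)
{
    hit(0);
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint8_t addr = data[i], val = data[i + 1];
        if (addr < 8) {
            hit(1 + addr);
            regs[addr] = val;
            if (addr == 7 && val == 0x42) {
                hit(20);
                abort();            /* stand-in for a memory-safety bug */
            }
        } else {
            hit(10);                /* out-of-range register ignored */
        }
    }
}

struct run_result {
    int crashed;    /* child terminated by a signal */
    int new_edges;  /* edges first observed on this input */
};

static uint8_t seen[COV_SIZE];      /* parent-side record of known edges */

/* Map the counter area as shared anonymous memory, once, before forking. */
static int cov_init(void)
{
    if (cov) {
        return 0;
    }
    cov = mmap(NULL, COV_SIZE, PROT_READ | PROT_WRITE,
               MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (cov == MAP_FAILED) {
        cov = NULL;
        return -1;
    }
    return 0;
}

/* One fuzzing iteration: clear counters, fork, feed the input to the
 * device in the child, then read coverage and exit status in the parent.
 * The child's writes to regs[] never reach the parent, so every iteration
 * starts from the same device state without an explicit reset. */
static struct run_result fork_run(const uint8_t *data, size_t len)
{
    struct run_result r = {0, 0};
    if (cov_init() < 0) {
        return r;
    }
    memset(cov, 0, COV_SIZE);

    pid_t pid = fork();
    if (pid < 0) {
        return r;
    }
    if (pid == 0) {
        toy_device_mmio(data, len);
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    r.crashed = WIFSIGNALED(status) ? 1 : 0;

    for (unsigned i = 0; i < COV_SIZE; i++) {
        if (cov[i] && !seen[i]) {
            seen[i] = 1;
            r.new_edges++;
        }
    }
    return r;
}

/* Returns 1 if the parent's copy of the device state was never touched. */
static int parent_state_untouched(void)
{
    for (size_t i = 0; i < sizeof regs; i++) {
        if (regs[i]) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    const uint8_t benign[] = {0, 1, 1, 2};
    const uint8_t crash[] = {7, 0x42};
    struct run_result a = fork_run(benign, sizeof benign);
    struct run_result b = fork_run(crash, sizeof crash);
    printf("benign: crashed=%d new_edges=%d\n", a.crashed, a.new_edges);
    printf("crash:  crashed=%d new_edges=%d\n", b.crashed, b.new_edges);
    printf("parent regs untouched: %d\n", parent_state_untouched());
    return 0;
}
```

If the mmap flags were changed to MAP_PRIVATE, the crash input would still be reported as a crash but new_edges would read 0 for every run, which is exactly the silent failure mode the shared mapping exists to prevent.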