Message ID | 20200819061110.1320568-9-alxndr@bu.edu (mailing list archive) |
State | New, archived |
Series | Add a General Virtual Device Fuzzer | expand |
On Wednesday, 2020-08-19 at 02:11:03 -04, Alexander Bulekov wrote:
> This new operation is used in the next commit, which concatenates two
> fuzzer-generated inputs. With this operation, we can prevent the second
> input from clobbering the PCI configuration performed by the first.
>
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
> ---
> tests/qtest/fuzz/general_fuzz.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/tests/qtest/fuzz/general_fuzz.c b/tests/qtest/fuzz/general_fuzz.c
> index 36d41acea0..26fcd69e45 100644
> --- a/tests/qtest/fuzz/general_fuzz.c
> +++ b/tests/qtest/fuzz/general_fuzz.c
> @@ -40,6 +40,7 @@ enum cmds{
> OP_WRITE,
> OP_PCI_READ,
> OP_PCI_WRITE,
> + OP_DISABLE_PCI,
> OP_ADD_DMA_PATTERN,
> OP_CLEAR_DMA_PATTERNS,
> OP_CLOCK_STEP,
> @@ -93,6 +94,7 @@ static GArray *dma_regions;
>
> static GArray *dma_patterns;
> static int dma_pattern_index;
> +static bool pci_disabled = false;
>
> void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write);
>
> @@ -433,7 +435,7 @@ static void op_pci_read(QTestState *s, const unsigned char * data, size_t len)
> uint8_t base;
> uint8_t offset;
> } a;
> - if (len < sizeof(a) || fuzzable_pci_devices->len == 0) {
> + if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) {
> return;
> }
> memcpy(&a, data, sizeof(a));
> @@ -463,7 +465,7 @@ static void op_pci_write(QTestState *s, const unsigned char * data, size_t len)
> uint8_t offset;
> uint32_t value;
> } a;
> - if (len < sizeof(a) || fuzzable_pci_devices->len == 0) {
> + if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) {
> return;
> }
> memcpy(&a, data, sizeof(a));
> @@ -518,6 +520,11 @@ static void op_clock_step(QTestState *s, const unsigned char *data, size_t len)
> qtest_clock_step_next(s);
> }
>
> +static void op_disable_pci(QTestState *s, const unsigned char *data, size_t len)
> +{
> + pci_disabled = true;
> +}
> +
> static void handle_timeout(int sig)
> {
> if (getenv("QTEST_LOG")) {
> @@ -559,6 +566,7 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size)
> [OP_WRITE] = op_write,
> [OP_PCI_READ] = op_pci_read,
> [OP_PCI_WRITE] = op_pci_write,
> + [OP_DISABLE_PCI] = op_disable_pci,
> [OP_ADD_DMA_PATTERN] = op_add_dma_pattern,
> [OP_CLEAR_DMA_PATTERNS] = op_clear_dma_patterns,
> [OP_CLOCK_STEP] = op_clock_step,
> @@ -591,6 +599,7 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size)
> }
>
> op_clear_dma_patterns(s, NULL, 0);
> + pci_disabled = false;
>
> while (cmd && Size) {
> /* Get the length until the next command or end of input */
> --
> 2.27.0
diff --git a/tests/qtest/fuzz/general_fuzz.c b/tests/qtest/fuzz/general_fuzz.c
index 36d41acea0..26fcd69e45 100644
--- a/tests/qtest/fuzz/general_fuzz.c
+++ b/tests/qtest/fuzz/general_fuzz.c
@@ -40,6 +40,7 @@ enum cmds{
 OP_WRITE,
 OP_PCI_READ,
 OP_PCI_WRITE,
+ OP_DISABLE_PCI,
 OP_ADD_DMA_PATTERN,
 OP_CLEAR_DMA_PATTERNS,
 OP_CLOCK_STEP,
@@ -93,6 +94,7 @@ static GArray *dma_regions;
 static GArray *dma_patterns;
 static int dma_pattern_index;
+static bool pci_disabled = false;
 void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr, bool is_write);
@@ -433,7 +435,7 @@ static void op_pci_read(QTestState *s, const unsigned char * data, size_t len)
 uint8_t base;
 uint8_t offset;
 } a;
- if (len < sizeof(a) || fuzzable_pci_devices->len == 0) {
+ if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) {
 return;
 }
 memcpy(&a, data, sizeof(a));
@@ -463,7 +465,7 @@ static void op_pci_write(QTestState *s, const unsigned char * data, size_t len)
 uint8_t offset;
 uint32_t value;
 } a;
- if (len < sizeof(a) || fuzzable_pci_devices->len == 0) {
+ if (len < sizeof(a) || fuzzable_pci_devices->len == 0 || pci_disabled) {
 return;
 }
 memcpy(&a, data, sizeof(a));
@@ -518,6 +520,11 @@ static void op_clock_step(QTestState *s, const unsigned char *data, size_t len)
 qtest_clock_step_next(s);
 }
+static void op_disable_pci(QTestState *s, const unsigned char *data, size_t len)
+{
+ pci_disabled = true;
+}
+
 static void handle_timeout(int sig)
 {
 if (getenv("QTEST_LOG")) {
@@ -559,6 +566,7 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size)
 [OP_WRITE] = op_write,
 [OP_PCI_READ] = op_pci_read,
 [OP_PCI_WRITE] = op_pci_write,
+ [OP_DISABLE_PCI] = op_disable_pci,
 [OP_ADD_DMA_PATTERN] = op_add_dma_pattern,
 [OP_CLEAR_DMA_PATTERNS] = op_clear_dma_patterns,
 [OP_CLOCK_STEP] = op_clock_step,
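Review bot: `op_disable_pci` is a one-way switch with nothing in the code saying so; the reason for it (keeping a concatenated second input from undoing the first input's PCI setup) lives only in the commit message, so I would put above the function `/* Sticky for the rest of the current input (general_fuzz() resets it per input): once OP_DISABLE_PCI is seen, later OP_PCI_READ/OP_PCI_WRITE ops are no-ops so a concatenated second input cannot undo the first one's PCI configuration. Deliberately no inverse op. */`. Note also that OP_DISABLE_PCI is inserted in the middle of `enum cmds`, which shifts the opcode values of OP_ADD_DMA_PATTERN and everything after it — harmless for a brand-new fuzzer, but any corpus or reproducer that already exists would decode differently, and appending new ops at the end of the enum avoids that. The flag gates only the two PCI config ops; if op_read/op_write (defined outside this hunk, so I cannot tell) can reach I/O ports or a host-bridge config window, a second input could still touch config space that way, so the comment should say that only OP_PCI_* is gated. Minor style: the `= false` initializer on a file-scope static is redundant.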
@@ -591,6 +599,7 @@ static void general_fuzz(QTestState *s, const unsigned char *Data, size_t Size)
 }
 op_clear_dma_patterns(s, NULL, 0);
+ pci_disabled = false;
 while (cmd && Size) {
 /* Get the length until the next command or end of input */
This new operation is used in the next commit, which concatenates two fuzzer-generated inputs. With this operation, we can prevent the second input from clobbering the PCI configuration performed by the first. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> --- tests/qtest/fuzz/general_fuzz.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)