[RFC,4/8] qtest/fuzz: Restrict CPU I/O instructions

Message ID	20210314232913.2607360-5-f4bug@amsat.org (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=dd/e=IM=nongnu.org=qemu-devel-bounces+qemu-devel=archiver.kernel.org@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7D9A764E69 From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <f4bug@amsat.org> To: qemu-devel@nongnu.org Subject: [RFC PATCH 4/8] qtest/fuzz: Restrict CPU I/O instructions Date: Mon, 15 Mar 2021 00:29:09 +0100 Message-Id: <20210314232913.2607360-5-f4bug@amsat.org> In-Reply-To: <20210314232913.2607360-1-f4bug@amsat.org> References: <20210314232913.2607360-1-f4bug@amsat.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2a00:1450:4864:20::429; envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wr1-x429.google.com X-Spam_score_int: -14 X-Spam_score: -1.5 X-Spam_bar: - X-Spam_report: (-1.5 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action Precedence: list Cc: Laurent Vivier <lvivier@redhat.com>, Thomas Huth <thuth@redhat.com>, Richard Henderson <richard.henderson@linaro.org>, =?utf-8?q?Philippe_Mathie?= =?utf-8?q?u-Daud=C3=A9?= <f4bug@amsat.org>, Alexander Bulekov <alxndr@bu.edu>, Bandan Das <bsd@redhat.com>, Claudio Fontana <cfontana@suse.de>, Stefan Hajnoczi <stefanha@redhat.com>, Paolo Bonzini <pbonzini@redhat.com> Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>
Series	softmmu: Restrict CPU I/O instructions \| expand [RFC,0/8] softmmu: Restrict CPU I/O instructions [RFC,1/8] softmmu/physmem: Rename io_mem_unassigned -> unassigned_mr [RFC,2/8] exec: Extract CPU I/O instructions to "cpu-io.h" [RFC,3/8] target: Introduce TARGET_HAS_IOPORT [RFC,4/8] qtest/fuzz: Restrict CPU I/O instructions [RFC,5/8] qtest/libqos: Restrict CPU I/O instructions [RFC,6/8] qtest: Restrict CPU I/O instructions [RFC,7/8] monitor: Restrict CPU I/O instructions [RFC,8/8] softmmu: Restrict CPU I/O instructions

Message ID

20210314232913.2607360-5-f4bug@amsat.org (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7D9A764E69
From: =?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
To: qemu-devel@nongnu.org
Subject: [RFC PATCH 4/8] qtest/fuzz: Restrict CPU I/O instructions
Date: Mon, 15 Mar 2021 00:29:09 +0100
Message-Id: <20210314232913.2607360-5-f4bug@amsat.org>
In-Reply-To: <20210314232913.2607360-1-f4bug@amsat.org>
References: <20210314232913.2607360-1-f4bug@amsat.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2a00:1450:4864:20::429;
 envelope-from=philippe.mathieu.daude@gmail.com; helo=mail-wr1-x429.google.com
X-Spam_score_int: -14
X-Spam_score: -1.5
X-Spam_bar: -
X-Spam_report: (-1.5 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.249,
 FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Cc: Laurent Vivier <lvivier@redhat.com>, Thomas Huth <thuth@redhat.com>,
 Richard Henderson <richard.henderson@linaro.org>, =?utf-8?q?Philippe_Mathie?=
	=?utf-8?q?u-Daud=C3=A9?= <f4bug@amsat.org>,
 Alexander Bulekov <alxndr@bu.edu>, Bandan Das <bsd@redhat.com>,
 Claudio Fontana <cfontana@suse.de>, Stefan Hajnoczi <stefanha@redhat.com>,
 Paolo Bonzini <pbonzini@redhat.com>
Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org
Sender: "Qemu-devel"
 <qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org>

Series

softmmu: Restrict CPU I/O instructions | expand

Commit Message

Philippe Mathieu-Daudé March 14, 2021, 11:29 p.m. UTC

Restrict CPU I/O instructions to architectures providing
I/O bus.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
---
 tests/qtest/fuzz/generic_fuzz.c   | 16 ++++++++++------
 tests/qtest/fuzz/qtest_wrappers.c |  4 ++++
 2 files changed, 14 insertions(+), 6 deletions(-)

Comments

Alexander Bulekov March 15, 2021, 1:27 a.m. UTC | #1

On 210315 0029, Philippe Mathieu-Daudé wrote:
> Restrict CPU I/O instructions to architectures providing
> I/O bus.
> 
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>  tests/qtest/fuzz/generic_fuzz.c   | 16 ++++++++++------
>  tests/qtest/fuzz/qtest_wrappers.c |  4 ++++
>  2 files changed, 14 insertions(+), 6 deletions(-)
> 
> diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
> index ee8c17a04c4..3e0089f4a63 100644
> --- a/tests/qtest/fuzz/generic_fuzz.c
> +++ b/tests/qtest/fuzz/generic_fuzz.c
> @@ -304,6 +304,13 @@ static bool get_io_address(address_range *result, AddressSpace *as,
>      return cb_info.found;
>  }
>  
> +static bool get_mmio_address(address_range *result,
> +                             uint8_t index, uint32_t offset)
> +{
> +    return get_io_address(result, &address_space_memory, index, offset);
> +}
> +
> +#ifdef TARGET_HAS_IOPORT
>  static bool get_pio_address(address_range *result,
>                              uint8_t index, uint16_t offset)
>  {
> @@ -318,12 +325,6 @@ static bool get_pio_address(address_range *result,
>      return result->addr <= 0xFFFF ? found : false;
>  }
>  
> -static bool get_mmio_address(address_range *result,
> -                             uint8_t index, uint32_t offset)
> -{
> -    return get_io_address(result, &address_space_memory, index, offset);
> -}
> -
>  static void op_in(QTestState *s, const unsigned char * data, size_t len)
>  {
>      enum Sizes {Byte, Word, Long, end_sizes};
> @@ -395,6 +396,7 @@ static void op_out(QTestState *s, const unsigned char * data, size_t len)
>          break;
>      }
>  }
> +#endif /* TARGET_HAS_IOPORT */
>  
>  static void op_read(QTestState *s, const unsigned char * data, size_t len)
>  {
> @@ -626,8 +628,10 @@ static void handle_timeout(int sig)
>  static void generic_fuzz(QTestState *s, const unsigned char *Data, size_t Size)
>  {
>      void (*ops[]) (QTestState *s, const unsigned char* , size_t) = {
> +#ifdef TARGET_HAS_IOPORT
>          [OP_IN]                 = op_in,
>          [OP_OUT]                = op_out,

I think op_pci_read and op_pci_write would need to be disabled as well
(at least the way they are implemented now).

> +#endif /* TARGET_HAS_IOPORT */
>          [OP_READ]               = op_read,
>          [OP_WRITE]              = op_write,
>          [OP_PCI_READ]           = op_pci_read,
> diff --git a/tests/qtest/fuzz/qtest_wrappers.c b/tests/qtest/fuzz/qtest_wrappers.c
> index 921d1e5ed3a..d56dda9e9b8 100644
> --- a/tests/qtest/fuzz/qtest_wrappers.c
> +++ b/tests/qtest/fuzz/qtest_wrappers.c
> @@ -24,12 +24,14 @@ static bool serialize = true;
>      RET_TYPE __wrap_##NAME_AND_ARGS;\
>      RET_TYPE __real_##NAME_AND_ARGS;
>  
> +#ifdef TARGET_HAS_IOPORT
>  WRAP(uint8_t  , qtest_inb(QTestState *s, uint16_t addr))
>  WRAP(uint16_t , qtest_inw(QTestState *s, uint16_t addr))
>  WRAP(uint32_t , qtest_inl(QTestState *s, uint16_t addr))
>  WRAP(void     , qtest_outb(QTestState *s, uint16_t addr, uint8_t value))
>  WRAP(void     , qtest_outw(QTestState *s, uint16_t addr, uint16_t value))
>  WRAP(void     , qtest_outl(QTestState *s, uint16_t addr, uint32_t value))
> +#endif /* TARGET_HAS_IOPORT */
>  WRAP(uint8_t  , qtest_readb(QTestState *s, uint64_t addr))
>  WRAP(uint16_t , qtest_readw(QTestState *s, uint64_t addr))
>  WRAP(uint32_t , qtest_readl(QTestState *s, uint64_t addr))
> @@ -50,6 +52,7 @@ WRAP(void,      qtest_memset(QTestState *s, uint64_t addr,
>                               uint8_t patt, size_t size))
>  
>  
> +#ifdef TARGET_HAS_IOPORT
>  uint8_t __wrap_qtest_inb(QTestState *s, uint16_t addr)
>  {
>      if (!serialize) {
> @@ -103,6 +106,7 @@ void __wrap_qtest_outl(QTestState *s, uint16_t addr, uint32_t value)
>          __real_qtest_outl(s, addr, value);
>      }
>  }
> +#endif /* TARGET_HAS_IOPORT */
>  
>  uint8_t __wrap_qtest_readb(QTestState *s, uint64_t addr)
>  {
> -- 
> 2.26.2
>

Thomas Huth March 15, 2021, 5:14 a.m. UTC | #2

On 15/03/2021 00.29, Philippe Mathieu-Daudé wrote:
> Restrict CPU I/O instructions to architectures providing
> I/O bus.
> 
> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
> ---
>   tests/qtest/fuzz/generic_fuzz.c   | 16 ++++++++++------
>   tests/qtest/fuzz/qtest_wrappers.c |  4 ++++
>   2 files changed, 14 insertions(+), 6 deletions(-)
> 
> diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
> index ee8c17a04c4..3e0089f4a63 100644
> --- a/tests/qtest/fuzz/generic_fuzz.c
> +++ b/tests/qtest/fuzz/generic_fuzz.c
> @@ -304,6 +304,13 @@ static bool get_io_address(address_range *result, AddressSpace *as,
>       return cb_info.found;
>   }
>   
> +static bool get_mmio_address(address_range *result,
> +                             uint8_t index, uint32_t offset)
> +{
> +    return get_io_address(result, &address_space_memory, index, offset);
> +}
> +
> +#ifdef TARGET_HAS_IOPORT

Sorry, but the qtests are generic code, I don't think we should introduce 
target specific ifdefs here...?

  Thomas

Philippe Mathieu-Daudé March 15, 2021, 10:13 a.m. UTC | #3

On 3/15/21 6:14 AM, Thomas Huth wrote:
> On 15/03/2021 00.29, Philippe Mathieu-Daudé wrote:
>> Restrict CPU I/O instructions to architectures providing
>> I/O bus.
>>
>> Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
>> ---
>>   tests/qtest/fuzz/generic_fuzz.c   | 16 ++++++++++------
>>   tests/qtest/fuzz/qtest_wrappers.c |  4 ++++
>>   2 files changed, 14 insertions(+), 6 deletions(-)
>>
>> diff --git a/tests/qtest/fuzz/generic_fuzz.c
>> b/tests/qtest/fuzz/generic_fuzz.c
>> index ee8c17a04c4..3e0089f4a63 100644
>> --- a/tests/qtest/fuzz/generic_fuzz.c
>> +++ b/tests/qtest/fuzz/generic_fuzz.c
>> @@ -304,6 +304,13 @@ static bool get_io_address(address_range *result,
>> AddressSpace *as,
>>       return cb_info.found;
>>   }
>>   +static bool get_mmio_address(address_range *result,
>> +                             uint8_t index, uint32_t offset)
>> +{
>> +    return get_io_address(result, &address_space_memory, index, offset);
>> +}
>> +
>> +#ifdef TARGET_HAS_IOPORT
> 
> Sorry, but the qtests are generic code, I don't think we should
> introduce target specific ifdefs here...?
My view is if you want to generically access an I/O bus, you need
to do it via its address space, not the CPU architecture-specific
interface.

I.e., if an I/O bus is exposed by the PCI function of a south bridge,
if you use the correct PCI AS view you can run your test on any
architecture providing a PCI bus, not only X86.

So yes you are right, and the current code is abusing it. Yes it is
fixable but is it worthwhile? Apparently nobody cared, so probably
not worthwhile. Let's disregard this series for now.

Regards,

Phil.

Paolo Bonzini March 17, 2021, 5:47 p.m. UTC | #4

On 15/03/21 06:14, Thomas Huth wrote:
>> diff --git a/tests/qtest/fuzz/generic_fuzz.c 
>> b/tests/qtest/fuzz/generic_fuzz.c
>> index ee8c17a04c4..3e0089f4a63 100644
>> --- a/tests/qtest/fuzz/generic_fuzz.c
>> +++ b/tests/qtest/fuzz/generic_fuzz.c
>> @@ -304,6 +304,13 @@ static bool get_io_address(address_range *result, 
>> AddressSpace *as,
>>       return cb_info.found;
>>   }
>> +static bool get_mmio_address(address_range *result,
>> +                             uint8_t index, uint32_t offset)
>> +{
>> +    return get_io_address(result, &address_space_memory, index, offset);
>> +}
>> +
>> +#ifdef TARGET_HAS_IOPORT
> 
> Sorry, but the qtests are generic code, I don't think we should 
> introduce target specific ifdefs here...?

FWIW this is not a qtest, it's a separate emulator executable and this 
file is compiled per-target.

That said, your objection does apply to patch 5 since libqos is compiled 
only once for all targets.

Paolo

diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index ee8c17a04c4..3e0089f4a63 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -304,6 +304,13 @@  static bool get_io_address(address_range *result, AddressSpace *as,
     return cb_info.found;
 }
 
+static bool get_mmio_address(address_range *result,
+                             uint8_t index, uint32_t offset)
+{
+    return get_io_address(result, &address_space_memory, index, offset);
+}
+
+#ifdef TARGET_HAS_IOPORT
 static bool get_pio_address(address_range *result,
                             uint8_t index, uint16_t offset)
 {
@@ -318,12 +325,6 @@  static bool get_pio_address(address_range *result,
     return result->addr <= 0xFFFF ? found : false;
 }
 
-static bool get_mmio_address(address_range *result,
-                             uint8_t index, uint32_t offset)
-{
-    return get_io_address(result, &address_space_memory, index, offset);
-}
-
 static void op_in(QTestState *s, const unsigned char * data, size_t len)
 {
     enum Sizes {Byte, Word, Long, end_sizes};
@@ -395,6 +396,7 @@  static void op_out(QTestState *s, const unsigned char * data, size_t len)
         break;
     }
 }
+#endif /* TARGET_HAS_IOPORT */
 
 static void op_read(QTestState *s, const unsigned char * data, size_t len)
 {
@@ -626,8 +628,10 @@  static void handle_timeout(int sig)
 static void generic_fuzz(QTestState *s, const unsigned char *Data, size_t Size)
 {
     void (*ops[]) (QTestState *s, const unsigned char* , size_t) = {
+#ifdef TARGET_HAS_IOPORT
         [OP_IN]                 = op_in,
         [OP_OUT]                = op_out,
+#endif /* TARGET_HAS_IOPORT */
         [OP_READ]               = op_read,
         [OP_WRITE]              = op_write,
         [OP_PCI_READ]           = op_pci_read,
diff --git a/tests/qtest/fuzz/qtest_wrappers.c b/tests/qtest/fuzz/qtest_wrappers.c
index 921d1e5ed3a..d56dda9e9b8 100644
--- a/tests/qtest/fuzz/qtest_wrappers.c
+++ b/tests/qtest/fuzz/qtest_wrappers.c
@@ -24,12 +24,14 @@  static bool serialize = true;
     RET_TYPE __wrap_##NAME_AND_ARGS;\
     RET_TYPE __real_##NAME_AND_ARGS;
 
+#ifdef TARGET_HAS_IOPORT
 WRAP(uint8_t  , qtest_inb(QTestState *s, uint16_t addr))
 WRAP(uint16_t , qtest_inw(QTestState *s, uint16_t addr))
 WRAP(uint32_t , qtest_inl(QTestState *s, uint16_t addr))
 WRAP(void     , qtest_outb(QTestState *s, uint16_t addr, uint8_t value))
 WRAP(void     , qtest_outw(QTestState *s, uint16_t addr, uint16_t value))
 WRAP(void     , qtest_outl(QTestState *s, uint16_t addr, uint32_t value))
+#endif /* TARGET_HAS_IOPORT */
 WRAP(uint8_t  , qtest_readb(QTestState *s, uint64_t addr))
 WRAP(uint16_t , qtest_readw(QTestState *s, uint64_t addr))
 WRAP(uint32_t , qtest_readl(QTestState *s, uint64_t addr))
@@ -50,6 +52,7 @@  WRAP(void,      qtest_memset(QTestState *s, uint64_t addr,
                              uint8_t patt, size_t size))
 
 
+#ifdef TARGET_HAS_IOPORT
 uint8_t __wrap_qtest_inb(QTestState *s, uint16_t addr)
 {
     if (!serialize) {
@@ -103,6 +106,7 @@  void __wrap_qtest_outl(QTestState *s, uint16_t addr, uint32_t value)
         __real_qtest_outl(s, addr, value);
     }
 }
+#endif /* TARGET_HAS_IOPORT */
 
 uint8_t __wrap_qtest_readb(QTestState *s, uint64_t addr)
 {

[RFC,4/8] qtest/fuzz: Restrict CPU I/O instructions

Commit Message

Comments

Patch