Re: [RFC PATCH 0/3] fuzz: add generic fuzzer
From: Stefan Hajnoczi
Subject: Re: [RFC PATCH 0/3] fuzz: add generic fuzzer
Date: Tue, 23 Jun 2020 15:16:01 +0100
On Thu, Jun 11, 2020 at 01:56:48AM -0400, Alexander Bulekov wrote:
> These patches add a generic fuzzer for virtual devices. This should
> allow us to fuzz devices that accept inputs over MMIO, PIO and DMA
> without any device-specific code.
>
> Example:
> QEMU_FUZZ_ARGS="-device virtio-net" \
> FUZZ_REGION_WHITELIST="virtio pci-" \
> ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz
>
> The above command will add a virtio-net device to the QEMU arguments and
> restrict the fuzzer to only interact with MMIO and PIO regions with
> names that contain "virtio" or "pci-". I find these names using the info
> mtree monitor command.
>
> Basically, the fuzzer splits the input into a series of commands, such
> as mmio_write, pio_write, etc. Additionally, these patches add "hooks"
> to functions that are typically used by virtual-devices to read from RAM
> (DMA). These hooks attempt to populate these DMA regions with fuzzed
> data, just in time. There are some differences from my reference code
> that seem to result in performance issues that I am still trying to iron
> out. I also need to figure out how to add the DMA "hooks" in a neat way.
> Maybe I can use -Wl,--wrap for this. I appreciate any feedback.
>
> Alexander Bulekov (3):
> fuzz: add a general fuzzer for any qemu arguments
> fuzz: add support for fuzzing DMA regions
> fuzz: Add callbacks for dma-access functions
>
> exec.c | 17 +-
> include/exec/memory.h | 8 +
> include/exec/memory_ldst_cached.inc.h | 9 +
> include/sysemu/dma.h | 5 +-
> memory_ldst.inc.c | 12 +
> tests/qtest/fuzz/Makefile.include | 1 +
> tests/qtest/fuzz/general_fuzz.c | 556 ++++++++++++++++++++++++++
> 7 files changed, 606 insertions(+), 2 deletions(-)
> create mode 100644 tests/qtest/fuzz/general_fuzz.c
CCing Dima in case he is interested in this generic fuzzing approach.
Stefan
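As an added illustration, not code from the patch series or from QEMU: a small model of the two mechanisms the cover letter describes, splitting a fuzzer input into a sequence of mmio/pio commands and restricting them to regions whose names match a space-separated whitelist such as FUZZ_REGION_WHITELIST="virtio pci-". The opcode values, the 9-byte command layout and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed opcode set; a byte is reduced modulo CMD_COUNT so every input byte
 * maps to a valid command and the fuzzer never rejects a mutated input. */
enum cmd_op { CMD_MMIO_READ, CMD_MMIO_WRITE, CMD_PIO_READ, CMD_PIO_WRITE, CMD_COUNT };

struct cmd {
    enum cmd_op op;
    uint32_t addr;
    uint32_t val;
};

/* Does a memory-region name (as shown by "info mtree") contain any of the
 * space-separated substrings in the whitelist? "virtio pci-" matches both
 * "virtio-net-pci" and "pci-conf-idx" but not "e1000-mmio". */
int region_allowed(const char *name, const char *whitelist)
{
    char buf[256];
    strncpy(buf, whitelist, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (strstr(name, tok)) {
            return 1;
        }
    }
    return 0;
}

/* Decode a 32-bit little-endian value independent of host byte order. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Split raw fuzzer input into commands: 1 opcode byte, 4 address bytes,
 * 4 value bytes. A truncated trailing command is ignored rather than
 * treated as an error. Returns the number of commands decoded. */
size_t split_input(const uint8_t *data, size_t len, struct cmd *out, size_t max)
{
    size_t n = 0;
    while (len >= 9 && n < max) {
        out[n].op = (enum cmd_op)(data[0] % CMD_COUNT);
        out[n].addr = le32(data + 1);
        out[n].val = le32(data + 5);
        n++;
        data += 9;
        len -= 9;
    }
    return n;
}
```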