Re: [RFC PATCH 0/3] fuzz: add generic fuzzer
From: Dima Stepanov
Subject: Re: [RFC PATCH 0/3] fuzz: add generic fuzzer
Date: Thu, 25 Jun 2020 18:30:32 +0300
User-agent: Mutt/1.5.24 (2015-08-30)
On Tue, Jun 23, 2020 at 03:16:01PM +0100, Stefan Hajnoczi wrote:
> On Thu, Jun 11, 2020 at 01:56:48AM -0400, Alexander Bulekov wrote:
> > These patches add a generic fuzzer for virtual devices. This should
> > allow us to fuzz devices that accept inputs over MMIO, PIO and DMA
> > without any device-specific code.
> >
> > Example:
> > QEMU_FUZZ_ARGS="-device virtio-net" \
> > FUZZ_REGION_WHITELIST="virtio pci-" \
> > ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz
> >
> > The above command will add a virtio-net device to the QEMU arguments and
> > restrict the fuzzer to only interact with MMIO and PIO regions with
> > names that contain "virtio" or "pci-". I find these names using the info
> > mtree monitor command.
> >
> > Basically, the fuzzer splits the input into a series of commands, such
> > as mmio_write, pio_write, etc. Additionally, these patches add "hooks"
> > to functions that are typically used by virtual-devices to read from RAM
> > (DMA). These hooks attempt to populate these DMA regions with fuzzed
> > data, just in time. There are some differences from my reference code
> > that seem to result in performance issues that I am still trying to iron
> > out. I also need to figure out how to add the DMA "hooks" in a neat way.
> > Maybe I can use -Wl,--wrap for this. I appreciate any feedback.
> >
> > Alexander Bulekov (3):
> > fuzz: add a general fuzzer for any qemu arguments
> > fuzz: add support for fuzzing DMA regions
> > fuzz: Add callbacks for dma-access functions
> >
> > exec.c | 17 +-
> > include/exec/memory.h | 8 +
> > include/exec/memory_ldst_cached.inc.h | 9 +
> > include/sysemu/dma.h | 5 +-
> > memory_ldst.inc.c | 12 +
> > tests/qtest/fuzz/Makefile.include | 1 +
> > tests/qtest/fuzz/general_fuzz.c | 556 ++++++++++++++++++++++++++
> > 7 files changed, 606 insertions(+), 2 deletions(-)
> > create mode 100644 tests/qtest/fuzz/general_fuzz.c
>
> CCing Dima in case he is interested in this generic fuzzing approach.
>
> Stefan
Thanks for adding me, going to look into it this weekend.
Dima.
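The cover letter quoted above describes two mechanisms: the fuzzer splits its raw input into a sequence of typed commands (mmio_write, pio_write, and so on), and FUZZ_REGION_WHITELIST restricts it to memory regions whose names contain one of the given substrings. The following C program is an added, constructed illustration of both, not code from the series or from QEMU's tests/qtest/fuzz/general_fuzz.c. The command encoding (one opcode byte, two little-endian 32-bit fields, one size byte), the g_cmds/decode_sample helpers and the sample input bytes are assumptions made here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not the encoding used by general_fuzz.c:
 * one opcode byte, 32-bit addr, 32-bit value, one size byte. */
enum fuzz_op {
    OP_MMIO_READ = 0,
    OP_MMIO_WRITE,
    OP_PIO_READ,
    OP_PIO_WRITE,
    OP_COUNT            /* number of opcodes; used to fold any byte into range */
};

struct fuzz_cmd {
    enum fuzz_op op;
    uint32_t addr;      /* offset within the selected region */
    uint32_t value;     /* payload for writes; unused for reads */
    uint8_t size;       /* access width: 1, 2 or 4 */
};

#define CMD_LEN 10u     /* 1 op + 4 addr + 4 value + 1 size */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode complete commands from buf into out. A trailing partial command is
 * dropped rather than padded, so the decoder never reads past len. Opcode and
 * size bytes are folded into range so no input is "invalid", which keeps the
 * search space dense for the fuzzer. Returns the number of commands decoded. */
size_t decode_fuzz_input(const uint8_t *buf, size_t len,
                         struct fuzz_cmd *out, size_t max_cmds)
{
    size_t n = 0, pos = 0;

    while (n < max_cmds && len - pos >= CMD_LEN) {
        out[n].op = (enum fuzz_op)(buf[pos] % OP_COUNT);
        out[n].addr = le32(buf + pos + 1);
        out[n].value = le32(buf + pos + 5);
        out[n].size = (uint8_t)(1u << (buf[pos + 9] % 3));  /* 1, 2 or 4 */
        pos += CMD_LEN;
        n++;
    }
    return n;
}

/* FUZZ_REGION_WHITELIST semantics as described in the cover letter: a region
 * is eligible when its name contains any space-separated pattern. Tokenizing
 * by hand avoids strtok's global state and any copy of the whitelist. */
int region_allowed(const char *region_name, const char *whitelist)
{
    const char *p = whitelist;

    while (*p) {
        const char *start, *r;
        size_t n;

        while (*p == ' ') {
            p++;
        }
        if (!*p) {
            break;
        }
        start = p;
        while (*p && *p != ' ') {
            p++;
        }
        n = (size_t)(p - start);
        for (r = region_name; strlen(r) >= n; r++) {
            if (strncmp(r, start, n) == 0) {
                return 1;
            }
        }
    }
    return 0;
}

/* Constructed sample input: two complete commands plus one stray byte that
 * must be ignored by the decoder. */
static const uint8_t sample_input[] = {
    0x01, 0x10, 0x00, 0x00, 0x00, 0x78, 0x56, 0x34, 0x12, 0x02,  /* mmio_write */
    0x07, 0xc0, 0x03, 0x00, 0x00, 0xaa, 0x00, 0x00, 0x00, 0x01,  /* pio_write  */
    0xff                                                         /* truncated  */
};

struct fuzz_cmd g_cmds[4];   /* decoded commands from the sample input */

size_t decode_sample(void)
{
    return decode_fuzz_input(sample_input, sizeof(sample_input), g_cmds, 4);
}

int main(void)
{
    static const char *ops[] = { "mmio_read", "mmio_write", "pio_read", "pio_write" };
    size_t n = decode_sample(), i;

    for (i = 0; i < n; i++) {
        printf("%-10s addr=0x%lx value=0x%lx size=%u\n", ops[g_cmds[i].op],
               (unsigned long)g_cmds[i].addr, (unsigned long)g_cmds[i].value,
               (unsigned)g_cmds[i].size);
    }
    printf("virtio-net-pci allowed: %d\n", region_allowed("virtio-net-pci", "virtio pci-"));
    printf("e1000-mmio allowed:     %d\n", region_allowed("e1000-mmio", "virtio pci-"));
    return 0;
}
```

The point of folding opcode and size bytes modulo their valid range, rather than rejecting out-of-range values, is that a coverage-guided fuzzer wastes far fewer executions when every byte sequence decodes to some legal command; dropping the trailing partial command is the bounds check that keeps the decoder itself from becoming the out-of-bounds read.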