qemu-devel

Re: [PATCH] fuzz: Add more i386 configurations for fuzzing


From: Alexander Bulekov
Subject: Re: [PATCH] fuzz: Add more i386 configurations for fuzzing
Date: Wed, 2 Dec 2020 11:40:02 -0500

On 201123 1343, Alexander Bulekov wrote:
> This adds configurations for fuzzing the following devices on oss-fuzz:
> 
> * vmxnet3
> CC: Dmitry Fleytman <dmitry.fleytman@gmail.com>
> * ne2k
> * pcnet
> * rtl8139
> CC: Jason Wang <jasowang@redhat.com>
> * eepro100
> CC: Stefan Weil <sw@weilnetz.de>
> * sdhci
> CC: Philippe Mathieu-Daudé <f4bug@amsat.org>
> * ehci
> * ohci
> * ac97
> * cs4231a
> * es1370
> * sb16
> CC: Gerd Hoffmann <kraxel@redhat.com>
> * megasas
> CC: Hannes Reinecke <hare@suse.com>
> * parallel
> CC: Michael S. Tsirkin <mst@redhat.com>
> CC: Paolo Bonzini <pbonzini@redhat.com>
> 
> Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
> ---
> 
> Hello,
> If you are CC-ed on this email, this patch will likely enable continuous
> fuzzing for a device that you are listed under in MAINTAINERS. If this is
> accepted, these devices will be continuously fuzzed over their PCI, PIO,
> MMIO and DMA interfaces. The fuzzer will start qemu with the arguments
> specified by ".args" and we will use the globs specified under
> ".objects" to match the Object/MemoryRegion names that we should fuzz.
> The fuzzer will find and report issues such as memory corruptions and
> aborts. For now, I am manually reproducing each issue and opening a
> bug report with a qtest-based reproducer, so the process is still quite
> flexible.
> 
> The current code coverage achieved by fuzzing using the
> existing configurations is available here:
> https://storage.googleapis.com/oss-fuzz-coverage/qemu/reports/20201122/linux/src/qemu/hw/report.html
> I am slowly trying to fill in the blanks.
> 
> I have little context for how useful these configurations are for
> fuzzing. I would appreciate it if you could Ack/Nack them or provide
> feedback if the devices should be configured differently. Of course, if
> you think we should be fuzzing some additional device configurations,
> you can also submit a patch adding the necessary lines to this
> generic_fuzz_configs.h file.
> Thanks
> -Alex
> 

Ping. We could just add all of these configurations and, later, remove
any that produce too many useless reports.
-Alex


>  tests/qtest/fuzz/generic_fuzz_configs.h | 80 +++++++++++++++++++++++++
>  1 file changed, 80 insertions(+)
> 
> diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h 
> b/tests/qtest/fuzz/generic_fuzz_configs.h
> index c4d925f9e6..0b1fe0f836 100644
> --- a/tests/qtest/fuzz/generic_fuzz_configs.h
> +++ b/tests/qtest/fuzz/generic_fuzz_configs.h
> @@ -115,6 +115,86 @@ const generic_fuzz_config predefined_configs[] = {
>          .name = "pc-q35",
>          .args = "-machine q35",
>          .objects = "*",
> +    },{
> +        .name = "vmxnet3",
> +        .args = "-machine q35 -nodefaults "
> +        "-device vmxnet3,netdev=net0 -netdev user,id=net0",
> +        .objects = "vmxnet3"
> +    },{
> +        .name = "ne2k_pci",
> +        .args = "-machine q35 -nodefaults "
> +        "-device ne2k_pci,netdev=net0 -netdev user,id=net0",
> +        .objects = "ne2k*"
> +    },{
> +        .name = "pcnet",
> +        .args = "-machine q35 -nodefaults "
> +        "-device pcnet,netdev=net0 -netdev user,id=net0",
> +        .objects = "pcnet"
> +    },{
> +        .name = "rtl8139",
> +        .args = "-machine q35 -nodefaults "
> +        "-device rtl8139,netdev=net0 -netdev user,id=net0",
> +        .objects = "rtl8139"
> +    },{
> +        .name = "i82550",
> +        .args = "-machine q35 -nodefaults "
> +        "-device i82550,netdev=net0 -netdev user,id=net0",
> +        .objects = "eepro*"
> +    },{
> +        .name = "sdhci-v3",
> +        .args = "-nodefaults -device sdhci-pci,sd-spec-version=3 "
> +        "-device sd-card,drive=mydrive "
> +        "-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive 
> -nographic",
> +        .objects = "sd*"
> +    },{
> +        .name = "ehci",
> +        .args = "-machine q35 -nodefaults "
> +        "-device ich9-usb-ehci1,bus=pcie.0,addr=1d.7,"
> +        "multifunction=on,id=ich9-ehci-1 "
> +        "-device ich9-usb-uhci1,bus=pcie.0,addr=1d.0,"
> +        "multifunction=on,masterbus=ich9-ehci-1.0,firstport=0 "
> +        "-device ich9-usb-uhci2,bus=pcie.0,addr=1d.1,"
> +        "multifunction=on,masterbus=ich9-ehci-1.0,firstport=2 "
> +        "-device ich9-usb-uhci3,bus=pcie.0,addr=1d.2,"
> +        "multifunction=on,masterbus=ich9-ehci-1.0,firstport=4 "
> +        "-drive if=none,id=usbcdrom,media=cdrom "
> +        "-device usb-tablet,bus=ich9-ehci-1.0,port=1,usb_version=1 "
> +        "-device usb-storage,bus=ich9-ehci-1.0,port=2,drive=usbcdrom",
> +        .objects = "*usb* *hci*",
> +    },{
> +        .name = "ohci",
> +        .args = "-machine q35 -nodefaults  -device pci-ohci -device usb-kbd",
> +        .objects = "*usb* *ohci*",
> +    },{
> +        .name = "megaraid",
> +        .args = "-machine q35 -nodefaults -device megasas -device 
> scsi-cd,drive=null0 "
> +        "-blockdev driver=null-co,read-zeroes=on,node-name=null0",
> +        .objects = "megasas*",
> +    },{
> +        .name = "ac97",
> +        .args = "-machine q35 -nodefaults "
> +        "-device ac97,audiodev=snd0 -audiodev none,id=snd0 -nodefaults",
> +        .objects = "ac97*",
> +    },{
> +        .name = "cs4231a",
> +        .args = "-machine q35 -nodefaults "
> +        "-device cs4231a,audiodev=snd0 -audiodev none,id=snd0 -nodefaults",
> +        .objects = "cs4231a* i8257*",
> +    },{
> +        .name = "es1370",
> +        .args = "-machine q35 -nodefaults "
> +        "-device es1370,audiodev=snd0 -audiodev none,id=snd0 -nodefaults",
> +        .objects = "es1370*",
> +    },{
> +        .name = "sb16",
> +        .args = "-machine q35 -nodefaults "
> +        "-device sb16,audiodev=snd0 -audiodev none,id=snd0 -nodefaults",
> +        .objects = "sb16* i8257*",
> +    },{
> +        .name = "parallel",
> +        .args = "-machine q35 -nodefaults "
> +        "-parallel file:/dev/null",
> +        .objects = "parallel*",
>      }
>  };
>  
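Review bot: the four audio entries (ac97, cs4231a, es1370, sb16) pass `-nodefaults` twice, once in the shared `"-machine q35 -nodefaults "` prefix and again at the end of `"-device ...,audiodev=snd0 -audiodev none,id=snd0 -nodefaults"`; it is harmless, but dropping the trailing copy keeps them consistent with the other entries. Two smaller points in the same hunk: the `ohci` line has a double space between `-nodefaults` and `-device`, and the `sdhci-v3` and `megaraid` `.args` strings appear line-wrapped by the mailer (`...,id=mydrive` / `-nographic",` and `-device` / `scsi-cd,drive=null0 "`), so as rendered here the string literals are split and would not compile; apply from the original patch, not this rendering. Also, `sdhci-v3` is the only entry without an explicit `-machine`, so it relies on the default i386 machine; an explicit `-machine q35` would make the intent clear, and note that several `.name` values differ from the device list in the cover letter (`ne2k` vs `ne2k_pci`, `eepro100` vs `i82550`, `megasas` vs `megaraid`), which reviewers looking for their device should be aware of.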
> -- 
> 2.28.0
> 
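As an added illustration (not QEMU's code and not part of this thread): how a whitespace-separated `.objects` glob list such as `*usb* *hci*` or `sb16* i8257*` from the hunk decides which Object/MemoryRegion names are fuzzed. The struct mirrors the three fields visible in the hunk, the matcher uses POSIX `fnmatch()`, and the region names are constructed samples, so the exact matching QEMU performs is an assumption.

```c
/* Added example, not QEMU's code. Models the ".objects" glob selection
 * described in the cover letter using POSIX fnmatch(); the struct layout
 * is assumed from the three fields seen in the hunk. */
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;    /* config name, e.g. "ehci" */
    const char *args;    /* qemu command line the fuzzer launches */
    const char *objects; /* whitespace-separated globs to fuzz */
} example_fuzz_config;

/* Constructed sample configs; the .objects strings are copied from the patch. */
static const example_fuzz_config sample_configs[] = {
    { "ne2k_pci", "-machine q35 -nodefaults -device ne2k_pci,netdev=net0 "
                  "-netdev user,id=net0", "ne2k*" },
    { "ehci",     "-machine q35 -nodefaults -device ich9-usb-ehci1 ...", "*usb* *hci*" },
    { "sb16",     "-machine q35 -nodefaults -device sb16,audiodev=snd0 "
                  "-audiodev none,id=snd0", "sb16* i8257*" },
};

/* True if region_name matches any glob in the objects list. */
bool objects_match(const char *objects, const char *region_name)
{
    char buf[256];
    if (strlen(objects) >= sizeof buf) {
        return false;                       /* list too long for this demo */
    }
    strcpy(buf, objects);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (fnmatch(tok, region_name, 0) == 0) {
            return true;                    /* first matching glob wins */
        }
    }
    return false;
}

/* Look up a config by name and test a region name against its globs. */
bool config_fuzzes_region(const char *config_name, const char *region_name)
{
    size_t n = sizeof sample_configs / sizeof sample_configs[0];
    for (size_t i = 0; i < n; i++) {
        if (strcmp(sample_configs[i].name, config_name) == 0) {
            return objects_match(sample_configs[i].objects, region_name);
        }
    }
    return false;                           /* unknown config fuzzes nothing */
}
```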


