Message ID | 20200129053357.27454-16-alxndr@bu.edu |
---|---|
State | New |
Headers | show |
Series | [v8,01/21] softmmu: split off vl.c:main() into main.c | expand |
On Wed, Jan 29, 2020 at 05:34:24AM +0000, Bulekov, Alexander wrote: >Signed-off-by: Alexander Bulekov <alxndr@bu.edu> >Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> >--- > tests/qtest/fuzz/Makefile.include | 2 + > tests/qtest/fuzz/qos_fuzz.c | 229 ++++++++++++++++++++++++++++++ > tests/qtest/fuzz/qos_fuzz.h | 33 +++++ > 3 files changed, 264 insertions(+) > create mode 100644 tests/qtest/fuzz/qos_fuzz.c > create mode 100644 tests/qtest/fuzz/qos_fuzz.h > >diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include >index a90915d56d..e3bdd33ff4 100644 >--- a/tests/qtest/fuzz/Makefile.include >+++ b/tests/qtest/fuzz/Makefile.include >@@ -1,8 +1,10 @@ > QEMU_PROG_FUZZ=qemu-fuzz-$(TARGET_NAME)$(EXESUF) > > fuzz-obj-y += tests/qtest/libqtest.o >+fuzz-obj-y += $(libqos-obj-y) > fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton > fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o >+fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o > > FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest > >diff --git a/tests/qtest/fuzz/qos_fuzz.c b/tests/qtest/fuzz/qos_fuzz.c >new file mode 100644 >index 0000000000..efdcc6e9d3 >--- /dev/null >+++ b/tests/qtest/fuzz/qos_fuzz.c >@@ -0,0 +1,229 @@ >+/* >+ * QOS-assisted fuzzing helpers >+ * >+ * Copyright (c) 2018 Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com> >+ * >+ * This library is free software; you can redistribute it and/or >+ * modify it under the terms of the GNU Lesser General Public >+ * License version 2 as published by the Free Software Foundation. >+ * >+ * This library is distributed in the hope that it will be useful, >+ * but WITHOUT ANY WARRANTY; without even the implied warranty of >+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU >+ * Lesser General Public License for more details. >+ * >+ * You should have received a copy of the GNU Lesser General Public >+ * License along with this library; if not, see <http://www.gnu.org/licenses/> >+ */ >+ >+#include "qemu/osdep.h" >+#include "qemu/units.h" >+#include "qapi/error.h" >+#include "qemu-common.h" >+#include "exec/memory.h" >+#include "exec/address-spaces.h" >+#include "sysemu/sysemu.h" >+#include "qemu/main-loop.h" >+ >+#include "tests/qtest/libqtest.h" >+#include "tests/qtest/libqos/malloc.h" >+#include "tests/qtest/libqos/qgraph.h" >+#include "tests/qtest/libqos/qgraph_internal.h" >+#include "tests/qtest/libqos/qos_external.h" >+ >+#include "fuzz.h" >+#include "qos_fuzz.h" >+ >+#include "qapi/qapi-commands-machine.h" >+#include "qapi/qapi-commands-qom.h" >+#include "qapi/qmp/qlist.h" >+ >+ >+void *fuzz_qos_obj; >+QGuestAllocator *fuzz_qos_alloc; >+ >+static const char *fuzz_target_name; >+static char **fuzz_path_vec; >+ >+/* >+ * Replaced the qmp commands with direct qmp_marshal calls. >+ * Probably there is a better way to do this >+ */ >+static void qos_set_machines_devices_available(void) >+{ >+ QDict *req = qdict_new(); >+ QObject *response; >+ QDict *args = qdict_new(); >+ QList *lst; >+ Error *err = NULL; >+ >+ qmp_marshal_query_machines(NULL, &response, &err); >+ assert(!err); >+ lst = qobject_to(QList, response); >+ apply_to_qlist(lst, true); >+ >+ qobject_unref(response); >+ >+ >+ qdict_put_str(req, "execute", "qom-list-types"); >+ qdict_put_str(args, "implements", "device"); >+ qdict_put_bool(args, "abstract", true); >+ qdict_put_obj(req, "arguments", (QObject *) args); >+ >+ qmp_marshal_qom_list_types(args, &response, &err); >+ assert(!err); >+ lst = qobject_to(QList, response); >+ apply_to_qlist(lst, false); >+ qobject_unref(response); >+ qobject_unref(req); >+} >+ >+static char **current_path; >+ >+void *qos_allocate_objects(QTestState *qts, QGuestAllocator **p_alloc) >+{ >+ return allocate_objects(qts, current_path + 1, p_alloc); >+} >+ >+static const char *qos_build_main_args(void) >+{ >+ char **path = fuzz_path_vec; Is it possible that fuzz_path_vec is not valid here? Specifically, how likely is it that walk_path() won't ever set it, or that it results in a possible previous value being used since we don't reset it before calling qos_graph_foreach_test_path() in qos_get_cmdline(). Thanks, Darren. >+ QOSGraphNode *test_node; >+ GString *cmd_line = g_string_new(path[0]); >+ void *test_arg; >+ >+ /* Before test */ >+ current_path = path; >+ test_node = qos_graph_get_node(path[(g_strv_length(path) - 1)]); >+ test_arg = test_node->u.test.arg; >+ if (test_node->u.test.before) { >+ test_arg = test_node->u.test.before(cmd_line, test_arg); >+ } >+ /* Prepend the arguments that we need */ >+ g_string_prepend(cmd_line, >+ TARGET_NAME " -display none -machine accel=qtest -m 64 "); >+ return cmd_line->str; >+} >+ >+/* >+ * This function is largely a copy of qos-test.c:walk_path. Since walk_path >+ * is itself a callback, its a little annoying to add another argument/layer of >+ * indirection >+ */ >+static void walk_path(QOSGraphNode *orig_path, int len) >+{ >+ QOSGraphNode *path; >+ QOSGraphEdge *edge; >+ >+ /* etype set to QEDGE_CONSUMED_BY so that machine can add to the command line */ >+ QOSEdgeType etype = QEDGE_CONSUMED_BY; >+ >+ /* twice QOS_PATH_MAX_ELEMENT_SIZE since each edge can have its arg */ >+ char **path_vec = g_new0(char *, (QOS_PATH_MAX_ELEMENT_SIZE * 2)); >+ int path_vec_size = 0; >+ >+ char *after_cmd, *before_cmd, *after_device; >+ GString *after_device_str = g_string_new(""); >+ char *node_name = orig_path->name, *path_str; >+ >+ GString *cmd_line = g_string_new(""); >+ GString *cmd_line2 = g_string_new(""); >+ >+ path = qos_graph_get_node(node_name); /* root */ >+ node_name = qos_graph_edge_get_dest(path->path_edge); /* machine name */ >+ >+ path_vec[path_vec_size++] = node_name; >+ path_vec[path_vec_size++] = qos_get_machine_type(node_name); >+ >+ for (;;) { >+ path = qos_graph_get_node(node_name); >+ if (!path->path_edge) { >+ break; >+ } >+ >+ node_name = qos_graph_edge_get_dest(path->path_edge); >+ >+ /* append node command line + previous edge command line */ >+ if (path->command_line && etype == QEDGE_CONSUMED_BY) { >+ g_string_append(cmd_line, path->command_line); >+ g_string_append(cmd_line, after_device_str->str); >+ g_string_truncate(after_device_str, 0); >+ } >+ >+ path_vec[path_vec_size++] = qos_graph_edge_get_name(path->path_edge); >+ /* detect if edge has command line args */ >+ after_cmd = qos_graph_edge_get_after_cmd_line(path->path_edge); >+ after_device = qos_graph_edge_get_extra_device_opts(path->path_edge); >+ before_cmd = qos_graph_edge_get_before_cmd_line(path->path_edge); >+ edge = qos_graph_get_edge(path->name, node_name); >+ etype = qos_graph_edge_get_type(edge); >+ >+ if (before_cmd) { >+ g_string_append(cmd_line, before_cmd); >+ } >+ if (after_cmd) { >+ g_string_append(cmd_line2, after_cmd); >+ } >+ if (after_device) { >+ g_string_append(after_device_str, after_device); >+ } >+ } >+ >+ path_vec[path_vec_size++] = NULL; >+ g_string_append(cmd_line, after_device_str->str); >+ g_string_free(after_device_str, true); >+ >+ g_string_append(cmd_line, cmd_line2->str); >+ g_string_free(cmd_line2, true); >+ >+ /* >+ * here position 0 has <arch>/<machine>, position 1 has <machine>. >+ * The path must not have the <arch>, qtest_add_data_func adds it. >+ */ >+ path_str = g_strjoinv("/", path_vec + 1); >+ >+ /* Check that this is the test we care about: */ >+ char *test_name = strrchr(path_str, '/') + 1; >+ if (strcmp(test_name, fuzz_target_name) == 0) { >+ /* >+ * put arch/machine in position 1 so run_one_test can do its work >+ * and add the command line at position 0. >+ */ >+ path_vec[1] = path_vec[0]; >+ path_vec[0] = g_string_free(cmd_line, false); >+ >+ fuzz_path_vec = path_vec; >+ } else { >+ g_free(path_vec); >+ } >+ >+ g_free(path_str); >+} >+ >+static const char *qos_get_cmdline(FuzzTarget *t) >+{ >+ /* >+ * Set a global variable that we use to identify the qos_path for our >+ * fuzz_target >+ */ >+ fuzz_target_name = t->name; >+ qos_set_machines_devices_available(); >+ qos_graph_foreach_test_path(walk_path); >+ return qos_build_main_args(); >+} >+ >+void fuzz_add_qos_target( >+ FuzzTarget *fuzz_opts, >+ const char *interface, >+ QOSGraphTestOptions *opts >+ ) >+{ >+ qos_add_test(fuzz_opts->name, interface, NULL, opts); >+ fuzz_opts->get_init_cmdline = qos_get_cmdline; >+ fuzz_add_target(fuzz_opts); >+} >+ >+void qos_init_path(QTestState *s) >+{ >+ fuzz_qos_obj = qos_allocate_objects(s , &fuzz_qos_alloc); >+} >diff --git a/tests/qtest/fuzz/qos_fuzz.h b/tests/qtest/fuzz/qos_fuzz.h >new file mode 100644 >index 0000000000..477f11b02b >--- /dev/null >+++ b/tests/qtest/fuzz/qos_fuzz.h >@@ -0,0 +1,33 @@ >+/* >+ * QOS-assisted fuzzing helpers >+ * >+ * Copyright Red Hat Inc., 2019 >+ * >+ * Authors: >+ * Alexander Bulekov <alxndr@bu.edu> >+ * >+ * This work is licensed under the terms of the GNU GPL, version 2 or later. >+ * See the COPYING file in the top-level directory. >+ */ >+ >+#ifndef _QOS_FUZZ_H_ >+#define _QOS_FUZZ_H_ >+ >+#include "tests/qtest/fuzz/fuzz.h" >+#include "tests/qtest/libqos/qgraph.h" >+ >+int qos_fuzz(const unsigned char *Data, size_t Size); >+void qos_setup(void); >+ >+extern void *fuzz_qos_obj; >+extern QGuestAllocator *fuzz_qos_alloc; >+ >+void fuzz_add_qos_target( >+ FuzzTarget *fuzz_opts, >+ const char *interface, >+ QOSGraphTestOptions *opts >+ ); >+ >+void qos_init_path(QTestState *); >+ >+#endif >-- >2.23.0 > >
On 200205 1318, Darren Kenny wrote: > On Wed, Jan 29, 2020 at 05:34:24AM +0000, Bulekov, Alexander wrote: > > Signed-off-by: Alexander Bulekov <alxndr@bu.edu> > > Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> > > --- > > <snip> > > + return allocate_objects(qts, current_path + 1, p_alloc); > > +} > > + > > +static const char *qos_build_main_args(void) > > +{ > > + char **path = fuzz_path_vec; > > Is it possible that fuzz_path_vec is not valid here? Specifically, > how likely is it that walk_path() won't ever set it, or that it > results in a possible previous value being used since we don't reset > it before calling qos_graph_foreach_test_path() in > qos_get_cmdline(). Hi Darren, Maybe this can happen if the target doesn't support a particular device. I added a check -Alex > Thanks, > > Darren. >
diff --git a/tests/qtest/fuzz/Makefile.include b/tests/qtest/fuzz/Makefile.include index a90915d56d..e3bdd33ff4 100644 --- a/tests/qtest/fuzz/Makefile.include +++ b/tests/qtest/fuzz/Makefile.include @@ -1,8 +1,10 @@ QEMU_PROG_FUZZ=qemu-fuzz-$(TARGET_NAME)$(EXESUF) fuzz-obj-y += tests/qtest/libqtest.o +fuzz-obj-y += $(libqos-obj-y) fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o +fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest diff --git a/tests/qtest/fuzz/qos_fuzz.c b/tests/qtest/fuzz/qos_fuzz.c new file mode 100644 index 0000000000..efdcc6e9d3 --- /dev/null +++ b/tests/qtest/fuzz/qos_fuzz.c @@ -0,0 +1,229 @@ +/* + * QOS-assisted fuzzing helpers + * + * Copyright (c) 2018 Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License version 2 as published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see <http://www.gnu.org/licenses/> + */ + +#include "qemu/osdep.h" +#include "qemu/units.h" +#include "qapi/error.h" +#include "qemu-common.h" +#include "exec/memory.h" +#include "exec/address-spaces.h" +#include "sysemu/sysemu.h" +#include "qemu/main-loop.h" + +#include "tests/qtest/libqtest.h" +#include "tests/qtest/libqos/malloc.h" +#include "tests/qtest/libqos/qgraph.h" +#include "tests/qtest/libqos/qgraph_internal.h" +#include "tests/qtest/libqos/qos_external.h" + +#include "fuzz.h" +#include "qos_fuzz.h" + +#include "qapi/qapi-commands-machine.h" +#include "qapi/qapi-commands-qom.h" +#include "qapi/qmp/qlist.h" + + +void *fuzz_qos_obj; +QGuestAllocator *fuzz_qos_alloc; + +static const char *fuzz_target_name; +static char **fuzz_path_vec; + +/* + * Replaced the qmp commands with direct qmp_marshal calls. + * Probably there is a better way to do this + */ +static void qos_set_machines_devices_available(void) +{ + QDict *req = qdict_new(); + QObject *response; + QDict *args = qdict_new(); + QList *lst; + Error *err = NULL; + + qmp_marshal_query_machines(NULL, &response, &err); + assert(!err); + lst = qobject_to(QList, response); + apply_to_qlist(lst, true); + + qobject_unref(response); + + + qdict_put_str(req, "execute", "qom-list-types"); + qdict_put_str(args, "implements", "device"); + qdict_put_bool(args, "abstract", true); + qdict_put_obj(req, "arguments", (QObject *) args); + + qmp_marshal_qom_list_types(args, &response, &err); + assert(!err); + lst = qobject_to(QList, response); + apply_to_qlist(lst, false); + qobject_unref(response); + qobject_unref(req); +} + +static char **current_path; + +void *qos_allocate_objects(QTestState *qts, QGuestAllocator **p_alloc) +{ + return allocate_objects(qts, current_path + 1, p_alloc); +} + +static const char *qos_build_main_args(void) +{ + char **path = fuzz_path_vec; + QOSGraphNode *test_node; + GString *cmd_line = g_string_new(path[0]); + void *test_arg; + + /* Before test */ + current_path = path; + test_node = qos_graph_get_node(path[(g_strv_length(path) - 1)]); + test_arg = test_node->u.test.arg; + if (test_node->u.test.before) { + test_arg = test_node->u.test.before(cmd_line, test_arg); + } + /* Prepend the arguments that we need */ + g_string_prepend(cmd_line, + TARGET_NAME " -display none -machine accel=qtest -m 64 "); + return cmd_line->str; +} + +/* + * This function is largely a copy of qos-test.c:walk_path. Since walk_path + * is itself a callback, its a little annoying to add another argument/layer of + * indirection + */ +static void walk_path(QOSGraphNode *orig_path, int len) +{ + QOSGraphNode *path; + QOSGraphEdge *edge; + + /* etype set to QEDGE_CONSUMED_BY so that machine can add to the command line */ + QOSEdgeType etype = QEDGE_CONSUMED_BY; + + /* twice QOS_PATH_MAX_ELEMENT_SIZE since each edge can have its arg */ + char **path_vec = g_new0(char *, (QOS_PATH_MAX_ELEMENT_SIZE * 2)); + int path_vec_size = 0; + + char *after_cmd, *before_cmd, *after_device; + GString *after_device_str = g_string_new(""); + char *node_name = orig_path->name, *path_str; + + GString *cmd_line = g_string_new(""); + GString *cmd_line2 = g_string_new(""); + + path = qos_graph_get_node(node_name); /* root */ + node_name = qos_graph_edge_get_dest(path->path_edge); /* machine name */ + + path_vec[path_vec_size++] = node_name; + path_vec[path_vec_size++] = qos_get_machine_type(node_name); + + for (;;) { + path = qos_graph_get_node(node_name); + if (!path->path_edge) { + break; + } + + node_name = qos_graph_edge_get_dest(path->path_edge); + + /* append node command line + previous edge command line */ + if (path->command_line && etype == QEDGE_CONSUMED_BY) { + g_string_append(cmd_line, path->command_line); + g_string_append(cmd_line, after_device_str->str); + g_string_truncate(after_device_str, 0); + } + + path_vec[path_vec_size++] = qos_graph_edge_get_name(path->path_edge); + /* detect if edge has command line args */ + after_cmd = qos_graph_edge_get_after_cmd_line(path->path_edge); + after_device = qos_graph_edge_get_extra_device_opts(path->path_edge); + before_cmd = qos_graph_edge_get_before_cmd_line(path->path_edge); + edge = qos_graph_get_edge(path->name, node_name); + etype = qos_graph_edge_get_type(edge); + + if (before_cmd) { + g_string_append(cmd_line, before_cmd); + } + if (after_cmd) { + g_string_append(cmd_line2, after_cmd); + } + if (after_device) { + g_string_append(after_device_str, after_device); + } + } + + path_vec[path_vec_size++] = NULL; + g_string_append(cmd_line, after_device_str->str); + g_string_free(after_device_str, true); + + g_string_append(cmd_line, cmd_line2->str); + g_string_free(cmd_line2, true); + + /* + * here position 0 has <arch>/<machine>, position 1 has <machine>. + * The path must not have the <arch>, qtest_add_data_func adds it. + */ + path_str = g_strjoinv("/", path_vec + 1); + + /* Check that this is the test we care about: */ + char *test_name = strrchr(path_str, '/') + 1; + if (strcmp(test_name, fuzz_target_name) == 0) { + /* + * put arch/machine in position 1 so run_one_test can do its work + * and add the command line at position 0. + */ + path_vec[1] = path_vec[0]; + path_vec[0] = g_string_free(cmd_line, false); + + fuzz_path_vec = path_vec; + } else { + g_free(path_vec); + } + + g_free(path_str); +} + +static const char *qos_get_cmdline(FuzzTarget *t) +{ + /* + * Set a global variable that we use to identify the qos_path for our + * fuzz_target + */ + fuzz_target_name = t->name; + qos_set_machines_devices_available(); + qos_graph_foreach_test_path(walk_path); + return qos_build_main_args(); +} + +void fuzz_add_qos_target( + FuzzTarget *fuzz_opts, + const char *interface, + QOSGraphTestOptions *opts + ) +{ + qos_add_test(fuzz_opts->name, interface, NULL, opts); + fuzz_opts->get_init_cmdline = qos_get_cmdline; + fuzz_add_target(fuzz_opts); +} + +void qos_init_path(QTestState *s) +{ + fuzz_qos_obj = qos_allocate_objects(s , &fuzz_qos_alloc); +} diff --git a/tests/qtest/fuzz/qos_fuzz.h b/tests/qtest/fuzz/qos_fuzz.h new file mode 100644 index 0000000000..477f11b02b --- /dev/null +++ b/tests/qtest/fuzz/qos_fuzz.h @@ -0,0 +1,33 @@ +/* + * QOS-assisted fuzzing helpers + * + * Copyright Red Hat Inc., 2019 + * + * Authors: + * Alexander Bulekov <alxndr@bu.edu> + * + * This work is licensed under the terms of the GNU GPL, version 2 or later. + * See the COPYING file in the top-level directory. + */ + +#ifndef _QOS_FUZZ_H_ +#define _QOS_FUZZ_H_ + +#include "tests/qtest/fuzz/fuzz.h" +#include "tests/qtest/libqos/qgraph.h" + +int qos_fuzz(const unsigned char *Data, size_t Size); +void qos_setup(void); + +extern void *fuzz_qos_obj; +extern QGuestAllocator *fuzz_qos_alloc; + +void fuzz_add_qos_target( + FuzzTarget *fuzz_opts, + const char *interface, + QOSGraphTestOptions *opts + ); + +void qos_init_path(QTestState *); + +#endif