On Tue, Jun 23, 2020 at 03:16:01PM +0100, Stefan Hajnoczi wrote:
> On Thu, Jun 11, 2020 at 01:56:48AM -0400, Alexander Bulekov wrote:
> > These patches add a generic fuzzer for virtual devices. This should
> > allow us to fuzz devices that accept inputs over MMIO, PIO and DMA
> > without any device-specific code.
> >
> > Example:
> > QEMU_FUZZ_ARGS="-device virtio-net" \
> > FUZZ_REGION_WHITELIST="virtio pci-" \
> > ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=general-pci-enum-fuzz
> >
> > The above command will add a virtio-net device to the QEMU arguments and
> > restrict the fuzzer to only interact with MMIO and PIO regions with
> > names that contain "virtio" or "pci-". I find these names using the info
> > mtree monitor command.
> >
> > Basically, the fuzzer splits the input into a series of commands, such
> > as mmio_write, pio_write, etc. Additionally, these patches add "hooks"
> > to functions that are typically used by virtual-devices to read from RAM
> > (DMA). These hooks attempt to populate these DMA regions with fuzzed
> > data, just in time. There are some differences from my reference code
> > that seem to result in performance issues that I am still trying to iron
> > out. I also need to figure out how to add the DMA "hooks" in a neat way.
> > Maybe I can use -Wl,--wrap for this. I appreciate any feedback.
> >
> > Alexander Bulekov (3):
> >   fuzz: add a general fuzzer for any qemu arguments
> >   fuzz: add support for fuzzing DMA regions
> >   fuzz: Add callbacks for dma-access functions
> >
> >  exec.c                                |  17 +-
> >  include/exec/memory.h                 |   8 +
> >  include/exec/memory_ldst_cached.inc.h |   9 +
> >  include/sysemu/dma.h                  |   5 +-
> >  memory_ldst.inc.c                     |  12 +
> >  tests/qtest/fuzz/Makefile.include     |   1 +
> >  tests/qtest/fuzz/general_fuzz.c       | 556 ++++++++++++++++++++++++++
> >  7 files changed, 606 insertions(+), 2 deletions(-)
> >  create mode 100644 tests/qtest/fuzz/general_fuzz.c
>
> CCing Dima in case he is interested in this generic fuzzing approach.
>
> Stefan

Thanks for adding me, going to look into it this weekend.
Dima.
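The cover letter above describes two mechanics: the fuzzer splits its raw input into a series of commands (mmio_write, pio_write, ...), and FUZZ_REGION_WHITELIST restricts those commands to MMIO/PIO regions whose names contain one of the listed substrings. The following is an added example of that decoding and filtering step, written for this page; it is not QEMU's general_fuzz.c and does not use its encoding. The 18-byte command layout, the opcode numbering, the region table (standing in for "info mtree" output) and the fake register-file device are all constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed for this example: the kinds of command the input is split into. */
enum op { OP_MMIO_READ, OP_MMIO_WRITE, OP_PIO_READ, OP_PIO_WRITE, OP_COUNT };

struct cmd { uint8_t op; uint8_t size; uint64_t addr; uint64_t value; };

/* Constructed region table standing in for "info mtree" output (assumption). */
struct region { const char *name; int is_pio; uint64_t base; uint64_t size; };
static const struct region regions[] = {
    { "virtio-pci",    0, 0xfe000000, 0x4000 },
    { "pci-conf-idx",  1, 0x0cf8,     4 },
    { "pci-conf-data", 1, 0x0cfc,     4 },
    { "pc.ram",        0, 0x0,        0x8000000 },  /* not whitelisted by "virtio pci-" */
    { "vga-lowmem",    0, 0xa0000,    0x20000 },
};
#define N_REGIONS (sizeof(regions) / sizeof(regions[0]))

/* Fake device state (assumption): register files indexed by offset in the region. */
struct device { uint64_t mmio_regs[32]; uint64_t pio_regs[4]; unsigned n_mmio, n_pio; };

/* A region is eligible if any space-separated whitelist token is a substring
 * of its name, mirroring the FUZZ_REGION_WHITELIST semantics described above. */
static int region_allowed(const char *name, const char *whitelist) {
    char buf[128];
    strncpy(buf, whitelist, sizeof buf - 1); buf[sizeof buf - 1] = 0;
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " "))
        if (strstr(name, tok)) return 1;
    return 0;
}

static uint64_t le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Fixed 18-byte command: op, size selector, addr (LE64), value (LE64). */
#define CMD_LEN 18
static int decode_cmd(const uint8_t *p, size_t n, struct cmd *c) {
    static const uint8_t sizes[4] = { 1, 2, 4, 8 };
    if (n < CMD_LEN) return 0;            /* incomplete trailing bytes: stop here */
    c->op = p[0] % OP_COUNT;              /* every input byte maps to a valid op */
    c->size = sizes[p[1] & 3];
    c->addr = le64(p + 2);
    c->value = le64(p + 10);
    return 1;
}

/* Encode one command; used by main() and by tests to build inputs. */
void encode_cmd(uint8_t *out, uint8_t op, uint8_t size_sel, uint64_t addr, uint64_t value) {
    out[0] = op; out[1] = size_sel;
    for (int i = 0; i < 8; i++) {
        out[2 + i] = (uint8_t)(addr >> (8 * i));
        out[10 + i] = (uint8_t)(value >> (8 * i));
    }
}

/* Map the fuzzer's address onto one eligible region of the right kind, so no
 * iteration is spent on unmapped or non-whitelisted addresses. Returns the
 * region index, or -1 when nothing of that kind is whitelisted. */
static int pick_region(int is_pio, uint64_t addr, const char *whitelist, uint64_t *off) {
    int eligible[N_REGIONS], n = 0;
    for (size_t i = 0; i < N_REGIONS; i++)
        if (regions[i].is_pio == is_pio && region_allowed(regions[i].name, whitelist))
            eligible[n++] = (int)i;
    if (n == 0) return -1;
    int r = eligible[(addr >> 56) % n];                  /* top byte picks the region */
    *off = (addr & 0x00ffffffffffffffULL) % regions[r].size; /* rest picks the offset */
    return r;
}

/* Run a whole input; returns how many commands were actually dispatched. */
int run_input(const uint8_t *buf, size_t n, const char *whitelist, struct device *dev) {
    int dispatched = 0;
    struct cmd c;
    memset(dev, 0, sizeof *dev);
    for (size_t pos = 0; decode_cmd(buf + pos, n - pos, &c); pos += CMD_LEN) {
        int is_pio = (c.op == OP_PIO_READ || c.op == OP_PIO_WRITE);
        uint64_t off;
        int r = pick_region(is_pio, c.addr, whitelist, &off);
        if (r < 0) continue;                  /* nothing whitelisted for this kind */
        off &= ~(uint64_t)(c.size - 1);       /* align the access to its width */
        if (is_pio) {
            if (c.op == OP_PIO_WRITE) dev->pio_regs[off % 4] = c.value;
            dev->n_pio++;
        } else {
            if (c.op == OP_MMIO_WRITE) dev->mmio_regs[(off / 8) % 32] = c.value;
            dev->n_mmio++;
        }
        dispatched++;
    }
    return dispatched;
}

int main(void) {
    /* Constructed input: an MMIO write, a PIO write, then 5 junk bytes. */
    uint8_t buf[CMD_LEN * 2 + 5];
    struct device dev;
    encode_cmd(buf, OP_MMIO_WRITE, 2, 0x10, 0xdeadbeef);
    encode_cmd(buf + CMD_LEN, OP_PIO_WRITE, 0, (1ULL << 56) | 2, 0x11);
    memset(buf + 2 * CMD_LEN, 0xff, 5);
    int n = run_input(buf, sizeof buf, "virtio pci-", &dev);
    printf("dispatched %d commands (%u mmio, %u pio)\n", n, dev.n_mmio, dev.n_pio);
    return 0;
}
```

The point of mapping the address onto an eligible region rather than rejecting out-of-range addresses is the same one the cover letter makes about the whitelist: every input byte the fuzzer mutates should reach the device under test instead of being discarded, and the whitelist keeps "pc.ram" and similar regions out of the candidate set so coverage goes to the device rather than to guest memory.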
