From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.6 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,HK_RANDOM_FROM,INCLUDES_PATCH, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 03AB7C4CEC9 for ; Wed, 18 Sep 2019 23:25:40 +0000 (UTC) Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id AE232218AF for ; Wed, 18 Sep 2019 23:25:39 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=bushare.onmicrosoft.com header.i=@bushare.onmicrosoft.com header.b="kp5ZsuvG" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org AE232218AF Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=bu.edu Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Received: from localhost ([::1]:35980 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iAjKM-0006Md-0y for qemu-devel@archiver.kernel.org; Wed, 18 Sep 2019 19:25:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33400) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iAjEj-0000b6-TR for qemu-devel@nongnu.org; Wed, 18 Sep 2019 19:19:51 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iAjEh-0002ia-Vs for qemu-devel@nongnu.org; Wed, 18 Sep 2019 19:19:49 -0400 Received: from mail-eopbgr700099.outbound.protection.outlook.com ([40.107.70.99]:57953 helo=NAM04-SN1-obe.outbound.protection.outlook.com) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1iAjEh-0002fm-QH for qemu-devel@nongnu.org; Wed, 18 Sep 2019 19:19:47 -0400 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XzP4mBA/FBJgqORvvbsh6JFiIchBtDgRHNKAw5G1iWvE1mHfRkJ+iOQHwpLwXVg5w2ZjH0ADpwVsLpodE+5IDYPr5JRv2fMOmLA0symTvrD+zTJkVImsBuQrvGlAtBoGMJymsCkShkwdVzdJJuTQXaiqIWTY5hdMkrefsowvo5V3fcwVe25S48mutdPPqL/+zEz/zgg67JVHRwxV3pcs8Oy2HeBcJWyVWMGFzTyyPfa+2dDBZ7dk5ps6ZH51zIFYazEv9Cevt7b/BcDsJguK3IoatkVOQ1YIrSZdviPMD//qUFSweXG1rw818lomryW2jaHkOBJ8OjJYx4C0NSPLjw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zY9UORQvxGmDQrQOP5oxJUKIsHyBDXXdgY5bwuNdkhI=; b=HfzVgpkgDiUD7O7HIOHt7fhQCilh+rFdIIi0c74QjPySEw84UEqu52/ZYxpuwbZg2+U2JNJrpjwHmsp08yDGsWIu1JshNsnBeGA4S495FJWmt0EHAZ9BBEfWRI5PVdvQSg4WtvEIjf/vHQBjok7UifC5HBRA8O6CdtR/xs4JpAnZFrJSAgDLbuwJdGO9aa/WDI4PiVsCZ3pJhJQrkKOSs7to0mVlEm9n7NNgt77uVSA11T0mtNGSx7GGkbPgS0GJIJUCAtGJ3RKkSq9Qttrh7BZHrcfMEsVInTa5MmsqmWoGWjDID16ST/nPZv945L/Mtv1mOi9T1O38ibkjlhQG5Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=bu.edu; dmarc=pass action=none header.from=bu.edu; dkim=pass header.d=bu.edu; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bushare.onmicrosoft.com; s=selector2-bushare-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zY9UORQvxGmDQrQOP5oxJUKIsHyBDXXdgY5bwuNdkhI=; b=kp5ZsuvGHvn356bf7lSmZ+aJx9SZAXSdh8vEn8CxymK1CuJ1Hxg88A4KldASdNfEWvUEr7r8wL8oZUU2V76n242SH/mgAeB+r+TCfPqFDawrdd5y0oH8BFcjesKo7xr32JGmhF6o9B2AFaDmO5m8OnCOxy7wJgTBeXDJSohnorU= Received: from CY4PR03MB2872.namprd03.prod.outlook.com (10.175.118.17) by CY4PR03MB3016.namprd03.prod.outlook.com (10.175.117.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2284.20; Wed, 18 Sep 2019 23:19:46 +0000 Received: from CY4PR03MB2872.namprd03.prod.outlook.com ([fe80::6d88:c5bd:41ad:b107]) by CY4PR03MB2872.namprd03.prod.outlook.com ([fe80::6d88:c5bd:41ad:b107%3]) with mapi id 15.20.2263.023; Wed, 18 Sep 2019 23:19:46 +0000 From: "Oleinik, Alexander" To: "qemu-devel@nongnu.org" Thread-Topic: [PATCH v3 19/22] fuzz: add support for qos-assisted fuzz targets Thread-Index: AQHVbnePnuUAaE8OSkmnvUPaB22v4Q== Date: Wed, 18 Sep 2019 23:19:46 +0000 Message-ID: <20190918231846.22538-20-alxndr@bu.edu> References: <20190918231846.22538-1-alxndr@bu.edu> In-Reply-To: <20190918231846.22538-1-alxndr@bu.edu> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-mailer: git-send-email 2.23.0 x-originating-ip: [128.197.127.33] x-clientproxiedby: BL0PR02CA0124.namprd02.prod.outlook.com (2603:10b6:208:35::29) To CY4PR03MB2872.namprd03.prod.outlook.com (2603:10b6:903:134::17) authentication-results: spf=none (sender IP is ) smtp.mailfrom=alxndr@bu.edu; x-ms-exchange-messagesentrepresentingtype: 1 x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 8e1acde4-107c-46ad-6eda-08d73c8eb1be x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600167)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:CY4PR03MB3016; x-ms-traffictypediagnostic: CY4PR03MB3016: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:295; x-forefront-prvs: 01644DCF4A x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(39860400002)(366004)(376002)(136003)(346002)(396003)(199004)(189003)(66066001)(86362001)(52116002)(478600001)(2616005)(7736002)(71190400001)(8676002)(36756003)(71200400001)(14454004)(54906003)(316002)(786003)(6486002)(14444005)(81156014)(75432002)(256004)(6436002)(305945005)(6916009)(6512007)(5640700003)(386003)(486006)(26005)(11346002)(186003)(102836004)(99286004)(76176011)(66946007)(446003)(476003)(66476007)(66556008)(64756008)(66446008)(6506007)(5660300002)(4326008)(2501003)(2351001)(6116002)(81166006)(50226002)(25786009)(1076003)(2906002)(88552002)(8936002)(3846002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR03MB3016; H:CY4PR03MB2872.namprd03.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: bu.edu does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: o3ciTkwwKUzQD1fBlZhViDhfPBhNzIsbigLSM/DgibhHgX5b9oWqAlBaUBSO+iBOkj2FEcr/Cyg8F2jL+kWl8dhjS6PyTudpcji0TVltqpDJk6aVn3jpgNiDBsZaL1wLk+reFXM0Tuw+l7LMqz0afF+ZZW5p7lKv1sGX4OmKO5U5X9qW2rcFpSZJLfGyaP+V768C4gbMk3ebZoUC1fM92Kb13OLdf8Ihttpu7aEPR3C+/D5QurvFqEYRI6zzU1WEXA8hUjmJ8+WQcxIhq4HLUuH09hHvwL8tm6jVQlEJK6ZGkeE2Q79oOu/8Uslb9JuhyHMvF40EXqOsoEpk+vobSEvDWI1Brb+rHdYfawA+g4qFqwG5O6/vVdDv+uXJcg4YUI9GtjGBd1Y3l+oWy7YaDpryYaaWfPAKSB6L7MjX1oU= Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: bu.edu X-MS-Exchange-CrossTenant-Network-Message-Id: 8e1acde4-107c-46ad-6eda-08d73c8eb1be X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Sep 2019 23:19:46.2773 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: d57d32cc-c121-488f-b07b-dfe705680c71 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: OOh0d1FeC8Rmv31I4UHmVusv60mfXKIJAIiXa6EpdsX4QVXnkv1QglEIlf7zlpR8 X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR03MB3016 X-detected-operating-system: by eggs.gnu.org: Windows 7 or 8 [fuzzy] X-Received-From: 40.107.70.99 Subject: [Qemu-devel] [PATCH v3 19/22] fuzz: add support for qos-assisted fuzz targets X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: "pbonzini@redhat.com" , "bsd@redhat.com" , "stefanha@redhat.com" , "Oleinik, Alexander" Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: "Qemu-devel" Signed-off-by: Alexander Oleinik --- tests/fuzz/qos_fuzz.c | 212 ++++++++++++++++++++++++++++++++++++++++++ tests/fuzz/qos_fuzz.h | 19 ++++ 2 files changed, 231 insertions(+) create mode 100644 tests/fuzz/qos_fuzz.c create mode 100644 tests/fuzz/qos_fuzz.h diff --git a/tests/fuzz/qos_fuzz.c b/tests/fuzz/qos_fuzz.c new file mode 100644 index 0000000000..b08c8b37ba --- /dev/null +++ b/tests/fuzz/qos_fuzz.c @@ -0,0 +1,212 @@ +#include "qemu/osdep.h" +#include "qemu/units.h" +#include "qapi/error.h" +#include "qemu-common.h" +#include "exec/memory.h" +#include "exec/address-spaces.h" +#include "sysemu/sysemu.h" +#include "qemu/main-loop.h" + +#include + +#include "libqos/malloc.h" +#include "libqos/qgraph.h" +#include "libqos/qgraph_internal.h" + +#include "fuzz.h" +#include "qos_fuzz.h" +#include "tests/libqos/qgraph.h" +#include "tests/libqos/qos_external.h" +#include "tests/libqtest.h" + +#include "qapi/qapi-commands-machine.h" +#include "qapi/qapi-commands-qom.h" +#include "qapi/qmp/qlist.h" + +/* + * Replaced the qmp commands with direct qmp_marshal calls. + * Probably there is a better way to do this + */ +static void qos_set_machines_devices_available(void) +{ + QDict *req =3D qdict_new(); + QObject *response; + QDict *args =3D qdict_new(); + QList *lst; + Error *err =3D NULL; + + qmp_marshal_query_machines(NULL, &response, &err); + assert(!err); + lst =3D qobject_to(QList, response); + apply_to_qlist(lst, true); + + qobject_unref(response); + + + qdict_put_str(req, "execute", "qom-list-types"); + qdict_put_str(args, "implements", "device"); + qdict_put_bool(args, "abstract", true); + qdict_put_obj(req, "arguments", (QObject *) args); + + qmp_marshal_qom_list_types(args, &response, &err); + assert(!err); + lst =3D qobject_to(QList, response); + apply_to_qlist(lst, false); + qobject_unref(response); + qobject_unref(req); +} + +void *fuzz_qos_obj; +QGuestAllocator *fuzz_qos_alloc; + +static char **fuzz_path_vec; +static char **current_path; + + +void *qos_allocate_objects(QTestState *qts, QGuestAllocator **p_alloc) +{ + return allocate_objects(qts, current_path + 1, p_alloc); +} + + +static void qos_build_main_args() +{ + char **path =3D fuzz_path_vec; + QOSGraphNode *test_node; + GString *cmd_line =3D g_string_new(path[0]); + void *test_arg; + + /* Before test */ + current_path =3D path; + test_node =3D qos_graph_get_node(path[(g_strv_length(path) - 1)]); + test_arg =3D test_node->u.test.arg; + if (test_node->u.test.before) { + test_arg =3D test_node->u.test.before(cmd_line, test_arg); + } + /* Prepend the arguments that we need */ + g_string_prepend(cmd_line, + "qemu-system-i386 -display none -machine accel=3Dqtest -m 128 = "); + wordexp_t result; + wordexp(cmd_line->str, &result, 0); + set_fuzz_target_args(result.we_wordc, result.we_wordv); + + g_string_free(cmd_line, true); +} + +/* + * This function is largely a copy of qos-test.c:walk_path. Since walk_pat= h + * is itself a callback, its a little annoying to add another argument/lay= er of + * indirection + */ +static void walk_path(QOSGraphNode *orig_path, int len) +{ + QOSGraphNode *path; + QOSGraphEdge *edge; + + /* etype set to QEDGE_CONSUMED_BY so that machine can add to the comma= nd line */ + QOSEdgeType etype =3D QEDGE_CONSUMED_BY; + + /* twice QOS_PATH_MAX_ELEMENT_SIZE since each edge can have its arg */ + char **path_vec =3D g_new0(char *, (QOS_PATH_MAX_ELEMENT_SIZE * 2)); + int path_vec_size =3D 0; + + char *after_cmd, *before_cmd, *after_device; + GString *after_device_str =3D g_string_new(""); + char *node_name =3D orig_path->name, *path_str; + + GString *cmd_line =3D g_string_new(""); + GString *cmd_line2 =3D g_string_new(""); + + path =3D qos_graph_get_node(node_name); /* root */ + node_name =3D qos_graph_edge_get_dest(path->path_edge); /* machine nam= e */ + + path_vec[path_vec_size++] =3D node_name; + path_vec[path_vec_size++] =3D qos_get_machine_type(node_name); + + for (;;) { + path =3D qos_graph_get_node(node_name); + if (!path->path_edge) { + break; + } + + node_name =3D qos_graph_edge_get_dest(path->path_edge); + + /* append node command line + previous edge command line */ + if (path->command_line && etype =3D=3D QEDGE_CONSUMED_BY) { + g_string_append(cmd_line, path->command_line); + g_string_append(cmd_line, after_device_str->str); + g_string_truncate(after_device_str, 0); + } + + path_vec[path_vec_size++] =3D qos_graph_edge_get_name(path->path_e= dge); + /* detect if edge has command line args */ + after_cmd =3D qos_graph_edge_get_after_cmd_line(path->path_edge); + after_device =3D qos_graph_edge_get_extra_device_opts(path->path_e= dge); + before_cmd =3D qos_graph_edge_get_before_cmd_line(path->path_edge)= ; + edge =3D qos_graph_get_edge(path->name, node_name); + etype =3D qos_graph_edge_get_type(edge); + + if (before_cmd) { + g_string_append(cmd_line, before_cmd); + } + if (after_cmd) { + g_string_append(cmd_line2, after_cmd); + } + if (after_device) { + g_string_append(after_device_str, after_device); + } + } + + path_vec[path_vec_size++] =3D NULL; + g_string_append(cmd_line, after_device_str->str); + g_string_free(after_device_str, true); + + g_string_append(cmd_line, cmd_line2->str); + g_string_free(cmd_line2, true); + + /* + * here position 0 has /, position 1 has . + * The path must not have the , qtest_add_data_func adds it. + */ + path_str =3D g_strjoinv("/", path_vec + 1); + + /* Check that this is the test we care about: */ + char *test_name =3D strrchr(path_str, '/') + 1; + if (strcmp(test_name, get_fuzz_target_name()) =3D=3D 0) { + /* + * put arch/machine in position 1 so run_one_test can do its work + * and add the command line at position 0. + */ + path_vec[1] =3D path_vec[0]; + path_vec[0] =3D g_string_free(cmd_line, false); + + fuzz_path_vec =3D path_vec; + } else { + g_free(path_vec); + } + + g_free(path_str); +} + +void fuzz_add_qos_target(const char *name, + const char *description, + const char *interface, + QOSGraphTestOptions *opts, + FuzzTarget *fuzz_opts + ) +{ + qos_add_test(name, interface, NULL, opts); + fuzz_add_target(name, description, fuzz_opts); +} + +/* Do what is normally done in qos_test.c:main */ +void qos_setup(void){ + qos_set_machines_devices_available(); + qos_graph_foreach_test_path(walk_path); + qos_build_main_args(); +} + +void qos_init_path(QTestState *s) +{ + fuzz_qos_obj =3D qos_allocate_objects(s , &fuzz_qos_alloc); +} diff --git a/tests/fuzz/qos_fuzz.h b/tests/fuzz/qos_fuzz.h new file mode 100644 index 0000000000..4ae775972a --- /dev/null +++ b/tests/fuzz/qos_fuzz.h @@ -0,0 +1,19 @@ +#ifndef _QOS_FUZZ_H_ +#define _QOS_FUZZ_H_ + +#include "tests/libqos/qgraph.h" + +int qos_fuzz(const unsigned char *Data, size_t Size); +void qos_setup(void); + +extern void *fuzz_qos_obj; +extern QGuestAllocator *fuzz_qos_alloc; + +void fuzz_add_qos_target(const char *name, + const char *description, + const char *interface, + QOSGraphTestOptions *opts, + FuzzTarget *fuzz_opts); + +void qos_init_path(QTestState *); +#endif --=20 2.23.0