From: Paolo Bonzini <pbonzini@redhat.com>
To: Max Moroz <mmoroz@google.com>, Dmitry Vyukov <dvyukov@google.com>,
Oliver Chang <ochang@google.com>,
Jonathan Metzman <metzman@google.com>
Cc: Stefan Hajnoczi <stefanha@gmail.com>, Bandan Das <bsd@redhat.com>,
qemu-devel <qemu-devel@nongnu.org>,
Andrey Konovalov <andreyknvl@google.com>,
Kostya Serebryany <kcc@google.com>
Subject: Re: [Qemu-devel] Internship idea: virtio-blk oss-fuzz support
Date: Fri, 11 Jan 2019 00:25:32 +0100
Message-ID: <e4af7025-fa8c-1078-62de-f77a11a79fc0@redhat.com>
In-Reply-To: <CABiizEQ-O-Ro9cH3xqzZUB=c5k+oYJ-gdR7ssfbbn5kU_8GcAA@mail.gmail.com>
On 10/01/19 17:07, Max Moroz via Qemu-devel wrote:
> +Oliver and Jonathan
>
> I'm a little confused. Do you want to fuzz QEMU or to fuzz something else
> using QEMU? In case of the latter, there was some discussion on OSS-Fuzz
> and (I think) even a build support was (sort of) added:
> https://github.com/google/oss-fuzz/issues/1754

We want to fuzz QEMU.

The input is a sequence of operations on a PCI device or on guest
memory, and you try and crash QEMU by passing it crazy operations.

The qtest mode that Stefan mentioned provides something like a "JTAG
over ASCII" where a testcase can inject elementary I/O operations into
QEMU. However, that is certainly too much for AFL to fuzz effectively;
it would have to "learn" the qtest protocol, how to drive the PCI host
bridge, how to set up a PCI device, and only then it would be able to
find bugs. So one idea would be to build another layer on top of qtest
that accepts higher-level operations and builds the qtest ASCII input
from those.

However, compared to LLVM/Clang that were the motivation for
libprotobuf-mutator, in our case the underlying operands to the
operations are still binary. So it may also be possible to use the
usual AFL binary mutator, and encode the operations in a way that has
very high entropy. This way AFL can just throw crap at the qtest input
generator, and the resulting qtest input will always represent some kind
of interaction with a PCI device.

Thanks,

Paolo

> In any case, it would probably be "integrate QEMU into OSS-Fuzz" and not
> vice versa, since OSS-Fuzz is an infrastructure and you can't integrate it
> into QEMU.
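The "layer on top of qtest" that Paolo sketches above, written out as an added example (it is not code from this thread, from QEMU, or from QEMU's later fuzzing work): a fixed-width binary record format whose every byte value decodes to some valid operation, expanded into qtest ASCII commands. The target device location (bus 0, device 4, function 0), its BAR0 address, the DMA window and the record layout are all constructed assumptions for the example; the qtest commands used (`outl`, `inl`, `readl`, `writel`, `memset`, `clock_step`) are real qtest protocol verbs.

```python
"""
Added example, not code from the QEMU project or from this thread: a fixed-width
binary encoding of PCI / guest-memory operations that is expanded into qtest
ASCII commands.  Every byte string of any length decodes to a valid command
sequence (opcode taken modulo the table size, operands masked into range), so a
byte-level mutator such as AFL cannot produce a "parse error"; it can only
produce a different interaction with the device.
"""
import struct
import sys

# Legacy PCI configuration mechanism #1 ports (x86 'pc' machine).
PCI_CONFIG_ADDR = 0xCF8
PCI_CONFIG_DATA = 0xCFC

# Assumed target (constructed for this example, not from any QEMU machine):
# one PCI device at bus 0, device 4, function 0 whose BAR0 the harness has
# already mapped at BAR0_BASE, plus a guest RAM window the device may DMA into.
TARGET_BDF = (0, 4, 0)
BAR0_BASE = 0xFEBF0000
BAR0_WINDOW = 0x1000
DMA_BASE = 0x10000
DMA_WINDOW = 0x10000

# One record = 1 opcode byte + two 32-bit little-endian operands (9 bytes).
RECORD = struct.Struct("<BII")


def _cfg_addr(reg):
    bus, dev, fn = TARGET_BDF
    return 0x80000000 | (bus << 16) | (dev << 11) | (fn << 8) | (reg & 0xFC)


def op_cfg_read(a, b):
    return [f"outl 0x{PCI_CONFIG_ADDR:x} 0x{_cfg_addr(a):x}",
            f"inl 0x{PCI_CONFIG_DATA:x}"]


def op_cfg_write(a, b):
    return [f"outl 0x{PCI_CONFIG_ADDR:x} 0x{_cfg_addr(a):x}",
            f"outl 0x{PCI_CONFIG_DATA:x} 0x{b:x}"]


def op_mmio_read(a, b):
    off = a & (BAR0_WINDOW - 1) & ~3          # aligned offset inside BAR0
    return [f"readl 0x{BAR0_BASE + off:x}"]


def op_mmio_write(a, b):
    off = a & (BAR0_WINDOW - 1) & ~3
    return [f"writel 0x{BAR0_BASE + off:x} 0x{b:x}"]


def op_mem_write(a, b):
    off = a & (DMA_WINDOW - 1) & ~3           # e.g. a descriptor or ring entry
    return [f"writel 0x{DMA_BASE + off:x} 0x{b:x}"]


def op_mem_fill(a, b):
    off = a & (DMA_WINDOW - 1)
    length = min(1 + (b & 0xFF), DMA_WINDOW - off)   # clamp to the window
    pattern = (b >> 8) & 0xFF
    return [f"memset 0x{DMA_BASE + off:x} {length} 0x{pattern:x}"]


def op_clock_step(a, b):
    return [f"clock_step {1 + (a & 0xFFFF)}"]  # let device timers fire


OPS = [op_cfg_read, op_cfg_write, op_mmio_read, op_mmio_write,
       op_mem_write, op_mem_fill, op_clock_step]


def encode_qtest(data):
    """Expand raw fuzzer bytes into qtest command lines.

    A trailing partial record is ignored rather than rejected, so truncating
    or extending the input by a few bytes never makes it invalid.
    """
    lines = []
    for pos in range(0, len(data) - RECORD.size + 1, RECORD.size):
        opcode, a, b = RECORD.unpack_from(data, pos)
        lines.extend(OPS[opcode % len(OPS)](a, b))
    return lines


# Constructed sample input: config read of reg 0x10 (BAR0), config write of
# reg 0x04 (command register), an MMIO write, a memset clamped at the end of
# the DMA window, and two dangling bytes that do not form a record.
SAMPLE = (RECORD.pack(0, 0x10, 0)
          + RECORD.pack(1, 0x04, 0x7)
          + RECORD.pack(3, 0x1008, 0xDEADBEEF)
          + RECORD.pack(5, 0xFFFF, 0xAB10)
          + b"\xff\x01")

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(encode_qtest(raw)))
```

The emitted lines are what a harness would write, one per line, to the chardev QEMU was started with under `-qtest`; the point of the encoding is that nothing AFL does to the bytes (bit flips, truncation, splicing) can push the input outside the set of well-formed device interactions, so the mutator's effort goes into exploring register and DMA state rather than into re-learning the protocol.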
Thread overview: 16+ messages
2019-01-09 17:34 [Qemu-devel] Internship idea: virtio-blk oss-fuzz support Stefan Hajnoczi
2019-01-10 10:46 ` Dmitry Vyukov
2019-01-10 13:40 ` Bandan Das
2019-01-10 14:01 ` Dmitry Vyukov
2019-01-10 16:07 ` Max Moroz
2019-01-10 23:25 ` Paolo Bonzini [this message]
2019-01-11 6:49 ` Stefan Hajnoczi
2019-01-11 15:04 ` Max Moroz
2019-01-11 15:33 ` Paolo Bonzini
2019-01-11 15:41 ` Max Moroz
2019-01-11 16:16 ` Paolo Bonzini
2019-01-11 19:09 ` Jonathan Metzman
2019-01-11 20:27 ` Paolo Bonzini
2019-01-11 22:56 ` Jonathan Metzman
2019-01-14 9:24 ` Stefan Hajnoczi
2019-01-18 7:51 ` Bandan Das