[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v7 03/17] fuzz: Add PCI features to the generic fuzzer
From: |
Alexander Bulekov |
Subject: |
[PATCH v7 03/17] fuzz: Add PCI features to the generic fuzzer |
Date: |
Fri, 23 Oct 2020 11:07:32 -0400 |
This patch compares TYPE_PCI_DEVICE objects against the user-provided
matching pattern. If there is a match, we use some hacks and leverage
QOS to map each possible BAR for that device. Now fuzzed inputs might be
converted to pci_read/write commands which target specific. This means
that we can fuzz a particular device's PCI configuration space,
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
---
tests/qtest/fuzz/generic_fuzz.c | 81 +++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index 6e3faf4e92..483d41fb2c 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -24,6 +24,7 @@
#include "exec/ramblock.h"
#include "exec/address-spaces.h"
#include "hw/qdev-core.h"
+#include "hw/pci/pci.h"
/*
* SEPARATOR is used to separate "operations" in the fuzz input
@@ -35,12 +36,17 @@ enum cmds {
OP_OUT,
OP_READ,
OP_WRITE,
+ OP_PCI_READ,
+ OP_PCI_WRITE,
OP_CLOCK_STEP,
};
#define DEFAULT_TIMEOUT_US 100000
#define USEC_IN_SEC 1000000000
+#define PCI_HOST_BRIDGE_CFG 0xcf8
+#define PCI_HOST_BRIDGE_DATA 0xcfc
+
typedef struct {
ram_addr_t addr;
ram_addr_t size; /* The number of bytes until the end of the I/O region */
@@ -55,6 +61,7 @@ static bool qtest_log_enabled;
* user for fuzzing.
*/
static GHashTable *fuzzable_memoryregions;
+static GPtrArray *fuzzable_pci_devices;
struct get_io_cb_info {
int index;
@@ -283,6 +290,65 @@ static void op_write(QTestState *s, const unsigned char *
data, size_t len)
}
}
+static void op_pci_read(QTestState *s, const unsigned char * data, size_t len)
+{
+ enum Sizes {Byte, Word, Long, end_sizes};
+ struct {
+ uint8_t size;
+ uint8_t base;
+ uint8_t offset;
+ } a;
+ if (len < sizeof(a) || fuzzable_pci_devices->len == 0) {
+ return;
+ }
+ memcpy(&a, data, sizeof(a));
+ PCIDevice *dev = g_ptr_array_index(fuzzable_pci_devices,
+ a.base % fuzzable_pci_devices->len);
+ int devfn = dev->devfn;
+ qtest_outl(s, PCI_HOST_BRIDGE_CFG, (1U << 31) | (devfn << 8) | a.offset);
+ switch (a.size %= end_sizes) {
+ case Byte:
+ qtest_inb(s, PCI_HOST_BRIDGE_DATA);
+ break;
+ case Word:
+ qtest_inw(s, PCI_HOST_BRIDGE_DATA);
+ break;
+ case Long:
+ qtest_inl(s, PCI_HOST_BRIDGE_DATA);
+ break;
+ }
+}
+
+static void op_pci_write(QTestState *s, const unsigned char * data, size_t len)
+{
+ enum Sizes {Byte, Word, Long, end_sizes};
+ struct {
+ uint8_t size;
+ uint8_t base;
+ uint8_t offset;
+ uint32_t value;
+ } a;
+ if (len < sizeof(a) || fuzzable_pci_devices->len == 0) {
+ return;
+ }
+ memcpy(&a, data, sizeof(a));
+ PCIDevice *dev = g_ptr_array_index(fuzzable_pci_devices,
+ a.base % fuzzable_pci_devices->len);
+ int devfn = dev->devfn;
+ qtest_outl(s, PCI_HOST_BRIDGE_CFG, (1U << 31) | (devfn << 8) | a.offset);
+ switch (a.size %= end_sizes) {
+ case Byte:
+ qtest_outb(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFF);
+ break;
+ case Word:
+ qtest_outw(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFFFF);
+ break;
+ case Long:
+ qtest_outl(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFFFFFFFF);
+ break;
+ }
+}
+
static void op_clock_step(QTestState *s, const unsigned char *data, size_t len)
{
qtest_clock_step_next(s);
@@ -341,6 +407,8 @@ static void generic_fuzz(QTestState *s, const unsigned char
*Data, size_t Size)
[OP_OUT] = op_out,
[OP_READ] = op_read,
[OP_WRITE] = op_write,
+ [OP_PCI_READ] = op_pci_read,
+ [OP_PCI_WRITE] = op_pci_write,
[OP_CLOCK_STEP] = op_clock_step,
};
const unsigned char *cmd = Data;
@@ -432,6 +500,18 @@ static int locate_fuzz_objects(Object *child, void *opaque)
/* Find and save ptrs to any child MemoryRegions */
object_child_foreach_recursive(child, locate_fuzz_memory_regions,
NULL);
+ /*
+ * We matched an object. If its a PCI device, store a pointer to it so
+ * we can map BARs and fuzz its config space.
+ */
+ if (object_dynamic_cast(OBJECT(child), TYPE_PCI_DEVICE)) {
+ /*
+ * Don't want duplicate pointers to the same PCIDevice, so remove
+ * copies of the pointer, before adding it.
+ */
+ g_ptr_array_remove_fast(fuzzable_pci_devices, PCI_DEVICE(child));
+ g_ptr_array_add(fuzzable_pci_devices, PCI_DEVICE(child));
+ }
} else if (object_dynamic_cast(OBJECT(child), TYPE_MEMORY_REGION)) {
if (g_pattern_match_simple(pattern,
object_get_canonical_path_component(child))) {
@@ -464,6 +544,7 @@ static void generic_pre_fuzz(QTestState *s)
}
fuzzable_memoryregions = g_hash_table_new(NULL, NULL);
+ fuzzable_pci_devices = g_ptr_array_new();
result = g_strsplit(getenv("QEMU_FUZZ_OBJECTS"), " ", -1);
for (int i = 0; result[i] != NULL; i++) {
--
2.28.0
- [PATCH v7 00/17] Add a Generic Virtual Device Fuzzer, Alexander Bulekov, 2020/10/23
- [PATCH v7 06/17] fuzz: Add fuzzer callbacks to DMA-read functions, Alexander Bulekov, 2020/10/23
- [PATCH v7 07/17] fuzz: Add support for custom crossover functions, Alexander Bulekov, 2020/10/23
- [PATCH v7 08/17] fuzz: add a DISABLE_PCI op to generic-fuzzer, Alexander Bulekov, 2020/10/23
- [PATCH v7 01/17] memory: Add FlatView foreach function, Alexander Bulekov, 2020/10/23
- [PATCH v7 02/17] fuzz: Add generic virtual-device fuzzer, Alexander Bulekov, 2020/10/23
- [PATCH v7 09/17] fuzz: add a crossover function to generic-fuzzer, Alexander Bulekov, 2020/10/23
- [PATCH v7 03/17] fuzz: Add PCI features to the generic fuzzer,
Alexander Bulekov <=
- [PATCH v7 10/17] scripts/oss-fuzz: Add script to reorder a generic-fuzzer trace, Alexander Bulekov, 2020/10/23
- [PATCH v7 04/17] fuzz: Add DMA support to the generic-fuzzer, Alexander Bulekov, 2020/10/23
- [PATCH v7 11/17] scripts/oss-fuzz: Add crash trace minimization script, Alexander Bulekov, 2020/10/23
- [PATCH v7 05/17] fuzz: Declare DMA Read callback function, Alexander Bulekov, 2020/10/23
- [PATCH v7 13/17] fuzz: add an "opaque" to the FuzzTarget struct, Alexander Bulekov, 2020/10/23
- [PATCH v7 12/17] fuzz: Add instructions for using generic-fuzz, Alexander Bulekov, 2020/10/23
- [PATCH v7 14/17] fuzz: add generic-fuzz configs for oss-fuzz, Alexander Bulekov, 2020/10/23
- [PATCH v7 15/17] fuzz: register predefined generic-fuzz configs, Alexander Bulekov, 2020/10/23
- [PATCH v7 16/17] scripts/oss-fuzz: use hardlinks instead of copying, Alexander Bulekov, 2020/10/23