SYS-OSS/FRET-qemu
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fuzz: Add PCI features to the generic fuzzer

Browse Source 
This patch compares TYPE_PCI_DEVICE objects against the user-provided
matching pattern. If there is a match, we use some hacks and leverage
QOS to map each possible BAR for that device. Now fuzzed inputs might be
converted to pci_read/write commands which target specific. This means
that we can fuzz a particular device's PCI configuration space,

Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-4-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
This commit is contained in:
Alexander Bulekov 2020-10-23 11:07:32 -04:00 committed by Thomas Huth
parent da9bf53198
commit 05efbf2497
1 changed files with 81 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
tests/qtest/fuzz/generic_fuzz.c
View File

@ -24,6 +24,7 @@
#include "exec/ramblock.h" #include "exec/ramblock.h"
#include "exec/address-spaces.h" #include "exec/address-spaces.h"
#include "hw/qdev-core.h" #include "hw/qdev-core.h"
#include "hw/pci/pci.h"
/* /*
* SEPARATOR is used to separate "operations" in the fuzz input * SEPARATOR is used to separate "operations" in the fuzz input
@ -35,12 +36,17 @@ enum cmds {
OP_OUT, OP_OUT,
OP_READ, OP_READ,
OP_WRITE, OP_WRITE,
OP_PCI_READ,
OP_PCI_WRITE,
OP_CLOCK_STEP, OP_CLOCK_STEP,
}; };
#define DEFAULT_TIMEOUT_US 100000 #define DEFAULT_TIMEOUT_US 100000
#define USEC_IN_SEC 1000000000 #define USEC_IN_SEC 1000000000
#define PCI_HOST_BRIDGE_CFG 0xcf8
#define PCI_HOST_BRIDGE_DATA 0xcfc
typedef struct { typedef struct {
ram_addr_t addr; ram_addr_t addr;
ram_addr_t size; /* The number of bytes until the end of the I/O region */ ram_addr_t size; /* The number of bytes until the end of the I/O region */
@ -55,6 +61,7 @@ static bool qtest_log_enabled;
* user for fuzzing. * user for fuzzing.
*/ */
static GHashTable *fuzzable_memoryregions; static GHashTable *fuzzable_memoryregions;
static GPtrArray *fuzzable_pci_devices;
struct get_io_cb_info { struct get_io_cb_info {
int index; int index;
@ -283,6 +290,65 @@ static void op_write(QTestState *s, const unsigned char * data, size_t len)
} }
} }
static void op_pci_read(QTestState *s, const unsigned char * data, size_t len)
{
enum Sizes {Byte, Word, Long, end_sizes};
struct {
uint8_t size;
uint8_t base;
uint8_t offset;
} a;
if (len < sizeof(a) || fuzzable_pci_devices->len == 0) {
return;
}
memcpy(&a, data, sizeof(a));
PCIDevice *dev = g_ptr_array_index(fuzzable_pci_devices,
a.base % fuzzable_pci_devices->len);
int devfn = dev->devfn;
qtest_outl(s, PCI_HOST_BRIDGE_CFG, (1U << 31) | (devfn << 8) | a.offset);
switch (a.size %= end_sizes) {
case Byte:
qtest_inb(s, PCI_HOST_BRIDGE_DATA);
break;
case Word:
qtest_inw(s, PCI_HOST_BRIDGE_DATA);
break;
case Long:
qtest_inl(s, PCI_HOST_BRIDGE_DATA);
break;
}
}
static void op_pci_write(QTestState *s, const unsigned char * data, size_t len)
{
enum Sizes {Byte, Word, Long, end_sizes};
struct {
uint8_t size;
uint8_t base;
uint8_t offset;
uint32_t value;
} a;
if (len < sizeof(a) || fuzzable_pci_devices->len == 0) {
return;
}
memcpy(&a, data, sizeof(a));
PCIDevice *dev = g_ptr_array_index(fuzzable_pci_devices,
a.base % fuzzable_pci_devices->len);
int devfn = dev->devfn;
qtest_outl(s, PCI_HOST_BRIDGE_CFG, (1U << 31) | (devfn << 8) | a.offset);
switch (a.size %= end_sizes) {
case Byte:
qtest_outb(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFF);
break;
case Word:
qtest_outw(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFFFF);
break;
case Long:
qtest_outl(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFFFFFFFF);
break;
}
}
static void op_clock_step(QTestState *s, const unsigned char *data, size_t len) static void op_clock_step(QTestState *s, const unsigned char *data, size_t len)
{ {
qtest_clock_step_next(s); qtest_clock_step_next(s);
@ -341,6 +407,8 @@ static void generic_fuzz(QTestState *s, const unsigned char *Data, size_t Size)
[OP_OUT] = op_out, [OP_OUT] = op_out,
[OP_READ] = op_read, [OP_READ] = op_read,
[OP_WRITE] = op_write, [OP_WRITE] = op_write,
[OP_PCI_READ] = op_pci_read,
[OP_PCI_WRITE] = op_pci_write,
[OP_CLOCK_STEP] = op_clock_step, [OP_CLOCK_STEP] = op_clock_step,
}; };
const unsigned char *cmd = Data; const unsigned char *cmd = Data;
@ -432,6 +500,18 @@ static int locate_fuzz_objects(Object *child, void *opaque)
/* Find and save ptrs to any child MemoryRegions */ /* Find and save ptrs to any child MemoryRegions */
object_child_foreach_recursive(child, locate_fuzz_memory_regions, NULL); object_child_foreach_recursive(child, locate_fuzz_memory_regions, NULL);
/*
* We matched an object. If its a PCI device, store a pointer to it so
* we can map BARs and fuzz its config space.
*/
if (object_dynamic_cast(OBJECT(child), TYPE_PCI_DEVICE)) {
/*
* Don't want duplicate pointers to the same PCIDevice, so remove
* copies of the pointer, before adding it.
*/
g_ptr_array_remove_fast(fuzzable_pci_devices, PCI_DEVICE(child));
g_ptr_array_add(fuzzable_pci_devices, PCI_DEVICE(child));
}
} else if (object_dynamic_cast(OBJECT(child), TYPE_MEMORY_REGION)) { } else if (object_dynamic_cast(OBJECT(child), TYPE_MEMORY_REGION)) {
if (g_pattern_match_simple(pattern, if (g_pattern_match_simple(pattern,
object_get_canonical_path_component(child))) { object_get_canonical_path_component(child))) {
@ -464,6 +544,7 @@ static void generic_pre_fuzz(QTestState *s)
} }
fuzzable_memoryregions = g_hash_table_new(NULL, NULL); fuzzable_memoryregions = g_hash_table_new(NULL, NULL);
fuzzable_pci_devices = g_ptr_array_new();
result = g_strsplit(getenv("QEMU_FUZZ_OBJECTS"), " ", -1); result = g_strsplit(getenv("QEMU_FUZZ_OBJECTS"), " ", -1);
for (int i = 0; result[i] != NULL; i++) { for (int i = 0; result[i] != NULL; i++) {