summaryrefslogtreecommitdiffstats
path: root/tests/qtest
diff options
context:
space:
mode:
authorAlexander Bulekov2020-10-23 17:07:38 +0200
committerThomas Huth2020-10-26 09:53:53 +0100
commita25393222764c26658a98dbfc20f78c80765bca4 (patch)
tree8b018027eaadc4f31831f8f040b939c9141be89a /tests/qtest
parentfuzz: add a DISABLE_PCI op to generic-fuzzer (diff)
downloadqemu-a25393222764c26658a98dbfc20f78c80765bca4.tar.gz
qemu-a25393222764c26658a98dbfc20f78c80765bca4.tar.xz
qemu-a25393222764c26658a98dbfc20f78c80765bca4.zip
fuzz: add a crossover function to generic-fuzzer
Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20201023150746.107063-10-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com>
Diffstat (limited to 'tests/qtest')
-rw-r--r--tests/qtest/fuzz/generic_fuzz.c86
1 files changed, 86 insertions, 0 deletions
diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index 6ec20464bd..592b78ffe2 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -810,6 +810,91 @@ static void generic_pre_fuzz(QTestState *s)
counter_shm_init();
}
+/*
+ * When libfuzzer gives us two inputs to combine, return a new input with the
+ * following structure:
+ *
+ * Input 1 (data1)
+ * SEPARATOR
+ * Clear out the DMA Patterns
+ * SEPARATOR
+ * Disable the pci_read/write instructions
+ * SEPARATOR
+ * Input 2 (data2)
+ *
+ * The idea is to collate the core behaviors of the two inputs.
+ * For example:
+ * Input 1: maps a device's BARs, sets up three DMA patterns, and triggers
+ * device functionality A
+ * Input 2: maps a device's BARs, sets up one DMA pattern, and triggers device
+ * functionality B
+ *
+ * This function attempts to produce an input that:
+ * Ouptut: maps a device's BARs, set up three DMA patterns, triggers
+ * functionality A device, replaces the DMA patterns with a single
+ * patten, and triggers device functionality B.
+ */
+static size_t generic_fuzz_crossover(const uint8_t *data1, size_t size1, const
+ uint8_t *data2, size_t size2, uint8_t *out,
+ size_t max_out_size, unsigned int seed)
+{
+ size_t copy_len = 0, size = 0;
+
+ /* Check that we have enough space for data1 and at least part of data2 */
+ if (max_out_size <= size1 + strlen(SEPARATOR) * 3 + 2) {
+ return 0;
+ }
+
+ /* Copy_Len in the first input */
+ copy_len = size1;
+ memcpy(out + size, data1, copy_len);
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Append a separator */
+ copy_len = strlen(SEPARATOR);
+ memcpy(out + size, SEPARATOR, copy_len);
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Clear out the DMA Patterns */
+ copy_len = 1;
+ if (copy_len) {
+ out[size] = OP_CLEAR_DMA_PATTERNS;
+ }
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Append a separator */
+ copy_len = strlen(SEPARATOR);
+ memcpy(out + size, SEPARATOR, copy_len);
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Disable PCI ops. Assume data1 took care of setting up PCI */
+ copy_len = 1;
+ if (copy_len) {
+ out[size] = OP_DISABLE_PCI;
+ }
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Append a separator */
+ copy_len = strlen(SEPARATOR);
+ memcpy(out + size, SEPARATOR, copy_len);
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ /* Copy_Len over the second input */
+ copy_len = MIN(size2, max_out_size);
+ memcpy(out + size, data2, copy_len);
+ size += copy_len;
+ max_out_size -= copy_len;
+
+ return size;
+}
+
+
static GString *generic_fuzz_cmdline(FuzzTarget *t)
{
GString *cmd_line = g_string_new(TARGET_NAME);
@@ -830,6 +915,7 @@ static void register_generic_fuzz_targets(void)
.get_init_cmdline = generic_fuzz_cmdline,
.pre_fuzz = generic_pre_fuzz,
.fuzz = generic_fuzz,
+ .crossover = generic_fuzz_crossover
});
}