summary refs log tree commit diff stats
path: root/tests/qtest/fuzz/generic_fuzz.c
diff options
context:
space:
mode:
authorPeter Maydell <peter.maydell@linaro.org>2021-03-17 22:18:54 +0000
committerPeter Maydell <peter.maydell@linaro.org>2021-03-17 22:18:54 +0000
commit56b89f455894e4628ad7994fe5dd348145d1a9c5 (patch)
tree63092421a2db4aa8d6405072a74cef28f76192b4 /tests/qtest/fuzz/generic_fuzz.c
parent571d413b5da6bc6f1c2aaca8484717642255ddb0 (diff)
parent8b858f9998a9d59a9a7188f2c5c6ffb99eff6115 (diff)
downloadfocaccia-qemu-56b89f455894e4628ad7994fe5dd348145d1a9c5.tar.gz
focaccia-qemu-56b89f455894e4628ad7994fe5dd348145d1a9c5.zip
Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging
* add --enable/--disable-libgio to configure (Denis)
* small fixes (Pavel, myself)
* fuzzing update (Alexander)

# gpg: Signature made Tue 16 Mar 2021 18:30:38 GMT
# gpg:                using RSA key F13338574B662389866C7682BFFBD25F78C7AE83
# gpg:                issuer "pbonzini@redhat.com"
# gpg: Good signature from "Paolo Bonzini <bonzini@gnu.org>" [full]
# gpg:                 aka "Paolo Bonzini <pbonzini@redhat.com>" [full]
# Primary key fingerprint: 46F5 9FBD 57D6 12E7 BFD4  E2F7 7E15 100C CD36 69B1
#      Subkey fingerprint: F133 3857 4B66 2389 866C  7682 BFFB D25F 78C7 AE83

* remotes/bonzini-gitlab/tags/for-upstream:
  qemu-timer: allow freeing a NULL timer
  hw/i8254: fix vmstate load
  scsi: fix sense code for EREMOTEIO
  Revert "accel: kvm: Add aligment assert for kvm_log_clear_one_slot"
  configure: add option to explicitly enable/disable libgio
  fuzz: move some DMA hooks
  fuzz: configure a sparse-mem device, by default
  memory: add a sparse memory device for fuzzing
  fuzz: add a am53c974 generic-fuzzer config
  fuzz: add instructions for building reproducers
  fuzz: add a script to build reproducers
  fuzz: don't leave orphan llvm-symbolizers around
  fuzz: fix the pro100 generic-fuzzer config
  MAINTAINERS: Cover fuzzer reproducer tests within 'Device Fuzzing'
  tests/qtest: Only run fuzz-virtio-scsi when virtio-scsi is available
  tests/qtest: Only run fuzz-megasas-test if megasas device is available

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'tests/qtest/fuzz/generic_fuzz.c')
-rw-r--r--tests/qtest/fuzz/generic_fuzz.c29
1 files changed, 26 insertions, 3 deletions
diff --git a/tests/qtest/fuzz/generic_fuzz.c b/tests/qtest/fuzz/generic_fuzz.c
index ee8c17a04c..b5fe27aae1 100644
--- a/tests/qtest/fuzz/generic_fuzz.c
+++ b/tests/qtest/fuzz/generic_fuzz.c
@@ -28,6 +28,7 @@
 #include "hw/pci/pci.h"
 #include "hw/boards.h"
 #include "generic_fuzz_configs.h"
+#include "hw/mem/sparse-mem.h"
 
 /*
  * SEPARATOR is used to separate "operations" in the fuzz input
@@ -64,6 +65,8 @@ static useconds_t timeout = DEFAULT_TIMEOUT_US;
 
 static bool qtest_log_enabled;
 
+MemoryRegion *sparse_mem_mr;
+
 /*
  * A pattern used to populate a DMA region or perform a memwrite. This is
  * useful for e.g. populating tables of unique addresses.
@@ -191,8 +194,7 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr)
      */
     if (dma_patterns->len == 0
         || len == 0
-        || mr != current_machine->ram
-        || addr > current_machine->ram_size) {
+        || (mr != current_machine->ram && mr != sparse_mem_mr)) {
         return;
     }
 
@@ -238,7 +240,7 @@ void fuzz_dma_read_cb(size_t addr, size_t len, MemoryRegion *mr)
                                       MEMTXATTRS_UNSPECIFIED);
 
         if (!(memory_region_is_ram(mr1) ||
-              memory_region_is_romd(mr1))) {
+              memory_region_is_romd(mr1)) && mr1 != sparse_mem_mr) {
             l = memory_access_size(mr1, l, addr1);
         } else {
             /* ROM/RAM case */
@@ -583,6 +585,21 @@ static void handle_timeout(int sig)
         fprintf(stderr, "[Timeout]\n");
         fflush(stderr);
     }
+
+    /*
+     * If there is a crash, libfuzzer/ASAN forks a child to run an
+     * "llvm-symbolizer" process for printing out a pretty stacktrace. It
+     * communicates with this child using a pipe.  If we timeout+Exit, while
+     * libfuzzer is still communicating with the llvm-symbolizer child, we will
+     * be left with an orphan llvm-symbolizer process. Sometimes, this appears
+     * to lead to a deadlock in the forkserver. Use waitpid to check if there
+     * are any waitable children. If so, exit out of the signal-handler, and
+     * let libfuzzer finish communicating with the child, and exit, on its own.
+     */
+    if (waitpid(-1, NULL, WNOHANG) == 0) {
+        return;
+    }
+
     _Exit(0);
 }
 
@@ -799,6 +816,12 @@ static void generic_pre_fuzz(QTestState *s)
     }
     qts_global = s;
 
+    /*
+     * Create a special device that we can use to back DMA buffers at very
+     * high memory addresses
+     */
+    sparse_mem_mr = sparse_mem_init(0, UINT64_MAX);
+
     dma_regions = g_array_new(false, false, sizeof(address_range));
     dma_patterns = g_array_new(false, false, sizeof(pattern));