
Re: [PATCH] fuzz: Add virtio-9p configurations for fuzzing


From: Alexander Bulekov
Subject: Re: [PATCH] fuzz: Add virtio-9p configurations for fuzzing
Date: Fri, 15 Jan 2021 10:32:35 -0500

On 210115 1323, Greg Kurz wrote:
> On Thu, 14 Jan 2021 17:17:48 -0500
> Alexander Bulekov <alxndr@bu.edu> wrote:
> 
> > Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
> > ---
> 
> No changelog at all?
> 
> >  tests/qtest/fuzz/generic_fuzz_configs.h | 12 ++++++++++++
> >  1 file changed, 12 insertions(+)
> > 
> > diff --git a/tests/qtest/fuzz/generic_fuzz_configs.h 
> > b/tests/qtest/fuzz/generic_fuzz_configs.h
> > index 7fed035345..ffdb590c58 100644
> > --- a/tests/qtest/fuzz/generic_fuzz_configs.h
> > +++ b/tests/qtest/fuzz/generic_fuzz_configs.h
> > @@ -59,6 +59,18 @@ const generic_fuzz_config predefined_configs[] = {
> >          .name = "virtio-mouse",
> >          .args = "-machine q35 -nodefaults -device virtio-mouse",
> >          .objects = "virtio*",
> > +    },{
> > +        .name = "virtio-9p",
> > +        .args = "-machine q35 -nodefaults "
> > +        "-device virtio-9p,fsdev=hshare,mount_tag=hshare "
> > +        "-fsdev local,id=hshare,path=/tmp/,security_model=none",
> 
> Sharing a general purpose directory like "/tmp" is definitely not a
> recommended practice. This is typically the kind of thing that I'd
> like to see documented in the changelog to help me understand ;-)

Hi Greg,
Yes, it is not a great solution. The fuzzers in this file are mainly
configured to run on OSS-Fuzz (https://github.com/google/oss-fuzz),
where fuzzers are executed in individual containers, and there shouldn't
be anything sensitive in /tmp/. In v2, I'll use a safer solution.

> 
> What operations does the fuzz test perform on the device ?

The generic-fuzzer will interact with the Port IO/MMIO and PCI Config
Space regions associated with the virtio-9p device. When the
device tries to access some guest memory using DMA, the fuzzer will
place some fuzzed data at the corresponding location. For many devices,
this is sufficient to achieve high coverage. If this doesn't work well
for the virtio-9p, we can add a tailored fuzzer based on the libqos
interface, in the future.

> 
> > +        .objects = "virtio*",
> > +    },{
> > +        .name = "virtio-9p-synth",
> > +        .args = "-machine q35 -nodefaults "
> > +        "-device virtio-9p,fsdev=hshare,mount_tag=hshare "
> > +        "-fsdev synth,id=hshare",
> > +        .objects = "virtio*",
> 
> Not sure this is super useful since the only known use case for
> the synth fsdev driver is running the virtio-9p qtest, but
> it looks fine anyway.

My hope here is that this configuration will cut down on syscalls
(improve fuzzing speed) and avoid leaky state (files left in the /tmp/
directory between individual fuzzer inputs).
-Alex

> 
> >      },{
> >          .name = "e1000",
> >          .args = "-M q35 -nodefaults "
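Review bot: the "virtio-9p" entry's `-fsdev local,id=hshare,path=/tmp/,security_model=none` gives every fuzzer-generated 9p request read/write access to a shared, general-purpose host directory, and the commit message body is empty, so nothing records why that path was chosen or that it relies on OSS-Fuzz running each fuzzer in its own container. Suggest pointing the fsdev at a dedicated directory created for the run, and adding a changelog paragraph stating the container assumption and the /tmp trade-off. The "virtio-9p-synth" entry already avoids host filesystem state entirely; if its coverage turns out comparable, it may be the only configuration worth keeping.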
> 

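The point raised in this thread is that a virtio-9p share should not be backed by a general-purpose directory such as /tmp. The following POSIX shell helper is an added example, not code from this patch or from QEMU: it creates a private, empty per-run directory, composes the same `-device`/`-fsdev` arguments the patch uses (keeping `security_model=none` as the patch does), checks that the share is owned by the caller and not group- or world-writable, and removes it afterwards so no state leaks between runs. The function names and the `fuzz-9p-` template prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not QEMU's or the patch author's code): back a virtio-9p
# fsdev with a private, freshly created directory instead of /tmp itself.
set -eu

# Create a fresh, empty 0700 directory under $TMPDIR (or /tmp) and print
# its path. The "fuzz-9p-" prefix is an assumption of this example.
make_private_share() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/fuzz-9p-XXXXXX")
    chmod 0700 "$dir"
    printf '%s\n' "$dir"
}

# Compose the QEMU arguments from the patch's "virtio-9p" config, with the
# fsdev path replaced by the private share. security_model=none is kept
# exactly as the original configuration used it.
qemu_9p_args() {
    share=$1
    printf '%s' "-machine q35 -nodefaults -device virtio-9p,fsdev=hshare,mount_tag=hshare -fsdev local,id=hshare,path=$share,security_model=none"
}

# Accept the share only if it exists, is owned by the caller, and has
# mode 0700 (no group/other access). The mode is read from "ls -ld"
# output so the check does not depend on GNU vs BSD stat(1).
share_is_private() {
    share=$1
    [ -d "$share" ] || return 1
    [ -O "$share" ] || return 1
    mode=$(ls -ld "$share" | cut -c2-10)
    case "$mode" in
        rwx------) return 0 ;;
        *) return 1 ;;
    esac
}

# Remove the share and anything the fuzzed device created inside it.
cleanup_share() {
    rm -rf -- "$1"
}

# Stand-alone usage: ./script run
if [ "${1:-}" = "run" ]; then
    d=$(make_private_share)
    share_is_private "$d" && echo "qemu-system-x86_64 $(qemu_9p_args "$d")"
    cleanup_share "$d"
fi
```

Running the script with `run` prints the QEMU command line built around the private directory and then deletes that directory; wrapping a fuzzer run between `make_private_share` and `cleanup_share` gives each execution an empty share, which is the per-input isolation the reply above wants from the synth fsdev, but with a real host-backed path.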