The current URL on cdn.netbsd.org is failing - using archive.netbsd.org
instead seems to be fine.
Message-Id: <20201023073351.251332-2-thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
generic-fuzz is not a standalone fuzzer - it requires some env variables
to be set. On oss-fuzz, we set these with some predefined
generic-fuzz-{...} targets, that are thin wrappers around generic-fuzz.
Do not make a link for the generic-fuzz from the oss-fuzz build, so
oss-fuzz does not treat it as a standalone fuzzer.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-18-alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
[thuth: Reformatted one comment to stay within the 80 columns limit]
Signed-off-by: Thomas Huth <thuth@redhat.com>
Prior to this, fuzzers in the output oss-fuzz directory were exactly
the same executable, with a different name to do argv[0]-based
fuzz-target selection. This is a waste of space, especially since these
binaries can weigh many MB.
Instead of copying, use hard links, to cut down on wasted space. We need
to place the primary copy of the executable into DEST_DIR, since this is
a separate file-system on oss-fuzz. We should not place it directly into
$DEST_DIR, since oss-fuzz will treat it as an independent fuzzer and try
to run it for fuzzing. Instead, we create a DEST_DIR/bin directory to
store the primary copy.
Suggested-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-17-alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
We call get_generic_fuzz_configs, which fills an array with
predefined {name, args, objects} triples. For each of these, we add a
new FuzzTarget, that uses a small wrapper to set
QEMU_FUZZ_{ARGS,OBJECTS} to the corresponding predefined values.
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-16-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Predefine some generic-fuzz configs. For each of these, we will create a
separate FuzzTarget that can be selected through argv0 and, therefore,
fuzzed on oss-fuzz.
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-15-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
It can be useful to register FuzzTargets that have nearly-identical
initialization handlers (e.g. for using the same fuzzing code, with
different configuration options). Add an opaque pointer to the
FuzzTarget struct, so that FuzzTargets can hold some data, useful for
storing target-specific configuration options, that can be read by the
get_init_cmdline function.
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-14-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-13-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Once we find a crash, we can convert it into a QTest trace. Usually this
trace will contain many operations that are unneeded to reproduce the
crash. This script tries to minimize the crashing trace, by removing
operations and trimming QTest bufwrite(write addr len data...) commands.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-12-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
The generic-fuzzer uses hooks to fulfill DMA requests just-in-time.
This means that if we try to use QTEST_LOG=1 to build a reproducer, the
DMA writes will be logged _after_ the in/out/read/write that triggered
the DMA read. To work work around this, the generic-fuzzer annotates
these just-in time DMA fulfilments with a tag that we can use to
discern them. This script simply iterates over a raw qtest
trace (including log messages, errors, timestamps etc), filters it and
re-orders it so that DMA fulfillments are placed directly _before_ the
qtest command that will cause the DMA access.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-11-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-10-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
This new operation is used in the next commit, which concatenates two
fuzzer-generated inputs. With this operation, we can prevent the second
input from clobbering the PCI configuration performed by the first.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-9-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
libfuzzer supports a "custom crossover function". Libfuzzer often tries
to blend two inputs to create a new interesting input. Sometimes, we
have a better idea about how to blend inputs together. This change
allows fuzzers to specify a custom function for blending two inputs
together.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-8-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
We should be careful to not call any functions besides fuzz_dma_read_cb.
Without --enable-fuzzing, fuzz_dma_read_cb is an empty inlined function.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-7-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
This patch declares the fuzz_dma_read_cb function and uses the
preprocessor and linker(weak symbols) to handle these cases:
When we build softmmu/all with --enable-fuzzing, there should be no
strong symbol defined for fuzz_dma_read_cb, and we link against a weak
stub function.
When we build softmmu/fuzz with --enable-fuzzing, we link against the
strong symbol in generic_fuzz.c
When we build softmmu/all without --enable-fuzzing, fuzz_dma_read_cb is
an empty, inlined function. As long as we don't call any other functions
when building the arguments, there should be no overhead.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-6-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
When a virtual-device tries to access some buffer in memory over DMA, we
add call-backs into the fuzzer(next commit). The fuzzer checks verifies
that the DMA request maps to a physical RAM address and fills the memory
with fuzzer-provided data. The patterns that we use to fill this memory
are specified using add_dma_pattern and clear_dma_patterns operations.
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-5-alxndr@bu.edu>
[thuth: Reformatted one comment according to the QEMU coding style]
Signed-off-by: Thomas Huth <thuth@redhat.com>
This patch compares TYPE_PCI_DEVICE objects against the user-provided
matching pattern. If there is a match, we use some hacks and leverage
QOS to map each possible BAR for that device. Now fuzzed inputs might be
converted to pci_read/write commands which target specific. This means
that we can fuzz a particular device's PCI configuration space,
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Message-Id: <20201023150746.107063-4-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
This is a generic fuzzer designed to fuzz a virtual device's
MemoryRegions, as long as they exist within the Memory or Port IO (if it
exists) AddressSpaces. The fuzzer's input is interpreted into a sequence
of qtest commands (outb, readw, etc). The interpreted commands are
separated by a magic seaparator, which should be easy for the fuzzer to
guess. Without ASan, the separator can be specified as a "dictionary
value" using the -dict argument (see libFuzzer documentation).
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-3-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201023150746.107063-2-alxndr@bu.edu>
Signed-off-by: Thomas Huth <thuth@redhat.com>
The g_list_remove_link doesn't free the link element,
opposed to what I thought.
Switch to g_list_delete_link that does free it.
Also refactor the code a bit.
Thanks for Max Reitz for helping me with this.
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Message-Id: <20201019163702.471239-4-mlevitsk@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
By a mistake I added the pending events in a wrong order.
Fix this by using g_list_append.
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Message-Id: <20201019163702.471239-3-mlevitsk@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
This test won't work if qemu was compiled without CONFIG_NPCM7XX, as
pointed out by Thomas Huth on a different patch.
Signed-off-by: Havard Skinnemoen <hskinnemoen@google.com>
Message-Id: <20201023210637.351238-2-hskinnemoen@google.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Xen was broken by commit 1583a38988 ("cpus: extract out qtest-specific
code to accel/qtest"). Xen relied on qemu_init_vcpu() calling
qemu_dummy_start_vcpu() in the default case, but that was replaced by
g_assert_not_reached().
Add a minimal "CpusAccel" for Xen using the dummy-cpus implementation
used by qtest.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Message-Id: <20201013140511.5681-4-jandryuk@gmail.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Claudio Fontana <cfontana@suse.de>
Acked-by: Anthony PERARD <anthony.perard@citrix.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Move and rename accel/qtest/qtest-cpus.c files to accel/dummy-cpus.c so
it can be re-used by Xen.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Message-Id: <20201013140511.5681-3-jandryuk@gmail.com>
Reviewed-by: Claudio Fontana <cfontana@suse.de>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
dummy-cpus.c is only compiled with CONFIG_POSIX, so the _WIN32 condition
will never evaluate true. Remove it.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Message-Id: <20201013140511.5681-2-jandryuk@gmail.com>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Claudio Fontana <cfontana@suse.de>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
The qtests can be run directly by specifying the QEMU binary with the
QTEST_QEMU_BINARY environment variable, for example:
$ QTEST_QEMU_BINARY=x86_64-softmmu/qemu-system-x86_64 tests/qtest/test-hmp
However, if you specify a binary without a path, for example with
QTEST_QEMU_BINARY=qemu-system-x86_64 if the QEMU binary is in your
$PATH, then the test currently simply crashes.
Let's try a little bit smarter here by looking for the final '-'
instead of the slash.
Message-Id: <20201012114816.43546-1-thuth@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Fix two heap-overflow reported by Alexander Bulekov while fuzzing:
- https://bugs.launchpad.net/qemu/+bug/1892960
- https://bugs.launchpad.net/qemu/+bug/1895310
CI jobs results:
. https://cirrus-ci.com/build/6399328187056128
. https://gitlab.com/philmd/qemu/-/pipelines/205701966
. https://travis-ci.org/github/philmd/qemu/builds/737708930
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE+qvnXhKRciHc/Wuy4+MsLN6twN4FAl+QcNQACgkQ4+MsLN6t
wN5Bng/8C2xAFjxnXGbyDq3KKNX6+ag82pZc1+wI4PiYvjCNwQ3BL3FMU6Itu/xE
8bqI5UMlVQGJ0npS8YL4AYdU1wuyk5kb30oXubj+uKreMLd7gVgZSi6rM0C3xDu1
6atNYZK3BDbIdbKKoSx9cOAGnvsI0/gjei+OcmPRzyqQff7RLrOdIW0OaGqrKkjc
ovvtV2gWxTo16HSe2pji4lfw6WkE4H8EshU1YA5ZgIhyQ6HvVz9qLd9QC3zyu9pl
GfeHqEj9BQCnwGTpISewJVCAWdEQyygQxdbTpSEMYyN9A52WB3+Ne/AFESfoDYU4
dc3lefUEjim+EiddB2cGtMjXER8m0Xrl3Z9raRLj5Mrb9bVx+gso1/0L9utQLCy6
eVOGwSFZQ0Va64ng3z5w0tliLEB61B3nDNsIQSU2WLjQxGUVwli6YhHaGXbW9F39
hU0yuqch2cHpUtlvZREymsTkV1cTr1NXmyXN/fzIiDyi8GQZ54AP16eVW/jrj1Bn
Rf1Q0ywe0zb/+bFK/oq6tN9zIoV1/DaJlKQSjmDFdIUBqaSxcUrj53yUHsno/slh
U7cj2ItvlpOljpUrKgV4bVbP7UWsOPC9RX9j5YbkwpHevyWdk/XNlzxoEJAe8Zj1
3AdWsCtnxFdgLLEF3Y2tOENbVUI6Axo7If1oz83X0N782YZMbW8=
=9A05
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/philmd-gitlab/tags/sd-next-20201021' into staging
SD/MMC patches
Fix two heap-overflow reported by Alexander Bulekov while fuzzing:
- https://bugs.launchpad.net/qemu/+bug/1892960
- https://bugs.launchpad.net/qemu/+bug/1895310
CI jobs results:
. https://cirrus-ci.com/build/6399328187056128
. https://gitlab.com/philmd/qemu/-/pipelines/205701966
. https://travis-ci.org/github/philmd/qemu/builds/737708930
# gpg: Signature made Wed 21 Oct 2020 18:33:08 BST
# gpg: using RSA key FAABE75E12917221DCFD6BB2E3E32C2CDEADC0DE
# gpg: Good signature from "Philippe Mathieu-Daudé (F4BUG) <f4bug@amsat.org>" [full]
# Primary key fingerprint: FAAB E75E 1291 7221 DCFD 6BB2 E3E3 2C2C DEAD C0DE
* remotes/philmd-gitlab/tags/sd-next-20201021:
hw/sd/sdcard: Assert if accessing an illegal group
hw/sd/sdcard: Do not attempt to erase out of range addresses
hw/sd/sdcard: Reset both start/end addresses on error
hw/sd/sdcard: Do not use legal address '0' for INVALID_ADDRESS
hw/sd/sdcard: Introduce the INVALID_ADDRESS definition
hw/sd/sdcard: Add trace event for ERASE command (CMD38)
hw/sd/sdhci: Yield if interrupt delivered during multiple transfer
hw/sd/sdhci: Let sdhci_update_irq() return if IRQ was delivered
hw/sd/sdhci: Resume pending DMA transfers on MMIO accesses
hw/sd/sdhci: Stop multiple transfers when block count is cleared
hw/sd/sdhci: Fix DMA Transfer Block Size field
hw/sd/sdhci: Document the datasheet used
hw/sd/sdhci: Fix qemu_log_mask() format string
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Removes opengl dependency from core qemu. The number of shared
libraries for qemu-system-x86_64 goes down from 66 to 60 on my system.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20201019075224.14803-15-kraxel@redhat.com
Build spice core code as module. This removes libspice-server and a
handful of indirect dependencies from core qemu. The number of shared
libraries for qemu-system-x86_64 goes down from 73 to 66 on my system.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20201019075224.14803-13-kraxel@redhat.com
Allow modules depending on other modules.
module_load_file() gets the option to export symbols (by not adding the
G_MODULE_BIND_LOCAL flag).
module_load_one() will check the module dependency list to figure (a)
whenever are other modules must be loaded first, or (b) the module
should export the symbols.
The dependencies are specificed as static list in the source code for
now as I expect the list will stay small.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20201019075224.14803-11-kraxel@redhat.com
In case the spice opts are not registered, try loading the spice module.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20201019075224.14803-10-kraxel@redhat.com
Rename qmp_query_spice() to qmp_query_spice_real(), add to QemuSpiceOps.
Add new qmp_query_spice() function which calls the real function via
QemuSpiceOps if available, otherwise return SpiceInfo.enabled = false.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20201019075224.14803-9-kraxel@redhat.com
Add QemuSpiceOps struct. This struct holds function pointers to the
spice functions. It will be initialized with pointers to the stub
functions. When spice gets initialized the function pointers will
be re-written to the real functions.
The spice stubs will move from qemu-spice.h to spice-module.c for that,
because they will be needed for both "CONFIG_SPICE=n" and "CONFIG_SPICE=y
but spice module not loaded" cases.
This patch adds the infrastructure and starts with moving
qemu_spice_migrate_info() to QemuSpiceOps.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20201019075224.14803-3-kraxel@redhat.com
Add new spice-module.c + qemu-spice-module.h files. The code needed to
support modular spice will be there. For starters this will be only the
using_spice variable, more will follow ...
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 20201019075224.14803-2-kraxel@redhat.com
We can not have more group than 'wpgrps_size'.
Assert if we are accessing a group above this limit.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-7-f4bug@amsat.org>
While the Spec v3 is not very clear, v6 states:
If the host provides an out of range address as an argument
to CMD32 or CMD33, the card shall indicate OUT_OF_RANGE error
in R1 (ERX) for CMD38.
If an address is out of range, do not attempt to erase it:
return R1 with the error bit set.
Buglink: https://bugs.launchpad.net/qemu/+bug/1895310
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-6-f4bug@amsat.org>
From the Spec "4.3.5 Erase":
The host should adhere to the following command
sequence: ERASE_WR_BLK_START, ERASE_WR_BLK_END and
ERASE (CMD38).
If an erase (CMD38) or address setting (CMD32, 33)
command is received out of sequence, the card shall
set the ERASE_SEQ_ERROR bit in the status register
and reset the whole sequence.
Reset both addresses if the ERASE command occured
out of sequence (one of the start/end address is
not set).
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-5-f4bug@amsat.org>
As it is legal to WRITE/ERASE the address/block 0,
change the value of this definition to an illegal
address: UINT32_MAX.
Unfortunately this break the migration stream, so
bump the VMState version number. This affects some
ARM boards and the SDHCI_PCI device (which is only
used for testing).
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-4-f4bug@amsat.org>
'0' is used as a value to indicate an invalid (or unset)
address. Use a definition instead of a magic value.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-3-f4bug@amsat.org>
Trace addresses provided to the ERASE command.
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Message-Id: <20201015063824.212980-2-f4bug@amsat.org>
