@@ -5,6 +5,7 @@ fuzz-obj-y += $(libqos-obj-y)
fuzz-obj-y += tests/qtest/fuzz/fuzz.o # Fuzzer skeleton
fuzz-obj-y += tests/qtest/fuzz/fork_fuzz.o
fuzz-obj-y += tests/qtest/fuzz/qos_fuzz.o
+fuzz-obj-y += tests/qtest/fuzz/qtest_wrappers.o
# Targets
fuzz-obj-$(CONFIG_PCI_I440FX) += tests/qtest/fuzz/i440fx_fuzz.o
@@ -16,3 +17,23 @@ FUZZ_CFLAGS += -I$(SRC_PATH)/tests -I$(SRC_PATH)/tests/qtest
# Linker Script to force coverage-counters into known regions which we can mark
# shared
FUZZ_LDFLAGS += -Xlinker -T$(SRC_PATH)/tests/qtest/fuzz/fork_fuzz.ld
+
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_inb
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_inw
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_inl
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_outb
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_outw
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_outl
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_readb
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_readw
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_readl
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_readq
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_writeb
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_writew
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_writel
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_writeq
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_memread
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_bufread
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_memwrite
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_bufwrite
+FUZZ_LDFLAGS += -Wl,-wrap,qtest_memset
@@ -91,7 +91,10 @@ static void usage(char *path)
printf(" * %s : %s\n", tmp->target->name,
tmp->target->description);
}
- printf("Alternatively, add -target-FUZZ_TARGET to the executable name\n");
+ printf("Alternatively, add -target-FUZZ_TARGET to the executable name\n\n"
+ "Set the environment variable FUZZ_SERIALIZE_QTEST=1 to serialize\n"
+ "QTest commands into an ASCII protocol. Useful for building crash\n"
+ "reproducers, but slows down execution.\n");
exit(0);
}
@@ -137,6 +140,8 @@ int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp)
{
char *target_name;
+ char *dir;
+ bool serialize = false;
/* Initialize qgraph and modules */
qos_graph_init();
@@ -157,6 +162,13 @@ int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp)
usage(**argv);
}
+ /* Should we always serialize qtest commands? */
+ if (getenv("FUZZ_SERIALIZE_QTEST")) {
+ serialize = true;
+ }
+
+ fuzz_qtest_set_serialize(serialize);
+
/* Identify the fuzz target */
fuzz_target = fuzz_get_target(target_name);
if (!fuzz_target) {
@@ -82,6 +82,9 @@ typedef struct FuzzTarget {
void flush_events(QTestState *);
void reboot(QTestState *);
+/* Use the QTest ASCII protocol or call address_space API directly?*/
+void fuzz_qtest_set_serialize(bool option);
+
/*
* makes a copy of *target and adds it to the target-list.
* i.e. fine to set up target on the caller's stack
The QTest server usually parses ASCII commands from clients. Since we fuzz within the QEMU process, skip the QTest serialization and server for most QTest commands. Leave the option to use the ASCII protocol, to generate readable traces for crash reproducers. Inspired-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Signed-off-by: Alexander Bulekov <alxndr@bu.edu> --- tests/qtest/fuzz/Makefile.include | 21 +++++++++++++++++++++ tests/qtest/fuzz/fuzz.c | 14 +++++++++++++- tests/qtest/fuzz/fuzz.h | 3 +++ 3 files changed, 37 insertions(+), 1 deletion(-)