@@ -24,6 +24,7 @@
#include "exec/ramblock.h"
#include "exec/address-spaces.h"
#include "hw/qdev-core.h"
+#include "hw/pci/pci.h"
/*
* SEPARATOR is used to separate "operations" in the fuzz input
@@ -35,12 +36,17 @@ enum cmds {
OP_OUT,
OP_READ,
OP_WRITE,
+ OP_PCI_READ,
+ OP_PCI_WRITE,
OP_CLOCK_STEP,
};
#define DEFAULT_TIMEOUT_US 100000
#define USEC_IN_SEC 1000000000
+#define PCI_HOST_BRIDGE_CFG 0xcf8
+#define PCI_HOST_BRIDGE_DATA 0xcfc
+
typedef struct {
ram_addr_t addr;
ram_addr_t size; /* The number of bytes until the end of the I/O region */
@@ -55,6 +61,7 @@ static bool qtest_log_enabled;
* user for fuzzing.
*/
static GHashTable *fuzzable_memoryregions;
+static GPtrArray *fuzzable_pci_devices;
struct get_io_cb_info {
int index;
@@ -280,6 +287,65 @@ static void op_write(QTestState *s, const unsigned char * data, size_t len)
break;
}
}
+static void op_pci_read(QTestState *s, const unsigned char * data, size_t len)
+{
+ enum Sizes {Byte, Word, Long, end_sizes};
+ struct {
+ uint8_t size;
+ uint8_t base;
+ uint8_t offset;
+ } a;
+ if (len < sizeof(a) || fuzzable_pci_devices->len == 0) {
+ return;
+ }
+ memcpy(&a, data, sizeof(a));
+ PCIDevice *dev = g_ptr_array_index(fuzzable_pci_devices,
+ a.base % fuzzable_pci_devices->len);
+ int devfn = dev->devfn;
+ qtest_outl(s, PCI_HOST_BRIDGE_CFG, (1U << 31) | (devfn << 8) | a.offset);
+ switch (a.size %= end_sizes) {
+ case Byte:
+ qtest_inb(s, PCI_HOST_BRIDGE_DATA);
+ break;
+ case Word:
+ qtest_inw(s, PCI_HOST_BRIDGE_DATA);
+ break;
+ case Long:
+ qtest_inl(s, PCI_HOST_BRIDGE_DATA);
+ break;
+ }
+}
+
+static void op_pci_write(QTestState *s, const unsigned char * data, size_t len)
+{
+ enum Sizes {Byte, Word, Long, end_sizes};
+ struct {
+ uint8_t size;
+ uint8_t base;
+ uint8_t offset;
+ uint32_t value;
+ } a;
+ if (len < sizeof(a) || fuzzable_pci_devices->len == 0) {
+ return;
+ }
+ memcpy(&a, data, sizeof(a));
+ PCIDevice *dev = g_ptr_array_index(fuzzable_pci_devices,
+ a.base % fuzzable_pci_devices->len);
+ int devfn = dev->devfn;
+ qtest_outl(s, PCI_HOST_BRIDGE_CFG, (1U << 31) | (devfn << 8) | a.offset);
+ switch (a.size %= end_sizes) {
+ case Byte:
+ qtest_outb(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFF);
+ break;
+ case Word:
+ qtest_outw(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFFFF);
+ break;
+ case Long:
+ qtest_outl(s, PCI_HOST_BRIDGE_DATA, a.value & 0xFFFFFFFF);
+ break;
+ }
+}
+
static void op_clock_step(QTestState *s, const unsigned char *data, size_t len)
{
qtest_clock_step_next(s);
@@ -338,6 +404,8 @@ static void generic_fuzz(QTestState *s, const unsigned char *Data, size_t Size)
[OP_OUT] = op_out,
[OP_READ] = op_read,
[OP_WRITE] = op_write,
+ [OP_PCI_READ] = op_pci_read,
+ [OP_PCI_WRITE] = op_pci_write,
[OP_CLOCK_STEP] = op_clock_step,
};
const unsigned char *cmd = Data;
@@ -428,6 +496,18 @@ static int locate_fuzz_objects(Object *child, void *opaque)
/* Find and save ptrs to any child MemoryRegions */
object_child_foreach_recursive(child, locate_fuzz_memory_regions, NULL);
+ /*
+ * We matched an object. If its a PCI device, store a pointer to it so
+ * we can map BARs and fuzz its config space.
+ */
+ if (object_dynamic_cast(OBJECT(child), TYPE_PCI_DEVICE)) {
+ /*
+ * Don't want duplicate pointers to the same PCIDevice, so remove
+ * copies of the pointer, before adding it.
+ */
+ g_ptr_array_remove_fast(fuzzable_pci_devices, PCI_DEVICE(child));
+ g_ptr_array_add(fuzzable_pci_devices, PCI_DEVICE(child));
+ }
} else if (object_dynamic_cast(OBJECT(child), TYPE_MEMORY_REGION)) {
if (g_pattern_match_simple(pattern,
object_get_canonical_path_component(child))) {
@@ -460,6 +540,7 @@ static void generic_pre_fuzz(QTestState *s)
}
fuzzable_memoryregions = g_hash_table_new(NULL, NULL);
+ fuzzable_pci_devices = g_ptr_array_new();
result = g_strsplit(getenv("QEMU_FUZZ_OBJECTS"), " ", -1);
for (int i = 0; result[i] != NULL; i++) {