1#!/usr/bin/env python3 2# -*- coding: utf-8 -*- 3 4""" 5Use this to convert qtest log info from a generic fuzzer input into a qtest 6trace that you can feed into a standard qemu-system process. Example usage: 7 8QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \ 9 ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz 10# .. Finds some crash 11QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \ 12QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \ 13 ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz 14 /path/to/crash 2> qtest_log_output 15scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py qtest_log_output > qtest_trace 16./i386-softmmu/qemu-fuzz-i386 -machine q35,accel=qtest \ 17 -qtest stdin < qtest_trace 18 19### Details ### 20 21Some fuzzer make use of hooks that allow us to populate some memory range, just 22before a DMA read from that range. This means that the fuzzer can produce 23activity that looks like: 24 [start] read from mmio addr 25 [end] read from mmio addr 26 [start] write to pio addr 27 [start] fill a DMA buffer just in time 28 [end] fill a DMA buffer just in time 29 [start] fill a DMA buffer just in time 30 [end] fill a DMA buffer just in time 31 [end] write to pio addr 32 [start] read from mmio addr 33 [end] read from mmio addr 34 35We annotate these "nested" DMA writes, so with QTEST_LOG=1 the QTest trace 36might look something like: 37[R +0.028431] readw 0x10000 38[R +0.028434] outl 0xc000 0xbeef # Triggers a DMA read from 0xbeef and 0xbf00 39[DMA][R +0.034639] write 0xbeef 0x2 0xAAAA 40[DMA][R +0.034639] write 0xbf00 0x2 0xBBBB 41[R +0.028431] readw 0xfc000 42 43This script would reorder the above trace so it becomes: 44readw 0x10000 45write 0xbeef 0x2 0xAAAA 46write 0xbf00 0x2 0xBBBB 47outl 0xc000 0xbeef 48readw 0xfc000 49 50I.e. by the time, 0xc000 tries to read from DMA, those DMA buffers have already 51been set up, removing the need for the DMA hooks. We can simply provide this 52reordered trace via -qtest stdio to reproduce the input 53 54Note: this won't work for traces where the device tries to read from the same 55DMA region twice in between MMIO/PIO commands. E.g: 56 [R +0.028434] outl 0xc000 0xbeef 57 [DMA][R +0.034639] write 0xbeef 0x2 0xAAAA 58 [DMA][R +0.034639] write 0xbeef 0x2 0xBBBB 59 60The fuzzer will annotate suspected double-fetches with [DOUBLE-FETCH]. This 61script looks for these tags and warns the users that the resulting trace might 62not reproduce the bug. 63""" 64 65import sys 66 67__author__ = "Alexander Bulekov <alxndr@bu.edu>" 68__copyright__ = "Copyright (C) 2020, Red Hat, Inc." 69__license__ = "GPL version 2 or (at your option) any later version" 70 71__maintainer__ = "Alexander Bulekov" 72__email__ = "alxndr@bu.edu" 73 74 75def usage(): 76 sys.exit("Usage: {} /path/to/qtest_log_output".format((sys.argv[0]))) 77 78 79def main(filename): 80 with open(filename, "r") as f: 81 trace = f.readlines() 82 83 # Leave only lines that look like logged qtest commands 84 trace[:] = [x.strip() for x in trace if "[R +" in x 85 or "[S +" in x and "CLOSED" not in x] 86 87 for i in range(len(trace)): 88 if i+1 < len(trace): 89 if "[DMA]" in trace[i+1]: 90 if "[DOUBLE-FETCH]" in trace[i+1]: 91 sys.stderr.write("Warning: Likely double fetch on line" 92 "{}.\n There will likely be problems " 93 "reproducing behavior with the " 94 "resulting qtest trace\n\n".format(i+1)) 95 trace[i], trace[i+1] = trace[i+1], trace[i] 96 for line in trace: 97 print(line.split("]")[-1].strip()) 98 99 100if __name__ == '__main__': 101 if len(sys.argv) == 1: 102 usage() 103 main(sys.argv[1]) 104