1 /* 2 * virtio-serial Fuzzing Target 3 * 4 * Copyright Red Hat Inc., 2019 5 * 6 * Authors: 7 * Alexander Bulekov <alxndr@bu.edu> 8 * 9 * This work is licensed under the terms of the GNU GPL, version 2 or later. 10 * See the COPYING file in the top-level directory. 11 */ 12 13 #include "qemu/osdep.h" 14 15 #include "tests/qtest/libqos/libqtest.h" 16 #include "tests/qtest/libqos/virtio-scsi.h" 17 #include "tests/qtest/libqos/virtio.h" 18 #include "tests/qtest/libqos/virtio-pci.h" 19 #include "standard-headers/linux/virtio_ids.h" 20 #include "standard-headers/linux/virtio_pci.h" 21 #include "standard-headers/linux/virtio_scsi.h" 22 #include "fuzz.h" 23 #include "fork_fuzz.h" 24 #include "qos_fuzz.h" 25 26 #define PCI_SLOT 0x02 27 #define PCI_FN 0x00 28 #define QVIRTIO_SCSI_TIMEOUT_US (1 * 1000 * 1000) 29 30 #define MAX_NUM_QUEUES 64 31 32 /* Based on tests/virtio-scsi-test.c */ 33 typedef struct { 34 int num_queues; 35 QVirtQueue *vq[MAX_NUM_QUEUES + 2]; 36 } QVirtioSCSIQueues; 37 38 static QVirtioSCSIQueues *qvirtio_scsi_init(QVirtioDevice *dev, uint64_t mask) 39 { 40 QVirtioSCSIQueues *vs; 41 uint64_t feat; 42 int i; 43 44 vs = g_new0(QVirtioSCSIQueues, 1); 45 46 feat = qvirtio_get_features(dev); 47 if (mask) { 48 feat &= ~QVIRTIO_F_BAD_FEATURE | mask; 49 } else { 50 feat &= ~(QVIRTIO_F_BAD_FEATURE | (1ull << VIRTIO_RING_F_EVENT_IDX)); 51 } 52 qvirtio_set_features(dev, feat); 53 54 vs->num_queues = qvirtio_config_readl(dev, 0); 55 56 for (i = 0; i < vs->num_queues + 2; i++) { 57 vs->vq[i] = qvirtqueue_setup(dev, fuzz_qos_alloc, i); 58 } 59 60 qvirtio_set_driver_ok(dev); 61 62 return vs; 63 } 64 65 static void virtio_scsi_fuzz(QTestState *s, QVirtioSCSIQueues* queues, 66 const unsigned char *Data, size_t Size) 67 { 68 /* 69 * Data is a sequence of random bytes. We split them up into "actions", 70 * followed by data: 71 * [vqa][dddddddd][vqa][dddd][vqa][dddddddddddd] ... 72 * The length of the data is specified by the preceding vqa.length 73 */ 74 typedef struct vq_action { 75 uint8_t queue; 76 uint8_t length; 77 uint8_t write; 78 uint8_t next; 79 uint8_t kick; 80 } vq_action; 81 82 /* Keep track of the free head for each queue we interact with */ 83 bool vq_touched[MAX_NUM_QUEUES + 2] = {0}; 84 uint32_t free_head[MAX_NUM_QUEUES + 2]; 85 86 QGuestAllocator *t_alloc = fuzz_qos_alloc; 87 88 QVirtioSCSI *scsi = fuzz_qos_obj; 89 QVirtioDevice *dev = scsi->vdev; 90 QVirtQueue *q; 91 vq_action vqa; 92 while (Size >= sizeof(vqa)) { 93 /* Copy the action, so we can normalize length, queue and flags */ 94 memcpy(&vqa, Data, sizeof(vqa)); 95 96 Data += sizeof(vqa); 97 Size -= sizeof(vqa); 98 99 vqa.queue = vqa.queue % queues->num_queues; 100 /* Cap length at the number of remaining bytes in data */ 101 vqa.length = vqa.length >= Size ? Size : vqa.length; 102 vqa.write = vqa.write & 1; 103 vqa.next = vqa.next & 1; 104 vqa.kick = vqa.kick & 1; 105 106 107 q = queues->vq[vqa.queue]; 108 109 /* Copy the data into ram, and place it on the virtqueue */ 110 uint64_t req_addr = guest_alloc(t_alloc, vqa.length); 111 qtest_memwrite(s, req_addr, Data, vqa.length); 112 if (vq_touched[vqa.queue] == 0) { 113 vq_touched[vqa.queue] = 1; 114 free_head[vqa.queue] = qvirtqueue_add(s, q, req_addr, vqa.length, 115 vqa.write, vqa.next); 116 } else { 117 qvirtqueue_add(s, q, req_addr, vqa.length, vqa.write , vqa.next); 118 } 119 120 if (vqa.kick) { 121 qvirtqueue_kick(s, dev, q, free_head[vqa.queue]); 122 free_head[vqa.queue] = 0; 123 } 124 Data += vqa.length; 125 Size -= vqa.length; 126 } 127 /* In the end, kick each queue we interacted with */ 128 for (int i = 0; i < MAX_NUM_QUEUES + 2; i++) { 129 if (vq_touched[i]) { 130 qvirtqueue_kick(s, dev, queues->vq[i], free_head[i]); 131 } 132 } 133 } 134 135 static void virtio_scsi_fork_fuzz(QTestState *s, 136 const unsigned char *Data, size_t Size) 137 { 138 QVirtioSCSI *scsi = fuzz_qos_obj; 139 static QVirtioSCSIQueues *queues; 140 if (!queues) { 141 queues = qvirtio_scsi_init(scsi->vdev, 0); 142 } 143 if (fork() == 0) { 144 virtio_scsi_fuzz(s, queues, Data, Size); 145 flush_events(s); 146 _Exit(0); 147 } else { 148 flush_events(s); 149 wait(NULL); 150 } 151 } 152 153 static void virtio_scsi_with_flag_fuzz(QTestState *s, 154 const unsigned char *Data, size_t Size) 155 { 156 QVirtioSCSI *scsi = fuzz_qos_obj; 157 static QVirtioSCSIQueues *queues; 158 159 if (fork() == 0) { 160 if (Size >= sizeof(uint64_t)) { 161 queues = qvirtio_scsi_init(scsi->vdev, *(uint64_t *)Data); 162 virtio_scsi_fuzz(s, queues, 163 Data + sizeof(uint64_t), Size - sizeof(uint64_t)); 164 flush_events(s); 165 } 166 _Exit(0); 167 } else { 168 flush_events(s); 169 wait(NULL); 170 } 171 } 172 173 static void virtio_scsi_pre_fuzz(QTestState *s) 174 { 175 qos_init_path(s); 176 counter_shm_init(); 177 } 178 179 static void *virtio_scsi_test_setup(GString *cmd_line, void *arg) 180 { 181 g_string_append(cmd_line, 182 " -drive file=blkdebug::null-co://," 183 "file.image.read-zeroes=on," 184 "if=none,id=dr1,format=raw,file.align=4k " 185 "-device scsi-hd,drive=dr1,lun=0,scsi-id=1"); 186 return arg; 187 } 188 189 190 static void register_virtio_scsi_fuzz_targets(void) 191 { 192 fuzz_add_qos_target(&(FuzzTarget){ 193 .name = "virtio-scsi-fuzz", 194 .description = "Fuzz the virtio-scsi virtual queues, forking " 195 "for each fuzz run", 196 .pre_vm_init = &counter_shm_init, 197 .pre_fuzz = &virtio_scsi_pre_fuzz, 198 .fuzz = virtio_scsi_fork_fuzz,}, 199 "virtio-scsi", 200 &(QOSGraphTestOptions){.before = virtio_scsi_test_setup} 201 ); 202 203 fuzz_add_qos_target(&(FuzzTarget){ 204 .name = "virtio-scsi-flags-fuzz", 205 .description = "Fuzz the virtio-scsi virtual queues, forking " 206 "for each fuzz run (also fuzzes the virtio flags)", 207 .pre_vm_init = &counter_shm_init, 208 .pre_fuzz = &virtio_scsi_pre_fuzz, 209 .fuzz = virtio_scsi_with_flag_fuzz,}, 210 "virtio-scsi", 211 &(QOSGraphTestOptions){.before = virtio_scsi_test_setup} 212 ); 213 } 214 215 fuzz_target_init(register_virtio_scsi_fuzz_targets); 216