2 # -*- coding: utf-8 -*-
5 Use this to convert qtest log info from a generic fuzzer input into a qtest
6 trace that you can feed into a standard qemu-system process. Example usage:
8 QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \
9 ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz
11 QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \
12 QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \
13 ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz
14 /path/to/crash 2> qtest_log_output
15 scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py qtest_log_output > qtest_trace
16 ./i386-softmmu/qemu-fuzz-i386 -machine q35,accel=qtest \
17 -qtest stdin < qtest_trace
21 Some fuzzer make use of hooks that allow us to populate some memory range, just
22 before a DMA read from that range. This means that the fuzzer can produce
23 activity that looks like:
24 [start] read from mmio addr
25 [end] read from mmio addr
26 [start] write to pio addr
27 [start] fill a DMA buffer just in time
28 [end] fill a DMA buffer just in time
29 [start] fill a DMA buffer just in time
30 [end] fill a DMA buffer just in time
31 [end] write to pio addr
32 [start] read from mmio addr
33 [end] read from mmio addr
35 We annotate these "nested" DMA writes, so with QTEST_LOG=1 the QTest trace
36 might look something like:
37 [R +0.028431] readw 0x10000
38 [R +0.028434] outl 0xc000 0xbeef # Triggers a DMA read from 0xbeef and 0xbf00
39 [DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
40 [DMA][R +0.034639] write 0xbf00 0x2 0xBBBB
41 [R +0.028431] readw 0xfc000
43 This script would reorder the above trace so it becomes:
45 write 0xbeef 0x2 0xAAAA
46 write 0xbf00 0x2 0xBBBB
50 I.e. by the time, 0xc000 tries to read from DMA, those DMA buffers have already
51 been set up, removing the need for the DMA hooks. We can simply provide this
52 reordered trace via -qtest stdio to reproduce the input
54 Note: this won't work for traces where the device tries to read from the same
55 DMA region twice in between MMIO/PIO commands. E.g:
56 [R +0.028434] outl 0xc000 0xbeef
57 [DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
58 [DMA][R +0.034639] write 0xbeef 0x2 0xBBBB
60 The fuzzer will annotate suspected double-fetches with [DOUBLE-FETCH]. This
61 script looks for these tags and warns the users that the resulting trace might
62 not reproduce the bug.
67 __author__
= "Alexander Bulekov <alxndr@bu.edu>"
68 __copyright__
= "Copyright (C) 2020, Red Hat, Inc."
69 __license__
= "GPL version 2 or (at your option) any later version"
71 __maintainer__
= "Alexander Bulekov"
72 __email__
= "alxndr@bu.edu"
76 sys
.exit("Usage: {} /path/to/qtest_log_output".format((sys
.argv
[0])))
80 with
open(filename
, "r") as f
:
83 # Leave only lines that look like logged qtest commands
84 trace
[:] = [x
.strip() for x
in trace
if "[R +" in x
85 or "[S +" in x
and "CLOSED" not in x
]
87 for i
in range(len(trace
)):
89 if "[DMA]" in trace
[i
+1]:
90 if "[DOUBLE-FETCH]" in trace
[i
+1]:
91 sys
.stderr
.write("Warning: Likely double fetch on line"
92 "{}.\n There will likely be problems "
93 "reproducing behavior with the "
94 "resulting qtest trace\n\n".format(i
+1))
95 trace
[i
], trace
[i
+1] = trace
[i
+1], trace
[i
]
97 print(line
.split("]")[-1].strip())
100 if __name__
== '__main__':
101 if len(sys
.argv
) == 1: