search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge remote-tracking branch 'remotes/kraxel/tags/ui-20210311-pull-request' into...
[qemu/ar7.git] / tests / qtest / fuzz / virtio_net_fuzz.c
blob0e873ab8e25ffc63ba9fb3f765d569f037cd0c86
1 /*
2 * virtio-net Fuzzing Target
3 *
4 * Copyright Red Hat Inc., 2019
5 *
6 * Authors:
7 * Alexander Bulekov <alxndr@bu.edu>
8 *
9 * This work is licensed under the terms of the GNU GPL, version 2 or later.
10 * See the COPYING file in the top-level directory.
11 */
12
13 #include "qemu/osdep.h"
14
15 #include "standard-headers/linux/virtio_config.h"
16 #include "tests/qtest/libqos/libqtest.h"
17 #include "tests/qtest/libqos/virtio-net.h"
18 #include "fuzz.h"
19 #include "fork_fuzz.h"
20 #include "qos_fuzz.h"
21
22
23 #define QVIRTIO_NET_TIMEOUT_US (30 * 1000 * 1000)
24 #define QVIRTIO_RX_VQ 0
25 #define QVIRTIO_TX_VQ 1
26 #define QVIRTIO_CTRL_VQ 2
27
28 static int sockfds[2];
29 static bool sockfds_initialized;
30
31 static void virtio_net_fuzz_multi(QTestState *s,
32 const unsigned char *Data, size_t Size, bool check_used)
33 {
34 typedef struct vq_action {
35 uint8_t queue;
36 uint8_t length;
37 uint8_t write;
38 uint8_t next;
39 uint8_t rx;
40 } vq_action;
41
42 uint32_t free_head = 0;
43
44 QGuestAllocator *t_alloc = fuzz_qos_alloc;
45
46 QVirtioNet *net_if = fuzz_qos_obj;
47 QVirtioDevice *dev = net_if->vdev;
48 QVirtQueue *q;
49 vq_action vqa;
50 while (Size >= sizeof(vqa)) {
51 memcpy(&vqa, Data, sizeof(vqa));
52 Data += sizeof(vqa);
53 Size -= sizeof(vqa);
54
55 q = net_if->queues[vqa.queue % 3];
56
57 vqa.length = vqa.length >= Size ? Size : vqa.length;
58
59 /*
60 * Only attempt to write incoming packets, when using the socket
61 * backend. Otherwise, always place the input on a virtqueue.
62 */
63 if (vqa.rx && sockfds_initialized) {
64 int ignored = write(sockfds[0], Data, vqa.length);
65 (void) ignored;
66 } else {
67 vqa.rx = 0;
68 uint64_t req_addr = guest_alloc(t_alloc, vqa.length);
69 /*
70 * If checking used ring, ensure that the fuzzer doesn't trigger
71 * trivial asserion failure on zero-zied buffer
72 */
73 qtest_memwrite(s, req_addr, Data, vqa.length);
74
75
76 free_head = qvirtqueue_add(s, q, req_addr, vqa.length,
77 vqa.write, vqa.next);
78 qvirtqueue_add(s, q, req_addr, vqa.length, vqa.write , vqa.next);
79 qvirtqueue_kick(s, dev, q, free_head);
80 }
81
82 /* Run the main loop */
83 qtest_clock_step(s, 100);
84 flush_events(s);
85
86 /* Wait on used descriptors */
87 if (check_used && !vqa.rx) {
88 gint64 start_time = g_get_monotonic_time();
89 /*
90 * normally, we could just use qvirtio_wait_used_elem, but since we
91 * must manually run the main-loop for all the bhs to run, we use
92 * this hack with flush_events(), to run the main_loop
93 */
94 while (!vqa.rx && q != net_if->queues[QVIRTIO_RX_VQ]) {
95 uint32_t got_desc_idx;
96 /* Input led to a virtio_error */
97 if (dev->bus->get_status(dev) & VIRTIO_CONFIG_S_NEEDS_RESET) {
98 break;
99 }
100 if (dev->bus->get_queue_isr_status(dev, q) &&
101 qvirtqueue_get_buf(s, q, &got_desc_idx, NULL)) {
102 g_assert_cmpint(got_desc_idx, ==, free_head);
103 break;
104 }
105 g_assert(g_get_monotonic_time() - start_time
106 <= QVIRTIO_NET_TIMEOUT_US);
107
108 /* Run the main loop */
109 qtest_clock_step(s, 100);
110 flush_events(s);
111 }
112 }
113 Data += vqa.length;
114 Size -= vqa.length;
115 }
116 }
117
118 static void virtio_net_fork_fuzz(QTestState *s,
119 const unsigned char *Data, size_t Size)
120 {
121 if (fork() == 0) {
122 virtio_net_fuzz_multi(s, Data, Size, false);
123 flush_events(s);
124 _Exit(0);
125 } else {
126 flush_events(s);
127 wait(NULL);
128 }
129 }
130
131 static void virtio_net_fork_fuzz_check_used(QTestState *s,
132 const unsigned char *Data, size_t Size)
133 {
134 if (fork() == 0) {
135 virtio_net_fuzz_multi(s, Data, Size, true);
136 flush_events(s);
137 _Exit(0);
138 } else {
139 flush_events(s);
140 wait(NULL);
141 }
142 }
143
144 static void virtio_net_pre_fuzz(QTestState *s)
145 {
146 qos_init_path(s);
147 counter_shm_init();
148 }
149
150 static void *virtio_net_test_setup_socket(GString *cmd_line, void *arg)
151 {
152 int ret = socketpair(PF_UNIX, SOCK_STREAM, 0, sockfds);
153 g_assert_cmpint(ret, !=, -1);
154 fcntl(sockfds[0], F_SETFL, O_NONBLOCK);
155 sockfds_initialized = true;
156 g_string_append_printf(cmd_line, " -netdev socket,fd=%d,id=hs0 ",
157 sockfds[1]);
158 return arg;
159 }
160
161 static void *virtio_net_test_setup_user(GString *cmd_line, void *arg)
162 {
163 g_string_append_printf(cmd_line, " -netdev user,id=hs0 ");
164 return arg;
165 }
166
167 static void register_virtio_net_fuzz_targets(void)
168 {
169 fuzz_add_qos_target(&(FuzzTarget){
170 .name = "virtio-net-socket",
171 .description = "Fuzz the virtio-net virtual queues. Fuzz incoming "
172 "traffic using the socket backend",
173 .pre_fuzz = &virtio_net_pre_fuzz,
174 .fuzz = virtio_net_fork_fuzz,},
175 "virtio-net",
176 &(QOSGraphTestOptions){.before = virtio_net_test_setup_socket}
177 );
178
179 fuzz_add_qos_target(&(FuzzTarget){
180 .name = "virtio-net-socket-check-used",
181 .description = "Fuzz the virtio-net virtual queues. Wait for the "
182 "descriptors to be used. Timeout may indicate improperly handled "
183 "input",
184 .pre_fuzz = &virtio_net_pre_fuzz,
185 .fuzz = virtio_net_fork_fuzz_check_used,},
186 "virtio-net",
187 &(QOSGraphTestOptions){.before = virtio_net_test_setup_socket}
188 );
189 fuzz_add_qos_target(&(FuzzTarget){
190 .name = "virtio-net-slirp",
191 .description = "Fuzz the virtio-net virtual queues with the slirp "
192 " backend. Warning: May result in network traffic emitted from the "
193 " process. Run in an isolated network environment.",
194 .pre_fuzz = &virtio_net_pre_fuzz,
195 .fuzz = virtio_net_fork_fuzz,},
196 "virtio-net",
197 &(QOSGraphTestOptions){.before = virtio_net_test_setup_user}
198 );
199 }
200
201 fuzz_target_init(register_virtio_net_fuzz_targets);
AR7 emulation for QEMU