qemu/scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
Use this to convert qtest log info from a generic fuzzer input into a qtest
trace that you can feed into a standard qemu-system process. Example usage:

QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \
        ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz
# .. Finds some crash
QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \
QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \
        ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz
        /path/to/crash 2> qtest_log_output
scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py qtest_log_output > qtest_trace
./i386-softmmu/qemu-fuzz-i386 -machine q35,accel=qtest \
        -qtest stdio < qtest_trace

### Details ###

Some fuzzer make use of hooks that allow us to populate some memory range, just
before a DMA read from that range. This means that the fuzzer can produce
activity that looks like:
    [start] read from mmio addr
    [end]   read from mmio addr
    [start] write to pio addr
        [start] fill a DMA buffer just in time
        [end]   fill a DMA buffer just in time
        [start] fill a DMA buffer just in time
        [end]   fill a DMA buffer just in time
    [end]   write to pio addr
    [start] read from mmio addr
    [end]   read from mmio addr

We annotate these "nested" DMA writes, so with QTEST_LOG=1 the QTest trace
might look something like:
[R +0.028431] readw 0x10000
[R +0.028434] outl 0xc000 0xbeef  # Triggers a DMA read from 0xbeef and 0xbf00
[DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
[DMA][R +0.034639] write 0xbf00 0x2 0xBBBB
[R +0.028431] readw 0xfc000

This script would reorder the above trace so it becomes:
readw 0x10000
write 0xbeef 0x2 0xAAAA
write 0xbf00 0x2 0xBBBB
outl 0xc000 0xbeef
readw 0xfc000

I.e. by the time, 0xc000 tries to read from DMA, those DMA buffers have already
been set up, removing the need for the DMA hooks. We can simply provide this
reordered trace via -qtest stdio to reproduce the input

Note: this won't work for traces where the device tries to read from the same
DMA region twice in between MMIO/PIO commands. E.g:
    [R +0.028434] outl 0xc000 0xbeef
    [DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
    [DMA][R +0.034639] write 0xbeef 0x2 0xBBBB

The fuzzer will annotate suspected double-fetches with [DOUBLE-FETCH]. This
script looks for these tags and warns the users that the resulting trace might
not reproduce the bug.
"""

import sys

__author__     = "Alexander Bulekov <alxndr@bu.edu>"
__copyright__  = "Copyright (C) 2020, Red Hat, Inc."
__license__    = "GPL version 2 or (at your option) any later version"

__maintainer__ = "Alexander Bulekov"
__email__      = "alxndr@bu.edu"


def usage():
    sys.exit("Usage: {} /path/to/qtest_log_output".format((sys.argv[0])))


def main(filename):
    with open(filename, "r") as f:
        trace = f.readlines()

    # Leave only lines that look like logged qtest commands
    trace[:] = [x.strip() for x in trace if "[R +" in x
                or "[S +" in x and "CLOSED" not in x]

    for i in range(len(trace)):
        if i+1 < len(trace):
            if "[DMA]" in trace[i+1]:
                if "[DOUBLE-FETCH]" in trace[i+1]:
                    sys.stderr.write("Warning: Likely double fetch on line"
                                     "{}.\n There will likely be problems "
                                     "reproducing behavior with the "
                                     "resulting qtest trace\n\n".format(i+1))
                trace[i], trace[i+1] = trace[i+1], trace[i]
    for line in trace:
        print(line.split("]")[-1].strip())


if __name__ == '__main__':
    if len(sys.argv) == 1:
        usage()
    main(sys.argv[1])
scripts/oss-fuzz: Add script to reorder a generic-fuzzer trace The generic-fuzzer uses hooks to fulfill DMA requests just-in-time. This means that if we try to use QTEST_LOG=1 to build a reproducer, the DMA writes will be logged _after_ the in/out/read/write that triggered the DMA read. To work work around this, the generic-fuzzer annotates these just-in time DMA fulfilments with a tag that we can use to discern them. This script simply iterates over a raw qtest trace (including log messages, errors, timestamps etc), filters it and re-orders it so that DMA fulfillments are placed directly _before_ the qtest command that will cause the DMA access. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20201023150746.107063-11-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com> 2020-10-23 11:07:39 -04:00			`#!/usr/bin/env python3`
			`# -- coding: utf-8 --`

			`"""`
			`Use this to convert qtest log info from a generic fuzzer input into a qtest`
			`trace that you can feed into a standard qemu-system process. Example usage:`

			`QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \`
			`./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz`
			`# .. Finds some crash`
			`QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \`
			`QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \`
			`./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz`
			`/path/to/crash 2> qtest_log_output`
			`scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py qtest_log_output > qtest_trace`
			`./i386-softmmu/qemu-fuzz-i386 -machine q35,accel=qtest \`
scripts/oss-fuzz: Fix typo in documentation While we only use stdin, the chardev is named 'stdio'. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Alexander Bulekov <alxndr@bu.edu> Message-Id: <20210602170759.2500248-4-f4bug@amsat.org> Signed-off-by: Laurent Vivier <laurent@vivier.eu> 2021-06-02 19:07:59 +02:00			`-qtest stdio < qtest_trace`
scripts/oss-fuzz: Add script to reorder a generic-fuzzer trace The generic-fuzzer uses hooks to fulfill DMA requests just-in-time. This means that if we try to use QTEST_LOG=1 to build a reproducer, the DMA writes will be logged _after_ the in/out/read/write that triggered the DMA read. To work work around this, the generic-fuzzer annotates these just-in time DMA fulfilments with a tag that we can use to discern them. This script simply iterates over a raw qtest trace (including log messages, errors, timestamps etc), filters it and re-orders it so that DMA fulfillments are placed directly _before_ the qtest command that will cause the DMA access. Signed-off-by: Alexander Bulekov <alxndr@bu.edu> Reviewed-by: Darren Kenny <darren.kenny@oracle.com> Message-Id: <20201023150746.107063-11-alxndr@bu.edu> Signed-off-by: Thomas Huth <thuth@redhat.com> 2020-10-23 11:07:39 -04:00
			`### Details ###`

			`Some fuzzer make use of hooks that allow us to populate some memory range, just`
			`before a DMA read from that range. This means that the fuzzer can produce`
			`activity that looks like:`
			`[start] read from mmio addr`
			`[end] read from mmio addr`
			`[start] write to pio addr`
			`[start] fill a DMA buffer just in time`
			`[end] fill a DMA buffer just in time`
			`[start] fill a DMA buffer just in time`
			`[end] fill a DMA buffer just in time`
			`[end] write to pio addr`
			`[start] read from mmio addr`
			`[end] read from mmio addr`

			`We annotate these "nested" DMA writes, so with QTEST_LOG=1 the QTest trace`
			`might look something like:`
			`[R +0.028431] readw 0x10000`
			`[R +0.028434] outl 0xc000 0xbeef # Triggers a DMA read from 0xbeef and 0xbf00`
			`[DMA][R +0.034639] write 0xbeef 0x2 0xAAAA`
			`[DMA][R +0.034639] write 0xbf00 0x2 0xBBBB`
			`[R +0.028431] readw 0xfc000`

			`This script would reorder the above trace so it becomes:`
			`readw 0x10000`
			`write 0xbeef 0x2 0xAAAA`
			`write 0xbf00 0x2 0xBBBB`
			`outl 0xc000 0xbeef`
			`readw 0xfc000`

			`I.e. by the time, 0xc000 tries to read from DMA, those DMA buffers have already`
			`been set up, removing the need for the DMA hooks. We can simply provide this`
			`reordered trace via -qtest stdio to reproduce the input`

			`Note: this won't work for traces where the device tries to read from the same`
			`DMA region twice in between MMIO/PIO commands. E.g:`
			`[R +0.028434] outl 0xc000 0xbeef`
			`[DMA][R +0.034639] write 0xbeef 0x2 0xAAAA`
			`[DMA][R +0.034639] write 0xbeef 0x2 0xBBBB`

			`The fuzzer will annotate suspected double-fetches with [DOUBLE-FETCH]. This`
			`script looks for these tags and warns the users that the resulting trace might`
			`not reproduce the bug.`
			`"""`

			`import sys`

			`__author__ = "Alexander Bulekov <alxndr@bu.edu>"`
			`__copyright__ = "Copyright (C) 2020, Red Hat, Inc."`
			`__license__ = "GPL version 2 or (at your option) any later version"`

			`__maintainer__ = "Alexander Bulekov"`
			`__email__ = "alxndr@bu.edu"`


			`def usage():`
			`sys.exit("Usage: {} /path/to/qtest_log_output".format((sys.argv[0])))`


			`def main(filename):`
			`with open(filename, "r") as f:`
			`trace = f.readlines()`

			`# Leave only lines that look like logged qtest commands`
			`trace[:] = [x.strip() for x in trace if "[R +" in x`
			`or "[S +" in x and "CLOSED" not in x]`

			`for i in range(len(trace)):`
			`if i+1 < len(trace):`
			`if "[DMA]" in trace[i+1]:`
			`if "[DOUBLE-FETCH]" in trace[i+1]:`
			`sys.stderr.write("Warning: Likely double fetch on line"`
			`"{}.\n There will likely be problems "`
			`"reproducing behavior with the "`
			`"resulting qtest trace\n\n".format(i+1))`
			`trace[i], trace[i+1] = trace[i+1], trace[i]`
			`for line in trace:`
			`print(line.split("]")[-1].strip())`


			`if __name__ == '__main__':`
			`if len(sys.argv) == 1:`
			`usage()`
			`main(sys.argv[1])`