qemu

reorder_fuzzer_qtest_trace.py (3736B)

---

 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 
 """
 Use this to convert qtest log info from a generic fuzzer input into a qtest
 trace that you can feed into a standard qemu-system process. Example usage:
 
 QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \
         ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz
 # .. Finds some crash
 QTEST_LOG=1 FUZZ_SERIALIZE_QTEST=1 \
 QEMU_FUZZ_ARGS="-machine q35,accel=qtest" QEMU_FUZZ_OBJECTS="*" \
         ./i386-softmmu/qemu-fuzz-i386 --fuzz-target=generic-pci-fuzz
         /path/to/crash 2> qtest_log_output
 scripts/oss-fuzz/reorder_fuzzer_qtest_trace.py qtest_log_output > qtest_trace
 ./i386-softmmu/qemu-fuzz-i386 -machine q35,accel=qtest \
         -qtest stdio < qtest_trace
 
 ### Details ###
 
 Some fuzzer make use of hooks that allow us to populate some memory range, just
 before a DMA read from that range. This means that the fuzzer can produce
 activity that looks like:
     [start] read from mmio addr
     [end]   read from mmio addr
     [start] write to pio addr
         [start] fill a DMA buffer just in time
         [end]   fill a DMA buffer just in time
         [start] fill a DMA buffer just in time
         [end]   fill a DMA buffer just in time
     [end]   write to pio addr
     [start] read from mmio addr
     [end]   read from mmio addr
 
 We annotate these "nested" DMA writes, so with QTEST_LOG=1 the QTest trace
 might look something like:
 [R +0.028431] readw 0x10000
 [R +0.028434] outl 0xc000 0xbeef  # Triggers a DMA read from 0xbeef and 0xbf00
 [DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
 [DMA][R +0.034639] write 0xbf00 0x2 0xBBBB
 [R +0.028431] readw 0xfc000
 
 This script would reorder the above trace so it becomes:
 readw 0x10000
 write 0xbeef 0x2 0xAAAA
 write 0xbf00 0x2 0xBBBB
 outl 0xc000 0xbeef
 readw 0xfc000
 
 I.e. by the time, 0xc000 tries to read from DMA, those DMA buffers have already
 been set up, removing the need for the DMA hooks. We can simply provide this
 reordered trace via -qtest stdio to reproduce the input
 
 Note: this won't work for traces where the device tries to read from the same
 DMA region twice in between MMIO/PIO commands. E.g:
     [R +0.028434] outl 0xc000 0xbeef
     [DMA][R +0.034639] write 0xbeef 0x2 0xAAAA
     [DMA][R +0.034639] write 0xbeef 0x2 0xBBBB
 
 The fuzzer will annotate suspected double-fetches with [DOUBLE-FETCH]. This
 script looks for these tags and warns the users that the resulting trace might
 not reproduce the bug.
 """
 
 import sys
 
 __author__     = "Alexander Bulekov <alxndr@bu.edu>"
 __copyright__  = "Copyright (C) 2020, Red Hat, Inc."
 __license__    = "GPL version 2 or (at your option) any later version"
 
 __maintainer__ = "Alexander Bulekov"
 __email__      = "alxndr@bu.edu"
 
 
 def usage():
     sys.exit("Usage: {} /path/to/qtest_log_output".format((sys.argv[0])))
 
 
 def main(filename):
     with open(filename, "r") as f:
         trace = f.readlines()
 
     # Leave only lines that look like logged qtest commands
     trace[:] = [x.strip() for x in trace if "[R +" in x
                 or "[S +" in x and "CLOSED" not in x]
 
     for i in range(len(trace)):
         if i+1 < len(trace):
             if "[DMA]" in trace[i+1]:
                 if "[DOUBLE-FETCH]" in trace[i+1]:
                     sys.stderr.write("Warning: Likely double fetch on line"
                                      "{}.\n There will likely be problems "
                                      "reproducing behavior with the "
                                      "resulting qtest trace\n\n".format(i+1))
                 trace[i], trace[i+1] = trace[i+1], trace[i]
     for line in trace:
         print(line.split("]")[-1].strip())
 
 
 if __name__ == '__main__':
     if len(sys.argv) == 1:
         usage()
     main(sys.argv[1])