[mirror_qemu.git] / tests / qtest / fuzz / fuzz.h

/*
 * fuzzing driver
 *
 * Copyright Red Hat Inc., 2019
 *
 * Authors:
 *  Alexander Bulekov   <alxndr@bu.edu>
 *
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 *
 */

#ifndef QTEST_FUZZ_H
#define QTEST_FUZZ_H

#include "qemu/units.h"
#include "qapi/error.h"

#include "tests/qtest/libqtest.h"

/**
 * A libfuzzer fuzzing target
 *
 * The QEMU fuzzing binary is built with all available targets, each
 * with a unique @name that can be specified on the command-line to
 * select which target should run.
 *
 * A target must implement ->fuzz() to process a random input.  If QEMU
 * crashes in ->fuzz() then libfuzzer will record a failure.
 *
 * Fuzzing targets are registered with fuzz_add_target():
 *
 *   static const FuzzTarget fuzz_target = {
 *       .name = "my-device-fifo",
 *       .description = "Fuzz the FIFO buffer registers of my-device",
 *       ...
 *   };
 *
 *   static void register_fuzz_target(void)
 *   {
 *       fuzz_add_target(&fuzz_target);
 *   }
 *   fuzz_target_init(register_fuzz_target);
 */
typedef struct FuzzTarget {
    const char *name;         /* target identifier (passed to --fuzz-target=)*/
    const char *description;  /* help text */


    /*
     * Returns the arguments that are passed to qemu/system init(). Freed by
     * the caller.
     */
    GString *(*get_init_cmdline)(struct FuzzTarget *);

    /*
     * will run once, prior to running qemu/system init.
     * eg: set up shared-memory for communication with the child-process
     * Can be NULL
     */
    void(*pre_vm_init)(void);

    /*
     * will run once, after QEMU has been initialized, prior to the fuzz-loop.
     * eg: detect the memory map
     * Can be NULL
     */
    void(*pre_fuzz)(QTestState *);

    /*
     * accepts and executes an input from libfuzzer. this is repeatedly
     * executed during the fuzzing loop. Its should handle setup, input
     * execution and cleanup.
     * Cannot be NULL
     */
    void(*fuzz)(QTestState *, const unsigned char *, size_t);

    /*
     * The fuzzer can specify a "Custom Crossover" function for combining two
     * inputs from the corpus. This function is sometimes called by libfuzzer
     * when mutating inputs.
     *
     * data1: location of first input
     * size1: length of first input
     * data1: location of second input
     * size1: length of second input
     * out: where to place the resulting, mutated input
     * max_out_size: the maximum length of the input that can be placed in out
     * seed: the seed that should be used to make mutations deterministic, when
     *       needed
     *
     * See libfuzzer's LLVMFuzzerCustomCrossOver API for more info.
     *
     * Can be NULL
     */
    size_t(*crossover)(const uint8_t *data1, size_t size1,
                       const uint8_t *data2, size_t size2,
                       uint8_t *out, size_t max_out_size,
                       unsigned int seed);

    void *opaque;
} FuzzTarget;

void flush_events(QTestState *);
void fuzz_reset(QTestState *);

/* Use the QTest ASCII protocol or call address_space API directly?*/
void fuzz_qtest_set_serialize(bool option);

/*
 * makes a copy of *target and adds it to the target-list.
 * i.e. fine to set up target on the caller's stack
 */
void fuzz_add_target(const FuzzTarget *target);

size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1,
                                 const uint8_t *data2, size_t size2,
                                 uint8_t *out, size_t max_out_size,
                                 unsigned int seed);
int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size);
int LLVMFuzzerInitialize(int *argc, char ***argv, char ***envp);

#endif
Commit	Line	Data
5f6fd09a AB	1	/*
	2	* fuzzing driver
	3	*
	4	* Copyright Red Hat Inc., 2019
	5	*
	6	* Authors:
	7	* Alexander Bulekov <alxndr@bu.edu>
	8	*
	9	* This work is licensed under the terms of the GNU GPL, version 2 or later.
	10	* See the COPYING file in the top-level directory.
	11	*
	12	*/
	13
52581c71 MA	14	#ifndef QTEST_FUZZ_H
52581c71 MA	15	#define QTEST_FUZZ_H
5f6fd09a	16
5f6fd09a AB	17	#include "qemu/units.h"
	18	#include "qapi/error.h"
	19
907b5105	20	#include "tests/qtest/libqtest.h"
5f6fd09a AB	21
	22	/**
	23	* A libfuzzer fuzzing target
	24	*
	25	* The QEMU fuzzing binary is built with all available targets, each
	26	* with a unique @name that can be specified on the command-line to
	27	* select which target should run.
	28	*
	29	* A target must implement ->fuzz() to process a random input. If QEMU
	30	* crashes in ->fuzz() then libfuzzer will record a failure.
	31	*
	32	* Fuzzing targets are registered with fuzz_add_target():
	33	*
	34	* static const FuzzTarget fuzz_target = {
	35	* .name = "my-device-fifo",
	36	* .description = "Fuzz the FIFO buffer registers of my-device",
	37	* ...
	38	* };
	39	*
	40	* static void register_fuzz_target(void)
	41	* {
	42	* fuzz_add_target(&fuzz_target);
	43	* }
	44	* fuzz_target_init(register_fuzz_target);
	45	*/
	46	typedef struct FuzzTarget {
	47	const char name; / target identifier (passed to --fuzz-target=)*/
	48	const char description; / help text */
	49
	50
	51	/*
c2646d49	52	* Returns the arguments that are passed to qemu/system init(). Freed by
f5ec79f5	53	* the caller.
5f6fd09a	54	*/
f5ec79f5	55	GString (get_init_cmdline)(struct FuzzTarget *);
5f6fd09a AB	56
5f6fd09a AB	57	/*
c2646d49	58	* will run once, prior to running qemu/system init.
5f6fd09a AB	59	* eg: set up shared-memory for communication with the child-process
	60	* Can be NULL
	61	*/
	62	void(*pre_vm_init)(void);
	63
	64	/*
	65	* will run once, after QEMU has been initialized, prior to the fuzz-loop.
	66	* eg: detect the memory map
	67	* Can be NULL
	68	*/
	69	void(pre_fuzz)(QTestState );
	70
	71	/*
	72	* accepts and executes an input from libfuzzer. this is repeatedly
	73	* executed during the fuzzing loop. Its should handle setup, input
	74	* execution and cleanup.
	75	* Cannot be NULL
	76	*/
	77	void(fuzz)(QTestState , const unsigned char *, size_t);
	78
f81cb729 AB	79	/*
	80	* The fuzzer can specify a "Custom Crossover" function for combining two
	81	* inputs from the corpus. This function is sometimes called by libfuzzer
	82	* when mutating inputs.
	83	*
	84	* data1: location of first input
	85	* size1: length of first input
	86	* data1: location of second input
	87	* size1: length of second input
	88	* out: where to place the resulting, mutated input
	89	* max_out_size: the maximum length of the input that can be placed in out
	90	* seed: the seed that should be used to make mutations deterministic, when
	91	* needed
	92	*
	93	* See libfuzzer's LLVMFuzzerCustomCrossOver API for more info.
	94	*
	95	* Can be NULL
	96	*/
	97	size_t(crossover)(const uint8_t data1, size_t size1,
	98	const uint8_t *data2, size_t size2,
	99	uint8_t *out, size_t max_out_size,
	100	unsigned int seed);
	101
82849bcf	102	void *opaque;
5f6fd09a AB	103	} FuzzTarget;
	104
	105	void flush_events(QTestState *);
8d1e76b3	106	void fuzz_reset(QTestState *);
5f6fd09a	107
d92e1b6d AB	108	/* Use the QTest ASCII protocol or call address_space API directly?*/
	109	void fuzz_qtest_set_serialize(bool option);
	110
5f6fd09a AB	111	/*
	112	* makes a copy of *target and adds it to the target-list.
	113	* i.e. fine to set up target on the caller's stack
	114	*/
	115	void fuzz_add_target(const FuzzTarget *target);
	116
f81cb729 AB	117	size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1,
	118	const uint8_t *data2, size_t size2,
	119	uint8_t *out, size_t max_out_size,
	120	unsigned int seed);
5f6fd09a AB	121	int LLVMFuzzerTestOneInput(const unsigned char *Data, size_t Size);
	122	int LLVMFuzzerInitialize(int argc, char argv, char *envp);
	123
	124	#endif