On 210216 0855, Bin Meng wrote:
> Hi Alex,
>
> On Tue, Feb 16, 2021 at 12:48 AM Alexander Bulekov <alx...@bu.edu> wrote:
> >
> > Hi Bin,
> > Thank you for this. I ran through the OSS-Fuzz tests again, and it found
> > one thing:
>
> Thanks for testing. Are there instructions to run OSS-Fuzz tests myself?

Yes, we have some documentation in docs/devel/fuzzing.rst, but it doesn't
talk about using the OSS-Fuzz corpus. The OSS-Fuzz corpus is private, by
default, but I uploaded a copy of the current sdhci corpus here:
https://drive.google.com/file/d/1PcwFbY9YXPdaJ3aapIV2BI-bN5mbBgif/view?usp=sharing

To build the fuzzer, you need clang:

build the fuzzers
$ CC=clang CXX=clang++ ../configure --enable-fuzzing --enable-sanitizers \
    --disable-werror
$ ninja -j`nproc` qemu-fuzz-i386

untar the corpus somewhere (~300 MB uncompressed)
$ tar -xvf sdhci-corpus.tar.gz

run through all the inputs once
$ ./qemu-fuzz-i386 --fuzz-target=generic-fuzz-sdhci-v3 \
    ~/path/to/corpus/qemu_qemu-fuzz-i386-target-generic-fuzz-sdhci-v3/* &> out

That will take some minutes, but you can look at the out file and search
for "ERROR" to find crashing inputs.
-Alex

> > Maybe this is already much better than the current state of the code, so
> > this one can be fixed in a later patch?
>
> Depends on when Philippe can pick up this series, but I can also try to
> have a quick look :)
>
> >
> > cat << EOF | ./qemu-system-i386 -display none -machine accel=qtest \
> > -m 512M -nodefaults -device sdhci-pci,sd-spec-version=3 \
> > -device sd-card,drive=mydrive \
> > -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
> > -nographic -qtest stdio
> > outl 0xcf8 0x80001010
> > outl 0xcfc 0xe0000000
> > outl 0xcf8 0x80001001
> > outl 0xcfc 0x06000000
> > write 0xe000002c 0x1 0x05
> > write 0xe0000005 0x1 0x02
> > write 0xe0000007 0x1 0x01
> > write 0xe0000028 0x1 0x10
> > write 0x0 0x1 0x23
> > write 0x2 0x1 0x08
> > write 0xe000000c 0x1 0x01
> > write 0xe000000e 0x1 0x20
> > write 0xe000000f 0x1 0x00
> > write 0xe000000c 0x1 0x32
> > write 0xe0000004 0x2 0x0200
> > write 0xe0000028 0x1 0x00
> > write 0xe0000003 0x1 0x40
> > EOF
> >
> >
> > ==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address
> > 0x615000031880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
> > READ of size 4 at 0x615000031880 thread T0
> >     #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
> >     #1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
> >     #2 0x55d070f2c6d8 in flatview_write_continue build/../softmmu/physmem.c:2775:19
> >     #3 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> >     #4 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
> >     #5 0x55d07040de4a in dma_memory_rw_relaxed include/sysemu/dma.h:88:12
> >     #6 0x55d07040de4a in dma_memory_rw include/sysemu/dma.h:127:12
> >     #7 0x55d07040de4a in dma_memory_write include/sysemu/dma.h:163:12
> >     #8 0x55d07040de4a in sdhci_sdma_transfer_multi_blocks build/../hw/sd/sdhci.c:619:13
> >     #9 0x55d07041d15b in sdhci_write build/../hw/sd/sdhci.c:1134:21
> >     #10 0x55d07123b1ac in memory_region_write_accessor build/../softmmu/memory.c:491:5
> >     #11 0x55d07123acab in access_with_adjusted_size build/../softmmu/memory.c:552:18
> >     #12 0x55d07123a4b0 in memory_region_dispatch_write build/../softmmu/memory.c
> >     #13 0x55d070f2c29b in flatview_write_continue build/../softmmu/physmem.c:2776:23
> >     #14 0x55d070f219eb in flatview_write build/../softmmu/physmem.c:2816:14
> >     #15 0x55d070f219eb in address_space_write build/../softmmu/physmem.c:2908:18
>
> Regards,
> Bin
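As an added example that is not part of the thread above and not QEMU's own tooling, the following POSIX shell helper automates the "search the out file for ERROR" step Alex describes: it reads the file produced by replaying the corpus through qemu-fuzz-i386 and pairs each sanitizer report with the corpus input that was being executed, plus the top stack frame. It assumes libFuzzer's replay progress lines ("Running: <path>" before each input, "Executed <path> in N ms" after it), which the thread itself does not show; the sample out file it writes is constructed for the demo and reuses the report text quoted above.

```shell
#!/bin/sh
# Added example, not code from the QEMU thread.
# Triage helper for the "out" file written by replaying a corpus through
# qemu-fuzz-i386: map every sanitizer ERROR to the input being replayed.
#
# Assumption (not shown in the thread): libFuzzer prints "Running: <path>"
# before each replayed input and "Executed <path> in N ms" afterwards, and a
# sanitizer report begins with a line containing "==<pid>==ERROR: ...".

# crashing_inputs OUTFILE
# Prints one line per sanitizer report: "<input path><TAB><error summary>".
crashing_inputs() {
    awk '
        # Remember which corpus input is currently being replayed.
        /^Running: / { current = $2; next }
        # A sanitizer report: attribute it to that input.
        /==[0-9]+==ERROR: / {
            sub(/.*==ERROR: /, "")          # keep only the report summary
            print (current == "" ? "<unknown>" : current) "\t" $0
        }
    ' "$1"
}

# count_crashes OUTFILE
# Prints the number of sanitizer reports found in the file.
count_crashes() {
    crashing_inputs "$1" | wc -l | tr -d ' '
}

# top_frame OUTFILE
# Prints the first "#0 ..." frame after the first ERROR line, i.e. the
# function in which the sanitizer fired.
top_frame() {
    awk '
        /==[0-9]+==ERROR: / { in_report = 1; next }
        in_report && /^[ \t]*#0 / { sub(/^[ \t]*/, ""); print; exit }
    ' "$1"
}

# write_sample_out FILE
# Writes a constructed out file (one clean input, one crashing input).
write_sample_out() {
    cat > "$1" <<'EOF'
INFO: Running with entropic power schedule (0xFF, 100).
Running: corpus/input-0001
Executed corpus/input-0001 in 12 ms
Running: corpus/crash-0002
==1730971==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x615000031880 at pc 0x55d070f2c6d9 bp 0x7ffdcb63f130 sp 0x7ffdcb63f128
READ of size 4 at 0x615000031880 thread T0
    #0 0x55d070f2c6d8 in ldl_he_p bswap.h:347:5
    #1 0x55d070f2c6d8 in ldn_he_p bswap.h:546:1
    #2 0x55d070f2c6d8 in flatview_write_continue build/../softmmu/physmem.c:2775:19
EOF
}

# Stand-alone demo on the constructed sample.
sample=$(mktemp)
write_sample_out "$sample"
echo "crashes: $(count_crashes "$sample")"
crashing_inputs "$sample"
echo "top frame: $(top_frame "$sample")"
rm -f "$sample"
```

On a real run, point the functions at the out file from Alex's command (`crashing_inputs out`); the input path printed in the first column is the file to pass back to qemu-fuzz-i386 on its own, or to convert into a qtest reproducer like the one quoted in the thread.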