This patch serves as an example of a file generated with the ./scripts/oss-fuzz/output_reproducer.py script: The source file in this patch was generated like this:
$ wget https://paste.debian.net/plain/1185141 -O /tmp/trace $ export QEMU_ARGS="-nographic -machine accel=qtest -m 512M \ -nodefaults -device sdhci-pci,sd-spec-version=3 -drive \ if=sd,index=0,file=null-co://,format=raw,id=mydrive \ -device sd-card,drive=mydrive -qtest stdio" $ export QEMU_PATH=./qemu-system-i386 $ ./scripts/oss-fuzz/output_reproducer.py -c \ -owner "Alexander Bulekov <alx...@bu.edu>" -name "fixed_crash" /tmp/trace | clang-format -style="{BasedOnStyle: llvm, IndentWidth: 4, \ ColumnLimit: 90, BreakBeforeBraces: Linux}" Since there is already an fuzz-sdhci.c (added in the previous commit), I passed -c to the script and manually copied the output function into fuzz-sdhci.c. Signed-off-by: Alexander Bulekov <alx...@bu.edu> --- tests/qtest/fuzz-sdhci.c | 332 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 332 insertions(+) diff --git a/tests/qtest/fuzz-sdhci.c b/tests/qtest/fuzz-sdhci.c index 0ce7378c69..b529c2bfe9 100644 --- a/tests/qtest/fuzz-sdhci.c +++ b/tests/qtest/fuzz-sdhci.c 
@@ -76,6 +76,337 @@ static void test_fuzz(void) qtest_bufwrite(s, 0xfbefff03, "\x01", 0x1); qtest_quit(s); } + +/* + * cat << EOF | ./qemu-system-i386 -nographic -machine accel=qtest -m 512M \ + * -nodefaults -device sdhci-pci,sd-spec-version=3 -drive \ + * if=sd,index=0,file=null-co://,format=raw,id=mydrive -device \ + * sd-card,drive=mydrive -qtest stdio + * outl 0xcf8 0x80001013 + * outl 0xcfc 0x91 + * outl 0xcf8 0x80001001 + * outl 0xcfc 0x06000000 + * write 0x9100002c 0x1 0x05 + * write 0x9100000f 0x1 0x37 + * write 0x9100000a 0x1 0x01 + * write 0x9100000f 0x1 0x29 + * write 0x9100000f 0x1 0x02 + * write 0x9100000f 0x1 0x03 + * write 0x0 0x1 0x01 + * write 0x8 0x1 0x01 + * write 0x10 0x1 0x01 + * write 0x18 0x1 0x01 + * write 0x20 0x1 0x01 + * write 0x28 0x1 0x01 + * write 0x30 0x1 0x01 + * write 0x38 0x1 0x01 + * write 0x40 0x1 0x01 + * write 0x48 0x1 0x01 + * write 0x50 0x1 0x01 + * write 0x58 0x1 0x01 + * write 0x60 0x1 0x01 + * write 0x68 0x1 0x01 + * write 0x70 0x1 0x01 + * write 0x91000005 0x1 0x02 + * write 0x91000007 0x1 0x20 + * write 0x78 0x1 0x01 + * write 0x80 0x1 0x01 + * write 0x88 0x1 0x01 + * write 0x90 0x1 0x01 + * write 0x98 0x1 0x01 + * write 0xa0 0x1 0x01 + * write 0xa8 0x1 0x01 + * write 0xb0 0x1 0x01 + * write 0xb8 0x1 0x01 + * write 0xc0 0x1 0x01 + * write 0x9100000e 0x1 0x21 + * write 0x91000028 0x1 0x10 + * write 0x9100000c 0x1 0x01 + * write 0x9100000f 0x1 0x06 + * write 0xc8 0x1 0x01 + * write 0xd0 0x1 0x01 + * write 0xd8 0x1 0x01 + * write 0xe0 0x1 0x01 + * write 0xe8 0x1 0x01 + * write 0xf0 0x1 0x01 + * write 0xf8 0x1 0x01 + * write 0x100 0x1 0x01 + * write 0x108 0x1 0x01 + * write 0x110 0x1 0x01 + * write 0x118 0x1 0x01 + * write 0x120 0x1 0x01 + * write 0x128 0x1 0x01 + * write 0x130 0x1 0x01 + * write 0x138 0x1 0x01 + * write 0x140 0x1 0x01 + * write 0x148 0x1 0x01 + * write 0x150 0x1 0x01 + * write 0x158 0x1 0x01 + * write 0x160 0x1 0x01 + * write 0x168 0x1 0x01 + * write 0x170 0x1 0x01 + * write 0x178 0x1 0x01 + * write 0x180 
0x1 0x01 + * write 0x188 0x1 0x01 + * write 0x190 0x1 0x01 + * write 0x198 0x1 0x01 + * write 0x1a0 0x1 0x01 + * write 0x1a8 0x1 0x01 + * write 0x1b0 0x1 0x01 + * write 0x91000037 0x1 0x00 + * write 0x91000038 0x1 0x00 + * write 0x1b8 0x1 0x01 + * write 0x1c0 0x1 0x01 + * write 0x1c8 0x1 0x01 + * write 0x1d0 0x1 0x01 + * write 0x1d8 0x1 0x01 + * write 0x1e0 0x1 0x01 + * write 0x1e8 0x1 0x01 + * write 0x1f0 0x1 0x01 + * write 0x1f8 0x1 0x01 + * write 0x200 0x1 0x01 + * write 0x208 0x1 0x01 + * write 0x210 0x1 0x01 + * write 0x218 0x1 0x01 + * write 0x220 0x1 0x01 + * write 0x228 0x1 0x01 + * write 0x9100000d 0x1 0x00 + * write 0x9100000f 0x1 0x10 + * write 0x91000011 0x1 0x00 + * write 0x230 0x1 0x01 + * write 0x238 0x1 0x01 + * write 0x240 0x1 0x01 + * write 0x248 0x1 0x01 + * write 0x250 0x1 0x01 + * write 0x258 0x1 0x01 + * write 0x260 0x1 0x01 + * write 0x268 0x1 0x01 + * write 0x270 0x1 0x01 + * write 0x278 0x1 0x01 + * write 0x280 0x1 0x01 + * write 0x288 0x1 0x01 + * write 0x290 0x1 0x01 + * write 0x298 0x1 0x01 + * write 0x2a0 0x1 0x01 + * write 0x9100000a 0x2 0x0000 + * write 0x9100000c 0x6 0x010000 + * write 0x2a8 0x1 0x01 + * write 0x2b0 0x1 0x01 + * write 0x2b8 0x1 0x01 + * write 0x2c0 0x1 0x01 + * write 0x2c8 0x1 0x01 + * write 0x2d0 0x1 0x01 + * write 0x2d8 0x1 0x01 + * write 0x2e0 0x1 0x01 + * write 0x2e8 0x1 0x01 + * write 0x2f0 0x1 0x01 + * write 0x2f8 0x1 0x01 + * write 0x300 0x1 0x01 + * write 0x308 0x1 0x01 + * write 0x310 0x1 0x01 + * write 0x318 0x1 0x01 + * write 0x320 0x1 0x01 + * write 0x328 0x1 0x01 + * write 0x330 0x1 0x01 + * write 0x338 0x1 0x01 + * write 0x340 0x1 0x01 + * write 0x348 0x1 0x01 + * write 0x350 0x1 0x01 + * write 0x358 0x1 0x01 + * write 0x360 0x1 0x01 + * write 0x368 0x1 0x01 + * write 0x370 0x1 0x01 + * write 0x378 0x1 0x01 + * write 0x380 0x1 0x01 + * write 0x388 0x1 0x01 + * write 0x390 0x1 0x01 + * write 0x9100000f 0x1 0x00 + * write 0x91000011 0x1 0x00 + * write 0x398 0x1 0x01 + * write 0x3a0 0x1 0x01 + * write 
0x3a8 0x1 0x01 + * write 0x3b0 0x1 0x01 + * write 0x3b8 0x1 0x21 + * write 0x3bb 0x1 0x01 + * write 0x3c0 0x1 0x21 + * write 0x9100000a 0x2 0x0000 + * write 0x9100000c 0x6 0x010000 + * write 0x9100000a 0x2 0x00 + * write 0x9100000c 0x6 0x01 + * write 0x9100000a 0x2 0x0000 + * write 0x9100000c 0x6 0x010000 + * write 0x9100000a 0x2 0x00 + * write 0x9100000c 0x6 0x010000 + * write 0x91000005 0x1 0x00 + * write 0x9100000c 0x1 0x00 + * EOF + */ +static void fixed_crash(void) +{ + QTestState *s = + qtest_init("-nographic -m 512M -nodefaults -device sdhci-pci,sd-spec-version=3 " + "-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive -device " + "sd-card,drive=mydrive "); + qtest_outl(s, 0xcf8, 0x80001013); + qtest_outl(s, 0xcfc, 0x91); + qtest_outl(s, 0xcf8, 0x80001001); + qtest_outl(s, 0xcfc, 0x06000000); + qtest_bufwrite(s, 0x9100002c, "\x05", 0x1); + qtest_bufwrite(s, 0x9100000f, "\x37", 0x1); + qtest_bufwrite(s, 0x9100000a, "\x01", 0x1); + qtest_bufwrite(s, 0x9100000f, "\x29", 0x1); + qtest_bufwrite(s, 0x9100000f, "\x02", 0x1); + qtest_bufwrite(s, 0x9100000f, "\x03", 0x1); + qtest_bufwrite(s, 0x0, "\x01", 0x1); + qtest_bufwrite(s, 0x8, "\x01", 0x1); + qtest_bufwrite(s, 0x10, "\x01", 0x1); + qtest_bufwrite(s, 0x18, "\x01", 0x1); + qtest_bufwrite(s, 0x20, "\x01", 0x1); + qtest_bufwrite(s, 0x28, "\x01", 0x1); + qtest_bufwrite(s, 0x30, "\x01", 0x1); + qtest_bufwrite(s, 0x38, "\x01", 0x1); + qtest_bufwrite(s, 0x40, "\x01", 0x1); + qtest_bufwrite(s, 0x48, "\x01", 0x1); + qtest_bufwrite(s, 0x50, "\x01", 0x1); + qtest_bufwrite(s, 0x58, "\x01", 0x1); + qtest_bufwrite(s, 0x60, "\x01", 0x1); + qtest_bufwrite(s, 0x68, "\x01", 0x1); + qtest_bufwrite(s, 0x70, "\x01", 0x1); + qtest_bufwrite(s, 0x91000005, "\x02", 0x1); + qtest_bufwrite(s, 0x91000007, "\x20", 0x1); + qtest_bufwrite(s, 0x78, "\x01", 0x1); + qtest_bufwrite(s, 0x80, "\x01", 0x1); + qtest_bufwrite(s, 0x88, "\x01", 0x1); + qtest_bufwrite(s, 0x90, "\x01", 0x1); + qtest_bufwrite(s, 0x98, "\x01", 0x1); + 
qtest_bufwrite(s, 0xa0, "\x01", 0x1); + qtest_bufwrite(s, 0xa8, "\x01", 0x1); + qtest_bufwrite(s, 0xb0, "\x01", 0x1); + qtest_bufwrite(s, 0xb8, "\x01", 0x1); + qtest_bufwrite(s, 0xc0, "\x01", 0x1); + qtest_bufwrite(s, 0x9100000e, "\x21", 0x1); + qtest_bufwrite(s, 0x91000028, "\x10", 0x1); + qtest_bufwrite(s, 0x9100000c, "\x01", 0x1); + qtest_bufwrite(s, 0x9100000f, "\x06", 0x1); + qtest_bufwrite(s, 0xc8, "\x01", 0x1); + qtest_bufwrite(s, 0xd0, "\x01", 0x1); + qtest_bufwrite(s, 0xd8, "\x01", 0x1); + qtest_bufwrite(s, 0xe0, "\x01", 0x1); + qtest_bufwrite(s, 0xe8, "\x01", 0x1); + qtest_bufwrite(s, 0xf0, "\x01", 0x1); + qtest_bufwrite(s, 0xf8, "\x01", 0x1); + qtest_bufwrite(s, 0x100, "\x01", 0x1); + qtest_bufwrite(s, 0x108, "\x01", 0x1); + qtest_bufwrite(s, 0x110, "\x01", 0x1); + qtest_bufwrite(s, 0x118, "\x01", 0x1); + qtest_bufwrite(s, 0x120, "\x01", 0x1); + qtest_bufwrite(s, 0x128, "\x01", 0x1); + qtest_bufwrite(s, 0x130, "\x01", 0x1); + qtest_bufwrite(s, 0x138, "\x01", 0x1); + qtest_bufwrite(s, 0x140, "\x01", 0x1); + qtest_bufwrite(s, 0x148, "\x01", 0x1); + qtest_bufwrite(s, 0x150, "\x01", 0x1); + qtest_bufwrite(s, 0x158, "\x01", 0x1); + qtest_bufwrite(s, 0x160, "\x01", 0x1); + qtest_bufwrite(s, 0x168, "\x01", 0x1); + qtest_bufwrite(s, 0x170, "\x01", 0x1); + qtest_bufwrite(s, 0x178, "\x01", 0x1); + qtest_bufwrite(s, 0x180, "\x01", 0x1); + qtest_bufwrite(s, 0x188, "\x01", 0x1); + qtest_bufwrite(s, 0x190, "\x01", 0x1); + qtest_bufwrite(s, 0x198, "\x01", 0x1); + qtest_bufwrite(s, 0x1a0, "\x01", 0x1); + qtest_bufwrite(s, 0x1a8, "\x01", 0x1); + qtest_bufwrite(s, 0x1b0, "\x01", 0x1); + qtest_bufwrite(s, 0x91000037, "\x00", 0x1); + qtest_bufwrite(s, 0x91000038, "\x00", 0x1); + qtest_bufwrite(s, 0x1b8, "\x01", 0x1); + qtest_bufwrite(s, 0x1c0, "\x01", 0x1); + qtest_bufwrite(s, 0x1c8, "\x01", 0x1); + qtest_bufwrite(s, 0x1d0, "\x01", 0x1); + qtest_bufwrite(s, 0x1d8, "\x01", 0x1); + qtest_bufwrite(s, 0x1e0, "\x01", 0x1); + qtest_bufwrite(s, 0x1e8, "\x01", 0x1); + 
qtest_bufwrite(s, 0x1f0, "\x01", 0x1); + qtest_bufwrite(s, 0x1f8, "\x01", 0x1); + qtest_bufwrite(s, 0x200, "\x01", 0x1); + qtest_bufwrite(s, 0x208, "\x01", 0x1); + qtest_bufwrite(s, 0x210, "\x01", 0x1); + qtest_bufwrite(s, 0x218, "\x01", 0x1); + qtest_bufwrite(s, 0x220, "\x01", 0x1); + qtest_bufwrite(s, 0x228, "\x01", 0x1); + qtest_bufwrite(s, 0x9100000d, "\x00", 0x1); + qtest_bufwrite(s, 0x9100000f, "\x10", 0x1); + qtest_bufwrite(s, 0x91000011, "\x00", 0x1); + qtest_bufwrite(s, 0x230, "\x01", 0x1); + qtest_bufwrite(s, 0x238, "\x01", 0x1); + qtest_bufwrite(s, 0x240, "\x01", 0x1); + qtest_bufwrite(s, 0x248, "\x01", 0x1); + qtest_bufwrite(s, 0x250, "\x01", 0x1); + qtest_bufwrite(s, 0x258, "\x01", 0x1); + qtest_bufwrite(s, 0x260, "\x01", 0x1); + qtest_bufwrite(s, 0x268, "\x01", 0x1); + qtest_bufwrite(s, 0x270, "\x01", 0x1); + qtest_bufwrite(s, 0x278, "\x01", 0x1); + qtest_bufwrite(s, 0x280, "\x01", 0x1); + qtest_bufwrite(s, 0x288, "\x01", 0x1); + qtest_bufwrite(s, 0x290, "\x01", 0x1); + qtest_bufwrite(s, 0x298, "\x01", 0x1); + qtest_bufwrite(s, 0x2a0, "\x01", 0x1); + qtest_bufwrite(s, 0x9100000a, "\x00\x00", 0x2); + qtest_bufwrite(s, 0x9100000c, "\x01\x00\x00", 0x6); + qtest_bufwrite(s, 0x2a8, "\x01", 0x1); + qtest_bufwrite(s, 0x2b0, "\x01", 0x1); + qtest_bufwrite(s, 0x2b8, "\x01", 0x1); + qtest_bufwrite(s, 0x2c0, "\x01", 0x1); + qtest_bufwrite(s, 0x2c8, "\x01", 0x1); + qtest_bufwrite(s, 0x2d0, "\x01", 0x1); + qtest_bufwrite(s, 0x2d8, "\x01", 0x1); + qtest_bufwrite(s, 0x2e0, "\x01", 0x1); + qtest_bufwrite(s, 0x2e8, "\x01", 0x1); + qtest_bufwrite(s, 0x2f0, "\x01", 0x1); + qtest_bufwrite(s, 0x2f8, "\x01", 0x1); + qtest_bufwrite(s, 0x300, "\x01", 0x1); + qtest_bufwrite(s, 0x308, "\x01", 0x1); + qtest_bufwrite(s, 0x310, "\x01", 0x1); + qtest_bufwrite(s, 0x318, "\x01", 0x1); + qtest_bufwrite(s, 0x320, "\x01", 0x1); + qtest_bufwrite(s, 0x328, "\x01", 0x1); + qtest_bufwrite(s, 0x330, "\x01", 0x1); + qtest_bufwrite(s, 0x338, "\x01", 0x1); + qtest_bufwrite(s, 0x340, "\x01", 
0x1); + qtest_bufwrite(s, 0x348, "\x01", 0x1); + qtest_bufwrite(s, 0x350, "\x01", 0x1); + qtest_bufwrite(s, 0x358, "\x01", 0x1); + qtest_bufwrite(s, 0x360, "\x01", 0x1); + qtest_bufwrite(s, 0x368, "\x01", 0x1); + qtest_bufwrite(s, 0x370, "\x01", 0x1); + qtest_bufwrite(s, 0x378, "\x01", 0x1); + qtest_bufwrite(s, 0x380, "\x01", 0x1); + qtest_bufwrite(s, 0x388, "\x01", 0x1); + qtest_bufwrite(s, 0x390, "\x01", 0x1); + qtest_bufwrite(s, 0x9100000f, "\x00", 0x1); + qtest_bufwrite(s, 0x91000011, "\x00", 0x1); + qtest_bufwrite(s, 0x398, "\x01", 0x1); + qtest_bufwrite(s, 0x3a0, "\x01", 0x1); + qtest_bufwrite(s, 0x3a8, "\x01", 0x1); + qtest_bufwrite(s, 0x3b0, "\x01", 0x1); + qtest_bufwrite(s, 0x3b8, "\x21", 0x1); + qtest_bufwrite(s, 0x3bb, "\x01", 0x1); + qtest_bufwrite(s, 0x3c0, "\x21", 0x1); + qtest_bufwrite(s, 0x9100000a, "\x00\x00", 0x2); + qtest_bufwrite(s, 0x9100000c, "\x01\x00\x00", 0x6); + qtest_bufwrite(s, 0x9100000a, "\x00", 0x2); + qtest_bufwrite(s, 0x9100000c, "\x01", 0x6); + qtest_bufwrite(s, 0x9100000a, "\x00\x00", 0x2); + qtest_bufwrite(s, 0x9100000c, "\x01\x00\x00", 0x6); + qtest_bufwrite(s, 0x9100000a, "\x00", 0x2); + qtest_bufwrite(s, 0x9100000c, "\x01\x00\x00", 0x6); + qtest_bufwrite(s, 0x91000005, "\x00", 0x1); + qtest_bufwrite(s, 0x9100000c, "\x00", 0x1); + qtest_quit(s); +} + int main(int argc, char **argv) { const char *arch = qtest_get_arch(); @@ -84,6 +415,7 @@ int main(int argc, char **argv) if (strcmp(arch, "i386") == 0) { qtest_add_func("fuzz/test_fuzz", test_fuzz); + qtest_add_func("fuzz/fixed_crash", fixed_crash); } return g_test_run(); -- 2.28.0
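Review bot: Several of the generated qtest_bufwrite() calls near the end of fixed_crash pass a size larger than the string literal they point at: `qtest_bufwrite(s, 0x9100000c, "\x01\x00\x00", 0x6);` hands a 4-byte literal (three bytes plus the terminating NUL) to a 6-byte write, and `qtest_bufwrite(s, 0x9100000c, "\x01", 0x6);` hands 2 bytes to a 6-byte write, so the helper reads past the end of the literal — undefined behaviour in the test itself, and the kind of thing ASan would flag on the test binary rather than on QEMU. The qtest text protocol appears to zero-pad a short `write` payload, which is presumably why the raw trace replays fine, but output_reproducer.py carried the short hex over verbatim; the literals should be padded to the stated size, `"\x01\x00\x00\x00\x00\x00"` for both forms (the `"\x00", 0x2` calls only fit because the NUL terminator happens to supply the second byte), and the script should be fixed to do that padding itself. Separately, the only comment on the function is the raw replay recipe; a one-line header such as `/* Regression test: replays a fuzzer trace that crashed sdhci-pci (trace: https://paste.debian.net/plain/1185141) */` would tell a reader what the several hundred writes are for.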
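Review bot: The registered name "fuzz/fixed_crash" does not say which bug the replay guards against, so when this test fails again nothing points the reader at the original report; the commit message presents the function as an example of output_reproducer.py's `-name` output, but a real regression test should carry an identifying name, e.g. `qtest_add_func("fuzz/sdhci_trace_1185141", sdhci_trace_1185141);` with the function renamed to match. The closing brace of main is not visible in this hunk as rendered.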