On 10/01/19 17:07, Max Moroz via Qemu-devel wrote:
> +Oliver and Jonathan
> 
> I'm a little confused. Do you want to fuzz QEMU or to fuzz something else
> using QEMU? In case of the latter, there was some discussion on OSS-Fuzz
> and (I think) even build support was (sort of) added:
> https://github.com/google/oss-fuzz/issues/1754

We want to fuzz QEMU.

The input is a sequence of operations on a PCI device or on guest
memory, and you try and crash QEMU by passing it crazy operations.

The qtest mode that Stefan mentioned provides something like a "JTAG
over ASCII" where a testcase can inject elementary I/O operations into
QEMU.  However, that is certainly too much for AFL to fuzz effectively;
it would have to "learn" the qtest protocol, how to drive the PCI host
bridge, how to set up a PCI device, and only then it would be able to
find bugs.  So one idea would be to build another layer on top of qtest,
that accepts higher-level operations and builds the qtest ASCII input
from those.

However, compared to LLVM/Clang that were the motivation for
libprotobuf-mutator, in our case the underlying operands to the
operations are still binary.  So it may also be possible to use the
usual AFL binary mutator, and encode the operations in a way that has
very high entropy.  This way AFL can just throw crap at the qtest input
generator, and the resulting input qtest will always represent some kind
of interaction with a PCI device.

Thanks,

Paolo

> In any case, it would probably be "integrate QEMU into OSS-Fuzz" and not
> vice versa, since OSS-Fuzz is an infrastructure and you can't integrate it
> into QEMU.
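One shape the "layer on top of qtest" described above could take, as an added example in C (not code from the thread or from QEMU): every byte string the fuzzer produces is decoded into fixed-size records that always map to a valid access inside BAR0, and the result is printed as qtest ASCII. It assumes a hypothetical device at PCI slot 00:04.0 with BAR0 programmed to 0xe0000000, and uses the qtest commands outl/readl/writel/readb/writeb as I know them from QEMU's qtest protocol.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for the device under test (hypothetical): PCI slot 00:04.0,
 * BAR0 programmed to this guest-physical address.  Added example, not QEMU code. */
#define PCI_DEV   4u
#define BAR0_BASE 0xe0000000u
#define BAR0_SIZE 0x1000u
#define OP_LEN    7u   /* 1 opcode byte + 2 offset bytes + 4 value bytes */

/* Drive the PCI host bridge through the 0xcf8/0xcfc config mechanism:
 * program BAR0 and enable memory decoding.  Returns bytes written to out. */
int pci_preamble(char *out, size_t outlen)
{
    uint32_t addr = 0x80000000u | (PCI_DEV << 11);   /* bus 0, function 0 */
    return snprintf(out, outlen,
                    "outl 0xcf8 0x%x\noutl 0xcfc 0x%x\n"   /* BAR0 */
                    "outl 0xcf8 0x%x\noutl 0xcfc 0x%x\n",  /* COMMAND: memory enable */
                    addr | 0x10, BAR0_BASE, addr | 0x04, 0x2u);
}

/* Decode one fixed-size record into a qtest line.  Every possible record
 * decodes to an in-range access, so AFL can never hit a "syntax error". */
int decode_op(const uint8_t rec[OP_LEN], char *out, size_t outlen)
{
    static const char *name[4] = { "readl", "writel", "readb", "writeb" };
    unsigned op = rec[0] & 3;
    uint32_t off = (rec[1] | (rec[2] << 8)) & (BAR0_SIZE - 1);
    uint32_t val = rec[3] | (rec[4] << 8) | (rec[5] << 16) | ((uint32_t)rec[6] << 24);
    if (op < 2) off &= ~3u;          /* dword accesses stay aligned */
    else        val &= 0xff;         /* byte accesses carry one byte */
    if (op & 1)
        return snprintf(out, outlen, "%s 0x%x 0x%x\n", name[op], BAR0_BASE + off, val);
    return snprintf(out, outlen, "%s 0x%x\n", name[op], BAR0_BASE + off);
}

/* Turn an arbitrary fuzz buffer into a qtest script; a short tail is
 * zero-padded so no input is rejected.  Returns the number of ops emitted. */
size_t fuzz_to_qtest(const uint8_t *in, size_t len, char *out, size_t outlen)
{
    size_t used = pci_preamble(out, outlen), nops = 0;
    for (size_t i = 0; i < len && used < outlen; i += OP_LEN, nops++) {
        uint8_t rec[OP_LEN] = { 0 };
        memcpy(rec, in + i, len - i < OP_LEN ? len - i : OP_LEN);
        used += decode_op(rec, out + used, outlen - used);
    }
    return nops;
}
```

The generated text is what would be fed to a QEMU started with -qtest, so the fuzzer only ever mutates the compact binary records, never the protocol itself.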

