On 8/11/20 4:59 PM, Alexander Bulekov wrote:
> Hi Paolo,
> I looked through the code changes related to fuzzing and tested the
> following builds:
> - qemu-fuzz-i386
> - qemu-fuzz-arm
> - qemu-system-i386 (with --enable-fuzzing)
> - configure --enable-fuzzing with GCC (should fail)
> - ./scripts/oss-fuzz/build.sh (in my local environment)
> - ./scripts/oss-fuzz/build.sh (in the oss-fuzz Docker)
>
> I examined the symbols to ensure that the fuzzer linker-script is doing what it
> needs to be doing. The sizes of the binaries have roughly stayed the same, and
> there are no major differences between the symbols.
>
> Only the oss-fuzz Docker build failed with a complaint about the linker-script,
> but it fails for the current master, too! I think the problem might be related
> to the fact that the docker uses a bleeding edge clang-12 compiler. I'll have
> to look into it more.
>
> I ran the existing fuzzers for a couple thousand runs. It looks like there is
> some problem with the virtio-scsi arguments, but it's not specific to fuzzing.
> It will probably be caught once this runs through CI:
>
> ./qemu-system-i386 -display none -machine accel=qtest -m 64 -M pc \
>     -drive id=drv0,if=none,file=null-co://,file.read-zeroes=on,format=raw \
>     -device virtio-scsi-pci,id=vs0,addr=04.0 \
>     -device scsi-hd,bus=vs0.0,drive=drv0 \
>     -drive file=blkdebug::null-co://,file.image.read-zeroes=on,if=none,id=dr1,format=raw,file.align=4k \
>     -device scsi-hd,drive=dr1,lun=0,scsi-id=1 -qtest /dev/null -qtest-log /dev/null
>
> Immediately crashes with:
>
> ../block.c:442:10: runtime error: index 0 out of bounds for type 'const char *[0]'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block.c:442:10 in
> ../block.c:442:10: runtime error: load of address 0x5581a17161e0 with insufficient space for an object of type 'const char *'
> 0x5581a17161e0: note: pointer points here
>  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ^
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block.c:442:10 in
> =================================================================
> ==26813==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5581a17161e0 at pc 0x55819e05f1bd bp 0x7ffed60bdcc0 sp 0x7ffed60bdcb8
> READ of size 8 at 0x5581a17161e0 thread T0
>     #0 0x55819e05f1bc in bdrv_format_is_whitelisted /tmp/qemu/build/../block.c:442:10
>     #1 0x55819e05f1bc in bdrv_is_whitelisted /tmp/qemu/build/../block.c:463:12
>     #2 0x55819e075e5f in bdrv_open_common /tmp/qemu/build/../block.c:1680:32
>     #3 0x55819e075e5f in bdrv_open_inherit /tmp/qemu/build/../block.c:3420:11
>     #4 0x55819e07d1db in bdrv_open_child_bs /tmp/qemu/build/../block.c:3053:10
>     #5 0x55819e074b61 in bdrv_open_inherit /tmp/qemu/build/../block.c:3367:19
>     #6 0x55819e07dac4 in bdrv_open /tmp/qemu/build/../block.c:3513:12
>     #7 0x55819e2d78c5 in blk_new_open /tmp/qemu/build/../block/block-backend.c:421:10
>     #8 0x55819d4242ee in blockdev_init /tmp/qemu/build/../blockdev.c:617:15
>     #9 0x55819d4242ee in drive_new /tmp/qemu/build/../blockdev.c:1005:11
>     #10 0x55819da17085 in drive_init_func /tmp/qemu/build/../softmmu/vl.c:1000:12
>     #11 0x55819e61bd4c in qemu_opts_foreach /tmp/qemu/build/../util/qemu-option.c:1172:14
>     #12 0x55819da0aab2 in configure_blockdev /tmp/qemu/build/../softmmu/vl.c:1067:9
>     #13 0x55819da0aab2 in qemu_init /tmp/qemu/build/../softmmu/vl.c:4145:5
>     #14 0x55819c72a5b8 in main /tmp/qemu/build/../softmmu/main.c:48:5
>     #15 0x7faba3b86e0a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26e0a)
>     #16 0x55819c680659 in _start (/tmp/qemu/build/qemu-system-i386+0x254d659)
>
> 0x5581a17161e0 is located 32 bytes to the left of global variable 'whitelist_ro' defined in '../block.c:437:24' (0x5581a1716200) of size 0
>   'whitelist_ro' is ascii string ''
> 0x5581a17161e0 is located 0 bytes to the right of global variable 'whitelist_rw' defined in '../block.c:434:24' (0x5581a17161e0) of size 0
>   'whitelist_rw' is ascii string ''
> SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/qemu/build/../block.c:442:10 in bdrv_format_is_whitelisted
>
> This doesn't happen on master.
The problem is in "[PATCH 139/147] meson: replace create-config with meson configure_file".
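The sanitizer report above says what went wrong without showing the code: both whitelist_rw and whitelist_ro ended up as globals of size 0, so the very first read at block.c:442 (index 0) lands past the end of whitelist_rw and into the padding before whitelist_ro. A table that relies on a trailing NULL sentinel has no defence once code generation drops that sentinel. The following is an added example, not QEMU's code and not the contents of block.c (the page references it only by line number); it assumes the lookup walks a NULL-terminated array of format names, and the table contents are constructed. It shows the two guards a practitioner would want: a compile-time check that each generated table keeps at least its sentinel, and a lookup bounded by the array's element count so that a zero-length table is treated as empty instead of read out of bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample contents (assumption). In QEMU these would come from the
 * generated CONFIG_BDRV_RW_WHITELIST / CONFIG_BDRV_RO_WHITELIST macros; the
 * report above does not show the real tables, only that they had size 0. */
static const char *const whitelist_rw[] = { "raw", "qcow2", NULL };
static const char *const whitelist_ro[] = { "vmdk", NULL };

/* A size-0 table means not even the NULL sentinel survived code generation,
 * so table[0] is already out of bounds. Fail the build rather than find out
 * from ASan at runtime. */
_Static_assert(ARRAY_SIZE(whitelist_rw) >= 1, "whitelist_rw lost its NULL terminator");
_Static_assert(ARRAY_SIZE(whitelist_ro) >= 1, "whitelist_ro lost its NULL terminator");

/* Walk at most n entries and stop early at the sentinel. Because the bound is
 * the element count and not the sentinel alone, a table passed with n == 0 is
 * never dereferenced. */
static bool list_contains(const char *const *list, size_t n, const char *name)
{
    for (size_t i = 0; i < n && list[i] != NULL; i++) {
        if (strcmp(list[i], name) == 0) {
            return true;
        }
    }
    return false;
}

/* True when the table holds no format names (only the sentinel, or nothing). */
static bool list_is_empty(const char *const *list, size_t n)
{
    return n == 0 || list[0] == NULL;
}

bool format_is_whitelisted(const char *format_name, bool read_only)
{
    size_t n_rw = ARRAY_SIZE(whitelist_rw);
    size_t n_ro = ARRAY_SIZE(whitelist_ro);

    /* No whitelist configured at all: every format is allowed. */
    if (list_is_empty(whitelist_rw, n_rw) && list_is_empty(whitelist_ro, n_ro)) {
        return true;
    }
    if (list_contains(whitelist_rw, n_rw, format_name)) {
        return true;
    }
    /* Read-only entries only count when the image is opened read-only. */
    return read_only && list_contains(whitelist_ro, n_ro, format_name);
}

/* Models a table that came out of code generation with zero elements: the
 * bounded lookup answers "not found" without ever touching list[0]. */
bool lookup_in_zero_length_table(const char *name)
{
    return list_contains(whitelist_rw, 0, name);
}

int main(void)
{
    printf("raw, rw:   %d\n", format_is_whitelisted("raw", false));
    printf("vmdk, rw:  %d\n", format_is_whitelisted("vmdk", false));
    printf("vmdk, ro:  %d\n", format_is_whitelisted("vmdk", true));
    printf("qed, ro:   %d\n", format_is_whitelisted("qed", true));
    printf("size-0 table: %d\n", lookup_in_zero_length_table("raw"));
    return 0;
}
```

Build it with -fsanitize=address,undefined as the fuzzing builds in the thread do; with the bounded walk there is nothing for either sanitizer to report even when the count is 0, and if a generated header ever produces a zero-element table again the _Static_assert stops the build before any binary exists.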