You are looking at the HTML representation of the XML format.
HTML is good for debugging, but is unsuitable for application use.
Specify the format parameter to change the output format.
To see the non HTML representation of the XML format, set format=xml.
See the complete documentation, or API help for more information.
<?xml version="1.0"?>
    <allpages gapcontinue="Testing/CCWTestDevice" />
      <page pageid="951" ns="0" title="SecurityProcess">
          <rev contentformat="text/x-wiki" contentmodel="wikitext" xml:space="preserve">QEMU takes security very seriously, and we aim to take immediate action to address serious security-related problems that involve our product.

Please report any suspected security vulnerability in QEMU to the following addresses.
You can use GPG keys for respective receipients to communicate with us securely.
If you do, please upload your GPG public key or supply it to us in some other way, so
that we can communicate to you in a secure way, too!
Please include the tag [QEMU-SECURITY] on the subject line to help us identify your message
as security-related.

|+ QEMU Security Contact List: please copy everyone on this list.
|Contact Person(s) || Contact Address || Company || GPG key || GPG key fingerprint
|Michael S. Tsirkin || || Red Hat Inc. || [[ GPG key ]] || Fingerprint=0270 606B 6F3C DF3D 0B17  0970 C350 3912 AFBE 8E67
|Petr Matousek || || Red Hat Inc. || [[;search=0x3E786F42C44977CA GPG key ]] || Fingerprint=8107 AF16 A416 F9AF 18F3  D874 3E78 6F42 C449 77CA
|Stefano Stabellini || || Independent || [[ GPG key ]] || Fingerprint=D04E 33AB A51F 67BA 07D3  0AEA 894F 8F48 70E1 AE90
| Security Response Team || || Red Hat Inc. || [[ GPG key]]
|Michael Roth || || IBM || [[ GPG key ]] || Fingerprint=CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584
|Prasad J Pandit || || Red Hat Inc. || [[;search=0xDD133D32FE5B041F GPG key]] || Fingerprint=47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

=== How to Contact Us Securely ===

We use a GNU Privacy Guard (GnuPG or GPG) keys to secure communications. Mail sent to members of the list can be encrypted with public keys of all members of the list. We expect to change some of the keys we use from time to time. Should we change the key, the previous keys will be revoked.

=== How we respond ===
Maintainers listed on the security reporting list operate a
policy of responsible disclosure.  As such they agree that any
information you share with them about security issues that are not
public knowledge is kept confidential within respective affiliated companies.
It is not passed on to any third-party, including Xen Security Project, without your

Email sent to us is read and acknowledged with a non-automated response. For issues that are complicated and require significant attention, we will open an investigation and keep you informed of our progress. We might take one or more of the following steps:

==== Publication embargo ====

As a security issue reported, that is not already publically disclosed elsewhere, has an embargo date assigned and communicated to reporter. Embargo periods will be negotiated by mutual agreement between members of the security team and other relevant parties to the problem. Members of the security contact list agree not to publically disclose any details of the security issue until the embargo date expires.

==== CVE allocation ====

An security issue is assigned with a CVE number. The CVE numbers will usually be allocated by one of the vendor security engineers on the security contact list.

=== When to Contact the QEMU Security Contact List ===

You should contact the Security Contact List if:
*    You think there may be a security vulnerability in QEMU.
*    You are unsure about how a known vulnerability affects QEMU.
*    You can contact us in English. We are unable to respond in other languages.

=== When '''not''' to Contact the QEMU Security Contact List ===
*   You need assistance in a language other than English.
*   You require technical assistance (for example, &quot;how do I configure QEMU?&quot;).
*   You need help upgrading QEMU due to security alerts.
*   Your issue is not security related.

=== How impact and severity of a bug is decided ===

All  security issues in QEMU are not equal. Based on the parts of the QEMU sources wherein the bug is found, its impact and severity could vary.

In particular, QEMU is used in many different scenarios; some of them assume that the guest is trusted, some of them don't. General considerations to triage QEMU issues and decide whether a configuration is security sensitive include:

* Is there any feasible way for a malicious party to exploit this flaw and cause real damage? (e.g. from a guest or via downloadable images)
* Does the flaw require access to the management interface? Would the management interface be accessible in the scenario where the flaw could cause real damage?
* Is QEMU used in conjunction with a hypervisor, as opposed to TCG binary translation TCG)?
* Is QEMU used to offer virtualised production services, as opposed to usage as a development platform?

Whenever some or all of these questions have negative answers, what appears to be a genuine security flaw might be considered of low severity because it could only be exercised in use cases where QEMU and everything interacting with it is trusted.

For  example, consider upstream commit [;a=commit;h=9201bb9 9201bb9 &quot;sdhci.c: Limit the maximum block size&quot;],  an of out of bounds (OOB) memory  access (ie. buffer overflow) issue that was found and fixed in the SD Host  Controller emulation (hw/sd/sdhci.c).

Prima  facie, this bug appears to be a genuine security flaw, with potentially  severe implications. But digging further down, it shows that there are  only two ways to use SD Host Controller emulation, one is via 'sdhci-pci' interface and the other is via 'generic-sdhci' interface.

Of these two, the 'sdhci-pci'  interface is relatively new and had actually been disabled by default in the  upstream QEMU releases (commit [;a=commit;h=1910913 1910913 &quot;sdhci: Make device &quot;sdhci-pci&quot; unavailable with -device&quot;]) at the time the flaw was reported; therefore, guests could not possibly use 'sdhci-pci' for any  purpose.

The 'generic-sdhci' interface, instead, had only one user in 'Xilinx Zynq Baseboard emulation' (hw/arm/xilinx_zynq.c). Xilinx Zynq is a programmable systems on chip (SoC) device. While QEMU does emulate this device, in practice it is used to  facilitate cross-platform developmental efforts. i.e. QEMU is used to write programs for the SoC device. In such developer environments, it is generally assumed that the guest is trusted.

And thus, this buffer overflow turned out to be a security non-issue.

=== What to Send to the QEMU Security Contact List ===

Please provide as much information about your system and the issue as possible when contacting the list.</rev>
      <page pageid="375" ns="0" title="Testing">
          <rev contentformat="text/x-wiki" contentmodel="wikitext" xml:space="preserve">== Tests included in the QEMU source ==

QEMU includes a test suite comprising:

* [[Testing/UnitTests|unit tests]] for library code
* [[Features/QTest|QTest]]-based tests, which inject predefined stimuli into the device emulation code.
* [[Testing/QemuIoTests|qemu-iotests]], a regression test suite for the block layer code.

=== &lt;tt&gt;make check&lt;/tt&gt; ===

The unit tests and QTest-based can be run with &quot;&lt;tt&gt;make check&lt;/tt&gt;&quot;. Use &quot;&lt;tt&gt;make check-help&lt;/tt&gt;&quot; to see a list of other available test targets and parameters (for example, you can use &quot;&lt;tt&gt;make check SPEED=slow V=1&lt;/tt&gt;&quot; for a verbose, more thorough test run). These unit tests are used in [[#Continuous Integration|our continuous integration]] systems, based on [[Testing/Travis|Travis]] and [[Testing/Patchew|Patchew]].

=== qemu-iotests ===

&lt;blockquote&gt;''Main article: [[Testing/QemuIoTests]]''&lt;/blockquote&gt;

qemu-iotests is run from the toplevel build directory with &lt;tt&gt;make check-block&lt;/tt&gt;. A full version of the testsuite, taking around half an hour to run, is run with &lt;tt&gt;sh ../tests/;/tt&gt;.

=== &lt;tt&gt;make docker&lt;/tt&gt; ===

The build system supports a number of Docker build targets which allow the source tree to be built and tested on a number of different Linux distributions regardless of your host. See [[Testing/DockerBuild]] for more information.

=== device-crash-test script ===

The &lt;tt&gt;scripts/device-crash-test&lt;/tt&gt; script can be used to run QEMU with multiple
&lt;tt&gt;-machine&lt;/tt&gt; and &lt;tt&gt;-device&lt;/tt&gt; combinations, to look for obvious crashes machine or
device code.

== System emulation ==

We have [[Testing/System Images|a collection of links to disk images]] which can be used to test system emulation.

== User mode emulation ==

Here are some links to executables that can be used to test Linux user mode emulation:

* [ linux-user-busyboxes-0.1.tar.xz] - Collection of static busybox binaries for almost all Linux target architectures that QEMU simulates. For quick smoke testing of Linux user mode emulation.

It is also possible to [[Testing/LTP|run the Linux Test Project's syscall test suite under the Linux user mode emulation]].

== Dynamic code analysis ==

This includes any test to detect memory leaks, reads of uninitialised memory,
buffer overflows or other forms of illegal memory access, that needs QEMU to be run, not merely compiled.

=== Valgrind ===

Typically these kind of tests are done using [[Documentation/Debugging with Valgrind|Valgrind]] on a Linux host.
Any of the disk images and executables listed above can be used in such tests.

 # Simple i386 boot test (BIOS only) with Valgrind.
 valgrind --leak-check=full --track-origins=yes --verbose qemu-system-i386

=== clang UBSan ===

The [[ clang undefined behavior sanitizer]] can be used to warn about accidental uses of C undefined behavior when QEMU is run. To use it you first need to configure and build QEMU with a clang compiler with the right options:

 mkdir build/clang
 (cd build/clang &amp;&amp; ../../configure --cc=clang --cxx=clang++ \
    '--extra-cflags=-fsanitize=undefined -fno-sanitize=shift-base -Wno-address-of-packed-member -Werror')
 make -C build/clang -j8

(The -fno-sanitize=shift-base is a workaround for [[ LLVM bug 25552]] where it did not correctly suppress some shift-related warnings when -fwrapv was in use. If you're using a clang where that bug is fixed, likely 3.9 or better, you can drop it.)

Then when you run the resulting QEMU binaries messages will be printed when UB is invoked:

 hw/core/loader.c:67:15: runtime error: null pointer passed as argument 1, which is declared to never be null

See the clang documentation for more information including how to produce stack backtraces on errors.

== Static code analysis ==

There are a number of tools which analyse C code and try to detect typical
errors. None of these tools is perfect, so using different tools with QEMU
will detect more bugs. Be prepared to also get lots of false warnings!

=== ccc-analyzer (clang) ===

This is an example used on Debian. It needs package clang.

 # Start from the root directory with QEMU code.
 mkdir -f bin/debug/ccc-analyzer
 cd bin/debug/ccc-analyzer
 ../../../configure --enable-debug --enable-trace-backend=stderr \
      --cc=/usr/share/clang/scan-build/ccc-analyzer --disable-docs

At least on my Linux host (1 GiB RAM, 2 GiB swap), make hangs when
ccc-analyzer analyzes target-mips/translate.c: function decode_opc
is too complex for the analyzer and takes all memory. Killing the
clang process helps in this situation. It's needed 6 times because
there are 4 MIPS system emulations and 2 Linux MIPS user emulations.

I guess this is because target-mips/translate.c contains switches with
cases covering a very large range; assuming ccc-analyzer expands these
case ranges somehow, it probably blows up memory completely.

=== smatch ===

Here is a typical example using smatch (from git://

 # Start from the root directory with QEMU code.
 mkdir -f bin/debug/smatch
 cd bin/debug/smatch
 CHECK=&quot;smatch&quot; ../../../configure --enable-debug --cc=cgcc --host-cc=cgcc

This example expects that smatch and cgcc are installed in your PATH
(if not, you must add absolute paths to the example).

=== Coverity ===

Periodic scans of QEMU are done on the public Coverity Scan service (  You can request access on their website, and the administrator will grant it if you are an active participant in QEMU development.

Coverity is confused slightly by multiple definitions of functions with the same name. For this reason, Coverity scans are done as follows:

 mkdir cov-int
 ./configure --audio-drv-list=oss,alsa,sdl,pa --disable-werror
 make libqemustub.a
 cov-build --dir cov-int make
 tar cvf - cov-int | xz &gt; cov-int.tar.xz

Notice that libqemustub.a is ignored by Coverity.  This is because some stubs call &lt;tt&gt;abort()&lt;/tt&gt; and this causes dead-code false positives. The file cov-int.tar.xz can then be uploaded to [ Coverity Scan's &quot;Submit build&quot; page]. Customarily, the &quot;project version&quot; is set to the output of &lt;tt&gt;git describe HEAD&lt;/tt&gt; and the &quot;description/tag&quot; is set to &quot;commit XYZ&quot; where XYZ is the '''full''' SHA1 hash of the commit.

== Avocado and Avocado-VT ==

Avocado is a generic testing framework, while Avocado-VT adds support for Virtualization testing, including first level support for testing QEMU.

To get started with Avocado-VT please visit:

To learn more about Avocado please visit:

After installing it, you can use Avocado-VT tests with your own build of QEMU:

 avocado run boot --vt-qemu-bin /path/to/qemu-system-x86_64

== Continuous Integration ==

There is no central point of Continuous Integration for the QEMU project. Instead various individuals and companies have set-up various automated systems that attempt to build and test QEMU to various degrees.


== See Also ==

* [ gdb-qemu], a set of scripts that look for compatibility bugs by poking at QEMU internal data structures using GDB

The following sub-pages exist: