authorChirantan Ekbote <chirantan@chromium.org>2019-10-16 12:08:13 +0900
committerCommit Bot <commit-bot@chromium.org>2019-11-08 03:06:15 +0000
commitcfabb882f14db178cd6490371f3944052f7b4c27 (patch)
tree75ac3cfddebb79fa961f27d03c75dc2c5d72bd09
parent18655cc1247c31717b2bd2cfdf114f0acb93a610 (diff)
fuzz: Add virtio-fs server fuzzer
Add a fuzzer for the virtio-fs server, which is responsible for decoding
a byte stream into FUSE messages.

BUG=none
TEST=run it with cros_fuzz

Change-Id: Ic7695f2106d3f81e6cf09b98ffedc51831238f1e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1865272
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
-rw-r--r--devices/src/virtio/fs/fuzzing.rs21
-rw-r--r--devices/src/virtio/fs/mod.rs2
-rw-r--r--fuzz/Cargo.toml4
-rw-r--r--fuzz/fs_server_fuzzer.rs48
4 files changed, 75 insertions, 0 deletions
diff --git a/devices/src/virtio/fs/fuzzing.rs b/devices/src/virtio/fs/fuzzing.rs
new file mode 100644
index 0000000..6bb4a8f
--- /dev/null
+++ b/devices/src/virtio/fs/fuzzing.rs
@@ -0,0 +1,21 @@
+// Copyright 2019 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+use crate::virtio::fs::filesystem::FileSystem;
+use crate::virtio::fs::server::Server;
+use crate::virtio::{Reader, Writer};
+
+// Use a file system that does nothing since we are fuzzing the server implementation.
+struct NullFs;
+impl FileSystem for NullFs {
+    type Inode = u64;
+    type Handle = u64;
+}
+
+/// Fuzz the server implementation.
+pub fn fuzz_server(r: Reader, w: Writer) {
+    let server = Server::new(NullFs);
+
+    let _ = server.handle_message(r, w);
+}
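Review bot: The doc comment on `fuzz_server` does not explain what the harness deliberately ignores, which a reader of the `let _ =` on the last line of the hunk will want to know. Something like `/// Decode one FUSE message from `r` against a file system that provides nothing beyond the trait defaults, presumably writing any reply to `w`. The result of handle_message is dropped on purpose: the fuzzer only cares about panics in the decode path, not whether the request succeeds.` would make the intent explicit. The comment on `NullFs` could likewise say that it relies entirely on the `FileSystem` trait's default method implementations, which live outside this diff, so a change to those defaults changes what the fuzzer exercises.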
diff --git a/devices/src/virtio/fs/mod.rs b/devices/src/virtio/fs/mod.rs
index ff71dc1..5e8ac41 100644
--- a/devices/src/virtio/fs/mod.rs
+++ b/devices/src/virtio/fs/mod.rs
@@ -23,6 +23,8 @@ use crate::virtio::{
 mod filesystem;
 #[allow(dead_code)]
 mod fuse;
+#[cfg(fuzzing)]
+pub mod fuzzing;
 mod multikey;
 pub mod passthrough;
 mod server;
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
index 3ec2f2b..47d3bf2 100644
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -24,6 +24,10 @@ name = "crosvm_block_fuzzer"
 path = "block_fuzzer.rs"
 
 [[bin]]
+name = "crosvm_fs_server_fuzzer"
+path = "fs_server_fuzzer.rs"
+
+[[bin]]
 name = "crosvm_qcow_fuzzer"
 path = "qcow_fuzzer.rs"
 
diff --git a/fuzz/fs_server_fuzzer.rs b/fuzz/fs_server_fuzzer.rs
new file mode 100644
index 0000000..c824a0a
--- /dev/null
+++ b/fuzz/fs_server_fuzzer.rs
@@ -0,0 +1,48 @@
+// Copyright 2019 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#![no_main]
+
+use std::convert::TryInto;
+
+use cros_fuzz::fuzz_target;
+use devices::virtio::fs::fuzzing::fuzz_server;
+use devices::virtio::{create_descriptor_chain, DescriptorType, Reader, Writer};
+use sys_util::{GuestAddress, GuestMemory};
+
+const MEM_SIZE: u64 = 256 * 1024 * 1024;
+const BUFFER_ADDR: GuestAddress = GuestAddress(0x100);
+
+thread_local! {
+    static GUEST_MEM: GuestMemory = GuestMemory::new(&[(GuestAddress(0), MEM_SIZE)]).unwrap();
+}
+
+fuzz_target!(|data| {
+    use DescriptorType::*;
+
+    GUEST_MEM.with(|mem| {
+        mem.write_all_at_addr(data, BUFFER_ADDR).unwrap();
+
+        let chain = create_descriptor_chain(
+            mem,
+            GuestAddress(0),
+            BUFFER_ADDR,
+            vec![
+                (Readable, data.len().try_into().unwrap()),
+                (
+                    Writable,
+                    (MEM_SIZE as u32)
+                        .saturating_sub(data.len().try_into().unwrap())
+                        .saturating_sub(0x100),
+                ),
+            ],
+            0,
+        )
+        .unwrap();
+
+        let r = Reader::new(mem, chain.clone()).unwrap();
+        let w = Writer::new(mem, chain).unwrap();
+        fuzz_server(r, w);
+    });
+});
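Review bot: An input longer than the guest memory above BUFFER_ADDR is a harness crash rather than a server bug: `mem.write_all_at_addr(data, BUFFER_ADDR).unwrap()` presumably fails once `BUFFER_ADDR + data.len()` runs past MEM_SIZE, and the two `try_into().unwrap()` calls would also panic for lengths above u32::MAX, so such a crash would be reported against the harness instead of handle_message. A guard at the top of the closure, `if data.len() as u64 > MEM_SIZE - BUFFER_ADDR.0 { return; }` (assuming `data` is a byte slice, as the `write_all_at_addr` call suggests), keeps every reported crash attributable to the server. The literal `0x100` in the writable-length computation duplicates the value of BUFFER_ADDR; `.saturating_sub(BUFFER_ADDR.0 as u32)` keeps the two in step if the buffer address is ever moved.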