author | Chirantan Ekbote <chirantan@chromium.org> | 2019-10-16 04:43:33 +0900 |
committer | Manoj Gupta <manojgupta@chromium.org> | 2019-10-24 15:23:29 +0000 |
commit | 1955fd1fb317841ecdf31666a5d88021670ae035 (patch) | |
tree | e134cf11b2746d6128805dc8865dd03b140bcf49 | |
parent | f60d367467496c38a4a599e467d717d16358dab1 (diff) | |
fuzz: Add virtqueue fuzzer
BUG=none TEST=Run it with cros_fuzz Cq-Depend: chromium:1863177, chromium:1863178 Change-Id: I1a989d7b90116e210a8aae63205c5e8cf6b70faa Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1863889 Reviewed-by: Chirantan Ekbote <chirantan@chromium.org> Tested-by: Chirantan Ekbote <chirantan@chromium.org> Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org> Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
-rw-r--r-- | fuzz/Cargo.toml | 7 | ||||
-rw-r--r-- | fuzz/virtqueue_fuzzer.rs | 54 |
2 files changed, 61 insertions, 0 deletions
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
index af6a8b4..3ec2f2b 100644
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -5,10 +5,13 @@ authors = ["The Chromium OS Authors"]
 edition = "2018"
 
 [dependencies]
+cros_fuzz = "*"
+data_model = { path = "../data_model" }
 devices = { path = "../devices" }
 kernel_loader = { path = "../kernel_loader" }
 libc = "*"
 qcow = { path = "../qcow" }
+rand = "0.6"
 sys_util = { path = "../sys_util" }
 usb_util = { path = "../usb_util" }
 
@@ -29,5 +32,9 @@ name = "crosvm_usb_descriptor_fuzzer"
 path = "usb_descriptor_fuzzer.rs"
 
 [[bin]]
+name = "crosvm_virtqueue_fuzzer"
+path = "virtqueue_fuzzer.rs"
+
+[[bin]]
 name = "crosvm_zimage_fuzzer"
 path = "zimage_fuzzer.rs"
diff --git a/fuzz/virtqueue_fuzzer.rs b/fuzz/virtqueue_fuzzer.rs
new file mode 100644
index 0000000..6e7b735
--- /dev/null
+++ b/fuzz/virtqueue_fuzzer.rs
@@ -0,0 +1,54 @@
+// Copyright 2019 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#![no_main]
+
+use cros_fuzz::fuzz_target;
+use cros_fuzz::rand::FuzzRng;
+use data_model::VolatileMemory;
+use devices::virtio::Queue;
+use rand::Rng;
+use sys_util::{GuestAddress, GuestMemory};
+
+const MAX_QUEUE_SIZE: u16 = 512;
+const MEM_SIZE: u64 = 256 * 1024 * 1024;
+
+thread_local! {
+    static GUEST_MEM: GuestMemory = GuestMemory::new(&[(GuestAddress(0), MEM_SIZE)]).unwrap();
+}
+
+fuzz_target!(|data: &[u8]| {
+    let mut q = Queue::new(MAX_QUEUE_SIZE);
+    let mut rng = FuzzRng::new(data);
+    q.max_size = rng.gen();
+    q.size = rng.gen();
+    q.ready = true;
+    q.desc_table = GuestAddress(rng.gen_range(0, MEM_SIZE));
+    q.avail_ring = GuestAddress(rng.gen_range(0, MEM_SIZE));
+    q.used_ring = GuestAddress(rng.gen_range(0, MEM_SIZE));
+
+    let back = rng.into_inner();
+    GUEST_MEM.with(|mem| {
+        // First zero out all of the memory.
+        let vs = mem.get_slice(0, MEM_SIZE).unwrap();
+        vs.write_bytes(0);
+
+        // Then fill in the descriptor table.
+        let mut off = mem.write_at_addr(back, q.desc_table).unwrap();
+
+        // If there's any more data left, then fill in the available ring.
+        if off < back.len() {
+            off += mem.write_at_addr(&back[off..], q.avail_ring).unwrap();
+        }
+
+        // If there's still more put it in the used ring.
+        if off < back.len() {
+            mem.write_at_addr(&back[off..], q.used_ring).unwrap();
+        }
+
+        while let Some(desc_chain) = q.pop(mem) {
+            let _ = desc_chain.into_iter().count();
+        }
+    });
+});
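Review bot: `q.max_size = rng.gen();` overwrites the value that `Queue::new(MAX_QUEUE_SIZE)` just set, so the `MAX_QUEUE_SIZE` constant has no effect on the queue under test and a reader is left believing the queue is capped at 512; either drop the constant and construct the queue from the random value, or keep the bound and delete the assignment. The `vs.write_bytes(0)` over the full 256 MiB `MEM_SIZE` on every input is also likely the dominant per-iteration cost; since this body only writes guest memory at the three ring addresses chosen above, clearing just those spans would keep inputs independent at a fraction of the cost, provided `Queue::pop` and the chain iterator do not themselves write guest memory (not visible here, confirm). A short `//!` module doc would help the next reader, stating that the queue fields are deliberately set to out-of-spec values (arbitrary `size`/`max_size`, unaligned ring addresses inside the guest range) so that `Queue::pop` and descriptor-chain iteration are exercised against hostile guest-controlled memory rather than a well-formed layout.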