Add kernel_loader fuzzing

Add a top level fuzz directory. Other fuzz tests will be added here in
subsequent commits.

For now fuzzing must be run manually. Soon there will be a way to
extract the fuzz artifacts and upload them to cluster fuzz.

Change-Id: Iddfb55af78af6f412927b2221f22acb882069d36
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/850851
Reviewed-by: Zach Reizner <zachr@chromium.org>

3 files changed, 43 insertions, 0 deletions

diff --git a/fuzz/.gitignore b/fuzz/.gitignore
new file mode 100644
index 0000000..a092511
--- /dev/null
+++ b/fuzz/.gitignore
@@ -0,0 +1,3 @@
+target
+corpus
+artifacts
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
new file mode 100644
index 0000000..91c4bcb
--- /dev/null
+++ b/fuzz/Cargo.toml
@@ -0,0 +1,25 @@
+[package]
+name = "crosvm-fuzz"
+version = "0.0.1"
+authors = ["Automatically generated"]
+publish = false
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies.kernel_loader]
+path = "../kernel_loader"
+[dependencies.libfuzzer-sys]
+git = "https://github.com/rust-fuzz/libfuzzer-sys.git"
+
+[dependencies]
+libc = "*"
+sys_util = { path = "../sys_util" }
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[[bin]]
+name = "fuzz_zimage"
+path = "fuzzers/fuzz_zimage.rs"
diff --git a/fuzz/fuzzers/fuzz_zimage.rs b/fuzz/fuzzers/fuzz_zimage.rs
new file mode 100644
index 0000000..1ff75e3
--- /dev/null
+++ b/fuzz/fuzzers/fuzz_zimage.rs
@@ -0,0 +1,15 @@
+#![no_main]
+#[macro_use] extern crate libfuzzer_sys;
+extern crate kernel_loader;
+extern crate libc;
+extern crate sys_util;
+
+use sys_util::{GuestAddress, GuestMemory};
+
+use std::io::Cursor;
+
+fuzz_target!(|data: &[u8]| { // fuzzed code goes here
+    let mut kimage = Cursor::new(data);
+    let mem = GuestMemory::new(&[(GuestAddress(0), data.len() + 0x1000)]).unwrap();
+    let _ = kernel_loader::load_kernel(&mem, GuestAddress(0), &mut kimage);
+});