diff options
author | Chirantan Ekbote <chirantan@chromium.org> | 2019-10-16 12:08:13 +0900 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2019-11-08 03:06:15 +0000 |
commit | cfabb882f14db178cd6490371f3944052f7b4c27 (patch) | |
tree | 75ac3cfddebb79fa961f27d03c75dc2c5d72bd09 /fuzz | |
parent | 18655cc1247c31717b2bd2cfdf114f0acb93a610 (diff) | |
download | crosvm-cfabb882f14db178cd6490371f3944052f7b4c27.tar crosvm-cfabb882f14db178cd6490371f3944052f7b4c27.tar.gz crosvm-cfabb882f14db178cd6490371f3944052f7b4c27.tar.bz2 crosvm-cfabb882f14db178cd6490371f3944052f7b4c27.tar.lz crosvm-cfabb882f14db178cd6490371f3944052f7b4c27.tar.xz crosvm-cfabb882f14db178cd6490371f3944052f7b4c27.tar.zst crosvm-cfabb882f14db178cd6490371f3944052f7b4c27.zip |
fuzz: Add virtio-fs server fuzzer
Add a fuzzer for the virtio-fs server, which is responsible for decoding a byte stream into FUSE messages. BUG=none TEST=run it with cros_fuzz Change-Id: Ic7695f2106d3f81e6cf09b98ffedc51831238f1e Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1865272 Tested-by: Chirantan Ekbote <chirantan@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Commit-Queue: Chirantan Ekbote <chirantan@chromium.org> Reviewed-by: Daniel Verkamp <dverkamp@chromium.org> Reviewed-by: Stephen Barber <smbarber@chromium.org>
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/Cargo.toml | 4 | ||||
-rw-r--r-- | fuzz/fs_server_fuzzer.rs | 48 |
2 files changed, 52 insertions, 0 deletions
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml index 3ec2f2b..47d3bf2 100644 --- a/fuzz/Cargo.toml +++ b/fuzz/Cargo.toml @@ -24,6 +24,10 @@ name = "crosvm_block_fuzzer" path = "block_fuzzer.rs" [[bin]] +name = "crosvm_fs_server_fuzzer" +path = "fs_server_fuzzer.rs" + +[[bin]] name = "crosvm_qcow_fuzzer" path = "qcow_fuzzer.rs" diff --git a/fuzz/fs_server_fuzzer.rs b/fuzz/fs_server_fuzzer.rs new file mode 100644 index 0000000..c824a0a --- /dev/null +++ b/fuzz/fs_server_fuzzer.rs @@ -0,0 +1,48 @@ +// Copyright 2019 The Chromium OS Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#![no_main] + +use std::convert::TryInto; + +use cros_fuzz::fuzz_target; +use devices::virtio::fs::fuzzing::fuzz_server; +use devices::virtio::{create_descriptor_chain, DescriptorType, Reader, Writer}; +use sys_util::{GuestAddress, GuestMemory}; + +const MEM_SIZE: u64 = 256 * 1024 * 1024; +const BUFFER_ADDR: GuestAddress = GuestAddress(0x100); + +thread_local! { + static GUEST_MEM: GuestMemory = GuestMemory::new(&[(GuestAddress(0), MEM_SIZE)]).unwrap(); +} + +fuzz_target!(|data| { + use DescriptorType::*; + + GUEST_MEM.with(|mem| { + mem.write_all_at_addr(data, BUFFER_ADDR).unwrap(); + + let chain = create_descriptor_chain( + mem, + GuestAddress(0), + BUFFER_ADDR, + vec![ + (Readable, data.len().try_into().unwrap()), + ( + Writable, + (MEM_SIZE as u32) + .saturating_sub(data.len().try_into().unwrap()) + .saturating_sub(0x100), + ), + ], + 0, + ) + .unwrap(); + + let r = Reader::new(mem, chain.clone()).unwrap(); + let w = Writer::new(mem, chain).unwrap(); + fuzz_server(r, w); + }); +}); |