authorChirantan Ekbote <chirantan@chromium.org>2019-10-16 12:08:13 +0900
committerCommit Bot <commit-bot@chromium.org>2019-11-08 03:06:15 +0000
commitcfabb882f14db178cd6490371f3944052f7b4c27 (patch)
tree75ac3cfddebb79fa961f27d03c75dc2c5d72bd09 /fuzz
parent18655cc1247c31717b2bd2cfdf114f0acb93a610 (diff)
fuzz: Add virtio-fs server fuzzer
Add a fuzzer for the virtio-fs server, which is responsible for decoding
a byte stream into FUSE messages.

BUG=none
TEST=run it with cros_fuzz

Change-Id: Ic7695f2106d3f81e6cf09b98ffedc51831238f1e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1865272
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Diffstat (limited to 'fuzz')
-rw-r--r--fuzz/Cargo.toml4
-rw-r--r--fuzz/fs_server_fuzzer.rs48
2 files changed, 52 insertions, 0 deletions
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
index 3ec2f2b..47d3bf2 100644
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -24,6 +24,10 @@ name = "crosvm_block_fuzzer"
 path = "block_fuzzer.rs"
 
 [[bin]]
+name = "crosvm_fs_server_fuzzer"
+path = "fs_server_fuzzer.rs"
+
+[[bin]]
 name = "crosvm_qcow_fuzzer"
 path = "qcow_fuzzer.rs"
 
diff --git a/fuzz/fs_server_fuzzer.rs b/fuzz/fs_server_fuzzer.rs
new file mode 100644
index 0000000..c824a0a
--- /dev/null
+++ b/fuzz/fs_server_fuzzer.rs
@@ -0,0 +1,48 @@
+// Copyright 2019 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#![no_main]
+
+use std::convert::TryInto;
+
+use cros_fuzz::fuzz_target;
+use devices::virtio::fs::fuzzing::fuzz_server;
+use devices::virtio::{create_descriptor_chain, DescriptorType, Reader, Writer};
+use sys_util::{GuestAddress, GuestMemory};
+
+const MEM_SIZE: u64 = 256 * 1024 * 1024;
+const BUFFER_ADDR: GuestAddress = GuestAddress(0x100);
+
+thread_local! {
+    static GUEST_MEM: GuestMemory = GuestMemory::new(&[(GuestAddress(0), MEM_SIZE)]).unwrap();
+}
+
+fuzz_target!(|data| {
+    use DescriptorType::*;
+
+    GUEST_MEM.with(|mem| {
+        mem.write_all_at_addr(data, BUFFER_ADDR).unwrap();
+
+        let chain = create_descriptor_chain(
+            mem,
+            GuestAddress(0),
+            BUFFER_ADDR,
+            vec![
+                (Readable, data.len().try_into().unwrap()),
+                (
+                    Writable,
+                    (MEM_SIZE as u32)
+                        .saturating_sub(data.len().try_into().unwrap())
+                        .saturating_sub(0x100),
+                ),
+            ],
+            0,
+        )
+        .unwrap();
+
+        let r = Reader::new(mem, chain.clone()).unwrap();
+        let w = Writer::new(mem, chain).unwrap();
+        fuzz_server(r, w);
+    });
+});
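Review bot: The harness panics on oversized input in two places on the new side — `mem.write_all_at_addr(data, BUFFER_ADDR).unwrap()` and `data.len().try_into().unwrap()` — so any input longer than `MEM_SIZE - 0x100` bytes (or above `u32::MAX`) crashes inside the fuzzer rather than in the FUSE decoder, and libFuzzer reports that as a finding indistinguishable from a real bug in `fuzz_server`. With cros_fuzz's default `max_len` this is presumably unreachable, but the target carries no comment saying so; a guard such as `if data.len() > (MEM_SIZE - BUFFER_ADDR.0) as usize { return; }` at the top of the closure makes the harness self-describing and keeps the size assumption out of the crash bucket. The literal `0x100` on the `saturating_sub` line silently duplicates `BUFFER_ADDR` and should be written as `.saturating_sub(BUFFER_ADDR.0 as u32)` so the writable descriptor still ends exactly at `MEM_SIZE` if the buffer address is ever moved. A short header comment above `MEM_SIZE` describing the layout this relies on — descriptor table at guest address 0, fuzz input as the readable descriptor at `0x100`, the remainder of guest memory as the writable descriptor — would also help the next person who changes the descriptor count, since the table must keep fitting below `BUFFER_ADDR`.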