Coverage Report

Created: 2024-09-08 06:35

/src/crosvm/fuzz/fuzz_targets/block_fuzzer.rs
Line
Count
Source
1
// Copyright 2018 The ChromiumOS Authors
2
// Use of this source code is governed by a BSD-style license that can be
3
// found in the LICENSE file.
4
5
#![cfg(not(test))]
6
#![no_main]
7
8
use std::collections::BTreeMap;
9
use std::io::Cursor;
10
use std::io::Read;
11
use std::io::Seek;
12
use std::io::SeekFrom;
13
use std::mem::size_of;
14
15
use base::Event;
16
use crosvm_fuzz::fuzz_target;
17
use devices::virtio::base_features;
18
use devices::virtio::block::DiskOption;
19
use devices::virtio::BlockAsync;
20
use devices::virtio::Interrupt;
21
use devices::virtio::QueueConfig;
22
use devices::virtio::VirtioDevice;
23
use devices::IrqLevelEvent;
24
use hypervisor::ProtectionType;
25
use vm_memory::GuestAddress;
26
use vm_memory::GuestMemory;
27
28
const MEM_SIZE: u64 = 256 * 1024 * 1024;
29
const DESC_SIZE: u64 = 16; // Bytes in one virtio descriptor.
30
const QUEUE_SIZE: u16 = 16; // Max entries in the queue.
31
const CMD_SIZE: usize = 16; // Bytes in the command.
32
33
fuzz_target!(|bytes| {
34
    let size_u64 = size_of::<u64>();
35
    let mem = GuestMemory::new(&[(GuestAddress(0), MEM_SIZE)]).unwrap();
36
37
    // The fuzz data is interpreted as:
38
    // starting index 8 bytes
39
    // command location 8 bytes
40
    // command 16 bytes
41
    // descriptors circular buffer 16 bytes * 3
42
    if bytes.len() < 4 * size_u64 {
43
        // Need an index to start.
44
        return;
45
    }
46
47
    let mut data_image = Cursor::new(bytes);
48
49
    let first_index = read_u64(&mut data_image);
50
    if first_index > MEM_SIZE / DESC_SIZE {
51
        return;
52
    }
53
    let first_offset = first_index * DESC_SIZE;
54
    if first_offset as usize + size_u64 > bytes.len() {
55
        return;
56
    }
57
58
    let command_addr = read_u64(&mut data_image);
59
    if command_addr > MEM_SIZE - CMD_SIZE as u64 {
60
        return;
61
    }
62
    if mem
63
        .write_all_at_addr(
64
            &bytes[2 * size_u64..(2 * size_u64) + CMD_SIZE],
65
            GuestAddress(command_addr),
66
        )
67
        .is_err()
68
    {
69
        return;
70
    }
71
72
    data_image.seek(SeekFrom::Start(first_offset)).unwrap();
73
    let desc_table = read_u64(&mut data_image);
74
75
    if mem
76
        .write_all_at_addr(&bytes[32..], GuestAddress(desc_table))
77
        .is_err()
78
    {
79
        return;
80
    }
81
82
    let interrupt = Interrupt::new(
83
        IrqLevelEvent::new().unwrap(),
84
        None,   // msix_config
85
        0xFFFF, // VIRTIO_MSI_NO_VECTOR
86
        #[cfg(target_arch = "x86_64")]
87
        None,
88
    );
89
90
    let mut q = QueueConfig::new(QUEUE_SIZE, 0);
91
    q.set_size(QUEUE_SIZE / 2);
92
    q.set_ready(true);
93
    let q = q
94
        .activate(&mem, Event::new().unwrap(), interrupt.clone())
95
        .expect("QueueConfig::activate");
96
    let queue_evt = q.event().try_clone().unwrap();
97
98
    let features = base_features(ProtectionType::Unprotected);
99
100
    let disk_file = tempfile::tempfile().unwrap();
101
    let disk_option = DiskOption::default();
102
    let mut block = BlockAsync::new(
103
        features,
104
        Box::new(disk_file),
105
        &disk_option,
106
        None,
107
        None,
108
        None,
109
    )
110
    .unwrap();
111
112
    block
113
        .activate(mem, interrupt, BTreeMap::from([(0, q)]))
114
        .unwrap();
115
116
    queue_evt.signal().unwrap(); // Rings the doorbell
117
});
118
119
1.54k
fn read_u64<T: Read>(readable: &mut T) -> u64 {
120
1.54k
    let mut buf = [0u8; size_of::<u64>()];
121
1.54k
    readable.read_exact(&mut buf[..]).unwrap();
122
1.54k
    u64::from_le_bytes(buf)
123
1.54k
}