/src/crosvm/fuzz/fuzz_targets/block_fuzzer.rs
Line | Count | Source |
1 | | // Copyright 2018 The ChromiumOS Authors |
2 | | // Use of this source code is governed by a BSD-style license that can be |
3 | | // found in the LICENSE file. |
4 | | |
5 | | #![cfg(not(test))] |
6 | | #![no_main] |
7 | | |
8 | | use std::collections::BTreeMap; |
9 | | use std::io::Cursor; |
10 | | use std::io::Read; |
11 | | use std::io::Seek; |
12 | | use std::io::SeekFrom; |
13 | | use std::mem::size_of; |
14 | | |
15 | | use base::Event; |
16 | | use crosvm_fuzz::fuzz_target; |
17 | | use devices::virtio::base_features; |
18 | | use devices::virtio::block::DiskOption; |
19 | | use devices::virtio::BlockAsync; |
20 | | use devices::virtio::Interrupt; |
21 | | use devices::virtio::QueueConfig; |
22 | | use devices::virtio::VirtioDevice; |
23 | | use devices::IrqLevelEvent; |
24 | | use hypervisor::ProtectionType; |
25 | | use vm_memory::GuestAddress; |
26 | | use vm_memory::GuestMemory; |
27 | | |
28 | | const MEM_SIZE: u64 = 256 * 1024 * 1024; |
29 | | const DESC_SIZE: u64 = 16; // Bytes in one virtio descriptor. |
30 | | const QUEUE_SIZE: u16 = 16; // Max entries in the queue. |
31 | | const CMD_SIZE: usize = 16; // Bytes in the command. |
32 | | |
33 | | fuzz_target!(|bytes| { |
34 | | let size_u64 = size_of::<u64>(); |
35 | | let mem = GuestMemory::new(&[(GuestAddress(0), MEM_SIZE)]).unwrap(); |
36 | | |
37 | | // The fuzz data is interpreted as: |
38 | | // starting index 8 bytes |
39 | | // command location 8 bytes |
40 | | // command 16 bytes |
41 | | // descriptors circular buffer 16 bytes * 3 |
42 | | if bytes.len() < 4 * size_u64 { |
43 | | // Need an index to start. |
44 | | return; |
45 | | } |
46 | | |
47 | | let mut data_image = Cursor::new(bytes); |
48 | | |
49 | | let first_index = read_u64(&mut data_image); |
50 | | if first_index > MEM_SIZE / DESC_SIZE { |
51 | | return; |
52 | | } |
53 | | let first_offset = first_index * DESC_SIZE; |
54 | | if first_offset as usize + size_u64 > bytes.len() { |
55 | | return; |
56 | | } |
57 | | |
58 | | let command_addr = read_u64(&mut data_image); |
59 | | if command_addr > MEM_SIZE - CMD_SIZE as u64 { |
60 | | return; |
61 | | } |
62 | | if mem |
63 | | .write_all_at_addr( |
64 | | &bytes[2 * size_u64..(2 * size_u64) + CMD_SIZE], |
65 | | GuestAddress(command_addr), |
66 | | ) |
67 | | .is_err() |
68 | | { |
69 | | return; |
70 | | } |
71 | | |
72 | | data_image.seek(SeekFrom::Start(first_offset)).unwrap(); |
73 | | let desc_table = read_u64(&mut data_image); |
74 | | |
75 | | if mem |
76 | | .write_all_at_addr(&bytes[32..], GuestAddress(desc_table)) |
77 | | .is_err() |
78 | | { |
79 | | return; |
80 | | } |
81 | | |
82 | | let interrupt = Interrupt::new( |
83 | | IrqLevelEvent::new().unwrap(), |
84 | | None, // msix_config |
85 | | 0xFFFF, // VIRTIO_MSI_NO_VECTOR |
86 | | #[cfg(target_arch = "x86_64")] |
87 | | None, |
88 | | ); |
89 | | |
90 | | let mut q = QueueConfig::new(QUEUE_SIZE, 0); |
91 | | q.set_size(QUEUE_SIZE / 2); |
92 | | q.set_ready(true); |
93 | | let q = q |
94 | | .activate(&mem, Event::new().unwrap(), interrupt.clone()) |
95 | | .expect("QueueConfig::activate"); |
96 | | let queue_evt = q.event().try_clone().unwrap(); |
97 | | |
98 | | let features = base_features(ProtectionType::Unprotected); |
99 | | |
100 | | let disk_file = tempfile::tempfile().unwrap(); |
101 | | let disk_option = DiskOption::default(); |
102 | | let mut block = BlockAsync::new( |
103 | | features, |
104 | | Box::new(disk_file), |
105 | | &disk_option, |
106 | | None, |
107 | | None, |
108 | | None, |
109 | | ) |
110 | | .unwrap(); |
111 | | |
112 | | block |
113 | | .activate(mem, interrupt, BTreeMap::from([(0, q)])) |
114 | | .unwrap(); |
115 | | |
116 | | queue_evt.signal().unwrap(); // Rings the doorbell |
117 | | }); |
118 | | |
119 | 1.54k | fn read_u64<T: Read>(readable: &mut T) -> u64 { |
120 | 1.54k | let mut buf = [0u8; size_of::<u64>()]; |
121 | 1.54k | readable.read_exact(&mut buf[..]).unwrap(); |
122 | 1.54k | u64::from_le_bytes(buf) |
123 | 1.54k | } |