/src/qubes-os/qubes-core-qrexec/fuzz/fuzz.c

Source (jump to first uncovered line)
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <stdbool.h>
#include <stdlib.h>
#include <errno.h>

#include "fuzz.h"

#define MAX_FILES 16

#define MARKER_SIZE 4

static fuzz_file_t files[MAX_FILES];

static void panic(const char *msg) {
    fprintf(stderr, "%s\n", msg);
    abort();
}

static void file_read(fuzz_file_t *file, void *buf, size_t count) {
    assert (count <= file->input_size);
    memcpy(buf, file->input_data, count);
    file->input_data += count;
    file->input_size -= count;
}

static bool file_input_eof(fuzz_file_t *file) {
    return file->input_size == 0;
}

fuzz_file_t *fuzz_file_create(int fd, const void *input_data, size_t input_size) {
    fuzz_file_t *file = &files[fd];
    if (file->allocated) {
        panic("fuzz_file_create: file already allocated");
    }

    file->allocated = true;
    file->fd = fd;
    file->open_read = true;
    file->open_write = true;

    file->input_data = input_data;
    file->input_size = input_size;
    return file;
}

void fuzz_file_destroy(fuzz_file_t *file) {
    file->allocated = false;
}

int fuzz_libvchan_write(fuzz_file_t *file, const void *data, size_t size) {
    return fuzz_write(file->fd, data, size);
}

int fuzz_libvchan_send(fuzz_file_t *file, const void *data, size_t size) {
    return fuzz_write(file->fd, data, size);
}

int fuzz_libvchan_read(fuzz_file_t *file, void *data, size_t size) {
    if (!file->allocated || !file->open_read)
        panic("libvchan_read() from a closed file");

    if (size == 0)
        return 0;

    if (file_input_eof(file))
        return -1;

    if (size > file->input_size)
        size = file->input_size;
    file_read(file, data, size);
    return size;
}

int fuzz_libvchan_recv(fuzz_file_t *file, void *data, size_t size) {
    return fuzz_libvchan_read(file, data, size);
}

int fuzz_libvchan_wait(fuzz_file_t *file) {
    return 0;
}

void fuzz_libvchan_close(fuzz_file_t *file) {
    file->open_read = false;
    file->open_write = false;
}

int fuzz_libvchan_fd_for_select(fuzz_file_t *file) {
    return file->fd;
}

int fuzz_libvchan_is_open(fuzz_file_t *file) {
    return file->open_read && file->open_write;
}

int fuzz_libvchan_data_ready(fuzz_file_t *file) {
    return file->input_size;
}

int fuzz_libvchan_buffer_space(fuzz_file_t *file) {
    return 1024;
}

ssize_t fuzz_read(int fd, void *buf, size_t count) {
    if (!files[fd].allocated || !files[fd].open_read)
        panic("invalid read()");

    if (count == 0)
        return 0;

    if (file_input_eof(&files[fd]))
        return 0;

    if (count > files[fd].input_size)
        count = files[fd].input_size;

    if (count > 0)
        file_read(&files[fd], buf, count);

    return count;
}

static volatile char output[256];

ssize_t fuzz_write(int fd, const void *buf, size_t count) {
    if (!files[fd].allocated || !files[fd].open_write)
        panic("invalid write()");

    if (count == 0)
        return 0;

    // Ensure all bytes of buf are accessed
    for (int i = 0; i < count; i += sizeof(output)) {
        size_t n = count - i < sizeof(output) ? count - i : sizeof(output);
        memcpy((void*) output, buf, n);
    }

    return count;
}

fuzz_file_t *fuzz_libvchan_client_init(int domain, int port) {
    /* not implemented yet */
    abort();
}

Line	Count	Source (jump to first uncovered line)
1		#include <assert.h>
2		#include <stdio.h>
3		#include <string.h>
4		#include <sys/socket.h>
5		#include <stdbool.h>
6		#include <stdlib.h>
7		#include <errno.h>
8
9		#include "fuzz.h"
10
11		#define MAX_FILES 16
12
13		#define MARKER_SIZE 4
14
15		static fuzz_file_t files[MAX_FILES];
16
17	0	static void panic(const char *msg) {
18	0	fprintf(stderr, "%s\n", msg);
19	0	abort();
20	0	}
21
22	1.96k	static void file_read(fuzz_file_t file, void buf, size_t count) {
23	1.96k	assert (count <= file->input_size);
24	0	memcpy(buf, file->input_data, count);
25	1.96k	file->input_data += count;
26	1.96k	file->input_size -= count;
27	1.96k	}
28
29	2.00k	static bool file_input_eof(fuzz_file_t *file) {
30	2.00k	return file->input_size == 0;
31	2.00k	}
32
33	889	fuzz_file_t fuzz_file_create(int fd, const void input_data, size_t input_size) {
34	889	fuzz_file_t *file = &files[fd];
35	889	if (file->allocated) {
36	0	panic("fuzz_file_create: file already allocated");
37	0	}
38
39	889	file->allocated = true;
40	889	file->fd = fd;
41	889	file->open_read = true;
42	889	file->open_write = true;
43
44	889	file->input_data = input_data;
45	889	file->input_size = input_size;
46	889	return file;
47	889	}
48
49	889	void fuzz_file_destroy(fuzz_file_t *file) {
50	889	file->allocated = false;
51	889	}
52
53	0	int fuzz_libvchan_write(fuzz_file_t file, const void data, size_t size) {
54	0	return fuzz_write(file->fd, data, size);
55	0	}
56
57	740	int fuzz_libvchan_send(fuzz_file_t file, const void data, size_t size) {
58	740	return fuzz_write(file->fd, data, size);
59	740	}
60
61	2.00k	int fuzz_libvchan_read(fuzz_file_t file, void data, size_t size) {
62	2.00k	if (!file->allocated \|\| !file->open_read)
63	0	panic("libvchan_read() from a closed file");
64
65	2.00k	if (size == 0)
66	0	return 0;
67
68	2.00k	if (file_input_eof(file))
69	35	return -1;
70
71	1.96k	if (size > file->input_size)
72	53	size = file->input_size;
73	1.96k	file_read(file, data, size);
74	1.96k	return size;
75	2.00k	}
76
77	2.00k	int fuzz_libvchan_recv(fuzz_file_t file, void data, size_t size) {
78	2.00k	return fuzz_libvchan_read(file, data, size);
79	2.00k	}
80
81	0	int fuzz_libvchan_wait(fuzz_file_t *file) {
82	0	return 0;
83	0	}
84
85	0	void fuzz_libvchan_close(fuzz_file_t *file) {
86	0	file->open_read = false;
87	0	file->open_write = false;
88	0	}
89
90	0	int fuzz_libvchan_fd_for_select(fuzz_file_t *file) {
91	0	return file->fd;
92	0	}
93
94	0	int fuzz_libvchan_is_open(fuzz_file_t *file) {
95	0	return file->open_read && file->open_write;
96	0	}
97
98	0	int fuzz_libvchan_data_ready(fuzz_file_t *file) {
99	0	return file->input_size;
100	0	}
101
102	0	int fuzz_libvchan_buffer_space(fuzz_file_t *file) {
103	0	return 1024;
104	0	}
105
106	0	ssize_t fuzz_read(int fd, void *buf, size_t count) {
107	0	if (!files[fd].allocated \|\| !files[fd].open_read)
108	0	panic("invalid read()");
109
110	0	if (count == 0)
111	0	return 0;
112
113	0	if (file_input_eof(&files[fd]))
114	0	return 0;
115
116	0	if (count > files[fd].input_size)
117	0	count = files[fd].input_size;
118
119	0	if (count > 0)
120	0	file_read(&files[fd], buf, count);
121
122	0	return count;
123	0	}
124
125		static volatile char output[256];
126
127	740	ssize_t fuzz_write(int fd, const void *buf, size_t count) {
128	740	if (!files[fd].allocated \|\| !files[fd].open_write)
129	0	panic("invalid write()");
130
131	740	if (count == 0)
132	0	return 0;
133
134		// Ensure all bytes of buf are accessed
135	1.48k	for (int i = 0; i < count; i += sizeof(output)) {
136	740	size_t n = count - i < sizeof(output) ? count - i : sizeof(output);
137	740	memcpy((void*) output, buf, n);
138	740	}
139
140	740	return count;
141	740	}
142
143	0	fuzz_file_t *fuzz_libvchan_client_init(int domain, int port) {
144		/* not implemented yet */
145	0	abort();
146	0	}

Coverage Report

Created: 2023-09-25 06:33