xref: /aosp_15_r20/external/crosvm/fuzz/fuzz_targets/block_fuzzer.rs (revision bb4ee6a4ae7042d18b07a98463b9c8b875e44b39) 
1 // Copyright 2018 The ChromiumOS Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #![cfg(not(test))]
6 #![no_main]
7 
8 use std::collections::BTreeMap;
9 use std::io::Cursor;
10 use std::io::Read;
11 use std::io::Seek;
12 use std::io::SeekFrom;
13 use std::mem::size_of;
14 
15 use base::Event;
16 use crosvm_fuzz::fuzz_target;
17 use devices::virtio::base_features;
18 use devices::virtio::block::DiskOption;
19 use devices::virtio::BlockAsync;
20 use devices::virtio::Interrupt;
21 use devices::virtio::QueueConfig;
22 use devices::virtio::VirtioDevice;
23 use devices::IrqLevelEvent;
24 use hypervisor::ProtectionType;
25 use vm_memory::GuestAddress;
26 use vm_memory::GuestMemory;
27 
28 const MEM_SIZE: u64 = 256 * 1024 * 1024;
29 const DESC_SIZE: u64 = 16; // Bytes in one virtio descriptor.
30 const QUEUE_SIZE: u16 = 16; // Max entries in the queue.
31 const CMD_SIZE: usize = 16; // Bytes in the command.
32 
33 fuzz_target!(|bytes| {
34     let size_u64 = size_of::<u64>();
35     let mem = GuestMemory::new(&[(GuestAddress(0), MEM_SIZE)]).unwrap();
36 
37     // The fuzz data is interpreted as:
38     // starting index 8 bytes
39     // command location 8 bytes
40     // command 16 bytes
41     // descriptors circular buffer 16 bytes * 3
42     if bytes.len() < 4 * size_u64 {
43         // Need an index to start.
44         return;
45     }
46 
47     let mut data_image = Cursor::new(bytes);
48 
49     let first_index = read_u64(&mut data_image);
50     if first_index > MEM_SIZE / DESC_SIZE {
51         return;
52     }
53     let first_offset = first_index * DESC_SIZE;
54     if first_offset as usize + size_u64 > bytes.len() {
55         return;
56     }
57 
58     let command_addr = read_u64(&mut data_image);
59     if command_addr > MEM_SIZE - CMD_SIZE as u64 {
60         return;
61     }
62     if mem
63         .write_all_at_addr(
64             &bytes[2 * size_u64..(2 * size_u64) + CMD_SIZE],
65             GuestAddress(command_addr),
66         )
67         .is_err()
68     {
69         return;
70     }
71 
72     data_image.seek(SeekFrom::Start(first_offset)).unwrap();
73     let desc_table = read_u64(&mut data_image);
74 
75     if mem
76         .write_all_at_addr(&bytes[32..], GuestAddress(desc_table))
77         .is_err()
78     {
79         return;
80     }
81 
82     let interrupt = Interrupt::new(
83         IrqLevelEvent::new().unwrap(),
84         None,   // msix_config
85         0xFFFF, // VIRTIO_MSI_NO_VECTOR
86         #[cfg(target_arch = "x86_64")]
87         None,
88     );
89 
90     let mut q = QueueConfig::new(QUEUE_SIZE, 0);
91     q.set_size(QUEUE_SIZE / 2);
92     q.set_ready(true);
93     let q = q
94         .activate(&mem, Event::new().unwrap(), interrupt.clone())
95         .expect("QueueConfig::activate");
96     let queue_evt = q.event().try_clone().unwrap();
97 
98     let features = base_features(ProtectionType::Unprotected);
99 
100     let disk_file = tempfile::tempfile().unwrap();
101     let disk_option = DiskOption::default();
102     let mut block = BlockAsync::new(
103         features,
104         Box::new(disk_file),
105         &disk_option,
106         None,
107         None,
108         None,
109     )
110     .unwrap();
111 
112     block
113         .activate(mem, interrupt, BTreeMap::from([(0, q)]))
114         .unwrap();
115 
116     queue_evt.signal().unwrap(); // Rings the doorbell
117 });
118 
read_u64<T: Read>(readable: &mut T) -> u64119 fn read_u64<T: Read>(readable: &mut T) -> u64 {
120     let mut buf = [0u8; size_of::<u64>()];
121     readable.read_exact(&mut buf[..]).unwrap();
122     u64::from_le_bytes(buf)
123 }
124