• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2018 The Chromium OS Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #![no_main]
6 
7 use std::io::{Cursor, Read, Seek, SeekFrom};
8 use std::mem::size_of;
9 use std::sync::atomic::AtomicUsize;
10 use std::sync::Arc;
11 
12 use base::Event;
13 use cros_fuzz::fuzz_target;
14 use devices::virtio::{base_features, Block, Interrupt, Queue, VirtioDevice};
15 use devices::ProtectionType;
16 use tempfile;
17 use vm_memory::{GuestAddress, GuestMemory};
18 
19 const MEM_SIZE: u64 = 256 * 1024 * 1024;
20 const DESC_SIZE: u64 = 16; // Bytes in one virtio descriptor.
21 const QUEUE_SIZE: u16 = 16; // Max entries in the queue.
22 const CMD_SIZE: usize = 16; // Bytes in the command.
23 
24 fuzz_target!(|bytes| {
25     let size_u64 = size_of::<u64>();
26     let mem = GuestMemory::new(&[(GuestAddress(0), MEM_SIZE)]).unwrap();
27 
28     // The fuzz data is interpreted as:
29     // starting index 8 bytes
30     // command location 8 bytes
31     // command 16 bytes
32     // descriptors circular buffer 16 bytes * 3
33     if bytes.len() < 4 * size_u64 {
34         // Need an index to start.
35         return;
36     }
37 
38     let mut data_image = Cursor::new(bytes);
39 
40     let first_index = read_u64(&mut data_image);
41     if first_index > MEM_SIZE / DESC_SIZE {
42         return;
43     }
44     let first_offset = first_index * DESC_SIZE;
45     if first_offset as usize + size_u64 > bytes.len() {
46         return;
47     }
48 
49     let command_addr = read_u64(&mut data_image);
50     if command_addr > MEM_SIZE - CMD_SIZE as u64 {
51         return;
52     }
53     if mem
54         .write_all_at_addr(
55             &bytes[2 * size_u64..(2 * size_u64) + CMD_SIZE],
56             GuestAddress(command_addr as u64),
57         )
58         .is_err()
59     {
60         return;
61     }
62 
63     data_image.seek(SeekFrom::Start(first_offset)).unwrap();
64     let desc_table = read_u64(&mut data_image);
65 
66     if mem
67         .write_all_at_addr(&bytes[32..], GuestAddress(desc_table as u64))
68         .is_err()
69     {
70         return;
71     }
72 
73     let mut q = Queue::new(QUEUE_SIZE);
74     q.ready = true;
75     q.size = QUEUE_SIZE / 2;
76     q.max_size = QUEUE_SIZE;
77 
78     let queue_evts: Vec<Event> = vec![Event::new().unwrap()];
79     let queue_evt = queue_evts[0].try_clone().unwrap();
80 
81     let features = base_features(ProtectionType::Unprotected);
82 
83     let disk_file = tempfile::tempfile().unwrap();
84     let mut block =
85         Block::new(features, Box::new(disk_file), false, true, 512, None, None).unwrap();
86 
87     block.activate(
88         mem,
89         Interrupt::new(
90             Arc::new(AtomicUsize::new(0)),
91             Event::new().unwrap(),
92             Event::new().unwrap(),
93             None,   // msix_config
94             0xFFFF, // VIRTIO_MSI_NO_VECTOR
95         ),
96         vec![q],
97         queue_evts,
98     );
99 
100     queue_evt.write(77).unwrap(); // Rings the doorbell, any byte will do.
101 });
102 
read_u64<T: Read>(readable: &mut T) -> u64103 fn read_u64<T: Read>(readable: &mut T) -> u64 {
104     let mut buf = [0u8; size_of::<u64>()];
105     readable.read_exact(&mut buf[..]).unwrap();
106     u64::from_le_bytes(buf)
107 }
108