fuzz: update to use new cros fuzzing

There is now infrastructure for running fuzzers in cros, use it. Change-Id: I53ec9e195b7062fdcc38b5186c1f3194031037f3 Signed-off-by: Dylan Reid <dgreid@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1521667 Tested-by: kokoro <noreply+kokoro@google.com> Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
2025-02-05 18:20:34 +00:00 · 2019-03-13 14:21:44 -07:00 · 2019-03-13 14:21:44 -07:00 · 3a42190cc4
commit 3a42190cc4
parent db4721d870
4 changed files with 38 additions and 29 deletions
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@ -1,19 +1,11 @@
 [package]
 name = "crosvm-fuzz"
 version = "0.0.1"
-authors = ["Automatically generated"]
-publish = false
-
-[package.metadata]
-cargo-fuzz = true
-
-[dependencies.kernel_loader]
-path = "../kernel_loader"
-[dependencies.libfuzzer-sys]
-git = "https://github.com/rust-fuzz/libfuzzer-sys.git"
+authors = ["The Chromium OS Authors"]

 [dependencies]
 libc = "*"
+kernel_loader = { path = "../kernel_loader" }
 sys_util = { path = "../sys_util" }

 # Prevent this from interfering with workspaces
@ -21,5 +13,5 @@ sys_util = { path = "../sys_util" }
 members = ["."]

 [[bin]]
-name = "fuzz_zimage"
-path = "fuzzers/fuzz_zimage.rs"
+name = "crosvm_zimage_fuzzer"
+path = "zimage_fuzzer.rs"
--- a/fuzz/OWNERS
+++ b/fuzz/OWNERS
@ -0,0 +1 @@
+dgreid@chromium.org
--- a/fuzz/fuzzers/fuzz_zimage.rs
+++ b/fuzz/fuzzers/fuzz_zimage.rs
@ -1,17 +0,0 @@
-#![no_main]
-#[macro_use]
-extern crate libfuzzer_sys;
-extern crate kernel_loader;
-extern crate libc;
-extern crate sys_util;
-
-use sys_util::{GuestAddress, GuestMemory};
-
-use std::io::Cursor;
-
-fuzz_target!(|data: &[u8]| {
-    // fuzzed code goes here
-    let mut kimage = Cursor::new(data);
-    let mem = GuestMemory::new(&[(GuestAddress(0), data.len() + 0x1000)]).unwrap();
-    let _ = kernel_loader::load_kernel(&mem, GuestAddress(0), &mut kimage);
-});
--- a/fuzz/zimage_fuzzer.rs
+++ b/fuzz/zimage_fuzzer.rs
@ -0,0 +1,33 @@
+// Copyright 2019 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#![no_main]
+extern crate kernel_loader;
+extern crate libc;
+extern crate sys_util;
+
+use sys_util::{GuestAddress, GuestMemory};
+
+use std::io::Cursor;
+use std::panic;
+use std::process;
+use std::slice;
+
+#[export_name = "LLVMFuzzerTestOneInput"]
+pub fn test_one_input(data: *const u8, size: usize) -> i32 {
+    // We cannot unwind past ffi boundaries.
+    panic::catch_unwind(|| {
+        // Safe because the libfuzzer runtime will guarantee that `data` is at least
+        // `size` bytes long and that it will be valid for the lifetime of this
+        // function.
+        let bytes = unsafe { slice::from_raw_parts(data, size) };
+        let mut kimage = Cursor::new(bytes);
+        let mem = GuestMemory::new(&[(GuestAddress(0), bytes.len() as u64 + 0x1000)]).unwrap();
+        let _ = kernel_loader::load_kernel(&mem, GuestAddress(0), &mut kimage);
+    })
+    .err()
+    .map(|_| process::abort());
+
+    0
+}