From 3a42190cc40bc910d402b6207b26f2b4081d200a Mon Sep 17 00:00:00 2001 From: Dylan Reid Date: Wed, 13 Mar 2019 14:21:44 -0700 Subject: [PATCH] fuzz: update to use new cros fuzzing There is now infrastructure for running fuzzers in cros, use it. Change-Id: I53ec9e195b7062fdcc38b5186c1f3194031037f3 Signed-off-by: Dylan Reid Reviewed-on: https://chromium-review.googlesource.com/1521667 Tested-by: kokoro Reviewed-by: Chirantan Ekbote --- fuzz/Cargo.toml | 16 ++++------------ fuzz/OWNERS | 1 + fuzz/fuzzers/fuzz_zimage.rs | 17 ----------------- fuzz/zimage_fuzzer.rs | 33 +++++++++++++++++++++++++++++++++ 4 files changed, 38 insertions(+), 29 deletions(-) create mode 100644 fuzz/OWNERS delete mode 100644 fuzz/fuzzers/fuzz_zimage.rs create mode 100644 fuzz/zimage_fuzzer.rs diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml index 91c4bcbe7b..3b09eb6017 100644 --- a/fuzz/Cargo.toml +++ b/fuzz/Cargo.toml @@ -1,19 +1,11 @@ [package] name = "crosvm-fuzz" version = "0.0.1" -authors = ["Automatically generated"] -publish = false - -[package.metadata] -cargo-fuzz = true - -[dependencies.kernel_loader] -path = "../kernel_loader" -[dependencies.libfuzzer-sys] -git = "https://github.com/rust-fuzz/libfuzzer-sys.git" +authors = ["The Chromium OS Authors"] [dependencies] libc = "*" +kernel_loader = { path = "../kernel_loader" } sys_util = { path = "../sys_util" } # Prevent this from interfering with workspaces @@ -21,5 +13,5 @@ sys_util = { path = "../sys_util" } members = ["."] [[bin]] -name = "fuzz_zimage" -path = "fuzzers/fuzz_zimage.rs" +name = "crosvm_zimage_fuzzer" +path = "zimage_fuzzer.rs" diff --git a/fuzz/OWNERS b/fuzz/OWNERS new file mode 100644 index 0000000000..8c53fc5780 --- /dev/null +++ b/fuzz/OWNERS @@ -0,0 +1 @@ +dgreid@chromium.org diff --git a/fuzz/fuzzers/fuzz_zimage.rs b/fuzz/fuzzers/fuzz_zimage.rs deleted file mode 100644 index 2d8958b6e3..0000000000 --- a/fuzz/fuzzers/fuzz_zimage.rs +++ /dev/null 
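Review bot: The new `[package]` section drops `publish = false` together with the cargo-fuzz metadata, so nothing in `crosvm-fuzz` now refuses an accidental `cargo publish` of a fuzz harness crate; keeping `publish = false` under `[package]` costs nothing and the crate is clearly not meant to leave the tree. The manifest also removes the `libfuzzer-sys` dependency while the renamed `crosvm_zimage_fuzzer` binary exports `LLVMFuzzerTestOneInput`, so the libFuzzer runtime must now be supplied by the build environment rather than by any crate listed here (presumably the cros fuzzing infrastructure the commit message refers to). A one-line comment above `[[bin]]` such as `# The libFuzzer runtime is linked by the cros fuzzer build flags, not by a crate dependency.` would tell the next reader where that symbol is satisfied. The unpinned `libc = "*"` is pre-existing, but this is a natural moment to pin it like the other dependencies.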
@@ -1,17 +0,0 @@
-#![no_main]
-#[macro_use]
-extern crate libfuzzer_sys;
-extern crate kernel_loader;
-extern crate libc;
-extern crate sys_util;
-
-use sys_util::{GuestAddress, GuestMemory};
-
-use std::io::Cursor;
-
-fuzz_target!(|data: &[u8]| {
- // fuzzed code goes here
- let mut kimage = Cursor::new(data);
- let mem = GuestMemory::new(&[(GuestAddress(0), data.len() + 0x1000)]).unwrap();
- let _ = kernel_loader::load_kernel(&mem, GuestAddress(0), &mut kimage);
-});
diff --git a/fuzz/zimage_fuzzer.rs b/fuzz/zimage_fuzzer.rs
new file mode 100644
index 0000000000..13b67b35ab
--- /dev/null
+++ b/fuzz/zimage_fuzzer.rs
@@ -0,0 +1,33 @@
+// Copyright 2019 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#![no_main]
+extern crate kernel_loader;
+extern crate libc;
+extern crate sys_util;
+
+use sys_util::{GuestAddress, GuestMemory};
+
+use std::io::Cursor;
+use std::panic;
+use std::process;
+use std::slice;
+
+#[export_name = "LLVMFuzzerTestOneInput"]
+pub fn test_one_input(data: *const u8, size: usize) -> i32 {
+ // We cannot unwind past ffi boundaries.
+ panic::catch_unwind(|| {
+ // Safe because the libfuzzer runtime will guarantee that `data` is at least
+ // `size` bytes long and that it will be valid for the lifetime of this
+ // function.
+ let bytes = unsafe { slice::from_raw_parts(data, size) };
+ let mut kimage = Cursor::new(bytes);
+ let mem = GuestMemory::new(&[(GuestAddress(0), bytes.len() as u64 + 0x1000)]).unwrap();
+ let _ = kernel_loader::load_kernel(&mem, GuestAddress(0), &mut kimage);
+ })
+ .err()
+ .map(|_| process::abort());
+
+ 0
+}
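Review bot: The safety comment above `slice::from_raw_parts(data, size)` in `test_one_input` only argues about the length of `data`, but `from_raw_parts` also requires the pointer to be non-null and aligned even when `size` is 0, and nothing here states what the driver passes for an empty input. A cheap guard keeps the unsafe block honest for that case: `let bytes: &[u8] = if data.is_null() || size == 0 { &[] } else { unsafe { slice::from_raw_parts(data, size) } };`, with the comment extended to say the non-null case is what the runtime contract covers. Separately, `.err().map(|_| process::abort())` uses `Option::map` purely for control flow; `if panic::catch_unwind(|| { ... }).is_err() { process::abort(); }` states the intent directly and avoids the `!`-to-`()` coercion trick. Note also that `GuestMemory::new(..).unwrap()` inside the closure turns a mapping failure into an abort that the fuzzer will report as a crash in the target; that is acceptable for a harness, but a comment saying so would save a future triager a detour.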