crosvm-fuzz: Migrate crosvm-fuzz to cargo fuzz

Fuzzer targets can be ran with
cargo +nightly fuzz run --fuzz-dir crosvm-fuzz --features
upstream-fuzz <target>

This should enable us to move fuzzing to anywhere including
ClusterFuzz while maintain compatibility with cros infra.

TEST=`cargo fuzz` won't crash in first 30s,
`USE="asan fuzzer" emerge-hatch crosvm` builds,
`/build/hatch/usr/libexec/fuzzers/crosvm_qcow_fuzzer` won't
crash in first 30s
FIXED=b:245007212
BUG=b:244631591

Change-Id: I4b262ee1a6a90247dea96347c55a3849af793bec
Reviewed-on: https://chromium-review.googlesource.com/c/crosvm/crosvm/+/3905095
Auto-Submit: Zihan Chen <zihanchen@google.com>
Commit-Queue: Dennis Kempin <denniskempin@google.com>
Reviewed-by: Dennis Kempin <denniskempin@google.com>

Cargo.lock

@@ -67,6 +67,12 @@ version = "1.0.58"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bb07d2053ccdbe10e2af2995a2f116c1330396493dc1269f6a91d0ae82e19704"
 
+[[package]]
+name = "arbitrary"
+version = "1.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f44124848854b941eafdb34f05b3bcf59472f643c7e151eba7c2b69daa469ed5"
+
 [[package]]
 name = "arch"
 version = "0.1.0"
@@ -293,6 +299,9 @@ name = "cc"
 version = "1.0.73"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11"
+dependencies = [
+ "jobserver",
+]
 
 [[package]]
 name = "cfg-if"
@@ -389,6 +398,7 @@ dependencies = [
 name = "cros_fuzz"
 version = "0.1.0"
 dependencies = [
+ "libfuzzer-sys",
  "rand_core",
 ]
 
@@ -1002,6 +1012,15 @@ version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "112c678d4050afce233f4f2852bb2eb519230b3cf12f33585275537d7e41578d"
 
+[[package]]
+name = "jobserver"
+version = "0.1.24"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "af25a77299a7f711a01975c35a6a424eb6862092cc2d6c72c4ed6cbc56dfc1fa"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "kernel_cmdline"
 version = "0.1.0"
@@ -1075,6 +1094,17 @@ dependencies = [
  "pkg-config",
 ]
 
+[[package]]
+name = "libfuzzer-sys"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae185684fe19814afd066da15a7cc41e126886c21282934225d9fc847582da58"
+dependencies = [
+ "arbitrary",
+ "cc",
+ "once_cell",
+]
+
 [[package]]
 name = "libslirp-sys"
 version = "4.2.1"

common/cros-fuzz/Cargo.lock

@@ -2,6 +2,21 @@
 # It is not intended for manual editing.
 version = 3
 
+[[package]]
+name = "arbitrary"
+version = "1.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f44124848854b941eafdb34f05b3bcf59472f643c7e151eba7c2b69daa469ed5"
+
+[[package]]
+name = "cc"
+version = "1.0.73"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11"
+dependencies = [
+ "jobserver",
+]
+
 [[package]]
 name = "cfg-if"
 version = "1.0.0"
@@ -12,6 +27,7 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
 name = "cros_fuzz"
 version = "0.1.0"
 dependencies = [
+ "libfuzzer-sys",
  "rand_core",
 ]
 
@@ -26,12 +42,38 @@ dependencies = [
  "wasi",
 ]
 
+[[package]]
+name = "jobserver"
+version = "0.1.25"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "068b1ee6743e4d11fb9c6a1e6064b3693a1b600e7f5f5988047d98b3dc9fb90b"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "libc"
 version = "0.2.126"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836"
 
+[[package]]
+name = "libfuzzer-sys"
+version = "0.4.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ae185684fe19814afd066da15a7cc41e126886c21282934225d9fc847582da58"
+dependencies = [
+ "arbitrary",
+ "cc",
+ "once_cell",
+]
+
+[[package]]
+name = "once_cell"
+version = "1.15.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e82dad04139b71a90c080c8463fe0dc7902db5192d939bd0950f074d014339e1"
+
 [[package]]
 name = "rand_core"
 version = "0.6.3"

common/cros-fuzz/Cargo.toml

@@ -7,5 +7,9 @@ include = ["Cargo.toml", "src/*.rs"]
 
 [dependencies]
 rand_core = {version = "0.6", features = ["std"]}
+libfuzzer-sys = { version = "*", optional = true }
+
+[features]
+upstream-fuzz = ["dep:libfuzzer-sys"]
 
 [workspace]

common/cros-fuzz/src/lib.rs

@@ -66,6 +66,7 @@ pub mod rand;
 /// # }
 /// ```
 #[macro_export]
+#[cfg(not(feature = "upstream-fuzz"))]
 macro_rules! fuzz_target {
     (|$bytes:ident| $body:block) => {
         use std::panic;
@@ -93,3 +94,6 @@ macro_rules! fuzz_target {
         fuzz_target!(|$bytes| $body);
     };
 }
+
+#[cfg(feature = "upstream-fuzz")]
+pub use libfuzzer_sys::fuzz_target;

crosvm-fuzz/Cargo.toml

@@ -4,8 +4,11 @@ version = "0.0.1"
 authors = ["The Chromium OS Authors"]
 edition = "2021"
 
+[package.metadata]
+cargo-fuzz = true
+
 [dependencies]
-cros_fuzz = "*"
+cros_fuzz = { path = "../common/cros-fuzz" }
 data_model = { path = "../common/data_model" }
 devices = { path = "../devices" }
 disk = { path = "../disk" }
@@ -20,6 +23,7 @@ usb_util = { path = "../usb_util" }
 vm_memory = { path = "../vm_memory" }
 
 [features]
+upstream-fuzz = ["cros_fuzz/upstream-fuzz"]
 default = ["disk/qcow"]
 
 [[bin]]

crosvm-fuzz/fs_server_fuzzer.rs

@@ -6,14 +6,13 @@
 
 #[cfg(fuzzing)]
 mod fs_server_fuzzer {
-    use std::convert::TryInto;
-
     use cros_fuzz::fuzz_target;
     use devices::virtio::create_descriptor_chain;
     use devices::virtio::DescriptorType;
     use devices::virtio::Reader;
     use devices::virtio::Writer;
     use fuse::fuzzing::fuzz_server;
+    use std::convert::TryInto;
     use vm_memory::GuestAddress;
     use vm_memory::GuestMemory;
 

crosvm-fuzz/virtqueue_fuzzer.rs

@@ -4,14 +4,13 @@
 
 #![no_main]
 
-use std::mem::size_of;
-
 use cros_fuzz::fuzz_target;
 use cros_fuzz::rand::FuzzRng;
 use devices::virtio::DescriptorChain;
 use devices::virtio::Queue;
 use rand::Rng;
 use rand::RngCore;
+use std::mem::size_of;
 use vm_memory::GuestAddress;
 use vm_memory::GuestMemory;
 

crosvm-fuzz/zimage_fuzzer.rs

@@ -4,10 +4,9 @@
 
 #![no_main]
 
+use cros_fuzz::fuzz_target;
 use std::fs::File;
 use std::io::Write;
-
-use cros_fuzz::fuzz_target;
 use vm_memory::GuestAddress;
 use vm_memory::GuestMemory;
 

tools/impl/test_config.py

@@ -97,6 +97,7 @@ CRATE_OPTIONS: Dict[str, List[TestOption]] = {
     "disk": [TestOption.DO_NOT_RUN_AARCH64, TestOption.DO_NOT_RUN_ARMHF],  # b/202294155
     # FFmpeg 5.0 not available on Debian Bullseye used in container images.
     "ffmpeg": [TestOption.DO_NOT_BUILD],
+    "cros-fuzz": [TestOption.DO_NOT_BUILD],
     "fuzz": [TestOption.DO_NOT_BUILD],
     "hypervisor": [
         TestOption.DO_NOT_RUN_AARCH64,