fuzz: Add virtio-fs server fuzzer

Add a fuzzer for the virtio-fs server, which is responsible for decoding a byte stream into FUSE messages. BUG=none TEST=run it with cros_fuzz Change-Id: Ic7695f2106d3f81e6cf09b98ffedc51831238f1e Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1865272 Tested-by: Chirantan Ekbote <chirantan@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Commit-Queue: Chirantan Ekbote <chirantan@chromium.org> Reviewed-by: Daniel Verkamp <dverkamp@chromium.org> Reviewed-by: Stephen Barber <smbarber@chromium.org>
2025-02-11 04:26:38 +00:00 · 2019-10-16 12:08:13 +09:00 · 2019-10-16 12:08:13 +09:00 · cfabb882f1
commit cfabb882f1
parent 18655cc124
4 changed files with 75 additions and 0 deletions
--- a/devices/src/virtio/fs/fuzzing.rs
+++ b/devices/src/virtio/fs/fuzzing.rs
@ -0,0 +1,21 @@
+// Copyright 2019 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+use crate::virtio::fs::filesystem::FileSystem;
+use crate::virtio::fs::server::Server;
+use crate::virtio::{Reader, Writer};
+
+// Use a file system that does nothing since we are fuzzing the server implementation.
+struct NullFs;
+impl FileSystem for NullFs {
+    type Inode = u64;
+    type Handle = u64;
+}
+
+/// Fuzz the server implementation.
+pub fn fuzz_server(r: Reader, w: Writer) {
+    let server = Server::new(NullFs);
+
+    let _ = server.handle_message(r, w);
+}
--- a/devices/src/virtio/fs/mod.rs
+++ b/devices/src/virtio/fs/mod.rs
@ -23,6 +23,8 @@ use crate::virtio::{
 mod filesystem;
 #[allow(dead_code)]
 mod fuse;
+#[cfg(fuzzing)]
+pub mod fuzzing;
 mod multikey;
 pub mod passthrough;
 mod server;
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@ -23,6 +23,10 @@ members = ["."]
 name = "crosvm_block_fuzzer"
 path = "block_fuzzer.rs"

+[[bin]]
+name = "crosvm_fs_server_fuzzer"
+path = "fs_server_fuzzer.rs"
+
 [[bin]]
 name = "crosvm_qcow_fuzzer"
 path = "qcow_fuzzer.rs"
--- a/fuzz/fs_server_fuzzer.rs
+++ b/fuzz/fs_server_fuzzer.rs
@ -0,0 +1,48 @@
+// Copyright 2019 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#![no_main]
+
+use std::convert::TryInto;
+
+use cros_fuzz::fuzz_target;
+use devices::virtio::fs::fuzzing::fuzz_server;
+use devices::virtio::{create_descriptor_chain, DescriptorType, Reader, Writer};
+use sys_util::{GuestAddress, GuestMemory};
+
+const MEM_SIZE: u64 = 256 * 1024 * 1024;
+const BUFFER_ADDR: GuestAddress = GuestAddress(0x100);
+
+thread_local! {
+    static GUEST_MEM: GuestMemory = GuestMemory::new(&[(GuestAddress(0), MEM_SIZE)]).unwrap();
+}
+
+fuzz_target!(|data| {
+    use DescriptorType::*;
+
+    GUEST_MEM.with(|mem| {
+        mem.write_all_at_addr(data, BUFFER_ADDR).unwrap();
+
+        let chain = create_descriptor_chain(
+            mem,
+            GuestAddress(0),
+            BUFFER_ADDR,
+            vec![
+                (Readable, data.len().try_into().unwrap()),
+                (
+                    Writable,
+                    (MEM_SIZE as u32)
+                        .saturating_sub(data.len().try_into().unwrap())
+                        .saturating_sub(0x100),
+                ),
+            ],
+            0,
+        )
+        .unwrap();
+
+        let r = Reader::new(mem, chain.clone()).unwrap();
+        let w = Writer::new(mem, chain).unwrap();
+        fuzz_server(r, w);
+    });
+});