fuzz: add USB descriptor parsing fuzzer

The new USB descriptor parsing code is a nice candidate for a fuzzer, since it takes an arbitrary stream of bytes as input and parses it. BUG=chromium:987833 TEST=`USE='asan fuzzer' emerge-nami crosvm` Cq-Depend: chromium:1863465 Change-Id: I3bbdbf081e9a9dd590c781467f8bd44fa1dcab64 Signed-off-by: Daniel Verkamp <dverkamp@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1862117 Reviewed-by: Zach Reizner <zachr@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com>
2025-02-05 18:20:34 +00:00 · 2019-10-15 10:06:09 -07:00 · 2019-10-15 10:06:09 -07:00 · cfb7db44eb
commit cfb7db44eb
parent 92568c9c27
3 changed files with 35 additions and 1 deletions
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@ -10,6 +10,7 @@ kernel_loader = { path = "../kernel_loader" }
 libc = "*"
 qcow = { path = "../qcow" }
 sys_util = { path = "../sys_util" }
+usb_util = { path = "../usb_util" }

 # Prevent this from interfering with workspaces
 [workspace]
@ -23,6 +24,10 @@ path = "block_fuzzer.rs"
 name = "crosvm_qcow_fuzzer"
 path = "qcow_fuzzer.rs"

+[[bin]]
+name = "crosvm_usb_descriptor_fuzzer"
+path = "usb_descriptor_fuzzer.rs"
+
 [[bin]]
 name = "crosvm_zimage_fuzzer"
 path = "zimage_fuzzer.rs"
--- a/fuzz/usb_descriptor_fuzzer.rs
+++ b/fuzz/usb_descriptor_fuzzer.rs
@ -0,0 +1,27 @@
+// Copyright 2019 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#![no_main]
+
+use std::panic;
+use std::process;
+use std::slice;
+
+use usb_util::parse_usbfs_descriptors;
+
+#[export_name = "LLVMFuzzerTestOneInput"]
+pub fn test_one_input(data: *const u8, size: usize) -> i32 {
+    // We cannot unwind past ffi boundaries.
+    panic::catch_unwind(|| {
+        // Safe because the libfuzzer runtime will guarantee that `data` is at least
+        // `size` bytes long and that it will be valid for the lifetime of this
+        // function.
+        let bytes = unsafe { slice::from_raw_parts(data, size) };
+        let _ = parse_usbfs_descriptors(bytes);
+    })
+    .err()
+    .map(|_| process::abort());
+
+    0
+}
--- a/usb_util/src/lib.rs
+++ b/usb_util/src/lib.rs
@ -7,7 +7,9 @@ mod device;
 mod error;
 mod types;

-pub use self::descriptor::{ConfigDescriptorTree, DeviceDescriptorTree, InterfaceDescriptorTree};
+pub use self::descriptor::{
+    parse_usbfs_descriptors, ConfigDescriptorTree, DeviceDescriptorTree, InterfaceDescriptorTree,
+};
 pub use self::device::{Device, Transfer, TransferStatus};
 pub use self::error::{Error, Result};
 pub use self::types::{