fuzz: Add fuzzer for virtio-watchdog

Signed-off-by: Bo Chen <chen.bo@intel.com>
2025-01-21 20:15:21 +00:00 · 2022-09-15 16:16:16 -07:00 · 2022-09-15 16:16:16 -07:00 · f815fcbb5d
commit f815fcbb5d
parent 6a67675442
2 changed files with 105 additions and 0 deletions
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@ -80,3 +80,9 @@ name = "vhdx"
 path = "fuzz_targets/vhdx.rs"
 test = false
 doc = false
+
+[[bin]]
+name = "watchdog"
+path = "fuzz_targets/watchdog.rs"
+test = false
+doc = false
--- a/fuzz/fuzz_targets/watchdog.rs
+++ b/fuzz/fuzz_targets/watchdog.rs
@ -0,0 +1,99 @@
+// Copyright © 2022 Intel Corporation
+//
+// SPDX-License-Identifier: Apache-2.0
+
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use seccompiler::SeccompAction;
+use std::os::unix::io::{AsRawFd, FromRawFd};
+use std::sync::Arc;
+use virtio_devices::{VirtioDevice, VirtioInterrupt, VirtioInterruptType};
+use virtio_queue::{Queue, QueueT};
+use vm_memory::{bitmap::AtomicBitmap, Bytes, GuestAddress, GuestMemoryAtomic};
+use vmm_sys_util::eventfd::{EventFd, EFD_NONBLOCK};
+
+type GuestMemoryMmap = vm_memory::GuestMemoryMmap<AtomicBitmap>;
+
+const QUEUE_DATA_SIZE: usize = 4;
+const MEM_SIZE: usize = 256 * 1024 * 1024;
+// Max entries in the queue.
+const QUEUE_SIZE: u16 = 256;
+// Guest physical address for descriptor table.
+const DESC_TABLE_ADDR: u64 = 0;
+const DESC_TABLE_SIZE: u64 = 16_u64 * QUEUE_SIZE as u64;
+// Guest physical address for available ring
+const AVAIL_RING_ADDR: u64 = DESC_TABLE_ADDR + DESC_TABLE_SIZE;
+const AVAIL_RING_SIZE: u64 = 6_u64 + 2 * QUEUE_SIZE as u64;
+// Guest physical address for used ring (requires to 4-bytes aligned)
+const USED_RING_ADDR: u64 = (AVAIL_RING_ADDR + AVAIL_RING_SIZE + 3) & !3_u64;
+
+fuzz_target!(|bytes| {
+    if bytes.len() < QUEUE_DATA_SIZE || bytes.len() > (QUEUE_DATA_SIZE + MEM_SIZE) {
+        return;
+    }
+
+    let mut watchdog = virtio_devices::Watchdog::new(
+        "fuzzer_watchdog".to_owned(),
+        EventFd::new(EFD_NONBLOCK).unwrap(),
+        SeccompAction::Allow,
+        EventFd::new(EFD_NONBLOCK).unwrap(),
+    )
+    .unwrap();
+
+    let queue_data = &bytes[..QUEUE_DATA_SIZE];
+    let mem_bytes = &bytes[QUEUE_DATA_SIZE..];
+
+    // Setup the virt queue with the input bytes
+    let q = setup_virt_queue(queue_data.try_into().unwrap());
+
+    // Setup the guest memory with the input bytes
+    let mem = GuestMemoryMmap::from_ranges(&[(GuestAddress(0), MEM_SIZE)]).unwrap();
+    if mem.write_slice(mem_bytes, GuestAddress(0 as u64)).is_err() {
+        return;
+    }
+    let guest_memory = GuestMemoryAtomic::new(mem);
+
+    let evt = EventFd::new(0).unwrap();
+    let queue_evt = unsafe { EventFd::from_raw_fd(libc::dup(evt.as_raw_fd())) };
+
+    // Kick the 'queue' event before activate the watchdog device
+    queue_evt.write(1).unwrap();
+
+    watchdog
+        .activate(
+            guest_memory,
+            Arc::new(NoopVirtioInterrupt {}),
+            vec![(0, q, evt)],
+        )
+        .ok();
+
+    // Wait for the events to finish and watchdog device worker thread to return
+    watchdog.reset();
+});
+
+pub struct NoopVirtioInterrupt {}
+
+impl VirtioInterrupt for NoopVirtioInterrupt {
+    fn trigger(&self, _int_type: VirtioInterruptType) -> std::result::Result<(), std::io::Error> {
+        Ok(())
+    }
+}
+
+fn setup_virt_queue(bytes: &[u8; QUEUE_DATA_SIZE]) -> Queue {
+    let mut q = Queue::new(QUEUE_SIZE).unwrap();
+    q.set_next_avail(bytes[0] as u16); // 'u8' is enough given the 'QUEUE_SIZE' is small
+    q.set_next_used(bytes[1] as u16);
+    q.set_event_idx(bytes[2] % 2 != 0);
+    q.set_size(bytes[3] as u16 % QUEUE_SIZE);
+
+    q.try_set_desc_table_address(GuestAddress(DESC_TABLE_ADDR))
+        .unwrap();
+    q.try_set_avail_ring_address(GuestAddress(AVAIL_RING_ADDR))
+        .unwrap();
+    q.try_set_used_ring_address(GuestAddress(USED_RING_ADDR))
+        .unwrap();
+    q.set_ready(true);
+
+    q
+}