mirror of
https://github.com/cloud-hypervisor/cloud-hypervisor.git
synced 2025-01-07 21:35:23 +00:00
6fd5b0f696
When the main fuzzer function returns (), it is equivalent to returning Corpus::Keep. In some of the return paths, we want to reject the input so that the libfuzzer won't spend more time mutating them. The should make fuzzing more efficient. No functional change intended. Signed-off-by: Wei Liu <liuwe@microsoft.com>
55 lines
1.8 KiB
Rust
55 lines
1.8 KiB
Rust
// Copyright 2018 The Chromium OS Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE-BSD-3-Clause file.
|
|
//
|
|
// SPDX-License-Identifier: Apache-2.0 AND BSD-3-Clause
|
|
|
|
#![no_main]
|
|
use std::ffi;
|
|
use std::fs::File;
|
|
use std::io::{self, Cursor, Read, Seek, SeekFrom, Write};
|
|
use std::mem::size_of;
|
|
use std::os::unix::io::{FromRawFd, RawFd};
|
|
|
|
use block::qcow::{QcowFile, RawFile};
|
|
use libfuzzer_sys::{fuzz_target, Corpus};
|
|
|
|
// Take the first 64 bits of data as an address and the next 64 bits as data to
|
|
// store there. The rest of the data is used as a qcow image.
|
|
fuzz_target!(|bytes: &[u8]| -> Corpus {
|
|
if bytes.len() < 16 {
|
|
// Need an address and data, each are 8 bytes.
|
|
return Corpus::Reject;
|
|
}
|
|
let mut disk_image = Cursor::new(bytes);
|
|
let addr = read_u64(&mut disk_image);
|
|
let value = read_u64(&mut disk_image);
|
|
let shm = memfd_create(&ffi::CString::new("fuzz").unwrap(), 0).unwrap();
|
|
let mut disk_file: File = unsafe { File::from_raw_fd(shm) };
|
|
disk_file.write_all(&bytes[16..]).unwrap();
|
|
disk_file.seek(SeekFrom::Start(0)).unwrap();
|
|
if let Ok(mut qcow) = QcowFile::from(RawFile::new(disk_file, false)) {
|
|
if qcow.seek(SeekFrom::Start(addr)).is_ok() {
|
|
let _ = qcow.write_all(&value.to_le_bytes());
|
|
}
|
|
}
|
|
|
|
Corpus::Keep
|
|
});
|
|
|
|
fn read_u64<T: Read>(readable: &mut T) -> u64 {
|
|
let mut buf = [0u8; size_of::<u64>()];
|
|
readable.read_exact(&mut buf[..]).unwrap();
|
|
u64::from_le_bytes(buf)
|
|
}
|
|
|
|
fn memfd_create(name: &ffi::CStr, flags: u32) -> Result<RawFd, io::Error> {
|
|
let res = unsafe { libc::syscall(libc::SYS_memfd_create, name.as_ptr(), flags) };
|
|
|
|
if res < 0 {
|
|
Err(io::Error::last_os_error())
|
|
} else {
|
|
Ok(res as RawFd)
|
|
}
|
|
}
|