mirror of
https://github.com/cloud-hypervisor/cloud-hypervisor.git
synced 2025-01-12 15:42:57 +00:00
a00d29867c
With the addition of the spinning waiting for the exit event to be received in the CMOS device a regression was introduced into the CMOS fuzzer. Since there is nothing to receive the event in the fuzzer and there is nothing to update the bit the that the device is looping on; introducing an infinite loop. Use an Option<> type so that when running the device in the fuzzer no Arc<AtomicBool> is provided effectively disabling the spinning logic. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61165 Signed-off-by: Rob Bradford <rbradford@rivosinc.com>
52 lines
1.3 KiB
Rust
52 lines
1.3 KiB
Rust
// Copyright © 2022 Intel Corporation
|
|
//
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
#![no_main]
|
|
use devices::legacy::Cmos;
|
|
use libc::EFD_NONBLOCK;
|
|
use libfuzzer_sys::fuzz_target;
|
|
use std::sync::atomic::AtomicBool;
|
|
use std::sync::Arc;
|
|
use vm_device::BusDevice;
|
|
use vmm_sys_util::eventfd::EventFd;
|
|
|
|
fuzz_target!(|bytes| {
|
|
// Need at least 16 bytes for the test
|
|
if bytes.len() < 16 {
|
|
return;
|
|
}
|
|
|
|
let mut below_4g = [0u8; 8];
|
|
let mut above_4g = [0u8; 8];
|
|
|
|
below_4g.copy_from_slice(&bytes[0..8]);
|
|
above_4g.copy_from_slice(&bytes[8..16]);
|
|
|
|
let mut cmos = Cmos::new(
|
|
u64::from_le_bytes(below_4g),
|
|
u64::from_le_bytes(above_4g),
|
|
EventFd::new(EFD_NONBLOCK).unwrap(),
|
|
None,
|
|
);
|
|
|
|
let mut i = 16;
|
|
while i < bytes.len() {
|
|
let read = bytes.get(i).unwrap_or(&0) % 2 == 0;
|
|
i += 1;
|
|
|
|
if read {
|
|
let offset = (bytes.get(i).unwrap_or(&0) % 2) as u64;
|
|
i += 1;
|
|
let mut out_bytes = vec![0];
|
|
cmos.read(0, offset, &mut out_bytes);
|
|
} else {
|
|
let offset = (bytes.get(i).unwrap_or(&0) % 2) as u64;
|
|
i += 1;
|
|
let data = vec![*bytes.get(i).unwrap_or(&0)];
|
|
i += 1;
|
|
cmos.write(0, offset, &data);
|
|
}
|
|
}
|
|
});
|