When compiling a new-enough crosvm for fuzzing (after
https://crrev.com/c/1749950), the build would fail with an error about
importing two different versions of sys_util:
expected struct `sys_util::shm::SharedMemory`, found a different struct
`sys_util::shm::SharedMemory`
expected reference `sys_util::shm::SharedMemory (struct
`sys_util::shm::SharedMemory`)
found reference sys_util::shm::SharedMemory (struct
`sys_util::shm::SharedMemory`)
perhaps two different versions of crate `sys_util` are being used?
Fix this by patching the version of sys_util used by audio_streams
so that it also uses the path dependency instead of the sys_util from
the dev-rust/sys_util ebuild in the fuzz-specific Cargo.toml.
BUG=chromium:1057532
TEST=`USE='asan fuzzer' emerge-nami crosvm`
Change-Id: I38252465a1111a9a8f643a59e36733016c5db99d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2086401
Reviewed-by: Zach Reizner <zachr@chromium.org>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Manoj Gupta <manojgupta@chromium.org>
Move qcow from being its own crate into a module of the disk crate,
similar to the composite disk module.
This will allow use of qcow from disk and vice versa without introducing
a circular crate dependency.
BUG=None
TEST=./build_test.py
TEST=USE='asan fuzzer' emerge-nami crosvm
Change-Id: I77512bbe4b94faff1b5460f9796ee56505135580
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1972477
Reviewed-by: Cody Schuffelen <schuffelen@google.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
Fix the build of block_fuzzer after "devices: block: add block_size
option for disks".
It might be nice to generate the block size from the random fuzz data,
but that would complicate things (we'd have to handle failure of
Block::new due to invalid sizes), so let's leave that as a future
improvement for now and just use a block_size of 512 to match previous
behavior.
BUG=chromium:942700
TEST=`USE='asan fuzzer' emerge-nami crosvm`
Change-Id: Ia16ef6a57fc8ce4407f8ec9dda0e708302916c4c
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1962535
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Fix the block_fuzzer build after CL:1906750, which added a new parameter
to the Block::new() function without updating the fuzzer.
This change passes `true` for sparse in order to keep previous behavior
and maximize the available commands for fuzzing.
BUG=chromium:1025757
TEST=`USE='asan fuzzer' emerge-nami crosvm`
Change-Id: I29ed9945077936aee9636ddee20b59729eb78c85
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1922065
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Add handling of the virtio device MSI-X configuration change vector by
using the signal function that was previously factored out.
BUG=chromium:854765
TEST=./build_test
TEST=trigger disk config change with `crosvm disk resize ...`
Change-Id: I462c23e10d152f896586bb70b95634a53088d480
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1898269
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Zide Chen <zide.chen@intel.corp-partner.google.com>
Reviewed-by: Zach Reizner <zachr@chromium.org>
Factor out the common creation of struct Interrupt.
No functional change.
BUG=chromium:854765
TEST=./build_test
Change-Id: Idf8804771ba1af5181818f643e15e1b42918258a
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1898268
Tested-by: kokoro <noreply+kokoro@google.com>
Add a fuzzer for the virtio-fs server, which is responsible for decoding
a byte stream into FUSE messages.
BUG=none
TEST=run it with cros_fuzz
Change-Id: Ic7695f2106d3f81e6cf09b98ffedc51831238f1e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1865272
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Improve the virtqueue_fuzzer's performance by reducing the maximum queue
size as well as the size of the guest memory. Zeroing out 256MB of
memory on every iteration was slowing things down quite a bit and we
don't actually need that much memory to fuzz the virtqueue code.
Additionally, refactor the fuzzer to use the virtqueue structs from the
virtio spec to fill out the guest memory. This should give us more
targeted fuzzing compared to the previous implementation, while also
removing cases where the fuzzer would spin for thousands of iterations
without making any progress.
BUG=chromium:1018267
TEST=`cros_fuzz reproduce` and also run the fuzzer manually
Change-Id: Ibf71aa83c31f16b7f58b23045a0919f7f6824c77
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1886533
Tested-by: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Commit-Queue: Sean Abraham <seanabraham@chromium.org>
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
This eliminates the boilerplate for catching panics and creating a Rust
slice from the fuzzer input data.
BUG=None
TEST=`USE='asan fuzzer' emerge-nami crosvm`
Change-Id: I49666a344b02e3333ad6823bfa7dace08b66b290
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1879495
Reviewed-by: Dylan Reid <dgreid@chromium.org>
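The commit above describes removing the repeated entry-point boilerplate from each fuzzer. The following is an added illustration of that idea and is not crosvm's own macro: it wraps the libFuzzer entry point so that the target body receives a `&[u8]` slice and any panic is caught and turned into an abort. The macro name `fuzz_target!`, the `parse_record` routine it exercises and its length-prefixed input format are all hypothetical; the real entry point additionally needs the `no_mangle` export attribute so the symbol is visible to libFuzzer.

```rust
// Added example (not crosvm's code): hide the per-fuzzer boilerplate of
// turning libFuzzer's (pointer, length) pair into a slice and catching
// panics, so a panicking target aborts cleanly instead of unwinding
// across the C ABI boundary.

/// Declare a libFuzzer-style entry point whose body receives `&[u8]`.
/// When linking against libFuzzer the generated function also needs the
/// `no_mangle` attribute; it is omitted here so the block compiles as a
/// plain Rust file.
macro_rules! fuzz_target {
    (|$data:ident: &[u8]| $body:block) => {
        #[allow(non_snake_case)]
        pub extern "C" fn LLVMFuzzerTestOneInput(data: *const u8, size: usize) -> i32 {
            // SAFETY: libFuzzer guarantees `data` points to `size` readable
            // bytes for the duration of this call. A zero-length input must
            // still carry a non-null, aligned pointer, which libFuzzer does.
            let $data: &[u8] = unsafe { ::std::slice::from_raw_parts(data, size) };
            // Catch any panic from the target body; libFuzzer expects a
            // crash to surface as an abort, not as an unwind through C.
            let result = ::std::panic::catch_unwind(::std::panic::AssertUnwindSafe(|| $body));
            if result.is_err() {
                ::std::process::abort();
            }
            0
        }
    };
}

/// Hypothetical routine under test: a record laid out as
/// `[len: u8][payload: len bytes]`. Truncated input yields None
/// rather than panicking, which is the property the fuzzer checks.
pub fn parse_record(data: &[u8]) -> Option<&[u8]> {
    let (&len, rest) = data.split_first()?;
    rest.get(..len as usize)
}

fuzz_target!(|data: &[u8]| {
    // Exercise the parser on the raw fuzzer input. An out-of-bounds
    // index or other panic here would be caught and turned into an abort.
    let _ = parse_record(data);
});

fn main() {
    // Constructed inputs standing in for what libFuzzer would feed in.
    let well_formed = [3u8, 0xaa, 0xbb, 0xcc];
    let truncated = [9u8, 0x01];
    for input in [&well_formed[..], &truncated[..], &[][..]] {
        let rc = LLVMFuzzerTestOneInput(input.as_ptr(), input.len());
        println!("input {:?} -> rc {}", input, rc);
    }
}
```

The entry point returns 0 for every input that does not panic; a defect in `parse_record` (for example replacing `rest.get(..)` with an indexing expression) would show up as an abort under the fuzzer rather than a silent unwind.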
This looks like it's copied from the qcow fuzzer, and it doesn't apply
to the block fuzzer. The actual behavior of the block fuzzer is
correctly described by the comment later in the file.
BUG=None
TEST=`USE='asan fuzzer' emerge-nami crosvm`
Change-Id: I9ccd6deba44af8b8df471ee0078ace385696151f
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1853698
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
The new USB descriptor parsing code is a nice candidate for a fuzzer,
since it takes an arbitrary stream of bytes as input and parses it.
BUG=chromium:987833
TEST=`USE='asan fuzzer' emerge-nami crosvm`
Cq-Depend: chromium:1863465
Change-Id: I3bbdbf081e9a9dd590c781467f8bd44fa1dcab64
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1862117
Reviewed-by: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
The new constructors are shorter and omit the bare `None` in the `anon`
call sites which gave no clues to the reader what the effect of that
`None` was. This should improve readability.
TEST=./build_test
BUG=None
Change-Id: I2e34e7df9a4ccc5da50edf4e963a6a42e3d84b22
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1797188
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Commit-Queue: Zach Reizner <zachr@chromium.org>
Tested-by: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
GuestMemory::new returns an error if the requested size is not divisible
by the page size. The zimage fuzzer was using a GuestMemory size based
on the size of the fuzzer input; however, it doesn't necessarily make
sense to limit the guest memory to the size of the input. Pick an
arbitrary 256 MB (matching the block fuzzer), which is also a page size
multiple to resolve the original issue.
BUG=chromium:977883
TEST=/usr/libexec/fuzzers/crosvm_zimage_fuzzer in cros_fuzz shell
Change-Id: I08c6be9d920bede18d67f8a1c5c39b9d37fb839c
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1645040
Tested-by: kokoro <noreply+kokoro@google.com>
When the input's length is not page aligned, round it up. This allows
the fuzzer to provide more random inputs without causing the `unwrap`
call to trigger false positives when creating guest memory.
BUG=chromium:972172
TEST=run fuzz case from the bug
Change-Id: Iaf8f2ba943f38b90e168301dbb8c15dee5ee45c8
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1659626
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
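The two commits above address the same failure mode from different angles: a guest-memory constructor rejects sizes that are not page multiples, and sizing it from the raw fuzzer input length turns that rejection into a false-positive crash on `unwrap`. The block below is an added example, not crosvm's code, showing both fixes side by side: rounding the length up to a page multiple with checked arithmetic (so an oversized length reports an error instead of wrapping), and the fixed 256 MB size. `mock_guest_memory_new`, `MemoryError` and the constant `PAGE_SIZE` of 4096 are assumptions standing in for the real constructor and the platform page size.

```rust
// Added example (not crosvm's code): sizing guest memory from fuzzer
// input without tripping the page-alignment check.

/// Constructed constant standing in for the platform page size.
const PAGE_SIZE: u64 = 4096;

#[derive(Debug, PartialEq)]
pub enum MemoryError {
    /// Requested size is not a multiple of the page size.
    NotPageAligned(u64),
    /// Size arithmetic overflowed.
    Overflow,
}

/// Stand-in for the real guest-memory constructor: it refuses sizes that
/// are not page multiples, the behaviour the commit message describes.
pub fn mock_guest_memory_new(size: u64) -> Result<u64, MemoryError> {
    if size % PAGE_SIZE != 0 {
        return Err(MemoryError::NotPageAligned(size));
    }
    Ok(size)
}

/// Round `len` up to the next page multiple. Checked addition makes a
/// huge fuzzer-derived length an explicit error rather than wrapping
/// to a small value that would silently pass the alignment check.
pub fn round_up_to_page(len: u64) -> Result<u64, MemoryError> {
    let rem = len % PAGE_SIZE;
    if rem == 0 {
        return Ok(len);
    }
    len.checked_add(PAGE_SIZE - rem).ok_or(MemoryError::Overflow)
}

/// Naive sizing: use the input length directly. Any input whose length
/// is not a page multiple fails here, which an unwrapping fuzzer would
/// report as a crash even though no bug in the code under test exists.
pub fn guest_mem_from_input_naive(input: &[u8]) -> Result<u64, MemoryError> {
    mock_guest_memory_new(input.len() as u64)
}

/// First fix: round the length up before constructing guest memory.
pub fn guest_mem_from_input_rounded(input: &[u8]) -> Result<u64, MemoryError> {
    mock_guest_memory_new(round_up_to_page(input.len() as u64)?)
}

/// Second fix: decouple the guest-memory size from the input entirely
/// and pick a fixed page multiple (256 MB, as the zimage fuzzer does).
pub const FIXED_GUEST_MEM_SIZE: u64 = 256 << 20;

fn main() {
    // Constructed fuzzer input of a length that is not page aligned.
    let input = vec![0u8; 100];
    println!("naive:   {:?}", guest_mem_from_input_naive(&input));
    println!("rounded: {:?}", guest_mem_from_input_rounded(&input));
    println!("fixed:   {:?}", mock_guest_memory_new(FIXED_GUEST_MEM_SIZE));
}
```

With a 100-byte input the naive path returns `NotPageAligned(100)`, the rounded path returns 4096, and the fixed-size path always succeeds regardless of what the fuzzer generates.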
After CL:1636685, the kernel_loader API is different - we need to pass a
File instead of just a slice to load_kernel().
Borrow and adapt the make_elf_bin() function from the kernel_loader
tests to create a shared memory file from a slice of bytes to fix the
fuzzer.
BUG=chromium:970981
TEST=USE='asan fuzzer' emerge-nami crosvm
Change-Id: Ic17f6479fb355d45063ce6292552cb1e5664831a
Signed-off-by: Daniel Verkamp <dverkamp@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1645039
Reviewed-by: Zach Reizner <zachr@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
In Rust 2018 edition, `extern crate` is no longer required for importing
from other crates. Instead of writing:
extern crate dep;
use dep::Thing;
we write:
use dep::Thing;
In this approach, macros are imported individually from the declaring
crate rather than through #[macro_use]. Before:
#[macro_use]
extern crate sys_util;
After:
use sys_util::{debug, error};
The only place that `extern crate` continues to be required is in
importing the compiler's proc_macro API into a procedural macro crate.
This will hopefully be fixed in a future Rust release.
extern crate proc_macro;
TEST=cargo check
TEST=cargo check --all-features
TEST=cargo check --target aarch64-unknown-linux-gnu
TEST=local kokoro
Change-Id: I0b43768c0d81f2a250b1959fb97ba35cbac56293
Reviewed-on: https://chromium-review.googlesource.com/1565302
Commit-Ready: David Tolnay <dtolnay@chromium.org>
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: David Tolnay <dtolnay@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: David Tolnay <dtolnay@chromium.org>
This may help reduce cases of conflicts between independent CLs each
appending a dependency at the bottom of the list, of which I hit two
today rebasing some of my open CLs.
TEST=cargo check --all-features
Change-Id: Ief10bb004cc7b44b107dc3841ce36c6b23632aed
Reviewed-on: https://chromium-review.googlesource.com/1557172
Commit-Ready: David Tolnay <dtolnay@chromium.org>
Tested-by: David Tolnay <dtolnay@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Separated out of CL:1513058 to make it possible to land parts
individually while the affected crate has no other significant CLs
pending. This avoids repeatedly introducing non-textual conflicts with
new code that adds `use` statements.
TEST=cargo check
TEST=cargo check --all-features
TEST=cargo check --target aarch64-unknown-linux-gnu
Change-Id: I355014ebd08bc2a655e1a1bbff56ecc90aa99ece
Reviewed-on: https://chromium-review.googlesource.com/1519695
Commit-Ready: David Tolnay <dtolnay@chromium.org>
Tested-by: David Tolnay <dtolnay@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: David Tolnay <dtolnay@chromium.org>
Fuzz using the data as a qcow image with an offset and value to write to
the image.
Change-Id: Iff8f2971ba716c93d978e33338ad62b5d487c115
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/871132
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
There is now infrastructure for running fuzzers in cros, use it.
Change-Id: I53ec9e195b7062fdcc38b5186c1f3194031037f3
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1521667
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Chirantan Ekbote <chirantan@chromium.org>
These are each their own workspace so I guess `cargo fmt` at the top
level of the repo does not hit them.
I checked that none of the other workspace roots currently need to be
reformatted.
TEST=cargo check
Change-Id: I734cbc0f909fd3c2138513d9539b917bce80c0a8
Reviewed-on: https://chromium-review.googlesource.com/1477496
Commit-Ready: David Tolnay <dtolnay@chromium.org>
Tested-by: David Tolnay <dtolnay@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Add a top level fuzz directory. Other fuzz tests will be added here in
subsequent commits.
For now fuzzing must be run manually. Soon there will be a way to
extract the fuzz artifacts and upload them to ClusterFuzz.
Change-Id: Iddfb55af78af6f412927b2221f22acb882069d36
Signed-off-by: Dylan Reid <dgreid@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/850851
Reviewed-by: Zach Reizner <zachr@chromium.org>