From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 7 Apr 2022 09:41:22 +0000
In-Reply-To: <20220407094123.1752236-1-ascull@google.com>
Message-Id: <20220407094123.1752236-11-ascull@google.com>
References: <20220407094123.1752236-1-ascull@google.com>
X-Mailer: git-send-email 2.35.1.1094.g7c7d902a7c-goog
Subject: [PATCH 10/11] fuzz: virtio: Add fuzzer for vring
From: Andrew Scull
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, seanga2@gmail.com, Andrew Scull
Content-Type: text/plain; charset="UTF-8"

Add a fuzzer to test the vring handling code against unexpected mutations from the virtio device. After building the sandbox with CONFIG_FUZZ=y, the fuzzer can be invoked by:

UBOOT_SB_FUZZ_TEST=fuzz_vring ./u-boot

This fuzzer finds unvalidated inputs in the vring driver that allow a buggy or malicious device to make the driver chase wild pointers.

Signed-off-by: Andrew Scull
---
 test/fuzz/Makefile |  1 +
 test/fuzz/virtio.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 test/fuzz/virtio.c

diff --git a/test/fuzz/Makefile b/test/fuzz/Makefile index 03eeeeb497..663b79ce80 100644 --- a/test/fuzz/Makefile +++ b/test/fuzz/Makefile @@ -5,3 +5,4 @@ # obj-$(CONFIG_$(SPL_)CMDLINE) += cmd_fuzz.o +obj-$(CONFIG_VIRTIO_SANDBOX) += virtio.o diff --git a/test/fuzz/virtio.c b/test/fuzz/virtio.c new file mode 100644 index 0000000000..e5363d5638 --- /dev/null +++ b/test/fuzz/virtio.c
@@ -0,0 +1,72 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (c) 2022 Google, Inc. + * Written by Andrew Scull + */ + +#include +#include +#include +#include +#include + +static int fuzz_vring(const uint8_t *data, size_t size) +{ + struct udevice *bus, *dev; + struct virtio_dev_priv *uc_priv; + struct virtqueue *vq; + struct virtio_sg sg[2]; + struct virtio_sg *sgs[2]; + unsigned int len; + u8 buffer[2][32]; + + /* hackily hardcode vring sizes */ + size_t num = 4; + size_t desc_size = (sizeof(struct vring_desc) * num); + size_t avail_size = (3 + num) * sizeof(u16); + size_t used_size = (3 * sizeof(u16)) + (sizeof(struct vring_used_elem) * num); + + if (size < (desc_size + avail_size + used_size)) + return 0; + + /* check probe success */ + if (uclass_first_device(UCLASS_VIRTIO, &bus) || !bus) + panic("Could not find virtio bus\n"); + + /* check the child virtio-rng device is bound */ + if (device_find_first_child(bus, &dev) || !dev) + panic("Could not find virtio device\n"); + + /* + * fake the virtio device probe by filling in uc_priv->vdev + * which is used by virtio_find_vqs/virtio_del_vqs. 
+ */ + uc_priv = dev_get_uclass_priv(bus); + uc_priv->vdev = dev; + + /* prepare the scatter-gather buffer */ + sg[0].addr = buffer[0]; + sg[0].length = sizeof(buffer[0]); + sg[1].addr = buffer[1]; + sg[1].length = sizeof(buffer[1]); + sgs[0] = &sg[0]; + sgs[1] = &sg[1]; + + if (virtio_find_vqs(dev, 1, &vq)) + panic("Could not find vqs\n"); + if (virtqueue_add(vq, sgs, 0, 1)) + panic("Could not add to virtqueue\n"); + /* Simulate device writing to vring */ + memcpy(vq->vring.desc, data, desc_size); + memcpy(vq->vring.avail, data + desc_size, avail_size); + memcpy(vq->vring.used, data + desc_size + avail_size, used_size); + /* Make sure there is a response */ + if (vq->vring.used->idx == 0) + vq->vring.used->idx = 1; + virtqueue_get_buf(vq, &len); + if (virtio_del_vqs(dev)) + panic("Could not delete vqs\n"); + + return 0; +} +FUZZ_TEST(fuzz_vring, 0); -- 2.35.1.1094.g7c7d902a7c-goog
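Review bot: in the test/fuzz/Makefile hunk, `+obj-$(CONFIG_VIRTIO_SANDBOX) += virtio.o` keys only on the sandbox virtio device being enabled, not on CONFIG_FUZZ, which the commit message names as the build prerequisite. If test/fuzz/ is only descended into under CONFIG_FUZZ in the parent Makefile (not visible in this patch) this is fine; if it is not, the fuzzer and its `FUZZ_TEST(fuzz_vring, 0)` registration get compiled into every sandbox build that has virtio, and the line should additionally be guarded on the fuzz config. Worth stating which of the two holds in the commit message either way.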
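Review bot: in the test/fuzz/virtio.c hunk, the ring geometry is fixed before the queue exists: `size_t num = 4;` (the comment itself flags it as "hackily hardcode vring sizes") is chosen ahead of `virtio_find_vqs()`, and the three `memcpy()` calls then copy `desc_size`, `avail_size` and `used_size` bytes into `vq->vring.desc`, `vq->vring.avail` and `vq->vring.used`. If the sandbox device reports a queue size other than 4, those copies either write past the rings the driver actually allocated (assumed num larger than real) or leave part of the real rings unmutated (assumed num smaller), so what the fuzzer can reach depends on a guess. Suggest calling `virtio_find_vqs()` first, deriving the three sizes from `vq->vring.num`, and on a too-short `size` running `virtio_del_vqs()` before the early `return 0`; the fuzz input layout then follows the queue under test. Minor: U-Boot uses `// SPDX-License-Identifier: GPL-2.0+` in .c files; the `/* ... */` form used here is the header-file convention.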
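Added example, not part of this patch or of U-Boot's vring driver: the bug class the commit message describes is a device rewriting descriptors so that the driver follows a wild index or address. The walk below shows the checks a driver-side chain traversal needs to reject such input before dereferencing anything. The descriptor layout follows the virtio split-ring spec; `walk_desc_chain`, `buf_range`, the ring size of 4 (matching the fuzzer's hardcoded num) and the buffer addresses 0x1000/0x2000 are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Split-ring descriptor as laid out by the virtio spec (modelled here). */
#define VRING_DESC_F_NEXT 1

struct vring_desc {
	uint64_t addr;
	uint32_t len;
	uint16_t flags;
	uint16_t next;
};

/* A buffer the driver itself handed to the device; the only memory a
 * descriptor written by the device may legitimately reference (assumption
 * made for this example). base + size is trusted not to wrap. */
struct buf_range {
	uint64_t base;
	uint64_t size;
};

/*
 * Walk the chain starting at head, validating each step:
 *  - the index is inside the ring (i < num),
 *  - the hop count never exceeds num, so a device-made cycle terminates,
 *  - addr..addr+len lies within a driver-owned buffer, computed without
 *    wrapping (len is compared against the room left, not addr + len).
 * Returns the chain length, or -1 if the device-written data is invalid.
 */
static int walk_desc_chain(const struct vring_desc *desc, uint16_t num,
			   uint16_t head, const struct buf_range *ranges,
			   size_t nranges)
{
	uint16_t i = head;
	int steps = 0;

	for (;;) {
		if (i >= num)
			return -1;	/* wild index: would read past the ring */
		if (++steps > num)
			return -1;	/* more hops than descriptors: a cycle */

		const struct vring_desc *d = &desc[i];
		bool inside = false;

		for (size_t r = 0; r < nranges; r++) {
			if (d->addr < ranges[r].base ||
			    d->addr > ranges[r].base + ranges[r].size)
				continue;
			uint64_t room = ranges[r].base + ranges[r].size - d->addr;
			if (d->len <= room) {
				inside = true;
				break;
			}
		}
		if (!inside)
			return -1;	/* addr/len points outside our buffers */
		if (!(d->flags & VRING_DESC_F_NEXT))
			return steps;
		i = d->next;
	}
}

/* Constructed sample ring: 4 entries, two 32-byte driver buffers. */
#define RING_NUM 4
static const struct buf_range sample_ranges[2] = {
	{ 0x1000, 32 },
	{ 0x2000, 32 },
};

/* Well-formed chain 0 -> 1, then end: length 2. */
static int check_valid_chain(void)
{
	struct vring_desc d[RING_NUM] = {
		{ 0x1000, 32, VRING_DESC_F_NEXT, 1 },
		{ 0x2000, 32, 0, 0 },
	};
	return walk_desc_chain(d, RING_NUM, 0, sample_ranges, 2);
}

/* Device sets next beyond the ring: rejected instead of dereferenced. */
static int check_wild_next(void)
{
	struct vring_desc d[RING_NUM] = {
		{ 0x1000, 32, VRING_DESC_F_NEXT, 200 },
	};
	return walk_desc_chain(d, RING_NUM, 0, sample_ranges, 2);
}

/* Device builds a cycle 0 -> 1 -> 0: walk terminates with an error. */
static int check_cycle(void)
{
	struct vring_desc d[RING_NUM] = {
		{ 0x1000, 32, VRING_DESC_F_NEXT, 1 },
		{ 0x2000, 32, VRING_DESC_F_NEXT, 0 },
	};
	return walk_desc_chain(d, RING_NUM, 0, sample_ranges, 2);
}

/* Device rewrites addr to memory the driver never offered it. */
static int check_foreign_addr(void)
{
	struct vring_desc d[RING_NUM] = {
		{ 0xdead0000ULL, 32, 0, 0 },
	};
	return walk_desc_chain(d, RING_NUM, 0, sample_ranges, 2);
}

int main(void)
{
	printf("valid=%d wild_next=%d cycle=%d foreign=%d\n",
	       check_valid_chain(), check_wild_next(),
	       check_cycle(), check_foreign_addr());
	return 0;
}
```

The three failing cases are exactly the mutations a fuzzer feeding arbitrary bytes into `vring.desc` produces most readily; a driver that applies these checks turns each of them into a clean error return instead of a wild read.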