From: Andrew Scull <ascull@google.com>
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, xypron.glpk@gmx.de, Andrew Scull <ascull@google.com>
Subject: [PATCH v2 11/12] fuzz: virtio: Add fuzzer for vring
Date: Thu, 14 Apr 2022 13:59:40 +0000 [thread overview]
Message-ID: <20220414135941.1732585-12-ascull@google.com> (raw)
In-Reply-To: <20220414135941.1732585-1-ascull@google.com>
Add a fuzzer to test the vring handling code against unexpected
mutations from the virtio device.
After building the sandbox with CONFIG_FUZZ=y, the fuzzer can be invoked
with by:
UBOOT_SB_FUZZ_TEST=fuzz_vring ./u-boot
This fuzzer finds unvalidated inputs in the vring driver that allow a
buggy or malicious device to make the driver chase wild pointers.
Signed-off-by: Andrew Scull <ascull@google.com>
---
test/fuzz/Makefile | 1 +
test/fuzz/virtio.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 73 insertions(+)
create mode 100644 test/fuzz/virtio.c
diff --git a/test/fuzz/Makefile b/test/fuzz/Makefile
index 03eeeeb497..663b79ce80 100644
--- a/test/fuzz/Makefile
+++ b/test/fuzz/Makefile
@@ -5,3 +5,4 @@
#
obj-$(CONFIG_$(SPL_)CMDLINE) += cmd_fuzz.o
+obj-$(CONFIG_VIRTIO_SANDBOX) += virtio.o
diff --git a/test/fuzz/virtio.c b/test/fuzz/virtio.c
new file mode 100644
index 0000000000..e5363d5638
--- /dev/null
+++ b/test/fuzz/virtio.c
@@ -0,0 +1,72 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/*
+ * Copyright (c) 2022 Google, Inc.
+ * Written by Andrew Scull <ascull@google.com>
+ */
+
+#include <common.h>
+#include <dm.h>
+#include <virtio.h>
+#include <virtio_ring.h>
+#include <test/fuzz.h>
+
+static int fuzz_vring(const uint8_t *data, size_t size)
+{
+ struct udevice *bus, *dev;
+ struct virtio_dev_priv *uc_priv;
+ struct virtqueue *vq;
+ struct virtio_sg sg[2];
+ struct virtio_sg *sgs[2];
+ unsigned int len;
+ u8 buffer[2][32];
+
+ /* hackily hardcode vring sizes */
+ size_t num = 4;
+ size_t desc_size = (sizeof(struct vring_desc) * num);
+ size_t avail_size = (3 + num) * sizeof(u16);
+ size_t used_size = (3 * sizeof(u16)) + (sizeof(struct vring_used_elem) * num);
+
+ if (size < (desc_size + avail_size + used_size))
+ return 0;
+
+ /* check probe success */
+ if (uclass_first_device(UCLASS_VIRTIO, &bus) || !bus)
+ panic("Could not find virtio bus\n");
+
+ /* check the child virtio-rng device is bound */
+ if (device_find_first_child(bus, &dev) || !dev)
+ panic("Could not find virtio device\n");
+
+ /*
+ * fake the virtio device probe by filling in uc_priv->vdev
+ * which is used by virtio_find_vqs/virtio_del_vqs.
+ */
+ uc_priv = dev_get_uclass_priv(bus);
+ uc_priv->vdev = dev;
+
+ /* prepare the scatter-gather buffer */
+ sg[0].addr = buffer[0];
+ sg[0].length = sizeof(buffer[0]);
+ sg[1].addr = buffer[1];
+ sg[1].length = sizeof(buffer[1]);
+ sgs[0] = &sg[0];
+ sgs[1] = &sg[1];
+
+ if (virtio_find_vqs(dev, 1, &vq))
+ panic("Could not find vqs\n");
+ if (virtqueue_add(vq, sgs, 0, 1))
+ panic("Could not add to virtqueue\n");
+ /* Simulate device writing to vring */
+ memcpy(vq->vring.desc, data, desc_size);
+ memcpy(vq->vring.avail, data + desc_size, avail_size);
+ memcpy(vq->vring.used, data + desc_size + avail_size, used_size);
+ /* Make sure there is a response */
+ if (vq->vring.used->idx == 0)
+ vq->vring.used->idx = 1;
+ virtqueue_get_buf(vq, &len);
+ if (virtio_del_vqs(dev))
+ panic("Could not delete vqs\n");
+
+ return 0;
+}
+FUZZ_TEST(fuzz_vring, 0);
--
2.35.1.1178.g4f1659d476-goog
next prev parent reply other threads:[~2022-04-14 14:02 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-14 13:59 [PATCH 00/11] Fuzzing and ASAN for sandbox Andrew Scull
2022-04-14 13:59 ` [PATCH v2 01/12] sandbox: Fix EFI runtime symbol placement Andrew Scull
2022-04-14 13:59 ` [PATCH v2 02/12] sandbox: Rename EFI runtime sections Andrew Scull
2022-04-14 13:59 ` [PATCH v2 03/12] sandbox: Migrate getopt section to linker list Andrew Scull
2022-04-29 15:11 ` Tom Rini
2022-05-02 16:24 ` Andrew Scull
2022-05-02 16:27 ` Tom Rini
2022-05-15 20:37 ` Andrew Scull
2022-05-16 10:47 ` Andrew Scull
2022-04-14 13:59 ` [PATCH v2 04/12] linker_lists: Rename sections to remove . prefix Andrew Scull
2022-05-17 8:06 ` Heinrich Schuchardt
2022-05-18 7:02 ` Andrew Scull
2022-04-14 13:59 ` [PATCH v2 05/12] sandbox: Add support for Address Sanitizer Andrew Scull
2022-04-14 13:59 ` [PATCH v2 06/12] fuzzing_engine: Add fuzzing engine uclass Andrew Scull
2022-04-14 13:59 ` [PATCH v2 07/12] test: fuzz: Add framework for fuzzing Andrew Scull
2022-04-14 13:59 ` [PATCH v2 08/12] sandbox: Decouple program entry from sandbox init Andrew Scull
2022-04-14 13:59 ` [PATCH v2 09/12] sandbox: Add libfuzzer integration Andrew Scull
2022-04-14 13:59 ` [PATCH v2 10/12] sandbox: Implement fuzzing engine driver Andrew Scull
2022-04-14 13:59 ` Andrew Scull [this message]
2022-04-14 13:59 ` [PATCH v2 12/12] virtio_ring: Reduce logging noise Andrew Scull
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220414135941.1732585-12-ascull@google.com \
--to=ascull@google.com \
--cc=sjg@chromium.org \
--cc=u-boot@lists.denx.de \
--cc=xypron.glpk@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox