Date: Mon, 30 May 2022 10:00:13 +0000
From: Andrew Scull
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, trini@konsulko.com, xypron.glpk@gmx.de, jonbottarini@google.com, seanga2@gmail.com, Andrew Scull
Subject: [PATCH v3 13/13] fuzz: virtio: Add fuzzer for vring
Message-Id: <20220530100013.3753780-14-ascull@google.com>
In-Reply-To: <20220530100013.3753780-1-ascull@google.com>

Add a fuzzer to test the vring handling code against unexpected mutations from the virtio device.

After building the sandbox with CONFIG_FUZZ=y, the fuzzer can be invoked by:

UBOOT_SB_FUZZ_TEST=fuzz_vring ./u-boot

This fuzzer finds unvalidated inputs in the vring driver that allow a buggy or malicious device to make the driver chase wild pointers.

Signed-off-by: Andrew Scull
--- test/fuzz/Makefile | 1 + test/fuzz/virtio.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 test/fuzz/virtio.c diff --git a/test/fuzz/Makefile b/test/fuzz/Makefile index 03eeeeb497..663b79ce80 100644 --- a/test/fuzz/Makefile +++ b/test/fuzz/Makefile @@ -5,3 +5,4 @@ # obj-$(CONFIG_$(SPL_)CMDLINE) += cmd_fuzz.o +obj-$(CONFIG_VIRTIO_SANDBOX) += virtio.o diff --git a/test/fuzz/virtio.c b/test/fuzz/virtio.c new file mode 100644 index 0000000000..e5363d5638 --- /dev/null +++ b/test/fuzz/virtio.c 
@@ -0,0 +1,72 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (c) 2022 Google, Inc. + * Written by Andrew Scull + */ + +#include +#include +#include +#include +#include + +static int fuzz_vring(const uint8_t *data, size_t size) +{ + struct udevice *bus, *dev; + struct virtio_dev_priv *uc_priv; + struct virtqueue *vq; + struct virtio_sg sg[2]; + struct virtio_sg *sgs[2]; + unsigned int len; + u8 buffer[2][32]; + + /* hackily hardcode vring sizes */ + size_t num = 4; + size_t desc_size = (sizeof(struct vring_desc) * num); + size_t avail_size = (3 + num) * sizeof(u16); + size_t used_size = (3 * sizeof(u16)) + (sizeof(struct vring_used_elem) * num); + + if (size < (desc_size + avail_size + used_size)) + return 0; + + /* check probe success */ + if (uclass_first_device(UCLASS_VIRTIO, &bus) || !bus) + panic("Could not find virtio bus\n"); + + /* check the child virtio-rng device is bound */ + if (device_find_first_child(bus, &dev) || !dev) + panic("Could not find virtio device\n"); + + /* + * fake the virtio device probe by filling in uc_priv->vdev + * which is used by virtio_find_vqs/virtio_del_vqs. 
+ */ + uc_priv = dev_get_uclass_priv(bus); + uc_priv->vdev = dev; + + /* prepare the scatter-gather buffer */ + sg[0].addr = buffer[0]; + sg[0].length = sizeof(buffer[0]); + sg[1].addr = buffer[1]; + sg[1].length = sizeof(buffer[1]); + sgs[0] = &sg[0]; + sgs[1] = &sg[1]; + + if (virtio_find_vqs(dev, 1, &vq)) + panic("Could not find vqs\n"); + if (virtqueue_add(vq, sgs, 0, 1)) + panic("Could not add to virtqueue\n"); + /* Simulate device writing to vring */ + memcpy(vq->vring.desc, data, desc_size); + memcpy(vq->vring.avail, data + desc_size, avail_size); + memcpy(vq->vring.used, data + desc_size + avail_size, used_size); + /* Make sure there is a response */ + if (vq->vring.used->idx == 0) + vq->vring.used->idx = 1; + virtqueue_get_buf(vq, &len); + if (virtio_del_vqs(dev)) + panic("Could not delete vqs\n"); + + return 0; +} +FUZZ_TEST(fuzz_vring, 0); -- 2.36.1.124.g0e6072fb45-goog
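Review bot: in the test/fuzz/Makefile hunk the new object is guarded only by CONFIG_VIRTIO_SANDBOX, while the commit message says the fuzzer needs a CONFIG_FUZZ=y build; that is fine if the parent Makefile only descends into test/fuzz/ under CONFIG_FUZZ (the existing cmd_fuzz.o rule suggests it does), but since virtio.c registers a FUZZ_TEST, either note that in the commit message or make the guard explicit so a plain sandbox virtio build cannot pick the file up by accident.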
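Review bot: in fuzz_vring() the ring geometry is hard-coded (num = 4, acknowledged by the "hackily hardcode" comment) and desc_size/avail_size/used_size are computed before virtio_find_vqs() creates the queue, so if the sandbox device ever reports a different queue size the three memcpy() calls into vq->vring.desc/avail/used would no longer match the real ring layout. Consider calling virtio_find_vqs() first, deriving the sizes from vq->vring.num (or the vring size helper the driver already uses), and only then checking `size` and bailing out through virtio_del_vqs(). Two smaller points: the return value of virtqueue_get_buf(vq, &len) is discarded, and asserting that it is NULL or one of the buffers the harness added would let the fuzzer report a corrupted completion even on inputs that do not crash; and a short comment above the size check documenting the input layout (descriptor table, then avail ring, then used ring) would make the `data + desc_size` / `data + desc_size + avail_size` offsets self-explanatory.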
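Added example, not U-Boot code and not part of this patch: a minimal split-vring consumer in plain C that shows the checks a driver-side virtqueue_get_buf() needs before it trusts a used-ring entry written by the device, which is the class of missing validation the fuzzer in this patch is designed to find. The struct layouts follow the virtio 1.x split-ring layout but are constructed here with a fixed ring size; VQ_NUM, the toy_vq type, vq_take_used(), vq_chain_len() and the scenario_* functions are all assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define VQ_NUM 4u                 /* constructed: fixed ring size for the example */
#define VRING_DESC_F_NEXT 1u      /* descriptor continues in .next (virtio spec) */

/* Split-ring structures; the device may write any of these in the fuzzer's model. */
struct vring_desc { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; };
struct vring_used_elem { uint32_t id; uint32_t len; };
struct vring_used { uint16_t flags; uint16_t idx; struct vring_used_elem ring[VQ_NUM]; };

/* Toy virtqueue: shared rings plus driver-private bookkeeping. */
struct toy_vq {
	struct vring_desc desc[VQ_NUM];  /* device-visible descriptor table */
	struct vring_used used;          /* device-written used ring */
	uint16_t last_used_idx;          /* driver-private consumer cursor */
	void *data[VQ_NUM];              /* driver-private token per head, NULL if free */
};

/*
 * Walk a descriptor chain, bounding both the index and the number of hops,
 * so a rewritten .next can neither index past the table nor loop forever.
 * Returns the chain length or -1 if the chain is malformed.
 */
static int vq_chain_len(const struct toy_vq *vq, unsigned int head)
{
	unsigned int i = head, hops = 0;

	for (;;) {
		if (i >= VQ_NUM || hops >= VQ_NUM)
			return -1;
		hops++;
		if (!(vq->desc[i].flags & VRING_DESC_F_NEXT))
			return (int)hops;
		i = vq->desc[i].next;
	}
}

/*
 * Consume one used-ring entry. Returns the head index on success, -1 when the
 * device has posted nothing new, -2 when the entry is rejected. A real driver
 * also needs a read barrier between loading used.idx and the ring element.
 */
static int vq_take_used(struct toy_vq *vq, unsigned int *out_len)
{
	unsigned int slot = vq->last_used_idx % VQ_NUM;
	uint32_t id;

	if (vq->used.idx == vq->last_used_idx)
		return -1;
	id = vq->used.ring[slot].id;
	if (id >= VQ_NUM)                 /* wild head index */
		return -2;
	if (!vq->data[id])                /* head the driver never posted (or replayed) */
		return -2;
	if (vq_chain_len(vq, id) < 0)     /* descriptor table corrupted by the device */
		return -2;
	*out_len = vq->used.ring[slot].len;
	vq->data[id] = NULL;              /* head is free again */
	vq->last_used_idx++;
	return (int)id;
}

static struct toy_vq g_vq;

/* Constructed state: the driver has posted head 0 (chain 0 -> 1) and nothing else. */
static void reset_vq(void)
{
	memset(&g_vq, 0, sizeof g_vq);
	g_vq.desc[0].flags = VRING_DESC_F_NEXT;
	g_vq.desc[0].next = 1;
	g_vq.data[0] = &g_vq;             /* any non-NULL token marks head 0 as outstanding */
}

/* Well-behaved device: completes head 0 with 32 bytes. Returns 1 on the expected outcome. */
int scenario_valid_completion(void)
{
	unsigned int len = 0;
	reset_vq();
	g_vq.used.ring[0].id = 0;
	g_vq.used.ring[0].len = 32;
	g_vq.used.idx = 1;
	return vq_take_used(&g_vq, &len) == 0 && len == 32 && g_vq.last_used_idx == 1;
}

/* Mutated used ring: id beyond the table, the case that makes an unchecked driver chase a wild pointer. */
int scenario_wild_id(void)
{
	unsigned int len = 0;
	reset_vq();
	g_vq.used.ring[0].id = 7;
	g_vq.used.idx = 1;
	return vq_take_used(&g_vq, &len) == -2 && g_vq.last_used_idx == 0;
}

/* In-range id that the driver never handed to the device. */
int scenario_unposted_head(void)
{
	unsigned int len = 0;
	reset_vq();
	g_vq.used.ring[0].id = 2;
	g_vq.used.idx = 1;
	return vq_take_used(&g_vq, &len) == -2;
}

/* Device rewrote the descriptor table into a cycle 0 -> 1 -> 0. */
int scenario_chain_loop(void)
{
	unsigned int len = 0;
	reset_vq();
	g_vq.desc[1].flags = VRING_DESC_F_NEXT;
	g_vq.desc[1].next = 0;
	g_vq.used.ring[0].id = 0;
	g_vq.used.idx = 1;
	return vq_take_used(&g_vq, &len) == -2;
}
```

The three rejections map onto the three things the fuzzer can mutate from the device side: the used element's id, the driver's own notion of which heads are outstanding (via data[]), and the descriptor table itself; keeping the consumer cursor unchanged on rejection means a hostile completion cannot advance the ring past legitimate entries.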