Date: Thu, 14 Apr 2022 13:59:40 +0000
In-Reply-To: <20220414135941.1732585-1-ascull@google.com>
Message-Id: <20220414135941.1732585-12-ascull@google.com>
References: <20220414135941.1732585-1-ascull@google.com>
Subject: [PATCH v2 11/12] fuzz: virtio: Add fuzzer for vring
From: Andrew Scull
To: u-boot@lists.denx.de
Cc: sjg@chromium.org, xypron.glpk@gmx.de, Andrew Scull

Add a fuzzer to test the vring handling code against unexpected mutations from the virtio device. After building the sandbox with CONFIG_FUZZ=y, the fuzzer can be invoked by:

    UBOOT_SB_FUZZ_TEST=fuzz_vring ./u-boot

This fuzzer finds unvalidated inputs in the vring driver that allow a buggy or malicious device to make the driver chase wild pointers.

Signed-off-by: Andrew Scull
---
 test/fuzz/Makefile | 1 +
 test/fuzz/virtio.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 test/fuzz/virtio.c

diff --git a/test/fuzz/Makefile b/test/fuzz/Makefile index 03eeeeb497..663b79ce80 100644 --- a/test/fuzz/Makefile +++ b/test/fuzz/Makefile @@ -5,3 +5,4 @@ # obj-$(CONFIG_$(SPL_)CMDLINE) += cmd_fuzz.o +obj-$(CONFIG_VIRTIO_SANDBOX) += virtio.o diff --git a/test/fuzz/virtio.c b/test/fuzz/virtio.c new file mode 100644 index 0000000000..e5363d5638 --- /dev/null +++ b/test/fuzz/virtio.c 
@@ -0,0 +1,72 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* + * Copyright (c) 2022 Google, Inc. + * Written by Andrew Scull + */ + +#include +#include +#include +#include +#include + +static int fuzz_vring(const uint8_t *data, size_t size) +{ + struct udevice *bus, *dev; + struct virtio_dev_priv *uc_priv; + struct virtqueue *vq; + struct virtio_sg sg[2]; + struct virtio_sg *sgs[2]; + unsigned int len; + u8 buffer[2][32]; + + /* hackily hardcode vring sizes */ + size_t num = 4; + size_t desc_size = (sizeof(struct vring_desc) * num); + size_t avail_size = (3 + num) * sizeof(u16); + size_t used_size = (3 * sizeof(u16)) + (sizeof(struct vring_used_elem) * num); + + if (size < (desc_size + avail_size + used_size)) + return 0; + + /* check probe success */ + if (uclass_first_device(UCLASS_VIRTIO, &bus) || !bus) + panic("Could not find virtio bus\n"); + + /* check the child virtio-rng device is bound */ + if (device_find_first_child(bus, &dev) || !dev) + panic("Could not find virtio device\n"); + + /* + * fake the virtio device probe by filling in uc_priv->vdev + * which is used by virtio_find_vqs/virtio_del_vqs. 
+ */ + uc_priv = dev_get_uclass_priv(bus); + uc_priv->vdev = dev; + + /* prepare the scatter-gather buffer */ + sg[0].addr = buffer[0]; + sg[0].length = sizeof(buffer[0]); + sg[1].addr = buffer[1]; + sg[1].length = sizeof(buffer[1]); + sgs[0] = &sg[0]; + sgs[1] = &sg[1]; + + if (virtio_find_vqs(dev, 1, &vq)) + panic("Could not find vqs\n"); + if (virtqueue_add(vq, sgs, 0, 1)) + panic("Could not add to virtqueue\n"); + /* Simulate device writing to vring */ + memcpy(vq->vring.desc, data, desc_size); + memcpy(vq->vring.avail, data + desc_size, avail_size); + memcpy(vq->vring.used, data + desc_size + avail_size, used_size); + /* Make sure there is a response */ + if (vq->vring.used->idx == 0) + vq->vring.used->idx = 1; + virtqueue_get_buf(vq, &len); + if (virtio_del_vqs(dev)) + panic("Could not delete vqs\n"); + + return 0; +} +FUZZ_TEST(fuzz_vring, 0); -- 2.35.1.1178.g4f1659d476-goog
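Review bot: in fuzz_vring() the ring geometry is hardcoded (num = 4, with desc_size, avail_size and used_size derived from it) and never compared with the queue that virtio_find_vqs() actually returns, so if the sandbox device reports a different queue size the three memcpy() calls into vq->vring.desc, vq->vring.avail and vq->vring.used either write past the ring allocation or leave part of the ring unfuzzed. Suggest computing the sizes from vq->vring.num after virtio_find_vqs() (returning 0 when size is too small at that point), or at minimum guarding the copies with `if (vq->vring.num != num) panic("unexpected vring size\n");`. Minor: the used_size initialiser runs past 80 columns; splitting it after the first term keeps checkpatch quiet.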
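An added example, not part of this patch or of U-Boot: a stand-alone model of the descriptor-index checks that close the wild-pointer class this fuzzer hunts for. The struct layouts follow the split-vring format but are defined locally, and the sample rings are constructed to exercise an out-of-range index and a looping chain.

```c
/* Stand-alone model of a split vring (local definitions, not U-Boot's headers)
 * showing the bounds and loop checks a driver must apply to device-written
 * descriptor chains before following them. */
#include <stdint.h>
#include <stdio.h>
#define VRING_DESC_F_NEXT 1
struct vring_desc { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; };
struct vring_used_elem { uint32_t id; uint32_t len; };

/* Walk the chain starting at head. Returns its length, or -1 when an index
 * falls outside the table or the chain revisits itself (a cycle). */
static int vring_chain_validate(const struct vring_desc *desc, unsigned int num,
				unsigned int head)
{
	unsigned int i = head, steps = 0;

	for (;;) {
		if (i >= num)		/* wild index: would read past the table */
			return -1;
		if (++steps > num)	/* more hops than descriptors: a loop */
			return -1;
		if (!(desc[i].flags & VRING_DESC_F_NEXT))
			return steps;
		i = desc[i].next;
	}
}

/* Check a used-ring element's id before the driver trusts it as a chain head. */
static int vring_used_validate(const struct vring_desc *desc, unsigned int num,
			       const struct vring_used_elem *elem)
{
	return elem->id >= num ? -1 : vring_chain_validate(desc, num, elem->id);
}

/* Constructed rings of four descriptors, matching the fuzzer's hardcoded size. */
static const struct vring_desc good[4] = {
	{ 0x1000, 32, VRING_DESC_F_NEXT, 1 }, { 0x2000, 32, 0, 0 } };
static const struct vring_desc wild[4] = { { 0x1000, 32, VRING_DESC_F_NEXT, 200 } };
static const struct vring_desc loop[4] = {
	{ 0x1000, 32, VRING_DESC_F_NEXT, 1 }, { 0x2000, 32, VRING_DESC_F_NEXT, 0 } };
static const struct vring_used_elem used_bad = { 9, 64 };	/* id beyond num */

int main(void)
{
	printf("good=%d wild=%d loop=%d used_bad=%d\n", vring_chain_validate(good, 4, 0),
	       vring_chain_validate(wild, 4, 0), vring_chain_validate(loop, 4, 0),
	       vring_used_validate(good, 4, &used_bad));
	return 0;
}
```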