Skip to content

Commit 477abe8

Browse files
committed
feat(virtq): add virtio-villain inspired packed virtq coverage
Map applicable packed ring cases into deterministic in process virtq tests, add high-level producer/consumer safety coverage, and add a packed-ring fuzz target with binary seed inputs. See: https://github.com/weltling/virtio-villain/tree/main/tests/vring Signed-off-by: Tomasz Andrzejak <andreiltd@gmail.com>
1 parent 66a2913 commit 477abe8

17 files changed

Lines changed: 1168 additions & 6 deletions

File tree

.github/workflows/Fuzzing.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ jobs:
2222
strategy:
2323
fail-fast: false
2424
matrix:
25-
target: ['fuzz_host_print', 'fuzz_guest_call', 'fuzz_host_call', 'fuzz_guest_estimate_trace_event', 'fuzz_guest_trace']
25+
target: ['fuzz_host_print', 'fuzz_guest_call', 'fuzz_host_call', 'fuzz_guest_estimate_trace_event', 'fuzz_guest_trace', 'fuzz_virtq_packed_ring']
2626
uses: ./.github/workflows/dep_fuzzing.yml
2727
with:
2828
target: ${{ matrix.target }}

.github/workflows/ValidatePullRequest.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -214,7 +214,7 @@ jobs:
214214
if: ${{ !cancelled() && !failure() }}
215215
strategy:
216216
matrix:
217-
target: ['fuzz_host_print', 'fuzz_guest_call', 'fuzz_host_call', 'fuzz_guest_estimate_trace_event', 'fuzz_guest_trace']
217+
target: ['fuzz_host_print', 'fuzz_guest_call', 'fuzz_host_call', 'fuzz_guest_estimate_trace_event', 'fuzz_guest_trace', 'fuzz_virtq_packed_ring']
218218
arch:
219219
- X64
220220
# arm64 fuzzing runs on the daily schedule (DailyArm64.yml) instead of on

Justfile

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -218,6 +218,7 @@ like-ci config=default-target hypervisor="kvm":
218218
just fuzz-like-ci fuzz_host_call {{config}} {{hypervisor}}
219219
just fuzz-like-ci fuzz_guest_estimate_trace_event {{config}} {{hypervisor}}
220220
just fuzz-like-ci fuzz_guest_trace {{config}} {{hypervisor}}
221+
just fuzz-like-ci fuzz_virtq_packed_ring {{config}} {{hypervisor}}
221222

222223
@# spelling
223224
typos

fuzz/.gitignore

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,7 @@
11
target
2-
corpus
2+
corpus/*
3+
!corpus/fuzz_virtq_packed_ring/
4+
corpus/fuzz_virtq_packed_ring/*
5+
!corpus/fuzz_virtq_packed_ring/*.bin
36
artifacts
47
coverage

fuzz/Cargo.toml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,13 @@ test = false
4848
doc = false
4949
bench = false
5050

51+
[[bin]]
52+
name = "fuzz_virtq_packed_ring"
53+
path = "fuzz_targets/virtq_packed_ring.rs"
54+
test = false
55+
doc = false
56+
bench = false
57+
5158
[features]
5259
default = []
5360
trace = ["hyperlight-host/trace_guest", "hyperlight-common/trace_guest"]

fuzz/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ which evaluates to the following command `cargo +nightly fuzz run fuzz_host_prin
1010

1111
As per Microsoft's Offensive Research & Security Engineering (MORSE) team, all host exposed functions that receive or interact with guest data must be continuously fuzzed for, at least, 500 million fuzz test cases without any crashes. Because `cargo-fuzz` doesn't support setting a maximum number of iterations; instead, we use the `--max_total_time` flag to set a maximum time to run the fuzzer. We have a GitHub action (acting like a CRON job) that runs the fuzzers for 24 hours every week.
1212

13-
Currently, we fuzz the parameters and return type to a hardcoded `PrintOutput` guest function, and the `HostPrint` host function. We plan to add more fuzzers in the future.
13+
Currently, we fuzz the parameters and return type to a hardcoded `PrintOutput` guest function, the `HostPrint` host function, and the packed virtqueue ring parser. We plan to add more fuzzers in the future.
1414

1515
## On Failure
1616

28 Bytes
Binary file not shown.
28 Bytes
Binary file not shown.
160 Bytes
Binary file not shown.
28 Bytes
Binary file not shown.

0 commit comments

Comments
 (0)