1 /*
2 * Copyright 2021 Google LLC
3 * SPDX-License-Identifier: MIT
4 */
5
6 #include <stdbool.h>
7 #include <stddef.h>
8 #include <stdint.h>
9 #include <stdlib.h>
10
11 #include "util/macros.h"
12 #include "virglrenderer.h"
13 #include "virglrenderer_hw.h"
14
15 int
16 LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
17
18 struct fuzz_renderer {
19 bool initialized;
20 };
21
22 static void
fuzz_atexit_callback(void)23 fuzz_atexit_callback(void)
24 {
25 virgl_renderer_cleanup(NULL);
26 }
27
28 static void
fuzz_debug_callback(UNUSED const char * fmt,UNUSED va_list ap)29 fuzz_debug_callback(UNUSED const char *fmt, UNUSED va_list ap)
30 {
31 /* no logging */
32 }
33
34 static void
fuzz_write_context_fence(UNUSED void * cookie,UNUSED uint32_t ctx_id,UNUSED uint32_t ring_idx,UNUSED uint64_t fence_id)35 fuzz_write_context_fence(UNUSED void *cookie,
36 UNUSED uint32_t ctx_id,
37 UNUSED uint32_t ring_idx,
38 UNUSED uint64_t fence_id)
39 {
40
41 }
42
43
44 static struct virgl_renderer_callbacks callbacks = {
45 .version = 3,
46 .write_context_fence = fuzz_write_context_fence,
47 };
48
49 static struct fuzz_renderer *
fuzz_renderer_get(void)50 fuzz_renderer_get(void)
51 {
52 static struct fuzz_renderer renderer;
53 if (renderer.initialized)
54 return &renderer;
55
56 int flags = VIRGL_RENDERER_NO_VIRGL | VIRGL_RENDERER_DRM |
57 VIRGL_RENDERER_ASYNC_FENCE_CB;
58 int ret =
59 virgl_renderer_init(NULL, flags, &callbacks);
60 if (ret)
61 abort();
62
63 virgl_set_debug_callback(fuzz_debug_callback);
64
65 atexit(fuzz_atexit_callback);
66
67 renderer.initialized = true;
68 return &renderer;
69 }
70
71 static uint32_t
fuzz_context_create(UNUSED struct fuzz_renderer * renderer)72 fuzz_context_create(UNUSED struct fuzz_renderer *renderer)
73 {
74 const uint32_t ctx_id = 1;
75 const char name[] = "virgl_drm_fuzzer";
76 int ret = virgl_renderer_context_create_with_flags(ctx_id, VIRGL_RENDERER_CAPSET_DRM,
77 sizeof(name), name);
78 if (ret)
79 abort();
80
81 return ctx_id;
82 }
83
84 static void
fuzz_context_destroy(UNUSED struct fuzz_renderer * renderer,uint32_t ctx_id)85 fuzz_context_destroy(UNUSED struct fuzz_renderer *renderer, uint32_t ctx_id)
86 {
87 virgl_renderer_context_destroy(ctx_id);
88 }
89
90 static void
fuzz_context_submit(UNUSED struct fuzz_renderer * renderer,uint32_t ctx_id,const uint8_t * data,size_t size)91 fuzz_context_submit(UNUSED struct fuzz_renderer *renderer,
92 uint32_t ctx_id,
93 const uint8_t *data,
94 size_t size)
95 {
96 /* We'll not be able to hit some codepaths without shmem buffer setup..
97 * but we'd also like to hit any potential errors that could come from
98 * malicious input before shmem is setup. So run the same input twice,
99 * once before and once after shmem setup.
100 */
101 virgl_renderer_submit_cmd((void *)data, ctx_id, size / 4);
102 virgl_renderer_resource_create_blob(&(struct virgl_renderer_resource_create_blob_args){
103 .res_handle = 1,
104 .ctx_id = ctx_id,
105 .size = 0x1000,
106 });
107 virgl_renderer_submit_cmd((void *)data, ctx_id, size / 4);
108 }
109
110 int
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)111 LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
112 {
113 struct fuzz_renderer *renderer = fuzz_renderer_get();
114
115 const uint32_t ctx_id = fuzz_context_create(renderer);
116 fuzz_context_submit(renderer, ctx_id, data, size);
117 fuzz_context_destroy(renderer, ctx_id);
118
119 return 0;
120 }
121