vtest: set a maximum cmd length to avoid fuzzer memory errors

Signed-off-by: David Riley <davidriley@chromium.org> Reviewed-By: Gert Wollny <gert.wollny@collabora.com>
6 years ago · 1fdc471e29
parent a4ae3e4a2b
commit 1fdc471e29
3 changed files with 32 additions and 1 deletions
--- a/vtest/vtest.h
+++ b/vtest/vtest.h
@ -71,5 +71,7 @@ int vtest_protocol_version(uint32_t length_dw);

 void vtest_destroy_renderer(void);

+void vtest_set_max_length(uint32_t length);
+
 #endif

--- a/vtest/vtest_fuzzer.c
+++ b/vtest/vtest_fuzzer.c
@ -140,6 +140,9 @@ static void vtest_fuzzer_run_renderer(int out_fd, struct vtest_input *input,

 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 {
+   /* Limit unbounded allocations under fuzzer default limits. */
+   vtest_set_max_length(256 * 1024 * 1024);
+
   int out_fd = open("/dev/null", O_WRONLY);

   struct vtest_buffer buffer;
--- a/vtest/vtest_renderer.c
+++ b/vtest/vtest_renderer.c
@ -49,6 +49,7 @@

 static int ctx_id = 1;
 static int fence_id = 1;
+static uint32_t max_length = UINT_MAX;

 static int last_fence;
 static void vtest_write_fence(UNUSED void *cookie, uint32_t fence_id_in)
@ -221,6 +222,10 @@ int vtest_create_renderer(struct vtest_input *input, int out_fd, uint32_t length
      return -1;
   }

+   if (length > 1024 * 1024) {
+      return -1;
+   }
+
   vtestname = calloc(1, length + 1);
   if (!vtestname) {
      return -1;
@ -520,7 +525,7 @@ int vtest_submit_cmd(uint32_t length_dw)
   uint32_t *cbuf;
   int ret;

-   if (length_dw > UINT_MAX / 4) {
+   if (length_dw > max_length / 4) {
      return -1;
   }

@ -576,6 +581,10 @@ int vtest_transfer_get(UNUSED uint32_t length_dw)

   DECODE_TRANSFER;

+   if (data_size > max_length) {
+      return -ENOMEM;
+   }
+
   ptr = malloc(data_size);
   if (!ptr) {
      return -ENOMEM;
@ -619,6 +628,10 @@ int vtest_transfer_get_nop(UNUSED uint32_t length_dw)

   DECODE_TRANSFER;

+   if (data_size > max_length) {
+      return -ENOMEM;
+   }
+
   ptr = malloc(data_size);
   if (!ptr) {
      return -ENOMEM;
@ -651,6 +664,10 @@ int vtest_transfer_put(UNUSED uint32_t length_dw)

   DECODE_TRANSFER;

+   if (data_size > max_length) {
+      return -ENOMEM;
+   }
+
   ptr = malloc(data_size);
   if (!ptr) {
      return -ENOMEM;
@ -697,6 +714,10 @@ int vtest_transfer_put_nop(UNUSED uint32_t length_dw)

   DECODE_TRANSFER;

+   if (data_size > max_length) {
+      return -ENOMEM;
+   }
+
   ptr = malloc(data_size);
   if (!ptr) {
      return -ENOMEM;
@ -924,3 +945,8 @@ int vtest_poll(void)
   virgl_renderer_poll();
   return 0;
 }
+
+void vtest_set_max_length(uint32_t length)
+{
+   max_length = length;
+}