rmm: Add more RMI fuzzing harnesses

Signed-off-by: Rayhan Faizel <rayhan.faizel@gmail.com>

Author: Skryptonyte

rmm/fuzz/Cargo.toml

@@ -24,3 +24,101 @@ path = "fuzz_targets/rmi_features_fuzz.rs"
 test = false
 doc = false
 bench = false
+
+[[bin]]
+name = "rmi_granule_delegate_fuzz"
+path = "fuzz_targets/rmi_granule_delegate_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_granule_undelegate_fuzz"
+path = "fuzz_targets/rmi_granule_undelegate_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_realm_create_fuzz"
+path = "fuzz_targets/rmi_realm_create_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_rec_create_fuzz"
+path = "fuzz_targets/rmi_rec_create_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_rtt_create_fuzz"
+path = "fuzz_targets/rmi_rtt_create_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_rtt_read_entry_fuzz"
+path = "fuzz_targets/rmi_rtt_read_entry_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_data_create_fuzz"
+path = "fuzz_targets/rmi_data_create_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_data_create_unknown_fuzz"
+path = "fuzz_targets/rmi_data_create_unknown_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_rtt_map_unprotected_fuzz"
+path = "fuzz_targets/rmi_rtt_map_unprotected_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_rtt_init_ripas_fuzz"
+path = "fuzz_targets/rmi_rtt_init_ripas_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_rtt_set_ripas_fuzz"
+path = "fuzz_targets/rmi_rtt_set_ripas_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_rec_enter_fuzz"
+path = "fuzz_targets/rmi_rec_enter_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_psci_complete_fuzz"
+path = "fuzz_targets/rmi_psci_complete_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "rmi_rtt_fold_fuzz"
+path = "fuzz_targets/rmi_rtt_fold_fuzz.rs"
+test = false
+doc = false
+bench = false

rmm/fuzz/fuzz_targets/rmi_data_create_fuzz.rs

@@ -0,0 +1,70 @@
+#![no_main]
+
+use islet_rmm::rmi::{DATA_CREATE, DATA_DESTROY, GRANULE_DELEGATE, GRANULE_UNDELEGATE,
+                     RTT_INIT_RIPAS, RTT_READ_ENTRY, SUCCESS};
+use islet_rmm::rmi::rtt_entry_state::{RMI_UNASSIGNED, RMI_ASSIGNED};
+use islet_rmm::test_utils::{mock, *};
+
+use libfuzzer_sys::{arbitrary, fuzz_target, Corpus};
+
+
+#[derive(Debug, arbitrary::Arbitrary)]
+struct DataCreateFuzz {
+    ipa: u64,
+    flags: u64,
+}
+
+fuzz_target!(|data: DataCreateFuzz| -> Corpus {
+    let ipa = data.ipa as usize;
+    let flags = data.flags as usize;
+    let base = (ipa / L3_SIZE) * L3_SIZE;
+    let data_granule = alloc_granule(IDX_DATA1);
+    let src = alloc_granule(IDX_SRC1);
+
+    let top = match (base as usize).checked_add(L3_SIZE) {
+        Some(x) => x,
+        None => {
+            return Corpus::Reject;
+        }
+    };
+
+    let rd = realm_create();
+
+    /* Reject IPAs which cannot be mapped */
+    let ret = rmi::<RTT_READ_ENTRY>(&[rd, ipa, MAP_LEVEL]);
+    if (ret[0] != SUCCESS) {
+        realm_destroy(rd);
+        return Corpus::Reject;
+    }
+
+    mock::host::map(rd, ipa);
+
+    let ret = rmi::<RTT_INIT_RIPAS>(&[rd, base, top]);
+    if ret[0] != SUCCESS {
+        mock::host::unmap(rd, ipa, false);
+        realm_destroy(rd);
+        return Corpus::Reject;
+    }
+
+    let _ret = rmi::<GRANULE_DELEGATE>(&[data_granule]);
+
+    let ret = rmi::<DATA_CREATE>(&[rd, data_granule, ipa, src, flags]);
+
+    if ret[0] == SUCCESS {
+        let ret = rmi::<RTT_READ_ENTRY>(&[rd, ipa, MAP_LEVEL]);
+        assert_eq!(ret[2], RMI_ASSIGNED);
+
+        let ret = rmi::<DATA_DESTROY>(&[rd, ipa]);
+        assert_eq!(ret[0], SUCCESS);
+
+        let ret = rmi::<RTT_READ_ENTRY>(&[rd, ipa, MAP_LEVEL]);
+        assert_eq!(ret[2], RMI_UNASSIGNED);
+    }
+
+    let _ret = rmi::<GRANULE_UNDELEGATE>(&[data_granule]);
+
+    mock::host::unmap(rd, ipa, false);
+    realm_destroy(rd);
+
+    Corpus::Keep
+});

rmm/fuzz/fuzz_targets/rmi_data_create_unknown_fuzz.rs

@@ -0,0 +1,50 @@
+#![no_main]
+
+use islet_rmm::rmi::{DATA_CREATE_UNKNOWN, DATA_DESTROY, GRANULE_DELEGATE,
+                     GRANULE_UNDELEGATE, RTT_READ_ENTRY, SUCCESS};
+use islet_rmm::rmi::rtt_entry_state::{RMI_UNASSIGNED, RMI_ASSIGNED};
+use islet_rmm::test_utils::{mock, *};
+
+use libfuzzer_sys::{arbitrary, fuzz_target, Corpus};
+
+#[derive(Debug, arbitrary::Arbitrary)]
+struct DataCreateFuzz {
+    ipa: u64,
+}
+
+fuzz_target!(|data: DataCreateFuzz| -> Corpus {
+    let rd = realm_create();
+    let ipa = data.ipa as usize;
+    let data_granule = alloc_granule(IDX_DATA1);
+
+    /* Reject IPAs which cannot be mapped */
+    let ret = rmi::<RTT_READ_ENTRY>(&[rd, ipa, MAP_LEVEL]);
+    if (ret[0] != SUCCESS) {
+        realm_destroy(rd);
+        return Corpus::Reject;
+    }
+
+    mock::host::map(rd, ipa);
+
+    let _ret = rmi::<GRANULE_DELEGATE>(&[data_granule]);
+
+    let ret = rmi::<DATA_CREATE_UNKNOWN>(&[rd, data_granule, ipa]);
+
+    if ret[0] == SUCCESS {
+        let ret = rmi::<RTT_READ_ENTRY>(&[rd, ipa, MAP_LEVEL]);
+        assert_eq!(ret[2], RMI_ASSIGNED);
+
+        let ret = rmi::<DATA_DESTROY>(&[rd, ipa]);
+        assert_eq!(ret[0], SUCCESS);
+
+        let ret = rmi::<RTT_READ_ENTRY>(&[rd, ipa, MAP_LEVEL]);
+        assert_eq!(ret[2], RMI_UNASSIGNED);
+    }
+
+    let _ret = rmi::<GRANULE_UNDELEGATE>(&[data_granule]);
+
+    mock::host::unmap(rd, ipa, false);
+    realm_destroy(rd);
+
+    Corpus::Keep
+});

rmm/fuzz/fuzz_targets/rmi_granule_delegate_fuzz.rs

@@ -0,0 +1,26 @@
+#![no_main]
+
+use islet_rmm::rmi::{GRANULE_DELEGATE, GRANULE_UNDELEGATE, SUCCESS};
+use islet_rmm::granule::GRANULE_STATUS_TABLE_SIZE;
+use islet_rmm::test_utils::{mock, *};
+
+use libfuzzer_sys::{arbitrary, fuzz_target};
+
+#[derive(Debug, arbitrary::Arbitrary)]
+enum GranuleAddress {
+    GranuleRegion(u16),
+    RandomAddress(u64)
+}
+
+fuzz_target!(|data: GranuleAddress| {
+    let addr: usize = match data {
+        GranuleAddress::GranuleRegion(idx) => alloc_granule((idx as usize) % GRANULE_STATUS_TABLE_SIZE),
+        GranuleAddress::RandomAddress(addr) => addr as usize
+    };
+
+    let ret = rmi::<GRANULE_DELEGATE>(&[addr]);
+
+    if ret[0] == SUCCESS {
+        let _ret = rmi::<GRANULE_UNDELEGATE>(&[addr]);
+    }
+});

rmm/fuzz/fuzz_targets/rmi_granule_undelegate_fuzz.rs

@@ -0,0 +1,22 @@
+#![no_main]
+
+use islet_rmm::rmi::{GRANULE_UNDELEGATE, SUCCESS};
+use islet_rmm::granule::GRANULE_STATUS_TABLE_SIZE;
+use islet_rmm::test_utils::{mock, *};
+
+use libfuzzer_sys::{arbitrary, fuzz_target};
+
+#[derive(Debug, arbitrary::Arbitrary)]
+enum GranuleAddress {
+    GranuleRegion(u16),
+    RandomAddress(u64)
+}
+
+fuzz_target!(|data: GranuleAddress| {
+    let addr: usize = match data {
+        GranuleAddress::GranuleRegion(idx) => alloc_granule((idx as usize) % GRANULE_STATUS_TABLE_SIZE),
+        GranuleAddress::RandomAddress(addr) => addr as usize
+    };
+
+    let _ret = rmi::<GRANULE_UNDELEGATE>(&[addr]);
+});

rmm/fuzz/fuzz_targets/rmi_psci_complete_fuzz.rs

@@ -0,0 +1,52 @@
+#![no_main]
+
+use islet_rmm::rmi::{REC_ENTER, PSCI_COMPLETE, SUCCESS};
+use islet_rmm::rec::Rec;
+use islet_rmm::rec::context::set_reg;
+use islet_rmm::rsi::{PSCI_CPU_ON, PSCI_AFFINITY_INFO};
+use islet_rmm::test_utils::{mock, *};
+
+use libfuzzer_sys::{arbitrary, fuzz_target, Corpus};
+
+#[derive(Debug, arbitrary::Arbitrary)]
+enum PSCICommandFuzz {
+    PSCI_CPU_ON,
+    PSCI_AFFINITY_INFO,
+}
+
+#[derive(Debug, arbitrary::Arbitrary)]
+struct PSCICompleteFuzz {
+    status: usize,
+    psci_command: PSCICommandFuzz,
+    target_runnable: bool,
+}
+
+fuzz_target!(|data: PSCICompleteFuzz| {
+    let rd = mock::host::realm_setup();
+    let status = data.status;
+    let psci_command = data.psci_command;
+    let target_runnable = data.target_runnable as u64;
+
+    let (rec1, run1) = (alloc_granule(IDX_REC1), alloc_granule(IDX_REC1_RUN));
+
+    let _ret = rmi::<REC_ENTER>(&[rec1, run1]);
+
+    let rec2 = alloc_granule(IDX_REC2);
+
+    unsafe {
+        let rec = &mut *(rec1 as *mut Rec<'_>);
+        let target_rec = &mut *(rec2 as *mut Rec<'_>);
+
+        match psci_command {
+            PSCICommandFuzz::PSCI_CPU_ON => { set_reg(rec, 0, PSCI_CPU_ON).unwrap() },
+            PSCICommandFuzz::PSCI_AFFINITY_INFO => { set_reg(rec, 0, PSCI_AFFINITY_INFO).unwrap() },
+            _ => { unreachable!() }
+        }
+
+        target_rec.set_runnable(target_runnable);
+    }
+
+    let _ret = rmi::<PSCI_COMPLETE>(&[rec1, rec2, status]);
+
+    mock::host::realm_teardown(rd);
+});

rmm/fuzz/fuzz_targets/rmi_realm_create_fuzz.rs

@@ -0,0 +1,62 @@
+#![no_main]
+
+use islet_rmm::rmi::{REALM_CREATE, REALM_DESTROY, REALM_ACTIVATE, GRANULE_DELEGATE, GRANULE_UNDELEGATE, SUCCESS};
+use islet_rmm::granule::GRANULE_STATUS_TABLE_SIZE;
+use islet_rmm::rmi::realm::params::Params as RealmParams;
+use islet_rmm::test_utils::{mock, *};
+
+use libfuzzer_sys::{arbitrary, fuzz_target};
+
+#[derive(Debug, arbitrary::Arbitrary)]
+struct RealmParamsFuzz {
+    flags: u64,
+    s2sz: u8,
+    sve_vl: u8,
+    num_bps: u8,
+    num_wps: u8,
+    pmu_num_ctrs: u8,
+    hash_algo: u8,
+    rpv: [u8; 64],
+    vmid: u16,
+    rtt_level_start: i64,
+    rtt_num_start: u32
+}
+
+fuzz_target!(|data: RealmParamsFuzz| {
+    let (rd, rtt, params_ptr) = (
+        alloc_granule(IDX_RD),
+        alloc_granule(IDX_RTT_LEVEL0),
+        alloc_granule(IDX_REALM_PARAMS),
+    );
+
+    let _ret = rmi::<GRANULE_DELEGATE>(&[rd]);
+    let _ret = rmi::<GRANULE_DELEGATE>(&[rtt]);
+
+    unsafe {
+        let params = &mut *(params_ptr as *mut RealmParams);
+
+        params.flags = data.flags;
+        params.s2sz = data.s2sz;
+        params.sve_vl = data.sve_vl;
+        params.num_bps = data.num_bps;
+        params.num_wps = data.num_wps;
+        params.pmu_num_ctrs = data.pmu_num_ctrs;
+        params.hash_algo = data.hash_algo;
+        params.rpv = data.rpv;
+        params.vmid = data.vmid;
+        params.rtt_base = rtt as u64;
+        params.rtt_level_start = data.rtt_level_start;
+        params.rtt_num_start = data.rtt_num_start;
+    }
+
+    let ret = rmi::<REALM_CREATE>(&[rd, params_ptr]);
+
+    if ret[0] == SUCCESS {
+        let _ret = rmi::<REALM_ACTIVATE>(&[rd]);
+
+        let _ret = rmi::<REALM_DESTROY>(&[rd]);
+    }
+
+    let _ret = rmi::<GRANULE_UNDELEGATE>(&[rd]);
+    let _ret = rmi::<GRANULE_UNDELEGATE>(&[rtt]);
+});