Why is this change being made?

- The [`pcie`](https://openvmm.dev/rustdoc/linux/pcie/index.html) crate handles untrusted guest input through ECAM MMIO accesses and had no fuzz coverage.
- Config space routing through root ports and switches is a trust boundary worth exercising with malformed inputs.

What changed?

- New fuzz target `fuzz_pcie` in `vm/devices/pci/pcie/fuzz/`.
- Exercises MMIO reads/writes at arbitrary ECAM offsets with valid (1/2/4) and invalid (3/8/16) access sizes across four topology variants: root ports only, with endpoint, with switch hierarchy, and with hotplug-enabled ports.
- Programs bus numbers before fuzzing so config forwarding and switch routing code is reachable (without this, all downstream accesses hit the uninitialized bus range early return).
- Made `pcie::test_helpers` available under `cfg(any(test, fuzzing))` so the fuzzer reuses `TestPcieMmioRegistration` instead of duplicating it.
- Added `cfg(fuzzing)` to the workspace `check-cfg` list.

How was the change tested?

- ✅ `cargo +nightly xtask fuzz build fuzz_pcie` — builds clean, zero warnings
- ✅ 60-second fuzzing runs with no crashes (~330K executions)
- ✅ Coverage: port.rs 92%, switch.rs 77%, root.rs 77%
- ✅ `cargo clippy --all-targets -p pcie` — clean
- ✅ `cargo xtask fmt --fix` — clean
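An added illustration, not code from the OpenVMM `pcie` crate or its fuzz target: it models the ECAM offset decode, the 1/2/4 access-size check and root-port bus-number routing that the PR description says the fuzzer exercises, including the early return taken when bus numbers were never programmed. The type and function names (`RootComplex`, `route`, `fuzz_step`) and the placement of root ports at bus 0 are assumptions of this model.

```rust
/// Result of routing one ECAM access (model types, not the pcie crate's own).
#[derive(Debug, PartialEq)]
pub enum Route {
    BadSize,           // 3/8/16-byte accesses are rejected before any decode
    RootPort(u8, u16), // config space of root port <index>, register offset
    Forwarded { port: u8, bus: u8, devfn: u8, reg: u16 },
    NoRoute,           // nothing claims the bus, including the unprogrammed case
}

#[derive(Clone, Default)]
pub struct RootPort { pub secondary: u8, pub subordinate: u8 }

pub struct RootComplex { pub ports: Vec<RootPort> }

impl RootComplex {
    pub fn new(n: usize) -> Self { Self { ports: vec![RootPort::default(); n] } }

    /// The setup step the PR describes: without it every downstream access hits
    /// the "uninitialized bus range" early return and routing code is never reached.
    pub fn program_bus_numbers(&mut self, port: usize, secondary: u8, subordinate: u8) {
        self.ports[port] = RootPort { secondary, subordinate };
    }

    /// ECAM layout: bits 27..20 bus, 19..15 device, 14..12 function, 11..0 register.
    pub fn route(&self, offset: u64, size: u8) -> Route {
        if !matches!(size, 1 | 2 | 4) { return Route::BadSize; }
        let bus = ((offset >> 20) & 0xff) as u8;
        let devfn = ((offset >> 12) & 0xff) as u8;
        let reg = (offset & 0xfff) as u16;
        if bus == 0 {
            // Modelling assumption: root port i sits at bus 0, device i, function 0.
            let (dev, func) = (devfn >> 3, devfn & 7);
            return if func == 0 && (dev as usize) < self.ports.len() { Route::RootPort(dev, reg) } else { Route::NoRoute };
        }
        for (i, p) in self.ports.iter().enumerate() {
            // secondary == 0 means the guest never programmed this port: early return.
            if p.secondary != 0 && (p.secondary..=p.subordinate).contains(&bus) {
                return Route::Forwarded { port: i as u8, bus, devfn, reg };
            }
        }
        Route::NoRoute
    }
}

/// One harness iteration: derive (offset, size) from raw fuzzer bytes, deliberately
/// producing the invalid sizes 3/8/16 alongside 1/2/4, as the fuzz target does.
pub fn fuzz_step(rc: &RootComplex, data: &[u8]) -> Option<Route> {
    let mut buf = [0u8; 8];
    buf.copy_from_slice(data.get(..8)?);
    let offset = u64::from_le_bytes(buf) & 0x0FFF_FFFF; // 256 buses x 1 MiB each
    let size = [1u8, 2, 4, 3, 8, 16][(*data.get(8)? % 6) as usize];
    Some(rc.route(offset, size))
}
```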
Pull request overview
Adds a new in-tree cargo-fuzz target to exercise the pcie crate’s ECAM MMIO handling and routing logic under malformed/untrusted guest inputs, increasing coverage at a key trust boundary.
Changes:
- Introduces new fuzz crate/target `fuzz_pcie` that drives `GenericPcieRootComplex` MMIO reads/writes across multiple PCIe topology variants.
- Exposes `pcie::test_helpers` under `cfg(any(test, fuzzing))` so the fuzzer can reuse existing MMIO registration helpers.
- Updates workspace configuration to include the new fuzz crate and allow `cfg(fuzzing)` under `unexpected_cfgs` check-cfg.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| vm/devices/pci/pcie/src/lib.rs | Exposes test_helpers for fuzz builds to share existing harness utilities. |
| vm/devices/pci/pcie/fuzz/fuzz_pcie.rs | New libFuzzer target that constructs small PCIe topologies and slams ECAM MMIO accesses (including invalid sizes). |
| vm/devices/pci/pcie/fuzz/Cargo.toml | Defines the new fuzz crate, dependencies, and OneFuzz allowlist. |
| Cargo.toml | Adds the fuzz crate to workspace members and registers cfg(fuzzing) for check-cfg. |
| Cargo.lock | Records the new fuzz crate in the lockfile. |
| .github/skills/fuzzing/SKILL.md | Adds a repository fuzzing how-to skill doc (run/build/repro/coverage/debug guidance). |
- Replace cfg(fuzzing) with feature = "fuzz" gate (matches storvsp pattern)
- Remove cfg(fuzzing) from workspace check-cfg
- Use #[expect] instead of #[allow] for missing_docs
- Remove unused PciConfigSpace import
- Handle add_pcie_device Results instead of dropping them
- Remove misleading let _ = on mmio_write (returns unit)
- Use glob for OneFuzz allowlist instead of listing files
- Clarify AccessSize doc comments for ECAM rejection behavior
- Revert duplicate SKILL.md to main version

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds a new fuzzing harness for the pcie crate to exercise ECAM MMIO config-space routing logic (root ports/switches/hotplug) against malformed guest-driven accesses, and exposes existing PCIe test helpers to the fuzzer via a crate feature.
Changes:
- Added a new `fuzz_pcie` cargo-fuzz target under `vm/devices/pci/pcie/fuzz/`.
- Exposed `pcie::test_helpers` under `cfg(any(test, feature = "fuzz"))` and introduced a `fuzz` feature in the `pcie` crate.
- Added a repository skill doc describing how to run/debug/measure fuzzers.
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| vm/devices/pci/pcie/src/lib.rs | Makes test_helpers available to fuzz builds behind a feature gate. |
| vm/devices/pci/pcie/fuzz/fuzz_pcie.rs | New fuzz harness driving ECAM MMIO reads/writes + reset across topology variants. |
| vm/devices/pci/pcie/fuzz/Cargo.toml | New fuzz crate wiring (cargo-fuzz metadata + dependencies). |
| vm/devices/pci/pcie/Cargo.toml | Adds fuzz feature to expose test helpers for the fuzz harness. |
| Cargo.toml | Registers the new fuzz crate as a workspace member. |
| Cargo.lock | Adds lockfile entry for the new fuzz_pcie package. |
| .github/skills/fuzzing/SKILL.md | New “fuzzing” skill guide for running/debugging fuzzers and coverage workflows. |
Pull request overview
Adds an in-tree cargo-fuzz target for the pcie crate to exercise ECAM MMIO/config-space routing logic (a guest-input trust boundary) across several PCIe topology variants.
Changes:
- Introduces a new fuzz crate/target (`fuzz_pcie`) that drives arbitrary ECAM MMIO reads/writes and reset operations.
- Exposes `pcie::test_helpers` under `cfg(test)` or the new `pcie` feature `fuzz` so the fuzzer can reuse existing MMIO registration helpers.
- Registers the fuzz crate in the workspace and lockfile.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| vm/devices/pci/pcie/src/lib.rs | Exposes test_helpers when testing or fuzzing feature is enabled. |
| vm/devices/pci/pcie/fuzz/fuzz_pcie.rs | New fuzz harness implementing topology setup, MMIO action driving, and reset handling. |
| vm/devices/pci/pcie/fuzz/Cargo.toml | Defines the fuzz_pcie fuzz crate and its dependencies/metadata. |
| vm/devices/pci/pcie/Cargo.toml | Adds a fuzz feature to allow exporting fuzz-only helpers. |
| Cargo.toml | Adds the new fuzz crate to workspace members. |
| Cargo.lock | Records the new fuzz_pcie package entry. |
pcie: add PCIe emulator fuzz target