fix: store bitvec as Vec<bool> to prevent fuzzer crashes

When the fuzzer generates an invalid bitvec state, the serde code
crashes with an assertion error.
To avoid these crashes, just store it as a plain Vec<bool> as we don't
expect these vecs to be too big (for a 10GB hotpluggable area with 2MiB
blocks it would require 5kB for the Vec<bool> compared to 640B with
BitVec).

Signed-off-by: Riccardo Mancini <[email protected]>

Author: Manciukic

src/vmm/src/devices/virtio/mem/persist.rs

@@ -28,7 +28,7 @@ pub struct VirtioMemState {
     usable_region_size: u64,
     requested_size: u64,
     slot_size: usize,
-    plugged_blocks: BitVec,
+    plugged_blocks: Vec<bool>,
 }
 
 #[derive(Debug)]
@@ -62,7 +62,7 @@ impl Persist<'_> for VirtioMem {
             region_size: self.config.region_size,
             block_size: self.config.block_size,
             usable_region_size: self.config.usable_region_size,
-            plugged_blocks: self.plugged_blocks.clone(),
+            plugged_blocks: self.plugged_blocks.iter().by_vals().collect(),
             requested_size: self.config.requested_size,
             slot_size: self.slot_size,
         }
@@ -79,12 +79,14 @@ impl Persist<'_> for VirtioMem {
             FIRECRACKER_MAX_QUEUE_SIZE,
         )?;
 
+        let plugged_blocks = BitVec::from_iter(state.plugged_blocks.iter());
+
         let config = virtio_mem_config {
             addr: state.addr,
             region_size: state.region_size,
             block_size: state.block_size,
             usable_region_size: state.usable_region_size,
-            plugged_size: usize_to_u64(state.plugged_blocks.count_ones()) * state.block_size,
+            plugged_size: usize_to_u64(plugged_blocks.count_ones()) * state.block_size,
             requested_size: state.requested_size,
             ..Default::default()
         };
@@ -94,7 +96,7 @@ impl Persist<'_> for VirtioMem {
             queues,
             config,
             state.slot_size,
-            state.plugged_blocks.clone(),
+            plugged_blocks,
         )?;
         virtio_mem.set_avail_features(state.virtio_state.avail_features);
         virtio_mem.set_acked_features(state.virtio_state.acked_features);
@@ -119,7 +121,10 @@ mod tests {
         assert_eq!(state.region_size, dev.config.region_size);
         assert_eq!(state.block_size, dev.config.block_size);
         assert_eq!(state.usable_region_size, dev.config.usable_region_size);
-        assert_eq!(state.plugged_blocks, dev.plugged_blocks);
+        assert_eq!(
+            state.plugged_blocks.iter().collect::<BitVec>(),
+            dev.plugged_blocks
+        );
         assert_eq!(state.requested_size, dev.config.requested_size);
         assert_eq!(state.slot_size, dev.slot_size);
     }

src/vmm/src/persist.rs

@@ -571,7 +571,6 @@ fn send_uffd_handshake(
 mod tests {
     use std::os::unix::net::UnixListener;
 
-    use bitvec::vec::BitVec;
     use vmm_sys_util::tempfile::TempFile;
 
     use super::*;
@@ -695,7 +694,7 @@ mod tests {
                 base_address: 0,
                 size: 0x20000,
                 region_type: GuestRegionType::Dram,
-                plugged: BitVec::repeat(true, 1),
+                plugged: vec![true],
             }],
         };
 

src/vmm/src/vstate/memory.rs

@@ -240,7 +240,7 @@ impl GuestRegionMmapExt {
             slot_size,
             region_type: state.region_type,
             slot_from,
-            plugged: Mutex::new(state.plugged.clone()),
+            plugged: Mutex::new(BitVec::from_iter(state.plugged.iter())),
         })
     }
 
@@ -596,7 +596,7 @@ pub struct GuestMemoryRegionState {
     /// Region type
     pub region_type: GuestRegionType,
     /// Plugged/unplugged status of each slot
-    pub plugged: BitVec,
+    pub plugged: Vec<bool>,
 }
 
 /// Describes guest memory regions and their snapshot file mappings.
@@ -625,7 +625,7 @@ impl GuestMemoryExtension for GuestMemoryMmap {
                 base_address: region.start_addr().0,
                 size: u64_to_usize(region.len()),
                 region_type: region.region_type,
-                plugged: region.plugged.lock().unwrap().clone(),
+                plugged: region.plugged.lock().unwrap().iter().by_vals().collect(),
             });
         });
         guest_memory_state
@@ -997,13 +997,13 @@ mod tests {
                     base_address: 0,
                     size: page_size,
                     region_type: GuestRegionType::Dram,
-                    plugged: BitVec::repeat(true, 1),
+                    plugged: vec![true],
                 },
                 GuestMemoryRegionState {
                     base_address: page_size as u64 * 2,
                     size: page_size,
                     region_type: GuestRegionType::Dram,
-                    plugged: BitVec::repeat(true, 1),
+                    plugged: vec![true],
                 },
             ],
         };
@@ -1026,13 +1026,13 @@ mod tests {
                     base_address: 0,
                     size: page_size * 3,
                     region_type: GuestRegionType::Dram,
-                    plugged: BitVec::repeat(true, 1),
+                    plugged: vec![true],
                 },
                 GuestMemoryRegionState {
                     base_address: page_size as u64 * 4,
                     size: page_size * 3,
                     region_type: GuestRegionType::Dram,
-                    plugged: BitVec::repeat(true, 1),
+                    plugged: vec![true],
                 },
             ],
         };