From 1ba4f8a8396da9d7e47c4034f050548f84d14034 Mon Sep 17 00:00:00 2001
From: Alice Wang
Date: Mon, 23 Jan 2023 13:49:39 +0000
Subject: [PATCH] [avb][fuzzer] Fuzz pvmfw payload_verify for kernel without footer

Bug: 260574387
Test: Run fuzzer.
Change-Id: Ie2ce843000976829f3f7783cca956cf5a4089bb7
---
 pvmfw/avb/fuzz/Android.bp | 34 +++++++++++++++++++
 .../avb/fuzz/without_footer_verify_fuzzer.rs | 28 +++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 pvmfw/avb/fuzz/Android.bp
 create mode 100644 pvmfw/avb/fuzz/without_footer_verify_fuzzer.rs

diff --git a/pvmfw/avb/fuzz/Android.bp b/pvmfw/avb/fuzz/Android.bp
new file mode 100644
index 00000000..451fd8a0
--- /dev/null
+++ b/pvmfw/avb/fuzz/Android.bp
@@ -0,0 +1,34 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_fuzz {
+ name: "avb_kernel_without_footer_verify_fuzzer",
+ srcs: ["without_footer_verify_fuzzer.rs"],
+ rustlibs: [
+ "libpvmfw_avb_nostd",
+ ],
+ fuzz_config: {
+ cc: [
+ "android-kvm@google.com",
+ ],
+ fuzz_on_haiku_device: true,
+ fuzz_on_haiku_host: true,
+ },
+}
+
+// TODO(b/260574387): Add avb_kernel_with_footer_verify_fuzzer
diff --git a/pvmfw/avb/fuzz/without_footer_verify_fuzzer.rs b/pvmfw/avb/fuzz/without_footer_verify_fuzzer.rs
new file mode 100644
index 00000000..fc8fa85b
--- /dev/null
+++ b/pvmfw/avb/fuzz/without_footer_verify_fuzzer.rs
@@ -0,0 +1,28 @@
+// Copyright 2023, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#![allow(missing_docs)]
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use pvmfw_avb::verify_payload;
+
+fuzz_target!(|kernel: &[u8]| {
+ // This fuzzer is mostly supposed to catch the memory corruption in
+ // AVB footer parsing. It is unlikely that the randomly generated
+ // kernel can pass the kernel verification, so the value of `initrd`
+ // is not so important as we won't reach initrd verification with
+ // this fuzzer.
+ let _ = verify_payload(kernel, /*initrd=*/ None, &[0u8; 64]);
+});
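Review bot: The result of `verify_payload` on the second-to-last line is discarded with `let _`, so the target only detects crashes and would never notice a verification bypass, which for a boot-time image check is the more serious failure mode. Because the third argument (presumably the trusted public key) is 64 zero bytes, no fuzzer-generated kernel can be legitimately authenticated, so — assuming verify_payload returns a Result — `assert!(verify_payload(kernel, /*initrd=*/ None, &[0u8; 64]).is_err());` turns the harness into a bypass oracle at no extra cost. The comment block above the call could also state that intent explicitly, e.g. `// The key is all zeros, so no input can carry a signature that verifies; any Ok here is a bug.`, which makes the "unlikely to pass verification" wording a checked invariant rather than an assumption.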