trusty: Apploader fuzzer
Bug: 181630912 Test: trusty_apploader_tipc_fuzzer Test: trusty_apploader_app_fuzzer Change-Id: I1cc2329ca2a4e983f6ded45810d4c34e1433c5b0
This commit is contained in:
parent
ce519b8a97
commit
5c1d2e1dff
|
@ -0,0 +1,40 @@
|
|||
// Copyright (C) 2021 The Android Open Source Project
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package {
|
||||
default_applicable_licenses: ["Android-Apache-2.0"],
|
||||
}
|
||||
|
||||
// Fuzz Trusty IPC messages sent to apploader.
|
||||
cc_fuzz {
|
||||
name: "trusty_apploader_tipc_fuzzer",
|
||||
defaults: ["trusty_fuzzer_defaults"],
|
||||
srcs: [":trusty_tipc_fuzzer"],
|
||||
cflags: [
|
||||
"-DTRUSTY_APP_PORT=\"com.android.trusty.apploader\"",
|
||||
"-DTRUSTY_APP_UUID=\"081ba88f-f1ee-452e-b5e8-a7e9ef173a97\"",
|
||||
"-DTRUSTY_APP_FILENAME=\"apploader.syms.elf\"",
|
||||
]
|
||||
}
|
||||
|
||||
// Fuzz app package sent to apploader.
|
||||
cc_fuzz {
|
||||
name: "trusty_apploader_app_fuzzer",
|
||||
defaults: ["trusty_fuzzer_defaults"],
|
||||
srcs: ["app_fuzzer.cpp"],
|
||||
include_dirs: ["system/core/trusty/apploader"],
|
||||
shared_libs: [
|
||||
"libdmabufheap",
|
||||
],
|
||||
}
|
|
@ -0,0 +1,134 @@
|
|||
/*
|
||||
* Copyright (C) 2021 The Android Open Source Project
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include <BufferAllocator/BufferAllocator.h>
|
||||
#include <android-base/unique_fd.h>
|
||||
#include <apploader_ipc.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/mman.h>
|
||||
#include <trusty/coverage/coverage.h>
|
||||
#include <trusty/fuzz/counters.h>
|
||||
#include <trusty/fuzz/utils.h>
|
||||
#include <trusty/tipc.h>
|
||||
#include <unistd.h>
|
||||
#include <iostream>
|
||||
|
||||
using android::base::unique_fd;
|
||||
using android::trusty::coverage::CoverageRecord;
|
||||
using android::trusty::fuzz::ExtraCounters;
|
||||
using android::trusty::fuzz::TrustyApp;
|
||||
|
||||
#define TIPC_DEV "/dev/trusty-ipc-dev0"
|
||||
#define APPLOADER_PORT "com.android.trusty.apploader"
|
||||
#define APPLOADER_MODULE_NAME "apploader.syms.elf"
|
||||
|
||||
/* Apploader TA's UUID is 081ba88f-f1ee-452e-b5e8-a7e9ef173a97 */
|
||||
static struct uuid apploader_uuid = {
|
||||
0x081ba88f,
|
||||
0xf1ee,
|
||||
0x452e,
|
||||
{0xb5, 0xe8, 0xa7, 0xe9, 0xef, 0x17, 0x3a, 0x97},
|
||||
};
|
||||
|
||||
static inline uintptr_t RoundPageUp(uintptr_t val) {
|
||||
return (val + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
|
||||
}
|
||||
|
||||
static bool SendLoadMsg(int chan, int dma_buf, size_t dma_buf_size) {
|
||||
apploader_header hdr = {
|
||||
.cmd = APPLOADER_CMD_LOAD_APPLICATION,
|
||||
};
|
||||
apploader_load_app_req req = {
|
||||
.package_size = static_cast<uint64_t>(dma_buf_size),
|
||||
};
|
||||
iovec iov[] = {
|
||||
{
|
||||
.iov_base = &hdr,
|
||||
.iov_len = sizeof(hdr),
|
||||
},
|
||||
{
|
||||
.iov_base = &req,
|
||||
.iov_len = sizeof(req),
|
||||
},
|
||||
};
|
||||
trusty_shm shm = {
|
||||
.fd = dma_buf,
|
||||
.transfer = TRUSTY_SHARE,
|
||||
};
|
||||
|
||||
int rc = tipc_send(chan, iov, 2, &shm, 1);
|
||||
if (rc != static_cast<int>(sizeof(hdr) + sizeof(req))) {
|
||||
std::cerr << "Failed to send request" << std::endl;
|
||||
return false;
|
||||
}
|
||||
|
||||
apploader_resp resp;
|
||||
rc = read(chan, &resp, sizeof(resp));
|
||||
if (rc != static_cast<int>(sizeof(resp))) {
|
||||
std::cerr << "Failed to receive response" << std::endl;
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static CoverageRecord record(TIPC_DEV, &apploader_uuid, APPLOADER_MODULE_NAME);
|
||||
|
||||
extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
|
||||
auto ret = record.Open();
|
||||
if (!ret.ok()) {
|
||||
std::cerr << ret.error() << std::endl;
|
||||
exit(-1);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
||||
ExtraCounters counters(&record);
|
||||
counters.Reset();
|
||||
|
||||
android::trusty::fuzz::TrustyApp ta(TIPC_DEV, APPLOADER_PORT);
|
||||
auto ret = ta.Connect();
|
||||
if (!ret.ok()) {
|
||||
std::cerr << ret.error() << std::endl;
|
||||
android::trusty::fuzz::Abort();
|
||||
}
|
||||
|
||||
uint64_t shm_len = size ? RoundPageUp(size) : PAGE_SIZE;
|
||||
BufferAllocator alloc;
|
||||
unique_fd dma_buf(alloc.Alloc(kDmabufSystemHeapName, shm_len));
|
||||
if (dma_buf < 0) {
|
||||
std::cerr << "Failed to create dmabuf of size: " << shm_len << std::endl;
|
||||
android::trusty::fuzz::Abort();
|
||||
}
|
||||
|
||||
void* shm_base = mmap(0, shm_len, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0);
|
||||
if (shm_base == MAP_FAILED) {
|
||||
std::cerr << "Failed to mmap() dmabuf" << std::endl;
|
||||
android::trusty::fuzz::Abort();
|
||||
}
|
||||
|
||||
memcpy(shm_base, data, size);
|
||||
|
||||
bool success = SendLoadMsg(*ta.GetRawFd(), dma_buf, shm_len);
|
||||
if (!success) {
|
||||
std::cerr << "Failed to send load message" << std::endl;
|
||||
android::trusty::fuzz::Abort();
|
||||
}
|
||||
|
||||
munmap(shm_base, shm_len);
|
||||
return 0;
|
||||
}
|
Loading…
Reference in New Issue