From f41fee58799ee694abb2e792c88bff938c38cfc9 Mon Sep 17 00:00:00 2001
From: Tri Vo
Date: Fri, 26 Feb 2021 15:55:13 -0800
Subject: [PATCH] trusty: Generic parameterizable TIPC fuzzer
Bug: 171750250
Test: trusty_test_fuzzer
Change-Id: I57c4aacc6725689d16dd88db2faa8ead59bcc49a
---
 trusty/fuzz/Android.bp | 9 ++++
 trusty/fuzz/test/Android.bp | 7 ++-
 .../fuzz/{test/fuzz.cpp => tipc_fuzzer.cpp} | 47 +++++++++++++------
 3 files changed, 47 insertions(+), 16 deletions(-)
 rename trusty/fuzz/{test/fuzz.cpp => tipc_fuzzer.cpp} (59%)
diff --git a/trusty/fuzz/Android.bp b/trusty/fuzz/Android.bp
index 99156f428..d1477673a 100644
--- a/trusty/fuzz/Android.bp
+++ b/trusty/fuzz/Android.bp
@@ -52,3 +52,12 @@ cc_library {
 "libtrusty",
 ],
 }
+
+// Generic TIPC fuzzer, must parameterized using:
+// -DTRUSTY_APP_PORT=
+// -DTRUSTY_APP_UUID=
+// -DTRUSTY_APP_FILENAME=
+filegroup {
+ name: "trusty_tipc_fuzzer",
+ srcs: ["tipc_fuzzer.cpp"],
+}
diff --git a/trusty/fuzz/test/Android.bp b/trusty/fuzz/test/Android.bp
index 932121a9d..7d7491392 100644
--- a/trusty/fuzz/test/Android.bp
+++ b/trusty/fuzz/test/Android.bp
@@ -19,5 +19,10 @@ package {
 cc_fuzz {
 name: "trusty_test_fuzzer",
 defaults: ["trusty_fuzzer_defaults"],
- srcs: ["fuzz.cpp"],
+ srcs: [":trusty_tipc_fuzzer"],
+ cflags: [
+ "-DTRUSTY_APP_PORT=\"com.android.trusty.sancov.test.srv\"",
+ "-DTRUSTY_APP_UUID=\"77f68803-c514-43ba-bdce-3254531c3d24\"",
+ "-DTRUSTY_APP_FILENAME=\"srv.syms.elf\"",
+ ]
 }
diff --git a/trusty/fuzz/test/fuzz.cpp b/trusty/fuzz/tipc_fuzzer.cpp
similarity index 59%
rename from trusty/fuzz/test/fuzz.cpp
rename to trusty/fuzz/tipc_fuzzer.cpp
index e7913db40..24b0f98d2 100644
--- a/trusty/fuzz/test/fuzz.cpp
+++ b/trusty/fuzz/tipc_fuzzer.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2020 The Android Open Source Project
+ * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
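Review bot: The comment above `filegroup` in trusty/fuzz/Android.bp does not say what form the three defines must take, and "must parameterized" is missing a word. tipc_fuzzer.cpp passes `TRUSTY_APP_UUID`, `TRUSTY_APP_PORT` and `TRUSTY_APP_FILENAME` where string arguments are expected, so each value has to be a quoted string literal with the quotes escaped in `cflags`, as trusty/fuzz/test/Android.bp does. I would reword the first line to `// Generic TIPC fuzzer; must be parameterized with string-literal values for:` and keep the three `-D` lines below it.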
@@ -16,30 +16,48 @@
 #include
 #include
+#include
 #include
 #include
 #include
 #include
+#include
 using android::trusty::coverage::CoverageRecord;
 using android::trusty::fuzz::ExtraCounters;
 using android::trusty::fuzz::TrustyApp;
 #define TIPC_DEV "/dev/trusty-ipc-dev0"
-#define TEST_SRV_PORT "com.android.trusty.sancov.test.srv"
-/* Test server's UUID is 77f68803-c514-43ba-bdce-3254531c3d24 */
-static struct uuid test_srv_uuid = {
- 0x77f68803,
- 0xc514,
- 0x43ba,
- {0xbd, 0xce, 0x32, 0x54, 0x53, 0x1c, 0x3d, 0x24},
-};
+#ifndef TRUSTY_APP_PORT
+#error "Port name must be parameterized using -DTRUSTY_APP_PORT."
+#endif
-static CoverageRecord record(TIPC_DEV, &test_srv_uuid);
+#ifndef TRUSTY_APP_UUID
+#error "UUID must be parameterized using -DTRUSTY_APP_UUID."
+#endif
+
+#ifndef TRUSTY_APP_FILENAME
+#error "Binary file name must be parameterized using -DTRUSTY_APP_FILENAME."
+#endif
+
+static std::unique_ptr record;
 extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
- auto ret = record.Open();
+ uuid module_uuid;
+
+ if (!str_to_uuid(TRUSTY_APP_UUID, &module_uuid)) {
+ std::cerr << "Failed to parse UUID: " << TRUSTY_APP_UUID << std::endl;
+ exit(-1);
+ }
+
+ record = std::make_unique(TIPC_DEV, &module_uuid, TRUSTY_APP_FILENAME);
+ if (!record) {
+ std::cerr << "Failed to allocate coverage record" << std::endl;
+ exit(-1);
+ }
+
+ auto ret = record->Open();
 if (!ret.ok()) {
 std::cerr << ret.error() << std::endl;
 exit(-1);
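Review bot: The `if (!record)` branch after `std::make_unique` in LLVMFuzzerInitialize can never run: `std::make_unique` reports allocation failure by throwing `std::bad_alloc` (or terminating when exceptions are disabled) and never returns null, so the check and its error message can be dropped. Separately, `module_uuid` is now a stack local where the old code passed the address of a static; the CoverageRecord constructor is not visible here, so please confirm it copies the UUID rather than keeping `&module_uuid`, otherwise the pointer dangles once this function returns. A comment such as `// CoverageRecord copies *uuid; module_uuid need not outlive this call` would record that once confirmed. The function body continues past the end of the hunk.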
@@ -50,22 +68,21 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 static uint8_t buf[TIPC_MAX_MSG_SIZE];
- ExtraCounters counters(&record);
+ ExtraCounters counters(record.get());
 counters.Reset();
- TrustyApp ta(TIPC_DEV, TEST_SRV_PORT);
+ TrustyApp ta(TIPC_DEV, TRUSTY_APP_PORT);
 auto ret = ta.Connect();
 if (!ret.ok()) {
+ std::cerr << ret.error() << std::endl;
 android::trusty::fuzz::Abort();
 }
- /* Send message to test server */
 ret = ta.Write(data, size);
 if (!ret.ok()) {
 return -1;
 }
- /* Read message from test server */
 ret = ta.Read(&buf, sizeof(buf));
 if (!ret.ok()) {
 return -1;
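Review bot: In LLVMFuzzerTestOneInput the Connect failure path now prints `ret.error()` before aborting, but the two `return -1;` paths after `ta.Write` and `ta.Read` still drop the error, so a run that starts failing mid-message leaves no trace in the fuzzer log. I would add the same `std::cerr << ret.error() << std::endl;` before each `return -1;`. If a failed Write or Read can mean the trusted app died on this input (not visible from the hunk), the abort would only happen at the next iteration's Connect and could be attributed to a different input, which is worth a comment at those returns. The function body continues past the end of the hunk.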