trusty: Generic parameterizable TIPC fuzzer
Bug: 171750250 Test: trusty_test_fuzzer Change-Id: I57c4aacc6725689d16dd88db2faa8ead59bcc49a
This commit is contained in:
parent
3c8a004a8d
commit
f41fee5879
|
@ -52,3 +52,12 @@ cc_library {
|
||||||
"libtrusty",
|
"libtrusty",
|
||||||
],
|
],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Generic TIPC fuzzer, must parameterized using:
|
||||||
|
// -DTRUSTY_APP_PORT=<port name of TA being fuzzed>
|
||||||
|
// -DTRUSTY_APP_UUID=<UUID of TA being fuzzed>
|
||||||
|
// -DTRUSTY_APP_FILENAME=<name of symbolized elf binary of the TA>
|
||||||
|
filegroup {
|
||||||
|
name: "trusty_tipc_fuzzer",
|
||||||
|
srcs: ["tipc_fuzzer.cpp"],
|
||||||
|
}
|
||||||
|
|
|
@ -19,5 +19,10 @@ package {
|
||||||
cc_fuzz {
|
cc_fuzz {
|
||||||
name: "trusty_test_fuzzer",
|
name: "trusty_test_fuzzer",
|
||||||
defaults: ["trusty_fuzzer_defaults"],
|
defaults: ["trusty_fuzzer_defaults"],
|
||||||
srcs: ["fuzz.cpp"],
|
srcs: [":trusty_tipc_fuzzer"],
|
||||||
|
cflags: [
|
||||||
|
"-DTRUSTY_APP_PORT=\"com.android.trusty.sancov.test.srv\"",
|
||||||
|
"-DTRUSTY_APP_UUID=\"77f68803-c514-43ba-bdce-3254531c3d24\"",
|
||||||
|
"-DTRUSTY_APP_FILENAME=\"srv.syms.elf\"",
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 2020 The Android Open Source Project
|
* Copyright (C) 2021 The Android Open Source Project
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -16,30 +16,48 @@
|
||||||
|
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <trusty/coverage/coverage.h>
|
#include <trusty/coverage/coverage.h>
|
||||||
|
#include <trusty/coverage/uuid.h>
|
||||||
#include <trusty/fuzz/counters.h>
|
#include <trusty/fuzz/counters.h>
|
||||||
#include <trusty/fuzz/utils.h>
|
#include <trusty/fuzz/utils.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <iostream>
|
#include <iostream>
|
||||||
|
#include <memory>
|
||||||
|
|
||||||
using android::trusty::coverage::CoverageRecord;
|
using android::trusty::coverage::CoverageRecord;
|
||||||
using android::trusty::fuzz::ExtraCounters;
|
using android::trusty::fuzz::ExtraCounters;
|
||||||
using android::trusty::fuzz::TrustyApp;
|
using android::trusty::fuzz::TrustyApp;
|
||||||
|
|
||||||
#define TIPC_DEV "/dev/trusty-ipc-dev0"
|
#define TIPC_DEV "/dev/trusty-ipc-dev0"
|
||||||
#define TEST_SRV_PORT "com.android.trusty.sancov.test.srv"
|
|
||||||
|
|
||||||
/* Test server's UUID is 77f68803-c514-43ba-bdce-3254531c3d24 */
|
#ifndef TRUSTY_APP_PORT
|
||||||
static struct uuid test_srv_uuid = {
|
#error "Port name must be parameterized using -DTRUSTY_APP_PORT."
|
||||||
0x77f68803,
|
#endif
|
||||||
0xc514,
|
|
||||||
0x43ba,
|
|
||||||
{0xbd, 0xce, 0x32, 0x54, 0x53, 0x1c, 0x3d, 0x24},
|
|
||||||
};
|
|
||||||
|
|
||||||
static CoverageRecord record(TIPC_DEV, &test_srv_uuid);
|
#ifndef TRUSTY_APP_UUID
|
||||||
|
#error "UUID must be parameterized using -DTRUSTY_APP_UUID."
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifndef TRUSTY_APP_FILENAME
|
||||||
|
#error "Binary file name must be parameterized using -DTRUSTY_APP_FILENAME."
|
||||||
|
#endif
|
||||||
|
|
||||||
|
static std::unique_ptr<CoverageRecord> record;
|
||||||
|
|
||||||
extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
|
extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
|
||||||
auto ret = record.Open();
|
uuid module_uuid;
|
||||||
|
|
||||||
|
if (!str_to_uuid(TRUSTY_APP_UUID, &module_uuid)) {
|
||||||
|
std::cerr << "Failed to parse UUID: " << TRUSTY_APP_UUID << std::endl;
|
||||||
|
exit(-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
record = std::make_unique<CoverageRecord>(TIPC_DEV, &module_uuid, TRUSTY_APP_FILENAME);
|
||||||
|
if (!record) {
|
||||||
|
std::cerr << "Failed to allocate coverage record" << std::endl;
|
||||||
|
exit(-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
auto ret = record->Open();
|
||||||
if (!ret.ok()) {
|
if (!ret.ok()) {
|
||||||
std::cerr << ret.error() << std::endl;
|
std::cerr << ret.error() << std::endl;
|
||||||
exit(-1);
|
exit(-1);
|
||||||
|
@ -50,22 +68,21 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
|
||||||
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
||||||
static uint8_t buf[TIPC_MAX_MSG_SIZE];
|
static uint8_t buf[TIPC_MAX_MSG_SIZE];
|
||||||
|
|
||||||
ExtraCounters counters(&record);
|
ExtraCounters counters(record.get());
|
||||||
counters.Reset();
|
counters.Reset();
|
||||||
|
|
||||||
TrustyApp ta(TIPC_DEV, TEST_SRV_PORT);
|
TrustyApp ta(TIPC_DEV, TRUSTY_APP_PORT);
|
||||||
auto ret = ta.Connect();
|
auto ret = ta.Connect();
|
||||||
if (!ret.ok()) {
|
if (!ret.ok()) {
|
||||||
|
std::cerr << ret.error() << std::endl;
|
||||||
android::trusty::fuzz::Abort();
|
android::trusty::fuzz::Abort();
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Send message to test server */
|
|
||||||
ret = ta.Write(data, size);
|
ret = ta.Write(data, size);
|
||||||
if (!ret.ok()) {
|
if (!ret.ok()) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Read message from test server */
|
|
||||||
ret = ta.Read(&buf, sizeof(buf));
|
ret = ta.Read(&buf, sizeof(buf));
|
||||||
if (!ret.ok()) {
|
if (!ret.ok()) {
|
||||||
return -1;
|
return -1;
|
Loading…
Reference in New Issue