trusty: Generic parameterizable TIPC fuzzer

Bug: 171750250
Test: trusty_test_fuzzer
Change-Id: I57c4aacc6725689d16dd88db2faa8ead59bcc49a
Tri Vo 2021-02-26 15:55:13 -08:00
parent 3c8a004a8d
commit f41fee5879
3 changed files with 47 additions and 16 deletions

@ -52,3 +52,12 @@ cc_library {
"libtrusty", "libtrusty",
], ],
} }
// Generic TIPC fuzzer, must parameterized using:
// -DTRUSTY_APP_PORT=<port name of TA being fuzzed>
// -DTRUSTY_APP_UUID=<UUID of TA being fuzzed>
// -DTRUSTY_APP_FILENAME=<name of symbolized elf binary of the TA>
filegroup {
name: "trusty_tipc_fuzzer",
srcs: ["tipc_fuzzer.cpp"],
}
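Review bot: The new comment above `trusty_tipc_fuzzer` has a typo and omits two things a user of the filegroup needs to know. Its first line should read `// Generic TIPC fuzzer, must be parameterized using:`. It should also say that each value has to be a quoted C string literal: the `trusty_test_fuzzer` cflags in this commit pass `-DTRUSTY_APP_PORT=\"...\"` with escaped quotes, and the fuzzer source hands `TRUSTY_APP_UUID` to `str_to_uuid` and `std::cerr`. I would also add `// All three values must describe the same TA.`, because the port is used for the connection and the UUID for the coverage record, and nothing visible in this commit cross-checks them. A mismatch would presumably feed the fuzzer coverage from a different app than the one receiving the input.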

@ -19,5 +19,10 @@ package {
cc_fuzz { cc_fuzz {
name: "trusty_test_fuzzer", name: "trusty_test_fuzzer",
defaults: ["trusty_fuzzer_defaults"], defaults: ["trusty_fuzzer_defaults"],
srcs: ["fuzz.cpp"], srcs: [":trusty_tipc_fuzzer"],
cflags: [
"-DTRUSTY_APP_PORT=\"com.android.trusty.sancov.test.srv\"",
"-DTRUSTY_APP_UUID=\"77f68803-c514-43ba-bdce-3254531c3d24\"",
"-DTRUSTY_APP_FILENAME=\"srv.syms.elf\"",
]
} }

@ -1,5 +1,5 @@
/* /*
* Copyright (C) 2020 The Android Open Source Project * Copyright (C) 2021 The Android Open Source Project
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -16,30 +16,48 @@
#include <stdlib.h> #include <stdlib.h>
#include <trusty/coverage/coverage.h> #include <trusty/coverage/coverage.h>
#include <trusty/coverage/uuid.h>
#include <trusty/fuzz/counters.h> #include <trusty/fuzz/counters.h>
#include <trusty/fuzz/utils.h> #include <trusty/fuzz/utils.h>
#include <unistd.h> #include <unistd.h>
#include <iostream> #include <iostream>
#include <memory>
using android::trusty::coverage::CoverageRecord; using android::trusty::coverage::CoverageRecord;
using android::trusty::fuzz::ExtraCounters; using android::trusty::fuzz::ExtraCounters;
using android::trusty::fuzz::TrustyApp; using android::trusty::fuzz::TrustyApp;
#define TIPC_DEV "/dev/trusty-ipc-dev0" #define TIPC_DEV "/dev/trusty-ipc-dev0"
#define TEST_SRV_PORT "com.android.trusty.sancov.test.srv"
/* Test server's UUID is 77f68803-c514-43ba-bdce-3254531c3d24 */ #ifndef TRUSTY_APP_PORT
static struct uuid test_srv_uuid = { #error "Port name must be parameterized using -DTRUSTY_APP_PORT."
0x77f68803, #endif
0xc514,
0x43ba,
{0xbd, 0xce, 0x32, 0x54, 0x53, 0x1c, 0x3d, 0x24},
};
static CoverageRecord record(TIPC_DEV, &test_srv_uuid); #ifndef TRUSTY_APP_UUID
#error "UUID must be parameterized using -DTRUSTY_APP_UUID."
#endif
#ifndef TRUSTY_APP_FILENAME
#error "Binary file name must be parameterized using -DTRUSTY_APP_FILENAME."
#endif
static std::unique_ptr<CoverageRecord> record;
extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) { extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
auto ret = record.Open(); uuid module_uuid;
if (!str_to_uuid(TRUSTY_APP_UUID, &module_uuid)) {
std::cerr << "Failed to parse UUID: " << TRUSTY_APP_UUID << std::endl;
exit(-1);
}
record = std::make_unique<CoverageRecord>(TIPC_DEV, &module_uuid, TRUSTY_APP_FILENAME);
if (!record) {
std::cerr << "Failed to allocate coverage record" << std::endl;
exit(-1);
}
auto ret = record->Open();
if (!ret.ok()) { if (!ret.ok()) {
std::cerr << ret.error() << std::endl; std::cerr << ret.error() << std::endl;
exit(-1); exit(-1);
@ -50,22 +68,21 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
static uint8_t buf[TIPC_MAX_MSG_SIZE]; static uint8_t buf[TIPC_MAX_MSG_SIZE];
ExtraCounters counters(&record); ExtraCounters counters(record.get());
counters.Reset(); counters.Reset();
TrustyApp ta(TIPC_DEV, TEST_SRV_PORT); TrustyApp ta(TIPC_DEV, TRUSTY_APP_PORT);
auto ret = ta.Connect(); auto ret = ta.Connect();
if (!ret.ok()) { if (!ret.ok()) {
std::cerr << ret.error() << std::endl;
android::trusty::fuzz::Abort(); android::trusty::fuzz::Abort();
} }
/* Send message to test server */
ret = ta.Write(data, size); ret = ta.Write(data, size);
if (!ret.ok()) { if (!ret.ok()) {
return -1; return -1;
} }
/* Read message from test server */
ret = ta.Read(&buf, sizeof(buf)); ret = ta.Read(&buf, sizeof(buf));
if (!ret.ok()) { if (!ret.ok()) {
return -1; return -1;