Merge changes from topic "libmtpFuzzers" am: f9d7ef89 am: 744263bf am:...

    ],

    ],

}

}

cc_library_shared {

cc_defaults {

    name: "libmtp",

    name: "libmtp_defaults",

    srcs: [

    srcs: [

        "MtpDataPacket.cpp",

        "MtpDataPacket.cpp",

        "MtpDebug.cpp",

        "MtpDebug.cpp",

    ],

    ],

    header_libs: ["libcutils_headers"],

    header_libs: ["libcutils_headers"],

}

}

cc_library_shared {

    name: "libmtp",

    defaults: ["libmtp_defaults"],

}

cc_library_shared {

    name: "libmtp_fuzz",

    defaults: ["libmtp_defaults"],

    cflags: ["-DMTP_FUZZER"],

}

namespace android {

namespace android {

#ifdef MTP_FUZZER

constexpr char FFS_MTP_EP0[] = "/data/local/tmp/usb-ffs/mtp/ep0";

constexpr char FFS_MTP_EP_IN[] = "/data/local/tmp/usb-ffs/mtp/ep1";

constexpr char FFS_MTP_EP_OUT[] = "/data/local/tmp/usb-ffs/mtp/ep2";

constexpr char FFS_MTP_EP_INTR[] = "/data/local/tmp/usb-ffs/mtp/ep3";

constexpr char FFS_PTP_EP0[] = "/data/local/tmp/usb-ffs/ptp/ep0";

constexpr char FFS_PTP_EP_IN[] = "/data/local/tmp/usb-ffs/ptp/ep1";

constexpr char FFS_PTP_EP_OUT[] = "/data/local/tmp/usb-ffs/ptp/ep2";

constexpr char FFS_PTP_EP_INTR[] = "/data/local/tmp/usb-ffs/ptp/ep3";

#else

constexpr char FFS_MTP_EP0[] = "/dev/usb-ffs/mtp/ep0";

constexpr char FFS_MTP_EP0[] = "/dev/usb-ffs/mtp/ep0";

constexpr char FFS_MTP_EP_IN[] = "/dev/usb-ffs/mtp/ep1";

constexpr char FFS_MTP_EP_IN[] = "/dev/usb-ffs/mtp/ep1";

constexpr char FFS_MTP_EP_OUT[] = "/dev/usb-ffs/mtp/ep2";

constexpr char FFS_MTP_EP_OUT[] = "/dev/usb-ffs/mtp/ep2";

constexpr char FFS_PTP_EP_IN[] = "/dev/usb-ffs/ptp/ep1";

constexpr char FFS_PTP_EP_IN[] = "/dev/usb-ffs/ptp/ep1";

constexpr char FFS_PTP_EP_OUT[] = "/dev/usb-ffs/ptp/ep2";

constexpr char FFS_PTP_EP_OUT[] = "/dev/usb-ffs/ptp/ep2";

constexpr char FFS_PTP_EP_INTR[] = "/dev/usb-ffs/ptp/ep3";

constexpr char FFS_PTP_EP_INTR[] = "/dev/usb-ffs/ptp/ep3";

#endif

constexpr int MAX_PACKET_SIZE_FS = 64;

constexpr int MAX_PACKET_SIZE_FS = 64;

constexpr int MAX_PACKET_SIZE_HS = 512;

constexpr int MAX_PACKET_SIZE_HS = 512;

    dictionary: "mtp_fuzzer.dict",

    dictionary: "mtp_fuzzer.dict",

    corpus: ["corpus/*"],

    corpus: ["corpus/*"],

}

}

cc_defaults {

    name: "mtp_property_fuzzer_defaults",

    srcs: ["mtp_property_fuzzer.cpp"],

    shared_libs: [

        "libmtp",

        "libasyncio",

        "libusbhost",

    ],

    defaults: ["mtp_fuzzer_defaults"],

}

cc_fuzz {

     name: "mtp_device_property_fuzzer",

     defaults: ["mtp_property_fuzzer_defaults"],

     cflags: [

         "-DMTP_DEVICE",

     ],

}

cc_fuzz {

     name: "mtp_host_property_fuzzer",

     defaults: ["mtp_property_fuzzer_defaults"],

     cflags: [

         "-DMTP_HOST",

     ],

}

cc_fuzz {

    name: "mtp_handle_fuzzer",

    srcs: ["mtp_handle_fuzzer.cpp"],

    shared_libs: ["libmtp_fuzz"],

    defaults: ["mtp_fuzzer_defaults"],

    cflags: ["-DMTP_FUZZER"],

}

cc_defaults  {

     name: "mtp_packet_defaults",

     shared_libs: [

        "libmtp",

        "libasyncio",

        "libusbhost",

     ],

     defaults: ["mtp_fuzzer_defaults"],

     cflags: [

         "-DMTP_HOST",

         "-DMTP_DEVICE",

     ],

}

cc_fuzz {

     name: "mtp_packet_fuzzer",

     srcs: ["mtp_packet_fuzzer.cpp"],

     defaults: ["mtp_packet_defaults"],

}

cc_fuzz {

     name: "mtp_device_fuzzer",

     srcs: ["mtp_device_fuzzer.cpp"],

     shared_libs: [

        "libmtp",

        "libusbhost",

     ],

     defaults: ["mtp_fuzzer_defaults"],

     cflags: [

         "-DMTP_DEVICE",

     ],

}

cc_fuzz {

     name: "mtp_request_packet_fuzzer",

     srcs: ["mtp_request_packet_fuzzer.cpp"],

     defaults: ["mtp_packet_defaults"],

}

cc_fuzz {

     name: "mtp_event_packet_fuzzer",

     srcs: ["mtp_event_packet_fuzzer.cpp"],

     defaults: ["mtp_packet_defaults"],

}

cc_fuzz {

     name: "mtp_response_packet_fuzzer",

     srcs: ["mtp_response_packet_fuzzer.cpp"],

     defaults: ["mtp_packet_defaults"],

}

cc_fuzz {

     name: "mtp_data_packet_fuzzer",

     srcs: ["mtp_data_packet_fuzzer.cpp"],

     defaults: ["mtp_packet_defaults"],

}

/*

 * Copyright (C) 2022 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#include <MtpStringBuffer.h>

#include <fuzzer/FuzzedDataProvider.h>

#include <linux/usbdevice_fs.h>

#include <sys/mman.h>

#include <usbhost/usbhost.h>

#include <MtpTypes.h>

using namespace android;

constexpr UrbPacketDivisionMode kUrbPacketDivisionModes[] = {FIRST_PACKET_ONLY_HEADER,

                                                             FIRST_PACKET_HAS_PAYLOAD};

constexpr size_t kMinSize = 0;

constexpr size_t kMaxSize = 1000;

constexpr size_t kMaxLength = 1000;

class MtpPacketFuzzerUtils {

  protected:

    struct usb_request mUsbRequest;

    struct usbdevfs_urb* mUsbDevFsUrb;

    std::string mPath;

    void fillFd(int32_t& fd, FuzzedDataProvider* fdp) {

        if (fdp->ConsumeBool()) {

            std::string text = fdp->ConsumeRandomLengthString(kMaxLength);

            write(fd, text.c_str(), text.length());

        }

    };

    void fillFilePath(FuzzedDataProvider* fdp) {

       mPath= fdp->ConsumeRandomLengthString(kMaxLength);

    };

    void fillUsbDevFsUrb(FuzzedDataProvider* fdp) {

        mUsbDevFsUrb->type = fdp->ConsumeIntegral<unsigned char>();

        mUsbDevFsUrb->endpoint = fdp->ConsumeIntegral<unsigned char>();

        mUsbDevFsUrb->flags = fdp->ConsumeIntegral<uint32_t>();

        std::vector<uint8_t> buffer =

                fdp->ConsumeBytes<uint8_t>(fdp->ConsumeIntegralInRange<size_t>(kMinSize, kMaxSize));

        mUsbDevFsUrb->buffer = static_cast<void*>(buffer.data());

        mUsbDevFsUrb->buffer_length = buffer.size();

        mUsbDevFsUrb->actual_length = fdp->ConsumeIntegral<uint32_t>();

        mUsbDevFsUrb->start_frame = fdp->ConsumeIntegral<uint32_t>();

        mUsbDevFsUrb->number_of_packets = fdp->ConsumeIntegral<uint32_t>();

        mUsbDevFsUrb->stream_id = fdp->ConsumeIntegral<uint32_t>();

        mUsbDevFsUrb->error_count = fdp->ConsumeIntegral<size_t>();

        mUsbDevFsUrb->signr = fdp->ConsumeIntegral<uint32_t>();

        std::vector<uint8_t> userBuffer = (fdp->ConsumeBytes<uint8_t>(

                fdp->ConsumeIntegralInRange<size_t>(kMinSize, kMaxSize)));

        mUsbDevFsUrb->usercontext = static_cast<void*>(userBuffer.data());

        mUsbDevFsUrb->iso_frame_desc[0].length = fdp->ConsumeIntegral<uint32_t>();

        mUsbDevFsUrb->iso_frame_desc[0].actual_length = fdp->ConsumeIntegral<uint32_t>();

    };

    void fillUsbRequest(int32_t& fd, FuzzedDataProvider* fdp) {

        fillUsbDevFsUrb(fdp);

        fillFd(fd, fdp);

        std::vector<uint8_t> buffer =

                fdp->ConsumeBytes<uint8_t>(fdp->ConsumeIntegralInRange<size_t>(kMinSize, kMaxSize));

        mUsbRequest.buffer = static_cast<void*>(buffer.data());

        mUsbRequest.buffer_length = buffer.size();

        mUsbRequest.actual_length = fdp->ConsumeIntegralInRange<size_t>(kMinSize, kMaxSize);

        mUsbRequest.max_packet_size = fdp->ConsumeIntegralInRange<size_t>(kMinSize, kMaxSize);

        mUsbRequest.private_data = static_cast<void*>(mUsbDevFsUrb);

        mUsbRequest.endpoint = fdp->ConsumeIntegralInRange<size_t>(kMinSize, kMaxSize);

        std::vector<uint8_t> clientBuffer = (fdp->ConsumeBytes<uint8_t>(

                fdp->ConsumeIntegralInRange<size_t>(kMinSize, kMaxSize)));

        mUsbRequest.client_data = static_cast<void*>(clientBuffer.data());

    };

    template <typename Object>

    void writeHandle(Object obj, FuzzedDataProvider* fdp) {

        MtpDevHandle handle;

        std::vector<uint8_t> initData =

                fdp->ConsumeBytes<uint8_t>(fdp->ConsumeIntegralInRange<size_t>(kMinSize, kMaxSize));

        handle.write(initData.data(), initData.size());

        obj->write(&handle);

    };

};

## Table of contents

## Table of contents

+ [mtp_fuzzer](#MtpServer)

+ [mtp_fuzzer](#MtpServer)

+ [mtp_host_property_fuzzer](#MtpHostProperty)

+ [mtp_device_property_fuzzer](#MtpDeviceProperty)

+ [mtp_handle_fuzzer](#MtpHandle)

+ [mtp_packet_fuzzer](#MtpPacket)

 + [mtp_device_fuzzer](#MtpDevice)

+ [mtp_request_packet_fuzzer](#MtpRequestPacket)

+ [mtp_event_packet_fuzzer](#MtpEventPacket)

+ [mtp_response_packet_fuzzer](#MtpResponsePacket)

+ [mtp_data_packet_fuzzer](#MtpDataPacket)

# <a name="MtpServer"></a> Fuzzer for MtpServer

# <a name="MtpServer"></a> Fuzzer for MtpServer

  $ adb sync data

  $ adb sync data

  $ adb shell /data/fuzz/arm64/mtp_fuzzer/mtp_fuzzer corpus/ -dict=mtp_fuzzer.dict

  $ adb shell /data/fuzz/arm64/mtp_fuzzer/mtp_fuzzer corpus/ -dict=mtp_fuzzer.dict

```

```

# <a name="MtpHostProperty"></a> Fuzzer for MtpHostProperty

MtpHostProperty supports the following parameters:

1. Feasible Type (parameter name: "kFeasibleTypes")

2. UrbPacket Division Mode (parameter name: "kUrbPacketDivisionModes")

| Parameter| Valid Values |Configured Value|

|-------------|----------|----- |

| `kFeasibleType`| 1. `MTP_TYPE_UNDEFINED`, 2. `MTP_TYPE_INT8`, 3.`MTP_TYPE_UINT8`, 4.`MTP_TYPE_INT16`, 5.`MTP_TYPE_UINT16`, 6.`MTP_TYPE_INT32`, 7.`MTP_TYPE_UINT32`, 8.`MTP_TYPE_INT64`, 9.`MTP_TYPE_UINT64`, 10.`MTP_TYPE_INT128`, 11.`MTP_TYPE_UINT128`, 12.`MTP_TYPE_AINT8`, 13.`MTP_TYPE_AUINT8`, 14.`MTP_TYPE_AINT16`, 15.`MTP_TYPE_AUINT16`, 16.`MTP_TYPE_AINT32`, 17.`MTP_TYPE_AUINT32`, 18.`MTP_TYPE_AINT64`, 19.`MTP_TYPE_AUINT64`, 20.`MTP_TYPE_AINT128`, 21.`MTP_TYPE_AUINT128`, 22.`MTP_TYPE_STR`,| Value obtained from FuzzedDataProvider|

|`kUrbPacketDivisionMode`| 1. `FIRST_PACKET_ONLY_HEADER`, 2. `FIRST_PACKET_HAS_PAYLOAD`, |Value obtained from FuzzedDataProvider|

#### Steps to run

1. Build the fuzzer

```

  $ mm -j$(nproc) mtp_host_property_fuzzer

```

2. Run on device

```

  $ adb sync data

  $ adb shell /data/fuzz/arm64/mtp_host_property_fuzzer/mtp_host_property_fuzzer

```

# <a name="MtpDeviceProperty"></a> Fuzzer for MtpDeviceProperty

MtpDeviceProperty supports the following parameters:

1. Feasible Type (parameter name: "kFeasibleType")

| Parameter| Valid Values |Configured Value|

|-------------|----------|----- |

| `kFeasibleType`| 1. `MTP_TYPE_UNDEFINED`, 2. `MTP_TYPE_INT8`, 3.`MTP_TYPE_UINT8`, 4.`MTP_TYPE_INT16`, 5.`MTP_TYPE_UINT16`, 6.`MTP_TYPE_INT32`, 7.`MTP_TYPE_UINT32`, 8.`MTP_TYPE_INT64`, 9.`MTP_TYPE_UINT64`, 10.`MTP_TYPE_INT128`, 11.`MTP_TYPE_UINT128`, 12.`MTP_TYPE_AINT8`, 13.`MTP_TYPE_AUINT8`, 14.`MTP_TYPE_AINT16`, 15.`MTP_TYPE_AUINT16`, 16.`MTP_TYPE_AINT32`, 17.`MTP_TYPE_AUINT32`, 18.`MTP_TYPE_AINT64`, 19.`MTP_TYPE_AUINT64`, 20.`MTP_TYPE_AINT128`, 21.`MTP_TYPE_AUINT128`, 22.`MTP_TYPE_STR`,| Value obtained from FuzzedDataProvider|

#### Steps to run

1. Build the fuzzer

```

  $ mm -j$(nproc) mtp_device_property_fuzzer

```

2. Run on device

```

  $ adb sync data

  $ adb shell /data/fuzz/arm64/mtp_device_property_fuzzer/mtp_device_property_fuzzer

```

# <a name="MtpHandle"></a>Fuzzer for MtpHandle

#### Steps to run

1. Build the fuzzer

```

  $ mm -j$(nproc) mtp_handle_fuzzer

```

2. Run on device

```

  $ adb sync data

  $ adb shell /data/fuzz/arm64/mtp_handle_fuzzer/mtp_handle_fuzzer

```

# <a name="MtpPacket"></a> Fuzzer for MtpPacket

MtpPacket supports the following parameters:

1. bufferSize (parameter name: "size")

| Parameter| Valid Values |Configured Value|

|-------------|----------|----- |

|`bufferSize`| Integer `1` to `1000`, |Value obtained from FuzzedDataProvider|

#### Steps to run

1. Build the fuzzer

```

  $ mm -j$(nproc) mtp_packet_fuzzer

```

2. Run on device

```

  $ adb sync data

  $ adb shell /data/fuzz/arm64/mtp_packet_fuzzer/mtp_packet_fuzzer

```

# <a name="MtpDevice"></a> Fuzzer for MtpDevice

MtpDevice supports the following parameters:

1. Device Name (parameter name: "deviceName")

| Parameter| Valid Values |Configured Value|

|-------------|----------|----- |

|`deviceName`| `String` |Value obtained from FuzzedDataProvider|

#### Steps to run

1. Build the fuzzer

```

  $ mm -j$(nproc) mtp_device_fuzzer

```

2. Run on device

```

  $ adb sync data

  $ adb shell /data/fuzz/arm64/mtp_device_fuzzer/mtp_device_fuzzer

```

# <a name="MtpRequestPacket"></a> Fuzzer for MtpRequestPacket

MtpRequestPacket supports the following parameters:

1. Data (parameter name: "data")

| Parameter| Valid Values |Configured Value|

|-------------|----------|----- |

|`data`| Vector of positive Integer |Value obtained from FuzzedDataProvider|

#### Steps to run

1. Build the fuzzer

```

  $ mm -j$(nproc) mtp_request_packet_fuzzer

```

2. Run on device

```

  $ adb sync data

  $ adb shell /data/fuzz/arm64/mtp_request_packet_fuzzer/mtp_request_packet_fuzzer

```

# <a name="MtpEventPacket"></a> Fuzzer for MtpEventPacket

MtpEventPacket supports the following parameters:

1. Size (parameter name: "size")

| Parameter| Valid Values |Configured Value|

|-------------|----------|----- |

|`size`| Integer `1` to `1000`, |Value obtained from FuzzedDataProvider|

#### Steps to run

1. Build the fuzzer

```

  $ mm -j$(nproc) mtp_event_packet_fuzzer

```

2. Run on device

```

  $ adb sync data

  $ adb shell /data/fuzz/arm64/mtp_event_packet_fuzzer/mtp_event_packet_fuzzer

```

# <a name="MtpResponsePacket"></a> Fuzzer for MtpResponsePacket

MtpResponsePacket supports the following parameters:

1. Size (parameter name: "size")

| Parameter| Valid Values |Configured Value|

|-------------|----------|----- |

|`size`| Integer `1` to `1000`, |Value obtained from FuzzedDataProvider|

#### Steps to run

1. Build the fuzzer

```

  $ mm -j$(nproc) mtp_response_packet_fuzzer

```

2. Run on device

```

  $ adb sync data

  $ adb shell /data/fuzz/arm64/mtp_response_packet_fuzzer/mtp_response_packet_fuzzer

```

# <a name="MtpDataPacket"></a> Fuzzer for MtpDataPacket

MtpDataPacket supports the following parameters:

1. UrbPacket Division Mode (parameter name: "kUrbPacketDivisionModes")

2. Size (parameter name: "size")

| Parameter| Valid Values |Configured Value|

|-------------|----------|----- |

|`kUrbPacketDivisionMode`| 1. `FIRST_PACKET_ONLY_HEADER`, 2. `FIRST_PACKET_HAS_PAYLOAD`, |Value obtained from FuzzedDataProvider|

|`size`| Integer `1` to `1000`, |Value obtained from FuzzedDataProvider|

#### Steps to run

1. Build the fuzzer

```

  $ mm -j$(nproc) mtp_data_packet_fuzzer

```

2. Run on device

```

  $ adb sync data

  $ adb shell /data/fuzz/arm64/mtp_data_packet_fuzzer/mtp_data_packet_fuzzer

```