Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 256da5a3 authored by Jeff Sharkey's avatar Jeff Sharkey
Browse files

Add fuzzer for rewritten CursorWindow. 

We recently rewrote CursorWindow, so let's get a fuzzer wired up
to see if it has any bugs.

This change creates a separate "libandroidfw_fuzz" library, since we
can't link to libbinder when building Windows host-side binaries;
the fuzzer doesn't need Window support.

And fix our first vulnerability where getFieldSlot() could be
tricked into reading out of bounds data.

The included corpus seed was generated using this example code:

    CursorWindow* w = nullptr;
    CursorWindow::create(android::String8("test"), 1 << 21, &w);
    w->setNumColumns(3);

    w->allocRow();
    w->putLong(0,0,0xcafe);
    w->putLong(0,1,0xcafe);
    w->putLong(0,2,0xcafe);

    // Row purposefully left empty
    w->allocRow();

    w->allocRow();
    w->putNull(2,0);
    w->putNull(2,1);
    w->putNull(2,2);

    w->allocRow();
    w->putString(3,0,"cafe",5);
    w->putString(3,1,"cafe",5);
    w->putString(3,2,"cafe",5);

    w->allocRow();
    w->putDouble(4,0,3.14159f);
    w->putDouble(4,1,3.14159f);
    w->putDouble(4,2,3.14159f);

    Parcel p;
    w->writeToParcel(&p);

Bug: 169251528
Test: atest libandroidfw_tests:CursorWindowTest
Test: SANITIZE_HOST=address make ${FUZZER_NAME} && ${ANDROID_HOST_OUT}/fuzz/$(get_build_var HOST_ARCH)/${FUZZER_NAME}/${FUZZER_NAME}
Change-Id: I405d377900943de0ad732d3f1a1a0970e17d5140
parent ae2d88a6

libs/androidfw/Android.bp

+18 −0
Original line number Diff line number Diff line
@@ -193,3 +193,21 @@ cc_benchmark { 
    shared_libs: common_test_libs,

    data: ["tests/data/**/*.apk"],

}



cc_library {

    name: "libandroidfw_fuzzer_lib",

    defaults: ["libandroidfw_defaults"],

    host_supported: true,

    srcs: [

        "CursorWindow.cpp",

    ],

    export_include_dirs: ["include"],

    target: {

        android: {

            shared_libs: common_test_libs + ["libbinder", "liblog"],

        },

        host: {

            static_libs: common_test_libs + ["libbinder", "liblog"],

        },

    },

}

libs/androidfw/CursorWindow.cpp

+12 −9
Original line number Diff line number Diff line
@@ -251,7 +251,8 @@ status_t CursorWindow::clear() { 
}



void CursorWindow::updateSlotsData() {

    mSlotsData = static_cast<uint8_t*>(mData) + mSize - kSlotSizeBytes;

    mSlotsStart = static_cast<uint8_t*>(mData) + mSize - kSlotSizeBytes;

    mSlotsEnd = static_cast<uint8_t*>(mData) + mSlotsOffset;

}



void* CursorWindow::offsetToPtr(uint32_t offset, uint32_t bufferSize = 0) {
@@ -300,6 +301,7 @@ status_t CursorWindow::allocRow() { 
    }

    memset(offsetToPtr(newOffset), 0, size);

    mSlotsOffset = newOffset;

    updateSlotsData();

    mNumRows++;

    return OK;

}
@@ -314,6 +316,7 @@ status_t CursorWindow::freeLastRow() { 
        return NO_MEMORY;

    }

    mSlotsOffset = newOffset;

    updateSlotsData();

    mNumRows--;

    return OK;

}
@@ -337,19 +340,19 @@ status_t CursorWindow::alloc(size_t size, uint32_t* outOffset) { 
}



CursorWindow::FieldSlot* CursorWindow::getFieldSlot(uint32_t row, uint32_t column) {

    if (row >= mNumRows || column >= mNumColumns) {

        LOG(ERROR) << "Failed to read row " << row << ", column " << column

                << " from a window with " << mNumRows << " rows, " << mNumColumns << " columns";

        return nullptr;

    }



    // This is carefully tuned to use as few cycles as

    // possible, since this is an extremely hot code path;

    // see CursorWindow_bench.cpp for more details

    void *result = static_cast<uint8_t*>(mSlotsData)

    void *result = static_cast<uint8_t*>(mSlotsStart)

            - (((row * mNumColumns) + column) << kSlotShift);

    if (result < mSlotsEnd || column >= mNumColumns) {

        LOG(ERROR) << "Failed to read row " << row << ", column " << column

                << " from a window with " << mNumRows << " rows, " << mNumColumns << " columns";

        return nullptr;

    } else {

        return static_cast<FieldSlot*>(result);

    }

}



status_t CursorWindow::putBlob(uint32_t row, uint32_t column, const void* value, size_t size) {

    return putBlobOrString(row, column, value, size, FIELD_TYPE_BLOB);

libs/androidfw/fuzz/cursorwindow_fuzzer/Android.bp

0 → 100644
+31 −0
Original line number Diff line number Diff line 
cc_fuzz {

    name: "cursorwindow_fuzzer",

    srcs: [

        "cursorwindow_fuzzer.cpp",

    ],

    host_supported: true,

    corpus: ["corpus/*"],

    static_libs: ["libgmock"],

    target: {

        android: {

            shared_libs: [

                "libandroidfw_fuzzer_lib",

                "libbase",

                "libbinder",

                "libcutils",

                "liblog",

                "libutils",

            ],

        },

        host: {

            static_libs: [

                "libandroidfw_fuzzer_lib",

                "libbase",

                "libbinder",

                "libcutils",

                "liblog",

                "libutils",

            ],

        },

    },

}

libs/androidfw/fuzz/cursorwindow_fuzzer/corpus/typical.bin

0 → 100644
+292 B

File added.

No diff preview for this file type.

View file

libs/androidfw/fuzz/cursorwindow_fuzzer/cursorwindow_fuzzer.cpp

0 → 100644
+78 −0
Original line number Diff line number Diff line 
/*

 * Copyright (C) 2020 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */



#include <stddef.h>

#include <stdint.h>

#include <string.h>

#include <string>

#include <memory>



#include "android-base/logging.h"

#include "androidfw/CursorWindow.h"

#include "binder/Parcel.h"



#include <fuzzer/FuzzedDataProvider.h>



using android::CursorWindow;

using android::Parcel;



extern "C" int LLVMFuzzerInitialize(int *, char ***) {

    setenv("ANDROID_LOG_TAGS", "*:s", 1);

    android::base::InitLogging(nullptr, &android::base::StderrLogger);

    return 0;

}



extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

    Parcel p;

    p.setData(data, size);



    CursorWindow* w = nullptr;

    if (!CursorWindow::createFromParcel(&p, &w)) {

        LOG(WARNING) << "Valid cursor with " << w->getNumRows() << " rows, "

                << w->getNumColumns() << " cols";



        // Try obtaining heap allocations for most items; we trim the

        // search space to speed things up

        auto rows = std::min(w->getNumRows(), static_cast<uint32_t>(128));

        auto cols = std::min(w->getNumColumns(), static_cast<uint32_t>(128));

        for (auto row = 0; row < rows; row++) {

            for (auto col = 0; col < cols; col++) {

                auto field = w->getFieldSlot(row, col);

                if (!field) continue;

                switch (w->getFieldSlotType(field)) {

                case CursorWindow::FIELD_TYPE_STRING: {

                    size_t size;

                    w->getFieldSlotValueString(field, &size);

                    break;

                }

                case CursorWindow::FIELD_TYPE_BLOB: {

                    size_t size;

                    w->getFieldSlotValueBlob(field, &size);

                    break;

                }

                }

            }

        }



        // Finally, try obtaining the furthest valid field

        if (rows > 0 && cols > 0) {

            w->getFieldSlot(w->getNumRows() - 1, w->getNumColumns() - 1);

        }

    }

    delete w;



    return 0;

}