
Commit ceddb6f3 authored by kfcchen's avatar kfcchen

Add fuzzing test on function resolv_getaddrinfo for DnsResolver.

Bug: 240913174

Test: see go/android-fuzzing-run or use the commands below

 # Build & run
FUZZER_NAME=resolv_getaddrinfo_fuzzer
DEVICE_TRACE_PATH=/data/fuzz/$(get_build_var TARGET_ARCH)/${FUZZER_NAME}/data.profraw
CLANG_COVERAGE=true NATIVE_COVERAGE_PATHS='*' make ${FUZZER_NAME}
adb sync data && adb shell LLVM_PROFILE_FILE=${DEVICE_TRACE_PATH} /data/fuzz/$(get_build_var TARGET_ARCH)/${FUZZER_NAME}/${FUZZER_NAME} -runs=10000

 # Check results
adb pull ${DEVICE_TRACE_PATH} data.profraw
llvm-profdata merge --sparse data.profraw --output data.profdata
llvm-cov show --format=html --instr-profile=data.profdata ${ANDROID_PRODUCT_OUT}/symbols/data/fuzz/$(get_build_var TARGET_ARCH)/${FUZZER_NAME}/${FUZZER_NAME} --ignore-filename-regex='\/frameworks\/' --ignore-filename-regex='\/rust\/crates\/' --ignore-filename-regex='\/system\/' --ignore-filename-regex='\/external\/' --ignore-filename-regex='\/\.intermediates\/' --output-dir=coverage-html

Change-Id: I02545dbe615d64345825a99ccaac2f1df0ef9431
parent d3dd6915
+6 −0
@@ -384,3 +384,9 @@ cc_fuzz {
    defaults: ["resolv_fuzzer_defaults"],
    srcs: ["fuzzer/resolv_gethostbyaddr_fuzzer.cpp"],
}

cc_fuzz {
    name: "resolv_getaddrinfo_fuzzer",
    defaults: ["resolv_fuzzer_defaults"],
    srcs: ["fuzzer/resolv_getaddrinfo_fuzzer.cpp"],
}
+52 −0
#include "resolv_fuzzer_utils.h"

namespace android::net {
namespace {

// Tests resolv_getaddrinfo.
void TestResolvGetaddrinfo(FuzzedDataProvider& fdp) {
    std::string hostname = fdp.ConsumeRandomLengthString(MAXHOSTNAMELEN);
    std::string servname = fdp.ConsumeRandomLengthString(MAXHOSTNAMELEN);
    // All valid address families in socket.h, e.g. AF_INET.
    int af = fdp.ConsumeIntegralInRange<int>(0, AF_MAX);
    int socktype = RandomSocketType(fdp);
    addrinfo hints = {.ai_family = af, .ai_socktype = socktype};
    addrinfo* result;
    NetworkDnsEventReported event;

    resolv_getaddrinfo(hostname.c_str(), fdp.ConsumeBool() ? servname.c_str() : nullptr,
                       fdp.ConsumeBool() ? &hints : nullptr, &mNetContext, &result, &event);
}

}  // namespace

// Entry point of fuzzing test.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    [[maybe_unused]] static bool initialized = DoInit();
    // Sets delayQueries to let DnsTlsFrontend handle 2 queries at once.
    // If the Address Family is AF_UNSPEC, the frontend will receive both ipv4 and ipv6 queries.
    // Without setting delayQueries, the second query's connection between the dns_tls_frontend and
    // the fuzzing test may be closed and cause SSL_ERROR_SYSCALL. Then, the service will crash
    // after calling SSL_shutdown.
    // TODO: Make the test work without seeing delayQueries.
    dot.setDelayQueries(2);
    dot.setDelayQueriesTimeout(1000);
    FuzzedDataProvider fdp(data, size);

    // Chooses doh or dot.
    std::string flag = fdp.PickValueInArray({"0", "1"});
    ScopedSystemProperties sp(kDohFlag, flag);
    android::net::Experiments::getInstance()->update();

    auto parcel = DnsResponderClient::GetDefaultResolverParamsParcel();
    // Chooses private DNS or not.
    if (fdp.ConsumeBool()) parcel.tlsServers = {};
    resolverCtrl.setResolverConfiguration(parcel);

    TestResolvGetaddrinfo(fdp);

    CleanUp();
    return 0;
}

}  // namespace android::net
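Review bot: `result` in TestResolvGetaddrinfo is declared uninitialized and never released after the `resolv_getaddrinfo` call, so any list the resolver hands back would leak on every iteration; over a long fuzzing run that grows memory and can produce leak reports that bury real findings. Assuming the list is meant to be released with `freeaddrinfo` as for the libc getaddrinfo (the ownership contract is not visible in this file), I would declare `addrinfo* result = nullptr;` and add `if (result != nullptr) freeaddrinfo(result);` after the call. Separately, the two `fdp.ConsumeBool()` calls sit in one argument list, where evaluation order is unspecified, so the same input can select different servname/hints combinations under different compilers; consuming both booleans into named locals before the call keeps crash inputs reproducible.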