Loading system/gd/hal/fuzz/fuzz_hci_hal.cc +16 −0 Original line number Diff line number Diff line Loading @@ -21,6 +21,7 @@ namespace bluetooth { namespace hal { namespace fuzz { using bluetooth::fuzz::GetArbitraryBytes; void FuzzHciHal::registerIncomingPacketCallback(HciHalCallbacks* callbacks) { callbacks_ = callbacks; Loading @@ -30,6 +31,21 @@ void FuzzHciHal::unregisterIncomingPacketCallback() { callbacks_ = nullptr; } void FuzzHciHal::injectArbitrary(FuzzedDataProvider& fdp) { const uint8_t action = fdp.ConsumeIntegralInRange(0, 3); switch (action) { case 1: injectAclData(GetArbitraryBytes(&fdp)); break; case 2: injectHciEvent(GetArbitraryBytes(&fdp)); break; case 3: injectScoData(GetArbitraryBytes(&fdp)); break; } } void FuzzHciHal::sendHciCommand(HciPacket packet) { hci::CommandPacketView command = hci::CommandPacketView::FromBytes(packet); if (!command.IsValid()) { Loading system/gd/hal/fuzz/fuzz_hci_hal.h +5 −3 Original line number Diff line number Diff line Loading @@ -33,9 +33,7 @@ class FuzzHciHal : public HciHal { void sendAclData(HciPacket packet) override {} void sendScoData(HciPacket packet) override {} void injectAclData(std::vector<uint8_t> data); void injectHciEvent(std::vector<uint8_t> data); void injectScoData(std::vector<uint8_t> data); void injectArbitrary(FuzzedDataProvider& fdp); std::string ToString() const override { return "HciHalFuzz"; Loading @@ -49,6 +47,10 @@ class FuzzHciHal : public HciHal { void Stop() override {} private: void injectAclData(std::vector<uint8_t> data); void injectHciEvent(std::vector<uint8_t> data); void injectScoData(std::vector<uint8_t> data); HciHalCallbacks* callbacks_; hci::OpCode waiting_opcode_; bool waiting_for_status_; Loading system/gd/hci/fuzz/acl_manager_fuzz_test.cc +2 −2 Original line number Diff line number Diff line Loading @@ -43,13 +43,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { moduleRegistry.Start<AclManager>(); while (dataProvider.remaining_bytes() > 0) { const uint8_t action = dataProvider.ConsumeIntegralInRange(0, 12); const uint8_t action = dataProvider.ConsumeIntegralInRange(0, 2); switch (action) { case 1: fake_timerfd_advance(dataProvider.ConsumeIntegral<uint64_t>()); break; case 2: fuzzHci->injectAclData(GetArbitraryBytes(&dataProvider)); fuzzHci->injectArbitrary(dataProvider); break; } } Loading system/gd/hci/fuzz/fuzz_hci_layer.cc +11 −0 Original line number Diff line number Diff line Loading @@ -15,12 +15,14 @@ */ #include "hci/fuzz/fuzz_hci_layer.h" #include "fuzz/helpers.h" namespace bluetooth { namespace hci { namespace fuzz { using bluetooth::common::ContextualCallback; using bluetooth::fuzz::GetArbitraryBytes; common::BidiQueueEnd<hci::AclPacketBuilder, hci::AclPacketView>* FuzzHciLayer::GetAclQueueEnd() { return acl_queue_.GetUpEnd(); Loading Loading @@ -70,6 +72,15 @@ void FuzzHciLayer::Stop() { delete acl_inject_; } void FuzzHciLayer::injectArbitrary(FuzzedDataProvider& fdp) { const uint8_t action = fdp.ConsumeIntegralInRange(0, 1); switch (action) { case 1: injectAclData(GetArbitraryBytes(&fdp)); break; } } void FuzzHciLayer::injectAclData(std::vector<uint8_t> data) { hci::AclPacketView aclPacket = hci::AclPacketView::FromBytes(data); if (!aclPacket.IsValid()) { Loading system/gd/hci/fuzz/fuzz_hci_layer.h +5 −1 Original line number Diff line number Diff line Loading @@ -21,6 +21,8 @@ #include "os/fuzz/dev_null_queue.h" #include "os/fuzz/fuzz_inject_queue.h" #include <fuzzer/FuzzedDataProvider.h> namespace bluetooth { namespace hci { namespace fuzz { Loading Loading @@ -75,7 +77,7 @@ class FuzzHciLayer : public HciLayer { hci::LeScanningInterface* GetLeScanningInterface( common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override; void injectAclData(std::vector<uint8_t> data); void injectArbitrary(FuzzedDataProvider& fdp); std::string ToString() const override { return "FuzzHciLayer"; Loading @@ -89,6 +91,8 @@ class FuzzHciLayer : public HciLayer { void Stop() override; private: void injectAclData(std::vector<uint8_t> data); common::BidiQueue<hci::AclPacketView, hci::AclPacketBuilder> acl_queue_{3}; os::fuzz::DevNullQueue<AclPacketBuilder>* acl_dev_null_; os::fuzz::FuzzInjectQueue<AclPacketView>* acl_inject_; Loading Loading
system/gd/hal/fuzz/fuzz_hci_hal.cc +16 −0 Original line number Diff line number Diff line Loading @@ -21,6 +21,7 @@ namespace bluetooth { namespace hal { namespace fuzz { using bluetooth::fuzz::GetArbitraryBytes; void FuzzHciHal::registerIncomingPacketCallback(HciHalCallbacks* callbacks) { callbacks_ = callbacks; Loading @@ -30,6 +31,21 @@ void FuzzHciHal::unregisterIncomingPacketCallback() { callbacks_ = nullptr; } void FuzzHciHal::injectArbitrary(FuzzedDataProvider& fdp) { const uint8_t action = fdp.ConsumeIntegralInRange(0, 3); switch (action) { case 1: injectAclData(GetArbitraryBytes(&fdp)); break; case 2: injectHciEvent(GetArbitraryBytes(&fdp)); break; case 3: injectScoData(GetArbitraryBytes(&fdp)); break; } } void FuzzHciHal::sendHciCommand(HciPacket packet) { hci::CommandPacketView command = hci::CommandPacketView::FromBytes(packet); if (!command.IsValid()) { Loading
system/gd/hal/fuzz/fuzz_hci_hal.h +5 −3 Original line number Diff line number Diff line Loading @@ -33,9 +33,7 @@ class FuzzHciHal : public HciHal { void sendAclData(HciPacket packet) override {} void sendScoData(HciPacket packet) override {} void injectAclData(std::vector<uint8_t> data); void injectHciEvent(std::vector<uint8_t> data); void injectScoData(std::vector<uint8_t> data); void injectArbitrary(FuzzedDataProvider& fdp); std::string ToString() const override { return "HciHalFuzz"; Loading @@ -49,6 +47,10 @@ class FuzzHciHal : public HciHal { void Stop() override {} private: void injectAclData(std::vector<uint8_t> data); void injectHciEvent(std::vector<uint8_t> data); void injectScoData(std::vector<uint8_t> data); HciHalCallbacks* callbacks_; hci::OpCode waiting_opcode_; bool waiting_for_status_; Loading
system/gd/hci/fuzz/acl_manager_fuzz_test.cc +2 −2 Original line number Diff line number Diff line Loading @@ -43,13 +43,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { moduleRegistry.Start<AclManager>(); while (dataProvider.remaining_bytes() > 0) { const uint8_t action = dataProvider.ConsumeIntegralInRange(0, 12); const uint8_t action = dataProvider.ConsumeIntegralInRange(0, 2); switch (action) { case 1: fake_timerfd_advance(dataProvider.ConsumeIntegral<uint64_t>()); break; case 2: fuzzHci->injectAclData(GetArbitraryBytes(&dataProvider)); fuzzHci->injectArbitrary(dataProvider); break; } } Loading
system/gd/hci/fuzz/fuzz_hci_layer.cc +11 −0 Original line number Diff line number Diff line Loading @@ -15,12 +15,14 @@ */ #include "hci/fuzz/fuzz_hci_layer.h" #include "fuzz/helpers.h" namespace bluetooth { namespace hci { namespace fuzz { using bluetooth::common::ContextualCallback; using bluetooth::fuzz::GetArbitraryBytes; common::BidiQueueEnd<hci::AclPacketBuilder, hci::AclPacketView>* FuzzHciLayer::GetAclQueueEnd() { return acl_queue_.GetUpEnd(); Loading Loading @@ -70,6 +72,15 @@ void FuzzHciLayer::Stop() { delete acl_inject_; } void FuzzHciLayer::injectArbitrary(FuzzedDataProvider& fdp) { const uint8_t action = fdp.ConsumeIntegralInRange(0, 1); switch (action) { case 1: injectAclData(GetArbitraryBytes(&fdp)); break; } } void FuzzHciLayer::injectAclData(std::vector<uint8_t> data) { hci::AclPacketView aclPacket = hci::AclPacketView::FromBytes(data); if (!aclPacket.IsValid()) { Loading
system/gd/hci/fuzz/fuzz_hci_layer.h +5 −1 Original line number Diff line number Diff line Loading @@ -21,6 +21,8 @@ #include "os/fuzz/dev_null_queue.h" #include "os/fuzz/fuzz_inject_queue.h" #include <fuzzer/FuzzedDataProvider.h> namespace bluetooth { namespace hci { namespace fuzz { Loading Loading @@ -75,7 +77,7 @@ class FuzzHciLayer : public HciLayer { hci::LeScanningInterface* GetLeScanningInterface( common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override; void injectAclData(std::vector<uint8_t> data); void injectArbitrary(FuzzedDataProvider& fdp); std::string ToString() const override { return "FuzzHciLayer"; Loading @@ -89,6 +91,8 @@ class FuzzHciLayer : public HciLayer { void Stop() override; private: void injectAclData(std::vector<uint8_t> data); common::BidiQueue<hci::AclPacketView, hci::AclPacketBuilder> acl_queue_{3}; os::fuzz::DevNullQueue<AclPacketBuilder>* acl_dev_null_; os::fuzz::FuzzInjectQueue<AclPacketView>* acl_inject_; Loading
