
Commit 69f13a67 authored by Zach Johnson's avatar Zach Johnson

Reorganize fuzz tests to use injectArbitrary

Have each test fixture do its own arbitrary fuzzing
based on its API surface, instead of requiring
fuzz tests themselves to know what the surface is
and keep up to date.

This will allow us to reuse test fixtures in multiple
fuzz tests without needing to manually keep all of them
up to date with surface changes.

Test: fuzz/run --host bluetooth_gd_acl_manager_fuzz_test
Test: fuzz/run --host bluetooth_gd_hci_layer_fuzz_test
Change-Id: Ibf4958fecc98fdf1f6526b0439a36d69b0f6286e
parent 3e8854a1
+16 −0
@@ -21,6 +21,7 @@
namespace bluetooth {
namespace hal {
namespace fuzz {
using bluetooth::fuzz::GetArbitraryBytes;

void FuzzHciHal::registerIncomingPacketCallback(HciHalCallbacks* callbacks) {
  callbacks_ = callbacks;
@@ -30,6 +31,21 @@ void FuzzHciHal::unregisterIncomingPacketCallback() {
  callbacks_ = nullptr;
}

void FuzzHciHal::injectArbitrary(FuzzedDataProvider& fdp) {
  const uint8_t action = fdp.ConsumeIntegralInRange(0, 3);
  switch (action) {
    case 1:
      injectAclData(GetArbitraryBytes(&fdp));
      break;
    case 2:
      injectHciEvent(GetArbitraryBytes(&fdp));
      break;
    case 3:
      injectScoData(GetArbitraryBytes(&fdp));
      break;
  }
}

void FuzzHciHal::sendHciCommand(HciPacket packet) {
  hci::CommandPacketView command = hci::CommandPacketView::FromBytes(packet);
  if (!command.IsValid()) {
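Review bot: The action byte in injectArbitrary has no comment explaining why value 0 is a silent no-op, and the reason matters: FuzzedDataProvider::ConsumeIntegralInRange returns the range minimum once the input is exhausted, so 0 is also what an empty provider yields and the fall-through is deliberate rather than a missing case. I would add above the switch `// One byte selects an action; 0 (also what an exhausted provider returns) is a deliberate no-op.` The template argument is also deduced as int from the literals and then narrowed into the uint8_t `action`; `const uint8_t action = fdp.ConsumeIntegralInRange<uint8_t>(0, 3);` states the intent and avoids the implicit narrowing. sendHciCommand continues past the end of the hunk.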
+5 −3
@@ -33,9 +33,7 @@ class FuzzHciHal : public HciHal {
  void sendAclData(HciPacket packet) override {}
  void sendScoData(HciPacket packet) override {}

  void injectAclData(std::vector<uint8_t> data);
  void injectHciEvent(std::vector<uint8_t> data);
  void injectScoData(std::vector<uint8_t> data);
  void injectArbitrary(FuzzedDataProvider& fdp);

  std::string ToString() const override {
    return "HciHalFuzz";
@@ -49,6 +47,10 @@ class FuzzHciHal : public HciHal {
  void Stop() override {}

 private:
  void injectAclData(std::vector<uint8_t> data);
  void injectHciEvent(std::vector<uint8_t> data);
  void injectScoData(std::vector<uint8_t> data);

  HciHalCallbacks* callbacks_;
  hci::OpCode waiting_opcode_;
  bool waiting_for_status_;
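Review bot: The header now names FuzzedDataProvider in the public signature `void injectArbitrary(FuzzedDataProvider& fdp);`, but this hunk adds no include for it, whereas the matching fuzz_hci_layer.h hunk in this same commit adds `#include <fuzzer/FuzzedDataProvider.h>`. The include list is above this hunk so I cannot see it; if fuzz_hci_hal.h only gets the type transitively, any translation unit that includes this header first will fail to compile, so the same include should be added here for consistency. The FuzzHciHal class definition starts and ends outside the hunk.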
+2 −2
@@ -43,13 +43,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  moduleRegistry.Start<AclManager>();

  while (dataProvider.remaining_bytes() > 0) {
    const uint8_t action = dataProvider.ConsumeIntegralInRange(0, 12);
    const uint8_t action = dataProvider.ConsumeIntegralInRange(0, 2);
    switch (action) {
      case 1:
        fake_timerfd_advance(dataProvider.ConsumeIntegral<uint64_t>());
        break;
      case 2:
        fuzzHci->injectAclData(GetArbitraryBytes(&dataProvider));
        fuzzHci->injectArbitrary(dataProvider);
        break;
    }
  }
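Review bot: The upper bound in the new `dataProvider.ConsumeIntegralInRange(0, 2)` is the one place left that must track the case labels below it, which is the same kind of drift the commit removes from the fixtures. A named constant beside the switch makes the coupling visible: `constexpr uint8_t kMaxAction = 2;  // keep in sync with the case labels below` and `const uint8_t action = dataProvider.ConsumeIntegralInRange<uint8_t>(0, kMaxAction);`, which also drops the int-to-uint8_t narrowing. The `while (dataProvider.remaining_bytes() > 0)` loop terminates only because, as far as I recall, ConsumeIntegralInRange consumes at least one byte whenever bytes remain; that is worth a one-line comment on the loop. LLVMFuzzerTestOneInput starts before this hunk.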
+11 −0
@@ -15,12 +15,14 @@
 */

#include "hci/fuzz/fuzz_hci_layer.h"
#include "fuzz/helpers.h"

namespace bluetooth {
namespace hci {
namespace fuzz {

using bluetooth::common::ContextualCallback;
using bluetooth::fuzz::GetArbitraryBytes;

common::BidiQueueEnd<hci::AclPacketBuilder, hci::AclPacketView>* FuzzHciLayer::GetAclQueueEnd() {
  return acl_queue_.GetUpEnd();
@@ -70,6 +72,15 @@ void FuzzHciLayer::Stop() {
  delete acl_inject_;
}

void FuzzHciLayer::injectArbitrary(FuzzedDataProvider& fdp) {
  const uint8_t action = fdp.ConsumeIntegralInRange(0, 1);
  switch (action) {
    case 1:
      injectAclData(GetArbitraryBytes(&fdp));
      break;
  }
}

void FuzzHciLayer::injectAclData(std::vector<uint8_t> data) {
  hci::AclPacketView aclPacket = hci::AclPacketView::FromBytes(data);
  if (!aclPacket.IsValid()) {
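Review bot: FuzzHciLayer::injectArbitrary covers only ACL data, so the switch on `fdp.ConsumeIntegralInRange(0, 1)` has a single case and nothing records that the range and the case list are meant to grow together as this fixture's surface is fuzzed. A comment makes that intent durable: `// One action per byte; extend the range and the cases together as more of the layer's surface is fuzzed.` Until a second action exists, `if (fdp.ConsumeIntegralInRange(0, 1) == 1) injectAclData(GetArbitraryBytes(&fdp));` reads more directly than a one-case switch. injectAclData continues past the end of the hunk.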
+5 −1
@@ -21,6 +21,8 @@
#include "os/fuzz/dev_null_queue.h"
#include "os/fuzz/fuzz_inject_queue.h"

#include <fuzzer/FuzzedDataProvider.h>

namespace bluetooth {
namespace hci {
namespace fuzz {
@@ -75,7 +77,7 @@ class FuzzHciLayer : public HciLayer {
  hci::LeScanningInterface* GetLeScanningInterface(
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;

  void injectAclData(std::vector<uint8_t> data);
  void injectArbitrary(FuzzedDataProvider& fdp);

  std::string ToString() const override {
    return "FuzzHciLayer";
@@ -89,6 +91,8 @@ class FuzzHciLayer : public HciLayer {
  void Stop() override;

 private:
  void injectAclData(std::vector<uint8_t> data);

  common::BidiQueue<hci::AclPacketView, hci::AclPacketBuilder> acl_queue_{3};
  os::fuzz::DevNullQueue<AclPacketBuilder>* acl_dev_null_;
  os::fuzz::FuzzInjectQueue<AclPacketView>* acl_inject_;
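Review bot: The new `#include <fuzzer/FuzzedDataProvider.h>` is placed after the project headers `os/fuzz/dev_null_queue.h` and `os/fuzz/fuzz_inject_queue.h`; the usual convention, and the project's clang-format include ordering if one is configured, keeps angle-bracket library headers in their own group ahead of project headers. The start of the include list is above this hunk, so if a library-header group already exists there the include should move into it. The FuzzHciLayer class definition starts and ends outside the hunk.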