
Commit 69f13a67 authored by Zach Johnson

Reorganize fuzz tests to use injectArbitrary

Have each test fixture do its own arbitrary fuzzing
based on its API surface, instead of requiring
fuzz tests themselves to know what the surface is
and keep up to date.

This will allow us to reuse test fixtures in multiple
fuzz tests without needing to manually keep all of them
up to date with surface changes.

Test: fuzz/run --host bluetooth_gd_acl_manager_fuzz_test
Test: fuzz/run --host bluetooth_gd_hci_layer_fuzz_test
Change-Id: Ibf4958fecc98fdf1f6526b0439a36d69b0f6286e
parent 3e8854a1
+16 −0
@@ -21,6 +21,7 @@
namespace bluetooth {
namespace bluetooth {
namespace hal {
namespace hal {
namespace fuzz {
namespace fuzz {
using bluetooth::fuzz::GetArbitraryBytes;


void FuzzHciHal::registerIncomingPacketCallback(HciHalCallbacks* callbacks) {
void FuzzHciHal::registerIncomingPacketCallback(HciHalCallbacks* callbacks) {
  callbacks_ = callbacks;
  callbacks_ = callbacks;
@@ -30,6 +31,21 @@ void FuzzHciHal::unregisterIncomingPacketCallback() {
  callbacks_ = nullptr;
  callbacks_ = nullptr;
}
}


void FuzzHciHal::injectArbitrary(FuzzedDataProvider& fdp) {
  const uint8_t action = fdp.ConsumeIntegralInRange(0, 3);
  switch (action) {
    case 1:
      injectAclData(GetArbitraryBytes(&fdp));
      break;
    case 2:
      injectHciEvent(GetArbitraryBytes(&fdp));
      break;
    case 3:
      injectScoData(GetArbitraryBytes(&fdp));
      break;
  }
}

void FuzzHciHal::sendHciCommand(HciPacket packet) {
void FuzzHciHal::sendHciCommand(HciPacket packet) {
  hci::CommandPacketView command = hci::CommandPacketView::FromBytes(packet);
  hci::CommandPacketView command = hci::CommandPacketView::FromBytes(packet);
  if (!command.IsValid()) {
  if (!command.IsValid()) {
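Review bot: In `FuzzHciHal::injectArbitrary` the upper bound in `fdp.ConsumeIntegralInRange(0, 3)` is a bare literal that has to be kept equal to the highest `case` label by hand, and value 0 matches no case, so that draw consumes input and injects nothing. If another inject method is added without raising the bound, the new path is never reached and coverage drops silently; the old `ConsumeIntegralInRange(0, 12)` with only two cases in the ACL manager fuzz test, shown later in this commit, looks like that kind of drift. I would name the bound next to the cases and say whether the no-op is intended, e.g. `constexpr uint8_t kMaxAction = 3;  // highest case below; 0 is a deliberate no-op` with `fdp.ConsumeIntegralInRange<uint8_t>(0, kMaxAction)`. The same applies to `ConsumeIntegralInRange(0, 1)` in `FuzzHciLayer::injectArbitrary` and to `(0, 2)` in `LLVMFuzzerTestOneInput`.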
+5 −3
@@ -33,9 +33,7 @@ class FuzzHciHal : public HciHal {
  void sendAclData(HciPacket packet) override {}
  void sendAclData(HciPacket packet) override {}
  void sendScoData(HciPacket packet) override {}
  void sendScoData(HciPacket packet) override {}


  void injectAclData(std::vector<uint8_t> data);
  void injectArbitrary(FuzzedDataProvider& fdp);
  void injectHciEvent(std::vector<uint8_t> data);
  void injectScoData(std::vector<uint8_t> data);


  std::string ToString() const override {
  std::string ToString() const override {
    return "HciHalFuzz";
    return "HciHalFuzz";
@@ -49,6 +47,10 @@ class FuzzHciHal : public HciHal {
  void Stop() override {}
  void Stop() override {}


 private:
 private:
  void injectAclData(std::vector<uint8_t> data);
  void injectHciEvent(std::vector<uint8_t> data);
  void injectScoData(std::vector<uint8_t> data);

  HciHalCallbacks* callbacks_;
  HciHalCallbacks* callbacks_;
  hci::OpCode waiting_opcode_;
  hci::OpCode waiting_opcode_;
  bool waiting_for_status_;
  bool waiting_for_status_;
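Review bot: The new public declaration `void injectArbitrary(FuzzedDataProvider& fdp);` names `FuzzedDataProvider`, but no `#include <fuzzer/FuzzedDataProvider.h>` is added in this header's hunks, while the `FuzzHciLayer` header in the same commit does add it. The top of the file is outside the hunks, so the include may already be there; if it is not, the header only compiles when the including file happens to pull that header in first. Adding `#include <fuzzer/FuzzedDataProvider.h>` here keeps the header self-contained. A one-line comment on `injectArbitrary` saying that it consumes bytes from `fdp` and may inject nothing would also help the fuzz tests that call it.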
+2 −2
@@ -43,13 +43,13 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  moduleRegistry.Start<AclManager>();
  moduleRegistry.Start<AclManager>();


  while (dataProvider.remaining_bytes() > 0) {
  while (dataProvider.remaining_bytes() > 0) {
    const uint8_t action = dataProvider.ConsumeIntegralInRange(0, 12);
    const uint8_t action = dataProvider.ConsumeIntegralInRange(0, 2);
    switch (action) {
    switch (action) {
      case 1:
      case 1:
        fake_timerfd_advance(dataProvider.ConsumeIntegral<uint64_t>());
        fake_timerfd_advance(dataProvider.ConsumeIntegral<uint64_t>());
        break;
        break;
      case 2:
      case 2:
        fuzzHci->injectAclData(GetArbitraryBytes(&dataProvider));
        fuzzHci->injectArbitrary(dataProvider);
        break;
        break;
    }
    }
  }
  }
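Review bot: Narrowing the draw to `ConsumeIntegralInRange(0, 2)` and routing case 2 through `fuzzHci->injectArbitrary(dataProvider)` changes how the input bytes are decoded, because the byte after action 2 is now read as the fixture's own action selector instead of being handed to `GetArbitraryBytes`. Any saved corpus or crash reproducer for `bluetooth_gd_acl_manager_fuzz_test` will therefore replay differently after this change, which is worth stating beside the loop, e.g. `// Input layout: [action][fixture-defined bytes]...; changing a range or a fixture's actions re-maps existing corpus inputs`. `LLVMFuzzerTestOneInput` starts and ends outside the hunk, so whether `GetArbitraryBytes` is still used in this file cannot be seen from here.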
+11 −0
@@ -15,12 +15,14 @@
 */
 */


#include "hci/fuzz/fuzz_hci_layer.h"
#include "hci/fuzz/fuzz_hci_layer.h"
#include "fuzz/helpers.h"


namespace bluetooth {
namespace bluetooth {
namespace hci {
namespace hci {
namespace fuzz {
namespace fuzz {


using bluetooth::common::ContextualCallback;
using bluetooth::common::ContextualCallback;
using bluetooth::fuzz::GetArbitraryBytes;


common::BidiQueueEnd<hci::AclPacketBuilder, hci::AclPacketView>* FuzzHciLayer::GetAclQueueEnd() {
common::BidiQueueEnd<hci::AclPacketBuilder, hci::AclPacketView>* FuzzHciLayer::GetAclQueueEnd() {
  return acl_queue_.GetUpEnd();
  return acl_queue_.GetUpEnd();
@@ -70,6 +72,15 @@ void FuzzHciLayer::Stop() {
  delete acl_inject_;
  delete acl_inject_;
}
}


void FuzzHciLayer::injectArbitrary(FuzzedDataProvider& fdp) {
  const uint8_t action = fdp.ConsumeIntegralInRange(0, 1);
  switch (action) {
    case 1:
      injectAclData(GetArbitraryBytes(&fdp));
      break;
  }
}

void FuzzHciLayer::injectAclData(std::vector<uint8_t> data) {
void FuzzHciLayer::injectAclData(std::vector<uint8_t> data) {
  hci::AclPacketView aclPacket = hci::AclPacketView::FromBytes(data);
  hci::AclPacketView aclPacket = hci::AclPacketView::FromBytes(data);
  if (!aclPacket.IsValid()) {
  if (!aclPacket.IsValid()) {
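Review bot: `FuzzHciLayer::injectArbitrary` is now this fixture's only public injection entry point, but nothing states when it may be called, and the context just above it shows `Stop()` doing `delete acl_inject_;` without resetting the pointer. If `injectAclData` hands the packet to `acl_inject_` (its body continues outside the hunk, so this is an assumption), a fuzz test that draws another action after the fixture is stopped would touch freed memory inside the fixture and report a crash that is not in the code under test. A comment on `injectArbitrary` such as `// Must not be called after Stop(), which deletes the inject queue` would document the precondition. With a single case, `if (action == 1) injectAclData(GetArbitraryBytes(&fdp));` would also read more directly than the `switch`.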
+5 −1
@@ -21,6 +21,8 @@
#include "os/fuzz/dev_null_queue.h"
#include "os/fuzz/dev_null_queue.h"
#include "os/fuzz/fuzz_inject_queue.h"
#include "os/fuzz/fuzz_inject_queue.h"


#include <fuzzer/FuzzedDataProvider.h>

namespace bluetooth {
namespace bluetooth {
namespace hci {
namespace hci {
namespace fuzz {
namespace fuzz {
@@ -75,7 +77,7 @@ class FuzzHciLayer : public HciLayer {
  hci::LeScanningInterface* GetLeScanningInterface(
  hci::LeScanningInterface* GetLeScanningInterface(
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;
      common::ContextualCallback<void(hci::LeMetaEventView)> event_handler) override;


  void injectAclData(std::vector<uint8_t> data);
  void injectArbitrary(FuzzedDataProvider& fdp);


  std::string ToString() const override {
  std::string ToString() const override {
    return "FuzzHciLayer";
    return "FuzzHciLayer";
@@ -89,6 +91,8 @@ class FuzzHciLayer : public HciLayer {
  void Stop() override;
  void Stop() override;


 private:
 private:
  void injectAclData(std::vector<uint8_t> data);

  common::BidiQueue<hci::AclPacketView, hci::AclPacketBuilder> acl_queue_{3};
  common::BidiQueue<hci::AclPacketView, hci::AclPacketBuilder> acl_queue_{3};
  os::fuzz::DevNullQueue<AclPacketBuilder>* acl_dev_null_;
  os::fuzz::DevNullQueue<AclPacketBuilder>* acl_dev_null_;
  os::fuzz::FuzzInjectQueue<AclPacketView>* acl_inject_;
  os::fuzz::FuzzInjectQueue<AclPacketView>* acl_inject_;