
Commit f5f0df42 authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review

Merge changes Idf9e6f2f,Ibd145e12,Ibc258ebb,Ie1b3c077,I9897edd3, ...

* changes:
  Add bluetooth_gd_hci_fuzz_test
  Add FuzzingHciHal, to inject fuzzed input up the stack
  Add DevNullHci, to facilitate fuzzing the hci layer
  Add SentinelWorkItem, to allow posting a work item and waiting for completion
  Add gd/fuzzing/helpers
  Add DevNullQueue, a fuzzing helper to drop stuff
parents c1b2d6a3 4058ed00
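--- a/PATH-NOT-SHOWN-ON-PAGE-1
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -290,13 +290,11 @@ cc_test {
     },
 }
 
-cc_fuzz {
-  name: "bluetooth_gd_fuzz_test",
+cc_defaults {
+  name: "gd_fuzz_defaults",
   defaults: ["gd_defaults"],
   srcs: [
-    "fuzz_test.cc",
-    ":BluetoothHciFuzzTestSources",
-    ":BluetoothL2capFuzzTestSources",
+    ":BluetoothFuzzingHelperSources",
   ],
   static_libs: [
     "libbluetooth_gd",
@@ -322,6 +320,25 @@ cc_fuzz {
   },
 }
 
+cc_fuzz {
+  name: "bluetooth_gd_fuzz_test",
+  defaults: ["gd_fuzz_defaults"],
+  srcs: [
+    "fuzz_test.cc",
+    ":BluetoothHciFuzzTestSources",
+    ":BluetoothL2capFuzzTestSources",
+  ],
+}
+
+cc_fuzz {
+  name: "bluetooth_gd_hci_fuzz_test",
+  defaults: ["gd_fuzz_defaults"],
+  srcs: [
+    "hci/fuzzing/hci_layer_fuzz_test.cc",
+    ":BluetoothHalFuzzingSources",
+  ],
+}
+
 cc_benchmark {
     name: "bluetooth_benchmark_gd",
     defaults: ["gd_defaults"],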
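--- a/PATH-NOT-SHOWN-ON-PAGE-2
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,6 @@
+filegroup {
+    name: "BluetoothFuzzingHelperSources",
+    srcs: [
+        "helpers.cc",
+    ],
+}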
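--- a/gd/fuzzing/helpers.cc
+++ b/gd/fuzzing/helpers.cc
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "fuzzing/helpers.h"
+#include "common/bind.h"
+
+namespace bluetooth {
+namespace fuzzing {
+
+// cribbed from https://github.com/google/fuzzing/blob/master/docs/split-inputs.md#magic-separator
+std::vector<std::vector<uint8_t>> SplitInput(const uint8_t* data, size_t size, const uint8_t* separator,
+                                             size_t separatorSize) {
+  std::vector<std::vector<uint8_t>> result;
+  assert(SeparatorSize > 0);
+  auto beg = data;
+  auto end = data + size;
+  while (const uint8_t* pos = (const uint8_t*)memmem(beg, end - beg, separator, separatorSize)) {
+    result.push_back({beg, pos});
+    beg = pos + separatorSize;
+  }
+  if (beg < end) {
+    result.push_back({beg, end});
+  }
+  return result;
+}
+
+void SentinelWorkItem::notify_handler_quiesced() {
+  quiesce_promise_->set_value();
+}
+
+void SentinelWorkItem::WaitUntilFinishedOn(os::Handler* handler) {
+  quiesce_promise_ = std::make_unique<std::promise<void>>();
+  handler->Post(common::Bind(&SentinelWorkItem::notify_handler_quiesced, common::Unretained(this)));
+  quiesce_promise_->get_future().wait_for(std::chrono::milliseconds(300));
+  quiesce_promise_ = nullptr;
+}
+
+}  // namespace fuzzing
+}  // namespace bluetooth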
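Review bot: The assertion in SplitInput reads `assert(SeparatorSize > 0);` while the parameter is spelled `separatorSize`, so the line only compiles when NDEBUG strips the assert out and will fail on an asserts-enabled build; it should be `assert(separatorSize > 0);`. In SentinelWorkItem::WaitUntilFinishedOn the status returned by `wait_for` is discarded, so after a 300 ms timeout `quiesce_promise_` is reset to nullptr while the posted item, which holds `this` via Unretained, is still queued and will later call `set_value` through the null pointer in notify_handler_quiesced; check the status and fail loudly instead of resetting, e.g. `if (quiesce_promise_->get_future().wait_for(std::chrono::milliseconds(300)) != std::future_status::ready) abort();`, so a harness hang is reported as such rather than as a spurious crash in the fuzz target. The file also relies on `<cassert>`, `<cstring>` (memmem, a non-standard extension that bionic provides), `<future>` and `<memory>` without including them, and `(const uint8_t*)memmem(...)` should be a `static_cast<const uint8_t*>(...)`.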
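--- a/gd/fuzzing/helpers.h
+++ b/gd/fuzzing/helpers.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <cstdint>
+#include <vector>
+#include "os/handler.h"
+
+namespace bluetooth {
+namespace fuzzing {
+
+std::vector<std::vector<uint8_t>> SplitInput(const uint8_t* data, size_t size, const uint8_t* separator,
+                                             size_t separatorSize);
+
+class SentinelWorkItem {
+ public:
+  void WaitUntilFinishedOn(os::Handler* handler);
+
+ private:
+  void notify_handler_quiesced();
+  std::unique_ptr<std::promise<void>> quiesce_promise_;
+};
+}
+}  // namespace bluetooth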
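Review bot: The header uses `std::unique_ptr` and `std::promise` for the quiesce_promise_ member and `size_t` in the SplitInput declaration, but includes only `<cstdint>`, `<vector>` and `os/handler.h`; add `#include <cstddef>`, `#include <future>` and `#include <memory>` so it is self-contained rather than depending on what os/handler.h happens to pull in transitively. Neither SplitInput nor SentinelWorkItem is documented in the header; a comment on SplitInput stating that it splits `[data, data+size)` on every occurrence of the separator and drops a trailing empty piece, and one on SentinelWorkItem stating that WaitUntilFinishedOn posts a sentinel item to the handler and blocks, with a bounded timeout, until it has run, would let a harness author use them without reading helpers.cc. The brace closing namespace fuzzing on the second-to-last line lacks the `// namespace fuzzing` trailer that the outer namespace has.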
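--- a/PATH-NOT-SHOWN-ON-PAGE-3
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -39,3 +39,10 @@ filegroup {
         "facade.cc",
     ],
 }
+
+filegroup {
+    name: "BluetoothHalFuzzingSources",
+    srcs: [
+        "fuzzing/fuzzing_hci_hal.cc",
+    ],
+}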