Merge changes Iad1713e1,Iaee2c74b,I6bd1c8b2,I067dd077 (3c651c27) · Commits · e / os / android_system_core

trusty/coverage/Android.bp

+2 −0

Original line number	Diff line number	Diff line
		@@ -28,6 +28,7 @@ cc_library {
		shared_libs: [
		"libbase",
		"liblog",
		"libdmabufheap",
		],
		}

		@@ -43,6 +44,7 @@ cc_test {
		shared_libs: [
		"libbase",
		"liblog",
		"libdmabufheap",
		],
		require_root: true,
		}

trusty/coverage/coverage.cpp

+28 −9

Original line number	Diff line number	Diff line
		@@ -16,10 +16,12 @@

		#define LOG_TAG "coverage"

		#include <BufferAllocator/BufferAllocator.h>
		#include <android-base/file.h>
		#include <android-base/logging.h>
		#include <android-base/unique_fd.h>
		#include <assert.h>
		#include <log/log.h>
		#include <stdio.h>
		#include <sys/mman.h>
		#include <sys/uio.h>
		@@ -37,6 +39,7 @@ namespace coverage {
		using android::base::ErrnoError;
		using android::base::Error;
		using std::string;
		using std::unique_ptr;

		static inline uintptr_t RoundPageUp(uintptr_t val) {
		return (val + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
		@@ -46,12 +49,29 @@ CoverageRecord::CoverageRecord(string tipc_dev, struct uuid* uuid)
		: tipc_dev_(std::move(tipc_dev)),
		coverage_srv_fd_(-1),
		uuid_(*uuid),
		sancov_filename_(),
		record_len_(0),
		shm_(NULL),
		shm_len_(0) {}

		CoverageRecord::CoverageRecord(string tipc_dev, struct uuid* uuid, string sancov_filename)
		: tipc_dev_(std::move(tipc_dev)),
		coverage_srv_fd_(-1),
		uuid_(*uuid),
		sancov_filename_(sancov_filename),
		record_len_(0),
		shm_(NULL),
		shm_len_(0) {}

		CoverageRecord::~CoverageRecord() {
		if (shm_) {
		if (sancov_filename_) {
		auto res = SaveSancovFile(*sancov_filename_);
		if (!res.ok()) {
		ALOGE("Could not write sancov file for module: %s\n", sancov_filename_->c_str());
		}
		}

		munmap((void*)shm_, shm_len_);
		}
		}
		@@ -114,24 +134,23 @@ Result<void> CoverageRecord::Open() {
		record_len_ = resp.open_args.record_len;
		shm_len_ = RoundPageUp(record_len_);

		fd = memfd_create("trusty-coverage", 0);
		if (fd < 0) {
		return ErrnoError() << "failed to create memfd: ";
		}
		unique_fd memfd(fd);
		BufferAllocator allocator;

		if (ftruncate(memfd, shm_len_) < 0) {
		return ErrnoError() << "failed to resize memfd: ";
		fd = allocator.Alloc("system", shm_len_);
		if (fd < 0) {
		return ErrnoError() << "failed to create dmabuf of size " << shm_len_
		<< " err code: " << fd;
		}
		unique_fd dma_buf(fd);

		void* shm = mmap(0, shm_len_, PROT_READ \| PROT_WRITE, MAP_SHARED, memfd, 0);
		void* shm = mmap(0, shm_len_, PROT_READ \| PROT_WRITE, MAP_SHARED, dma_buf, 0);
		if (shm == MAP_FAILED) {
		return ErrnoError() << "failed to map memfd: ";
		}

		req.hdr.cmd = COVERAGE_CLIENT_CMD_SHARE_RECORD;
		req.share_record_args.shm_len = shm_len_;
		ret = Rpc(&req, memfd, &resp);
		ret = Rpc(&req, dma_buf, &resp);
		if (!ret.ok()) {
		return Error() << "failed to send shared memory: ";
		}

trusty/coverage/include/trusty/coverage/coverage.h

+13 −0

Original line number	Diff line number	Diff line
		@@ -16,6 +16,7 @@

		#pragma once

		#include <optional>
		#include <string>

		#include <android-base/result.h>
		@@ -32,7 +33,18 @@ using android::base::unique_fd;

		class CoverageRecord {
		public:
		/**
		* Create a coverage record interface. Coverage will not be written to a
		* sancov output file on completion.
		*/
		CoverageRecord(std::string tipc_dev, struct uuid* uuid);

		/**
		* Create a coverage record interface. On destruction, write this coverage
		* to the given sancov filename.
		*/
		CoverageRecord(std::string tipc_dev, struct uuid* uuid, std::string sancov_filename);

		~CoverageRecord();
		Result<void> Open();
		void ResetFullRecord();
		@@ -58,6 +70,7 @@ class CoverageRecord {
		std::string tipc_dev_;
		unique_fd coverage_srv_fd_;
		struct uuid uuid_;
		std::optional<std::string> sancov_filename_;
		size_t record_len_;
		volatile void* shm_;
		size_t shm_len_;

trusty/fuzz/counters.cpp

+11 −1

Original line number	Diff line number	Diff line
		@@ -21,6 +21,7 @@
		#include <trusty/fuzz/counters.h>

		#include <android-base/logging.h>
		#include <log/log.h>
		#include <trusty/coverage/coverage.h>
		#include <trusty/coverage/tipc.h>

		@@ -32,7 +33,8 @@ using android::base::Result;
		* We don't know how many counters the coverage record will contain. So, eyeball
		* the size of this section.
		*/
		__attribute__((section("__libfuzzer_extra_counters"))) volatile uint8_t counters[PAGE_SIZE];
		static const size_t kMaxNumCounters = 0x4000;
		__attribute__((section("__libfuzzer_extra_counters"))) volatile uint8_t counters[kMaxNumCounters];

		namespace android {
		namespace trusty {
		@@ -62,8 +64,16 @@ void ExtraCounters::Flush() {
		volatile uint8_t* end = NULL;

		record_->GetRawCounts(&begin, &end);
		if (!begin \|\| !end) {
		ALOGE("Could not get raw counts from coverage record\n");
		return;
		}

		size_t num_counters = end - begin;
		if (num_counters > kMaxNumCounters) {
		ALOGE("Too many counters (%zu) to fit in the extra counters section!\n", num_counters);
		num_counters = kMaxNumCounters;
		}
		for (size_t i = 0; i < num_counters; i++) {
		(counters + i) = (begin + i);
		}

trusty/gatekeeper/fuzz/fuzz.cpp

+2 −1

Original line number	Diff line number	Diff line
		@@ -30,6 +30,7 @@ using android::trusty::fuzz::TrustyApp;

		#define TIPC_DEV "/dev/trusty-ipc-dev0"
		#define GATEKEEPER_PORT "com.android.trusty.gatekeeper"
		#define GATEKEEPER_MODULE_NAME "gatekeeper.syms.elf"

		/* Gatekeeper TA's UUID is 38ba0cdc-df0e-11e4-9869-233fb6ae4795 */
		static struct uuid gatekeeper_uuid = {
		@@ -39,7 +40,7 @@ static struct uuid gatekeeper_uuid = {
		{0x98, 0x69, 0x23, 0x3f, 0xb6, 0xae, 0x47, 0x95},
		};

		static CoverageRecord record(TIPC_DEV, &gatekeeper_uuid);
		static CoverageRecord record(TIPC_DEV, &gatekeeper_uuid, GATEKEEPER_MODULE_NAME);

		extern "C" int LLVMFuzzerInitialize(int* /* argc /, char** /* argv */) {
		auto ret = record.Open();