Revert "rpc_binder: Change `trusty_tipc_fuzzer` to support multiple connections and messages" (b1105589) · Commits · e / os / android_system_core

trusty/fuzz/tipc_fuzzer.cpp

+18 −61

Original line number	Diff line number	Diff line
		@@ -14,8 +14,6 @@
		* limitations under the License.
		*/

		#include <android-base/result.h>
		#include <fuzzer/FuzzedDataProvider.h>
		#include <stdlib.h>
		#include <trusty/coverage/coverage.h>
		#include <trusty/coverage/uuid.h>
		@@ -25,7 +23,6 @@
		#include <iostream>
		#include <memory>

		using android::base::Result;
		using android::trusty::coverage::CoverageRecord;
		using android::trusty::fuzz::ExtraCounters;
		using android::trusty::fuzz::TrustyApp;
		@@ -44,14 +41,7 @@ using android::trusty::fuzz::TrustyApp;
		#error "Binary file name must be parameterized using -DTRUSTY_APP_FILENAME."
		#endif

		#ifdef TRUSTY_APP_MAX_CONNECTIONS
		constexpr size_t MAX_CONNECTIONS = TRUSTY_APP_MAX_CONNECTIONS;
		#else
		constexpr size_t MAX_CONNECTIONS = 1;
		#endif

		static_assert(MAX_CONNECTIONS >= 1);

		static TrustyApp kTrustyApp(TIPC_DEV, TRUSTY_APP_PORT);
		static std::unique_ptr<CoverageRecord> record;

		extern "C" int LLVMFuzzerInitialize(int* /* argc /, char** /* argv */) {
		@@ -63,8 +53,7 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc /, char** /* argv */) {
		}

		/* Make sure lazy-loaded TAs have started and connected to coverage service. */
		TrustyApp ta(TIPC_DEV, TRUSTY_APP_PORT);
		auto ret = ta.Connect();
		auto ret = kTrustyApp.Connect();
		if (!ret.ok()) {
		std::cerr << ret.error() << std::endl;
		exit(-1);
		@@ -84,56 +73,24 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc /, char** /* argv */) {
		return 0;
		}

		Result<void> testOneInput(FuzzedDataProvider& provider) {
		std::vector<TrustyApp> trustyApps;

		while (provider.remaining_bytes() > 0) {
		if (trustyApps.size() < MAX_CONNECTIONS && provider.ConsumeBool()) {
		auto& ta = trustyApps.emplace_back(TIPC_DEV, TRUSTY_APP_PORT);
		const auto result = ta.Connect();
		if (!result.ok()) {
		return result;
		}
		} else {
		const auto i = provider.ConsumeIntegralInRange<size_t>(0, trustyApps.size());
		std::swap(trustyApps[i], trustyApps.back());

		if (provider.ConsumeBool()) {
		auto& ta = trustyApps.back();
		extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
		static uint8_t buf[TIPC_MAX_MSG_SIZE];

		const auto data = provider.ConsumeRandomLengthString();
		auto result = ta.Write(data.data(), data.size());
		if (!result.ok()) {
		return result;
		}
		ExtraCounters counters(record.get());
		counters.Reset();

		std::array<uint8_t, TIPC_MAX_MSG_SIZE> buf;
		result = ta.Read(buf.data(), buf.size());
		if (!result.ok()) {
		return result;
		auto ret = kTrustyApp.Write(data, size);
		if (ret.ok()) {
		ret = kTrustyApp.Read(&buf, sizeof(buf));
		}

		// Reconnect to ensure that the service is still up.
		ta.Disconnect();
		result = ta.Connect();
		if (!result.ok()) {
		std::cerr << result.error() << std::endl;
		// Reconnect to ensure that the service is still up
		kTrustyApp.Disconnect();
		ret = kTrustyApp.Connect();
		if (!ret.ok()) {
		std::cerr << ret.error() << std::endl;
		android::trusty::fuzz::Abort();
		return result;
		}
		} else {
		trustyApps.pop_back();
		}
		}
		}
		return {};
		}

		extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
		ExtraCounters counters(record.get());
		counters.Reset();

		FuzzedDataProvider provider(data, size);
		const auto result = testOneInput(provider);
		return result.ok() ? 0 : -1;
		return ret.ok() ? 0 : -1;
		}