Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d3bf149e authored by Khyber Sen's avatar Khyber Sen
Browse files

Reapply "rpc_binder: Change `trusty_tipc_fuzzer` to support multiple connections and messages" 

This reverts commit b1105589.

This redoes change I9692e4d0295052a8da2204f63be9e52939e70ac3,
fixing the crash and simplifying the logic so it's
more obvious something similar won't happen again.

Bug: 380142627
Bug: 319144781
Test: build.py qemu-generic-arm64-fuzz-test-debug &&
    ./build-root/build-qemu-generic-arm64-fuzz-test-debug/run.py &&
    lunch aosp_lynx-trunk_staging-userdebug &&
    m trusty_binder_rpc_fuzzer_multi_connection &&
    adb root &&
    adb sync data &&
    adb shell /data/fuzz/arm64/trusty_binder_rpc_fuzzer_multi_connection/trusty_binder_rpc_fuzzer_multi_connection -seed=1727807641/data/fuzz/arm64/trusty_binder_rpc_fuzzer_multi_connection/input
Change-Id: I049e94c87083a4e212aaf7edb1eca421dc1e76ed
parent 20f62340

trusty/fuzz/tipc_fuzzer.cpp

+77 −18
Original line number Original line Diff line number Diff line
@@ -14,6 +14,8 @@ 
 * limitations under the License.

 * limitations under the License.

 */

 */





#include <android-base/result.h>

#include <fuzzer/FuzzedDataProvider.h>

#include <stdlib.h>

#include <stdlib.h>

#include <trusty/coverage/coverage.h>

#include <trusty/coverage/coverage.h>

#include <trusty/coverage/uuid.h>

#include <trusty/coverage/uuid.h>
@@ -23,6 +25,7 @@ 
#include <iostream>

#include <iostream>

#include <memory>

#include <memory>





using android::base::Result;

using android::trusty::coverage::CoverageRecord;

using android::trusty::coverage::CoverageRecord;

using android::trusty::fuzz::ExtraCounters;

using android::trusty::fuzz::ExtraCounters;

using android::trusty::fuzz::TrustyApp;

using android::trusty::fuzz::TrustyApp;
@@ -41,7 +44,12 @@ using android::trusty::fuzz::TrustyApp; 
#error "Binary file name must be parameterized using -DTRUSTY_APP_FILENAME."

#error "Binary file name must be parameterized using -DTRUSTY_APP_FILENAME."

#endif

#endif





static TrustyApp kTrustyApp(TIPC_DEV, TRUSTY_APP_PORT);

#ifdef TRUSTY_APP_MAX_CONNECTIONS

constexpr size_t MAX_CONNECTIONS = TRUSTY_APP_MAX_CONNECTIONS;

#else

constexpr size_t MAX_CONNECTIONS = 1;

#endif



static std::unique_ptr<CoverageRecord> record;

static std::unique_ptr<CoverageRecord> record;





extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {

extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
@@ -53,7 +61,8 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) { 
    }

    }





    /* Make sure lazy-loaded TAs have started and connected to coverage service. */

    /* Make sure lazy-loaded TAs have started and connected to coverage service. */

    auto ret = kTrustyApp.Connect();

    TrustyApp ta(TIPC_DEV, TRUSTY_APP_PORT);

    auto ret = ta.Connect();

    if (!ret.ok()) {

    if (!ret.ok()) {

        std::cerr << ret.error() << std::endl;

        std::cerr << ret.error() << std::endl;

        exit(-1);

        exit(-1);
@@ -73,24 +82,74 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) { 
    return 0;

    return 0;

}

}





extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

void abortResult(Result<void> result) {

    static uint8_t buf[TIPC_MAX_MSG_SIZE];

    if (result.ok()) {



        return;

    ExtraCounters counters(record.get());

    }

    counters.Reset();

    std::cerr << result.error() << std::endl;

    android::trusty::fuzz::Abort();

}





    auto ret = kTrustyApp.Write(data, size);

void testOneInput(FuzzedDataProvider& provider) {

    if (ret.ok()) {

    std::vector<TrustyApp> trustyApps;

        ret = kTrustyApp.Read(&buf, sizeof(buf));



    while (provider.remaining_bytes() > 0) {

        static_assert(MAX_CONNECTIONS >= 1);



        // Either

        // 1. Add a new TA and connect.

        // 2. Remove a TA.

        // 3. Send a random message to a random TA.

        const std::function<void()> options[] = {

                // Add a new TA and connect.

                [&]() {

                    if (trustyApps.size() >= MAX_CONNECTIONS) {

                        return;

                    }

                    auto& ta = trustyApps.emplace_back(TIPC_DEV, TRUSTY_APP_PORT);

                    abortResult(ta.Connect());

                },

                // Remove a TA.

                [&]() {

                    if (trustyApps.empty()) {

                        return;

                    }

                    trustyApps.pop_back();

                },

                // Send a random message to a random TA.

                [&]() {

                    if (trustyApps.empty()) {

                        return;

                    }

                    }





    // Reconnect to ensure that the service is still up

                    // Choose a random TA.

    kTrustyApp.Disconnect();

                    const auto i =

    ret = kTrustyApp.Connect();

                            provider.ConsumeIntegralInRange<size_t>(0, trustyApps.size() - 1);

    if (!ret.ok()) {

                    std::swap(trustyApps[i], trustyApps.back());

        std::cerr << ret.error() << std::endl;

                    auto& ta = trustyApps.back();

        android::trusty::fuzz::Abort();



                    // Send a random message.

                    const auto data = provider.ConsumeRandomLengthString();

                    abortResult(ta.Write(data.data(), data.size()));



                    std::array<uint8_t, TIPC_MAX_MSG_SIZE> buf;

                    abortResult(ta.Read(buf.data(), buf.size()));



                    // Reconnect to ensure that the service is still up.

                    ta.Disconnect();

                    abortResult(ta.Connect());

                },

        };



        provider.PickValueInArray(options)();

    }

    }

}



extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

    ExtraCounters counters(record.get());

    counters.Reset();





    return ret.ok() ? 0 : -1;

    FuzzedDataProvider provider(data, size);

    testOneInput(provider);

    return 0;

}
 
}