Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f4cd49af authored by Yifan Hong's avatar Yifan Hong Committed by Gerrit Code Review
Browse files

Merge changes from topic "snapshot_fuzz" 

* changes:
  Enable automatic libsnapshot fuzzer runs
  Also log corpus when aborted through libbase.
  libsnapshot_fuzzer: Fuzz MapUpdateSnapshot.
  libsnapshot_fuzzer: construct valid super partition metadata.
  libsnapshot_fuzzer: Fuzz CreateUpdateSnapshots
  libsnapshot_fuzzer: add additional tests for more APIs
  libsnapshot_fuzzer: use protobuf
  libsnapshot_fuzzer: map super image
parents 09647273 c43f513c

fs_mgr/libsnapshot/Android.bp

+19 −6
Original line number Diff line number Diff line
@@ -254,34 +254,47 @@ cc_fuzz { 


    native_coverage : true,

    srcs: [

        // Compile the protobuf definition again with type full.

        "android/snapshot/snapshot_fuzz.proto",

        "update_engine/update_metadata.proto",

        "fuzz_utils.cpp",

        "snapshot_fuzz.cpp",

        "snapshot_fuzz_utils.cpp",

        "fuzz_utils.cpp",



        // Compile libsnapshot sources directly to avoid dependency

        // to update_metadata-protos

        ":libsnapshot_sources",

    ],

    static_libs: [

        "libbase",

        "libcrypto_static",

        "libcutils",

        "libext2_uuid",

        "libext4_utils",

        "libfstab",

        "libfs_mgr",

        "libgtest", // from libsnapshot_test_helpers

        "libgmock", // from libsnapshot_test_helpers

        "liblog",

        "liblp",

        "libsnapshot_init", // don't use binder or hwbinder

        "libsnapshot_test_helpers",

        "libprotobuf-cpp-lite",

        "update_metadata-protos",

        "libprotobuf-mutator",

    ],

    header_libs: [

        "libfiemap_headers",

        "libstorage_literals_headers",

    ],

    proto: {

        type: "full",

        canonical_path_from_root: false,

        local_include_dirs: ["."],

    },



    fuzz_config: {

        cc: ["android-virtual-ab+bugs@google.com"],

        componentid: 30545,

        hotlists: ["1646452"],

        fuzz_on_haiku_host: false,

        // TODO(b/154633114): set to true to run this automatically.

        fuzz_on_haiku_device: false,

        fuzz_on_haiku_device: true,

    },

}

fs_mgr/libsnapshot/android/snapshot/snapshot_fuzz.proto

0 → 100644
+103 −0
Original line number Diff line number Diff line 
// Copyright (C) 2020 The Android Open Source Project

//

// Licensed under the Apache License, Version 2.0 (the "License");

// you may not use this file except in compliance with the License.

// You may obtain a copy of the License at

//

//      http://www.apache.org/licenses/LICENSE-2.0

//

// Unless required by applicable law or agreed to in writing, software

// distributed under the License is distributed on an "AS IS" BASIS,

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

// See the License for the specific language governing permissions and

// limitations under the License.



syntax = "proto3";

package android.snapshot;



import "update_engine/update_metadata.proto";



// Controls the behavior of IDeviceInfo.

// Next: 6

message FuzzDeviceInfoData {

    bool slot_suffix_is_a = 1;

    bool is_overlayfs_setup = 2;

    bool allow_set_boot_control_merge_status = 3;

    bool allow_set_slot_as_unbootable = 4;

    bool is_recovery = 5;

}



// Controls the behavior of the test SnapshotManager.

// Next: 2

message FuzzSnapshotManagerData {

    bool is_local_image_manager = 1;

}



// A simplified version of CreateLogicalPartitionParams for fuzzing.

// Next: 9

message CreateLogicalPartitionParamsProto {

    bool use_correct_super = 1;

    string block_device = 2;

    bool has_metadata_slot = 3;

    uint32 metadata_slot = 4;

    string partition_name = 5;

    bool force_writable = 6;

    int64 timeout_millis = 7;

    string device_name = 8;

}



// Mimics the API of ISnapshotManager. Defines one action on the snapshot

// manager.

// Next: 18

message SnapshotManagerActionProto {

    message NoArgs {}

    message ProcessUpdateStateArgs {

        bool has_before_cancel = 1;

        bool fail_before_cancel = 2;

    }

    message CreateLogicalAndSnapshotPartitionsArgs {

        bool use_correct_super = 1;

        string super = 2;

        int64 timeout_millis = 3;

    }

    message RecoveryCreateSnapshotDevicesArgs {

        bool has_metadata_device_object = 1;

        bool metadata_mounted = 2;

    }

    oneof value {

        NoArgs begin_update = 1;

        NoArgs cancel_update = 2;

        bool finished_snapshot_writes = 3;

        NoArgs initiate_merge = 4;

        ProcessUpdateStateArgs process_update_state = 5;

        bool get_update_state = 6;

        chromeos_update_engine.DeltaArchiveManifest create_update_snapshots = 7;

        CreateLogicalPartitionParamsProto map_update_snapshot = 8;

        string unmap_update_snapshot = 9;

        NoArgs need_snapshots_in_first_stage_mount = 10;

        CreateLogicalAndSnapshotPartitionsArgs create_logical_and_snapshot_partitions = 11;

        bool handle_imminent_data_wipe = 12;

        NoArgs recovery_create_snapshot_devices = 13;

        RecoveryCreateSnapshotDevicesArgs recovery_create_snapshot_devices_with_metadata = 14;

        NoArgs dump = 15;

        NoArgs ensure_metadata_mounted = 16;

        NoArgs get_snapshot_merge_stats_instance = 17;

    }

}



// Includes all data that needs to be fuzzed.

message SnapshotFuzzData {

    FuzzDeviceInfoData device_info_data = 1;

    FuzzSnapshotManagerData manager_data = 2;



    // If true:

    // - if super_data is empty, create empty super partition metadata.

    // - otherwise, create super partition metadata accordingly.

    // If false, no valid super partition metadata (it is zeroed)

    bool is_super_metadata_valid = 3;

    chromeos_update_engine.DeltaArchiveManifest super_data = 4;



    // More data used to prep the test before running actions.

    reserved 5 to 9999;

    repeated SnapshotManagerActionProto actions = 10000;

}

fs_mgr/libsnapshot/fuzz.sh

+2 −2
Original line number Diff line number Diff line
@@ -18,8 +18,8 @@ build_normal() ( 


build_cov() {

    pushd $(gettop)

    ret=$?

    NATIVE_COVERAGE="true" NATIVE_LINE_COVERAGE="true" COVERAGE_PATHS="${PROJECT_PATH}" m ${FUZZ_TARGET}

    ret=$?

    popd

    return ${ret}

}
@@ -46,7 +46,7 @@ prepare_host() { 
}



# run_snapshot_fuzz -runs=10000

generate_corpse() {

generate_corpus() {

    [[ "$@" ]] || { echo "run with -runs=X"; return 1; }



    prepare_device &&

fs_mgr/libsnapshot/fuzz_utils.cpp

+13 −0
Original line number Diff line number Diff line
@@ -22,4 +22,17 @@ void CheckInternal(bool value, std::string_view msg) { 
    CHECK(value) << msg;

}



const google::protobuf::OneofDescriptor* GetProtoValueDescriptor(

        const google::protobuf::Descriptor* action_desc) {

    CHECK(action_desc);

    CHECK(action_desc->oneof_decl_count() == 1)

            << action_desc->oneof_decl_count() << " oneof fields found in " << action_desc->name()

            << "; only one is expected.";

    auto* oneof_value_desc = action_desc->oneof_decl(0);

    CHECK(oneof_value_desc);

    CHECK(oneof_value_desc->name() == "value")

            << "oneof field has name " << oneof_value_desc->name();

    return oneof_value_desc;

}



}  // namespace android::fuzz

fs_mgr/libsnapshot/fuzz_utils.h

+212 −214

File changed.

Preview size limit exceeded, changes collapsed.