
Commit f4cd49af authored by Yifan Hong's avatar Yifan Hong Committed by Gerrit Code Review

Merge changes from topic "snapshot_fuzz"

* changes:
  Enable automatic libsnapshot fuzzer runs
  Also log corpus when aborted through libbase.
  libsnapshot_fuzzer: Fuzz MapUpdateSnapshot.
  libsnapshot_fuzzer: construct valid super partition metadata.
  libsnapshot_fuzzer: Fuzz CreateUpdateSnapshots
  libsnapshot_fuzzer: add additional tests for more APIs
  libsnapshot_fuzzer: use protobuf
  libsnapshot_fuzzer: map super image
parents 09647273 c43f513c
+19 −6
@@ -254,34 +254,47 @@ cc_fuzz {

    native_coverage : true,
    srcs: [
        // Compile the protobuf definition again with type full.
        "android/snapshot/snapshot_fuzz.proto",
        "update_engine/update_metadata.proto",
        "fuzz_utils.cpp",
        "snapshot_fuzz.cpp",
        "snapshot_fuzz_utils.cpp",
        "fuzz_utils.cpp",

        // Compile libsnapshot sources directly to avoid dependency
        // to update_metadata-protos
        ":libsnapshot_sources",
    ],
    static_libs: [
        "libbase",
        "libcrypto_static",
        "libcutils",
        "libext2_uuid",
        "libext4_utils",
        "libfstab",
        "libfs_mgr",
        "libgtest", // from libsnapshot_test_helpers
        "libgmock", // from libsnapshot_test_helpers
        "liblog",
        "liblp",
        "libsnapshot_init", // don't use binder or hwbinder
        "libsnapshot_test_helpers",
        "libprotobuf-cpp-lite",
        "update_metadata-protos",
        "libprotobuf-mutator",
    ],
    header_libs: [
        "libfiemap_headers",
        "libstorage_literals_headers",
    ],
    proto: {
        type: "full",
        canonical_path_from_root: false,
        local_include_dirs: ["."],
    },

    fuzz_config: {
        cc: ["android-virtual-ab+bugs@google.com"],
        componentid: 30545,
        hotlists: ["1646452"],
        fuzz_on_haiku_host: false,
        // TODO(b/154633114): set to true to run this automatically.
        fuzz_on_haiku_device: false,
        fuzz_on_haiku_device: true,
    },
}
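Review bot: The `proto: { type: "full", ... }` block and the comment "Compile the protobuf definition again with type full" do not say why the full runtime is needed or why `canonical_path_from_root` is switched off. A short comment such as `// libprotobuf-mutator and the descriptor lookups (GetProtoValueDescriptor) need reflection, which the lite runtime lacks.` would keep a later cleanup from reverting it. The rendered page has lost the +/- markers, so it is not visible whether `libprotobuf-cpp-lite` and `update_metadata-protos` remain in `static_libs`. If they do, the target would link a second protobuf runtime and a second copy of the update_metadata messages next to the ones compiled from `update_engine/update_metadata.proto`, and they should be dropped. `fuzz_on_haiku_host: false` beside `fuzz_on_haiku_device: true` would also benefit from a one-line reason.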
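--- a/android/snapshot/snapshot_fuzz.proto
+++ b/android/snapshot/snapshot_fuzz.proto
@@ -0,0 +1,103 @@
+// Copyright (C) 2020 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+package android.snapshot;
+
+import "update_engine/update_metadata.proto";
+
+// Controls the behavior of IDeviceInfo.
+// Next: 6
+message FuzzDeviceInfoData {
+    bool slot_suffix_is_a = 1;
+    bool is_overlayfs_setup = 2;
+    bool allow_set_boot_control_merge_status = 3;
+    bool allow_set_slot_as_unbootable = 4;
+    bool is_recovery = 5;
+}
+
+// Controls the behavior of the test SnapshotManager.
+// Next: 2
+message FuzzSnapshotManagerData {
+    bool is_local_image_manager = 1;
+}
+
+// A simplified version of CreateLogicalPartitionParams for fuzzing.
+// Next: 9
+message CreateLogicalPartitionParamsProto {
+    bool use_correct_super = 1;
+    string block_device = 2;
+    bool has_metadata_slot = 3;
+    uint32 metadata_slot = 4;
+    string partition_name = 5;
+    bool force_writable = 6;
+    int64 timeout_millis = 7;
+    string device_name = 8;
+}
+
+// Mimics the API of ISnapshotManager. Defines one action on the snapshot
+// manager.
+// Next: 18
+message SnapshotManagerActionProto {
+    message NoArgs {}
+    message ProcessUpdateStateArgs {
+        bool has_before_cancel = 1;
+        bool fail_before_cancel = 2;
+    }
+    message CreateLogicalAndSnapshotPartitionsArgs {
+        bool use_correct_super = 1;
+        string super = 2;
+        int64 timeout_millis = 3;
+    }
+    message RecoveryCreateSnapshotDevicesArgs {
+        bool has_metadata_device_object = 1;
+        bool metadata_mounted = 2;
+    }
+    oneof value {
+        NoArgs begin_update = 1;
+        NoArgs cancel_update = 2;
+        bool finished_snapshot_writes = 3;
+        NoArgs initiate_merge = 4;
+        ProcessUpdateStateArgs process_update_state = 5;
+        bool get_update_state = 6;
+        chromeos_update_engine.DeltaArchiveManifest create_update_snapshots = 7;
+        CreateLogicalPartitionParamsProto map_update_snapshot = 8;
+        string unmap_update_snapshot = 9;
+        NoArgs need_snapshots_in_first_stage_mount = 10;
+        CreateLogicalAndSnapshotPartitionsArgs create_logical_and_snapshot_partitions = 11;
+        bool handle_imminent_data_wipe = 12;
+        NoArgs recovery_create_snapshot_devices = 13;
+        RecoveryCreateSnapshotDevicesArgs recovery_create_snapshot_devices_with_metadata = 14;
+        NoArgs dump = 15;
+        NoArgs ensure_metadata_mounted = 16;
+        NoArgs get_snapshot_merge_stats_instance = 17;
+    }
+}
+
+// Includes all data that needs to be fuzzed.
+message SnapshotFuzzData {
+    FuzzDeviceInfoData device_info_data = 1;
+    FuzzSnapshotManagerData manager_data = 2;
+
+    // If true:
+    // - if super_data is empty, create empty super partition metadata.
+    // - otherwise, create super partition metadata accordingly.
+    // If false, no valid super partition metadata (it is zeroed)
+    bool is_super_metadata_valid = 3;
+    chromeos_update_engine.DeltaArchiveManifest super_data = 4;
+
+    // More data used to prep the test before running actions.
+    reserved 5 to 9999;
+    repeated SnapshotManagerActionProto actions = 10000;
+}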
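Review bot: `block_device`, `device_name` and `partition_name` in CreateLogicalPartitionParamsProto, and `super` in CreateLogicalAndSnapshotPartitionsArgs, are free-form strings chosen by the fuzzer, and the schema does not say what the harness does with them when `use_correct_super` is false. Since this commit also turns on automatic device runs, each of these fields should carry a comment stating the constraint the harness enforces, for example `// Used only when use_correct_super is false; must not name a real block device.` if that is the intended contract. The harness is collapsed on this page, so whether it already confines these values to the test fixtures cannot be confirmed from here. The two `timeout_millis` fields are unbounded `int64`, so a comment on the clamp applied (or adding one in the harness) would keep a single input from stalling an automated run.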
+2 −2
@@ -18,8 +18,8 @@ build_normal() (

build_cov() {
    pushd $(gettop)
    ret=$?
    NATIVE_COVERAGE="true" NATIVE_LINE_COVERAGE="true" COVERAGE_PATHS="${PROJECT_PATH}" m ${FUZZ_TARGET}
    ret=$?
    popd
    return ${ret}
}
@@ -46,7 +46,7 @@ prepare_host() {
}

# run_snapshot_fuzz -runs=10000
generate_corpse() {
generate_corpus() {
    [[ "$@" ]] || { echo "run with -runs=X"; return 1; }

    prepare_device &&
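Review bot: In build_cov the result of `pushd $(gettop)` is never checked and the substitution is unquoted, so if `gettop` fails or prints nothing, `m` builds from the caller's directory and the later `popd` pops an entry this function did not push. `pushd "$(gettop)" || return 1` together with `m "${FUZZ_TARGET}"` would close that. This assumes the new side is the one with `ret=$?` after the `m` line, since the rendered page has lost the +/- markers. In the second hunk the comment `# run_snapshot_fuzz -runs=10000` appears to sit above `generate_corpus` while naming a different function, and could be updated with the rename; that function's body continues outside the hunk.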
+13 −0
@@ -22,4 +22,17 @@ void CheckInternal(bool value, std::string_view msg) {
    CHECK(value) << msg;
}

const google::protobuf::OneofDescriptor* GetProtoValueDescriptor(
        const google::protobuf::Descriptor* action_desc) {
    CHECK(action_desc);
    CHECK(action_desc->oneof_decl_count() == 1)
            << action_desc->oneof_decl_count() << " oneof fields found in " << action_desc->name()
            << "; only one is expected.";
    auto* oneof_value_desc = action_desc->oneof_decl(0);
    CHECK(oneof_value_desc);
    CHECK(oneof_value_desc->name() == "value")
            << "oneof field has name " << oneof_value_desc->name();
    return oneof_value_desc;
}

}  // namespace android::fuzz
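Review bot: `GetProtoValueDescriptor` has no comment, and the hard-coded `"value"` silently ties it to the `oneof value` declared in SnapshotManagerActionProto. A header comment such as `// Returns the only oneof of |action_desc|, which must be named "value"; aborts otherwise.` would record that contract for anyone adding a second oneof or renaming the first. The count check could be written as `CHECK_EQ(action_desc->oneof_decl_count(), 1)` so the macro logs both operands itself. The hunk shows the whole function; only the enclosing namespace continues outside it.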
+212 −214

File changed.

Preview size limit exceeded, changes collapsed.
