ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge changes I1e1e2c70,I9c86a12c

Browse source 
* changes:
  trusty: Fuzzer for ConfirmationUI messages
  trusty: Use a simple TIPC fuzzer for ConfirmationUI
This commit is contained in:
Tri Vo 2021-03-03 00:05:02 +00:00 committed by Gerrit Code Review
commit 24ad66e3db
97 changed files with 194 additions and 98 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
trusty/confirmationui/fuzz/Android.bp
View file

@ -17,11 +17,27 @@ package {
}
cc_fuzz {
name: "trusty_confirmationui_fuzzer",
name: "trusty_confirmationui_tipc_fuzzer",
defaults: ["trusty_fuzzer_defaults"],
srcs: ["fuzz.cpp"],
srcs: [":trusty_tipc_fuzzer"],
cflags: [
"-DTRUSTY_APP_PORT=\"com.android.trusty.confirmationui\"",
"-DTRUSTY_APP_UUID=\"7dee2364-c036-425b-b086-df0f6c233c1b\"",
"-DTRUSTY_APP_FILENAME=\"confirmationui.syms.elf\"",
],
// The initial corpus for this fuzzer was derived by dumping bytes from
// ConfirmationUI VTS.
corpus: ["corpus/*"],
}
cc_fuzz {
name: "trusty_confirmationui_msg_fuzzer",
defaults: ["trusty_fuzzer_defaults"],
srcs: ["msg_fuzzer.cpp"],
include_dirs: ["system/core/trusty/confirmationui/include"],
shared_libs: [
"libdmabufheap",
],
// The initial corpus for this fuzzer was derived by dumping messages from/to
// HAL to/from TA triggered by VtsHalConfirmationUIV1_0TargetTest.
corpus: ["msg_corpus/*"],
}

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-globJV
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-kykxni
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN
View file

Binary file not shown.

93
trusty/confirmationui/fuzz/fuzz.cpp
View file

@ -1,93 +0,0 @@
/*
* Copyright (C) 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <iostream>
#include <stdlib.h>
#include <trusty/coverage/coverage.h>
#include <trusty/fuzz/counters.h>
#include <trusty/fuzz/utils.h>
#include <unistd.h>
using android::trusty::coverage::CoverageRecord;
using android::trusty::fuzz::ExtraCounters;
using android::trusty::fuzz::TrustyApp;
#define TIPC_DEV "/dev/trusty-ipc-dev0"
#define CONFIRMATIONUI_PORT "com.android.trusty.confirmationui"
#define CONFIRMATIONUI_MODULE_NAME "confirmationui.syms.elf"
/* ConfirmationUI TA's UUID is 7dee2364-c036-425b-b086-df0f6c233c1b */
static struct uuid confirmationui_uuid = {
0x7dee2364,
0xc036,
0x425b,
{0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b},
};
/* The format of the packets is as following:
* 16 bits (uint16_t, header) + payload bytes
* The 16 bits header spicify the number of bytes of payload (header excluded).
*/
struct data_packet {
uint16_t header;
uint8_t payload[];
};
static CoverageRecord record(TIPC_DEV, &confirmationui_uuid, CONFIRMATIONUI_MODULE_NAME);
extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
auto ret = record.Open();
if (!ret.ok()) {
std::cerr << ret.error() << std::endl;
exit(-1);
}
return 0;
}
/* Each corpus contains one or more data packets. */
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
static uint8_t buf[TIPC_MAX_MSG_SIZE];
size_t data_idx = 0;
ExtraCounters counters(&record);
counters.Reset();
TrustyApp ta(TIPC_DEV, CONFIRMATIONUI_PORT);
auto ret = ta.Connect();
if (!ret.ok()) {
android::trusty::fuzz::Abort();
}
while (data_idx < size) {
struct data_packet* data_packet_ptr = (struct data_packet*)&data[data_idx];
size_t payload_size = data_packet_ptr->header;
data_idx += data_packet_ptr->header + sizeof(data_packet_ptr->header);
/* Write message to confirmationui server */
ret = ta.Write(data_packet_ptr->payload, payload_size);
if (!ret.ok()) {
return -1;
}
/* Read message from confirmationui server */
ret = ta.Read(&buf, sizeof(buf));
if (!ret.ok()) {
return -1;
}
}
return 0;
}

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-0AD0Mc Normal file
View file

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-1b1UIl Normal file
View file

Binary file not shown.

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-3hmWyl Normal file
View file

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7FNOdd Normal file
View file

Binary file not shown.

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7T30a0 Normal file
View file

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-86EumR Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-89b64b Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-8UVUCK Normal file
View file

Binary file not shown.

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BSmqJ0 Normal file
View file

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BdUGLb Normal file
View file

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-D2ENNi Normal file
View file

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-EwBsPi Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-HjE2Ko Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-J5OABY Normal file
View file

Binary file not shown.

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-LUVKQn Normal file
View file

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-MdY9ZS Normal file
View file

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-NZ8yUq Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OP4Vff Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OizTST Normal file
View file

Binary file not shown.

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-QTsc3y Normal file
View file

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-S055ei Normal file
View file

Binary file not shown.

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-VDguJL Normal file
View file

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ZjDqjf Normal file
View file

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bMNGfb Normal file
View file

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bm0GEm Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-cT2nt8 Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-e1NLbb Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-eOCb7t Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-h7Gpzu Normal file
View file

Binary file not shown.

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ikJlIo Normal file
View file

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-kxugwp Normal file
View file

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-mY8uM5 Normal file
View file

Binary file not shown.

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-nuYOin Normal file
View file

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-obk0rP Normal file
View file

Binary file not shown.

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-vg2hAB Normal file
View file

0
trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ysk3Rj Normal file
View file

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-2upXHa Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-3n7SWz Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-5SZG4U Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-8uL1hT Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Anu8LZ Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f → trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BFP3vG
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BjxIpX Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-DBzfWz Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GPOMKC Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GWcpFn Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-HkRYSS Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-LAyw30 Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-MtGRnC Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-PpfYNn Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-SVKqZi Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Suxofv Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-UQPTAG Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Up2pbn Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZjgVzs Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZuQuBC Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-bWlzZp Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-dPozfE Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-e952U6 Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-f7ly1r Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-hme7P0 Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-k7J5LL Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-rUtYXs Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-sq5ang Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-uOtedb Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vGoOUt Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vqAG14 Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xKDdTw Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xT4sJC Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypshr5 Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypzCDH Normal file
View file

Binary file not shown.

BIN
trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-zZNPRC Normal file
View file

Binary file not shown.

173
trusty/confirmationui/fuzz/msg_fuzzer.cpp Normal file
View file

@ -0,0 +1,173 @@
/*
* Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <BufferAllocator/BufferAllocator.h>
#include <TrustyIpc.h>
#include <iostream>
#include <stdlib.h>
#include <sys/mman.h>
#include <time.h>
#include <trusty/coverage/coverage.h>
#include <trusty/fuzz/counters.h>
#include <trusty/fuzz/utils.h>
#include <trusty/tipc.h>
#include <unistd.h>
using android::trusty::coverage::CoverageRecord;
using android::trusty::fuzz::ExtraCounters;
using android::trusty::fuzz::TrustyApp;
#define countof(arr) (sizeof(arr) / sizeof(arr[0]))
#define TIPC_DEV "/dev/trusty-ipc-dev0"
#define CONFIRMATIONUI_PORT "com.android.trusty.confirmationui"
#define CONFIRMATIONUI_MODULE_NAME "confirmationui.syms.elf"
/* A request to render to screen may take a while. */
const size_t kTimeoutSeconds = 30;
/* ConfirmationUI TA's UUID is 7dee2364-c036-425b-b086-df0f6c233c1b */
static struct uuid confirmationui_uuid = {
0x7dee2364,
0xc036,
0x425b,
{0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b},
};
static CoverageRecord record(TIPC_DEV, &confirmationui_uuid, CONFIRMATIONUI_MODULE_NAME);
static android::base::unique_fd dma_buf;
static void* shm_base;
extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
auto ret = record.Open();
if (!ret.ok()) {
std::cerr << ret.error() << std::endl;
exit(-1);
}
BufferAllocator allocator;
dma_buf.reset(allocator.Alloc(kDmabufSystemHeapName, CONFIRMATIONUI_MAX_MSG_SIZE));
if (dma_buf < 0) {
std::cerr << "Failed to allocate dma_buf" << std::endl;
exit(-1);
}
shm_base = mmap(0, CONFIRMATIONUI_MAX_MSG_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0);
if (shm_base == MAP_FAILED) {
std::cerr << "Failed to mmap() dma_buf" << std::endl;
exit(-1);
}
return 0;
}
static bool Init(int chan, int dma_buf) {
confirmationui_hdr hdr = {
.cmd = CONFIRMATIONUI_CMD_INIT,
};
confirmationui_init_req args = {
.shm_len = CONFIRMATIONUI_MAX_MSG_SIZE,
};
iovec iov[] = {
{
.iov_base = &hdr,
.iov_len = sizeof(hdr),
},
{
.iov_base = &args,
.iov_len = sizeof(args),
},
};
trusty_shm shm = {
.fd = dma_buf,
.transfer = TRUSTY_SHARE,
};
int rc = tipc_send(chan, iov, countof(iov), &shm, 1);
if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
return false;
}
rc = read(chan, &hdr, sizeof(hdr));
if (rc != static_cast<int>(sizeof(hdr))) {
return false;
}
return true;
}
static bool Msg(int chan, const uint8_t* data, size_t size) {
confirmationui_hdr hdr = {
.cmd = CONFIRMATIONUI_CMD_MSG,
};
confirmationui_msg_args args = {
.msg_len = static_cast<uint32_t>(size),
};
iovec iov[] = {
{
.iov_base = &hdr,
.iov_len = sizeof(hdr),
},
{
.iov_base = &args,
.iov_len = sizeof(args),
},
};
memset(shm_base, 0, CONFIRMATIONUI_MAX_MSG_SIZE);
memcpy(shm_base, data, size);
int rc = tipc_send(chan, iov, countof(iov), NULL, 0);
if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
return false;
}
rc = readv(chan, iov, countof(iov));
if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
return false;
}
return true;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
ExtraCounters counters(&record);
counters.Reset();
TrustyApp ta(TIPC_DEV, CONFIRMATIONUI_PORT);
auto ret = ta.Connect();
if (!ret.ok()) {
android::trusty::fuzz::Abort();
}
int chan = *ta.GetRawFd();
alarm(kTimeoutSeconds);
bool success = Init(chan, dma_buf);
alarm(0);
if (!success) {
android::trusty::fuzz::Abort();
}
alarm(kTimeoutSeconds);
success = Msg(chan, data, size);
alarm(0);
if (!success) {
android::trusty::fuzz::Abort();
}
return 0;
}