Merge changes I57c4aacc,I8430579f

* changes: trusty: Generic parameterizable TIPC fuzzer trusty: coverage: Add UUID helpers
2021-03-01 23:26:35 +00:00 · 2021-03-01 23:26:35 +00:00 · 5060516c6f
commit 5060516c6f
parent 71a17ff717 f41fee5879
7 changed files with 129 additions and 23 deletions
--- a/trusty/coverage/Android.bp
+++ b/trusty/coverage/Android.bp
@ -21,12 +21,14 @@ cc_library {
    vendor_available: true,
    srcs: [
        "coverage.cpp",
+        "uuid.cpp",
    ],
    export_include_dirs: [
        "include",
    ],
    shared_libs: [
        "libbase",
+        "libext2_uuid",
        "liblog",
        "libdmabufheap",
        "libtrusty",
--- a/trusty/coverage/include/trusty/coverage/tipc.h
+++ b/trusty/coverage/include/trusty/coverage/tipc.h
@ -19,16 +19,10 @@
 #pragma once

 #include <stdint.h>
+#include <trusty/coverage/uuid.h>

 #define COVERAGE_CLIENT_PORT "com.android.trusty.coverage.client"

-struct uuid {
-    uint32_t time_low;
-    uint16_t time_mid;
-    uint16_t time_hi_and_version;
-    uint8_t clock_seq_and_node[8];
-};
-
 enum coverage_client_cmd {
    COVERAGE_CLIENT_CMD_RESP_BIT = 1U,
    COVERAGE_CLIENT_CMD_SHIFT = 1U,
--- a/trusty/coverage/include/trusty/coverage/uuid.h
+++ b/trusty/coverage/include/trusty/coverage/uuid.h
@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <stdint.h>
+
+struct uuid {
+    uint32_t time_low;
+    uint16_t time_mid;
+    uint16_t time_hi_and_version;
+    uint8_t clock_seq_and_node[8];
+};
+
+/**
+ * str_to_uuid() - Converts a C string into a uuid
+ * @str: C-string representation of the uuid
+ * @uuid: &struct uuid to fill with the converted uuid
+ *
+ * Return: true on success, false otherwise
+ */
+bool str_to_uuid(const char* str, struct uuid* uuid);
--- a/trusty/coverage/uuid.cpp
+++ b/trusty/coverage/uuid.cpp
@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2021 The Android Open Sourete Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <string.h>
+#include <trusty/coverage/uuid.h>
+#include <uuid.h>
+
+#include <stdio.h>
+
+static uint16_t reverse_u16(uint16_t u) {
+    return u << 8 | u >> 8;
+}
+
+static uint32_t reverse_u32(uint32_t u) {
+    return reverse_u16((uint16_t)u) << 16 | reverse_u16(u >> 16);
+}
+
+bool str_to_uuid(const char* str, struct uuid* uuid) {
+    uuid_t uu;
+    static_assert(sizeof(uu) == sizeof(*uuid));
+
+    if (uuid_parse(str, uu)) {
+        return false;
+    }
+
+    memcpy(uuid, uu, sizeof(*uuid));
+    uuid->time_low = reverse_u32(uuid->time_low);
+    uuid->time_mid = reverse_u16(uuid->time_mid);
+    uuid->time_hi_and_version = reverse_u16(uuid->time_hi_and_version);
+    return true;
+}
--- a/trusty/fuzz/Android.bp
+++ b/trusty/fuzz/Android.bp
@ -52,3 +52,12 @@ cc_library {
        "libtrusty",
    ],
 }
+
+// Generic TIPC fuzzer, must parameterized using:
+//  -DTRUSTY_APP_PORT=<port name of TA being fuzzed>
+//  -DTRUSTY_APP_UUID=<UUID of TA being fuzzed>
+//  -DTRUSTY_APP_FILENAME=<name of symbolized elf binary of the TA>
+filegroup {
+    name: "trusty_tipc_fuzzer",
+    srcs: ["tipc_fuzzer.cpp"],
+}
--- a/trusty/fuzz/test/Android.bp
+++ b/trusty/fuzz/test/Android.bp
@ -19,5 +19,10 @@ package {
 cc_fuzz {
    name: "trusty_test_fuzzer",
    defaults: ["trusty_fuzzer_defaults"],
-    srcs: ["fuzz.cpp"],
+    srcs: [":trusty_tipc_fuzzer"],
+    cflags: [
+        "-DTRUSTY_APP_PORT=\"com.android.trusty.sancov.test.srv\"",
+        "-DTRUSTY_APP_UUID=\"77f68803-c514-43ba-bdce-3254531c3d24\"",
+        "-DTRUSTY_APP_FILENAME=\"srv.syms.elf\"",
+    ]
 }
--- a/trusty/fuzz/tipc_fuzzer.cpp
+++ b/trusty/fuzz/tipc_fuzzer.cpp
@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2020 The Android Open Source Project
+ * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -16,30 +16,48 @@

 #include <stdlib.h>
 #include <trusty/coverage/coverage.h>
+#include <trusty/coverage/uuid.h>
 #include <trusty/fuzz/counters.h>
 #include <trusty/fuzz/utils.h>
 #include <unistd.h>
 #include <iostream>
+#include <memory>

 using android::trusty::coverage::CoverageRecord;
 using android::trusty::fuzz::ExtraCounters;
 using android::trusty::fuzz::TrustyApp;

 #define TIPC_DEV "/dev/trusty-ipc-dev0"
-#define TEST_SRV_PORT "com.android.trusty.sancov.test.srv"

-/* Test server's UUID is 77f68803-c514-43ba-bdce-3254531c3d24 */
-static struct uuid test_srv_uuid = {
-        0x77f68803,
-        0xc514,
-        0x43ba,
-        {0xbd, 0xce, 0x32, 0x54, 0x53, 0x1c, 0x3d, 0x24},
-};
+#ifndef TRUSTY_APP_PORT
+#error "Port name must be parameterized using -DTRUSTY_APP_PORT."
+#endif

-static CoverageRecord record(TIPC_DEV, &test_srv_uuid);
+#ifndef TRUSTY_APP_UUID
+#error "UUID must be parameterized using -DTRUSTY_APP_UUID."
+#endif
+
+#ifndef TRUSTY_APP_FILENAME
+#error "Binary file name must be parameterized using -DTRUSTY_APP_FILENAME."
+#endif
+
+static std::unique_ptr<CoverageRecord> record;

 extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
-    auto ret = record.Open();
+    uuid module_uuid;
+
+    if (!str_to_uuid(TRUSTY_APP_UUID, &module_uuid)) {
+        std::cerr << "Failed to parse UUID: " << TRUSTY_APP_UUID << std::endl;
+        exit(-1);
+    }
+
+    record = std::make_unique<CoverageRecord>(TIPC_DEV, &module_uuid, TRUSTY_APP_FILENAME);
+    if (!record) {
+        std::cerr << "Failed to allocate coverage record" << std::endl;
+        exit(-1);
+    }
+
+    auto ret = record->Open();
    if (!ret.ok()) {
        std::cerr << ret.error() << std::endl;
        exit(-1);
@ -50,22 +68,21 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    static uint8_t buf[TIPC_MAX_MSG_SIZE];

-    ExtraCounters counters(&record);
+    ExtraCounters counters(record.get());
    counters.Reset();

-    TrustyApp ta(TIPC_DEV, TEST_SRV_PORT);
+    TrustyApp ta(TIPC_DEV, TRUSTY_APP_PORT);
    auto ret = ta.Connect();
    if (!ret.ok()) {
+        std::cerr << ret.error() << std::endl;
        android::trusty::fuzz::Abort();
    }

-    /* Send message to test server */
    ret = ta.Write(data, size);
    if (!ret.ok()) {
        return -1;
    }

-    /* Read message from test server */
    ret = ta.Read(&buf, sizeof(buf));
    if (!ret.ok()) {
        return -1;