From 5e3a3ce0112d38fce565e6ec66bebf4197d94ce8 Mon Sep 17 00:00:00 2001
From: Stephen Crane
Date: Fri, 30 Oct 2020 15:04:38 -0700
Subject: [PATCH] trusty: fuzz: dump trusty kernel logs on crash
Adds an Abort() function to the fuzzer utils library that grabs and prints the relevant trusty kernel logs before exiting the fuzzer.
Test: /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer
Change-Id: I7741c7e5e0ffdc402e3d3dd9a7e5856e2a640dd2
---
 trusty/fuzz/include/trusty/fuzz/utils.h | 2 ++
 trusty/fuzz/utils.cpp | 45 ++++++++++++++++++++++++-
 trusty/gatekeeper/fuzz/fuzz.cpp | 4 ++-
 3 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/trusty/fuzz/include/trusty/fuzz/utils.h b/trusty/fuzz/include/trusty/fuzz/utils.h
index 7418927ad..bca84e96d 100644
--- a/trusty/fuzz/include/trusty/fuzz/utils.h
+++ b/trusty/fuzz/include/trusty/fuzz/utils.h
@@ -43,6 +43,8 @@ class TrustyApp {
 android::base::unique_fd ta_fd_;
 };
+void Abort();
+
 } // namespace fuzz
 } // namespace trusty
 } // namespace android
diff --git a/trusty/fuzz/utils.cpp b/trusty/fuzz/utils.cpp
index a389e0b61..240afe705 100644
--- a/trusty/fuzz/utils.cpp
+++ b/trusty/fuzz/utils.cpp
@@ -23,6 +23,9 @@
 #include
 #include
 #include
+#include
+#include
+#include
 using android::base::ErrnoError;
 using android::base::Error;
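Review bot: The new declaration `void Abort();` in utils.h has no comment and is not marked as non-returning, although the definition added in utils.cpp ends in `exit(-1)`. Callers reading only the header cannot tell that it prints kernel log lines to stderr and terminates the process. I would declare it as `[[noreturn]] void Abort();` and put a short comment above it, e.g. `/* Prints the trusty kernel log lines recorded since the fuzzer started to stderr, then exits the process. Never returns. */`.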
@@ -32,7 +35,42 @@ using android::base::unique_fd;
 #define TIPC_IOC_MAGIC 'r'
 #define TIPC_IOC_CONNECT _IOW(TIPC_IOC_MAGIC, 0x80, char*)
-static const size_t kTimeoutSeconds = 5;
+namespace {
+
+const size_t kTimeoutSeconds = 5;
+const std::string kTrustyLogTag = "trusty-log";
+
+const time_t kInitialTime = time(nullptr);
+
+void PrintTrustyLog() {
+ auto logger_list = android_logger_list_open(LOG_ID_KERNEL, ANDROID_LOG_NONBLOCK, 1000, 0);
+ if (logger_list == nullptr) {
+ std::cerr << "Could not open android kernel log\n";
+ return;
+ }
+
+ while (true) {
+ log_msg log_msg;
+ int rc = android_logger_list_read(logger_list, &log_msg);
+ if (rc < 0) {
+ break;
+ }
+ if (log_msg.entry.sec < kInitialTime) {
+ continue;
+ }
+ char* msg = log_msg.msg();
+ if (msg) {
+ std::string line(msg, log_msg.entry.len);
+ if (line.find(kTrustyLogTag) != std::string::npos) {
+ std::cerr << line.substr(kTrustyLogTag.length() + 2) << std::endl;
+ }
+ }
+ }
+
+ android_logger_list_free(logger_list);
+}
+
+} // namespace
 namespace android {
 namespace trusty {
@@ -104,6 +142,11 @@ Result TrustyApp::GetRawFd() {
 return ta_fd_;
 }
+void Abort() {
+ PrintTrustyLog();
+ exit(-1);
+}
+
 } // namespace fuzz
 } // namespace trusty
 } // namespace android
diff --git a/trusty/gatekeeper/fuzz/fuzz.cpp b/trusty/gatekeeper/fuzz/fuzz.cpp
index b1f643f94..f8ec93131 100644
--- a/trusty/gatekeeper/fuzz/fuzz.cpp
+++ b/trusty/gatekeeper/fuzz/fuzz.cpp
@@ -35,7 +35,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 * If we can't connect, then assume TA crashed.
 * TODO: Get some more info, e.g. stacks, to help Haiku dedup crashes.
 */
- assert(ret.ok());
+ if (!ret.ok()) {
+ android::trusty::fuzz::Abort();
+ }
 /* Send message to test server */
 ret = ta.Write(data, size);
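Review bot: In `PrintTrustyLog()`, `line.find(kTrustyLogTag)` accepts the tag at any position, but `line.substr(kTrustyLogTag.length() + 2)` always cuts a fixed number of characters from the start of the line. When the tag is not at offset 0 the wrong prefix is dropped, and when the line is shorter than the tag length plus two, `substr` throws `std::out_of_range`, so the crash path would fail a second time instead of printing the log. I would keep the match position and use a clamping call: `auto pos = line.find(kTrustyLogTag);` then, when `pos != std::string::npos`, `line.erase(0, pos + kTrustyLogTag.length() + 2);` followed by `std::cerr << line << std::endl;`. A short comment saying that the `+ 2` skips the separator after the tag would also help.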
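Review bot: `Abort()` in utils.cpp ends with `exit(-1)` rather than `abort()`, so the process runs exit handlers and static destructors and returns status 255, where the `assert` it replaces in fuzz.cpp raised SIGABRT. libFuzzer should still save the input, but presumably reports it as a target exit rather than a deadly signal, which may change how these crashes are bucketed. If the orderly exit is intended, a comment on the line such as `// exit() instead of abort(): <reason>` would record that; otherwise `abort();` after `PrintTrustyLog();` keeps the earlier signal and matches the function name.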
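Review bot: The new branch `if (!ret.ok())` in fuzz.cpp drops the error carried by `ret` before calling `Abort()`, so a connect failure caused by harness or device setup looks the same in the report as a TA crash. Printing it first, e.g. `std::cerr << ret.error() << std::endl;`, would let triage tell the two apart; this assumes `ret` is an `android::base::Result`, whose declaration is outside the hunk, and that `<iostream>` is included in this file. The `ret = ta.Write(data, size);` result below is presumably checked further down and would benefit from the same treatment. `LLVMFuzzerTestOneInput` starts and ends outside the hunk.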