trusty: Adapt to Confirmationui Corpus Format

The corpus of Confirmationui usually contains multiple data packets to be transfered from Android side to Trusty side. Therefore we adjust the Confirmationui fuzzer so that it can send data to Confirmationui TA several times through a same tipc channel. Bug: 174402999 Bug: 171750250 Test: /data/fuzz/arm64/trusty_confirmationui_fuzzer/trusty_confirmationui_fuzzer Change-Id: Ib6ae831e6a19c98eb62a1c75f77eb00f914e2f5c
2020-12-29 18:50:30 -08:00 · 2020-12-29 18:50:30 -08:00 · dc45de0553
commit dc45de0553
parent ff5f4cc734
25 changed files with 30 additions and 9 deletions
--- a/trusty/confirmationui/fuzz/Android.bp
+++ b/trusty/confirmationui/fuzz/Android.bp
@ -16,4 +16,8 @@ cc_fuzz {
    name: "trusty_confirmationui_fuzzer",
    defaults: ["trusty_fuzzer_defaults"],
    srcs: ["fuzz.cpp"],
+
+    // The initial corpus for this fuzzer was derived by dumping bytes from
+    // ConfirmationUI VTS.
+    corpus: ["corpus/*"],
 }
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-globJV
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-globJV
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN
--- a/trusty/confirmationui/fuzz/fuzz.cpp
+++ b/trusty/confirmationui/fuzz/fuzz.cpp
@ -39,6 +39,15 @@ static struct uuid confirmationui_uuid = {
    {0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b},
 };

+/* The format of the packets is as following:
+ * 16 bits (uint16_t, header) + payload bytes
+ * The 16 bits header spicify the number of bytes of payload (header excluded).
+ */
+struct data_packet {
+    uint16_t header;
+    uint8_t payload[];
+};
+
 static CoverageRecord record(TIPC_DEV, &confirmationui_uuid);

 extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
@ -47,8 +56,10 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
    return 0;
 }

+/* Each corpus contains one or more data packets. */
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    static uint8_t buf[TIPC_MAX_MSG_SIZE];
+    size_t data_idx = 0;

    ExtraCounters counters(&record);
    counters.Reset();
@ -59,16 +70,22 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
        android::trusty::fuzz::Abort();
    }

-    /* Write message to confirmationui server */
-    ret = ta.Write(data, size);
-    if (!ret.ok()) {
-        return -1;
-    }
+    while (data_idx < size) {
+        struct data_packet* data_packet_ptr = (struct data_packet*)&data[data_idx];
+        size_t payload_size = data_packet_ptr->header;
+        data_idx += data_packet_ptr->header + sizeof(data_packet_ptr->header);

-    /* Read message from confirmationui server */
-    ret = ta.Read(&buf, sizeof(buf));
-    if (!ret.ok()) {
-        return -1;
+        /* Write message to confirmationui server */
+        ret = ta.Write(data_packet_ptr->payload, payload_size);
+        if (!ret.ok()) {
+            return -1;
+        }
+
+        /* Read message from confirmationui server */
+        ret = ta.Read(&buf, sizeof(buf));
+        if (!ret.ok()) {
+            return -1;
+        }
    }

    return 0;