From dc45de05536d7e707ded3e41d9756413dc2c82c3 Mon Sep 17 00:00:00 2001 
From: Wenhao Wang Date: Tue, 29 Dec 2020 18:50:30 -0800 Subject: [PATCH] trusty: Adapt to Confirmationui Corpus Format The corpus of Confirmationui usually contains multiple data packets to be transfered from Android side to Trusty side. Therefore we adjust the Confirmationui fuzzer so that it can send data to Confirmationui TA several times through a same tipc channel. Bug: 174402999 Bug: 171750250 Test: /data/fuzz/arm64/trusty_confirmationui_fuzzer/trusty_confirmationui_fuzzer Change-Id: Ib6ae831e6a19c98eb62a1c75f77eb00f914e2f5c --- trusty/confirmationui/fuzz/Android.bp | 4 ++ .../fuzz/corpus/confirmationui-2ekYc2 | Bin 0 -> 168 bytes .../fuzz/corpus/confirmationui-5yTG3f | Bin 0 -> 6222 bytes .../fuzz/corpus/confirmationui-6l8Soq | Bin 0 -> 160 bytes .../fuzz/corpus/confirmationui-7kFpGO | Bin 0 -> 28 bytes .../fuzz/corpus/confirmationui-92m2f3 | Bin 0 -> 28 bytes .../fuzz/corpus/confirmationui-ALYIzO | Bin 0 -> 28 bytes .../fuzz/corpus/confirmationui-AcIMhR | Bin 0 -> 68 bytes .../fuzz/corpus/confirmationui-AieaIi | Bin 0 -> 28 bytes .../fuzz/corpus/confirmationui-BdqX5j | Bin 0 -> 28 bytes .../fuzz/corpus/confirmationui-JBPIGs | Bin 0 -> 28 bytes .../fuzz/corpus/confirmationui-MWHw4T | Bin 0 -> 156 bytes .../fuzz/corpus/confirmationui-TZzVLO | Bin 0 -> 60 bytes .../fuzz/corpus/confirmationui-WwdA3B | Bin 0 -> 28 bytes .../fuzz/corpus/confirmationui-globJV | Bin 0 -> 28 bytes .../fuzz/corpus/confirmationui-hzUgjD | Bin 0 -> 84 bytes .../fuzz/corpus/confirmationui-jXC78o | Bin 0 -> 164 bytes .../fuzz/corpus/confirmationui-kykxni | Bin 0 -> 28 bytes .../fuzz/corpus/confirmationui-npHe8t | Bin 0 -> 84 bytes .../fuzz/corpus/confirmationui-rPgnyI | Bin 0 -> 84 bytes .../fuzz/corpus/confirmationui-uCJ1Me | Bin 0 -> 28 bytes .../fuzz/corpus/confirmationui-wAQEjK | Bin 0 -> 28 bytes .../fuzz/corpus/confirmationui-xjtOks | Bin 0 -> 60 bytes .../fuzz/corpus/confirmationui-zKFIjN | Bin 0 -> 28 bytes trusty/confirmationui/fuzz/fuzz.cpp | 35 +++++++++++++----- 25 files 
changed, 30 insertions(+), 9 deletions(-) create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2 create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3 create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-globJV create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-kykxni create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks create mode 100644 trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN diff --git a/trusty/confirmationui/fuzz/Android.bp b/trusty/confirmationui/fuzz/Android.bp index 0819c213b..635966fef 100644 --- a/trusty/confirmationui/fuzz/Android.bp +++ b/trusty/confirmationui/fuzz/Android.bp 
@@ -16,4 +16,8 @@ cc_fuzz { name: "trusty_confirmationui_fuzzer", defaults: ["trusty_fuzzer_defaults"], srcs: ["fuzz.cpp"], + + // The initial corpus for this fuzzer was derived by dumping bytes from + // ConfirmationUI VTS. + corpus: ["corpus/*"], } diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2 b/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2 new file mode 100644 index 0000000000000000000000000000000000000000..53fe0c99fab48e154270a1ba7eedae8be89a30d0 GIT binary patch literal 168 zcmbQk00L9MBm)B@luifI;YdIMi5*T|4%kL!Aj!zY%)kVsQ}Y-YSU`Lr=775h0Q}@6 A1poj5 literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f b/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f new file mode 100644 index 0000000000000000000000000000000000000000..d627b01a0ee40a1e993c0f93b610f1d15973fb5a GIT binary patch literal 6222 zcmeI%F%Ezr5Jb_D#Dvb4*2>mHcnC`y5-Pm1M{yDK448b1oor|(uia~sy)~364K*}c zZp)eGwyXWWD~SLC2q1s}0tg_000IagfB*u02^_xk*`L{0Guj}400IagfWW^5oYjrF JcJ|-h;0C0~1YZCE literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq b/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq new file mode 100644 index 0000000000000000000000000000000000000000..bda80fdbc2d38b914bf5c9ec9d6a9ce4d3204143 GIT binary patch literal 160 scmbQj00KQ=l7WE{N~Zwna5?~HpgoLC%nVFGIyH}hfd#||Vh*@V05jYqZU6uP literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO b/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO new file mode 100644 index 0000000000000000000000000000000000000000..5adf9051357d72803499c0841892d59edf824cb5 GIT binary patch literal 28 UcmWe&009m#$-uw@W-~&000SHVCIA2c literal 0 HcmV?d00001 
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3 b/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3 new file mode 100644 index 0000000000000000000000000000000000000000..5adf9051357d72803499c0841892d59edf824cb5 GIT binary patch literal 28 UcmWe&009m#$-uw@W-~&000SHVCIA2c literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO b/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO new file mode 100644 index 0000000000000000000000000000000000000000..5adf9051357d72803499c0841892d59edf824cb5 GIT binary patch literal 28 UcmWe&009m#$-uw@W-~&000SHVCIA2c literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR b/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR new file mode 100644 index 0000000000000000000000000000000000000000..f5854f8335c788a64679b02c1459cd379a12e2f8 GIT binary patch literal 68 qcmcCu009Fq$-uw}rCEXWk0v01@|l4&BNH~aMnSq#*iJ5^3NT=oj2_WErs{#N$ngRj< literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B b/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B new file mode 100644 index 0000000000000000000000000000000000000000..5adf9051357d72803499c0841892d59edf824cb5 GIT binary patch literal 28 UcmWe&009m#$-uw@W-~&000SHVCIA2c literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-globJV b/trusty/confirmationui/fuzz/corpus/confirmationui-globJV new file mode 100644 index 0000000000000000000000000000000000000000..5adf9051357d72803499c0841892d59edf824cb5 GIT binary patch literal 28 UcmWe&009m#$-uw@W-~&000SHVCIA2c literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD b/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD new file mode 100644 index 0000000000000000000000000000000000000000..87870ca7eb1f0a1e4fa4377813422b08b30ccff1 GIT binary patch literal 84 zcmeZZ009Ru$-uw}rNw}>Z>mCCW>Im8jzW57Zf+`sRD>vC22zYn%nVFGIyDa>#sSw2 E0ITl_EC2ui literal 0 HcmV?d00001 
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o b/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o new file mode 100644 index 0000000000000000000000000000000000000000..0b274bf90281aca0447f3029112a8d01dcba3121 GIT binary patch literal 164 xcmbQi00I-hBm)B@luifI;YdIMi5*T|4%kL!Aj!zY%)kVsQ}e(=3>Z>mCCW>Im8jzW57Zf+`sRD>vC22zYn%nVFGIyDa>#sSw2 E0ITl_EC2ui literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI b/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI new file mode 100644 index 0000000000000000000000000000000000000000..87870ca7eb1f0a1e4fa4377813422b08b30ccff1 GIT binary patch literal 84 zcmeZZ009Ru$-uw}rNw}>Z>mCCW>Im8jzW57Zf+`sRD>vC22zYn%nVFGIyDa>#sSw2 E0ITl_EC2ui literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me b/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me new file mode 100644 index 0000000000000000000000000000000000000000..5adf9051357d72803499c0841892d59edf824cb5 GIT binary patch literal 28 UcmWe&009m#$-uw@W-~&000SHVCIA2c literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK b/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK new file mode 100644 index 0000000000000000000000000000000000000000..5adf9051357d72803499c0841892d59edf824cb5 GIT binary patch literal 28 UcmWe&009m#$-uw@W-~&000SHVCIA2c literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks b/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks new file mode 100644 index 0000000000000000000000000000000000000000..b4a1c49efa4e671820ab38721355466c45500703 GIT binary patch literal 60 ncmXqD009j!$-uw}rI~^Bfu?2#5Y5QM%)kVsQ}ZB_9B@?tUkC#U literal 0 HcmV?d00001 
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN b/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN new file mode 100644 index 0000000000000000000000000000000000000000..5adf9051357d72803499c0841892d59edf824cb5 GIT binary patch literal 28 UcmWe&009m#$-uw@W-~&000SHVCIA2c literal 0 HcmV?d00001 diff --git a/trusty/confirmationui/fuzz/fuzz.cpp b/trusty/confirmationui/fuzz/fuzz.cpp index aa132e8af..9d3008b2b 100644 --- a/trusty/confirmationui/fuzz/fuzz.cpp +++ b/trusty/confirmationui/fuzz/fuzz.cpp @@ -39,6 +39,15 @@ static struct uuid confirmationui_uuid = { {0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b}, }; +/* The format of the packets is as following: + * 16 bits (uint16_t, header) + payload bytes + * The 16 bits header spicify the number of bytes of payload (header excluded). + */ +struct data_packet { + uint16_t header; + uint8_t payload[]; +}; + static CoverageRecord record(TIPC_DEV, &confirmationui_uuid); extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) { @@ -47,8 +56,10 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) { return 0; } +/* Each corpus contains one or more data packets. */ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { static uint8_t buf[TIPC_MAX_MSG_SIZE]; + size_t data_idx = 0; ExtraCounters counters(&record); counters.Reset(); 
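Review bot: The comment above the new `struct data_packet` misspells "specify" (`spicify`) and leaves the two facts a corpus author actually needs unstated: the byte order of the 16-bit length and that it counts payload bytes only. I would reword it as `/* Packet layout: uint16_t length (host byte order, payload bytes only, header excluded) followed by that many payload bytes. */`. The flexible array member `uint8_t payload[]` is not standard C++ (clang accepts it as an extension), so a one-line `// flexible array member: clang extension` note next to it would save the next reader a trip to the standard. The struct is only used to overlay the fuzzer input, so nothing in this hunk itself is unsafe; the parsing concerns belong to the loop in the following hunk.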
@@ -59,16 +70,22 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { android::trusty::fuzz::Abort(); } - /* Write message to confirmationui server */ - ret = ta.Write(data, size); - if (!ret.ok()) { - return -1; - } + while (data_idx < size) { + struct data_packet* data_packet_ptr = (struct data_packet*)&data[data_idx]; + size_t payload_size = data_packet_ptr->header; + data_idx += data_packet_ptr->header + sizeof(data_packet_ptr->header); - /* Read message from confirmationui server */ - ret = ta.Read(&buf, sizeof(buf)); - if (!ret.ok()) { - return -1; + /* Write message to confirmationui server */ + ret = ta.Write(data_packet_ptr->payload, payload_size); + if (!ret.ok()) { + return -1; + } + + /* Read message from confirmationui server */ + ret = ta.Read(&buf, sizeof(buf)); + if (!ret.ok()) { + return -1; + } } return 0;
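Review bot: The new `while` loop reads `data_packet_ptr->header` and then passes `payload_size` straight to `ta.Write()` without checking either against the bytes remaining in `data`, so an input that ends in a partial header, or whose header is larger than the remainder, makes the harness itself read past the end of the fuzzer input — ASan reports this as a heap-buffer-overflow in the fuzzer, not a finding in the TA, and libFuzzer's mutations will produce such inputs constantly. The C-style cast to `struct data_packet*` at an arbitrary `data_idx` also becomes a misaligned `uint16_t` load as soon as a preceding packet has odd length, which UBSan's alignment check will flag; copying the header out with `memcpy` avoids that. I would guard the header read, clamp (or reject) the payload to `size - data_idx`, and only then advance `data_idx`; `memcpy` needs `<string.h>`, whose include block is outside this hunk, and `LLVMFuzzerTestOneInput`'s closing brace is also outside the hunk.
```cpp
    while (data_idx < size) {
        /* A trailing partial header ends the input. */
        if (size - data_idx < sizeof(uint16_t)) {
            break;
        }
        uint16_t header;
        memcpy(&header, &data[data_idx], sizeof(header)); /* avoid misaligned load */
        data_idx += sizeof(header);

        /* Clamp to what is actually left so Write() never reads past data. */
        size_t payload_size = header;
        if (payload_size > size - data_idx) {
            payload_size = size - data_idx;
        }
        const uint8_t* payload = &data[data_idx];
        data_idx += payload_size;

        /* Write message to confirmationui server */
        ret = ta.Write(payload, payload_size);
        // … unchanged: Write error check, Read and its error check …
    }
```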