Trusty: Move tipc fuzzer connection to end of iteration
We detect a TA crash by not being able to reconnect to its channel. We were previously connecting to the TA at the beginning of each fuzz iteration, but this results in only detecting a crash on the following iteration. By moving this connection to the end of the fuzz iteration, we can detect a crash corresponding to the correct fuzz iteration and libFuzzer will produce the correct crashing input. Test: /data/fuzz/arm64/trusty_keymaster_fuzzer/trusty_keymaster_fuzzer Bug: 185407818 Change-Id: I6808c72611fcabab5b314218f8b588dd7d944188
parent
a2b662cf23
commit
e54e8d4ebf
3 changed files with 16 additions and 15 deletions
|
|
@ -34,6 +34,7 @@ class TrustyApp {
|
|||
android::base::Result<void> Connect();
|
||||
android::base::Result<void> Read(void* buf, size_t len);
|
||||
android::base::Result<void> Write(const void* buf, size_t len);
|
||||
void Disconnect();
|
||||
|
||||
android::base::Result<int> GetRawFd();
|
||||
|
||||
|
|
|
|||
|
|
@ -41,6 +41,7 @@ using android::trusty::fuzz::TrustyApp;
|
|||
#error "Binary file name must be parameterized using -DTRUSTY_APP_FILENAME."
|
||||
#endif
|
||||
|
||||
static TrustyApp kTrustyApp(TIPC_DEV, TRUSTY_APP_PORT);
|
||||
static std::unique_ptr<CoverageRecord> record;
|
||||
|
||||
extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
|
||||
|
|
@ -52,8 +53,7 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
|
|||
}
|
||||
|
||||
/* Make sure lazy-loaded TAs have started and connected to coverage service. */
|
||||
TrustyApp ta(TIPC_DEV, TRUSTY_APP_PORT);
|
||||
auto ret = ta.Connect();
|
||||
auto ret = kTrustyApp.Connect();
|
||||
if (!ret.ok()) {
|
||||
std::cerr << ret.error() << std::endl;
|
||||
exit(-1);
|
||||
|
|
@ -79,22 +79,18 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
|
|||
ExtraCounters counters(record.get());
|
||||
counters.Reset();
|
||||
|
||||
TrustyApp ta(TIPC_DEV, TRUSTY_APP_PORT);
|
||||
auto ret = ta.Connect();
|
||||
auto ret = kTrustyApp.Write(data, size);
|
||||
if (ret.ok()) {
|
||||
ret = kTrustyApp.Read(&buf, sizeof(buf));
|
||||
}
|
||||
|
||||
// Reconnect to ensure that the service is still up
|
||||
kTrustyApp.Disconnect();
|
||||
ret = kTrustyApp.Connect();
|
||||
if (!ret.ok()) {
|
||||
std::cerr << ret.error() << std::endl;
|
||||
android::trusty::fuzz::Abort();
|
||||
}
|
||||
|
||||
ret = ta.Write(data, size);
|
||||
if (!ret.ok()) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
ret = ta.Read(&buf, sizeof(buf));
|
||||
if (!ret.ok()) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
return ret.ok() ? 0 : -1;
|
||||
}
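Review bot: In LLVMFuzzerTestOneInput the outcome of the Write/Read pair is overwritten by `ret = kTrustyApp.Connect();`, so an I/O failure never reaches the return value. The `!ret.ok()` branch ends in Abort(), which this commit shows calling exit(-1), so `return ret.ok() ? 0 : -1;` can only yield 0 and the earlier `-1` path for a failed write or read is effectively gone. If that status should still be reported, keep the reconnect result in its own variable, for example `auto reconnect = kTrustyApp.Connect();`, with the check and the `std::cerr` line using `reconnect`, so `ret` still holds the Write/Read outcome at the return. The function starts before this hunk, so the declaration of `buf` is not visible here.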
|
||||
|
|
|
|||
|
|
@ -127,6 +127,10 @@ Result<int> TrustyApp::GetRawFd() {
|
|||
return ta_fd_;
|
||||
}
|
||||
|
||||
void TrustyApp::Disconnect() {
|
||||
ta_fd_.reset();
|
||||
}
|
||||
|
||||
void Abort() {
|
||||
PrintTrustyLog();
|
||||
exit(-1);
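Review bot: Disconnect() carries no comment stating the contract its callers now depend on: it drops the channel with `ta_fd_.reset();`, and the object has to be connected again before the next Read() or Write(). The fuzzer now shares one static TrustyApp across all iterations, so a caller that skips the reconnect would issue I/O on a closed descriptor; whether Read() and Write() guard against that is not visible in this hunk. A one-line comment on the declaration in class TrustyApp would cover it, for example `// Closes the channel; call Connect() again before Read()/Write().` Abort() continues past the end of this hunk.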
|
||||
|
|
|
|||