android_system_core/init/fuzzer
Michael Bestas ffe39e16d3 Android 15.0.0 Release 6 (AP4A.241205.013)

Merge tag 'android-15.0.0_r6' into staging/lineage-22.0_merge-android-15.0.0_r6

Android 15.0.0 Release 6 (AP4A.241205.013)

# gpg: Signature made Fri Dec  6 00:44:03 2024 EET
# gpg:                using DSA key 4340D13570EF945E83810964E8AD3F819AB10E78
# gpg: Good signature from "The Android Open Source Project <initial-contribution@android.com>" [marginal]
# gpg: initial-contribution@android.com: Verified 2481 signatures in the past
#      3 years.  Encrypted 4 messages in the past 2 years.
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 4340 D135 70EF 945E 8381  0964 E8AD 3F81 9AB1 0E78

# By Akilesh Kailash (13) and others
# Via Automerger Merge Worker (317) and others
* tag 'android-15.0.0_r6': (158 commits)
  trusty: storage: proxy: FS_READY property setting on vendor only
  Fix the trigger name for loading bpf programs.
  start netd earlier
  Replace base::RandInt with std::uniform_int_distribution
  trusty: keymint: rename trusty_ipc_dev property
  Move the `dist` target of `mke2fs` to `build/core/tasks`
  Remove define of SA_EXPOSE_TAGBITS.
  Add input event profile to mitigate input latency of input threads
  Remove usage of base/string/* in libfs_avb
  Add getFdStateDebug to access Looper's callbacks
  libsnapshot: CHECK -> CHECK_EQ
  Mount /mnt/vm earlier
  Define linker.config.json as a filegroup
  Remove usage of base/logging.h in libfs_avb
  debuggerd: recognize jumps to non-executable memory.
  Support vendor partition in non-debuggable pVMs
  Remind the reader that they'll need to modify CTS too.
  Rename system/core/rootdir/Android.mk to create_root_structure.mk
  trusty: keymint/gatekeeper: Pass device name from init scripts
  Remove unused variable.
  ...

 Conflicts:
	fs_mgr/libsnapshot/include/libsnapshot/snapshot.h
	fs_mgr/libsnapshot/snapshot.cpp
	init/Android.bp
	init/fuzzer/Android.bp

Change-Id: I29c07b3ac76940cb2b82726e98d2beb643b3e6e4
2024-12-10 23:23:24 +02:00
Android.bp Android 15.0.0 Release 6 (AP4A.241205.013) 2024-12-10 23:23:24 +02:00
init_parser_fuzzer.cpp init_parser_fuzzer: remove interface checks 2024-08-21 17:42:05 +09:00
init_property_fuzzer.cpp Added init_property_fuzzer 2022-08-19 11:48:19 +05:30
init_ueventHandler_fuzzer.cpp Added init_ueventHandler_fuzzer 2022-08-19 11:48:30 +05:30
README.md Added init_ueventHandler_fuzzer 2022-08-19 11:48:30 +05:30

Fuzzers for libinit

Fuzzer for InitParser

InitParser supports the following parameters:

  1. ValidPathNames (parameter name: "kValidPaths")
  2. ValidParseInputs (parameter name: "kValidInputs")

| Parameter | Valid Values | Configured Value |
|---|---|---|
| kValidPaths | 0. /system/etc/init/hw/init.rc, 1. /system/etc/init | Value obtained from FuzzedDataProvider |
| kValidInputs | 0. {"","cpu", "10", "10"}, 1. {"","RLIM_CPU", "10", "10"}, 2. {"","12", "unlimited", "10"}, 3. {"","13", "-1", "10"}, 4. {"","14", "10", "unlimited"}, 5. {"","15", "10", "-1"} | Value obtained from FuzzedDataProvider |

Steps to run

  1. Build the fuzzer
     $ mm -j$(nproc) init_parser_fuzzer
  2. Run on device
     $ adb sync data
     $ adb shell /data/fuzz/arm64/init_parser_fuzzer/init_parser_fuzzer

Fuzzer for InitProperty

InitProperty supports the following parameters: PropertyType (parameter name: "PropertyType")

| Parameter | Valid Values | Configured Value |
|---|---|---|
| PropertyType | 0. STRING, 1. BOOL, 2. INT, 3. UINT, 4. DOUBLE, 5. SIZE, 6. ENUM, 7. RANDOM | Value obtained from FuzzedDataProvider |

Steps to run

  1. Build the fuzzer
     $ mm -j$(nproc) init_property_fuzzer
  2. Run on device
     $ adb sync data
     $ adb shell /data/fuzz/arm64/init_property_fuzzer/init_property_fuzzer

Fuzzer for InitUeventHandler

Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzer.

InitUeventHandler supports the following parameters:

  1. Major (parameter name: major)
  2. Minor (parameter name: minor)
  3. PartitionNum (parameter name: partition_num)
  4. Uid (parameter name: uid)
  5. Gid (parameter name: gid)
  6. Action (parameter name: action)
  7. Path (parameter name: path)
  8. Subsystem (parameter name: subsystem)
  9. PartitionName (parameter name: partition_name)
  10. DeviceName (parameter name: device_name)
  11. Modalias (parameter name: modalias)
  12. DevPath (parameter name: devPath)
  13. HandlerPath (parameter name: handlerPath)

| Parameter | Valid Values | Configured Value |
|---|---|---|
| major | UINT32_MIN to UINT32_MAX | Value obtained from FuzzedDataProvider |
| minor | UINT32_MIN to UINT32_MAX | Value obtained from FuzzedDataProvider |
| partition_num | UINT32_MIN to UINT32_MAX | Value obtained from FuzzedDataProvider |
| uid | UINT32_MIN to UINT32_MAX | Value obtained from FuzzedDataProvider |
| gid | UINT32_MIN to UINT32_MAX | Value obtained from FuzzedDataProvider |
| action | String | Value obtained from FuzzedDataProvider |
| path | String | Value obtained from FuzzedDataProvider |
| subsystem | String | Value obtained from FuzzedDataProvider |
| partition_name | String | Value obtained from FuzzedDataProvider |
| device_name | String | Value obtained from FuzzedDataProvider |
| modalias | String | Value obtained from FuzzedDataProvider |
| devPath | String | Value obtained from FuzzedDataProvider |
| handlerPath | String | Value obtained from FuzzedDataProvider |

This also ensures that the fuzzer is always deterministic for any given input.
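The input-driven, deterministic parameter selection described above, as an added example that is not code from this repository. `ByteFeed`, `UeventParams` and `ParamsFromInput` are hypothetical names; `ByteFeed` is a minimal stand-in for libFuzzer's FuzzedDataProvider with its own simple byte layout, used so the block builds without libFuzzer headers.

```cpp
// Added example, not AOSP code. ByteFeed is a hypothetical stand-in for
// FuzzedDataProvider; its byte layout is this example's own.
#include <cstddef>
#include <cstdint>
#include <string>

class ByteFeed {
  public:
    ByteFeed(const uint8_t* data, size_t size) : data_(data), left_(size) {}
    // Little-endian uint32 from the next 4 bytes; missing bytes read as zero.
    uint32_t ConsumeU32() {
        uint32_t v = 0;
        for (int i = 0; i < 4 && left_ > 0; ++i, ++data_, --left_) {
            v |= static_cast<uint32_t>(*data_) << (8 * i);
        }
        return v;
    }
    // One length byte, then up to that many bytes, truncated at end of input.
    std::string ConsumeString() {
        if (left_ == 0) return "";
        size_t n = *data_++;
        --left_;
        if (n > left_) n = left_;
        std::string s(reinterpret_cast<const char*>(data_), n);
        data_ += n; left_ -= n;
        return s;
    }
  private:
    const uint8_t* data_;
    size_t left_;
};

// Constructed subset of the parameters listed in the table above.
struct UeventParams {
    uint32_t major, minor;
    std::string action, path;
};

// Every field is taken from the input bytes: no clock, no RNG, no globals.
// One statement per field keeps the consumption order fixed, so a crashing
// input always replays to the same parameters.
UeventParams ParamsFromInput(const uint8_t* data, size_t size) {
    ByteFeed feed(data, size);
    UeventParams p{};
    p.major = feed.ConsumeU32();
    p.minor = feed.ConsumeU32();
    p.action = feed.ConsumeString();
    p.path = feed.ConsumeString();
    return p;
}
```

In a real harness the same function body would sit inside `LLVMFuzzerTestOneInput` and draw from FuzzedDataProvider instead of the stand-in.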

Steps to run

  1. Build the fuzzer
     $ mm -j$(nproc) init_ueventHandler_fuzzer
  2. Run on device
     $ adb sync data
     $ adb shell /data/fuzz/arm64/init_ueventHandler_fuzzer/init_ueventHandler_fuzzer