diff options
Diffstat (limited to 'trusty/apploader/fuzz/app_fuzzer.cpp')
-rw-r--r-- | trusty/apploader/fuzz/app_fuzzer.cpp | 134 |
1 files changed, 0 insertions, 134 deletions
diff --git a/trusty/apploader/fuzz/app_fuzzer.cpp b/trusty/apploader/fuzz/app_fuzzer.cpp deleted file mode 100644 index aa0caca81..000000000 --- a/trusty/apploader/fuzz/app_fuzzer.cpp +++ /dev/null @@ -1,134 +0,0 @@ -/* - * Copyright (C) 2021 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <BufferAllocator/BufferAllocator.h> -#include <android-base/unique_fd.h> -#include <apploader_ipc.h> -#include <stdlib.h> -#include <sys/mman.h> -#include <trusty/coverage/coverage.h> -#include <trusty/fuzz/counters.h> -#include <trusty/fuzz/utils.h> -#include <trusty/tipc.h> -#include <unistd.h> -#include <iostream> - -using android::base::unique_fd; -using android::trusty::coverage::CoverageRecord; -using android::trusty::fuzz::ExtraCounters; -using android::trusty::fuzz::TrustyApp; - -#define TIPC_DEV "/dev/trusty-ipc-dev0" -#define APPLOADER_PORT "com.android.trusty.apploader" -#define APPLOADER_MODULE_NAME "apploader.syms.elf" - -/* Apploader TA's UUID is 081ba88f-f1ee-452e-b5e8-a7e9ef173a97 */ -static struct uuid apploader_uuid = { - 0x081ba88f, - 0xf1ee, - 0x452e, - {0xb5, 0xe8, 0xa7, 0xe9, 0xef, 0x17, 0x3a, 0x97}, -}; - -static inline uintptr_t RoundPageUp(uintptr_t val) { - return (val + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1); -} - -static bool SendLoadMsg(int chan, int dma_buf, size_t dma_buf_size) { - apploader_header hdr = { - .cmd = APPLOADER_CMD_LOAD_APPLICATION, - }; - apploader_load_app_req req = { - .package_size = static_cast<uint64_t>(dma_buf_size), - }; - iovec iov[] = { - { - .iov_base = &hdr, - .iov_len = sizeof(hdr), - }, - { - .iov_base = &req, - .iov_len = sizeof(req), - }, - }; - trusty_shm shm = { - .fd = dma_buf, - .transfer = TRUSTY_SHARE, - }; - - int rc = tipc_send(chan, iov, 2, &shm, 1); - if (rc != static_cast<int>(sizeof(hdr) + sizeof(req))) { - std::cerr << "Failed to send request" << std::endl; - return false; - } - - apploader_resp resp; - rc = read(chan, &resp, sizeof(resp)); - if (rc != static_cast<int>(sizeof(resp))) { - std::cerr << "Failed to receive response" << std::endl; - return false; - } - - return true; -} - -static CoverageRecord record(TIPC_DEV, &apploader_uuid, APPLOADER_MODULE_NAME); - -extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) { - auto ret = record.Open(); - if (!ret.ok()) { - std::cerr << ret.error() << std::endl; - exit(-1); - } - return 0; -} - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - ExtraCounters counters(&record); - counters.Reset(); - - android::trusty::fuzz::TrustyApp ta(TIPC_DEV, APPLOADER_PORT); - auto ret = ta.Connect(); - if (!ret.ok()) { - std::cerr << ret.error() << std::endl; - android::trusty::fuzz::Abort(); - } - - uint64_t shm_len = size ? RoundPageUp(size) : PAGE_SIZE; - BufferAllocator alloc; - unique_fd dma_buf(alloc.Alloc(kDmabufSystemHeapName, shm_len)); - if (dma_buf < 0) { - std::cerr << "Failed to create dmabuf of size: " << shm_len << std::endl; - android::trusty::fuzz::Abort(); - } - - void* shm_base = mmap(0, shm_len, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0); - if (shm_base == MAP_FAILED) { - std::cerr << "Failed to mmap() dmabuf" << std::endl; - android::trusty::fuzz::Abort(); - } - - memcpy(shm_base, data, size); - - bool success = SendLoadMsg(*ta.GetRawFd(), dma_buf, shm_len); - if (!success) { - std::cerr << "Failed to send load message" << std::endl; - android::trusty::fuzz::Abort(); - } - - munmap(shm_base, shm_len); - return 0; -} |