Merge "ANDROID: fuzz: Clean-up & Use <sanitizer/*.h>" am: a6bf998cc1

Original change: https://android-review.googlesource.com/c/platform/external/dtc/+/2182235 Change-Id: Idc662254804977236b256ad2ce6806321fcc5cec Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-08-15 08:07:53 +00:00 · 2022-08-15 08:07:53 +00:00 · 72d5d01e2a
commit 72d5d01e2a
parent e11eb4bded a6bf998cc1
2 changed files with 56 additions and 7 deletions
--- a/fuzzing/Android.bp
+++ b/fuzzing/Android.bp
@ -11,10 +11,11 @@ cc_fuzz {
    static_libs: [
        "libfdt",
    ],
-    host_supported: true,
+    corpus: ["corpus/*"],
    fuzz_config: {
        cc: [
            "ptosi@google.com",
        ],
    },
+    host_supported: true,
 }
--- a/fuzzing/libfdt_fuzzer.c
+++ b/fuzzing/libfdt_fuzzer.c
@ -1,18 +1,66 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/* Ensure assert() catches logical errors during fuzzing */
+#ifdef NDEBUG
+#undef NDEBUG
+#endif
+
+#include <inttypes.h>
 #include <assert.h>
+#include <stdbool.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <ctype.h>
+
+#include <sanitizer/asan_interface.h>
+#include <sanitizer/msan_interface.h>

 #include "libfdt.h"
 #include "libfdt_env.h"

-void walk_device_tree(const void *device_tree, int parent_node) {
+/* check memory region is valid, for the purpose of tooling such as asan */
+static void check_mem(const void *mem, size_t len) {
+
+  assert(mem);
+
+#if __has_feature(memory_sanitizer)
+  /* dumps if check fails */
+  __msan_check_mem_is_initialized((void *)mem, len);
+#endif
+
+#if __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__)
+  assert(!__asan_region_is_poisoned((void *)mem, len));
+#else
+  const volatile uint8_t *mem8 = mem;
+
+  /* Read each byte of memory for instrumentation */
+  for(size_t i = 0; i < len; i++) {
+    (void)mem8[i];
+  }
+#endif
+}
+
+
+static void walk_device_tree(const void *device_tree, int parent_node) {
  int len = 0;
  const char *node_name = fdt_get_name(device_tree, parent_node, &len);
  if (node_name != NULL) {
-    // avoid clang complaining about unused variable node_name and force
-    // ASan to validate string pointer in strlen call.
-    assert(strlen(node_name) == len);
+    check_mem(node_name, len);
  }

  uint32_t phandle = fdt_get_phandle(device_tree, parent_node);
@ -27,6 +75,7 @@ void walk_device_tree(const void *device_tree, int parent_node) {
  }
 }

+
 // Information on device tree is available in external/dtc/Documentation/
 // folder.
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
@ -35,8 +84,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {

  if (fdt_check_full(data, size) != 0) return 0;

-  int root_node_offset = 0;
-  walk_device_tree(data, root_node_offset);
+  walk_device_tree(data, /* parent_node */ 0);

  return 0;
 }