Merge "trusty: Adapt to Confirmationui Corpus Format"

2021-01-13 20:17:31 +00:00 · 2021-01-13 20:17:31 +00:00 · 1ee38ede4c
commit 1ee38ede4c
parent c6b6c08f95 dc45de0553
25 changed files with 30 additions and 9 deletions
--- a/trusty/confirmationui/fuzz/Android.bp
+++ b/trusty/confirmationui/fuzz/Android.bp
@ -16,4 +16,8 @@ cc_fuzz {
    name: "trusty_confirmationui_fuzzer",
    defaults: ["trusty_fuzzer_defaults"],
    srcs: ["fuzz.cpp"],
+
+    // The initial corpus for this fuzzer was derived by dumping bytes from
+    // ConfirmationUI VTS.
+    corpus: ["corpus/*"],
 }
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-globJV
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-globJV
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN
+++ b/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN
--- a/trusty/confirmationui/fuzz/fuzz.cpp
+++ b/trusty/confirmationui/fuzz/fuzz.cpp
@ -39,6 +39,15 @@ static struct uuid confirmationui_uuid = {
    {0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b},
 };

+/* The format of the packets is as following:
+ * 16 bits (uint16_t, header) + payload bytes
+ * The 16 bits header spicify the number of bytes of payload (header excluded).
+ */
+struct data_packet {
+    uint16_t header;
+    uint8_t payload[];
+};
+
 static CoverageRecord record(TIPC_DEV, &confirmationui_uuid);

 extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
@ -47,8 +56,10 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
    return 0;
 }

+/* Each corpus contains one or more data packets. */
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    static uint8_t buf[TIPC_MAX_MSG_SIZE];
+    size_t data_idx = 0;

    ExtraCounters counters(&record);
    counters.Reset();
@ -59,16 +70,22 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
        android::trusty::fuzz::Abort();
    }

-    /* Write message to confirmationui server */
-    ret = ta.Write(data, size);
-    if (!ret.ok()) {
-        return -1;
-    }
+    while (data_idx < size) {
+        struct data_packet* data_packet_ptr = (struct data_packet*)&data[data_idx];
+        size_t payload_size = data_packet_ptr->header;
+        data_idx += data_packet_ptr->header + sizeof(data_packet_ptr->header);

-    /* Read message from confirmationui server */
-    ret = ta.Read(&buf, sizeof(buf));
-    if (!ret.ok()) {
-        return -1;
+        /* Write message to confirmationui server */
+        ret = ta.Write(data_packet_ptr->payload, payload_size);
+        if (!ret.ok()) {
+            return -1;
+        }
+
+        /* Read message from confirmationui server */
+        ret = ta.Read(&buf, sizeof(buf));
+        if (!ret.ok()) {
+            return -1;
+        }
    }

    return 0;