diff --git a/trusty/apploader/fuzz/Android.bp b/trusty/apploader/fuzz/Android.bp new file mode 100644 index 000000000..e37dab1b0 --- /dev/null +++ b/trusty/apploader/fuzz/Android.bp @@ -0,0 +1,40 @@ +// Copyright (C) 2021 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package { + default_applicable_licenses: ["Android-Apache-2.0"], +} + +// Fuzz Trusty IPC messages sent to apploader. +cc_fuzz { + name: "trusty_apploader_tipc_fuzzer", + defaults: ["trusty_fuzzer_defaults"], + srcs: [":trusty_tipc_fuzzer"], + cflags: [ + "-DTRUSTY_APP_PORT=\"com.android.trusty.apploader\"", + "-DTRUSTY_APP_UUID=\"081ba88f-f1ee-452e-b5e8-a7e9ef173a97\"", + "-DTRUSTY_APP_FILENAME=\"apploader.syms.elf\"", + ] +} + +// Fuzz app package sent to apploader. +cc_fuzz { + name: "trusty_apploader_app_fuzzer", + defaults: ["trusty_fuzzer_defaults"], + srcs: ["app_fuzzer.cpp"], + include_dirs: ["system/core/trusty/apploader"], + shared_libs: [ + "libdmabufheap", + ], +} diff --git a/trusty/apploader/fuzz/app_fuzzer.cpp b/trusty/apploader/fuzz/app_fuzzer.cpp new file mode 100644 index 000000000..aa0caca81 --- /dev/null +++ b/trusty/apploader/fuzz/app_fuzzer.cpp @@ -0,0 +1,134 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +using android::base::unique_fd; +using android::trusty::coverage::CoverageRecord; +using android::trusty::fuzz::ExtraCounters; +using android::trusty::fuzz::TrustyApp; + +#define TIPC_DEV "/dev/trusty-ipc-dev0" +#define APPLOADER_PORT "com.android.trusty.apploader" +#define APPLOADER_MODULE_NAME "apploader.syms.elf" + +/* Apploader TA's UUID is 081ba88f-f1ee-452e-b5e8-a7e9ef173a97 */ +static struct uuid apploader_uuid = { + 0x081ba88f, + 0xf1ee, + 0x452e, + {0xb5, 0xe8, 0xa7, 0xe9, 0xef, 0x17, 0x3a, 0x97}, +}; + +static inline uintptr_t RoundPageUp(uintptr_t val) { + return (val + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1); +} + +static bool SendLoadMsg(int chan, int dma_buf, size_t dma_buf_size) { + apploader_header hdr = { + .cmd = APPLOADER_CMD_LOAD_APPLICATION, + }; + apploader_load_app_req req = { + .package_size = static_cast(dma_buf_size), + }; + iovec iov[] = { + { + .iov_base = &hdr, + .iov_len = sizeof(hdr), + }, + { + .iov_base = &req, + .iov_len = sizeof(req), + }, + }; + trusty_shm shm = { + .fd = dma_buf, + .transfer = TRUSTY_SHARE, + }; + + int rc = tipc_send(chan, iov, 2, &shm, 1); + if (rc != static_cast(sizeof(hdr) + sizeof(req))) { + std::cerr << "Failed to send request" << std::endl; + return false; + } + + apploader_resp resp; + rc = read(chan, &resp, sizeof(resp)); + if (rc != static_cast(sizeof(resp))) { + std::cerr << "Failed to receive response" << std::endl; + return false; + } + + return true; +} + +static CoverageRecord record(TIPC_DEV, &apploader_uuid, APPLOADER_MODULE_NAME); + +extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) { + auto ret = record.Open(); + if (!ret.ok()) { + std::cerr << ret.error() << std::endl; + exit(-1); + } + return 0; +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + ExtraCounters counters(&record); + counters.Reset(); + + android::trusty::fuzz::TrustyApp ta(TIPC_DEV, APPLOADER_PORT); + auto ret = ta.Connect(); + if (!ret.ok()) { + std::cerr << ret.error() << std::endl; + android::trusty::fuzz::Abort(); + } + + uint64_t shm_len = size ? RoundPageUp(size) : PAGE_SIZE; + BufferAllocator alloc; + unique_fd dma_buf(alloc.Alloc(kDmabufSystemHeapName, shm_len)); + if (dma_buf < 0) { + std::cerr << "Failed to create dmabuf of size: " << shm_len << std::endl; + android::trusty::fuzz::Abort(); + } + + void* shm_base = mmap(0, shm_len, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0); + if (shm_base == MAP_FAILED) { + std::cerr << "Failed to mmap() dmabuf" << std::endl; + android::trusty::fuzz::Abort(); + } + + memcpy(shm_base, data, size); + + bool success = SendLoadMsg(*ta.GetRawFd(), dma_buf, shm_len); + if (!success) { + std::cerr << "Failed to send load message" << std::endl; + android::trusty::fuzz::Abort(); + } + + munmap(shm_base, shm_len); + return 0; +}