Merge "rpc_binder: Change trusty_tipc_fuzzer to support multiple connections and messages" into main

trusty/fuzz/tipc_fuzzer.cpp

@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+#include <android-base/result.h>
+#include <fuzzer/FuzzedDataProvider.h>
 #include <stdlib.h>
 #include <trusty/coverage/coverage.h>
 #include <trusty/coverage/uuid.h>
@@ -23,6 +25,7 @@
 #include <iostream>
 #include <memory>
 
+using android::base::Result;
 using android::trusty::coverage::CoverageRecord;
 using android::trusty::fuzz::ExtraCounters;
 using android::trusty::fuzz::TrustyApp;
@@ -41,7 +44,14 @@ using android::trusty::fuzz::TrustyApp;
 #error "Binary file name must be parameterized using -DTRUSTY_APP_FILENAME."
 #endif
 
-static TrustyApp kTrustyApp(TIPC_DEV, TRUSTY_APP_PORT);
+#ifdef TRUSTY_APP_MAX_CONNECTIONS
+constexpr size_t MAX_CONNECTIONS = TRUSTY_APP_MAX_CONNECTIONS;
+#else
+constexpr size_t MAX_CONNECTIONS = 1;
+#endif
+
+static_assert(MAX_CONNECTIONS >= 1);
+
 static std::unique_ptr<CoverageRecord> record;
 
 extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
@@ -53,7 +63,8 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
     }
 
     /* Make sure lazy-loaded TAs have started and connected to coverage service. */
-    auto ret = kTrustyApp.Connect();
+    TrustyApp ta(TIPC_DEV, TRUSTY_APP_PORT);
+    auto ret = ta.Connect();
     if (!ret.ok()) {
         std::cerr << ret.error() << std::endl;
         exit(-1);
@@ -73,24 +84,56 @@ extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
     return 0;
 }
 
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-    static uint8_t buf[TIPC_MAX_MSG_SIZE];
+Result<void> testOneInput(FuzzedDataProvider& provider) {
+    std::vector<TrustyApp> trustyApps;
 
+    while (provider.remaining_bytes() > 0) {
+        if (trustyApps.size() < MAX_CONNECTIONS && provider.ConsumeBool()) {
+            auto& ta = trustyApps.emplace_back(TIPC_DEV, TRUSTY_APP_PORT);
+            const auto result = ta.Connect();
+            if (!result.ok()) {
+                return result;
+            }
+        } else {
+            const auto i = provider.ConsumeIntegralInRange<size_t>(0, trustyApps.size());
+            std::swap(trustyApps[i], trustyApps.back());
+
+            if (provider.ConsumeBool()) {
+                auto& ta = trustyApps.back();
+
+                const auto data = provider.ConsumeRandomLengthString();
+                auto result = ta.Write(data.data(), data.size());
+                if (!result.ok()) {
+                    return result;
+                }
+
+                std::array<uint8_t, TIPC_MAX_MSG_SIZE> buf;
+                result = ta.Read(buf.data(), buf.size());
+                if (!result.ok()) {
+                    return result;
+                }
+
+                // Reconnect to ensure that the service is still up.
+                ta.Disconnect();
+                result = ta.Connect();
+                if (!result.ok()) {
+                    std::cerr << result.error() << std::endl;
+                    android::trusty::fuzz::Abort();
+                    return result;
+                }
+            } else {
+                trustyApps.pop_back();
+            }
+        }
+    }
+    return {};
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
     ExtraCounters counters(record.get());
     counters.Reset();
 
-    auto ret = kTrustyApp.Write(data, size);
-    if (ret.ok()) {
-        ret = kTrustyApp.Read(&buf, sizeof(buf));
-    }
-
-    // Reconnect to ensure that the service is still up
-    kTrustyApp.Disconnect();
-    ret = kTrustyApp.Connect();
-    if (!ret.ok()) {
-        std::cerr << ret.error() << std::endl;
-        android::trusty::fuzz::Abort();
-    }
-
-    return ret.ok() ? 0 : -1;
+    FuzzedDataProvider provider(data, size);
+    const auto result = testOneInput(provider);
+    return result.ok() ? 0 : -1;
 }