From e4a80fe0669b405056e201eee1ce669d62592052 Mon Sep 17 00:00:00 2001
From: Tri Vo
Date: Fri, 26 Feb 2021 20:24:55 -0800
Subject: [PATCH] trusty: Fuzz gatekeeper TA using generic TIPC fuzzer

Bug: 171750250
Test: trusty_gatekeeper_fuzzer
Change-Id: Ib3f40e7d2c01cdd2ca8df35f4b84234ddf7dbe50
---
 trusty/gatekeeper/fuzz/Android.bp | 7 ++-
 trusty/gatekeeper/fuzz/fuzz.cpp | 76 ------------------------------
 2 files changed, 6 insertions(+), 77 deletions(-)
 delete mode 100644 trusty/gatekeeper/fuzz/fuzz.cpp

diff --git a/trusty/gatekeeper/fuzz/Android.bp b/trusty/gatekeeper/fuzz/Android.bp
index 6ff68b626..d084cb6b2 100644
--- a/trusty/gatekeeper/fuzz/Android.bp
+++ b/trusty/gatekeeper/fuzz/Android.bp
@@ -19,7 +19,12 @@ package {
 cc_fuzz {
     name: "trusty_gatekeeper_fuzzer",
     defaults: ["trusty_fuzzer_defaults"],
-    srcs: ["fuzz.cpp"],
+    srcs: [":trusty_tipc_fuzzer"],
+    cflags: [
+        "-DTRUSTY_APP_PORT=\"com.android.trusty.gatekeeper\"",
+        "-DTRUSTY_APP_UUID=\"38ba0cdc-df0e-11e4-9869-233fb6ae4795\"",
+        "-DTRUSTY_APP_FILENAME=\"gatekeeper.syms.elf\"",
+    ],
 
     // The initial corpus for this fuzzer was derived by dumping messages from
     // the `secure_env` emulator interface for cuttlefish while enrolling a new
diff --git a/trusty/gatekeeper/fuzz/fuzz.cpp b/trusty/gatekeeper/fuzz/fuzz.cpp
deleted file mode 100644
index 7bfd7d1ec..000000000
--- a/trusty/gatekeeper/fuzz/fuzz.cpp
+++ /dev/null
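Review bot: The three `-DTRUSTY_APP_*` defines in the new `cflags:` list are now the only place this module says which TA it drives, yet nothing documents that they must agree with the gatekeeper TA's manifest, and the IPC device path (`/dev/trusty-ipc-dev0` in the deleted fuzz.cpp) is no longer named anywhere, so presumably the shared `trusty_tipc_fuzzer` source supplies its own default — worth confirming rather than assuming. A one-line comment above `cflags:` would save the next reader the archaeology: `// Identity of the TA under test, consumed by the shared TIPC fuzzer: port and UUID must match the gatekeeper manifest; the symbol file is what coverage is attributed to.` The UUID is also now a string where the old file used a `struct uuid` initializer, so a transcription error is only caught, if at all, by whatever parses it at runtime. The enclosing `cc_fuzz` module continues past the end of the hunk.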
@@ -1,76 +0,0 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-using android::trusty::coverage::CoverageRecord;
-using android::trusty::fuzz::ExtraCounters;
-using android::trusty::fuzz::TrustyApp;
-
-#define TIPC_DEV "/dev/trusty-ipc-dev0"
-#define GATEKEEPER_PORT "com.android.trusty.gatekeeper"
-#define GATEKEEPER_MODULE_NAME "gatekeeper.syms.elf"
-
-/* Gatekeeper TA's UUID is 38ba0cdc-df0e-11e4-9869-233fb6ae4795 */
-static struct uuid gatekeeper_uuid = {
-    0x38ba0cdc,
-    0xdf0e,
-    0x11e4,
-    {0x98, 0x69, 0x23, 0x3f, 0xb6, 0xae, 0x47, 0x95},
-};
-
-static CoverageRecord record(TIPC_DEV, &gatekeeper_uuid, GATEKEEPER_MODULE_NAME);
-
-extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
-    auto ret = record.Open();
-    if (!ret.ok()) {
-        std::cerr << ret.error() << std::endl;
-        exit(-1);
-    }
-    return 0;
-}
-
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-    static uint8_t buf[TIPC_MAX_MSG_SIZE];
-
-    ExtraCounters counters(&record);
-    counters.Reset();
-
-    android::trusty::fuzz::TrustyApp ta(TIPC_DEV, GATEKEEPER_PORT);
-    auto ret = ta.Connect();
-    if (!ret.ok()) {
-        android::trusty::fuzz::Abort();
-    }
-
-    /* Send message to test server */
-    ret = ta.Write(data, size);
-    if (!ret.ok()) {
-        return -1;
-    }
-
-    /* Read message from test server */
-    ret = ta.Read(&buf, sizeof(buf));
-    if (!ret.ok()) {
-        return -1;
-    }
-
-    return 0;
-}