This reverts commit 589c8d1e44.
Reason for revert: fuzzer crashes immediately on line 99 as the vector is empty
Change-Id: I5e56a94671a43cd131c250d98f7cfae3c96f34ab

The FuzzerDefs.h APIs are internal to the fuzzer and aren't available
when the fuzzer is built with a custom private libc++, so remove the
ExtraCountersBegin/ExtraCountersEnd assertions and inline the array
clearing.
Bug: 175635923
Bug: 303175229
Bug: 315079422
Test: m libtrusty_fuzz_utils trusty_gatekeeper_fuzzer
Change-Id: I1ca9d9867026ff6f8e494ac6026fb1314caab7d1

tipc_fuzzer writes random data of length 'size' and then
attempts to read back data up to 'TIPC_MAX_MSG_SIZE' in length.
Since 'size' is unrestricted, we can always write more than the
subsequent read, and in effect the fuzzer only checks that we
can read something.
Remove the read buffer's dependency on PAGE_SIZE.
Bug: 294914413
Test: mma
Change-Id: I909b49fda4e6ebf49f69b3c09ac29ff8629215ef
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>

This changes `trusty_tipc_fuzzer` to be more like the existing binder rpc_fuzzer,
which opens and closes multiple connections and sends multiple messages in a single fuzz input.
The max number of connections is controlled by the define `TRUSTY_APP_MAX_CONNECTIONS`,
which defaults to `1`, thus keeping the existing behavior for now.
In the next CL, I'll add more fuzzers with `-DTRUSTY_APP_MAX_CONNECTIONS=10` instead.
Test: Build and run in trusty emulator
Change-Id: I9692e4d0295052a8da2204f63be9e52939e70ac3

We detect a TA crash by not being able to reconnect to its channel. We
were previously connecting to the TA at the beginning of each fuzz
iteration, but this results in only detecting a crash on the following
iteration. By moving this connection to the end of the fuzz iteration,
we can detect a crash corresponding to the correct fuzz iteration and
libFuzzer will produce the correct crashing input.
Test: /data/fuzz/arm64/trusty_keymaster_fuzzer/trusty_keymaster_fuzzer
Bug: 185407818
Change-Id: I6808c72611fcabab5b314218f8b588dd7d944188

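The reconnect-ordering point in the commit above, as an added simulation that is not code from the Trusty fuzz utilities: a constructed fake TA (hypothetical `FakeTa`, `ta_connect`, `ta_send`) that dies on one specific input, driven through both harness orderings so each one reports which iteration it blames for the crash.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Input = std::vector<uint8_t>;

// Constructed stand-in for a TA behind a tipc channel (hypothetical, not
// libtrusty). Once it has crashed, every reconnect fails until it restarts.
struct FakeTa { bool alive = true; bool connected = false; };

// Simulated connect(): the only crash signal the fuzzer has is whether the
// channel can still be opened.
static bool ta_connect(FakeTa& ta) { return ta.connected = ta.alive; }
static void ta_disconnect(FakeTa& ta) { ta.connected = false; }

// Simulated message handler: this constructed TA dies on a leading 0xFF byte.
static void ta_send(FakeTa& ta, const Input& msg) {
    if (ta.connected && !msg.empty() && msg[0] == 0xFF) ta.alive = false;
}

// Old ordering: reconnect at the START of each iteration. The crash caused
// by input i is only noticed when iteration i+1 fails to connect, so the
// iteration blamed (and the input libFuzzer would save) is off by one.
static int connect_at_start(FakeTa& ta, const std::vector<Input>& inputs) {
    for (size_t i = 0; i < inputs.size(); ++i) {
        if (!ta_connect(ta)) return static_cast<int>(i);
        ta_send(ta, inputs[i]);
        ta_disconnect(ta);
    }
    return -1;  // no crash observed
}

// New ordering: connect once up front, then reconnect at the END of each
// iteration, so a failing reconnect is attributed to the input just sent.
static int connect_at_end(FakeTa& ta, const std::vector<Input>& inputs) {
    if (!ta_connect(ta)) return -2;  // TA already dead before fuzzing began
    for (size_t i = 0; i < inputs.size(); ++i) {
        ta_send(ta, inputs[i]);
        ta_disconnect(ta);
        if (!ta_connect(ta)) return static_cast<int>(i);
    }
    return -1;  // no crash observed
}

// Constructed corpus: the third input (index 2) is the crashing one.
static std::vector<Input> sample_inputs() { return {{1, 2}, {3}, {0xFF, 0}, {4}}; }
```

With this corpus the old ordering blames iteration 3 and the new ordering blames iteration 2, the input that actually killed the TA.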
We need to do this to make sure that target TA is connected to coverage
service.
Bug: 171750250
Test: trusty_test_fuzzer
Change-Id: I207b8c674a0c5630dd6baf966d3dfb243a855be0

The non-test fuzz targets should run automatically in Haiku.
None of these should be built for Host, and all but the
trusty_test_fuzzer should be built for Target.
Test: built locally (make haiku) and checked that non-test trusty fuzz
targets are included as expected.
Change-Id: Ic67b1e1ddea8ed61b83deef66acdeb0891489195

The keymaster TA has 30841 distinct coverage counters, so 0x4000 counter
slots is not enough to handle this TA. Increase the maximum number of
coverage counters to 0x8000.
Test: adb shell trusty_keymaster_fuzzer
Bug: 175918322
Change-Id: I879d18538edb4933a4205c8f73b7939ddbf69e37

libtrusty can be depended on by multiple things in a fuzzer's
dependency tree. It's no longer convenient to link to it statically.
Leave tests statically linked. Test infra doesn't seem to handle shared
test libs correctly.
Bug: 171750250
Test: trusty_test_fuzzer libtrusty_coverage_test
Change-Id: Ic7d003151e43fb5bab63354fd42ea9667332743f

Keymaster has more than 4096 counters, so we need to allocate a larger
section for the libfuzzer extra counters. Increases the size of the
extra counters section to 16384.
Bug: 171750250
Test: atest libtrusty_coverage_test
Change-Id: Iaee2c74b6d0c7ae8a2e5a30525759f89f825a091

We want to add coverage statistics to the trusty-ut-ctrl tool, which is
a vendor binary. Thus we need a vendor variant of libtrusty_coverage.
Merges system libtrusty_test and vendor libtrusty into a single
vendor_available library so that we can add vendor_available to
libtrusty_coverage and make it accessible from vendor tools.
Bug: 175221942
Test: make libtrusty_coverage
Change-Id: I68cc8f1c1580bda8591dbe744e9751474811576d

Adds the ability to retrieve and save program counter information from
the trusty coverage record data. PC information is saved to a .sancov
file, parseable by the LLVM sancov tool. Sancov can then symbolize and
display this coverage information for consumption by humans.
Adds a sancov dump to the libtrusty_coverage_test for testing.
Bug: 175221942
Test: atest libtrusty_coverage_test
Test: Retrieve sancov file and manually symbolize with sancov
Change-Id: I342ea2ca9abb87986b2904ff69415544ee6070fc

Simplifies development flow because libtrusty_test.so doesn't need to be
pushed with the fuzzer.
Bug: 171750250
Test: m trusty_gatekeeper_fuzzer && adb sync data && \
adb shell /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer
Change-Id: I7c83b5784ede4881dcd9c2dd33c97bf49fcde6ff

Change-Id: Iba60f03000bfca15b00e484ef3a168604c65554a

Adds an Abort() function to the fuzzer utils library that grabs and
prints the relevant trusty kernel logs before exiting the fuzzer.
Test: /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer
Change-Id: I7741c7e5e0ffdc402e3d3dd9a7e5856e2a640dd2