platform_system_core/init/fuzzer
Bob Badour 03d5052754 Add LOCAL_LICENSE_KINDS to system/core
Added SPDX-license-identifier-Apache-2.0 to:
  init/fuzzer/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all
Change-Id: I2db55c80799d0a8fc5935d9b07a2ddb17eb7235e
2022-10-06 19:59:07 +00:00
Android.bp Add LOCAL_LICENSE_KINDS to system/core 2022-10-06 19:59:07 +00:00
init_parser_fuzzer.cpp Added init_parser_fuzzer 2022-08-19 11:48:07 +05:30
init_property_fuzzer.cpp Added init_property_fuzzer 2022-08-19 11:48:19 +05:30
init_ueventHandler_fuzzer.cpp Added init_ueventHandler_fuzzer 2022-08-19 11:48:30 +05:30
README.md Added init_ueventHandler_fuzzer 2022-08-19 11:48:30 +05:30

Fuzzers for libinit

Fuzzer for InitParser

InitParser supports the following parameters:

  1. ValidPathNames (parameter name: "kValidPaths")
  2. ValidParseInputs (parameter name: "kValidInputs")

| Parameter | Valid Values | Configured Value |
|---|---|---|
| kValidPaths | 0. /system/etc/init/hw/init.rc, 1. /system/etc/init | Value obtained from FuzzedDataProvider |
| kValidInputs | 0. {"","cpu", "10", "10"}, 1. {"","RLIM_CPU", "10", "10"}, 2. {"","12", "unlimited", "10"}, 3. {"","13", "-1", "10"}, 4. {"","14", "10", "unlimited"}, 5. {"","15", "10", "-1"} | Value obtained from FuzzedDataProvider |

Steps to run

  1. Build the fuzzer
     $ mm -j$(nproc) init_parser_fuzzer
  2. Run on device
     $ adb sync data
     $ adb shell /data/fuzz/arm64/init_parser_fuzzer/init_parser_fuzzer

Fuzzer for InitProperty

InitProperty supports the following parameters:

  1. PropertyType (parameter name: "PropertyType")

| Parameter | Valid Values | Configured Value |
|---|---|---|
| PropertyType | 0. STRING, 1. BOOL, 2. INT, 3. UINT, 4. DOUBLE, 5. SIZE, 6. ENUM, 7. RANDOM | Value obtained from FuzzedDataProvider |

Steps to run

  1. Build the fuzzer
     $ mm -j$(nproc) init_property_fuzzer
  2. Run on device
     $ adb sync data
     $ adb shell /data/fuzz/arm64/init_property_fuzzer/init_property_fuzzer

Fuzzer for InitUeventHandler

Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzer.

InitUeventHandler supports the following parameters:

  1. Major (parameter name: major)
  2. Minor (parameter name: minor)
  3. PartitionNum (parameter name: partition_num)
  4. Uid (parameter name: uid)
  5. Gid (parameter name: gid)
  6. Action (parameter name: action)
  7. Path (parameter name: path)
  8. Subsystem (parameter name: subsystem)
  9. PartitionName (parameter name: partition_name)
  10. DeviceName (parameter name: device_name)
  11. Modalias (parameter name: modalias)
  12. DevPath (parameter name: devPath)
  13. HandlerPath (parameter name: handlerPath)

| Parameter | Valid Values | Configured Value |
|---|---|---|
| major | UINT32_MIN to UINT32_MAX | Value obtained from FuzzedDataProvider |
| minor | UINT32_MIN to UINT32_MAX | Value obtained from FuzzedDataProvider |
| partition_num | UINT32_MIN to UINT32_MAX | Value obtained from FuzzedDataProvider |
| uid | UINT32_MIN to UINT32_MAX | Value obtained from FuzzedDataProvider |
| gid | UINT32_MIN to UINT32_MAX | Value obtained from FuzzedDataProvider |
| action | String | Value obtained from FuzzedDataProvider |
| path | String | Value obtained from FuzzedDataProvider |
| subsystem | String | Value obtained from FuzzedDataProvider |
| partition_name | String | Value obtained from FuzzedDataProvider |
| device_name | String | Value obtained from FuzzedDataProvider |
| modalias | String | Value obtained from FuzzedDataProvider |
| devPath | String | Value obtained from FuzzedDataProvider |
| handlerPath | String | Value obtained from FuzzedDataProvider |

Because every value is drawn from the input data, the fuzzer is also deterministic for any given input.
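The data-driven selection described above, as an added sketch that is not the project's fuzzer code: every parameter is decoded from the input buffer, so the same bytes always yield the same configuration, and short inputs decode to zeros and empty strings instead of reading out of bounds. `ByteReader`, `UeventParams`, `DecodeParams` and `kSample` are hypothetical names, and `ByteReader` is a simplified stand-in for `FuzzedDataProvider` that does not reproduce its byte layout.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Added illustration. ByteReader is a simplified stand-in for FuzzedDataProvider
// (assumption: the real class lays bytes out differently).
class ByteReader {
  public:
    ByteReader(const uint8_t* data, size_t size) : data_(data), size_(size) {}
    // Little-endian uint32; exhausted input reads as zero instead of failing.
    uint32_t U32() {
        uint32_t v = 0;
        for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(Byte()) << (8 * i);
        return v;
    }
    // Length-prefixed string; the length is clamped to the bytes that remain.
    std::string Str() {
        size_t n = Byte();
        if (n > size_ - pos_) n = size_ - pos_;
        std::string s;
        if (n > 0) s.assign(reinterpret_cast<const char*>(data_ + pos_), n);
        pos_ += n;
        return s;
    }
  private:
    uint8_t Byte() { return pos_ < size_ ? data_[pos_++] : 0; }
    const uint8_t* data_;
    size_t size_, pos_ = 0;
};

// Hypothetical holder for a subset of the parameters listed above.
struct UeventParams {
    uint32_t major, minor;
    std::string action, path;
};

// Constructed sample: major=8, minor=1, action="add", path length 200 (clamped).
const uint8_t kSample[] = {8, 0, 0, 0, 1, 0, 0, 0, 3, 'a', 'd', 'd', 200, '/', 'x'};

UeventParams DecodeParams(const uint8_t* data, size_t size) {
    ByteReader r(data, size);
    // Braced initialisers are evaluated left to right, so fields are read in order.
    return UeventParams{r.U32(), r.U32(), r.Str(), r.Str()};
}

// libFuzzer entry point; a real harness hands the decoded values to the code under test.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    (void)DecodeParams(data, size);
    return 0;
}
```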

Steps to run

  1. Build the fuzzer
     $ mm -j$(nproc) init_ueventHandler_fuzzer
  2. Run on device
     $ adb sync data
     $ adb shell /data/fuzz/arm64/init_ueventHandler_fuzzer/init_ueventHandler_fuzzer