Google Git
Sign in
android / platform / system / core / HEAD / . / init / fuzzer
tree: 0427698c69a20c9df3bc5e6e2c4621519e20d3a8 [path history] [tgz]
  1. Android.bp
  2. init_parser_fuzzer.cpp
  3. init_property_fuzzer.cpp
  4. init_ueventHandler_fuzzer.cpp
  5. README.md
init/fuzzer/README.md

Fuzzers for libinit

Table of contents

Fuzzer for InitParser

InitParser supports the following parameters:

  1. ValidPathNames (parameter name: “kValidPaths”)
  2. ValidParseInputs (parameter name: “kValidInputs”)
ParameterValid ValuesConfigured Value
kValidPaths0./system/etc/init/hw/init.rc,
1./system/etc/init		Value obtained from FuzzedDataProvider
kValidInputs0.{"","cpu", "10", "10"},
1.{"","RLIM_CPU", "10", "10"},
2.{"","12", "unlimited", "10"},
3.{"","13", "-1", "10"},
4.{"","14", "10", "unlimited"},
5.{"","15", "10", "-1"}		Value obtained from FuzzedDataProvider

Steps to run

  1. Build the fuzzer
  $ mm -j$(nproc) init_parser_fuzzer
  1. Run on device
  $ adb sync data
  $ adb shell /data/fuzz/arm64/init_parser_fuzzer/init_parser_fuzzer

Fuzzer for InitProperty

InitProperty supports the following parameters: PropertyType (parameter name: “PropertyType”)

ParameterValid ValuesConfigured Value
PropertyType0.STRING,
1.BOOL,
2.INT,
3.UINT,
4.DOUBLE,
5.SIZE,
6.ENUM,
7.RANDOM		Value obtained from FuzzedDataProvider

Steps to run

  1. Build the fuzzer
  $ mm -j$(nproc) init_property_fuzzer
  1. Run on device
  $ adb sync data
  $ adb shell /data/fuzz/arm64/init_property_fuzzer/init_property_fuzzer

Fuzzer for InitUeventHandler

Maximize code coverage

The configuration parameters are not hardcoded, but instead selected based on incoming data. This ensures more code paths are reached by the fuzzer.

InitUeventHandler supports the following parameters:

  1. Major (parameter name: major)
  2. Minor (parameter name: minor)
  3. PartitionNum (parameter name: partition_num)
  4. Uid (parameter name: uid)
  5. Gid (parameter name: gid)
  6. Action (parameter name: action)
  7. Path (parameter name: path)
  8. Subsystem (parameter name: subsystem)
  9. PartitionName (parameter name: partition_name)
  10. DeviceName (parameter name: device_name)
  11. Modalias (parameter name: modalias)
  12. DevPath (parameter name: devPath)
  13. HandlerPath (parameter name: handlerPath)
ParameterValid ValuesConfigured Value
majorUINT32_MIN to UINT32_MAXValue obtained from FuzzedDataProvider
minorUINT32_MIN to UINT32_MAXValue obtained from FuzzedDataProvider
partition_num UINT32_MIN to UINT32_MAXValue obtained from FuzzedDataProvider
uidUINT32_MIN to UINT32_MAXValue obtained from FuzzedDataProvider
gidUINT32_MIN to UINT32_MAXValue obtained from FuzzedDataProvider
actionStringValue obtained from FuzzedDataProvider
pathStringValue obtained from FuzzedDataProvider
subsystemStringValue obtained from FuzzedDataProvider
partition_nameStringValue obtained from FuzzedDataProvider
device_nameStringValue obtained from FuzzedDataProvider
modaliasStringValue obtained from FuzzedDataProvider
devPathStringValue obtained from FuzzedDataProvider
handlerPathStringValue obtained from FuzzedDataProvider

This also ensures that the plugin is always deterministic for any given input.

Steps to run

  1. Build the fuzzer
$ mm -j$(nproc) init_ueventHandler_fuzzer
  1. Run on device
$ adb sync data
$ adb shell /data/fuzz/arm64/init_ueventHandler_fuzzer/init_ueventHandler_fuzzer