blob: db4a66fa4fee62f8a36089a829726a97885169b0 [file] [log] [blame]
/*
* Copyright 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef FUZZING_ORPHANS_LIBFFI_FUZZ_FFI_H_
#define FUZZING_ORPHANS_LIBFFI_FUZZ_FFI_H_
#include <fuzzer/FuzzedDataProvider.h>
#include <ffi.h>
#include <cstdarg>
#include <vector>
#if defined(__GNUC__)
#define __UNUSED__ __attribute__((__unused__))
#endif
#define MAX_NUM_ARGS 128
#define MAX_NUM_ELEMENTS 16
#define MAX_RESP_SIZE 4096
#define WORDSIZE_BYTES (__WORDSIZE / 8)
// TODO(michael.ensing@leviathansecurity.com):
// Ideally, we should add/remove supported types based on
// arch-specific #defines (listed in ffi_gen.h)
#define NUM_TYPES 21
ffi_type* ffi_types[] = {
&ffi_type_uchar,
&ffi_type_schar,
&ffi_type_ushort,
&ffi_type_sshort,
&ffi_type_uint,
&ffi_type_sint,
&ffi_type_ulong,
&ffi_type_slong,
&ffi_type_void,
&ffi_type_uint8,
&ffi_type_sint8,
&ffi_type_uint16,
&ffi_type_sint16,
&ffi_type_uint32,
&ffi_type_sint32,
&ffi_type_uint64,
&ffi_type_sint64,
&ffi_type_float,
&ffi_type_double,
&ffi_type_pointer,
&ffi_type_longdouble,
// The following types are not available on some architectures
// &ffi_type_complex_float,
// &ffi_type_complex_double,
// &ffi_type_complex_longdouble,
// // nullptrs are used to terminate the array. Handle them manually.
// nullptr
};
// Store vectors of allocated objects
std::vector<ffi_type*> ffi_alloc_vector;
std::vector<void*> raw_alloc_vector;
// Keep a boolean to track if the args have a struct,
// which will trigger an abort on java calls
bool args_contain_struct = false;
// Store the current ABI as a global
ffi_abi abi = FFI_DEFAULT_ABI;
// Define the number of possible ffi_abi values
// NOTE: Only supported architectures are arm/arm64, x86_64
// arm
#if defined(ARM)
#define MAX_ABI 4
// x86_64
#elif defined(X86_64) || (defined(__x86_64__) && defined(X86_DARWIN))
#define MAX_ABI 7
#else
#define MAX_ABI 0 // If we hit this case, do NOT fuzz the abi value.
#endif
// Retrieve the total size (in bytes) of a ffi_type.
// Useful for custom structs
size_t getTotalSize(ffi_type*);
// Retrieve a random type from the ffi_types array
ffi_type* getRandomType(FuzzedDataProvider*, bool);
// Generates a custom struct, in ffi_type format
ffi_type* generateCustomType(FuzzedDataProvider*);
// Copies buffer data into a buffer described by the provided ffi_type
// (may be a struct or have subobjects)
size_t copyArg(ffi_type*, void*, FuzzedDataProvider*);
// Builds out the arrays of ffi_types and arguments to define a function's
// parameters. Returns true on success, false on failure.
bool buildArgArrays(ffi_type*[], void*[], size_t, FuzzedDataProvider*);
// Allocates the necessary space for a new argument buffer for given ffi_type
// After allocation, calls copyArg() to fill buffer with data
void* genArg(ffi_type*, FuzzedDataProvider*);
// Functions to perform our library calls
void runMainFunctions(ffi_cif&, void*, void**, FuzzedDataProvider*);
void runRawFunctions(ffi_cif&, void*, void**, FuzzedDataProvider*);
void runJavaFunctions(ffi_cif&, void*, void**, FuzzedDataProvider*);
// Free any custom struct ffi_type objects
// Safe to call on default types.
void freeFFI(ffi_type*);
// Frees all elements that the fuzzer has allocated
void freeAll();
#endif // FUZZING_ORPHANS_LIBFFI_FUZZ_FFI_H_