Enable packing example fuzzer and add dict and corpus am: 2a07a90fa4 am: 0c1f2a7d56 am: bb6241187a
Original change: https://android-review.googlesource.com/c/platform/tools/security/+/1691317
Change-Id: I668045cd2786d8617a0017e594d6c237d93965b9
diff --git a/fuzzing/orphans/widevine/trusty/Android.bp b/fuzzing/orphans/widevine/trusty/Android.bp
new file mode 100644
index 0000000..c1f1165
--- /dev/null
+++ b/fuzzing/orphans/widevine/trusty/Android.bp
@@ -0,0 +1,38 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_fuzz {
+ name: "trusty_widevine_tipc_fuzzer",
+ defaults: ["trusty_fuzzer_defaults"],
+ srcs: [":trusty_tipc_fuzzer"],
+ cflags: [
+ "-DTRUSTY_APP_PORT=\"com.android.trusty.widevine\"",
+ "-DTRUSTY_APP_UUID=\"08d3ed40-bde2-448c-a91d-75f1989c57ef\"",
+ "-DTRUSTY_APP_FILENAME=\"widevine.syms.elf\"",
+ ],
+}
+
+// Fuzzer for ODK_DispatchMessage() that's inside Trusty.
+cc_fuzz {
+ name: "trusty_widevine_dispatch_fuzzer",
+ defaults: ["trusty_fuzzer_defaults"],
+ srcs: ["dispatch_fuzzer.cpp"],
+ shared_libs: [
+ "libdmabufheap",
+ ],
+}
diff --git a/fuzzing/orphans/widevine/trusty/OWNERS b/fuzzing/orphans/widevine/trusty/OWNERS
new file mode 100644
index 0000000..5f8199f
--- /dev/null
+++ b/fuzzing/orphans/widevine/trusty/OWNERS
@@ -0,0 +1 @@
+trong@google.com
diff --git a/fuzzing/orphans/widevine/trusty/dispatch_fuzzer.cpp b/fuzzing/orphans/widevine/trusty/dispatch_fuzzer.cpp
new file mode 100644
index 0000000..072b661
--- /dev/null
+++ b/fuzzing/orphans/widevine/trusty/dispatch_fuzzer.cpp
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <BufferAllocator/BufferAllocator.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <trusty/coverage/coverage.h>
+#include <trusty/fuzz/counters.h>
+#include <trusty/fuzz/utils.h>
+#include <trusty/tipc.h>
+#include <unistd.h>
+#include <iostream>
+
+using android::trusty::coverage::CoverageRecord;
+using android::trusty::fuzz::ExtraCounters;
+using android::trusty::fuzz::TrustyApp;
+
+#define countof(arr) (sizeof(arr) / sizeof(arr[0]))
+
+#define TIPC_DEV "/dev/trusty-ipc-dev0"
+#define WIDEVINE_PORT "com.android.trusty.widevine"
+#define WIDEVINE_MODULE_NAME "widevine.syms.elf"
+
+#define WV_IPC_BUFFER_SIZE (32)
+#define WV_MESSAGE_BUFFER_SIZE (32 * 1024)
+#define WV_SHARED_BUFFER_SIZE (16 * 1024 * 1024)
+
+struct wv_ipc_header {
+ uint16_t tag;
+};
+
+enum wv_tag : uint16_t {
+ WV_TAG_ACK = 0u,
+ WV_TAG_BIND = 1u,
+ WV_TAG_WIDEVINE = 2u,
+};
+
+struct bind_message {
+ uint32_t protocol_version;
+ uint32_t message_buffer_size;
+ uint32_t shared_buffer_size;
+};
+
+struct widevine_message {
+ uint32_t message_size;
+};
+
+/* Widevine TA's UUID is 08d3ed40-bde2-448c-a91d-75f1989c57ef */
+static struct uuid widevine_uuid = {
+ 0x08d3ed40,
+ 0xbde2,
+ 0x448c,
+ {0xa9, 0x1d, 0x75, 0xf1, 0x98, 0x9c, 0x57, 0xef},
+};
+
+static android::base::unique_fd wv_msg_buf_fd;
+static void* wv_msg_buf_base;
+
+static android::base::unique_fd wv_shared_buf_fd;
+static void* wv_shared_buf_base;
+
+static TrustyApp trusty_app(TIPC_DEV, WIDEVINE_PORT);
+static CoverageRecord record(TIPC_DEV, &widevine_uuid, WIDEVINE_MODULE_NAME);
+
+extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
+ auto ret = trusty_app.Connect();
+ if (!ret.ok()) {
+ std::cerr << ret.error() << std::endl;
+ exit(-1);
+ }
+
+ ret = record.Open();
+ if (!ret.ok()) {
+ std::cerr << ret.error() << std::endl;
+ exit(-1);
+ }
+
+ BufferAllocator allocator;
+
+ wv_msg_buf_fd.reset(allocator.Alloc(kDmabufSystemHeapName, WV_MESSAGE_BUFFER_SIZE));
+ if (wv_msg_buf_fd < 0) {
+ std::cerr << "Failed to allocate message buffer." << std::endl;
+ exit(-1);
+ }
+
+ wv_msg_buf_base = mmap(0, WV_MESSAGE_BUFFER_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED,
+ wv_msg_buf_fd, 0);
+ if (wv_msg_buf_base == MAP_FAILED) {
+ std::cerr << "Failed to mmap() message buffer." << std::endl;
+ exit(-1);
+ }
+
+ wv_shared_buf_fd.reset(allocator.Alloc(kDmabufSystemHeapName, WV_SHARED_BUFFER_SIZE));
+ if (wv_shared_buf_fd < 0) {
+ std::cerr << "Failed to allocate shared buffer." << std::endl;
+ exit(-1);
+ }
+
+ wv_shared_buf_base = mmap(0, WV_SHARED_BUFFER_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED,
+ wv_shared_buf_fd, 0);
+ if (wv_shared_buf_base == MAP_FAILED) {
+ std::cerr << "Failed to mmap() shared buffer." << std::endl;
+ exit(-1);
+ }
+
+ return 0;
+}
+
+static bool Bind() {
+ wv_ipc_header hdr = {
+ .tag = WV_TAG_BIND,
+ };
+ bind_message args = {
+ .protocol_version = 0,
+ .message_buffer_size = WV_MESSAGE_BUFFER_SIZE,
+ .shared_buffer_size = WV_SHARED_BUFFER_SIZE,
+ };
+ iovec iov[] = {
+ {
+ .iov_base = &hdr,
+ .iov_len = sizeof(hdr),
+ },
+ {
+ .iov_base = &args,
+ .iov_len = sizeof(args),
+ },
+ };
+ trusty_shm handles[] = {
+ {
+ .fd = wv_msg_buf_fd,
+ .transfer = TRUSTY_SHARE,
+ },
+ {
+ .fd = wv_shared_buf_fd,
+ .transfer = TRUSTY_SHARE,
+ },
+ };
+ int chan = *trusty_app.GetRawFd();
+
+ int rc = tipc_send(chan, iov, countof(iov), handles, countof(handles));
+ if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
+ return false;
+ }
+
+ rc = read(chan, &hdr, sizeof(hdr));
+ if (rc != static_cast<int>(sizeof(hdr))) {
+ return false;
+ }
+
+ return true;
+}
+
+static bool Msg(const uint8_t* data, size_t size) {
+ size = std::min((size_t)WV_MESSAGE_BUFFER_SIZE, size);
+ wv_ipc_header hdr = {
+ .tag = WV_TAG_WIDEVINE,
+ };
+ widevine_message args = {
+ .message_size = static_cast<uint32_t>(size),
+ };
+ iovec iov[] = {
+ {
+ .iov_base = &hdr,
+ .iov_len = sizeof(hdr),
+ },
+ {
+ .iov_base = &args,
+ .iov_len = sizeof(args),
+ },
+ };
+ int chan = *trusty_app.GetRawFd();
+
+ memset(wv_msg_buf_base, 0, WV_MESSAGE_BUFFER_SIZE);
+ memcpy(wv_msg_buf_base, data, size);
+
+ int rc = tipc_send(chan, iov, countof(iov), NULL, 0);
+ if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
+ return false;
+ }
+
+ rc = readv(chan, iov, countof(iov));
+ if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
+ return false;
+ }
+
+ return true;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ ExtraCounters counters(&record);
+ counters.Reset();
+
+ bool success = Bind();
+ if (!success) {
+ android::trusty::fuzz::Abort();
+ }
+
+ success = Msg(data, size);
+ if (!success) {
+ android::trusty::fuzz::Abort();
+ }
+
+ // Reconnect to ensure that the service is still up.
+ trusty_app.Disconnect();
+ auto ret = trusty_app.Connect();
+ if (!ret.ok()) {
+ std::cerr << ret.error() << std::endl;
+ android::trusty::fuzz::Abort();
+ }
+
+ return 0;
+}
diff --git a/fuzzing/system_fuzzers/libwatchdog_perf_service/Android.bp b/fuzzing/system_fuzzers/libwatchdog_perf_service/Android.bp
new file mode 100644
index 0000000..1193d18
--- /dev/null
+++ b/fuzzing/system_fuzzers/libwatchdog_perf_service/Android.bp
@@ -0,0 +1,27 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_fuzz {
+ name : "libwatchdog_perf_service_fuzzer",
+ srcs: [
+ "libwatchdog_perf_service_fuzzer.cpp",
+ ],
+ defaults: [
+ "carwatchdogd_defaults",
+ "libwatchdog_perf_service_defaults",
+ ],
+ cflags: [
+ "-Wall",
+ "-Werror",
+ "-Wextra",
+ "-Wno-unused-parameter"
+ ],
+ static_libs: [
+ "libgtest",
+ "libwatchdog_perf_service",
+ ],
+ shared_libs: [
+ "libbase",
+ ],
+}
diff --git a/fuzzing/system_fuzzers/libwatchdog_perf_service/libwatchdog_perf_service_fuzzer.cpp b/fuzzing/system_fuzzers/libwatchdog_perf_service/libwatchdog_perf_service_fuzzer.cpp
new file mode 100644
index 0000000..4de3b0e
--- /dev/null
+++ b/fuzzing/system_fuzzers/libwatchdog_perf_service/libwatchdog_perf_service_fuzzer.cpp
@@ -0,0 +1,97 @@
+/*
+ * Copyright 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "IoPerfCollection.h"
+#include "UidIoStats.h"
+
+#include <android-base/file.h>
+#include <fuzzer/FuzzedDataProvider.h>
+#include <iostream>
+
+namespace android {
+namespace automotive {
+namespace watchdog {
+
+using ::android::base::WriteStringToFile;
+
+struct statsInfo {
+ std::string instr[13];
+ int len[13];
+};
+
+statsInfo info = {{"cpu", "procs_running", "procs_blocked", "cpu0", "cpu1", "cpu2", "cpu3", "intr",
+ "ctxt", "btime", "process", "procs_sleeping", "softirq"},
+ {10, 1, 1, 10, 10, 10, 10, 31, 1, 1, 1, 1, 11}};
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, std::size_t size) {
+ FuzzedDataProvider fdp(data, size);
+ std::string uidIoStatsSnapshot;
+ std::string procStatsSnapshot;
+
+ // Prepare for UidIOStats data
+ int count = 0;
+ while (fdp.remaining_bytes() > (size / 2)) {
+ uint64_t val = fdp.ConsumeIntegral<uint64_t>();
+ uidIoStatsSnapshot += (((count % 11) == 0 ? "" : " ") + std::to_string(val));
+ if (count > 0 && count % 11 == 10) {
+ uidIoStatsSnapshot += "\n";
+ }
+ count++;
+ }
+
+ // Prepare for ProcStats data
+ while (fdp.remaining_bytes() > 5) {
+ uint32_t choose = fdp.ConsumeIntegralInRange<uint32_t>(0, 3);
+ uint32_t idx = choose;
+ switch (choose) {
+ case 0:
+ case 1:
+ case 2:
+ break;
+ case 3:
+ idx = fdp.ConsumeIntegralInRange<uint32_t>(3, 12);
+ break;
+ default:
+ break;
+ }
+ procStatsSnapshot += info.instr[idx];
+ for (int i = 0; i < info.len[idx]; i++) {
+ uint64_t val = fdp.ConsumeIntegral<uint64_t>();
+ procStatsSnapshot += " " + std::to_string(val);
+ }
+ procStatsSnapshot += "\n";
+ }
+
+ if (uidIoStatsSnapshot.size() > 0 && procStatsSnapshot.size() > 0) {
+ // Test UidIoStats
+ TemporaryFile tf1;
+ WriteStringToFile(uidIoStatsSnapshot, tf1.path);
+ UidIoStats uidIoStats(tf1.path);
+ assert(uidIoStats.enabled() == true);
+ uidIoStats.collect();
+ // Test ProcStats
+ TemporaryFile tf2;
+ WriteStringToFile(procStatsSnapshot, tf2.path);
+ ProcStat procStat(tf2.path);
+ assert(procStat.enabled() == true);
+ procStat.collect();
+ }
+ return 0;
+}
+
+} // namespace watchdog
+} // namespace automotive
+} // namespace android
