trusty: fuzz: dump trusty kernel logs on crash

Adds an Abort() function to the fuzzer utils library that grabs and prints the relevant trusty kernel logs before exiting the fuzzer. Test: /data/fuzz/arm64/trusty_gatekeeper_fuzzer/trusty_gatekeeper_fuzzer Change-Id: I7741c7e5e0ffdc402e3d3dd9a7e5856e2a640dd2
2020-10-30 15:04:38 -07:00 · 2020-10-30 15:04:38 -07:00 · 5e3a3ce011
parent 6c0fb906f6
commit 5e3a3ce011
3 changed files with 49 additions and 2 deletions
--- a/trusty/fuzz/include/trusty/fuzz/utils.h
+++ b/trusty/fuzz/include/trusty/fuzz/utils.h
@ -43,6 +43,8 @@ class TrustyApp {
    android::base::unique_fd ta_fd_;
 };

+void Abort();
+
 }  // namespace fuzz
 }  // namespace trusty
 }  // namespace android
--- a/trusty/fuzz/utils.cpp
+++ b/trusty/fuzz/utils.cpp
@ -23,6 +23,9 @@
 #include <linux/ioctl.h>
 #include <linux/types.h>
 #include <linux/uio.h>
+#include <log/log_read.h>
+#include <time.h>
+#include <iostream>

 using android::base::ErrnoError;
 using android::base::Error;
@ -32,7 +35,42 @@ using android::base::unique_fd;
 #define TIPC_IOC_MAGIC 'r'
 #define TIPC_IOC_CONNECT _IOW(TIPC_IOC_MAGIC, 0x80, char*)

-static const size_t kTimeoutSeconds = 5;
+namespace {
+
+const size_t kTimeoutSeconds = 5;
+const std::string kTrustyLogTag = "trusty-log";
+
+const time_t kInitialTime = time(nullptr);
+
+void PrintTrustyLog() {
+    auto logger_list = android_logger_list_open(LOG_ID_KERNEL, ANDROID_LOG_NONBLOCK, 1000, 0);
+    if (logger_list == nullptr) {
+        std::cerr << "Could not open android kernel log\n";
+        return;
+    }
+
+    while (true) {
+        log_msg log_msg;
+        int rc = android_logger_list_read(logger_list, &log_msg);
+        if (rc < 0) {
+            break;
+        }
+        if (log_msg.entry.sec < kInitialTime) {
+            continue;
+        }
+        char* msg = log_msg.msg();
+        if (msg) {
+            std::string line(msg, log_msg.entry.len);
+            if (line.find(kTrustyLogTag) != std::string::npos) {
+                std::cerr << line.substr(kTrustyLogTag.length() + 2) << std::endl;
+            }
+        }
+    }
+
+    android_logger_list_free(logger_list);
+}
+
+}  // namespace

 namespace android {
 namespace trusty {
@ -104,6 +142,11 @@ Result<int> TrustyApp::GetRawFd() {
    return ta_fd_;
 }

+void Abort() {
+    PrintTrustyLog();
+    exit(-1);
+}
+
 }  // namespace fuzz
 }  // namespace trusty
 }  // namespace android
--- a/trusty/gatekeeper/fuzz/fuzz.cpp
+++ b/trusty/gatekeeper/fuzz/fuzz.cpp
@ -35,7 +35,9 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
     * If we can't connect, then assume TA crashed.
     * TODO: Get some more info, e.g. stacks, to help Haiku dedup crashes.
     */
-    assert(ret.ok());
+    if (!ret.ok()) {
+        android::trusty::fuzz::Abort();
+    }

    /* Send message to test server */
    ret = ta.Write(data, size);