trusty: Fuzzer for ConfirmationUI messages

ConfirmationUI messages are a higher-level abstraction than TIPC messages (which is what TIPC fuzzer fuzzes). Bug: 174402999 Test: trusty_confirmationui_msg_fuzzer Change-Id: I1e1e2c7070b87b78d6236993330df65202840ce6
2021-02-22 11:54:52 -08:00 · 2021-02-22 11:54:52 -08:00 · 5ff073e832
parent fcfa3cd9b5
commit 5ff073e832
74 changed files with 187 additions and 0 deletions
--- a/trusty/confirmationui/fuzz/Android.bp
+++ b/trusty/confirmationui/fuzz/Android.bp
@ -27,3 +27,17 @@ cc_fuzz {
    ],

 }
+
+cc_fuzz {
+    name: "trusty_confirmationui_msg_fuzzer",
+    defaults: ["trusty_fuzzer_defaults"],
+    srcs: ["msg_fuzzer.cpp"],
+    include_dirs: ["system/core/trusty/confirmationui/include"],
+    shared_libs: [
+        "libdmabufheap",
+    ],
+
+    // The initial corpus for this fuzzer was derived by dumping messages from/to
+    // HAL to/from TA triggered by VtsHalConfirmationUIV1_0TargetTest.
+    corpus: ["msg_corpus/*"],
+}
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-0AD0Mc
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-0AD0Mc
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-1b1UIl
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-1b1UIl
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-3hmWyl
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-3hmWyl
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7FNOdd
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7FNOdd
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7T30a0
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7T30a0
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-86EumR
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-86EumR
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-89b64b
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-89b64b
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-8UVUCK
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-8UVUCK
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BSmqJ0
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BSmqJ0
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BdUGLb
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BdUGLb
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-D2ENNi
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-D2ENNi
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-EwBsPi
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-EwBsPi
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-HjE2Ko
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-HjE2Ko
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-J5OABY
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-J5OABY
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-LUVKQn
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-LUVKQn
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-MdY9ZS
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-MdY9ZS
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-NZ8yUq
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-NZ8yUq
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OP4Vff
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OP4Vff
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OizTST
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OizTST
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-QTsc3y
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-QTsc3y
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-S055ei
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-S055ei
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-VDguJL
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-VDguJL
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ZjDqjf
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ZjDqjf
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bMNGfb
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bMNGfb
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bm0GEm
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bm0GEm
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-cT2nt8
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-cT2nt8
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-e1NLbb
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-e1NLbb
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-eOCb7t
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-eOCb7t
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-h7Gpzu
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-h7Gpzu
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ikJlIo
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ikJlIo
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-kxugwp
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-kxugwp
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-mY8uM5
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-mY8uM5
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-nuYOin
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-nuYOin
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-obk0rP
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-obk0rP
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-vg2hAB
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-vg2hAB
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ysk3Rj
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ysk3Rj
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-2upXHa
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-2upXHa
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-3n7SWz
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-3n7SWz
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-5SZG4U
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-5SZG4U
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-8uL1hT
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-8uL1hT
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Anu8LZ
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Anu8LZ
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BFP3vG
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BFP3vG
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BjxIpX
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BjxIpX
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-DBzfWz
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-DBzfWz
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GPOMKC
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GPOMKC
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GWcpFn
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GWcpFn
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-HkRYSS
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-HkRYSS
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-LAyw30
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-LAyw30
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-MtGRnC
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-MtGRnC
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-PpfYNn
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-PpfYNn
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-SVKqZi
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-SVKqZi
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Suxofv
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Suxofv
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-UQPTAG
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-UQPTAG
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Up2pbn
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Up2pbn
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZjgVzs
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZjgVzs
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZuQuBC
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZuQuBC
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-bWlzZp
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-bWlzZp
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-dPozfE
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-dPozfE
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-e952U6
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-e952U6
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-f7ly1r
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-f7ly1r
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-hme7P0
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-hme7P0
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-k7J5LL
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-k7J5LL
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-rUtYXs
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-rUtYXs
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-sq5ang
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-sq5ang
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-uOtedb
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-uOtedb
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vGoOUt
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vGoOUt
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vqAG14
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vqAG14
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xKDdTw
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xKDdTw
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xT4sJC
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xT4sJC
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypshr5
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypshr5
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypzCDH
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypzCDH
--- a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-zZNPRC
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-zZNPRC
--- a/trusty/confirmationui/fuzz/msg_fuzzer.cpp
+++ b/trusty/confirmationui/fuzz/msg_fuzzer.cpp
@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <BufferAllocator/BufferAllocator.h>
+#include <TrustyIpc.h>
+#include <iostream>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <time.h>
+#include <trusty/coverage/coverage.h>
+#include <trusty/fuzz/counters.h>
+#include <trusty/fuzz/utils.h>
+#include <trusty/tipc.h>
+#include <unistd.h>
+
+using android::trusty::coverage::CoverageRecord;
+using android::trusty::fuzz::ExtraCounters;
+using android::trusty::fuzz::TrustyApp;
+
+#define countof(arr) (sizeof(arr) / sizeof(arr[0]))
+
+#define TIPC_DEV "/dev/trusty-ipc-dev0"
+#define CONFIRMATIONUI_PORT "com.android.trusty.confirmationui"
+#define CONFIRMATIONUI_MODULE_NAME "confirmationui.syms.elf"
+
+/* A request to render to screen may take a while. */
+const size_t kTimeoutSeconds = 30;
+
+/* ConfirmationUI TA's UUID is 7dee2364-c036-425b-b086-df0f6c233c1b */
+static struct uuid confirmationui_uuid = {
+    0x7dee2364,
+    0xc036,
+    0x425b,
+    {0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b},
+};
+
+static CoverageRecord record(TIPC_DEV, &confirmationui_uuid, CONFIRMATIONUI_MODULE_NAME);
+
+static android::base::unique_fd dma_buf;
+static void* shm_base;
+
+extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
+    auto ret = record.Open();
+    if (!ret.ok()) {
+        std::cerr << ret.error() << std::endl;
+        exit(-1);
+    }
+
+    BufferAllocator allocator;
+    dma_buf.reset(allocator.Alloc(kDmabufSystemHeapName, CONFIRMATIONUI_MAX_MSG_SIZE));
+    if (dma_buf < 0) {
+        std::cerr << "Failed to allocate dma_buf" << std::endl;
+        exit(-1);
+    }
+
+    shm_base = mmap(0, CONFIRMATIONUI_MAX_MSG_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0);
+    if (shm_base == MAP_FAILED) {
+        std::cerr << "Failed to mmap() dma_buf" << std::endl;
+        exit(-1);
+    }
+
+    return 0;
+}
+
+static bool Init(int chan, int dma_buf) {
+    confirmationui_hdr hdr = {
+        .cmd = CONFIRMATIONUI_CMD_INIT,
+    };
+    confirmationui_init_req args = {
+        .shm_len = CONFIRMATIONUI_MAX_MSG_SIZE,
+    };
+    iovec iov[] = {
+        {
+            .iov_base = &hdr,
+            .iov_len = sizeof(hdr),
+        },
+        {
+            .iov_base = &args,
+            .iov_len = sizeof(args),
+        },
+    };
+    trusty_shm shm = {
+        .fd = dma_buf,
+        .transfer = TRUSTY_SHARE,
+    };
+
+    int rc = tipc_send(chan, iov, countof(iov), &shm, 1);
+    if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
+        return false;
+    }
+
+    rc = read(chan, &hdr, sizeof(hdr));
+    if (rc != static_cast<int>(sizeof(hdr))) {
+        return false;
+    }
+
+    return true;
+}
+
+static bool Msg(int chan, const uint8_t* data, size_t size) {
+    confirmationui_hdr hdr = {
+        .cmd = CONFIRMATIONUI_CMD_MSG,
+    };
+    confirmationui_msg_args args = {
+        .msg_len = static_cast<uint32_t>(size),
+    };
+    iovec iov[] = {
+        {
+            .iov_base = &hdr,
+            .iov_len = sizeof(hdr),
+        },
+        {
+            .iov_base = &args,
+            .iov_len = sizeof(args),
+        },
+    };
+
+    memset(shm_base, 0, CONFIRMATIONUI_MAX_MSG_SIZE);
+    memcpy(shm_base, data, size);
+
+    int rc = tipc_send(chan, iov, countof(iov), NULL, 0);
+    if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
+        return false;
+    }
+
+    rc = readv(chan, iov, countof(iov));
+    if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
+        return false;
+    }
+
+    return true;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+    ExtraCounters counters(&record);
+    counters.Reset();
+
+    TrustyApp ta(TIPC_DEV, CONFIRMATIONUI_PORT);
+    auto ret = ta.Connect();
+    if (!ret.ok()) {
+        android::trusty::fuzz::Abort();
+    }
+    int chan = *ta.GetRawFd();
+
+    alarm(kTimeoutSeconds);
+    bool success = Init(chan, dma_buf);
+    alarm(0);
+    if (!success) {
+        android::trusty::fuzz::Abort();
+    }
+
+    alarm(kTimeoutSeconds);
+    success = Msg(chan, data, size);
+    alarm(0);
+    if (!success) {
+        android::trusty::fuzz::Abort();
+    }
+
+    return 0;
+}