blob: aa0caca81c1c08fd39b0d365163c99900eb06de6 [file] [log] [blame]
/*
* Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <BufferAllocator/BufferAllocator.h>
#include <android-base/unique_fd.h>
#include <apploader_ipc.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <trusty/coverage/coverage.h>
#include <trusty/fuzz/counters.h>
#include <trusty/fuzz/utils.h>
#include <trusty/tipc.h>
#include <unistd.h>
#include <iostream>
using android::base::unique_fd;
using android::trusty::coverage::CoverageRecord;
using android::trusty::fuzz::ExtraCounters;
using android::trusty::fuzz::TrustyApp;
#define TIPC_DEV "/dev/trusty-ipc-dev0"
#define APPLOADER_PORT "com.android.trusty.apploader"
#define APPLOADER_MODULE_NAME "apploader.syms.elf"
/* Apploader TA's UUID is 081ba88f-f1ee-452e-b5e8-a7e9ef173a97 */
static struct uuid apploader_uuid = {
0x081ba88f,
0xf1ee,
0x452e,
{0xb5, 0xe8, 0xa7, 0xe9, 0xef, 0x17, 0x3a, 0x97},
};
static inline uintptr_t RoundPageUp(uintptr_t val) {
return (val + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
}
static bool SendLoadMsg(int chan, int dma_buf, size_t dma_buf_size) {
apploader_header hdr = {
.cmd = APPLOADER_CMD_LOAD_APPLICATION,
};
apploader_load_app_req req = {
.package_size = static_cast<uint64_t>(dma_buf_size),
};
iovec iov[] = {
{
.iov_base = &hdr,
.iov_len = sizeof(hdr),
},
{
.iov_base = &req,
.iov_len = sizeof(req),
},
};
trusty_shm shm = {
.fd = dma_buf,
.transfer = TRUSTY_SHARE,
};
int rc = tipc_send(chan, iov, 2, &shm, 1);
if (rc != static_cast<int>(sizeof(hdr) + sizeof(req))) {
std::cerr << "Failed to send request" << std::endl;
return false;
}
apploader_resp resp;
rc = read(chan, &resp, sizeof(resp));
if (rc != static_cast<int>(sizeof(resp))) {
std::cerr << "Failed to receive response" << std::endl;
return false;
}
return true;
}
static CoverageRecord record(TIPC_DEV, &apploader_uuid, APPLOADER_MODULE_NAME);
extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
auto ret = record.Open();
if (!ret.ok()) {
std::cerr << ret.error() << std::endl;
exit(-1);
}
return 0;
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
ExtraCounters counters(&record);
counters.Reset();
android::trusty::fuzz::TrustyApp ta(TIPC_DEV, APPLOADER_PORT);
auto ret = ta.Connect();
if (!ret.ok()) {
std::cerr << ret.error() << std::endl;
android::trusty::fuzz::Abort();
}
uint64_t shm_len = size ? RoundPageUp(size) : PAGE_SIZE;
BufferAllocator alloc;
unique_fd dma_buf(alloc.Alloc(kDmabufSystemHeapName, shm_len));
if (dma_buf < 0) {
std::cerr << "Failed to create dmabuf of size: " << shm_len << std::endl;
android::trusty::fuzz::Abort();
}
void* shm_base = mmap(0, shm_len, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0);
if (shm_base == MAP_FAILED) {
std::cerr << "Failed to mmap() dmabuf" << std::endl;
android::trusty::fuzz::Abort();
}
memcpy(shm_base, data, size);
bool success = SendLoadMsg(*ta.GetRawFd(), dma_buf, shm_len);
if (!success) {
std::cerr << "Failed to send load message" << std::endl;
android::trusty::fuzz::Abort();
}
munmap(shm_base, shm_len);
return 0;
}