fuzz: don't abort on deserialization errors
libFuzzer doesn't provide any guarantees on what's in the provided
buffers. In case the buffer(s) can't be deserialized into an ExecSpec,
generate a fresh random one.
Bug: 143375436
Test: m [email protected] && adb sync data &&
adb shell "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/data/fuzz/arm64/lib \
/data/fuzz/arm64/[email protected]/[email protected] \
-max_len=65536 -max_total_time=1 > /dev/null"
Change-Id: Idc7d1712384b922892a98e825c126291afd0d745
diff --git a/iface_fuzzer/ProtoFuzzerMain.cpp b/iface_fuzzer/ProtoFuzzerMain.cpp
index 597eecb..da09fc2 100644
--- a/iface_fuzzer/ProtoFuzzerMain.cpp
+++ b/iface_fuzzer/ProtoFuzzerMain.cpp
@@ -154,26 +154,17 @@
uint8_t *out, size_t max_out_size,
unsigned int seed) {
ExecSpec exec_spec1{};
- FromArray(data1, size1, &exec_spec1);
- int function_call_size1 = exec_spec1.function_call_size();
+ if (!FromArray(data1, size1, &exec_spec1)) {
+ cerr << "Message 1 was invalid." << endl;
+ exec_spec1 =
+ mutator->RandomGen(runner->GetOpenedIfaces(), params.exec_size_);
+ }
ExecSpec exec_spec2{};
- FromArray(data2, size2, &exec_spec2);
- int function_call_size2 = exec_spec2.function_call_size();
-
- if (function_call_size1 != static_cast<int>(params.exec_size_)) {
- if (function_call_size2 != static_cast<int>(params.exec_size_)) {
- cerr << "Both messages were invalid, aborting." << endl;
- std::abort();
- } else {
- cerr << "Message 1 was invalid, copying message 2." << endl;
- memcpy(out, data2, size2);
- return size2;
- }
- } else if (function_call_size2 != static_cast<int>(params.exec_size_)) {
- cerr << "Message 2 was invalid, copying message 1." << endl;
- memcpy(out, data1, size1);
- return size1;
+ if (!FromArray(data2, size2, &exec_spec2)) {
+ cerr << "Message 2 was invalid." << endl;
+ exec_spec2 =
+ mutator->RandomGen(runner->GetOpenedIfaces(), params.exec_size_);
}
ExecSpec exec_spec_out{};
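Review bot: The new code only checks that `FromArray` succeeds, so a message that parses but whose `function_call_size()` differs from `params.exec_size_` is now handed to the crossover unchanged, whereas the removed lines treated it as invalid; if the code that fills `exec_spec_out` (outside the hunk) assumes both inputs carry exactly `params.exec_size_` calls, that assumption is no longer enforced. Folding the old size check into the new condition keeps the fallback while preserving that invariant, e.g. `if (!FromArray(data1, size1, &exec_spec1) || exec_spec1.function_call_size() != static_cast<int>(params.exec_size_)) {`, and the same for `exec_spec2`. Since this path runs on every crossover call, `cerr << ... << endl` flushes stderr each time; `'\n'` would be cheaper if the message is kept. The enclosing function starts and ends outside the hunk.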
@@ -201,6 +192,8 @@
ExecSpec exec_spec{};
if (!FromArray(data, size, &exec_spec)) {
cerr << "Failed to deserialize an ExecSpec." << endl;
+ // Don't generate an ExecSpec here so that libFuzzer knows that the provided
+ // buffer doesn't provide any coverage.
return 0;
}
runner->Execute(exec_spec);