iface_fuzzer/ProtoFuzzerMain.cpp - platform/test/vts-testcase/fuzz - Git at Google

 /*
  * Copyright 2016 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include "FuzzerInternal.h"
 #include "ProtoFuzzerMutator.h"

 #include "test/vts/proto/ComponentSpecificationMessage.pb.h"

 #include <signal.h>
 #include <unistd.h>

 #include <cstdlib>
 #include <iostream>
 #include <memory>
 #include <string>
 #include <vector>

 using std::cout;
 using std::endl;
 using std::make_unique;
 using std::string;
 using std::unique_ptr;
 using std::vector;

 // Executed when fuzzer raises SIGABRT signal. This function calls
 // the signal handler from the libfuzzer library.
 extern "C" void sig_handler(int signo) {
   if (signo == SIGABRT) {
     cerr << "SIGABRT noticed, please refer to device logcat for the root cause."
          << endl;
     fuzzer::Fuzzer::StaticCrashSignalCallback();
     exit(1);
   }
 }

 namespace android {
 namespace vts {
 namespace fuzzer {

 #ifdef STATIC_TARGET_FQ_NAME
 // Returns parameters used for static fuzzer executables.
 extern ProtoFuzzerParams ExtractProtoFuzzerStaticParams(int argc, char **argv);
 #endif

 // 64-bit random number generator.
 static unique_ptr<Random> random;
 // Parameters that were passed in to fuzzer.
 static ProtoFuzzerParams params;
 // Used to mutate inputs to hal driver.
 static unique_ptr<ProtoFuzzerMutator> mutator;
 // Used to exercise HIDL HAL's API.
 static unique_ptr<ProtoFuzzerRunner> runner;

 static ProtoFuzzerMutatorConfig mutator_config{
     // Heuristic: values close to 0 are likely to be meaningful scalar input
     // values.
     [](Random &rand) {
       size_t dice_roll = rand(10);
       if (dice_roll < 3) {
         // With probability of 30% return an integer in range [0, 10).
         return rand(10);
       } else if (dice_roll >= 3 && dice_roll < 6) {
         // With probability of 30% return an integer in range [0, 100).
         return rand(100);
       } else if (dice_roll >= 6 && dice_roll < 9) {
         // With probability of 30% return an integer in range [0, 100).
         return rand(1000);
       }
       if (rand(10) == 0) {
         // With probability of 1% return 0xffffffffffffffff.
         return 0xffffffffffffffff;
       }
       // With probability 9% result is uniformly random.
       return rand.Rand();
     },
     // Odds of an enum being treated like a scalar are 1:1000.
     {1, 1000}};

 // Executed when fuzzer process exits. We use this to print out useful
 // information about the state of the fuzzer.
 static void AtExit() {
   // Print currently opened interfaces.
   cerr << "Currently opened interfaces: " << endl;
   for (const auto &iface_desc : runner->GetOpenedIfaces()) {
     cerr << iface_desc.first << endl;
   }
   cerr << endl;
   cerr << runner->GetStats().StatsString();
 }

 extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
 #ifdef STATIC_TARGET_FQ_NAME
   params = ExtractProtoFuzzerStaticParams(*argc, *argv);
 #else
   params = ExtractProtoFuzzerParams(*argc, *argv);
 #endif

   cerr << params.DebugString() << endl;

   random = make_unique<Random>(params.seed_);
   mutator = make_unique<ProtoFuzzerMutator>(
       *random.get(), ExtractPredefinedTypes(params.comp_specs_),
       mutator_config);
   runner = make_unique<ProtoFuzzerRunner>(params.comp_specs_,
                                           params.target_fq_name_.version());

   runner->Init(params.target_fq_name_.name(), params.binder_mode_);
   // Register atexit handler after all static objects' initialization.
   std::atexit(AtExit);
   // Register signal handler for SIGABRT.
   signal(SIGABRT, sig_handler);

   return 0;
 }

 extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size,
                                           size_t max_size, unsigned int seed) {
   ExecSpec exec_spec{};
   // An Execution is randomly generated if:
   // 1. It can't be serialized from the given buffer OR
   // 2. The runner has opened interfaces that have not been touched.
   // Otherwise, the Execution is mutated.
   if (!FromArray(data, size, &exec_spec) || runner->UntouchedIfaces()) {
     exec_spec =
         mutator->RandomGen(runner->GetOpenedIfaces(), params.exec_size_);
   } else {
     mutator->Mutate(runner->GetOpenedIfaces(), &exec_spec);
   }

   if (static_cast<size_t>(exec_spec.ByteSize()) > max_size) {
     cerr << "execution specification message exceeded maximum size." << endl;
     cerr << max_size << endl;
     cerr << static_cast<size_t>(exec_spec.ByteSize()) << endl;
     std::abort();
   }
   return ToArray(data, max_size, &exec_spec);
 }

 extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1,
                                             const uint8_t *data2, size_t size2,
                                             uint8_t *out, size_t max_out_size,
                                             unsigned int seed) {
   ExecSpec exec_spec1{};
   if (!FromArray(data1, size1, &exec_spec1)) {
     cerr << "Message 1 was invalid." << endl;
     exec_spec1 =
         mutator->RandomGen(runner->GetOpenedIfaces(), params.exec_size_);
   }

   ExecSpec exec_spec2{};
   if (!FromArray(data2, size2, &exec_spec2)) {
     cerr << "Message 2 was invalid." << endl;
     exec_spec2 =
         mutator->RandomGen(runner->GetOpenedIfaces(), params.exec_size_);
   }

   ExecSpec exec_spec_out{};
   for (int i = 0; i < static_cast<int>(params.exec_size_); i++) {
     FuncCall temp;
     int dice = rand() % 2;
     if (dice == 0) {
       temp = exec_spec1.function_call(i);
     } else {
       temp = exec_spec2.function_call(i);
     }
     exec_spec_out.add_function_call()->CopyFrom(temp);
   }

   if (static_cast<size_t>(exec_spec_out.ByteSize()) > max_out_size) {
     cerr << "execution specification message exceeded maximum size." << endl;
     cerr << max_out_size << endl;
     cerr << static_cast<size_t>(exec_spec_out.ByteSize()) << endl;
     std::abort();
   }
   return ToArray(out, max_out_size, &exec_spec_out);
 }

 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   ExecSpec exec_spec{};
   if (!FromArray(data, size, &exec_spec)) {
     cerr << "Failed to deserialize an ExecSpec." << endl;
     // Don't generate an ExecSpec here so that libFuzzer knows that the provided
     // buffer doesn't provide any coverage.
     return 0;
   }
   runner->Execute(exec_spec);
   return 0;
 }

 }  // namespace fuzzer
 }  // namespace vts
 }  // namespace android
	/*
	* Copyright 2016 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include "FuzzerInternal.h"
	#include "ProtoFuzzerMutator.h"

	#include "test/vts/proto/ComponentSpecificationMessage.pb.h"

	#include <signal.h>
	#include <unistd.h>

	#include <cstdlib>
	#include <iostream>
	#include <memory>
	#include <string>
	#include <vector>

	using std::cout;
	using std::endl;
	using std::make_unique;
	using std::string;
	using std::unique_ptr;
	using std::vector;

	// Executed when fuzzer raises SIGABRT signal. This function calls
	// the signal handler from the libfuzzer library.
	extern "C" void sig_handler(int signo) {
	if (signo == SIGABRT) {
	cerr << "SIGABRT noticed, please refer to device logcat for the root cause."
	<< endl;
	fuzzer::Fuzzer::StaticCrashSignalCallback();
	exit(1);
	}
	}

	namespace android {
	namespace vts {
	namespace fuzzer {

	#ifdef STATIC_TARGET_FQ_NAME
	// Returns parameters used for static fuzzer executables.
	extern ProtoFuzzerParams ExtractProtoFuzzerStaticParams(int argc, char **argv);
	#endif

	// 64-bit random number generator.
	static unique_ptr<Random> random;
	// Parameters that were passed in to fuzzer.
	static ProtoFuzzerParams params;
	// Used to mutate inputs to hal driver.
	static unique_ptr<ProtoFuzzerMutator> mutator;
	// Used to exercise HIDL HAL's API.
	static unique_ptr<ProtoFuzzerRunner> runner;

	static ProtoFuzzerMutatorConfig mutator_config{
	// Heuristic: values close to 0 are likely to be meaningful scalar input
	// values.
	[](Random &rand) {
	size_t dice_roll = rand(10);
	if (dice_roll < 3) {
	// With probability of 30% return an integer in range [0, 10).
	return rand(10);
	} else if (dice_roll >= 3 && dice_roll < 6) {
	// With probability of 30% return an integer in range [0, 100).
	return rand(100);
	} else if (dice_roll >= 6 && dice_roll < 9) {
	// With probability of 30% return an integer in range [0, 100).
	return rand(1000);
	}
	if (rand(10) == 0) {
	// With probability of 1% return 0xffffffffffffffff.
	return 0xffffffffffffffff;
	}
	// With probability 9% result is uniformly random.
	return rand.Rand();
	},
	// Odds of an enum being treated like a scalar are 1:1000.
	{1, 1000}};

	// Executed when fuzzer process exits. We use this to print out useful
	// information about the state of the fuzzer.
	static void AtExit() {
	// Print currently opened interfaces.
	cerr << "Currently opened interfaces: " << endl;
	for (const auto &iface_desc : runner->GetOpenedIfaces()) {
	cerr << iface_desc.first << endl;
	}
	cerr << endl;
	cerr << runner->GetStats().StatsString();
	}

	extern "C" int LLVMFuzzerInitialize(int argc, char **argv) {
	#ifdef STATIC_TARGET_FQ_NAME
	params = ExtractProtoFuzzerStaticParams(argc, argv);
	#else
	params = ExtractProtoFuzzerParams(argc, argv);
	#endif

	cerr << params.DebugString() << endl;

	random = make_unique<Random>(params.seed_);
	mutator = make_unique<ProtoFuzzerMutator>(
	*random.get(), ExtractPredefinedTypes(params.comp_specs_),
	mutator_config);
	runner = make_unique<ProtoFuzzerRunner>(params.comp_specs_,
	params.target_fq_name_.version());

	runner->Init(params.target_fq_name_.name(), params.binder_mode_);
	// Register atexit handler after all static objects' initialization.
	std::atexit(AtExit);
	// Register signal handler for SIGABRT.
	signal(SIGABRT, sig_handler);

	return 0;
	}

	extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size,
	size_t max_size, unsigned int seed) {
	ExecSpec exec_spec{};
	// An Execution is randomly generated if:
	// 1. It can't be serialized from the given buffer OR
	// 2. The runner has opened interfaces that have not been touched.
	// Otherwise, the Execution is mutated.
	if (!FromArray(data, size, &exec_spec) \|\| runner->UntouchedIfaces()) {
	exec_spec =
	mutator->RandomGen(runner->GetOpenedIfaces(), params.exec_size_);
	} else {
	mutator->Mutate(runner->GetOpenedIfaces(), &exec_spec);
	}

	if (static_cast<size_t>(exec_spec.ByteSize()) > max_size) {
	cerr << "execution specification message exceeded maximum size." << endl;
	cerr << max_size << endl;
	cerr << static_cast<size_t>(exec_spec.ByteSize()) << endl;
	std::abort();
	}
	return ToArray(data, max_size, &exec_spec);
	}

	extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t *data1, size_t size1,
	const uint8_t *data2, size_t size2,
	uint8_t *out, size_t max_out_size,
	unsigned int seed) {
	ExecSpec exec_spec1{};
	if (!FromArray(data1, size1, &exec_spec1)) {
	cerr << "Message 1 was invalid." << endl;
	exec_spec1 =
	mutator->RandomGen(runner->GetOpenedIfaces(), params.exec_size_);
	}

	ExecSpec exec_spec2{};
	if (!FromArray(data2, size2, &exec_spec2)) {
	cerr << "Message 2 was invalid." << endl;
	exec_spec2 =
	mutator->RandomGen(runner->GetOpenedIfaces(), params.exec_size_);
	}

	ExecSpec exec_spec_out{};
	for (int i = 0; i < static_cast<int>(params.exec_size_); i++) {
	FuncCall temp;
	int dice = rand() % 2;
	if (dice == 0) {
	temp = exec_spec1.function_call(i);
	} else {
	temp = exec_spec2.function_call(i);
	}
	exec_spec_out.add_function_call()->CopyFrom(temp);
	}

	if (static_cast<size_t>(exec_spec_out.ByteSize()) > max_out_size) {
	cerr << "execution specification message exceeded maximum size." << endl;
	cerr << max_out_size << endl;
	cerr << static_cast<size_t>(exec_spec_out.ByteSize()) << endl;
	std::abort();
	}
	return ToArray(out, max_out_size, &exec_spec_out);
	}

	extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
	ExecSpec exec_spec{};
	if (!FromArray(data, size, &exec_spec)) {
	cerr << "Failed to deserialize an ExecSpec." << endl;
	// Don't generate an ExecSpec here so that libFuzzer knows that the provided
	// buffer doesn't provide any coverage.
	return 0;
	}
	runner->Execute(exec_spec);
	return 0;
	}

	} // namespace fuzzer
	} // namespace vts
	} // namespace android