1 /*
2  * Copyright (C) 2021 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <BufferAllocator/BufferAllocator.h>
18 #include <android-base/unique_fd.h>
19 #include <apploader_ipc.h>
20 #include <stdlib.h>
21 #include <sys/mman.h>
22 #include <trusty/coverage/coverage.h>
23 #include <trusty/fuzz/counters.h>
24 #include <trusty/fuzz/utils.h>
25 #include <trusty/tipc.h>
26 #include <unistd.h>
27 #include <iostream>
28 
29 using android::base::unique_fd;
30 using android::trusty::coverage::CoverageRecord;
31 using android::trusty::fuzz::ExtraCounters;
32 using android::trusty::fuzz::TrustyApp;
33 
34 #define TIPC_DEV "/dev/trusty-ipc-dev0"
35 #define APPLOADER_PORT "com.android.trusty.apploader"
36 #define APPLOADER_MODULE_NAME "apploader.syms.elf"
37 
38 /* Apploader TA's UUID is 081ba88f-f1ee-452e-b5e8-a7e9ef173a97 */
39 static struct uuid apploader_uuid = {
40         0x081ba88f,
41         0xf1ee,
42         0x452e,
43         {0xb5, 0xe8, 0xa7, 0xe9, 0xef, 0x17, 0x3a, 0x97},
44 };
45 
RoundPageUp(uintptr_t val)46 static inline uintptr_t RoundPageUp(uintptr_t val) {
47     return (val + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
48 }
49 
SendLoadMsg(int chan,int dma_buf,size_t dma_buf_size)50 static bool SendLoadMsg(int chan, int dma_buf, size_t dma_buf_size) {
51     apploader_header hdr = {
52             .cmd = APPLOADER_CMD_LOAD_APPLICATION,
53     };
54     apploader_load_app_req req = {
55             .package_size = static_cast<uint64_t>(dma_buf_size),
56     };
57     iovec iov[] = {
58             {
59                     .iov_base = &hdr,
60                     .iov_len = sizeof(hdr),
61             },
62             {
63                     .iov_base = &req,
64                     .iov_len = sizeof(req),
65             },
66     };
67     trusty_shm shm = {
68             .fd = dma_buf,
69             .transfer = TRUSTY_SHARE,
70     };
71 
72     int rc = tipc_send(chan, iov, 2, &shm, 1);
73     if (rc != static_cast<int>(sizeof(hdr) + sizeof(req))) {
74         std::cerr << "Failed to send request" << std::endl;
75         return false;
76     }
77 
78     apploader_resp resp;
79     rc = read(chan, &resp, sizeof(resp));
80     if (rc != static_cast<int>(sizeof(resp))) {
81         std::cerr << "Failed to receive response" << std::endl;
82         return false;
83     }
84 
85     return true;
86 }
87 
88 static CoverageRecord record(TIPC_DEV, &apploader_uuid, APPLOADER_MODULE_NAME);
89 
LLVMFuzzerInitialize(int *,char ***)90 extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
91     auto ret = record.Open();
92     if (!ret.ok()) {
93         std::cerr << ret.error() << std::endl;
94         exit(-1);
95     }
96     return 0;
97 }
98 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)99 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
100     ExtraCounters counters(&record);
101     counters.Reset();
102 
103     android::trusty::fuzz::TrustyApp ta(TIPC_DEV, APPLOADER_PORT);
104     auto ret = ta.Connect();
105     if (!ret.ok()) {
106         std::cerr << ret.error() << std::endl;
107         android::trusty::fuzz::Abort();
108     }
109 
110     uint64_t shm_len = size ? RoundPageUp(size) : PAGE_SIZE;
111     BufferAllocator alloc;
112     unique_fd dma_buf(alloc.Alloc(kDmabufSystemHeapName, shm_len));
113     if (dma_buf < 0) {
114         std::cerr << "Failed to create dmabuf of size: " << shm_len << std::endl;
115         android::trusty::fuzz::Abort();
116     }
117 
118     void* shm_base = mmap(0, shm_len, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0);
119     if (shm_base == MAP_FAILED) {
120         std::cerr << "Failed to mmap() dmabuf" << std::endl;
121         android::trusty::fuzz::Abort();
122     }
123 
124     memcpy(shm_base, data, size);
125 
126     bool success = SendLoadMsg(*ta.GetRawFd(), dma_buf, shm_len);
127     if (!success) {
128         std::cerr << "Failed to send load message" << std::endl;
129         android::trusty::fuzz::Abort();
130     }
131 
132     munmap(shm_base, shm_len);
133     return 0;
134 }
135