Add fuzzer for the mainline supplicant service.
Bug: 365585450
Test: m mainline_supplicant_service_fuzzer \
&& adb sync data \
&& adb shell /data/fuzz/arm64/\
mainline_supplicant_service_fuzzer/\
mainline_supplicant_service_fuzzer
Change-Id: Ibb257c0a83c033804fd1c727019beb45592ea7fb
diff --git a/wpa_supplicant/Android.bp b/wpa_supplicant/Android.bp
index 210325b..8160071 100644
--- a/wpa_supplicant/Android.bp
+++ b/wpa_supplicant/Android.bp
@@ -1422,6 +1422,45 @@
],
}
+cc_fuzz {
+ name: "mainline_supplicant_service_fuzzer",
+ team: "trendy_team_fwk_wifi_hal",
+ srcs: [
+ "aidl/mainline/fuzzers/mainline_supplicant_service_fuzzer.cpp",
+ ],
+ defaults: [
+ "fuzzer_disable_leaks",
+ "service_fuzzer_defaults",
+ "wpa_supplicant_includes_default",
+ "wpa_supplicant_mainline_cflags_default",
+ "wpa_supplicant_srcs_default",
+ ],
+ shared_libs: [
+ "android.system.wifi.mainline_supplicant-ndk",
+ "libbase",
+ "libbinder_ndk",
+ "libc",
+ "libcrypto",
+ "libcutils_sockets",
+ "liblog",
+ "libnl",
+ "libssl",
+ ],
+ static_libs: [
+ "mainline_supplicant_aidl_bp",
+ ],
+ cflags: [
+ "-DSUPPLICANT_SERVICE_FUZZER",
+ ],
+ fuzz_config: {
+ triage_assignee: "android-wifi-team@google.com",
+ },
+ proto: {
+ type: "lite",
+ static: true,
+ },
+}
+
//## Aidl service library ###
//#######################
cc_library_static {
diff --git a/wpa_supplicant/aidl/mainline/fuzzers/mainline_supplicant_service_fuzzer.cpp b/wpa_supplicant/aidl/mainline/fuzzers/mainline_supplicant_service_fuzzer.cpp
new file mode 100644
index 0000000..23b16ad
--- /dev/null
+++ b/wpa_supplicant/aidl/mainline/fuzzers/mainline_supplicant_service_fuzzer.cpp
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2024 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <android/binder_interface_utils.h>
+#include <fuzzbinder/libbinder_ndk_driver.h>
+
+#include "aidl/mainline/mainline_supplicant.h"
+
+extern "C"
+{
+#include "utils/common.h"
+#include "utils/includes.h"
+#include "utils/wpa_debug.h"
+#include "wpa_supplicant_i.h"
+}
+
+using namespace android;
+using ndk::SharedRefBase;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ struct wpa_params params;
+ os_memset(¶ms, 0, sizeof(params));
+ params.wpa_debug_level = MSG_INFO;
+
+ struct wpa_global *global = wpa_supplicant_init(¶ms);
+ if (global == NULL) {
+ return 1;
+ }
+
+ std::shared_ptr<MainlineSupplicant> service = SharedRefBase::make<MainlineSupplicant>(global);
+ fuzzService(service->asBinder().get(), FuzzedDataProvider(data, size));
+ return 0;
+}
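Review bot: Every call to `LLVMFuzzerTestOneInput` runs `wpa_supplicant_init()` and never releases the returned `wpa_global`. The target also pulls in the `fuzzer_disable_leaks` default in Android.bp, which by its name turns leak reporting off, so this goes unnoticed. Over a long run memory grows with the number of inputs, and out-of-memory stops that do not depend on any single input can crowd out real findings. Release the service first and then call `wpa_supplicant_deinit(global)`, provided nothing else keeps a reference to the service after `fuzzService` returns (not visible in this hunk). The failure branch should also not `return 1`: libFuzzer reserves return values other than 0 and -1, and aborting makes a broken harness visible instead of letting it silently fuzz nothing.

```cpp
    // … unchanged: params setup and wpa_supplicant_init() call …
    if (global == NULL) {
        abort();  // a harness that cannot initialise should fail loudly
    }

    {
        // Scope the service so it is released before the state it wraps is torn down.
        std::shared_ptr<MainlineSupplicant> service = SharedRefBase::make<MainlineSupplicant>(global);
        fuzzService(service->asBinder().get(), FuzzedDataProvider(data, size));
    }
    wpa_supplicant_deinit(global);
    return 0;
```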
diff --git a/wpa_supplicant/main.c b/wpa_supplicant/main.c
index 9229eb5..517c6bc 100644
--- a/wpa_supplicant/main.c
+++ b/wpa_supplicant/main.c
@@ -178,7 +178,9 @@
}
#endif /* CONFIG_MATCH_IFACE */
-
+// Temporarily allow the fuzzer library to redefine main()
+// TODO: Remove this flag once mainline supplicant does not include this file
+#ifndef SUPPLICANT_SERVICE_FUZZER
int main(int argc, char *argv[])
{
int c, i;
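Review bot: The two added comment lines use `//` where the visible surrounding code uses block comments (`#endif /* CONFIG_MATCH_IFACE */` just above), and the TODO names nothing to track the removal of this guard. Suggest one block comment that carries a tracking reference, for example the bug already cited in the commit message: `/* TODO(b/365585450): drop SUPPLICANT_SERVICE_FUZZER once the mainline supplicant fuzzer no longer compiles main.c. */`. It would also help to say in that comment that the macro is set only by the `cc_fuzz` target's cflags, so nobody defines it in a production build and ships a binary without `main()`. The body of `main()` continues outside this hunk; the matching `#endif` is in the next hunk of this file.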
@@ -409,3 +411,4 @@
return exitcode;
}
+#endif /* SUPPLICANT_SERVICE_FUZZER */