commit 0d4a47b0c70dce693f3b25c56a5da9cf75cef5a7
author Yifan Hong <elsk@google.com> Thu Apr 30 17:56:48 2020 -0700
committer Yifan Hong <elsk@google.com> Thu Apr 30 23:06:42 2020 -0700
tree 7d47d270a63b13be429cbc093b045f9082996d14
parent db0e62b87ad391fcacfdf13136326b8512bf36b8

libsnapshot_fuzzer: Fuzz MapUpdateSnapshot.

Test: run it
Bug: 154633114
Change-Id: I15ea0fb28df5b0f6d32096aab808549c3855c289

fs_mgr/libsnapshot/android/snapshot/snapshot_fuzz.proto

diff --git a/fs_mgr/libsnapshot/android/snapshot/snapshot_fuzz.proto b/fs_mgr/libsnapshot/android/snapshot/snapshot_fuzz.proto
index 77b2245..91fbb60 100644
--- a/fs_mgr/libsnapshot/android/snapshot/snapshot_fuzz.proto
+++ b/fs_mgr/libsnapshot/android/snapshot/snapshot_fuzz.proto
@@ -33,6 +33,19 @@
     bool is_local_image_manager = 1;
 }
 
+// A simplified version of CreateLogicalPartitionParams for fuzzing.
+// Next: 9
+message CreateLogicalPartitionParamsProto {
+    bool use_correct_super = 1;
+    string block_device = 2;
+    bool has_metadata_slot = 3;
+    uint32 metadata_slot = 4;
+    string partition_name = 5;
+    bool force_writable = 6;
+    int64 timeout_millis = 7;
+    string device_name = 8;
+}
+
 // Mimics the API of ISnapshotManager. Defines one action on the snapshot
 // manager.
 // Next: 18
@@ -51,8 +64,6 @@
         bool has_metadata_device_object = 1;
         bool metadata_mounted = 2;
     }
-    reserved 8;
-    reserved "map_update_snapshot";
     oneof value {
         NoArgs begin_update = 1;
         NoArgs cancel_update = 2;
@@ -61,6 +72,7 @@
         ProcessUpdateStateArgs process_update_state = 5;
         bool get_update_state = 6;
         chromeos_update_engine.DeltaArchiveManifest create_update_snapshots = 7;
+        CreateLogicalPartitionParamsProto map_update_snapshot = 8;
         string unmap_update_snapshot = 9;
         NoArgs need_snapshots_in_first_stage_mount = 10;
         CreateLogicalAndSnapshotPartitionsArgs create_logical_and_snapshot_partitions = 11;

fs_mgr/libsnapshot/include/libsnapshot/snapshot.h

diff --git a/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h b/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h
index 8081866..4658fb4 100644
--- a/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h
+++ b/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h
@@ -173,6 +173,7 @@
 
     // Map a snapshotted partition for OTA clients to write to. Write-protected regions are
     // determined previously in CreateSnapshots.
+    // |snapshot_path| must not be nullptr.
     virtual bool MapUpdateSnapshot(const android::fs_mgr::CreateLogicalPartitionParams& params,
                                    std::string* snapshot_path) = 0;
 

fs_mgr/libsnapshot/snapshot_fuzz.cpp

diff --git a/fs_mgr/libsnapshot/snapshot_fuzz.cpp b/fs_mgr/libsnapshot/snapshot_fuzz.cpp
index ece1c06..7b57e79 100644
--- a/fs_mgr/libsnapshot/snapshot_fuzz.cpp
+++ b/fs_mgr/libsnapshot/snapshot_fuzz.cpp
@@ -32,6 +32,7 @@
 using android::base::SetLogger;
 using android::base::StderrLogger;
 using android::base::StdioLogger;
+using android::fs_mgr::CreateLogicalPartitionParams;
 using android::fuzz::CheckedCast;
 using android::snapshot::SnapshotFuzzData;
 using android::snapshot::SnapshotFuzzEnv;
@@ -132,6 +133,26 @@
     (void)snapshot->RecoveryCreateSnapshotDevices(device);
 }
 
+SNAPSHOT_FUZZ_FUNCTION(MapUpdateSnapshot, const CreateLogicalPartitionParamsProto& params_proto) {
+    auto partition_opener = std::make_unique<TestPartitionOpener>(GetSnapshotFuzzEnv()->super());
+    CreateLogicalPartitionParams params;
+    if (params_proto.use_correct_super()) {
+        params.block_device = GetSnapshotFuzzEnv()->super();
+    } else {
+        params.block_device = params_proto.block_device();
+    }
+    if (params_proto.has_metadata_slot()) {
+        params.metadata_slot = params_proto.metadata_slot();
+    }
+    params.partition_name = params_proto.partition_name();
+    params.force_writable = params_proto.force_writable();
+    params.timeout_ms = std::chrono::milliseconds(params_proto.timeout_millis());
+    params.device_name = params_proto.device_name();
+    params.partition_opener = partition_opener.get();
+    std::string path;
+    (void)snapshot->MapUpdateSnapshot(params, &path);
+}
+
 // During global init, log all messages to stdio. This is only done once.
 int AllowLoggingDuringGlobalInit() {
     SetLogger(&StdioLogger);