Merge changes Iad1713e1,Iaee2c74b,I6bd1c8b2,I067dd077
* changes:
trusty: Add simple fuzzer for keymaster TA
trusty: Increase limit on coverage counters
trusty: Write out sancov file when fuzzer exits
trusty: Switch to dmabuf for coverage shared memory
diff --git a/trusty/coverage/Android.bp b/trusty/coverage/Android.bp
index 6038d44..daa6f03 100644
--- a/trusty/coverage/Android.bp
+++ b/trusty/coverage/Android.bp
@@ -28,6 +28,7 @@
shared_libs: [
"libbase",
"liblog",
+ "libdmabufheap",
],
}
@@ -43,6 +44,7 @@
shared_libs: [
"libbase",
"liblog",
+ "libdmabufheap",
],
require_root: true,
}
diff --git a/trusty/coverage/coverage.cpp b/trusty/coverage/coverage.cpp
index f383dd1..185abe5 100644
--- a/trusty/coverage/coverage.cpp
+++ b/trusty/coverage/coverage.cpp
@@ -16,10 +16,12 @@
#define LOG_TAG "coverage"
+#include <BufferAllocator/BufferAllocator.h>
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/unique_fd.h>
#include <assert.h>
+#include <log/log.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/uio.h>
@@ -37,6 +39,7 @@
using android::base::ErrnoError;
using android::base::Error;
using std::string;
+using std::unique_ptr;
static inline uintptr_t RoundPageUp(uintptr_t val) {
return (val + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
@@ -46,12 +49,29 @@
: tipc_dev_(std::move(tipc_dev)),
coverage_srv_fd_(-1),
uuid_(*uuid),
+ sancov_filename_(),
+ record_len_(0),
+ shm_(NULL),
+ shm_len_(0) {}
+
+CoverageRecord::CoverageRecord(string tipc_dev, struct uuid* uuid, string sancov_filename)
+ : tipc_dev_(std::move(tipc_dev)),
+ coverage_srv_fd_(-1),
+ uuid_(*uuid),
+ sancov_filename_(sancov_filename),
record_len_(0),
shm_(NULL),
shm_len_(0) {}
CoverageRecord::~CoverageRecord() {
if (shm_) {
+ if (sancov_filename_) {
+ auto res = SaveSancovFile(*sancov_filename_);
+ if (!res.ok()) {
+ ALOGE("Could not write sancov file for module: %s\n", sancov_filename_->c_str());
+ }
+ }
+
munmap((void*)shm_, shm_len_);
}
}
@@ -114,24 +134,23 @@
record_len_ = resp.open_args.record_len;
shm_len_ = RoundPageUp(record_len_);
- fd = memfd_create("trusty-coverage", 0);
+ BufferAllocator allocator;
+
+ fd = allocator.Alloc("system", shm_len_);
if (fd < 0) {
- return ErrnoError() << "failed to create memfd: ";
+ return ErrnoError() << "failed to create dmabuf of size " << shm_len_
+ << " err code: " << fd;
}
- unique_fd memfd(fd);
+ unique_fd dma_buf(fd);
- if (ftruncate(memfd, shm_len_) < 0) {
- return ErrnoError() << "failed to resize memfd: ";
- }
-
- void* shm = mmap(0, shm_len_, PROT_READ | PROT_WRITE, MAP_SHARED, memfd, 0);
+ void* shm = mmap(0, shm_len_, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0);
if (shm == MAP_FAILED) {
return ErrnoError() << "failed to map memfd: ";
}
req.hdr.cmd = COVERAGE_CLIENT_CMD_SHARE_RECORD;
req.share_record_args.shm_len = shm_len_;
- ret = Rpc(&req, memfd, &resp);
+ ret = Rpc(&req, dma_buf, &resp);
if (!ret.ok()) {
return Error() << "failed to send shared memory: ";
}
diff --git a/trusty/coverage/include/trusty/coverage/coverage.h b/trusty/coverage/include/trusty/coverage/coverage.h
index b6d46eb..ed723f6 100644
--- a/trusty/coverage/include/trusty/coverage/coverage.h
+++ b/trusty/coverage/include/trusty/coverage/coverage.h
@@ -16,6 +16,7 @@
#pragma once
+#include <optional>
#include <string>
#include <android-base/result.h>
@@ -32,7 +33,18 @@
class CoverageRecord {
public:
+ /**
+ * Create a coverage record interface. Coverage will not be written to a
+ * sancov output file on completion.
+ */
CoverageRecord(std::string tipc_dev, struct uuid* uuid);
+
+ /**
+ * Create a coverage record interface. On destruction, write this coverage
+ * to the given sancov filename.
+ */
+ CoverageRecord(std::string tipc_dev, struct uuid* uuid, std::string sancov_filename);
+
~CoverageRecord();
Result<void> Open();
void ResetFullRecord();
@@ -58,6 +70,7 @@
std::string tipc_dev_;
unique_fd coverage_srv_fd_;
struct uuid uuid_;
+ std::optional<std::string> sancov_filename_;
size_t record_len_;
volatile void* shm_;
size_t shm_len_;
diff --git a/trusty/fuzz/counters.cpp b/trusty/fuzz/counters.cpp
index 8c79475..1e863ac 100644
--- a/trusty/fuzz/counters.cpp
+++ b/trusty/fuzz/counters.cpp
@@ -21,6 +21,7 @@
#include <trusty/fuzz/counters.h>
#include <android-base/logging.h>
+#include <log/log.h>
#include <trusty/coverage/coverage.h>
#include <trusty/coverage/tipc.h>
@@ -32,7 +33,8 @@
* We don't know how many counters the coverage record will contain. So, eyeball
* the size of this section.
*/
-__attribute__((section("__libfuzzer_extra_counters"))) volatile uint8_t counters[PAGE_SIZE];
+static const size_t kMaxNumCounters = 0x4000;
+__attribute__((section("__libfuzzer_extra_counters"))) volatile uint8_t counters[kMaxNumCounters];
namespace android {
namespace trusty {
@@ -62,8 +64,16 @@
volatile uint8_t* end = NULL;
record_->GetRawCounts(&begin, &end);
+ if (!begin || !end) {
+ ALOGE("Could not get raw counts from coverage record\n");
+ return;
+ }
size_t num_counters = end - begin;
+ if (num_counters > kMaxNumCounters) {
+ ALOGE("Too many counters (%zu) to fit in the extra counters section!\n", num_counters);
+ num_counters = kMaxNumCounters;
+ }
for (size_t i = 0; i < num_counters; i++) {
*(counters + i) = *(begin + i);
}
diff --git a/trusty/gatekeeper/fuzz/fuzz.cpp b/trusty/gatekeeper/fuzz/fuzz.cpp
index c0e8abb..4d885ce 100644
--- a/trusty/gatekeeper/fuzz/fuzz.cpp
+++ b/trusty/gatekeeper/fuzz/fuzz.cpp
@@ -30,6 +30,7 @@
#define TIPC_DEV "/dev/trusty-ipc-dev0"
#define GATEKEEPER_PORT "com.android.trusty.gatekeeper"
+#define GATEKEEPER_MODULE_NAME "gatekeeper.syms.elf"
/* Gatekeeper TA's UUID is 38ba0cdc-df0e-11e4-9869-233fb6ae4795 */
static struct uuid gatekeeper_uuid = {
@@ -39,7 +40,7 @@
{0x98, 0x69, 0x23, 0x3f, 0xb6, 0xae, 0x47, 0x95},
};
-static CoverageRecord record(TIPC_DEV, &gatekeeper_uuid);
+static CoverageRecord record(TIPC_DEV, &gatekeeper_uuid, GATEKEEPER_MODULE_NAME);
extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
auto ret = record.Open();
diff --git a/trusty/keymaster/fuzz/Android.bp b/trusty/keymaster/fuzz/Android.bp
new file mode 100644
index 0000000..da9f9ec
--- /dev/null
+++ b/trusty/keymaster/fuzz/Android.bp
@@ -0,0 +1,19 @@
+// Copyright (C) 2020 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+cc_fuzz {
+ name: "trusty_keymaster_fuzzer",
+ defaults: ["trusty_fuzzer_defaults"],
+ srcs: ["fuzz.cpp"],
+}
diff --git a/trusty/keymaster/fuzz/fuzz.cpp b/trusty/keymaster/fuzz/fuzz.cpp
new file mode 100644
index 0000000..70e19e6
--- /dev/null
+++ b/trusty/keymaster/fuzz/fuzz.cpp
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#undef NDEBUG
+
+#include <assert.h>
+#include <log/log.h>
+#include <stdlib.h>
+#include <trusty/coverage/coverage.h>
+#include <trusty/fuzz/counters.h>
+#include <trusty/fuzz/utils.h>
+#include <unistd.h>
+#include <iostream>
+
+using android::trusty::coverage::CoverageRecord;
+using android::trusty::fuzz::ExtraCounters;
+using android::trusty::fuzz::TrustyApp;
+
+#define TIPC_DEV "/dev/trusty-ipc-dev0"
+#define KEYMASTER_PORT "com.android.trusty.keymaster"
+#define KEYMASTER_MODULE_FILENAME "keymaster.syms.elf"
+
+/* Keymaster TA's UUID is 5f902ace-5e5c-4cd8-ae54-87b88c22ddaf */
+static struct uuid keymaster_uuid = {
+ 0x5f902ace,
+ 0x5e5c,
+ 0x4cd8,
+ {0xae, 0x54, 0x87, 0xb8, 0x8c, 0x22, 0xdd, 0xaf},
+};
+
+static CoverageRecord record(TIPC_DEV, &keymaster_uuid, KEYMASTER_MODULE_FILENAME);
+
+extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
+ auto ret = record.Open();
+ if (!ret.ok()) {
+ std::cerr << ret.error() << std::endl;
+ exit(-1);
+ }
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ static uint8_t buf[TIPC_MAX_MSG_SIZE];
+
+ ExtraCounters counters(&record);
+ counters.Reset();
+
+ android::trusty::fuzz::TrustyApp ta(TIPC_DEV, KEYMASTER_PORT);
+ auto ret = ta.Connect();
+ if (!ret.ok()) {
+ android::trusty::fuzz::Abort();
+ }
+
+ /* Send message to test server */
+ ret = ta.Write(data, size);
+ if (!ret.ok()) {
+ return -1;
+ }
+
+ /* Read message from test server */
+ ret = ta.Read(&buf, sizeof(buf));
+ if (!ret.ok()) {
+ return -1;
+ }
+
+ return 0;
+}