commit d3bf149eb286d85bfac19254793dbd0732ff3506
author Khyber Sen <khyber@google.com> Sat Jan 04 08:07:00 2025 +0000
committer Khyber Sen <khyber@google.com> Wed Jan 08 06:03:56 2025 +0000
tree c0b646f51977997905f8f94a08a6ad2f776e8c10
parent 20f6234096143040b3629a60a53a5b86256d8ae2

Reapply "rpc_binder: Change `trusty_tipc_fuzzer` to support multiple connections and messages"

This reverts commit b1105589b752d9c85769c8265e8f051b95ce8d96.

This redoes change I9692e4d0295052a8da2204f63be9e52939e70ac3,
fixing the crash and simplifying the logic so it's
more obvious something similar won't happen again.

Bug: 380142627
Bug: 319144781
Test: build.py qemu-generic-arm64-fuzz-test-debug &&
    ./build-root/build-qemu-generic-arm64-fuzz-test-debug/run.py &&
    lunch aosp_lynx-trunk_staging-userdebug &&
    m trusty_binder_rpc_fuzzer_multi_connection &&
    adb root &&
    adb sync data &&
    adb shell /data/fuzz/arm64/trusty_binder_rpc_fuzzer_multi_connection/trusty_binder_rpc_fuzzer_multi_connection -seed=1727807641/data/fuzz/arm64/trusty_binder_rpc_fuzzer_multi_connection/input
Change-Id: I049e94c87083a4e212aaf7edb1eca421dc1e76ed

trusty/fuzz/tipc_fuzzer.cpp

diff --git a/trusty/fuzz/tipc_fuzzer.cpp b/trusty/fuzz/tipc_fuzzer.cpp
index f265ced..d5e23e0 100644
--- a/trusty/fuzz/tipc_fuzzer.cpp
+++ b/trusty/fuzz/tipc_fuzzer.cpp
@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+#include <android-base/result.h>
+#include <fuzzer/FuzzedDataProvider.h>
 #include <stdlib.h>
 #include <trusty/coverage/coverage.h>
 #include <trusty/coverage/uuid.h>
@@ -23,6 +25,7 @@
 #include <iostream>
 #include <memory>
 
+using android::base::Result;
 using android::trusty::coverage::CoverageRecord;
 using android::trusty::fuzz::ExtraCounters;
 using android::trusty::fuzz::TrustyApp;
@@ -41,7 +44,12 @@
 #error "Binary file name must be parameterized using -DTRUSTY_APP_FILENAME."
 #endif
 
-static TrustyApp kTrustyApp(TIPC_DEV, TRUSTY_APP_PORT);
+#ifdef TRUSTY_APP_MAX_CONNECTIONS
+constexpr size_t MAX_CONNECTIONS = TRUSTY_APP_MAX_CONNECTIONS;
+#else
+constexpr size_t MAX_CONNECTIONS = 1;
+#endif
+
 static std::unique_ptr<CoverageRecord> record;
 
 extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
@@ -53,7 +61,8 @@
     }
 
     /* Make sure lazy-loaded TAs have started and connected to coverage service. */
-    auto ret = kTrustyApp.Connect();
+    TrustyApp ta(TIPC_DEV, TRUSTY_APP_PORT);
+    auto ret = ta.Connect();
     if (!ret.ok()) {
         std::cerr << ret.error() << std::endl;
         exit(-1);
@@ -73,24 +82,74 @@
     return 0;
 }
 
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-    static uint8_t buf[TIPC_MAX_MSG_SIZE];
+void abortResult(Result<void> result) {
+    if (result.ok()) {
+        return;
+    }
+    std::cerr << result.error() << std::endl;
+    android::trusty::fuzz::Abort();
+}
 
+void testOneInput(FuzzedDataProvider& provider) {
+    std::vector<TrustyApp> trustyApps;
+
+    while (provider.remaining_bytes() > 0) {
+        static_assert(MAX_CONNECTIONS >= 1);
+
+        // Either
+        // 1. Add a new TA and connect.
+        // 2. Remove a TA.
+        // 3. Send a random message to a random TA.
+        const std::function<void()> options[] = {
+                // Add a new TA and connect.
+                [&]() {
+                    if (trustyApps.size() >= MAX_CONNECTIONS) {
+                        return;
+                    }
+                    auto& ta = trustyApps.emplace_back(TIPC_DEV, TRUSTY_APP_PORT);
+                    abortResult(ta.Connect());
+                },
+                // Remove a TA.
+                [&]() {
+                    if (trustyApps.empty()) {
+                        return;
+                    }
+                    trustyApps.pop_back();
+                },
+                // Send a random message to a random TA.
+                [&]() {
+                    if (trustyApps.empty()) {
+                        return;
+                    }
+
+                    // Choose a random TA.
+                    const auto i =
+                            provider.ConsumeIntegralInRange<size_t>(0, trustyApps.size() - 1);
+                    std::swap(trustyApps[i], trustyApps.back());
+                    auto& ta = trustyApps.back();
+
+                    // Send a random message.
+                    const auto data = provider.ConsumeRandomLengthString();
+                    abortResult(ta.Write(data.data(), data.size()));
+
+                    std::array<uint8_t, TIPC_MAX_MSG_SIZE> buf;
+                    abortResult(ta.Read(buf.data(), buf.size()));
+
+                    // Reconnect to ensure that the service is still up.
+                    ta.Disconnect();
+                    abortResult(ta.Connect());
+                },
+        };
+
+        provider.PickValueInArray(options)();
+    }
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
     ExtraCounters counters(record.get());
     counters.Reset();
 
-    auto ret = kTrustyApp.Write(data, size);
-    if (ret.ok()) {
-        ret = kTrustyApp.Read(&buf, sizeof(buf));
-    }
-
-    // Reconnect to ensure that the service is still up
-    kTrustyApp.Disconnect();
-    ret = kTrustyApp.Connect();
-    if (!ret.ok()) {
-        std::cerr << ret.error() << std::endl;
-        android::trusty::fuzz::Abort();
-    }
-
-    return ret.ok() ? 0 : -1;
+    FuzzedDataProvider provider(data, size);
+    testOneInput(provider);
+    return 0;
 }