tests/fuzzers/buffer_fuzz.cpp - platform/system/keymaster - Gitiles

 /*
  * Copyright (C) 2020 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <functional>
 #include <memory>

 #include "fuzzer/FuzzedDataProvider.h"
 #include "keymaster/serializable.h"

 static constexpr uint16_t kMinBufferSize = 1;
 static constexpr uint16_t kMaxBufferSize = 2048;
 static constexpr uint16_t kMaxOperations = 1000;

 std::vector<std::function<void(keymaster::Buffer*, FuzzedDataProvider*)>> operations = {

     [](keymaster::Buffer* buf, FuzzedDataProvider*) -> void {
         // Just reading values, but there's some interesting
         // integer manipulation here.
         buf->begin();
         buf->end();
     },
     [](keymaster::Buffer* buf, FuzzedDataProvider*) -> void { buf->Clear(); },
     [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
         buf->reserve(fdp->ConsumeIntegralInRange<int>(kMinBufferSize, kMaxBufferSize));
     },
     [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
         buf->advance_read(fdp->ConsumeIntegral<int>());
     },
     [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
         buf->advance_write(fdp->ConsumeIntegral<int>());
     },
     [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
         buf->Reinitialize(fdp->ConsumeIntegralInRange<size_t>(kMinBufferSize, kMaxBufferSize));
     },
     [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
         size_t buf_size = fdp->ConsumeIntegralInRange<size_t>(kMinBufferSize, kMaxBufferSize);
         std::unique_ptr<uint8_t[]> in_buf = std::unique_ptr<uint8_t[]>(new uint8_t[buf_size]);
         buf->Reinitialize(in_buf.get(), buf_size);
     },
     [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
         uint16_t buf_size = fdp->ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
         std::unique_ptr<uint8_t[]> in_buf = std::unique_ptr<uint8_t[]>(new uint8_t[buf_size]);
         const uint8_t* data_ptr = in_buf.get();
         int32_t end = fdp->ConsumeIntegralInRange<int32_t>(0, buf_size);
         buf->Deserialize(&data_ptr, data_ptr + end);
     },
     [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
         uint16_t buf_size = buf->SerializedSize();
         std::unique_ptr<uint8_t[]> out_buf = std::unique_ptr<uint8_t[]>(new uint8_t[buf_size]);
         int32_t end = fdp->ConsumeIntegralInRange<int32_t>(0, buf_size);
         buf->Serialize(out_buf.get(), out_buf.get() + end);
     },
     [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
         uint16_t buf_size = fdp->ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
         std::vector<uint8_t> in_buf = fdp->ConsumeBytes<uint8_t>(buf_size);
         buf->write(in_buf.data(), fdp->ConsumeIntegralInRange<int16_t>(0, buf_size));
     },
     [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
         uint16_t buf_size = fdp->ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
         std::unique_ptr<uint8_t[]> out = std::unique_ptr<uint8_t[]>(new uint8_t[buf_size]);
         buf->read(out.get(), fdp->ConsumeIntegralInRange<int16_t>(0, buf_size));
     }};

 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
     FuzzedDataProvider fdp(data, size);
     uint16_t buf_size = fdp.ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
     keymaster::Buffer fuzzBuffer(buf_size);
     for (size_t i = 0; i < kMaxOperations && fdp.remaining_bytes() > 0; i++) {
         uint8_t op = fdp.ConsumeIntegralInRange<uint8_t>(0, operations.size() - 1);
         operations[op](&fuzzBuffer, &fdp);
     }
     return 0;
 }
	/*
	* Copyright (C) 2020 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <functional>
	#include <memory>

	#include "fuzzer/FuzzedDataProvider.h"
	#include "keymaster/serializable.h"

	static constexpr uint16_t kMinBufferSize = 1;
	static constexpr uint16_t kMaxBufferSize = 2048;
	static constexpr uint16_t kMaxOperations = 1000;

	std::vector<std::function<void(keymaster::Buffer, FuzzedDataProvider)>> operations = {

	[](keymaster::Buffer* buf, FuzzedDataProvider*) -> void {
	// Just reading values, but there's some interesting
	// integer manipulation here.
	buf->begin();
	buf->end();
	},
	[](keymaster::Buffer* buf, FuzzedDataProvider*) -> void { buf->Clear(); },
	[](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
	buf->reserve(fdp->ConsumeIntegralInRange<int>(kMinBufferSize, kMaxBufferSize));
	},
	[](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
	buf->advance_read(fdp->ConsumeIntegral<int>());
	},
	[](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
	buf->advance_write(fdp->ConsumeIntegral<int>());
	},
	[](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
	buf->Reinitialize(fdp->ConsumeIntegralInRange<size_t>(kMinBufferSize, kMaxBufferSize));
	},
	[](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
	size_t buf_size = fdp->ConsumeIntegralInRange<size_t>(kMinBufferSize, kMaxBufferSize);
	std::unique_ptr<uint8_t[]> in_buf = std::unique_ptr<uint8_t[]>(new uint8_t[buf_size]);
	buf->Reinitialize(in_buf.get(), buf_size);
	},
	[](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
	uint16_t buf_size = fdp->ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
	std::unique_ptr<uint8_t[]> in_buf = std::unique_ptr<uint8_t[]>(new uint8_t[buf_size]);
	const uint8_t* data_ptr = in_buf.get();
	int32_t end = fdp->ConsumeIntegralInRange<int32_t>(0, buf_size);
	buf->Deserialize(&data_ptr, data_ptr + end);
	},
	[](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
	uint16_t buf_size = buf->SerializedSize();
	std::unique_ptr<uint8_t[]> out_buf = std::unique_ptr<uint8_t[]>(new uint8_t[buf_size]);
	int32_t end = fdp->ConsumeIntegralInRange<int32_t>(0, buf_size);
	buf->Serialize(out_buf.get(), out_buf.get() + end);
	},
	[](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
	uint16_t buf_size = fdp->ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
	std::vector<uint8_t> in_buf = fdp->ConsumeBytes<uint8_t>(buf_size);
	buf->write(in_buf.data(), fdp->ConsumeIntegralInRange<int16_t>(0, buf_size));
	},
	[](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
	uint16_t buf_size = fdp->ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
	std::unique_ptr<uint8_t[]> out = std::unique_ptr<uint8_t[]>(new uint8_t[buf_size]);
	buf->read(out.get(), fdp->ConsumeIntegralInRange<int16_t>(0, buf_size));
	}};

	extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
	FuzzedDataProvider fdp(data, size);
	uint16_t buf_size = fdp.ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
	keymaster::Buffer fuzzBuffer(buf_size);
	for (size_t i = 0; i < kMaxOperations && fdp.remaining_bytes() > 0; i++) {
	uint8_t op = fdp.ConsumeIntegralInRange<uint8_t>(0, operations.size() - 1);
	operations[op](&fuzzBuffer, &fdp);
	}
	return 0;
	}