author | android-build-team Robot <android-build-team-robot@google.com> | 2021-03-04 02:09:18 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2021-03-04 02:09:18 +0000 |
commit | b06b355cb1595a2a6ccbd73aa7948629540d6daa (patch) | |
tree | d2f4d516636f3381bc6acefbf74fdc33eff96380 | |
parent | 9b11e5d09816c9df1d7c48c8e634d3593dead46e (diff) | |
parent | a60a52c1e851b3cd45464709830c4225022814d8 (diff) |
Snap for 7183400 from a60a52c1e851b3cd45464709830c4225022814d8 to sc-release
Change-Id: If9672174754b6ed303c42a24d35e4f2d7ebe7b15
112 files changed, 543 insertions, 161 deletions
diff --git a/debuggerd/libdebuggerd/tombstone.cpp b/debuggerd/libdebuggerd/tombstone.cpp index c1a59d85c..ca68212b7 100644 --- a/debuggerd/libdebuggerd/tombstone.cpp +++ b/debuggerd/libdebuggerd/tombstone.cpp @@ -592,7 +592,6 @@ void engrave_tombstone_ucontext(int tombstone_fd, int proto_fd, uint64_t abort_m } ProcessInfo process_info; - unique_fd attr_fd(open("/proc/self/attr/current", O_RDONLY | O_CLOEXEC)); process_info.abort_msg_address = abort_msg_address; engrave_tombstone(unique_fd(dup(tombstone_fd)), unique_fd(dup(proto_fd)), &unwinder, threads, tid, process_info, nullptr, nullptr); diff --git a/fs_mgr/libfiemap/image_manager.cpp b/fs_mgr/libfiemap/image_manager.cpp index 841f21564..44f659b5d 100644 --- a/fs_mgr/libfiemap/image_manager.cpp +++ b/fs_mgr/libfiemap/image_manager.cpp @@ -16,6 +16,8 @@ #include <libfiemap/image_manager.h> +#include <optional> + #include <android-base/file.h> #include <android-base/logging.h> #include <android-base/properties.h> @@ -574,7 +576,7 @@ bool ImageManager::UnmapImageDevice(const std::string& name, bool force) { return false; } auto& dm = DeviceMapper::Instance(); - LoopControl loop; + std::optional<LoopControl> loop; std::string status; auto status_file = GetStatusFilePath(name); @@ -598,9 +600,14 @@ bool ImageManager::UnmapImageDevice(const std::string& name, bool force) { return false; } } else if (pieces[0] == "loop") { + // Lazily connect to loop-control to avoid spurious errors in recovery. + if (!loop.has_value()) { + loop.emplace(); + } + // Failure to remove a loop device is not fatal, since we can still // remove the backing file if we want. - loop.Detach(pieces[1]); + loop->Detach(pieces[1]); } else { LOG(ERROR) << "Unknown status: " << pieces[0]; } diff --git a/fs_mgr/libsnapshot/dm_snapshot_internals.h b/fs_mgr/libsnapshot/dm_snapshot_internals.h index fef256d03..ed77c1526 100644 --- a/fs_mgr/libsnapshot/dm_snapshot_internals.h +++ b/fs_mgr/libsnapshot/dm_snapshot_internals.h 
@@ -14,8 +14,10 @@ #pragma once +#include <android-base/logging.h> #include <stdint.h> +#include <optional> #include <vector> namespace android { @@ -26,19 +28,46 @@ class DmSnapCowSizeCalculator { DmSnapCowSizeCalculator(unsigned int sector_bytes, unsigned int chunk_sectors) : sector_bytes_(sector_bytes), chunk_sectors_(chunk_sectors), - exceptions_per_chunk(chunk_sectors_ * sector_bytes_ / (64 * 2 / 8)) {} + exceptions_per_chunk(chunk_sectors_ * sector_bytes_ / exception_size_bytes) {} void WriteByte(uint64_t address) { WriteSector(address / sector_bytes_); } void WriteSector(uint64_t sector) { WriteChunk(sector / chunk_sectors_); } void WriteChunk(uint64_t chunk_id) { + if (!valid_) { + return; + } + if (modified_chunks_.size() <= chunk_id) { + if (modified_chunks_.max_size() <= chunk_id) { + LOG(ERROR) << "Invalid COW size, chunk_id is too large."; + valid_ = false; + return; + } modified_chunks_.resize(chunk_id + 1, false); + if (modified_chunks_.size() <= chunk_id) { + LOG(ERROR) << "Invalid COW size, chunk_id is too large."; + valid_ = false; + return; + } } + modified_chunks_[chunk_id] = true; } - uint64_t cow_size_bytes() const { return cow_size_sectors() * sector_bytes_; } - uint64_t cow_size_sectors() const { return cow_size_chunks() * chunk_sectors_; } + std::optional<uint64_t> cow_size_bytes() const { + auto sectors = cow_size_sectors(); + if (!sectors) { + return std::nullopt; + } + return sectors.value() * sector_bytes_; + } + std::optional<uint64_t> cow_size_sectors() const { + auto chunks = cow_size_chunks(); + if (!chunks) { + return std::nullopt; + } + return chunks.value() * chunk_sectors_; + } /* * The COW device has a precise internal structure as follows: 
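Review bot: The new guard in WriteChunk only rejects chunk ids at or beyond `modified_chunks_.max_size()`; any id between the real device size and that limit still reaches `modified_chunks_.resize(chunk_id + 1, false)`, and with exceptions disabled (Android's default) an allocation failure there aborts the process instead of clearing `valid_`, which also makes the post-resize size check unreachable in practice. Since WriteExtent (visible later in this change) feeds chunk ids derived from update-manifest extents, the calculator should be bounded by the target's actual chunk count rather than the container's theoretical limit, e.g. a constructor parameter `uint64_t max_chunks` checked up front: `if (chunk_id >= max_chunks_) { LOG(ERROR) << "Invalid COW size, chunk_id " << chunk_id << " exceeds " << max_chunks_; valid_ = false; return; }`. The test added in this change only exercises `UINT64_MAX`, which the max_size() check catches, not that intermediate range. The class continues past this hunk.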
@@ -56,7 +85,12 @@ class DmSnapCowSizeCalculator { * - chunks addressable by previous map (exceptions_per_chunk) * - 1 extra chunk */ - uint64_t cow_size_chunks() const { + std::optional<uint64_t> cow_size_chunks() const { + if (!valid_) { + LOG(ERROR) << "Invalid COW size."; + return std::nullopt; + } + uint64_t modified_chunks_count = 0; uint64_t cow_chunks = 0; 
@@ -90,19 +124,30 @@ class DmSnapCowSizeCalculator { const uint64_t chunk_sectors_; /* - * The COW device stores tables to map the modified chunks. Each table - * has the size of exactly 1 chunk. - * Each row of the table (also called exception in the kernel) contains two - * 64 bit indices to identify the corresponding chunk, and this 128 bit row - * size is a constant. - * The number of exceptions that each table can contain determines the - * number of data chunks that separate two consecutive tables. This value - * is then fundamental to compute the space overhead introduced by the - * tables in COW devices. + * The COW device stores tables to map the modified chunks. Each table has + * the size of exactly 1 chunk. + * Each entry of the table is called exception and the number of exceptions + * that each table can contain determines the number of data chunks that + * separate two consecutive tables. This value is then fundamental to + * compute the space overhead introduced by the tables in COW devices. */ const uint64_t exceptions_per_chunk; /* + * Each row of the table (called exception in the kernel) contains two + * 64 bit indices to identify the corresponding chunk, and this 128 bit + * pair is constant in size. + */ + static constexpr unsigned int exception_size_bytes = 64 * 2 / 8; + + /* + * Validity check for the container. + * It may happen that the caller attempts the write of an invalid chunk + * identifier, and this misbehavior is accounted and stored in this value. + */ + bool valid_ = true; + + /* * |modified_chunks_| is a container that keeps trace of the modified * chunks. * Multiple options were considered when choosing the most appropriate data diff --git a/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h b/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h index 0d90f6cd6..a79a86ddd 100644 --- a/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h +++ b/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h 
@@ -694,8 +694,8 @@ class SnapshotManager final : public ISnapshotManager { // Call ProcessUpdateState and handle states with special rules before data wipe. Specifically, // if |allow_forward_merge| and allow-forward-merge indicator exists, initiate merge if // necessary. - bool ProcessUpdateStateOnDataWipe(bool allow_forward_merge, - const std::function<bool()>& callback); + UpdateState ProcessUpdateStateOnDataWipe(bool allow_forward_merge, + const std::function<bool()>& callback); // Return device string of a mapped image, or if it is not available, the mapped image path. bool GetMappedImageDeviceStringOrPath(const std::string& device_name, diff --git a/fs_mgr/libsnapshot/partition_cow_creator.cpp b/fs_mgr/libsnapshot/partition_cow_creator.cpp index da6fc9d20..6002043ab 100644 --- a/fs_mgr/libsnapshot/partition_cow_creator.cpp +++ b/fs_mgr/libsnapshot/partition_cow_creator.cpp @@ -142,11 +142,11 @@ void WriteExtent(DmSnapCowSizeCalculator* sc, const chromeos_update_engine::Exte } } -uint64_t PartitionCowCreator::GetCowSize() { +std::optional<uint64_t> PartitionCowCreator::GetCowSize() { if (compression_enabled) { if (update == nullptr || !update->has_estimate_cow_size()) { LOG(ERROR) << "Update manifest does not include a COW size"; - return 0; + return std::nullopt; } // Add an extra 2MB of wiggle room for any minor differences in labels/metadata @@ -239,7 +239,7 @@ std::optional<PartitionCowCreator::Return> PartitionCowCreator::Run() { } // Compute the COW partition size. - uint64_t cow_partition_size = std::min(cow_size, free_region_length); + uint64_t cow_partition_size = std::min(cow_size.value(), free_region_length); // Round it down to the nearest logical block. Logical partitions must be a multiple // of logical blocks. cow_partition_size &= ~(logical_block_size - 1); 
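Review bot: In the `-239` hunk of partition_cow_creator.cpp `cow_size.value()` is now called on a `std::optional<uint64_t>`, but the site that assigns `cow_size` from GetCowSize() lies outside the hunk, so nothing visible here guarantees the optional is engaged; with exceptions disabled, `value()` on a nullopt aborts, which is worse than the old `return 0` for a manifest lacking `estimate_cow_size`. If the existing code already has `if (!cow_size) return {};` at the assignment (the leading `}` context line could be closing such a guard, and that test works unchanged for both uint64_t and optional) this is fine, but please confirm; otherwise add `if (!cow_size) { LOG(ERROR) << "Failed to compute COW size"; return {}; }` ahead of this hunk. Run() starts before the hunk and ends after it.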
@@ -247,7 +247,7 @@ std::optional<PartitionCowCreator::Return> PartitionCowCreator::Run() { // Assign cow_partition_usable_regions to indicate what regions should the COW partition uses. ret.cow_partition_usable_regions = std::move(free_regions); - auto cow_file_size = cow_size - cow_partition_size; + auto cow_file_size = cow_size.value() - cow_partition_size; // Round it up to the nearest sector. cow_file_size += kSectorSize - 1; cow_file_size &= ~(kSectorSize - 1); diff --git a/fs_mgr/libsnapshot/partition_cow_creator.h b/fs_mgr/libsnapshot/partition_cow_creator.h index 64d186b53..84372de9c 100644 --- a/fs_mgr/libsnapshot/partition_cow_creator.h +++ b/fs_mgr/libsnapshot/partition_cow_creator.h @@ -68,7 +68,7 @@ struct PartitionCowCreator { private: bool HasExtent(Partition* p, Extent* e); - uint64_t GetCowSize(); + std::optional<uint64_t> GetCowSize(); }; } // namespace snapshot diff --git a/fs_mgr/libsnapshot/partition_cow_creator_test.cpp b/fs_mgr/libsnapshot/partition_cow_creator_test.cpp index e4b476f9b..de35c132d 100644 --- a/fs_mgr/libsnapshot/partition_cow_creator_test.cpp +++ b/fs_mgr/libsnapshot/partition_cow_creator_test.cpp @@ -308,6 +308,10 @@ TEST(DmSnapshotInternals, CowSizeCalculator) { cc.WriteByte(b); ASSERT_EQ(cc.cow_size_sectors(), 40); } + + // Write a byte that would surely overflow the counter + cc.WriteChunk(std::numeric_limits<uint64_t>::max()); + ASSERT_FALSE(cc.cow_size_sectors().has_value()); } void BlocksToExtents(const std::vector<uint64_t>& blocks, diff --git a/fs_mgr/libsnapshot/snapshot.cpp b/fs_mgr/libsnapshot/snapshot.cpp index eb3a50144..cc2599d1f 100644 --- a/fs_mgr/libsnapshot/snapshot.cpp +++ b/fs_mgr/libsnapshot/snapshot.cpp 
@@ -894,6 +894,8 @@ UpdateState SnapshotManager::ProcessUpdateState(const std::function<bool()>& cal const std::function<bool()>& before_cancel) { while (true) { UpdateState state = CheckMergeState(before_cancel); + LOG(INFO) << "ProcessUpdateState handling state: " << state; + if (state == UpdateState::MergeFailed) { AcknowledgeMergeFailure(); } @@ -920,13 +922,15 @@ UpdateState SnapshotManager::CheckMergeState(const std::function<bool()>& before } UpdateState state = CheckMergeState(lock.get(), before_cancel); + LOG(INFO) << "CheckMergeState for snapshots returned: " << state; + if (state == UpdateState::MergeCompleted) { // Do this inside the same lock. Failures get acknowledged without the // lock, because flock() might have failed. AcknowledgeMergeSuccess(lock.get()); } else if (state == UpdateState::Cancelled) { - if (!RemoveAllUpdateState(lock.get(), before_cancel)) { - return ReadSnapshotUpdateStatus(lock.get()).state(); + if (!device_->IsRecovery() && !RemoveAllUpdateState(lock.get(), before_cancel)) { + LOG(ERROR) << "Failed to remove all update state after acknowleding cancelled update."; } } return state; @@ -968,13 +972,23 @@ UpdateState SnapshotManager::CheckMergeState(LockedFile* lock, return UpdateState::MergeFailed; } + auto other_suffix = device_->GetOtherSlotSuffix(); + bool cancelled = false; bool failed = false; bool merging = false; bool needs_reboot = false; bool wrong_phase = false; for (const auto& snapshot : snapshots) { + if (android::base::EndsWith(snapshot, other_suffix)) { + // This will have triggered an error message in InitiateMerge already. + LOG(INFO) << "Skipping merge validation of unexpected snapshot: " << snapshot; + continue; + } + UpdateState snapshot_state = CheckTargetMergeState(lock, snapshot, update_status); + LOG(INFO) << "CheckTargetMergeState for " << snapshot << " returned: " << snapshot_state; + switch (snapshot_state) { case UpdateState::MergeFailed: failed = true; 
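Review bot: The error message added in the `-920` hunk has a typo, `acknowleding`; it should read `LOG(ERROR) << "Failed to remove all update state after acknowledging cancelled update.";`. The same hunk also changes the contract on this path: a failed RemoveAllUpdateState used to return whatever state was still persisted, whereas now Cancelled is returned regardless, and in recovery the cleanup is skipped entirely, so a caller may treat the update as cancelled while the on-disk state still says otherwise. A one-line comment on the `IsRecovery()` branch naming who is expected to clear the state in recovery (HandleImminentDataWipe writes None later in this change) would make the intent clear to the next reader. The closing brace of CheckMergeState falls outside the hunk.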
@@ -1173,7 +1187,7 @@ void SnapshotManager::AcknowledgeMergeSuccess(LockedFile* lock) { // indicator that cleanup is needed on reboot. If a factory data reset // was requested, it doesn't matter, everything will get wiped anyway. // To make testing easier we consider a /data wipe as cleaned up. - if (device_->IsRecovery() && !in_factory_data_reset_) { + if (device_->IsRecovery()) { WriteUpdateState(lock, UpdateState::MergeCompleted); return; } @@ -1692,6 +1706,7 @@ UpdateState SnapshotManager::GetUpdateState(double* progress) { for (const auto& snapshot : snapshots) { DmTargetSnapshot::Status current_status; + if (!IsSnapshotDevice(snapshot)) continue; if (!QuerySnapshotStatus(snapshot, nullptr, ¤t_status)) continue; fake_snapshots_status.sectors_allocated += current_status.sectors_allocated; @@ -3212,10 +3227,11 @@ bool SnapshotManager::HandleImminentDataWipe(const std::function<void()>& callba }; in_factory_data_reset_ = true; - bool ok = ProcessUpdateStateOnDataWipe(true /* allow_forward_merge */, process_callback); + UpdateState state = + ProcessUpdateStateOnDataWipe(true /* allow_forward_merge */, process_callback); in_factory_data_reset_ = false; - if (!ok) { + if (state == UpdateState::MergeFailed) { return false; } @@ -3223,6 +3239,16 @@ bool SnapshotManager::HandleImminentDataWipe(const std::function<void()>& callba if (!UnmapAllPartitionsInRecovery()) { LOG(ERROR) << "Unable to unmap all partitions; fastboot may fail to flash."; } + + if (state != UpdateState::None) { + auto lock = LockExclusive(); + if (!lock) return false; + + // Zap the update state so the bootloader doesn't think we're still + // merging. It's okay if this fails, it's informative only at this + // point. + WriteUpdateState(lock.get(), UpdateState::None); + } return true; } 
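Review bot: In the `-3223` hunk the comment says it is okay if clearing the update state fails, yet `if (!lock) return false;` makes a LockExclusive() failure fail the whole data-wipe handling, after the partitions have already been unmapped. Either the comment or the code should give; if the write is truly best-effort, `if (!lock) { LOG(WARNING) << "Unable to lock snapshot state; leaving update state as-is"; return true; }` matches the stated intent. Note also that every non-None state, including Cancelled and MergeNeedsReboot, is overwritten with None here; if that is deliberate for the wipe case, say so in the comment. HandleImminentDataWipe begins before the hunk.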
@@ -3257,15 +3283,15 @@ bool SnapshotManager::FinishMergeInRecovery() { return true; } -bool SnapshotManager::ProcessUpdateStateOnDataWipe(bool allow_forward_merge, - const std::function<bool()>& callback) { +UpdateState SnapshotManager::ProcessUpdateStateOnDataWipe(bool allow_forward_merge, + const std::function<bool()>& callback) { auto slot_number = SlotNumberForSlotSuffix(device_->GetSlotSuffix()); UpdateState state = ProcessUpdateState(callback); LOG(INFO) << "Update state in recovery: " << state; switch (state) { case UpdateState::MergeFailed: LOG(ERROR) << "Unrecoverable merge failure detected."; - return false; + return state; case UpdateState::Unverified: { // If an OTA was just applied but has not yet started merging: // @@ -3285,8 +3311,12 @@ bool SnapshotManager::ProcessUpdateStateOnDataWipe(bool allow_forward_merge, if (allow_forward_merge && access(GetForwardMergeIndicatorPath().c_str(), F_OK) == 0) { LOG(INFO) << "Forward merge allowed, initiating merge now."; - return InitiateMerge() && - ProcessUpdateStateOnDataWipe(false /* allow_forward_merge */, callback); + + if (!InitiateMerge()) { + LOG(ERROR) << "Failed to initiate merge on data wipe."; + return UpdateState::MergeFailed; + } + return ProcessUpdateStateOnDataWipe(false /* allow_forward_merge */, callback); } LOG(ERROR) << "Reverting to old slot since update will be deleted."; @@ -3304,7 +3334,7 @@ bool SnapshotManager::ProcessUpdateStateOnDataWipe(bool allow_forward_merge, default: break; } - return true; + return state; } bool SnapshotManager::EnsureNoOverflowSnapshot(LockedFile* lock) { diff --git a/fs_mgr/libsnapshot/snapshot_test.cpp b/fs_mgr/libsnapshot/snapshot_test.cpp index d57aa6c22..bde4ccadd 100644 --- a/fs_mgr/libsnapshot/snapshot_test.cpp +++ b/fs_mgr/libsnapshot/snapshot_test.cpp 
@@ -636,8 +636,8 @@ TEST_F(SnapshotTest, FlashSuperDuringMerge) { // Because the status is Merging, we must call ProcessUpdateState, which should // detect a cancelled update. - ASSERT_EQ(sm->ProcessUpdateState(), UpdateState::Cancelled); - ASSERT_EQ(sm->GetUpdateState(), UpdateState::None); + ASSERT_EQ(init->ProcessUpdateState(), UpdateState::Cancelled); + ASSERT_EQ(init->GetUpdateState(), UpdateState::None); } TEST_F(SnapshotTest, UpdateBootControlHal) { @@ -1767,7 +1767,7 @@ TEST_F(SnapshotUpdateTest, DataWipeRollbackInRecovery) { ASSERT_TRUE(new_sm->HandleImminentDataWipe()); // Manually mount metadata so that we can call GetUpdateState() below. MountMetadata(); - EXPECT_EQ(new_sm->GetUpdateState(), UpdateState::Unverified); + EXPECT_EQ(new_sm->GetUpdateState(), UpdateState::None); EXPECT_TRUE(test_device->IsSlotUnbootable(1)); EXPECT_FALSE(test_device->IsSlotUnbootable(0)); } @@ -2105,8 +2105,12 @@ TEST_P(FlashAfterUpdateTest, FlashSlotAfterUpdate) { // There should be no snapshot to merge. auto new_sm = SnapshotManager::New(new TestDeviceInfo(fake_super, flashed_slot_suffix)); - // update_enigne calls ProcessUpdateState first -- should see Cancelled. - ASSERT_EQ(UpdateState::Cancelled, new_sm->ProcessUpdateState()); + if (flashed_slot == 0 && after_merge) { + ASSERT_EQ(UpdateState::MergeCompleted, new_sm->ProcessUpdateState()); + } else { + // update_engine calls ProcessUpdateState first -- should see Cancelled. + ASSERT_EQ(UpdateState::Cancelled, new_sm->ProcessUpdateState()); + } // Next OTA calls CancelUpdate no matter what. ASSERT_TRUE(new_sm->CancelUpdate()); diff --git a/init/first_stage_mount.cpp b/init/first_stage_mount.cpp index de72f23c3..a11bb2837 100644 --- a/init/first_stage_mount.cpp +++ b/init/first_stage_mount.cpp @@ -44,6 +44,7 @@ #include "block_dev_initializer.h" #include "devices.h" +#include "result.h" #include "snapuserd_transition.h" #include "switch_root.h" #include "uevent.h" 
@@ -51,6 +52,7 @@ #include "util.h" using android::base::ReadFileToString; +using android::base::Result; using android::base::Split; using android::base::StringPrintf; using android::base::Timer; @@ -81,7 +83,7 @@ class FirstStageMount { // The factory method to create either FirstStageMountVBootV1 or FirstStageMountVBootV2 // based on device tree configurations. - static std::unique_ptr<FirstStageMount> Create(); + static Result<std::unique_ptr<FirstStageMount>> Create(); bool DoCreateDevices(); // Creates devices and logical partitions from storage devices bool DoFirstStageMount(); // Mounts fstab entries read from device tree. bool InitDevices(); @@ -160,7 +162,7 @@ static inline bool IsDtVbmetaCompatible(const Fstab& fstab) { return is_android_dt_value_expected("vbmeta/compatible", "android,vbmeta"); } -static Fstab ReadFirstStageFstab() { +static Result<Fstab> ReadFirstStageFstab() { Fstab fstab; if (!ReadFstabFromDt(&fstab)) { if (ReadDefaultFstab(&fstab)) { @@ -170,7 +172,7 @@ static Fstab ReadFirstStageFstab() { }), fstab.end()); } else { - LOG(INFO) << "Failed to fstab for first stage mount"; + return Error() << "failed to read default fstab for first stage mount"; } } return fstab; @@ -236,12 +238,16 @@ FirstStageMount::FirstStageMount(Fstab fstab) : need_dm_verity_(false), fstab_(s super_partition_name_ = fs_mgr_get_super_partition_name(); } -std::unique_ptr<FirstStageMount> FirstStageMount::Create() { +Result<std::unique_ptr<FirstStageMount>> FirstStageMount::Create() { auto fstab = ReadFirstStageFstab(); - if (IsDtVbmetaCompatible(fstab)) { - return std::make_unique<FirstStageMountVBootV2>(std::move(fstab)); + if (!fstab.ok()) { + return fstab.error(); + } + + if (IsDtVbmetaCompatible(*fstab)) { + return std::make_unique<FirstStageMountVBootV2>(std::move(*fstab)); } else { - return std::make_unique<FirstStageMountVBootV1>(std::move(fstab)); + return std::make_unique<FirstStageMountVBootV1>(std::move(*fstab)); } } 
@@ -836,12 +842,12 @@ bool FirstStageMountVBootV2::InitAvbHandle() { // ---------------- // Creates devices and logical partitions from storage devices bool DoCreateDevices() { - std::unique_ptr<FirstStageMount> handle = FirstStageMount::Create(); - if (!handle) { - LOG(ERROR) << "Failed to create FirstStageMount"; + auto fsm = FirstStageMount::Create(); + if (!fsm.ok()) { + LOG(ERROR) << "Failed to create FirstStageMount: " << fsm.error(); return false; } - return handle->DoCreateDevices(); + return (*fsm)->DoCreateDevices(); } // Mounts partitions specified by fstab in device tree. @@ -852,17 +858,17 @@ bool DoFirstStageMount(bool create_devices) { return true; } - std::unique_ptr<FirstStageMount> handle = FirstStageMount::Create(); - if (!handle) { - LOG(ERROR) << "Failed to create FirstStageMount"; + auto fsm = FirstStageMount::Create(); + if (!fsm.ok()) { + LOG(ERROR) << "Failed to create FirstStageMount " << fsm.error(); return false; } if (create_devices) { - if (!handle->DoCreateDevices()) return false; + if (!(*fsm)->DoCreateDevices()) return false; } - return handle->DoFirstStageMount(); + return (*fsm)->DoFirstStageMount(); } void SetInitAvbVersionInRecovery() { @@ -872,8 +878,12 @@ void SetInitAvbVersionInRecovery() { } auto fstab = ReadFirstStageFstab(); + if (!fstab.ok()) { + LOG(ERROR) << fstab.error(); + return; + } - if (!IsDtVbmetaCompatible(fstab)) { + if (!IsDtVbmetaCompatible(*fstab)) { LOG(INFO) << "Skipped setting INIT_AVB_VERSION (not vbmeta compatible)"; return; } @@ -883,7 +893,7 @@ void SetInitAvbVersionInRecovery() { // We only set INIT_AVB_VERSION when the AVB verification succeeds, i.e., the // Open() function returns a valid handle. // We don't need to mount partitions here in recovery mode. - FirstStageMountVBootV2 avb_first_mount(std::move(fstab)); + FirstStageMountVBootV2 avb_first_mount(std::move(*fstab)); if (!avb_first_mount.InitDevices()) { LOG(ERROR) << "Failed to init devices for INIT_AVB_VERSION"; return; 
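Review bot: `LOG(ERROR) << fstab.error();` in the `-872` hunk emits the bare Result error without saying which step failed, unlike the other two call sites in this file; prefer `LOG(ERROR) << "Failed to read first stage fstab: " << fstab.error();`. In the `-852` hunk the message `"Failed to create FirstStageMount "` also lacks the `: ` separator that the `-836` hunk uses, so the two logs render differently for the same failure. SetInitAvbVersionInRecovery begins before the hunk and continues after it.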
diff --git a/libprocessgroup/setup/cgroup_map_write.cpp b/libprocessgroup/setup/cgroup_map_write.cpp
index 753fd2dfc..aa41acbdc 100644
--- a/libprocessgroup/setup/cgroup_map_write.cpp
+++ b/libprocessgroup/setup/cgroup_map_write.cpp
@@ -183,10 +183,12 @@ static bool ReadDescriptorsFromFile(const std::string& file_name,
 return false;
 }
- Json::Reader reader;
+ Json::CharReaderBuilder builder;
+ std::unique_ptr<Json::CharReader> reader(builder.newCharReader());
 Json::Value root;
- if (!reader.parse(json_doc, root)) {
- LOG(ERROR) << "Failed to parse cgroups description: " << reader.getFormattedErrorMessages();
+ std::string errorMessage;
+ if (!reader->parse(&*json_doc.begin(), &*json_doc.end(), &root, &errorMessage)) {
+ LOG(ERROR) << "Failed to parse cgroups description: " << errorMessage;
 return false;
 }
diff --git a/libprocessgroup/task_profiles.cpp b/libprocessgroup/task_profiles.cpp
index 8d4ce2545..f13a6815c 100644
--- a/libprocessgroup/task_profiles.cpp
+++ b/libprocessgroup/task_profiles.cpp
@@ -425,10 +425,12 @@ bool TaskProfiles::Load(const CgroupMap& cg_map, const std::string& file_name) {
 return false;
 }
- Json::Reader reader;
+ Json::CharReaderBuilder builder;
+ std::unique_ptr<Json::CharReader> reader(builder.newCharReader());
 Json::Value root;
- if (!reader.parse(json_doc, root)) {
- LOG(ERROR) << "Failed to parse task profiles: " << reader.getFormattedErrorMessages();
+ std::string errorMessage;
+ if (!reader->parse(&*json_doc.begin(), &*json_doc.end(), &root, &errorMessage)) {
+ LOG(ERROR) << "Failed to parse task profiles: " << errorMessage;
 return false;
 }
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 04e954e31..0e1e98b84 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
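Review bot: `&*json_doc.end()` in the new parse call in cgroup_map_write.cpp dereferences the end iterator of a std::string, which is undefined behaviour even though it yields the expected address on common implementations, and `&*json_doc.begin()` has the same problem when the document is empty. Use the string's contiguous storage directly: `reader->parse(json_doc.data(), json_doc.data() + json_doc.size(), &root, &errorMessage)`. CharReaderBuilder's default settings are also more permissive than strict JSON (comments are accepted, as far as we recall jsoncpp's defaults); if the cgroups description is meant to be strict, consider `Json::CharReaderBuilder::strictMode(&builder.settings_);` before `newCharReader()`. ReadDescriptorsFromFile begins before and continues after this hunk.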
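Review bot: The task_profiles.cpp hunk passes `&*json_doc.begin()` and `&*json_doc.end()` to `CharReader::parse`, and dereferencing `end()` (or `begin()` on an empty string) is undefined behaviour regardless of what address it happens to produce. Prefer `reader->parse(json_doc.data(), json_doc.data() + json_doc.size(), &root, &errorMessage)`, which is well-defined for an empty document as well. TaskProfiles::Load begins before and continues after this hunk.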
@@ -620,6 +620,15 @@ on late-fs
 # Load trusted keys from dm-verity protected partitions
 exec -- /system/bin/fsverity_init --load-verified-keys
+ # Set up a tracing instance for system_server to monitor error_report_end events.
+ # These are sent by kernel tools like KASAN and KFENCE when a memory corruption
+ # is detected.
+ mkdir /sys/kernel/tracing/instances/bootreceiver 0700 system system
+ restorecon_recursive /sys/kernel/tracing/instances/bootreceiver
+ write /sys/kernel/tracing/instances/bootreceiver/buffer_size_kb 1
+ write /sys/kernel/tracing/instances/bootreceiver/trace_options disable_on_free
+ write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1
+
 on post-fs-data
 mark_post_data
diff --git a/trusty/apploader/fuzz/Android.bp b/trusty/apploader/fuzz/Android.bp
new file mode 100644
index 000000000..e37dab1b0
--- /dev/null
+++ b/trusty/apploader/fuzz/Android.bp
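Review bot: The new `write` commands in the late-fs section assume tracefs is mounted at /sys/kernel/tracing and that the kernel exposes the `error_report` event group; on a kernel without that tracepoint the last `write` fails and init reports the failed command on every boot. Since init.rc cannot make this conditional, a comment stating that the block is best-effort and harmless on such kernels would save the next person a debugging session, e.g. `# Best-effort: on kernels without the error_report tracepoint these writes fail and are only logged.`. It is also worth confirming (the policy is not in this diff) that the `0700 system system` instance directory plus `restorecon_recursive` leaves system_server able to read the instance's trace pipe. The `on late-fs` section starts before the hunk.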
@@ -0,0 +1,40 @@
+// Copyright (C) 2021 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+// Fuzz Trusty IPC messages sent to apploader.
+cc_fuzz {
+ name: "trusty_apploader_tipc_fuzzer",
+ defaults: ["trusty_fuzzer_defaults"],
+ srcs: [":trusty_tipc_fuzzer"],
+ cflags: [
+ "-DTRUSTY_APP_PORT=\"com.android.trusty.apploader\"",
+ "-DTRUSTY_APP_UUID=\"081ba88f-f1ee-452e-b5e8-a7e9ef173a97\"",
+ "-DTRUSTY_APP_FILENAME=\"apploader.syms.elf\"",
+ ]
+}
+
+// Fuzz app package sent to apploader.
+cc_fuzz {
+ name: "trusty_apploader_app_fuzzer",
+ defaults: ["trusty_fuzzer_defaults"],
+ srcs: ["app_fuzzer.cpp"],
+ include_dirs: ["system/core/trusty/apploader"],
+ shared_libs: [
+ "libdmabufheap",
+ ],
+}
diff --git a/trusty/apploader/fuzz/app_fuzzer.cpp b/trusty/apploader/fuzz/app_fuzzer.cpp
new file mode 100644
index 000000000..aa0caca81
--- /dev/null
+++ b/trusty/apploader/fuzz/app_fuzzer.cpp
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <BufferAllocator/BufferAllocator.h>
+#include <android-base/unique_fd.h>
+#include <apploader_ipc.h>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <trusty/coverage/coverage.h>
+#include <trusty/fuzz/counters.h>
+#include <trusty/fuzz/utils.h>
+#include <trusty/tipc.h>
+#include <unistd.h>
+#include <iostream>
+
+using android::base::unique_fd;
+using android::trusty::coverage::CoverageRecord;
+using android::trusty::fuzz::ExtraCounters;
+using android::trusty::fuzz::TrustyApp;
+
+#define TIPC_DEV "/dev/trusty-ipc-dev0"
+#define APPLOADER_PORT "com.android.trusty.apploader"
+#define APPLOADER_MODULE_NAME "apploader.syms.elf"
+
+/* Apploader TA's UUID is 081ba88f-f1ee-452e-b5e8-a7e9ef173a97 */
+static struct uuid apploader_uuid = {
+ 0x081ba88f,
+ 0xf1ee,
+ 0x452e,
+ {0xb5, 0xe8, 0xa7, 0xe9, 0xef, 0x17, 0x3a, 0x97},
+};
+
+static inline uintptr_t RoundPageUp(uintptr_t val) {
+ return (val + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
+}
+
+static bool SendLoadMsg(int chan, int dma_buf, size_t dma_buf_size) {
+ apploader_header hdr = {
+ .cmd = APPLOADER_CMD_LOAD_APPLICATION,
+ };
+ apploader_load_app_req req = {
+ .package_size = static_cast<uint64_t>(dma_buf_size),
+ };
+ iovec iov[] = {
+ {
+ .iov_base = &hdr,
+ .iov_len = sizeof(hdr),
+ },
+ {
+ .iov_base = &req,
+ .iov_len = sizeof(req),
+ },
+ };
+ trusty_shm shm
= {
+ .fd = dma_buf,
+ .transfer = TRUSTY_SHARE,
+ };
+
+ int rc = tipc_send(chan, iov, 2, &shm, 1);
+ if (rc != static_cast<int>(sizeof(hdr) + sizeof(req))) {
+ std::cerr << "Failed to send request" << std::endl;
+ return false;
+ }
+
+ apploader_resp resp;
+ rc = read(chan, &resp, sizeof(resp));
+ if (rc != static_cast<int>(sizeof(resp))) {
+ std::cerr << "Failed to receive response" << std::endl;
+ return false;
+ }
+
+ return true;
+}
+
+static CoverageRecord record(TIPC_DEV, &apploader_uuid, APPLOADER_MODULE_NAME);
+
+extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
+ auto ret = record.Open();
+ if (!ret.ok()) {
+ std::cerr << ret.error() << std::endl;
+ exit(-1);
+ }
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ ExtraCounters counters(&record);
+ counters.Reset();
+
+ android::trusty::fuzz::TrustyApp ta(TIPC_DEV, APPLOADER_PORT);
+ auto ret = ta.Connect();
+ if (!ret.ok()) {
+ std::cerr << ret.error() << std::endl;
+ android::trusty::fuzz::Abort();
+ }
+
+ uint64_t shm_len = size ? RoundPageUp(size) : PAGE_SIZE;
+ BufferAllocator alloc;
+ unique_fd dma_buf(alloc.Alloc(kDmabufSystemHeapName, shm_len));
+ if (dma_buf < 0) {
+ std::cerr << "Failed to create dmabuf of size: " << shm_len << std::endl;
+ android::trusty::fuzz::Abort();
+ }
+
+ void* shm_base = mmap(0, shm_len, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0);
+ if (shm_base == MAP_FAILED) {
+ std::cerr << "Failed to mmap() dmabuf" << std::endl;
+ android::trusty::fuzz::Abort();
+ }
+
+ memcpy(shm_base, data, size);
+
+ bool success = SendLoadMsg(*ta.GetRawFd(), dma_buf, shm_len);
+ if (!success) {
+ std::cerr << "Failed to send load message" << std::endl;
+ android::trusty::fuzz::Abort();
+ }
+
+ munmap(shm_base, shm_len);
+ return 0;
+}
diff --git a/trusty/confirmationui/fuzz/Android.bp b/trusty/confirmationui/fuzz/Android.bp
index 12bb70a69..ba571914d 100644
--- a/trusty/confirmationui/fuzz/Android.bp
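Review bot: SendLoadMsg reports the page-rounded buffer length as `package_size`, so the TA always sees a package whose size is a multiple of PAGE_SIZE and whose tail is zero padding; the real boundary of the fuzzer input is never exercised. Pass the input length separately, `static bool SendLoadMsg(int chan, int dma_buf, size_t package_size)`, `.package_size = static_cast<uint64_t>(package_size),`, and call it as `SendLoadMsg(*ta.GetRawFd(), dma_buf, size)` while the dmabuf itself stays `shm_len` bytes, which also lets any package-size-versus-buffer check in the apploader (presumably present, not visible here) be reached with mismatched values. `memcpy` is used without `#include <string.h>`, so the file currently compiles only through transitive includes. A short comment on `RoundPageUp`/`shm_len` explaining that the dmabuf allocation has to be page sized would help the next reader too.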
+++ b/trusty/confirmationui/fuzz/Android.bp
@@ -17,11 +17,27 @@ package {
 }
 cc_fuzz {
- name: "trusty_confirmationui_fuzzer",
+ name: "trusty_confirmationui_tipc_fuzzer",
 defaults: ["trusty_fuzzer_defaults"],
- srcs: ["fuzz.cpp"],
+ srcs: [":trusty_tipc_fuzzer"],
+ cflags: [
+ "-DTRUSTY_APP_PORT=\"com.android.trusty.confirmationui\"",
+ "-DTRUSTY_APP_UUID=\"7dee2364-c036-425b-b086-df0f6c233c1b\"",
+ "-DTRUSTY_APP_FILENAME=\"confirmationui.syms.elf\"",
+ ],
- // The initial corpus for this fuzzer was derived by dumping bytes from
- // ConfirmationUI VTS.
- corpus: ["corpus/*"],
+}
+
+cc_fuzz {
+ name: "trusty_confirmationui_msg_fuzzer",
+ defaults: ["trusty_fuzzer_defaults"],
+ srcs: ["msg_fuzzer.cpp"],
+ include_dirs: ["system/core/trusty/confirmationui/include"],
+ shared_libs: [
+ "libdmabufheap",
+ ],
+
+ // The initial corpus for this fuzzer was derived by dumping messages from/to
+ // HAL to/from TA triggered by VtsHalConfirmationUIV1_0TargetTest.
+ corpus: ["msg_corpus/*"],
 }
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2 b/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2
Binary files differ
deleted file mode 100644
index 53fe0c99f..000000000
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-2ekYc2
+++ /dev/null
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq b/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq
Binary files differ
deleted file mode 100644
index bda80fdbc..000000000
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-6l8Soq
+++ /dev/null
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO b/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO
Binary files differ
deleted file mode 100644
index 5adf90513..000000000
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-7kFpGO
+++ /dev/null
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3 b/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3
Binary files differ
deleted file mode 100644
index 5adf90513..000000000
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-92m2f3
+++ /dev/null
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO b/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO
Binary files differ
deleted file mode 100644
index 5adf90513..000000000
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-ALYIzO
+++ /dev/null
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR b/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR
Binary files differ
deleted file mode 100644
index f5854f833..000000000
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-AcIMhR
+++ /dev/null
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi b/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi
Binary files differ
deleted file mode 100644
index 5adf90513..000000000
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-AieaIi
+++ /dev/null
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j b/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j
Binary files differ
deleted file mode 100644
index 5adf90513..000000000
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-BdqX5j
+++ /dev/null
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs b/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs
Binary files differ
deleted file mode 100644
index 5adf90513..000000000
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-JBPIGs
+++ /dev/null
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T b/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T
Binary files differ
deleted file mode 100644
index 0dc6e91f7..000000000
--- a/trusty/confirmationui/fuzz/corpus/confirmationui-MWHw4T
+++ /dev/null
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO b/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO Binary files differdeleted file mode 100644 index 927d64dd9..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-TZzVLO +++ /dev/null diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B b/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B Binary files differdeleted file mode 100644 index 5adf90513..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-WwdA3B +++ /dev/null diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-globJV b/trusty/confirmationui/fuzz/corpus/confirmationui-globJV Binary files differdeleted file mode 100644 index 5adf90513..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-globJV +++ /dev/null diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD b/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD Binary files differdeleted file mode 100644 index 87870ca7e..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-hzUgjD +++ /dev/null diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o b/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o Binary files differdeleted file mode 100644 index 0b274bf90..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-jXC78o +++ /dev/null diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni b/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni Binary files differdeleted file mode 100644 index 5adf90513..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-kykxni +++ /dev/null diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t b/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t Binary files differdeleted file mode 100644 index 87870ca7e..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-npHe8t +++ /dev/null 
diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI b/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI Binary files differdeleted file mode 100644 index 87870ca7e..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-rPgnyI +++ /dev/null diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me b/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me Binary files differdeleted file mode 100644 index 5adf90513..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-uCJ1Me +++ /dev/null diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK b/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK Binary files differdeleted file mode 100644 index 5adf90513..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-wAQEjK +++ /dev/null diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks b/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks Binary files differdeleted file mode 100644 index b4a1c49ef..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-xjtOks +++ /dev/null diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN b/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN Binary files differdeleted file mode 100644 index 5adf90513..000000000 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-zKFIjN +++ /dev/null diff --git a/trusty/confirmationui/fuzz/fuzz.cpp b/trusty/confirmationui/fuzz/fuzz.cpp deleted file mode 100644 index df2517c8c..000000000 --- a/trusty/confirmationui/fuzz/fuzz.cpp +++ /dev/null 
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <iostream>
-#include <stdlib.h>
-#include <trusty/coverage/coverage.h>
-#include <trusty/fuzz/counters.h>
-#include <trusty/fuzz/utils.h>
-#include <unistd.h>
-
-using android::trusty::coverage::CoverageRecord;
-using android::trusty::fuzz::ExtraCounters;
-using android::trusty::fuzz::TrustyApp;
-
-#define TIPC_DEV "/dev/trusty-ipc-dev0"
-#define CONFIRMATIONUI_PORT "com.android.trusty.confirmationui"
-#define CONFIRMATIONUI_MODULE_NAME "confirmationui.syms.elf"
-
-/* ConfirmationUI TA's UUID is 7dee2364-c036-425b-b086-df0f6c233c1b */
-static struct uuid confirmationui_uuid = {
-    0x7dee2364,
-    0xc036,
-    0x425b,
-    {0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b},
-};
-
-/* The format of the packets is as following:
- * 16 bits (uint16_t, header) + payload bytes
- * The 16 bits header spicify the number of bytes of payload (header excluded).
- */
-struct data_packet {
-    uint16_t header;
-    uint8_t payload[];
-};
-
-static CoverageRecord record(TIPC_DEV, &confirmationui_uuid, CONFIRMATIONUI_MODULE_NAME);
-
-extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
-    auto ret = record.Open();
-    if (!ret.ok()) {
-        std::cerr << ret.error() << std::endl;
-        exit(-1);
-    }
-    return 0;
-}
-
-/* Each corpus contains one or more data packets.
*/
-extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
-    static uint8_t buf[TIPC_MAX_MSG_SIZE];
-    size_t data_idx = 0;
-
-    ExtraCounters counters(&record);
-    counters.Reset();
-
-    TrustyApp ta(TIPC_DEV, CONFIRMATIONUI_PORT);
-    auto ret = ta.Connect();
-    if (!ret.ok()) {
-        android::trusty::fuzz::Abort();
-    }
-
-    while (data_idx < size) {
-        struct data_packet* data_packet_ptr = (struct data_packet*)&data[data_idx];
-        size_t payload_size = data_packet_ptr->header;
-        data_idx += data_packet_ptr->header + sizeof(data_packet_ptr->header);
-
-        /* Write message to confirmationui server */
-        ret = ta.Write(data_packet_ptr->payload, payload_size);
-        if (!ret.ok()) {
-            return -1;
-        }
-
-        /* Read message from confirmationui server */
-        ret = ta.Read(&buf, sizeof(buf));
-        if (!ret.ok()) {
-            return -1;
-        }
-    }
-
-    return 0;
-}
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-0AD0Mc b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-0AD0Mc
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-0AD0Mc
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-1b1UIl b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-1b1UIl
Binary files differ
new file mode 100644
index 000000000..c8741fbdf
--- /dev/null
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-1b1UIl
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-3hmWyl b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-3hmWyl
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-3hmWyl
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7FNOdd b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7FNOdd
Binary files differ
new file mode 100644
index 000000000..556828d24
--- /dev/null
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7FNOdd
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7T30a0 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7T30a0 new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-7T30a0 diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-86EumR b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-86EumR Binary files differnew file mode 100644 index 000000000..556828d24 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-86EumR diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-89b64b b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-89b64b Binary files differnew file mode 100644 index 000000000..168242791 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-89b64b diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-8UVUCK b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-8UVUCK Binary files differnew file mode 100644 index 000000000..556828d24 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-8UVUCK diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BSmqJ0 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BSmqJ0 new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BSmqJ0 diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BdUGLb b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BdUGLb new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-BdUGLb diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-D2ENNi b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-D2ENNi new file mode 100644 index 000000000..e69de29bb --- /dev/null 
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-D2ENNi diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-EwBsPi b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-EwBsPi Binary files differnew file mode 100644 index 000000000..d48e5a167 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-EwBsPi diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-HjE2Ko b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-HjE2Ko Binary files differnew file mode 100644 index 000000000..556828d24 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-HjE2Ko diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-J5OABY b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-J5OABY Binary files differnew file mode 100644 index 000000000..556828d24 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-J5OABY diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-LUVKQn b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-LUVKQn new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-LUVKQn diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-MdY9ZS b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-MdY9ZS new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-MdY9ZS diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-NZ8yUq b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-NZ8yUq Binary files differnew file mode 100644 index 000000000..6f72ad5c5 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-NZ8yUq 
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OP4Vff b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OP4Vff Binary files differnew file mode 100644 index 000000000..64a159c58 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OP4Vff diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OizTST b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OizTST Binary files differnew file mode 100644 index 000000000..556828d24 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-OizTST diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-QTsc3y b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-QTsc3y new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-QTsc3y diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-S055ei b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-S055ei Binary files differnew file mode 100644 index 000000000..556828d24 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-S055ei diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-VDguJL b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-VDguJL new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-VDguJL diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ZjDqjf b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ZjDqjf new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ZjDqjf diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bMNGfb b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bMNGfb new file mode 100644 index 000000000..e69de29bb --- /dev/null 
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bMNGfb diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bm0GEm b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bm0GEm Binary files differnew file mode 100644 index 000000000..556828d24 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-bm0GEm diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-cT2nt8 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-cT2nt8 Binary files differnew file mode 100644 index 000000000..556828d24 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-cT2nt8 diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-e1NLbb b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-e1NLbb Binary files differnew file mode 100644 index 000000000..64a159c58 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-e1NLbb diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-eOCb7t b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-eOCb7t Binary files differnew file mode 100644 index 000000000..64a159c58 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-eOCb7t diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-h7Gpzu b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-h7Gpzu Binary files differnew file mode 100644 index 000000000..556828d24 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-h7Gpzu diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ikJlIo b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ikJlIo new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ikJlIo 
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-kxugwp b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-kxugwp new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-kxugwp diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-mY8uM5 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-mY8uM5 Binary files differnew file mode 100644 index 000000000..556828d24 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-mY8uM5 diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-nuYOin b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-nuYOin new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-nuYOin diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-obk0rP b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-obk0rP Binary files differnew file mode 100644 index 000000000..8be96c587 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-obk0rP diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-vg2hAB b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-vg2hAB new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-vg2hAB diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ysk3Rj b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ysk3Rj new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-recv-ysk3Rj diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-2upXHa b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-2upXHa Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null 
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-2upXHa diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-3n7SWz b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-3n7SWz Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-3n7SWz diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-5SZG4U b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-5SZG4U Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-5SZG4U diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-8uL1hT b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-8uL1hT Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-8uL1hT diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Anu8LZ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Anu8LZ Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Anu8LZ diff --git a/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BFP3vG Binary files differindex d627b01a0..b944d949a 100644 --- a/trusty/confirmationui/fuzz/corpus/confirmationui-5yTG3f +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BFP3vG diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BjxIpX b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BjxIpX Binary files differnew file mode 100644 index 000000000..1d9374d4b --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-BjxIpX 
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-DBzfWz b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-DBzfWz Binary files differnew file mode 100644 index 000000000..b3be8cd7a --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-DBzfWz diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GPOMKC b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GPOMKC Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GPOMKC diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GWcpFn b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GWcpFn Binary files differnew file mode 100644 index 000000000..4190adf33 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-GWcpFn diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-HkRYSS b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-HkRYSS Binary files differnew file mode 100644 index 000000000..1d9374d4b --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-HkRYSS diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-LAyw30 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-LAyw30 Binary files differnew file mode 100644 index 000000000..38e3fca1c --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-LAyw30 diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-MtGRnC b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-MtGRnC Binary files differnew file mode 100644 index 000000000..4190adf33 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-MtGRnC diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-PpfYNn b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-PpfYNn Binary files differnew file mode 100644 index 000000000..7392034c2 
--- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-PpfYNn diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-SVKqZi b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-SVKqZi Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-SVKqZi diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Suxofv b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Suxofv Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Suxofv diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-UQPTAG b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-UQPTAG Binary files differnew file mode 100644 index 000000000..4190adf33 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-UQPTAG diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Up2pbn b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Up2pbn Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-Up2pbn diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZjgVzs b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZjgVzs Binary files differnew file mode 100644 index 000000000..cbfd07a97 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZjgVzs diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZuQuBC b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZuQuBC Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ZuQuBC 
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-bWlzZp b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-bWlzZp Binary files differnew file mode 100644 index 000000000..ecaec1233 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-bWlzZp diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-dPozfE b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-dPozfE Binary files differnew file mode 100644 index 000000000..58b1526a2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-dPozfE diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-e952U6 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-e952U6 Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-e952U6 diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-f7ly1r b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-f7ly1r Binary files differnew file mode 100644 index 000000000..af570ea46 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-f7ly1r diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-hme7P0 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-hme7P0 Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-hme7P0 diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-k7J5LL b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-k7J5LL Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-k7J5LL diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-rUtYXs b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-rUtYXs Binary files differnew file mode 100644 index 000000000..e4b99fb7a 
--- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-rUtYXs diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-sq5ang b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-sq5ang Binary files differnew file mode 100644 index 000000000..d1149560d --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-sq5ang diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-uOtedb b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-uOtedb Binary files differnew file mode 100644 index 000000000..6caf7ddb6 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-uOtedb diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vGoOUt b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vGoOUt Binary files differnew file mode 100644 index 000000000..7392034c2 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vGoOUt diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vqAG14 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vqAG14 Binary files differnew file mode 100644 index 000000000..ecaec1233 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-vqAG14 diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xKDdTw b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xKDdTw Binary files differnew file mode 100644 index 000000000..36445d957 --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xKDdTw diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xT4sJC b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xT4sJC Binary files differnew file mode 100644 index 000000000..f6c6dcf6b --- /dev/null +++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-xT4sJC 
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypshr5 b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypshr5
Binary files differ
new file mode 100644
index 000000000..7392034c2
--- /dev/null
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypshr5
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypzCDH b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypzCDH
Binary files differ
new file mode 100644
index 000000000..d6ba1fc10
--- /dev/null
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-ypzCDH
diff --git a/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-zZNPRC b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-zZNPRC
Binary files differ
new file mode 100644
index 000000000..7392034c2
--- /dev/null
+++ b/trusty/confirmationui/fuzz/msg_corpus/confirmationui-send-zZNPRC
diff --git a/trusty/confirmationui/fuzz/msg_fuzzer.cpp b/trusty/confirmationui/fuzz/msg_fuzzer.cpp
new file mode 100644
index 000000000..8e4443c78
--- /dev/null
+++ b/trusty/confirmationui/fuzz/msg_fuzzer.cpp
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <BufferAllocator/BufferAllocator.h>
+#include <TrustyIpc.h>
+#include <iostream>
+#include <stdlib.h>
+#include <sys/mman.h>
+#include <time.h>
+#include <trusty/coverage/coverage.h>
+#include <trusty/fuzz/counters.h>
+#include <trusty/fuzz/utils.h>
+#include <trusty/tipc.h>
+#include <unistd.h>
+
+using android::trusty::coverage::CoverageRecord;
+using android::trusty::fuzz::ExtraCounters;
+using android::trusty::fuzz::TrustyApp;
+
+#define countof(arr) (sizeof(arr) / sizeof(arr[0]))
+
+#define TIPC_DEV "/dev/trusty-ipc-dev0"
+#define CONFIRMATIONUI_PORT "com.android.trusty.confirmationui"
+#define CONFIRMATIONUI_MODULE_NAME "confirmationui.syms.elf"
+
+/* A request to render to screen may take a while.
*/
+const size_t kTimeoutSeconds = 30;
+
+/* ConfirmationUI TA's UUID is 7dee2364-c036-425b-b086-df0f6c233c1b */
+static struct uuid confirmationui_uuid = {
+    0x7dee2364,
+    0xc036,
+    0x425b,
+    {0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b},
+};
+
+static CoverageRecord record(TIPC_DEV, &confirmationui_uuid, CONFIRMATIONUI_MODULE_NAME);
+
+static android::base::unique_fd dma_buf;
+static void* shm_base;
+
+extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
+    auto ret = record.Open();
+    if (!ret.ok()) {
+        std::cerr << ret.error() << std::endl;
+        exit(-1);
+    }
+
+    BufferAllocator allocator;
+    dma_buf.reset(allocator.Alloc(kDmabufSystemHeapName, CONFIRMATIONUI_MAX_MSG_SIZE));
+    if (dma_buf < 0) {
+        std::cerr << "Failed to allocate dma_buf" << std::endl;
+        exit(-1);
+    }
+
+    shm_base = mmap(0, CONFIRMATIONUI_MAX_MSG_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, dma_buf, 0);
+    if (shm_base == MAP_FAILED) {
+        std::cerr << "Failed to mmap() dma_buf" << std::endl;
+        exit(-1);
+    }
+
+    return 0;
+}
+
+static bool Init(int chan, int dma_buf) {
+    confirmationui_hdr hdr = {
+        .cmd = CONFIRMATIONUI_CMD_INIT,
+    };
+    confirmationui_init_req args = {
+        .shm_len = CONFIRMATIONUI_MAX_MSG_SIZE,
+    };
+    iovec iov[] = {
+        {
+            .iov_base = &hdr,
+            .iov_len = sizeof(hdr),
+        },
+        {
+            .iov_base = &args,
+            .iov_len = sizeof(args),
+        },
+    };
+    trusty_shm shm = {
+        .fd = dma_buf,
+        .transfer = TRUSTY_SHARE,
+    };
+
+    int rc = tipc_send(chan, iov, countof(iov), &shm, 1);
+    if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
+        return false;
+    }
+
+    rc = read(chan, &hdr, sizeof(hdr));
+    if (rc != static_cast<int>(sizeof(hdr))) {
+        return false;
+    }
+
+    return true;
+}
+
+static bool Msg(int chan, const uint8_t* data, size_t size) {
+    confirmationui_hdr hdr = {
+        .cmd = CONFIRMATIONUI_CMD_MSG,
+    };
+    confirmationui_msg_args args = {
+        .msg_len = static_cast<uint32_t>(size),
+    };
+    iovec iov[] = {
+        {
+            .iov_base = &hdr,
+            .iov_len = sizeof(hdr),
+        },
+        {
+            .iov_base = &args,
+            .iov_len = sizeof(args),
+        },
+    };
+
+    memset(shm_base, 0, CONFIRMATIONUI_MAX_MSG_SIZE);
+    memcpy(shm_base, data, size);
+
+    int rc = tipc_send(chan, iov, countof(iov), NULL, 0);
+    if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
+        return false;
+    }
+
+    rc = readv(chan, iov, countof(iov));
+    if (rc != static_cast<int>(sizeof(hdr) + sizeof(args))) {
+        return false;
+    }
+
+    return true;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+    ExtraCounters counters(&record);
+    counters.Reset();
+
+    TrustyApp ta(TIPC_DEV, CONFIRMATIONUI_PORT);
+    auto ret = ta.Connect();
+    if (!ret.ok()) {
+        android::trusty::fuzz::Abort();
+    }
+    int chan = *ta.GetRawFd();
+
+    alarm(kTimeoutSeconds);
+    bool success = Init(chan, dma_buf);
+    alarm(0);
+    if (!success) {
+        android::trusty::fuzz::Abort();
+    }
+
+    alarm(kTimeoutSeconds);
+    success = Msg(chan, data, size);
+    alarm(0);
+    if (!success) {
+        android::trusty::fuzz::Abort();
+    }
+
+    return 0;
+} |
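Review bot: `Msg()` copies `size` bytes into the `CONFIRMATIONUI_MAX_MSG_SIZE`-byte shared buffer (`memcpy(shm_base, data, size)`) without bounding `size`, so a fuzzer input longer than the buffer, which nothing visible prevents since `-max_len` is not constrained in the build rule, overruns the mmap'd dma_buf in the harness itself instead of exercising the TA. Add `if (size > CONFIRMATIONUI_MAX_MSG_SIZE) return 0;` at the top of `LLVMFuzzerTestOneInput` (or clamp `size` before calling `Msg()`), which also keeps the `static_cast<uint32_t>(size)` stored in `msg_len` honest. Separately, on Linux `alarm()` shares the process's ITIMER_REAL with `setitimer()`, which libFuzzer uses for its own `-timeout` watchdog, so the `alarm(kTimeoutSeconds)` / `alarm(0)` pairs around `Init()` and `Msg()` likely cancel the fuzzer's per-input timeout for the rest of the run, and an unhandled SIGALRM from the 30s cap would kill the process rather than be reported as a timeout; if a hard cap on a hung TA round-trip is wanted, a comment explaining the interaction or a read timeout on `chan` would be clearer, worth confirming against the libFuzzer runtime in use. Minor: `Init()` re-shares the same dma_buf with the TA on every input over a fresh connection, so `kTimeoutSeconds` could also carry a comment stating that the per-input cost includes that `TRUSTY_SHARE` handshake.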