werunplugged/unplugged-system
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
unplugged-system/frameworks/av/media/mtp/tests/MtpFuzzer/mtp_fuzzer.cpp

229 lines
8.6 KiB
C++
Raw Permalink Normal View History

Initial commit: AOSP 14 with modifications for Unplugged OS
2025-10-06 13:59:42 +00:00
/*
* Copyright (C) 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <android-base/properties.h>
#include <android-base/unique_fd.h>
#include <fuzzer/FuzzedDataProvider.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <filesystem>
#include <fstream>
#include <string>
#define LOG_TAG "MtpFuzzer"
#include "IMtpHandle.h"
#include "MtpMockDatabase.h"
#include "MtpMockHandle.h"
#include "MtpObjectInfo.h"
#include "MtpServer.h"
#include "MtpStorage.h"
#include "MtpUtils.h"
constexpr int32_t kMinFiles = 0;
constexpr int32_t kMaxFiles = 5;
constexpr int32_t kMaxBytes = 128;
constexpr float kMinDataSizeFactor = 0.8;
// prefer tmpfs for file operations to avoid wearing out flash
const char* storage_path = "/storage/fuzzer/0";
const char* source_database = "/data/local/tmp/srcdb/";
const std::string test_path = std::string(source_database) + "TestDir/";
const std::string kPropertyKey = "sys.fuse.transcode_mtp";
namespace android {
class MtpMockServer {
public:
MtpMockServer(const uint8_t* data, size_t size) : mFdp(data, size) {
// This is unused in our harness
int controlFd = -1;
mHandle = std::make_unique<MtpMockHandle>();
mStorage = std::make_unique<MtpStorage>(
mFdp.ConsumeIntegral<uint32_t>() /* storageId */, storage_path,
mFdp.ConsumeRandomLengthString(kMaxBytes).c_str() /* descriptor */,
mFdp.ConsumeBool() /* removable */,
mFdp.ConsumeIntegral<uint64_t>() /* maxFileSize */);
mDatabase = std::make_unique<MtpMockDatabase>();
mDatabase->addStorage(mStorage.get());
init(data, size);
mMtp = std::make_unique<MtpServer>(
mDatabase.get(), controlFd, mFdp.ConsumeBool() /* ptp */,
mFdp.ConsumeRandomLengthString(kMaxBytes).c_str() /* manu */,
mFdp.ConsumeRandomLengthString(kMaxBytes).c_str() /* model */,
mFdp.ConsumeRandomLengthString(kMaxBytes).c_str() /* version */,
mFdp.ConsumeRandomLengthString(kMaxBytes).c_str() /* serial */);
mMtp->addStorage(mStorage.get());
// clear the old handle first, so we don't leak memory
delete mMtp->mHandle;
mMtp->mHandle = mHandle.get();
}
void process() {
if (mFdp.ConsumeBool()) {
createDatabaseFromSourceDir(source_database, storage_path, MTP_PARENT_ROOT);
}
while (mFdp.remaining_bytes()) {
MtpStorage storage(mFdp.ConsumeIntegral<uint32_t>() /* id */,
mFdp.ConsumeRandomLengthString(kMaxBytes).c_str() /* filePath */,
mFdp.ConsumeRandomLengthString(kMaxBytes).c_str() /* description */,
mFdp.ConsumeBool() /* removable */,
mFdp.ConsumeIntegral<uint64_t>() /* maxFileSize */);
auto invokeMtpServerAPI = mFdp.PickValueInArray<const std::function<void()>>({
[&]() { mMtp->run(); },
[&]() { mMtp->sendObjectAdded(mFdp.ConsumeIntegral<uint32_t>()); },
[&]() { mMtp->sendObjectRemoved(mFdp.ConsumeIntegral<uint32_t>()); },
[&]() { mMtp->sendObjectInfoChanged(mFdp.ConsumeIntegral<uint32_t>()); },
[&]() { mMtp->sendDevicePropertyChanged(mFdp.ConsumeIntegral<uint16_t>()); },
[&]() { mMtp->addStorage(&storage); },
[&]() { mMtp->removeStorage(&storage); },
});
invokeMtpServerAPI();
}
std::filesystem::remove_all(source_database);
}
private:
void createFiles(std::string path, size_t fileCount) {
std::ofstream file;
for (size_t idx = 0; idx < fileCount; ++idx) {
file.open(path.append(std::to_string(idx)));
file.close();
}
}
void addPackets(const uint8_t* data, size_t size) {
size_t off = 0;
for (size_t i = 0; i < size; ++i) {
// A longer delimiter could be used, but this worked in practice
if (data[i] == '@') {
size_t pktsz = i - off;
if (pktsz > 0) {
packet_t pkt = packet_t((unsigned char*)data + off, (unsigned char*)data + i);
// insert into packet buffer
mHandle->add_packet(pkt);
off = i;
}
}
}
}
void init(const uint8_t* data, size_t size) {
std::vector<uint8_t> packetData = mFdp.ConsumeBytes<uint8_t>(
mFdp.ConsumeIntegralInRange<int32_t>(kMinDataSizeFactor * size, size));
// Packetize the input stream
addPackets(packetData.data(), packetData.size());
// Setting the property to true/false to randomly fuzz the PoC depended on it
base::SetProperty(kPropertyKey, mFdp.ConsumeBool() ? "true" : "false");
std::filesystem::create_directories(source_database);
if (mFdp.ConsumeBool()) {
std::filesystem::create_directories(test_path);
createFiles(test_path, mFdp.ConsumeIntegralInRange<size_t>(kMinFiles, kMaxFiles));
}
createFiles(source_database, mFdp.ConsumeIntegralInRange<size_t>(kMinFiles, kMaxFiles));
}
int createDatabaseFromSourceDir(const char* fromPath, const char* toPath,
MtpObjectHandle parentHandle) {
int ret = 0;
std::string fromPathStr(fromPath);
std::string toPathStr(toPath);
DIR* dir = opendir(fromPath);
if (!dir) {
ALOGE("opendir %s failed", fromPath);
return -1;
}
if (fromPathStr[fromPathStr.size() - 1] != '/') fromPathStr += '/';
if (toPathStr[toPathStr.size() - 1] != '/') toPathStr += '/';
struct dirent* entry;
while ((entry = readdir(dir))) {
const char* name = entry->d_name;
// ignore "." and ".."
if (name[0] == '.' && (name[1] == 0 || (name[1] == '.' && name[2] == 0))) {
continue;
}
std::string oldFile = fromPathStr + name;
std::string newFile = toPathStr + name;
if (entry->d_type == DT_DIR) {
ret += makeFolder(newFile.c_str());
MtpObjectInfo* objectInfo = new MtpObjectInfo(mDatabase->allocateObjectHandle());
objectInfo->mStorageID = mStorage->getStorageID();
objectInfo->mParent = parentHandle;
objectInfo->mFormat = MTP_FORMAT_ASSOCIATION; // folder
objectInfo->mName = strdup(name);
objectInfo->mKeywords = strdup("");
mDatabase->addObject(objectInfo);
ret += createDatabaseFromSourceDir(oldFile.c_str(), newFile.c_str(),
objectInfo->mHandle);
} else {
ret += copyFile(oldFile.c_str(), newFile.c_str());
MtpObjectInfo* objectInfo = new MtpObjectInfo(mDatabase->allocateObjectHandle());
objectInfo->mStorageID = mStorage->getStorageID();
objectInfo->mParent = parentHandle;
objectInfo->mFormat = MTP_FORMAT_TEXT;
objectInfo->mName = strdup(name);
objectInfo->mKeywords = strdup("");
mDatabase->addObject(objectInfo);
}
}
closedir(dir);
return ret;
}
FuzzedDataProvider mFdp;
std::unique_ptr<MtpMockHandle> mHandle;
std::unique_ptr<MtpStorage> mStorage;
std::unique_ptr<MtpMockDatabase> mDatabase;
std::unique_ptr<MtpServer> mMtp;
};
}; // namespace android
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) __attribute__((optnone)) {
// reset our storage (from MtpUtils.h)
android::deletePath(storage_path);
android::makeFolder("/storage/fuzzer");
android::makeFolder(storage_path);
std::unique_ptr<android::MtpMockServer> mtp =
std::make_unique<android::MtpMockServer>(data, size);
mtp->process();
std::filesystem::remove_all("/storage/fuzzer");
return 0;
}
Reference in New Issue Copy Permalink