1 /*
2 * Copyright (C) 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>

#include <functional>
#include <memory>
#include <optional>
#include <string>
#include <utility>
#include <vector>

#include "perfetto/base/logging.h"
#include "perfetto/base/task_runner.h"
#include "perfetto/ext/base/utils.h"
#include "perfetto/ext/tracing/core/producer.h"
#include "perfetto/ext/tracing/core/trace_writer.h"
#include "perfetto/ext/tracing/ipc/producer_ipc_client.h"
#include "perfetto/ext/tracing/ipc/service_ipc_host.h"
#include "perfetto/tracing/core/data_source_config.h"
#include "perfetto/tracing/core/data_source_descriptor.h"
#include "perfetto/tracing/default_socket.h"
#include "protos/perfetto/trace/test_event.pbzero.h"
#include "protos/perfetto/trace/trace_packet.pbzero.h"
#include "src/base/test/test_task_runner.h"
#include "test/test_helper.h"
36
// If we're building on Android and starting the daemons ourselves,
// create the sockets in a world-writable location.
//
// NOTE(review): because /data/local/tmp is world-writable, presumably any
// other local process on the device can connect to (or pre-create a file at)
// this socket path while the fuzzer runs. That is tolerable only for a test
// harness that spawns its own daemons; it must never leak into a production
// configuration. Whether a stale/squatted file at this path is unlinked before
// the daemon binds is not visible here — TODO confirm in the daemon startup.
//
// Both expansions are passed where a `const char*` is expected
// (FakeProducer::Connect), so GetProducerSocket() presumably yields one.
#if PERFETTO_BUILDFLAG(PERFETTO_OS_ANDROID) && \
    PERFETTO_BUILDFLAG(PERFETTO_START_DAEMONS)
#define TEST_PRODUCER_SOCK_NAME "/data/local/tmp/traced_producer"
#else
#define TEST_PRODUCER_SOCK_NAME ::perfetto::GetProducerSocket()
#endif
45
46 namespace perfetto {
47 namespace shm_fuzz {
48 namespace {
49
50 // Fake producer writing a protozero message of data into shared memory
51 // buffer, followed by a sentinel message to signal completion to the
52 // consumer.
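// Fake producer writing a protozero message of data into shared memory
// buffer, followed by a sentinel message to signal completion to the
// consumer.
//
// The bytes handed to the constructor are the raw fuzzer input. They are
// copied into the trace packet deliberately unvalidated: the purpose of the
// harness is to exercise the service with arbitrary (most likely malformed)
// protobuf content arriving through the shared memory buffer. |data| is
// borrowed, not owned; the caller must keep it alive until StartDataSource
// has run.
class FakeProducer : public Producer {
 public:
  // |name| is the data source name registered in OnConnect().
  // |on_produced_and_committed| is handed to the final Flush() and runs once
  // the sentinel packet has been committed.
  FakeProducer(std::string name,
               const uint8_t* data,
               size_t size,
               std::function<void()> on_produced_and_committed)
      : name_(std::move(name)),
        data_(data),
        size_(size),
        // Sink parameter: move it into place rather than copying the
        // std::function.
        on_produced_and_committed_(std::move(on_produced_and_committed)) {}

  // Connects to the service's producer socket at |socket_name|; Producer
  // callbacks are then delivered on |task_runner|.
  void Connect(const char* socket_name, base::TaskRunner* task_runner) {
    endpoint_ = ProducerIPCClient::Connect(
        socket_name, this, "android.perfetto.FakeProducer", task_runner);
  }

  // Producer implementation.
  void OnConnect() override {
    DataSourceDescriptor descriptor;
    descriptor.set_name(name_);
    endpoint_->RegisterDataSource(descriptor);
  }

  void OnDisconnect() override {}

  void SetupDataSource(DataSourceInstanceID, const DataSourceConfig&) override {
  }

  // Writes the fuzz payload as one packet and flushes it, then writes the
  // "end" sentinel packet and flushes again, this time with the completion
  // callback attached.
  void StartDataSource(DataSourceInstanceID,
                       const DataSourceConfig& source_config) override {
    // Narrowing cast. The config built in this file targets buffer 0, so the
    // value fits; presumably BufferID is narrower than target_buffer() —
    // re-check if this producer is ever driven by another config.
    auto trace_writer = endpoint_->CreateTraceWriter(
        static_cast<BufferID>(source_config.target_buffer()));
    {
      // Raw, unvalidated bytes on purpose: this is the fuzz input.
      auto packet = trace_writer->NewTracePacket();
      packet->AppendRawProtoBytes(data_, size_);
    }
    trace_writer->Flush();

    {
      auto end_packet = trace_writer->NewTracePacket();
      end_packet->set_for_testing()->set_str("end");
    }
    // trace_writer is released when this method returns; the callback passed
    // here is expected to fire regardless of the writer's lifetime. If the
    // harness ever hangs at the checkpoint, confirm that assumption first.
    trace_writer->Flush(on_produced_and_committed_);
  }

  void StopDataSource(DataSourceInstanceID) override {}
  void OnTracingSetup() override {}
  void Flush(FlushRequestID,
             const DataSourceInstanceID*,
             size_t,
             FlushFlags) override {}
  void ClearIncrementalState(const DataSourceInstanceID*, size_t) override {}

 private:
  const std::string name_;
  const uint8_t* data_;  // Borrowed fuzz input; see class comment.
  const size_t size_;
  std::unique_ptr<TracingService::ProducerEndpoint> endpoint_;
  std::function<void()> on_produced_and_committed_;
};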
112
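// Owns a dedicated thread on which a FakeProducer lives. Creation, connection
// and teardown of the producer all happen on that thread through
// PostTaskAndWaitForTesting, so the calling thread never touches the producer
// directly. |data| is borrowed (it is the fuzz input) and must outlive this
// object.
class FuzzerFakeProducerThread {
 public:
  FuzzerFakeProducerThread(const uint8_t* data,
                           size_t size,
                           std::function<void()> on_produced_and_committed)
      : data_(data),
        size_(size),
        // Sink parameter: move instead of copying the std::function.
        on_produced_and_committed_(std::move(on_produced_and_committed)) {}

  // Destroys the producer on its own thread, synchronously, before runner_
  // itself is destroyed (as the last member). Nothing to do if Connect() was
  // never called.
  ~FuzzerFakeProducerThread() {
    if (!runner_)
      return;
    runner_->PostTaskAndWaitForTesting([this]() { producer_.reset(); });
  }

  // Starts the producer thread and, on it, creates the FakeProducer and
  // connects it to TEST_PRODUCER_SOCK_NAME. Blocks until that has happened,
  // which is what makes the [this] capture safe.
  void Connect() {
    runner_ = base::ThreadTaskRunner::CreateAndStart("perfetto.prd.fake");
    runner_->PostTaskAndWaitForTesting([this]() {
      producer_ = std::make_unique<FakeProducer>(
          "android.perfetto.FakeProducer", data_, size_,
          on_produced_and_committed_);
      producer_->Connect(TEST_PRODUCER_SOCK_NAME, runner_->get());
    });
  }

 private:
  // Keep first: members are destroyed in reverse declaration order, so the
  // runner (and, presumably, its thread) goes away last — after the
  // destructor above has already reset producer_ on that thread.
  std::optional<base::ThreadTaskRunner> runner_;

  std::unique_ptr<FakeProducer> producer_;
  const uint8_t* data_;  // Borrowed; see class comment.
  const size_t size_;
  std::function<void()> on_produced_and_committed_;
};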
145
// TestHelper variant for fuzzing. The consumer side has to accept whatever
// comes back: with fuzz input as the payload, corrupted trace data is the
// expected outcome rather than a failure.
class FuzzTestHelper : public TestHelper {
 public:
  explicit FuzzTestHelper(base::TestTaskRunner* task_runner)
      : TestHelper(task_runner) {}

  // Intentionally a no-op: the packets are dropped unread. Presumably the base
  // implementation verifies them, which would fail on the expected corruption.
  void ReadTraceData(std::vector<TracePacket> /*packets*/) override {}
};
153
int FuzzSharedMemory(const uint8_t* data, size_t size);

// One fuzz iteration: start the service if this build requires it, attach a
// producer that writes |data| into the shared memory buffer, run a trace
// against an 8 KB buffer, and read the result back through the consumer.
// Always returns 0; the harness's only signal is the service surviving the
// input, not the content of what comes back (see FuzzTestHelper).
int FuzzSharedMemory(const uint8_t* data, size_t size) {
  constexpr char kCheckpoint[] = "produced.and.committed";

  base::TestTaskRunner task_runner;
  FuzzTestHelper helper(&task_runner);
  helper.StartServiceIfRequired();

  // Reached once the producer's sentinel packet has been committed. The
  // callback is handed to the producer thread; WrapTask presumably routes it
  // back onto |task_runner| so RunUntilCheckpoint can observe it.
  auto produced_and_committed =
      helper.WrapTask(task_runner.CreateCheckpoint(kCheckpoint));
  FuzzerFakeProducerThread producer_thread(data, size, produced_and_committed);
  producer_thread.Connect();

  helper.ConnectConsumer();
  helper.WaitForConsumerConnect();

  TraceConfig trace_config;
  trace_config.add_buffers()->set_size_kb(8);
  auto* data_source = trace_config.add_data_sources()->mutable_config();
  data_source->set_name("android.perfetto.FakeProducer");
  data_source->set_target_buffer(0);

  helper.StartTracing(trace_config);
  task_runner.RunUntilCheckpoint(kCheckpoint);

  helper.ReadData();
  helper.WaitForReadData();
  return 0;
}
185
186 } // namespace
187 } // namespace shm_fuzz
188 } // namespace perfetto
189
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);

// libFuzzer entry point. Each call is one iteration over |data|; the harness
// always reports 0, so the return value carries no signal by itself.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  using ::perfetto::shm_fuzz::FuzzSharedMemory;
  return FuzzSharedMemory(data, size);
}
195