# Fuzzer for libcmd_fuzzer

## Plugin Design Considerations
The fuzzer plugin for libcmd is designed based on the understanding of the library and tries to achieve the following:

##### Maximize code coverage
The configuration parameters are not hardcoded, but instead selected based on
incoming data. This ensures more code paths are reached by the fuzzer.

libcmd supports the following parameters:
1. In (parameter name: `in`)
2. Out (parameter name: `out`)
3. Err (parameter name: `err`)
4. Run Mode (parameter name: `runMode`)

| Parameter | Valid Values | Configured Value |
|-----------|--------------|------------------|
| `in` | `INT32_MIN` to `INT32_MAX` | Value obtained from FuzzedDataProvider |
| `out` | `INT32_MIN` to `INT32_MAX` | Value obtained from FuzzedDataProvider |
| `err` | `INT32_MIN` to `INT32_MAX` | Value obtained from FuzzedDataProvider |
| `runMode` | 1. `RunMode::kStandalone` 2. `RunMode::kLibrary` | Value chosen from valid values using FuzzedDataProvider |

This also ensures that the plugin is always deterministic for any given input.

##### Maximize utilization of input data
The plugin feeds the entire input data to the cmd module.
This ensures that the plugin tolerates any kind of input (empty, huge,
malformed, etc.) and does not `exit()` on any input, thereby increasing the
chance of identifying vulnerabilities.

## Build

This describes the steps to build the cmd_fuzzer binary.

### Android

#### Steps to build
Build the fuzzer
```
  $ mm -j$(nproc) cmd_fuzzer
```
#### Steps to run
To run on device
```
  $ adb sync data
  $ adb shell /data/fuzz/${TARGET_ARCH}/cmd_fuzzer/cmd_fuzzer
```

## References:
 * http://llvm.org/docs/LibFuzzer.html
 * https://github.com/google/oss-fuzz
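The design described under "Plugin Design Considerations" (every parameter derived from the input bytes, the rest of the input handed to the module, no `exit()` on any input) is illustrated below with an added example. This is not the project's own `cmd_fuzzer` source. `MiniProvider` is a constructed, simplified stand-in for LLVM's `FuzzedDataProvider` (a real harness would include `<fuzzer/FuzzedDataProvider.h>` instead), `selectParams`, `runCmd` and `kSampleInput` are hypothetical names, and the way `runMode` is picked (a consumed bool) is an assumption, not the plugin's actual choice.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <type_traits>
#include <vector>

enum class RunMode { kStandalone, kLibrary };

// The configuration the harness derives from one fuzz input.
struct CmdParams {
    int32_t in;
    int32_t out;
    int32_t err;
    RunMode runMode;
    std::string payload;  // bytes handed to the cmd module
};

// Constructed stand-in for LLVM's FuzzedDataProvider (simplified, not the
// real class). Integrals are taken from the END of the buffer and the
// remaining bytes from the FRONT, so a mutated tail changes the parameters
// while the payload's leading bytes stay stable. Missing bytes read as zero,
// which is what lets an empty input still produce a full configuration.
class MiniProvider {
public:
    MiniProvider(const uint8_t* data, size_t size) : data_(data), remaining_(size) {}

    template <typename T> T ConsumeIntegral() {
        using U = typename std::make_unsigned<T>::type;
        U acc = 0;
        size_t n = sizeof(T) < remaining_ ? sizeof(T) : remaining_;
        for (size_t i = 0; i < n; ++i) {
            acc = static_cast<U>((acc << 8) | data_[remaining_ - 1 - i]);
        }
        remaining_ -= n;
        return static_cast<T>(acc);
    }

    bool ConsumeBool() { return (ConsumeIntegral<uint8_t>() & 1) != 0; }

    std::string ConsumeRemainingBytesAsString() {
        if (remaining_ == 0) return std::string();
        std::string s(reinterpret_cast<const char*>(data_), remaining_);
        remaining_ = 0;
        return s;
    }

private:
    const uint8_t* data_;
    size_t remaining_;
};

// Nothing is hardcoded: the same bytes always yield the same CmdParams, so a
// crash found by the fuzzer reproduces from its input file alone.
CmdParams selectParams(const uint8_t* data, size_t size) {
    MiniProvider fdp(data, size);
    CmdParams p;
    p.in = fdp.ConsumeIntegral<int32_t>();
    p.out = fdp.ConsumeIntegral<int32_t>();
    p.err = fdp.ConsumeIntegral<int32_t>();
    p.runMode = fdp.ConsumeBool() ? RunMode::kLibrary : RunMode::kStandalone;
    p.payload = fdp.ConsumeRemainingBytesAsString();  // entire remainder goes to cmd
    return p;
}

// Hypothetical placeholder for the call into the cmd module.
static void runCmd(const CmdParams&) {}

// LibFuzzer entry point. It must return rather than exit(), otherwise the
// fuzzing loop stops on the first input the module dislikes.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    runCmd(selectParams(data, size));
    return 0;
}

// Constructed sample input: payload "hello" followed by 13 parameter bytes
// (read from the end: in = 1, out = 2, err = -1, runMode bool = 1).
const std::vector<uint8_t> kSampleInput = {
    'h', 'e', 'l', 'l', 'o',
    0x01,                    // consumed last: runMode -> kLibrary
    0xFF, 0xFF, 0xFF, 0xFF,  // err = -1
    0x02, 0x00, 0x00, 0x00,  // out = 2
    0x01, 0x00, 0x00, 0x00,  // in = 1 (last byte of the buffer is the MSB)
};
```

libFuzzer supplies `main` and calls `LLVMFuzzerTestOneInput` per input, so the block has no `main` of its own. The stand-in's consumption order (parameters from the tail, payload from the head) is the property worth keeping in a real harness: it keeps the "interesting" leading bytes of a corpus entry intact while the mutator varies the configuration.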