1*789431f2SAndroid Build Coastguard Worker /*
2*789431f2SAndroid Build Coastguard Worker * Copyright (C) 2020 The Android Open Source Project
3*789431f2SAndroid Build Coastguard Worker *
4*789431f2SAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License");
5*789431f2SAndroid Build Coastguard Worker * you may not use this file except in compliance with the License.
6*789431f2SAndroid Build Coastguard Worker * You may obtain a copy of the License at
7*789431f2SAndroid Build Coastguard Worker *
8*789431f2SAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0
9*789431f2SAndroid Build Coastguard Worker *
10*789431f2SAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software
11*789431f2SAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS,
12*789431f2SAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*789431f2SAndroid Build Coastguard Worker * See the License for the specific language governing permissions and
14*789431f2SAndroid Build Coastguard Worker * limitations under the License.
15*789431f2SAndroid Build Coastguard Worker */
16*789431f2SAndroid Build Coastguard Worker
17*789431f2SAndroid Build Coastguard Worker #include <functional>
18*789431f2SAndroid Build Coastguard Worker #include <memory>
19*789431f2SAndroid Build Coastguard Worker
20*789431f2SAndroid Build Coastguard Worker #include "fuzzer/FuzzedDataProvider.h"
21*789431f2SAndroid Build Coastguard Worker #include "keymaster/serializable.h"
22*789431f2SAndroid Build Coastguard Worker
// Inclusive bounds for every size the harness draws from the fuzz input
// (initial Buffer size, reserve/Reinitialize sizes, scratch buffer sizes).
static constexpr uint16_t kMinBufferSize{1};
static constexpr uint16_t kMaxBufferSize{2048};

// Cap on the number of operations run for a single fuzz input, so one input
// cannot keep the harness busy indefinitely.
static constexpr uint16_t kMaxOperations{1000};
26*789431f2SAndroid Build Coastguard Worker
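// Table of operations the fuzzer can apply to the keymaster::Buffer under test.
// LLVMFuzzerTestOneInput picks an entry by index, so the order of the entries
// determines how an existing corpus is interpreted; append rather than reorder.
//
// Every scratch buffer handed to the Buffer is fully initialized and at least
// as long as the length passed alongside it. That way a sanitizer report points
// at keymaster::Buffer rather than at an out-of-bounds or uninitialized read
// made by the harness itself.
std::vector<std::function<void(keymaster::Buffer*, FuzzedDataProvider*)>> operations = {

    [](keymaster::Buffer* buf, FuzzedDataProvider*) -> void {
        // Just reading values, but there's some interesting
        // integer manipulation here.
        buf->begin();
        buf->end();
    },
    [](keymaster::Buffer* buf, FuzzedDataProvider*) -> void { buf->Clear(); },
    [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
        buf->reserve(fdp->ConsumeIntegralInRange<int>(kMinBufferSize, kMaxBufferSize));
    },
    [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
        // Deliberately unconstrained: negative and oversized distances are
        // exactly the inputs the Buffer's bounds checks have to reject.
        buf->advance_write(fdp->ConsumeIntegral<int>());
    },
    [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
        buf->Reinitialize(fdp->ConsumeIntegralInRange<size_t>(kMinBufferSize, kMaxBufferSize));
    },
    [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
        const size_t buf_size =
            fdp->ConsumeIntegralInRange<size_t>(kMinBufferSize, kMaxBufferSize);
        // make_unique value-initializes the array, so the bytes handed to the
        // Buffer are deterministic zeros instead of indeterminate heap
        // contents.
        const auto in_buf = std::make_unique<uint8_t[]>(buf_size);
        buf->Reinitialize(in_buf.get(), buf_size);
    },
    [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
        const uint16_t buf_size =
            fdp->ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
        // Feed Deserialize fuzzer-chosen bytes. ConsumeBytes may return fewer
        // than buf_size bytes when the input is nearly exhausted, so zero-pad
        // to the full size: the parser never sees uninitialized memory and
        // the same input always yields the same result.
        std::vector<uint8_t> in_buf = fdp->ConsumeBytes<uint8_t>(buf_size);
        in_buf.resize(buf_size);
        const uint8_t* data_ptr = in_buf.data();
        // `end` may stop short of the allocation, which exercises truncated
        // inputs.
        const int32_t end = fdp->ConsumeIntegralInRange<int32_t>(0, buf_size);
        buf->Deserialize(&data_ptr, data_ptr + end);
    },
    [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
        // Keep the full width of the reported size. Narrowing it to 16 bits
        // would size the output buffer too small for any Buffer whose
        // serialized form exceeds 65535 bytes.
        const size_t buf_size = buf->SerializedSize();
        const auto out_buf = std::make_unique<uint8_t[]>(buf_size);
        // `end` may stop short of the allocation, which exercises the
        // "output too small" path.
        const size_t end = fdp->ConsumeIntegralInRange<size_t>(0, buf_size);
        buf->Serialize(out_buf.get(), out_buf.get() + end);
    },
    [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
        const uint16_t buf_size =
            fdp->ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
        // ConsumeBytes may return fewer than buf_size bytes (possibly none)
        // when the input runs out. Zero-pad to buf_size so the source is
        // non-null and at least as long as any length drawn below; otherwise
        // write() could read past the end of in_buf.
        std::vector<uint8_t> in_buf = fdp->ConsumeBytes<uint8_t>(buf_size);
        in_buf.resize(buf_size);
        buf->write(in_buf.data(), fdp->ConsumeIntegralInRange<int16_t>(0, buf_size));
    },
    [](keymaster::Buffer* buf, FuzzedDataProvider* fdp) -> void {
        const uint16_t buf_size =
            fdp->ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
        // The requested length never exceeds the destination's size.
        const auto out = std::make_unique<uint8_t[]>(buf_size);
        buf->read(out.get(), fdp->ConsumeIntegralInRange<int16_t>(0, buf_size));
    }};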
73*789431f2SAndroid Build Coastguard Worker
// libFuzzer entry point. Builds a keymaster::Buffer whose initial size is
// drawn from the input, then applies fuzzer-selected entries of `operations`
// to it until either the input is exhausted or kMaxOperations entries have
// run. Always returns 0.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    FuzzedDataProvider provider(data, size);

    const uint16_t initial_size =
        provider.ConsumeIntegralInRange<uint16_t>(kMinBufferSize, kMaxBufferSize);
    keymaster::Buffer target(initial_size);

    size_t executed = 0;
    while (executed < kMaxOperations && provider.remaining_bytes() > 0) {
        // The index is constrained to the table, so the lookup below stays in
        // bounds.
        const uint8_t index =
            provider.ConsumeIntegralInRange<uint8_t>(0, operations.size() - 1);
        operations[index](&target, &provider);
        ++executed;
    }

    return 0;
}