xref: /aosp_15_r20/system/nfc/src/fuzzers/rw/t3t.cc (revision 7eba2f3b06c51ae21384f6a4f14577b668a869b3)

#include "fuzz.h"

#define MODULE_NAME "Type3 Read/Write"

enum {
  SUB_TYPE_CHECK_NDEF,
  SUB_TYPE_UPDATE_NDEF,
  SUB_TYPE_CHECK,
  SUB_TYPE_UPDATE,
  SUB_TYPE_SEND_RAW_FRAME,

  SUB_TYPE_NCI_CMD_FIRST,
  SUB_TYPE_DETECT_NDEF = SUB_TYPE_NCI_CMD_FIRST,
  SUB_TYPE_PRESENCE_CHECK,
  SUB_TYPE_POLL,
  SUB_TYPE_GET_SYSTEM_CODES,
  SUB_TYPE_FORMAT_NDEF,
  SUB_TYPE_SET_READ_ONLY_SOFT,
  SUB_TYPE_SET_READ_ONLY_HARD,

  SUB_TYPE_MAX
};

// The following definition are copied from rw_t3t.cc
// ============================================================================

/* Default NDEF attribute information block (used when formatting Felica-Lite
 * tags) */
/* NBr (max block reads per cmd)*/
#define RW_T3T_DEFAULT_FELICALITE_NBR 4
/* NBw (max block write per cmd)*/
#define RW_T3T_DEFAULT_FELICALITE_NBW 1
#define RW_T3T_DEFAULT_FELICALITE_NMAXB (T3T_FELICALITE_NMAXB)
#define RW_T3T_DEFAULT_FELICALITE_ATTRIB_INFO_CHECKSUM                       \
  ((T3T_MSG_NDEF_VERSION + RW_T3T_DEFAULT_FELICALITE_NBR +                   \
    RW_T3T_DEFAULT_FELICALITE_NBW + (RW_T3T_DEFAULT_FELICALITE_NMAXB >> 8) + \
    (RW_T3T_DEFAULT_FELICALITE_NMAXB & 0xFF) + T3T_MSG_NDEF_WRITEF_OFF +     \
    T3T_MSG_NDEF_RWFLAG_RW) &                                                \
   0xFFFF)
// ============================================================================

static void rw_cback(tRW_EVENT event, tRW_DATA* p_rw_data) {
  FUZZLOG(MODULE_NAME ": rw_cback: event=0x%02x, p_rw_data=%p", event,
          p_rw_data);

  if (event == RW_T3T_RAW_FRAME_EVT) {
    if (p_rw_data->data.p_data) {
      GKI_freebuf(p_rw_data->data.p_data);
      p_rw_data->data.p_data = nullptr;
    }
  }
}

#define TEST_NFCID_VALUE \
  { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 }
const uint8_t TEST_NFCID[] = TEST_NFCID_VALUE;

static bool Init(Fuzz_Context& /*ctx*/) {
  tNFC_ACTIVATE_DEVT activate_params = {
      .protocol = NFC_PROTOCOL_T3T,
      .rf_tech_param = {.mode = NFC_DISCOVERY_TYPE_POLL_F,
                        .param = {.pf = {
                                      .nfcid2 = TEST_NFCID_VALUE,
                                      .bit_rate = NFC_BIT_RATE_212,
                                      .sensf_res_len = NFC_MAX_SENSF_RES_LEN,
                                      .mrti_check = 1,
                                      .mrti_update = 1,
                                  }}}};

  rw_init();
  if (NFC_STATUS_OK != RW_SetActivatedTagType(&activate_params, rw_cback)) {
    FUZZLOG(MODULE_NAME ": RW_SetActivatedTagType failed");
    return false;
  }

  // A workaround to initialize Type3 tag attribute
  tRW_T3T_DETECT t3t_detect = {
      NFC_STATUS_OK,         // tNFC_STATUS status;
      T3T_MSG_NDEF_VERSION,  // uint8_t version; /* Ver: peer version */
      RW_T3T_DEFAULT_FELICALITE_NBR,  // uint8_t
                                      // nbr; /* NBr: number of blocks that can
                                      // be read using one Check command */
      RW_T3T_DEFAULT_FELICALITE_NBW,  // uint8_t nbw;    /* Nbw: number of
                                      // blocks that can be written using one
                                      // Update command */
      RW_T3T_DEFAULT_FELICALITE_NMAXB,  // uint16_t nmaxb; /* Nmaxb: maximum
                                        // number of blocks available for NDEF
                                        // data */
      T3T_MSG_NDEF_WRITEF_OFF,  // uint8_t writef; /* WriteFlag: 00h if writing
                                // data finished; 0Fh if writing data in
                                // progress */
      T3T_MSG_NDEF_RWFLAG_RW,   // uint8_t
                               // rwflag;  /* RWFlag: 00h NDEF is read-only; 01h
                               // if read/write available */
      0x100 * 16,  // uint32_t ln; /* Ln: actual size of stored NDEF data (in
                   // bytes) */
  };

  tRW_T3T_CB* p_cb = &rw_cb.tcb.t3t;
  memcpy(&p_cb->ndef_attrib, &t3t_detect, sizeof(t3t_detect));

  // workaround of issue b/139424089
  p_cb->p_cur_cmd_buf->offset = 1;
  p_cb->p_cur_cmd_buf->len = 0;
  return true;
}

static bool Init_CheckNDef(Fuzz_Context& /*ctx*/) {
  return NFC_STATUS_OK == RW_T3tCheckNDef();
}

static bool Init_UpdateNDef(Fuzz_Context& ctx) {
  const uint8_t data[] = {0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04,
                          0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04};

  auto scratch = ctx.GetBuffer(sizeof(data), data);
  return NFC_STATUS_OK == RW_T3tUpdateNDef(sizeof(data), scratch);
}

static bool Init_Check(Fuzz_Context& /*ctx*/) {
  tT3T_BLOCK_DESC t3t_blocks = {0x000B, 5};
  return NFC_STATUS_OK == RW_T3tCheck(1, &t3t_blocks);
}

static bool Init_Update(Fuzz_Context& ctx) {
  const uint8_t data[] = {0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04,
                          0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04};
  auto scratch = ctx.GetBuffer(sizeof(data), data);
  tT3T_BLOCK_DESC t3t_blocks = {0x000B, 5};
  return NFC_STATUS_OK == RW_T3tUpdate(1, &t3t_blocks, scratch);
}

static bool Init_SendRawFrame(Fuzz_Context& /*ctx*/) {
  uint8_t data[] = {0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04,
                    0x01, 0x02, 0x03, 0x04, 0x01, 0x02, 0x03, 0x04};

  return NFC_STATUS_OK == RW_T3tSendRawFrame(sizeof(data), data);
}

static bool Init_DetectNDef(Fuzz_Context& /*ctx*/) {
  return NFC_STATUS_OK == RW_T3tDetectNDef();
}

static bool Init_PresenceCheck(Fuzz_Context& /*ctx*/) {
  return NFC_STATUS_OK == RW_T3tPresenceCheck();
}

static bool Init_Poll(Fuzz_Context& /*ctx*/) {
  return NFC_STATUS_OK == RW_T3tPoll(0, 1, 0);
}

static bool Init_GetSystemCode(Fuzz_Context& /*ctx*/) {
  return NFC_STATUS_OK == RW_T3tGetSystemCodes();
}

static bool Init_FormatNDef(Fuzz_Context& /*ctx*/) {
  return NFC_STATUS_OK == RW_T3tFormatNDef();
}

static bool Init_SetReadonly(Fuzz_Context& /*ctx*/) {
  return NFC_STATUS_OK == RW_T3tSetReadOnly(true);
}

static bool Fuzz_Init(Fuzz_Context& ctx) {
  if (!Init(ctx)) {
    FUZZLOG(MODULE_NAME ": initialization failed");
    return false;
  }

  bool result = false;
  switch (ctx.SubType) {
    case SUB_TYPE_CHECK_NDEF:
      result = Init_CheckNDef(ctx);
      break;
    case SUB_TYPE_UPDATE_NDEF:
      result = Init_UpdateNDef(ctx);
      break;
    case SUB_TYPE_CHECK:
      result = Init_Check(ctx);
      break;
    case SUB_TYPE_UPDATE:
      result = Init_Update(ctx);
      break;
    case SUB_TYPE_SEND_RAW_FRAME:
      result = Init_SendRawFrame(ctx);
      break;
    case SUB_TYPE_DETECT_NDEF:
      result = Init_DetectNDef(ctx);
      break;
    case SUB_TYPE_PRESENCE_CHECK:
      result = Init_PresenceCheck(ctx);
      break;
    case SUB_TYPE_POLL:
      result = Init_Poll(ctx);
      break;
    case SUB_TYPE_GET_SYSTEM_CODES:
      result = Init_GetSystemCode(ctx);
      break;
    case SUB_TYPE_FORMAT_NDEF:
      result = Init_FormatNDef(ctx);
      break;
    case SUB_TYPE_SET_READ_ONLY_SOFT:
    case SUB_TYPE_SET_READ_ONLY_HARD:
      result = Init_SetReadonly(ctx);
      break;
    default:
      FUZZLOG(MODULE_NAME ": Unknown command %d", ctx.SubType);
      result = false;
      break;
  }

  if (!result) {
    FUZZLOG(MODULE_NAME ": Initializing command %02X failed", ctx.SubType);
  }

  return result;
}

static void Fuzz_Deinit(Fuzz_Context& /*ctx*/) {
  if (rf_cback) {
    tNFC_CONN conn = {
        .deactivate = {.status = NFC_STATUS_OK,
                       .type = NFC_DEACTIVATE_TYPE_IDLE,
                       .is_ntf = true,
                       .reason = NFC_DEACTIVATE_REASON_DH_REQ_FAILED}};

    rf_cback(NFC_RF_CONN_ID, NFC_DEACTIVATE_CEVT, &conn);
  }
}

static void t3t_nci_msg(NFC_HDR* p_msg) {
  uint8_t status;
  uint8_t num_responses;

  uint8_t* p = (uint8_t*)(p_msg + 1) + p_msg->offset;
  uint8_t plen = p_msg->len;

  if (plen >= 2) {
    /* Pass result to RW_T3T for processing */
    STREAM_TO_UINT8(status, p);
    STREAM_TO_UINT8(num_responses, p);
    plen -= NFC_TL_SIZE;
    rw_t3t_handle_nci_poll_ntf(status, num_responses, (uint8_t)plen, p);
  }

  GKI_freebuf(p_msg);
}

static void t3t_data_msg(NFC_HDR* p_msg) {
  tNFC_CONN conn = {.data = {
                        .status = NFC_STATUS_OK,
                        .p_data = p_msg,
                    }};
  if (p_msg->len < 1) {
    FUZZLOG(MODULE_NAME ": Ivalid message length=%hu", p_msg->len);
    return;
  }
  p_msg->len--;

  rf_cback(NFC_RF_CONN_ID, NFC_DATA_CEVT, &conn);
}

static void Fuzz_Run(Fuzz_Context& ctx) {
  for (auto it = ctx.Data.cbegin() + 1; it != ctx.Data.cend(); ++it) {
    NFC_HDR* p_msg;
    p_msg = (NFC_HDR*)GKI_getbuf(sizeof(NFC_HDR) + it->size());
    if (p_msg == nullptr) {
      FUZZLOG(MODULE_NAME ": GKI_getbuf returns null, size=%zu", it->size());
      return;
    }

    /* Initialize NFC_HDR */
    p_msg->len = it->size();
    p_msg->offset = 0;

    uint8_t* p = (uint8_t*)(p_msg + 1) + p_msg->offset;
    memcpy(p, it->data(), it->size());

    FUZZLOG(MODULE_NAME ": SubType=%02X, Response[%zd/%zd]=%s", ctx.SubType,
            it - ctx.Data.cbegin(), ctx.Data.size() - 1,
            BytesToHex(*it).c_str());

    if (ctx.SubType >= SUB_TYPE_NCI_CMD_FIRST) {
      t3t_nci_msg(p_msg);
    } else {
      t3t_data_msg(p_msg);
    }
  }
}

void Type3_FixPackets(uint8_t SubType, std::vector<bytes_t>& Packets) {
  for (auto it = Packets.begin() + 1; it != Packets.end(); ++it) {
    if (SubType >= SUB_TYPE_NCI_CMD_FIRST) {
      if (it->size() < 3) {
        it->resize(3);
        memset(it->data(), 0, it->size());
      }
    } else {
      if (it->size() <= T3T_MSG_RSP_COMMON_HDR_LEN) {
        it->resize(T3T_MSG_RSP_COMMON_HDR_LEN + 1);
        memset(it->data(), 0, it->size());
      }

      uint8_t* p = it->data();
      p[0] = it->size();
      p[it->size() - 1] = NFC_STATUS_OK;

      auto rsp = &p[1];
      rsp[T3T_MSG_RSP_OFFSET_STATUS1] = T3T_MSG_RSP_STATUS_OK;
      memcpy(&rsp[T3T_MSG_RSP_OFFSET_IDM], TEST_NFCID, sizeof(TEST_NFCID));
    }
  }
}

void Type3_Fuzz(uint8_t SubType, const std::vector<bytes_t>& Packets) {
  Fuzz_Context ctx(SubType % SUB_TYPE_MAX, Packets);
  if (Fuzz_Init(ctx)) {
    Fuzz_Run(ctx);
  }
  Fuzz_Deinit(ctx);
}