Merge changes I7741c7e5,I30bb2844,If55b93b1,Ife058ca2

* changes:
  trusty: fuzz: dump trusty kernel logs on crash
  trusty: Add corpus for gatekeeper fuzzer
  trusty: Fuzzer for Gatekeeper TA
  trusty: fuzz: Helper library

trusty/fuzz/Android.bp

@@ -0,0 +1,42 @@
+// Copyright (C) 2020 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+cc_defaults {
+    name: "trusty_fuzzer_defaults",
+    static_libs: [
+        "libtrusty_fuzz_utils",
+    ],
+    shared_libs: [
+        "libbase",
+        "liblog",
+    ],
+    cflags: [
+        "-Wall",
+        "-Werror",
+    ],
+    fuzz_config: {
+        fuzz_on_haiku_device: false,
+        fuzz_on_haiku_host: false,
+    },
+}
+
+cc_library {
+    name: "libtrusty_fuzz_utils",
+    srcs: ["utils.cpp"],
+    export_include_dirs: ["include"],
+    shared_libs: [
+        "libbase",
+        "liblog",
+    ],
+}

trusty/fuzz/include/trusty/fuzz/utils.h

@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <string>
+
+#include <android-base/result.h>
+#include <android-base/unique_fd.h>
+
+#define TIPC_MAX_MSG_SIZE PAGE_SIZE
+
+namespace android {
+namespace trusty {
+namespace fuzz {
+
+class TrustyApp {
+  public:
+    TrustyApp(std::string tipc_dev, std::string ta_port);
+
+    android::base::Result<void> Connect();
+    android::base::Result<void> Read(void* buf, size_t len);
+    android::base::Result<void> Write(const void* buf, size_t len);
+
+    android::base::Result<int> GetRawFd();
+
+  private:
+    std::string tipc_dev_;
+    std::string ta_port_;
+    android::base::unique_fd ta_fd_;
+};
+
+void Abort();
+
+}  // namespace fuzz
+}  // namespace trusty
+}  // namespace android

trusty/fuzz/utils.cpp

@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) 2020 The Android Open Sourete Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LOG_TAG "trusty-fuzz-utils"
+
+#include <trusty/fuzz/utils.h>
+
+#include <android-base/logging.h>
+#include <android-base/unique_fd.h>
+#include <linux/ioctl.h>
+#include <linux/types.h>
+#include <linux/uio.h>
+#include <log/log_read.h>
+#include <time.h>
+#include <iostream>
+
+using android::base::ErrnoError;
+using android::base::Error;
+using android::base::Result;
+using android::base::unique_fd;
+
+#define TIPC_IOC_MAGIC 'r'
+#define TIPC_IOC_CONNECT _IOW(TIPC_IOC_MAGIC, 0x80, char*)
+
+namespace {
+
+const size_t kTimeoutSeconds = 5;
+const std::string kTrustyLogTag = "trusty-log";
+
+const time_t kInitialTime = time(nullptr);
+
+void PrintTrustyLog() {
+    auto logger_list = android_logger_list_open(LOG_ID_KERNEL, ANDROID_LOG_NONBLOCK, 1000, 0);
+    if (logger_list == nullptr) {
+        std::cerr << "Could not open android kernel log\n";
+        return;
+    }
+
+    while (true) {
+        log_msg log_msg;
+        int rc = android_logger_list_read(logger_list, &log_msg);
+        if (rc < 0) {
+            break;
+        }
+        if (log_msg.entry.sec < kInitialTime) {
+            continue;
+        }
+        char* msg = log_msg.msg();
+        if (msg) {
+            std::string line(msg, log_msg.entry.len);
+            if (line.find(kTrustyLogTag) != std::string::npos) {
+                std::cerr << line.substr(kTrustyLogTag.length() + 2) << std::endl;
+            }
+        }
+    }
+
+    android_logger_list_free(logger_list);
+}
+
+}  // namespace
+
+namespace android {
+namespace trusty {
+namespace fuzz {
+
+TrustyApp::TrustyApp(std::string tipc_dev, std::string ta_port)
+    : tipc_dev_(tipc_dev), ta_port_(ta_port), ta_fd_(-1) {}
+
+Result<void> TrustyApp::Connect() {
+    /*
+     * TODO: We can't use libtrusty because (yet)
+     * (1) cc_fuzz can't deal with vendor components (b/170753563)
+     * (2) We need non-blocking behavior to detect Trusty going down.
+     * (we could implement the timeout in the fuzzing code though, as
+     * it needs to be around the call to read())
+     */
+    alarm(kTimeoutSeconds);
+    int fd = open(tipc_dev_.c_str(), O_RDWR);
+    alarm(0);
+    if (fd < 0) {
+        return ErrnoError() << "failed to open TIPC device: ";
+    }
+    ta_fd_.reset(fd);
+
+    // This ioctl will time out in the kernel if it can't connect.
+    int rc = TEMP_FAILURE_RETRY(ioctl(ta_fd_, TIPC_IOC_CONNECT, ta_port_.c_str()));
+    if (rc < 0) {
+        return ErrnoError() << "failed to connect to TIPC service: ";
+    }
+
+    return {};
+}
+
+Result<void> TrustyApp::Read(void* buf, size_t len) {
+    if (ta_fd_ == -1) {
+        return Error() << "TA is not connected to yet: ";
+    }
+
+    alarm(kTimeoutSeconds);
+    int rc = read(ta_fd_, buf, len);
+    alarm(0);
+    if (rc < 0) {
+        return Error() << "failed to read TIPC message from TA: ";
+    }
+
+    return {};
+}
+
+Result<void> TrustyApp::Write(const void* buf, size_t len) {
+    if (ta_fd_ == -1) {
+        return Error() << "TA is not connected to yet: ";
+    }
+
+    alarm(kTimeoutSeconds);
+    int rc = write(ta_fd_, buf, len);
+    alarm(0);
+    if (rc < 0) {
+        return Error() << "failed to read TIPC message from TA: ";
+    }
+
+    return {};
+}
+
+Result<int> TrustyApp::GetRawFd() {
+    if (ta_fd_ == -1) {
+        return Error() << "TA is not connected to yet: ";
+    }
+
+    return ta_fd_;
+}
+
+void Abort() {
+    PrintTrustyLog();
+    exit(-1);
+}
+
+}  // namespace fuzz
+}  // namespace trusty
+}  // namespace android

trusty/gatekeeper/fuzz/Android.bp

@@ -0,0 +1,24 @@
+// Copyright (C) 2020 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+cc_fuzz {
+    name: "trusty_gatekeeper_fuzzer",
+    defaults: ["trusty_fuzzer_defaults"],
+    srcs: ["fuzz.cpp"],
+
+    // The initial corpus for this fuzzer was derived by dumping messages from
+    // the `secure_env` emulator interface for cuttlefish while enrolling a new
+    // password in the emulator.
+    corpus: ["corpus/*"],
+}

trusty/gatekeeper/fuzz/fuzz.cpp

@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#undef NDEBUG
+
+#include <assert.h>
+#include <log/log.h>
+#include <stdlib.h>
+#include <trusty/fuzz/utils.h>
+#include <unistd.h>
+
+#define TIPC_DEV "/dev/trusty-ipc-dev0"
+#define GATEKEEPER_PORT "com.android.trusty.gatekeeper"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+    static uint8_t buf[TIPC_MAX_MSG_SIZE];
+
+    android::trusty::fuzz::TrustyApp ta(TIPC_DEV, GATEKEEPER_PORT);
+
+    auto ret = ta.Connect();
+    /*
+     * If we can't connect, then assume TA crashed.
+     * TODO: Get some more info, e.g. stacks, to help Haiku dedup crashes.
+     */
+    if (!ret.ok()) {
+        android::trusty::fuzz::Abort();
+    }
+
+    /* Send message to test server */
+    ret = ta.Write(data, size);
+    if (!ret.ok()) {
+        return -1;
+    }
+
+    /* Read message from test server */
+    ret = ta.Read(&buf, sizeof(buf));
+    if (!ret.ok()) {
+        return -1;
+    }
+
+    return 0;
+}