author: Nicolas Boichat <drinkcat@chromium.org> 2018-06-20 14:21:43 +0800
committer: chrome-bot <chrome-bot@chromium.org> 2018-08-16 00:30:08 -0700
commit: 4a4e2c71a0f6aaa50e0728922f84a7d54c14380a
tree: 4bbc05387f7b479bc4a3dcb925174676f03d9356 /test/build.mk
parent: 165ee29673b058ba5f4550d5b6e1dfecb179bb22
test: host_command_fuzz: fuzzing test
Writing fuzzing tests is a little tricky, as clang takes over the main function. Instead, we start the test main function in a thread, and have LLVMFuzzerTestOneInput prepare the host command buffer, and wake the TEST_RUNNER task.

To make fuzzing faster, we only send somehow correctly formed requests, with a valid checksum and length (this can be disabled with an option).

We also make sure that the emulator does not hibernate, reboot or jump to a different image when fuzzing is enabled.

BRANCH=none
BUG=chromium:854975
TEST=make buildfuzztests -j
     ASAN_OPTIONS="log_path=stderr" \
       build/host/host_command_fuzz/host_command_fuzz.exe -timeout=5

Change-Id: I27b25e44c405f118dfc1296247479245e15e54b4
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1107523
Reviewed-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Jonathan Metzman <metzman@chromium.org>
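The "valid checksum and length" step described in the commit message, as an added example that is not code from this commit or from the EC tree: raw fuzzer bytes are framed so they pass the receiver's early checks and reach the command handlers. The header layout, the size limits and every name except `LLVMFuzzerTestOneInput` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header, not the EC's layout: version, checksum, command, payload length. */
#define HDR_LEN 4
#define REQ_VERSION 3
#define MAX_REQ 64

/* Receiver-side check: version, length and checksum must all agree. */
int request_is_valid(const uint8_t *buf, size_t len)
{
	uint8_t sum = 0;
	if (len < HDR_LEN || len > MAX_REQ || buf[0] != REQ_VERSION ||
	    (size_t)buf[3] != len - HDR_LEN)
		return 0;
	for (size_t i = 0; i < len; i++)
		sum += buf[i];
	return sum == 0; /* all bytes, checksum included, sum to 0 mod 256 */
}

/* Frame raw fuzzer bytes: data[0] picks the command, the rest is payload. */
size_t frame_request(const uint8_t *data, size_t size, uint8_t *out)
{
	uint8_t sum = 0;
	size_t plen;
	if (size == 0)
		return 0;
	plen = size - 1 > MAX_REQ - HDR_LEN ? MAX_REQ - HDR_LEN : size - 1;
	out[0] = REQ_VERSION;
	out[1] = 0; /* placeholder while summing */
	out[2] = data[0];
	out[3] = (uint8_t)plen;
	memcpy(out + HDR_LEN, data + 1, plen);
	for (size_t i = 0; i < HDR_LEN + plen; i++)
		sum += out[i];
	out[1] = (uint8_t)(0 - sum);
	return HDR_LEN + plen;
}

/* libFuzzer entry point: frame the input, then run the receiver-side check. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
	uint8_t req[MAX_REQ];
	size_t len = frame_request(data, size, req);
	if (len && !request_is_valid(req, len))
		abort(); /* framing bug: every run would be rejected early */
	return 0;
}
```

In a real harness the call to `request_is_valid` is where the framed buffer would be handed to the code under test.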
Diffstat (limited to 'test/build.mk')
-rw-r--r-- test/build.mk 4
1 files changed, 4 insertions, 0 deletions
diff --git a/test/build.mk b/test/build.mk
index d1ca94b7dc..967231684e 100644
--- a/test/build.mk
+++ b/test/build.mk
@@ -65,6 +65,9 @@ test-list-host += vboot
test-list-host += x25519
endif
+# Fuzzing tests
+fuzz-test-list-host = host_command_fuzz
+
base32-y=base32.o
battery_get_params_smart-y=battery_get_params_smart.o
bklight_lid-y=bklight_lid.o
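Review bot: `fuzz-test-list-host = host_command_fuzz` assigns with `=`, while the `test-list-host` lines directly above it in this hunk append with `+=`. With `=`, any value the variable already holds at this point is discarded, and the next fuzz target added below has to remember to switch operators; using `+=` here (or initialising the list empty once and appending) would match the surrounding style and keep the list composable. The new line also sits after the `endif`, so it is unconditional, unlike the `test-list-host` entries before it. If that is intended, the `# Fuzzing tests` comment could say so and name `make buildfuzztests`, the target given in the commit message, so a reader of this file knows why these tests are kept out of `test-list-host`.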
@@ -81,6 +84,7 @@ fan-y=fan.o
flash-y=flash.o
hooks-y=hooks.o
host_command-y=host_command.o
+host_command_fuzz-y=host_command_fuzz.o
inductive_charging-y=inductive_charging.o
interrupt-scale=10
interrupt-y=interrupt.o