diff options
Diffstat (limited to 'fuzz')
| -rw-r--r-- | fuzz/build.mk | 34 | ||||
| -rw-r--r-- | fuzz/fuzz_config.h | 100 | ||||
| -rw-r--r-- | fuzz/host_command_fuzz.c | 169 | ||||
| -rw-r--r-- | fuzz/host_command_fuzz.mocklist | 10 | ||||
| -rw-r--r-- | fuzz/host_command_fuzz.tasklist | 10 | ||||
| -rw-r--r-- | fuzz/pchg_fuzz.c | 125 | ||||
| -rw-r--r-- | fuzz/pchg_fuzz.corpus | 26 | ||||
| -rw-r--r-- | fuzz/pchg_fuzz.tasklist | 12 | ||||
| -rw-r--r-- | fuzz/span.h | 56 | ||||
| -rw-r--r-- | fuzz/usb_pd_fuzz.c | 249 | ||||
| -rw-r--r-- | fuzz/usb_pd_fuzz.tasklist | 11 | ||||
| -rw-r--r-- | fuzz/usb_tcpm_v2_rev20_fuzz.c | 33 | ||||
| -rw-r--r-- | fuzz/usb_tcpm_v2_rev20_fuzz.mocklist | 7 | ||||
| -rw-r--r-- | fuzz/usb_tcpm_v2_rev20_fuzz.tasklist | 12 | ||||
| l--------- | fuzz/usb_tcpm_v2_rev30_fuzz.c | 1 | ||||
| l--------- | fuzz/usb_tcpm_v2_rev30_fuzz.mocklist | 1 | ||||
| l--------- | fuzz/usb_tcpm_v2_rev30_fuzz.tasklist | 1 |
17 files changed, 0 insertions, 857 deletions
diff --git a/fuzz/build.mk b/fuzz/build.mk deleted file mode 100644 index 3b5f117d20..0000000000 --- a/fuzz/build.mk +++ /dev/null @@ -1,34 +0,0 @@ -# -*- makefile -*- -# Copyright 2018 The Chromium OS Authors. All rights reserved. -# Use of this source code is governed by a BSD-style license that can be -# found in the LICENSE file. -# -# fuzzer binaries -# - -fuzz-test-list-host = -# Fuzzers should only be built for architectures that support sanitizers. -ifeq ($(ARCH),amd64) -fuzz-test-list-host += host_command_fuzz usb_pd_fuzz usb_tcpm_v2_rev20_fuzz \ - usb_tcpm_v2_rev30_fuzz pchg_fuzz -endif - -# For fuzzing targets libec.a is built from the ro objects and hides functions -# that collide with stdlib. The rw only objects are then linked against libec.a -# with stdlib support. Therefore fuzzing targets that need to call this internal -# functions should be marked "-y" or "-ro", and fuzzing targets that need stdlib -# should be marked "-rw". In other words: -# -# Does your object file need to link against the Cr50 implementations of stdlib -# functions? -# Yes -> use <obj_name>-y -# Does your object file need to link against cstdlib? -# Yes -> use <obj_name>-rw -# Otherwise use <obj_name>-y -host_command_fuzz-y = host_command_fuzz.o -usb_pd_fuzz-y = usb_pd_fuzz.o -usb_tcpm_v2_rev30_fuzz-y = usb_pd_fuzz.o usb_tcpm_v2_rev30_fuzz.o \ - ../test/fake_battery.o -usb_tcpm_v2_rev20_fuzz-y = usb_pd_fuzz.o usb_tcpm_v2_rev20_fuzz.o \ - ../test/fake_battery.o -pchg_fuzz-y = pchg_fuzz.o
\ No newline at end of file diff --git a/fuzz/fuzz_config.h b/fuzz/fuzz_config.h deleted file mode 100644 index fb974ea727..0000000000 --- a/fuzz/fuzz_config.h +++ /dev/null @@ -1,100 +0,0 @@ -/* Copyright 2018 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - */ - -/* Fuzzer target config flags */ - -#ifndef __FUZZ_FUZZ_CONFIG_H -#define __FUZZ_FUZZ_CONFIG_H -#ifdef TEST_FUZZ - -/* Disable hibernate: We never want to exit while fuzzing. */ -#undef CONFIG_HIBERNATE - -#ifdef TEST_HOST_COMMAND_FUZZ -#undef CONFIG_HOSTCMD_DEBUG_MODE - -/* Defining this makes fuzzing slower, but exercises additional code paths. */ -#define FUZZ_HOSTCMD_VERBOSE - -#ifdef FUZZ_HOSTCMD_VERBOSE -#define CONFIG_HOSTCMD_DEBUG_MODE HCDEBUG_PARAMS -#else -#define CONFIG_HOSTCMD_DEBUG_MODE HCDEBUG_OFF -#endif /* ! FUZZ_HOSTCMD_VERBOSE */ - -/* The following are for fpsensor host commands. */ -#define CONFIG_AES -#define CONFIG_AES_GCM -#define CONFIG_ROLLBACK_SECRET_SIZE 32 -#define CONFIG_SHA256 - -#endif /* TEST_HOST_COMMAND_FUZZ */ - -#ifdef TEST_USB_PD_FUZZ -#define CONFIG_USB_POWER_DELIVERY -#define CONFIG_USB_PD_TCPMV1 -#define CONFIG_USB_PD_DUAL_ROLE -#define CONFIG_USB_PD_PORT_MAX_COUNT 2 -#define CONFIG_SHA256 -#define CONFIG_SW_CRC -#endif /* TEST_USB_PD_FUZZ */ - -#ifdef TEST_USB_TCPM_V2_REV30_FUZZ -#define CONFIG_USB_PD_DUAL_ROLE -#define CONFIG_USB_PD_PORT_MAX_COUNT 2 -#define CONFIG_USB_PD_TCPC_LOW_POWER -#define CONFIG_USB_PD_TRY_SRC -#define CONFIG_USB_PID 0x5555 -#define CONFIG_USB_POWER_DELIVERY -#define CONFIG_USB_PRL_SM -#define CONFIG_USB_PD_REV30 -#define CONFIG_USB_PD_TCPMV2 -#define CONFIG_USB_PD_DECODE_SOP -#define CONFIG_USB_DRP_ACC_TRYSRC -#define CONFIG_USB_PD_ALT_MODE_DFP -#define CONFIG_USBC_SS_MUX -#define CONFIG_USBC_VCONN -#define CONFIG_USBC_VCONN_SWAP -#define CONFIG_USBC_VCONN_SWAP_DELAY_US 5000 -#define CONFIG_SHA256 -#define CONFIG_SW_CRC -#define CONFIG_USB_PD_3A_PORTS 0 /* Host does not define a 3.0 A PDO */ -#endif /* TEST_USB_TCPM_V2_REV30_FUZZ */ - -#ifdef TEST_USB_TCPM_V2_REV20_FUZZ -#define CONFIG_USB_PD_DUAL_ROLE -#define CONFIG_USB_PD_PORT_MAX_COUNT 2 -#define CONFIG_USB_PD_TCPC_LOW_POWER -#define CONFIG_USB_PD_TRY_SRC -#define CONFIG_USB_PID 0x5555 -#define CONFIG_USB_POWER_DELIVERY -#define CONFIG_USB_PRL_SM -#define CONFIG_USB_PD_TCPMV2 -#define CONFIG_USB_PD_DECODE_SOP -#define CONFIG_USB_DRP_ACC_TRYSRC -#define CONFIG_USB_PD_ALT_MODE_DFP -#define CONFIG_USBC_SS_MUX -#define CONFIG_USBC_VCONN -#define CONFIG_USBC_VCONN_SWAP -#define CONFIG_USBC_VCONN_SWAP_DELAY_US 5000 -#define CONFIG_SHA256 -#define CONFIG_SW_CRC -#define CONFIG_USB_PD_3A_PORTS 0 /* Host does not define a 3.0 A PDO */ -#endif /* TEST_USB_TCPM_V2_REV20_FUZZ */ - -#ifdef TEST_PCHG_FUZZ -#define CONFIG_CTN730 -#define CONFIG_DEVICE_EVENT -#define CONFIG_MKBP_EVENT -#define CONFIG_MKBP_USE_GPIO -#define CONFIG_PERIPHERAL_CHARGER -#define I2C_PORT_WLC 0 -#define GPIO_WLC_IRQ_CONN 1 -#define GPIO_WLC_NRST_CONN 2 -#define GPIO_PCHG_P0 GPIO_WLC_IRQ_CONN -#endif /* TEST_PCHG_FUZZ */ - -#endif /* TEST_FUZZ */ -#endif /* __FUZZ_FUZZ_CONFIG_H */ diff --git a/fuzz/host_command_fuzz.c b/fuzz/host_command_fuzz.c deleted file mode 100644 index 4ca94ff616..0000000000 --- a/fuzz/host_command_fuzz.c +++ /dev/null @@ -1,169 +0,0 @@ -/* Copyright 2018 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Fuzz host command. - */ - -#include <pthread.h> -#include <sys/time.h> - -#include "common.h" -#include "console.h" -#include "host_command.h" -#include "host_test.h" -#include "task.h" -#include "test_util.h" -#include "timer.h" -#include "util.h" - -/* Only test requests with valid size and checksum (makes fuzzing faster) */ -#define VALID_REQUEST_ONLY - -#define TASK_EVENT_FUZZ TASK_EVENT_CUSTOM_BIT(0) -#define TASK_EVENT_HOSTCMD_DONE TASK_EVENT_CUSTOM_BIT(1) - -/* Request/response buffer size (and maximum command length) */ -#define BUFFER_SIZE 128 - -struct host_packet pkt; -static uint8_t resp_buf[BUFFER_SIZE]; -struct ec_host_response *resp = (struct ec_host_response *)resp_buf; -static uint8_t req_buf[BUFFER_SIZE]; -static struct ec_host_request *req = (struct ec_host_request *)req_buf; - -static void hostcmd_respond(struct host_packet *pkt) -{ - task_set_event(TASK_ID_TEST_RUNNER, TASK_EVENT_HOSTCMD_DONE); -} - -static char calculate_checksum(const char *buf, int size) -{ - int c = 0; - int i; - - for (i = 0; i < size; ++i) - c += buf[i]; - - return -c; -} - -struct chunk { - int start; - int size; -}; - -static int hostcmd_fill(const uint8_t *data, size_t size) -{ - static int first = 1; - -#ifdef VALID_REQUEST_ONLY - const int checksum_offset = offsetof(struct ec_host_request, checksum); - const int checksum_size = sizeof(req->checksum); - const int data_len_offset = offsetof(struct ec_host_request, data_len); - const int data_len_size = sizeof(req->data_len); - - struct chunk chunks[3]; - - chunks[0].start = 0; - chunks[0].size = checksum_offset; - chunks[1].start = chunks[0].start + chunks[0].size + checksum_size; - chunks[1].size = data_len_offset - chunks[1].start; - chunks[2].start = chunks[1].start + chunks[1].size + data_len_size; - chunks[2].size = sizeof(req_buf) - chunks[2].start; -#else - struct chunk chunks[1] = { {0, sizeof(req_buf)} }; -#endif - - int ipos = 0; - int i; - int req_size = 0; - - /* - * TODO(chromium:854975): We should probably malloc req_buf with the - * correct size, to make we do not read uninitialized req_buf data. - */ - memset(req_buf, 0, sizeof(req_buf)); - - /* - * Fill in req_buf, according to chunks defined above (i.e. skipping - * over checksum and data_len. - */ - for (i = 0; i < ARRAY_SIZE(chunks) && ipos < size; i++) { - int cp_size = MIN(chunks[i].size, size-ipos); - - memcpy(req_buf + chunks[i].start, data + ipos, cp_size); - - ipos += cp_size; - - req_size = chunks[i].start + cp_size; - } - - /* Not enough space in req_buf. */ - if (ipos != size) - return -1; - - pkt.request_size = req_size; - req->data_len = req_size - sizeof(*req); - req->checksum = calculate_checksum(req_buf, req_size); - - /* - * Print the full request on the first fuzzing attempt: useful to - * report bugs, and write up commit messages when reproducing - * issues. - */ - if (first) { - ccprintf("Request: cmd=%04x data=%ph\n", - req->command, HEX_BUF(req_buf, req_size)); - first = 0; - } - - pkt.send_response = hostcmd_respond; - pkt.request = (const void *)req_buf; - pkt.request_max = BUFFER_SIZE; - pkt.response = (void *)resp_buf; - pkt.response_max = BUFFER_SIZE; - pkt.driver_result = 0; - - return 0; -} - -static pthread_cond_t done_cond; -static pthread_mutex_t lock; - -void run_test(int argc, char **argv) -{ - ccprints("Fuzzing task started"); - wait_for_task_started(); - - while (1) { - task_wait_event_mask(TASK_EVENT_FUZZ, -1); - /* Send the host command (pkt prepared by main thread). */ - host_packet_receive(&pkt); - task_wait_event_mask(TASK_EVENT_HOSTCMD_DONE, -1); - pthread_cond_signal(&done_cond); - } -} - -int test_fuzz_one_input(const uint8_t *data, unsigned int size) -{ - /* Fill in req_buf. */ - if (hostcmd_fill(data, size) < 0) - return 0; - - task_set_event(TASK_ID_TEST_RUNNER, TASK_EVENT_FUZZ); - pthread_cond_wait(&done_cond, &lock); - -#ifdef VALID_REQUEST_ONLY - /* - * We carefully crafted all our requests to have a valid checksum, so - * we should never receive an invalid checksum error. (but ignore - * EC_CMD_TEST_PROTOCOL, as it can lead to arbitrary result values). - */ - ASSERT(req->command == EC_CMD_TEST_PROTOCOL || - resp->result != EC_RES_INVALID_CHECKSUM); -#endif - - return 0; -} - diff --git a/fuzz/host_command_fuzz.mocklist b/fuzz/host_command_fuzz.mocklist deleted file mode 100644 index 4ffc786b32..0000000000 --- a/fuzz/host_command_fuzz.mocklist +++ /dev/null @@ -1,10 +0,0 @@ -/* Copyright 2019 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - */ - - #define CONFIG_TEST_MOCK_LIST \ - MOCK(FP_SENSOR) \ - MOCK(FPSENSOR_DETECT) \ - MOCK(MKBP_EVENTS) \ - MOCK(ROLLBACK) diff --git a/fuzz/host_command_fuzz.tasklist b/fuzz/host_command_fuzz.tasklist deleted file mode 100644 index 2ff8a94d98..0000000000 --- a/fuzz/host_command_fuzz.tasklist +++ /dev/null @@ -1,10 +0,0 @@ -/* Copyright 2018 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - */ - -/** - * See CONFIG_TASK_LIST in config.h for details. - */ -#define CONFIG_TEST_TASK_LIST \ - TASK_TEST(FPSENSOR, fp_task, NULL, TASK_STACK_SIZE) diff --git a/fuzz/pchg_fuzz.c b/fuzz/pchg_fuzz.c deleted file mode 100644 index 97dbca74c4..0000000000 --- a/fuzz/pchg_fuzz.c +++ /dev/null @@ -1,125 +0,0 @@ -/* Copyright 2021 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Test peripheral device charger module. - */ - -#define HIDE_EC_STDLIB -#include "common.h" -#include "compile_time_macros.h" -#include "driver/nfc/ctn730.h" -#include "peripheral_charger.h" -#include "task.h" -#include "test_util.h" -#include "timer.h" -#include "util.h" - -#include <pthread.h> -#include <stdlib.h> -#include <string.h> - -#define TASK_EVENT_FUZZ TASK_EVENT_CUSTOM_BIT(0) - -extern struct pchg_drv ctn730_drv; -struct pchg pchgs[] = { - [0] = { - .cfg = &(const struct pchg_config) { - .drv = &ctn730_drv, - .i2c_port = I2C_PORT_WLC, - .irq_pin = GPIO_WLC_IRQ_CONN, - .full_percent = 96, - .block_size = 128, - }, - .events = QUEUE_NULL(PCHG_EVENT_QUEUE_SIZE, enum pchg_event), - }, -}; -const int pchg_count = ARRAY_SIZE(pchgs); - -static pthread_cond_t done_cond; -static pthread_mutex_t lock; - -#define MAX_MESSAGES 8 -#define MAX_MESSAGE_SIZE (sizeof(struct ctn730_msg) \ - + member_size(struct ctn730_msg, length) * 256) -static uint8_t input[MAX_MESSAGE_SIZE * MAX_MESSAGES]; -static uint8_t *head, *tail; -static bool data_available; - -int pchg_i2c_xfer(int port, uint16_t addr_flags, - const uint8_t *out, int out_size, - uint8_t *in, int in_size, int flags) -{ - if (port != I2C_PORT_WLC || addr_flags != CTN730_I2C_ADDR) - return EC_ERROR_INVAL; - - if (in == NULL || in_size == 0) - return EC_SUCCESS; - - if (head + in_size >= tail) { - data_available = false; - return EC_ERROR_OVERFLOW; - } - - memcpy(in, head, in_size); - head += in_size; - - return EC_SUCCESS; -} -DECLARE_TEST_I2C_XFER(pchg_i2c_xfer); - -/* - * Task for generating IRQs. The task priority is lower than the PCHG task so - * that it can yield the CPU to the PCHG task. - */ -void irq_task(int argc, char **argv) -{ - ccprints("%s task started", __func__); - wait_for_task_started(); - - while (1) { - int i = 0; - - task_wait_event_mask(TASK_EVENT_FUZZ, -1); - test_chipset_on(); - - while (data_available && i++ < MAX_MESSAGES) - pchg_irq(pchgs[0].cfg->irq_pin); - - test_chipset_off(); - - pthread_mutex_lock(&lock); - pthread_cond_signal(&done_cond); - pthread_mutex_unlock(&lock); - } - -} - -void run_test(int argc, char **argv) -{ - ccprints("Fuzzing task started"); - task_wait_event(-1); -} - -int test_fuzz_one_input(const uint8_t *data, unsigned int size) -{ - /* We're not interested in too small or too large input. */ - if (size < sizeof(struct ctn730_msg) || sizeof(input) < size) - return 0; - - pthread_mutex_init(&lock, NULL); - pthread_cond_init(&done_cond, NULL); - - head = input; - tail = input + size; - memcpy(input, data, size); - data_available = true; - - task_set_event(TASK_ID_IRQ, TASK_EVENT_FUZZ); - - pthread_mutex_lock(&lock); - pthread_cond_wait(&done_cond, &lock); - pthread_mutex_unlock(&lock); - - return 0; -} diff --git a/fuzz/pchg_fuzz.corpus b/fuzz/pchg_fuzz.corpus deleted file mode 100644 index 0b069baf4f..0000000000 --- a/fuzz/pchg_fuzz.corpus +++ /dev/null @@ -1,26 +0,0 @@ -"\xae\x01" -"\x18\x01\x00\x00" -"\xff~" -"\x01u" -"\x80\x00\x00\x00" -"Q\x00" -"5\x00" -"\xb7\x01\x00\x00" -"\x01\x00\x00\x00\x01\x00\x00\x00" -"\x00\x00\x00\x00\x00\x00\x00\x00" -"\xff\xff\xff\x00n_\x0b\xc0" -"\x92\x00" -"\xff\xdc" -"\xa6\x01" -"\x85f\xfc$\x00\x00\x00\x00" -"\xff\xff\xff\xff\xff\xff\xff\xff" -"\xff\xff\xff\xff\x00\x00\x00\x00" -"\xfff" -"\x01\xcb" -"\x8f\x00\x00\x00" -"\xff\xff\xff\x0d" -"=\x00\x00\x00" -"\xbc\x00" -"\x02\x91" -"\xff\xff\xff\x00\x00\x00\x00\x00" -"\x00y" diff --git a/fuzz/pchg_fuzz.tasklist b/fuzz/pchg_fuzz.tasklist deleted file mode 100644 index 5b30e09245..0000000000 --- a/fuzz/pchg_fuzz.tasklist +++ /dev/null @@ -1,12 +0,0 @@ -/* Copyright 2021 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - */ - -/** - * See CONFIG_TASK_LIST in config.h for details. - */ -#define CONFIG_TEST_TASK_LIST \ - TASK_TEST(IRQ, irq_task, NULL, TASK_STACK_SIZE) \ - TASK_TEST(PCHG, pchg_task, NULL, LARGER_TASK_STACK_SIZE) \ - TASK_TEST(CHIPSET, chipset_task, NULL, LARGER_TASK_STACK_SIZE) diff --git a/fuzz/span.h b/fuzz/span.h deleted file mode 100644 index 531df832a3..0000000000 --- a/fuzz/span.h +++ /dev/null @@ -1,56 +0,0 @@ -// Copyright 2018 The Chromium OS Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef __FUZZ_SPAN_H -#define __FUZZ_SPAN_H - -#include <unistd.h> - -#include <algorithm> - -namespace fuzz { - -template <typename T> -class span { - public: - typedef T value_type; - - constexpr span() : span<T>(nullptr, nullptr) {} - constexpr span(T* begin, size_t size) : begin_(begin), end_(begin + size) {} - constexpr span(T* begin, T* end) : begin_(begin), end_(end) {} - - template <class Container> - constexpr span(Container& container) - : begin_(container.begin()), end_(container.end()){}; - - constexpr T* begin() const { return begin_; } - constexpr T* end() const { return end_; } - - constexpr T* data() const { return begin_; } - - constexpr bool empty() const { return begin_ == end_; } - constexpr size_t size() const { return end_ - begin_; } - - private: - T* begin_; - T* end_; -}; - -template <typename Source, typename Destination> -size_t CopyWithPadding(Source source, - Destination destination, - typename Destination::value_type fill_value) { - if (source.size() >= destination.size()) { - std::copy(source.begin(), source.begin() + destination.size(), - destination.begin()); - return destination.size(); - } - std::copy(source.begin(), source.end(), destination.begin()); - std::fill(destination.begin() + source.size(), destination.end(), fill_value); - return source.size(); -} - -} // namespace fuzz - -#endif // __FUZZ_SPAN_H diff --git a/fuzz/usb_pd_fuzz.c b/fuzz/usb_pd_fuzz.c deleted file mode 100644 index 64eb0913a6..0000000000 --- a/fuzz/usb_pd_fuzz.c +++ /dev/null @@ -1,249 +0,0 @@ -/* Copyright 2018 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Test USB PD module. - */ -#define HIDE_EC_STDLIB -#include "common.h" -#include "task.h" -#include "tcpm/tcpm.h" -#include "test_util.h" -#include "timer.h" -#include "usb_pd.h" -#include "usb_pd_tcpm.h" -#include "util.h" - -#include <pthread.h> -#include <stdlib.h> -#include <string.h> - -#define TASK_EVENT_FUZZ TASK_EVENT_CUSTOM_BIT(0) - -#define PORT0 0 - -static int mock_tcpm_init(int port) { return EC_SUCCESS; } -static int mock_tcpm_release(int port) { return EC_SUCCESS; } - -static int mock_tcpm_select_rp_value(int port, int rp) -{ - return EC_SUCCESS; -} - -static int mock_tcpm_set_cc(int port, int pull) { return EC_SUCCESS; } -static int mock_tcpm_set_polarity(int port, enum tcpc_cc_polarity polarity) -{ - return EC_SUCCESS; -} - -static __maybe_unused int mock_tcpm_sop_prime_enable(int port, bool enable) -{ - return EC_SUCCESS; -} - -static int mock_tcpm_set_vconn(int port, int enable) { return EC_SUCCESS; } -static int mock_tcpm_set_msg_header(int port, - int power_role, int data_role) { return EC_SUCCESS; } -static int mock_tcpm_set_rx_enable(int port, int enable) { return EC_SUCCESS; } -static int mock_tcpm_transmit(int port, enum tcpci_msg_type type, - uint16_t header, const uint32_t *data) -{ return EC_SUCCESS; } -static void mock_tcpc_alert(int port) {} -static int mock_tcpci_get_chip_info(int port, int live, - struct ec_response_pd_chip_info_v1 *info) -{ - return EC_ERROR_UNIMPLEMENTED; -} - -static __maybe_unused int mock_enter_low_power_mode(int port) -{ - return EC_SUCCESS; -} - -#define MAX_TCPC_PAYLOAD 28 - -struct message { - uint8_t cnt; - uint16_t header; - uint8_t payload[MAX_TCPC_PAYLOAD]; -} __packed; - -struct tcpc_state { - enum tcpc_cc_voltage_status cc1, cc2; - struct message message; -}; - -static struct tcpc_state mock_tcpc_state[CONFIG_USB_PD_PORT_MAX_COUNT]; - -static int mock_tcpm_get_cc(int port, enum tcpc_cc_voltage_status *cc1, - enum tcpc_cc_voltage_status *cc2) -{ - *cc1 = mock_tcpc_state[port].cc1; - *cc2 = mock_tcpc_state[port].cc2; - - return EC_SUCCESS; -} - -static int pending; - -int tcpm_has_pending_message(const int port) -{ - return pending; -} - -int tcpm_dequeue_message(const int port, uint32_t *const payload, - int *const header) -{ - struct message *m = &mock_tcpc_state[port].message; - - ccprints("%s", __func__); - - /* Force a segfault, if no message is actually pending. */ - if (pending == 0) - m = NULL; - - *header = m->header; - - /* - * This mirrors what tcpci.c:tcpm_dequeue_message does: always copy the - * whole payload to destination. - */ - memcpy(payload, m->payload, sizeof(m->payload)); - - pending--; - return EC_SUCCESS; -} - -/* Note this method can be called from an interrupt context. */ -int tcpm_enqueue_message(const int port) -{ - pending = 1; - - /* Wake PD task up so it can process incoming RX messages */ - task_set_event(PD_PORT_TO_TASK_ID(port), TASK_EVENT_WAKE); - - return EC_SUCCESS; -} - -void tcpm_clear_pending_messages(int port) {} - -static const struct tcpm_drv mock_tcpm_drv = { - .init = &mock_tcpm_init, - .release = &mock_tcpm_release, - .get_cc = &mock_tcpm_get_cc, -#ifdef CONFIG_USB_PD_VBUS_DETECT_TCPC - .check_vbus_level = &mock_tcpm_check_vbus_level, -#endif - .select_rp_value = &mock_tcpm_select_rp_value, - .set_cc = &mock_tcpm_set_cc, - .set_polarity = &mock_tcpm_set_polarity, -#ifdef CONFIG_USB_PD_DECODE_SOP - .sop_prime_enable = &mock_tcpm_sop_prime_enable, -#endif - .set_vconn = &mock_tcpm_set_vconn, - .set_msg_header = &mock_tcpm_set_msg_header, - .set_rx_enable = &mock_tcpm_set_rx_enable, - /* The core calls tcpm_dequeue_message. */ - .get_message_raw = NULL, - .transmit = &mock_tcpm_transmit, - .tcpc_alert = &mock_tcpc_alert, - .get_chip_info = &mock_tcpci_get_chip_info, -#ifdef CONFIG_USB_PD_TCPC_LOW_POWER - .enter_low_power_mode = &mock_enter_low_power_mode, -#endif -}; - -/* TCPC mux configuration */ -const struct tcpc_config_t tcpc_config[CONFIG_USB_PD_PORT_MAX_COUNT] = { - { - .drv = &mock_tcpm_drv, - }, - { - .drv = &mock_tcpm_drv, - } -}; - -static pthread_cond_t done_cond; -static pthread_mutex_t lock; - -enum tcpc_cc_voltage_status next_cc1, next_cc2; -#define MAX_MESSAGES 8 -static struct message messages[MAX_MESSAGES]; - -void run_test(int argc, char **argv) -{ - uint8_t port = PORT0; - int i; - - ccprints("Fuzzing task started"); - wait_for_task_started(); - - while (1) { - task_wait_event_mask(TASK_EVENT_FUZZ, -1); - - memset(&mock_tcpc_state[port], - 0, sizeof(mock_tcpc_state[port])); - - task_set_event(PD_PORT_TO_TASK_ID(port), PD_EVENT_TCPC_RESET); - task_wait_event(250 * MSEC); - - mock_tcpc_state[port].cc1 = next_cc1; - mock_tcpc_state[port].cc2 = next_cc2; - - task_set_event(PD_PORT_TO_TASK_ID(port), PD_EVENT_CC); - task_wait_event(50 * MSEC); - - /* Fake RX messages, one by one. */ - for (i = 0; i < MAX_MESSAGES && messages[i].cnt; i++) { - memcpy(&mock_tcpc_state[port].message, &messages[i], - sizeof(messages[i])); - - tcpm_enqueue_message(port); - task_wait_event(50 * MSEC); - } - - pthread_cond_signal(&done_cond); - } -} - -int board_vbus_source_enabled(int port) -{ - return 0; -} - -int test_fuzz_one_input(const uint8_t *data, unsigned int size) -{ - int i; - - if (size < 1) - return 0; - - next_cc1 = data[0] & 0x0f; - next_cc2 = (data[0] & 0xf0) >> 4; - data++; size--; - - memset(messages, 0, sizeof(messages)); - - for (i = 0; i < MAX_MESSAGES && size > 0; i++) { - int cnt = data[0]; - - if (cnt < 3 || cnt > MAX_TCPC_PAYLOAD+3 || cnt > size) { - /* Invalid count, or out of bounds. */ - return 0; - } - - memcpy(&messages[i], data, cnt); - - data += cnt; size -= cnt; - } - - if (size != 0) { - /* Useless extra data in buffer, skip. */ - return 0; - } - - task_set_event(TASK_ID_TEST_RUNNER, TASK_EVENT_FUZZ); - pthread_cond_wait(&done_cond, &lock); - - return 0; -} diff --git a/fuzz/usb_pd_fuzz.tasklist b/fuzz/usb_pd_fuzz.tasklist deleted file mode 100644 index 6edeac2f98..0000000000 --- a/fuzz/usb_pd_fuzz.tasklist +++ /dev/null @@ -1,11 +0,0 @@ -/* Copyright 2018 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - */ - -/** - * See CONFIG_TASK_LIST in config.h for details. - */ -#define CONFIG_TEST_TASK_LIST \ - TASK_TEST(PD_C0, pd_task, NULL, LARGER_TASK_STACK_SIZE) \ - TASK_TEST(PD_C1, pd_task, NULL, LARGER_TASK_STACK_SIZE) diff --git a/fuzz/usb_tcpm_v2_rev20_fuzz.c b/fuzz/usb_tcpm_v2_rev20_fuzz.c deleted file mode 100644 index f5afb92ac1..0000000000 --- a/fuzz/usb_tcpm_v2_rev20_fuzz.c +++ /dev/null @@ -1,33 +0,0 @@ -/* Copyright 2020 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - * - * Stubs needed for fuzz testing the USB TCPMv2 state machines. - */ - -#define HIDE_EC_STDLIB -#include "charge_manager.h" -#include "mock/usb_mux_mock.h" -#include "usb_pd.h" - -const struct svdm_response svdm_rsp = { - .identity = NULL, - .svids = NULL, - .modes = NULL, -}; - -/* USB mux configuration */ -const struct usb_mux usb_muxes[CONFIG_USB_PD_PORT_MAX_COUNT] = { - { - .driver = &mock_usb_mux_driver, - }, - { - .driver = &mock_usb_mux_driver, - } -}; - -int pd_check_vconn_swap(int port) -{ - return 1; -} - diff --git a/fuzz/usb_tcpm_v2_rev20_fuzz.mocklist b/fuzz/usb_tcpm_v2_rev20_fuzz.mocklist deleted file mode 100644 index 1b2c615371..0000000000 --- a/fuzz/usb_tcpm_v2_rev20_fuzz.mocklist +++ /dev/null @@ -1,7 +0,0 @@ -/* Copyright 2020 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - */ - - #define CONFIG_TEST_MOCK_LIST \ - MOCK(USB_MUX) diff --git a/fuzz/usb_tcpm_v2_rev20_fuzz.tasklist b/fuzz/usb_tcpm_v2_rev20_fuzz.tasklist deleted file mode 100644 index e3ad19e719..0000000000 --- a/fuzz/usb_tcpm_v2_rev20_fuzz.tasklist +++ /dev/null @@ -1,12 +0,0 @@ -/* Copyright 2019 The Chromium OS Authors. All rights reserved. - * Use of this source code is governed by a BSD-style license that can be - * found in the LICENSE file. - */ - -/** - * See CONFIG_TASK_LIST in config.h for details. - */ -#define CONFIG_TEST_TASK_LIST \ - TASK_TEST(PD_C0, pd_task, NULL, LARGER_TASK_STACK_SIZE) \ - TASK_TEST(PD_C1, pd_task, NULL, LARGER_TASK_STACK_SIZE) - diff --git a/fuzz/usb_tcpm_v2_rev30_fuzz.c b/fuzz/usb_tcpm_v2_rev30_fuzz.c deleted file mode 120000 index e62b1786fd..0000000000 --- a/fuzz/usb_tcpm_v2_rev30_fuzz.c +++ /dev/null @@ -1 +0,0 @@ -usb_tcpm_v2_rev20_fuzz.c
\ No newline at end of file diff --git a/fuzz/usb_tcpm_v2_rev30_fuzz.mocklist b/fuzz/usb_tcpm_v2_rev30_fuzz.mocklist deleted file mode 120000 index 061e1ef826..0000000000 --- a/fuzz/usb_tcpm_v2_rev30_fuzz.mocklist +++ /dev/null @@ -1 +0,0 @@ -usb_tcpm_v2_rev20_fuzz.mocklist
\ No newline at end of file diff --git a/fuzz/usb_tcpm_v2_rev30_fuzz.tasklist b/fuzz/usb_tcpm_v2_rev30_fuzz.tasklist deleted file mode 120000 index a01883297a..0000000000 --- a/fuzz/usb_tcpm_v2_rev30_fuzz.tasklist +++ /dev/null @@ -1 +0,0 @@ -usb_tcpm_v2_rev20_fuzz.tasklist
\ No newline at end of file |