1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
/* Copyright 2018 The ChromiumOS Authors
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*
* Fuzz host command.
*/
#include "builtin/assert.h"
#include "common.h"
#include "console.h"
#include "host_command.h"
#include "host_test.h"
#include "printf.h"
#include "task.h"
#include "test_util.h"
#include "timer.h"
#include "util.h"
#include <pthread.h>
#include <sys/time.h>
/* Only test requests with valid size and checksum (makes fuzzing faster) */
#define VALID_REQUEST_ONLY
#define TASK_EVENT_FUZZ TASK_EVENT_CUSTOM_BIT(0)
#define TASK_EVENT_HOSTCMD_DONE TASK_EVENT_CUSTOM_BIT(1)
/* Request/response buffer size (and maximum command length) */
#define BUFFER_SIZE 128
struct host_packet pkt;
static uint8_t resp_buf[BUFFER_SIZE];
struct ec_host_response *resp = (struct ec_host_response *)resp_buf;
static uint8_t req_buf[BUFFER_SIZE];
static struct ec_host_request *req = (struct ec_host_request *)req_buf;
static void hostcmd_respond(struct host_packet *pkt)
{
task_set_event(TASK_ID_TEST_RUNNER, TASK_EVENT_HOSTCMD_DONE);
}
static char calculate_checksum(const char *buf, int size)
{
int c = 0;
int i;
for (i = 0; i < size; ++i)
c += buf[i];
return -c;
}
struct chunk {
int start;
int size;
};
static int hostcmd_fill(const uint8_t *data, size_t size)
{
static int first = 1;
int ipos = 0;
int i;
int req_size = 0;
#ifdef VALID_REQUEST_ONLY
const int checksum_offset = offsetof(struct ec_host_request, checksum);
const int checksum_size = sizeof(req->checksum);
const int data_len_offset = offsetof(struct ec_host_request, data_len);
const int data_len_size = sizeof(req->data_len);
struct chunk chunks[3];
chunks[0].start = 0;
chunks[0].size = checksum_offset;
chunks[1].start = chunks[0].start + chunks[0].size + checksum_size;
chunks[1].size = data_len_offset - chunks[1].start;
chunks[2].start = chunks[1].start + chunks[1].size + data_len_size;
chunks[2].size = sizeof(req_buf) - chunks[2].start;
#else
struct chunk chunks[1] = { { 0, sizeof(req_buf) } };
#endif
/*
* TODO(chromium:854975): We should probably malloc req_buf with the
* correct size, to make we do not read uninitialized req_buf data.
*/
memset(req_buf, 0, sizeof(req_buf));
/*
* Fill in req_buf, according to chunks defined above (i.e. skipping
* over checksum and data_len.
*/
for (i = 0; i < ARRAY_SIZE(chunks) && ipos < size; i++) {
int cp_size = MIN(chunks[i].size, size - ipos);
memcpy(req_buf + chunks[i].start, data + ipos, cp_size);
ipos += cp_size;
req_size = chunks[i].start + cp_size;
}
/* Not enough space in req_buf. */
if (ipos != size)
return -1;
pkt.request_size = req_size;
req->data_len = req_size - sizeof(*req);
req->checksum = calculate_checksum(req_buf, req_size);
/*
* Print the full request on the first fuzzing attempt: useful to
* report bugs, and write up commit messages when reproducing
* issues.
*/
if (first) {
char str_buf[hex_str_buf_size(req_size)];
snprintf_hex_buffer(str_buf, sizeof(str_buf),
HEX_BUF(req_buf, req_size));
ccprintf("Request: cmd=%04x data=%s\n", req->command, str_buf);
first = 0;
}
pkt.send_response = hostcmd_respond;
pkt.request = (const void *)req_buf;
pkt.request_max = BUFFER_SIZE;
pkt.response = (void *)resp_buf;
pkt.response_max = BUFFER_SIZE;
pkt.driver_result = 0;
return 0;
}
static pthread_cond_t done_cond;
static pthread_mutex_t lock;
void run_test(int argc, const char **argv)
{
ccprints("Fuzzing task started");
wait_for_task_started();
while (1) {
task_wait_event_mask(TASK_EVENT_FUZZ, -1);
/* Send the host command (pkt prepared by main thread). */
host_packet_receive(&pkt);
task_wait_event_mask(TASK_EVENT_HOSTCMD_DONE, -1);
pthread_cond_signal(&done_cond);
}
}
int test_fuzz_one_input(const uint8_t *data, unsigned int size)
{
/* Fill in req_buf. */
if (hostcmd_fill(data, size) < 0)
return 0;
task_set_event(TASK_ID_TEST_RUNNER, TASK_EVENT_FUZZ);
pthread_cond_wait(&done_cond, &lock);
#ifdef VALID_REQUEST_ONLY
/*
* We carefully crafted all our requests to have a valid checksum, so
* we should never receive an invalid checksum error. (but ignore
* EC_CMD_TEST_PROTOCOL, as it can lead to arbitrary result values).
*/
ASSERT(req->command == EC_CMD_TEST_PROTOCOL ||
resp->result != EC_RES_INVALID_CHECKSUM);
#endif
return 0;
}
|
